Cybersecurity Awareness Month Archive 2023

Multi-Factor Authentication (MFA) is a security mechanism that provides an additional layer of protection by verifying digital users through at least two authentication factors. There are three common types of authentication factors:  

• Something you know:  This refers to information known only to the user. For example: unique passwords, security questions, PIN codes.
• Something you have:  This refers to something that the user owns. For example: a smartphone or a security token.
• Something you are:  This factor refers to something that is exclusive to the user. For example: biometrics (e.g. fingerprint, facial scan).

Multi-factor authentication is the most effective way to protect your accounts. With multi-factor authentication, even if a password is compromised, a malicious actor would have to obtain an additional piece of information to gain access. When offered to “enable” or “turn on” MFA on your personal accounts such as Facebook, Amazon or Google, we strongly encourage you to do so. 

At LSU, MFA is offered for all applications behind Microsoft authentication such as Workday, LSU email, Teams, Box, and Zoom.

All users will need to configure two methods for MFA: one as a primary method and a secondary method to be used as a backup. It is recommended that MFA be configured on different devices to ensure that you do not lose access in the event that a device and/or phone number change.   

While multi-factor authentication is one of the best ways to secure your accounts, there have been instances where cybercriminals have gotten around multi-factor authentication. However, these situations typically involve a hacker seeking multi-factor authentication approval to access an account multiple times and the owner approving the log-in, either due to confusion or annoyance.

Therefore, if you are receiving multi-factor authentication log-in requests and you aren’t trying to log in, do not approve the requests! Instead, contact the service or platform right away.

If it is an LSU account, contact the Service Desk at 225-578-3375 or by email at servicedesk@lsu.edu.

Change your password for the account ASAP. Also, if you reuse that password, change it for any other account that uses it (this is why every password should be unique). 

Don’t let this deter you, though. Multi-factor authentication is typically very safe, and it is one of the best ways you can bolster the security of your data! 

MFA at LSU 

Logging in with Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) Enrollment 
Multi-Factor Authentication (MFA) Troubleshooting 

As our lives expand while we do more online, we’ve gone from having just a couple of passwords to today, where we might manage upwards of 100 or more. If you’re like most people, you’re probably using the same password for most of your accounts—and that’s not safe. If your one password gets stolen because of a breach, it can be used to gain access to all your accounts and your sensitive information. 

Perhaps you do use unique passwords, but in order to keep track you write them in a notebook or keep them on sticky notes. This leaves you vulnerable to prying eyes.  But no need to fret, password managers are easy to use and make a big difference. 

The best way to manage unique passwords for the ever-increasing number of online accounts we own is through a password manager application. A password manager is software created to manage all your online credentials like usernames and passwords. It stores them in a safe, encrypted database and generates new passwords when needed. When you need a password, you can get a hyper-strong suggestion that is automatically stored in the password manager with just a few clicks. Say goodbye to short, reused passwords and hello to strong, unique passwords! 

Because the password manager stores all your passwords, you don’t need to memorize hundreds of passwords or keep that secret password paper in your drawer. Now, you only need to remember one to unlock your password vault in the manager app, so it makes things so much easier. 

Protip: because the password that unlocks your vault is the “key to the castle”, it is vital to ensure that this password is unique, long, and complex. See additional resources below for password best practices.

Password managers not only let you manage hundreds of unique passwords for your online accounts, but some of the services also offer other advantages as well. 

• Saves time 
• Works across all your devices and operating systems 
• Protects your identity 
• Notifies you of potential phishing websites
• Alerts you when a password has potentially become compromised 
• Most can be used along with multi-factor authentication for even more security

Even though password managers are the best way to keep your information safe, many people are afraid that storing all their passwords in one place means they are at risk if a hacker breaches your vault. 

Password managers today are safer than ever before, and they are much safer than using a physical notebook, storing passwords in a Notes app or reusing passwords that are easy to remember. However, due to ever increasing advances in technology, password managers should not be considered risk-free. Try to choose a password manager that utilizes multi-factor authentication for an added layer of security. 

Compare your options and look for a quality password management system – you have a lot of choices! See additional resources below for best password managers of 2023.

Source

Why You Need To Use A Password Manager 

Best Password Managers of 2023

myLSU Password Security Levels

Password Best Practices

One of the easiest ways to keep your information secure is to keep your software and apps updated.

Every day, software and app developers focus on keeping their users and products secure. They’re constantly looking for clues that hackers are trying to break into their systems, or they are searching for holes where cybercriminals could sneak in, even if they’ve never been breached before. To fix these issues and improve security for everyone who uses their services, upstanding software companies release regular updates. 

If you install the latest updates for devices, software, and apps, not only are you getting the best security available, but you also ensure that you get access to the latest features and upgrades. However, you can only benefit if you update! Don’t fret, updating software is easy, and you can even make it automatic. Check out the links below for more information. 

Keep your computer secure at home  

Protect your computer from viruses, hackers, and spies

When downloading a software update, only get it from the company that created it. Never use a hacked, pirated or unlicensed version of software (even if your friend gave it to you). Pirated, hacked, or unlicensed software can often contain and/or spread malware, viruses, or other cybersecurity nightmares to your network. Ruining your computer, phone, tablet, or other device isn’t worth it!

To view the catalog of software currently available to faculty, staff, and students follow the link below.

Check out Tigerware

Software from legitimate companies usually provides an option to update your software automatically. When there’s an update available, it gives a reminder so you can easily start the process and you can often choose to schedule the update during the middle of the night. If you can’t automatically update it, remind yourself to check quarterly if an update is available. 

Check out the links below for more information. 

Windows update: FAQ  
 
Update Your Mac device 

You’ve probably come across suspicious pop-up windows when visiting a website that urgently demand you download a software update. These are especially common on shady websites or if there is malware already on your machine. These are always fake – they are attempts at phishing or entice users to click on the link that may download malware.Don’t click any buttons on these pop-ups and close your browser.

Many web browsers will warn you if you are attempting to visit an unsecure web address or one that could contain malware. Heed these warnings and don’t take the bait!

Additionally, it is recommended that you avoid clicking on sponsored links that may appear at the top of search portals such as Google. Sponsored links may not point to legitimate websites for software downloads. Always look for legitimate websites of the application providers and download the software directly from official sites.

Source

In a social engineering attack, a malicious actor uses human interaction (social skills) to obtain or compromise information about a person or organization. The malicious actor may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by gathering data from unsuspecting people, he or she may be able to piece together enough information to compromise an individual or organization.   
 
The most common form of social engineering is phishing. Phishing emails are an attempt by malicious actors pretending to be legitimate entity or person for the purpose of stealing private information, such as username and passwords, social security numbers, or banking information. 

Note: Phishing attacks are not isolated to emails. Attackers may contact you over the phone (i.e. voice phishing /“vishing”) as well, spoofing numbers that will appear legitimate. Attackers may also utilize cell phone text messages (i.e. SMiShing) to send bogus text messages that appear to come from banks, credit card companies and other legitimate organizations.   For more information on Vishing and Smishing, please visit our Phishing page.

To protect yourself, become familiar with the key indicators of a phishing email. If you come to know some of the common indicators of a phish, you will be able to spot them more easily.

1.      Check the sender.

• Check the domain of the sender's address. Phishing emails will often come from unfamiliar domains.

2.      Check the body.

• Phishing emails often try to create a sense of fear and urgency in subject lines, hoping users will comply. Grammatical errors are common as well as random use of capitalization. 

3.      Check the destination.

• Always review links prior to clicking, and in the event the link has been clicked, please review the destination website for confirmation that the URL is accurate and valid. When possible, opt to go directly to a site through your browser instead of clicking a link.

• Learn the common indicators of phishing emails.
• Do not click on URLs from unknown sources.    
• Always ensure that your computer has the latest security updates and patches to reduce the chances of a vulnerable system that can be compromised or infected.
• Enter sensitive data on secure trusted websites only.
• Never email confidential or financial information.
• Be suspicious of all unknown callers/text messages.
• Don't inherently trust caller ID. Remember, telephone numbers can be spoofed, i.e. the number on caller ID may not be the actual number calling you. 
• If you are unsure about a caller, ask lots of questions. If a caller is asking for personal information or wants you to purchase something, ask for company information and inform them that you will call back. You can search for the company and their customer support number to call back and confirm.
• Never respond to suspicious text messages. 
  Only approve multi-factor authentication requests if you are actively logging in to your account(s).
• Never share your MFA token, code, etc. with anyone else.   

NOTE: LSU will never ask for your password over a phone call or e-mail.

Check out these additional resources:

Check It Before You Click It-Phishing, Malicious Links & Spoofed Headers 

ITSP’s comprehensive phishing awareness program seeks to educate our users to recognize malicious content by running regular phishing simulations. Beginning Fall 2023, at the completion of each simulated phishing campaign, ITSP will choose two reporters to win an LSU prize bundle. One student and one employee will be chosen at random from each month’s reporters.

To qualify for the prize, you must report the phish using the Cofense Reporter button in Outlook or Outlook Web. Winners will be notified by a member of ITSP via email the week following the conclusion of each campaign. 

ITSP has implemented a phishing reporting tool called Cofense Reporter. The application conveniently integrates directly with Outlook mail clients and Office365, providing LSU users a quick and easy mechanism to report phishing e-mails.

• Use Cofense Reporter to report a phishing e-mail to LSU ITSP. This method will be the only one utilized to identify winners for the Phishing Awareness Program
• If Cofense Reporter is not an available option for you, please report phishing messages to LSU ITSP.

If you believe you have fallen for a phish, please take the following actions:  

• If you accidentally shared your username and password, please change your password immediately. (NOTE: The new password must be unique and should not have been used anywhere else. If you use the same password for different services, you must change passwords for other services as well) .
• If you shared your banking (credit card, debit card, bank account number, etc.) information, please reach out to your financial institutions immediately and take the necessary steps as recommended by the respective institution. 
• If you shared any other personally identifiable information (Social Security Numbers, Date of Birth, etc.) you should take necessary steps to monitor your credit for any unauthorized changes. It is also a great idea to place a freeze on your credit with all credit bureaus. 
• If you have any questions, contact security@lsu.edu.

You can place a free freeze on your credit by visiting the following links:

·         Equifax

·         Experian

·         Transunion

We want everyone out there to be snobby about sharing their personal data – there is nothing rude about it! Your data is worth billions to social media companies, but you can control what is collected. Your personal data is valuable, treat it like cash! Strike up a habit of paying attention to what data a social media platform is requesting (like your current location) and think about your answers. 

Even if a social media app or website never asks you for data, you should assume it is still collecting it. Routinely check your privacy settings and ensure everything fits within your comfort level.  

On mobile devices, social media apps might ask for you to give them access permissions at all times, but you don’t have to agree. Here are some default settings you should usually turn off, unless you need it for the app to function and you trust the app: 

• Camera – off 
• Microphone – off 
• Location – off 
• Sync contacts – off 

Multi-factor authentication (MFA), sometimes called two-factor authentication or two-step verification, requires anyone logging into an account to prove their identity multiple ways. Typically, you will enter your username, password, and then prove your identity some other way, like with a fingerprint or by responding to a text message. Why go through all this trouble? Because MFA makes it extremely hard for hackers to access your online accounts, even if they know your password. 

Every one of your social media accounts should be protected by an awesome password created with these three guiding principles in mind: 

• Long: Every one of your passwords should be at least 12 characters long. Length is more important than complexity.  
• Unique: Each account needs to be protected with its own unique password. Never reuse passwords. This way, if one of your accounts is compromised, your other accounts remain secured.
• Complex: Each unique password should be a combination of upper and lower case letters, numbers and special characters (like >,!?). Again, remember each password should be at least 12 characters long. Some websites and apps will even let you include spaces.   

How do you keep track of all these unique passwords? Simple – use a password manager! 

Be cautious about how much personal information you provide on social networking sites. The more information you post, the easier it may be for a hacker or someone else to use that information to steal your identity, access your data or commit other crimes such as stalking. Also, think about who can see your social media musings – most platforms allow you to limit who can see or engage with your posts if you don’t know the whole world to know your business.  

Even though many of us have been on social media for a decade or more at this point (maybe even most of your life!), it bears repeating that you should think about everything you post, message, or say online, because it can live forever. Posts are like ghosts; you don’t want what you say to haunt you. This is true even for apps that automatically delete posts, like Snap. Someone who sees it can screenshot or screen-record what you post.  

Remember that not everyone who requests to follow you has friendly intentions in mind. Depending on the information you have visible on your profile, someone who friends or follows you might know your contact info, general location, age, and other data. This is why you want to think twice before accepting a request or invitation to connect from just anyone. Many social media networks have tools that allow you to manage the info you share with friends in different groups. If you’re trying to get your influencer hustle going, create an open profile or fan page that encourages broad participation but limits personal information. Use your personal profile to connect with your real friends – typically ones you know IRL. 

While cyberbullying is often framed as an issue for children, anyone can be a victim. When it comes to the bullies of the 2020s, social media is now the unsupervised playground for us all. We recommend that you just block them – there’s no need to give them more of your time and energy. Every platform has simple ways you can block and report users engaged in bullying behavior. There’s no shame in having a strong blocking game! 

Phishing is when cybercriminals use fake emails, social media posts, or DMs with the goal of luring you to click on a bad link or download a malicious file. If you click on a phishing link or file, you might hand over your data to hackers. A phishing scheme can also install malware onto your device. If you get suspicious, typo-ridden, or too good to be true messages from someone you don’t know on social media, assume its phishing – delete it! You can usually report such messages to the social media platform, too. You might get a message or post from someone you know that seems like phishing (“when did Bill get into selling designer sunglasses?”). Assume it is phishing and delete. Use another method to contact the sender and let them know about the weird message.