Security Digest Vol. IV (Spring 2017)
Welcome to Volume IV (Spring 2017 Edition) of the Duquesne University Cyber-Security Digest. Here are some highlights and exciting initiatives that we wanted to bring to your attention:
Letter from the Director of Information Security and Special Initiatives to Campus
Dear Duquesne Community Members,
Duquesne University has recently been targeted by malicious emails that attempt to steal usernames and passwords. These phishing emails say things such as: "Update your account to avoid termination", "Important Notification", "New Email Login Information", and "Notification from DuqCTS". These emails are not authentic. The Duquesne University Computing and Technology Services (CTS) department lists all current Phishing Messages to campus at www.duq.edu/cyberaware.
- If you clicked on one of these messages or are concerned that your MultiPass account or personal information was exposed, please reset your MultiPass password at www.duq.edu/multipass.
- If you receive one of these emails, never click the link in the email. Individuals should also forward a copy of the email to email@example.com and firstname.lastname@example.org, then delete the message.
- CTS has updated the look and feel of the campus Office 365 web login pages, which you will read about in this digest. Please do not enter any credential into a site that looks like the old login.
These phishing scams will continue, but CTS will continue to develop more sophisticated resources and explore new technologies to better protect the community. Even with the new solutions, we cannot stop phishing at Duquesne University without your help. Please remain vigilant and proactive in helping us prevent these malicious attempts to steal your credential and information.
-Tom Dugas, Director of Information Security and Special Initiatives
Cyber Security News:
Updated DORI and DU Web App Login Pages
CTS recently implemented a new login page for CTS Cold Fusion web applications, Office 365 email, and many Single Sign-On (SSO) applications that are normally accessed via DORI. This new login page will provide a more standardized look and feel and provide users with a more secure and consistent login experience.
For more information on this change, and to view images of the new login pages, please visit www.duq.edu/authentication.
Office 365 Implements Feature to Help Fight Email Spoofing
Email spoofing means pretending to be someone else in order to conceal the real sender's identity. Spoofing is not limited to email: Internet Protocol (IP) addresses and MAC addresses can be spoofed as well. In a spoofed email, various message headers are changed to conceal the spoofer's identity. This means that, from time to time, you may see messages that appear to come from close personal contacts but are really sent by malicious impersonators.
Luckily, Microsoft has implemented a new feature to help users identify potentially spoofed messages. When you receive a message that Microsoft identifies as possibly being from an illegitimate source, you will see the following message at the top of the email:
What to do if you receive a spoofed message:
- If you do not know the sender of the email, it should be deleted.
- If you know the sender, you should still confirm the legitimacy of the message by contacting the sender by phone or by sending a separate email to an address you are sure they use.
Important: DO NOT simply reply to the message you received, as it could still be a spoofed message, and your reply could fall into the wrong hands.
If you would like further guidance regarding the message, please contact the CTS Help Desk at 412.396.4357 or email@example.com
CTS Drafts Data Governance Policy
The purpose of the Data Governance Service Requirement is to ensure that data is created, maintained, secured, monitored, audited, and used in a manner that contributes value to Duquesne University. Duquesne University's institutional data, in all forms, is one of the University's most valuable assets and must be maintained and protected as such. It is critical to ensure that institutional data is accurate and trusted to support our University mission.
The full draft of the policy can be viewed on CTS's website: http://duq.edu/about/campus/computing-and-technology/policies
Securing Your Home Network
Most households now have several devices connected to their network at any given time. These devices can include not only computers, but also gaming devices, TVs, smartphones, and any other network-capable device. CTS would like to provide a few steps you can take to protect your home network.
Secure Your Personal Devices
Make sure ALL of your Internet-enabled devices are safe and have the latest operating system and security software. Some general rules to follow:
- Keep security software current: Having the latest security software, web browser, and operating system is the best defense against viruses, malware, and other online threats.
- Protect ALL devices that connect to the Internet: These days, it's not just computers that connect to the internet. Smartphones, gaming systems, and any other web-enabled devices also need protection from viruses and malware.
- Plug & scan: USBs and other external devices can be infected by viruses and malware. Use your security software to scan them before using them on your home computers.
- Protect your $$: When banking and shopping, check to be sure the site is security enabled. Look for web addresses with "https://" or "shttp://", which means the site takes extra measures to help secure your information. "Http://" is not secure.
- Back it up: Protect your valuable work, photos, and other digital information by making an electronic copy and storing it safely. All Duquesne email addresses come with 1TB of cloud storage that can be used to back up your data. It can be accessed by:
  - logging into your email
  - selecting the tiles panel in the upper right-hand corner
  - selecting the OneDrive tile
Important: You will have access to this cloud storage only while you remain at Duquesne University. If you leave Duquesne, you will want to back up this cloud information to another location so that you do not lose access to it.
Secure Your Wireless Router
Wireless is a convenient way to allow multiple devices to connect to the Internet from different areas of your home; however, unless you secure your router, you are vulnerable to people accessing information on your computer or potentially using your network to commit cybercrimes. Here are some ways that you can secure your wireless router:
- Change the name of your router: The default ID, called a "service set identifier" (SSID) or "extended service set identifier" (ESSID), is assigned by the manufacturer. Change your router to a name that is unique to you and will not be easily guessed by others.
- Change the pre-set password on your router: When creating a new password, make sure it is long and strong, using a mix of numbers, letters and symbols.
- Review security options: When choosing your router's level of security, opt for WPA2, if available, or WPA. They are more secure than the WEP option.
- Use a firewall: Firewalls help keep hackers from using your computer to send out your personal information without your permission. A firewall serves as a guard, watching for attempts to access your system and blocking communications with sources you do not permit. Your operating system and/or security software may come with a pre-installed firewall, but you may have to enable it yourself.
Information Security Training and Awareness Events
Duquesne Benefits Fair 2017
CTS will be at the Duquesne University Benefits Fair on April 19th. Join us to learn about how to protect yourself and the University from Cyber Crime.
Cyber Security Training Available for Campus
In our continued effort to fight the rising number of cyber-attacks, CTS will be providing SANS Securing the Human Cyber Security Training to the campus starting in June 2017. As part of this incentive, we will be offering contests and prizes for those who participate in the training, so keep an eye out for more information regarding these training events!