  infosec@auburn.edu  or    844-0888 with questions
  
  
  
Kittye Parker

There's an old proverb that states, "An ounce of prevention is worth a pound of cure." That statement is especially true in terms of how you handle cybersecurity – it's much easier to prepare than it is to repair! One of the best things you can do to protect yourself, and the university, is to embrace as many preventative practices as possible: use unique passwords and a password vault, don't open attachments or links from senders when you aren't expecting them, always use a VPN when you don't have a secure internet connection, make sure you create constant file backups, etc. We can't encourage you enough to take those steps!


But unfortunately, with bad actors getting more and more sophisticated, and with "zero-click" exploits becoming more popular, even the most diligent and cautious individuals may end up falling prey to a scam or ransomware of some sort. If that happens, it's important that you immediately take steps to protect your data and devices. Here are some tips if you think you've been targeted by, or are a victim of, a cyber-attack.


Report any kind of phishing attempt or message.

If you ever receive an email that includes "phishy" behavior, it's important that you report the message immediately – especially if you interact with it. That would include doing things like clicking links, downloading files, forwarding the message to colleagues, or entering your personal information without verifying the sender first. If you interact with a potential spam message, make sure to immediately report it and then take some follow-up steps.

Reporting the Message

If you receive a phishing message to your Auburn email account, whether you interact with it or not, make sure to send it to phishing@auburn.edu. Unfortunately, simply forwarding the email doesn't provide all the information that we need to combat similar attacks. Instead, we ask that you send the original email as an attachment. If you receive a phishing message to your personal email account, check with your email provider on how to report that.

Following Up

Your next steps will depend on what kind of interaction you have with the message. If you clicked on a link or downloaded a file, you will want to run an anti-malware program to make sure that nothing malicious was added to your device. There are plenty of free malware-scanning programs available if you don't already have one. If you were prompted to enter any login information, you'll need to immediately change the password for any account using those credentials. See more about that in the section on passwords below. If you entered any information that could lead to potential identity theft (banking details or social security numbers), visit the FTC's page on identity theft.  Another concern with phishing attacks is possible spoofing – or someone sending a message as though they are you. If your personal email account is hacked, you may want to notify people in your address book that they should look out for suspicious messages that appear to come from you so they don't fall prey to the same scam.​


Only approve 2-factor prompts that you initiated.

You should set up 2-factor authentication for any account that offers it. A sure-fire way to know that someone else is using your credentials is if you get an authentication request that you didn't initiate. That could look like a text or email with a code that you're supposed to enter or a link to click on, or it may be a push notification through an authentication app like the Duo Mobile app that Auburn University uses. If you are not actively trying to log into an account, you should not approve or click on any authentication. You should immediately follow any reporting instructions that are available in the notification you received. You should also immediately change your password for the hacked account and any other accounts that use the same credentials – see more on that in the password section below.


Update your device and any apps that are on it.

We all get them from time to time - those little windows that pop up, notifying us that there are software updates available for our computer. Chances are, these always seem to present themselves right when we are in the middle of doing something seemingly important, so it's all too convenient to click on that "Remind Me Later" button. Later eventually rolls around, and our little pop-up friend is back once again, nagging us to install these updates and restart our computer. And just like during their last visit, we're right in the middle of something, and the cycle continues. However, that notification is not there just to pester us. There is actually significant importance in updating our software.

Bad actors make a habit of exploiting loopholes and flaws in applications and operating systems. The longer you wait for an update, the more vulnerable you are to cyber-attacks. If you fall victim to one, one of the first things you should do is make sure your system has its best defenses in place by being fully updated. Then you should go ahead and turn on the auto-update feature to bolster future protection.

Operating System update instructions: Windows, Mac, Android, iOS

Only Run Official Updates

While we're on the subject of device updates, it's important to note that those bad actors have also found a way to take advantage of the regular updates that are so crucial for functionality and security. Sometimes they run pop-up ads or send text messages instructing you to click links in order to run updates or prevent viruses. Anytime you see something like that, the best thing to do is go into your settings and manually check for updates. It may take a few extra seconds, but it's well worth the security benefits of confirming that you're installing the correct updates – and not accidentally downloading a virus!


Check your credit report for fraudulent accounts.

If the cyber attack has anything to do with your social security number or any institution that has access to your financial records, you need to pull your credit report and make sure that all the transactions are 100% yours. You'll be able to see things like credit cards and usages as well as attempts to secure major loans for automobiles or homes. You should also be able to view a summary of banking and utility accounts. There are 3 major credit reporting entities, and you'll want to make sure you check all of them since they may update on different schedules.

Here are links to TransUnion, Experian, and Equifax, the three primary credit bureaus. 

Freeze Your Credit

Once you've confirmed that your credit report is only listing things that you have authorized, one of the best things you can do is freeze your account. You'll have to do this for each of the reports, but it's a free and simple process, especially if you've already created an account to check your report. Freezing your credit will not affect your score in any way, and it won't keep you from checking your credit, but it will prevent you from having any hard checks performed. That means no new loans or credit cards until you unfreeze it.

Setup Alerts

If you know you're about to open a line of credit for anything (a new phone, a new credit card, a new car, etc.) then you may not want to go through the steps of freezing your accounts quite yet. There are several services that allow you to set up alerts when there are certain types of activity linked to your finances. You have options such as knowing any time a credit check is started, anytime a new account is opened, or even if an account has an expenditure over a certain amount. Setting up alerts can help you keep track of what's happening and improve your awareness so you can act swiftly against any future attacks.


Change the passwords for any hacked accounts

It may seem obvious, but it never hurts to reiterate an important point. If you suspect that any account that you have has been breached, make sure to change your login information for any account that shares the compromised password. This step is why we suggest the preventative measure of making all your passwords unique and storing them in a password vault. Don't forget that you get a free premium LastPass Account with your Auburn email address. Here are some things to think about when you're creating your new password.

Create Complex Passwords

Whenever you create a new password, make sure it's complex. That means it should contain a mix of uppercase and lowercase letters, numbers, and special characters. It should also be something that is not easy to guess or find out about you online such as your birthday, anniversary, pet's name, or school mascot. You should also avoid repeated or sequential numbers or letters such as 'aaaa' or '5678'.

Use 12 or More Characters

You may have heard the phrase, "a long password is a strong password." Many systems require you to create a password of at least 8 characters. However, the new standard is to have at least 12 characters in your password with some entities suggesting 16 or more. And as long as you don't just add '1234' or '!!!!' to the end of your existing password, then those 4 additional characters can make a big difference. If you consider a 4-digit PIN for a phone or a debit card, there are 10,000 potential combinations of numbers. If you pick an 8-digit numeric password, it will be 1 of 100,000,000 possibilities. Adding JUST uppercase and lowercase letters gives you more than 2 million times as many combinations. That seems pretty unhackable, but it's not. There are computers that can run through those 200 trillion variations in less than 30 minutes. But a 12-character password, especially one that uses uppercase and lowercase letters, numbers, and special characters, has over 200 million times more combinations that are possible. That's nearly 300 sextillion available variations.
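The rules in the two sections above (a mix of character classes, no repeated or sequential runs, nothing personal, 12 or more characters) can be checked mechanically, as in this added example, which is not part of the original post or of any Auburn tool. The run length of 4, Python's `string.punctuation` as the special-character set, and the `personal_terms` parameter are assumptions.

```python
import string

MIN_LENGTH = 12   # the page's recommended minimum
RUN = 4           # run length to flag, as in 'aaaa' or '5678' (assumed threshold)

CLASSES = {       # name -> character set; the special-character set is an assumption
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def has_repeated_run(pw, n=RUN):
    """True if one character appears n times in a row, e.g. 'aaaa' or '!!!!'."""
    return any(len(set(pw[i:i + n])) == 1 for i in range(len(pw) - n + 1))


def has_sequential_run(pw, n=RUN):
    """True if n letters or n digits in a row step by +1 or -1, e.g. '5678', 'dcba'."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        if chunk.isascii() and (chunk.isdigit() or chunk.isalpha()):
            steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
            if steps in ({1}, {-1}):
                return True
    return False


def keyspace(pw):
    """Number of passwords of the same length drawn from the classes pw uses."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in pw))
    return size ** len(pw)


def check_password(pw, personal_terms=()):
    """Return the set of rules from the guidance above that pw breaks."""
    problems = set()
    if len(pw) < MIN_LENGTH:
        problems.add("too_short")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            problems.add("missing_" + name)
    if has_repeated_run(pw):
        problems.add("repeated_run")
    if has_sequential_run(pw):
        problems.add("sequential_run")
    # personal_terms: caller-supplied words such as a pet's name or school mascot
    if any(t.lower() in pw.lower() for t in personal_terms if t):
        problems.add("personal_term")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ("password5678", "Summer2021!!!!", "Tr7#kQ9!vLp2z"):
        print(sample, sorted(check_password(sample)), f"{keyspace(sample):.2e}")
```

An empty result means the password breaks none of these rules; it does not mean the password is unique, which is why the vault advice above still applies.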

Never Share Login Info

Everyone knows that passwords are supposed to be a secret. But surely, it couldn't hurt to share your Netflix or Amazon Prime account with someone, right? And if you're busy during your registration time ticket, it would be fine to give your password to someone to register for you, right? WRONG. You should never, ever, under any circumstances share your login information with other people. Once someone writes down your password, whether digitally or on paper, there are countless ways for it to get out to other people.

If there is a reason to grant someone access to an account you own, such as a group project where everyone needs to get into a certain email account, or some account you share with your significant other, then share the credentials through LastPass. As long as you both have accounts set up, you can grant each other access to an account or application without ever having to say or write down the password. You also get to choose whether the people you share with can actually see the password or if it just gets stored in their vaults. And should the need arise, you can revoke that access at any time.


Published: 10/1/2021 3:05 PM
  
Kittye Parker

With working and studying from home becoming more and more commonplace, this year's Cybersecurity Month will focus on ways that Auburn University students, faculty, and staff can build a distance defense and stay secure while remote.

Use a VPN whenever accessing or using sensitive data.

A VPN (Virtual Private Network) provides a secure two-way communication between your device and the information you're accessing. The Palo Alto GlobalProtect VPN is required in order to use certain Auburn University resources, but that's not the only time you should worry about secure data. Using 3G/4G/5G network data, public Wi-Fi, or even private Wi-Fi where the password is publicly available, can put your information at risk.

  • Financial Information: Online shopping is a breeze through mobile apps, and fast shipping can make it very enticing to complete a purchase as soon as you think about it. But completing an order means that you're transmitting financial information, whether it's bank account details or a debit or credit card number. You run into a similar problem if you access your banking apps or websites. Your password, account and routing number, and transaction history suddenly can become available.
  • Passwords: It may seem harmless to log into your social media while you're out and about, but if you use the same password across multiple accounts, hackers will have access to those as well. In addition to using a VPN for your browsing, you should also make sure that you use different passwords across all your accounts in the event that one is compromised. If that seems like a daunting task, you can store your passwords in a vault like LastPass.
  • Location Data: Many apps require access to your location data to provide you appropriate content. The convenience of finding restaurants, dates, and deals near you is very appealing! But consider the fact that other people may be able to find you if your location data gets transmitted over public networks. Not only may that lead to unsavory characters finding you on your night out, but it could also provide data for potential criminals who need to get you away from your house. Using a VPN gives you a lot more control over who can access that information.

 

Don't open links or files from unknown sources.

Phishing is constantly becoming more and more problematic as tens of thousands of people fall for phishing scams every single day. This can negatively affect the people who fall for the scams as well as anyone in their contacts or on the same network. It doesn't help that scammers are getting more sophisticated in their attacks, but there are still some red flags you can be on the lookout for:

  • Links: It's easy to make a link look like it's directing you somewhere else, so don't click on a link in an email you're not expecting. Instead, type in the web address directly into the browser. You should also be wary of links on unsecured websites.
  • Attachments: You may receive emails with attachments that look like simple documents or photos, but only open files from known senders, and even then, make sure you're expecting it. Innocuous looking files may still contain data and can install a virus or some other malware that can wreak havoc on your device.
  • Impersonal Greetings: Phishing messages often start with "Dear User" or "Dear Customer" instead of addressing you by name.
  • Threats: Be wary of any message that tells you that you will lose access immediately or that your account will be terminated.
  • Spelling & Grammar: Plenty of people make mistakes in spelling in emails, but phishing attacks often have more spelling and grammar issues than normal.
  • Request for Money or Information: If an email ever asks you to enter your password, banking information, social security number, or anything like that via email, don't do it. Legitimate companies will not request that information via email.

If you're worried you may have fallen for a phishing scam, or if you want more information on phishing, visit our Phishing Awareness page.

 

Beware of job, tax, and other financial scams.

When you're not working face-to-face with someone, a lot of correspondence happens through emails and text. Those forms of communication are easy to fake, so remote work is a great time for scammers to get your money or personal information. Here are some common scams to be aware of:

  • The Gift Card: This scam starts with an email typically asking if you are available. The account is made to look like it belongs to someone from Auburn and in your organizational structure, so many people quickly respond if they are available. The sender then requests that you purchase a gift card and send the redemption code or a picture of the card back via email. Whenever you get odd email requests, make sure to confirm the identity of the sender!
  • The Prize: This scam has been around for years, and it's not going anywhere. Whether it's via email, text message, or browser pop-up, be very skeptical if a message tells you that you've won some amazing prize. The "fine print" may ask you to enter banking information to pay for shipping, enter your social security number for tax purposes, or enter a username and password to confirm your identity. Be extremely careful about where you enter any sensitive information into any site or email.
  • The Job Offer: There are many variations of this scam ranging from temporary gigs to full-time employment, but they tend to show up more often near the end of semesters. And since there was a high rate of layoffs at the beginning of the pandemic, there has also been a big surge over the past 6 months. There's typically a "trial task" that involves making a purchase, paying a bill, or transferring money with the promise that you'll be reimbursed above what you spend. Never accept a job that requires a money transfer or something similar and be extra cautious with any job offer where you didn't apply.
  • The Stimulus Check: This particular scam has only become common since the start of the COVID-19 pandemic, but it has been rampant throughout 2020. The federal government has already provided one round of economic impact payments, and Congress has been discussing another round for months. As long as a discussion of more payments persists, this scam will as well. Most people didn't have to do anything to get these payments other than wait – but that waiting can be difficult. Some scammers were offering you the chance to get your payments sooner, for a small fee, of course. Some scammers were calling or texting to request your Social Security number in order to confirm your payment, but the IRS already has that information. And if you do need to provide information, it should only be directly through the IRS website. If you think you've encountered a scam of this nature, contact the Federal Trade Commission.

 

Create secure backups of all your important files.

Your data is the most important thing on your computer. Be it family photos, important tax documents, pieces of art, your band's music, sensitive research papers, or anything else, losing it should simply not be an option. Unfortunately, computers fail, and often. Having a backup plan set before anything goes wrong is one of the most important tasks you will undertake as a responsible computer user. Just make sure that any personal data is in a secure, encrypted location.

  • Manually Backing Up Files: The most basic method to back up files is to simply copy/paste them to another resource such as a flash drive, external hard drive, shared network drive, or writeable media (such as a CD or DVD). System files should not be backed up. Instead focus on your personal files. And if you have sensitive files, consider purchasing an encrypted flash drive for those items.  
  • Using a Backup Program: There are a number of programs that you can use to assist you and automatically schedule backing up of files to local resources. Mac users should consider using Time Machine.
  • Backing Up to the Cloud: A number of cloud services provide ample secure storage to back up your personal files, such as OneDrive for Business, Box, Google Drive, DropBox, iCloud, etc. Work-related files that don't contain confidential information should be limited to OneDrive for Business and Box.


Published: 10/2/2020 5:02 PM
  
William Miaoulis

As the United States and the world deal with the ongoing pandemic, the FBI’s national security and criminal investigative work continues. There are threats you should be aware of so you can take steps to protect yourself.  

  • Children who are home from school and spending more time online may be at increased risk for exploitation.
  • Anyone can be targeted by hackers and scammers.
  • Protecting civil rights and investigating hate crimes remain a high priority for the FBI.

Use the resources on the FBI page to help keep yourself and your family safe from these and other threats.

 https://www.fbi.gov/coronavirus


Published: 4/23/2020 8:57 AM