Cyber Security Awareness Month Tips

Passwords, when used correctly, are an extremely simple and effective way to protect your account and data from unauthorized access. Even when learning and working remotely, we need to continue to use good password practices.

There are a number of methods cybercriminals use to obtain your password, including:

• Social engineering - tricking people into handing over passwords. No one should ever ask you for your password.
• Using the same password on multiple accounts where one of the accounts becomes compromised, exposing that shared password.
• Physically stealing them; for example, when they are written down.
• Guessing based on easily accessible personal information (name, date of birth, etc.).
• Trying to use one of the most common passwords (123456, password, etc.).
• Brute force - automated guessing of passwords.
• Shoulder surfing - observing people typing in their passwords in public places.
• Key-logging malware which records passwords as they are entered.
• Intercepting them as they are transmitted over an unsecured network.

The following methods help to highlight some basic precautions which users can take to protect themselves.

• Never give anyone your password. No one should ever ask for it.
• Use a complex password containing multiple words that is at least 15 characters long.
• Use a unique password for every account.
• Never re-use passwords.
• Do not use any of the following in your password:
  • Your name of username
  • Family members or pets' names
  • Birthdays or anniversaries
  • Numerical or keyboard sequences (e.g., 12345, qwerty)
• Never share passwords or leave them written down next to your computer or in an easily found place.
• Be careful entering your password in public spaces where someone may be able to see you typing it.
• Do not use your password on an untrusted device.

One of the greatest risks remote users will face is social engineering attacks. Social engineering is a psychological manipulation of people into performing actions or divulging personal information. These attacks are made easier during a time of change and confusion such as COVID-19 when learning and working remotely has become the norm.

Phishing is one of the most prevalent forms of social engineering. Phishing messages will often ask you for personal information such as your password, cell phone number, or credit card information. Phishing messages may also try to convince you to perform a certain action, such as click on a link, open an attachment, send money, or buy gift cards. These messages are often crafted to appear like they came from a trusted authority or someone you know and trust.

Did you know that over 90 percent of cyber attacks start with phishing? Phishing messages are becoming more sophisticated and harder to detect. Phishing attacks can trick you into running malicious software that could allow cybercriminals to take control of your computer, log your keystrokes, or access sensitive business, personal, or financial information.

Criminals can also use SMS messaging, known as "smishing," to lure users into providing personal information. Fraudsters are also using the telephone to scam users. The telephone version of phishing is known as "vishing."

Noticeable signs of social engineering and phishing include the following:

• Messages that ask for personal information, such as cell phone number, username, password, bank account or credit card number, etc.

• Messages with a sense of urgency. For example, "Your account needs upgraded. Click this link or it will be deleted."

• Messages that seem suspicious and ask you to click a link.

• Messages with an attachment you weren't expecting. These can often be an invoice, fax, or shipping notification.

• Messages that ask you to perform tasks, like buying gift cards.

• Messages that have a generic greeting rather than using your name (Dear Customer, Dear User, etc.).

• Messages with poor grammar and spelling mistakes.

• Messages from another user in the organization that appear to have characteristics of a phish email may be a sign that the user's account is compromised and is being used to phish you.

Avoid social engineering schemes:

• During these uncertain times it is important to be vigilant when viewing and responding to any type of communication.

• Never give out usernames, passwords, or other sensitive information via email or telephone.

• The IT Support Center will never ask for your password via the telephone or email.

• Make sure you look at the actual email address, not just the display name, when responding to messages.

• Be cognizant of spoofed login pages. Review the URL before entering your credentials on web pages.

• Never click on links or open attachments from unfamiliar email addresses.

• If in doubt, send suspected phishing attempts as attachments to abuse@iup.edu.

While we work online from home during these uncertain times, you should follow these tips in order to have a safe online experience.

• Familiarize yourself with Zoom security features and use them. More information can be found on Securing Your Zoom Meetings.

• Connect to the VPN (vpn.iup.edu), and Remote Desktop into your IUP computer. Data and network access stays within IUP and keeps IUP's network security safety nets in place.

• Do not store work data and information on home computers or personal devices. All data on the IUP network drives (e.g., H: and O: drives) is secure and backed up.

• Make sure your computer's operating system and applications are up to date. Software updates provide security fixes to protect you and your device from cyber threats.

• Make sure your computer has anti-malware software installed. Contact the IT Support Center if you need to install anti-malware software on your personal laptop or computer.

• Don't use personal accounts for IUP business. Remember that IUP email is the official means of communications.

• Create unique and strong passwords for all your accounts and devices.

• Do not store printed paper documents with sensitive information at home.