Security Training Cycle and Cyber Security Updates
Cyber Security Upgrades at Purchase College
We all receive phishing messages trying to trick us into logging into fake websites to steal our credentials. When they succeed, they steal the contents of our mailboxes and then use our accounts to phish others, including everyone in our contact lists.
Our email accounts are where our online banking and shopping accounts are homed, and an email account can be used to reset those passwords and gain access to those accounts.
The bad actors are getting better at what they do. These campaigns are increasingly conducted by foreign state or military operators. This real and present danger cannot be overstated. Phishing accounted for over 93% of the breaches that occurred last year. People are the weakest link, and social engineering is the easiest way to penetrate any organization.
Phishing puts critical and sensitive information, and our ability to communicate with the world, at risk.
No college officer or official will ever ask you to conduct fund transfers, or buy them gift cards, or to send sensitive information via email. If you get any email requests like that – or anything unusual – call the requester on the phone and verify before acting or responding.
What are we doing about this problem?
Campus Technology Services (CTS) has a great many security measures in place already, and other improvements are underway. Some new measures are:
1. Training: New York State and SUNY require all employees to complete annual Security Awareness training. Purchase College uses online training and has a new and much improved training system this year. If you have not already completed your mandatory training, please visit the training dashboard to begin. The link to the training also appears in the “Quick Links” section of the Faculty/Staff Portal page. Protect yourself: complete the training, and think twice before you click.
2. Outbound Spam Filtering: When your account gets phished, the intruders use that account to spew spam at the world. We have had an anti-spam appliance examining all inbound messages for the last 20 years. Now we have added an outbound anti-spam appliance too. This does not affect any mail sent from one Purchase College account to another Purchase College account. However, large volumes of messages sent to outside addresses are rate-controlled, giving us more time to react when there is a problem. In the most recent phishing tournament, over 100 incoming freshmen accounts were phished, causing Purchase College to be labelled as a spammer across the Internet and causing legitimate messages to be blocked by everyone else’s spam filters, a situation that lasted for about two weeks. An outbound spam filter reduces the likelihood of this happening again.
3. Data Loss Prevention - Proactive Scanning: Last spring we acquired a Data Loss Prevention tool that detects the presence of personal, private or sensitive information (PPSI). This tool scans email, PCs, servers, and databases. Tested on our own staff first, this tool proved effective in identifying sensitive information in our possession that the holders may not have been aware of. CTS is conducting proactive scans as a service for offices and individuals to help them manage their important and sensitive information.
4. Two-Factor Authentication (2FA): We have used 2FA for years on our VPN. The phrase “two-factor” refers to 1) something you know (your ID/PW) and 2) something you have (your smartphone). When you attempt to access a service protected by 2FA, you have to enter your ID/PW and then acknowledge the authentication request on your smartphone. We have enrolled our VPN user group in Cisco Duo. If you are enrolled in Duo, logging into the VPN or into Outlook Web Access (Web Email) will prompt you for Duo authentication. Over the next few months we will be expanding the use of Cisco Duo 2FA to all college services and systems.
5. Longer Password Change Interval: There has been a change in thinking over the past few years regarding the long-standing “best practice” of requiring frequent password changes. Several studies in the last two years determined that frequent password changes (ours was every 100 days) did not actually improve security; worse, they reduced security because people re-used passwords or wrote them down. Therefore, in conjunction with the implementation of 2FA, we are extending our password change interval to 365 days.
Treat your mailbox like the one outside your front door: important items get dropped off there, but you take them inside the house for safekeeping.
Do not leave important or sensitive documents in your mailbox.