Resolve to Be Cyber-mindful

Happy New Year! Hopefully you’ve received your 2017 “Becoming Cyber-Mindful” wall calendar (check for them wherever you receive your campus mail). In addition to keeping us straight about what day it is, those beauties set the scene for some of the safe computing topics we’ll talk about -- and practice -- this year.

Your safe computing team is kicking off 2017 with two safe computing resolutions:

First: We will get our passwords in line. If you’re like us, you’ve got usernames and passwords to a few billion sites and services floating around your head (or your post-it pile). Password management is a huge topic but, like eating an elephant, we’re going to tackle it a bite at a time this year. Below, we’ll take the first step in getting our passwords under control.

Second: We will beef up our phish detection skills. Last year’s phish training illuminated our collective “weak spots” with respect to social engineering ploys. This year, we’ll resolve to strengthen those particular detection muscles -- in 7 easy exercises!

So, two exciting cyber-mindful aspirations for 2017. We hope you’ll resolve along with us.

The First Step to Password Domination: Categorize

Estimates vary, but the average person has about 90 logins. That’s practically a pad of Post-Its. This year, we’re taking control of our passwords.

Tech gurus no longer insist that every account have a unique password -- there are simply too many to remember. For low-risk accounts, they even say that using the same password is acceptable.

The key is matching each password to the value of what the account protects. Accounts with high value info should be protected with unique, strong passwords (and 2FA, if possible); for accounts with middle or low value info, simpler and even “recycled” passwords are sufficient. The one rule that makes recycling safe: a password shared among low-value accounts must never be the password of a high-value one, because when any site on the list is breached, the stolen passwords get tried against every other site. Feel free to peruse Microsoft’s robust explanation here, if you have a few hours.

That said, here’s our action item for January: start a list of your computing accounts (on an Excel doc or good old-fashioned paper) grouped by what kind of stuff is there. You’ll probably want three tiers:

  • High Value: Financial, tax, health care, and government accounts with direct access to financial or sensitive personal information, plus the email account that receives password resets for everything else
  • Medium Value: Accounts where financial information is stored for making payments and social media accounts where compromise might be embarrassing
  • Low Value: “Junk” accounts for fan sites, sale notifications, etc.

As you encounter a login this month, add the service (but not its password) to your list. Next month, we’ll start talking about what we should do with each category of account.

Editors’ Note: We, your faithful safe computing advocates, are not immune to the trials of password management. Over the next few months, we’ll be working right along with you, straightening out our own morasses of accounts, logins, usernames, and passwords. We’re in this together, UD!

2017 Phishical Fitness Program

Our campus Phishing Commissioner (the “Phish Commish”, if you will) knows consistency counts in any effective fitness regimen. Practice, practice, etc.

In 2017, we’ll practice looking for the 7 red flags of a socially engineered email with these questions:

  • Who’s it from?
  • Who’s it to?
  • When did it arrive?
  • What’s the subject?
  • How does the content look?
  • Are there attachments?
  • Are there links?

Each month, we’ll focus on one of the 7 tenets of phish-detection right here in this newsletter. Then, later in the month, our Phish Commish will email a phishing exercise that lets us try out our newly-learned (or reminded) detection skill. By the end of the year, we’ll be pros at assessing emails for harbingers of doom. In addition, if higher-ed specific phishing threats emerge from the cybersphere along the way, our Phish Commish will coach us on those, as well.

Phish exercises will start in February (‘cause January fitness plans are so cliché).

Scam of the Month: Faux PDF

This phishing campaign sends an email with the subject "Assessment document." The email carries what appears to be a locked PDF attachment, and the message reads: "PDF Secure File UNLOCK to Access File Content".

[Screenshot of the phishing email]

If you click to unlock the document, a dialog box appears asking for your email address and password. That request is the whole scam: opening a legitimate document never requires your email password, and whatever you type into that box goes to the sender, not to any PDF. Of course, we know better than to hand that information over because some random email asks us to. If you did type them in, change that password right away and report the message.
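The seven red-flag questions from the Phishical Fitness section can be turned into a first-pass triage script. The Python below is an added example, not the newsletter's or the Phish Commish's tooling: it parses a message constructed here to resemble the "Faux PDF" scam (sender domain, recipient line, link target and attachment are all invented), plus a constructed ordinary message for comparison, and reports which of the seven questions each one trips. MY_ADDRESS, TRUSTED_DOMAINS, the working-hours window and the lure-word lists are assumptions to be replaced with your own.

```python
# Added example: triage a message against the newsletter's seven red-flag questions.
# Both sample messages are constructed; MY_ADDRESS, TRUSTED_DOMAINS, WORK_HOURS and
# the word lists are assumptions a real deployment would replace.
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

MY_ADDRESS = "jane.doe@example.edu"      # assumed: the reader's own address
TRUSTED_DOMAINS = {"example.edu"}        # assumed: where campus mail should come from
WORK_HOURS = range(6, 22)                # assumed: hours at which legitimate mail is sent
RISKY_EXT = {".exe", ".js", ".scr", ".vbs", ".docm", ".xlsm", ".htm", ".html", ".zip", ".iso"}
LURE = re.compile(r"\b(unlock|enable (content|macros)|verify|suspend(ed)?|urgent|password)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear\s+(user|customer|member|client)\b", re.I | re.M)

# Constructed phish modelled on the "Assessment document" scam described above.
PHISH_EMAIL = """\
From: "Example University Document Services" <docs@example-mail.net>
To: undisclosed-recipients:;
Date: Tue, 03 Jan 2017 03:14:00 -0500
Subject: Assessment document
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear user,</p>
<p>PDF Secure File UNLOCK to Access File Content</p>
<p><a href="http://198.51.100.7/unlock.php">https://documents.example.edu/unlock</a></p>
</body></html>
--b1
Content-Type: application/pdf; name="Assessment.pdf"
Content-Disposition: attachment; filename="Assessment.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed ordinary message, to show the checks stay quiet on normal mail.
BENIGN_EMAIL = """\
From: "A Colleague" <colleague@example.edu>
To: Jane Doe <jane.doe@example.edu>
Date: Tue, 03 Jan 2017 10:05:00 -0500
Subject: Agenda for Thursday
Content-Type: text/plain; charset="utf-8"

Hi Jane, the agenda is in the calendar invite. See you Thursday.
"""

_host = lambda url: (urlparse(url).hostname or "").lower()

def assess(raw):
    """Return {question: reason}; reason is None when that red flag is not raised."""
    msg = message_from_string(raw, policy=policy.default)
    flags = {}
    # 1. Who's it from?  The address domain, not the display name, tells you the sender.
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    flags["from"] = None if domain in TRUSTED_DOMAINS else f"{name!r} writes from untrusted domain {domain!r}"
    # 2. Who's it to?  Mail meant for you names you; "undisclosed recipients" is a flag.
    recipients = " ".join(str(msg.get(h, "")) for h in ("To", "Cc")).lower()
    flags["to"] = None if MY_ADDRESS in recipients else f"not addressed to {MY_ADDRESS}: {recipients.strip()!r}"
    # 3. When did it arrive?  Bulk phish often lands at odd hours.
    sent = parsedate_to_datetime(str(msg.get("Date", "")))
    flags["when"] = None if sent.hour in WORK_HOURS else f"sent at {sent:%H:%M} sender's local time"
    # 4. What's the subject?  Urgency or "unlock/verify" wording is the classic lure.
    m = LURE.search(str(msg.get("Subject", "")))
    flags["subject"] = f"lure word {m.group(0)!r} in subject" if m else None
    # 5. How does the content look?  Generic greeting and lure wording in the body.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    html = body_part.get_content() if body_part else ""
    text = re.sub(r"<[^>]+>", " ", html)
    reasons = [r for r, hit in (("generic greeting", GENERIC_GREETING.search(text)),
                                ("lure wording in body", LURE.search(text))) if hit]
    flags["content"] = "; ".join(reasons) or None
    # 6. Are there attachments?  Risky types, or any attachment the body urges you to "unlock".
    names = [a.get_filename() or "" for a in msg.iter_attachments()]
    risky = [n for n in names if "." + n.rpartition(".")[2].lower() in RISKY_EXT]
    flags["attachments"] = (f"risky attachment type: {risky}" if risky else
                            f"attachment {names} paired with a lure to open it" if names and LURE.search(text) else None)
    # 7. Are there links?  Visible URL text must match the real target; bare-IP targets are a flag.
    issues = []
    for href, label in re.findall(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', html, re.I | re.S):
        label = re.sub(r"<[^>]+>", "", label).strip()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", _host(href)):
            issues.append(f"link goes to bare IP {_host(href)}")
        if label.lower().startswith(("http://", "https://")) and _host(label) != _host(href):
            issues.append(f"text shows {_host(label)} but target is {_host(href)}")
    flags["links"] = "; ".join(issues) or None
    return flags

def score(raw):
    """Count of red flags raised; even one firm flag means stop and verify out of band."""
    return sum(1 for reason in assess(raw).values() if reason)

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, score(raw), "of 7 red flags:", {q: r for q, r in assess(raw).items() if r})
```

Run it and the constructed phish trips six of the seven questions (everything except the subject, whose wording is deliberately bland), while the constructed ordinary message trips none. The checks are heuristics, not a verdict: the point is that each of the seven questions maps to something you can look at in the headers, body, attachments and link targets, and that a single firm flag is reason enough to stop and verify the message another way.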

Just remember - Think Before You Click!