Want to win a free shirt!

This month we'll be raffling off a Security Hero tee-shirt! These are the cool shirts you could win!

Here are some ways to be entered into the raffle:

• Report a phishing email or suspicious email to infosec@vcu.edu. 
• Complete the Security Bingo Card and email it to infosec@vcu.edu

October 25: Update Your Software

• The importance of Software Updating?
• How to do it?
• Best practices?
• Backup your shit. 

This week we want to discuss updating your computer software. You may not realize it, but cyber attacks are constantly looking for weaknesses (aka vulnerabilities) in software you run on your phone and computer. If a bad person exploits these weaknesses (aka vulnerabilities) they may be able to install malware or trojans on your computer. Malware can remotely control your computer, steal your passwords, and gain access to files on your computer! Software vendors are constantly updating their software to fix these weaknesses (aka vulnerabilities) but it is your responsibility to install these updates. 

How updating works:

When a software vendor discovers a bug or weakness (aka vulnerabilities) in their software, they will create a software update to fix the problem. Often applications may update several times a week. These updates may also include new features and improvements. Software updates happen on  mobile devices such as an iPhone or Android phone and even your laptop. Software updates can either happen automatically or manually. Automatic updates will update whenever the software detects there is an update. It doesn't require your assistance but you may need to restart your computer/device. Manual updates must be downloaded and installed by you. While this gives you control over when to update, it can be difficult to manage or easy to forget. 

Here are some tips for software updates:

• Update Often - Don’t delay when there is a software update!
• Get it from the source - Once download software updates from reputable sources. Never use pirated, hacked or otherwise illegally versions of software. These type of software often come with malware!
• Make it automatic - You should set the security updates to happen automatically. Most vendors provide this solution. You can turn on automatic updates for Windows 10/11, macOS, iOS, and even Android.

Watch out for fakes! - If you are surfing the web and you see a sudden pop-up to update your software, these are typically fake.  Most software will automatically load from the application (e.g Zoom, Chrome, Word, etc) and you do not need to download a separate file.

October 19: Email Proper Use (Sending and Receiving)

We are going to break up this week’s cybersecurity focus on Receiving Emails and Sending Emails. Depending on whether receiving or sending emails, we’ll want to take different items into account.

Receiving Email:

When you receive an email, your primary concern will be phishing. Phishing is a cybercrime in which a target or targets are contacted by email, telephone, or text message by someone posing as a legitimate institution. Over the years, phishing has become more sophisticated. Phishers can even spoof email addresses!

At VCU, your Information Security hosts a Phishing Blog where we post phishing samples and inform the community about phishing attacks that are happening at VCU.

Here are some recent phishing scams you should be aware of:

• Fake Job/Intern Scam: This scam works by offering you a lot of money for a little bit of work. The scammer sends you a check for more than what they initially agreed to pay, you cash the check and send some money back to the scammer. The check is a fraudulent check and will bounce in a couple of days, leaving you on the hook for the full amount.
• Paypal Invoice Scam: The scammer pretends to be a vendor and sends you an invoice. As long as you do not pay the invoice, you will stay safe!
• Extortion Scam: The scammer pretends they have hacked your computer and threatens to exhort you for money. Don’t be fooled by this tactic.

If you receive a phishing or suspicious email, forward it to our Information Security Office at infosec@vcu.edu for us to review. If you report it, we’ll enter you in our monthly Security Hero Raffle where you have a chance to win a cool shirt.

Sending Email:

Although you may not think of sending emails as a security concern, there are a couple of aspects we’d like to highlight. While email can be used to send certain sensitive information, it may not always be the best option when transmitting highly sensitive information. It is important for us to consider what we are sending and who are the recipients. When sending the following information we recommend enforced encrypting in Gmail and password-protecting any documents with the following information:

• Payment card information
• Social Security Numbers/Driver's License Numbers with names and/or other identifiers - Confidential Personally-Identifying Information (PII)
• HIPAA Protected Health Information
• Other regulated information

Additionally, a good practice when you are emailing a group of students or a group of patients is to include those recipients in the BCC field to maintain privacy. The BCC field protects the privacy of email addresses in the original message. Recipients will receive the message, but won't be able to see the addresses listed in the BCC field

October 10: Password Management and Password Hygiene

What is password management?

Password management is a set of principles and best practices to be followed by users while storing and managing passwords in an efficient manner to secure passwords as much as they can to prevent unauthorized access.

What is a password manager?

A password manager (or a web browser) can store all your passwords securely, so you don't have to worry about remembering them. This allows you to use unique, strong passwords for all your important accounts (rather than using the same password for all of them, which you should never do).

The downside to password reuse and caution?

Reusing passwords makes it possible for a malicious agent to hack into an account to have access to others belonging to the same user. And the more a password is reused, the greater the risk of having the credentials breached

October 3: Multi-Factor Authentication Fatigue

We all know about Multi-Factor Authentication, right?

Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. It is an extra layer of security to ensure that you are the only person who can access your account, even if someone knows your password. VCU account access requires your eID, Password, and a Device.

Well, what if you unexpectedly receive a push notification from Duo?

Is that a Duo notification? I didn't log in to anything?

Suddenly notice your phone blowing up with Duo notifications?!

Multi-factor authentication (MFA) fatigue (aka MFA Prompt Spamming/MFA bombing) is a technique used by attackers to flood a user's authentication app with push notifications in the hope they will accept, enabling the attacker to gain entry to an account or device. This technique only works if the threat actor already has the credentials of a targeted account from a previous compromise such as phishing, credential replay, brute forcing, password spraying, or from password reuse. 

If you suspect that you are a victim of MFA fatigue please contact ITSC at 828-2227 to change your password, and report the incident to infosec@vcu.edu. If you don’t recognize the Duo push, do not respond. 

How do I manage my MFA devices?

You can manage your devices within eid.vcu.edu. You can delete and add new devices. The video will show you How to Manage 2FA Devices at VCU. 

If you need help setting up a new phone with DUO, please contact ITSC at 828-2227 or itsc@vcu.edu

* As of August 12th, DUO enrollment is required for all current and former students, staff, and faculty. * 

***  On June 30th, 2022, VCU is disabling the SMS text messaging option in Duo as a method of authentication  ***

“It's Easy to Stay Safe Online — See Yourself in Cyber.” #CyberForUs and #BeCyberSmart.

What is Cyber-Hygiene?

Cyber hygiene refers to fundamental cybersecurity best practices that an organization's security practitioners and users can undertake. As you have personal hygiene practices to maintain your own health, cyber hygiene best practices help protect the health of your organization's network and assets.

 Below you will find helpful guides to improve your Cyber-Hygiene:

• 5 Steps to Protecting Your Digital Home
• Social Media Cyber Security
• Cyber Security While Traveling

Tips for Protecting Yourself

• Always use passphrases on your computer.
  • Longer passwords with letters and numbers (and special characters if supported) can help to keep your data safe.

• Lock your computer when you step away.
  • On Windows, press [Windows + L].
  • On Mac, press [Control + Shift + Eject] or [Control + Shift + Power].

• Never share your passwords with anyone.
  • No VCU official or employee will ever ask you for your password.

• Use updated anti-virus and anti-spyware tools, plus a firewall.
  • VCU provides anti-virus software for use on- and off-campus.
  • All widely-available consumer operating systems (Windows, Mac OS X, and Linux) provide built-in firewalls.  Just make sure your firewall is on

• Back your data up.
  • Use a trusted, reputable online storage company, or officially-provided VCU network storage space.
  • Consider encrypting your data.

• Handle information with care.
  • Be careful when handling, transmitting, or storing sensitive or regulated information.

• Think before you click.
  • Be aware of phishing emails and scam websites.
  • If some sounds too good to be true, it probably is!
  • Learn the signs of phishing emails

• Be aware of theft.
  • Lock your doors and keep your personal belongings with you

Complete 5 action items in a row and get entered to a raffle for a free shirt! 

To turn in your bingo card, Email infosec@vcu.edu Subject: Security Bingo, and tell us the 5 things you got in a row!

Security Bingo Action Item Descriptions

Reported an email as spam:

Reporting an email as spam helps your email provider identify spam and helps protect others from spam. You can learn how to mark email as spam using Gmail.

Used the VPN this Month:

If you are VCU employee, we can use the RAMS VPN to access VCU resources when you are remote. When you use public WiFi network (e.g. Starbucks), it is a good idea to use a VPN to add another layer of data protection.

Have a password lock on your phone:

Cell phone theft is a common occurrence in the USA. One way to safeguard your phone data is to add a password/passcode to your phone. The process will be different for iPhone and Android phones, but it will help safeguard your data.

Added MFA to a social media account:

MFA (Multi-factor authentication) can help safeguard your account in the event that your password is compromised. Most social media accounts allow you to set up multi-factor authentication.

Delete a email from an unknown user:

If you don’t know who the email is from, just delete it! If it looks strange or odd, mark it as spam or even phishing!

Replaced a simple password with a strong one:

Simple passwords like “Dog123” or “hunter12” are easy for hackers to crack. We recommend using complex passwords that include: special characters, capital letters, numbers, and are longer than 12 characters. If you have trouble remembering a complex password, we recommend using a password manager. Most password managers will create complex passwords for you!

Reviewed your social media accounts privacy settings:

Privacy settings can help limit what information you disclose to the general public. We recommend reviewing your privacy settings for social media platforms. Most social media sites default to sharing everything! The University of Cincinnati has a guide on how to manage social media privacy settings.

Covered your webcam when not in use:

Webcam covers are used to physically block your webcam when it is not in use. Although it may not be necessary, it can give a piece of mind as you walk away from your computer.

Visit the Security Hero website:

Check out our Security Heroes website! A security hero is someone who actively helps keep the university environment and data safe and secure from harm. Reporting of potential security incidents will enter you into the security hero of the month raffle!

Read an article on Cybersecurity:

Keep up to date with cyber security by reading an article at any of the following publications:

• BleepingComputer | Cybersecurity, Technology News and Support
• The Hacker News - Most Trusted Cyber Security and Computer Security Analysis
• SANS.edu Internet Storm Center - SANS Internet Storm Center

Read an article on the staysafeonline.org website:

Read an article on Stay Safe Online!

Watch Cybersecurity Education Videos:

Although there are a ton of different cyber security education videos online, here are a couple interesting videos:

• Cybersecurity 101 - YouTube
• Cyber Security In 7 Minutes | What Is Cyber Security: How It Works? | Cyber Security | Simplilearn - YouTube
• Security Awareness Episode 1: Passwords - YouTube

Learn about STAC:

The VCU Student Technology Advisory Committee (STAC) is intended to form cooperation between VCU Technology Services and the academic and social life of students at VCU. The Committee advises VCU Technology Services in service design and implementation, programming, and technology promotion at VCU. You can read all about it on the STAC website.

Check cyber hygiene on haveibeenpwned.com:

Haveipbeenpwned.com is a great resource to check if your personal information has been published in a data breach. It is as simple as entering your email address or phone number.

Learn about password managers:

Password managers reduce the complexity of managing your password. They integrate into web browsers and also mobile devices. Password managers include vendors such as Lastpass, Keepass, and 1Password. 

Use a password manager:

Now it is the time to use a password manager! There are several password manager options that include free and paid options. 

Added MFA to your financial/bank accounts:

MFA (Multi-factor authentication) can help safeguard your account in the event that your password is compromised. Most financial or bank accounts allow you to set up multi-factor authentication.

Update software on your phone:

It is important to update your phone software to protect yourself from the latest vulnerabilities! If you have an Apple Device you can use these instructions and if you have an Android device you can use these instructions.

Update software on your computer:

It is important to update your computer software to protect yourself from the latest vulnerabilities! You can update software for macOS  and also Windows.

Add a strong password to your home WiFi:

You should create a strong WiFi password to prevent unauthorized computers from accessing your home network. The FTC also has some additional guidance on securing your home WiFi. 

Turn on your computer's firewall:

Your computer’s firewall can prevent malicious people/programs from accessing your computer. It is important to keep your firewall on!

Turn on your computer's antivirus software:

Modern antivirus software is pretty good at detecting threats on your computer. The most important point is to turn it on! By default, modern operating systems will turn on antivirus. You can turn on anti-virus for Windows.

Remove old/outdated software on your computer:

Outdated software can have vulnerabilities. Hackers can use these vulnerabilities to install malware on your computer. You should update the software or remove it all together.

Backup your Device:

In today’s world it is always a good idea to have a second copy of your file either on an external hard drive or in the cloud like Google or even Dropbox. We recommend backing up your files on a regular basis.