Longer Passwords are Stronger Passwords



Gone are the days of requiring password complexity over length. You know what I mean, right? We were often expected to come up with complex passwords that were at least 10 characters long and included uppercase letters, lowercase letters, symbols, and numbers. Perhaps something that looked like this 10-character password:

EgebDff79+

These days, NIST (National Institute of Standards and Technology) recommends password length over complexity. The longer the password, the longer it will take cyber criminals to crack. The other beautiful benefit is that longer, less complicated passphrases are often easier to remember. Additionally, many sites and applications now allow spaces in your passphrase, so consider stringing together a few unrelated words, or creating a sentence that is not commonly used or easy to guess. Perhaps something like this 16-character passphrase:

Cats eat waffles

Without a doubt, this 16-character passphrase is easier to remember than our 10-character complex password example, and according to LastPass’ password tester, it is also a very strong password.

Our first example (EgebDff79+) did not fare as well.

With all of this said, we’re happy to announce that this month Princeton University has revised its password policy from a 10-character minimum requiring four character sets (uppercase letter, lowercase letter, number, and symbol) to a 16-character minimum with no complexity requirements. Although a password change is not required at this time, we strongly encourage you to take this opportunity to visit the Princeton Service Portal (select Password Reset > My Princeton Account from the top navigation menu) and change to a longer, stronger passphrase. Remember to make your passphrase unique: if you reuse a password or passphrase and one of the other sites where you use it experiences a breach, you are putting yourself at risk for a significant security incident.
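To make the length-versus-complexity argument concrete, here is an added Python example (not part of the original post) that checks the post’s two sample secrets against the old and new Princeton policies and estimates the search space an attacker faces for each. The character-class pool sizes and the 20,000-word common-word list size are assumptions used only for the estimate.

```python
import math
import string

# The two secrets quoted in the post above.
OLD_EXAMPLE = "EgebDff79+"        # 10 characters, four character sets
NEW_EXAMPLE = "Cats eat waffles"  # 16 characters, no complexity rules

# Character classes and the alphabet each one adds to a brute-force search.
# Pool sizes are an assumption for the estimate, not a policy definition.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": string.punctuation,   # 32 printable ASCII symbols
    "space": " ",
}


def classes_used(secret):
    """Return the set of character classes that appear in the secret."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in secret)}


def meets_old_policy(secret):
    """Old policy: at least 10 characters drawn from all four character sets."""
    required = {"upper", "lower", "digit", "symbol"}
    return len(secret) >= 10 and required <= classes_used(secret)


def meets_new_policy(secret):
    """New policy: at least 16 characters, no complexity requirement."""
    return len(secret) >= 16


def brute_force_bits(secret):
    """log2 of the search space for an attacker who tries every string of this
    length over the classes actually used (assumes the attacker already knows
    the length and the character classes, so this favours the attacker)."""
    pool = sum(len(CLASSES[name]) for name in classes_used(secret))
    return len(secret) * math.log2(pool)


def wordlist_bits(secret, wordlist_size):
    """log2 of the search space if the attacker guesses whole words from a list
    of wordlist_size common words. This is why the post asks for unrelated,
    uncommon words: a few very common words are weaker than the character-level
    estimate suggests."""
    return len(secret.split()) * math.log2(wordlist_size)


def summarize(secret, wordlist_size=20000):
    """Collect the policy checks and both strength estimates for one secret."""
    return {
        "length": len(secret),
        "old_policy": meets_old_policy(secret),
        "new_policy": meets_new_policy(secret),
        "brute_force_bits": round(brute_force_bits(secret), 1),
        # Word-level estimate only makes sense for a multi-word passphrase.
        "wordlist_bits": round(wordlist_bits(secret, wordlist_size), 1) if " " in secret else None,
    }


if __name__ == "__main__":
    for secret in (OLD_EXAMPLE, NEW_EXAMPLE):
        print(repr(secret), summarize(secret))
```

For the two sample secrets the character-level estimate comes out at roughly 65.5 bits for the 10-character password and 91.6 bits for the 16-character passphrase, while three words drawn from a 20,000-word list would give only about 42.9 bits, which is the case the post’s advice about unrelated, uncommon words is meant to avoid.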

And if you’re looking for help managing all of your passwords or passphrases, don’t forget that the LastPass password manager is free for students, faculty, and staff. You can learn more about it by visiting our LastPass web page.

Reference

NIST SP 800-63B, Appendix A: https://pages.nist.gov/800-63-3/sp800-63b.html#appA

Post by Tara Schaufler, Awareness & Training Program Manager

Posted in Uncategorized

Cyber Security Best Practices for Remote Workers and Learners


I think we can all agree that it has been an unusual summer, and the fall semester will likely be the same. And while Princeton’s Information Security Office (ISO) is still up and running, you will likely not see us in person on the campus any time soon. But this doesn’t mean we aren’t still thinking about security, and we want you to be as well.  

Next month we will announce our fall online learning opportunities and events. In the meantime, we’d like to share some tips gathered from the National Cyber Security Alliance (NCSA) concerning coronavirus scams and best practices for remote learning and working.


Vigilance Against Coronavirus Scams – Best Cyber Security Practices for Remote Workers and Learners

Cybercriminals are seizing on coronavirus fears by using online scams to extract internet users’ personal and financial information. These scams – sent through email, texts, or social media – claim to provide coronavirus awareness, sell virus prevention products, and/or may ask for donations to a charity. They can often appear to be from a legitimate organization or individual, including a business partner or friend.

  • Don’t reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Pay attention to the website’s URL (www.website.com). Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com versus .edu).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Contact the company using information provided on an account statement, not information provided in an email. Remember to visit the Princeton University Phish Bowl for a list of current phishing scams that have been reported.
  • Keep a clean machine. Keep all software on internet-connected devices – including PCs, smartphones, and tablets – up-to-date to reduce risk of infection from malware.

Tips for working and learning remotely:

  • Use the University’s Virtual Private Network or VPN (GlobalProtect or SonicWall) to access select Princeton network systems. Home routers should be updated to the most current software and secured with a lengthy, unique password. Beware of connecting to public WiFi to access Princeton accounts unless using VPN.
  • Consider separating your network so your University devices are on their own WiFi network and your personal devices are on their own. Watch the ISO’s webinar on securing your home network for more information.
  • Keep devices with you at all times or stored in a secure location when not in use. Set your computer’s screen to lock automatically. This is helpful if you step away from your computer and forget to lock it manually.
  • Limit access to the device you use for work. Only the approved user should use the device (family and friends should not use a University-issued device).
  • Regardless of where you are located, stay safer and more secure online by updating software on all devices (including antivirus and firewalls), backing up data, enabling multi-factor authentication wherever you can, and using strong, lengthy passwords or passphrases for each online account.

For more information and tips on how to stay safe online, visit the ISO’s Safe Computing page or the NCSA website.

The content above was provided by the National Cyber Security Alliance (NCSA) and adapted for Princeton University.

Post by Tara Schaufler, Awareness & Training Program Manager


Zoom & Security: Keep Calm & Zoom On


Written by Steve Niedzwiecki & Tara Schaufler

Many of our campus partners have reached out with questions about the security and privacy of Zoom. In the current COVID-19 environment, use of the product has increased exponentially at Princeton and around the world. Zoom has reportedly gone from a February 2020 daily peak of 10 million users to over 200 million daily users in March, and is generally regarded as the clear current leader for online meetings. Its previous corporate focus has evolved to supporting online education around the world, as well as personal use that helps many of us connect with friends.

However, this extremely rapid growth has led to increased scrutiny of Zoom’s security and privacy. Some issues have been identified, to which Zoom has responded or is in the process of responding. The good news is that Zoom has committed to continue working on these issues. In fact, Zoom’s CEO recently announced that Zoom will forgo work on any new features over the next 90 days to focus solely on improving the platform’s security and privacy protections. This April 1st blog post summarizes the issues they’ve had, what they’ve done to correct them, and how they plan to proceed. Additionally, Zoom has prepared a web page related to all things security.

At Princeton, we’ve prepared a Zoom Best Practices knowledge base article that includes information about using the platform securely (such as preventing “Zoombombing” attacks). This updated article includes some suggested mitigations against recently identified security issues:

  • A very recently announced vulnerability in Zoom for Windows (3/31/20) involves its chat function and links sent in chat. We recommend, as a best practice, not clicking links in chat, particularly when you don’t know all of the participants in the Zoom session. A malicious link in chat that connects to another computer could be used to execute dangerous programs and compromise your computer.
  • The Zoom software installer for Macintosh has been criticized (3/30/20) in that it potentially enables malicious actors to modify the installer in ways that would put systems at risk. The best way to mitigate this risk is always to download the Zoom client directly from Zoom itself.

Princeton’s Information Security Office has been monitoring Zoom’s security and privacy posture, and although they’ve recently had some significant issues worthy of concern, we are pleased with the company’s responsiveness.

Other Princeton Zoom Resources:


“Are you available?” Email Phishing Scams on the Rise


Many individuals on our campus have reported suspicious emails from someone impersonating a Princeton colleague. These messages typically ask a question and look for a reply in an attempt to start a conversation. Once the sender has drawn the recipient into a conversation, they often ask for personal information or ask the recipient to purchase gift cards. Please be on alert, as a small number of individuals on our campus have recently fallen victim to similar social engineering attacks.

Here’s an example of a recent message received at Princeton:

From: [Spoofed Princeton User]
Sent: Monday, January 20, 2020 12:14 PM

Subject: Quick Request

Are you available?

In this example, the initial message was harmless, but subsequent messages asked the recipient to purchase gift cards.

What can you do to stay safe?  

Examine incoming messages carefully. If something seems suspicious, check the Phish Bowl (https://princeton.edu/phish-bowl) to see if it’s been reported to OIT.  If it has not been reported, forward the message to phishbowl@princeton.edu.  Please be on alert and follow these tips:

  • Look carefully at the sender’s address. They may try to trick you with something that looks like a princeton.edu email address (e.g., “tara.schaufler.princeton@gmail.com”).
  • Question unusual requests, such as a claim that the sender is busy and needs your help right away. An example we’ve seen is the sender asking the recipient to purchase gift cards, scratch off the codes, and email the information back to them.
  • Think twice before clicking on links or attachments.
  • Never give away personal information in an email.
  • Look for telltale signs of phishing emails, such as a blank “to” field, suspicious “from” field, odd or generic salutations, and spelling and/or grammar errors.
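As an added example (not from the original post), the following Python checker applies the tips above to two constructed messages: a lookalike sender address that mentions "princeton" but is not sent from princeton.edu, a blank “To” field, a generic salutation, and the “are you available” opener. The sample messages, the salutation list and the phrase list are assumptions for illustration, not an official rule set.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "princeton.edu"
# Openers and follow-ups described in the post; this list is an assumption.
URGENT_PHRASES = ("are you available", "right away", "gift card", "quick request", "urgent")
# Odd or generic salutations mentioned in the post; also an assumption.
GENERIC_SALUTATIONS = ("hello,", "hi,", "hi there", "dear user", "dear customer", "dear sir")


def is_trusted_domain(domain):
    """True for princeton.edu itself and any of its subdomains."""
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)


def check_message(raw):
    """Return the list of warning flags raised for one raw message.

    Assumes a plain-text, non-multipart body (enough for the messages
    described in the post); multipart bodies are simply not inspected.
    """
    msg = message_from_string(raw)
    flags = []

    # Tip 1: the address mentions princeton but the mail did not come from princeton.edu.
    display_name, address = parseaddr(msg.get("From", ""))
    local_part, _, domain = address.lower().rpartition("@")
    looks_like_princeton = "princeton" in local_part or "princeton" in display_name.lower()
    if looks_like_princeton and not is_trusted_domain(domain):
        flags.append("lookalike-sender")

    # Tip 5: a blank "To" field (the message was sent to many people via Bcc).
    if not msg.get("To", "").strip():
        flags.append("blank-to")

    body = "" if msg.is_multipart() else msg.get_payload()
    lines = [line.strip().lower() for line in body.splitlines() if line.strip()]
    first_line = lines[0] if lines else ""
    if first_line.startswith(GENERIC_SALUTATIONS):
        flags.append("generic-salutation")

    # Tip 2: the conversation-starter / urgency pattern in subject or body.
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(phrase in text for phrase in URGENT_PHRASES):
        flags.append("urgent-request")

    return flags


# Constructed sample modelled on the message shown in the post (not a real sender).
SCAM_SAMPLE = "\n".join([
    'From: "Spoofed Colleague" <some.colleague.princeton@gmail.com>',
    "To: ",
    "Subject: Quick Request",
    "",
    "Are you available?",
])

# Constructed sample of an ordinary internal message.
LEGIT_SAMPLE = "\n".join([
    'From: "Some Colleague" <colleague@princeton.edu>',
    "To: you@princeton.edu",
    "Subject: Notes from Monday",
    "",
    "Hi Alex,",
    "Attached are the notes from Monday's meeting.",
])


if __name__ == "__main__":
    print("scam :", check_message(SCAM_SAMPLE))
    print("legit:", check_message(LEGIT_SAMPLE))
```

A match on any flag is a reason to check the Phish Bowl and forward the message to phishbowl@princeton.edu rather than reply.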

We all play an important role in keeping our campus safe.  Thank you for continuing to be our guardians at the gate!  


‘Tis the Season: InfoSec Holiday Open House & Posterboard Session

On Thursday, December 12, the Information Security Office hosted a holiday open house and posterboard session from 2-5 PM. And what a great event it was! I mean, what’s not to like? There were festive beverages, snacks, and opportunities to learn. All of that, and a lovely location as well: the event was held at Prospect House on the Princeton University campus.

Charged with keeping our campus safe from cyber criminals, the Information Security Office believes that arming the campus community with knowledge makes all the difference. At this event, attendees had the opportunity to enjoy festive nosh while viewing information security-related posters. If you missed this event, check out the links and images for all eight posters below.

Interested in learning more? The Information Security Office at Princeton offers many opportunities to learn throughout the year. For additional information security resources, visit our website. We look forward to seeing you at upcoming events.


The InfoSec Team Can’t Do It Alone—Cyber Security Is Everyone’s Responsibility

Happy October and National Cyber Security Awareness Month (NCSAM)!

Did you know? In 2017 the education industry (which includes K–12 and higher education institutions) had 7,837,781 records breached in 35 events. To put that into perspective, the healthcare industry had 6,058,989 records breached in 428 events, and the retail industry had 123,652,526 records breached across 33 events. (See Privacy Rights Clearinghouse Chronology of Data Breaches, 2017 data.)

More than half of the breaches in the education sector were caused by activities directly attributable to human error, including lost devices, physical loss, and unintended disclosure (see figure 1). These breaches were arguably preventable through basic information security protection safeguards.

Figure 1. Bar chart showing types of security breaches among educational institutions

What can you do every day to protect data? The Princeton Information Security Office (ISO) believes YOU are our guardians at the gate and can actively help us protect data! Few, if any, other sectors transmit, process, access, and share as wide a range of sensitive data elements as higher education does. There is no “one size fits all” blueprint for information security controls that all institutions can follow. Yet all campus members have a responsibility to know basic information security protections to safeguard data and prevent those data from being mishandled. Here’s how you can help:

  • Update your computing devices: Ensure updates to your operating system, web browser, and applications are being performed on all personal and institution-issued devices. If prompted to update your device, don’t hesitate—do it immediately.
  • Enable two-factor authentication: Whether for personal use or work, two-factor authentication can prevent unauthorized access even if your login credentials are stolen or lost.
  • Create strong and unique passwords: Create unique passwords for all personal and work accounts. In today’s environment, one of the best ways to create a strong password is to use a password manager (Princeton offers LastPass password manager free of charge to all students, faculty, and staff). A password manager will alleviate the burden of having to memorize all the different complex passwords you’ve created by managing them all in one vault and locking that vault with a single master password.
  • Protect your devices: Using biometrics or six-digit passcodes on smartphones and tablets is critical to keeping curious minds from accessing personal information, work email, or retail/banking applications. It also helps protect your device if you lose or misplace it.
  • Understand where, how, and to whom you are sending data: Many breaches occur because of mistakes where sensitive information is posted publicly, mishandled, or sent to the wrong party. Be sure you are familiar with Princeton’s data classifications.  Visit our Protect Our Info website for details.

Getting ready to send data to a vendor or sign a contract? With more and more services moving to the cloud, higher education institutions have an additional obligation to ensure that third parties are protecting our most sensitive information. If you or your department are looking to purchase or adopt a service or technology that uses institutional data, it is imperative that you include the ISO at the beginning of the project or contract process to help ensure that data are properly protected. Visit our Architecture & Security Review (ASR) webpage for more information.

For additional tips and to learn about upcoming events, visit our NCSAM webpage.

Portions of this blog were provided by Educause (www.educause.edu/securityawareness).


LastPass Password Manager – What’s all the hype?

Have you heard about LastPass password manager? I hope so! It’s now free to students, faculty, and staff. I have to admit that I didn’t use a password manager until I started working in the Information Security Office, but now I’m hooked. I’m no longer scrambling to find passwords, and my password hygiene has improved.

We all have a method of managing our passwords. Perhaps you store passwords in a notebook, an Excel spreadsheet, or a web browser, or you simply reset your passwords a ton of times because you forget them. The reality is that these methods are not secure. LastPass is built with security in mind. LastPass uses the same encryption algorithm that the U.S. Government uses for top-secret data. This encrypted data is unreadable to LastPass and to everyone else without the Master Password, which you create and set. Now, if you’re anything like me, you’re probably thinking: is this REALLY secure? I’m skeptical of basically everything electronic, so even with the excellent data that supports the security of this product, I’ve chosen to save everything in my vault except the passwords for a few sensitive accounts. I keep those passwords in my head and in my physical safe at home. But I know plenty of security folks who keep all of their passwords in LastPass; I just have issues.

All of my issues aside (and I assure you I have many), LastPass has definitely been a game changer for me.  I love having all of my passwords at my fingertips. Benefits I love include:

  • I now create better passwords using the built-in password generator. No more thinking up long, strong passwords because LastPass does it for me.
  • I don’t have to remember passwords because LastPass fills in the fields for me.
  • I create secure notes to capture information that I have trouble remembering but need to keep secure (like the PIN # for my Princeton travel card).
  • I’m organized!  My passwords are at my fingertips thanks to the LastPass browser extensions and mobile app for my phone.
  • And it’s free! LastPass Enterprise is free for faculty and staff to store passwords used for University business, and free LastPass Premium accounts are available to store personal passwords. The two vaults can be easily linked for convenience. If you leave the University, your Enterprise account will go away, but your LastPass Premium account remains for you to use. Students are also eligible for free LastPass Premium accounts.

Not convinced yet?  Here are some quotes from users on our campus:

“LastPass gives our team the ability to share administrative system information securely and is accessible from anywhere.”

“Using LastPass means all my passwords now will be strong, unique, and available everywhere.  One New Year’s resolution taken care of.”

“LastPass puts the zip, zap, zoom in password management.”

Interested now?  Go to https://princeton.edu/lastpass to learn more!  You can also join me for one of our upcoming classes at Frist Campus Center on:

  • September 27 at 2PM or
  • November 7 at 10AM

Visit the Learn Center to enroll.  I look forward to seeing you!


Keeping Tabs on Mobile Devices

With an increasing amount of sensitive data being stored on personal devices, the value and mobility of smartphones, tablets, and laptops make them appealing and easy targets. These simple tips will help you be prepared in case your mobile device is stolen or misplaced.

  • Encrypt sensitive information. Add a layer of protection to your files by using the built-in encryption tools included on your computer’s operating system (e.g., BitLocker or FileVault).
  • Secure those devices and back up data! Make sure that you can remotely lock or wipe each mobile device. That also means backing up data on each device in case you need to use the remote wipe function. Backups are advantageous on multiple levels. Not only will you be able to restore the information, but you’ll be able to identify and report exactly what information is at risk. (See Good Security Habits for more information.)
  • Never leave your devices unattended in a public place or office. If you must leave your device in your car, place it in the trunk, out of sight, before you get to your destination, and be aware that the summer heat of a parked car could damage your device.
  • Password-protect your devices. Give yourself more time to protect your data and remotely wipe your device if it is lost or stolen by enabling passwords, PINs, fingerprint scans, or other forms of authentication. (See Choosing and Protecting Passwords.) Do not choose options that allow your computer to remember your passwords.
  • Put that shredder to work! Make sure to shred documents with any personal, medical, financial, or other sensitive data before throwing them away.
  • Be smart about recycling or disposing of old computers and mobile devices. Properly destroy your computer’s hard drive. Use the factory reset option on your mobile devices and erase or remove SIM and SD cards.
  • Verify app permissions. Don’t forget to review an app’s specifications and privacy permissions before installing it!
  • Be cautious of public Wi-Fi hot spots. Avoid financial or other sensitive transactions while connected to public Wi-Fi hot spots.
  • Keep software up to date. If the vendor releases updates for the software operating your device, install them as soon as possible. Installing them will prevent attackers from being able to take advantage of known problems or vulnerabilities. (See Understanding Patches and Software Updates.)

What can you do if your laptop or mobile device is lost or stolen? Report the loss or theft to the appropriate authorities. These parties may include representatives from law-enforcement agencies, as well as hotel or conference staff. If your device contained sensitive institutional or student information, immediately report the loss or theft to your organization so that they can act quickly. If you suspect that Princeton University information has been exposed to unauthorized individuals either through a lost or stolen computer/storage media or through a computer compromise, immediately report the incident to the OIT Support and Operations Center Help Desk at 8-HELP or helpdesk@princeton.edu.

Blog content provided by Educause (www.educause.edu/securityawareness).



Shop Safe Online, Even on Black Friday!

The holiday season is the perfect time for cybercriminals to take advantage of unsuspecting online shoppers. When you go to the grocery store or local shop, it’s habit to grab your reusable bags, lock the car, and make sure you’ve safely put away your credit card or cash before heading home with the day’s purchases. Similar precautions need to be taken when you’re shopping online from the comfort of your own home. If you make these simple precautions regular online shopping habits, you’ll be protecting your purchases and personal information.

The National Cyber Security Alliance recommends following these basic steps so you’ll be ready to cybershop safely and securely.

  • Lock down your login. One of the most critical things you can do in preparation for the online shopping season is to fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like e-mail, banking, and social media.
  • Keep clean machines. Before searching for that perfect gift, be sure that all web-connected devices—including PCs, mobile phones, smartphones, and tablets—are free from malware and infections by running only the most current versions of software and apps.
  • Shop reliable websites online. Use the sites of retailers you trust. If it sounds too good to be true, it probably is!
  • Conduct research. When using a new website for your holiday purchases, read reviews and see if other customers have had a positive or negative experience with the site.
  • Personal information is like money: value it and protect it. When making a purchase online, be alert to the kinds of information being collected to complete the transaction. Make sure you think it is necessary for the vendor to request that information. Remember that you only need to fill out required fields at checkout.
  • Get savvy about Wi-Fi hotspots. If you are out and about, limit the type of business you conduct over open public Wi-Fi connections, including logging in to key accounts, such as e-mail and banking. Adjust the security settings on your device to limit who can access your phone. If you must use open Wi-Fi connections, connect to a virtual private network (VPN) first.
  • Check the address bar. Look for the green lock icon and https:// in the URL before using your credit card online.

Blog content provided by Educause (www.educause.edu/securityawareness).


Are You Ready for Ransomware?

What Is Ransomware?

Ransomware is a type of malicious software that encrypts your files. Often, the only way to decrypt and gain access to the files is by paying a “ransom” or fee to the attackers. The attackers might provide the decryption key allowing you to regain access to your files. Ransomware may spread to any shared networks or drives to which your devices are connected. We are continuing to see ransomware attacks and expect their frequency to increase.

How Can I Get Infected with Ransomware?
Common vectors for ransomware attacks include e-mails with malicious attachments or links to malicious websites. It’s also possible to get an infection through instant messaging or texts with malicious links. Antivirus may or may not detect a malicious attachment, so it’s important for you to be vigilant.

How Can I Protect Myself Against Ransomware?
There are two steps to protection against ransomware:

  • Preparation. Back up your information regularly. Once a ransomware infection occurs, it’s often too late to recover the encrypted information. Your research project or other important information may be lost permanently. For more information on backups, visit RIT’s best practices web page.
  • Identification. Ransomware typically appears as phishing e-mails, either with links to malicious websites or infected files attached. You might also see a ransomware attack perpetrated through a pop-up telling you that your computer is infected and asking you to click for a free scan. Another possible vector is malvertising, malicious advertising on an otherwise legitimate website.

Probably the Most Important Steps You Can Take to Prepare…

  • Ensure that your information is backed up regularly and properly. Because ransomware can encrypt the files on your computer and any connected drives (potentially including connected cloud drives such as Dropbox), it’s important to back up your files regularly to a location that you’re not continuously connected to. To determine the backup capabilities available to you contact your IT service desk.
  • Ensure that you’re able to restore files from your backups. Again, work with your IT support personnel to discuss how to test restore capabilities.
  • Ensure that antivirus/antimalware is up to date and functioning. Antivirus may detect malicious attachments.
  • Ensure that you’re keeping your system (and mobile devices) up to date with patches. If you’re prompted by your computer or mobile device to accept updates, accept them at your earliest convenience.
  • Don’t do day-to-day work using an administrator account. A successful ransomware attack will have the same permissions that you have when working. (If you’re not using an account with administrator privileges, the initial attack may be foiled.)

What Do I Do If I Think I’m Infected?

  • Report the ransomware attack to your service desk immediately.
  • Isolate or shut down the infected computer. (If you’re on Wi-Fi, turn off the Wi-Fi. If you’re plugged into the network, unplug the computer. Infected systems should be removed from the network as soon as possible to prevent ransomware from attacking network or shared drives.)

Blog content provided by Educause (www.educause.edu/securityawareness).
