Cybersecurity Awareness Month 2024 Archive
Week 1
Multi-Factor Authentication
Expand the sections below to learn about multi-factor authentication.
Multi-Factor Authentication (MFA) is a security mechanism that provides an additional layer of protection by verifying digital users through at least two authentication factors. There are three common types of authentication factors:
- Something you know: This refers to information known only to the user. For example: unique passwords, security questions, PIN codes.
- Something you have: This refers to something that the user owns. For example: a smartphone or a security token.
- Something you are: This factor refers to something that is exclusive to the user. For example: biometrics (e.g. fingerprint, facial scan).
Multi-factor authentication is the most effective way to protect your accounts. With multi-factor authentication, even if a password is compromised, a malicious actor would have to obtain an additional piece of information to gain access. When offered to “enable” or “turn on” MFA on your personal accounts such as Facebook, Amazon or Google, we strongly encourage you to do so.
At LSU, MFA is offered for all applications behind Microsoft authentication such as Workday, LSU email, Teams, Box, and Zoom.
All users will need to configure two methods for MFA: one as a primary method and a secondary method to be used as a backup. It is recommended that MFA be configured on different devices to ensure that you do not lose access in the event that a device and/or phone number changes.
While multi-factor authentication is one of the best ways to secure your accounts, there have been instances where cybercriminals have gotten around multi-factor authentication by tricking users into approving a malicious sign-in attempt.
In an “MFA Fatigue Attack,” hackers who have stolen a user’s password may generate several MFA approval notifications or phone calls in a short period of time, hoping that the account owner approves one of the verification requests out of confusion or annoyance. Cybercriminals can also use phishing messages and malicious “man-in-the-middle” websites to intercept a user’s sign-on attempt and MFA approval, or they may impersonate IT support and request your MFA code or instruct you to approve a specific login. In these cases, if the MFA request is approved or the code is provided to the attacker, the cybercriminal gains access to the account.
Therefore, if you are receiving multi-factor authentication log-in requests when you aren’t directly trying to log in, do not approve the requests!
If the request is for your LSU account, you can submit a “Fraud Alert” via the MFA phone call or app notification, or you can contact the Service Desk at 225-578-3375 or by email at servicedesk@lsu.edu.
If the MFA request is for a sign-in with another account, consult that service’s support for further information.
In any case, if you receive an unexpected MFA approval prompt, change your password for the account ASAP to prevent further malicious sign-on attempts and MFA verification requests. Also, if you reuse the potentially compromised password, change it for any other account that uses it (this is why every password should be unique).
Don’t let this deter you, though. Multi-factor authentication is typically very safe, and it is one of the best ways you can bolster the security of your data!
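The MFA fatigue pattern described above (a burst of push notifications to one account, sometimes followed by an approval) is something an identity team can look for in its own MFA logs. The following is an added example, not LSU's tooling; the log format, the five-minute window and the threshold of four pushes are assumptions, and the log lines are constructed.

```python
"""Flag the MFA-fatigue pattern (a burst of push notifications to one user)
in a constructed MFA push log. Example only; not LSU's tooling."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields: timestamp,user,event
SAMPLE_LOG = """\
2024-10-01T08:00:05,alice,push_sent
2024-10-01T08:00:09,alice,push_denied
2024-10-01T08:00:40,alice,push_sent
2024-10-01T08:01:10,alice,push_sent
2024-10-01T08:01:45,alice,push_sent
2024-10-01T08:02:00,alice,push_sent
2024-10-01T08:02:20,alice,push_approved
2024-10-01T09:15:00,bob,push_sent
2024-10-01T09:15:12,bob,push_approved
"""


def parse_log(text):
    """Parse CSV-style lines into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, event = line.split(",")
            events.append((datetime.fromisoformat(ts), user, event))
    return events


def find_fatigue(events, window=timedelta(minutes=5), threshold=4):
    """Return {user: details} for users who received at least `threshold`
    pushes inside any `window`; also note whether an approval followed the
    burst, which is the case a responder should treat as a likely compromise."""
    by_user = defaultdict(list)
    for ts, user, event in events:
        by_user[user].append((ts, event))
    hits = {}
    for user, evs in by_user.items():
        evs.sort()
        sends = [ts for ts, ev in evs if ev == "push_sent"]
        best, start = 0, 0
        burst_start = burst_end = None
        for end, ts in enumerate(sends):  # sliding window over push timestamps
            while ts - sends[start] > window:
                start += 1
            if end - start + 1 > best:
                best, burst_start, burst_end = end - start + 1, sends[start], ts
        if best >= threshold:
            approved = any(ev == "push_approved" and burst_start <= t <= burst_end + window
                           for t, ev in evs)
            hits[user] = {"pushes": best, "burst_start": burst_start,
                          "approved_after_burst": approved}
    return hits


if __name__ == "__main__":
    for user, info in find_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, info)
```

In the constructed log, alice receives five pushes in under two minutes and then approves one, which is exactly the sequence worth an immediate password reset and session review; bob's single push is normal sign-in traffic.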
Week 2
Password Management
Expand the sections below to learn about password management.
As our lives expand while we do more online, we’ve gone from having just a couple of passwords to today, where we might manage upwards of 100 or more. If you’re like most people, you’re probably using the same password for most of your accounts—and that’s not safe. If your one password gets stolen because of a breach, it can be used to gain access to all your accounts and your sensitive information. Want to check to see if your passwords have been exposed? Check out our additional resources below. Perhaps you do use unique passwords, but to keep track, you write them in a notebook or keep them on sticky notes. This leaves you vulnerable to prying eyes. But there is no need to fret; password managers are easy to use and make a big difference.
The best way to manage unique passwords for the ever-increasing number of online accounts we own is through a password manager application. A password manager is software created to manage all your online credentials, like usernames and passwords. It stores them in a safe, encrypted database and generates new passwords when needed. When you need a password, you can get a hyper-strong suggestion that is automatically stored in the password manager with just a few clicks. Say goodbye to short, reused passwords, and hello to strong, unique passwords!
Because the password manager stores all your passwords, you don’t need to memorize hundreds of passwords or keep that secret password paper in your drawer. Now, you only need to remember one to unlock your password vault in the manager app, so it makes things so much easier.
Pro tip: because the password that unlocks your vault is the “key to the castle”, it is vital to ensure that this password is unique, long, and complex. See additional resources below for password best practices.
Password managers not only let you manage hundreds of unique passwords for your online accounts, but some of the services also offer other advantages as well.
- Saves time
- Works across all your devices and operating systems
- Protects your identity
- Notifies you of potential phishing websites
- Alerts you when a password has potentially become compromised
- Most can be used along with multi-factor authentication for even more security
Even though password managers are the best way to keep your information safe, many people are afraid that storing all their passwords in one place means they are at risk if a hacker breaches their vault.
Password managers today are safer than ever before, and they are much safer than using a physical notebook, storing passwords in a Notes app or reusing passwords that are easy to remember. However, password managers should not be considered risk-free due to ever-increasing technological advances. Try to choose a password manager that utilizes multi-factor authentication for an added layer of security.
Compare your options and look for a quality password management system – you have a lot of choices! See additional resources below for best password managers of 2024.
Week 3
Software Updates
Expand the sections below to learn about software updates.
Every day, software and app developers focus on keeping their users and products secure. They’re constantly looking for clues that hackers are trying to break into their systems, or they are searching for holes where cybercriminals could sneak in, even if they’ve never been breached before. To fix these issues and improve security for everyone who uses their services, upstanding software companies release regular updates.
If you install the latest updates for devices, software, and apps, not only are you getting the best security available, but you also ensure that you get access to the latest features and upgrades. However, you can only benefit if you update! Don’t fret, updating software is easy, and you can even make it automatic. Check out the links below for more information.
When downloading a software update, only get it from the company that created it. Never use a hacked, pirated or unlicensed version of software (even if your friend gave it to you). Pirated, hacked, or unlicensed software can often contain and/or spread malware, viruses, or other cybersecurity nightmares to your network. Ruining your computer, phone, tablet, or other device isn’t worth it!
To view the catalog of software currently available to faculty, staff, and students follow the link below.
Software from legitimate companies usually provides an option to update your software automatically. When there’s an update available, it gives a reminder so you can easily start the process and you can often choose to schedule the update during the middle of the night. If you can’t automatically update it, remind yourself to check quarterly if an update is available.
Check out the links below for more information.
You’ve probably come across suspicious pop-up windows when visiting a website that urgently demand you download a software update. These are especially common on shady websites or if there is malware already on your machine. These are always fake – they are attempts at phishing or to entice users to click on a link that may download malware. Don’t click any buttons on these pop-ups; close your browser instead. Many web browsers will warn you if you are attempting to visit an insecure web address or one that could contain malware. Heed these warnings and don’t take the bait! Additionally, it is recommended that you avoid clicking on sponsored links that may appear at the top of search portals such as Google. Sponsored links may not point to legitimate websites for software downloads. Always look for the legitimate websites of the application providers and download the software directly from official sites.
Week 4
Phishing
Are you familiar with social engineering and Phishing? Can you effectively spot a Phishing email? Expand the sections below to learn more!
In a social engineering attack, a malicious actor uses human interaction (social skills) to obtain or compromise information about a person or organization. The malicious actor may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by gathering data from unsuspecting people, he or she may be able to piece together enough information to compromise an individual or organization.
The most common form of social engineering is phishing. Phishing emails are an attempt by malicious actors pretending to be a legitimate entity or person to steal private information, such as usernames and passwords, social security numbers, or banking information.
Note: Phishing attacks are not isolated to emails. Attackers may contact you over the phone (voice phishing, or “vishing”) as well, spoofing numbers so that they appear legitimate. Attackers may also use cell phone text messages (“smishing”) to send bogus messages that appear to come from banks, credit card companies and other legitimate organizations. For more information on vishing and smishing, please visit our Phishing page.
To protect yourself, become familiar with the key indicators of a phishing email. If you come to know some of the common indicators of a phish, you will be able to spot them more easily.
1. Check the sender.
- Check the domain of the sender's address. Phishing emails will often come from unfamiliar domains.
2. Check the body.
- Phishing emails often try to create a sense of fear and urgency in subject lines, hoping users will comply. Grammatical errors are common as well as random use of capitalization.
3. Check the destination.
- Always review links prior to clicking, and in the event the link has been clicked, please review the destination website for confirmation that the URL is accurate and valid. When possible, opt to go directly to a site through your browser instead of clicking a link.
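The three checks above (sender, body, destination) can be applied mechanically to a message. The following is an added example, not an LSU tool: it looks for an unfamiliar sender domain, urgency wording, and links whose displayed address differs from where they actually point. The trusted-domain list, urgency terms, and both sample messages are constructed assumptions.

```python
"""Check a message against the three indicators: sender, body, destination."""
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"lsu.edu"}  # assumption: your organisation's own domains
URGENCY_TERMS = ("urgent", "immediately", "suspended", "act now",
                 "within 24 hours", "verify your account")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAINISH = re.compile(r'^(?:https?://)?[\w-]+(\.[\w-]+)+(?:/\S*)?$', re.I)


def sender_domain(from_header):
    """Domain part of 'Name <user@host>' or a bare address ('' if none)."""
    m = re.search(r'@([\w.-]+)', from_header)
    return m.group(1).lower() if m else ""


def host_of(text):
    """Hostname of a URL or URL-looking label; '' for plain text like 'Click here'."""
    text = text.strip()
    if not DOMAINISH.match(text):
        return ""
    if not re.match(r'^https?://', text, re.I):
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def phishing_indicators(msg):
    """msg: dict with 'from', 'subject', 'body_html'. Returns a list of findings."""
    found = []
    dom = sender_domain(msg["from"])
    if dom and not any(dom == t or dom.endswith("." + t) for t in TRUSTED_DOMAINS):
        found.append(f"sender: unfamiliar domain {dom}")
    text = (msg["subject"] + " " + re.sub(r"<[^>]+>", " ", msg["body_html"])).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        found.append("body: urgency language (" + ", ".join(hits) + ")")
    for href, label in LINK_RE.findall(msg["body_html"]):
        shown, real = host_of(label), host_of(href)
        if shown and real and shown != real:  # displayed URL differs from real target
            found.append(f"destination: link shows {shown} but goes to {real}")
    return found


# Constructed samples (not real messages)
SAMPLE_PHISH = {
    "from": "LSU IT Support <helpdesk@lsu-secure-login.example>",
    "subject": "URGENT: Your account will be suspended",
    "body_html": '<p>Verify your account immediately at '
                 '<a href="http://lsu-secure-login.example/verify">https://myaccount.lsu.edu</a></p>',
}
SAMPLE_LEGIT = {
    "from": "LSU Service Desk <servicedesk@lsu.edu>",
    "subject": "Scheduled maintenance this weekend",
    "body_html": '<p>Details: <a href="https://www.lsu.edu/its">www.lsu.edu/its</a></p>',
}
```

A clean result does not prove a message is safe; the checks only surface the indicators the section lists, so an unexpected message still deserves a direct visit to the site rather than a click.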
Learn the common indicators of phishing emails.
- Do not click on URLs from unknown sources.
- Always ensure that your computer has the latest security updates and patches to reduce the chances of a vulnerable system that can be compromised or infected.
- Enter sensitive data on secure trusted websites only.
- Never email confidential or financial information.
- Be suspicious of all unknown callers/text messages.
- Don't inherently trust caller ID. Remember, telephone numbers can be spoofed, i.e. the number on caller ID may not be the actual number calling you.
- If you are unsure about a caller, ask lots of questions. If a caller is asking for personal information or wants you to purchase something, ask for company information and inform them that you will call back. You can search for the company and their customer support number to call back and confirm.
- Never respond to suspicious text messages.
- Only approve multi-factor authentication requests if you are actively logging in to your account(s).
- Never share your MFA token, code, etc. with anyone else.
NOTE: LSU will never ask for your password over a phone call or e-mail.
Check out these additional resources:
Check It Before You Click It-Phishing, Malicious Links & Spoofed Headers
IT Security and Policy’s (ITSP) comprehensive phishing awareness program educates our users on how to recognize malicious content by running regular phishing simulations. At the completion of each simulated phishing campaign, ITSP will choose two reporters to win an LSU bundle. One student and one employee will be randomly selected from each month’s reporters.
To qualify to win, you must report the phish using the Cofense Reporter button in Outlook or Outlook Web. Winners will be notified by a member of ITSP via email the week following the conclusion of each campaign.
ITSP has implemented a phishing reporting tool called Cofense Reporter. The application conveniently integrates directly with Outlook mail clients and Office365, providing LSU users with a quick and easy mechanism to report phishing e-mails.
- Use Cofense Reporter to report a phishing e-mail to LSU ITSP. This method will be the only one utilized to identify winners for the Phishing Awareness Program.
- If Cofense Reporter is not an available option for you, please report phishing messages to LSU ITSP.
If you believe you have fallen for a phish, please take the following actions:
- If you accidentally shared your username and password, please change your password immediately. (NOTE: The new password must be unique and should not have been used anywhere else. If you use the same password for different services, you must change passwords for other services as well)
- If you shared your banking (credit card, debit card, bank account number, etc.) information, please reach out to your financial institutions immediately and take the necessary steps as recommended by the respective institution.
- If you shared any other personally identifiable information (Social Security Numbers, Date of Birth, etc.) you should take necessary steps to monitor your credit for any unauthorized changes. It is also a great idea to place a freeze on your credit with all credit bureaus.
- If you have any questions, contact security@lsu.edu.
You can place a free freeze on your credit by visiting the following links:
Week 5
Artificial Intelligence and Deepfakes
As AI becomes part of our daily lives, it’s important to understand the technology so that you can take the appropriate steps to keep your data and the data of others safe. Expand the sections below to learn more!
Here are some best practices for AI use:
- Don’t Share Sensitive Data: Data provided by users can be used by AI models to improve their responses. Never share sensitive data such as passwords, social security numbers, or bank details with AI services.
- Fact-check Answers: AI content can often be inaccurate, misleading, or can contain copyrighted material. AI models have been known to produce strange responses, sometimes referred to as “hallucinations”. It’s your responsibility to ensure that the data you receive is accurate.
- Check Permissions/Privacy: Review the privacy statement and carefully read over any permissions requests when downloading or using AI applications. In fact, this is a good guideline for any software or application use.
- Update Regularly: Make sure to keep your software and AI applications up to date to protect against new threats.
Deepfakes are artificial intelligence-generated videos or audio clips that make it appear as though someone is saying or doing something they never did. This technology has been used to create fake celebrity videos, alter political speeches, and impersonate a target or a target’s family members in scams.
Deepfakes can be used to defame individuals and commit fraud. For example, if your vocal identity and sensitive information got into the wrong hands, a cybercriminal could use deepfake audio to contact your bank.
- Create a “Family Codeword”: Scammers can use deepfake audio recordings to lead you to believe that a loved one needs help. The “help” requested could be a wire transfer, overnight money order, or simply a credit card number. Create a “codeword” to be used by your family and friends in the event you receive a call that sounds suspicious or feels “off”.
- Share with care: The first step in avoiding deepfakes is to be extremely cautious about what personal information you share online. Limit the amount of data available about yourself, especially high-quality photos and videos, that could be used to create a deepfake.
- Enable strong privacy settings: Take full advantage of websites’ privacy settings to control who can access your personal information and content. Restrict who can see your photos, videos, and other sensitive data. Many social media networks have tools that allow you to manage the content you share with friends in different groups.
- Learn about deepfakes and AI: The realm of AI is changing rapidly. Staying aware of the latest developments can help you stay vigilant. You don’t need to become an expert, but following the news about these technologies is important for everybody. This knowledge can help you recognize potential red flags when encountering suspicious content.
- Practice Safety Basics: Cybercriminals can use AI to improve their attacks. It’s important to practice the safety basics we've covered this week such as having a strong password, using password managers, and enabling MFA to help protect yourself against attacks.
- Don’t take the phishing bait: Be extremely cautious when receiving emails, direct messages, texts, phone calls, or other digital communications if the source is unknown. This is especially true if the message is demanding that you act fast, such as claiming your computer has been hacked or that you won a prize. Deepfake creators attempt to manipulate your emotions so you download malware or share personal information. Verify the identity of the sender and avoid clicking on suspicious links. Think before you click.
- Report deepfake content: If you come across deepfake content that involves you or someone you know, report it to the platform hosting the content. This can help in having it removed or investigated, limiting its potential reach. You should also report it to federal law enforcement.