�Թϴ�Ӫ

Week 1

Learn about��.

Learn about��.

Download the��Multifactor-Authentication Poster.

MULTI-FACTOR AUTHENTICATION: WHY YOU SHOULD RACE TO EMBRACE IT

Authentication, in a security context, is about verifying your identity. And you authenticate on a regular basis: When you log into accounts and systems, the information you provide is intended to confirm your status as an authorized user. The problem with single-point authentication (think passwords and PINs) is that it’s also a single point of failure. If a password is the only safeguard in place, and that password is compromised… well, everything is compromised.��

Multi-factor authentication (MFA)—also commonly referred to as two-factor authentication (2FA)—has gained steam over the past several years. Technology advancements have made it relatively simple to implement MFA for key accounts, data repositories, and cloud-based systems. But there is another driving force behind MFA adoption: Password theft and successful credential compromise attacks have skyrocketed.��

MFA enhances security by requiring two or more pieces of information—that is, multiple factors—during the authentication process. There are three key factors in MFA:��

1. Something you know, like a password, PIN, or passphrase��

2. Something you have, like a real-time, unique verification code. These authentication codes are usually generated by a mobile app or security token, or they are delivered to you via a text message.��

3. Something you are, at a biometric level, like a fingerprint, iris scan, or voice pattern.��

In some cases, MFA isn’t optional. Organizations often require employees to provide multiple forms of authentication for assets like virtual private networks (VPNs) and cloud-based systems.��

But in other cases, the choice is yours. Many websites and applications have implemented MFA—but it’s up to you to enable it. Here are three reasons you��should always take advantage of MFA when it’s offered:��

1. It’s easy to add -�� Yes, you must take an action to enable MFA for your logins. But the process isn’t difficult. Sites and applications generally provide simple, step-by-step instructions and clearly explain when to expect an MFA prompt, and how to complete a login.��

2. It’s easy to use - As noted, there are multiple ways an organization might implement MFA. But regardless of the technology behind the additional authentication factor(s), MFA adds just a few seconds to your login process. (And the extra seconds are worth it.)��

3. It’s far more secure than a password alone - Cybercriminals have access to billions of stolen usernames and passwords on underground forums. So … what if the only thing standing between a criminal and your data, finances, and files is a compromised password? MFA helps to limit the damage that can be done if a threat actor steals (or buys) account credentials.
   ��

Week 2

Learn about��.��

Learn about��.

Download the��Password Poster.

UNDER LOCK AND KEY����

Creating strong passwords offers greater security for minimal effort.

You can buy a small padlock for less than a dollar—but you shouldn’t count on it to protect anything of value. A thief could probably pick a cheap lock without much effort, or simply break it. And yet, many people use similarly flimsy passwords to “lock up” their most valuable assets, including money and confidential information.��

Fortunately, everyone can learn how to make and manage stronger passwords. It’s an easy way to strengthen security both at work and at home.��

What makes a password “strong”?��

Let’s say you need to create a new password that’s at least 12 characters long, and includes numerals, symbols, and upper- and lowercase letters. You think of a word you can remember, capitalize the first letter, add a digit, and end with an exclamation point. The result: Strawberry1!

Unfortunately, hackers have sophisticated password-breaking tools that can easily defeat passwords based on dictionary words (like “strawberry”) and common patterns, such as capitalizing the first letter.��

Increasing a password’s complexity, randomness, and length can make it more resistant to hackers’ tools. For��example, an eight-character password could be guessed by an attacker in less than a day, but a 12-character password would take two weeks. A 20-character password would take 21 centuries.��

You can learn more about creating strong passwords in your organization’s security awareness training. Your organization may also have guidelines or a password policy in place.��

Why Uniqueness Matters��

Many people reuse passwords across multiple accounts, and attackers take advantage of this risky behavior. If an attacker obtains one password (even a strong one) they can often use it to access other valuable accounts.��

Here’s a real-life example: Ten years ago, Alice joined an online gardening forum. She also created an online payment account and used the same password. She soon forgot about the gardening forum, but someone accessed her payments account years later and stole a large sum of money.��

Alice didn’t realize the gardening forum had been hacked, and that users’ login credentials had been leaked online. An attacker probably tried reusing Alice’s leaked password on popular sites—and eventually got lucky.��

Guarding Your Passwords

1. Don’t write them down.��Many make the mistake of writing passwords on post-it notes and leaving them in plain sight. Even if you hide your password, someone could still find it. Similarly, don’t store your login information in a file on your computer, even if you encrypt that file.����

2. Don’t share passwords.��You can’t be sure someone else will keep your credentials safe. At work, you could be held responsible for anything that happens when someone is logged in as you.��

3. Don’t save login details in your browser.��Some browsers store this information in unsafe ways, and another person could access your accounts if they get your device.����

Week 3

Learn about��.

Download the��Outdated Software Poster.

Week 4

Learn about��.

THREE KEYS TO AVOIDING PHISHING EMAILS��AND RANSOMWARE ATTACKS��

Whether a large-scale onslaught or a smaller, more targeted campaign, all successful phishing and email-based ransomware attacks are disruptive and damaging on some level. And the simple reality is that they rely on human error; in order for cyberattacks to succeed, someone, somewhere, needs to take the bait. Cybercriminals utilize social engineering techniques—some basic and some very sophisticated—to manipulate human emotions and trigger a response.��

It can feel overwhelming sometimes given that we, as the targets, need to be right all the time while the attackers only need to be right once. But the good news is that small steps can amount to big strides when it comes to protecting data, devices, and systems at work and at home. Here are three simple, practical cybersecurity awareness training tips you can use to identify and avoid malicious emails��

#1 Stop Skimming and Start Studying

��We receive so many emails that we’ve conditioned ourselves to skim messages and make quick�� decisions. But when we do this, we take unnecessary risks. That’s because there can be clues both on the surface and just below the surface of the message that can alert us to things that aren’t right.��

 “From” addresses, URLs, and embedded links can masquerade as things they aren’t.����

 Do not take these items at face value (even if a name, logo, or other identifiers seem familiar and safe). On your PC, hover over—or “mouse over”—these pieces of content and examine the info that appears (you will often see the true destination of a web address in the bottom left of your browser window). On mobile devices, use a “long press” or “long click” and review the information in the pop-up window. If there appears to be a mismatch between what you expected to see and what is actually presented, steer clear.����

The content or topic of a message might not be quite right or not fully relevant to you.��

Be on alert if the tone of an email from a colleague, friend, or relative seems inappropriate or just doesn’t “sound like” them. Likewise, be sure to question receipt of an invoice or shipping notification that doesn’t make sense based on your ordering history. Thoroughly read what is written; don’t just skim past details.����

Misspellings and poor grammar can be indicators that the email did not originate from a trusted source.����

This is particularly true with messages that appear to be from a well-known, well-established individual or organization.����

In general, any unsolicited email—that is, any email that you were not explicitly expecting to receive—should be looked at carefully. But you should be particularly wary of any email that seems like it’s designed to trigger an emotional response— fear, surprise, excitement, concern—and that urges you to respond or act in some way (click a link, download a file, confirm/change a password, etc.).��

#2 Think It Through��

After you read an email, take a moment to digest it. What you want to do is give yourself the space to act thoughtfully, rather than just reacting in the moment. To help get yourself out of the habit of skimming and reacting, consider asking yourself a few quick questions about any email that requests a response or action that could compromise sensitive data, devices, or systems.����

For example:����

Was I expecting this message?– If the answer is “no,” ask more questions.����

Does this email make sense? – If the tone doesn’t seem right or the information you’re being provided doesn’t make sense, it could very well be a phish.����

Am I being pushed to act hastily or out of fear? – If you are, this is a major red flag.����

Does this seem too good to be true?–If you can’t believe what you’re reading, it’s likely you’re reading a phish.����

What if this is a phishing email? – This is a great question to ask yourself, because it can help you work through the things that could happen if you’re dealing with a phishing attack. Could you be downloading malware that would corrupt all your files? Could you be turning over a password or credit card number to a criminal? Could you be exposing your coworkers’ private information to a scammer?��

#3 Verify, Verify, Verify��

So nice, it’s worth saying thrice.����

It’s critical to remember that, with phishing scams, things are never what they seem. The reality is that a message can look and even sound legitimate but still set off a warning bell. For example, an email that comes from a corporate IT address and tells you to download new security software can seem trustworthy; it appears real and is on topic. But would that really be the process your IT department would follow?����

If reading and thinking don’t get you to 100% confidence, you must take extra steps to verify that you are dealing with a legitimate request before you click a link, download a file, or reply with sensitive data. Here are some easy ways to confirm that the information presented in an email is legitimate:����

Instead of clicking on a link, open your web browser and type in a known, trusted URL and navigate to the site yourself.����

Instead of replying to an email or calling a number included in the message, do your own fact-finding. Use an email address or phone number that you are able to confirm.����

If you’ve received a questionable message from a colleague or friend, contact them via another channel (like a phone call or text message) to make sure they sent it.����

Reach out to your IT team for advice. Alert them that there is a potential phishing threat active on your organization’s network.����

It takes just a minute to confirm a questionable message, whether it comes from a coworker, internal department, financial institution, or other source. In contrast, it can take days or weeks (or even longer) to remedy the consequences of interacting with a phishing or ransomware email. And sometimes you can’t ever remedy the consequences.

Did you know?

The Information Security team offers many services that can help your unit stay safe from cyber threats. For more information on what we can do to help from assessments to specialized training, please visit this page.

��

Videos

Learn more