June News from Information Security

I realize some of you may not have even read the May newsletter yet, as it only came out a week ago, but you should have…go do that…I’ll wait.

Now that you are up to speed, June is here and all of the “specialness” we experience every June is headed our way. SOAR sessions, campus updates, technology updates, and more are in progress. All of the things that we don’t do during the two main semesters are now in full swing. With this edition of the newsletter I want to preview some technology updates and changes that are coming our way, take a moment to remind everyone why the Office of Information Technology (OIT) highly recommends using a password manager, and talk about the new rage in login security that (hopefully) will eventually make usernames and passwords obsolete – passkeys. There’s a lot to unpack about passkeys, so we’ll do this in two parts, with an introduction now and the conclusion in the July newsletter.

The Office of Information Technology is currently pursuing a number of technology updates related to security that will affect the way you’ll interact with OIT, with the network in general, with your data and applications, and with threats like phishing emails. I’ve already mentioned the new help desk software, TeamDynamix, that handles your requests for assistance or services. The main page of the system will have info on any known outages, upcoming maintenance, and information security news and alerts. It also has useful links to OIT documentation on setting up multi-factor authentication (MFA), resetting your password, reading your Berry email on your phone or mobile device, downloading a copy of Microsoft Office, and connecting to Berry WiFi networks. This is also where you can place a request for OIT to complete a project related to technology like a new software integration or hardware upgrade.

In the not-too-distant future, there will be additional security measures in place to protect Berry data, potentially requiring changes in how your office or department work is completed, particularly by student workers. In some cases, you may need to provide a Berry-managed desktop or laptop for student workers to complete job tasks. This will certainly affect budgets, so as we know more about the specific changes, we will update everyone.

Changes to the network to improve security are already in progress, as Network Operations staff installed new perimeter firewalls in May and are currently configuring the network to separate Berry-managed devices from personal devices (both student and employee), Internet of Things devices (light bulbs, personal assistants like Alexa and Google Home, and other network connectable gadgets), and a group of devices we call operational technology. This includes things like electronic door locks, gates, cameras, fire alarm systems, HVAC control systems and even agricultural equipment. For the most part you shouldn’t even notice when these changes go into effect, but we live in a flawed world and someone is bound to notice, for some reason, at some point. We’ll provide more information as we start to roll out more changes.

I promised more information about dealing with phishing emails, but that is coming in July’s newsletter, so be sure to come back to this site and read it once it is published. What I will mention now is that in the future, reporting phishing and spam emails should help us build our defenses against them ever reaching your Inbox. More details in July…come back then.

I’ve talked a lot about the topic of password managers and why you should use them (not as much as spotting phishing emails, but, still, a lot). Since usernames and passwords are still the most ubiquitous way to log in to Internet sites and services, it is best to use strong, unique passwords for every site and service. How strong should a password be? We require 14 characters for a Berry password, but you should shoot for 20+ characters for most passwords. These passwords should be mostly random, not using common words or information that can be gleaned about you from social media or other public information sources. No birthdays, pet names, schools, teams, hobbies, or book titles. “But wait!” you say, “I can’t remember that many random passwords!” Believe me, I know…hence, the password manager. Take a look at the Quick Info page for password managers here on the site to get an idea of what a small investment it is to protect all of your accounts with a unique, random password.

How will we ever get away from this username and password mess, you ask? The way, according to some, is passkeys. That sounds a lot like passwords, you say. But they are better, with some caveats. Passkeys are specific to a website or service, using unique information to prove you are who you say you are. However, passkeys are tied to a device, preventing anyone from accessing your account without the specific key and device immediately available to them. What device is used to create and store these keys? Your smartphone, which immediately places some roadblocks to full adoption of passkeys, because as many of you know, not everyone has a smartphone. There are other layers of complexity with passkeys, as some sites that say they support passkeys only support them in specific browsers.

While passkeys are not yet sustainable as a full replacement for usernames and passwords, OIT encourages you to use them with sites that support them, if you have a compatible device and software. If you use a Mac of any kind, an iPhone or an iPad, that software is Keychain, which comes preinstalled with the device. For Android users, Password Manager or a compatible third-party app is required, and for Windows, you would use Windows Hello.

Here are a couple of resources from How-To Geek, including a slightly more in-depth introduction to passkeys:

What is a Passkey, and Should You Use Them?

Why the Future is Passwordless (and How to Get Started)

All Berry students, faculty and staff have MFA enabled on their Berry account, and you should use it in the most secure way via the Microsoft Authenticator app on your smartphone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn MFA/2FA on everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.

Please continue to report those phishing emails! We are holding a drawing at the end of every month for a small prize and all you need to do to enter the drawing is to report a phishing email.

If I’m not covering a topic of cybersecurity you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically Information Security, will be provided using these outlets. If you are not into social media, you can also subscribe to get updates via email. Just use the link available in the right-hand sidebar on the website.

Check out https://support.berry.edu for more information about OIT and the services we provide. You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the events calendar where events will be posted, like Cybersecurity Awareness Month.

Food For Thought

Mark Rober is a REALLY smart guy and if you’ve never seen any of his videos, you should start watching now, and if you have kids with curious minds, you should definitely watch. This is a longer video (22 minutes), but well worth the time. Mark relates his experience with a company that may be shaping the future of the effective use of drones.

Featured Image: Photo by FLY:D on Unsplash
