Welcome to week two of Cybersecurity Awareness Month! If you haven’t started your cybersecurity awareness training, I encourage you to do so soon. The deadline is October 31st. If you haven’t started the scavenger hunt, then what are you waiting for? There have already been several completions and I know that your knowledge and perspective will both be enhanced by digging for the answers to the questions in the hunt. AND…you can win a prize! Complete all five levels and fill out the form at the end of the hunt and you will have six chances to win something cool.
Now that I have completed the necessary pleas to complete your training and join the scavenger hunt, let’s get to our topics for this week. We talked about passwords and password managers last week, along with deepfakes. This week we are looking at multifactor authentication, particularly the best ways to do it, and we have a topic researched and written up by a Berry student worker. QR codes and shortened URLs (uniform resource locator – a web address) are everywhere, making it easy and convenient to find websites about specific topics, but how do you find out where these mysterious codes and short, easy-to-type URLs actually take you?
Multifactor authentication or second-factor authentication (MFA and 2FA) are the same thing. They are an additional proof that you are who you say you are when you attempt to log into a website. But what is a factor? A factor is something that identifies you and there are three types:
- Something you know – a password, a code word, a PIN, etc.
- Something you have – a key, a hardware token, a file on a USB drive, a number in an app
- Something you are – your fingerprint, your face, your retina, your handprint, or even your voice
You use factors with an identifier – your username or email address. The website asks for a username or email address (and we will discuss how it is a bad idea to use email addresses to log into sites), then it asks for a factor – usually a password or a PIN. MFA and 2FA require another factor – something you have or something you are. You may be asked to check a phone app for a six-digit number, or you might get one texted to your phone or emailed to you. You then enter that number into the website form and you are allowed to log in. Without this second factor, even if you have the correct password, you will not be allowed access. MFA is required for your Berry account for everything except logging into campus computers.
Not all MFA is equally secure. MFA that relies on phone calls or text messages is not as secure as an authenticator app like Google Authenticator or Microsoft Authenticator. Hardware keys like those made by Yubikey are even more secure, as long as you don’t lose them… There are also hardware tokens that work like the authenticator apps in that they supply continuously changing six-digit numbers on a small display that you can provide as a second factor. Whatever you decide to use, use it for every account you can.
Here begins the section of this article written by my student worker, Gabby Ganues.
This week’s second topic considers the impact of QR codes in public and private business spaces recently, along with the increased use of short URLs. My hope is that you will be confident in using these in the future. Let’s start with QR codes.
QR codes provide a quick and easy way to navigate to websites, forms, surveys, and apps, just by scanning the code. Along with the convenience of the QR code, there also comes risk. Although some codes look harmless, the path or website embedded in the code can lead to malware or to other suspicious websites that prompt you to give away sensitive information.
A useful way to judge whether a QR code is safe is to consider its source. If the source is a presenter at school, or a trusted company or media platform, the code is usually safe. If you are unsure, there are online resources that decode QR codes and identify whether they lead to a suspicious pathway or website. You can check to see where a QR code goes by using this site.
Short URLs are similar to QR codes in the sense that they are compact. Common short URL brands like Bitly and TinyURL shorten the website of your choice, making what would be a longer URL look more uniform or aesthetically pleasing.
These URLs, however, produce a new risk: they are short. There is little to no information you can identify in these URLs. It is good practice to plug them into a decoding website similar to the QR decoder to ensure that the link source is trustworthy.
As always, if you are unsure of a link, do NOT click on it!
That’s all we have for this week. Complete that training, attempt the scavenger hunt! We’ll be back next week with two new topics.




