Week 4: University Phishing Simulation

As National Cybersecurity Awareness Month draws to a close, we are writing to let you know that we will be conducting a University-wide phishing simulation in the coming weeks. The purpose of this exercise is to practice recognizing the common characteristics of phishing messages and what to do (and not do) when you receive one. If you “bite” on our phish hook, you will see a BU web page letting you know that it was us and identifying how you might have known the message was false.

Why is this an important exercise now? On March 6, 2020 the Department of Homeland Security (DHS) sent a warning to all Americans that cyber actors were sending emails with malicious attachments or links to fraudulent websites exploiting the Covid-19 pandemic. They followed up on March 13 encouraging all organizations to adopt a heightened state of cybersecurity and then issued a Covid-19 cyber threat update warning that the frequency and severity of attacks will increase over the coming weeks and months. Boston University is conducting this training as a direct response to this threat.

What can you do to prepare?  Visit our phishing page to learn what the warning signs are, how to identify or flag a suspicious email, and how to report a suspicious email to Boston University: https://www.bu.edu/tech/support/information-security/security-for-everyone/phishing/

In addition, the National Cyber Security Alliance has launched a Covid-19 resource library in an effort to provide updated information on current scams, cyber threats and remote working: https://staysafeonline.org/covid-19-security-resource-library/

Falling for our simulated phish will not have any negative impact or consequence for you. It will only provide you with quick, helpful guidance to consider in the future. However, responding to or clicking on a link within a real phishing message will put you and the University at risk. We urge you to be cautious at all times when using email.

Stay cyber safe!

Week 3: Two-Factor Authentication

Passwords are increasingly easy to compromise. They can often be phished, stolen, or even guessed! Let’s be honest, our passwords need some help (enter Two-factor authentication…) Two-factor authentication (2FA) is a validation method that requires two or more verification factors to gain access; something you know –  your password or security questions – plus something you have –  a smartphone app or mobile device. This additional layer of protection significantly increases your security, protecting you even if your password is compromised.

Here at the University, we use Duo for our two-factor authentication (Duo 2FA). If you’re using BU Works or the Student Link you’re already using Duo 2FA. We’re excited to add Duo 2FA for BU Google accounts (which includes BU Gmail) on November 12, 2020.

We know MFA makes our accounts significantly harder to compromise, but are we using it correctly?

TIP OF THE WEEK: Take an active part in your security by following these practices for using Duo 2FA:

• Monitor your Duo prompts: When you log in to access your account, you’ll receive a Duo prompt on your mobile device. If someone else attempts to access your account, you will also receive a prompt. Click “Deny” on any prompt you did not initiate! This will stop anyone on the other end from gaining access. You’ll then be prompted to answer “Why are you denying this request” clicking on “It seems fraudulent” will trigger a support ticket through the IT Help Center so we may investigate further.

• Use the App: If you can use the smartphone app to approve Duo requests this is the best way to go. It’s simple and easy to use, provides clear information about the source of the request, and it saves the university money over the phone call and SMS options.

• Make sure your information is up to date: It’s critical to ensure that you know what devices and phone numbers Duo has associated with you Make sure your second factor information is correct and up to date in the app. If you get a new phone number or device, make sure to update Duo right away!

• Contact the IT Help Center if you lose your mobile device: The IT Help Center can remove your connected device ensuring someone isn’t able to access your accounts if they have possession of your phone or tablet.

For more information on Duo visit: https://www.bu.edu/tech/support/duo/

You can also add Duo 2FA if you have an BU Office365 account by opting in. In addition, you should add 2FA to your personal accounts like Facebook and your bank. Even the Starbucks app allows you to add 2FA to your account!

Hit “accept” on enabling 2FA wherever and whenever possible for an extra layer of security for the rest of your week!

Week 2: Phishing

Phishing remains the number one source of cyber-attacks & breaches globally, and here at Boston University. Being the victim of a phishing attack not only jeopardizes University resources, it can result in financial loss, identity theft, and take substantial time and effort to resolve.

During the pandemic, cyber criminals have aimed at taking advantage of the all the information and uncertainty surrounding COVID-19. Attackers are always looking for new opportunities to exploit vulnerable situations and we must be especially vigilant to prevent them from taking advantage of this crisis. If you are unsure of information that you have received electronically about the University’s response to COVID-19 do not click on any links or download attachments. The most current and accurate information is always available on BU’s Back2BU webpage or our Covid-19 Testing Data Dashboard.

What is phishing? Phishing is an attempt to criminally and fraudulently acquire sensitive information such as usernames, passwords, or credit card details by posing as a trustworthy entity in an electronic communication. This includes email, telephone or text messages.

What can I do to prevent falling for a phishing attack? Stop, think & evaluate any digital communications. Be critical of unsolicited or unexpected emails or messages, especially those that instill a sense of urgency. Click with caution and always verify the source.

What actions do I take if I suspect I’ve received a phishing communication? Forward any suspected phishing emails to abuse@bu.edu and then DELETE IT! If you do respond to a phishingemail, the most important action to take is to change your password immediately and contact the IT Help Center.

So how can BU better help our community in combating phishing during this time? Well this leads us to our…

TIP OF THE WEEK: Check out the BU Phish Bowl for the latest scams that have been reported by our community. Being vigilant and knowing what is out there will prepare you for when a phish makes its way into your inbox. This website will show you actual (and timely) phishing scams that have made it onto our network so you can identify and avoid getting hooked!

For more information on phishing and how to spot a phish visit: https://www.bu.edu/tech/support/information-security/security-for-everyone/phishing/

DO YOUR PART #BeCyberSmart and remember taking the extra step to stop,  think and reach out to verify a digital communication will keep you and the University safer. Take it further by passing on your knowledge to family & friends.

WHAT’S NEW IN ZOOM? Join us this Thursday 10/15 at 5pm for a Demo & Discussion of the latest security features for securing your sessions! Resister here: https://bostonu.zoom.us/meeting/register/tJclc-mgpz4pGNFmGdhBISgU58GAXAgM-gDo

Stay safe & phish-free!

Week 1: Zoom Security

Happy October! This month kicks off Cybersecurity Awareness Month a collaborative effort between the U.S. Department of Homeland Security and the cybersecurity industry to raise awareness about the importance of protecting your information online. This year’s theme is “Do Your Part. #BeCyberSmart.”

Every year, in alignment with Cybersecurity Awareness Month, the BU Information Security Team reaches out weekly in an effort to communicate simple tips, resources and best practices to help our community become safer online. More than any other time in history, now is the time to be proactive about your online wellness. So remember: If you connect it, protect it.

Let’s dive into the first topic for Cybersecurity Awareness Month 2020, our new best friend: Zoom!

TIP OF THE WEEK: Check out the new and improved BU Zoom security guide: 
https://www.bu.edu/tech/services/cccs/conf/online/zoom/getting-started/meeting-security/ 

BU has compiled a helpful guide for faculty, staff and students to Zoom security features. The Guiding Questions, Security Features and Planning Guide will walk you through maximizing and securing your sessions. 

In addition, join us for a demo & discussion: What’s new in Zoom? on Thursday October 15th at 5pm EST. Get more details and register here:
https://www.bu.edu/tech/support/information-security/cam/events/

Here are some highlights to get you started:

Don’t go public with your meetings: Posting meeting links, IDs, and passcodes on a public forum invites unwanted guests. Instead, send meeting details directly to attendees. Running a public event? Link to an event page hosted on a BU website or consider requiring registration for your meeting.

Utilize waiting rooms to your advantage: You can enable waiting rooms when you create a meeting or at any point during the meeting. Waiting rooms allow hosts to be selective about who can enter a session.

Use security features real-time: In a meeting and have a security concern? Don’t disrupt it by ending the meeting; hosts & co-hosts can use the Security button to quickly remove participants or adjust features, including the ability for participants to unmute themselves.

Make sure you’re using the latest & greatest version: Updating not only your Zoom but all apps & operating systems is the simplest thing you do to stay up to date with the latest protections (and cool features!).

We’ve tried to make Zoom security simple with the updated Zoom guide. Zoom has provided even more helpful information through their blog: https://blog.zoom.us/ 

What’s up next: Next week we’ll take you phishing with us!

Coming Soon: In the coming months we’re excited to roll out Duo Two-Factor authentication for your BU Google accounts. Stay tuned for more information!