“Who will I be at the Halloween party this year?”
How about… YOU?
Lehigh University faculty, students, and staff live in a collaborative world where a mission of education and research leads to an open and trusting environment. We thrive on the open exchange of ideas with others both within and outside the university and have built an information technology environment that is open and easily accessible, collaborative, and blazingly fast to support that mission. In fact, a recent issue of The Atlantic asks the question “Can Campus Networks Ever Be Secure?” regarding information security in an environment of academic openness.
The answer is YES, and perhaps the most important thing any Lehigh user can do to improve their online safety is to simply “share their candy and not their credentials!” this Halloween.
So Who Wants to be YOU?
Those outside-your-door hackers or attackers want to be you. They ring your doorbell, swipe your credentials, and are off and running impersonating you!
It is estimated that 76%, or more than 3 in every 4, of data security breaches are attributed to logon credential compromises. While Halloween is only one day out of the year, the Lehigh community sees a stream of tricky phishing emails designed to “bag” user credentials. Those credentials are then often used by the attacker to treat themselves to your email account, or to try to access other personal accounts, as many people use the very same logon credentials for access to other services.
What many users find haunting, however, are the ghoulish acts that insiders, or those within your community, can do when impersonating you. Insiders often have higher levels of access to critical systems, which makes these credentials the very best of costumes to wear. Many times it may seem harmless to share your credentials with a co-worker or collaborator for a non-critical system and think they are trustworthy enough to stay out of more sensitive locations and systems. Often what happens is that life events such as personal or work issues, or just plain old curiosity, lead them to creep into those sensitive locations. Only now, as a “ghost” of you, they may move dollars or critical data into their goodie bag!
Put it in a Pumpkin Shell?
So what can you do to better protect your credentials? Despite the advice of Peter-Peter-Pumpkin-Eater, the best thing you can do is keep your credentials to yourself. You also can become more aware of the pitfalls and pranks users often fall for and better protect yourself from the mayhem that follows.
Similar to rules for trick-or-treating, some simple things you can do are:
Never share your credentials with anyone
Not even a “trustworthy” coworker or collaborator!
Use different credentials for Lehigh and for other services
If you find remembering passwords difficult, consider a password manager or signing up for two-factor authentication when possible.
Never reply to an email with your credentials
Email is insecure to begin with and ANYWHERE you type a password that appears ON SCREEN as the password…should be considered rather SPOOKY!
For phishing pages and urgent-response-type communications, stop, remain calm, and ask questions. Attackers want you to rush to judgement and respond. Slow down and think first.
Trust but VERIFY
As humans we want to be helpful. We want to trust. There are many senior executives in the news who have performed large dollar wire-transfers without proper verification. Make sure you follow verification procedures for accounts and transactions before proceeding.
October marks National Cyber Security Awareness Month and there are many resources available at www.staysafeonline.org for adults and children. Lehigh University and Library & Technology Services have again this year registered as Champions to promote security awareness through outreach programs, but know that Information Security welcomes any questions or concerns about data security issues either with Lehigh data or personal information. Contact us at firstname.lastname@example.org or by calling 610-758-3994.