Cybersecurity Newsletter for Fall 2020

Dear SJSU Community,

With the transition to remote modalities, most of you are now learning, teaching, and working from home without the protections of SJSU’s fortified network. This coincides with an uptick in cybercriminal activity as malicious attackers look to prey upon our uncertainties and anxieties. We want to help by giving you the tools and resources to protect your digital life.

Security is very important for us. It’s one of our driving goals, as outlined in President Papazian’s Transformation 2030 strategic plan. We want to be the safest university in the country. And it’s even more important to us today as we look outside traditional answers to protect you off-campus.

Sophos
We’ve partnered with Sophos, our campus antivirus vendor, to secure Sophos Home Premium licenses for faculty, staff, and students. Sophos Home Premium is an industry-leading, AI-enabled antivirus tool with features like real-time antivirus monitoring, ransomware protection, privacy & identity protection, and more. Home Premium usually retails for $60, but you can use your @sjsu.edu email account to download and install it for free on up to 10 computers.

DOWNLOAD SOPHOS

Duo Multi-Factor Authentication
As of December 2019, all faculty and staff were required to have Duo Multi-Factor Authentication on their SJSU accounts. Adding an additional layer of security by requiring login confirmation from a mobile device has made their accounts much, much more secure. In April, we opened up this option for students who wanted to protect their accounts from malicious agents. Over the next year and a half, we’ll be gradually requiring students to enable Duo on their accounts. If you’re a student, we highly encourage you to sign up early and protect your account today. Plus, if you enroll in Duo, we’ll extend your password renewal timeline from 180 days to two years. You can learn more about Duo and how it works on our Duo for Students website.

GET DUO

LastPass
A strong password is the first line of defense for your account. We’ll be partnering with LastPass to provide premium password management software for all SJSU students, faculty, and staff. We all know that we should have different passwords for every account we have everywhere. Still, all those passwords can be hard to remember and continually coming up with new ones feels like an uphill battle. LastPass will suggest, store, and autofill extra-secure random combinations of numbers, letters, and symbols for all of your accounts. Because LastPass encrypts all of your passwords, it’s much more secure than keeping them on a notepad or Google Doc. We’ll follow up with you on where and how to add SJSU LastPass to your devices later this semester.

Constant Vigilance
The first, best, and most effective defense against malicious actors is always you. The SJSU IT Information Security team has resources, training, and help for you to become a more critical user. I encourage you to explore our website, sign up for a Zoom training, and try some of the available security tools.

SJSU IT INFOSEC WEBSITE

Thank You
I know that not everybody finds information security as exciting a topic as I do. So I want to thank our entire university, all the way from incoming frosh to President Papazian, for taking data safety so seriously. Together, we can make SJSU the safest campus in the country.

Regards,
Bob Lim
VP of Information Technology
and CIO at San Jose State University

Hien Huynh
Information Security Officer
SJSU IT

Premium Antivirus for SJSU

Logo for Sophos Antivirus

SJSU IT has partnered with Sophos to provide advanced antivirus and digital safeguards at no cost to you. Sophos Home Premium has all of the same excellent desktop protection features as the enterprise version we use on campus: AI threat detection, ransomware protection, privacy protection, and more. Thanks to our strategic partnership, Sophos is offering this free to SJSU at a cost of $800,000. 

Because so many folks in our campus community are learning, teaching, and working remotely, we have to change the way we think about security. In the old paradigm, SJSU’s fortified campus network protected students, faculty, and staff who worked and conducted research from machines entirely within our environment. While connecting to the campus network via VPN or DaaS is still the most secure choice, we need to give more options to protect you wherever you work. COVID may have accelerated how we approach security, but our goal to have a mobile campus has always meant we’d need to expand our definition of security. This partnership will bring the kind of enterprise-grade security we use on university machines to your home devices. 

Download Sophos Home Premium today with your SJSU email address.

Thanks go to Michael Hastings for getting this ready for SJSU.

Best regards,
Bob Lim

Zoom Bombing at SJSU

Spartans,

With the start of a full semester spent teleworking and teleworking, I want to let you know about what we’re doing to prevent Zoom Bombing at SJSU. Zoom Bombing, the practice of “crashing” a zoom meeting or class, is something we’re taking very seriously. SJSU’s students deserve a safe virtual learning environment that fosters an open, interactive learning atmosphere.

Because this kind of action triggers serious repercussions in the traditional classroom setting, it will have similar repercussions in the virtual classroom. To some, Zoom Bombing may just seem like a prank, but it’s a malicious activity that disrupts the education environment. Unfortunately, Zoom Bombing is usually committed by individuals with authorized access to a session, rather than outside agents or someone sneaking in thanks to poorly configured security settings. We’ve enabled the option for Zoom hosts to require authentication for participants, a strong protection against potential Zoom Bombing.

ZOOM AUTHENTICATION

Should a student participate in an activity that substantially and materially disrupts the normal operations and infringes on the educational rights of the community, the University may issue any of the following sanctions that it believes are proportional to the behavior: restitution; educational and remedial sanctions; disciplinary probation; suspension; and/or expulsion. Any reported instance of Zoom Bombing will be thoroughly investigated, and we’ll use all available power to ensure we identify bad actors.

To all of the tens of thousands of students who have made the transition to online learning and to all the thousands of faculty who are now instructing remotely, we’d like to thank you for helping foster a community of support throughout our now virtual university.

If you have any questions about Zoom Bombing or about our disciplinary policy, don’t hesitate to reach out to us.

Thank you,

Alexandra D. Froehlich, M.A.
Director of Student Conduct & Ethical Development
Deputy Title IX Coordinator

Hien Huynh
Information Security Officer
SJSU IT

SJSU IT Phishing Awareness Program Starts June 30

Colleagues,

Next week, our Information Security Office will begin their Phishing Awareness Program in support of our Technology Recovery Plan, building on our cybersecurity layering strategy.

As part of this program, our staff, faculty, and students will periodically receive simulated phishing emails that imitate real attacks. These emails are designed to create a realistic experience without putting employees or the university at risk for a security breach. Employees who respond to the fake phishing attempts are directed toward training and resources to help them recognize phishing attempts in the future without shaming anybody.  We’ve run this program multiple times over the last few years and the results have been great. The Information Security Office will now operationalize this procedure quarterly because a knowledgeable user base is a strong defense against cybercriminals.

This program is critical because many of our faculty, staff, and students are working and learning remotely, where security safeguards are not as robust as on our campus network.

Faculty and staff were notified about the program in a campus-wide email on April 22 and prior messages. We’ll send out five such email phishing simulations over the next six months, timed to avoid the first two weeks of school, finals, and other critical events on campus, as part of our normal business process.

1. Staff Only: June 30, 2020
2. Staff Only: July 30, 2020
3. Faculty & Staff: September TBD
4. Students Only: October TBD
5. Faculty & Staff: November TBD

SJSU IT will redact the identifying information on those that responded and offer security training for departments with higher susceptibility rates. If you have any questions, please let me know.

Thank you,
Bob Lim

 

Critical Zoom Updates

Dear SJSU campus community,

As we move into summer and as we’ve mentioned in previous communications, SJSU IT is implementing improvements to Zoom. As usual, we hold off on any changes through finals to minimize any possible disruption for our faculty and students. Both of the items in this email will greatly enhance the security of Zoom for our university and both will impact how you use Zoom.

Authentication with SJSU

Your Zoom meetings have passwords by default, but anyone with the meeting link can still join your Zoom. That’s fine until your link gets shared with a malicious person outside your class or meeting. This is where authentication comes in, providing an additional layer of security on top of using meeting passwords.

Zoom meetings hosted by SJSU users can now require that all attendees be authenticated through SJSU’s single sign-on. Authenticated attendees are individuals who have signed in to Zoom and been verified as valid Zoom users. For SJSU authentication, this means they’ve logged in to Zoom using the SJSU single sign-on portal. SJSU authentication is a great security precaution when everyone in the meeting or class is an SJSU. We’re implementing this setting to enhance security at SJSU. Remember to double-check this setting whenever you schedule a meeting, as different Zoom clients have different default settings.

LEARN MORE

There are a number of cases where you may not need or want to use authentication and may consider changing this setting: classes with a visiting lecturer, meetings with off-campus vendors, or collaborative research discussions with other institutions, to name a few. To read about how to change this setting, please visit our Zoom Authentication website.

This change will go live Thursday, 5/28/2020. Take a moment before then to review our Zoom Authentication website so you’ll know the extra steps you may need to take before joining a class or meeting. It’s also a good idea to give yourself an extra couple minutes before meetings and classes once this change goes live, just in case.

Zoom 5.04

Beginning May 30, Zoom will require everyone to upgrade to the newer version of their client, Zoom 5.04. This new version has a handful of new features, but most importantly it uses a more secure encryption standard.

If you’re using a university machine, then the update will be automatically installed for you. If you’re currently working remotely on a home device, Zoom will notify you of the new version and help you download and install. You can update early by visiting Zoom’s Download Center and downloading and installing the latest Zoom Client for Meetings.

 

You’ll still be able to use Zoom without updating, but it will launch in the web interface. Zoom on the web is much less secure and has a very restricted feature set. That’s why SJSU IT is recommending that everyone update Zoom to this new version.
Student Conduct & Ethical Development
Lastly, I want to let you all know that we will be sending an email to students shortly informing them of our university processes around disciplinary action for Zoom Bombing. SJSU IT and the Office of Student Conduct and Ethical Development have been working closely on the issue of Zoom Bombing. Our university has only had a handful of cases, a testament to the integrity of our student population.
If you have any questions about the updating process or need help, please contact the SJSU IT Service Desk online or at 408-924-1530.
Thank you,
Bob Lim