Premium Antivirus for SJSU

SJSU IT has partnered with Sophos to provide advanced antivirus and digital safeguards at no cost to you. Sophos Home Premium has all of the same excellent desktop protection features as the enterprise version we use on campus: AI threat detection, ransomware protection, privacy protection, and more. Thanks to our strategic partnership, Sophos is offering this free to SJSU at a cost of $800,000. 

Because so many folks in our campus community are learning, teaching, and working remotely, we have to change the way we think about security. In the old paradigm, SJSU’s fortified campus network protected students, faculty, and staff who worked and conducted research from machines entirely within our environment. While connecting to the campus network via VPN or DaaS is still the most secure choice, we need to give more options to protect you wherever you work. COVID may have accelerated how we approach security, but our goal to have a mobile campus has always meant we’d need to expand our definition of security. This partnership will bring the kind of enterprise-grade security we use on university machines to your home devices. 

Download Sophos Home Premium today with your SJSU email address.

Thanks go to Michael Hastings for getting this ready for SJSU.

Best regards,
Bob Lim

Zoom Bombing at SJSU

Spartans,

With the start of a full semester spent teleworking, I want to let you know about what we’re doing to prevent Zoom Bombing at SJSU. Zoom Bombing, the practice of “crashing” a Zoom meeting or class, is something we’re taking very seriously. SJSU’s students deserve a safe virtual learning environment that fosters an open, interactive learning atmosphere.

Because this kind of action triggers serious repercussions in the traditional classroom setting, it will have similar repercussions in the virtual classroom. To some, Zoom Bombing may just seem like a prank, but it’s a malicious activity that disrupts the education environment. Unfortunately, Zoom Bombing is usually committed by individuals with authorized access to a session, rather than outside agents or someone sneaking in thanks to poorly configured security settings. We’ve enabled the option for Zoom hosts to require authentication for participants, a strong protection against potential Zoom Bombing.

Should a student participate in an activity that substantially and materially disrupts the normal operations and infringes on the educational rights of the community, the University may issue any of the following sanctions that it believes are proportional to the behavior: restitution; educational and remedial sanctions; disciplinary probation; suspension; and/or expulsion. Any reported instance of Zoom Bombing will be thoroughly investigated, and we’ll use all available power to ensure we identify bad actors.

To all of the tens of thousands of students who have made the transition to online learning and to all the thousands of faculty who are now instructing remotely, we’d like to thank you for helping foster a community of support throughout our now virtual university.

If you have any questions about Zoom Bombing or about our disciplinary policy, don’t hesitate to reach out to us.

Thank you,

Alexandra D. Froehlich, M.A.
Director of Student Conduct & Ethical Development
Deputy Title IX Coordinator

Hien Huynh
Information Security Officer
SJSU IT

SJSU IT Phishing Awareness Program Starts June 30

Colleagues,

Next week, our Information Security Office will begin their Phishing Awareness Program in support of our Technology Recovery Plan, building on our cybersecurity layering strategy.

As part of this program, our staff, faculty, and students will periodically receive simulated phishing emails that imitate real attacks. These emails are designed to create a realistic experience without putting employees or the university at risk for a security breach. Employees who respond to the fake phishing attempts are directed toward training and resources to help them recognize phishing attempts in the future without shaming anybody. We’ve run this program multiple times over the last few years and the results have been great. The Information Security Office will now operationalize this procedure quarterly because a knowledgeable user base is a strong defense against cybercriminals.

This program is critical because many of our faculty, staff, and students are working and learning remotely, where security safeguards are not as robust as on our campus network.

Faculty and staff were notified about the program in a campus-wide email on April 22 and prior messages. We’ll send out five such email phishing simulations over the next six months, timed to avoid the first two weeks of school, finals, and other critical events on campus, as part of our normal business process.

1. Staff Only: June 30, 2020
2. Staff Only: July 30, 2020
3. Faculty & Staff: September TBD
4. Students Only: October TBD
5. Faculty & Staff: November TBD

SJSU IT will redact the identifying information on those that responded and offer security training for departments with higher susceptibility rates. If you have any questions, please let me know.

Thank you,
Bob Lim

Critical Zoom Updates

Dear SJSU campus community,

As we move into summer and as we’ve mentioned in previous communications, SJSU IT is implementing improvements to Zoom. As usual, we hold off on any changes through finals to minimize any possible disruption for our faculty and students. Both of the items in this email will greatly enhance the security of Zoom for our university and both will impact how you use Zoom.

Authentication with SJSU

Your Zoom meetings have passwords by default, but anyone with the meeting link can still join your Zoom. That’s fine until your link gets shared with a malicious person outside your class or meeting. This is where authentication comes in, providing an additional layer of security on top of using meeting passwords.

Zoom meetings hosted by SJSU users can now require that all attendees be authenticated through SJSU’s single sign-on. Authenticated attendees are individuals who have signed in to Zoom and been verified as valid Zoom users. For SJSU authentication, this means they’ve logged in to Zoom using the SJSU single sign-on portal. SJSU authentication is a great security precaution when everyone in the meeting or class is an SJSU. We’re implementing this setting to enhance security at SJSU. Remember to double-check this setting whenever you schedule a meeting, as different Zoom clients have different default settings.

There are a number of cases where you may not need or want to use authentication and may consider changing this setting: classes with a visiting lecturer, meetings with off-campus vendors, or collaborative research discussions with other institutions, to name a few. To read about how to change this setting, please visit our Zoom Authentication website.

This change will go live Thursday, 5/28/2020. Take a moment before then to review our Zoom Authentication website so you’ll know the extra steps you may need to take before joining a class or meeting. It’s also a good idea to give yourself an extra couple minutes before meetings and classes once this change goes live, just in case.

Zoom 5.04

Beginning May 30, Zoom will require everyone to upgrade to the newer version of their client, Zoom 5.04. This new version has a handful of new features, but most importantly it uses a more secure encryption standard.

If you’re using a university machine, then the update will be automatically installed for you. If you’re currently working remotely on a home device, Zoom will notify you of the new version and help you download and install. You can update early by visiting Zoom’s Download Center and downloading and installing the latest Zoom Client for Meetings.

You’ll still be able to use Zoom without updating, but it will launch in the web interface. Zoom on the web is much less secure and has a very restricted feature set. That’s why SJSU IT is recommending that everyone update Zoom to this new version.

Student Conduct & Ethical Development

Lastly, I want to let you all know that we will be sending an email to students shortly informing them of our university processes around disciplinary action for Zoom Bombing. SJSU IT and the Office of Student Conduct and Ethical Development have been working closely on the issue of Zoom Bombing. Our university has only had a handful of cases, a testament to the integrity of our student population.

If you have any questions about the updating process or need help, please contact the SJSU IT Service Desk online or at 408-924-1530.

Thank you,
Bob Lim

End of Spring 2020 Update

Dear colleagues,

As we close this historic semester at San José State University, I want to thank each and every one of you for coming together to support each other and our community. I know that for many of you, the online resources you’ve been relying on to work, teach, and research for the past two months were entirely new. We all face uncertainty as we look not just into summer, but into fall as well. That’s why I want to take a moment to share and provide clarity on the technology initiatives we have implemented and will be implementing in the next couple of months to support you as we prepare for the “New Normal,” whatever it may bring.

Accelerating & Extending Strategy

For the last three years, SJSU IT’s strategy has been to enhance the mobility and agility of our university, including enabling remote learning and remote working. To continue our strategy, we’re looking to accelerate many of the programs that were in the pipeline, providing even more support for the New Normal and, more importantly, creating a realized modern digital campus.

We’re moving projects up the priority list that will help maintain safe practices once a gradual return to campus is possible. We are working on developing a queue management system that will let people get in line virtually, ping them when it’s their turn at the window, and let them step back in line. We’re also looking into virtual event platforms for all the things Zoom and Hangouts Meet just can’t do — things like job fairs, onboarding, and commencement.

Another example of acceleration is how we’re ramping up our collaboration with other departments across campus. SJSU IT recently completed Phase I with University Personnel to digitize the process for managing and storing PAF. UP can now consolidate many existing documents into a single PAF document and enable review by chairs, admins, and individual faculty online. This will eliminate rows of documents in filing cabinets that would need to be hand-carried to reviewers across campus. Most importantly, the entire process can now be done anywhere, on or off campus.

In the past few years, SJSU IT has digitized over 65% of the university’s business processes online. Our goal is to be close to 100% within the next three years. If you have more ideas for digitization, please reach out to SJSU IT at it-solution-development-group@sjsu.edu.

Enhancing Security and Privacy

Security and privacy have always been a top priority. Maintaining our security and privacy standards while faculty, staff, and students are operating from locations across the country (and internationally), on home devices and home networks, presents new challenges.

We’ve opened up the option for SJSU students to opt into Multi-Factor Authentication (MFA) through Duo. Making Duo required for all SJSU faculty and staff immediately raised the security profile of our university and added convenience by extending password renewals from six months to two years. In January 2020, SJSU was the target of a concentrated phishing attack, with over 1,600 phishing emails detected. Because of Duo, there were no incidents on our campus. Our data also shows that 630 logins from this attack were denied access through Duo. We know that turning on Duo for students will have just as profound of an impact. We’re encouraging students to sign up by going to this page.

For the 600-plus folks using the VPN to connect to campus, we will be sending out another email soon detailing new measures to enhance VPN security even more.

Customer Service

The shelter-in-place order is changing so much about where, when, and how we work, learn, and research. Just because you aren’t on campus doesn’t mean we can’t be there to help. We’re building customer service models that will enable us to support your home devices and home networks. We also want to be available when you need us, so we’re exploring options beyond our normal support hours to provide 24/7 desktop and virtual classroom support.

Zoom Security

If you have any questions about Zoom security settings, you can always call the support desk for real-time help with Zoom. If you’re looking for some extra peace of mind, sign up for our new Personalized Zoom Security Check-up. Our SJSU IT service staff will work with you one-on-one remotely to ensure all your Zoom security settings are correctly set. Once you sign up, we’ll reach out to you to set up a specific time.

We’ve updated our SJSU Zoom Security Checklist website so you can quickly check your security settings. Here are just some of the key tips:

Scheduling

The Do’s

  • DO keep meeting passwords on.
  • DO use automatically-generated meeting IDs.
  • DO keep meeting links private if your meeting is private.
  • DO control who you distribute classroom meeting join links to.
  • DO verify your Google Calendar sharing settings.
  • DO set your meeting to mute new people on entry if you’re running a large class or meeting.
  • DO enable registration if you’re running a public meeting or event.
  • DO enable the waiting room if you’re running a public event or a large class.

Hosting

The Do’s

  • DO use your waiting room to welcome attendees if you have enabled it.
  • DO disable annotation in your meeting.
  • DO consider locking your meeting or class after everyone has joined.
  • DO become familiar with the security options on the toolbar.
  • DO use the “On hold” and “Remove” features when necessary.

The Don’ts

  • DON’T use your Zoom Personal Meeting ID (PMI).
  • DON’T host alone if you’re running a large meeting or class.
  • DON’T enable Screen Sharing unless necessary.

I’m sure you’ve all seen some of the SJSU IT communications about Zoom from the past two months. Enabling remote modalities means making sure the tools and online resources you’re using are secure as well. You may have seen that Zoom has upgraded to 5.02 and included a slew of additional security features. SJSU IT will be requiring this latest version for all SJSU-connected devices to take advantage of Zoom’s newer security encryption. SJSU IT will also be expanding Zoom’s security even further. We’re going to be turning on the option for Zoom meetings to require SJSU authentication through single sign-on. This feature will be implemented after finals have been completed.

Thank You

Thank you all for your patience as the entire university tries to move forward in a way that provides some stability. We’ll be sure to keep you up to date on what’s happening over the summer. Lastly, I want to take a moment to thank all of my colleagues in SJSU IT, all the IT staff across campus, and the multiple SJSU IT consultation boards who have helped shepherd the transition to remote modalities.

I hope you all stay safe and stay healthy.

Best Regards,
Bob Lim