Category Archives: Security

It’s IT’s goal to make SJSU the most secure, safest campus in the country.

End of Spring 2020 Update

Dear colleagues,

As we close this historic semester at San José State University, I want to thank each and every one of you for coming together to support each other and our community. I know that for many of you, the online resources you’ve been relying on to work, teach, and research for the past two months were entirely new. We all face uncertainty as we look not just into summer, but into fall as well. That’s why I want to take a moment to share and provide clarity on the technology initiatives we have implemented and will be implementing in the next couple of months to support you as we prepare for the “New Normal,” whatever it may bring.

Accelerating & Extending Strategy

For the last three years, SJSU IT’s strategy has been to enhance the mobility and agility of our university, including enabling remote learning and remote working. To continue our strategy, we’re looking to accelerate many of the programs that were in the pipeline, providing even more support for the New Normal and, more importantly, creating a realized modern digital campus.

We’re moving projects up the priority list that will help maintain safe practices once a gradual return to campus is possible. We are working on developing a queue management system that will let people get in line virtually, ping them when it’s their turn at the window, and let them step back in line. We’re also looking into virtual event platforms for all the things Zoom and Hangouts Meet just can’t do — things like job fairs, onboarding, and commencement.

Another example of acceleration is how we’re ramping up our collaboration with other departments across campus. SJSU IT recently completed Phase I with University Personnel to digitize the process for managing and storing PAF. UP can now consolidate many existing documents into a single PAF document and enable review by chairs, admins, and individual faculty online. This will eliminate rows of documents in filing cabinets that would need to be hand-carried to reviewers across campus. Most importantly, the entire process can now be done anywhere, on or off campus.

In the past few years, SJSU IT has digitized over 65% of the university’s business processes online. Our goal is to be close to 100% within the next three years. If you have more ideas for digitization, please reach out to SJSU IT at it-solution-development-group@sjsu.edu.

Enhancing Security and Privacy

Security and privacy have always been a top priority. Maintaining our security and privacy standards while faculty, staff, and students are operating from locations across the country (and internationally), on home devices and home networks, presents new challenges.

We’ve opened up the option for SJSU students to opt into Multi-Factor Authentication (MFA) through Duo. Making Duo required for all SJSU faculty and staff immediately raised the security profile of our university and added convenience by extending password renewals from six months to two years. In January 2020, SJSU was the target of a concentrated phishing attack, with over 1,600 phishing emails detected. Because of Duo, there were no incidents on our campus. Our data also shows that 630 logins from this attack were denied access through Duo. We know that turning on Duo for students will have just as profound of an impact. We’re encouraging students to sign up by going to this page.

For the 600-plus folks using the VPN to connect to campus, we will be sending out another email soon detailing new measures to enhance VPN security even more.

Customer Service

The shelter-in-place order is changing so much about where, when, and how we work, learn, and research. Just because you aren’t on campus doesn’t mean we can’t be there to help. We’re building customer service models that will enable us to support your home devices and home networks. We also want to be available when you need us, so we’re exploring options beyond our normal support hours to provide 24/7 desktop and virtual classroom support.

Zoom Security

If you have any questions about Zoom security settings, you can always call the support desk for real-time help with Zoom. If you’re looking for some extra peace of mind, sign up for our new Personalized Zoom Security Check-up. Our SJSU IT service staff will work with you one-on-one remotely to ensure all your Zoom security settings are correctly set. Once you sign up, we’ll reach out to you to set up a specific time.

We’ve updated our SJSU Zoom Security Checklist website so you can quickly check your security settings. Here are just some of the key tips:

Scheduling Hosting
The Do’s

  • DO keep meeting passwords on.
  • DO use automatically-generated meeting IDs.
  • DO keep meeting links private if your meeting is private.
  • DO control who you distribute classroom meeting join links to.
  • DO verify your Google Calendar sharing settings.
  • DO set your meeting to mute new people on entry if you’re running a large class or meeting.
  • DO enable registration if you’re running a public meeting or event.
  • DO enable the waiting room if you’re running a public event or a large class.
 The Do’s

  • DO use your waiting room to welcome attendees if you have enabled it.
  • DO disable annotation in your meeting.
  • DO consider locking your meeting or class after everyone has joined.
  • DO become familiar with the security options on the toolbar.
  • DO use the “On hold” and “Remove” features when necessary

The Don’ts

  • DON’T use your Zoom Personal Meeting ID (PMI)
  • DON’T host alone if you’re running a large meeting or class.
  • DON’T enable Screen Sharing unless necessary

I’m sure you’ve all seen some of the SJSU IT communications about Zoom from the past two months. Enabling remote modalities means making sure the tools and online resources you’re using are secure as well. You may have seen that Zoom has upgraded to 5.02 and included a slew of additional security features. SJSU IT will be requiring this latest version for all SJSU-connected devices to take advantage of Zoom’s newer security encryption. SJSU IT will also be expanding Zoom’s security even further. We’re going to be turning on the option for Zoom meetings to require SJSU authentication through single sign-on. This feature will be implemented after finals have been completed.

Thank You

Thank you all for your patience as the entire university tries to move forward in a way that provides some stability. We’ll be sure to keep you up to date on what’s happening over the summer. Lastly, I want to take a moment to thank all of my colleagues in SJSU IT, all the IT staff across campus, and the multiple SJSU IT consultation boards who have helped shepherd the transition to remote modalities.

I hope you all stay safe and stay healthy.

Best Regards,
Bob Lim

Alert: COVID-19 Phishing Scams on the Rise

Dear SJSU faculty and staff,

The COVID-19 pandemic has impacted almost everything about our lives, changing how we work and interact every day. It’s also created a rapidly-changing environment where hackers and scammers are trying to capitalize on our fears and anxieties. Attacks related to COVID-19 started circling as early as January and have only proliferated since.

COVID-19 Phishing
The most recent trend has been focused on the upcoming stimulus package, with emails featuring subject lines like “URGENT: COVID-19 stimulus check delivery blocked. Please accept delivery here to continue with shipment.” Other recent email attempts include:
  • Posing as the government and asking you for banking information before sending your stimulus money
  • Posing as aid organizations and accepting donations, but taking your money instead
  • Sending links to “information” about COVID-19 cures/vaccines that install malware when you open them

This type of attack, called “phishing,” is an attempt by criminals to gain access to your SJSU and personal accounts. As many of you are currently working and lecturing from home, it’s especially important to be vigilant. Home computing devices and home networks do not have the security defenses of our campus network and systems. Duo Two-Factor Authentication can effectively help protect your account from these kinds of attacks. Students, faculty, and staff can also download Sophos Anti-Virus for free on home computers.

Reputable Resources
  • The Federal Trade Commission is a reputable source of information on this topic and has multiple posts about how to identify and avoid COVID-19 scams.
  • Additionally, the US Department of Homeland Security Cybersecurity and Infrastructure Security Agency and United Kingdom’s National Cyber Security Centre issued a joint activity alert titled, “COVID-19 Exploited by Malicious Cyber Actors.” The alert discusses the exploitation of virtual private networks, phishing emails and text messages about COVID-19, and websites deceptively advertised as COVID-19 sites.
  • For more approachable security awareness content, NINJIO is offering a series of 10 free videos about being data secure while working from home.

Phishing Awareness Program
You can also visit SJSU IT’s  How to Spot a Phishing Attempt page to read about our ongoing Phishing Awareness Program. As part of this program, you will periodically receive simulated phishing emails that imitate real attacks. These emails are designed to give you a realistic experience without putting you or the university at risk for a security breach. If you fall for our fake messages, there’s no judgment. We’ll just send you tips and tricks to improve your phishing recognition skills. We have run this program many times over the last few years and the response has been great.

If you ever receive a request for your login information, you can always contact the SJSU IT Service Desk at (408) 924-1530. Visit our blog or website for more information on How to Spot a Phishing Attempt or sign up for our ongoing phishing education program. You can also visit Google’s site to see how reporting phishing emails in Gmail helps prevent future attempts. For tips on how to use Zoom securely, download our Zoom FAQ PDF.

Best regards,

Hien Huynh
Information Security Officer
Division of Information Technology

Proactive Zoom Security Measures

Dear Colleagues: 

You may have read recent articles and news stories regarding security and privacy concerns with Zoom. As much of what we previously did face-to-face is now happening over Zoom, it’s important we understand what potential security issues exist within this platform, how some of these concerns may be addressed by enabling existing Zoom security features, and the new measures Zoom is taking to protect its users. SJSU IT and eCampus is committed to working with faculty, students, and staff to ensure appropriate security precautions are in place and to relaying our community’s concerns to Zoom.     

SJSU IT is actively monitoring news coverage of Zoom. Our Information Security Officer and Zoom account administrator are reviewing reports from information security researchers who have uncovered and documented vulnerabilities as they are published. We are in daily contact with other CSU Zoom administrators, Information Security Officers, and security industry leaders to ensure we understand the ramifications of any issues.  

eCampus and SJSU IT Resources
SJSU IT and eCampus have created an extensive Zoom FAQ, available here, answering questions found on various websites and forums. Ongoing training for Zoom is available from eCampus and within the next few days. eCampus will also be rolling out new training for faculty on Zoom security, privacy, and the Do’s & Don’ts of working with Zoom. We’re also sharing a quick-reference Do’s and Don’ts sheet.

SJSU IT Proactive Changes to Zoom Defaults
To improve overall Zoom meeting security and control who joins a Zoom meeting, we will be changing the default setting to only allow authenticated users to join meetings. This will require all participants to authenticate to SJSU Single Sign On before entering a meeting. Hosts will be able to change this default setting to not requiring authentication when scheduling a meeting with external participants. Please look for a message in the next few days with additional details and the specific date this change will be made. 

Zoom’s New Security Toolbar Icon for Hosts
Meeting hosts will now see an option in the Zoom meeting controls called Security. Visible only to hosts and co-hosts of Zoom Meetings, the new Security icon provides easy access to several existing Zoom security features. The Security icon replaces the Invite button in the meeting controls. The Invite button has been moved to the Manage Participants panel, and hosts can add additional guests there. This new icon will help hosts quickly find and enable many of Zoom’s in-meeting security features.

Zoom toolbar with new security button

By clicking the Security icon, hosts and co-hosts have an all-in-one place to quickly:

  • Lock the meeting
  • Enable the Waiting Room (even if it’s not already enabled)
  • Remove participants
  • Restrict participants’ ability to:
    • Share their screens
    • Chat in a meeting
    • Rename themselves
    • Annotate on the host’s shared content

Google Hangouts Meet Added to Canvas
In order to provide our faculty with additional options who are hosting small-session discussions, eCampus and SJSU IT have enabled Hangouts Meet as an option in Canvas.

It is also important to note that the Chancellor’s Office carefully assessed Zoom’s security provisions during the procurement process and ensured that the systemwide contract prohibits the company from selling personal data from any member of our CSU community. Based on what is known today, the Chancellor’s Office does not perceive that Zoom puts students’ staff or faculty members’  privacy at risk when used with good practices.   

While we use Zoom as part of our CSU-provided and vetted set of online tools, we are not advocating for Zoom. It is up to individual community members to decide if Zoom is the appropriate tool for their needs. To assist you in making this important decision, SJSU IT has developed and shared a frequently asked questions and answers document relating to Zoom use, privacy, and security and will keep you up-to-date on any Zoom issues that may impact our SJSU community. If you have any questions, please do not hesitate to reach out to us.  

 

Best regards, 

Hien Huynh
Information Security Officer

Simon Rodan
Professor, College of Business, Statewide Senator and liaison to the statewide Information Technology Advisory Committee  

Bob Lim
VP Information Technology and Chief Information Officer 

Ahmed Banafa
Cybersecurity Expert and Faculty member at the College of Engineering

Leslie Albert
Associate Professor, College of Business, Director of the Center for Organizational Resilience

Zoom Bombing

Campus Colleagues,

I want to make you aware of a new kind of phishing attack that’s growing quickly in the wake of a global switch toward teaching, learning, and working remotely — “Zoom Bombing.”  

Zoom bombing is when an unwanted participant joins your Zoom meeting. Sometimes attackers are joining just to be a nuisance, but for others, the aim is to slip in unnoticed as you share documents with protected information on them or discuss confidential data. 

While SJSU already has some extra protocols in place to help keep you secure, I want to give you some quick tips to further help you prevent Zoom bombing.

  1. Keep Meeting URLs Private – Don’t share them anywhere that’s accessible to the public. Just keep it to the group of people you’re sure you want to be there.
  2. Keep Meeting Passwords On – These are on by default, so all you have to do is put in a password when prompted and leave them on. 
  3. Lock your meetings – When a meeting is locked, no one can join. Learn how on the SJSU IT Securing Zoom Meetings page. 
  4. Double-check your Zoom Google Calendar invites – If you add a Zoom meeting to your calendar or create a Zoom meeting in your calendar using the Zoom Plug-in, the calendar entry may include the Zoom meeting password. Depending on your settings, this may expose the password to anyone who views your calendar. Make your calendar entry private or edit the entry to remove the Zoom meeting password.

For more details on each of these tips and some more information on staying secure while working from home, visit the Work Anywhere Zoom page. You can also find information on the Work Anywhere FAQ about how to send data securely using DocuSign and safely access SJSU data systems remotely. 

 

Thank You,
Hien Huynh
Information Security Officer
Division of Information Technology

Improving Your Zoom Connection

Hello everyone:

We are monitoring the critical technology issues that universities and businesses are experiencing using Zoom and their networks. We are seeing reports that there are more instances of audio or video in Zoom becoming choppy or distorted. This seems to mostly be issues of local bandwidth, PC activity, or home WiFi setups. So I wanted to send some information about what you can do to improve your online experience. 

Run a Speed Test
The first thing to do is to figure out how fast your internet is currently. You can type “internet speed test” into a search engine.  If your speed is much slower than what you’re paying for, you may want to contact your ISP.

Make sure your system requirements are correct
Make sure that the computing device you’re using supports Zoom. These are the system requirements for PC, Mac, and Linux from Zoom: https://support.zoom.us/hc/en-us/articles/201362023-System-Requirements-for-PC-Mac-and-Linux  

Use the best Internet connection you can. 

  • Wired connections are faster and more stable than wireless (WiFi or cellular) connections.
  • WiFi connections are faster and more stable than cellular (3G/4G/LTE) connections.

Plan for Zoom meetings, and as often as possible, join Zoom meetings from a location where you can use a fast, reliable, wired Internet connection. 

If you are using WiFi, check your router.
Problems with wireless connections are usually easy to fix. For detailed information about your WiFi setup, please see Enhancing Your WiFi-Powered Zoom Meeting.  Some quick tips for improving WiFi signal include:

  • Try bringing your computer or mobile device closer to the WiFi router or access point in your home or office.
  • Upgrade your WiFI router firmware. Check your WiFi router support site for firmware upgrade availability. 
  • If necessary, consider using a WiFi extender to increase the distance and strength of your WiFi signal.
  • If you use a cable connection, use a DOCSIS 3.0 or higher cable modem to improve internet performance.

Mute your microphone when you’re not speaking.
When your microphone is on, Zoom will devote part of your Internet connection to an audio stream for you, even if you are not speaking. Mute your microphone when you do not need it, and you will allow Zoom to use your Internet connection more effectively.

Stop your webcam video when you don’t need it.
If your instructor or moderator is okay with you doing so, start your video only when you need to show yourself on webcam, and stop your video when it isn’t required.

Disable HD webcam video.
Sending high definition (HD) webcam video requires more bandwidth than sending non-HD. Disabling HD video will free up more of your Internet connection for other parts of your Zoom meeting. How do I disable HD video in the Zoom Client? From within the Zoom Client: 

  • Click the “Home” tab.
  • Click ” Settings.”
  • In the Settings window that opens:
  • Click the “Video” tab.
  • Uncheck “Enable HD.”
  • Close the Settings window.

Close other, unneeded applications on your computer.
Zoom meetings can demand significant memory and processing power from your computer. Closing other applications — ones you do not need during the session — will help Zoom run better.

Avoid other activities that will steal bandwidth.
Don’t start other bandwidth-intensive activities just before, or during, a Zoom meeting. On your Zoom device—and as much as possible, on different computers and devices that share your Internet connection—avoid:

  • large downloads
  • large uploads
  • streaming video (e.g., Netflix, Hulu, YouTube)
  • cloud backups (e.g., Carbonite, CrashPlan)
  • cloud file synchronizations (e.g., OneDrive, Dropbox)
  • other high-bandwidth activities

Communicate with the instructor or moderator of your Zoom meeting.
If the best Internet connection you have for Zoom is a slow one, such as a weak cellular data connection, let the person or people running your session know ahead of time.

Best Regards,
Bob Lim