Bringing Multi-Factor Authentication to Our Students

In Spring 2021, we moved to protect our entire student population with multi-factor authentication (MFA). We rolled out MFA to more than 47,000 students in five waves, with the last group of accounts activated on April 9, 2021. As of today, 100% of SJSU accounts are protected with MFA.  

Our data shows that MFA works at SJSU. From September 2020 to February 2021, just before the student rollout, MFA blocked access almost 100,000 times, which is 4.6% of all attempted logins during that time span. Recently, other campuses without MFA have been attacked through unprotected student accounts. 

Protecting our student accounts with MFA is a major part of our strategy to be one of the most secure campuses in the country. Attackers have started playing the long game. They’re gaining access to student accounts, targeting people majoring in fields that are high income or who may have access to valuable research. Once they have passwords that work and access they can use, they wait five, ten, or more years to use that access to ransom user data or get into secure corporate systems. MFA for our students isn’t just about protecting them while they’re on campus, but protecting them when they’re alumni. 

There are lots of people in SJSU IT who worked on this rollout, but we couldn’t have done it without the support of Student Affairs, especially Robb Drury and Bonnie Sugiyama. I want to call out Maggie Panahi, Jason Ferguson, Sharon Watkins, Alfred Eclipse, Tristan Orlino, Andy Trembley, and James Anderson for their contributions. 

Best regards,
Bob Lim

Cybersecurity Newsletter for Fall 2020

Dear SJSU Community,

With the transition to remote modalities, most of you are now learning, teaching, and working from home without the protections of SJSU’s fortified network. This coincides with an uptick in cybercriminal activity as malicious attackers look to prey upon our uncertainties and anxieties. We want to help by giving you the tools and resources to protect your digital life.

Security is very important for us. It’s one of our driving goals, as outlined in President Papazian’s Transformation 2030 strategic plan. We want to be the safest university in the country. And it’s even more important to us today as we look outside traditional answers to protect you off-campus.

Sophos
We’ve partnered with Sophos, our campus antivirus vendor, to secure Sophos Home Premium licenses for faculty, staff, and students. Sophos Home Premium is an industry-leading, AI-enabled antivirus tool with features like real-time antivirus monitoring, ransomware protection, privacy & identity protection, and more. Home Premium usually retails for $60, but you can use your @sjsu.edu email account to download and install it for free on up to 10 computers.

DOWNLOAD SOPHOS

Duo Multi-Factor Authentication
As of December 2019, all faculty and staff were required to have Duo Multi-Factor Authentication on their SJSU accounts. Adding an additional layer of security by requiring login confirmation from a mobile device has made their accounts much, much more secure. In April, we opened up this option for students who wanted to protect their accounts from malicious agents. Over the next year and a half, we’ll be gradually requiring students to enable Duo on their accounts. If you’re a student, we highly encourage you to sign up early and protect your account today. Plus, if you enroll in Duo, we’ll extend your password renewal timeline from 180 days to two years. You can learn more about Duo and how it works on our Duo for Students website.

GET DUO

LastPass
A strong password is the first line of defense for your account. We’ll be partnering with LastPass to provide premium password management software for all SJSU students, faculty, and staff. We all know that we should have different passwords for every account we have everywhere. Still, all those passwords can be hard to remember and continually coming up with new ones feels like an uphill battle. LastPass will suggest, store, and autofill extra-secure random combinations of numbers, letters, and symbols for all of your accounts. Because LastPass encrypts all of your passwords, it’s much more secure than keeping them on a notepad or Google Doc. We’ll follow up with you on where and how to add SJSU LastPass to your devices later this semester.

Constant Vigilance
The first, best, and most effective defense against malicious actors is always you. The SJSU IT Information Security team has resources, training, and help for you to become a more critical user. I encourage you to explore our website, sign up for a Zoom training, and try some of the available security tools.

SJSU IT INFOSEC WEBSITE

Thank You
I know that not everybody finds information security as exciting a topic as I do. So I want to thank our entire university, all the way from incoming frosh to President Papazian, for taking data safety so seriously. Together, we can make SJSU the safest campus in the country.

Regards,
Bob Lim
VP of Information Technology
and CIO at San Jose State University

Hien Huynh
Information Security Officer
SJSU IT

End of Spring 2020 Update

Dear colleagues,

As we close this historic semester at San José State University, I want to thank each and every one of you for coming together to support each other and our community. I know that for many of you, the online resources you’ve been relying on to work, teach, and research for the past two months were entirely new. We all face uncertainty as we look not just into summer, but into fall as well. That’s why I want to take a moment to share and provide clarity on the technology initiatives we have implemented and will be implementing in the next couple of months to support you as we prepare for the “New Normal,” whatever it may bring.

Accelerating & Extending Strategy

For the last three years, SJSU IT’s strategy has been to enhance the mobility and agility of our university, including enabling remote learning and remote working. To continue our strategy, we’re looking to accelerate many of the programs that were in the pipeline, providing even more support for the New Normal and, more importantly, creating a realized modern digital campus.

We’re moving projects up the priority list that will help maintain safe practices once a gradual return to campus is possible. We are working on developing a queue management system that will let people get in line virtually, ping them when it’s their turn at the window, and let them step back in line. We’re also looking into virtual event platforms for all the things Zoom and Hangouts Meet just can’t do — things like job fairs, onboarding, and commencement.

Another example of acceleration is how we’re ramping up our collaboration with other departments across campus. SJSU IT recently completed Phase I with University Personnel to digitize the process for managing and storing PAF. UP can now consolidate many existing documents into a single PAF document and enable review by chairs, admins, and individual faculty online. This will eliminate rows of documents in filing cabinets that would need to be hand-carried to reviewers across campus. Most importantly, the entire process can now be done anywhere, on or off campus.

In the past few years, SJSU IT has digitized over 65% of the university’s business processes online. Our goal is to be close to 100% within the next three years. If you have more ideas for digitization, please reach out to SJSU IT at it-solution-development-group@sjsu.edu.

Enhancing Security and Privacy

Security and privacy have always been a top priority. Maintaining our security and privacy standards while faculty, staff, and students are operating from locations across the country (and internationally), on home devices and home networks, presents new challenges.

We’ve opened up the option for SJSU students to opt into Multi-Factor Authentication (MFA) through Duo. Making Duo required for all SJSU faculty and staff immediately raised the security profile of our university and added convenience by extending password renewals from six months to two years. In January 2020, SJSU was the target of a concentrated phishing attack, with over 1,600 phishing emails detected. Because of Duo, there were no incidents on our campus. Our data also shows that 630 logins from this attack were denied access through Duo. We know that turning on Duo for students will have just as profound of an impact. We’re encouraging students to sign up by going to this page.

For the 600-plus folks using the VPN to connect to campus, we will be sending out another email soon detailing new measures to enhance VPN security even more.

Customer Service

The shelter-in-place order is changing so much about where, when, and how we work, learn, and research. Just because you aren’t on campus doesn’t mean we can’t be there to help. We’re building customer service models that will enable us to support your home devices and home networks. We also want to be available when you need us, so we’re exploring options beyond our normal support hours to provide 24/7 desktop and virtual classroom support.

Zoom Security

If you have any questions about Zoom security settings, you can always call the support desk for real-time help with Zoom. If you’re looking for some extra peace of mind, sign up for our new Personalized Zoom Security Check-up. Our SJSU IT service staff will work with you one-on-one remotely to ensure all your Zoom security settings are correctly set. Once you sign up, we’ll reach out to you to set up a specific time.

We’ve updated our SJSU Zoom Security Checklist website so you can quickly check your security settings. Here are just some of the key tips:

Scheduling Hosting
The Do’s

  • DO keep meeting passwords on.
  • DO use automatically-generated meeting IDs.
  • DO keep meeting links private if your meeting is private.
  • DO control who you distribute classroom meeting join links to.
  • DO verify your Google Calendar sharing settings.
  • DO set your meeting to mute new people on entry if you’re running a large class or meeting.
  • DO enable registration if you’re running a public meeting or event.
  • DO enable the waiting room if you’re running a public event or a large class.
The Do’s

  • DO use your waiting room to welcome attendees if you have enabled it.
  • DO disable annotation in your meeting.
  • DO consider locking your meeting or class after everyone has joined.
  • DO become familiar with the security options on the toolbar.
  • DO use the “On hold” and “Remove” features when necessary

The Don’ts

  • DON’T use your Zoom Personal Meeting ID (PMI)
  • DON’T host alone if you’re running a large meeting or class.
  • DON’T enable Screen Sharing unless necessary

I’m sure you’ve all seen some of the SJSU IT communications about Zoom from the past two months. Enabling remote modalities means making sure the tools and online resources you’re using are secure as well. You may have seen that Zoom has upgraded to 5.02 and included a slew of additional security features. SJSU IT will be requiring this latest version for all SJSU-connected devices to take advantage of Zoom’s newer security encryption. SJSU IT will also be expanding Zoom’s security even further. We’re going to be turning on the option for Zoom meetings to require SJSU authentication through single sign-on. This feature will be implemented after finals have been completed.

Thank You

Thank you all for your patience as the entire university tries to move forward in a way that provides some stability. We’ll be sure to keep you up to date on what’s happening over the summer. Lastly, I want to take a moment to thank all of my colleagues in SJSU IT, all the IT staff across campus, and the multiple SJSU IT consultation boards who have helped shepherd the transition to remote modalities.

I hope you all stay safe and stay healthy.

Best Regards,
Bob Lim

SJSUOne Password Extension with Duo – It’s Free

We’ve heard the feedback from faculty and staff about password security and have made changes to how often password renewals will be required. Starting with our initial pilot rollout, if faculty or staff have Duo Two-Factor Authentication (2FA) active on their SJSUOne account, their password won’t expire for two years. That means no more email reminders every 180 days and no more locking yourself out when you inevitably forget it the next morning. Our goal is to always find technology solutions that add more value — that’s the competitive advantage that SJSU IT offers.

Two-Factor Authentication adds a second layer of security to your SJSUOne account. By verifying your identity using a second factor (such as a key fob or your mobile device), 2FA makes it much more difficult for anyone else to log into your account, even if they know your password.

Signing up for Duo is easy and free. Learn more about Duo 2FA and fill out the registration form on our Duo@SJSU webpage. We’ve already made enrollment mandatory for university staff, and we’re aiming to have all faculty enrolled in Duo by December 1, 2019.

We greatly appreciate everyone’s diligence and support in protecting our students’ data and enhancing the security of our campus. Thank you for your continued help and support.

Thank you,
Bob Lim

Phishing

We would like to remind you of a security threat that is never far away: Phishing. During a phishing attack, a scammer disguises their email to look like a legitimate message from a colleague or company in an attempt to trick you. The goal of the phishing email is to have you click on a link or open an attachment that will ask you for sensitive or confidential information. Find information on how to spot phishing emails on our safe computing pages.

Signing up to use two-factor authentication with Duo helps keep your account safe. With Duo, you’ll be protected when somebody attempts to use your account through Okta single sign-on or other Duo-integrated apps (such as a VPN client). You can learn more about Duo and sign up for it early here.

Impersonation alerts are another useful feature, available on the Gmail website and in the Gmail apps for iOS and Android. These alerts will help remind you to be vigilant about suspicious emails, but they work best when you’re using your SJSU email account for university-related communication. If you see this alert, take a moment to review the details of the message, referencing our safe computing tips.

The single best way to protect yourself is to stay vigilant and use common sense. Oftentimes, phishers will impersonate figures of higher authority. But if you ask yourself, “When’s the last time the President emailed me directly?” and the answer is “Never,” that should raise a red flag. If you ask yourself, “I thought the President had better grammar/punctuation/spelling?,” that should raise a red flag. If you see these kinds of suspicious emails, use the Report Phishing feature in Gmail.