Cybersecurity Newsletter for Fall 2020

Dear SJSU Community,

With the transition to remote modalities, most of you are now learning, teaching, and working from home without the protections of SJSU’s fortified network. This coincides with an uptick in cybercriminal activity as malicious attackers look to prey upon our uncertainties and anxieties. We want to help by giving you the tools and resources to protect your digital life.

Security is very important for us. It’s one of our driving goals, as outlined in President Papazian’s Transformation 2030 strategic plan. We want to be the safest university in the country. And it’s even more important to us today as we look outside traditional answers to protect you off-campus.

Sophos
We’ve partnered with Sophos, our campus antivirus vendor, to secure Sophos Home Premium licenses for faculty, staff, and students. Sophos Home Premium is an industry-leading, AI-enabled antivirus tool with features like real-time antivirus monitoring, ransomware protection, privacy & identity protection, and more. Home Premium usually retails for $60, but you can use your @sjsu.edu email account to download and install it for free on up to 10 computers.

Duo Multi-Factor Authentication
As of December 2019, all faculty and staff were required to have Duo Multi-Factor Authentication on their SJSU accounts. Adding an additional layer of security by requiring login confirmation from a mobile device has made their accounts much, much more secure. In April, we opened up this option for students who wanted to protect their accounts from malicious agents. Over the next year and a half, we’ll be gradually requiring students to enable Duo on their accounts. If you’re a student, we highly encourage you to sign up early and protect your account today. Plus, if you enroll in Duo, we’ll extend your password renewal timeline from 180 days to two years. You can learn more about Duo and how it works on our Duo for Students website.

LastPass
A strong password is the first line of defense for your account. We’ll be partnering with LastPass to provide premium password management software for all SJSU students, faculty, and staff. We all know that we should have different passwords for every account we have everywhere. Still, all those passwords can be hard to remember and continually coming up with new ones feels like an uphill battle. LastPass will suggest, store, and autofill extra-secure random combinations of numbers, letters, and symbols for all of your accounts. Because LastPass encrypts all of your passwords, it’s much more secure than keeping them on a notepad or Google Doc. We’ll follow up with you on where and how to add SJSU LastPass to your devices later this semester.

Constant Vigilance
The first, best, and most effective defense against malicious actors is always you. The SJSU IT Information Security team has resources, training, and help for you to become a more critical user. I encourage you to explore our website, sign up for a Zoom training, and try some of the available security tools.

Thank You
I know that not everybody finds information security as exciting a topic as I do. So I want to thank our entire university, all the way from incoming frosh to President Papazian, for taking data safety so seriously. Together, we can make SJSU the safest campus in the country.

Regards,
Bob Lim
VP of Information Technology
and CIO at San Jose State University

Hien Huynh
Information Security Officer
SJSU IT

SJSU IT Phishing Awareness Program Starts June 30

Colleagues,

Next week, our Information Security Office will begin their Phishing Awareness Program in support of our Technology Recovery Plan, building on our cybersecurity layering strategy.

As part of this program, our staff, faculty, and students will periodically receive simulated phishing emails that imitate real attacks. These emails are designed to create a realistic experience without putting employees or the university at risk for a security breach. Employees who respond to the fake phishing attempts are directed toward training and resources to help them recognize phishing attempts in the future without shaming anybody. We’ve run this program multiple times over the last few years and the results have been great. The Information Security Office will now operationalize this procedure quarterly because a knowledgeable user base is a strong defense against cybercriminals.

This program is critical because many of our faculty, staff, and students are working and learning remotely, where security safeguards are not as robust as on our campus network.

Faculty and staff were notified about the program in a campus-wide email on April 22 and prior messages. We’ll send out five such email phishing simulations over the next six months, timed to avoid the first two weeks of school, finals, and other critical events on campus, as part of our normal business process.

1. Staff Only: June 30, 2020
2. Staff Only: July 30, 2020
3. Faculty & Staff: September TBD
4. Students Only: October TBD
5. Faculty & Staff: November TBD

SJSU IT will redact the identifying information on those that responded and offer security training for departments with higher susceptibility rates. If you have any questions, please let me know.

Thank you,
Bob Lim

Phishing

We would like to remind you of a security threat that is never far away: Phishing. During a phishing attack, a scammer disguises their email to look like a legitimate message from a colleague or company in an attempt to trick you. The goal of the phishing email is to have you click on a link or open an attachment that will ask you for sensitive or confidential information. Find information on how to spot phishing emails on our safe computing pages.

Signing up to use two-factor authentication with Duo helps keep your account safe. With Duo, you’ll be protected when somebody attempts to use your account through Okta single sign-on or other Duo-integrated apps (such as a VPN client). You can learn more about Duo and sign up for it early here.

Impersonation alerts are another useful feature, available on the Gmail website and in the Gmail apps for iOS and Android. These alerts will help remind you to be vigilant about suspicious emails, but they work best when you’re using your SJSU email account for university-related communication. If you see this alert, take a moment to review the details of the message, referencing our safe computing tips.

The single best way to protect yourself is to stay vigilant and use common sense. Oftentimes, phishers will impersonate figures of higher authority. But if you ask yourself, “When’s the last time the President emailed me directly?” and the answer is “Never,” that should raise a red flag. If you ask yourself, “I thought the President had better grammar/punctuation/spelling?” that should raise a red flag. If you see these kinds of suspicious emails, use the Report Phishing feature in Gmail.