Cybersecurity Newsletter for Fall 2020

Dear SJSU Community,

With the transition to remote modalities, most of you are now learning, teaching, and working from home without the protections of SJSU’s fortified network. This coincides with an uptick in cybercriminal activity as malicious attackers look to prey upon our uncertainties and anxieties. We want to help by giving you the tools and resources to protect your digital life.

Security is very important for us. It’s one of our driving goals, as outlined in President Papazian’s Transformation 2030 strategic plan. We want to be the safest university in the country. And it’s even more important to us today as we look outside traditional answers to protect you off-campus.

Sophos
We’ve partnered with Sophos, our campus antivirus vendor, to secure Sophos Home Premium licenses for faculty, staff, and students. Sophos Home Premium is an industry-leading, AI-enabled antivirus tool with features like real-time antivirus monitoring, ransomware protection, privacy & identity protection, and more. Home Premium usually retails for $60, but you can use your @sjsu.edu email account to download and install it for free on up to 10 computers.

DOWNLOAD SOPHOS

Duo Multi-Factor Authentication
As of December 2019, all faculty and staff were required to have Duo Multi-Factor Authentication on their SJSU accounts. Adding an additional layer of security by requiring login confirmation from a mobile device has made their accounts much, much more secure. In April, we opened up this option for students who wanted to protect their accounts from malicious agents. Over the next year and a half, we’ll be gradually requiring students to enable Duo on their accounts. If you’re a student, we highly encourage you to sign up early and protect your account today. Plus, if you enroll in Duo, we’ll extend your password renewal timeline from 180 days to two years. You can learn more about Duo and how it works on our Duo for Students website.

GET DUO

LastPass
A strong password is the first line of defense for your account. We’ll be partnering with LastPass to provide premium password management software for all SJSU students, faculty, and staff. We all know that we should have different passwords for every account we have everywhere. Still, all those passwords can be hard to remember and continually coming up with new ones feels like an uphill battle. LastPass will suggest, store, and autofill extra-secure random combinations of numbers, letters, and symbols for all of your accounts. Because LastPass encrypts all of your passwords, it’s much more secure than keeping them on a notepad or Google Doc. We’ll follow up with you on where and how to add SJSU LastPass to your devices later this semester.

Constant Vigilance
The first, best, and most effective defense against malicious actors is always you. The SJSU IT Information Security team has resources, training, and help for you to become a more critical user. I encourage you to explore our website, sign up for a Zoom training, and try some of the available security tools.

SJSU IT INFOSEC WEBSITE

Thank You
I know that not everybody finds information security as exciting a topic as I do. So I want to thank our entire university, all the way from incoming frosh to President Papazian, for taking data safety so seriously. Together, we can make SJSU the safest campus in the country.

Regards,
Bob Lim
VP of Information Technology
and CIO at San Jose State University

Hien Huynh
Information Security Officer
SJSU IT

SJSU IT Phishing Awareness Program Starts June 30

Colleagues,

Next week, our Information Security Office will begin their Phishing Awareness Program in support of our Technology Recovery Plan, building on our cybersecurity layering strategy.

As part of this program, our staff, faculty, and students will periodically receive simulated phishing emails that imitate real attacks. These emails are designed to create a realistic experience without putting employees or the university at risk for a security breach. Employees who respond to the fake phishing attempts are directed toward training and resources to help them recognize phishing attempts in the future without shaming anybody.  We’ve run this program multiple times over the last few years and the results have been great. The Information Security Office will now operationalize this procedure quarterly because a knowledgeable user base is a strong defense against cybercriminals.

This program is critical because many of our faculty, staff, and students are working and learning remotely, where security safeguards are not as robust as on our campus network.

Faculty and staff were notified about the program in a campus-wide email on April 22 and prior messages. We’ll send out five such email phishing simulations over the next six months, timed to avoid the first two weeks of school, finals, and other critical events on campus, as part of our normal business process.

1. Staff Only: June 30, 2020
2. Staff Only: July 30, 2020
3. Faculty & Staff: September TBD
4. Students Only: October TBD
5. Faculty & Staff: November TBD

SJSU IT will redact the identifying information on those that responded and offer security training for departments with higher susceptibility rates. If you have any questions, please let me know.

Thank you,
Bob Lim

 

Proactive Zoom Security Measures

Dear Colleagues: 

You may have read recent articles and news stories regarding security and privacy concerns with Zoom. As much of what we previously did face-to-face is now happening over Zoom, it’s important we understand what potential security issues exist within this platform, how some of these concerns may be addressed by enabling existing Zoom security features, and the new measures Zoom is taking to protect its users. SJSU IT and eCampus is committed to working with faculty, students, and staff to ensure appropriate security precautions are in place and to relaying our community’s concerns to Zoom.     

SJSU IT is actively monitoring news coverage of Zoom. Our Information Security Officer and Zoom account administrator are reviewing reports from information security researchers who have uncovered and documented vulnerabilities as they are published. We are in daily contact with other CSU Zoom administrators, Information Security Officers, and security industry leaders to ensure we understand the ramifications of any issues.  

eCampus and SJSU IT Resources
SJSU IT and eCampus have created an extensive Zoom FAQ, available here, answering questions found on various websites and forums. Ongoing training for Zoom is available from eCampus and within the next few days. eCampus will also be rolling out new training for faculty on Zoom security, privacy, and the Do’s & Don’ts of working with Zoom. We’re also sharing a quick-reference Do’s and Don’ts sheet.

SJSU IT Proactive Changes to Zoom Defaults
To improve overall Zoom meeting security and control who joins a Zoom meeting, we will be changing the default setting to only allow authenticated users to join meetings. This will require all participants to authenticate to SJSU Single Sign On before entering a meeting. Hosts will be able to change this default setting to not requiring authentication when scheduling a meeting with external participants. Please look for a message in the next few days with additional details and the specific date this change will be made. 

Zoom’s New Security Toolbar Icon for Hosts
Meeting hosts will now see an option in the Zoom meeting controls called Security. Visible only to hosts and co-hosts of Zoom Meetings, the new Security icon provides easy access to several existing Zoom security features. The Security icon replaces the Invite button in the meeting controls. The Invite button has been moved to the Manage Participants panel, and hosts can add additional guests there. This new icon will help hosts quickly find and enable many of Zoom’s in-meeting security features.

Zoom toolbar with new security button

By clicking the Security icon, hosts and co-hosts have an all-in-one place to quickly:

  • Lock the meeting
  • Enable the Waiting Room (even if it’s not already enabled)
  • Remove participants
  • Restrict participants’ ability to:
    • Share their screens
    • Chat in a meeting
    • Rename themselves
    • Annotate on the host’s shared content

Google Hangouts Meet Added to Canvas
In order to provide our faculty with additional options who are hosting small-session discussions, eCampus and SJSU IT have enabled Hangouts Meet as an option in Canvas.

It is also important to note that the Chancellor’s Office carefully assessed Zoom’s security provisions during the procurement process and ensured that the systemwide contract prohibits the company from selling personal data from any member of our CSU community. Based on what is known today, the Chancellor’s Office does not perceive that Zoom puts students’ staff or faculty members’  privacy at risk when used with good practices.   

While we use Zoom as part of our CSU-provided and vetted set of online tools, we are not advocating for Zoom. It is up to individual community members to decide if Zoom is the appropriate tool for their needs. To assist you in making this important decision, SJSU IT has developed and shared a frequently asked questions and answers document relating to Zoom use, privacy, and security and will keep you up-to-date on any Zoom issues that may impact our SJSU community. If you have any questions, please do not hesitate to reach out to us.  

 

Best regards, 

Hien Huynh
Information Security Officer

Simon Rodan
Professor, College of Business, Statewide Senator and liaison to the statewide Information Technology Advisory Committee  

Bob Lim
VP Information Technology and Chief Information Officer 

Ahmed Banafa
Cybersecurity Expert and Faculty member at the College of Engineering

Leslie Albert
Associate Professor, College of Business, Director of the Center for Organizational Resilience

Google Cloud Platform Workshop

In a first among the CSU system, Google partnered with the SJSU IT Division to host a workshop on some cutting-edge cloud technologies: Artificial Intelligence, Machine Learning, Decision Learning, and Data Engineering. Close to 500 Spartans (including students, faculty, researchers, and staff) signed up to attend the January 8-11 event in Clark Hall, though we could only fit 50 into a packed room. The workshop brought one of Silicon Valley’s biggest tech giants to campus and augmented academic knowledge with hands-on opportunities from a field expert, delivering on IT’s promise to bring enterprise-grade academic technology advancement to SJSU.

In a follow-up survey, 100% of respondents rated the workshop as Very Good or Excellent and 100% said they would attend a future workshop hosted by IT.  “The content of the workshop is very informational and advanced in the cloud platform field. The hands-on labs are interactive exercises those make me understand the concepts well and be involved in the learning process,” said one.

When asked valuable the session was in supplementing academic knowledge, 90% of the responders rated the workshop Very Good or Excellent. SJSU IT looks to roll this success forward into future events. Participants in the workshop expressed interest in a number of other topics for possible future workshops, with Artificial Intelligence and Blockchain leading the way followed by Cybersecurity and Virtual Machines.

Google’s instructor remarked that the attendees at SJSU were some of the quickest, most engaged he’s worked with. The feeling was mutual, with one attendee stating, “The instructor was very knowledgeable with what he teaches and gives very good presentations. He was very helpful with the labs.”

While many of participants were SJSU students, there were plenty of researchers, faculty, and staff, all gaining practice and experience with enterprise-level tools to carry into the classroom or implement within the university’s IT and research infrastructures. “Overall the topics covered on GCP was exceptional. SJSU is currently exploring the implementation of cloud-based BI and Predictive analytics strategy. The timing of these workshops is just perfect and they allow the technical team to perform comparisons and benchmark for the ideal solution that is beneficial to SJSU,” said Ravi Pisupati, a Senior Analyst & Project Manager with SJSU.

Thank you to everybody involved in making this event a success. It certainly didn’t go unnoticed, as one attendee commented, “The room had a speedy WIFI connection and wonderful setup screens. Thanks for organizing everything so well for us. Their effort and hard work made the intensive experience much easier.” I could agree more and want to specifically thank Joseph Chou and Willie Simon for their work on this event.

Best Regards,
Bob Lim