Protect Yourself: Methods to Protect your SMU Accounts and Data

We’ve all been there. After a long busy day in classes you rush to print out that big project at the library. Your class is just five minutes away, so you rush away without logging off of the public computer. We always like to think of our fellow classmates as trustworthy and caring people, but with security breaches on the rise, it’s best to take every precaution possible when using your SMU account.

News articles constantly talk about “hackers” gaining passwords to an individual’s account. One of the most recent victims was none other than CIA director John Brennan. The high-schooler that “hacked” Mr. Brennan’s personal AOL account didn’t really use any hacking or technical expertise to get access to the account; he just simply acted as if he was Mr. Brennan during a fake technical support call. Many other examples include nefarious individuals simply calling people asking for their passwords. This makes it extremely important to keep your personal information private and to never offer it to others.

The best way to keep your SMU information yours is to always fully log out of any services you use when you’ve finished using them. Always log out completely from any public computers on or off campus to prevent anyone from walking up and accessing your information. Most public computers on campus are set to completely wipe any information saved on them when restarted.  Restarting the computer, if possible, would be the most secure option.

Here are a few other quick tips that can make your account more secure:

  • Use a PIN or touch pattern to lock your smart phone or tablet. The longer and more complex the better!
  • Use a password manager like LastPass, 1Password or KeePass to save your passwords securely and to generate random and secure passwords automatically.
  • NEVER give your password to anyone, even if asked by someone saying they provide technical support.
    For example, the SMU Help Desk will never ask you for your password, so if anyone claims they are from SMU and asks for your password, end the conversation and contact the Office of Information Technology immediately!
  • Don’t leave your personal devices logged on and unattended. Not only could the devices be physically stolen, but the perpetrator can also steal your information. If you must leave your device, make sure it’s at least locked.

By following these tips, you can help make your information even safer from the threat of cyber attacks. If you have any questions on how to stay secure, call the Help Desk at 214-SMU-HELP or drop us a line at help@smu.edu.

Thinking of Using SMU Email for Your Marketing? Think Again.

With over 11,000 students available to you through the Outlook address book, you might think this is a great group to market your services or product. They are SMU students. You are an SMU student. You have that natural connection, and why wouldn’t they like the bag you designed on Etsy that is perfect for Boulevarding? Or maybe you speak four languages and really could help that struggling student in German – if they only knew you were available. The problem occurs when you click that send button. At that point, your email becomes a violation of SMU policy and that can cause problems for you.

As George Finney, Chief Security Officer at Southern Methodist University, explains, “This is a violation of our bulk email policy and it also uses SMU resources for a commercial venture… As a non-profit, SMU’s tax-exempt status requires us to not allow this.” If you are found in violation, OIT will prevent further email distribution by you, and block access from campus to any 3rd party email address listed in the message. You basically get marked as a spammer. Also, your account will be reviewed and if further action is warranted, it will be taken.

If you have questions about email policy, please feel free to contact the Help Desk at 214-768-HELP. For more information on University policies, please review the official University Policy Manual at smu.edu/policy.

Password Managers: What are they and should I use one?

Those who find it challenging to manage multiple passwords for different accounts might consider using a password manager, also known as a password vault.

A password manager is a piece of software that helps you organize your passwords or PIN codes. It is typically a local database that encrypts passwords, and the database itself is opened with a master password. Some password managers also act as a form filler: when a particular website is launched and prompts for a username and password, the password manager recognizes the request and automatically fills the username and password into the form. This type of password manager can be used as a defense against “phishing,” as it is set up to handle automated logins to a particular site and will not work with an imitation or look-alike website.

Some password managers include a password generator.  In this case, when you define an entry in the database for a password, the password manager can generate a password that can be stored and used as needed.  There are also password managers that are available online.  This type of tool is a web based version similar to a desktop password manager, but allows for more portability.
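The form-filling and password-generating behavior described in the two paragraphs above can be sketched in a few lines of Python. This is an added example, not code from any of the password managers named on this page; the Vault class, the hostnames and the username are made up for illustration, and the encryption of the database is left out to keep the focus on site matching.

```python
import secrets
import string
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_password(length=20):
    """Random password drawn from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def origin(url):
    """Reduce a URL to (scheme, host, port): the identity a form filler matches on."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "").lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"https": 443, "http": 80}.get(scheme)
    return scheme, host, port


class Vault:
    """Hypothetical in-memory stand-in for the encrypted password database."""

    def __init__(self):
        self._entries = {}

    def save(self, url, username, password=None):
        """Store a login for the site, generating a password if none is given."""
        password = password or generate_password()
        self._entries[origin(url)] = (username, password)
        return password

    def autofill(self, page_url):
        """Return credentials only when the page's origin matches a saved one exactly."""
        key = origin(page_url)
        if key[0] != "https":
            return None  # never fill a page that is not served over TLS
        return self._entries.get(key)


# Constructed sample data: hostnames and username are placeholders.
vault = Vault()
stored = vault.save("https://login.example.edu/sso", "jdoe")
genuine = vault.autofill("https://login.example.edu/sso?next=/mail")
lookalike = vault.autofill("https://login.examp1e.edu/sso")  # digit 1 for letter l
deceptive = vault.autofill("https://login.example.edu.phish.example/sso")
```

Only the genuine page gets the saved login. The two imitation addresses look convincing to a person but are different hosts to the software, so nothing is filled in.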

Password managers have pros and cons.  Some of the pros are listed above, while one of the main cons is that if your computer (or phone if you have a password manager on your smartphone) is lost, so are your passwords.  Even though they may be protected and encrypted inside of the password manager, you no longer have access to that information.

(A few password manager tools are KeePass, LastPass, RoboForm, Kaspersky Password Manager and 1Password)

Phishing Exercises Coming Soon.

No. It’s not about fish doing Zumba.

Twice per year, SMU conducts a simulated phishing exercise where the University sends a simulated phishing message to employees based on the types of phishing messages we have most recently received. Last year, over 100 SMU accounts were compromised due to users falling victim to these attacks, so we are committed to reducing our click-through rate through user education and awareness. When we started the simulated phishing awareness campaigns in 2013, we saw a 40% click-through rate. In 2014, we reduced that click-through rate to 20%. In our first campaign of 2015 that number had dropped to just 10%.