Cybersecurity Best Practices
This article provides vital information for the Bellevue University organization and its student body, along with the greater Bellevue University community, to help protect against the most common types of malicious security threats and attacks from the Internet and technology-based sources. Knowledge and understanding of this information are important to protect you and the University and will help to avoid situations that could lead to a loss of system access or irretrievable loss of data.
IMPORTANT! The most important point to be aware of is that you, the user, are both the weakest link and the best defense against cyberthreats and attacks.
For many of the websites and services we use, our passwords are often the only defense between a cyberattack and our private data. Using a long, complex password is the simplest way to protect ourselves from an attack.
How do I create secure (and memorable) passwords?
The primary goal for passwords is to make attempts to "brute force," or simply guess a password much more difficult and take far longer to execute. Given current technology, a properly formulated password makes attacks of this type completely impractical and effectively futile.
Primary Factors for Strong Passwords
● The longer your password is, the more secure it is. Bellevue University requires a minimum of 8 characters, but 12 characters or more is recommended.
● Use multiple character types, including: UPPERCASE; lowercase; numb3rs; and "special" characters (e.g. !@#$%^&*()_+).
● Use long series of words or characters that cannot be matched by a dictionary search.
● Avoid common culture references, such as famous titles or quotes.
● Reset passwords if potentially compromised. It is much safer to change a password than to risk unauthorized access to your account.
● Multifactor Authentication (MFA). This feature is REQUIRED for all Bellevue University students, staff, and faculty to access University systems through Bruin Connect. Additionally, most financial institutions and many online services offer MFA or "Second Factor Authentication" (2FA). MFA is often the most effective method to protect your account from a "brute force" attack, or a case of your password being compromised.
In addition to those above, also consider...
● Use a Password Manager! What is a password manager? Using a password manager is the easiest way to avoid memorizing your passwords. It also greatly eases the task of never reusing a password.
● Use a Password Generator! What is a password generator? In conjunction with a password manager, a password generator relieves you of the task of trying to think up unique, complex passwords.
● AVOID ALL COMMONLY USED PASSWORDS! List of the most common passwords.
● Use a "Password Haystack!" What is a Password Haystack?
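As an added illustration of the password factors above (example code, not from the article or from University IT), here is a Python checker that applies the listed rules and estimates how long exhaustive guessing would take. The sample common-password set, the 32-character special-character alphabet and the 10^10 guesses-per-second rate are assumptions.

```python
import math
import re

# Policy values from the article: 8 characters required, 12 or more recommended.
MIN_LENGTH = 8
RECOMMENDED_LENGTH = 12
# Constructed stand-in for a full common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "bruins"}
# Character classes the article lists, with the alphabet size each one adds.
CHARACTER_CLASSES = {
    "uppercase": (re.compile(r"[A-Z]"), 26),
    "lowercase": (re.compile(r"[a-z]"), 26),
    "digits": (re.compile(r"[0-9]"), 10),
    "special": (re.compile(r"[^A-Za-z0-9]"), 32),  # 32 is an assumed alphabet size
}

def check_password(password):
    """Return (ok, findings); ok is False only when a hard rule fails."""
    ok, findings = True, []
    if len(password) < MIN_LENGTH:
        ok = False
        findings.append(f"shorter than the required {MIN_LENGTH} characters")
    elif len(password) < RECOMMENDED_LENGTH:
        findings.append(f"meets the minimum, but {RECOMMENDED_LENGTH}+ is recommended")
    if password.lower() in COMMON_PASSWORDS:
        ok = False
        findings.append("appears on the common-password list")
    used = [name for name, (rx, _) in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(used) < 3:
        findings.append(f"uses only {len(used)} character class(es); mix at least 3")
    return ok, findings

def guess_space_bits(password):
    """log2 of the brute-force search space: alphabet size ** length."""
    alphabet = sum(size for rx, size in CHARACTER_CLASSES.values() if rx.search(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def years_to_brute_force(password, guesses_per_second=1e10):
    """Worst-case years to exhaust the space at an assumed (constructed) guess rate."""
    seconds = 2 ** guess_space_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)

if __name__ == "__main__":
    for candidate in ("password", "Password1", "Bruin!Conn3ct2024"):
        ok, notes = check_password(candidate)
        print(candidate, "OK" if ok else "REJECTED", notes,
              f"{years_to_brute_force(candidate):.2g} years to exhaust")
```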
What do I do if my account is "hacked?"
If you suspect that someone else has gained access to your Bellevue University account, these steps can help you to re-secure your account and block further unauthorized access.
● CHANGE YOUR PASSWORD! This is your first step to re-secure your account.
● Scan your computer for malware. What is a malware scanner? Along with the security software built into our operating systems, there are additional lightweight and effective malware scanning utilities available for free. However, not all are created equal. It is recommended that you perform sufficient research on what is available and what is most recommended (and safe) before downloading any software from the internet!
● If you have any other accounts using the same password, change those passwords as well. If someone gets into one account, they will often try the same email address and password at other websites (Google, Facebook, etc.).
● Check for evidence of unauthorized access to your secondary or recovery email account, and change your password. Often, an attacker first gains access to your email account, then begins to use that account to gain access to your other accounts by resetting your password on those websites.
How do I avoid Phishing Emails and SMS/Text Messages?
Phishing, Spear Phishing, or Whaling are all terms related to email or SMS/text-based social engineering attacks that are designed to "lure" you into "taking the bait," all by using purposely familiar content in the message. The message will usually prompt you in some way, often using basic fear tactics, to convince you to reply or click on a link, which then takes you to a fraudulent "look-alike" or "spoof" website. You may be asked to provide login credentials, personal or financial information, or even your password, all of which gets sent directly to the attacker.
What to Look For
● Messages sent from an unusual or unexpected email address.
● Unexpected requests or threats, such as "Your account will be locked/deleted."
● Messages with unusual formatting or improper grammar.
● Mismatched links: For example, the text says "https://bruinconnect.bellevue.edu," but the embedded link goes to a different site (e.g. docs.google.com/forms, bruinconnect.be11vue.edu).
● Asking for login credentials or personal information.
● Asking for your Credit Card or Bank information.
● Requesting payment of any type.
● Unexplained attachments: Especially those with unusual file name extensions (e.g. Report.doc.vbs or Report.exe).
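To show how the mismatched-link and unusual-attachment indicators above can be checked mechanically, here is an added Python example (not from the article or from University IT) that scans a constructed HTML message body. The trusted host list, the extension lists, the digit-for-letter substitutions and the 0.85 similarity threshold are assumptions.

```python
import difflib
import re
from urllib.parse import urlparse

# Constructed values: University hosts to trust, and the extension types the
# article warns about (Report.doc.vbs, Report.exe).
TRUSTED_HOSTS = {"bellevue.edu", "bruinconnect.bellevue.edu"}
EXECUTABLE_EXTENSIONS = {"exe", "vbs", "js", "scr", "bat", "cmd", "ps1", "hta"}
DOCUMENT_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "txt"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # digit-for-letter swaps
# Simplified anchor extractor for a mail body (a real filter should use an HTML parser).
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.I)

def host_of(url):
    """Hostname of a URL, tolerating link text written without a scheme."""
    return urlparse(url if "://" in url else "http://" + url).hostname or ""

def lookalike_of(host):
    """The trusted host that `host` imitates, or None if it is trusted or unrelated."""
    candidates = () if host in TRUSTED_HOSTS else TRUSTED_HOSTS
    for trusted in candidates:
        ratio = difflib.SequenceMatcher(None, host.translate(HOMOGLYPHS), trusted).ratio()
        if ratio >= 0.85:  # threshold is an assumption; tune it against real mail
            return trusted
    return None

def mismatched_links(html):
    """Flag anchors whose shown URL and real target differ, or whose target imitates a trusted host."""
    findings = []
    for href, inner in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()  # drop nested tags such as <b>
        target = host_of(href)
        if URL_LIKE.fullmatch(text) and host_of(text) != target:
            findings.append(f"text shows {host_of(text)} but link goes to {target}")
        elif lookalike_of(target):
            findings.append(f"{target} imitates {lookalike_of(target)}")
    return findings

def suspicious_attachment(filename):
    """True for executable or doubled extensions such as Report.doc.vbs or Report.exe."""
    parts = filename.lower().split(".")
    return parts[-1] in EXECUTABLE_EXTENSIONS or (len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS)

# Constructed sample message body showing each indicator.
SAMPLE_MAIL = ('<p>Your account will be locked! Verify at <a href="https://docs.google.com/forms/x">'
               'https://bruinconnect.bellevue.edu</a> or <a href="https://bruinconnect.be11vue.edu/reset">'
               'Reset your password</a>. Help: <a href="https://bruinconnect.bellevue.edu/help">'
               'bruinconnect.bellevue.edu</a></p>')
```

Running `mismatched_links(SAMPLE_MAIL)` reports the first two anchors and leaves the genuine third one alone.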
What to Do (Or NOT to Do)
● Be Aware!! Stop and think, "Does this request make sense?"
● Don’t open it! Don’t click it! Delete it!
● Look at and verify QR code links BEFORE visiting the page. Your phone or other device should allow you to see the link you're about to visit before proceeding. Never take it for granted.
● Before replying, clicking, or opening unexpected message content, call the apparent sender and verify that it's authentic and intentional.
● Report the message to your IT department.
How do I use Public Wi-Fi safely?
Public Wi-Fi "hotspots" are convenient, but may also pose a threat to your security. When joining a public access point, you are adding your device to that network, along with all the other devices attached to that network. The following tips will help you avoid exposure to possible attack.
● Make sure you are required to log into the network. Even if the password is given freely by the business owner or proprietor, this helps to guarantee that your connection to the access point is encrypted.
● Designate the network as Public. After connecting, if prompted by your operating system networking software, select the "Public" network option. Doing so automatically disables access to file sharing and other networking features on your computer.
● Use HTTPS. HTTPS designates that your connection to a website is encrypted, from your browser to that webserver. Most popular web browsers should also warn you if you are on an insecure site.
● Use a third-party VPN (Virtual Private Network) service. What is a VPN service? These services encrypt all network traffic from your device to the VPN service provider's network. Your traffic then proceeds to the intended websites or services from that network. Always be sure to use a reputable and trusted VPN service provider! There are many to choose from, and they usually require a monthly fee.
Additional Resource Materials:
The National Institute of Standards and Technology (NIST) - NIST Computer Security Resource Center | CSRC
Bellevue University IT Training: Passwords
Bellevue University IT Training: Phishing
Bellevue University IT Training: Mobile Security
Bellevue University IT Training: Cyber Attacks
Bellevue University IT Training: Physical Computer Security
Bellevue University IT Training: Social Engineering
Bellevue University IT Training: Web Usage
To provide feedback on this article, contact Bruin Support Services!