Securing Our Information: Testing, training, and 12-character passwords
As announced in February’s issue of Discover IT, an increased focus on information security and changes in UW System policies have led to several UW-Platteville initiatives meant to protect University data as well as our own.
As part of our ongoing efforts to increase phishing awareness, ITS began conducting controlled phishing campaigns over the last several months. The purpose of these exercises is to:
- Provide phishing simulations for email account holders to receive and evaluate phishing email messages
- Evaluate our current level of cyber security awareness to determine training needs
- Increase awareness and sensitivity around phishing emails
- Provide education on methods for detecting phishing email messages.
A quick search of recent technology headlines will reveal scams at some of the world’s largest companies like Gmail and PayPal. UW-Platteville is not immune to such attacks. As they say, “The best defense is a good offense.” Pioneers need to be skilled at identifying malicious messages when they arrive. How do we do this? Practice, practice, practice.
So, how did we do?
Excellent: The ITS Help Desk received literally hundreds of reports of suspicious mail during the controlled campaigns. Thank you! Reporting suspicious messages not only allows our staff to reduce the risk by disabling embedded links, it provides us a “big picture” of the scope of the attack, which determines how and when we communicate to campus.
Very Good: Many Pioneers simply deleted the messages without reporting. That works too! If you don’t have time to report, protect yourself, your information, and the University by simply getting rid of the email.
Needs Improvement: Some Pioneers did click the links embedded within the emails, potentially compromising their accounts. Between 5% and 25% of the people phished fell victim to the “attacks”, depending on the campaign. These folks were met with tips and information that hopefully reduces their risk the next time.
The best news is that no real information was at risk or stolen during these controlled phishing simulation exercises. Pioneers were provided a safe place to test their awareness and perhaps pick up some valuable tips without compromising their accounts or their identities.
Maintain that healthy sense of paranoia
Controlled phishing simulation exercises will continue at UW-Platteville, for all our sakes. The types of messages will become more and more sophisticated to improve our skills and keep them sharp.
Malicious phishing will definitely continue as well. There’s no way to tell the difference between the two – either on campus or in your personal business. ITS recommends treating every suspicious message with the same healthy sense of paranoia.
- Educate yourself by checking out real-life phishing samples in the ITS Knowledge Base and other resources at /its/technology-mashup-resources-january-2017
- Continue to report phishy messages to the ITS Help Desk on campus (or to your personal provider at home)
- And remember – ITS will never ask for your username and password in an email – or via a link within an email. Never, ever. Seriously!
Education is a vital component of any awareness program. In Fall 2016, UW System implemented a policy requiring all System employees to complete information security awareness training within 30 days of employment and annually thereafter.
- Read the policy at https://www.wisconsin.edu/uw-policies/uw-system-administrative-policies/information-security-awareness/
For faculty and staff, UW-Platteville has contracted with the SANS Institute to provide self-paced training aimed at preparing the whole person, not just the employee. The Securing the Human program consists of a series of video tutorials and online quizzes. Past versions of this training have been used by select departments that deal with sensitive information. To be compliant with the new UW System policy, all employees will be required to participate going forward. Watch for an email in the coming weeks with more details about this important initiative.
In addition to security awareness, UW System has implemented an authentication policy and procedures requiring additional security controls, including stronger passwords on campus accounts and the use of multi-factor authentication when accessing sensitive data. The changes introduced by UW System are intended to decrease the risk of an individual’s password being guessed and used by an unauthorized individual to gain access to University resources.
- Read the policy at https://www.wisconsin.edu/uw-policies/uw-system-administrative-policies/information-security-authentication/information-security-authentication/
UW-Platteville password policy changes will go into effect later this spring, including an increase in the minimum number of characters from eight to 12. Watch for more information in April.
Information security is everyone’s business, and we appreciate your cooperation and vigilance as we roll out these changes that serve to make you and UW-Platteville more secure. If you have questions about any of these information security initiatives, please contact the ITS Help Desk at 608.342.1400 or firstname.lastname@example.org.
Contributions by Louann Gilbertson, Information Security Officer; Mike Sherer, Deputy CIO and director of ITS Systems & Infrastructure; with Deb Meyer