IT Security

"Passwords are like keys to your personal home online."

Here are some tips to keep your password protected:

DO NOT share your password with others

• That includes the help desk, co-workers, managers, friends and family.
• Passwords used on official PSU accounts should never be used for a personal account.

DO NOT make your password anything that can be easily found out about you

• It shouldn't be your pets name, the name of anyone in your family, the kind of car you drive.
• A strong password should be at least 8 characters long with a mixture of upper and lower case letters, special characters and numbers.
• Passwords should not be words found in the dictionary.

DO NOT use the same password for all your online accounts

• If one account gets compromised, then all your other accounts are at risk.

DO NOT write your password down

• Jot down a clue or a hint that will jog your memory.  If you have to write it down, keep it stored in a safe, secure place away from your computer.

DO NOT check the "remember my password box"

• Many programs have no built-in security measures to protect this information.  Some programs actually store the password in plain text in a file on the computer.

DO NOT keep the same password for months and months

• Change your password at least every 6 months.
• Changing your password often not only minimizes the chance that someone could guess or crack your password, it also shortens the length of time that person would have control of your system.

ITS will NEVER ask you for your password in an email - NEVER!

Here is a link to our current password policy.

https://www.pittstate.edu/it/information-technology-services/it-policies.html

Why do I need to change my password twice a year?

• Changing passwords periodically limits the amount of time that an attacker can access an account if he/she has guessed a password.
• Changing passwords periodically makes guessing a password harder.
• The university has adopted a password policy to protect our clients and to comply with the Kansas Information Technology Executive Council (ITEC) policy and guidelines

How do I change my password?

• Log in to GUS
• Computer Accounts and Passwords (left side menu)
• PSU Unified Password
• Password Change
• https://psuapps.pittstate.edu/UI/AccountManagement/ChangePassword/PasswordWizard

Password Recovery Options:

Password recovery options allow you to self-serve changing your password if you forget your password

• Log in to GUS
• Computer Accounts and Passwords (left side menu)
• PSU Unified Password
• Password Recovery Options
• https://psuapps.pittstate.edu/UI/AccountManagement/PasswordResetOptions/Index

What happens when I change my password off campus?

• BEST PRACTICE: Change your password on campus using your work computer so you are on the PSU domain (network).
• If you change your password using your work computer while off campus, your computer login will not get synced to the new password. Once you connect your computer to the PSU domain (network) your computer password will sync and you can use your new password.
• If you change your password from any other computer while off campus, your passwords will sync and you will be able to use your new password immediately.

What if I forget my password?

• Use the Forgot My Password link on the GUS log in page.
• Contact your tech or Gorilla Geeks Help Desk at ext. 4600.
• Use the following link: https://go.pittstate.edu/forgotpassword

Don't get Hooked!

How to Spot a Phishing email:

Who is the message From? Who is the Reply-To? 

• In Outlook if you hover over the From or Reply-To name or any clickable links, it will display the actual email address or web address.    

• It is easy to fake a From email address.  Don't be fooled even if the From is @pittstate.edu  

• Does the web address start with: www.pittstate.edu or go.pittstate.edu - if not, be suspicious.  Remember to hover your mouse over the link to see where the link will actually take you.

There is a sense of urgency.    

• If you don't take action right now your account will be closed.

The email asks for personal information.  

• Your email user name and password is personal information!
• Your credit card number or bank account information is personal information.

The email has bad grammar, odd formatting, or misspelled words.

• If it looks odd, be suspicious

The email is not signed by an actual person or there is no phone number to call for questions.

• The closing is from a generic "System Administrator", "Information Technology Services", or "IT Help Desk" instead of an actual person.

What if the email is from UPS, FedEx, airline, or cell phone company?

• There are lots of emails that "appear" to be from legitimate companies.  If you aren't expecting a package, purchased a plane ticket, etc... then be suspicious of these emails.  
  

• A safe practice is to go directly to the company's website and use that contact information.  Not the information provided in the email.
  

• Never click the links in an email and provide personal information.  Legitimate companies will not send an email asking for this information.
  

• Never open an attachment, unless you are expecting an attachment, even if it is from someone you know.
• Attachments are a common source of viruses and malware.  

NOTE:  With a spear phishing attack (very targeted attack), you may even see words like "ITS", "Outlook", "Pittsburg State University". The inclusion of these words does not make the email any more legitimate.  This just means the attackers have done their research.

Legitimate emails from PSU will NEVER, ever, ask for your password.

Universities and colleges have been targeted by spear phishing campaigns designed to steal user credentials for many years.  Stolen credentials are used for many purposes, such as sending spam from compromised e-mail accounts, optimizing search engine results for black market pharmaceutical web pages, gaining access to university-licensed resources, and hosting malware.

For roughly the past year, many of these campaigns have used harvested credentials to alter victim’s direct deposit information. Targeted individuals include both faculty and administrators from various departments. Several of the attacks appear to have specifically targeted individuals in university medical and dental programs. These e-mails often use subjects related to salary increases to lure victims into clicking on malicious links. Subject lines have included:  

• Your Salary Review Documents
• Important Salary Notification
• Your Salary Raise Confirmation
• connection from unexpected IP
• RE: Mailbox has exceeded its storage limit

The malicious links contained in these e-mails direct victims to webpages controlled by the attackers that look nearly identical to their university’s legitimate login portals. Once the attackers harvest the user’s credentials, the credentials are commonly used to access the victim’s payroll information and re-route direct deposits to a bank account controlled by the attacker. In at least one case, insurance policy information was also changed. The number of personnel targeted in these attacks also varies but reports indicate targets range anywhere from 15 to several hundred.

To view the entire document, CLICK HERE.

* REN-ISAC - Research and Education Networking Information Sharing and Analysis Center

The mission of REN-ISAC is to aid and promote cyber security operational protection and response within the research and higher education (R&E) communities.

Don't Get Scammed!

Phishing attacks can often take advantage of current events and certain times of the year

• Natural disasters (hurricanes, tornadoes, tsunamis)
• Epidemic and health scares (Covid, H1N1)
• Major political elections
• Holidays

How to avoid being a victim

• Be suspicious of unsolicited phone calls, personal visits, email messages, text messages asking for donations or personal information
• Never give your credit card or other personal information to someone or an organization you don't know
  - If you want to make a donation be sure to research the organization to make sure they are legitimate
• Beware of sound alike names
  - Fake charities will try and mimic the legitimate organization

Useful websites

• Wise Giving Alliance: www.bbb.org/us/charity
• Charity Navigator: www.charitynavigator.org

Facebook, Twitter, YouTube, Instagram, SnapChat, TikTok - Social Networking has become an integral part of our lives.  They are a great way to stay connected, but you should be wary about how much personal information you share.

Here are some tips for protecting your social networking life:

Continually monitor your privacy and security settings

• These settings change periodically.  Stay current with the apps you are using.

Once posted, always posted

• What you post online, stays online.  Posts, pics, and tweets never truly go away so be cautious and considerate when posting about yourself or others.

Keep personal information personal

• The more information you post about yourself the easier it is for hackers or someone else to steal your identity, access your data or commit other crimes like theft or stalking.

Know and manage your friends

• Periodically clean up your friends list and use tools to manage the information you share with different groups of people.

Be honest if you're uncomfortable

• If a friend posts something that makes you uncomfortable or you think it is inappropriate, let them know.

Know what action to take

• If someone is harassing or threatening you, remove them from your friends list, block them, or report them to the appropriate authorities.

For additional information: www.staysafeonline.org

Keep a Clean Machine

How do I prevent getting malware on my computer?

• Keep your anti-virus software, operating system, and web browser up-to-date.

• Turn on automatic updates if available.  Software updates help protect your computer against the latest threats and vulnerabilities.

• USB drives (flash drive, thumb drive) and other external devices can be infected.  Use your security software to scan them.

• Install or enable a firewall.  Firewalls may be able to prevent some types of infections by blocking malicious traffic to your computer.

• Don't follow links in emails making claims to good to be true.  The same goes for pop-up windows.  To safely close the pop-up window click the 'X' on the title bar, not the button in the window.

• Adjust your browser preferences to limit pop-up windows and cookies.

• Be very cautious when opening email attachments even if they are from someone you know and trust.  If it looks suspicious, contact the sender before opening it to make sure they sent it and it is legitimate

Payment Card Industry-Data Security Standards (PCI-DSS)

Set of requirements designed by the credit card companies (Visa, MasterCard, American Express, Discover and JCB), to ensure that all companies that process, store or transmit credit card information maintain a secure environment.

Why is being PCI-DSS compliant important?

Failure to comply could result in substantial fines and PSU could lose the ability to take credit cards.

Before you go

Review the US State Department website for travel warnings and tips about your location.  Travel advisories are not only issued for high risk areas but for COVID restrictions.  This website is a great resource for international travel tips, guidelines and general information.

1. Travel light. Take with you only what you need. If you can manage your trip without a laptop, tablet, and/or smartphone, leave them at home.
2. Avoid bringing devices that contain private data. 
   1. Evaluate the data you have stored on your hard drive and remove any sensitive/confidential data.
   2. It is recommended that you take a clean laptop with only the data you need for your trip.
      • Clear your browser history and cache, including saved usernames and passwords.
      • Delete any saved or favorite sites that could expose any personal information.
3. Encrypt your hard drive, USB flash drives, external hard drives and any other external storage (if allowed at your destination). These devices should remain with you at all times and should be transported in carry-on luggage.
4. Ensure smartphones and tablets are encrypted (if allowed at your destination) and protected by a PIN, passphrase, or biometric, such as a fingerprint or facial recognition. Remove all unneeded data, apps, and accounts from the device prior to travel. Register your device with a locator service such as Find My iPhone/iPad or Android Device Manager so that it can be wiped remotely if lost or stolen.
5. Change your passwords and PINs. Change your unified PSU password, and any passwords for Internet services you will access while traveling, such as Gmail or Facebook.  This includes PIN’s on tablets and smartphones.
6. Update your software, especially your anti-virus, operating system, and browser. Updates often correct security vulnerabilities. Therefore, it's important to alwayskeep your software up-to-date, especially before traveling.  If updates are necessary while abroad, download the updates directly from the software vendor’s website.
7. Setup VPN on your laptop. Before you leave the country, install and test your VPN connection. Always connect to VPN before accessing university resources.  When you connect your devices to Wi-Fi abroad, using VPN ensures that your data is securely sent over the Internet. This is important, as most public Wi-Fi networks cannot offer this protection.
8. Backup your computer. Talk to your tech about backing up the data on your device.
9. Determine if you need adapters or converters for your devices. Make sure you have the proper plug adapter. Modern laptops have "switching" power supplies that can use both standard AC and DC current in most countries, but wall outlets outside the United States are often a different style and may require you to use an adapter.
10. Leave a copy of your passport, itinerary, and important phone numbers with family, friends, or coworkers so they can quickly and easily access the information and get it to you in the event  your passport or other valuables are stolen.

 Visit the GUSVerify website for information regarding using Duo while traveling.

While you are there

1. Always connect to VPN before accessing university resources.
2. Avoid using public workstations. The security of public workstations or even a friend’s computer, especially in high risk countries, cannot be trusted.  When you use a public workstation, anything that you enter into the system - IDs, passwords, data - may be captured and used, so limit your activity to the devices that you bring. And never enter information such as bank account numbers, or credit cards numbers.
3. Be aware of your surroundings when logging in or inputting data into your devices. There have been many cases where an ID, password or a piece of confidential information had been compromised simply by watching the person input the information. Be discrete when entering your ID and passwords. “Shoulder surfing” and cameras pointed toward keyboards are common ways that credentials are compromised.
4. Be cautious clicking on pop-ups. This is especially true while using untrusted hotel Internet connections. Some pop-ups are actually scams designed to trick people into installing malicious software.
5. Beware of software updates.  Entities in foreign country have been know to push fake updates when a user connects to a local network so they can install malware and spyware.
6. Do not use USB-based public battery charging stations. “Juice jacking” attacks can install malware on your mobile device and/or copy data from your device.  Only use chargers you brought from home and know to be good.
7. Reset your Password if you think your account has been compromised. You can reset your passwords yourself on the GUS Portal: https://psuapps.pittstate.edu/UI/AccountManagement/ChangePassword/PasswordWizard?page=1 if you need assistance contact the Gorilla Geeks: 620-235-4600 or geeks@pittstate.edu.
8. Contact local authorities if your device is stolen. Also contact the IT Security Officer if your device is lost or stolen: ITSecurity@pittstate.edu.

When you return

1. Reset your any passwords you used while traveling. When you return to the U.S., you should reset your passwords. If passwords were compromised while you were abroad, changing them upon your return will render the stolen ones useless.
2. Have your tech scan for viruses and malware.

LastPass is a popular password management tool used to create, store, and manage passwords as well as other secure information.  In Dec 2022, they reported a security breach of usernames, passwords, and other sensitive data.  If you use LastPass personally, please see the following recommendations to secure your accounts.

1. Change your master password

2. Change all your other passwords :)

• Start with your critical accounts: online banking, financial records, credit cards, medical information, email, social media, online shopping where you have your credit card stored for easy checkout, etc...
• Do not reuse passwords

3. Enable multi-factor authentication (MFA) on any account that offers it.  Reject any MFA prompts that you did not initiate.

4. Monitor your financial accounts for fraudulent transactions.

Also, be aware that there is an increased likelihood of phishing and social engineering attempts referencing LastPass that aim to trick you into following a link, downloading an attachment, or providing information. Be vigilant. If an email is suspicious, do not follow links, download attachments, or reply. Even if you do not use LastPass, you may still be targeted by these phishing attacks.

Additional information can be found here.