Cybersecurity Best Practices
The purpose of this article is to provide vital information to help the Bellevue University organization, the student body, and the greater Bellevue University community protect themselves against the most common types of malicious security threats and attacks from the Internet and technology-based sources. Knowledge and understanding of this information is important to protect you and the university as a whole, and may help to avoid situations that could lead to a loss of system access or irretrievable loss of data.
Perhaps the most important point to be aware of is that you, the user, are both the weakest link and the best defense against cyber attacks.
How do I create secure (and memorable) passwords?
For the majority of the websites and services we use, our passwords are sometimes the only thing between a cyber criminal and our data. Using a strong password is one of the easiest ways to protect that data.
The most recent password recommendations from the National Institute of Standards and Technology (NIST, SP 800-63-3, June 2017) are summarized below.
All of these criteria make any "brute force" attack, or simply the effort to guess a password, much more difficult and much more time-consuming. With a properly formed password, attacks of this type can be made effectively impossible given current technology.
- The longer your password is, the more secure it is. Bellevue University requires a minimum of 8 characters, but 12 characters or more is recommended.
- Use multiple character types, including "nonstandard" and "special" characters.
- Use long passphrases, or a long series of characters that cannot be found in a dictionary.
- Reset passwords if potentially compromised or forgotten. It's easier to change a password than to risk unauthorized access to your account.
- Multifactor Authentication (MFA). This feature is provided to all students through Bruin Connect.
In addition to those above, also consider...
What do I do if my account is "hacked?"
If you suspect that someone else has gained access to your Bellevue University account, these steps can help you to re-secure your account and block further unauthorized access.
- CHANGE YOUR PASSWORD! This is your first step to re-secure your account.
- Scan your computer for malware. Along with Windows Defender, built into the Windows operating system, MalwareBytes and SuperAntiSpyware are popular and effective scanning tools, and both offer free editions of their software.
- If you have any other accounts using the same password, change those passwords as well. If someone gets into one account, they will often try the same email address and password at other websites (Google, Facebook, etc.).
- Check for evidence of unauthorized access to your secondary or recovery email account, and change your password. Often, an attacker first gains access to your email account, then begins to use that account to gain access to your other accounts by resetting your password on those websites.
How do I avoid Phishing Emails?
Phishing emails, Spear Phishing, and Whaling are all terms related to email-based social engineering attacks that are designed to "lure" you into "taking the bait," which is the content of the message. The message will usually prompt you in some way, often using basic fear tactics, to convince you to click on a link, which then takes you to a fraudulent or "spoof" website, where you may be asked to provide login credentials, or personal and financial information, all of which gets sent directly to the attacker, rather than to the real website you have been made to believe you are at.
What to Look For
- Sent from an unusual or unexpected email address (of someone you know).
- Unexpected or outlandish threats.
- Message format (e.g. greeting)
- Mismatched URLs: For example, the text says "https://bruinconnect.bellevue.edu," but the embedded link goes to a different site (e.g. docs.google.com/forms, bruinconnect.be11vue.edu).
- Asking for login credentials or personal information.
- Asking for your credit card number.
- Requesting gift cards for payment.
- Unexplained attachments, especially those with unusual file name extensions (e.g. Report.doc.vbs).
- Improper spelling or grammar in what is otherwise a "professional" email.
What to Do (Or NOT to Do)
- Be Aware!
- Don’t Open It!
- Don’t Click It!
- Delete It!
- Call and verify with the person the message presumes to be from.
- Report it to your IT department.
How do I use Public Wi-Fi safely?
Public Wi-Fi "hotspots" are convenient, but may also pose a threat to your security. When joining a public access point, you are adding your device to that network, along with all the other devices attached to that network. The following tips will help you avoid exposure to possible attack.
- Make sure you are required to log into the network. Even if the password is given freely by the business owner or proprietor, this helps to guarantee that your connection to the access point is encrypted.
- Designate the network as Public. After connecting, when prompted by your operating system firewall software, select the "Public" network option. Doing so automatically disables access to file sharing and other networking features on your computer.
- Use HTTPS. HTTPS designates that your connection to that website is encrypted, from your browser to their server. Newer versions of the most popular web browsers will even warn you if you are on an "unsecure" site.
- Use a third-party VPN (Virtual Private Network) service. These services protect (encrypt) all network traffic from your device to the VPN service provider's servers. Your traffic then proceeds from there to the sites or services you are connecting to. Be sure to use a reputable and trusted VPN service, such as ExpressVPN, NordVPN, Mozilla VPN, or Google One VPN. There are many to choose from, and these are not free services. However, using a VPN is simply the most reliable way to secure your network traffic.
Additional Resource Materials:
The National Institute of Standards and Technology (NIST) - Special Publication Number 800-63-3 - "Digital Identity Guidelines"
Bellevue University IT Training: Passwords
Bellevue University IT Training: Phishing
Bellevue University IT Training: Mobile Security
Bellevue University IT Training: Cyber Attacks
Bellevue University IT Training: Physical Computer Security
Bellevue University IT Training: Social Engineering
Bellevue University IT Training: Web Usage