Letter from the CISO, Vol 3 Issue 7
Washington University Community:
Holidays and the joys of giving and receiving (safely)!
As we are in the middle of the holiday season, it’s easy to get caught up in the joyous atmosphere and excitement of finding the perfect gift or the muted pain of receiving an ugly sweater. However, amidst the celebrations and warmth of shared moments lurk ominous threats that can dampen the festivities. These threats can range from the ransom and theft of sensitive personal and university data and systems to financial losses due to various swindles and scams. This holiday season, it’s crucial to adopt a mindset that combines the joy of giving with a vigilant approach to safe computing, especially with sensitive information.
“The Joy of Giving” extends beyond the exchange of tangible gifts to encompass the sharing of experiences, love, and warmth with family, friends, and colleagues. However, in the digital age, the joy of giving can inadvertently expose individuals and organizations to cyber threats. Cybercriminals are adept at exploiting the holiday season, capitalizing on the increased volume of online transactions, festive communications, and the general sense of goodwill.
To counter these threats, WashU community members should remember such timeless advice as “if it seems too good to be true, it probably is!” as well as my frequent admonition for everyone to be “vigilant, skeptical, and a little paranoid.”
Gifts we must take
Sometimes we get gifts we don’t really like. For me, as a kid, it was homemade itchy wool sweaters.
Last month, I wrote anticipating our implementation of DUO Verified Push in response to criminals who had become too successful at socially engineering their way past regular DUO Pushes. This month and into the new year, WashU IT will be working with people who use DUO’s “Call Me” Two-Factor Authentication (2FA) method to find a more secure method that works for them.
I hate changes (giving gifts) like this that make the basic process of logging in more difficult. Unfortunately, the success of hackers conning people into approving regular DUO pushes has grown to the point that this change is essential.
For now, I thank you all for your willingness to help with this change while promising we are always looking for ways to make information security easier.
The most important thing
I always try to boil down my monthly cyber security advice to a single most important thing, and usually, that is being “vigilant, skeptical, and a little paranoid.”
In my August 2023 column, I encouraged everyone to be a cyber security buddy for friends and family members. Please see “Keeping Information Security Simple – Who’s your cyber security buddy?” for a short checklist of things you might want to do to protect your loved ones this holiday season, especially if they get new computers and smart devices.
This month I argue that the most important thing is to help create a strong social cyber safety net for your loved ones. Please be the person they call when they see something suspicious!
This is the role I play for my elderly mother. For the past couple of years, she had been receiving 20-30 phone calls a day on her old-fashioned landline phone. I wanted to switch her to a cell phone and block all unknown numbers, but she was unable to learn how to use one. Making the situation worse, she was unable to ignore calls, even ones that clearly identified the caller as “SPAM.” And then she would talk to them, sometimes at great length, even going to her computer and trying to follow their instructions so they could help her with whatever scam pretense they were using!
This fall I victoriously set up a cellphone to block all unknown callers to her old phones. Now, visiting her isn’t a nightmare of constant ringing, and being away from her isn’t a nightmare of not knowing who will con her out of her credit card or bank account number.
Call to action
Over the holidays, as you spend time with friends and family, please share the gift that keeps giving — cyber security!
If you need help with any of these ideas, please contact the Office of Information Security at infosec@wustl.edu or 314-747-2955.
Thank you for reading, and for being members of the university’s Information Security team, as well as cyber security gift givers!
Good luck, and be careful out there!
-Chris Shull, CISO