As attackers figure out new ways to get around traditional multi-factor authentication, we must evolve to prevent fraudulent access to our accounts. The next wave of multi-factor authentication will fortify user accounts against phishing attacks. Unlike traditional multi-factor authentication, new approaches incorporate advanced techniques such as biometric authentication, hardware tokens, and push notifications to trusted […]
Many WashU community members create audio and video recordings in research, during meetings, while attending lectures, and in other circumstances. These recordings can be indispensable to a project because they document what was said with perfect fidelity for future reference and analysis. A transcript of the recording is even more helpful, making it easy to […]
Letter from the CISO, Vol 3 Issue 5 Washington University Community: It doesn’t seem fair… Last month I wrote about how the “right phish at the wrong time can catch anyone.” And this month, despite the fact it is Cybersecurity Awareness Month, we’ve had to deal with a wide range of innovative attacks against us […]
Cybersecurity Awareness Month 2023 is coming to a close. This year, we hosted three webinars, promoted key behaviors to encourage every employee to take control of their online lives, and published weekly newsletters full of original content authored by WashU’s Office of Information Security. Below, you will find a recap of some of the key […]
On WashU-supported Macs, you can now use firewall settings to turn on the firewall in macOS to prevent unwanted connections from the internet or other networks. To change these settings in the latest version of macOS, choose Apple menu > System Settings, click Network in the sidebar, then click firewall on the right. (You may need to scroll […]
When using social media platforms, it is wise to be careful about what you post. Cybercriminals can use what you post to entice you into clicking malicious links. Be Careful What You Post Any information you publicly post on social media could be used in a spear phishing attack. Spear phishing is when cybercriminals target […]
We encourage you to turn on multi-factor authentication for every online account or app that offers it. As time goes on, more websites and applications will offer multi-factor authentication, but it might not be turned on by default. Here are some guides on how to enable it for popular services:
Password managers are apps, browser plugins, or programs within your browser. They store your passwords in a vault and lock the vault behind a “master password.” It is safe to replace your password notebook Even though password managers are the best way to safeguard your passwords, you might worry that storing every password in an […]
Let a password manager do the work! A password manager creates, stores and fills passwords for us automatically. Then we each only have to remember one strong password—for the password manager itself. Search trusted sources for “password managers” like Consumer Reports, which offers a selection of highly rated password managers. Read reviews to compare options […]
When guessing passwords, hackers start with the most common passwords. According to research by NordPass, the top 10 passwords from 2022 are: Are any of your passwords on this list? Creating, storing, and remembering passwords can be an inconvenience for all of us online. Still, the truth is that passwords are your first line of […]
Mark your calendar Microsoft applications may require users to reauthenticate On the evening of October 20, WashU IT will enhance the university’s cloud-based Microsoft services. As a result, users may see authentication (login) prompts on Microsoft applications such as Teams, Outlook, Office, and OneDrive on their devices. These prompts are expected. Completing the WUSTL Key […]
Why it’s so important to update promptly If a criminal gets into a device through a security flaw, they will look for personal information and sensitive data to exploit. Technology providers issue software updates to “patch” security weak spots as quickly as possible. If we don’t install them, they can’t protect us!Software updates can also […]
Many of us receive a steady flow of emails every day, including bank statements, order confirmations, or sales promotions. To keep up, you may look through your inbox as quickly as possible—but do not forget to stay vigilant. Cybercriminals take advantage of haste and send dangerous, unexpected emails. Unusual Account Activity Detected One of the […]
Scammers can create fake login screens that are strikingly similar to legitimate ones. One of the login screens pictured above is our true WUSTL login screen, and the other is an imitation from a real scam. Can you spot the difference? To make this more challenging, we’ve cropped out the URL from each login screenshot. […]
In addition to using WashU email for work, most people use email in their personal lives, too. You can get an email from your aunt with her stew recipe or an email from your boss about an office party. But what if the email isn’t actually from your aunt or boss? Cybercriminals often pretend to […]
For more information about using generative AI at WashU, please visit Generative Artificial Intelligence (AI) – Information Technology (wustl.edu).
With the internet and social media, it can be difficult to avoid sharing personal information online. Having an online presence can be valuable, but sometimes sharing personal information is risky. If you want to know what information about you is online, Google yourself. Your Search Results If you Google your name, you may find public […]
The Washington University in St. Louis Office of Information Security supports education, research, and clinical care by protecting systems and data for everyone at our institution. Information security is essential to every member of our community, and we all share personal responsibility for ensuring the security of our systems. We continuously improve our systems and […]
Letter from the CISO, Vol 3 Issue 4 Washington University Community: How likely are you to click? A few years ago, I advised a company to conduct its first email phishing simulation, otherwise known as a “phish test.” The systems administrator enthusiastically crafted a test message that used a logo from the company’s website, included […]
October is Cybersecurity Awareness Month, a global effort to help everyone stay safe and protected when using technology whenever and however you connect. The Office of Information Security is proud to champion this online safety and education initiative this October. All month long, we are promoting these key behaviors to encourage every employee to take […]
The Office of Information Security is running a competition throughout October for Cybersecurity Awareness Month! WashU staff, faculty, and students can submit several entries to win up to $1,000 in BearBucks. Beginning September 28th, we will release three episodes of “The Inside Man,” a soap opera-style training that covers critical cybersecurity themes. Every Friday until […]
The Office of Information Security has identified a trend in which criminals send members of our community a Google Document containing a malicious link, in hopes that a victim may give up their credentials. In this more elaborate scam, hackers posed as Adis Avila, who is not an individual who works at our university, sending […]
Steve Bochte, Information Security Architect, brings a wealth of experience and enthusiasm to the InfoSec team. Steve remembers being interested in IT and security as a grade-schooler, and these fields still appeal to his love for fixing things and improving processes today. After taking the CISSP exam in 2007, he started exploring the world of […]
Letter from the CISO, Vol 3 Issue 3 Washington University Community: Welcome (back) to school! A friend recently shared that her son was assigned a roommate with whom he seems to have nothing in common. They’ve recognized and embraced their differences and are enjoying better, richer experiences because of it. This made me think that […]
The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you toward a few resources to help you protect yourself from cybercrime and understand how our office can support you. Guidance for Reporting Phishing Have you seen the Phish Alert Button? […]
Welcome back! We know you will be busy as the semester begins, so we have pulled together resources to help you with a variety of common security needs. See below for our roundup of guidance to help you get in the swing of the semester! Devices Device security is essential for protecting your privacy and […]
The Office of Information Security observes a trend in which criminals send a fraudulent order confirmation claiming the recipient will be charged almost $500. The criminals hope victims will call a phone number to refute the “purchase” and disclose their banking information. If you see a message like the one below, please do not interact […]
Shane Powell, Information Security Architect, is one of the newest members of the InfoSec team here at WashU. Originally, Shane is from Texas, but after many years of visiting St. Louis with his wife, they decided to move here in 2016. In his day-to-day work here, Shane “communicates with various groups throughout the university and […]
Letter from the CISO, Vol 3 Issue 2 Washington University Community: Is our best good enough? In the battle against malicious cyber actors, we are constantly challenged by more clever and sophisticated attacks. For example, for several years after we implemented DUO 2-Factor Authentication (2FA), the number of successful account-compromise attacks dropped to almost zero. […]
The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you toward a few resources to help you protect yourself from cybercrime and understand how our office can support you. Guidance for Reporting Phishing Have you seen the Phish Alert Button? […]
The Office of Information Security observes a trend in which criminals use a compromised email account to trick victims into divulging their WUSTL Key password. In this scam, criminals took over a legitimate email address from UT Health San Antonio and used it to send phishing emails. Victims who click on the phishing link are […]
Our Governance, Risk, and Compliance (GRC) team is fortunate to have three GRC Analyst Trainees this summer who are assisting with various InfoSec efforts. We are excited to have them on our team and would like to introduce you to each of them. Lindsey Wichman Lindsey Wichman is currently majoring in Computer Science with a […]
Our office is continually searching for the best ways we can serve you and help you secure your work and WashU’s resources. We regularly update our information security website (https://informationsecurity.wustl.edu) with the latest information and resources to help you navigate the increasingly complicated digital landscape. In addition to the great original content we post on […]
Letter from the CISO, Vol 3 Issue 1 Washington University Community: Do you like chocolate more than kale? Of course! In a recent keynote presentation at the Gartner Security and Risk Management Summit, Mary Mesaglio, a Managing Vice President who leads Gartner’s Executive Leadership Dynamics team, discussed the importance of getting people to care about […]
The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you toward a few resources to help you protect yourself from cybercrime and understand how our office can support you. Guidance for Reporting Phishing Have you seen the Phish Alert Button? […]
The Office of Information Security observes a trend in which criminals impersonate the sheriff’s office over the telephone. These scammers claim you signed for a subpoena, are an expert witness, or are a juror and never showed up for court and then demand payment. Along with a false accusation, scammers may list your personal information […]
With the new design of our Policies page, visitors can conveniently locate, search, and preview our office’s policies, standards, and guidelines. Along with a contemporary design, the three terms each include a brief definition. Understanding their differences can prevent confusion and help you find the information you need to carry out your work securely. So, […]
Hannu Turri, cloud security architect, is an integral part of the InfoSec team at WashU. Hannu comes to us from Finland, where he first served in the military and transitioned into IT, working as a CISO. After attending an AWS re:Invent event in Las Vegas, where he met his future wife a few years ago, […]
Letter from the CISO, Vol 2 Issue 12 Washington University Community: Are cyber threats like pop quizzes? I was recently asked, “How are cyber threats like pop quizzes?” I’ve realized this is an interesting question, but not in the way I originally thought. Initially, I thought of reasons they were similar. They are unexpected, test […]
The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you toward a few resources to help you protect yourself from cybercrime and understand how our office can support you. Guidance for Reporting Phishing Have you seen the Phish Alert Button? […]
Starting with our June edition, SECURED will have a new look. Information Security is a big part of the future of IT at WashU, so we are aligning our published content with the rest of the great information and news coming from WashU IT. You can learn more about WashU IT’s strategic plan on the […]
If you work with Protected Health Information (PHI), you have probably heard mention of a business associate agreement. At WashU, it is essentially a contract between WashU and a business associate concerning the handling of PHI. Who is a Business Associate? It is a person or entity outside of WashU who creates, receives, maintains, or […]
The Drug Enforcement Administration (DEA) is warning the public of a widespread fraud scheme where scammers impersonate DEA agents to extort money or steal personally identifiable information. DEA personnel will never contact members of the public to demand payment or sensitive information. No legitimate federal law enforcement officer will request cash or gift cards from […]
A campus-wide initiative is underway to improve computer security by installing the Splunk Forwarder and CrowdStrike on all servers by the end of June, as InfoSec Policy requires. The Splunk Forwarder gathers real-time log data from servers into a searchable repository. This log data can help detect and troubleshoot security incidents quickly and efficiently. CrowdStrike, […]
Letter from the CISO, Vol 2 Issue 11 Washington University Community: With Great Power Comes Great Responsibility As Uncle Ben in Spiderman said to the young Peter Parker, “with great power comes great responsibility.” Thinking back to the way I learned to program computers in high school by writing FORTRAN code onto paper by hand, […]
The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you to a couple of resources that will help you protect yourself from cybercrime and understand how our office can support you. We’d like to thank our challenge participants. We recently […]
These three fundamental cybersecurity concepts are related but have distinct meanings. Security experts define these three concepts in a variety of ways, and the terms threat and risk are sometimes used interchangeably. This article’s definitions come from paraphrasing Computer Security: Principles and Practice by William Stallings and Lawrie Brown. Each term can be thought of […]
The Office of Information Security has observed a trend in which criminals impersonate Chancellor Andrew Martin over text message. Impersonation is one of the most effective social engineering tactics used by scammers, and it can be particularly powerful when the person being impersonated is in a position of authority. If you see a message like […]
Armin Toric, Information Security Analyst I, is passionate about “protecting the university from cyber villains!” After attending St. Louis Community College and Ranken Technical College, Armin took advantage of CompTIA certifications and other cybersecurity boot camps. He took the initiative to obtain his Network+, Security+, and CySA+ certifications to build his skills around topics like […]