Letter from the CISO, Vol 2 Issue 8
Washington University Community:
There has been a lot of news lately about the exciting and alarmingly adept Artificial Intelligence (AI) known as ChatGPT, which may be able to pass Alan Turing’s famous test of being indistinguishable from real (human) intelligence.
Some say this is the beginning of the end for many white-collar workers who analyze, synthesize, and write for a living and that schools and universities may have to change how they teach, assign homework, and grade.
Why is it relevant to Information Security?
At the simplest, it could generate better (worse) scam and phishing emails that are more difficult to detect as fraudulent and mass-customize them, making them harder to block technically. The Nigerian Prince scam (and its more subtle cousins) can now be customized for each of us and feature spelling and grammar that would make our high school teachers proud!
But that is just the beginning of the problem.
Another Big News Story
The compromise of the LastPass password manager also has been prevalent in the cybersecurity news lately. If you missed it, malicious actors apparently obtained the email addresses, website addresses, and encrypted passwords of LastPass subscribers.
This is not as bad as actually getting the unencrypted passwords, but if the LastPass subscriber used a weak password to encrypt all their other passwords, they better change all of them as soon as possible.
But it is still pretty bad because the malicious actors now know the websites where all those LastPass customers have accounts and might potentially use a tool like ChatGPT to customize phishing messages for all of them.
The Checklist Manifesto
If you are not familiar with it, “The Checklist Manifesto” by Atul Gawande is a popular non-fiction book describing how to improve the quality and consistency of many complex activities. The central idea is that simply by creating and following a checklist of the optimal or “best-practice” steps needed in processes, you increase the probability of enjoying better, more successful outcomes and dramatically curtail the probability of adverse results.
What Should We All Do?
As I always advise, to protect yourself, Keep Information Security Simple by doing a small set of very effective things. Over the past year and a half, many of my columns have spoken to “the one thing” you should do to protect yourself, your family, and WashU. Today’s “one thing” is a prioritized checklist of the most important things I have recommended. I acknowledge this is cheating because the one thing is really 11 things. You can start at the top and work down. If you have already done some of these, that is great! If not, it is never too late to start. Here is the checklist, with links to my previous columns on each of them.
|Stay vigilant, skeptical, and even a little paranoid.||Vol 1 Issue 3|
|Whenever possible, use long, easy-to-remember passphrases instead of short, hard-to-remember passwords.||Vol 1 Issue 2|
|Use 2-Factor Authentication everywhere you possibly can.||Vol 1 Issue 2|
|Use a Password Manager to make sure all your online accounts have different passwords and passphrases and use a special long one for your password manager.||Vol 1 Issue 3, Vol 1 Issue 11|
|Enable passwordless authentication where possible, such as using your thumbprint or facial recognition to unlock your phone or computer.|
|At WashU, report suspected phishing messages with the Phish Alert Button in Outlook.||Vol 1 Issue 1,|
Vol 1 Issue 4,
Vol 1 Issue 5
|Update your software automatically for both the operating system and your applications.||Vol 1 Issue 7|
|Ensure the physical security of your phone, your computer, and yourself.||Vol 1 Issue 4|
|Back up your important files.||Vol 1 Issue 5|
|Enable “Find My Device” services for all your mobile devices and computers.||Vol 1 Issue 6|
|Protect your privacy by being careful about the free services you sign up for.||Vol 1 Issue 8|
Thank you for reading and being members of the University’s Information Security team!
Good luck, and be careful out there!
-Chris Shull, CISO