Newsletter

Keeping Information Security Simple – Congratulations: You are a Risk Manager and a Systems Administrator – Know It or Not, Like It or Not

Letter from the CISO, Vol 2 Issue 11

Washington University Community:

With Great Power Comes Great Responsibility

As Uncle Ben in Spiderman said to the young Peter Parker, “with great power comes great responsibility.” Thinking back to the way I learned to program computers in high school by writing FORTRAN code onto paper by hand, punching holes in cards, and then waiting two days for results, today’s computer systems and devices are miraculously powerful. However, with that power comes risk and responsibility.

Congratulations

You are the beneficiary and the custodian of that great power.

All of which means I’m obliged to inform you that – whether you know it or not – you are a Risk Manager and Systems Administrator. It may not be explicitly in your job description (perhaps only as “Other duties as assigned”), but it is still your responsibility.

Some of you are already fully aware of this and devote significant time and effort to making sure your computer, phone, game system, and household appliances are safe and secure. If you’d like a checklist to make sure you aren’t missing something, please read on.

For everyone else, here are the most important things you can do to manage your risks and protect your systems.

How to Protect Your Devices and Everything on Them

1) Consider security and privacy before you buy things.

There are many very inexpensive systems and devices on the market, from computers, tablets, phones, and game systems, to TVs, refrigerators, and toasters, to home automation systems, security cameras, doorbells, door locks, smoke detectors, thermostats, and vacuum cleaners. If a product seems very inexpensive, it may be missing important security features.

Sometimes their software can be updated automatically by companies you might not trust, or by the governments that control those companies.

Before buying electronic and computer devices, research their security capabilities, and read their reviews. Beware if they don’t support the features below.

2) Turn on full, automatic updates of the operating system, firmware, and applications.

One of the most common ways systems are compromised is through flaws in the software. Nearly all software has unknown bugs, and some of those bugs can be used by the people who discover them to gain access to your systems. Normally such bugs are fixed once they are uncovered. But if you haven’t turned on automatic updates, you won’t get the fixes. This can be okay for a while, but eventually, the bad actors will find your system, and then you will be in trouble.

3) Change default login passwords to long and unique passphrases.

Many systems come with default login passwords. Changing them to unique, long passwords or passphrases takes away an often-used avenue of attack. Generally speaking, long passphrases, even ones constructed by putting together 3 or 4 words, are more secure than short passwords that are hard to remember and type. It is also vitally important that you never reuse passwords on different systems. You still have to remember and be able to type this password, but if you follow my advice to use long passphrases in Letter From the CISO Vol 1 Issue 2, this shouldn’t be too difficult.
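To put numbers behind the claim that a few randomly chosen words beat a short complex password, here is an added worked example (not part of the original letter) that computes the entropy of each and generates a passphrase with the operating system’s secure random source. The word list, list size of 7776 and the 62-character alphabet are assumptions for illustration.

```python
import math
import secrets

# Constructed stand-in word list for demonstration only; a real diceware-style
# list has 7776 words, and list size is what gives a passphrase its strength.
SAMPLE_WORDS = ["apple", "river", "candle", "forest", "marble", "tiger", "violet", "anchor"]


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy in bits for `length` items, each chosen uniformly from `pool_size` options.

    This only holds when every item is picked at random. Words or characters a person
    chooses by hand are far more predictable, so real strength is lower than this bound.
    """
    if pool_size < 1 or length < 1:
        raise ValueError("pool_size and length must be positive")
    return length * math.log2(pool_size)


def passphrase_entropy(word_count: int, list_size: int = 7776) -> float:
    """Bits of entropy for `word_count` words drawn at random from a list of `list_size` words."""
    return entropy_bits(list_size, word_count)


def password_entropy(length: int, alphabet_size: int = 62) -> float:
    """Bits of entropy for a random `length`-character password over `alphabet_size` symbols
    (62 = upper- and lower-case letters plus digits)."""
    return entropy_bits(alphabet_size, length)


def make_passphrase(words, count: int = 4, sep: str = "-") -> str:
    """Join `count` words picked with secrets.choice (CSPRNG), never the `random` module."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare(word_count: int = 4, list_size: int = 7776,
            pw_length: int = 8, alphabet_size: int = 62) -> dict:
    """Return both entropy figures and whether the passphrase is the stronger choice."""
    phrase_bits = passphrase_entropy(word_count, list_size)
    pw_bits = password_entropy(pw_length, alphabet_size)
    return {
        "passphrase_bits": round(phrase_bits, 1),
        "password_bits": round(pw_bits, 1),
        "passphrase_stronger": phrase_bits > pw_bits,
    }


if __name__ == "__main__":
    print(compare())                  # four random words vs. eight random characters
    print(make_passphrase(SAMPLE_WORDS))
```

Four words from a 7776-word list give about 51.7 bits, while eight random mixed-case letters and digits give about 47.6 bits; the same four words from the tiny eight-word sample list give only 12 bits, which is why the size of the list matters as much as the number of words.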

4) Use a Password Manager.

If you follow the advice to use long unique login credentials, passwords, and passphrases, you will almost certainly want to also use a password manager. Password managers help you create, remember, and automatically enter long, unique passwords. They also help you avoid falling for phishing attacks because they won’t automatically enter your password in a website that is impersonating the one for which you have an account.

5) Turn on two-factor authentication (2FA) everywhere you can.

Just as WUSTL Key logins now require DUO 2FA, you should use Google, Microsoft, or other authenticators to secure other accounts, like social media or e-commerce. If they don’t support authenticator apps, 2FA via text message, email, or phone call isn’t quite as good but is still very worthwhile.

6) Enable backups of your information.

Many systems provide ways of backing up your information. For example, iPhones and Macs easily connect to iCloud, Android phones connect to Google Drive, and Microsoft Windows devices to Microsoft OneDrive or Google Drive. These are great choices for backing up personal information, but WashU data should be stored on either Box or Microsoft OneDrive.

7) Stay vigilant, skeptical, and a little paranoid.

I write these words almost every month because you are our best manager of cyber risk and ultimate defense against cyberattacks. Take the extra couple of milliseconds to be cautious of suspicious emails, hover over and examine links before you click on them, and don’t download or open attachments from unknown or unexpected senders. Please report any suspicious messages via the Phish Alert Button in Outlook or by following the directions for people who don’t use Outlook.

Special note for professional Systems Administrators

If your day job is as a sysadmin of WashU servers or endpoints, you should be:

  1. using WUSTL Key for authentication;
  2. running CrowdStrike or AMP;
  3. sending your server security logs to WashU IT’s Splunk server;
  4. installing patches and updates;
  5. backing up your data; and
  6. testing restoration procedures regularly.

If you need any help with any of these, please contact the Office of Information Security.

Thank you for reading and being members of the university’s information security team!

Good luck, and be careful out there!

-Chris Shull, CISO