Letter from the CISO, Vol 4 Issue 11
WashU Community:
Confession time
I have two confessions to share.
First, I have failed phishing tests. Not the ones I’ve seen and approved for use (thank goodness), but ones that caught me at the wrong time in the right way. It can happen to anyone. As I wrote back in September of 2023, “The Right Phish at the Wrong Time Can Catch Anyone”.
The important thing is to learn from the experience. This brings us to WashU IT’s theme for the month of April: “Growth and progress – Investing in yourself and your community.”
And my second confession: I am taking great pleasure from a silly series of science fiction novels (the “Bob and Nikki” series by Jerry Boyd). One of the recurring themes is that “Murphy is our shepherd, because he challenges us and makes us strong.” Normally, I don’t confess to my reading addiction or even think it’s a problem. But I feel a little guilty because this is far from great literature. The grammar and writing style are loose and informal, which seems appropriate since the stories are told from the perspective of the main character Bob, who is (in his own words) a hillbilly from rural Missouri. I’m reminded of the pulp westerns Louis L’Amour cranked out in the 1930s and 40s, but much sillier. If you like fast-moving action with lots of bad jokes and amusing plot twists, I recommend it highly as a guilty pleasure!
And the point is…
Having gotten the confessions out of the way, I wanted to share the motto of Bob’s company, “Murphy is our shepherd.” It provides a wonderfully pithy, memorable, and humorous way of remembering what we always need to be alert and prepared for: “a visit from Murphy,” i.e., bad things happening. It is less directive but more memorable than my motto of “Keeping Information Security Simple” and my mantra of “please be vigilant, skeptical, and a little bit paranoid.”
In many ways, “Murphy is our shepherd” could be a metaphor for our times, but it certainly applies in the arena of cybersecurity.
Every day offers new challenges and opportunities to grow stronger. Innovative cyber criminals continuously make news with successful attacks on companies and institutions.
My team is charged with leading improvements to our defenses and helping everyone at WashU be better prepared to detect and respond when attackers figure out another way to pierce our defenses.
Start with technical defenses
WashU has invested substantially in our cyber defenses and has made it significantly more difficult for nefarious actors to hack into our systems directly, to phish you for your login credentials, or to con you into downloading malicious programs.
Knowing that no defense can ever be perfect, we’ve also deployed an array of tools to detect when something bad starts to happen and alert us so we can stop it before much damage occurs. Your use of the Phish Alert Button in Microsoft Outlook has been critically important to this effort.
Together, these two sets of protective and detective approaches have prevented and stopped many thousands of attacks.
You can also use the tips I’ve shared in previous columns to address security concerns in your personal lives.
Technical defenses can only do so much
As mentioned above, technical defenses can’t be perfect, meaning we must rely on your help.
Almost all security measures are obstacles to doing work, no matter how much effort we put into reducing the friction they create. Sometimes, the technical defenses even seem to be more trouble than they are worth. But please know that we never deploy these defenses unless the value is clear and significant.
Many of them work behind the scenes and require little or no action on your part. Sometimes we need your help. If a suspicious message gets through our defenses, we rely on your reports of suspicious messages via the Phish Alert Button.
Similarly, we depend on everyone noticing suspicious texts, social media messages, websites and webpages that are a little off, and pausing to report them to the Office of Information Security.
The extended InfoSec team
I usually wrap up my column by encouraging everyone to be “vigilant, skeptical, and a little bit paranoid.” Today, I’ll go further and say that we are all depending on you to do so.
Additionally, I’ll say your family, friends, and neighbors are also counting on you to help them be secure in their lives. Please refer to the Cyber Security Buddy checklist for a few very practical things you can do to help everyone improve their security.
You are all vital parts of the university’s Information Security team!
If you need help with any of these ideas, please contact your colleagues in the Office of Information Security.
Thank you for reading my column and for being part of the team.
Good luck and be careful out there!
-Chris Shull, CISO