Letter from the CISO, Vol 2 Issue 2
Washington University Community:
Why Do Cars Have Brakes?
Why do cars have brakes? The obvious answer is that they help cars slow down and stop.
The “real” counter-intuitive reason is that brakes let cars go fast.
Imagine the panic and fear of being in a car that loses its brakes. I hope this hasn’t ever happened to you, but you may have had a similar experience driving in bad weather where the road is covered with water, snow, or ice. Brakes allow cars to go fast because they are able to slow down and stop when they need to.
Information security performs the same function for information technology, allowing the university to move quickly!
More broadly, information security also provides or supports many other “rules of the road,” including vehicle inspections, driver education and licensing, guard rails, solid and dotted lines on roads and highways, hazard warnings, and even highway design features like camber and those little slots in the road that help prevent hydroplaning.
In information security, we are constantly trying to understand the greatest threats to the confidentiality, integrity, and availability (commonly referred to as CIA in information security circles) of our information and systems so that we can implement “brakes.” We call those “brakes” controls, which help reduce those risks even if many other drivers on the road are trying to make you crash!
The greatest threats presently center on email, so we’ve implemented many technical controls to prevent its abuse, such as WUSTL Key 2-Factor Authentication (2FA) logins, the safe-links & safe-attachment features in Office 365, and more.
However, the most important “brake” continues to be your skepticism and willingness to take just a few seconds to think about what you are being asked to do in an email message, text message, or even a phone call.
A new way to hack your account
Our readers might not yet be aware of a new tactic malicious actors use to trick you out of your username, password, and 2nd factor. I heard a recent story that illustrates the threat. In brief, a Senior Vice President at a major international bank had approved over 80 2FA push requests from Russia (when he was neither in Russia nor trying to log in). He justified this behavior because he had been told to tap “approve” when prompted and because no one had told him /not/ to approve requests when he wasn’t actively logging in!
You may laugh, but this is a fairly common problem. I’ve heard of users who pushed “approve” when they were grocery shopping, and of another situation where a manager had all his employees set up his phone for their verifications, and he would approve all of them when they came to him.
It is vitally important to understand that you should ONLY approve DUO pushes when YOU are logging in.
Help a friend or family member
This may be obvious to you, but there’s almost certainly someone in your life who might give the person on the phone, claiming to be from their bank, their 2nd factor. This could take the form of a “push” notification to DUO or similar authenticator apps, a voice phone call, or a text message. No one from your bank (or any other organization) will ever need to call you to obtain your social security number, credit card numbers and codes, your username, password, or 2nd factor. They might need to verify the last four digits of some number if you call them, but if you receive a call asking for any of this information, hang up, look up their number from a trusted source like an invoice, account statement, or back of the credit card, and call that number to see if they really called you and if so, what’s happening.
What if I’m getting push requests when I’m not logging in?
Lastly, if you ever receive a DUO push when you aren’t actively trying to log in, that means the bad guys have already collected your username and password and are trying to trick you into letting them into your account. You should decline this and any other DUO push requests and reset your password at connect.wustl.edu or by contacting the IT Service Desk at 314-933-3333 or firstname.lastname@example.org.
If you are getting lots of requests (known as a “push flood”), calling the Service Desk is safer than trying to log in yourself to change your password.
Thank you for reading and being part of the University’s Information Security team!
Good luck, and please be careful out there!
-Chris Shull, CISO