Presented by: Brendan Walsh Manager, Security and Access Management Cyber Security Presented by: Brendan Walsh Manager, Security and Access Management BAS Forum – 10/11/2017

Agenda for this presentation Importance of protecting your digital identity Recent and in-progress security improvements Ways to avoid compromise Recognizing and reporting security issues

Why is protecting your digital identity important? Your FlashLine username and password are your keys to everything Kent State (which makes them prime targets) W-2 Direct Deposit Dependent information Grades and student information Plus access to other university information General Ledger Payroll Data Financial Accounts HIPAA, FERPA, GLBA, PCI, etc.

Recent actions to secure our environment Restricting of access to email addresses from public phone directory Tweaking email parameters to improve spam/phish/junk mail routing Secure VPN with Multi-Factor authentication for super-users Improved efficiency in detecting and securing compromised accounts

Additional efforts we have underway Authentication enhancements Multi-factor authentication for everyone Adaptive access controls based on risk Network firewall enhancements Security awareness training and communications

You are the last line of defense! BUT… All of the best security controls can only go so far You are the last line of defense!

Security attacks you may face Phishing Vishing (Voice/phone Phishing) Credential Stuffing (Reuse of stolen passwords)

How to recognize and avoid getting phished – Email messages Five things to watch for: Message sounds threatening or conveys a sense of urgency E.g. Account will be disabled Message sounds official but comes from an unofficial address Message has a generic greeting or signature Link in message does not match landing site E.g. Link to Dropbox goes to “weebly.com” Request seems “out of the norm” E.g. CFO asks you to send copies of all W-2s

How to recognize and avoid getting phished – Email examples

How to recognize and avoid getting phished – Email example Example of a Phishing Email Attempts to steal usernames and passwords by tricking the recipient Do not click on links in suspicious email Forward suspicious email to: Phish@kent.edu

How to recognize and avoid getting phished – Message links Be wary of any link that goes to a login prompt Don’t login until you check the address Don’t login unless you see a padlock

Check the link before logging in! Kupa.bg/wp/wp-includes… is not Login.kent.edu Notice the missing:

Here’s the real one:

How to recognize and avoid getting “vished” – Voice phishing Caller claims to be a vendor, but does not have tangible details Caller will not provide call-back number Caller sounds threatening Intent is to trick or fraud the call receiver

Common Vishing Examples Microsoft Support Informs you that they detected a virus on your computer IRS Agent Informs you of a pending lawsuit Printing/Copier or Office Supply Vendors Asks you to confirm the printer serial number to invoice you for toner or other supplies

How to avoid being susceptible to “credential stuffing” – Password reuse Reuse of passwords across different sites A breach of your password from one site will put all other accounts at risk Consider a password manager for personal accounts Check your email addresses and accounts using the site: haveibeenpwned.com “Have I Been P-owned”

A quick review Never share your passwords with anyone Be on alert for phishing email Exercise caution when you receive pushy calls Question any request that seems out of the norm Never reuse passwords for multiple sites Forward suspicious email to: Phish@kent.edu

Additional information available: SecureIT.kent.edu Phishing email archive, training materials, and identity protection information Security Roadshow Invite security staff to speak at a staff event or team meeting Contact us at Security@kent.edu or x2-5566

Q&A Brendan Walsh Manager, Security and Access Management bmwalsh@kent.edu 330-672-5566