As Iowa State's director of information security, Rich Tener leads efforts to protect university computers and networks from attacks. The most common threat on campus is phishing: attempts to trick a user into disclosing personal information such as an account password.
So Tener -- and the information technology services (ITS) security team -- often advises the campus community on how to avoid getting phished. He's also personally experienced it. He once entered his Yahoo password after clicking on what he thought was a link to a friend's photo gallery. He realized his mistake when the photos didn't load.
Tener's experience falling for a phishing attack points out a couple of lessons. First, if it can happen to an experienced digital security expert, it can happen to anybody. That is why the second lesson is important: Pay attention and act quickly if you suspect you've been had. Tener changed his password immediately, before his friend let him know that he'd been hacked.
"Be suspicious. If you click on something and don't get the expected result, don't go, 'That's weird,' and forget about it," he said.
Here are some other digital security tips from Tener to keep in mind this fall.
Keep it unique
If Tener could wave a magic wand that compelled all ISU students and employees to use one method to make their digital accounts more secure, his wish would be simple and effective: Stop reusing passwords. You've heard it before, no doubt. But it's the No. 1 risk you can control.
Unique login credentials prevent hackers from leveraging one stolen password to break into numerous associated accounts. Hackers make hundreds of attempts a day to access university accounts with presumably stolen passwords, most of which fail, Tener said.
Using a digital password manager such as LastPass or 1Password can help ensure you're using a different strong password for every account. But using a base password with minor variations, or even writing your passwords down in a notebook at home, is also safe, he said.
"Even if a password is predictable, that's OK because hackers aren't trying to guess them. They're just stealing passwords from one site and trying it on another," he said. "And it's unlikely anyone is going to physically come into your house and steal a password list."
Faculty, staff and students must use Okta's multifactor authentication (MFA) to access most online university services, an essential layer of protection that requires a second form of identity confirmation such as entering a text code or clicking "Yes, It's Me" on the Okta Verify mobile app.
To overcome MFA, digital scammers increasingly are phishing for more than your password, Tener said. That could mean asking for the access code sent by text message or repeatedly requesting a verification from the Okta app.
Don't disclose an MFA code to anyone, except to enter it into the usual login screen. "We will never ask for that," Tener said of information technology services (ITS).
And no matter how many times the alert pops up on your phone, never confirm an Okta login unless you're actually logging in. Tener said users sometimes accidentally confirm a fraudulent login via the Okta app because they're used to clicking "Yes" and do it out of habit. Other times, it's because they're tired of clicking "No."
"Attackers may try to keep pushing the notification until you click 'Yes,'" he said.
A simple plan
One simple way to avoid inadvertently compromising your ISU Net-ID is to be extra skeptical when asked to enter that information anywhere but the Okta login screen. Tener said Okta is integrated with most services that require a Net-ID, and ITS works continuously to add it to university websites and vendors.
"When I use my ISU login, it's almost always in an Okta login box," he said.
Only enter your password into a website you trust, and look at the URL to see if anything looks off. Consider checking with the ITS security team before entering your Net-ID at a login prompt that's neither Okta nor an iastate.edu website, especially if you're not familiar with the website.
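The URL check described above, written out as a small script. This is an added example, not something from the article or from ISU's ITS team: it treats iastate.edu as the trusted suffix named in the article and uses an assumed placeholder for the Okta tenant hostname, which the article does not give.

```python
from urllib.parse import urlsplit

# Hostname suffixes a legitimate Net-ID login page should end with.
# "iastate.edu" comes from the article; the Okta host is an ASSUMED
# placeholder, not ISU's real tenant address.
TRUSTED_SUFFIXES = ("iastate.edu", "example-tenant.okta.com")


def host_is_trusted(hostname, trusted_suffixes=TRUSTED_SUFFIXES):
    """True only if hostname equals a trusted suffix or is a subdomain of it.

    Matching on a label boundary ("." + suffix) rejects look-alikes such as
    "notiastate.edu" or "iastate.edu.verify-login.example".
    """
    hostname = hostname.lower().rstrip(".")
    for suffix in trusted_suffixes:
        if hostname == suffix or hostname.endswith("." + suffix):
            return True
    return False


def assess_login_url(url):
    """Return ("ok" | "suspicious", reason) for a URL asking for a Net-ID."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return ("suspicious", "login page is not served over https")
    if parts.username is not None:
        # "https://www.iastate.edu@phish.example/" really points at phish.example
        return ("suspicious", "URL hides the real host behind '@': " + host)
    if "xn--" in host:
        return ("suspicious", "punycode host; look-alike letters possible")
    if not host_is_trusted(host):
        return ("suspicious", "host %s is not an iastate.edu or Okta address" % host)
    return ("ok", "host %s matches a trusted login domain" % host)


if __name__ == "__main__":
    # Constructed sample URLs, not real phishing links.
    for sample in ("https://www.iastate.edu/",
                   "https://iastate.edu.verify-login.example/",
                   "https://www.iastate.edu@phish.example/okta",
                   "http://www.iastate.edu/"):
        print(sample, "->", assess_login_url(sample))
```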
Remote work caution
University employees working remotely should consider what sort of data they're accessing before using a personal device for work. ISU-issued laptops and computers, even when used off-campus, have digital protections such as a firewall and anti-malware software, Tener said. Your personal computer may not.
"It's OK to use a personal device for work, but not if you're dealing with highly sensitive student or research data," he said.
MFA is required on your ISU email, but make sure it is also enabled on your personal email account, Tener said. That account is an especially risky target for attacks.
"If someone can log in to your main email account, they can recover passwords on all of your accounts and hijack everything," he said.
So now what?
If you suspect you've been phished, change your account password immediately, as Tener did after entering his password on a fake Yahoo login page. Hackers often collect passwords to use later or sell, he said.
"You might have a little time. All is not lost," he said.
If you think your Net-ID has been stolen or you have other questions or concerns, contact the ITS security team at firstname.lastname@example.org or call the solutions center at 294-4000.
For more information
For additional security tips, read Inside's coverage of Tener's presentation at the Professional and Scientific Council last fall on avoiding ransomware or see the information security knowledge base articles in the ISU Portal.