A healthy dose of skepticism aids cybersecurity

Providing security for 90,000-plus devices on the Iowa State network is a challenging daily task for information technology services (ITS). Employees can take steps to recognize potential problems and limit risk. 

By the numbers

  • 375,000: Number of harmful emails automatically caught and blocked by Microsoft during September.
  • 3,000: Number of total security reports triaged by the IT security team since the start of the semester.
  • 2,000: Number of security reports that were submitted through the Outlook "Report Phishing" button since the start of the semester.
  • 230: Number of times a scammer tried to impersonate a member of ISU to run a financial scam since the beginning of the semester.

October is National Cybersecurity Awareness Month, and Rich Tener, chief information security officer for ISU, reminds everyone the best way to protect information is to:

  • Use strong passwords and multi-factor authentication (MFA).
  • Recognize and report phishing.
  • Update technology software when it becomes available.

"One of the things we are stressing most right now is that ITS will never ask for your password or text you to ask for your MFA code," Tener said. "If this happens, email security@iastate.edu."

The ITS security team also tries to find stolen passwords before they are used. Microsoft provides a service where it constantly monitors the dark web for lists of compromised emails and passwords. If it finds one with an "@iastate.edu" domain, it checks the password for the Iowa State account and notifies ITS if the two match, Tener said.

"If people reuse their Net-ID password on a different site and it gets hacked, Microsoft will notify us that it needs to be changed. We will scramble that password and tell the individual," added Tener, who said this occurs 10-20 times each month on campus.

Protect your computer

Many employees have shared work spaces or are in areas open to the public. Tener said anytime someone is away from their computer or laptop they should lock the screen. Users can adjust their screen saver settings to begin running after a certain number of inactive minutes and require a password to log back in after the screen saver begins or the display is turned off.

Users also can quick-lock their computer anytime they are going to be away. 

  • On a Windows computer, press the "Windows" + "L" keys.
  • On Macs, press "Control" + "Command" + "Q."

"[Locking your screen] prevents people from being able to steal your data, for example by uploading it to a cloud storage site or plugging in a USB key," Tener said. 

ISU employees

Tener said many scams are directed toward students on campus, but there is growing concern that cybercriminals may target, or already have targeted, faculty and staff.

Floor cling

A floor cling this month at Parks Library reminds visitors that ITS will never ask them to reveal their password. Photo by Christopher Gannon.

"If anyone ever poses as IT and asks for a security code, please contact us and let us know," he said. "With employees and researchers, the stakes can be much higher than students. They may try to target faculty members or those doing sensitive research."

Tener said an employee who is scammed should report it as soon as possible. ITS still may be able to limit the damage and help going forward.

Small but mighty team

Tener oversees the ITS security team -- a group of six other employees who work to eliminate or limit threats. Three information security analysts and a manager are dedicated to incident detection and response. Once a possible phishing message is received, an analyst searches to see who else received the message and emails a warning to each recipient to let them know that it was a phishing message.

Need assistance?

Email questions or concerns to security@iastate.edu.

"People are so good at reporting phishing we are actually getting overwhelmed, so we're shopping for technology to make the phishing response process more efficient," Tener said. "We’ve had over 2,000 phishing reports since the start of the semester. We encourage everyone to keep reporting them and we are going to use technology to automate and scale our response activities."

Another team member spends most of their time working with IT teams to protect systems, and another's job is security compliance. That includes ensuring rules are followed for the 45 business units on campus that accept credit cards. That person also handles research security to make sure ISU's research data is adequately protected.