This Week’s Cybersecurity News, 10/08/2024

Good afternoon, everyone.

For week two of Cybersecurity Awareness Month I want to share some tips about using multifactor authentication. This is a really important and easy way to protect your data, finances, social media presence, email, and identity.

I also want to share information about a current non-threat and emails requesting your personally identifiable information.

Multifactor Authentication Tips

  • Last week I said that passwords are like the keys to your house.
  • In keeping with that thought, multifactor authentication (MFA) is like the deadbolt, but not the kind that uses the same key as the regular lock.
  • MFA is an extra layer of security that confirms your identity when you log into an account by using a code sent to your phone or generated by an authenticator app.
  • When you use MFA the right way, unauthorized users won’t be able to access your account even if they have your password.
  • UT already uses Duo for most everything that requires NetID and password for authentication.
  • But you can also protect other accounts that do not use your NetID, including third-party apps and personal accounts like credit cards, banking, or health.
  • To see if you can use MFA for each of these, go to the app or account settings and turn on MFA (aka two-factor authentication or something similar) if it is available.
  • You can usually choose how you want to get your code, whether it is by text or email, authenticator app, or face recognition.
  • If you use an authenticator app, I highly recommend either Microsoft Authenticator or Google Authenticator, and you should download them only from a known and trusted source like Apple’s App Store or Google Play.
  • But I have to warn you to keep your guard up and pay attention to any push or passcode requests you receive.
  • Sometimes we get so used to normal tasks that we don’t pay close enough attention and that makes us click on something that we didn’t ask for.
  • If you approve a push or passcode that you did not request, then you are likely giving a hacker the ability to use MFA with your compromised password, which negates the security of this feature.
  • If you just don’t recall asking for the push or passcode, deny the request, because you can always request again if you really need it.
  • You can read more about MFA by going to the UTIAsecurity knowledge base for Multifactor Authentication.

Current Non-Threats

  • UT Alert (popup)
    • This morning you may have noticed a popup that covered the screen.
    • The message said that it was an Emergency Alert System Alert!
    • There was a green “Acknowledge” button to click that would make the popup go away.
    • This was a legitimate popup.
    • OIT did a UT Alertus server move as part of scheduled maintenance this morning between 6:30 and 7:30.
    • Once everything was connected, it prompted the popup to test computer display message capability.

Important Information

  • Requests for PII in Emails
    • In the last week, I have seen multiple requests via emails asking for personally identifiable information (PII).
    • Some people have forwarded the emails to me, but I also received one myself.
    • These particular emails did come from known entities, and I was able to track down legitimate information that matched what was in the emails, but what was shocking was that some of the emails came from entities within the State of TN.
    • Some emails asked for Social Security numbers or copies of the SSN cards, while some asked for copies of the person’s driver’s license.
    • This is in no way a valid thing for someone to ask for in email, and in none of the cases did the requestor offer a way to send the information in an encrypted email, which would have been secure.
    • Sending this kind of information can easily lead to identity theft, and it should never be asked for via email.
    • Please know that you should never email your PII to anyone, even if the requestor is legitimate.
    • Always call that known and proven number (don’t rely on the number in the email…look it up if you don’t have it saved from previous contact) and tell them you need another way to get the information to them, such as a secure website (https://) that will allow you to enter such information.
    • From the Social Security Administration, “Do not respond to emails requesting personal information. Reputable businesses and public agencies will not ask you for personal information in an email.”
    • If you have doubts or questions, or just want me to verify the contact information, please email me!

  • IT Security Awareness Training
    • If you have been assigned training, this is a reminder to complete that training before the end of the year.
    • The IT Security Awareness training is required of all UTIA workforce, which includes student employees, on an annual basis.
    • The IT Security Awareness training is part of the 2024-2025 UTK Compliance training, as assigned by UTK HR.
    • Assignment and reminder emails will come from the UTK Compliance Committee noreply[@]utk.edu, but I will start sending specific reminders about the IT Security Awareness training later this month.
    • As in the past, any user not completing the IT Security Awareness module by the deadline will still lose access to all Institute-owned and University-owned systems until the training has been completed.
    • If you have been assigned the training, you can find it by logging into K@TE https://kate.tennessee.edu.
    • While the deadline has been set for 12/31/2024, I recommend that you complete it before then to ensure you get the proper credit due to DASH implementation happening at the first of the year.

Thank you so much for everything you do to protect the Institute and its data, students, employees, clients, and yourself! And thank you for all you do for each other!

Sandy

Important Note: Thank you so much for sharing these e-newsletters with family, friends, clients, students, and anyone else who may benefit from the information. I would like to stress that you should keep your students in mind, as non-employee students will not get this information without someone sharing. If anyone has an email group for students who are not employees of your department, please let me know what that address is, and I can include it. I do this as a blind copy so student names and addresses will not show up!