Cybersecurity Awareness Month – Multi-Factor Authentication

This week’s post for Cybersecurity Awareness Month covers Multi-Factor Authentication.

What is MFA?

An authentication factor is a way for a person to identify oneself to a computer. Multi-Factor Authentication (MFA) means using more than one factor to prove to a computer that you are who you say you are. Typical authentication factors come in three types:

  • Something you know (like a password or PIN)
  • Something you have (like a phone or ID card)
  • Something you are (biometrics like a fingerprint or facial recognition)

You probably use MFA all the time: when you use an ATM, you use a debit card (something you have) with a PIN (something you know). When someone checks that your face matches the picture on your driver’s license, they’re authenticating you with two factors.

How does MFA help?

According to Microsoft, 99.9% of account compromise attacks can be stopped with MFA. With MFA enabled, a cybercriminal who has your password still cannot sign in as you, because the second factor is required and they do not have it. MFA raises the bar but is not foolproof: never approve a sign-in prompt you did not start yourself, and never give a verification code to anyone who asks for one. Visit the National Cybersecurity Alliance MFA page for more information.

Where should we use MFA?

You should use MFA with any service that stores sensitive information. These include:

  • financial sites (like your bank, credit card company, or investment account)
  • social media (like Facebook, Instagram, TikTok)
  • email (like Gmail or Hotmail)
  • your Kalamazoo College network account

MFA is required for all students, faculty, and staff, and more information can be found at our Multi-Factor Authentication page.

Subscribe to our Posts

Did you miss the latest IS announcement? Subscribe to receive our posts directly to your inbox!

Cybersecurity Awareness Month – Passwords and Password Manager

This week’s post for Cybersecurity Awareness Month covers habits relating to passwords and password managers. To be cybersecure:

1. Create passwords with these three principles

  • Long – All passwords should be at least 12 characters long.
  • Unique – Never reuse passwords and create unique passwords for each account.
  • Complex – Use a combination of upper and lower case letters, numbers, and special characters.

Remembering passwords and following these principles may sound hard, but there’s a better way…

2. Use a Password Manager

Password managers make it easy to use passwords that are long, unique, and complex. They save time, work across all your devices and operating systems, and can alert you when a password has become compromised. Visit the National Cybersecurity Alliance password managers page for more information including password manager options you can use to be more secure.
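As an added illustration, not code from the post or from any password manager: the Python below generates passwords the way a manager does (every character drawn from the operating system's cryptographic random source, with drafts that miss a character class rejected rather than patched) and audits a small vault against the three principles above. The vault contents are constructed for the example; a real manager stores them encrypted under your master password.

```python
import secrets
import string

MIN_LENGTH = 12  # "Long": the post's floor for every password
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def meets_policy(password: str) -> bool:
    """Long (at least 12 characters) and complex (at least one character from each class)."""
    return len(password) >= MIN_LENGTH and all(
        any(ch in cls for ch in password) for cls in CHARACTER_CLASSES
    )


def generate_password(length: int = 20) -> str:
    """Generate the way a password manager does: draw every character from a CSPRNG
    (the secrets module, never random) and reject drafts that miss a class. Rejection
    sampling keeps each position uniformly random; forcing "a digit in slot 0" would not."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CHARACTER_CLASSES)
    while True:
        draft = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(draft):
            return draft


def reused_passwords(vault: dict) -> dict:
    """The Unique principle: map every password that appears on more than one site to those sites."""
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def audit(vault: dict) -> list:
    """Findings a manager's health report would raise for a vault of site -> password."""
    findings = [f"{site}: password is too short or not complex"
                for site, password in vault.items() if not meets_policy(password)]
    for sites in reused_passwords(vault).values():
        findings.append("same password reused on " + ", ".join(sites))
    return findings


# Constructed vault for the example; a real manager keeps this encrypted with your master password.
SAMPLE_VAULT = {
    "bank": "Tr0ub4dor&3xyz",
    "email": "Tr0ub4dor&3xyz",
    "social": "correct horse battery staple",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_VAULT):
        print("finding:", finding)
    # The fix for both findings is the same: a fresh generated password per site.
    print("replacement for social:", generate_password())
```

`audit(SAMPLE_VAULT)` reports the weak passphrase on "social" and the password shared by "bank" and "email"; the point of `generate_password` is that the random source is `secrets`, which is what makes the result unguessable, not the mix of character classes on its own.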

3. Know When to Change your Password

As reported by the National Institute of Standards and Technology, it is no longer recommended to change your passwords every few months. For personal accounts we recommend focusing on creating long, unique, and complex passwords. Should you become aware that an unauthorized person is accessing an account, or that a password was exposed in a data breach, change that password immediately (and anywhere else you used it). Please note that as part of our process at Kalamazoo College, we currently require users to change their KNET password periodically; however, this process may change in the future.

The information on this page was adapted from the National Cybersecurity Alliance’s passwords page and the NCSA’s password managers page.


Cybersecurity Awareness Month – Oct 2022


Did you know that October 2022 marks the 19th Annual Cybersecurity Awareness Month?

To spread cybersecurity awareness, this month IS will be sharing key behaviors we can all adopt to be more secure. Read our posts each Friday for the month of October to learn more.

About Cybersecurity Awareness Month

“The National Cybersecurity Alliance launched Cybersecurity Awareness Month in partnership with the U.S. Department of Homeland Security in 2004. The campaign is a strong collaboration between government and private industry to raise awareness about online security” (National Cybersecurity Alliance). You can learn more about the month and other cybersecurity initiatives on the National Cybersecurity Alliance website.

Habits to adopt:

Throughout the month of October we will be sharing more detailed information on the following habits:

  1. Using strong passwords and a password manager
  2. Enabling multi-factor authentication
  3. Recognizing and reporting phishing
  4. Completing the required and optional cybersecurity trainings offered by IS


Frequently Asked Questions about MFA

If your question is not listed below, please contact the Help Desk (helpdesk@kzoo.edu, 269.337.5800), or visit us in the Upjohn Library Commons, room 117.

Basics

What is MFA?

Multi-Factor Authentication (MFA) means proving your identity in more than one way (not just with a password) when you log on to a service. You are probably familiar with MFA if your bank sends you a text message when you log in.

How does MFA work?

MFA protects your account and protects Kalamazoo College because when you sign in, you prove your identity in two ways: with something you know (a password) and something you have (usually a phone).

How do I get started?

Got one minute? Use this link and add your cell number to confirm your logins via text message: https://aka.ms/MFAsetup. Got two more minutes? Continue at that link and set up the Microsoft Authenticator app.

Implementation

Why is K implementing MFA?

MFA is a standard practice at most colleges, universities, and businesses that allow access to protected information. It helps protect personal and institutional information from theft, cyberattack, and ransomware. Additionally, K must implement MFA by July 1, 2022 to renew our cybersecurity insurance. Use of MFA will be required for all who use K’s Office 365 apps.

What’s the timeline for implementation of MFA?

All students completed MFA enrollment by May 27. The deadline for staff was June 3, 2022. The deadline for faculty was June 17, 2022.

My email stopped working; what do I do?

After enabling MFA on your account, some users find that their email stops synchronizing on their phone. It’s easy to fix: just remove your email account from your phone and re-add it. You can use our instructions for Connecting Email to a Mobile Device.

Day-to-Day

What applications will use MFA?

We are implementing MFA for all Office 365 apps (like email, Teams, Word, etc.). Notably, this list does not include signing into Windows itself, nor does it include Moodle or HornetHQ.

In short, the Office 365 applications covered are Microsoft Forms, Microsoft Teams, Office 365 Exchange Online (our email), and Office 365 SharePoint Online (including apps that depend on SharePoint Online, like OneDrive, Word, Excel, and PowerPoint).

How often will I have to use MFA?

You should expect to see prompts to authenticate with MFA about once every 90 days.

What if I reboot my computer?

Rebooting your computer does not sign you out of the apps on your computer. You should not expect a reboot to trigger an MFA prompt.

What about Colleague? What about VPN?

MFA for Office 365 apps does not change how you will use Colleague or VPN. Continue to use these services as before.

What about my tablet?

You may choose to install the Microsoft Authenticator app for iOS or the Microsoft Authenticator app for Android on a tablet, and use it in addition to (or instead of) a mobile phone. If you use Office 365 apps on your tablet, you may find it convenient to have the Microsoft Authenticator app on your tablet. Having the Microsoft Authenticator app on a tablet in addition to a phone is a good idea, so you can use your tablet to authenticate in case you get a new phone or new phone number.

What authentication method is recommended for MFA?

Information Services recommends that you add your mobile phone number as your authentication phone. For your primary authentication method, we recommend the Microsoft Authenticator app for iOS or the Microsoft Authenticator app for Android: it is easier, quicker, and more secure than text messages.

Should I register more than one device for authentication?

Yes; Information Services recommends you add at least two authentication methods. For most folks, it makes sense to add a mobile phone and the Microsoft Authenticator app. It’s smart to add another method (like the Microsoft Authenticator app on a tablet) as a backup.

If I use Office 365 apps on multiple devices, do I need Microsoft Authenticator on each device?

No. You only need to download the app on one device to be able to authenticate using the Microsoft Authenticator app. For instance, when you log into Teams on a laptop, you can confirm the logon with the Microsoft Authenticator app on your mobile phone. It’s smart to add the Microsoft Authenticator app for iOS or the Microsoft Authenticator app for Android to a second device, in case you have problems with your main device.

Special Circumstances

What if I work at K and I forget my mobile phone at home?

If you have a phone in your office, we suggest you add your office phone as an authentication factor, in case you need to use MFA on a day when your mobile phone is not with you.

What if I’m traveling internationally? What if I don’t have signal or data?

We suggest you download and configure the Microsoft Authenticator app for iOS or the Microsoft Authenticator app for Android before you leave. With it you can sign in without receiving a text message. If your phone is connected to the Internet, you can approve sign-ins via notifications. If your phone is not connected to the Internet, the Microsoft Authenticator app can still generate codes that you can use for authentication.

What if I get a new phone number?

If you have configured a second authentication factor (like the Microsoft Authenticator app for iOS or the Microsoft Authenticator app for Android) you can add your new number (even an international number) at https://aka.ms/mfasetup. You should then remove your old number if that number will not be in your control. If you have already gotten a new phone number and did not previously configure a second authentication factor, please contact the Help Desk.

What if I move my number to a new phone?

If you move your phone number to your new phone, you will continue to receive verification text messages at that number on the new phone. We recommend you add the Microsoft Authenticator app for iOS or the Microsoft Authenticator app for Android to your new phone as well.

What if I get a new phone and new number at the same time (like on study abroad)?

If you will get a new phone and new phone number at the same time (perhaps upon arrival in a study abroad location), the transition will be straightforward if you bring an existing authentication factor with you (like your old phone, or a tablet to which you’ve added the Microsoft Authenticator app for iOS or the Microsoft Authenticator app for Android). You can add your new number for text verification at https://aka.ms/mfasetup, and approve the sign-in with your existing authentication factor. For example:

  1. Before leaving to get a new phone and new number, add the Microsoft Authenticator app to your old phone (you could also add the app to a tablet and bring that). This will be your existing authentication factor.
  2. Bring the existing authentication factor with you when you get your new phone.
  3. When your new phone number is ready to receive text messages, visit https://aka.ms/mfasetup to add your new phone number as an authentication factor.
    • When prompted, approve the sign-in as normal. If you can’t receive a push notification to the app on your existing authentication factor, you can choose to use a verification code. To get this code, open the Microsoft Authenticator app on your existing authentication factor, and tap the entry with your kzoo.edu email address. Use the one-time password code here to approve the sign-in.
  4. When your new phone number is added as an authentication factor, be sure to get the Microsoft Authenticator app for iOS or the Microsoft Authenticator app for Android for simpler, more secure sign-ins.

Additional MFA Questions

Please contact the Help Desk (helpdesk@kzoo.edu, 269.337.5800), or visit us in the Upjohn Library Commons, room 117 for additional questions.

Multi-Factor Authentication (MFA) Implementation


What is MFA?

Multi-Factor Authentication (MFA) means proving your identity in more than one way (not just with a password) when you log on to a service. You are probably familiar with MFA if your bank sends you a text message when you log in. We are implementing MFA for all Office 365 apps (like email, Teams, Word, etc.).

Why MFA?

MFA is a standard practice at most colleges, universities, and businesses that allow access to protected information. It helps protect personal and institutional information from theft, cyberattack, and ransomware. Additionally, K must implement MFA by July 1, 2022 to renew our cybersecurity insurance. Use of MFA will be required for all who use K’s Office 365 apps.

How and when do I set up MFA?

All Kalamazoo College members who use K’s Office 365 apps will need to set up MFA at https://aka.ms/MFAsetup. The process is easiest if you finish setup before the “completed by” date listed in the MFA implementation schedule. If you don’t complete setup before the “completed by” date, when you next log on to an Office 365 app, you will be presented with a screen with instructions.

MFA implementation schedule

K College Members | Completed By
Information Services | May 6 (6th week)
Pilot groups, President’s Staff, and early adopters | May 13 (7th week)
Idle accounts (no sign-ins in the last six months), new employee accounts, more pilot groups | May 20 (8th week)
Students | May 27 (9th week)
Staff | June 3 (10th week)
Faculty | June 17

MFA Setup

  1. Go to https://aka.ms/MFAsetup before the “completed by” date listed in the MFA implementation schedule.
  2. For the easiest and most secure method of authentication, download either the Microsoft Authenticator app (Apple App Store) or Microsoft Authenticator app (Google Play).

Note: If you don’t complete setup before the deadline, when you next log on to an Office 365 app, you will be presented with a screen with instructions. You will need to complete MFA setup before proceeding.

Using email on a smartphone?

If you use email on a smartphone, you may need to remove and re-add your email account to your mobile device, which will enable modern authentication.

When do I need to use MFA?

Each time you log in to any Office 365 app, you will use a second authentication factor. If you stay logged in to an app, you can use it without reauthenticating for up to 90 days. Each Office 365 app is distinct, so, for example, you’d need to use MFA to log in to email and then again to log in to OneDrive.

Problems or questions?

Please see our Frequently Asked Questions about MFA, or contact the Help Desk at 269.337.5800 or HelpDesk@kzoo.edu.


Coming Soon: Multi-Factor Authentication

Information Services is pleased to announce that Multi-Factor Authentication (MFA) will be coming soon to K for Office 365 apps, including email and Teams.

To learn more, you can watch a video about MFA or read about how to register for MFA.

You can also get a head start and configure your MFA sign-in methods now (you won’t be required to use them until MFA is enabled on your account). We suggest adding an authentication phone and then add the Microsoft Authenticator app.

Subscribe to IS announcements for the latest details, and look for a Hornet Hive announcement the week of May 16.

If you have questions, please contact the Help Desk.

IT Tip – Are you being phished by email?

Are you being phished by email?

“A phishing email is an email that appears legitimate but is actually an attempt to get your personal information or steal your money” (Microsoft Support, Phishing and Suspicious Behaviour)

This IT Tip will share ways to identify suspicious emails and how to report a phishing case.

[Image: phishing attacker taking personal data through a laptop. Photo credit: Malwarebytes Labs and Shutterstock]

Red Flags in Suspicious Emails

The content below has been adapted from KnowBe4 resource, Social Engineering Red Flags.

From:

  • The email is from someone inside K, or from a vendor or partner, and the message is very unusual or out of character.
  • You don’t have a business relationship nor any past communications with the sender.
  • The email is from someone outside of K and it’s not related to your job responsibilities.
  • The email is from a suspicious domain (like micorsoft-support.com)

To:

  • You were copied on an email sent to other people, but you don’t personally know the other people it was sent to.
  • The email was also sent to an unusual mix of people within your organization. For example, a group of people whose last names start with the same letter.

Date and Subject:

  • The email was sent at an unusual time like 3 a.m. and not during regular business hours.
  • The subject line is irrelevant or does not match the message content.
  • The email message is a reply to something you never sent or requested.

Attachments

  • There is an attachment that you were not expecting or that does not make sense in relation to the email message.
  • There is an attachment with a possibly dangerous file type such as:
    • ZIP and RAR Files
    • DOC and DOCX
    • XLS, XLSX, XLSM
    • PDF
    • IMG, ISO, etc.

Hyperlinks

  • The biggest red flag – When you hover over the hyperlink to preview the URL and the link-to address is for a different website.
  • The email only has long hyperlinks with no other information.
  • The email has a hyperlink with a misspelling of a known website, such as www.bankofarnerica.com (in this case the “m” is really two characters, “r” and “n”).
  • The sender asks you to click a link that seems odd and/or illogical.

Content

  • The email is out of the ordinary, has bad grammar, and/or spelling errors.
  • The sender asks you to click a link or open up an attachment that seems odd and/or illogical.
  • The sender asks you to click a link or open an attachment in order to gain something of value or avoid a negative consequence.
  • The email claims to have a compromising or embarrassing picture of yourself or someone you know.

Tips for checking a link without clicking on it

Hover over the link without clicking it and look at the status bar, usually in the bottom left corner of the browser or mail client window, for the full URL the link actually goes to. If that address is not the site the link text claims to be, do not click it.
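The hover check above, the lookalike domains in the From and Hyperlinks sections, and the attachment list can all be checked mechanically. The Python below is an added example, not code from the post, Microsoft, or KnowBe4: it parses one message with the standard library, compares the domain a link shows with the one it points to, folds “rn” to “m” and allows one typo or swapped pair when matching a domain against a short brand list, and flags the listed attachment types. The brand list and the sample message are constructed for the example; a production tool would use the public suffix list rather than the two-label approximation used here.

```python
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for the example: domains your mail legitimately links to.
KNOWN_BRANDS = {"bankofamerica.com", "microsoft.com", "kzoo.edu"}
# The file types the post lists as possibly dangerous.
DANGEROUS_EXTENSIONS = {".zip", ".rar", ".doc", ".docx", ".xls", ".xlsx", ".xlsm", ".pdf", ".img", ".iso"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs so the 'hover and compare' check can be automated."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent swaps, so 'micorsoft' is 1 from 'microsoft'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(host: str) -> str:
    """Last two labels; a real tool would consult the public suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def lookalike_of(host: str):
    """The known brand this host imitates, or None: folds rn->m and vv->w, drops a '-support'
    style suffix, and allows one edit or swap in the name (same top-level domain)."""
    domain = registrable(host)
    if domain in KNOWN_BRANDS:
        return None
    name, _, tld = domain.rpartition(".")
    core = name.split("-")[0].replace("rn", "m").replace("vv", "w")
    for brand in KNOWN_BRANDS:
        brand_name, _, brand_tld = brand.rpartition(".")
        if tld == brand_tld and osa_distance(core, brand_name) <= 1:
            return brand
    return None


def analyze(msg: EmailMessage) -> list:
    """Apply the From, Hyperlinks and Attachments red flags to one message; returns the findings."""
    flags = []
    sender_host = str(msg["From"]).rpartition("@")[2].strip("> ")
    brand = lookalike_of(sender_host)
    if brand:
        flags.append(f"sender domain {sender_host} imitates {brand}")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            if not href:
                continue
            href_host = urlparse(href).hostname or ""
            shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
            # The biggest red flag in the post: the text names one site, the target is another.
            if "." in shown_host and registrable(shown_host) != registrable(href_host):
                flags.append(f"link text shows {shown_host} but points to {href_host}")
            brand = lookalike_of(href_host)
            if brand:
                flags.append(f"link host {href_host} imitates {brand}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rpartition(".")[2].lower() if "." in name else ""
        if ext in DANGEROUS_EXTENSIONS:
            flags.append(f"attachment {name} has a possibly dangerous type ({ext})")
    return flags


def sample_message() -> EmailMessage:
    """A constructed phishing-style message (not a real capture) that trips three of the red flags."""
    msg = EmailMessage()
    msg["From"] = "IT Support <helpdesk@micorsoft-support.com>"
    msg["To"] = "student@kzoo.edu"
    msg["Subject"] = "Re: your request"
    msg.set_content("Your account will be locked. Verify now.")
    msg.add_alternative(
        '<p>Verify your account at <a href="http://login.bankofarnerica.com/verify">'
        'www.bankofamerica.com</a> or read more at <a href="https://www.microsoft.com/">Microsoft</a>.</p>',
        subtype="html")
    msg.add_attachment(b"PK\x03\x04 not really a document", maintype="application",
                       subtype="octet-stream", filename="invoice.docx")
    return msg
```

`analyze(sample_message())` returns four findings: the sender domain and the link host each imitate a known brand, the link text and its target disagree, and the attachment is one of the listed types; the genuine Microsoft link produces nothing.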


How to Report Phishing Attempts

The easiest way to report phishing emails is through the Report message option in Outlook which can be found in different locations depending whether you’re using Microsoft Office Outlook or Outlook.com.

The following information was retrieved from the “How to report a phishing scam” section on Microsoft’s “protect yourself from phishing” documentation.

Microsoft Office Outlook

With the suspicious message selected, do the following:

  1. Choose Report message from the ribbon
  2. Select Phishing.

This is the fastest way to report it and remove the message from your Inbox. It will also help Microsoft improve their filters so that you see fewer of these messages in the future.

Webmail at outlook.office.com

Select the check box next to the suspicious message in webmail. Select the arrow next to Junk, and then select Report phishing.

Note: If you’re using an email client other than Outlook, start a new email to phish@office365.microsoft.com and attach the phishing email to it. Please don’t forward the suspicious email; it needs to arrive as an attachment so the headers on the message can be examined.


Have Questions?

For more Microsoft documentation please visit the Phishing and Suspicious Behaviour page through Microsoft Support. Additionally, please feel free to email Help.Desk@kzoo.edu with more specific questions related to phishing emails.


Katrina Frank, Web Services Specialist

Suggest an IT Tip

If you have a topic that you would like us to cover in the future, please complete the IT tip suggestion form or email, Katrina Frank at Katrina.Frank@kzoo.edu directly.

Required Cybersecurity Training for Faculty and Staff

Kalamazoo College Faculty and Staff,

Information security is as important as it’s ever been. To maintain cybersecurity requires a cooperative effort from all of us. In addition to securing IT systems, protecting the network, and reviewing key business practices, each user must be mindful of cybersecurity concepts and must make good information security choices.

To that end, President’s Staff asks all employees to complete online cybersecurity training by June 30, 2022.

Training Details

  • The training is composed of a series of short video modules (approximately 15 minutes total run time) with interactive questions.
  • The training was developed by Beazley Breach Solutions, K’s cybersecurity insurance carrier.
  • We will track completion to ensure that all employees finish this by July 1.

Start your Training!

  1. Visit https://campus.kzoo.edu/is/cybersecurity/
  2. Enter your username and KNET password when you see the prompt (you’ll notice the module is from Beazley Breach Solutions)
  3. Go through the video modules and answer the interactive questions
  4. Upon successful completion of the required module, you’ll receive a certificate of completion.

Difficulty Completing the Training?

Please contact the help desk (helpdesk@kzoo.edu or 269.337.5800) if you are in need of an accommodation due to a disability or have difficulty completing the online training.

Thank you in advance for doing your part to keep K’s community and our information secure.

Safeguarding PII While Working From Home

Personally Identifiable Information (PII) is information that, when used alone or with other relevant data, can identify an individual. Many employees work with PII about students, staff or alumni. Find a more detailed definition of PII and Kalamazoo College’s policy for protecting it on the IS Policies page.

  • Follow the steps in our earlier post “Tips for Working Securely from Home.” In particular, employees should be extra vigilant when working from home against social engineering attacks. It might be harder to tell if that email from your supervisor or colleague is legitimate when you are not located down the hall from them. If you receive a request for PII, we suggest that you get verbal or video confirmation from the requester.
  • Try to minimize how much PII you work with from home.
  • Never send PII through email.
  • If you need to work with PII, the best way to keep it secure is to store it on a computer that is on campus under IS management. This includes the KFiles server. We do not recommend storing PII on cloud-based services or on your device at home.
  • To work with PII, you can also use remote access via our VPN to connect using Remote Desktop to a campus computer. Another advantage of connecting with Remote Desktop is that if your home internet connection is unstable, your work is preserved on the campus desktop if you get disconnected.
  • If you have further questions or need help getting set up for remote access, please contact the Help Desk.

Update to Faculty

The Information Services Team has worked to produce extensive content to support online learning and collaboration during Spring Quarter. You can follow our COVID-19 Online Learning Plan Updates and Faculty Tools pages. Recent posts include information about virtual computer labs, tips for working securely from home, and student writing in Moodle.

What’s Working

  • Response to Microsoft Teams has been strong. We currently support over 425 Teams, including courses, committees, departments, and more. We intend to continue to refine and expand support for Teams in the future.
  • We’ve welcomed faculty new to Moodle for their asynchronous course communication and supported returning faculty in developing further skills. The number of Moodle courses is up 35% from Spring Quarter 2019.
  • Early adoption of Microsoft Stream has provided another robust platform for video communication and eased the burden on other hosting sources.
  • Classes that require software that is available only in on-campus labs can now access them remotely. This has maintained learning opportunities with programs like SPSS, MATLAB, and ArcGIS that would have been otherwise lost.

What’s Not Working

Moodle Supporting Large/Long videos

Moodle users began experiencing “500 – Internal server error” messages last week. We believe the major cause is lengthy videos uploaded directly to Moodle. Therefore, we have expanded our support of Microsoft Stream and encourage comfortable users to post to YouTube when appropriate. Currently, we are asking faculty to refrain from posting any videos longer than five minutes directly to Moodle.

Stream and Privacy

Many course videos of student introductions and instructor content are currently posted as available for anyone at the College using Stream. It is important that users not inadvertently share with larger audiences than they intend. Please know that the Quick share option available via the Stream phone app publishes video with the permission Allow everyone in your company to view this video. For more control, disable Quick Share and then use Save as draft. For further discussion of permissions in Stream, please visit the Video Streaming page of the IS website or watch our video overview.

Choice of Videoconferencing platforms

We have received extensive feedback about user experiences in Zoom and Teams. We know that Zoom’s expanded display of video and some of its scheduling features are appealing. However, we are also aware of increasing concerns over “Zoombombing” and the challenges of conducting College business on unsupported platforms. Microsoft recently posted that they are working to accelerate their implementation of a larger number of concurrent video displays in Teams. Information Services believes that a more secure tool that is integrated with our software architecture is the best choice. We’ve published a post titled Moving from Zoom to Microsoft Teams that addresses some of the most common questions and attempts to provide solutions for success.

Teams Calendar Event Feature

Some Microsoft documentation references “Meeting” and “Calendar” tabs inside Microsoft Teams. These are integrations that are not available at the College. Windows users with Teams and Outlook 2013 or later versions can use Outlook to schedule Teams meetings. For additional strategies on initiating and managing calls, please refer to Moving from Zoom to Microsoft Teams.

Return to all COVID-19 Online Learning Plan Updates