Navigating Cybersecurity: How to Be Your Own Human Firewall

Photo by Marilyn Hesler

Andrew McClurg, with Information Technology Services (ITS), is often asked how people can stay safe online to protect against scams and hackers. He breaks it down to some basic points to remember.

“I always focus on four main things: passwords, multi-factor authentication (MFA), keeping software updated and knowing how to spot phishing emails and how to report them,” says McClurg, an IT analyst with the Information Security (InfoSec) team.

Andrew McClurg

SU News caught up with McClurg for a Q&A on the best tips during Cybersecurity Awareness Month. Established in 2004 by Congress and the White House, the initiative raises awareness about cybersecurity’s importance and ensures people have the resources to be safer and more secure online.

For the University, InfoSec team members do everything they can to keep your experience online as safe as possible. As part of securing users and their data, the University has firewalls in place; these are security systems that monitor and control network traffic to protect a computer or network from cyberattacks. The challenge, however, is that hackers are getting smarter than ever. To stay safe online, you need to be your own human firewall.

What does that look like exactly? McClurg explains.

What can we do to keep our passwords safe?

• Make sure all your passwords are unique across your accounts.
• Create complex passwords.
• Use long memorable phrases or song lyrics with numbers and special characters.
• Never share your passwords with others. ITS staff will never ask for or need your password to assist you.
• Setup a password manager to keep track of and monitor your passwords. This will suggest strong passwords, alert you to passwords that have appeared in data leaks and flag passwords used across accounts.

Why should we enable MFA?

MFA adds an extra layer of security to your accounts by requiring a second form of verification, such as a code or login approval request sent to your mobile device or email, in addition to your password. MFA requests could also require a biometric component, such as a fingerprint or facial recognition. The University requires the Microsoft Authenticator. Something important to keep in mind is that you should never share your MFA codes with others and ITS staff will never ask for or need your MFA code to assist you.

Want to learn more about MFA? Visit our Answers page.

How do software updates play a role in keeping devices secure?

In addition to new features and general maintenance, software updates often include security patches that close vulnerabilities that bad actors might use to install malware, steal data or launch other types of attacks. It is recommended to keep your systems updated to strengthen your security posture. Often operating systems (e.g. Windows, macOS, Android, iOS) and some software offer automatic updates to make this process easier for the user.

What is a phishing email and what should I do if I receive one?

Phishing emails are a common tactic used by cybercriminals to steal sensitive information. You should be wary of unexpected emails, especially if they ask for personal information, create a sense of urgency or contain suspicious links/attachments.

If you receive a suspicious email, be sure to consider the following:

• Does the URL look right?
  • On your smartphone or tablet, press the link and hold down until a dialog box appears containing the URL.
  • On your computer, hover over the link with your mouse. The URL will usually appear in the lower-left corner of your window.
• Does the login screen look right? Do not enter your NetID and password unless you are certain it is safe.
• Are you expecting the document or link? Be suspicious of unexpected emails sharing documents and links. If you are not sure, contact the sender (preferably via text message, phone or an alternative email address) and ask if they shared a document with you.
• Do you know the person sharing it? Consider the message suspicious if you do not know the person the message is from. Be aware, though, that phishers often use compromised accounts to send their messages, and they can also forge the sending address. If you feel at all unsure, call the person and ask if they shared a document or link with you.
• Can you tell what the document is? Is it clear to you from the document title and message what the document is and why the sender is sharing it with you? Phishers often send vague messages that just say a document has been shared with you. They rely on your curiosity. Do not open suspicious shared documents just to see what they are.
• Beware of flattery. Customized emails that compliment research and ask you to look at a shared document or link related to it. If it looks suspicious, do not log in.
• Be suspicious of emails offering deals that seem too good to be true. For example, remote work that pays exceptionally well for little time investment or offers of heavily discounted or even free technology hardware, tools and musical instruments. A favorite of the security team is the free baby grand Yamaha piano, which appears several times each year.

You can report suspicious emails by using the Report Phishing function within Microsoft Outlook. This will alert the security team who will take the appropriate actions to remediate the incident, which may include deleting the email from all inboxes, locking accounts if sent from a Syracuse account and blocking the sender. Additionally, for the latest list of phishing emails that have recently circulated throughout the Syracuse University community, visit the ITS Phish Bowl.