Information Security

Security experts always tell you to choose a long, complicated password, which preferably contains numbers and punctuation characters rather than just letters. Because a password, which consists of a combination of entries from a 26-character repertoire (a-z), is much easier to crack than if the range of characters is 52 (a-z and A-Z) or 62 (including digits too).

If you've ever wondered just how secure your favorite password is, here's a simple website that will tell you. Just go to How Secure is My Password (opens in new tab) and start typing. As you type, the indicator is updated after every character to tell you approximately how long a desktop PC typically takes to crack it.

At home, remember: it's far more convenient to choose a good password in the first place than it is to change it. You can write your passwords down and keep them in a safe location or use a program like Password Safe (opens in new tab).

The main reason for regular password changes is to limit your account's exposure to misuse. Whenever you type your password, it is at risk of compromise - by someone looking over your shoulder, through interception as it travels across the network, and possibly through a phishing scam. Have you ever shared your password with a friend or family member? If so, you might be inadvertently putting your information in unintended hands. Certainly, if you break up with someone with whom you've shared a computer, change them all!

If a hacker gets your password either by guessing or stealing it, he can access your network or account for as long as your password is valid. Updating your password every quarter significantly limits the utility of that password to an attacker.

If you suspect your account has been compromised, we strongly recommend you contact the Help Desk and change your password. This goes for personal accounts too. If you suspect a virus or malware on your phone, it is crucial to clean up the device before entering any other passwords on it.

When you sign into your account for the first time on a new device or app (like a web browser), you need more than just the username and password. You need a second thing - what we call a second "factor" - to prove who you are.

The three most common factors are:

• Something you know. Your password or a Pin on your phone
• Something you have. Your smartphone with an app or a secure USB Key
• Something you are. A fingerprint or facial recognition

MFA helps protect your account by proving you are who is logging in. If your password was compromised, then the attacker could log in from anywhere. With MFA, you can prevent an attacker from using your credentials without you knowing.

Some common MFA applications are Microsoft Authenticator and Duo. 

Keeping track of passwords is a challenge many of us face in today's digital age. It is important to store passwords in a secure location that is easily accessible when needed, while also ensuring that they are encrypted. One solution to this issue is using a password manager. These applications allow you to store different passwords for various applications, while only requiring a single master password and multi-factor authentication for access. A few password manager options to look at are:

• 1password (opens in new tab)
• LastPass (opens in new tab)
• Keeper (opens in new tab). 

See our University Credentials page for information on how to change your password.

Phishing attacks target YOU, the individual, with a sense of urgency. The goal of the attack is to get you to provide the attacker with information to access your account, your colleges account, or to send money somewhere. Once the attacker has the information, they pivot to identity theft, financial loss, or accessing sensitive information. With your credentials, the works their oyster!

To protect yourself - Think Before You Click

• Hover over the links in an email to see what website address each is pointing to.
• When in doubt, go directly to the website by typing the website address in your browser's address bar.
• Verify any urgent requests that come from a contact within your organization to confirm they are valid, particularly before transferring money or divulging information.
• Only open attachments that come from known senders.
• Never click/enable macros or content from unknown sources.
• Send any suspicious emails to phishtank@fitchburgstate.edu.

Vishing refers to voice phishing. It is a social engineering attack where criminals attempt to trick individuals into revealing sensitive information over the phone. They often use deceptive tactics to impersonate legitimate organizations like banks, government agencies, or IT support.

The callers are often armed with data from other breaches, making their requests seem legitimate. We need everyone to be extra vigilant—please review the following red flags and best practices to help safeguard our information.

Vishing Techniques to Look Out for:

• Urgent or Threatening Language: Scammers often try to create a sense of urgency or use fear tactics, claiming accounts are at risk or legal action is imminent.
• Non-Answers or Redirecting Questions: Be cautious if the caller dodges questions or tries to redirect the conversation when asked to clarify their identity.
• Requests for Sensitive Information: Scammers may ask for things like Students' ID numbers or what data we have on file. Most legitimate callers should not need this information. It’s better to lead them to the information on their own rather than divulging it.

How to Protect Yourself from Vishing:

• Ask for Full Caller Details: Always ask for the caller’s full name, contact information, and reason for calling before continuing with any request.
• Verify Identity Independently: Check the caller’s information using independent methods, such as looking up their contact details or verifying ID numbers. When in doubt, don’t proceed until you’ve confirmed their identity.
• Stay Calm and Consistent: Scammers rely on throwing you off guard, so following a consistent process can help prevent errors. Stick to our verification steps regardless of the caller’s tone.
• Limit Information Disclosure: Only provide information that is strictly relevant to the stated inquiry. If something seems off or irrelevant, notify the Technology Security team.
• Report Suspicious Calls: If you receive a suspicious call, open a Help Desk ticket (opens in new tab). Be sure to include all the details of the call. If you feel threatened or if the caller is aggressive, reach out to University Police as well. We’re here to mitigate risks, track trends, and work to prevent repeated scams.

Helpful Resources on Phone Scams

• FTC Phone Scams (opens in new tab)
• FCC Stop Unwanted Robo Calls (opens in new tab)

Just like phishing, smishing uses cell phone text messages to lure consumers in. Often the text will contain an URL or phone number. The phone number often has an automated voice response system. And again just like phishing, the smishing message usually asks for your immediate attention.

In many cases, the smishing message will come from a "5000" number instead of displaying an actual phone number. This usually indicates the SMS message was sent via email to the cell phone, and not sent from another cell phone.

Recently we have seen smishing messages being sent to alumni groups. Do not respond to smishing messages!

Ransomware (opens in new tab) is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. If you suspect your computer has been hit by ransomware, e.g. you start to see strange files on your computer, Turn off the computer and bring your laptop to the Help Desk or an IT professional. 

To protect yourself:

• Ransomware commonly happens after a phishing attack. Be vigilant about suspicious links and not enabling macros from unknown sources.
• Update your computer and phone. Vulnerable applications and OSs are the targets of most ransomware attacks.
• Back up data regularly. Keep it on a separate device and store it offline. An external hard drive can be a great spot to keep family photos and documents in case of an attack.