GW Box is the university's enterprise file sharing service for online cloud storage and collaboration. GW also uses Gmail for email service; as such, the community has access to Google Drive as a cloud storage solution as well. Sharing and collaborating is essential to every work and study environment in the 21st century. Whether it’s for class projects or work projects, cloud storage and sharing solutions have changed and simplified how we do things. But there are practices we should implement and guidelines we should follow in order to use the cloud responsibly. Below are the recommended Best Practices by GW IT and GW Information Security.
Social media trends are not only fun, but they also include a hint of FOMO if we don’t participate. The same can be said for the newest viral trend, the “how hard did aging hit me” challenge, also known as the “10 year challenge.” There has been speculation about the origin and purpose of this trend across the internet, even in the information security Twitter community.
Kate O’Neill’s tweet is a perfect example of a growing distrust the public has of social media and the internet in general after the introduction of many AI technologies, whether they be related to ad content or predictive text.
This affects the GW community at every level; students, staff members, and faculty members alike partake in social media sharing. There is nothing that confirms that O’Neill’s tweet has truth to it. However, our goal is to highlight the need for users to be smart and to be safe online. Always be vigilant of what you post and how much detail you give out, especially when it comes to location sharing. Criminals are becoming increasingly knowledgeable about how to use technology to their advantage, as are large corporations like Facebook where we live our daily lives. The younger the clientele, the more common it is for them to live their life in the digital world. Be #securityaware.
Skeptics can agree that this trend and some others can be seen as data mining or data harvesting parading as a harmless social game. Realistically speaking, information security professionals know that technology has become so mobile that it goes where we go. So, our message to you is be mobile, but be mindful. Stay mindful of what you share and how much you share. It may sound like an older generation reprimanding you, but it is true: everything you do does not have to be a social media post.
Over the past few months, GW has been introducing two-step authentication to all students, faculty and staff for GW Google apps. By February 28, 2018, the entire GW community will be required to use two-step authentication to sign into GW Google email, calendar and drive.
Two-step authentication is a second layer of security in addition to your password for any kind of login. It means you have to confirm your identity in two ways – with something you know (your password) and something you have (a code sent to your phone).
OK, how does this work? GW uses Microsoft two-step authentication to ask individuals for a second confirmation of their identity at login, using a physical device in their possession. The device may be a smartphone or tablet using the free Microsoft Authenticator app, a text message sent to your phone, or an automated voice call to a landline or cell phone.
Why do we need two-step authentication? Passwords alone aren’t good enough to protect your personal information and our systems and networks. Two-step authentication makes it much harder for unauthorized individuals to access your account, in addition to GW systems and networks.
Isn’t this an inconvenience? We hope not! Many people already use two-step authentication systems for online banking and shopping. Even social media sites may ask you to confirm your identity when you’re trying to log in from a new device or location. If you try to use your credit card to buy gas, you may be asked to enter your ZIP code. That's two-step authentication at work.
In addition, the GW community has the ability to select a “Remember me for 14 days” option. This means you’ll only have to use two-step authentication every 14 days to sign into your GW email from a trusted device.
Does two-step authentication really provide better protection? Yes. While it’s not foolproof or perfect, it is a great additional measure to safeguard your accounts and data. At GW, the most secure option is to use two-step authentication with the Microsoft Authenticator app, which will generate a one-time code each time you log in, even if you don’t have cellular reception. This eliminates the possibility of getting hacked through your text messages or email. Although two-step authentication isn’t perfect, it’s one of the best options to protect your data.
The Division of IT is committed to providing the GW community with resources to be more secure. To learn more about two-step authentication at GW, visit https://it.gwu.edu/two-step or check out this November Hatchet article.
This month, we’re talking about the importance of data privacy and steps you can take to better protect your data online. Data Privacy Day is Sunday, January 28 and was created to start a conversation about the importance of data privacy and provide resources to help you protect your data.
Here at GW, the Division of IT provides students, faculty and staff access to GW Google Drive and GW Box to store and collaborate on files. These document management solutions provide plenty of storage space and have features that allow users to easily share documents with others.
In order to protect your data and GW’s data when using these services, follow these security best practices:
Evaluate the business need
- If you don’t need to store or maintain a document, don’t
- If the document contains regulated data, use GW Box, not GW Google Drive
- If the document contains restricted or public data, you can use GW Box or GW Google Drive
Share with care
Be mindful of what you are sharing and with whom you are sharing it. It’s easy to make mistakes when it comes to sharing files so be mindful of typos and these options when you share:
- Share with “People with the Link” - Anyone with the link to this file is able to access the document (this sharing means public)
- Share with “People in your company” - Anyone with the link at GW will be able to access the document
- Share with “People in this folder” - Anyone who has access to the folder will be able to access the document
Don’t store credit card numbers
Limit use and storage of Social Security Numbers (SSN)
- Most of the functionality and use of SSN has been replaced by the GWID
- If you do work with SSNs, be mindful of what you are storing on your local machine and in GW Box and GW Google Drive
- Only store Social Security Numbers in GW Box and only if there is a valid business need
The Division of IT is holding a Data Privacy Event on January 30, 2018 in the lower level of District House. Join us to learn more about data privacy resources.
If you’re interested in helping to shape a data privacy program at GW, please take our short survey: https://it.gwu.edu/data-privacy-survey. Respondents will be entered to win one of two books about data privacy.
Last week, the Division of IT sent an e-mail to the GW community regarding the recent discovery of 1.4 billion stolen credentials (usernames and passwords). The purpose of this blog post is to discuss the risks associated with credential re-use and things you can do to minimize the chances of your GW credentials being used by unauthorized persons. We wanted to take a moment to elaborate on the nature of this threat and how "credential dumps" can impact you and your online safety.
As you may have heard, large websites like Adobe.com, LinkedIn.com, and Yahoo.com have all suffered major cyber incidents in the last few years. A common hallmark of these incidents is that attackers steal the usernames and passwords for users of these sites and then leak the credentials publicly. There's very little that any regular user can do to prevent these types of incidents from occurring, but there are some actions that you can take to safeguard your accounts and your data. The most recent credential dump referenced in the above article is a collection of credentials gathered from numerous hacks.
Follow these guidelines to help protect your accounts:
1.) Check haveibeenpwned.com* to see if any of your e-mail addresses are associated with any large credential breaches. This site is operated and maintained by Troy Hunt, who is a well-known, reputable computer security expert.
Simply type your e-mail address, click the "pwned?" button and see a list of any websites where your e-mail address and password have been part of a known credential breach.
If you see this, that's good. No passwords to change. If you see this, change the passwords for the impacted accounts.
Feel free to share this URL with your family and friends.
2.) It is important that you do not re-use passwords. For example, if you use your GW e-mail address to register for Pinterest.com, the password used should not be the same as the password that you use with your GW e-mail address. This way, if Pinterest is ever compromised, that password is essentially useless for anything other than Pinterest. If you have trouble remembering passwords (this applies to roughly 99.9% of all people including the author) use a password manager. While not officially supported by the GW Division of IT, we like LastPass. LastPass works on PCs and Macs, as well as mobile devices that run iOS and Android. Password managers help users manage unique, long, complex passwords in an efficient manner.
3.) Choose passwords that are long (the longer the better) and complex (no dictionary words). Easily guessable passwords or passwords that employ obvious obfuscation techniques (e.g. Ra1seH1gh!) are not great passwords. While GW does not require you to change your password, it's not a bad idea to change your password periodically. There are some competing schools of thought on this issue but the GW security team recommends changing your password at least once annually.
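Why a password like Ra1seH1gh! counts as obvious obfuscation, shown as an added example that is not from the original post or a GW tool: undoing the usual character swaps leaves plain dictionary words. The word list, the substitution table and the 16-character minimum are constructed assumptions; a real check would use a full dictionary and a breached-password list.

```python
import re

# Constructed sample word list (assumption, not from the post).
WORDS = {"raise", "high", "george", "washington", "password",
         "colonial", "welcome"}

# Common character substitutions, undone before the dictionary lookup.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Lower-case, reverse the substitutions, then drop anything not a-z."""
    return re.sub(r"[^a-z]", "", password.lower().translate(UNLEET))


def dictionary_words(text: str, words=WORDS, min_len: int = 4) -> list:
    """Left-to-right scan taking the longest dictionary word at each position."""
    found, i = [], 0
    while i < len(text):
        for end in range(len(text), i + min_len - 1, -1):
            if text[i:end] in words:
                found.append(text[i:end])
                i = end
                break
        else:
            i += 1  # no word starts here; move on one character
    return found


def review(password: str, min_length: int = 16) -> list:
    """Return the reasons a password falls short of guideline 3 (empty if none)."""
    text = normalize(password)
    found = dictionary_words(text)
    covered = sum(len(w) for w in found)
    problems = []
    if len(password) < min_length:  # assumed threshold; the post gives no number
        problems.append(f"shorter than {min_length} characters")
    if found and covered * 2 >= len(text):
        problems.append("built from dictionary words: " + ", ".join(found))
    return problems


if __name__ == "__main__":
    # Constructed sample passwords; the first is the post's own example.
    for pw in ("Ra1seH1gh!", "G30rg3W@sh1ngt0n2018", "tq9#Lm2vX!rb7Kd@pZ6w"):
        print(pw, "->", review(pw) or "no findings")
```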
The GW information security team is always on the lookout for notices of public credential dumps. We may tell you about these from time to time, especially if we learn that you may have been impacted by one of these dumps. In the meantime, follow the above guidance. These little things will go a long way to protect your accounts and your data from an attacker.
* - "pwned" is hacker-speak for "owned" or compromised.