Skip to content

Category: data breaches

Published on

The George Washington University (GW) offers Information Technology Resources (IT Resources) to facilitate virtual learning and teleworking. Complying with the University guidelines is essential to performing academic and work-related activities securely while preserving the confidentiality, integrity, and availability of the University information. 

Higher education institutions are facing increased cyber threats, from cyberattacks such as phishing and ransomware to hijacking video conferencing sessions. Higher education institutions are a prime target for cyber attackers that are seeking to acquire and steal university information, such as research, personally identifiable information (PII), or to disrupt operations for financial or political gains. As a GW community member, it is essential to safeguard GW’s digital environment by understanding modern cyber threats and taking a role in minimizing risks associated with the unintentional misuse of the University IT Resources. This includes reporting events and incidents that could put university information and IT Resources at risk of exposure, theft, or misuse.  

This advisory guide is intended to support the GW community when using university-approved video conferencing software and related collaboration tools. Recommendations are included to reduce the likelihood of unintentional exposure of university and personal information beyond intended recipients. 

Recommendations for GW End-Users: 

  1. Only Use “Approved Platforms” to host events, and meetings.
    • Do not host school business via unapproved tools. Use only tools that have been provided or approved by GW. 
    • Carefully review meeting invitations. Think before you click and be wary of links sent by unfamiliar addresses 
  2. Secure your meeting for attendees.
    • Only make meetings “public” when necessary for the planned audience. 
    • Have a plan to terminate a meeting if needed.
    • Require a meeting password and use features such as a waiting room to secure private meetings.  
    • Provide a link to the meeting directly to your students and share passwords in a separate email.  
  3. Secure University Information.
    • Manage screensharing, recording, and file sharing options prior and during your hosted meeting. 
    • Protect non-public information, especially when screensharing and displaying GW information. 
    • Follow GW IT's guidelines for web conferencing storage.
    • Report suspicious activities or unusual events you notice during a meeting. 
  4. Secure Yourself and our GW Community.
    • Don’t unintentionally reveal information. Check your visual and audio surroundings to safeguard your personal information. 
    • Check and update your home network. Change default settings and use complex passwords for your Wi-Fi network. 
    • Always use GW VPN when accessing GW non-public information and IT Resources.  

Please visit the individual collaboration web pages for specific platform best practices.

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp@gwu.edu, or it.gwu.edu. For self-help resources and answers to frequently asked questions, please visit the GWiz knowledge base at http://go.gwu.edu/GWiz.  

Some of the blog content is provided by The Cybersecurity and Infrastructure Security, modified to align with the University’s mission and common terminologies. 

Published on

Information Security Photo Collage

People have a lot of pre-conceived notions about security teams and practices. While some misconceptions may be grounded in truth and others fairly outlandish, there is a lot going on behind the scenes that users may not see. From claims that we are all hackers wearing hoodies and doing nefarious deeds to the perception that we are here to get in your way, we will help you understand what is true, what is not, and why these perceptions might exist.

Myth #1: Security is just here to say no

Being at a university presents the unique challenge of providing the tools and technology necessary for students and faculty to research, learn, and achieve their goals. We must strike a difficult balance between the availability of those resources and the security of the university and our community. As security professionals, we do everything we can to enable safe and reliable access to the tools that the GW community needs to reach their goals. We are here to facilitate a safe IT environment in which all students, faculty, and staff can access the resources that they need, sometimes it sounds like, “no”, but what we are really requesting is modifications that reduce risk of exposure or breaches at GW.

Myth #2: Security only deals with technology

Many people believe that IT security only works on securing servers, reading logs, and other highly technical tasks. On the contrary, the security team has a wide range of responsibilities of which technology is only a part. The security team is continuously engaging with people and data in a multitude of ways. Often trying to help people protect themselves and the organization through a security awareness program or working directly with other teams to enhance security within their operations. They are constantly trying to improve way to protect the GW community’s data by updating policies, implementing best practices, and assessing security processes.

Myth #3: The security team is just a bunch of hackers

Just as many people think that the security team is nothing but hackers. This is far from the truth. Information security is a wide field with many specializations and it takes all sorts to be effective. While some members of the team might be highly technical penetration testers, their counterparts are security professionals focused on defensive security and protecting the GW network and assets from outside threats. Not to mention that members of the IT Security team range from awareness professionals working with people and outreach to analysts focused on identifying and reducing risk.

Myth #4: The security team takes care of security so I don’t have to

The security team works tirelessly to ensure that the GW community, information, and assets are as well protected as possible, but the team is not always the first line of defense. Security is your responsibility too. Our community is often the first line of defense when it comes to attacks from outside GW. Social engineering (aka tricking people and deceiving them) is a common tactic employed by attackers and encompasses phishing, piggy backing, and taking advantage of users in the workplace. All of this means that you, the user, needs to play a vital role in protecting the university, or, as we call it #SecuringGW. Protecting your own information is an essential puzzle piece to overall security of GW.  Catching phishing emails and forwarding them to abuse at GW may seem like a small task, but it is small actions like this that alert the team and protect GW from large breaches. Being aware of people trying to enter buildings where they don’t belong, and maintaining a clean desk free of sensitive materials are all security measures that you can take to do your part in #SecuringGW.

Fact: GW Information Security – Your Trusted Advisor

The information security team strives to facilitate access to the resources that the GW Community needs in as secure a manner as possible. Security affects everyone; data loss, lack of availability, and compromised systems impede day to day business functions, which means it affects the day to day lives of everyone on campus. In order to help prevent this, the security team acts as a Trusted Advisor to everyone in the GW Community. Whether you want to implement a new system, service, or application, or begin a new project, involving the GW security team as Trusted Advisors from the start enables us to aid in proper project oversight and completion while maintaining and promoting the confidentiality, integrity, and availability of GW’s data, systems, and services.

 

Published on Leave a comment on Public credential dumps affecting the GW community

Last week, the Division of IT sent an e-mail to the GW community regarding the recent discovery of 1.4 billion stolen credentials(usernames and passwords). The purpose of this blog post is to discuss the risks associated with credential re-use and things you can do to minimize the chances of your GW credentials being used by unauthorized persons. We wanted to take a moment to elaborate on the nature of this threat and how "credential dumps" can impact you and your online safety.

As you may have heard, large websites like Adobe.com, LinkedIn.com, and Yahoo.com have all suffered major cyber incidents in the last few years. A common hallmark of these incidents is that attackers steal the usernames and passwords for users of these sites and then leak the credentials publicly. There's very little that any regular user can do to prevent these types of incidents from occurring, but there are some actions that you can take to safeguard your accounts and your data. The most recent credential dump referenced in the above article is a collection of  credentials gathered from numerous hacks.

Follow these guidelines to help protect your accounts:

1.) Check haveibeenpwned.com* to see if any of your e-mail addresses are associated with any large credential breaches. This site is operated and maintained by Troy Hunt, who is a well-known, reputable computer security expert.

"Have I been pwned?" image

Simply type your e-mail address, click the "pwned?" button and see a list of any websites where your e-mail address and password has been part of a known credential breach.

Pwn All-clear Image
If you see this, that's good. No passwords to change.

Pwned report image
If you see this, change the passwords for the impacted accounts.

Feel free to share this URL with your family and friends.

2.) It is important that you do not re-use passwords. For example, if I use my GW e-mail address to register for Pinterest.com, the password used should not be the same as the password that you use with your GW e-mail address. This way, if Pinterest is ever compromised, that password is essentially useless for anything other than Pinterest. If you have trouble remembering passwords (this applies to roughly 99.9% of all people including the author) use a password manager. While not officially supported by the GW Division of IT, we like LastPass. LastPass works on PCs and Macs, as well as mobile devices that run iOS and Android. Password managers help users manage unique, long, complex passwords in an efficient manner.

3.) Choose passwords that are long (the longer the better) and complex (no dictionary words). Easily guessable passwords or passwords that employ obvious obfuscation techniques (e.g. Ra1seH1gh!) are not great passwords. While GW does not require you to change your password, it's not a bad idea to change your password periodically. There are some competing schools of thought on this issue but the GW security team recommends changing your password at least once annually.

The GW information security team is always on the lookout for notices of public credential dumps. We may tell you about these from time to time, especially if we learn that you may have been impacted by one of these dumps. In the meantime, follow the above guidance. These little things will go a long way to protect your accounts and your data from an attacker.

* - "pwned" is hacker-speak for "owned" or compromised.

Viewing Message: 1 of 1.
 Notice

This site uses cookies to offer you a better browsing experience. Visit GW’s Website Privacy Notice to learn more about how GW uses cookies.