
Creating, managing, and using complex passwords for the many sites and services we all access is a daunting task. While password managers can assist with the memorization and management challenges, traditional passwords do not leverage modern security capabilities. A rapidly evolving technology uses passkeys in place of passwords. At a basic level, passkeys leverage your personal computer, mobile device, or even a password manager to provide a validated (through a fingerprint, for example) encrypted response to login challenges from a website you have an account on. This process effectively replaces the matching of a password you submit to one stored on the site. In the passkey scenario you are providing an encrypted answer to a unique challenge, and all of the communications are encrypted. Through the use of public key and private key cryptography in the underlying technology, your identity is verified and access granted without your private key ever being transferred. There is a more technical explanation of the passkey process here: Passkey (Passkey Authentication), Techopedia, June 2023. Basic passkey process steps:
  1. You establish a passkey on a website that supports it using a device that supports the technology.
  2. Once established, when you access a site, instead of entering a password your device will ask you to verify your identity.
  3. You use device-based authentication (PIN, fingerprint, or facial recognition) on your personal device to authorize website access.
  4. Your device responds to the site through an encrypted message confirming your identity.
  5. The website then grants you access.
The challenge sent to your device and the response sent back to the site are encrypted, your private key is never transferred, and the response is tied to the identity of the website; together these make this login approach more secure than using passwords. Using passkeys should help reduce inadvertent credential compromises through fraudulent websites, thanks to the added safeguards built in around site verification. A PCWorld article, Passkeys Explained: How to Embrace a Passwordless Future Today (May 2024), has additional information on passkeys and notes there are directories of providers that support passwordless logins:

Services with passkey support

There is no official directory of all providers with passwordless login. Lists are provided by Passkeys.io, Passkeys Directory, and Keeper, among others.
If you use a password manager, most offer support for managing and using passkeys. Cloud services can enable passkey use across multiple devices. While there are many options to explore, a simple way to get started is to use solutions from vendors deeply connected to devices and device operating system software, like Google, Apple, and/or Microsoft. Ars Technica published an article in May 2023 with frequently asked questions about passkeys: Passkeys may not be for you, but they are safe and easy—here’s why. The article covers common questions about privacy, personal account security, and trust. The following excerpt from the site recaps how the passkey process works while enhancing your personal cybersecurity (emphasis added).
Q: Passkeys give control of your credentials to Apple/Google/Microsoft, to a third-party syncing service, or to the site you’re logging in to. Why would I ever do that? A: Assuming you’re using a password to sign in to a service such as Gmail, Azure, or Github, you’re already trusting these companies to implement their authentication systems in a way that doesn’t expose the shared secrets that allow you to log in. Logging in to one of these sites with a passkey instead of a password gives the sites the same control—no more and no less—over your credentials that they had before. The reason is that the private key portion of a passkey never leaves a user’s encrypted devices. The authentication occurs on the user device. The user device then sends the site being logged in to a cryptographic proof that the private key resides on the device logging in. The cryptography involved in this process ensures that the proof can’t be spoofed.
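As an added illustration (not code from this page, from GW, or from any of the articles cited above), the following Go program simulates the five steps listed earlier and the "cryptographic proof" the Ars Technica excerpt describes. The device keeps a P-256 private key per site and only ever hands out signatures; the site keeps public keys and one-time challenges. The type names, the domains example.edu and examp1e.edu, and the user alice are constructed for the example, and the signed message is a simplified stand-in for the real WebAuthn format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device or password manager. It holds one
// private key per site (keyed by the site's domain, the relying-party ID) and
// that private key never leaves it.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register (step 1) creates a fresh P-256 key pair bound to rpID and returns
// only the public half for the site to store.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedData is the message both sides sign/verify: a hash over the site
// identity and the one-time challenge. (Real WebAuthn signs
// authenticatorData || SHA-256(clientDataJSON); this is the simplified shape.)
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert (steps 3 and 4) answers a challenge. userVerified stands in for the
// PIN, fingerprint or face check. A domain the device never registered with
// gets no signature at all, which is what defeats lookalike phishing sites.
func (a *Authenticator) Assert(rpID string, challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("user verification failed")
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

// RelyingParty models the website. It stores public keys only, so a breach of
// its database yields nothing that can be replayed as a login.
type RelyingParty struct {
	ID      string
	pubKeys map[string]*ecdsa.PublicKey // user -> registered public key
	pending map[string][]byte           // user -> outstanding one-time challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// Challenge (step 2) issues 32 random bytes that are valid for exactly one answer.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify (step 5) checks the signature with the stored public key over the
// site's own ID and the challenge it issued, then discards that challenge so a
// captured signature cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, havePub := rp.pubKeys[user]
	c, haveChallenge := rp.pending[user]
	if !havePub || !haveChallenge {
		return false
	}
	delete(rp.pending, user)
	return ecdsa.VerifyASN1(pub, signedData(rp.ID, c), sig)
}

// Demo runs one registration and three login attempts and reports whether each
// is accepted: the genuine site, a replay of the same signature, and a
// constructed lookalike domain asking the device to answer on its behalf.
func Demo() (genuine, replay, lookalike bool) {
	device := NewAuthenticator()
	site := NewRelyingParty("example.edu") // constructed relying-party ID
	pub, _ := device.Register(site.ID)
	site.Enroll("alice", pub)

	ch, _ := site.Challenge("alice")
	sig, _ := device.Assert(site.ID, ch, true)
	genuine = site.Verify("alice", sig)

	replay = site.Verify("alice", sig) // challenge already consumed

	ch2, _ := site.Challenge("alice")
	_, err := device.Assert("examp1e.edu", ch2, true) // constructed lookalike domain
	lookalike = err == nil
	return
}

func main() {
	g, r, l := Demo()
	fmt.Printf("genuine login accepted: %v\nreplay accepted: %v\nlookalike got a signature: %v\n", g, r, l)
}
```

Running it shows the genuine login accepted, the replayed signature rejected because the challenge was single-use, and the lookalike domain receiving no signature because the device has no key for it. The same properties hold in real passkey deployments, where the browser supplies the site identity and the authenticator signs a message that includes it.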
Key takeaways:
  • Passwords will still be present for many sites for some time.
  • Passkeys provide more secure authentication for sites and devices that support them.
  • Explore passkeys on a couple of sites and expand your use as you gain experience.
  • It is a good idea to try the technology, as it will become more prevalent and in some cases required to access web applications.

Before spilling your digital secrets to ChatGPT or other AI tools, remember it's more sieve than vault! The number of stolen ChatGPT accounts is just unbelievable. Why? Because criminals know people copy and paste sensitive data into ChatGPT conversations. Here are a few tips to keep you safe when using any AI tools:
  1. Beware of fake AI apps and browser extensions that may be malware or phishing scams
  2. Never enter sensitive information or PII while using AI tools
  3. Treat AI tools like a knowledgeable but overconfident friend, and use them cautiously
Want even more tips on how to stay safe using AI? Continue reading or watch this 1-minute video: (material by Wizer-training.com)
  • Never enter sensitive information or personally identifiable information (PII) while using AI tools.
  • Remove mentions of GW, faculty, staff and student names from content put in AI tools.
  • Ensure that AI-generated information is validated through other sources prior to using.
  • Understand potential bias in AI-generated content.
  • Thoroughly review AI-generated code before using.
  • Treat AI tools like a knowledgeable but overconfident friend and use them cautiously.
  • Content provided by wizer-training.com

The National Cybersecurity Alliance partnered with Consumer Reports to bring you a new animated video [opens YouTube link] about how you can take control of your data! Check out "The Tale of Privacy Peyton" below, and download Consumer Reports' Permission Slip.


[Image: Security is in your hands]

95% of all successful cyberattacks start with human error, according to the IBM Cybersecurity Intelligence Index. That makes it important to periodically evaluate and improve your own information security hygiene and awareness.

Information security is one of the fastest-changing fields in the world. New technologies emerge every day that change the way people attack and defend systems and networks. While professionals in information security are required to be in a constant state of learning to keep up with the field as a whole, those without day-to-day dealings tend to be the primary targets and the least informed. Being aware and informed enables everyone to protect themselves. Staying informed is simple: there is a wide range of awareness organizations and individuals dedicated to reaching outside of the information security community and enabling everyday users to secure themselves, their data, and thereby their organizations.


Awareness Companies

Security awareness training should be a high priority for any organization. To facilitate effective awareness training, a number of companies focus on providing awareness training as a professional service, often using computer-based training. Companies such as Habitu8, SANS, KnowBe4, and Security Ninja focus on providing awareness training packages to organizations that want to inform and educate their employees. These packages are frequently integrated into a learning management system (LMS); Blackboard is one example of an LMS. Other free resources are also available and essential to reaching people both inside and outside the information security community. Free websites often feature webinars, talks, and videos. You can ask your organization or awareness training coordinator what resources are available to educate yourself. (At GW, you can email infosec@gwu.edu for more resources or to request training for your student organization or department.)

Free training resources
Reading and news: https://www.sans.org/security-resources/
Test your knowledge and learn: https://www.khanacademy.org/partner-content/nova/cybersecurity/cyber/e/cybersecurity-101-quiz


On the Web

While organized and mandatory awareness training can be effective, it isn’t the only way to reduce risk and stay up to date on cybersecurity. There is an abundance of websites, blogs, and other informational pages freely available to all. Cybersecurity is often in the news as well, and it is worth noting that it comes up more and more often.

One website run by Troy Hunt, Have I Been Pwned, not only allows users to check whether their email has been associated with a data breach, but also lets them stay up to date on data breaches happening around the world. Hunt’s website provides information on hundreds of breaches that may impact you or your family and can often provide the early warning you need to change your passwords before your accounts are stolen. In addition to providing a breach checking service, the site also offers a way for users to check a password against the ever-growing list of compromised passwords that Hunt maintains, and if you are unsure of how to choose a secure password, look no further than the same page for guidance.
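The compromised-password check mentioned above is designed so that the password itself is never sent to the service: the client hashes it with SHA-1, sends only the first five hex characters of the hash to the range endpoint (api.pwnedpasswords.com/range/<prefix>), receives every hash suffix that shares that prefix, and does the final comparison locally. The Go code below is an added example (not Have I Been Pwned's own client code) of that client-side logic. It runs fully offline: the range response is a constructed sample, and the breach counts in it are made up, though the first suffix really is the tail of the SHA-1 hash of the string "password".

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"strconv"
	"strings"
)

// SplitHash hashes the password with SHA-1 (the digest Pwned Passwords uses) and
// splits the upper-case hex into the 5-character prefix that is sent to the
// service and the 35-character suffix that stays on the client.
func SplitHash(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// CountInRange scans a range response ("SUFFIX:COUNT" per line, one line for
// every known hash that starts with the requested prefix) and returns the
// number of times the given suffix was seen in breaches, or 0 if it is absent.
func CountInRange(body, suffix string) int {
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 2)
		if len(parts) != 2 || !strings.EqualFold(parts[0], suffix) {
			continue
		}
		n, err := strconv.Atoi(strings.TrimSpace(parts[1]))
		if err != nil {
			return 0 // malformed count: treat as not found rather than crash
		}
		return n
	}
	return 0
}

// ConstructedRangeBody is a made-up stand-in for the response to prefix 5BAA6.
// Counts are invented; the second suffix is the real SHA-1 tail of "password".
const ConstructedRangeBody = "0123456789ABCDEF0123456789ABCDEF012:7\r\n" +
	"1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n" +
	"FEDCBA9876543210FEDCBA9876543210FED:1\r\n"

// PwnedCount ties the steps together. fetchRange stands in for the HTTPS GET of
// the range endpoint; in this offline example it is served from the constant.
// Only the prefix ever reaches fetchRange; the full hash never leaves this function.
func PwnedCount(password string, fetchRange func(prefix string) string) int {
	prefix, suffix := SplitHash(password)
	return CountInRange(fetchRange(prefix), suffix)
}

// OfflineFetch answers only for the constructed prefix, like a cached response.
func OfflineFetch(prefix string) string {
	if prefix == "5BAA6" {
		return ConstructedRangeBody
	}
	return ""
}
```

To use this against the live service, replace OfflineFetch with an HTTPS GET of the range URL for the prefix; the point of the design is that the response comparison, and therefore the password, stays on your machine.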

Credit monitoring services like Credit Karma and Equifax also offer services that track your exposure to identity fraud or a credit data breach.

Many information security websites can be so technical that they drive less informed readers away, but don’t let that discourage you. Brian Krebs, an investigative journalist, runs a site called Krebs on Security where he writes about the most recent information security news. Krebs provides in-depth coverage of ongoing stories that far surpasses traditional news media coverage. He achieves this without alienating less technical readers with overly complicated and technical language and articles. Krebs on Security provides a good way for the average user to stay up to date on relevant topics in the information security space.

As social media has gained popularity, more and more professionals are turning to it to keep informed and spread their message. It may come as a surprise to some that there is a large information security community on Twitter, but it is one of the best places to keep up with the latest in security news. While some may think that only information security professionals should be following each other on Twitter, everyone can benefit from the discussions, news, and events that are posted all over the #infosec Twitter space. Users frequently post links to free webinars, blogs, and conferences covering a wide range of topics that help even the least technical user remain aware and informed. Big names on Twitter such as Jake Williams (@MalwareJake), Brian Krebs (@briankrebs), Troy Hunt (@troyhunt), and Lesley Carhart (@hacks4pancakes) provide a constant stream of information security news, issues, and tips to benefit everyone. Organizational Twitter accounts like the National Cybersecurity Alliance (@StaySafeOnline) and the SANS Internet Storm Center (@sans_isc) also provide comprehensive and consistent updates to the cybersecurity student and professional. Don’t be afraid to use less traditional methods such as Twitter and social media to educate and protect yourself.