KnowBe4 Cybersecurity Awareness Training
Recently, PASSHE Executive Leadership Group (ELG) mandated that all universities provide and require annual IT Cybersecurity Awareness training for their faculty, staff and students. The employee training and management program is also required to comply with the US Department of Education GLBA requirements. We will also begin conducting simulation phishing exercises annually. On Monday, March 7, 2022, all employees will receive an email from WCU Office of Information Security to complete an annual campaign, WCU’s Information Security Awareness Training. The campaign includes an interactive 15-minute video/quiz on Cybersecurity.
Cyber-attacks are commonly initiated through email known as phishing which can often lead to other vulnerabilities to data resulting in ransomware or other types of malware to cripple university systems. IS&T appreciates the campus community’s participation in this campaign help everyone make the most of today’s technology…safely and securely.
Self-Paced cybersecurity awareness training materials for students are available on D2L in a site called Navigating Digital Learning.
It is important to remember to Be Cyber Smart and Think Before You Click. Bad actors are intensifying their efforts to trick unsuspecting users into scams that can steal your credentials, inject malware onto devices, or obtain credit card information by falsely selling products. Most recently, they have started using the COVID-19 Omicron variant, and false DUO alerts as a lure to trick you. Higher education institutions are often targeted especially when users are focused on exams and projects and less likely to spot a scam.
Things to consider to navigate the season safely and securely:
Think before you click. If an email looks suspicious or an offer looks too good to
be true, it probably is.
Learn how to Report suspicious emails
Don’t fall for fake delivery notifications or text messages.
Learn how to deny a fraudulent Duo Request
Be careful about the apps you download and verify that the publisher is trusted. When
ordering online, use trusted sites with https:// in the url and also monitor your bank account and card activity.
understand current global cybersecurity threats
IS&T encourages everyone to take increased ownership of enhanced online activity and the important security practices that come along with it. The virtual safety of our community, and, ultimately, our nation, depends on our personal online safety practices. Cybersecurity is important to West Chester University and we are committed to helping our faculty, staff and students become more resilient.
Be Cyber Smart
Stay protected while connected.
Before you connect to any open/public wireless network (like at an airport, hotel, or cafe) be sure to confirm the name of the network and exact login procedures to ensure that the network is legitimate. If you use an unsecured public access point, practice good internet hygiene by avoiding sensitive activities (banking and shopping) that require passwords or credit cards. Using a personal hotspot or cellular data is often a safer alternative to free Wi-Fi. Only use sites that begin with https:// when online shopping or banking.West Chester University's RamNet WiFi is a secured network. It is secured by an enterprise network authentication protocol called 802.1X. Using this protocol, all network traffic, including usernames and passwords, are encrypted during transmission. During the connection process, usernames and passwords are checked to verify that the user is an active member of the WCU community. Once confirmed, appropriate network access is assigned based off network needs and requirements. Remember, free Wifi could cost you: https://www.wcupa.edu//infoServices/security/documents/FreeWifiCouldCostYou.pdf
Fight the Phish
Play hard to get with strangers.
Cyber criminals use phishing tactics hoping to fool their victims. If you are unsure who an email is from (even if the details appear accurate) or if the email looks "phishy" do not respond and do not click on any links or attachments found in that email. When available use the "report Phish" or "Report" option to help your organization or email provider block other suspicious emails before the arrive in your inbox.
Deny a Duo login approval request if you did not initiate it.
Imagine you are getting coffee with friends and you receive a Duo Multifactor authentication request on your phone. You suspect that it is fraudulent because you are not trying to log into any systems or accounts. What should you do? You should deny the request. This article explains how to deny a fraudulent Duo login approval request: https://wcupaprod.service-now.com/kb_view.do?sysparm_article=KB0011185
Social Media Cybersecurity Tips
Never Click and Tell.
Limit what information you post on social media. Popular quizzes often ask users a series of shareable personal questions, ranging from the name of their pet, childhood best friend, first grade teacher or their birth city. Some people see them as a fun way to bond with friends, but many of these queries are similar if not identical to security questions used when setting up accounts at banks and other organizations. Keep Social Security numbers, account numbers, and passwords private as well as specific information about yourself such as your full name, address, birthday, etc.
Think Cybersecurity First
Cybersecurity is a year-round effort and staying safe online is increasingly important as our world continues to operate virtually for so much of work and play. We should all approach cybersecurity with care in owning, securing, and protecting all our online accounts, data and information. West Chester University offers these resources that you can utilize to keep yourself safe online:
- CISA’s Cyber Essentials – basic cyber best practices for business leaders: cisa.gov/cyber-essentials
- Learn about careers in cyber with the National Initiative for Cybersecurity Careers and Studies: niccs.cisa.gov
*National Cyber Security Alliance (NCSA) and the Cybersecurity and Infrastructure Agency (CISA) content is copyrighted and reproduced under the Creative Commons BY-NC-ND 3.0 or Creative Commons BY-NC-ND 4.0 license.
KnowBe4 User Awareness Training for Faculty & Staff
This is an offering for all faculty and staff. It involves taking a 15 minute online webinar that teaches you the basics of information security and privacy. KnowBe4 is a Security Awareness platform that was originally started by famed hacker, Kevin Mitnick. WCU Employees can get to KnowBe4 by going to https://training.knowbe4.com/ui/login and login with your WCU credentials.
Self-Paced Training for Students
Information Services & Technology teams worked with the Office of Digital Learning and Innovation ( ODLI ) to put together a short security awareness class for students on D2L in a site called Navigating Digital Learning. The focus of the training currently is around Phishing Emails.
Information Security Tools @WCU
WCU has various methods of offering Information Security and Privacy programs. Information Security can only be achieved with lots of layers (like an onion.) One of those layers is the concept we sometimes call the "Human Firewall." Many times this is the first layer that protects the confidentiality, integrity and availability of data and IT services. This means YOU. However, in order to make that achievable, WCU has provided a few services and educational opportunities to assist you.
Carbon Black is an Endpoint Detection and Response (EDR) system that detects suspicious activity, uncovering attackers’ behavior patterns and empowering IS&T to detect and stop emerging attacks. As part of a multi-pronged approach to enhance endpoint security monitoring, all university owned laptops and desktops now require an application called Carbon Black.
DUO Multi-Factor Authentication
As many of you have now experienced WCU rolled out Multi-Factor Authentication using
Duo technology for many of the applications and services you use on campus. The primary
goal for this is to protect your digital identity from being compromised even if your
password is exposed to bad actors. Currently, 89-% of all faculty and staff have enrolled
into Duo. Students will start the onboarding process this fall as well.
Mimecast Email Security Gateway
We have subscribed to a new email filtering service called MimeCast. This service sits between you and your WCU email account. Mimecast is designed to help protect your account from Unsolicited Email (Spam), Phishing Attempts and Malware. Last Month, 21% of inbound email was rejected by MimeCast. 66% was for email from known bad servers and 7% of those messages was for Spam.
If you receive a suspicious email, you can visit The Phish Bowl to view a list of latest phishing attempts. If the email is posted, then the email has already been reported, and you can simply delete the email. How to Spot and report a Phish or Spam email.
Phishing Red Flags:
For your safety and security, please consider the following red flags if you receive a job via email that is not coming from Handshake, or from a professor, student, or staff member at the university that you know and trust.
- Is a personal assistant job, or a job where the employer is not named
- Comes from an email address that doesn’t match the company’s name
- Does not provide information, such as the title of the person sending the email, the employer’s address or phone number, etc.
- Offers to pay a large amount of money for not much work
- Offers you the job without interviewing you
- Asks you to pay an application fee or some other fee as a condition of starting employment
- Wants you to transfer money from one account to another, by wire service, courier or other means, or deposit a check that they send you
- Requests your bank account or credit card information
No legitimate employer will send payment in advance and ask you to send a portion of it back to them. These jobs are often posted as a personal assistant or administrative assistant and ask for assistance in depositing checks or doing mystery shopping. These checks are fraudulent and can end up costing you hundreds of dollars.