Cybersecurity: 7 ways you can better protect your data and devices

Passwords

Yes, it’s obvious, and yes, you’ve heard it before, but the importance of a strong password really cannot be stressed enough. A recent study showed that millions of people worldwide use easy-to-guess passwords — including more than 23 million instances of 123456 appearing in a password, according to the BBC.

Passwords work only if they are complex and confidential. Most people, however, create passwords that are based on personal information (birthdays, family or pet names, phone numbers) and are easy to find or remember (common words or phrases, famous quotations, and song lyrics), making it easier for criminals to decipher, or even guess, them.

Strong passwords should include:

• 8-64 characters
• Upper- and lowercase letters
• Numbers and special characters

Ways to create stronger passwords:

• Misspellings (e.g., “daytt instead of “date”)
• Mnemonics (e.g., use "IlTpbb" for "[I] [l]ike [T]o [p]lay [b]asket[b]all.")
• Three or more random words together (e.g., "OrangePickpocketYarn")
• A pass phrase or sentence with correct punctuation and grammar (e.g., “To be safe, the stronger the better!”)

After you create a strong password, think carefully about how to protect it. For starters, don’t write it down or share it — even with friends, classmates, or colleagues. (Note: Sharing your CIS password and/or assigned accounts for any reason is a violation of university policy.)

And don’t reuse it — ever.

“Reusing a password, even a strong one, endangers your accounts just as much as using a weak password,” according to CISA. “If attackers guess your password, they would have access to all of your accounts.”

One way around this is a password manager, which creates and stores randomly generated codes for all of your accounts. Instead of creating multiple passwords, you’ll need only one master password to access the manager.

Additionally, you can add a layer of protection through two-factor authentication (2FA). 2FA requires a username/password combo plus a second method of verifying your identity, typically a physical object like a cellphone, tablet, or hardware token. So even if an attacker obtains your login credentials, the information is less effective without access to the secondary device.

While the University of Utah requires 2FA for its employees, students can opt in through the Duo Management Portal. 2FA also can be enabled on many popular websites, such as Instagram, Gmail, and Venmo.

Social media

It’s no secret that social networking sites encourage you to provide personal information — that’s how they connect you to other people, interest groups, and organizations. The more information you make public, however, the more you expose yourself to cyberthreats.

One common tactic criminals use is social engineering, or the manipulation of people into performing actions or divulging confidential information.

“Using information that you provide about your location, hobbies, interests, and friends, a malicious person could impersonate a trusted friend or convince you that they have the authority to access other personal or financial data,” CISA says.

It also makes it easier for criminals to guess passwords based on personal information.

Ways you can better protect yourself:

• Limit your online friends and connections to people you actually know
• Limit the amount of personal information you post
• Use privacy settings to restrict who can see and post on your profile
• Think before you share — once you post online, you can’t take it back (the internet is forever)
• Turn off location sharing and/or geo-tagging, or wait to post until you get home
• Don't believe everything you read online
• Be cautious with third-party applications

Online shopping

Despite its convenience, the internet comes with inherent security risks, especially for online shoppers. Because online purchases require personal and financial information, criminals have twice the incentive to carry out attacks.

—

Attackers may try to exploit shoppers by creating fraudulent websites and emails that appear to be legitimate; intercepting unencrypted transactions; and accessing vulnerable devices through viruses or other malicious code.

Ways you can protect yourself:

• Do business only with reputable, established vendors
• Ensure your information is encrypted
• Do not respond to emails requesting sensitive information
• Use a low-limit credit card to cap your liability for fraudulent charges
• Keep a record of your purchases and compare them to your bank statements

Privacy

Like the too often-skipped Terms & Agreements section, a website’s privacy policy includes legal documentation you should read before submitting any personal information. This includes how your information will be used and distributed to other organizations.

If you agree to a website’s privacy policy, also make sure that site is secure. Your personal information should be submitted only to websites that are encrypted. Look for URLs that begin with “https,” a closed padlock (often in the address field), and valid certificates from trusted sources.

Other ways to protect your privacy:

• Do not use your primary email address in online submissions
• Devote one low-limit credit card to online purchases
• Do not allow browsers to remember your passwords

Home networks

Although your home should feel like a safe space, the reality is that every device and network connected to the internet — no matter the size or location — opens to the door to potential cyberthreats.

You can better secure it by regularly updating your software, running up-to-date antivirus programs, installing a network firewall, backing up your data (e.g., UBox), and mitigating email threats.

Perhaps more importantly, you should adjust factory default settings on your software and hardware, and enable wireless security.

Ways to enhance the security of your router:

• Use the strongest encryption protocol available
• Change the router’s default administrator password
• Change the default service set identifier (SSID)
• Disable Wi-Fi protected setup (WPS)
• Disable universal plug and play (UPnP) when not needed
• Upgrade firmware
• Disable remote management
• Monitor for unknown device connections

IoT devices

If you’re connecting to the internet via a tech gadget that’s not a smartphone, tablet, or desktop or laptop computer, then you may be using an Internet of Things (IoT) device. These items — think media players, smart TVs, voice-controlled speakers, gaming consoles, smart watches, and other smart devices — send and receive data automatically through the internet.

But the interconnectedness of these objects can present serious risks to your privacy and security.

Ways to improve the security of IoT devices:

• Evaluate your security settings
• Ensure you have up-to-date software
• Consider whether continuous connectivity is necessary
• Change default passwords to a new, unique passcode

U students, faculty, and staff also have access to ULink, a secure wireless network exclusively for IoT devices, while on campus.

Patches

One of the easiest things you can do to improve your security is download and install patches, aka software and system updates. These releases typically address vulnerabilities, fix performance bugs, and provide enhanced security features.

If possible, take advantage of automatic updates. If they are not available, visit the vendor’s website for information. You also can search or follow #patchTuesday on Twitter for the latest news about available patches.

Updates should be downloaded and applied only from trusted network locations or via a virtual private network (VPN). The U community can access the campus network through Cisco AnyConnect VPN client.

In the event that a vendor no longer supports or issues updates for its software, you should stop using that product. End-of-life (EOL) software comes with its own risks, including security vulnerabilities, compatibility issues, and decreased system performance and productivity.

Note: Microsoft will end support for Windows 7 in January 2020. Users should move to Windows 10.

Cybersecurity and other IT resources