Educause Security Discussion mailing list archives

Re: Cyber Security Awareness Month - Examples of Online events or Phishing


From: Kristen Dietiker <000001c25973bc27-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Wed, 2 Sep 2020 15:31:50 -0700

Hi Cathy, here you go. I'm doing 5 questions per level.

CLUE 1: October is National Cybersecurity Month. What is this year's theme?
Rationale: start 'em off easy.

CLUE 2: SCU uses Duo 2-factor authentication to secure accounts and
applications. When prompted with a Duo authentication request, you
can accept a Push notification on your smartphone, tap on a hardware token,
answer a phone call, or use a passcode sent via SMS. If you use the SMS
option with Duo at SCU, how many passcodes will you receive at once?
Rationale: Travel options are one of the top support questions I get about
Duo. Getting advance codes usually works best for the person involved.
Hopefully this plants the seed so they don't need to contact support.

CLUE 3: Duo 2FA has a feature to Remember This Device, where you check a
box to "Remember Me for 12 hours", which limits how frequently you get
prompted to authenticate to Duo. Regardless of this setting, what SCU
service will always prompt you for Duo?
Rationale: We just rolled out the "Remember Me" option and it directs
people to our support pages for an explanation on how it works (and why it
might not).

CLUE 4: SCU's Information Security Office maintains a website with links to
relevant cybersecurity information and advice. According to their Password
Advice, a strong password is at least how many characters long?
Rationale: Educate people on what a secure password is.

CLUE 5: According to the National Cyber Security Alliance's "Remote Working
Tip Sheet", what is the first basic security measure you should take to
protect yourself from cybercriminals?
Rationale: just another reminder to Think Before You Click, as phishing is
a top focus for us.

CLUE 6: The website stopthinkconnect.org contains basic tips & advice for
staying safe online. What is their first tip?
Rationale: During work from home/learn from home, reinforcing good computer
hygiene is a top concern. It also drives them to a site that provides tips
in multiple languages for bilingual community members who can then reshare
with friends and family members.

CLUE 7: Smartphones are pocket sized computers, and people often use them
to access some of their most sensitive data like online banking. Keeping
your smartphone secure is critical for protecting yourself. The US Federal
Communication Commission (FCC) has an easy-to-use site to lead users
through the process. How many steps are in the FCC Smartphone Security
Checker?
Rationale: More device hygiene. Drives people to view secure smartphone
settings that are tailored to specific platforms.

CLUE 8: The Student Privacy Compass (formerly called FERPASherpa) is a
student privacy resource website published by the Future of Privacy Forum.
How many federal privacy laws do they cite as being relevant to Higher
Education Institutions?
Rationale: We recently implemented employee-wide cybersecurity training and
based it off GLBA compliance. Change is hard and it's just a gentle attempt
to reinforce that sometimes we have to change due to external forces, and
there's a lot more than just FERPA we have to think about. Also for
students, it drives them to this resource so they can better understand
their rights.

CLUE 9: According to the SCU Information Security Office's "Personal
Account" advice, what is the most important online account to secure with
2-factor authentication?
Rationale: account security is a top concern for us, and we also always try
to personalize our advice.

CLUE 10: The National Cybersecurity Alliance has several videos available
on YouTube. In "Security Awareness Episode 1: Passwords", they recommend
Multi-Factor authentication, long memorable passwords, and what else?
Rationale: It's a humorous video and it reinforces the main tenets about
account security that are woven throughout this scavenger hunt. I wanted to
include more videos, but it was hard to find ones that would be relevant to
visual or hearing impaired participants.

CLUE 11: Brian Krebs is one of the foremost investigative reporters working
on cybersecurity issues. In an August 2020 blog post, he discusses the
practice of "planting your flag", creating and securing online accounts
tied to your identity. This helps protect you from identity theft by
preventing cybercriminals from creating these accounts in your name.
Examples of online accounts he says everyone should create and secure are
credit bureaus, financial institutions, utility companies, the IRS, and the
Social Security Administration. According to this article, it's a good idea
to create and secure an account for which other federal service? (Hint:
provide the name of the service, not the agency that provides the service)
Rationale: When communicating with the SCU community, I focus not only on
SCU security but their personal security, and that of their families. I
think personalizing infosec makes people more receptive. It also adds a
different kind of resource format to the scavenger hunt and hopefully gets
people thinking.

CLUE 12: The FBI investigates cyber crime through their Internet Crime
Complaint Center (IC3). The IC3 also publishes consumer fraud alerts and an
annual Internet Crime Report. According to their 2019 report, cybercrime
victims experienced financial losses exceeding how much money? (Omit the
dollar sign)
Rationale: Scare people? ;-)

CLUE 13: LastPass is a popular and frequently recommended password manager.
Their “Psychology of Passwords” report discusses the top 6 risky behaviors
that make you a target online. What’s the 5th risky behavior they cite?
Rationale: Again pounding in one of our account security tenets.
Twisting the question a bit and reminding people they underestimate their
risk (and putting it right after 3.5 billion in losses for a little more
psychological punch hopefully).

CLUE 14: According to the SCU Information Security Office website's advice,
what is the main benefit of using a Password Manager?
Rationale: Drives people to our website where they might stay and look
around a bit, and also bashing them over the head with our account security
tenets.

CLUE 15: Google provides an Account Privacy Checkup feature, which allows
you to choose whether to save or pause your activity (history) data. On
your SCU account, you can edit this setting for Web & App Activity and what
else?
Rationale: Get people to actually go to the Google privacy checkup feature.
Maybe they'll adjust some settings while they're there ;-)

Feel free to borrow & adapt.
--
*Kristen Dietiker*
Chief Information Security Officer
Santa Clara University
(408) 554-5554



On Wed, Sep 2, 2020 at 8:24 AM Ullman, Catherine <cende () buffalo edu> wrote:

Hi Kristen,

Would you be willing to share your questions?  We may want to do something
like this for next year and would love to have a starting point that’s a
little more EDU-friendly.  Feel free to reply off-list if you prefer.

Best,

Cathy

Dr. Catherine J Ullman
Senior Information Security Forensic Analyst
Information Security Office
University at Buffalo
cende () buffalo edu


*From:* The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Kristen Dietiker
*Sent:* Tuesday, September 1, 2020 9:29 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Cyber Security Awareness Month - Examples of
Online events or Phishing



I've built an online scavenger hunt, modeled after one SANS did several
weeks ago for their awareness summit:
https://sites.google.com/view/ScavengerHuntStart
(Not sure how long their site will be available.)



It uses Google forms and Google sites. Answers to clues on a Google form
are used to create a key that becomes part of the URL of the next level (A
Google site), which has another form with clues to unlock the third level.
(Wrong answers won't generate the correct URL). The SANS version concluded
with "finding the buried treasure" by generating coordinates for Google
maps. I've ditched this part and just created an end page with a "Congrats,
here's a reward" message. Those rewards will likely be cybersecurity & SCU
themed wallpapers or Zoom backgrounds they can download right from the end
page. I also hope to do drawings for small prizes.



I thought most of the SANS questions weren't really suitable for our
faculty and staff and didn't really serve to drive behavioral change. I
really tried to focus on creating clues and answers that addressed the
common problems we see–such as account security. My questions are split
between asking about SCU security resources, and advice that is found on
our website, and security resources around the web. Most questions focus on
using long passwords, password managers, & multi-factor auth, with the
purpose of driving change in these areas. A few questions drive people to
external resources they can use to assess personal security risk.



--

*Kristen Dietiker*
Chief Information Security Officer
Santa Clara University
(408) 554-5554







On Mon, Aug 31, 2020 at 2:28 PM Royse, Rhonda - (rroyse) <
rroyse () arizona edu> wrote:

Good afternoon everyone!

I am prepping for our online Cybersecurity Awareness month, and I recall
a few universities who have administered online phishing quizzes, or games.
Would appreciate any examples or campaigns that you could share!

We are looking at phishing instances or even small videos that can help
explain key concepts to our audiences.

Thank you

Rhonda



*Rhonda Bartz-Royse*
DCIO/IT Security Program/IAM – Manager
Information Security Office
THE UNIVERSITY OF ARIZONA

Computer Center
PO Box 210073 | Tucson, AZ 85721
Office: 520-621-5927 | Cell: 480-209-6465
rroyse () arizona edu

*security.arizona.edu* <https://security.arizona.edu/>
facebook <https://www.facebook.com/UArizonaInfoTech/>
| twitter <https://twitter.com/UaInfotech>
| instagram <https://www.instagram.com/uainfotech/>
| linkedin <https://www.linkedin.com/school/the-university-of-arizona>





**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community
