October is Cybersecurity Awareness Month!
Cybersecurity Awareness Month is hosted by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCSA). Its overarching theme is to encourage individuals and organizations to “own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity.” In addition to this overarching theme, each week of the month will focus on a different aspect of cybersecurity and will include some recommended action items from ITS to help keep your part of cyberspace as secure as possible!
Today we are focusing on multi-factor authentication (MFA or 2FA): the extra layer of security it provides your accounts, and how it can nullify even a successful phishing attempt.
Using MFA to secure your accounts blocks 99.9% of account hacks.
Data collected by Microsoft and Verizon has shown that 81% of hacking-related breaches used stolen or weak passwords. With MFA enabled, you have up to three layers of protection. These three layers can be summed up as something you know (passwords), something you have (a trusted device), and something you are (biometrics). Even if your password is compromised, the attacker would also need access to the account’s trusted device and to whatever authentication protects that device, such as a PIN or facial recognition. Because of this layering, cyber-criminals who steal a password are much less likely to also have the user’s trusted device.
Where to Begin?
A great place to begin with MFA is reviewing the methods we already use at Penn to secure our accounts. In particular, review which backup methods you have available in the event you get a new phone. Also, be sure you are using the Authenticator as your default method for your LawKey MFA.
What to be aware of?
It is important to be aware of the authentication notifications you are receiving. If you receive an MFA request that you don’t recognize, or one for a service you didn’t attempt to log in to, don’t accept it unless you can be certain that something you’re using is requesting authentication. You can review your PennKey’s trusted browsers and verification history at https://twostep.apps.upenn.edu. Your LawKey’s trusted browsers and authentication history can be found at https://mysignins.microsoft.com.
It is also important to check the other accounts you use and see whether they offer multi-factor authentication as well. Amazon, Google, Facebook, Microsoft, Twitter, LinkedIn, and PayPal are just a few of the places you can enable MFA for your accounts.
With the significant increase in phishing attacks and how interconnected the services we use are, it is important to think of all the avenues through which your personal and professional lives can be attacked by malicious actors. A simple scenario to consider: your personal email gets compromised and is then used as a vector to phish your family, friends, and colleagues by abusing their trust in your account.
As always, if you have any questions or concerns, reach out to us anytime at firstname.lastname@example.org.