Information Services > Security > Security Training > Top Ten Security Tips

Top Ten Security Tips

​These security recommendations are general guidelines that you should apply to all of your computing practices, whether at home, at school or at work.


Here are three easy ways to build a secure, easy to remember passphrase:

1. Make a passphrase by using a short phrase and:

    • Changing the capitalization of some of letters
    • Replacing some letters with numerical and symbolic substitutions ($ instead of S, 8 instead of B)
    • Misspell or abbreviate certain words

(E.g., the phrase “iced tea is best for summer” becomes “!cedTisB3st4$umm3R”.)

2. Choose multiple shorter words and add some numbers in the middle, then switch the capitalization and substitute symbols for letters. (E.g., the phrase “book 825 Westbury” becomes “bO()K825We$tbury”.)

3. Choose a memorable saying or phrase and use only the first letter from each word (or a portion or all of some words with symbols and numbers). Switch the capitalization. Also include numbers and symbols, either as substitutions for letters or as a replacement for a full word.

(E.g., Wayne Gretzky’s “You will always miss 100 percent of the shots that you never take” becomes “ywAM1$$100%ot$tyN+”.)

Whenever possible (on all of your accounts), use two-step or multi-factor authentication (MFA)

When you sign into your online accounts - a process we call "authentication" - you're proving to the service that you are who you say you are. Traditionally that's been done with a username and a password. Unfortunately, that's not a very good way to do it. Usernames are often easy to discover; sometimes they're just your email address. Since passwords can be hard to remember, people tend to pick simple ones, or use the same password at many different sites.

That's why almost all online services - banks, social media, shopping and yes, DePaul University too - have added a way for your accounts to be more secure. You may hear it called "two-step verification", "multi-factor authentication", 2FA, or MFA but the good ones all operate off the same principle. When you sign into the account for the first time on a new device or app (like a web browser) you need more than just the username and password. You need a second thing - what we call a second "factor" - to prove who you are.

Learn more about DePaul's BlueKey MFA

What is BlueKey multi-factor authentication (MFA)?

Multi-factor authentication adds another layer of authentication in addition to your password. For most DePaul students, faculty, and staff you can set up MFA through the Microsoft Authenticator app on your mobile phone.

How do I set up BlueKey MFA?

  1. Navigate on your laptop or desktop web browser to https://bluekey.depaul.edu/multifactor
  2. Login using BlueKey login credentials (username@depaul.edu and password). Follow the steps in the web browser.
  3. Download the Microsoft Authenticator app.

Important Note: Once you have set up MFA, go to the “Security Info” tab on the BlueKey multi-factor site (https://bluekey.depaul.edu/multifactor) on your computer. For best results, please have your “default sign-in method” set to “Microsoft Authenticator - notification”. If you don’t have a mobile phone or the ability to download apps, it is recommended to set your default sign-in method to “Phone – call”.

Helpful Links

My BlueKey account: https://bluekey.depaul.edu/myaccount

  • On this page you can: Change password, review settings, view sign-ins and devices, etc.

Check BlueKey multi-factor authentication settings: https://bluekey.depaul.edu/multifactor

  • On this page you can: Add or remove sign-in methods. Change default sign-in method. Sign out of all devices (in case of lost device).

Having trouble registering for BlueKey MFA? Contact the Help Desk directly at helpdesk@depaul.edu or (312) 362-8765.

 

Watch out for phishing attempts!

Scammers use email or text messages to trick you into giving them your personal and financial information. But there are several ways to protect yourself. (Content below from ftc.gov)

How To Recognize Phishing

Scammers use email or text messages to try to steal your passwords, account numbers, or Social Security numbers. If they get that information, they could get access to your email, bank, or other accounts. Or they could sell your information to other scammers. Scammers launch thousands of phishing attacks like these every day — and they’re often successful.

Scammers often update their tactics to keep up with the latest news or trends, but here are some common tactics used in phishing emails or text messages:

Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment. You might get an unexpected email or text message that looks like it’s from a company you know or trust, like a bank or a credit card or utility company. Or maybe it’s from an online payment website or app. The message could be from a scammer, who might

  • say they’ve noticed some suspicious activity or log-in attempts — they haven’t
  • claim there’s a problem with your account or your payment information — there isn’t
  • say you need to confirm some personal or financial information — you don’t
  • include an invoice you don’t recognize — it’s fake
  • want you to click on a link to make a payment — but the link has malware
  • say you’re eligible to register for a government refund — it’s a scam
  • offer a coupon for free stuff — it’s not real

Here’s a real-world example of a phishing email:

Netflix phishing scam screenshot

Imagine you saw this in your inbox. At first glance, this email looks real, but it’s not. Scammers who send emails like this one are hoping you won’t notice it’s a fake.

Here are signs that this email is a scam, even though it looks like it comes from a company you know — and even uses the company’s logo in the header:

  • The email has a generic greeting.
  • The email says your account is on hold because of a billing problem.
  • The email invites you to click on a link to update your payment details.

While real companies might communicate with you by email, legitimate companies won’t email or text with a link to update your payment information. Phishing emails can often have real consequences for people who give scammers their information, including identity theft. And they might harm the reputation of the companies they’re spoofing.

How To Protect Yourself From Phishing Attacks

Your email spam filters might keep many phishing emails out of your inbox. But scammers are always trying to outsmart spam filters, so extra layers of protection can help. Here are four ways to protect yourself from phishing attacks.

Four Ways To Protect Yourself From Phishing

1. Protect your computer by using security software. Set the software to update automatically so it will deal with any new security threats.

2. Protect your cell phone by setting software to update automatically. These updates could give you critical protection against security threats.

3. Protect your accounts by using multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in to your account. This is called multi-factor authentication. The extra credentials you need to log in to your account fall into three categories:

  • something you know — like a passcode, a PIN, or the answer to a security question.
  • something you have — like a one-time verification passcode you get by text, email, or from an authenticator app; or a security key
  • something you are — like a scan of your fingerprint, your retina, or your face

Multi-factor authentication makes it harder for scammers to log in to your accounts if they do get your username and password.

4. Protect your data by backing it up. Back up the data on your computer to an external hard drive or in the cloud. Back up the data on your phone, too.

What To Do if You Suspect a Phishing Attack

If you get an email or a text message that asks you to click on a link or open an attachment, answer this question: 

Do I have an account with the company or know the person who contacted me?

If the answer is “No,” it could be a phishing scam. Go back and review the advice in How to recognize phishing and look for signs of a phishing scam. If you see them, report the message to security@depaul.edu and then delete it.

If the answer is “Yes,” contact the company using a phone number or website you know is real — not the information in the email. Attachments and links might install harmful malware.

What To Do if You Responded to a Phishing Email

If you think a scammer has your information, like your Social Security, credit card, or bank account number, report it to security@depaul.edu and go to IdentityTheft.gov. There you’ll see the specific steps to take based on the information that you lost.

If you think you clicked on a link or opened an attachment that downloaded harmful software, update your computer’s security software. Then run a scan and remove anything it identifies as a problem.

How To Report Phishing to the DePaul and the FTC

If you got a phishing email or text message, report it. The information you give helps fight scammers.

More info for DePaul Students, Faculty, and Staff

Members of the university community may have seen targeted phishing emails that may look legitimate, asking specifically for your BlueKey login creadentials (email or username, and password). These fraudulent emails purport to originate from official university communications (perhaps a recognized, department, school, or office at DePaul). Most of these phishing attempts will ask you to ‘immediately update’ your personal information or face serious consequences. Don’t be fooled! These emails do not come from DePaul. They are fraudulent messages attempting to compromise your personal information.

DePaul's Information Services department will abolutely never ask for your login credentials, password, or other sensitive information from an email or link.

Note: Information Services uses sophisticated email filtering software called Microsoft Safe Links and Safe Attachments to automatically identify and block SPAM, phishing, malware, and other harmful links and files. To help reduce risks, the Safe Links and Safe Attachments may take action including blocking or removing certain questionable types of emails.

Please remember that Safe Links and Safe Attachments software is not foolproof and some unwanted messages may get through on occasion. It is very important that you watch the phishing video in this section and learn to identify phishing scams, take the appropriate steps to protect your computer and your information, and report messages to security@depaul.edu.


 

Don't enter any sensitive information on a public computer or open WiFi

Using public computers or open WiFi networks (WiFi that doesn't require proper authentication) will always carry the risk of exposing your personal data. If you're using a computer at a place like a lab or the library, don't enter any login credentials or sensitive information.

Never input this information into a public computer or on your computer over public WiFi:

  • Login credentials including passwords
  • Personal information
  • Financial information
  • Any sensitive information or data that you wouldn't want a hacker to have

 

Protect your computer with anti-virus and anti-malware software

Install anti-virus software on your computer and set automatic updates at least once per day.  Do not connect to the Internet without first activating an anti-virus program.  If you purchased an anti-virus system for your home computer, do not let your subscription lapse. Keeping your devices secure and free from malware is critical.

 

Perform Regular Updates and Patches on all Devices and Apps

Set up your computer and mobile devices to use “Automatic Updates.”  By enabling this feature, your devices will regularly check for any updates. Technology companies that make computers, mobile devices, operating systems, and apps are constantly updating software to respond to flaws and vulnerabilities, and defend your device against the most recent hacking threats. It is vital that you automatically update or regularly update all devices, software, and apps. It is much easier for viruses and hackers to get into your computer or mobile device if you aren't keeping up with the latest updates and patches.

Always remember to update:

  • Computer operating systems
  • Mobile device operating systems
  • Software
  • Apps

View steps to update:

Back-up your data on a consistent basis (once a week).  For easy back-ups, keep all document files in a central location. It is highly recommended to use cloud storage for backing up files, documents, photos, and more. Cloud storage can typically be accessed on a variety of digital devices and web browsers for convenient saving, uploading, and organizing.

All current DePaul students, faculty, and staff have access to OneDrive cloud storage

(Video from microsoft.com)

 

OneDrive at DePaul

View more details about accessing and using OneDrive at DePaul

Access files on your computer, mobile app, or web browser. You access, edit, and share your files on all your devices, wherever you are. You can also stay connected, share your documents and photos with friends and family, and collaborate in real time with Microsoft 365 apps. Access OneDrive by using your BlueKey login credentials (username@depaul.edu and password).

OneDrive on a DePaul-issued, Windows-based computer:

  • DePaul employees already have OneDrive on their work computers if they have Windows 10 or higher
  • View these instructions to get started with OneDrive
  • Save all files to your OneDrive folder in order to sync them to OneDrive cloud storage. Manage files in OneDrive from your desktop. Simply navigate to the OneDrive folder on your computer's files

OneDrive in a web browser:

OneDrive on a Mac or Windows computer that doesn't have OneDrive preinstalled:

DePaul students, faculty, and staff also have the option to download OneDrive for either a Windows computer or Mac.

OneDrive on Android or Apple mobile devices:

Always be aware of the licensing requirements of any software you would like to use. Although it may be tempting to download and start using a software application that you can get free on the Internet, these tools may carry a hidden cost. Installing these programs may often cause other programs to stop working and may contain hidden viruses, adware, or bloatware. When using software, visit this page of approved DePaul-licensed or DePaul-approved applications.

What is authorized software?

Authorized software is one that you have properly acquired or been granted a license for use.

Software for DePaul employees

For employees with DePaul computers, most free or personal licenses do not apply, as DePaul University typically falls under the enterprise or business category. DePaul employees need to purchase a license or ensure the license is approved for the use intended at our institution. Open-source software may be free to use on DePaul computers, but it is still subject to the acceptable use policy

Students and personal computers

Students using personal computers generally have more authorization to use open-source software and products with a personal license. Pirated software or the use of software cracks is obviously a violation of license and Institutional policy. Students should also review the acceptable use policy when considering software usage.

No matter how many passwords you have activated, authentication methods you are using, or security procedures you may have in place, none of these matter if you leave your computer or mobile device alone with the screen unlocked and open. Make sure to always lock the screen of any digital device whenever you are not using it. There's no easier way to crack into a computer or phone then to grab it while the home or main screen is completely unlocked. The thief essentially gets the keys to the car, and they can drive away with all of the information stored on that digital device. 

1. Always lock your screens and make sure to use strong verification methods to unlock them.

2. If you're using a code number to unlock your screen, make sure it's difficult to guess (not 111111).

3. Be very aware when entering your code around others. Never let anyone see you entering your passcode or other verification method.

This one may be tough to do, but it is highly recommended that you avoid storing any sensitive data, including personal/financial/login information on your mobile device. Mobile devices can be stolen. If the thief can open your phone, they will have access to all of the sensitive data on that phone. This is one of the easiest ways to compromise sensitive data. If your phone were stolen, what would the thief be able to access? Try to store as little personal information as you can on a mobile device.

Only banks, your employer, and the government can legally require your SSN. Certain scams, known as “phishing,” attempt to get this information from you by sending a seemingly legitimate message from a bank or other institution that asks for sensitive information “for verification purposes.” Do not give out personal information over the phone, through the mail or over the Internet, unless you have initiated the contact or you are sure you know with whom you are dealing.

 

Act quickly. Freeze credit. Add a fraud alert. Contact various institutions.

Contact the Banks, Organizations, or Institutions Connected to the Identity Theft

If you believe your identity has been stolen, resulting in abuse of your bank accounts or lines of credit, you should freeze the account in question, as well as change the account login information. Contact the organization that services the account and let them know your information has been stolen. Often, those in the organization are the ones who can initiate the freeze on your account. They may also provide you with a list of what steps you should take next.

Credit Freeze and Fraud Alert

Next, you should request free credit reports from all three major credit bureaus, Equifax, Experian, and TransUnion. Check the reports carefully, and report any incorrect, suspicious, or fraudulent activity.  You can request your free credit report from annualcreditreport.com.  Beware of imposter websites!  You are entitled to a free credit report from each of the main credit reporting agencies once every 12 months.  You can request all three at once or spread them out throughout the year.   In certain circumstances such as identity theft, you may be entitled to additional free reports.

The next and most important step will help prevent the attacker from taking out additional credit in your name, such as new credit cards or cellular accounts.  Contact one of the credit bureaus to place a free fraud alert on your account.  With a fraud alert on your account, any prospective lenders will be warned that you are a victim of identity theft.  Most businesses will then take extra steps to verify your identity before issuing a new line credit.

Additionally, you have the option of contacting each of the credit bureaus to place a freeze on your credit reports.  A security freeze is even more restrictive than an alert, as it will block most lenders from seeing your credit history.  If you choose this option, in the future when you want to allow companies that you do want to do business with access to your credit report, you will have to request that the freeze be lifted for a period of time.

Report the Identity Theft to the FTC

Finally, you should report the identity theft to the Federal Trade Commission - or FTC - as well as the local police department. You can use these reports to remove bogus charges from your accounts, correct your credit reports, clear criminal charges, or replace your social security card or government-issued IDs. For more information and steps you can take, visit identitytheft.gov.

  • Make sure to go through the Cyber Security Videos to learn about topics like: strong passwords, safe browsing, protecting personal devices, responding to identity theft, and more.
  • Use strong and unique passwords or passphrases. Long passphrases that are difficult to guess are preferable.
  • Consider using a password manager to securely store all of your passwords.
  • Always use two-factor or multi-factor authentication whenever the option is available.
  • Try to avoid using open WiFi networks. If you need to use one, don't input any passwords, personal information, financial information, or any data that needs to remain secure. It can be easy for hackers to steal your personal information over unsecure WiFi networks.
  • When using shared computers (such as a computer lab) avoid inputting sensitive data, passwords, or any data that needs to remain secure. It can be easy for hackers to steal your personal information from shared computers.
  • Make sure to regularly update all operating systems, web browsers, and apps. Updates and patches respond to the most recent security threats. It's critical to keep all of your computers, devices, and applications up-to-date.
  • Always sign out or lock any computer or mobile device whenever you leave the device, even if it's just for a brief period of time.
  • Only click on links and attachments in email if you are 100% sure that the link or attachment is legitimate. Unsure? Reach out to the original sender independently to verify authenticity. If it's a message from a source like your bank, go to a known web url of the bank to verify the communication.