October 31, 2017
It's National Cybersecurity Awareness Month. How safe are you?
Cybersecurity Awareness Month
By Jessica Corry
In the wake of a staggering number of recent data breaches and ransomware attacks – Equifax, WannaCry, Petya – awareness of safe cybersecurity practices is more important than ever. As National Cybersecurity Awareness Month draws to a close, the Information Networking Institute’s (INI) faculty, students and alumni share their top piece of advice for online safety and privacy.
“The starting point for a safer, more secure cyberspace is strengthening the cyber workforce,” said Dena Haritos Tsamitis, director of the INI. “Carnegie Mellon University (CMU) has been a leader in closing the skills gap and training the next generation of cyber analysts, developers and engineers.”
The INI invested in hiring cybersecurity faculty within the College of Engineering prior to 9/11 and later contributed to the launch of CyLab in 2003. Today, the INI offers three information security graduate degree programs in Pittsburgh, Silicon Valley and Japan.
“We have all seen the impact on losses of personal data, time and money due to cybersecurity incidents,” said Yen-Ming Chen, a 1999 INI alumnus and principal security architect at Microsoft. “The goal for this month is to help everyone establish good habits – similar to how parents teach their kids personal hygiene habits – while online to help prevent and minimize potential risk/losses.”
- Use a password manager.
- Opt for two-factor authentication.
- Think before you click.
- Avoid public wi-fi if at all possible.
- Be aware of what you share.
- Monitor your credit after the Equifax breach.
Remembering all your passwords can be challenging, but do not let that discourage you from using different passwords for all of your accounts.
“Let a password manager remember for you instead of writing them down!” said Karen Miller, Master of Science in Information Security (MSIS) student.
Password managers generate unique, long and random passwords for each of your online accounts. The app stores each password and fills it into your browser whenever you need it.
“Make sure to pick a manager from a company you can trust. After all, you are entrusting them with authorization to your entire online life,” added Professor Bill Nace, associate teaching professor for INI and electrical and computer engineering. “Don’t roll your own. These companies have thought out lots of the details like securing your password database and ensuring copies aren't left in memory when you access them.”
He recommends 1Password, LastPass and Dashlane.
Most sites and services support two-factor authentication. Always look for this option in your account settings! After enabling it, you'll be required to enter a code, sent to your phone or generated by an app, when you log in.
“This makes it exponentially harder for an attacker to hijack your account, even if a company loses your password hash in a data breach,” said Tiemoko Ballo, MSIS student.
Phishing attacks are among the most common cyberattacks, in part because humans are the weakest link in cybersecurity.
“Next time you get that email about cat videos or something ‘urgent’ that requires you to click on a link, don't click blindly! Instead, be paranoid, and analyze whether the email is genuine before clicking,” said MSIS student Sahil Uppal.
When it comes to banking and other important online accounts, Professor Martin Carlisle recommends using a bookmark or typing out the URL rather than clicking on links in an email. Professor Carlisle, academic advisor for the MSIS program, also says you should never open an email attachment you were not expecting to receive.
“If you have the slightest doubt that an email is a phishing email, it's best to delete/mark it as spam,” said Vidya Gopalakrishnan, MSIS student. “Throw it out, when in doubt!”
If you do click on a link or download an attachment only to realize that it is malicious later, do not stay silent. Contact the responsible authorities, who will be able to plug the security gap in time. At Carnegie Mellon, computer users can report suspicious emails to the Information Security Office (ISO).
According to alumnus Yen-Ming Chen, public wi-fi is the easiest way for your device to be compromised, resulting in personal data disclosure or communication monitoring.
“If you can't avoid using public wi-fi, at least use a Virtual Private Network (VPN) service or other method to better protect your device and data,” said Chen.
Get in the habit of reading the latest news about the products and apps you use, like Facebook, Microsoft Office, Uber and Amazon. “Before signing up for a service or making a purchase, perform a rough background check about the company and read reviews from existing customers,” said Vibha Venugopal, a bicoastal information security (MSIT-IS) student.
“It is human to be aware of things around you. In cyberspace, the challenge is tougher, but at the same time more critical than ever before,” she added.
Devika Yeragudipati, a 2012 alumna and senior security architect at Bloomberg, agrees, especially when it comes to apps. “Examine the app you are downloading, verify it's from a legitimate source and be vigilant about the security permissions the app asks of you,” she said.
“Equifax is a hard breach for the average person since you didn't choose for them to have your data!” said Professor Carlisle.
Make sure to watch your credit; you can get free credit reports once per year from https://www.annualcreditreport.com/ for each credit reporting agency. If you space these out, you can get a free report every four months. Moving forward, read your account statements thoroughly and report suspicious charges quickly.
Dedicating a month to the cause of raising cybersecurity awareness is a huge step forward. These best practices will help you safeguard from the risks that have emerged in our increasingly connected society. Put simply, “when online, always be cautious; better safe than sorry,” said Haris Kampouris, 2006 INI alumnus and senior product manager at Wandera.
About Our Security Students
Internship: Palo Alto Networks, Information Security Team
Outside the Classroom: Research assistant with the CyLab Usable Privacy and Security lab. Involved in a project regarding user perceptions of mechanisms like two-factor authentication.
“Given that we live in an increasingly connected world, the breadth at which we get attacked/hacked also correspondingly increases. What drew me to security is the field's breadth of applications; starting from the obvious laptop/mobile phones to the most unassuming of devices like lightbulbs or even cars and door locks, cybersecurity is everywhere.”
Internship: Software Engineering Institute, CERT Division
“I was drawn to cybersecurity because I believe it is a very honorable profession. Security provides people assurance, and assurance relieves stress on people so they can focus on other tasks. Using my experiences, I hope to protect individuals and corporations, giving them the assurance to be able to perform their own duties using technology without the fear of incident.”
Internship: Department of Homeland Security
“A career in cybersecurity is not one that you can forget about the second you get home, because in the time it took you to drive from work to your house, an application you use may have been exploited or a critical organization hacked. I see cybersecurity as a puzzle that's constantly changing, a never-ending battle against people with bad intentions, and my motivation to solve the puzzles and fight the bad is what drew me in.”
Internship: Sandia National Labs, Security R&D
Independent Study: MITRE Embedded Capture the Flag
“Like most engineers, I've always been interested in how things work. I was initially drawn to cybersecurity because it's a field that requires technical expertise at every layer of the stack; you can't exploit or protect something you don't understand. As a Scholarship for Service (SFS) student, I'm motivated by the opportunity to improve our nation's security posture. There are novel challenges in cybersecurity regardless of your industry, but there's a sense of purpose in the public sector that really gives the work context.”
Internship: Carnegie Mellon CyLab, Research Intern
“Innovation is a never-ending cycle, and at every phase we have the challenge to protect the good and eliminate the bad! The fact that there is someone out there who holds the capacity to steal my password and hack into my computer to ruin my privacy made me curious about security and eager to dig into possible defensive and offensive techniques to overcome the issue.”
About INI Security Programs
The INI’s programs provide a rigorous technical curriculum while incorporating business and policy perspectives, preparing graduates to pioneer solutions, advance technologies and protect our nation’s critical information infrastructure.
Pittsburgh MSIS: The MSIS program offers a technical focus in security and computer systems, further developed through research opportunities. Graduates may pursue doctoral degrees or obtain positions as security experts equipped to manage the emerging complexities associated with securing data, networks and systems. The MSIS program meets the criteria for the CyberCorps® Scholarship for Service (SFS) program.
Pittsburgh-Silicon Valley MSIT-Information Security: The bicoastal MSIT-IS program prepares students to become industry leaders in information security by blending education in information security technology with other topics essential for the effective development and management of secure information systems.
Kobe MSIT-IS: Dual-degree program offered in partnership with the University of Hyogo in Kobe, Japan.