Welcome to PSS Cybersecurity Awareness Month! Large-scale cyberattacks make the news, but that’s just the tip of the iceberg. Cybercrime is on the rise, and most attacks originate from phishing emails.

Consider the following facts:

  • AtlasVPN reported a surge in retail websites impersonating Amazon on one of the year’s busiest shopping days. In 90 days up to July 12, 2022, 1,633 fake sites were detected, with 897 spoof Amazon sites active on Prime Day.
  • According to IBM, one in five companies that suffered a malicious data breach in 2021 was infiltrated due to lost or stolen credentials, while 17% were breached via a direct phishing attack.

This week's theme is 'Watch Out for Phishing'. We need to always remain vigilant to protect all of Purdue. Here are some actions to stay safe:

  • Avoid clicking links or downloading attachments without verifying the mail's source and the sender very carefully.
  • Check all links and attachments rigorously, and never click or open any that seem suspicious.
  • Analyze any requests for personal or university information.
  • Always be wary of any messages demanding that you take immediate action. Don't react instinctively, and always verify the request's authenticity.
  • Be very cautious of any unexpected messages, especially if the content seems suspicious or too good to be true, as they usually are. 

In the time it took you to read this document, there were multiple cyberattacks across the globe. Make sure you stop, look, and think before you take any sort of action.

Lastly, we would like to leave you with some additional mobile device activities that will allow you to continue to build your wealth of information pertaining to Cybersecurity: 

To learn more about the Cybersecurity Awareness Program, visit https://www.purdue.edu/securepurdue/Cybersecurity/index.php or email Nolyn Johnson at cyberaware@purdue.edu.

https://www.purdue.edu/policies/information-technology/s13.html 

The most significant changes are additional requirements to sections on Authentication, General Security Controls and Remote Access Controls. Additionally, Endpoint Protection Software.

The following is a summary of added requirements:  

  • Privileged Access to Purdue IT Resources must utilize Multi-factor Authentication method(s) approved by the CIO. 
  • University servers, end user computers (e.g., laptops and desktops) and other applicable Devices (e.g., virtual machines), unless exempted by the CISO, must have appropriate working Endpoint Protection Software installed prior to any new or continued connection to University IT Resources. 
  • Mass storage systems, unless exempted by the CIO or CISO, must be periodically backed up in a way that creates indelible copies with verified integrity. 
  • Networked systems, unless exempted by the CIO or CISO, must send appropriate logs (as defined in IT Resource Logging (S-11) standard) to the central university logging service/aggregator. 
  • Remote Access to Purdue IT Resources must use one of the following: 
  1. An encrypted virtual private network (VPN) approved by the CIO or CISO, or 
  2. Another encrypted connection approved by the CIO or CISO. 
A plan must be in place by December 31, 2022, and compliance is required by June 30, 2023. However, the endpoint protection requirements are effective immediately and should be addressed as soon as possible. 
Systems or accounts that are not in compliance will need mitigating controls in place. A security policy exception will be needed for these cases. The security exception process can be found at the following: Security Policy/Procedures Exceptions - Secure Purdue - Purdue University 

Information about the security policy exception process can be found at the following: Security Policy/Procedures Exceptions - Secure Purdue - Purdue University 

After all feasible options to comply have been exhausted. Questions about compliance options can be sent to itpolicyreq@purdue.edu. 

The current approved methods are Duo (BoilerKey) and Microsoft multi-factor authentication. The following are links to more information about these methods: 

Microsoft MFA: Microsoft multi-factor authentication | Purdue University 

BoilerKey: BoilerKey: Two-Factor Authentication | Purdue University 

New questions and answers may be added to this FAQ over time. 

This FAQ was published November 1st, 2022. It has not been changed since that date. 
Please send questions to itpolicyreq@purdue.edu. Include the policy or standard reference (in this case, “S-13”) in the subject line. Questions received will be answered and used to improve content in the FAQ.