Fall Back into Cybersecurity: October is Cybersecurity Awareness Month

While having a unique password for every account may seem cumbersome, it doesn't have to be. To create a password that is both strong and memorable, try a passphrase. A passphrase could be your favorite song lyrics, an inside joke, or an uncommon phrase. Passphrases are secure because they are easy to remember but hard to crack. We are fighting against computer algorithms that can guess passwords at a fantastic rate, so the longer the passphrase, the better—this is part of why NetIDs now require a minimum 12-character password. 

While passphrases help make it easier to remember passwords, a password manager combines easy recall with seamless passphrase generation. Many options on the marketplace are available, with some of the most popular being 1Password, Bitwarden, and Dashlane. Apple also released a new password manager that is available on devices running iOS 18 or macOS 15. 

When vetting password managers, be mindful that "free" services often collect and sell your personal data. 

Multi-factor Authentication adds an additional layer of protection by depending not just on something you know (your password/passphrase) but also on something you have (a hardware token, mobile phone app, or biometric authenticator). Northwestern IT took a major step forward in its Multi-factor Authentication (MFA) Enhancement project earlier this year, requiring more secure methods of MFA and Duo’s Verified Push.  

Verified Push provides an additional layer of security against harassment and fatigue attacks by asking users to enter a verification code while approving an authentication request. This change ensures that you cannot accidentally approve login requests—since implementing Verified Push in July, Northwestern has measured a significant decrease in account takeovers. 

While Duo MFA is a standard for systems at Northwestern, MFA is available for most services and applications available today. If you don't have MFA turned on for your bank, personal email, or other services, turn it on. It's a huge leap toward keeping your personal information and services secure. 

Phishing remains one of the top cyberthreats to the Northwestern community. Despite the University's robust email defense system that catches hundreds of millions of malicious emails annually, many can make it to Northwestern inboxes. If you think something smells “phishy,” report it. While many phishing attempts are targeted to collect credentials or other sensitive information, they can also download malware or be a gateway for other threatening or criminal activity.  

Northwestern IT has a few tips and resources to help identify and avoid phishing: 

• Verify the sender. Bring a healthy level of skepticism to any messages that have odd language, urgent calls for action, or request personal information. 
• Never open links directly from emails. Always verify any link's URL address in a separate browser or by using a URL checker tool. Also, consider where the link takes you—it may be a "login page" that is actually a Google Form to collect your password. 
• Report it. If you think a message might be phishing or otherwise suspicious, report it to the Information Security Office—they can investigate and let you know if an email is safe. If you suspect a security incident has occurred, immediately contact your school or department's local technical support staff or the Northwestern IT Service Desk. 
  • Call the Northwestern IT Service Desk at 847-491-4357 (1-HELP). 
  • Email the Northwestern IT Information Security Office at security@northwestern.edu. 
  • Any incidents involving online harassment or physical device theft should be reported to University Police. 
• Find more tips and see examples of phishing at Northwestern. 

You are not imagining it—you are getting prompted more often to update software on your devices. Nearly all technology today—laptops, smartphones, streaming devices, and the applications they use—are pushing out updates at an increasing rate. While these updates can include new user features like expanded emoji packs or built-in generative AI, they often contain fixes to critical vulnerabilities that threat actors can use to compromise your system or data.  

According to the National Vulnerability Database (NVD), more than 28,000 vulnerabilities were identified in 2023. So far, we've already surpassed that number in 2024—more than 29,000 vulnerabilities have been identified, and there are still two months left to the year. 

While it's easy to hit "Remind Me Later" and postpone an update, running the latest software ensures you have the latest security patches and precautions. Outdated technology can increase your target for attack because it can have weaker defense and widely known exploits. So, take the time to update your systems and applications when there is an update available.