Information Security Tips


Networking and information technology allow us to improve our reach and efficiency, but with great power comes great responsibility. Cyber criminals often target large organizations like Stockton with phishing scams and social engineering. 2-Factor Authentication is currently the most powerful defense available against these attacks, and Stockton University is leveraging the Duo Security platform to enable easy and non-intrusive 2-Factor Authentication across secure services such as Banner and E-mail.

 

To begin, download the Duo Mobile App for your smart phone. Although the Duo Security platform has multiple ways to provide a second authentication factor, we recommend using the Duo Mobile app for iOS and Android for the best experience.

  • On your Android device open up the Google Play store and search for "Duo Mobile".  It can also be found here.  
  • Tap "install" to start the application installation.


  • On your Apple device open up the App store and search for "Duo Mobile".  It can also be found here.  
  • Tap "get" to start the application installation.


 

After you've installed the Duo Mobile application on your phone, open a web browser on your computer and navigate to the Stockton goPortal at https://go.Stockton.edu. Log in to your account by clicking on "Login to goStockton Portal".


 

After entering your username and password, you will be prompted by Duo to enroll in 2-Factor Authentication. Click on the “Start Setup” button and choose the setup option “Mobile phone”.

A screenshot showing the initial setup button for Duo Security

 

Next, select the setup option “Mobile phone”.
 A screenshot showing the device selection options for Duo security

 

Enter the phone number of the device you’re enrolling in 2-Factor Authentication, and make sure to check the confirmation box that your phone number is correct.

A screenshot showing the phone number entry dialog for Duo security

 

Select a device type.

A screenshot showing the mobile phone type selection screen for Duo security

Depending on the device you’ll be using to enroll in 2-Factor Authentication, follow either the Android or iPhone instructions below. If you select “Other”, you’ll have the option of receiving either a phone call or a text message passcode to authenticate.

 

Android:

Launch the Duo Mobile app, then tap on the “Add Account” button to open up your camera and scan the QR code on your computer screen.

iPhone:

Launch the Duo Mobile app, accept the license agreement, then tap on the plus icon (+) button at the top-right of your phone screen to open up your camera. Scan the QR code on your computer screen to proceed.

A screenshot showing the QR code used to activate a Duo mobile Android installation

A screenshot showing the QR code used to activate a Duo mobile iPhone installation

 

If your scan was successful, you should see a green check mark appear over the QR code. Click Continue to proceed.

Choose an authentication method to proceed with logging in to your account. You may check the “Remember me for 30 days” box to remain authenticated with Duo for 30 days.

A screenshot showing the select authentication method menu in Duo security

If you use “Send me a Push”, Duo will create a notification on your phone when you attempt to log into a secure service.

A screenshot showing a push notification for Duo Mobile

Tap the green button to approve your login attempt.

A screenshot showing a login request with an approve and deny button in the Duo Mobile app

If you experience any issues enrolling with Duo 2-Factor Authentication, contact the IT Services Help Desk at 609-652-4309.

 

If you do not wish to install the Duo mobile app on your smartphone, there are several alternative options:

  1. Text message (SMS): A text message with a one-time use code is sent to your phone.
     A screenshot of the Duo "text message" option

  2. Voice call: A call will be made to the number on file. Press 1 to accept, press # to report a fraudulent authentication attempt.
     A screenshot of the Duo "voice call" option

  3. Hard token: A small physical device that you carry around. Press the button and it generates a one-time use code.
     A screenshot of the Duo "hard token" option

 

 If you previously enrolled your phone with the Duo app and would prefer to use only the voice/text options, simply uninstall the app from your device and choose the desired option (SMS or voice) next time you’re prompted for a second factor. 

 

If you would like to obtain a hard token or wish to adjust your enrollment method, please contact information.security@stockton.edu via email or by phone (609-652-4779). 

 

Phishing is any attempt to disguise electronic communications with the intent to defraud and acquire information such as usernames, passwords, or credit card details. As computer networks become hardened against online attacks, social engineering has become a more potent vector and an attractive target for criminals. Stockton University takes network security seriously and asks that you notify staff of any phishing attempts you receive.

 

If you have received a message directing you to reply with or otherwise enter personally identifiable information online, please report the message as a phishing attempt (phishing@stockton.edu) or use the Phish Alert button, which reports the phishing solicitation to the Information Security team (this button automatically appears in your Outlook and Office 365 clients).

 

A screenshot depicting the "Mark as Phishing" button in Outlook Web.

A screenshot depicting the "Report Phishing" button in the Outlook client for Windows.

The Phish Alert button will also delete the suspicious email from your mailbox to prevent any future exposure. We all play a critical role in keeping institutional data secure, and to aid in this task, we ask that you take a skeptical approach to any solicitations that seem suspicious. Stockton University's Information Technology Services will never ask you to disclose your password (via email or otherwise).

If you suspect that you’re being targeted, please notify information.security@stockton.edu via email or by calling (609) 652-4779. 

Additionally, if you feel unsure about an email message sent from a member within the Stockton community, please reach out to them or their unit directly for clarification (before clicking on included links or opening suspicious attachments).

While Stockton and our vendors employ strong security measures to safeguard your data, the main line of defense is a secure password – any level of encryption can be bypassed if a password is compromised through subterfuge, sharing, or simplicity.

 

Keep your password secure.

Never tell someone else your password. Stockton University feels so strongly about this aspect of password protection that it is specifically stated in the acceptable use policy in Standard 2.  Additionally, you should never write down your password. Anyone observing your login will see where it is located and can retrieve it for their use -- or misuse -- when you aren’t around. Even if they don’t observe your login, they will look for anything written down and posted in the vicinity of your workstation (e.g., the side of the monitor, bottom of the keyboard, on the keyboard tray).

Avoid password pitfalls

Don’t pick a password that can be found in the dictionary. Our central computers check your password against a system dictionary, but there are many different dictionaries available. A word that is not in our system dictionary just might be in the crackers’ dictionary. This includes foreign language dictionaries as well.

Don’t choose a password that uses personal information that someone could easily find out about you. This includes information such as:

  • Your name, username, or nickname
  • Names or nicknames of friends, relatives, pets, or locations that are special to you
  • Numerical data about you such as birth date, social security number, license plate number, phone number, address, or zip code
  • Technical terms or names of prominent individuals in your field of expertise

Don’t choose a password that others might also choose. You should avoid:

  • Names of famous people such as sports figures, literary characters, mythological figures, biblical figures, actors, or political figures
  • Any commercial brand names
  • Names of cartoon characters or science fiction characters

Choose a good password

A good password is one that is easy to remember but hard to guess. There are several methods you can use. You can use real words as long as you use them wisely. One method is to concatenate two unrelated words. Examples are LAMPFISH or BOATAPPLE. You can create a pseudo-word by alternating consonants with one or two vowels. These words are pronounceable and easy to remember, but hard to guess. Examples are BOUGAMIT or EXOJUK. Finally, you can create a password like you might create a mnemonic device. Take a phrase that you can easily remember and use the first character of each word. If possible, include numbers and non-alphanumeric characters. For example, the phrase “Four score and seven years ago” could translate into the password 4SA7YA.

 To reset your GoStockton Portal password, you can complete the online Self-Service Password Reset form.

Traditionally, resetting a GoStockton Portal password necessitated a call to the IT Services Help Desk. Our new self-service form empowers individuals to reset their GoStockton Portal passwords even outside of normal Help Desk operating hours.

 

If you’ve forgotten your GoStockton Portal password, you can quickly and easily reset it by clicking on the “Forgot your username or password” link on the Portal login page.

 A screenshot of the GoStockton Portal login page, highlighting the "Forgot your username or password" link.

 

On the next page, enter your username, date of birth, and social security number to verify your identity. All transmitted information is encrypted, and any data entered into this form is not retained after the password reset is processed.

 

A screenshot of the GoStockton Portal password reset form. It indicates the three fields to fill in for identity verification - username, date of birth, and social security number.

 

Once your identity has been verified, enter and confirm your new password. Passwords should be between 8 and 32 characters long, contain at least one (1) alphabetic character, and contain at least one (1) numeric character. Passwords are case-sensitive.

 

A screenshot of the GoStockton Portal password reset form. It indicates the two fields "new password" and "confirm password". 

After submitting your new password, you’ll receive a confirmation page. You can now log in to the GoStockton Portal and other web services. New passwords may take up to ten (10) minutes to synchronize to Stockton’s WiFi network. If you require assistance with resetting your GoStockton Portal password or accessing services with your GoStockton credentials, please contact the IT Services Help Desk at 609-652-4309 or stockton.edu/helpdesk.
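
The password rules on this page (8 to 32 characters, at least one letter, at least one digit, no dictionary words, no personal information) can be checked before a candidate is ever typed into the reset form. The following is an added example, not Stockton's own code; the word list, the function name `check_password`, the inclusive length bounds and the sample personal details are assumptions made for illustration.

```python
import re

# Constructed stand-in for a system dictionary (assumption); a real check loads a full word list.
SAMPLE_DICTIONARY = {"lamp", "fish", "boat", "apple", "password", "welcome", "osprey"}
MIN_LEN, MAX_LEN = 8, 32  # limits from the reset form, assumed inclusive


def check_password(password, personal_terms=(), dictionary=SAMPLE_DICTIONARY):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be between 8 and 32 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("needs at least one alphabetic character")
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one numeric character")

    # Dictionary pitfall: drop digits and symbols first, so a single word with
    # a number tacked on ("password1") is still recognised as that word.
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if letters_only in dictionary:
        problems.append("is a single dictionary word")

    # Personal-information pitfall: name, username, birth year and similar.
    lowered = password.lower()
    for term in personal_terms:
        term = term.strip().lower()
        if len(term) >= 3 and term in lowered:
            problems.append(f"contains personal information: {term}")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates; "jsmith" and "1985" are hypothetical personal details.
    for candidate in ["LAMPFISH", "4SA7YA", "password1", "Lamp7Fish", "jsmith1985x"]:
        result = check_password(candidate, personal_terms=["jsmith", "1985"])
        print(f"{candidate:12} {'OK' if not result else '; '.join(result)}")
```

Run against the illustrative passwords above, LAMPFISH is flagged for lacking a digit and 4SA7YA for being shorter than 8 characters, so a password built with either method still needs to be extended to meet the reset form's requirements.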