Web

Using LinkedIn’s New Two-Factor Authentication

The growing trend in sites adding two-factor authentication to their log in process has many feeling more secure in their social media and other online interactions.

With passwords being easy to compromise with phishing attacks, many users have been hoping for something more secure.  Two-factor authentication gives a double protection on your account, requiring you to know something (your password), and have something in your possession (a token).  The token can be any number of devices, cards or other physical items, often generating unique codes as proof you have the object.  Think of ATMs.  You need to have the ATM card (the token) and know your PIN in order to access your account and do any transactions at the ATM.  One without the other and you can’t get in.

LinkedIn is using a single-use code sent via SMS to whatever mobile number is listed on the account.  Your mobile device serves as your token.  This code is entered into the site after you enter your password to complete the two-factor authentication.  The idea behind this is if your password happens to be cracked or phished, as long as you don’t lose or compromise your phone, you are still safe from attackers logging into your account (though you should change your passwords and do a virus scan to be safe if your password gets compromised!).  

Want to enable this security feature for your own LinkedIn account? LinkedIn provides some instructions here:  http://www.slideshare.net/linkedin/two-step-verification-on-linked-in.  

Many other sites have similar security features so check out your account settings and give yourself an extra layer of protection.

SECURITY NOTES:

As with any security chain, there are ways this could possibly be compromised.  The easy way is if an attacker knows your password and stole your phone.  A more sophisticated way is if you get phished for both your password and the code just sent to you, and the attacker users both before the code expires.  How likely could these happen?  Well that’s up to your security prowess.  Read more on our website about creating secure passwords (https://www.rit.edu/security/content/password), avoiding phishing attempts (https://www.rit.edu/security/content/phishing) and best practices when it comes to mobile device security (https://www.rit.edu/security/content/mobile-devices). 

Requirements for Faculty/Staff

Faculty and Staff

Information Handling Quick Links

Link Overview
Digital Self Defense 103 - Information Handling Covers important security issues at RIT and best practices for handling information safely.
Disposal Recommendations How to safely dispose of various types of media to ensure RIT Confidential information is destroyed.
Recommended and Acceptable Portable Media List of recommended and acceptable portable media devices (such as USB keys, CDs, DVDs, and flash memory).
Mobile Device Usage Recommendations Recommendations for mobile device usage at RIT
VPN Recommended for wireless access to RIT Confidential information.
E-mail at RIT Improve the security of your e-mail at RIT.

Safe Practices

  • Visit our Keeping Safe section to find security resources and safe practices and to see our schedule of upcoming workshops.

Questions

If you have questions or feedback about specific information security requirements, please contact us.

Forms, Checklists, and Templates

Forms, Checklists, and Templates

Many forms and checklists below are provided as Adobe PDF Fill-in forms and can be filled in and printed from Acrobat Reader. 

NOTE: these forms may contain Javascript. If you need a different format, please contact the RIT Information Security Office at Infosec@rit.edu or call 585-475-4123.

Form Name

Use

Exception Request Form

To request an exception from an RIT Security Standard (PDF Fill-In form)

Non Disclosure Agreement (NDA)

Optional NDA used at department discretion

RIT Systems Support Personnel Non Disclosure Agreement

Required for all systems support personnel

 

Checklist Name

Use

Desktop and Portable Computer Checklist General User

Compliance checklist for use by self-supported faculty, staff, and students.

Desktop and Portable Computer Checklist ITS-Supported Users Compliance checklist for use by ITS-supported faculty, staff, and students. (1/23/13)

Desktop and Portable Computer Checklist Systems Support

Systems support personnel compliance checklist for computers they support.

Server Security Checklist

Compliance checklist for use with the Server Security Standard

Network Security Checklist

Compliance checklist for use with the Network Security Standard

Web Standard Compliance Checklist

Compliance checklist for use with the Web Security Standard

 

Template Name

Use

MSWord RIT Confidential Template

For general marking of Confidential Information

MSWord RIT Internal Use Only Template

For general marking of Internal Information

Information Access and Protection Inventory Template (MS Excel)

For department use in creating an information inventory for Information Access and Protection.

 

Online Safety

Online Safety

Everyone connected to the Internet is a potential target. Use of anti-virus, anti-spyware, and firewall software is critical in protecting your computer online; however, simply protecting your computer is not enough. 

Web Browsers

Cyber criminals often target vulnerabilities in web browsers. Because Internet Explorer is the web browser used by most people, it has become a primary target. Using a different browser can reduce your risk while on the web. The table below lists alternative browsers:






Browser

Operating System

License

Firefox

Mac, Windows, Linux

Free (open source)

Chrome

Mac, Windows, Linux

Free

Opera

Mac, Windows, Linux

Free

Safari

Mac OS X

Free

Configure Settings

Changing the default security settings can help protect you while browsing.  Learn more here.

Update Regularly

It is important to keep your browser up-to-date on security patches. This can typically be done from within the browser, or directly from the vendor’s website. Check for updates at least monthly.

Note: If you use Internet Explorer with RIT Oracle Applications, you may not be able to use the newest versions of Internet Explorer are not certified for compatibility with Oracle at this time.

Use Limited Account Privileges

Learn more here.

Be Smart With What you Do Online

View our pages on Social Networking and Online Banking/Shopping.  Also look for posts on our blog about identity theft, online banking, and scams. 

Security Assessment Tools

Security Assessment Tools

The following tools should be used in combination to conduct security assessments.













Tool

Description

Rapid 7 Nexpose (RIT Enterprise Licensed by ISO)

Unified vulnerability management enterprise solution

Nessus

Network Vulnerability Scanner

CIS Score

Security Consensus Operational Readiness Evaluation provides various security checklists.

Secunia Vulnerability Scanners

Secunia Software Inspectors provide detection and assessment of missing security patches and end-of-life programs.

Microsoft Baseline Security Analyzer (MBSA)

MBSA helps determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance.

Nipper

Nipper enables network administrators, security professionals and auditors to quickly produce reports on key network infrastructure devices.

Scrawlr

HP SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities.

Core Impact

Penetration testing software

Qualys

Provides a suite of tools for:

  • Vulnerability Management
  • Policy Compliance
  • PCI Compliance
  • Web Application Scanning

NMAP

Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing.

BidiBlah

The BiDiBLAH utility is a framework that can be used to assist in automating existing vulnerability assessment tools

 

Pages

Subscribe to RSS - Web