Security Tips & Documentation

⚡ Quick Daily Tips

• Enable MFA on all school accounts — email, LMS, VPN.
• Use a password manager (Bitwarden, KeePass) and unique passwords per service.
• Verify sender domains before clicking any link.
• Be wary of urgent or threatening language in emails.
• Prefer PDF over executable attachments; when in doubt, ask IT.
• Keep devices patched and auto-update enabled.
• Report suspicious emails to IT — don't forward them.
• Lock your screen when leaving your workstation, even briefly.
• Avoid using public Wi-Fi for accessing school systems without a VPN.
• Never share your credentials with classmates, even "temporarily."

🎣 Phishing — In Depth

Phishing is the #1 attack vector in educational institutions. Attackers impersonate IT staff, professors, or university portals to steal credentials or deliver malware.

Common Types

• Spear Phishing — Targeted emails using your name, course, or professor's identity.
• Smishing — Phishing via SMS: "Your exam result is ready, click here."
• Vishing — Phone calls impersonating IT support asking for your password.
• Clone Phishing — A copy of a real email with a malicious link replacing the legitimate one.

How to Defend

• Always check the full sender email address, not just the display name.
• Hover over links before clicking — the real URL shows in the status bar.
• If an email feels urgent, call the sender directly to verify.
• Enable browser warnings for dangerous sites.
• Use email filters and report phishing to your mail provider.

🔑 Password Security — In Depth

Weak or reused passwords are exploited via credential stuffing, brute force, and database breaches. A single compromised password can cascade across all your accounts.

Password Rules

• Minimum 12 characters — aim for 16+.
• Mix uppercase, lowercase, digits, and symbols (!@#$%^&*).
• Never use names, birthdays, university names, or dictionary words.
• Never reuse passwords across different services.
• Change passwords immediately if a breach is suspected.

Attack Types Targeting Passwords

• Brute Force — Trying all possible combinations. Mitigated by length and complexity.
• Dictionary Attack — Using lists of common passwords. Avoid real words.
• Credential Stuffing — Using leaked passwords from other breaches. Use unique passwords.
• Keylogging — Malware records keystrokes. Use MFA and keep devices clean.

🔒 Ransomware — In Depth

Ransomware encrypts your files and demands payment. Universities are prime targets because they hold valuable research data, student records, and often have under-resourced IT security.

How It Spreads

• Malicious email attachments (.exe, .bat, .js, .zip containing scripts).
• Drive-by downloads from compromised websites.
• Exploiting unpatched software vulnerabilities.
• Via infected USB drives left in public areas (baiting).

Prevention

• Back up files regularly to an offline or cloud location not connected to your main system.
• Never open unexpected attachments, even from known senders.
• Keep OS and software fully patched.
• Use endpoint protection / antivirus with real-time scanning.
• If infected — isolate the device immediately, do NOT pay the ransom, contact IT.

🎭 Social Engineering — In Depth

Social engineering manipulates people rather than systems. It exploits trust, urgency, authority, and fear — no technical skill required from the attacker.

• Pretexting — Attacker creates a fake scenario ("I'm from IT, we need your login to fix an issue").
• Baiting — Leaving infected USB drives where students will find and plug them in.
• Tailgating — Following someone through a secured door by pretending to be staff.
• Quid Pro Quo — Offering something (e.g., free software) in exchange for credentials.
• Verify every unexpected request for credentials or access — regardless of who asks.
• IT staff will NEVER ask for your password. If they do, refuse and report.

📋 Real-World Cases in Education

• University of California (2020) — Paid $1.14M ransom after NetWalker ransomware encrypted COVID-19 research data.
• Lincoln College (2022) — Closed permanently after a ransomware attack crippled enrollment and fundraising systems.
• Clark County School District (2020) — Student and staff data leaked after refusing to pay ransom.
• Blackbaud (2020) — Cloud provider breach exposed donor data from hundreds of universities worldwide.
• These cases show that education is a top target — awareness and preparation are the best defenses.

🚨 What To Do If You're Attacked

• Step 1: Disconnect from the network immediately (unplug cable / disable Wi-Fi).
• Step 2: Do NOT turn off the device — forensic data may be lost.
• Step 3: Contact your IT/security team immediately.
• Step 4: Change passwords for all accounts from a clean device.
• Step 5: Document everything — screenshots, email headers, timestamps.
• Step 6: Do not pay ransoms — it funds further attacks and doesn't guarantee recovery.