Author Archives: Dave Gibson

About Dave Gibson

Chief Information Officer at Sul Ross State University

NCAM Message 3 – Two-Factor Authentication (2FA)

In two previous posts, we discussed the necessity and some of the problems associated with passwords.  As mentioned in those articles, passwords are a needed defense against those that would attempt to steal or damage our electronic information.  With the increased likelihood of passwords being compromised, there is yet another approach, which I will discuss here and expand over the remainder of this academic year, that provides the best protection we have against unwanted attacks against our information systems: two-factor authentication (2FA). 

Using two-factor involves using a second method to verify a logon activity.  When you open an application in your web browser, you typically supply a username and password.  That is referred to as single-factor authentication because it has one method for gaining access to your account, a username and password.  If we add one more step in the process before allowing access to your account, that is two-factor authentication, because you had to supply two things to gain access to your account. 

The implementation of 2FA involves “something you know” and “something you have” for access. When you visit an ATM, one authentication factor is the physical ATM card  (“something you have”). The second factor is your PIN (“something you know”).  Many of you already use modern two-factor for other wesbites, such as your bank.  When you log into a 2FA-protected website with your username and password (“something you know”), you receive a text message or a phone call on your cellular device (“something you have”) that requires your interaction before you can successfully log into the website.  

In the coming months, we will begin the process of adding 2FA to some of our institutional applications.  Keep an eye on these posts for more information.

NCAM Message 2 – Password Management

The simple truth is that passwords are a pain.  It is also true that password are necessary to protect the digital information of Sul Ross and your own personal information. 

Passwords are your first line of defense against break-ins to your online accounts, computers, smart phones and tablets. Poorly crafted passwords, those that are used on multiple accounts, and those seldom changed are more susceptible for being compromised. This situation can leave the technology resources and information on those devices, whether owned by the university or on your own personal devices, at higher risk of being stolen or damaged. The best antidote available against the cyber criminals and others that are intent on stealing or damaging your devices and information is better password management.

Poorly Crafted Passwords

One reason for poorly crafted passwords is they fall into recognizable patterns. This usually occurs because these patterns are more easily remembered than some ambiguous string of characters. These patterns are often in the form of someone’s name, a date, a memorable place, or they follow keyboard patterns such as “123456” and “qwerty.” These kinds of patterns are highly predictable and easy to crack. Rather than an obvious pattern for a password, try a short sentence or phrase. You’ll have the upper case and lower case characters that are needed and a password that is much easier to remember. Using an abbreviation for one of the words provides an extra level of complexity that helps keep your password safe. Also, to ensure you password complies with all password requirements of SRSU, simply change one of the letters to a number and one of the letters to a special character and you’re finished. For example, take the phrase, “Change is good!” Applying the rules we just covered, our phrase can be modified to Chg 1s g@@d!, which meets all our password requirements and is easier to remember than kjhdSDj34@nS.

Multiple Accounts

Having our email address and password compromised because of a weak or easy to guess password is bad enough. While having your email account compromised isn’t ideal, if you use the same account ID to access your financial institution, social network, and other sites, the potential for impact on your wallet and your reputation can be painful. Many of our accounts today use our email address as the ID for the account. Using the same password heightens the risk for any account using the same ID/password combination. When you have to use your email address for an account ID on another system, always ensure that a different password is used to access that other system.

Seldom Changed

The longer an account password is not changed, the longer a compromised password can be used by cyber criminals. Changing an account password on a regular basis limits a hacker’s ability to gain access to your account and “listen in” without you knowing they are there.

How to Survive

With all the accounts, for all the systems, and all those passwords, how is one to survive the security requirements and not simply write all the passwords down on a sticky note and paste it to our monitor? The answer is a password manager. A password manager is a piece of software that allows you to store the plethora of passwords needed in your life (business and personal), that are all hidden behind a specific account ID and password.

These tools give you the ability to record all your passwords in a single, strongly encrypted location. Of course, you still need a password in order to gain access to the password manager, so make sure this system uses a complex password, is not used anywhere else, and is changed with some regularity.

Sul Ross OIT has been using Lastpass for password management for some time now.  This password management software allows us to store passwords away safely and access them when needed across all our devices.  If you want to take advantage of this opportunity, reach out to LTAC and have them set up a Lastpass account for you and your department.

In the end, all computer security is about mitigating the risk inherent in your devices that are connected to the world around us. There is no way for anyone to be 100% secure. All you can do is lower the risk of being hacked. Complex passwords that are used on only one system, are changed on a regular basis, and are stored in an appropriate password manager lowers your risk.

NCAM Message 1 – Passwords: Don’t Spray It or Replay It

It is National Cybersecurity Awareness Month so I’ll share a few cybersecurity messages with you. In this initial post, I want to make you aware of two methods hackers use to gain access to your work and personal computing systems and what you can do about it.

Some of the most common problems/vulnerabilities with the passwords we use involves password spray and password replay, two terms commonly used in the cybersecurity world.

Password spray simply means automatically testing combinations of common passwords and known usernames on a system. You know how poor the most popular passwords are these days—those are lists that attackers keep close on hand. This is a straight numbers game.

By contrast, password replay attacks exploit our fondness for reusing the same passwords on different systems. Made much worse when people reuse passwords from their personal accounts on their work ones.

Two solutions to prevent this from happening to you:

Bad Passwords
  1. Don’t use common words or terms for your passwords, such as P@ssword1, MyD0ghasFle@s, etc.  These are primary targets for the lists hackers keep and use constantly to gain access to systems
  2. Don’t use the same password for multiple services, i.e. work, school, bank, etc.  Doing so allows a hacker to gain access to all your confidential and sensitive data once they determine one of your passwords.

Which means we have to create and remember multiple passwords for different systems.  How are you supposed to do that?

The answer is by using a password manager.  Stay tuned for the next installment of this series on passwords, where I will cover one solution we already are licensed for and use at Sul Ross.

Ransomware – One Year Later

It was one year ago today that we experienced the ransomware event that challenged all of us and changed the way we think about technology.

As I look back at this event and the corporate response, I feel a combination of pride and thankfulness for the way everyone pitched in to get us past the initial attack: the support and kindness offered to the OIT team members while they dealt with this difficult situation, everyone’s willingness to figure things out on the fly until systems were restored. Without your help and support, getting things back to normal would have been more difficult, maybe even impossible.

The reality is that an event like this never completely leaves us and could happen again. The folks in the black hats never stop trying and due to the complexity of technology in the 21st century, there are more ways than ever to attack.

What has changed? Today, we have better software on our computer to detect and remediate the malware designed to steal or destroy our institutional information. We hired a security specialist to spend more time watching for and dealing with these attacks. We’re using encryption on more devices to protect the information stored on them in case of an attack. And, we are putting more time and effort into educating everyone on the possibilities of another attack and how prevent it.

Even with all these changes in place, our best hope for keeping the bad guys out is you. You do this every day by being vigilant against all forms of attack. You do this when you “Don’t Click” an attachment or link in an email you were not expecting. For all of this I say, “Thank you.”

I want to offer a special thanks to the people in OIT who work hard every day so that systems run, email messages (the right ones) are sent and received, checks are cut, POs generated, networks network, and computers, those infernal machines that they are, connect to give us the ability to create and share. I specifically want to thank the OIT team for getting us back to our new normal. It was a Herculean task and I am thankful for what they accomplished.

Now, we look forward. We look to newer, better, faster things than we have had in the past: better classrooms, better applications, better security, better experiences. We ask for your help in this next phase of our technology journey. It will not be easy and we will hit a few bumps in the road. With your help, we can get there.

Microsoft 365 Office Suite Available for Free Download

Current students of Sul Ross State University have access to the Office Suite, Word, Excel, Powerpoint, and other applications through a download link in Microsoft 365 ( Only current student, those that are actively attending classes (does not include those auditing a class), are licensed for the download.

Under the agreement between Sul Ross and Microsoft, you are allowed to download and install any of the Microsoft Office applications on as many as five devices, including desktops, laptops, tablets and smart phones.

Here are some resources to assist you in the download and installation processes.

Follow the link below (requires login) for a video to that shows how to download and install the applications you need.

Additional information from Microsoft is linked below:

To download and install on PC or Mac

To download and install on a mobile device

If you have any questions or need help with this process, please call us at 432-837-8888.

Like us on Facebook @sulrossoit

Follow us on Twitter @srsuoit

See us on Instagram @srsu_oit

Zoom: Is It Safe to Use?

I want address some of the hyperbole around Zoom and the recent issues that have surfaced as Zoom has become a considerably more popular and widely-used application during the COVID-19 pandemic. 

Updated 4/9/2020:

Here are a number of updates from our contact on Zoom. This is a list of features they have updated over the last week or so.

Security Toolbar Icon for Hosts

  • The meeting host will now have a Security option in their meeting controls, which exposes all of Zoom’s existing in-meeting security controls one place. This includes locking the meeting, enabling Waiting Room, and more. Users can also now enable Waiting Room in a meeting, even if the feature was not turned on before the start of the meeting. For more information, please visit this recently published Blog.

Invite Button on Meeting Client Toolbar

  • The button to invite others to join your Zoom meeting is now available at the bottom of the Participants panel

Meeting ID No Longer Displayed

  • The meeting ID will no longer be displayed in the title bar of the Zoom meeting window. The meeting ID can be found by clicking on Participants, then Invite or by clicking on the info icon at the top left of the client window.

Remove Attendee Attention Tracking Feature

  • Zoom has removed the attendee attention tracker feature as part of our commitment to the security and privacy of our customers. For more background on this change and how we are pivoting during these unprecedented times, please see a note from our CEO, Eric S. Yuan 

Removal of the Facebook SDK in our iOS client 

  • We have reconfigured the feature so that users will still be able to log in with Facebook via their browser

File Transfers

  • The option to do third-party file transfers in Meeting and Chat was temporarily disabled. Local file transfer is available with our latest release. Third-party file transfers and clickable URLs in meeting chat will be added back in an upcoming release

New Join Flow for the Web client

  • By default, users will now need to sign in to their Zoom account or create a Zoom account when joining a meeting with the Web client. This can be disabled by the Admin or the User from their settings page

Join Before Host Emails Disabled

  • Notifications sent to the host via email when participants are waiting for the host to join the meeting have been disabled.

Setting to Allow Participants to Rename Themselves

  • Account admins and hosts can now disable the ability for participants to rename themselves in any meeting. This setting is available at the account, group, and user level in the Web portal.

Language for Directory and Company Directory (please note, this does not impact your account)

  • Domain contacts: For free Basic and single licensed Pro accounts with unmanaged domains, contacts in the same domain will no longer be visible. We’ve also removed the option to auto-populate your Contacts list with users from the same domain. If you would like to keep those contacts, you can add them as External Contacts.

Change in visibility of contacts with same domain (please note, this does not impact your account)

  • For Basic and single licensed Pro accounts with unmanaged domains, contacts in the same domain will no longer be visible under ‘Company Directory’ in the ‘Contacts’ tab. Consequently, for the single Pro accounts with unmanaged domains, we’ve removed the option in the admin experience to populate Company Directory with users from the same domain. If these affected users would like to keep contacts with the same domain, they can add them as External contacts. This change will not impact paid accounts with multiple licenses and all accounts with managed domains.

Growth of this magnitude for any technology product attracts legitimate users and also the attention of malicious actors who seek to abuse or compromise the platform.  This attraction, particularly by those with mal intent, is the same faced by any technology company, including Microsoft, Cisco, Blackboard, Ellucian (Banner) and many others.

It is difficult for any vendor to anticipate every fracture that results from heavy and continued usage, particularly by those with evil intentions.  All technology at some point will fail: some is small ways, others in more pronounced ways .  The challenge for any technology organization, whether that is Zoom, Microsoft or OIT, is how to react to the failure. 

Zoom has experienced issues in recent weeks.  Zoom Bombing, that is interrupting a class lecture or a meeting by hijacking a meeting to display inappropriate, vulgar or racists material on the Zoom connection, is the most pronounced and obvious way the Zoom meetings have been attacked recently. 

As these events occurred and were discussed in the media, Zoom provided solutions for the issues and communicated to their customers in a matter of hours.  And Zoom continues to provide fixes for their software to ensure all of us have the best  and safest experience possible.  See this article,, authored by security professionals for a perspective on Zoom’s response to recent attacks.

Additionally, here is a message from the CEO of Zoom detailing the approach they took when this all started, including actions taken by Zoom and what they continue to do to ensure the best experience possible:

Allow me to address some of the more talked about issues that you may be aware of.

  1. Zoom Bombing: Most of the attention surrounding Zoom currently is focused on Zoom Bombing. Zoom’s product is designed to be very flexible and to be able to easily accommodate attendees from outside of your organization. That flexibility provides the host of a meeting a great deal of flexibility in how strict or lax they want to be in protecting their online meeting. Here is an article that provides guidelines provided by Zoom to help prevent Zoom Bombing:  Those of you hosting classes in a Distance Education Room need to contact OIT for assistance as those spaces require special handling in regards to managing your guests.

One action you can take, if you are concerned about Zoom Bombing, is to password protect your meeting.  This is done by selecting the Require Meeting Password checkbox on your Zoom MeetingID setup and supplying a reasonably complex password.  Share this password with your students or other staff members so they can attend the meeting.

  1. Zoom Encryption: Encryption is defined as providing cryptographic assurances that only the individuals that are supposed to see a message can do so.  End-to-end encryption (E2E) describes a system where content is encrypted when it is stored (sitting on a hard drive or server) and when it is being transmitted (sent over the internet or a network). Zoom does guarantee E2E for every device attached to a Zoom meeting that is using their software for a connection.  If you use the Zoom app on a desktop, laptop or mobile device to connect to Zoom, your connection is end-to-end encrypted.  If you use one of the Distance Education rooms to connect to Zoom through a Conference Room Connector (CRC), which is what we do with our DE rooms at Sul Ross, the connection is end-to-end encrypted as well once it connects to the CRC in the cloud.  One device that is never E2E is a telephone connecting over a traditional land line.  As state in the article on encryption, Zoom’s goal is to “keep data encrypted throughout as much of the transmission process as possible.”  If you would like more information on encryption methods used by Zoom, see this article:   
  1. Zoom Privacy: Zoom sharing usage data with Facebook has been a recent headline. The Facebook sharing was limited to the IOS mobile app, involved aggregate metadata only, meaning there is no evidence that identifiable or sensitive information is being shared without user consent, and was removed after the PR backlash that resulted from this awareness.  Zoom addresses where they share data with third-parties in their privacy policy at

My intention is not to convince you to use Zoom.  If you are uncomfortable using Zoom for your classes or your meetings, I encourage you to look at one of our other supported applications such as Blackboard or Microsoft Teams.  My goal here is to break through much of the hyperbole in the media and to assure you that while some issues surfaced recently with the Zoom product, it is a good solution for your meeting needs and comes with a great deal of usability, stability and security.  I am comfortable recommending the use of Zoom for any of your classes or meetings.

If you have questions, feel free to contact me directly.  If you need assistance with any of the configuration items in Zoom, please contact my staff at the Helpdesk and we will guide you through those discussions.

Applications Update – July 2019

This blog lists the applications and services that are now available for your use. If something is missing or needed, please contact me or LTAC and we will add to the list.

  • Banner 8 and 9 (only available on campus)
  • LoboOnline (Banner Self Service)
  • Blackboard
  • ImageNow
  • mySRSU
  • Email
  • Evisions Suite (Argos, Form Fusion, Intellicheck)
  • DegreeWorks
  • Office 365, including Sharepoint sites, OneDrive and Teams

Applications and Services we are working on at this time

  • Network Shares – once the network shares are available, we will encourage each individual and department that has a network share to migrate their data to Office 365.

You may contact LTAC at, 432-837-8888, x.8888, or toll free at 888-837-2882.

Like us Facebook SRSUOIT

Follow us on Twitter @SRSUOIT

Projects for Summer 2018

The Office of Information Technology is busy with several projects and updates over the summer.  Here is a list of some of our most important project on our plate along with status and possible completion dates.

  • PBX/Server Room Updates.  The Systems and Networking team is busy with two significant updates in our PBX/Server room.  They are working with Dell to install new servers that provide faster processing capabilities and higher throughput.  These new servers are used to run many of our institutional applications, including email, Banner, Perceptive Content (formerly ImageNow) and others.  These new servers will allow us to continue to offer these services for the next several years.  Dell is scheduled to be onsite July 17 and 18 to install the new hardware.  Over the few weeks following the install, all the applications will be migrated to these new servers.  There should not be any downtime associated with this installation and the migration to this new hardware.  The Systems and Networking team is also replacing a number of aging network switches in this space to ensure we can maintain the network connectivity you are used to seeing across the campuses and to the internet.  These new switches will be installed during the August timeframe.  Expect some downtime with this upgrade.
  • Banner 9.  The next iteration of Banner, our ERP solution that includes the student information system, finance system, human resources system, and others, is being updated and tested.  The advantages of this software over previous versions of Banner is it not longer requires java on the local computer, it runs in a larger number of browsers, and can be accessed through our single sign-on mechanism.  The software has been installed, is being tested, and is slated to be the only version of Banner we run sometime during the fall semester.
  • Touchnet OneCard VIP Solution.  Our existing ID Card system, installed in the mid-2000’s, is old and difficult to keep running.  To replace this old system, SR has contracted with Touchnet, our bill payment provider, to implement their OneCard VIP (?) system.  The initial phase of this project will replace the current card reader locations one-for-one and provide a supported, stable environment for us to grow with.  Locations for this upgrade include Lobo Village 1, 2, 3 and 4, Fletcher Hall, Warnock Science, Centennial, ANRS and the Museum.  A new location, ACR, will be added to the system to allow us to experiment with the wireless access system Touchnet is selling now.  If the wireless systems performs as advertised, expanding into other locations across the Alpine campus will be easier since we won’t be required to pull wire to each access location.  With this update, the card production facilities are to moved to Lawrence Hall, in the one-stop-shop located on the first floor of that building.  We are on schedule to implement this new system between July 30th and August 3rd.
  • Switch/Network Updates for RGC Campuses.  The switch hardware for the Del Rio and Eagle Pass campuses is in need of updates.  The Networking team has already completed the needed updates in the Del Rio Campus and will perform the same updates for the Eagle Pass campus during the fall semester.  In the fall, we will consider replacing some of the switches that are beyond their life expectancy and are no longer supported by the manufacturer.
  • New Classrooms for RGC Campuses.  The Educational Technology Director and LTAC are building six new classrooms for the RGC campuses, two at each location, with equipment salvaged from the Castroville site.  These classrooms allow more offerings at those locations in support of student demand at those campuses.  These classrooms are scheduled to come online before the start of the fall semester.
  • Fire and Safety Systems Updates.  A number of repairs and updates are being applied to the various safety systems across the Alpine campus (SWTJC provides these updates to the RGC campuses).  These include updates and repairs to fire alarm systems, fire sprinkler systems, the current card access systems, and others.  These repairs and updates are already in place or to be completed in time for the start of the fall semester.
  • Print Management via Papercut.  The team in LTAC is installing and configuring an application, Papercut, that is used widely for print management.  Once the software is installed and running, it will be used to monitor printing activity in labs, some classes, and in locations where printers are generally available, such as the Library.  For at least one long semester, data is to be collected on these locations in order to determine who is printing and how much are they printing.  The software will be ready for the start of the fall semester.
  • Disaster Recovery Replacement.  For the last 4 years, servers at an alternate location have been used as a backup location in the event of a disaster  that requires us to run our applications from an alternate location.  This hardware is now nearing its end of life and needs replacement.  The OIT staff are pulling together information and developing alternatives for this important feature.  While new solutions won’t be in place until next summer, this evaluative process is the starting point for determining where we need to go next.  Alternatives include:
    • Expanding the use of alternative systems we already own
    • Cloud-based options
    • Third-party options
  • Annual Risk Assessments.  OIT and other areas of the institution are required to perform an annual risk assessment on the state-owned information resources available to us.  This analysis allows us to understand and develop plans for the risks associated with these assets.  Over the remainder of the summer, OIT will work with other departments to complete the risk assessments for 2018.
  • General Lab and Classroom Cleanup.  Each summer, while many of our academic spaces are not in use, LTAC reimages and cleans up many of the computers in these spaces to ensure they are ready for the coming academic year.  For example, this summer LTAC is working on LH 300, LH309, Ferguson 201, and others.  This includes cleanup of computers as well as the physical space. These updates are to be completed before the start of the fall semester.
  • Security Camera Expansion.  We are evaluating locations for an expansion of the current security camera system.  A number of locations have cameras and recorders that are no longer functioning and need to be replaced.  Additionally, a number of new locations need to be brought online to ensure we have adequate coverage for the campus.  This evaluative process is to be completed this summer with the expansion work being completed in the fall.


Telephone System Team

The day has finally arrived and the new phone system is ready to go.  The team pictured here all had a hand in some aspect of this project.  Today, we’ll be out and around the campus ensuring that all the phones come back to life and that everything is working to the satisfaction of our campus partners.


  Can’t say enough about each of the SRSU team members and also want to thank the folks from Big Bend Telephone for the support through this project.


OneDriveforBusiness Now Supports Version History for All File Types

OneDrive is a great place to store all your important documents.  Prior to the recent announcement from Microsoft, while you could store and edit almost any file type on OneDrive, only Microsoft Office documents allowed you to store and edit multiple versions of a file.

Microsoft today (7/29/2017) announced that version history is available for all (yet to be defined) file types and not just Office files. This allows you to look at and edit previous versions of older PDF and CAD files, for example.

“Previously, version history only supported Office files. Now, version history is compatible with all file types, so you no longer need to worry about your PDFs, CAD files or even your photos and videos getting accidentally edited—you’ll always be able to restore or download a previous version”

See more at this web page: