Data Security Awareness

Good Cyber-citizens Make the Internet a Safer and Better Place

“The Internet is a powerful and useful tool, but in the same way that you shouldn’t drive without buckling your seat belt or ride a bike without a helmet, you shouldn’t venture online without taking some basic precautions.” Here are some tips to keep in mind as we work together to create a better, safer digital world for ourselves and others.

  • Own your online presence. To keep yourself safe, set privacy and security settings on web services, apps, and devices to your comfort level. You do not have to share everything with everyone. It is your choice to limit what (and with whom) you share personal information.
  • Be a good digital citizen. The things that you would not do in your physical life, do not do in your digital life. If you see crime online, report it the same way that you would in real life. Keep yourself safe and assist in keeping others safe on the Internet.
  • Respect yourself and others. Practice good netiquette, know the law, and do not do things that would cause others harm. The Golden Rule applies online, as well.
  • Practice good communications. Never send an e-mail typed in anger. Put it in your draft folder and wait. Keep in mind that digital communications do not give the reader the same visual or audio cues that speaking in person (or by video or phone) does.
  • Protect yourself and your information. Use complex passwords or passphrases, and don’t reuse the same password or variations of a simple phrase. Better yet, enable two-factor authentication or two-step verification whenever possible.

Privacy Is Our Shared Responsibility

Everyone in our community is responsible for the protection of our customers’ privacy and their personal information. However, you don’t need to understand the nuances of every privacy regulation currently affecting higher education to tackle data privacy issues on campus. Whether you are working on a data breach response plan, updating institutional policies, collaborating with researchers on a new project, or educating students, faculty, and staff about data privacy, consider teaming up with your institution’s privacy officer(s). The privacy officer(s) will be more than happy to lend expertise and help make sure privacy, risk, and information security considerations are carefully weighed.

Know and understand your privacy policies.

  • Most institutions have a standard privacy policy, statement, or notice on their website to help visitors understand the practices related to the collection, use, or disclosure of information. See also ATU’s electronic communication policy.
  • Additional privacy statements or notices may be included in third-party contracts or services offered to students, faculty, and staff (e.g., learning management systems used for classes).
  • Also consider any third-party privacy policies or terms and conditions you may have agreed to as an individual (e.g., Facebook or any other third-party services or apps that aren’t officially hosted by the institution through a signed contract).

Always start with privacy.

  • Include privacy in the planning phase of all new projects.
  • If you don’t need personal information, don’t collect it. You can always ask for more information later.
  • Inform your customers about why you’re collecting their personal information.

Keep and use data securely.

  • Keep personal information confidential and limit access to the data.
  • Make sure you’re only using the data the way you said you’d use it. Ensure you get the customer’s consent before you use it otherwise.
  • Destroy or deidentify private information when you no longer need it.
  • Know your data breach response plan.

Your Mobile Devices Won’t Secure Themselves!

Mobile security at one time meant using a laptop lock and keeping tabs on your phone. However, the growing capabilities and use of mobile devices — coupled with the ubiquity of smart devices stitched into the very fabric of our daily lives (figuratively and literally) — now require a more sophisticated defense-in-depth approach to match the growing threat. Following are a few things you can do to protect your devices and personal information on campus, at home, or at work.


  • Secure your devices with a strong password, pattern, or biometric authentication. Check the settings for each device to enable a screen-lock option. For home routers, reset the default password with a strong one.
  • Install anti-malware. Some software includes features that let you do automatic backups and track your device.
  • Check your Bluetooth and GPS access. Disable these settings on all devices when not needed and avoid using them in public areas.
  • Update your devices often. Install operating system and application updates when they become available.
  • Review phone apps regularly. Remove any apps you don’t use. Be selective when buying or installing new apps. Install only those from trusted sources and avoid any that ask for unnecessary access to your personal information.
  • Treat devices like cash! Don’t let your devices out of your sight or grasp. Maintain physical control of your device in public areas. Get a lock (alarmed is best) for your laptop and use it.
  • Keep it sunny in the cloud. Whether using Google Drive, Dropbox, OneDrive, iCloud, Amazon Drive, or any of the many cloud options, set privacy restrictions on your files to share them only with those you intend. Protect access to your cloud drive with two-factor authentication.
  • Create a secure wireless network. Configure your wireless router to protect your bandwidth, identifiable information, and personal computer. Secure it with proper setup and placement, router configuration, and a unique password, using the strongest encryption option. See http://www.wi-fi.org/ for more tips.
  • Protect your Internet of Things (IoT) devices. Are you sharing your livestreaming nanny cam with the world? Review privacy settings for all Internet-ready devices before connecting them to the web.

How Higher Ed Can Support Cybersecurity Students

The cybersecurity field continues to grow along with the need for new workforce talent. In fact, the 2016 EDUCAUSE Center for Analysis and Research’s study on the higher education IT workforce showed that cybersecurity management skillsets are among those most in demand in higher education today. Most information security jobs require at least a bachelor’s degree, so the knowledge students acquire through degree programs is critical. At the same time, students should be encouraged to seek additional opportunities for professional development and growth, including the following:

  • Campus internships. Consider hiring student interns to assist in your institution’s information security department. Interns can offer the department additional staffing resources, and department staff can offer interns real-world experiences and the chance to develop mentoring relationships. For suggested qualifications and responsibilities, see the Information Security Intern Job Description Template.
  • Cyber competitions. Institutions with an information assurance or computer security curriculum can participate in regional events hosted by the National Collegiate Cyber Defense Competition. These events give students the chance to hone their practical information security skills, as well as experience working in teams.
  • Scholarships. Full-time students pursuing a bachelor’s or master’s degree in a formal cybersecurity program at colleges and universities selected by the US Department of Homeland Security (DHS) are eligible to receive scholarship grants. In exchange, scholarship recipients will be placed in an internship; they will also be offered a full-time cybersecurity position after graduation with a federal agency (or other organization approved by the National Science Foundation).
  • Conferences. Students can take advantage of a plethora of information security conferences held each year. Among them is the Women in Cybersecurity conference, which seeks to recruit, retain, and advance women in cybersecurity. This annual conference brings together students and women in cybersecurity from various industries for knowledge sharing, mentoring, and networking.
  • Job fairs. Likewise, students can choose from among numerous job fairs, including the following. DHS hosted its first Cyber and Tech Job Fair in July 2016. The U.S. Department of State maintains a list of job fair websites, including some that require a security clearance. The SANS Institute hosts a CyberTalent Fair — a virtual event for anyone seeking career or job opportunities in cybersecurity. Many campuses also host IT and cybersecurity job fairs, offering advice to students about certifications and connecting graduates or alumni with potential employers.
  • Training courses. The DHS National Initiative for Cybersecurity Careers and Studies (NICCS) Training Catalog includes more than 2,000 cybersecurity training courses offered in the US. A handy interactive map quickly shows viewers the number of courses offered in specific locations. Users can also search for training opportunities by keyword, location, specialty area, provider, proficiency level, and delivery method.
  • Student associations. The National Cybersecurity Student Association requires a small membership fee, but allows students to network through local and state chapters; learn about opportunities for scholarship, internship, and mentoring; and develop technical and leadership skills as they prepare for the cybersecurity workforce.

Employment Phishing Scam

The following text is from a Phishing email going around campus.

I am XXXX XXXXX and I work as a clinical counselor for the department of Disability Resources and Educational Services (DRES). I provide individual and group therapy, coaching, assessment and academic screenings to support students with disabilities (physical, chronic, psychiatric, and invisible) registered with DRES. A large percentage of the students served by the mental health unit have psychiatric disabilities or co-morbid psychiatric disabilities and need mental health support to be successful at the university. In addition, many University of  students with academic difficulties and no prior diagnosis are seen and assessed through the academic screening and assessment process. I also am the director of supervision, training and coordination of counseling psychology and clinical psychology graduate students of the United States who have practicums at DRES and APA-accredited school psychology pre-doctoral interns.

You have received this email because you have an offer from the University Office for Students with Disabilities to work with me while we help Students with disabilities frustrated with ignorance and lack of services but as my temporary personal assistant.  I care about Animal Welfare, Arts and Culture, Children, Civil Rights and Social Action, Education, Environment, Disaster and Humanitarian Relief, Social Services and lots more.

This is a very simple employment. You will only help me Mail letters, Make payments at Walmart and purchase some Items when needed. This employment only takes an hour a day and 3 times a week for $420 weekly.

I am unable to meetup for an interview because I am currently away and helping the disabled students in Australia. You will be paid in advance for all tasks and purchased to be done on my behalf and some of my personal letters and mails will be forwarded to your residence or nearby post office for you to pick up at your convenience. Upon my arrival we will discuss the possibility of making this a long-term employment if I am impressed with your services while I am away. My arrival is scheduled for the last week of October.

To Apply, Please email your Full name, Address, Alternate email and mobile ..

Regards,

XXXX XXXXX

Clinical Counselor, Disability Resources and Educational Services

Don’t Let a Phishing Scam Reel You In

Cyber-criminals use phishing—a type of social engineering—to manipulate people into doing what they want. Social engineering is at the heart of all phishing attacks, especially those conducted via e-mail. Technology makes phishing easy. Setting up and operating a phishing attack is fast, inexpensive, and low risk: any cyber-criminal with an e-mail address can launch one.

According to Verizon’s 2017 Data Breach Investigations Report, the education sector saw a rise in social engineering–based attacks. Students, staff, and faculty all suffered losses when personal data and research were disclosed to unauthorized parties. Phishing played a part in more than 40% of these breaches. Knowing what you’re up against can help you be more secure. Here are a few things you can do to guard against phishing attacks:

  • Limit what you share online. The less you share about yourself, the smaller the target you are for a phishing attack. Cybercriminals use information you post online to learn how to gain your trust.
  • Protect your credentials. No legitimate company or organization will ask for your username and password or other personal information via e-mail. Your school definitely won’t. Still not sure if the e-mail is a phish? Contact your IT help desk. (Many institutions now offer a “phish bowl” so end users can quickly and easily report phishy messages or view the latest scams.)
  • Beware of attachments. E-mail attachments are the most common vector for malicious software. When you get a message with an attachment, delete it—unless you are expecting it and are absolutely certain it is legitimate.
  • Confirm identities. Phishing messages can look official. Cyber-criminals steal organization and company identities, including logos and URLs that are close to the links they’re trying to imitate. There’s nothing to stop them from impersonating schools, financial institutions, retailers, and a wide range of other service providers.
  • Trust your instincts. If you get a suspicious message that claims to be from an agency or service provider, use your browser to manually locate the organization online and contact them via their website, e-mail, or telephone number.
  • Check the sender. Check the sender’s e-mail address. Any correspondence from an organization should come from an organizational e-mail address. A notice from your college or university is unlikely to come from YourIThelpdesk@yahoo.com.
  • Take your time. If a message states that you must act immediately or lose access, do not comply. Phishing attempts frequently threaten a loss of service unless you do something. Cybercriminals want you to react without thinking; an urgent call to action makes you more likely to cooperate.
  • Don’t click links in suspicious messages. If you don’t trust the e-mail (or text message), don’t trust the links in it either. Beware of links that are hidden by URL shorteners or text like “Click Here.” They may link to a phishing site or a form designed to steal your username and password.
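As an added illustration (not part of the original article), the sender, credential, urgency and link checks described above, written as a small Python screen over two constructed messages; the institutional domain example.edu, the sample messages, and the keyword lists are assumptions for the example:

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INSTITUTION_DOMAIN = "example.edu"  # assumed placeholder, not from the article
# Consumer mail providers an official campus notice would not be sent from.
FREEMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com", "aol.com"}
# Link shorteners that hide the real destination of a link.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

URGENCY = re.compile(r"\b(immediately|within \d+ hours|lose access|suspended|urgent)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|username|login details|verify your account)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
BARE_URL = re.compile(r"https?://[^\s<>\"']+", re.I)


def sender_domain(msg):
    """Domain part of the From: address, ignoring the display name."""
    _name, address = parseaddr(msg.get("From", ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_institutional(domain):
    return domain == INSTITUTION_DOMAIN or domain.endswith("." + INSTITUTION_DOMAIN)


def phishing_indicators(raw_message):
    """Return the guidance rules from the article that this message trips."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []

    # "Check the sender": a campus notice should come from the campus domain.
    domain = sender_domain(msg)
    if domain in FREEMAIL_DOMAINS:
        findings.append("sender: consumer mail domain " + domain)
    elif domain and not is_institutional(domain):
        findings.append("sender: external domain " + domain)

    # "Protect your credentials" and "Take your time".
    if CREDENTIALS.search(body):
        findings.append("credentials: message asks for username/password")
    if URGENCY.search(body):
        findings.append("urgency: act-now or lose-access language")

    # "Don't click links": shorteners, generic link text, mismatched hosts.
    for href, text in ANCHOR.findall(body):
        host = urlparse(href).hostname or ""
        visible = re.sub(r"\s+", " ", text).strip()
        if host in URL_SHORTENERS:
            findings.append("link: shortened URL hides destination " + host)
        if visible.lower() in {"click here", "here", "login", "log in"}:
            findings.append("link: generic text '" + visible + "' hides " + host)
        shown = BARE_URL.search(visible)
        if shown and (urlparse(shown.group(0)).hostname or "") != host:
            findings.append("link: text shows " + shown.group(0) + " but points to " + host)
    for url in BARE_URL.findall(ANCHOR.sub("", body)):
        host = urlparse(url).hostname or ""
        if host in URL_SHORTENERS:
            findings.append("link: shortened URL hides destination " + host)
    return findings


# Constructed sample messages (not real mail).
PHISH_NOTICE = """From: IT Help Desk <YourIThelpdesk@yahoo.com>
To: student@example.edu
Subject: Your mailbox will be suspended

Your account will be suspended within 24 hours unless you confirm your
username and password. <a href="https://bit.ly/constructed-example">Click Here</a>
to keep access.
"""

LEGIT_NOTICE = """From: IT Help Desk <helpdesk@example.edu>
To: student@example.edu
Subject: Scheduled maintenance Saturday

Campus e-mail will be unavailable Saturday 2-4 AM for maintenance.
Details: https://its.example.edu/maintenance
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_NOTICE), ("legit", LEGIT_NOTICE)):
        print(label, phishing_indicators(raw))
```

The screen only surfaces the cues the article lists; a message with no findings is not proof of legitimacy, which is why the article still says to contact the help desk when unsure.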

Avoiding Ransomware Attacks

Ransomware is a type of malware designed to encrypt users’ files or lock their operating systems so attackers can demand a ransom payment. According to a 2016 Symantec report, the average ransom demand is almost $700 and “consumers are the most likely victims of ransomware, accounting for 57 percent of all infections between January 2015 and April 2016.”

Similar to a phishing attack, ransomware executes when a user is lured to click on an infected link or e-mail attachment or to download a file or software while visiting a rogue website. Sophisticated social engineering techniques are used to entice users to take the desired action; examples include

  • an embedded malicious link in an e-mail offers a cheap airfare ticket (see figure 1);
  • an e-mail that appears to be from Google Chrome or Facebook invites recipients to click on an image to update their web browser (see figure 2); or
  • a well-crafted website mimics a legitimate website and prompts users to download a file or install an update that locks their PC or laptop.

Figure 1 (image): http://er.educause.edu/~/media/images/blogs/2016/11/erob166211figure1.png?la=en

To avoid becoming a victim of ransomware, users can follow these tips:

  • Delete any suspicious e-mail. Messages from unverified sources or from known sources that offer deals that sound too good to be true are most likely malicious (see figure 3). If in doubt, contact the alleged source by phone or by using a known, public e-mail address to verify the message’s authenticity.
  • Avoid clicking on unverified e-mail links or attachments. Suspicious links might carry ransomware (such as the CryptoLocker Trojan).
  • Use e-mail filtering options whenever possible. E-mail or spam filtering can stop a malicious message from reaching your inbox.
  • Install and maintain up-to-date antivirus software. Keeping your antivirus software updated with the latest virus definitions will ensure that it can detect the latest malware variations.
  • Update all devices, software, and plug-ins on a regular basis. Check for operating system, software, and plug-in updates often — or, if possible, set up automatic updates — to minimize the likelihood of someone holding your computer or files for ransom.
  • Back up your files. Back up the files on your computer, laptop, or mobile devices frequently so you don’t have to pay the ransom to access locked files.

Figure 3 (image): http://er.educause.edu/~/media/images/blogs/2016/11/erob166211figure3.png?la=en

Are You Practicing Safe Social Networking?

Who Else Is Online?

Social media sites are not well-monitored playgrounds with protectors watching over you to ensure your safety. When you use social media, do you think about who might be using it besides your friends and connections? Following are some of the other users you may encounter.

  • Identity thieves. Cybercriminals need only a few pieces of information to gain access to your financial resources. Phone numbers, addresses, names, and other personal information can be harvested easily from social networking sites and used for identity theft. Cybercrime attacks have moved to social media, because that’s where cybercriminals get their greatest return on investment.
  • Online predators. Are your friends interested in seeing your class schedule online? Well, sex offenders or other criminals could be as well. Knowing your schedule and your whereabouts can make it very easy for someone to victimize you, whether it’s breaking in while you’re gone or attacking you while you’re out.
  • Employers. Most employers investigate applicants and current employees through social networking sites and/or search engines. What you post online could put you in a negative light to prospective or current employers, especially if your profile picture features you doing something questionable or “less than clever.” Think before you post a compromising picture or inflammatory status. (And stay out of online political and religious discussions!)

How Do I Protect My Information?

Although there are no guaranteed ways to keep your online information secure, following are some tips to help keep your private information private.

  • Don’t post personal or private information online! The easiest way to keep your information private is to NOT post it. Don’t post your full birthdate, address, or phone numbers online. Don’t hesitate to ask friends to remove embarrassing or sensitive information about you from their posts, either. You can NEVER assume the information you post online is private.
  • Use privacy settings. Most social networking sites provide settings that let you restrict public access to your profile, such as allowing only your friends to view it. (Of course, this works only if you allow people you actually know to see your postings — if you have 10,000 “friends,” your privacy won’t be very well protected.)
  • Review privacy settings regularly. It’s important to review your privacy settings for each social networking site; they change over time, and you may find that you’ve unknowingly exposed information you intended to keep private.
  • Be wary of others. Many social networking sites do not have a rigorous process to verify the identity of their users. Always be cautious when dealing with unfamiliar people online. Also, you might receive a friend request from someone masquerading as a friend. Here’s a cool hint — if you use Google Chrome, right-click on the photo in a LinkedIn profile and choose Google image search. If you find that there are multiple accounts using the same image, all but one is probably spurious.
  • Search for yourself. Do you know what information is readily available about you online? Find out what other people can easily access by doing a search. Also, set up an automatic search alert to notify you when your name appears online. (You may want to set alerts for your nicknames, phone numbers, and addresses as well; you may very well be surprised at what you find.)
  • Understand the role of hashtags. Hashtags (#) are a popular way to provide clever commentary or to tag specific pictures. Many people restrict access to their Instagram accounts so that only their friends can see their pictures. However, when someone applies a hashtag to a picture that is otherwise private, anyone who searches for that hashtag can see it.

My Information Won’t Be Available Forever, Will It?

Well, maybe not forever, but it will remain online for a lot longer than you think.

  • Before posting anything online, remember the maxim “what happens on the web, stays on the web.” Information on the Internet is public and available for anyone to see, and security is never perfect. With browser caching and server backups, there is a good chance that what you post will circulate on the web for years to come. So: be safe and think twice about anything you post online.
  • Share only the information you are comfortable sharing. Don’t supply information that’s not required. Remember: You have to play a role in protecting your information and staying safe online. No one will do it for you.

Think You’ve Been Hacked? Here’s How to Shake It Off!

Face it: Hackers Gonna Hack. How do you know if you’ve been hacked?

  • Your friends tell you. They’ve received a spammy or phishy e-mail from your account.
  • Your phone tells you. Collection companies are calling about nonpayment. Battery and data usage are higher than normal. Charges for premium SMS numbers show up on your bill.
  • Your browser tells you. Unwanted browser toolbars, homepages, or plugins appear unexpectedly. You’re seeing lots of pop-ups or web page redirects. Your online passwords aren’t working.
  • Your software tells you. New accounts appear on your device. Antivirus messages report that the virus hasn’t been cleaned or quarantined. You see fake antivirus messages from software you don’t remember installing. Programs are running or requesting elevated privileges that you did not install. Programs randomly crash.
  • Your bank tells you. You receive a message about insufficient funds due to unauthorized charges.
  • Your mail tells you. You receive a notification from a company that has recently suffered a cybersecurity breach.

Shake it off. Following are the steps you can take to recover.

  1. Change your affected passwords using an unaffected device. Not sure which passwords are affected? It’s best to change them all.
  2. Update your mobile software and apps. Make sure you keep them up-to-date.
  3. Update your antivirus software. Then run a complete scan. Follow the instructions provided to quarantine or delete any infected files.
  4. Update your browser software and plugins. Check frequently for new updates and delete any unnecessary or obsolete plugins.
  5. Is your computer still acting wonky? It might be best to start from scratch with a complete reformat of your machine so you can ensure that all affected software is fixed.
  6. Self-report to credit agencies. If you believe your personally identifiable information has been affected, you don’t want to deal with identity theft on top of being hacked.
  7. Be prepared with backups. Don’t let the next compromise ruin your day. Back up your files frequently. Consider storing at least two separate backups: one on an external drive and one in cloud storage.
  8. Stay ahead of the hackers. Check the Have I Been Pwned website to see if your accounts were exposed in a known breach.

Get the Word Out

Follow these six National Cyber Security Alliance recommendations to better protect yourself online and make the Internet more secure for everyone:

  • Fortify each online account or device. Enable the strongest authentication tools available. This might include biometrics, security keys, or unique one-time codes sent to your mobile device. Usernames and passwords are not enough to protect key accounts such as e-mail, banking, and social media.
  • Keep a clean machine. Make sure all software on Internet-connected devices — including PCs, laptops, smartphones, and tablets — is updated regularly to reduce the risk of malware infection.
  • Personal information is like money. Value it. Protect it. Information about you, such as purchase history or location, has value — just like money. Be thoughtful about who receives that information and how it’s collected by apps or websites.
  • When in doubt, throw it out. Cybercriminals often use links to try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.
  • Share with care. Think before posting about yourself and others online. Consider what a post reveals, who might see it, and how it could be perceived now and in the future.
  • Own your online presence. Set the privacy and security settings on websites to your comfort level for information sharing. It’s okay to limit how and with whom you share information.