Learn What It Takes to Refuse the Phishing Bait!

Cybercriminals know the best strategies for gaining access to your institution’s sensitive data. In most cases, it doesn’t involve them rappelling from a ceiling’s skylight and deftly avoiding a laser detection system to hack into your servers; instead, they simply manipulate a community member.

According to IBM’s 2014 Cyber Security Intelligence Index, human error is a factor in 95 percent of security incidents. Following are a few ways to identify various types of social engineering attacks and their telltale signs.

  • Phishing isn’t relegated to just e-mail! Cybercriminals will also launch phishing attacks through phone calls, text messages, or other online messaging applications. Don’t know the sender or caller? Seem too good to be true? It’s probably a phishing attack.
  • Know the signs. Does the e-mail contain a vague salutation, spelling or grammatical errors, an urgent request, and/or an offer that seems impossibly good? Click that delete button.
  • Verify the sender. Check the sender’s e-mail address to make sure it’s legitimate. If it appears that your institution’s help desk is asking you to click on a link to increase your mailbox quota, but the sender is “UniversityHelpDesk@yahoo.com,” it’s a phishing message.
  • Don’t be duped by aesthetics. Phishing e-mails often contain convincing logos, links to actual company websites, legitimate phone numbers, and e-mail signatures of actual employees. However, if the message is urging you to take action — especially action such as sending sensitive information, clicking on a link, or downloading an attachment — exercise caution and look for other telltale signs of phishing attacks. Don’t hesitate to contact the company directly; they can verify legitimacy and may not even be aware that their name is being used for fraud.
  • Never, ever share your password. Did we say never? Yup, we mean never. Your password is the key to your identity, your data, and your classmates’ and colleagues’ data. It is for your eyes only. Your institution’s help desk or IT department will never ask you for your password.
  • Avoid opening links and attachments from unknown senders. Get into the habit of typing known URLs into your browser. Don’t open attachments unless you’re expecting a file from someone. Give them a call if you’re suspicious.
  • When you’re not sure, call to verify. Let’s say you receive an e-mail claiming to be from someone you know — a friend, colleague, or even the president of your college or university. Cybercriminals often spoof addresses to convince you, then request that you perform an action such as transfer funds or provide sensitive information. If something seems off about the e-mail, call them at a known number listed in your institution’s directory to confirm the request.
  • Don’t talk to strangers! Receive a call from someone you don’t know? Are they asking you to provide information or making odd requests? Hang up the phone and report it to the help desk.
  • Don’t be tempted by abandoned flash drives. Cybercriminals may leave flash drives lying around for victims to pick up and insert, thereby unknowingly installing malware on their computers. You might be tempted to insert a flash drive only to find out the rightful owner, but be wary — it could be a trap.
  • See someone suspicious? Say something. If you notice someone suspicious walking around or “tailgating” someone else, especially in an off-limits area, call campus safety.

Keeping It Private

You exist in digital form all over the Internet. It is thus important to ensure that the digital “You” matches what you are intending to share. It is also critical to guard your privacy — not only to avoid embarrassment, but also to protect your identity and finances!

Following are specific steps you can take to protect your online information, identity, and privacy.

  • Use a unique password for each site. Hackers often use previously compromised information to access other sites. Choosing unique passwords keeps that risk to a minimum.
  • Use a password manager. Using an encrypted password manager to store your passwords makes it easy to access and use a unique password for each site. See https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201310_en.pdf for more information on password managers. The OIT department uses LastPass for this purpose and has found it easy to use and secure.
  • Know what you are sharing. Check the privacy settings on all of your social media accounts; some even include a wizard to walk you through the settings. Always be cautious about what you post publicly.
  • Guard your date of birth and telephone number. These are key pieces of information used for verification, and you should not share them publicly. If an online service or site asks you to share this critical information, consider whether it is important enough to warrant it.
  • Keep your work and personal presences separate. Your employer has the right to access your e-mail account, so you should use an outside service for private e-mails. This also helps you ensure uninterrupted access to your private e-mail and other services if you switch employers.
  • There are no true secrets online. Use the postcard or billboard test: Would you be comfortable with everyone reading a message or post? If not, don’t share it.

(Taken in part from the EducauseReview website)


SRSU OIT Security Advisory – Virus in Email Attachment 8/12/2016

Sul Ross is receiving email messages that contain a harmful virus. The Locky virus encrypts all the files on your computer’s hard drive, and these files cannot be recovered. The only mechanism we have to clean up the virus is to reformat your hard drive.

The email message indicates it is coming from a @sulross.edu account and contains a Microsoft Word document (*.doc, *.docx, *.docm) that, when opened, spreads the virus to your local machine and any attached devices, including thumb drives, external hard drives, and any other physically attached devices.

Our advice is that you never click on any attachment in an email message unless you are specifically expecting that attachment. We also suggest you look carefully at the sender, the subject line, and the body of the message for indications that the email is not legitimate (poor grammar, invalid references, etc.).

In the instances we are seeing today, the email purports to come from Dorothy, Gwendolyn and other common names (e.g. Dorothy@sulross.edu). We do not use only first names in our email addresses, although some individuals have an alias that includes their first and last name, e.g. david.gibson@sulross.edu.

If you receive an email from a peer with an attachment, we suggest you take a moment, call the individual who supposedly sent the email, and verify that they did so and that they included an attachment.

Attacks on all institutions are on the rise. Our best line of defense is you. Be aware. Don’t click. Call us at 432-837-8888 if you need help or are unsure.


Mobile Device Theft


With an increasing amount of sensitive data being stored on mobile devices, the value and mobility of smartphones, tablets, and laptops make them appealing and easy targets. These simple tips will help you be prepared in case your mobile device is lost, stolen, or misplaced.

  • Don’t leave your device alone, even for a minute! If you’re not using it, lock your device in a cabinet or drawer, use a security cable, or take it with you. It’s not enough to simply ask the stranger next to you in a library or coffee shop to watch your laptop for a few minutes.
  • Differentiate your device. It’s less likely that someone will steal your device and say they thought it belonged to them if your device looks unique. Sometimes these markings make the laptop harder to resell, so they’re less likely to be stolen. Use a permanent marking, engraving, or tamper-resistant commercial asset tracking tag.
  • Delete sensitive information. Don’t keep any restricted data on your laptop. We recommend searching your computer for restricted data and deleting it. Restricted data includes your Social Security number, credit card numbers, network IDs, passwords, and other personally identifiable information. You’d be surprised how easy it is to forget that this information is on your computer!
  • Back it up. Set a reminder to back up your data on a regular basis! Keep an external copy of important files stored on your laptop in a safe location in case it is lost or stolen. Your photos, papers, research, and other files are irreplaceable, and losing them may be worse than losing your device.
  • Encrypt information. Protect your personal data with the built-in disk encryption feature included with your computer’s operating system (e.g., BitLocker or FileVault).
  • Record the serial number. Jot down the serial number of your device and store it in a safe place. This information can be useful for verifying your device if it’s found.
  • Install software. Install and use tracking and recovery software included with most devices (e.g., the “Find iDevice” feature in iOS) or invest in commercial products like LoJack or Prey. Some software includes remote-wipe capabilities. This feature allows you to log on to an online account and delete all of the information on your laptop. There are both paid and free versions of this type of software, and each provides different levels of features. Search online to find the best combination of cost and functions to meet your needs.

If you have questions, please contact the Helpdesk at 432-837-8888.

Guard Your Privacy Online


You and your information are everywhere. When you’re online you leave a trail of “digital exhaust” in the form of cookies, GPS data, social network posts, and e-mail exchanges, among others. It is critical to learn how to protect yourself and guard your privacy. Here are some ideas that can help protect you, your information, as well as the data you are entrusted with from SR.

  • Use long and complex passwords or passphrases. These are often the first line of defense in protecting an online account. The length and complexity of your passwords can provide an extra level of protection for your personal information.
  • Take care what you share. Periodically check the privacy settings for your social networking apps to ensure that they are set to share only what you want, with whom you intend. Be very careful about putting personal information online. What goes on the Internet, usually stays on the Internet.
  • Go stealth when browsing. Your browser can store quite a bit of information about your online activities, including cookies, cached pages, and history. To ensure the privacy of personal information online, limit access by going “incognito” and using the browser’s private mode.
  • Using Wi-Fi? If only public Wi-Fi is available, restrict your activity to simple searches (no banking!) or use a VPN (virtual private network). The latter provides an encrypted tunnel between you and the sites you visit.
  • Should you trust that app? Only use apps from reputable sources. Check out reviews from users or other trusted sources before downloading anything that is unfamiliar.

If you have questions about how to follow any of these guidelines, contact the Helpdesk at 432-837-8888.

By the way, never use your laptop as a coffee mug coaster as in the picture.  Not a good idea. 🙂


Guard Your Privacy When Offline or Traveling

Planning a summer vacation? People are frequently more vulnerable when traveling because a break from their regular routine or encounters with unfamiliar situations often result in less cautious behavior. If this sounds like you or someone you know, these five tips will help you protect yourself and guard your privacy.

  • Track that device! Install a device finder or manager on your mobile device in case it’s lost or stolen. Make sure it has remote wipe capabilities and also protects against malware.
  • Avoid social media announcements about your travel plans. It’s tempting to share your upcoming vacation plans with family and friends, but consider how this might make you an easy target for local or online thieves. While traveling, avoid using social media to “check in” to airports and consider posting those beautiful photos after you return home. Find out how burglars are using your vacation posts to target you in this infographic.
  • Traveling soon? If you’re traveling with a laptop or mobile device, remove or encrypt confidential information. Consider using a laptop or device designated for travel with no personal information, especially when traveling out of the country.
  • Limit personal information stored on devices. Use a tool like Identity Finder to locate your personally identifiable information (e.g., SSN, credit card numbers, or bank accounts) on your computer, then secure or remove that information.
  • Physically protect yourself and your devices. Use a laptop lock, avoid carrying identification cards, shred sensitive paperwork before you recycle it, and watch out for “shoulder surfers” at the ATM.

These tips can’t protect you from every possible scenario, but they will provide some protection and give you ideas for more. The best advice of all … be aware.

Securing Mobile Devices

Mobile devices have become one of the primary ways we communicate and interact with each other. The power of a computer is now at our fingertips, allowing us to bank, shop, view medical history, attend to work remotely, and communicate virtually anywhere. With all these convenient features come added risks, but here are some tips to protect your devices and your personal information.

  • Password-protect your devices. If your mobile device is ever lost or stolen, giving yourself more time to protect your data and remotely wipe your device could be the difference between the pain of losing the device and the pain of losing much of your important information. Enabling passwords, PINs, fingerprint scans, or other forms of authentication will slow down anyone intent on getting to your personal information and give you more time to take action and remove personal or sensitive information from your device.
  • Back up data. Be sure to back up data on each device in case it is ever lost or stolen. If the original device is never found, you can restore the backed-up data to a new one.
  • Verify app permissions. Don’t forget to review an app’s specifications and privacy permissions before installing it!
  • Update operating systems. Security fixes or patches for mobile device operating systems are often included in these updates.
  • Be cautious of public Wi-Fi hot spots. Avoid financial or other sensitive transactions while connected to public Wi-Fi hot spots.

Think Before You Click

Phishing attempts are fraudulent email messages that appear to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank). These messages direct you to divulge private information (e.g., passphrase, credit card, or other account updates).

These scams are designed to induce panic in the reader. They attempt to trick recipients into responding or clicking immediately by claiming they will lose something (e.g., email, bank account). Such a claim is always indicative of a phishing scam, as responsible companies and organizations will never take these types of actions via email.

Things to know and remember when opening ANY e-mail that is asking you to provide information:

  • No reputable organization, including OIT, will ever ask you for confidential information via e-mail.
  • Never respond to an e-mail from a source you are not 100 percent sure of. When in doubt, call them.
  • Always check the authenticity of a Web site before you provide any of your personal information.
  • Never click on a link in a suspicious e-mail because it may take you to a malicious site. Open a new browser window and type in the address manually.
  • Phishing e-mail will often have a sense of urgency (“Your account will be closed if you don’t…” etc.). It may also contain strange words, misspelled words, or unusual or awkward phrasing to help it avoid spam-filtering software.

With the recent rise in phishing activity, be suspicious of any email message that asks you to enter or verify personal information through a website or by replying to the message itself.
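As an added illustration (not code from the SRSU advisory or from the EDUCAUSE material this page draws on), the following Python heuristic checks a message for the telltale signs listed in this section, in the “Verify the sender” tip (the UniversityHelpDesk@yahoo.com case) and in the virus advisory (the Dorothy@sulross.edu case): a help-desk claim from a non-institutional domain, a first-name-only @sulross.edu sender, an unexpected Office document attachment, and urgency phrasing. The sample messages, the first-name list and the urgency phrase list are constructed for the example; a real mail filter would check sender names against the campus directory rather than a hard-coded list.

```python
"""Heuristic phishing triage for a handful of constructed sample messages.

Added example, not SRSU OIT code. The signals mirror the page's advice:
verify the sender, distrust first-name-only institutional addresses,
do not open unexpected Office attachments, and treat urgency as a red flag.
"""
from dataclasses import dataclass, field

INSTITUTION_DOMAIN = "sulross.edu"                   # named in the advisory
MACRO_DOC_EXTENSIONS = (".doc", ".docx", ".docm")    # attachment types named in the advisory
# First-name-only senders quoted in the advisory. A real filter would consult
# the campus directory instead of a fixed list (assumption for this example).
FIRST_NAME_ONLY_SAMPLES = {"dorothy", "gwendolyn"}
# Constructed list of phrases typical of the "you will lose something"
# pressure the page describes.
URGENCY_PHRASES = (
    "account will be closed", "immediately", "verify your account",
    "mailbox quota", "urgent",
)


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    expected_attachment: bool = False  # True only if the recipient was told to expect a file


def local_part(address: str) -> str:
    return address.rsplit("@", 1)[0].lower()


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def phishing_indicators(msg: Message) -> list:
    """Return the page's telltale signs that this message exhibits."""
    findings = []
    local = local_part(msg.sender)
    domain = sender_domain(msg.sender)
    text = f"{msg.subject} {msg.body}".lower()

    # "Verify the sender": a help-desk claim from outside the institution's domain.
    if "helpdesk" in local.replace(".", "").replace("_", "") and domain != INSTITUTION_DOMAIN:
        findings.append("help-desk claim from non-institutional domain")

    # Advisory: SRSU does not issue first-name-only addresses such as Dorothy@sulross.edu.
    if domain == INSTITUTION_DOMAIN and local in FIRST_NAME_ONLY_SAMPLES:
        findings.append("first-name-only institutional address")

    # Advisory: do not open attachments unless you were specifically expecting them.
    if not msg.expected_attachment and any(
        name.lower().endswith(MACRO_DOC_EXTENSIONS) for name in msg.attachments
    ):
        findings.append("unexpected Office document attachment")

    # "Think Before You Click": urgency is characteristic of phishing.
    if any(phrase in text for phrase in URGENCY_PHRASES):
        findings.append("urgency language")

    return findings


def triage(messages) -> dict:
    """Map each sender address to its findings; an empty list means no sign was found."""
    return {m.sender: phishing_indicators(m) for m in messages}


# Constructed sample messages modelled on the cases described on the page.
SAMPLE_MESSAGES = [
    Message("Dorothy@sulross.edu", "Invoice", "Please see the attached document.",
            attachments=["invoice.docm"]),
    Message("UniversityHelpDesk@yahoo.com", "Mailbox quota",
            "Click the link to increase your mailbox quota immediately "
            "or your account will be closed."),
    Message("david.gibson@sulross.edu", "Lunch?", "Want to grab lunch on Friday?"),
]

if __name__ == "__main__":
    for sender, findings in triage(SAMPLE_MESSAGES).items():
        verdict = "SUSPICIOUS" if findings else "no signs found"
        print(f"{sender}: {verdict} {findings}")
```

Running the script prints one line per sample: the two messages built from the page’s examples each trip two signs, while the legitimate first.last@sulross.edu message trips none. Any single finding is enough reason to pick up the phone and verify, as the advisory recommends.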

A Word on Passwords

Passwords are your first line of defense against break-ins to your online accounts, computers, smart phones and tablets. Poorly crafted passwords, passwords that are used on multiple accounts, and passwords that are seldom changed are more susceptible to being compromised. This situation can leave the technology resources and information on those devices, whether owned by the university or your own personal devices, at higher risk of being stolen or damaged. The best antidote available against the cyber criminals and others intent on stealing or damaging your devices and information is better password management.

Poorly Crafted Passwords

One reason for poorly crafted passwords is that they fall into recognizable patterns. This usually occurs because these patterns are more easily remembered than some ambiguous string of characters. These patterns are often in the form of someone’s name, a date, a memorable place, or they follow keyboard patterns such as “123456” and “qwerty.” These kinds of patterns are highly predictable and easy to crack. Rather than an obvious pattern for a password, try a short sentence or phrase. You’ll have the upper case and lower case characters that are needed and a password that is much easier to remember. Using an abbreviation for one of the words provides an extra level of complexity that helps keep your password safe. Also, to ensure your password complies with all password requirements of SRSU, simply change one of the letters to a number and one of the letters to a special character and you’re finished. For example, take the phrase “Change is good!” Applying the rules we just covered, our phrase can be modified to Chg 1s g@@d!, which meets all our password requirements and is easier to remember than kjhdSDj34@nS.

Multiple Accounts

Having your email address and password compromised because of a weak or easy-to-guess password is bad enough. While having your email account compromised isn’t ideal, if you use the same account ID to access your financial institution, social network, and other sites, the potential impact on your wallet and your reputation can be painful. Many of our accounts today use our email address as the ID for the account. Using the same password heightens the risk for every account using that same ID/password combination. When you have to use your email address as the account ID on another system, always ensure that a different password is used to access that other system.
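The composition rules from “Poorly Crafted Passwords” and the reuse problem from “Multiple Accounts” can be checked mechanically. The following Python script is an added example, not SRSU’s own policy code: it tests a candidate against the rules the article names (upper case, lower case, a number, a special character), rejects the predictable patterns it warns against, and groups account IDs that share one password. The minimum length of 12 is an assumption, since the article does not state SRSU’s actual length requirement; the sample accounts are constructed.

```python
"""Password hygiene checks for the rules this article describes.

Added example, not SRSU's own policy code. MIN_LENGTH is an assumption:
the article does not state SRSU's length requirement.
"""
import string

MIN_LENGTH = 12                                           # assumption, not SRSU's stated rule
PREDICTABLE_PATTERNS = ("123456", "qwerty", "password")   # first two are named on the page


def policy_violations(password: str) -> list:
    """Return the rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if any(p in password.lower() for p in PREDICTABLE_PATTERNS):
        problems.append("contains a predictable pattern")
    return problems


def reused_password_groups(accounts: dict) -> list:
    """Group account labels that share one password ("Multiple Accounts").

    accounts maps an account label to its password. Only the groups of
    accounts are returned, never the passwords themselves.
    """
    by_password = {}
    for label, password in accounts.items():
        by_password.setdefault(password, []).append(label)
    return sorted(sorted(group) for group in by_password.values() if len(group) > 1)


# Constructed examples; the first three strings are the article's own.
SAMPLE_PASSWORDS = ["Change is good!", "Chg 1s g@@d!", "kjhdSDj34@nS", "qwerty"]
SAMPLE_ACCOUNTS = {
    "campus e-mail": "Chg 1s g@@d!",
    "bank": "Chg 1s g@@d!",          # same password behind the same e-mail ID
    "social network": "S0c!al-only-phrase",
}

if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw!r}: {policy_violations(pw) or 'passes'}")
    print("accounts sharing a password:", reused_password_groups(SAMPLE_ACCOUNTS))
```

Run as a script, it shows why the article’s transformation matters: “Change is good!” fails only for lacking a number, “Chg 1s g@@d!” passes every rule, and “qwerty” fails almost all of them. The reuse check reports that the campus e-mail and bank accounts share a password, which is exactly the situation the “Multiple Accounts” section warns about.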

Seldom Changed

The longer an account password is not changed, the longer a compromised password can be used by cyber criminals. Changing an account password on a regular basis limits a hacker’s ability to gain access to your account and “listen in” without you knowing they are there.

How to Survive

With all the accounts, for all the systems, and all those passwords, how is one to survive the security requirements and not simply write all the passwords down on a sticky note and stick it to the monitor? The answer is not sticky notes, or a piece of paper in your desk drawer, or attempting to get around the password requirements of the institution. The answer is a password manager. A password manager is a piece of software that allows you to store the plethora of passwords needed in your life (business and personal), all hidden behind a specific account ID and password. These tools give you the ability to record all your passwords in a single, strongly encrypted location. Of course, you still need a password in order to gain access to the password manager, so make sure this system uses a complex password that is not used anywhere else and is changed with some regularity.

In the end, all computer security is about mitigating the risk inherent in devices that are connected to the world around us. There is no way for anyone to be 100% secure. All you can do is lower the risk of being hacked. Complex passwords that are used on only one system, are changed on a regular basis, and are stored in an appropriate password manager lower your risk.

Contact the SRSU Helpdesk, LTAC, if you have questions about anything in this article.