Creating a Password : Cybersecurity Awareness Month

CREATING A PASSWORD

Creating a strong password is an essential step to protecting yourself online. Using long and complex passwords is one of the easiest ways to defend yourself from cybercrime. No citizen is immune to cyber risk, but #BeCyberSmart and you can minimize your chances of an incident.

SIMPLE TIPS:

Creating a strong password is easier than you think. Follow these simple tips to shake up your password protocol:

• Use a long passphrase. According to NIST guidance, you should consider using the longest password or passphrase permissible. For example, you can use a passphrase such as a news headline or even the title of the last book you read. Then add in some punctuation and capitalization.

• Don’t make passwords easy to guess. Do not include personal information in your password such as your name or pets’ names. This information is often easy to find on social media, making it easier for cybercriminals to hack your accounts.

• Avoid using common words in your passwords. Substitute letters with numbers and punctuation marks or symbols. For example, @ can replace the letter “A” and an exclamation point (!) can replace the letters “I” or “L.”

• Get creative. Use phonetic replacements, such as “PH” instead of “F”. Or make deliberate, but obvious misspellings, such as “enjin” instead of “engine.”

• Keep your passwords on the down-low. Don’t tell anyone your passwords and watch for attackers trying to trick you into revealing your passwords through email or calls. Every time you share or reuse a password, it chips away at your security by opening up more avenues in which it could be misused or stolen.

• Unique account, unique password. Having different passwords for various accounts helps prevent cyber criminals from gaining access to these accounts and protect you in the event of a breach. It’s important to mix things up—find easy-to remember ways to customize your standard password for different sites.

• Double your login protection. Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you. Use it for email, banking, social media, and any other service that requires logging in. If MFA is an option, enable it by using a trusted mobile device, such as your smartphone, an authenticator app, or a secure token—a small physical device that can hook onto your key ring. Read the Multi-Factor Authentication (MFA) How-to-Guide for more information.

• Utilize a password manager to remember all your long passwords. The most secure way to store all of your unique passwords is by using a password manager. With just one master password, a computer can generate and retrieve passwords for every account that you have – protecting your online information, including credit card numbers and their three-digit Card Verification Value (CVV) codes, answers
to security questions, and more.

Cybersecurity While Traveling : Cybersecurity Month

CYBERSECURITY
WHILE TRAVELING

In a world where we are constantly connected, cybersecurity cannot be limited to the home or office. When you’re traveling— whether domestic or international—it is always important to practice safe online behavior and take proactive steps to secure Internet-enabled devices. The more we travel, the more we are at risk for cyberattacks. #BeCyberSmart and use these tips to connect with confidence while on the go.

Simple Tips: (Before You Go)

  • If You Connect IT, Protect IT. Whether it’s your computer, smartphone, game device, or other network devices, the best defense against viruses and malware is to update to the latest security software, web browser, and operating systems. Sign up for automatic updates, if you can, and protect your devices with anti-virus software. Read the Phishing Tip Sheet for more information.
  • Back up your information. Back up your contacts, financial data, photos, videos, and other mobile device data to another device or cloud service in case your device is compromised and you have to reset it to factory settings.
  • Connect only with people you trust. While some social networks might seem safer for connecting because of the limited personal information shared through them, keep your connections to people you know and trust.
  • Keep up to date. Keep your software updated to the latest version available. Maintain your security settings to keeping your information safe by turning on automatic updates so you don’t have to think about it and set your security software to run regular scans.
  • Double your login protection. Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you. Use it for email, banking, social media, and any other service that requires logging in. If MFA is an option, enable it by using a trusted mobile device, such as your smartphone, an authenticator app, or a secure token—a small physical device that can hook onto your key ring. Read the Multi-Factor Authentication (MFA) How-to-Guide for more information.

Simple Tips: (During Your Trip)

  • Stop auto connecting. Some devices will automatically seek and connect to available wireless networks or Bluetooth devices. This instant connection opens the door for cyber criminals to remotely access your devices. Disable these features so that you actively choose when to connect to a safe network.
  • Stay protected while connected. Before you connect to any public wireless hotspot—such as at an airport, hotel, or café—be sure to confirm the name of the network and exact login procedures with appropriate staff to ensure that the network is legitimate. If you do use an unsecured public access point, practice good Internet hygiene by avoiding sensitive activities (e.g., banking) that require passwords or credit cards. Your personal hotspot is often a safer alternative to free Wi-Fi. Only use sites that begin with “https://” when online shopping or banking

Study the NCSAM Guide for additional info on this and more cybersecurity concepts.

 

Cyber Secure At Work : Cybersecurity Month

5 WAYS TO BE CYBER SECURE AT WORK

Businesses face significant financial loss when a cyber attack occurs. In 2019, the U.S. business sector had 17% increase in data breaches: 1,473 breaches. § Cybercriminals often rely on human error—employees failing to install software patches or clicking on malicious links—to gain access to systems. From the top leadership to the newest employee, cybersecurity requires the vigilance of everyone to keep data, customers, and capital safe and secure. #BeCyberSmart to connect with confidence and support a culture of cybersecurity at your organization.

Simple Tips:

      • 1) Treat business information as personal information. Business information typically includes a mix of personal and proprietary data. While you may think of trade secrets and company credit accounts, it also includes employee personally identifiable information (PII) through tax forms and payroll accounts. Do not share PII with unknown parties or over unsecured networks.

     

      • 2) Don’t make passwords easy to guess. As “smart” or data-driven technology evolves, it is important to remember that security measures only work if used correctly by employees. Smart technology runs on data, meaning devices such as smartphones, laptop computers, wireless printers, and other devices are constantly exchanging data to complete tasks. Take proper security precautions and ensure correct configuration to wireless devices in order to prevent data breaches. For more information about smart technology see the Internet of Things Tip Card. Read the Internet of Things Tip Sheet for more information.

     

      • 3) Be up to date. Keep your software updated to the latest version available. Maintain your security settings to keeping your information safe by turning on automatic updates so you don’t have to think about it and set your security software to run regular scans.

     

      • 4) Social media is part of the fraud toolset. By searching Google and scanning your organization’s social media sites, cybercriminals can gather information about your partners and vendors, as well as human resources and financial departments. Employees should avoid oversharing on social media and should not conduct official business, exchange payment, or share PII on social media platforms. Read the Social Media Cybersecurity Tip Sheet for more information.

     

    • 5) It only takes one time. Data breaches do not typically happen when a cybercriminal has hacked into an organization’s infrastructure. Many data breaches can be traced back to a single security vulnerability, phishing attempt, or instance of accidental exposure. Be wary of unusual sources, do not click on unknown links, and delete suspicious messages immediately. For more information about email and phishing scams see the Phishing Tip Sheet.

Study the NCSAM Guide for additional info on this and more cybersecurity concepts.

 

ref. § Identity Theft Resource Center, “2019 End-of the Year Data Breach Report”, 2019

National Cybersecurity Awareness Month Begins

Every year, the National Cyber Security Alliance designates this month of October to remind us: STOP. THINK. CONNECT.

The “bad guys” are always changing their tactics, and trying every way they can – phishing emails, ads on websites, even texts on our smartphones – to trick us.  Keeping up a layered defense is our best approach. There are three main messages :

Own IT.

  • Never Click and Tell: staying safe on social media
  • Update Privacy Settings on your phone and on social
  • Keep Tabs on Your Apps: best practices for apps on your devices

Secure IT.

  • Shake Up Your Passphrase Protocol: create strong, unique passphrases
  • Double Your Login Protection: turn on multi-factor authentication
  • Shop Safe Online: making sure your purchases are secure
  • Play Hard To Get With Strangers: how to spot and avoid phish

Protect IT.

  • If You Connect, You Must Protect: updating to the latest security software, web browser and operating systems
  • Stay Protected While Connected: Wi-Fi safety
  • If You Collect It, Protect It: keeping personal information safe

 

In the upcoming weeks, stay on the lookout here and in the myWidener Portal where we will periodically post throughout the month and explore these concepts.  If you ever have a question about an email, please forward it to phish@widener.edu. You can also call the Helpdesk at x1047, or email at helpdesk@widener.edu.

Happy October, and safe computing!

 

PHISHING Awareness: [EXTERNAL:] Email Subject Tagging

Phishing is among the top security concerns for Information Technology. Personal identifiable information, the primary target of phishing attempts, falling into the wrong hands can cause both financial and reputation damage to our university, students and its employees. Phishing attacks are often launched by including malicious attachments or links in email. When recipients open these malicious attachments or click on the links, it can spark an attack. Most email scams begin with messages from an external email system.

As part of Widener University’s effort to reduce phishing and other email scams and spoofing, these external email messages will now receive an [External:] tag in the message subject. [External:] email tagging makes it as easy as possible for you to recognize phishing attempts wherever you can.

Avoid being scammed

The best defense to avoid being scammed is to be suspicious of any message asking for sensitive information. If the message seems off, it probably is. Trust your instincts. Phishing attempts can be clever, but they’re easy to avoid if you know the signs.

What is [External:] tagging and how does it work?

Most email scams begin with messages from a non-Widener (external) email system. When tagging is enabled these external email messages will now receive an [EXTERNAL:] tag in the message subject. Many safe and legitimate email messages come from external email systems. The [EXTERNAL:] tag does not mean the message is a scam or malicious, only that recipients should take caution and read carefully. All email originating from outside the university, except for approved services, will be tagged with this [EXTERNAL:] message. See sample below:

What should I do when I see an [External:] email?

Its important to note that an email message with this warning does not necessarily mean the email is malicious, only that the recipient should take caution before clicking any links or attachments included within the email. The [EXTERNAL:] tag means you need to stop and think about this email:

  • Is it from a sender you know?
  • Were you expecting the email?
  • Verify with your friend or co-worker over the phone if you are unsure or if the email seems a bit off.
  • If there is a link in the message, Don’t click it! Instead, hover over the link to verify it is legitimate, or manually enter the known good URL into your browser.
  • Does the message make sense?
  • If you are concerned and unsure, send the message to Phish@widener.edu

Note: A legitimate message would not ask you to provide your credentials to maintain your account access.

Welcome from Information Security

Welcome (and welcome back) to Widener!

It’s a new academic year, and internet threats are ready and waiting as usual. Students, faculty, and staff are all busy preparing for a great year of learning, but the bad guys are trying to sneak past our guard. Here are some of the old classic threats that are still in use:

  • Impersonation emails that look like they’re from someone on campus (“Are you available?” gift card scams)
  • Random offers of on- or off-campus jobs (especially involving exchanges of gift cards or money orders)
  • PDF files that are nothing but a link, or try to get you to “log in”
  • Office365 document shares that don’t look like Widener emails
  • Warnings or threats about your Widener email account being closed or locked out, or that it “needs to be verified”
  • Voicemails or faxes that are supposedly waiting on you
  • Screen pop-ups that try to get you to click something (even legit ads are dangerous)

Please remember to be very careful with email links, especially from addresses you don’t know. The bad guys can also paste a real name onto a fake email, so take care when using your phone – phones often don’t show the email address. And they love to hit you during your commute.

When an email asks you to click a link, it’s best if you initiate the reply using a fresh start. Contact the person or department the way you’re familiar with, or check on my.widener.edu for the correct campus link.

Any phishing, scam, questionable, or just plain weird emails should be sent to phish@widener.edu. We’ll gladly check whether it’s real or a scam.

Follow our blog here at itsnews.widener.edu – we post on all types of ITS issues. Follow on Twitter at @WidenerISO for security news and current issues. If you ever have a question about email, passwords, viruses, or computer security in general, feel free to call the Information Security Office at ext. 1044, or open a ticket at the HelpDesk (quickticket.widener.edu).

Thanks, and have a great year!

Update Recommended for Chrome Browser

Google recently released an advisory telling users to update their Chrome browser immediately due to a zero-day vulnerability.  The flaw allows a specially-scripted page to read older file data in Chrome’s cache (the quick-read files that browsers store to speed things up).  This could potentially expose personal information such as medical data, banking information, tax returns (’tis the season), and much more.

All that was the bad news – the good news is that Chrome updates itself by default, and it never asks you if you want to turn that off.  Nevertheless, it’s worth a look to see if your Chrome installation has updated.

Users on Windows, Mac and Linux can access Chrome settings by visiting chrome://settings/help and checking to see if the version is up to date.  You can also click on the Customize and Control icon (the three vertical dots in the upper right of the browser) and choose Help > About Google Chrome.  If your browser has 72.0.3626.121 as the version, it is up to date (and will say so). If this isn’t your version, you can manually start a download.

As always, if you need assistance, please contact the Helpdesk at x1047, or open a ticket.

It’s Everyone’s Job to Ensure Online Safety at Work

It takes all of us to keep each other secure.

Photo by Stanley Dai on UnsplashIt’s often said that “people are the weakest link” in cybersecurity. We prefer to think of them as our greatest assets – not only our focus of protection, but also our greatest allies! A lot of phishes and spam that gets past our filters is caught by you. You’ve been forwarding the weird stuff to phish@widener.edu (keep it going!), and we’ve had a lot of success in reducing the number of compromised accounts. So, don’t let up – the bad guys sure aren’t. Every user at Widener is a target, even President Wollman herself. In fact, she’s one of our most eagle-eyed phish catchers!

Last week we spoke about the many scams that are hitting universities, and ours is no exception. Since that post, we’ve had several of the same types of scams come through our systems. We were safe from each due to skeptical and security-aware staff. Nevertheless, the attacks continue, and we expect them to get more targeted and better crafted.

Please be aware that one of the methods used is to build a scam so that you can’t easily verify the sender’s email address on a smartphone. Plus, if the bad guys send it during your commute, it’s even harder to know if it’s legit. Add to that an “URGENT” or a “right now,” and your red flags should go up. We want you to know who the sender really is, but we also want you to drive safely and get here okay. Check that email sender’s address on your PC, laptop, or tablet before replying.

Whether it’s preventing phishes, spam, and malware by a system we’ve put in place, or by the awareness of our user community, keeping Widener University safe is a shared responsibility.

Sometimes the Spam is a Scam

National Cybersecurity Awareness Month continues, and so do the scams.

 

There’s never a lull in email scams here at Widener.  Our community is targeted daily by one or more scams.  Some of them are old classics, and some are brand new.  Here is a list of a few we’ve seen – but even though it’s a short list, we get plenty of them.

Invoices – the bad guys send us “invoices” that are often spoofing or impersonating Widener employees.  The attachments usually have some sort of installer that tries to put malware (probably Ransomware) on the computer.  Sometimes they’re just PDFs with “links” to phishing sites.  So far, our defenses are finding them before they do anything bad (the author here knocks on wood).  Still, it’s best to be aware of any invoice, especially those that don’t refer to anything that’s due. (FTC link about this)

Direct Deposit – we’ve seen several instances of the bad guys impersonating employees to try to get our Payroll and HR groups to change their direct deposit info.  The goal is to catch a payroll or reimbursement deposit and then drain the account before the absence is noticed by the employee. This one is bad because when the money is gone, it’s gone. Since these started, we’ve put controls in place to verify requests. (Lexology link about this)

Dog-Walking/Babysitting/Nanny/Caregiver Offer – This scam involves the offer of a job doing some light care of pets, children, or a loved one.  Once responded to, the bad guy begins a scheme where a bad check is deposited, and the victim is directed to pay a third party to buy needed supplies and pay themselves.  The third party (the scammer) gets the money before the bank discovers the check is bogus, and victim is stuck with the shortage. (FTC link about this)

Sextortion” – The victim gets an email claiming to know their password, and it is often a valid one (usually old).  The scammer tells the victim that he/she has been caught looking at porn sites, and will release a pic “from the user’s camera” unless a sum of money is paid.  This one really gets to users because the password that the scammer sends is from one of the many breaches that have revealed passwords tied to addresses.  It’s a really popular scam – we’ve received dozens here at Widener – but it’s a scam nonetheless. (Forbes link about this)

Gift Cards – In this one, scammers impersonate someone that has a management position, and direct the employee to buy a sum of gift cards, scrape off the back, and provide the verification numbers back to the scammer.  Everyone wants to please their boss, so this one can be a real problem.  The best defense is to get to know your boss, and never use gift cards like this. (FTC link about this)

The goal of the scammer/phisher is to appear legitimate, which makes this difficult.  The better they are, the more people they can fool. Use this to your advantage: if it looks good, but you shouldn’t be getting it, that’s a red flag. Forward any email that’s weird or out of the ordinary to phish@widener.edu.

Make Your Home a Haven for Online Safety

It’s National Cybersecurity Awareness Month again!

https://staysafeonline.org/ncsam/

Since 2004, the National Cyber Security Alliance has designated the month of October to remind us: STOP. THINK. CONNECT.™  ITS posts every week this month with a new theme to keep cybersecurity awareness at the top of mind.

This week’s theme is “Make Your Home a Haven for Online Safety.”  We live in an age where having the internet in your home is a fact of life.  Most of us have learned how to give our home router a strong password.  We are routinely connecting PCs and smartphones, as well as game consoles and tablets.  Many of us have more fully-connected homes with devices such as thermostats, security systems, cameras – even things like refrigerators, door locks, and light bulbs! Keeping these items secure is critical, since each is a small computer, and carries much of the same risk as your other data devices.

It’s also important to remember that, for many students, Widener is their home for most of the year.  ITS maintains many security measures, but keeping out the bad guys also means having a strong password and staying alert for scams and phishing.  Keep in mind that the bad guys hit us when we’re most busy, and for us that’s the start of the semester and finals.

If you ever have a question about an email, feel free to forward it to phish@widener.edu.  You can also call the Helpdesk at x1047, or email at helpdesk@widener.edu. And be sure to follow us on Twitter at @WidenerISO.  Happy October, and safe computing!