wordpressuser

About wordpressuser

So far wordpressuser has created 50 blog entries.

CYBERSECURITY TIP OF THE DAY 30

Keeping Your Personal Information Secure Online

Know who you share your information with. Store and dispose of your personal information securely.

Be Alert to Impersonators

Make sure you know who is getting your personal or financial information. Don’t give out personal information on the phone, through the mail or over the Internet unless you’ve initiated the contact or know who you’re dealing with. If a company that claims to have an account with you sends email asking for personal information, don’t click on links in the email. Instead, type the company name into your web browser, go to their site, and contact them through customer service. Or, call the customer service number listed on your account statement. Ask whether the company really sent a request.

Safely Dispose of Personal Information

Before you dispose of a computer, get rid of all the personal information it stores. Use a wipe utility program to overwrite the entire hard drive.

Before you dispose of a mobile device, check your owner’s manual, the service provider’s website, or the device manufacturer’s website for information on how to delete information permanently, and how to save or transfer information to a new device. Remove the memory or subscriber identity module (SIM) card from a mobile device. Remove the phone book, lists of calls made and received, voicemails, messages sent and received, organizer folders, web search history, and photos.

Encrypt Your Data

Keep your browser secure. To guard your online transactions, use encryption software that scrambles information you send over the internet. A “lock” icon on the status bar of your internet browser means your information will be safe when it’s transmitted. Look for the lock before you send personal or financial information online.

Keep Passwords Private

Use strong passwords with your laptop, credit, bank, and other accounts. Be creative: think of a special phrase and use the first letter of each word as your password. Substitute numbers for some words or letters. For example, “I want to see the Pacific Ocean” could become 1W2CtPo.

Don’t Overshare on Social Networking Sites

If you post too much information about yourself, an identity thief can find information about your life, use it to answer ‘challenge’ questions on your accounts, and get access to your money and personal information. Consider limiting access to your networking page to a small group of people. Never post your full name, Social Security number, address, phone number, or account numbers in publicly accessible sites.

Securing Your Social Security Number

Keep a close hold on your Social Security number and ask questions before deciding to share it. Ask if you can use a different kind of identification. If someone asks you to share your SSN or your child’s, ask:

  • why they need it
  • how it will be used
  • how they will protect it
  • what happens if you don’t share the number

The decision to share is yours. A business may not provide you with a service or benefit if you don’t provide your number. Sometimes you will have to share your number. Your employer and financial institutions need your SSN for wage and tax reporting purposes. A business may ask for your SSN so they can check your credit when you apply for a loan, rent an apartment, or sign up for utility service.

2020-02-22T20:15:20-05:00 | October 30th, 2019 | Cybersecurity Tips

CYBERSECURITY TIP OF THE DAY 29

Don’t be Afraid of Multi Factor Authentication

It should be obvious that using multi factor authentication (MFA) helps with cybersecurity because it is a combination of three or more authentication factors: something you know, something you have and something you are (biometrics). Unfortunately, MFA still gets a bad rep. While most organizations utilize some form of traditional MFA or 2FA, it is universally hated because it’s a nuisance and frustrating to implement and use.

Is this bias toward convenience hurting companies? You bet! An analysis of recent breaches shows that if there had been additional authentication factors, the breaches probably wouldn’t have happened. There are a multitude of poorly designed MFA programs out there, so it’s no wonder that many companies don’t like utilizing them. With most MFA programs, you need to go through every step of the authentication process every time you need to sign in. This is absolutely a hassle, but it doesn’t have to be that way. In addition, many MFA solutions require you to create one-time passwords (OTP) or tokens every time you sign in. This is annoying and time-consuming for users. Thankfully, there is another way: using your biometrics as part of an MFA solution.

Passwords are Hurting You

Passwords are ancient. They’ve been used for centuries as a way to protect people and information. In the early years of technology, they seemed like the best solution for controlling access to systems with sensitive data.

Over the years, passwords and password encryption methods have become more complex, but so have the skills of hackers. Passwords have accounted for 81 percent of data breaches in the past few years. A computer doesn’t know when a password has been compromised; it just grants access to whoever enters it. This lack of proof of identity is an obvious flaw in passwords today.

Not being able to prove identity with a password is one thing, but in addition, businesses can’t always monitor employees and users to make sure they are using best practices. Most people use the same or similar passwords for almost all accounts.

2020-02-22T20:15:20-05:00 | October 29th, 2019 | Cybersecurity Tips

CYBERSECURITY TIP OF THE DAY 25

Protecting Sensitive Data

The Information Age has brought with it the ability to share, store, and transmit data with the click of a mouse. The risky part of this equation is that storage and transmission of sensitive data across computer systems can be difficult to protect, increasing the need for vigilance.

In the paper world, if a document is marked “Classified” or “Confidential”, we can easily protect it: place it face-down on the desk when someone without a need to know walks by, lock it in a file cabinet when it is not being used, use a courier or hand-deliver it to the appropriate person when it needs to be shared, and shred it when it is no longer needed. We need to take these same precautions in the computer world.

Computer systems are complex. They can include operating system software, applications and programs, databases, hardware components, and networks. Each of these elements requires a different method for protecting the data. Adding to the complexity are the dynamic way the systems and their parts interact and their need for frequent updates to fix bugs or protect against the latest hack attack. All of this collectively underscores the need for each of us to take responsibility to protect the sensitive data we handle.

If you ever have questions about the security of a system or an electronic document you are handling. In general, Information Security professionals suggest that protecting sensitive data requires a combination of people, processes, policies, and technologies.

2020-02-22T20:15:21-05:00 | October 25th, 2019 | Cybersecurity Tips

CYBERSECURITY TIP OF THE DAY 24

Credit Card Fraud

Credit card fraud is the unauthorized use of a credit or debit card, or similar payment tool (ACH, EFT, recurring charge, etc.), to fraudulently obtain money or property. Credit and debit card numbers can be stolen from unsecured websites or can be obtained in an identity theft scheme. Visit the FBI’s Identity Theft webpage for additional information.

Tips for Avoiding Credit Card Fraud:

  • Don’t give out your credit card number online unless the site is secure and reputable. Sometimes a tiny icon of a padlock appears to symbolize a higher level of security to transmit data. This icon is not a guarantee of a secure site, but provides some assurance.
  • Don’t trust a site just because it claims to be secure.
  • Before using the site, check out the security/encryption software it uses.
  • Make sure you are purchasing merchandise from a reputable source.
  • Do your homework on the individual or company to ensure that they are legitimate.
  • Obtain a physical address rather than simply a post office box and a telephone number, and call the seller to see if the telephone number is correct and working.
  • Send an e-mail to the seller to make sure the e-mail address is active, and be wary of those that utilize free e-mail services where a credit card wasn’t required to open the account.
  • Consider not purchasing from sellers who won’t provide you with this type of information.
  • Check with the Better Business Bureau from the seller’s area.
  • Check out other websites regarding this person/company.
  • Don’t judge a person or company by their website; flashy websites can be set up quickly.
  • Be cautious when responding to special investment offers, especially through unsolicited e-mail.
  • Be cautious when dealing with individuals/companies from outside your own country.
  • If possible, purchase items online using your credit card. You can often dispute the charges if something goes wrong.
  • Make sure the transaction is secure when you electronically send your credit card number.
  • Keep a list of all your credit cards and account information along with the card issuer’s contact information. If anything looks suspicious or you lose your credit card(s), contact the card issuer immediately.
2020-02-22T20:15:21-05:00 | October 24th, 2019 | Cybersecurity Tips

CYBERSECURITY TIP OF THE DAY 22

Botnet definition

A botnet is a collection of internet-connected devices that an attacker has compromised. Botnets act as a force multiplier for individual attackers, cyber-criminal groups and nation-states looking to disrupt or break into their targets’ systems. Commonly used in distributed denial of service (DDoS) attacks, botnets can also take advantage of their collective computing power to send large volumes of spam, steal credentials at scale, or spy on people and organizations.

Malicious actors build botnets by infecting connected devices with malware and then managing them using a command and control server. Once an attacker has compromised a device on a specific network, all the vulnerable devices on that network are at risk of being infected.

A botnet attack can be devastating. In 2016, the Mirai botnet shut down a large portion of the internet, including Twitter, Netflix, CNN and other major sites, as well as major Russian banks and the entire country of Liberia. The botnet took advantage of unsecured internet of things (IoT) devices such as security cameras, installing malware that then attacked the DYN servers that route internet traffic.

2020-02-22T20:15:21-05:00 | October 22nd, 2019 | Cybersecurity Tips

CYBERSECURITY TIP OF THE DAY 21

What Is Ransomware?

Ransomware is a special type of malware that is actively spreading across the Internet today, threatening to destroy victims’ documents and other files. Malware is software (a computer program) used to perform malicious actions. While ransomware is just one of many different types of malware, it has become very common because it is so profitable for criminals. Once ransomware infects your computer, it encrypts certain files or your entire hard drive. You are then locked out of the whole system or cannot access your important files, such as your documents or photos. The malware then informs you that the only way you can decrypt your files and recover your system is to pay the cyber criminal a ransom (thus the name ransomware). Most often, the ransoms must be paid in some form of digital currency, such as Bitcoin. Ransomware spreads like many other types of malware. The most common method involves sending victims malicious emails, where cyber criminals trick you into opening an infected attachment or clicking on a link that takes you to the attacker’s website.

2020-02-22T20:15:21-05:00 | October 21st, 2019 | Cybersecurity Tips

CYBERSECURITY TIP OF THE DAY 18

Online Shopping Tips

  • Conduct research: When using a new website for purchases, read reviews and see if other consumers have had a positive or negative experience with the site.
  • When in doubt, throw it out: Links in emails, posts and texts are often how cybercriminals try to steal your information or infect your devices.
  • Personal information is like money: value it and protect it: When making a purchase online, be alert to the kinds of information being collected to complete the transaction. Make sure you think it is necessary for the vendor to request that information. Remember, you only need to fill out required fields at checkout.
  • Use safe payment options: Credit cards are generally the safest option because they allow buyers to seek a credit from the issuer if the product isn’t delivered or isn’t what was ordered.
  • Don’t be disappointed: Read return policies and other website information so you know what to expect if the purchase doesn’t go as planned.
  • Protect your $$: When shopping, check to be sure the site is security enabled. Look for web addresses with https:// indicating extra measures to help secure your information.
2020-02-22T20:15:21-05:00 | October 18th, 2019 | Cybersecurity Tips

CYBERSECURITY TIP OF THE DAY 16

SMiShing is a security attack in which the user is tricked into downloading a Trojan horse, virus or other malware onto his cellular phone or other mobile device. SMiShing is short for “SMS phishing.”

Some cell phone users have started receiving SMS messages along these lines: ‘We’re confirming you’ve signed up for our dating service. You will be charged $2/day unless you cancel your order: www.smishinglink.com.’ (This is an example and was not a real URL at the time of writing.) This phenomenon, which we at McAfee Avert Labs are dubbing “SMiShing” (phishing via SMS), is yet another indicator that cell phones and mobile devices are becoming increasingly used by perpetrators of malware, viruses and scams.

While some might recognize this as a scam, many unsuspecting users would not. Fearful of incurring premium rates on their cell phone bill, they visit the Web site highlighted in the message. Once they arrive at the URL, they are prompted to download a program which is actually a Trojan horse that turns the computer into a zombie, allowing it to be controlled by hackers. The computer then becomes part of a bot network, which can then be used to launch denial of service

Best practices for mobile device security management should include:

  • Policies that help to address phishing.
  • Security software to address viruses and other malware.
  • A way to use over-the-air updates to re-image devices and recover data.

Users are advised to be as vigilant about security for their mobile devices as they are for desktop computers.

2020-02-22T20:15:21-05:00 | October 16th, 2019 | Cybersecurity Tips

CYBERSECURITY TIP OF THE DAY 15

There’s good news and bad news. The good news: advances in technology have changed our lives in many positive ways. The bad news: crooks keep pace with technological innovations and adjust their scams accordingly. One of the many technology-based criminal scams is ‘vishing’.

What is vishing?

Impersonating a person or legitimate business to scam people isn’t a new thing. Vishing is simply a new twist on an old routine. In fact, vishing has been around almost as long as internet phone service. The word ‘vishing’ is a combination of ‘voice’ and ‘phishing.’ Phishing is the practice of using deception to get you to reveal personal, sensitive, or confidential information. However, instead of using email, regular phone calls, or fake websites like phishers do, vishers use an internet telephone service (VoIP).

Using a combination of scare tactics and emotional manipulation, they try to trick people into giving up their information. These vishers even create fake Caller ID profiles (called ‘Caller ID spoofing’) which makes the phone numbers seem legitimate. The goal of vishing is simple: steal your money, your identity, or both.

Common Vishing Techniques

By spoofing a legitimate phone number, scammers lead people to believe the call is legitimate. At the same time, since you know that they can do this, you can’t even trust Caller ID. Yet even if you don’t answer the phone, they leave voice messages to provoke a response – you’ll return their call and give up your information.

Vishing Examples

Vishing can take several forms. One form targets your bank account or credit card account. For example, you might get a call with a message such as:

Your account has been compromised. Please call this number to reset your password. 

The visher hopes you’ll hear the message and panic. Typically, when you dial the number they leave, you hear an automated recording which asks for information like bank account numbers and/or other sensitive information.

Another example is a phone call about a free offer or telling you that you’ve won a prize. But in order to redeem the freebie, you must first pay for shipping and handling. A third example is a call saying you’ve won a prize such as a cruise or Disney vacation. To claim your prize, you’re told to first pay a redemption fee. Often, they ask you to give your credit card number over the phone.

Other vishing scams include things like:

  • Unsolicited offers for credit and loans
  • Exaggerated investment opportunities
  • Charitable requests for urgent causes
  • Extended car warranty scams
  • Social Security Cancellation
  • Police Warrants

What is vishing banking?

A vishing banking scam is a vishing attack that involves a call from someone who says they’re from your bank or some other financial organization. They may tell you that there is a problem with your account or with a payment from your account. They might ask you to transfer money to a different account to correct the problem. However, all they’re doing is taking your money.

2020-02-22T20:15:21-05:00 | October 15th, 2019 | Cybersecurity Tips

CYBERSECURITY TIP OF THE DAY 11

What is Sensitive Data?

Students, faculty, and staff interact with data on a daily basis. It is important to understand that all data cannot be treated equally in terms of how we store, share, and dispose of it.

  • Confidential Data is the most sensitive classification. Examples of confidential data include:
    • Social Security Numbers
    • Credit Card Numbers
    • Health Records
    • Financial Records
    • Student Records
  • Private Data is not considered confidential, but reasonable effort should be made so that it does not become readily available to the public. Examples of private data include:
    • Research Data
    • Personal Contact Data
    • Proprietary information
  • Public Data is suitable for public consumption and protection of the data is at the discretion of the owner. Examples of public data include:
    • Public budget data
    • Employee contact data
    • Departmental Websites

Here are some things to consider when dealing with sensitive data:

  • Do not transmit confidential data via wireless technology, email, or the Internet unless the connection is secure, or the information is encrypted. (https://dots.neit.edu/encrypted-email)
  • Password protect all confidential data, and accounts with access to confidential data.
  • Do not share passwords, and do not write passwords down.
  • Do not store unencrypted confidential information on a laptop or desktop computer’s hard drive, USB drive, CD, flash memory card, floppy drive, or other storage media.
  • Eliminate the use of forms that ask for confidential information whenever possible.
  • Do not store confidential information obtained from your institution systems on media or other systems unless required by the Institution or by law.
  • Always lock computers, offices, desks, and files that contain confidential information when unattended.
  • Do not publicly display confidential data, or leave confidential data unattended.
  • Do not share confidential documents or information with anyone unless required by government regulations, specific job responsibilities, or business requirements. Be prepared to say “no” when asked to provide that type of information.
  • Do not communicate confidential information to others unless you know they are approved to handle confidential information.
  • Notify the Department of Technical Services (DoTS) if you suspect confidential information may have been compromised.

2020-02-22T20:15:21-05:00 | October 11th, 2019 | Cybersecurity Tips

CYBERSECURITY TIP OF THE DAY 10

Protect Yourself from Phishing Scams

Phishing scams continue to proliferate at alarming rates and are becoming more and more difficult to detect. It’s important for you to understand how to recognize a phishing attempt and what you can do to protect yourself.

What Can I Do?

  • Be cautious about all communications you receive. If it appears to be a phishing communication, do not respond. Delete it. You can also forward it to the Federal Trade Commission at [email protected].
  • Do not click on any links listed in the email message, and do not open any attachments contained in a suspicious email.
  • Do not enter personal information in a pop-up screen. Legitimate companies, agencies, and organizations don’t ask for personal information via pop-up screens.
  • Install a phishing filter on your email application and also on your web browser. These filters will not keep out all phishing messages, but they will reduce the number of phishing attempts.

For more information:

2020-02-22T20:15:21-05:00 | October 10th, 2019 | Cybersecurity Tips