Cybersecurity Tips


Top 5 Steps to Work Securely from Home

We know that working from home can be new to some of you, perhaps overwhelming as you adjust to your new environment. One of our goals is to enable you to work as securely as possible from home. Below are five simple steps to working securely. The best part is that all of these steps not only help secure your work, but also make you and your family far safer as you create a cybersecure home.

1) YOU

First and foremost, technology alone cannot fully protect you – you are the best defense. Attackers have learned that the easiest way to get what they want is to target you, rather than your computer or other devices. If they want your password, work data or control of your computer, they’ll attempt to trick you into giving it to them, often by creating a sense of urgency. For example, they can call you pretending to be Microsoft technical support and claim that your computer is infected. Or perhaps they send you an email warning that a package could not be delivered, fooling you into clicking on a malicious link. The most common indicators of a social engineering attack include:

  • Someone creating a tremendous sense of urgency, often through fear, intimidation, a crisis or an important deadline.
  • Pressure to bypass or ignore security policies or procedures, or an offer too good to be true (no, you did not win the lottery!).
  • A message from a friend or co-worker in which the signature, tone of voice or wording does not sound like them.

ULTIMATELY, THE BEST DEFENSE AGAINST THESE ATTACKS IS YOU.

2) HOME NETWORK

Almost every home network starts with a wireless (often called Wi-Fi) network. This is what enables all of your devices to connect to the Internet. Most home wireless networks are controlled by your Internet router or a separate, dedicated wireless access point. Both work in the same way: by broadcasting wireless signals to which home devices connect. This means securing your wireless network is a key part of protecting your home. We recommend the following steps to secure it:

  • Change the default administrator password: The administrator account is what allows you to configure the settings for your wireless network. An attacker can easily discover the default password that the manufacturer has provided.
  • Allow only people that you trust: Do this by enabling strong security so that only people you trust can connect to your wireless network. Strong security will require a password for anyone to connect to your wireless network. It will encrypt their activity once they are connected.
  • Make passwords strong: The passwords people use to connect to your wireless network must be strong and different from the administrator password. Remember, you only need to enter the password once for each of your devices, as they store and remember the password.

NOT SURE HOW TO DO THESE STEPS? 

Ask your Internet Service Provider, check their website, check the documentation that came with your wireless access point, or refer to the vendor’s website.

3) PASSWORDS

A unique passphrase means using a different one for each device or online account. This way if one passphrase is compromised, all of your other accounts and devices are still safe.

CAN’T REMEMBER ALL THOSE PASSPHRASES?

Use a password manager, which is a specialized program that securely stores all your passphrases in an encrypted format (and has lots of other great features, too!). Finally, enable two-step verification (also called two-factor or multi-factor authentication) whenever possible. It uses your password, but also adds a second step, such as a code sent to your smartphone or an app that generates the code for you. Two-step verification is probably the most important step you can take to protect your online accounts and it’s much easier than you may think.

4) UPDATES

Cyber attackers are constantly looking for new vulnerabilities in the software your devices use. When they discover vulnerabilities, they use special programs to exploit them and hack into the devices you are using. Meanwhile, the companies that created the software for these devices are hard at work fixing them by releasing updates. By ensuring your computers and mobile devices install these updates promptly, you make it much harder for someone to hack you. To stay current, simply enable automatic updating whenever possible. This rule applies to almost any technology connected to a network, including not only your work devices but Internet-connected TVs, baby monitors, security cameras, home routers, gaming consoles or even your car.

MAKE SURE EACH OF YOUR COMPUTERS, MOBILE DEVICES, PROGRAMS AND APPS IS RUNNING THE LATEST VERSION OF ITS SOFTWARE.

5) KIDS & GUESTS

Something you most likely don’t have to worry about at the office is children, guests or other family members using your work laptop or other work devices.

MAKE SURE FAMILY AND FRIENDS UNDERSTAND THEY CANNOT USE YOUR WORK DEVICES.

They can accidentally erase or modify information, or, perhaps even worse, accidentally infect the device.

ALSO REMEMBER

  • Voice control devices, including Google Home, Amazon, Apple, etc., should be disabled/removed from the home work area for privacy reasons. Staff should remove them during call/video meetings. Faculty should remove them when teaching over collaborative technologies.
  • Any hard copies of documents should be secured from family and friends just like work devices. If using a shared family computer, then no documents/logins/passwords should be saved at all.
  • If using a camera, ensure you are in a private area where no personal/private items are in view or where family/friends will not normally enter into view of the camera.  When possible/available, blur the background.
2020-05-21T15:03:49-04:00 | March 30th, 2020 | Cybersecurity Tips, Working Remotely

General Internet Security


Don’t use lazy passphrases

Never use a password that anyone could guess or work out – a middle name, pet’s name, or favourite football team. Include capital letters, numbers, and punctuation for extra security. Ideally, the best password has so many characters that it could not be guessed by a computer program in a reasonable amount of time; this is a passphrase. Automated guessing in this fashion, known as a “brute force attack”, is one of the most common methods used by individuals who steal information with malicious intent.

For example…
If your preferred password is your pet’s name: “fido”, make a memorable phrase instead: “fido_likes_internet_security”

  • Make your password at least 12 characters in length.
  • Never use the same password for different accounts. If it is compromised, all of your accounts are at risk.
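
To put numbers on the "fido" versus "fido_likes_internet_security" comparison, here is an added example (not part of the original tip) that applies the rules above and estimates how long an exhaustive character-by-character search would take. The guessing rate is an assumed figure and the function names are this example's own.

```python
import string

MIN_LENGTH = 12                      # minimum length recommended above
ASSUMED_GUESSES_PER_SECOND = 1e10    # assumption: a fast offline guessing rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the character set an exhaustive search has to cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)          # 32 ASCII symbols
    known = string.ascii_letters + string.digits + string.punctuation
    size += len(set(password) - set(known))      # spaces, non-ASCII, etc.
    return size


def years_to_exhaust(password: str,
                     rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Upper bound: time to try every string of this length and alphabet.

    Word-based guessing can do much better against phrases built from
    common words, so treat the result as a ceiling, not a guarantee.
    """
    guesses = alphabet_size(password) ** len(password)
    return guesses / rate / SECONDS_PER_YEAR


def audit(password: str, personal_words=(), used_elsewhere=()) -> list:
    """Apply the rules from this tip; an empty list means none were broken."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("shorter than 12 characters")
    if password.lower() in {w.lower() for w in personal_words}:
        findings.append("is a guessable personal word")
    if password in used_elsewhere:
        findings.append("reused from another account")
    return findings


if __name__ == "__main__":
    for candidate in ("fido", "fido_likes_internet_security"):
        print(candidate)
        print("  findings:", audit(candidate, personal_words=["fido"]) or "none")
        print("  years to exhaust: %.3g" % years_to_exhaust(candidate))
```

Length dominates the result: the four-letter name falls in a fraction of a second, while the 28-character phrase is far out of reach of exhaustive search at the assumed rate.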

 

Be careful what you post online

  • Everything you write on a social network is public information, so don’t give out any personal details, such as your address, bank details, date of birth, or social security number. That would be the equivalent of shouting the details out of the window. Don’t write that you are going on holiday, as that leaves you vulnerable to burglars.
  • Many employers perform a simple Google search on prospective employees before hiring, so don’t post anything that could damage your chances of getting a job.

 

Important Concepts For A Safer Internet Experience

  • Never open email attachments or click on links from strangers
  • If you do any online banking, follow all security recommendations made by the institution
  • Watch out for email scams
    • Spoof emails are very common, ranging from Nigerian princes asking for a short-term loan to proper-looking companies asking you for personal information; a process called phishing.
    • If you get an official looking email saying there is a problem with your account, forward it to the company in question to get confirmation it’s from them.
    • Most companies will never ask you to tell them your password.
  • Use a firewall, anti-virus program, and anti-spyware program
    • A firewall will stop unauthorized people hacking on to your computer.
    • Anti-virus programs will guard your computer against viruses which could destroy your computer.
    • Anti-spyware will look out for programs such as keyloggers and trojans which spy on your machine use in an attempt to learn passwords or account details.

2020-02-25T16:45:38-05:00 | December 17th, 2019 | Cybersecurity Tips

Watch Out For Fake Apps.

Beware! Scammers are now creating fake apps. They trick you into downloading them to your smartphone or tablet, and ask you to load your credit card information in these apps. You can guess what happens next.

Here are 5 things to keep in mind about this Scam of The Week:

  1. Be very judicious in deciding what app to download. Better safe than sorry.
  2. If you *do* decide to download an app, check the reviews first; apps with few reviews or bad reviews are a big Red Flag.
  3. If you receive an email with a link to download a new app, don’t click it. Always go directly to the website of the retailer to download software, or use the AppStore or Google Play.
  4. Don’t link your credit card or give out any personal information to a program unless you are certain you’re dealing with a verified vendor.

 


2020-02-25T16:43:48-05:00 | December 11th, 2019 | Cybersecurity Tips

CYBERSECURITY TIP OF THE DAY 30

Keeping Your Personal Information Secure Online

Know who you share your information with. Store and dispose of your personal information securely.

Be Alert to Impersonators

Make sure you know who is getting your personal or financial information. Don’t give out personal information on the phone, through the mail or over the Internet unless you’ve initiated the contact or know who you’re dealing with. If a company that claims to have an account with you sends email asking for personal information, don’t click on links in the email. Instead, type the company name into your web browser, go to their site, and contact them through customer service. Or, call the customer service number listed on your account statement. Ask whether the company really sent a request.

Safely Dispose of Personal Information

Before you dispose of a computer, get rid of all the personal information it stores. Use a wipe utility program to overwrite the entire hard drive.

Before you dispose of a mobile device, check your owner’s manual, the service provider’s website, or the device manufacturer’s website for information on how to delete information permanently, and how to save or transfer information to a new device. Remove the memory or subscriber identity module (SIM) card from a mobile device. Remove the phone book, lists of calls made and received, voicemails, messages sent and received, organizer folders, web search history, and photos.

Encrypt Your Data

Keep your browser secure. To guard your online transactions, use encryption software that scrambles information you send over the internet. A “lock” icon on the status bar of your internet browser means your information will be safe when it’s transmitted. Look for the lock before you send personal or financial information online.

Keep Passwords Private

Use strong passwords with your laptop, credit, bank, and other accounts. Be creative: think of a special phrase and use the first letter of each word as your password. Substitute numbers for some words or letters. For example, “I want to see the Pacific Ocean” could become 1W2CtPo.

Don’t Overshare on Social Networking Sites

If you post too much information about yourself, an identity thief can find information about your life, use it to answer ‘challenge’ questions on your accounts, and get access to your money and personal information. Consider limiting access to your networking page to a small group of people. Never post your full name, Social Security number, address, phone number, or account numbers in publicly accessible sites.

Securing Your Social Security Number

Keep a close hold on your Social Security number and ask questions before deciding to share it. Ask if you can use a different kind of identification. If someone asks you to share your SSN or your child’s, ask:

  • why they need it
  • how it will be used
  • how they will protect it
  • what happens if you don’t share the number

The decision to share is yours. A business may not provide you with a service or benefit if you don’t provide your number. Sometimes you will have to share your number. Your employer and financial institutions need your SSN for wage and tax reporting purposes. A business may ask for your SSN so they can check your credit when you apply for a loan, rent an apartment, or sign up for utility service.

2020-02-22T20:15:20-05:00 | October 30th, 2019 | Cybersecurity Tips

CYBERSECURITY TIP OF THE DAY 29

Don’t be Afraid of Multi Factor Authentication

It should be obvious that using multi factor authentication (MFA) helps with cybersecurity because it is a combination of three or more authentication factors: something you know, something you have and something you are (biometrics). Unfortunately, MFA still gets a bad rep. While most organizations utilize some form of traditional MFA or 2FA, it is universally hated because it’s a nuisance and frustrating to implement and use.

Is this bias toward convenience hurting companies? You bet! An analysis of recent breaches shows that if there had been additional authentication factors, the breaches probably wouldn’t have happened. There are a multitude of poorly designed MFA programs out there, so it’s no wonder that many companies don’t like utilizing them. With most MFA programs, you need to go through every step of the authentication process every time you need to sign in. This is absolutely a hassle, but it doesn’t have to be that way. In addition, many MFA solutions require you to create one-time passwords (OTP) or tokens every time you sign in. This is annoying and time consuming for users. Thankfully, there is another way – using your biometrics as part of an MFA solution.

Passwords are Hurting You

Passwords are ancient. They’ve been used for centuries as a way to protect people and information. In the early years of technology, they seemed like the best solution for controlling access to systems with sensitive data.

Over the years, passwords and password encryption methods have become more complex, but so have the skills of hackers. Passwords have accounted for 81 percent of data breaches in the past few years. A computer doesn’t know when a password has been compromised; it just grants access to whoever enters it. This lack of proof of identity is an obvious flaw in passwords today.

Not being able to prove identity with a password is one thing, but in addition, businesses can’t always monitor employees and users to make sure they are using best practices. Most people use the same or similar passwords for almost all accounts.

2020-02-22T20:15:20-05:00 | October 29th, 2019 | Cybersecurity Tips

CYBERSECURITY TIP OF THE DAY 25

Protecting Sensitive Data

The Information Age has brought with it the ability to share, store, and transmit data with the click of a mouse. The risky part of this equation is that storage and transmission of sensitive data across computer systems can be difficult to protect, increasing the need for vigilance.

In the paper world, if a document is marked “Classified” or “Confidential”, we can easily protect it: place it face-down on the desk when someone without a need to know walks by, lock it in a file cabinet when it is not being used, use a courier or hand-deliver it to the appropriate person when it needs to be shared, and shred it when it is no longer needed. We need to take these same precautions in the computer world.

Computer systems are complex. They can include operating system software, applications and programs, databases, hardware components, and networks. Each of these elements requires a different method for protecting the data. Adding to the complexity is the dynamism in terms of the way the systems and their parts interact and their requirement for frequent updates to fix bugs or protect against the latest hack attack. All of this collectively underscores the need for each of us to take responsibility to protect the sensitive data we handle.

If you ever have questions about the security of a system or an electronic document you are handling. In general, Information Security professionals suggest that protecting sensitive data requires a combination of people, processes, policies, and technologies.

2020-02-22T20:15:21-05:00 | October 25th, 2019 | Cybersecurity Tips

What ‘deepfakes’ are and how they may be dangerous

KEY POINTS
  • Anybody who has a computer and access to the internet can technically produce a “deepfake” video, says John Villasenor, professor of electrical engineering at the University of California, Los Angeles.
  • “The technology can be used to make people believe something is real when it is not,” said Peter Singer, cybersecurity and defense focused strategist and senior fellow at New America.

 

A comparison of an original and deepfake video of Facebook CEO Mark Zuckerberg.
Elyse Samuels | The Washington Post | Getty Images

Camera apps have become increasingly sophisticated. Users can elongate legs, remove pimples, add on animal ears and now, some can even create false videos that look very real. The technology used to create such digital content has quickly become accessible to the masses, and they are called “deepfakes.”

Deepfakes refer to manipulated videos, or other digital representations produced by sophisticated artificial intelligence, that yield fabricated images and sounds that appear to be real.

Such videos are “becoming increasingly sophisticated and accessible,” wrote John Villasenor, nonresident senior fellow of governance studies at the Center for Technology Innovation at Washington-based public policy organization, the Brookings Institution. “Deepfakes are raising a set of challenging policy, technology, and legal issues.”

In fact, anybody who has a computer and access to the internet can technically produce deepfake content, said Villasenor, who is also a professor of electrical engineering at the University of California, Los Angeles.

What are deepfakes?

The word deepfake combines the terms “deep learning” and “fake,” and is a form of artificial intelligence.

In simplistic terms, deepfakes are falsified videos made by means of deep learning, said Paul Barrett, adjunct professor of law at New York University.

Deep learning is “a subset of AI,” and refers to arrangements of algorithms that can learn and make intelligent decisions on their own.

But the danger of that is “the technology can be used to make people believe something is real when it is not,” said Peter Singer, cybersecurity and defense-focused strategist and senior fellow at New America think tank.

Singer is not the only one who’s warned of the dangers of deepfakes.

Villasenor told CNBC the technology “can be used to undermine the reputation of a political candidate by making the candidate appear to say or do things that never actually occurred.”

“They are a powerful new tool for those who might want to (use) misinformation to influence an election,” said Villasenor.

How do deepfakes work?

A deep-learning system can produce a persuasive counterfeit by studying photographs and videos of a target person from multiple angles, and then mimicking its behavior and speech patterns.

Barrett explained that “once a preliminary fake has been produced, a method known as GANs, or generative adversarial networks, makes it more believable. The GANs process seeks to detect flaws in the forgery, leading to improvements addressing the flaws.”

And after multiple rounds of detection and improvement, the deepfake video is completed, said the professor.

According to an MIT technology report, a device that enables deepfakes can be “a perfect weapon for purveyors of fake news who want to influence everything from stock prices to elections.”

In fact, “AI tools are already being used to put pictures of other people’s faces on the bodies of porn stars and put words in the mouths of politicians,” wrote Martin Giles, San Francisco bureau chief of MIT Technology Review in a report.

He said GANs didn’t create this problem, but they’ll make it worse.

How to detect manipulated videos?

While AI can be used to make deepfakes, it can also be used to detect them, Brookings’ Villasenor wrote in February. With the technology becoming accessible to any computer user, more and more researchers are focusing on deepfake detection and looking for a way of regulating it.

Large corporations such as Facebook and Microsoft have taken initiatives to detect and remove deepfake videos. The two companies announced earlier this year that they will be collaborating with top universities across the U.S. to create a large database of fake videos for research, according to Reuters.

“Presently, there are slight visual aspects that are off if you look closer, anything from the ears or eyes not matching to fuzzy borders of the face or too smooth skin to lighting and shadows,” said Singer from New America.

But he said that detecting the “tells” is getting harder and harder as the deepfake technology becomes more advanced and videos look more realistic.

Even as the technology continues to evolve, Villasenor warned that detection techniques “often lag behind the most advanced creation methods.” So the better question is: “Will people be more likely to believe a deepfake or a detection algorithm that flags the video as fabricated?”

2020-02-22T20:16:07-05:00 | October 24th, 2019 | Cyber News, Cybersecurity Tips

CYBERSECURITY TIP OF THE DAY 24

Credit Card Fraud

Credit card fraud is the unauthorized use of a credit or debit card, or similar payment tool (ACH, EFT, recurring charge, etc.), to fraudulently obtain money or property. Credit and debit card numbers can be stolen from unsecured websites or can be obtained in an identity theft scheme. Visit the FBI’s Identity Theft webpage for additional information.

Tips for Avoiding Credit Card Fraud:

  • Don’t give out your credit card number online unless the site is secure and reputable. Sometimes a tiny icon of a padlock appears to symbolize a higher level of security to transmit data. This icon is not a guarantee of a secure site, but provides some assurance.
  • Don’t trust a site just because it claims to be secure.
  • Before using the site, check out the security/encryption software it uses.
  • Make sure you are purchasing merchandise from a reputable source.
  • Do your homework on the individual or company to ensure that they are legitimate.
  • Obtain a physical address rather than simply a post office box and a telephone number, and call the seller to see if the telephone number is correct and working.
  • Send an e-mail to the seller to make sure the e-mail address is active, and be wary of those that utilize free e-mail services where a credit card wasn’t required to open the account.
  • Consider not purchasing from sellers who won’t provide you with this type of information.
  • Check with the Better Business Bureau from the seller’s area.
  • Check out other websites regarding this person/company.
  • Don’t judge a person or company by their website; flashy websites can be set up quickly.
  • Be cautious when responding to special investment offers, especially through unsolicited e-mail.
  • Be cautious when dealing with individuals/companies from outside your own country.
  • If possible, purchase items online using your credit card. You can often dispute the charges if something goes wrong.
  • Make sure the transaction is secure when you electronically send your credit card number.
  • Keep a list of all your credit cards and account information along with the card issuer’s contact information. If anything looks suspicious or you lose your credit card(s), contact the card issuer immediately.
2020-02-22T20:15:21-05:00 | October 24th, 2019 | Cybersecurity Tips