
Securing Your New Devices

John Knights —  January 7, 2015

As students, faculty, and staff members come back from our winter break to begin the new semester, we want to make sure we are sharing some useful security tips you should follow for those new devices you may have been gifted or purchased over the holidays. The following list is an excerpt from a Newsletter compiled by the Center for Internet Security and the Multi-State Information Sharing and Analysis Center. We recommend you take a look and consider these tips to ensure you are following security best practices for your new and older internet-enabled devices (computers, smartphones, tablets, game consoles, smart tvs, etc.).

  • Configure your device with security in mind. The “out-of-the-box” configurations of many devices and system components are default settings often geared more toward ease-of-use and extra features rather than securing your device to protect your information. Enable security settings, paying particular attention to those that control information sharing.
  • Turn on your firewall. Firewalls provide an essential function of protecting your computer or device from potentially malicious actors. Without a firewall, you might be exposing your personal information to any computer on the Internet.
  • Enable encryption. Encryption makes it hard for attackers who have gained access to your device to obtain access to your information. It’s a powerful tool that you should consider implementing.
  • Lock the device. Locking your device with a strong PIN/password makes unauthorized access to your information more difficult. Additionally, make sure that your device automatically locks after five minutes of inactivity. This way, if you misplace your device, you minimize the opportunity for someone to access your personal information.
  • Regularly apply updates. Manufacturers and application developers update their code to fix weaknesses and push out the updates and patches. Enable settings to automatically apply these patches to ensure that you’re fixing the identified weaknesses in the applications, especially your operating system, web browser and associated third party apps.
  • Install antivirus software. Install antivirus software if it is available for your device to protect from known viruses. Additionally, enable automatic updating of the antivirus software to incorporate the most recently identified threats.
  • Be careful downloading apps. When downloading a new app to your device, you are potentially providing that app with a lot of information about you, some of which you may not want to share. Be proactive and make sure that you read the privacy statement, review permissions, check the app reviews and look online to see if any security company has identified the app as malicious. A good way to prevent accidental downloading of malware is to use a trusted store instead of third party stores. Google Play Store and Apple’s App Store proactively remove known malicious apps to protect users.
  • Disable unwanted services/calling. Capabilities such as Bluetooth, network connections and Near Field Communications provide ease and convenience in using your smartphone. They can also provide an easy way for a nearby, unauthorized user to gain access to your data. Turn these features off when they are not needed.
  • Set up a non-privileged account for general web use. Privileged (such as Administrator or Root) accounts allow users to make changes and access processes and functions that are not needed on a daily basis. A compromised administrative account provides attackers with the authority to access anything on your computer or possibly even your network. Setting up a non-privileged account for use in browsing websites and checking emails provides one more layer of defense.

NCSAM Week 4 Recap

John Knights —  October 24, 2014

Last week’s Twitter chat (#ChatSTC) was on “Cybersecurity for Small and Medium-Sized Business and Entrepreneurs.” During an hour-long chat on Twitter last Thursday, organizations and individuals joined together to discuss the top concerns and share tips on addressing them.

What was apparent is that many of the same threats and challenges that large corporations face each day are applicable to small and medium businesses. Actually, these are issues that all organizations face, even in higher ed. If you’re interested in learning more about what was discussed, stop by the StaySafeOnline.org Blog (link below) and read some of the highlights from yesterday’s discussion.

Students, as you go on your coops or prepare to graduate and begin your careers, it doesn’t matter what field or discipline you’re in. Cybersecurity affects all organizations, and as part of the NCSAM campaign, we’d like to remind everyone that cybersecurity is “Our Shared Responsibility.”

Join next week’s Twitter chat on “Preventing and Recovering from Cybercrime.”

Link to StaySafeOnline.org Blog – “Cybersecurity and the Risk to the Small Business Owner”

Link to National Cyber Security Awareness Month information page.

Recently, there’s been some news coverage regarding a vulnerability found in USB devices. The vulnerability involves the small computer chip on USB devices that allows the host it is plugged into, usually a computer, to detect the type of USB device that was attached and then connect it for use. This is done rather quietly and in the background on your computer. The small embedded computer chip onboard these USB devices has a small operating system (a set of information and instructions to facilitate the detection and connection) that is referred to as its firmware. The vulnerability involves this firmware, more specifically the fact that this firmware can be changed or updated on some USB devices.

What does this mean for you? Well, this means that the firmware on USB devices can be altered with potentially malicious software that can harm your computer or expose sensitive information. This malware, using the fact that USB devices are allowed to automatically run the onboard firmware on your computer, can infect a vulnerable machine without needing any additional interaction from the user (plug-in and auto-execute malware).

There is a silver lining to this vulnerability. It takes a vulnerable machine to be infected by a compromised USB device. So make sure you keep up with operating system and application patches and updates for all your devices. (See yesterday’s blog for more on the importance of keeping your machine up-to-date with patches.)
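One defensive check that follows from the description above: a device whose firmware has been reprogrammed no longer has to announce itself the way its label suggests, and the well-known form of this attack is a flash drive that additionally registers as a keyboard (USB HID class) so that it can type into the host. The script below, an added example that is not part of the original post or of the Symantec/McAfee advice, compares each attached device's interface classes against a hypothetical allow-list of approved devices and flags storage devices that also present a HID interface. The inventory line format, the vendor/product ids and the allow-list are all constructed for the example; on a real host you would feed it the values from your operating system's USB device listing.

```python
import re
from dataclasses import dataclass

# USB interface class codes (USB-IF class code list).
HID = 0x03           # keyboards, mice
MASS_STORAGE = 0x08  # flash drives, card readers

# Hypothetical allow-list: the interface classes each approved device is expected
# to present. The vendor/product ids are made-up placeholders.
EXPECTED_CLASSES = {
    ("1a2b", "0001"): {MASS_STORAGE},  # an approved flash drive
    ("1a2b", "0002"): {HID},           # an approved wireless mouse receiver
}

@dataclass
class UsbDevice:
    vendor: str
    product_id: str
    name: str
    classes: set

# One inventory line per device, in a simple constructed format.
LINE_RE = re.compile(
    r'idVendor=([0-9a-fA-F]{4})\s+idProduct=([0-9a-fA-F]{4})\s+'
    r'product="([^"]*)"\s+interfaces=([0-9a-fA-F,]+)'
)

def parse_inventory(text: str):
    """Parse inventory lines into UsbDevice records; lines that do not match are ignored."""
    devices = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        classes = {int(code, 16) for code in m.group(4).split(",") if code}
        devices.append(UsbDevice(m.group(1).lower(), m.group(2).lower(), m.group(3), classes))
    return devices

def assess(device: UsbDevice):
    """Return human-readable findings for one device (empty list = nothing suspicious)."""
    findings = []
    expected = EXPECTED_CLASSES.get((device.vendor, device.product_id))
    if expected is None:
        if HID in device.classes:
            findings.append("unapproved device presents a keyboard/mouse (HID) interface")
    elif device.classes != expected:
        findings.append(
            f"interface classes {sorted(device.classes)} differ from approved {sorted(expected)}"
        )
    if MASS_STORAGE in device.classes and HID in device.classes:
        findings.append("storage device also registers as a keyboard: BadUSB-style masquerade")
    return findings

def assess_inventory(text: str):
    """Assess every device in an inventory; returns [(name, findings), ...] in input order."""
    return [(dev.name, assess(dev)) for dev in parse_inventory(text)]

# Constructed sample inventory: the same flash drive before and after reflashing,
# an approved receiver, and an unknown "cable" that registers as a keyboard.
SAMPLE_INVENTORY = """\
idVendor=1a2b idProduct=0001 product="Flash Drive" interfaces=08
idVendor=1a2b idProduct=0001 product="Flash Drive" interfaces=08,03
idVendor=1a2b idProduct=0002 product="USB Receiver" interfaces=03,03
idVendor=3c4d idProduct=9999 product="Charging Cable" interfaces=03
"""

if __name__ == "__main__":
    for name, findings in assess_inventory(SAMPLE_INVENTORY):
        print(f"{name}: {findings or 'OK'}")
```

The allow-list approach is deliberately strict: a device that is approved as storage only is reported the moment it presents any other interface, which is exactly the change a reflashed firmware produces.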

In addition, we would like to share some good advice from Symantec and McAfee (security software providers) as covered in an article posted on Mashable.com on how you can avoid being a victim of a BadUSB attack.

  1. Only use USB devices from reputable retailers. Make sure you are purchasing new, sealed devices.
  2. Avoid using “pre-owned” or used USB devices.
  3. Do not leave USB devices, and computers, unlocked and unattended in public places. It is always a good practice, regardless of whether a USB storage device is vulnerable to this attack or not, to keep external storage in a secure location.

Learn more about BadUSB at the linked articles below.

“BadUSB” – what if you could never trust a USB device again?: https://nakedsecurity.sophos.com/2014/08/02/badusb-what-if-you-could-never-trust-a-usb-device-again/

BadUSB – now with Do-It-Yourself instructions: https://nakedsecurity.sophos.com/2014/10/06/badusb-now-with-do-it-yourself-instructions/

How You Can Avoid a BadUSB Attack: http://mashable.com/2014/10/03/how-can-you-avoid-badusb/

Data Privacy Month Wrap-up

John Knights —  February 28, 2014

Throughout Data Privacy Month we have covered a few important areas to help you better protect your privacy and information online. As the month comes to a close, remember to implement the tips you’ve learned and guard your information year round. Protecting yourself from phishing and other types of social engineering relies only on your vigilance. Always be on the lookout for suspicious communication requesting information, especially when there are spelling errors, mysterious links, or when something just doesn’t look or sound right to you. Ensure that trusted websites are the official versions and not just impersonations before you submit personal information. If you are suspicious of a website, link, or any form of communication, you can report it to Information Security.  To better prepare you for phishing attacks check out our Phishing page and report any potential spam or phishing emails to SPAM@wit.edu.

If you still haven’t, check your privacy settings on social networks and ensure your personal data that you do not want made available to the public is hidden. You can prevent your pictures from being stolen and used for advertising without your permission and stop future employers from scrutinizing your profile during the hiring process. Secure your account and help prevent hacking by choosing a more complex password. Don’t be convinced by scams that seem too good to be true and remember that the best thing to do is not click if you aren’t confident about the link.  For more on staying safe on social networks check out the last Information Security blog.

If you are using a public Wi-Fi hotspot, make sure that your sharing settings are off to ensure that you are not broadcasting your computer to others on the same network. Remember, if you need to check your bank account on a mobile device, use a 3G or 4G connection whenever possible as it is more secure. If you are on a laptop, connect using a Virtual Private Network (VPN) service to create a secure connection, which will then secure your information. (For Wentworth employees that require VPN access to the campus network when working remotely, please email our Information Security Office to find out more.) Always be cautious when in a public space, even when connecting to “secured” or encrypted Wi-Fi hotspots as they may not employ the most up-to-date settings or security. At Wentworth, our LeopardSecure Wi-Fi network utilizes strong encryption, so you can be sure that your communications are secure. To learn more about Public Wi-Fi read the Information Security blog about it.

If everyone does their part in protecting sensitive information and following safe practices when online, all benefit. Not only are you safeguarding your information when following these practices, you are also protecting your families, friends, and colleagues. For the latest news, advisories and alerts, follow Wentworth’s Information Security Office on Twitter at @InfoSec_WIT and on the web at www.wit.edu/dts/security.

Phishing is a type of cyber attack that utilizes social engineering in an attempt to steal your identity by obtaining your personal information. By impersonating a person or company you trust, the scammer tries to receive your passwords, credit card numbers, account numbers, birthdate, or other information. Phishing can be conducted via e-mail, websites, telephone, or even postal mail. The point is to exploit you without you knowing and with your help. Knowing how to spot phishing attempts can protect you against having your identity stolen.

Protecting yourself from this type of cyber-attack relies only on your vigilance online. Always be on the lookout for odd letters or emails requesting information, especially when there are spelling errors or mysterious links. Often a phishing email will pose as one company but the link inside goes to a completely different obscure website. Ensure that trusted websites are the official versions and not just impersonations before you submit personal information. If you are suspicious of a website, link, or any form of communication, you can report it to Information Security by forwarding the email to spam@wit.edu or abuse@wit.edu.

The Wentworth Information Security Office also provides more on how to better prepare you for phishing attacks at our phishing information page.

What better place to catch unsuspecting people who are bored and want to go online than the airport? Next time you’re flying, be cautious of the wireless network you choose to join on your mobile device, because it could easily be an ad hoc network (phone to phone connection) or another trap set by a hacker. Often times a hacker will intercept information over an unsecured Wi-Fi network and acquire people’s passwords to social media or, worse yet, the credentials they use to access their bank account online. Think of unprotected Wi-Fi like mailing a letter in a transparent envelope and placing it in an unsecured mailbox: you have to leave the information in it and wait for the mail carrier (the website) to pick it up. If a hacker gets to the information before the website (the mail carrier), he could view the contents and even tamper with it. The safest thing is to never input sensitive information on an unprotected Wi-Fi network.

If you need to check your bank account on a mobile device, use a 3G or 4G connection whenever possible as it is more secure. If you are on a laptop, connect using a Virtual Private Network, or VPN, service to create a secure connection, which will then secure your information. (For Wentworth employees that require VPN access to the campus network when working remotely, please email our Information Security Office to find out more.) Always be cautious when in a public space, even when connecting to “secured” or encrypted WiFi hotspots as they may not employ the most up-to-date settings. At Wentworth, our LeopardSecure WiFi network utilizes strong encryption, so you can be sure that your communications are secure.

There are a few other things to consider when using public WiFi hotspots. First, make sure that your sharing settings are off. This will ensure that you are not broadcasting your computer to others on the same network, limiting your potential exposure. Secondly, be careful with your personal information even when you’re on a secure Wi-Fi network. Chrome’s Incognito and Mozilla’s Private Browsing modes will cover your tracks on your computer, but they leave the data you share vulnerable. Many sites allow for secure connections using an encrypted channel to their web site, through HTTPS. The problem is that even though it is available, many sites use unencrypted HTTP as the default to ensure connectivity. There is a tool that you can use with your browser named HTTPS Everywhere. HTTPS Everywhere is a browser plugin that solves this problem and secures your data by keeping you on the encrypted version of every website that offers one. It is available for Mozilla Firefox, Google Chrome, and Opera.

The theme for this year’s National Cyber Security Awareness Month is “Our Shared Responsibility,” which aims to inform everyone of their role in making sure we are all using the Internet in a safer and more secure manner. One area that security professionals tend to focus on is how we authenticate to all the services and accounts we utilize through the Internet. To authenticate to these services, we typically use two components, a username and password. Whether it is a site that simply offers more information to those that subscribe or banking sites, we need to follow best practices when creating and maintaining these passwords. The following is a list of the top suggested best practices.


  1. Use complex passwords. It is key to make passwords hard to guess and hard to crack. To make sure that your password is strong and hard to break, make sure it:
     • Is at least 8 characters long
     • Does not match any of your previous 6 passwords
     • Does not contain your username, first name, or last name
     • Contains a character from 3 of the following 4 groups:
       • English uppercase characters (A through Z)
       • English lowercase characters (a through z)
       • Numerals (0 through 9)
       • Non-alphabetic characters ($ % ^ &)
  2. Never give anyone your password. Remember, DTS will never ask you for your password, and most service providers state the same as part of their policy and practice.
  3. Use a different password for every service or site you use. The main reason to do this is to minimize the potential impact if one of your accounts is compromised. For example, if you use the same password for Amazon, Outlook, and Twitter, an attacker can compromise all three by compromising only one. If each site has its own password and one is compromised, you only need to address that site.
  4. Store your passwords securely. So you’re using different, complex passwords for each site. Now you need to manage them, and writing them down is not a good practice: a simple search on your computer for an unencrypted file, or a look around your desk for passwords written on Post-It notes, can compromise all of your accounts. You can use an Excel spreadsheet that is password protected, which will encrypt the file, but it is not convenient. A simple and convenient approach is best to make sure you stick with these best practices. A few password managers that are always at the top of the lists are LastPass, 1Password, and KeePass. Some are free, others are not. The price usually determines ease and flexibility more than security. Just make sure whichever you decide to use is from a reputable company or organization and works across all the devices you use to access your accounts over the internet.
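The complexity rules in item 1 (minimum length, no reuse of the previous 6 passwords, no username or name inside the password, 3 of 4 character groups) are easy to state but routinely implemented wrong, so here is a worked checker. It is an added example and not DTS's own password system; the user names and old passwords in it are constructed. The one design point worth noting is that the history holds only salted PBKDF2 digests, so reuse can be detected without the old passwords themselves ever being stored.

```python
import hashlib
import hmac
import os
import re

# Policy parameters, taken from the list above.
MIN_LENGTH = 8
HISTORY_DEPTH = 6
REQUIRED_GROUPS = 3

# The four character groups; a password must draw from at least three of them.
GROUPS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "numeral": re.compile(r"[0-9]"),
    "non-alphabetic": re.compile(r"[^A-Za-z0-9]"),
}

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; the history keeps only digests, never passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def remember_password(history: list, password: str) -> list:
    """Push a fresh (salt, digest) pair onto the front of the history (newest first)."""
    salt = os.urandom(16)
    history.insert(0, (salt, hash_password(password, salt)))
    return history

def check_password(password: str, username: str, first_name: str,
                   last_name: str, history: list) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"is shorter than {MIN_LENGTH} characters")

    lowered = password.lower()
    for label, value in (("username", username), ("first name", first_name),
                         ("last name", last_name)):
        if value and value.lower() in lowered:
            problems.append(f"contains your {label}")

    groups_hit = [name for name, pattern in GROUPS.items() if pattern.search(password)]
    if len(groups_hit) < REQUIRED_GROUPS:
        problems.append(f"uses only {len(groups_hit)} of the 4 character groups "
                        f"(need {REQUIRED_GROUPS})")

    # Compare against the last HISTORY_DEPTH digests, in constant time per digest.
    for salt, digest in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            problems.append(f"matches one of your previous {HISTORY_DEPTH} passwords")
            break
    return problems

if __name__ == "__main__":
    # Constructed sample: a user with two prior passwords trying three candidates.
    history = []
    for old in ("Winter2013!", "Spring2014!"):
        remember_password(history, old)
    for candidate in ("jsmith99", "Winter2013!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, "jsmith", "John", "Smith", history) or "OK")
```

Note that "jsmith99" fails three rules at once (it contains the username and the last name, and draws from only two character groups), which is why the checker returns every violation rather than stopping at the first one: the user sees all of the rules the next attempt has to satisfy.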

If you have any questions or comments about what was covered today or in any of the previous posts, please contact us at infosecurity@wit.edu.

National Cyber Security Awareness Month is in full swing and this week’s topic is about protecting data. Information security is all about protecting the privacy and availability of data. One of the main causes behind a compromise of data privacy is accidental disclosure. Members of Technology Services are continually working to improve the systems and tools used to protect the Institute’s data privacy and availability, but there are limitations to what can be done centrally. Review the following tips you can use to ensure that we all are working together to secure our sensitive data and protect the Institute against accidental disclosures.

TIP 1: KNOW WHAT DATA YOU HAVE. Before you can protect data, you need to know what you have that needs protecting. The Institute utilizes a tool called Identity Finder. This is a good tool that searches through all the files on your computer to identify potentially sensitive information based on the criteria you provide. For example, if you set it to search for social security numbers, it will search for all potential ways that they can be expressed (e.g., with or without dashes) and return the results to you. What is especially useful about this tool is that it can perform tasks on the files, such as shred (deletes the file in a secure manner) or quarantine (relocates files to a predetermined location for easier management), when they match the criteria you have set. For more information on Identity Finder and how to use it, please visit our Identity Finder resource page. For those that do not have it installed on their machines, please go to our Tools & Resources page for information on obtaining a free version.
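To show what "all potential ways that they can be expressed" means in practice, here is a small scanner for the social security number case. It is an added example, not Identity Finder's code or the Institute's tooling. It matches the dashed and undashed forms the text mentions and also a space-separated form, refuses to fire inside longer digit runs such as order numbers, and discards shapes the Social Security Administration never issues (area 000, 666 or 900 and above; group 00; serial 0000) to cut false positives. Findings report only a masked form so that the scan report does not itself become a document full of sensitive data. The sample document is constructed.

```python
import re
from pathlib import Path

# An SSN written as 123-45-6789, 123 45 6789 or 123456789. The look-arounds stop the
# pattern from firing inside longer digit runs such as order or phone numbers.
SSN_RE = re.compile(r"(?<![\w-])(\d{3})[-\s]?(\d{2})[-\s]?(\d{4})(?![\w-])")

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject shapes the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def scan_text(text: str, source: str = "<text>") -> list:
    """Return one finding per plausible SSN, reporting the line and a masked form only."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                findings.append({"source": source, "line": lineno,
                                 "masked": "***-**-" + m.group(3)})
    return findings

def scan_files(paths) -> list:
    """Scan text files; unreadable or binary files are skipped rather than aborting the run."""
    findings = []
    for path in map(Path, paths):
        try:
            findings.extend(scan_text(path.read_text(encoding="utf-8"), str(path)))
        except (OSError, UnicodeDecodeError):
            continue
    return findings

# Constructed sample: two real hits, several invalid shapes, and a longer number
# that must not be mistaken for an undashed SSN.
SAMPLE_DOCUMENT = """\
Applicant: J. Doe, SSN 123-45-6789, phone 617-555-0100
Legacy export id 123456789 (no dashes)
Invalid shapes: 000-12-3456, 666-12-3456, 987-65-4320, 123-00-4567
Order number 1234567890 must not match
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_DOCUMENT, "sample.txt"):
        print(f"{hit['source']}:{hit['line']}: {hit['masked']}")
```

The same structure (a pattern, a plausibility filter, a masked report) extends to other data types a scan policy names, such as credit card numbers with a checksum filter; the only part specific to SSNs is `plausible_ssn`.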

TIP 2: DELETE WHAT YOU DON’T NEED. Once you determine what sensitive data you store locally, consider whether or not you really need to have it. If it is data that your department uses, then store it on your department’s shared drive. Of course, set the permissions on the folder(s) to ensure only those that need the data can access the folder. Another route would be to utilize your P-drive. This stores the files in our trusted datacenter and is routinely backed up. For more information on these options, visit our page on connecting to network resources.

TIP 3: PROTECT WHAT YOU KEEP. Data protection can be accomplished by following computer security best practices for data protection. The basic three are:

  • Encrypt data that you plan to transport, including via email or on a mobile device such as an iPad;
  • Use strong passwords on all devices and ensure that they automatically lock after a short idling period;
  • Physically lock down your mobile devices, on and off campus.

This list is in no way complete, but it is a strong start. Collectively, these practices will help you keep the data you choose to store on your machine safe. For more information on these best practices and the tools available to follow them, please contact infosecurity@wit.edu or visit our Tools & Resources page on the web.