Archives For infosec awareness

Securing Your New Devices

John Knights —  January 7, 2015

As students, faculty, and staff members come back from our winter break to begin the new semester, we want to make sure we are sharing some useful security tips you should follow for those new devices you may have been gifted or purchased over the holidays. The following list is an excerpt from a Newsletter compiled by the Center for Internet Security and the Multi-State Information Sharing and Analysis Center. We recommend you take a look and consider these tips to ensure you are following security best practices for your new and older internet-enabled devices (computers, smartphones, tablets, game consoles, smart tvs, etc.).

  • Configure your device with security in mind. The “out-of-the-box” configurations of many devices and system components are default settings geared more toward ease-of-use and extra features than toward securing your device and protecting your information. Enable security settings, paying particular attention to those that control information sharing.
  • Turn on your firewall. Firewalls provide an essential function of protecting your computer or device from potentially malicious actors. Without a firewall, you might be exposing your personal information to any computer on the Internet.
  • Enable encryption. Encryption makes it hard for attackers who have gained access to your device to obtain access to your information. It’s a powerful tool that you should consider implementing.
  • Lock the device. Locking your device with a strong PIN/password makes unauthorized access to your information more difficult. Additionally, make sure that your device automatically locks after five minutes of inactivity. This way, if you misplace your device, you minimize the opportunity for someone to access your personal information.
  • Regularly apply updates. Manufacturers and application developers update their code to fix weaknesses and push out the updates and patches. Enable settings to automatically apply these patches to ensure that you’re fixing the identified weaknesses in the applications, especially your operating system, web browser and associated third party apps.
  • Install antivirus software. Install antivirus software if it is available for your device to protect from known viruses. Additionally, enable automatic updating of the antivirus software to incorporate the most recently identified threats.
  • Be careful downloading apps. When downloading a new app to your device, you are potentially providing that app with a lot of information about you, some of which you may not want to share. Be proactive and make sure that you read the privacy statement, review permissions, check the app reviews and look online to see if any security company has identified the app as malicious. A good way to prevent accidental downloading of malware is to use a trusted store instead of third party stores. Google Play Store and Apple’s App Store proactively remove known malicious apps to protect users.
  • Disable unwanted services/calling. Capabilities such as Bluetooth, network connections and Near Field Communications provide ease and convenience in using your smartphone. They can also provide an easy way for a nearby, unauthorized user to gain access to your data. Turn these features off when they are not needed.
  • Set up a non-privileged account for general web use. Privileged (such as Administrator or Root) accounts allow users to make changes and access processes and functions that are not needed on a daily basis. A compromised administrative account provides attackers with the authority to access anything on your computer or possibly even your network. Setting up a non-privileged account for use in browsing websites and checking emails provides one more layer of defense.

Summer Projects – 2014

John Knights —  September 5, 2014

Along with the rest of Technology Services, the Information Security Office (ISO) has been busy working on projects to improve the overall information security posture at Wentworth. As we start the new academic year, we want to share some of what we have been working on.

Data Management

Over the course of the summer, members of the Information Security Compliance Committee (ISCC) have worked to put together a set of policy documents that set the requirements for improving data governance and security. Once these policies are approved, we will send out a notice and publish them on the Technology Services Policy Page.

In addition to the policies, the ISO has worked with other members from Technology Services to provide all staff and faculty with a data loss prevention tool, Identity Finder. This tool is available to all staff and faculty for use on their institutional Windows or Mac-based desktops and laptops. For more information, please visit our Data Loss Prevention “Top Topics” page or go straight to the Identity Finder Tool page for instructions on obtaining, installing and using Identity Finder.

Information Security Awareness & Compliance Training Program

In an effort to improve awareness of information security and regulatory compliance requirements, we have worked with the ISCC and our training video service provider WeComply to provide our staff and faculty with a set of comprehensive educational videos on various topics (Information Security, Data Privacy, FERPA, and others). Visit the ISO’s Training page for more information on the program launching this October.

Phishing In Focus

givend —  March 14, 2014

In the past decade, word of phishing has spread to the masses and many people have learned what to avoid and look out for. In addition, software has improved and there are now online defenses against phishing. Mass messages that once tricked a few percent of unsuspecting email users are now mostly caught by elaborate spam filters, never to be opened. And the ones that do make it through are usually far too vague or generically addressed for the average user to be fooled by them. Unfortunately, the same campaigns used to educate the masses have also pushed criminals to improve their techniques for stealing people’s information. Phishing has evolved from a wide, lazy net to more concentrated and tailored efforts against a specific group. This method is called spear phishing and is usually seen as a personalized attack against a known target or an attempt at impersonating a trusted company to fool its clients.

In the past few weeks a new spear phishing attack has been sent to Netflix subscribers and placed in fake ads. It sends victims to a fake login page that tells them their account has been suspended due to “unusual activity” and provides a phone number for a “customer representative,” who then tries to convince them to download “Netflix support software” that is really a remote access program. Once a user is fooled, the information on their computer can easily be stolen and their contact lists can be sent the same phishing attack. Posing as a trusted company has a higher success rate for scammers than traditional blanket phishing, and it hurts the impersonated company’s reputation. This type of attack is exactly what we want to educate the community about and put an end to. If you are contacted by an unknown or untrustworthy source requesting information, forward the message to infosecurity@wit.edu for assistance.

Phishing isn’t going to get any easier to prevent in the near future; spam filters may block the majority of it, but with the sheer number of attempts, people are bound to encounter it eventually. Be prepared and never trust a message just because it claims to come from a company. Always check the URL of the website you’re on and use an HTTPS connection whenever possible. If you want the most secure connection possible on each site, download HTTPS Everywhere here. Also, as a general rule, never give out your personal information over the phone to someone you don’t know and never download something that doesn’t come from a trusted source. A quick search for the term “Netflix support software” would have told you about the scam. Always think before you click, especially during tax season, and we can all live in a safer online world.

Data Privacy Month Wrap-up

John Knights —  February 28, 2014

Throughout Data Privacy Month we have covered a few important areas to help you better protect your privacy and information online. As the month comes to a close, remember to implement the tips you’ve learned and guard your information year round. Protecting yourself from phishing and other types of social engineering relies largely on your own vigilance. Always be on the lookout for suspicious communication requesting information, especially when there are spelling errors, mysterious links, or when something just doesn’t look or sound right to you. Ensure that trusted websites are the official versions and not impersonations before you submit personal information. If you are suspicious of a website, link, or any form of communication, you can report it to Information Security. To better prepare for phishing attacks, check out our Phishing page and report any potential spam or phishing emails to SPAM@wit.edu.

If you still haven’t, check your privacy settings on social networks and ensure your personal data that you do not want made available to the public is hidden. You can prevent your pictures from being stolen and used for advertising without your permission and stop future employers from scrutinizing your profile during the hiring process. Secure your account and help prevent hacking by choosing a more complex password. Don’t be convinced by scams that seem too good to be true and remember that the best thing to do is not click if you aren’t confident about the link.  For more on staying safe on social networks check out the last Information Security blog.

If you are using a public Wi-Fi hotspot, make sure that your sharing settings are off so that you are not broadcasting your computer to others on the same network. Remember, if you need to check your bank account on a mobile device, use a 3G or 4G connection whenever possible, as it is more secure than public Wi-Fi. If you are on a laptop, connect using a Virtual Private Network (VPN) service, which encrypts your traffic between your laptop and the VPN provider so that others on the hotspot cannot read it. (For Wentworth employees who require VPN access to the campus network when working remotely, please email our Information Security Office to find out more.) Always be cautious when in a public space, even when connecting to “secured” or encrypted Wi-Fi hotspots, as they may not employ the most up-to-date settings or security. At Wentworth, our LeopardSecure Wi-Fi network utilizes strong encryption, so you can be sure that your communications are secure. To learn more about public Wi-Fi, read the Information Security blog about it.

If everyone does their part in protecting sensitive information and following safe practices when online, all benefit. Not only are you safeguarding your information when following these practices, you are also protecting your families, friends, and colleagues. For the latest news, advisories and alerts, follow Wentworth’s Information Security Office on Twitter at @InfoSec_WIT and on the web at www.wit.edu/dts/security.

What better place to catch unsuspecting people who are bored and want to go online than the airport? Next time you’re flying, be cautious of the wireless network you choose to join on your mobile device, because it could easily be an ad hoc network (a phone-to-phone connection) or another trap set by a hacker. Often a hacker will intercept information over an unsecured Wi-Fi network and acquire people’s passwords to social media or, worse yet, the credentials they use to access their bank account online. Think of unprotected Wi-Fi like mailing a letter in a transparent envelope from an unsecured mailbox: you have to leave the letter there and wait for the mail carrier (the website) to pick it up. If a hacker gets to it before the mail carrier does, he can read the contents and even tamper with them. The safest thing is to never input sensitive information on an unprotected Wi-Fi network.

If you need to check your bank account on a mobile device, use a 3G or 4G connection whenever possible, as it is more secure than public Wi-Fi. If you are on a laptop, connect using a Virtual Private Network (VPN) service, which encrypts your traffic between your laptop and the VPN provider so that others on the hotspot cannot read it. (For Wentworth employees who require VPN access to the campus network when working remotely, please email our Information Security Office to find out more.) Always be cautious when in a public space, even when connecting to “secured” or encrypted Wi-Fi hotspots, as they may not employ the most up-to-date settings. At Wentworth, our LeopardSecure Wi-Fi network utilizes strong encryption, so you can be sure that your communications are secure.

A few other things to consider when using public Wi-Fi hotspots. First, make sure that your sharing settings are off. This ensures that you are not broadcasting your computer to others on the same network, limiting your potential exposure. Second, be careful with your personal information even when you’re on a secure Wi-Fi network. Chrome’s Incognito and Mozilla’s Private Browsing modes keep history and cookies off your own computer, but they do nothing to protect the data you send across the network. Many sites allow for secure connections over an encrypted channel, through HTTPS. The problem is that even when HTTPS is available, many sites use unencrypted HTTP by default to ensure connectivity. HTTPS Everywhere is a browser plugin that solves this problem by switching you to the HTTPS version of every site that offers one, so you stay encrypted while browsing by default. It is available for Mozilla Firefox, Google Chrome, and Opera.

The theme for this year’s National Cyber Security Awareness Month is “Our Shared Responsibility,” which aims to inform everyone of their role in making sure we are all using the Internet in a safer and more secure manner. One area that security professionals tend to focus on is how we authenticate to all the services and accounts we utilize through the Internet. To authenticate to these services, we typically use two components, a username and password. Whether it is a site that simply offers more information to those that subscribe or banking sites, we need to follow best practices when creating and maintaining these passwords. The following is a list of the top suggested best practices.

  1. Use complex passwords. It is key to make passwords hard to guess and hard to crack. To make sure that your password is strong and hard to break, make sure it:
  • Is at least 8 characters long
  • Does not match any of your previous 6 passwords
  • Does not contain your username, first name, or last name
  • Contains characters from at least 3 of the following 4 groups:
    • English uppercase characters (A through Z)
    • English lowercase characters (a through z)
    • Numerals (0 through 9)
    • Non-alphabetic characters ($ % ^ &)
  2. Never give anyone your password. Remember, DTS will never ask you for your password, and most service providers have the same policy and practice.
  3. Use a different password for every service or site you use. The main reason to do this is to minimize the potential impact if one of your accounts is compromised. For example, if you use the same password for Amazon, Outlook, and Twitter, an attacker can compromise all three by compromising only one. If you are compromised on one site, you then only need to address the concerns of that site.
  4. Store your passwords securely. So you’re using different, complex passwords for each site. Now you need to manage them, and writing them down is not a good practice: a simple search on your computer for an unencrypted file, or a search of your desk for passwords written on Post-It notes, can compromise all of your accounts. You can use a password-protected Excel spreadsheet, which encrypts the file, but it is not convenient. A simple and convenient approach is best to make sure you stick with these best practices. A few password managers that are always at the top of the lists are LastPass, 1Password, and KeePass. Some are free, others are not. The price usually determines ease and flexibility more than security. Just make sure whichever you decide to use is from a reputable company or organization and works across all the devices you use to access your accounts over the internet.
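Added here as a worked example, not part of the original post and not any DTS tool: a small Python checker that applies the complexity rules from item 1 above (minimum length, no reuse of the last 6 passwords, no username or name inside the password, at least 3 of the 4 character groups). The sample username, names and password history are constructed; keeping the history as salted PBKDF2 hashes is an assumption about how a real system would store it, not something the post describes.

```python
import hashlib
import hmac

MIN_LENGTH = 8         # "at least 8 characters long"
HISTORY_DEPTH = 6      # "does not match any of your previous 6 passwords"
REQUIRED_GROUPS = 3    # "3 of the following 4 groups"

UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = set("abcdefghijklmnopqrstuvwxyz")
DIGITS = set("0123456789")


def password_hash(password, salt):
    """Salted PBKDF2 so the history is not a list of old passwords in the clear.
    (Assumed storage format; the post does not describe one.)"""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def character_groups(password):
    """How many of the four character groups the password draws from."""
    chars = set(password)
    groups = 0
    groups += bool(chars & UPPER)
    groups += bool(chars & LOWER)
    groups += bool(chars & DIGITS)
    # Everything else (symbols, spaces, non-ASCII letters) counts as the fourth group.
    groups += bool(chars - UPPER - LOWER - DIGITS)
    return groups


def check_password(password, username, first_name, last_name, history, salt):
    """Return the list of policy rules the password breaks; [] means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    lowered = password.lower()
    for label, value in (("username", username),
                         ("first name", first_name),
                         ("last name", last_name)):
        if value and value.lower() in lowered:
            problems.append("contains your " + label)
    if character_groups(password) < REQUIRED_GROUPS:
        problems.append("uses fewer than %d of the 4 character groups" % REQUIRED_GROUPS)
    candidate = password_hash(password, salt)
    # Only the most recent HISTORY_DEPTH entries count; compare_digest avoids
    # leaking which entry matched through timing differences.
    if any(hmac.compare_digest(candidate, old) for old in history[-HISTORY_DEPTH:]):
        problems.append("matches one of your previous %d passwords" % HISTORY_DEPTH)
    return problems


# Constructed sample account: not a real user, salt, or password history.
SAMPLE_SALT = b"constructed-sample-salt"
SAMPLE_USER = ("jdoe", "Jane", "Doe")
SAMPLE_HISTORY = [password_hash(p, SAMPLE_SALT)
                  for p in ("Spring2014!", "Summer2014!", "Fall2014!")]


def evaluate(password):
    """Check a candidate password against the constructed sample account."""
    username, first, last = SAMPLE_USER
    return check_password(password, username, first, last, SAMPLE_HISTORY, SAMPLE_SALT)


if __name__ == "__main__":
    for pw in ("Fall2014!", "doe12345", "Correct-Horse-9"):
        print(pw, "->", evaluate(pw) or "OK")
```

The thresholds are the ones the post lists; raise MIN_LENGTH and the others to match your own policy. The name check is a plain case-insensitive substring test, which is what the rule asks for, so very short names will reject more candidates than you might expect.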

If you have any questions or comments about what was covered today or in any of the previous posts, please contact us at infosecurity@wit.edu.

National Cyber Security Awareness Month is in full swing and this week’s topic is about protecting data. Information security is all about protecting the privacy and availability of data. One of the main causes behind a compromise of data privacy is accidental disclosure. Members of Technology Services are continually working to improve the systems and tools used to protect the Institute’s data privacy and availability, but there are limitations to what can be done centrally. Review the following tips you can use to ensure that we all are working together to secure our sensitive data and protect the Institute against accidental disclosures.

TIP 1: KNOW WHAT DATA YOU HAVE. Before you can protect data, you need to know what you have that needs protecting. The Institute utilizes a tool called Identity Finder. This tool searches through all the files on your computer to identify potentially sensitive information based on the criteria you provide. For example, if you tell it to search for social security numbers, it will search for all the ways they can be written (e.g., with or without dashes) and return the results to you. What is especially useful about this tool is that it can perform tasks on the files that match your criteria, such as shred (deletes the file in a secure manner) or quarantine (relocates files to a predetermined location for easier management). For more information on Identity Finder and how to use it, please visit our Identity Finder resource page. For those who do not have it installed on their machines, please go to our Tools & Resources page for information on obtaining a free version.
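To show what this kind of search does under the hood, here is an added Python example (not Identity Finder code, which the post only describes) that scans text for Social Security Number patterns written with or without dashes and filters out number ranges the SSA never issues, which is how such tools keep false positives down. The sample records are constructed and fictitious.

```python
import re
from pathlib import Path

# 3-2-4 digits separated by a dash, a space, or nothing. The \b anchors stop
# the 9-digit form from matching inside a longer run of digits.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def plausible_ssn(area, group, serial):
    """Drop patterns the SSA has never issued (area 000/666/900+, group 00,
    serial 0000). This removes many false positives such as order numbers."""
    area_n = int(area)
    if area_n == 0 or area_n == 666 or area_n >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text):
    """Return (line number, matched text) for every plausible SSN in the text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in SSN_RE.finditer(line):
            if plausible_ssn(*match.groups()):
                hits.append((lineno, match.group(0)))
    return hits


def scan_directory(root, suffixes=(".txt", ".csv")):
    """Walk a directory tree and map each file that has hits to its list of hits."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_ssns(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample: fictitious records, not real numbers.
SAMPLE_TEXT = """Name,ID,Notes
Jane Doe,123-45-6789,scholarship form
John Roe,876543219,transcript request
Main line,617-989-4000,phone number, not an SSN
Template,000-12-3456,placeholder the SSA never issues
"""

if __name__ == "__main__":
    for lineno, value in find_ssns(SAMPLE_TEXT):
        print("line %d: %s" % (lineno, value))
```

Run it against a folder with scan_directory("path/to/files") to get a per-file report; the point of the plausibility filter is that a plain 9-digit regex alone would flag the phone number's neighbours and placeholder values and bury the real findings.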

TIP 2: DELETE WHAT YOU DON’T NEED. Once you determine what sensitive data you store locally, consider whether or not you really need to have it. If it is data that your department uses, store it on your department’s shared drive, and set the permissions on the folder(s) to ensure that only those who need the data can access it. Another route would be to utilize your P-drive. This stores the files in our datacenter, where they are routinely backed up. For more information on these options, visit our page on connecting to network resources.

TIP 3: PROTECT WHAT YOU KEEP. For the sensitive data you do keep, follow computer security best practices for data protection. The basic three are:

  • Encrypt data that you plan to transport, including via email or on a mobile device such as an iPad;
  • Use strong passwords on all devices and ensure that they automatically lock after a short idling period;
  • Physically lock down your mobile devices, on and off campus.

This list is in no way complete, but it is a strong start. Collectively, they will help you keep the data you chose to store on your machine safe. For more information on these best practices and tools available to follow them, please contact infosecurity@wit.edu or visit our Tools & Resources page on the web.

National Cyber Security Awareness Month has produced quite a bit of useful information. One topic that continues to dominate the security headlines is social engineering attacks. Last week we went through a spear phishing email. This week, we’ll look at how some social engineers get the information they use to go after you, social networking sites.

Social networking sites have changed the way we communicate and keep track of one-another. There have been great advantages to these innovative services, from staying connected with distant friends and relatives to helping us promote and find new jobs. As with any great advancement in technology, folks have found ways to exploit them to harm others. Social networking sites have been used to gather information to improve social engineering attacks, spread malware, and establish new forms of old malicious activities, such as with cyber bullying. Below are some quick tips and resources to better protect yourself and your social networking profiles from malicious attacks.

  1. Use different passwords for each site or service you use. This way, if one site’s security or password is compromised, the threat is contained to just the site or service affected.
  2. Know what the site or service does with your information. Read the privacy statements for each service you use. The best way to know what these sites can and may do with your information is to read the privacy statements, which typically provide instructions for what settings to change to opt-out or opt-in to a privacy feature.
  3. Share responsibly. Remember, what you put out into the web, stays on the web. If you have information or a photo that you wouldn’t want broadcasted out to the general web, don’t put it on your site or service. Even when you have all the privacy settings turned on and you chose to share only to your friends, content can still make its way out of those boundaries you’ve created.
  4. Think before you click. Social networking sites are a treasure trove for social engineers. An increasing number of phishing attacks are using information obtained from your social networking site profiles, and those of your friends, to craft very specific and intricate emails used to trick you into a nefarious activity. Be cautious and think before you click on any links within emails.
  5. Stay informed. Follow us on Twitter! We follow lots of useful resources that will keep you up to date on all sorts of cyber security topics.

A couple weeks ago, some of our Wentworth community members received what is called a phishing email. More specifically, it would be considered a spear phishing email, as the email appeared to be coming from a legitimate group on campus, our own Help Desk, addressed to our community.

Although this email was one of the more sophisticated examples we’ve seen, it still contained a few essential items that should raise your suspicion. So what did the message look like? Well, it looked similar to most service update emails.

[Image: the phishing message]

Unlike most phishing emails, it was free of spelling errors and grammatically correct, or at least good enough. The message itself was close to what we would send from DTS and the links appeared correct. They appeared correct, but a closer look revealed some hidden truths.

The “From:” field contained an address that looked right, except if you look closer, you can see that there is an underscore after “helpdesk.”

[Image: the “From:” address, ending in “helpdesk_”]

Another, more hidden item was the webpage that the “Access E-Mail” link actually pointed to. (TIP: hover your mouse over a link to see where it will actually take you!)

[Image: the actual destination of the “Access E-Mail” link]

The latter half of the link, “https.employee.wit.edu.htm”, is not a wit.edu address at all; it is just the name of a page on a website hosted at mail-wit [dot] ga522 [dot] net. The real destination is determined by the host name that comes before the path, here a ga522 [dot] net domain, not by the wit.edu text that appears later in the link or in the visible link text on the email.

If you had clicked on the link, it took you to a page that was an exact replica of our webmail log-in page. Except that instead of logging you into our Exchange e-mail service, it simply captured your credentials and sent them to the attacker.
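The two tells above, a look-alike sender address and a link whose real host is not the one the visible text suggests, are exactly what a mail filter or a cautious reader checks. The following Python is an added example, not DTS code and not part of the original post. The From header and HTML snippet are constructed to resemble the message described; the exact href path (shown here as a file named https.employee.wit.edu.htm on the ga522.net host) is an assumption, since the full URL is not reproduced on the page.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAIN = "wit.edu"


def host_of(url):
    """Host name of a URL, or '' if it has none (e.g. plain text like 'Access E-Mail')."""
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a host name: mail-wit.ga522.net -> ga522.net.
    Good enough for .edu/.net; production code should use a public-suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def sender_is_legitimate(from_header, expected_local="helpdesk",
                         expected_domain=EXPECTED_DOMAIN):
    """True only if the address itself (not the display name) is the expected mailbox.
    'helpdesk_@wit.edu' fails because the local part is not exactly 'helpdesk'."""
    _, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    return local.lower() == expected_local and domain.lower() == expected_domain


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: the same two things hovering over a link shows."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html, expected_domain=EXPECTED_DOMAIN):
    """Links whose real domain is not the expected one, or whose visible URL
    text points somewhere other than where the href actually goes."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = registrable_domain(host_of(href))
        shown = registrable_domain(host_of(text)) if "://" in text else None
        if real != expected_domain or (shown is not None and shown != real):
            findings.append({"text": text, "href": href, "real_domain": real})
    return findings


# Constructed sample resembling the message described above; the href path is assumed.
SAMPLE_FROM = "DTS Help Desk <helpdesk_@wit.edu>"
SAMPLE_HTML = """
<p>Your mailbox is being migrated. Please
<a href="http://mail-wit.ga522.net/owa/https.employee.wit.edu.htm">Access E-Mail</a>
to keep your account active, or read more at
<a href="https://www.wit.edu/dts">www.wit.edu/dts</a>.</p>
"""

if __name__ == "__main__":
    print("sender legitimate:", sender_is_legitimate(SAMPLE_FROM))
    for finding in suspicious_links(SAMPLE_HTML):
        print("suspicious link %r really goes to %s" % (finding["text"], finding["real_domain"]))
```

The parser deliberately compares the registrable domain rather than the whole host, so a legitimate subdomain such as employee.wit.edu passes while mail-wit.ga522.net is flagged no matter how much “wit.edu” text appears in its path.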

When we find or are alerted of these messages, we do our best to inform the affected users and block the site, which is what we did. (TIP: To report phishing emails, please email them to abuse@wit.edu.)

So how can you catch these in the future?

1.  Familiarize yourself with what official emails look like.

This first example is a Wentworth Announcement that departments send out to communicate announcements, events, and general information the targeted audience should know. Below is an example.

[Image: example Wentworth Announcement]

The “From” is going to be the department sending the message and the “To” will always be “Wentworth Announcements.” In addition, we brand all messages from the departments sending out the announcement.

There are times that DTS will send messages from within a system to inform individuals about items that require their attention. Below is an example password expiration notice.

[Image: example password expiration notice]

Notice that “DTS Help Desk” is indicated as the sender in the “From” field, which properly resolves to the actual Help Desk email address of “helpdesk@wit.edu.” In addition, for these individually targeted emails, DTS will include your Wentworth ID number (redacted here for security reasons). Make sure you verify that before going any further with these very important emails. Again, the message is branded as a “Division of Technology Services” email.

2.  Read more about phishing on our Information Security webpage at http://wit.edu/dts/security/training-awareness/top-topics/phishing.html

This page has more examples and resources to better equip yourself with the knowledge to make sure you don’t get caught the next time someone goes phishing!

[Image: 2013 NCSAM banner]

This year marks the tenth anniversary of National Cyber Security Awareness Month (NCSAM). NCSAM is observed throughout the month of October to increase the awareness of cyber security threats and techniques to safeguard against them.

As an NCSAM Champion, Wentworth will be providing frequent tips and articles throughout the month on how you can better protect your data and computing devices from security threats such as malware, phishing emails, and identity theft. Each Friday of this month, the Information Security Office will share an article that is relevant to you. Topics will range from recognizing a “phishing” email to best practices for password management. In addition, we will be relaunching the Information Security website this month with additional information and resources, as well as a look at where we are headed with the Information Security Plan at WIT. Finally, we will be taking this show on the road with presentations on cyber security threats, data privacy, and information security best practices. If you would like to have the Institute’s Information Security Officer come to your department or group, please email infosecurity@wit.edu to schedule a presentation.

Follow us on Twitter @InfoSec_WIT for more on NCSAM, security news, and resources for improving your information security practices.

[Image: NCSAM Champion]