24 May 2018
Home network security as defined by the United States Computer Emergency Readiness Team refers to the protection of a network that connects devices to each other and to the internet within a home. With technology becoming more and more prevalent in our daily lives, it becomes increasingly important to protect against security risks. This article hopes to better your understanding of the risks associated with being connected to the internet as well as the importance of properly securing your home networks and systems.
Most people assume that their home network will never be attacked. This is a common misconception, and it rests on two beliefs: home users think their network is not big enough to be at risk of a cyber attack, and they think the devices they are provided by companies such as Comcast and Verizon are plenty secure. This line of thought is wrong and can be costly. Attacks can hit any network connected to the internet, no matter its size, and the devices provided by Internet Service Providers (ISPs) come preconfigured with factory-issued settings, such as default usernames and passwords, that create opportunities for cyberattackers to gain unauthorized access to information, among other problems.
The good news is that there are ways to prevent these types of problems. By improving the security of your home network, you can significantly reduce the chances of being successfully attacked. The list below gives ways to improve the security of your home network.
- Regularly update software as the updates often include critical patches and security fixes for the most recent threats and vulnerabilities
- Remove/uninstall unnecessary services and software to reduce security holes on a device’s system
NOTE: This is especially important on new computers as they are often pre-installed with many software and application trial versions
- Adjust factory default configurations on software and hardware because the configuration settings are created to be user-friendly and are not geared towards security
- Install up-to-date antivirus software and make sure to enable automatic virus definition updates
- Install a network firewall to block malicious traffic from entering your home network and alert you to any potential dangerous network activity
- Install firewalls on network devices to inspect and filter a computer’s inbound and outbound network traffic
- Back up your data on a regular basis to minimize the impact if your data is lost, corrupted, infected, or stolen
- Enable wireless security by:
  - Using the strongest encryption protocol available
  - Changing the router’s default administrator password
  - Changing the default SSID (often referred to as the network name)
  - Disabling WPS (WiFi Protected Setup)
  - Reducing wireless signal strength
  - Turning the network off when not being used
  - Disabling UPnP (Universal Plug and Play) when not needed
  - Upgrading firmware
  - Disabling remote management
  - Monitoring for unknown device connections
- Familiarize yourself with the most common elements of a phishing attack
- Create strong passwords by:
  - Making the password long and complex
  - Creating a unique password for each account
  - Never using personal information within the password
For more information about home network security, please visit the United States Computer Emergency Readiness Team website.
27 Apr 2018
Microsoft has recently announced new advanced security features available to Office 365 subscribers. Since the University of Pittsburgh migrated to Office 365, these new protection capabilities are available to you.
The new security features offered are:
- File recovery for OneDrive
- Outlook prevent forwarding
- Email encryption
File Recovery for OneDrive
This feature allows you to restore your entire OneDrive to a previous version within the last 30 days. This can be very helpful when a file or multiple files are accidentally deleted, become corrupt, or are hit by some other disastrous issue. Keep in mind the file restore will only work for files that were stored on your OneDrive. If the file was stored somewhere else, this feature will not work.
To use file restore:
- Go to http://portal.office.com
- Log in with your University email address and password (may not be required if you are already logged into Office 365).
- Click the OneDrive icon.
- Click the Settings icon in the top right-hand corner.
- Click OneDrive – Restore your OneDrive.
- Select a date from the dropdown menu and click Restore.
Outlook Prevent Forwarding
This feature allows you to restrict your email recipients from forwarding or copying your emails. Prevent forwarding should be used when an email you send contains sensitive information.
To send an email with the prevent forwarding feature:
- Open Outlook and compose a new email.
- Go to the Options tab and click the dropdown arrow under Permission.
- Select Do Not Forward.
- Send the email.
Email Encryption
This feature offers an added layer of protection to sent emails. Some email providers don’t encrypt their connection, which means your communication could be susceptible to being intercepted and read. If you use the email encryption feature offered by Office 365, the email you send will remain encrypted over a secure connection. This should be used when sending an email to an external user.
To send an email with the email encryption feature:
- Open Outlook and compose a new email.
- Go to the Options tab and click the dropdown arrow under Permission.
- Select either University of Pittsburgh – Confidential or University of Pittsburgh – Confidential View Only.
NOTE: Selecting University of Pittsburgh – Confidential will allow recipients to modify the content but not copy or print it. Selecting University of Pittsburgh – Confidential View Only will not allow recipients to modify the content.
- Send the email.
For more information on all of these features and more, please visit Office 365 new capabilities.
When you are scrolling your Facebook feed or taking a Buzzfeed quiz online, do you answer historical questions? Questions about your childhood home, your family dog, or the first car you drove can expose you to cyber criminals. These seemingly harmless games on Facebook and quizzes online can help the company behind them store and potentially sell your data. That is not to mention the other people who are seeing your answers online.
You may think to yourself, who cares if they know my first dog was a Boxer named Luna? Well, if you ever used that as a security question to reset your password, you may be more concerned. These data-harvesting schemes have become more and more prevalent and give identity thieves and scammers easier ways to access your online accounts.
There are many examples of this, but let’s take a look at a few from krebsonsecurity.com:
San Benito Tire Pros created a post that says, “What car did you learn to drive stick shift on?” This seems like a harmless question, but by answering it you could be giving them the answer to “What was the make and model of your first car?” This question is one of the most commonly used by banks and other companies to verify customers before they reset their password.
Another from Good Old Days asks “What was your first pet, and what was its name?” This one is a little more obvious, as it directly asks a question that you will frequently see among the security questions from companies online.
This can also happen when Facebook pages post quizzes or articles but pose questions as their caption. Texas asked “What was your high school mascot?” with a link to the most unusual Texas high school mascots.
Protect yourself online: don’t share your historical data, or make sure your answers to security questions are fictional. However, then you have to remember what you wrote.
07 Dec 2016
Do you do your holiday shopping online? There are a few easy ways to protect yourself online whether you are purchasing items for yourself or for the University with your P-Card. Follow the tips below for a safe experience:
1. Shop with reputable merchants. Only purchase from online vendors that you are familiar with, or do some research first. If you are not familiar with an online store, use caution. Just because the website looks professional, it doesn’t mean the vendor is trustworthy or has proper security controls in place. Check an independent source that allows customers to rate their shopping experience with a vendor such as Reseller Ratings. You can also refer to the Better Business Bureau to see if there are any complaints listed. You should also be aware that in some cases, you may be purchasing from an individual rather than business, and your legal recourse may be different in the event of a dispute.
2. Check the merchant’s customer information and return policies. Before ordering, be sure to read the terms of sale, return policies and fees, shipping methods and prices, and guarantees. Make note of vendor’s policies for storing and distributing your personal contact information. If you do not want to be included on mailing lists or have your contact information made available to third parties (spam lists), look for an option on the web site to indicate your preference. Do not provide vendors with sensitive personal information, such as your social security number or bank account numbers. Basic shipping and credit card information is all that should be required to make a purchase.
3. Be sure the transaction is secure. When you are in the checkout process, the web site should be using encryption called SSL (Secure Sockets Layer). SSL ensures secure transmission of your credit card information across the internet. You can tell if the web site is using SSL by looking for “https://” (rather than “http://”) at the beginning of the web site’s address in the browser. Another sign is the presence of a padlock symbol in the address bar of the browser. In Internet Explorer, the padlock symbol will appear on secure pages in the address bar, located to the right side of the web address. You can click on the lock symbol to verify the security of the site.
4. Never send credit card numbers via e-mail. Although it is generally safe to enter your credit card number on a secure web site, it is not safe to send it through e-mail. E-mail is sent through the internet in clear text (non-encrypted) format, so it’s possible for someone other than the vendor to see it. Sending a credit card number through e-mail is the equivalent of writing it on a postcard rather than mailing it in an envelope.
5. Keep a record of your transaction. Before you leave the transaction page of the web site, print a copy of the screen and keep it for your records. Check your credit card statements to verify you were charged the proper amount. Also, keep any e-mail confirmations about your order for later reference.
6. Use Identity Finder to protect your data. All FIS-supported computers have a program called Identity Finder installed. It will search your files, e-mails, databases, websites, and web browser data for Social Security numbers, Credit Card numbers, Bank Accounts, Passwords, etc. so you can then take steps to remove the sensitive data from your files. This program is also available for home use by contacting FIS.
7. Take action if there is a problem. If you do have a problem with an online vendor, first attempt to work it out with them directly. Don’t just rely on e-mail; call them as well. If you cannot resolve the problem to your satisfaction, you should contact your bank and ask them to stop the payment. If that’s not possible, you can use an online service such as SquareTrade to resolve your dispute. You can also file a complaint to the state Attorney General’s Office, who will investigate the case. You should also post your experience on a site like Reseller Ratings so other customers can be warned. While you may also wish to contact the Better Business Bureau, note that they have no authority over the vendor. They will simply accept your complaint and allow the vendor to respond.
Take this quiz, Workplace Security Risk Calculator, to find out if your activities while at work are risky and what you can be doing on the front lines to protect our organization!
Welcome to FIS’s 5 days of Cyber Security! October is national cyber security month. This is an initiative to help keep our online community safer and all citizens more informed. Over the next 5 days, we will highlight everything from types of scams to a checklist to complete cyber spring cleaning. Follow along with all of our information, videos, and quizzes! We are going to start with basic tips and advice to be safe online. Be sure to watch the YouTube video to gather 3 easy tips to stay safe on the go.
14 Mar 2016
One of the most common methods that cybercriminals use to gain sensitive information is known as ‘phishing’. Phishing occurs when you receive a message requesting personal information (social security number, email address, birthday, etc.) that appears to come from a reputable source (your bank, business, etc.). Phishing attacks come in different types (spear phishing, whaling, clone phishing, etc.), but the general premise remains the same.
While most phishers are primarily looking to steal your personal information, phishing is also a method used by hackers to install malware onto your computer.
Phishing attacks have become very sophisticated, but they are still vulnerable to a watchful eye and a little common sense. Since your personal data and security are at stake, it is extremely important to know how to identify phishing, and to know what steps to take if you think you are the target of a phishing attack.
How to Identify a Phishing Attack
Inconsistent Email Address
Here’s a typical example of what a phishing email might look like. Take a close look at the sender’s information and email address. In the above example, note that the sender is S-tandard Bank. Also, the email domain “alert-std.co.za” does not match the format at the bottom of the message, “standardbank.co.za.”
False Sense of Urgency
Note that the email from “Amazon” states “***DON’T WAIT! The Link Above Expires on 12/28!” Scammers try to create a false sense of urgency to get you to react quickly and emotionally. Always take a couple of extra seconds to really examine what you are reading before clicking any links.
Note again how the email address does not end in “amazon.com.”
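The two checks described above (a sender domain that does not match the brand the message claims to be from, and urgency wording) can be automated for a mailbox filter. The sketch below is an added example, not part of the original article; the BRANDS map, the urgency phrase list and the sample messages (including the mailbox names) are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed, defender-maintained map: brand keyword -> domain the brand really sends from.
BRANDS = {"standardbank": "standardbank.co.za", "amazon": "amazon.com"}
URGENCY = re.compile(r"don['’]?t wait|expires on|act now|urgent", re.I)

def squash(text):
    # Lowercase and keep only letters/digits, so "S-tandard Bank" -> "standardbank".
    return re.sub(r"[^a-z0-9]", "", text.lower())

def under(domain, parent):
    return domain == parent or domain.endswith("." + parent)

def phishing_indicators(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()  # plain-text, non-multipart message assumed
    findings = []
    claimed = squash(name + " " + body)
    for keyword, domain in BRANDS.items():
        # The message presents itself as this brand but was not sent from its domain.
        if keyword in claimed and not under(sender_domain, domain):
            findings.append(f"sender-domain-mismatch:{domain}")
    if URGENCY.search(f"{msg.get('Subject', '')}\n{body}"):
        findings.append("urgency-language")
    return findings

# Constructed sample messages modelled on the two examples in the text.
SAMPLE_BANK = (
    'From: "S-tandard Bank" <ibsupport@alert-std.co.za>\n'
    'Subject: Account notice\n\n'
    'Please confirm your account details.\n'
    'Standard Bank www.standardbank.co.za\n'
)
SAMPLE_AMAZON = (
    'From: "Amazon" <deals@amazon-rewards.example>\n'
    'Subject: Your reward\n\n'
    "***DON'T WAIT! The Link Above Expires on 12/28!\n"
)
SAMPLE_LEGIT = 'From: "Amazon" <ship-confirm@amazon.com>\nSubject: Your order\n\nYour order has shipped.\n'

if __name__ == "__main__":
    for sample in (SAMPLE_BANK, SAMPLE_AMAZON, SAMPLE_LEGIT):
        print(phishing_indicators(sample))
```

A match is a reason to look closer, not proof of phishing: a keyword check like this will also flag a friend who merely mentions the brand, and it cannot see a spoofed From address that uses the real domain.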
Questionable Information Requests
Phishing attacks will frequently ask for information that they either don’t need or should already have. As a rule, reputable businesses will never ask for your account name, account number, password, Social Security number, etc. There was a recent phishing scam that appeared to come from the IRS, asking for account information from the victim’s financial institutions. If there’s anyone that doesn’t send emails like this, it’s the IRS.
If You Suspect Phishing
There are a number of steps that you can take if you suspect that a message you have received is a phishing attack.
- Verify the identity of the sender. For example, if you receive an email that looks like it’s from PNC Bank, call or email their customer support team to confirm. It’s important not to reply to the email itself, as any links in the message will not point back to a legitimate business entity. If it looks like a friend or coworker sent the message, follow up with them in a separate email (again, do not reply to the original message).
- Change any relevant passwords. Changing your password is almost never a bad idea, and having unique passwords for each site/service that you use is a best practice.
- Go back to the official source. Try to always directly type the web address of the site you want to access in your browser, instead of clicking on links from emails or social media networks. As mentioned, avoid links in the original message, as they will most likely redirect to a fraudulent site.
- Trust your instincts and err on the side of caution. If an email or website doesn’t look or “feel” right, there’s probably a reason.
If you think that your work email has been targeted by a phishing attack, please contact FIS via our Support Portal, or call us at 4-FIS1. If your personal email address has been targeted, please report it to any of the following agencies:
- Federal Trade Commission
- US Computer Emergency Readiness Team
- FBI Internet Crime Complaint Center
- Anti-Phishing Working Group
- PhishKillers Blacklist
For More Information
For additional background and tips, check out the articles in the FIS Knowledge Base, or read any of the following: