28 Oct 2019
In honor of October being National Cybersecurity Awareness Month, here are a few tips from the National Cyber Security Alliance.
1. Keep a Clean Machine
Having the latest security software, web browser, and operating system is the best defense against viruses, malware, and other online threats. Mobile phones and tablets need regular updating, too.
2. Share with Care
Think before posting about yourself and others online. Consider what a post reveals, who might see it, and how it could be perceived now and in the future.
3. Treat Personal Information Like Valuables
Information about you, such as your purchase history or location, has value––just like money. Be thoughtful about who gets that information and how it’s collected through apps and websites. Don’t reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in email.
4. Lock Down Your Login
Always enable the strongest authentication tools available, such as biometrics, security keys, or a unique one-time code through an app on your mobile device. Your usernames and passphrases are not enough to protect key accounts like email, banking, and social media.
5. Back It Up
Data can be lost in several types of incidents, including computer malfunctions, theft, viruses, spyware, accidental deletion and natural disasters. So it makes sense to back up your files regularly. Protect your valuable work, music, photos, and other digital information by making an electronic copy and storing it safely.
6. Secure Your Wi-Fi Router
Set a strong passphrase (at least 12 characters long) for your Wi-Fi network. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music”). Name your network in a way that doesn’t let people know it’s your house.
08 Oct 2019
It begins with an email looking innocently enough. You click on the link believing it is from a colleague or perhaps from your IT administrators. You are then taken to a site asking for your email address and password. This seems ordinary. After all, it seems like all websites these days require login information. What comes next is anything but ordinary. Your information has been stolen and is being used against both your organization and yourself.
These attacks are becoming more prevalent and sophisticated. So much so that October is National Cybersecurity Awareness Month. Now in its 16th year, it is hosted every October by the Department of Homeland Security and the National Cyber Security Alliance. According to fbi.gov, multiple agencies, including the FBI, collaborate to raise awareness about cybersecurity and stress the collective importance and effort to stop cyber intrusions, online thefts, and scams.
Pitt and FIS are no different. We go to great strides to protect the university’s financial information and educate our users on security awareness. Take, for example, the annual security awareness training videos that all connected computer users take as well as CSSD’s fake phishing attempts.
The security awareness training must be completed by all users who log into a FIS machine. It is a series of interactive videos that will test your knowledge of various subjects at the end of the video. After completing the training, you can print a certificate validating that you completed the training. Security awareness training needs to be completed annually. However, every subsequent training is a refresher course and is less robust than the initial training. While this may seem a bit excessive, the numerous attacks that have occurred over the past few years at many corporations most definitely prove otherwise.
Those attacks and the information obtained as a result of them are the reason CSSD sends out fake phishing emails. The latest phishing attempt was an email sent from “Message Center email@example.com” and was titled Incoming Emails Rejected. The message was simple enough. It contained your email address, an understandable explanation of why the emails were rejected, and a link to retrieve the emails. These are some of the most damaging and common attacks.
With all of that in mind, here are some cyber safety tips the FBI highly recommends.
- Examine the email address and URLs in all correspondence. Scammers often mimic a legitimate site or email address by using a slight variation in spelling.
- If an unsolicited text message or email asks you to update, check, or verify your account information, do not follow the link provided or call the phone numbers in the message. Go to the company’s website to log into your account or call the phone number on the official website to see if something does, in fact, need your attention.
- Do not open any attachments unless you are expecting the file, document, or invoice and have verified the sender’s email address.
- Carefully scrutinize all electronic requests for a payment or transfer of funds.
- Be extra suspicious of any message that urges immediate action.
- Confirm requests for wire transfers or payment in person or over the phone as part of a two-factor authentication process. Do not verify these requests using the phone number listed in the request for payment.
If you have questions, feel free to submit a ticket through the FIS Service Portal.
13 Sep 2018
Scammers pretending to be the Chinese Consulate office have recently started contacting people in the hopes of obtaining your bank account or credit card information. This social engineering attack has been recognized by the Federal Trade Commision (FTC). An attack like this reminds us that scammers are always trying new tactics to rob people by simply tricking them into making a mistake. This article intends to help you learn how these attacks work and how to identify them.
What is Social Engineering
According to SANS.org, social engineering is a psychological attack where an attacker tricks you into doing something that you shouldn’t do. This concept is not new. Con artists have been attempting to steal money from unknowing people for thousands of years. Scammers are essentially con artists using today’s technology to aid them in stealing. What makes this tactic so effective is that today’s technology allows them to not be physically seen and contact millions of people around the world either by phone call or email.
Take for example the recent attack from scammers pretending to be the Chinese Consulate. According to the FTC’s website, people across the country have reported getting a call or message saying they have to pick up a package at the Chinese Consulate office, or they need you to give them information to avoid being in trouble with the Chinese Consulate. We actually had multiple people at FIS receive this phone this week! This type of phone call is a perfect example of what social engineering is and what it is trying to accomplish.
Another example is a CEO fraud, which is an email attack that most often occurs at work. The way this attack work is a scammer researches your company and identifies the name of your boss or coworker. This is especially easy to obtain here at the University of Pittsburgh as most information like this is public knowledge. The attacker then creates an email pretending to be that person which asks you to take some sort of action such as wiring them money or emailing sensitive company/employee information.
You should know that social engineering attacks are not limited to emails and phone calls. They can occur in any form. The best thing you can do is be as informed as possible on the subject and never, ever send money or sensitive data over the phone or via email if someone is asking for it.
How to Detect a Social Engineering Attack
While social engineering attacks are dangerous and tricky, stopping such an attack is simpler then it seems. Often times, common sense is your best defense. Listed below are some of the more common clues of a social engineering attack.
- Someone creating a sense of urgency that requires immediate action. For example, you may receive a phone call from someone claiming to be from a computer support company that tells you your computer is infected and you need to purchase their security software or risk losing all of your computer data.
- Someone asking for information they should not have access to such as bank account numbers or social security numbers.
- Someone asking for a password. Legitimate companies will not ask you for your password.
- Something that seems too good to be true. For example, being notified you won an iPad or the lottery.
- Receiving an email from a friend or coworker that contains verbiage that does not sound like it’s from them.
If any of those scenarios occur, you should take appropriate action such as hang up the phone or delete the email. In the instance of receiving an odd email from a friend or coworker, it is recommended to reach out to them through some other means of communication. For more information, please submit a ticket through the FIS portal or review your security awareness training.
We all know the role that social media now plays in the world. Between Facebook, Twitter, Instagram, SnapChat, and LinkedIn, social media has become nearly inescapable. While these sites are amazing resources for connecting people across the globe, they all come with risks. These risks not only could affect you but also your friends, family, and employer. This article is going to cover some key steps for securely using social media.
Perhaps the most important and obvious step towards securely using social media is to be careful of what you post. Even if you enable privacy features and think your posts are not viewable to everyone, you should still post with the mindset that it can be viewed by everyone. If it could negatively impact your reputation and future, it should not be posted on any social media platform.
Even though privacy features should not be viewed as a filter that blocks your posts from being viewed by anyone, they should still be enabled. Almost all social media sites have strong privacy features. However, with strong privacy features comes change and confusion. You should make it a habit to check for any changes and to confirm they are working the way they are intended.
Another seemingly obvious security step is to create a strong, unique password. This has been drilled into all computer users head’s but it is still avoided by many people. The reason for its avoidance is simple. People have a hard time remembering complex passwords and do not want to have to remember passwords for multiple systems. While we recognize the annoyance in having multiple complex passwords, it is still a key step in securely using not only social media sites but computers in general.
Unfortunately, creating a strong password for all of your accounts is no longer enough. You should still have a strong password but you should also enable two-factor authentication on all of your social media accounts. Pitt has already enabled two-factor authentication when logging into my.pitt.edu in order to protect you from people who could potentially obtain your password. While this may seem like more work, your personal information will be substantially more secure. To look at it another way, you would not want simply having your ATM card as a way to withdraw money. Banks knew this and decided a pin was also necessary to access the features of an ATM card.
You should also be careful of what you click on when using social media sites. There is a good chance you can be tricked into providing personal information by clicking on a fraudulent post or link. If a friend’s post seems suspicious you should avoid accessing it.
Being careful of what you post, creating a strong password, enabling two-factor authentication, and being careful of what you click on when using social media sites are all effective ways to securely use social media. If you have any questions or would like to learn more, please submit a ticket through the FIS portal.
24 May 2018
Home network security as defined by the United States Computer Emergency Readiness Team refers to the protection of a network that connects devices to each other and to the internet within a home. With technology becoming more and more prevalent in our daily lives, it becomes increasingly important to protect against security risks. This article hopes to better your understanding of the risks associated with being connected to the internet as well as the importance of properly securing your home networks and systems.
Most people are under the assumption that their home network will never be attacked. This is a very common misconception for a couple of reasons. Home users believe their network is not big enough to be at risk of a cyber attack, and they think the devices they are provided by companies such as Comcast and Verizon are plenty secure. This line of thought is wrong and can be costly because attacks can occur to any network connected to the internet no matter the size, and the devices you are provided by Internet Service Providers (ISPs) are preconfigured with factory issued settings such as default usernames and passwords that create opportunities for cyberattackers to gain unauthorized access to information, amongst other problems.
The good news is that there are ways to prevent these types of problems. By improving the security of your home network, you can significantly reduce the chances of being successfully attacked. The list below are ways to improve the security of your home network.
- Regularly update software as the updates often include critical patches and security fixes for the most recent threats and vulnerabilities
- Remove/uninstall unnecessary services and software to reduce security holes on a device’s system
NOTE: This is especially important on new computers as they are often pre-installed with many software and application trial versions
- Adjust factory default configurations on software and hardware because the configuration settings are created to be user-friendly and are not geared towards security
- Install up-to-date antivirus software and make sure to enable automatic virus definition updates
- Install a network firewall to block malicious traffic from entering your home network and alert you to any potential dangerous network activity
- Install firewalls on network devices to inspect and filter a computer’s inbound and outbound network traffic
- Back up your data on a regular basis to minimize the impact if your data is lost, corrupted, infected, or stolen
- Enable wireless security by:
- Using the strongest encryption protocol available
- Changing the router’s default administrator password
- Changing the default SSID (often referred to as the network name)
- Disabling WPS (WiFi Protected Setup)
- Reducing wireless signal strength
- Turning the network off when not being used
- Disabling UPnP (Universal Plug and Play) when not needed
- Upgrading firmware
- Disabling remote management
- Monitoring for unknown device connections
- Familiarize yourself with the most common elements of a phishing attack
- Create strong passwords by:
- Making the password long and complex
- Creating a unique password for each account
- Never use personal information within the password
For more information about home network security, please visit the United States Computer Emergency Readiness Team website.
When you are scrolling your Facebook feed or taking a Buzzfeed quiz online, do you answer historical questions? Questions about your childhood home, your family dog, or the first car you drove can expose you to cyber criminals. These seemingly harmless games can lead to Facebook or quizzes online can help the company store and potentially sell your data. That is not to mention the other people that are seeing your answers online.
You may think to yourself, who care if they knew my first dog was a Boxer named Luna. Well, if you ever used that as a security question to reset your password, you may be more concerned. These data-harvesting schemes have become more and more prevalent and give identity thieves and scammers easier ways to access your online accounts.
There are many examples of this but, lets take a look at a few from krebsonsecurity.com
San Benito Tire Pros created a post that says, “What car did you learn to drive stick shift on?” This seems like a harmless answer, but by answering this question you could be giving them the answer to “What was the make and model of your first car?” This questions is one of the most commonly used by banks and other companies to verify customers before they reset their password.
Another from Good Old Days asks “What was your first pet, and what was it’s name?” This one is a little more obvious as it directly asks the question that you will frequently see as your security questions from companies online.
This can also happen when Facebook pages post quizzes or articles but pose questions as their caption. Texas asked “What was your high school mascot?” with a link to the most unusual texas high school mascots.
Protect yourself online and don’t share your historical data or make sure you answers to security questions are fictional. However, then you have to remember what you wrote.
16 Nov 2017
The holiday season is here and we will be searching for the perfect gifts for many people in our lives. Shopping from the convenience of our own home is one of the greatest benefits of the internet. You don’t have to wait in line, stand in crowds, or even take off your pajamas. With this convenience, comes many cyber criminals creating fake shopping websites, sending phishing emails, and trying to steal from others.
Spot Fake Online Stores
Criminals can create fake websites that replicate the look of real sites or using the names or well-known stores or brands. When you are searching online for the lowest prices, you may find yourself directed to one of these websites. Below are ways to help identify fake websites:
- Shop with reputable merchants.
- Research the website. There are many independent sources that will give grades to websites. Places like Reseller Rating or Better Business Bureau can be very informative. Even entering the the URL into a search engine and looking at results can be informative.
- Check the merchant’s customer information and return policies. Do not provide a vendor with personal information or bank account numbers. Make sure that they will support you if you package is stolen or missing.
Your Computer and Mobile Device
Protecting your device is just as important as shopping at legitimate websites. Make sure to always install the latest updates and run up-to-date anti-virus software. This makes it much harder for a cyber criminal to infect your device. On top of that, if you have children, let them use a secure device. Not one where your credit card or bank information is stored.
Be Sure the Transaction is Secure
When you are in the checkout process, the web site should be using encryption called SSL (Secure Sockets Layer). SSL ensures secure transmission of your credit card information across the internet. You can tell if the web site is using SSL by look for https: (rather than http://) at the beginning of the web site’s address in the browser.
Your Credit Card Information
Never send your credit card numbers via e-mail. Although it is generally safe to enter your credit card number on a secure web site, it is not safe to send it through e-mail. E-mail is sent through the internet in clear text format, so it’s possible for someone other than the vendor to see it.
Keep a record of your transactions. Print or store the copy somewhere for your records. Check your credit card statements to verify you were charged the proper amount. Also, keep any e-mail confirmations about your order for later reference.
Consider using credit cards that generate a unique card number for every online purchase, such as PayPal, which do not require you to disclose your credit card number to the vendor.
If you do have a problem with an online vendor, first attempt to work it out with them directly. Don’t just rely on e-mail; call them as well. If you cannot resolve the problem to your satisfaction, contact your back and ask them to stop the payment. You can also use an online service such as SquareTrade to resolve your dispute.
Finally, you can file a complaint to the state Attorney General’s Office, post your experience on a site like Reseller Ratings, or contact the Better Business Bureau.
Take this quiz, Workplace Security Risk Calculator, to find out if you activities while at work are risky and what you can be doing on the front lines to protect our organization!