Cyber Security Awareness Month 2018 Archive
Week 1 - Security Considerations While Traveling
Personal devices like phones, tablets, and laptops often contain sensitive personal data and are valuable targets for thieves. When travelling, there are a few things to keep in mind to make sure your data and devices stay safe.
- Keep track of your things. Small devices like phones and laptops are easy for thieves to walk away with. Avoid leaving your devices unattended in public, in your car, etc. Additionally, never leave your devices in your checked bag on your flight.
- Use passwords on all of your devices. This will help protect your device from unauthorized access, whether someone is trying to quickly peek at your phone or if someone steals your laptop.
- Avoid entering your myLSU credentials into public computers if possible. Public computers are those that are available to any user in public places such as libraries, hotels or business centers. Since these computers are accessible by anyone at any time, there is an increased risk that the machine could be compromised.
- Learn about security features like “Find My Phone” and remote locking and wiping. Apple and Android phones provide security features that can allow you to track your phone, wipe your phone of sensitive materials after it has been stolen, and make it more difficult for a thief to sell your stolen device.
- Use device encryption whenever possible. Laptops and mobile devices often give you the ability to use full disk encryption. This prevents attackers from bypassing your password by accessing your device’s storage directly. Encryption is the best way to protect data from being accessed if a device is stolen.
- Consider using a Virtual Private Network (VPN) to further protect yourself on untrusted networks. To learn more about VPNs and how they work, reference the article linked here: https://thebestvpn.com/what-is-vpn-beginners-guide/
- Avoid open and unprotected Wi-Fi networks. Malicious users on an unsecured Wi-Fi network may be able to attack your devices or “sniff” your web traffic. When connected to an untrusted network, limit sensitive activities and make sure you are visiting websites over HTTPS connections, not HTTP connections. Communications sent over HTTP are not encrypted and can easily be read by anyone on the network; HTTPS encrypts communications between your browser and the website you are connected to. In addition to checking for the secure HTTPS indicator, always ensure the domain name exactly matches the site you intend to visit. The image below illustrates an example of what browsers may display when a site is delivered over HTTP vs. HTTPS.
- Protect Your Identity
- Protect Your Mobile Device
- All About Encryption
Week 2 - Phishing
Are you familiar with email phishing? Can you effectively spot a phishing email? How do you define social engineering? See below to learn more!
Phishing is an attempt by malicious actors, pretending to be a legitimate enterprise, to steal private information such as usernames and passwords, Social Security Numbers (SSN), dates of birth, and banking information.
LSU receives phishing emails on a constant basis. To protect yourself, become familiar with the “anatomy” of a phishing email. If you come to know some of the common indicators of a phish, you will be able to spot them more easily. Click on the image below for details:
Reporting a Phish
So now that you can spot a Phish, what do you do when you receive one? The IT Security and Policy Team (ITSP) has implemented a phishing reporting tool called PhishMe Reporter. The application conveniently integrates directly with Outlook mail clients and Office365, providing LSU Faculty, Staff, and Students a quick and easy mechanism to report phishing e-mails.
For specific instructions on how to utilize PhishMe Reporter to report a phishing e-mail to LSU ITSP, please read the GROK article here - https://grok.lsu.edu/Article.aspx?articleid=19636.
If PhishMe Reporter is not an available option for you, please report phishing messages to LSU ITSP as outlined here - https://grok.lsu.edu/Article.aspx?articleid=17107#Reporting
What if you've been hooked?
If you believe you have fallen for a phish, please take the following actions:
- If you accidentally shared your username and password, change your password immediately. NOTE: The new password must be unique and must not have been used anywhere else. If you use the same password for different services, you must change the passwords for those other services as well.
- If you shared your banking information (credit card, debit card, bank account number, etc.), reach out to your financial institutions immediately and take the steps recommended by each institution.
- If you shared any other personally identifiable information (Social Security Number, date of birth, etc.), take the necessary steps to monitor your credit for any unauthorized changes. It is also a good idea to place a freeze on your credit with all credit bureaus.
Phishing attacks are not isolated to emails. Attackers may contact you over the phone as well, even spoofing numbers that appear legitimate. Using the telephone system to maliciously gain access to private personal information is what is referred to as “vishing” or voice phishing.
To protect yourself from vishing, ITSP recommends the following:
- Be suspicious of all unknown callers
- Don't inherently trust caller ID. Remember, telephone numbers can be spoofed, i.e. the number on caller ID may not be the actual number calling you.
- If you are unsure about a caller, ask lots of questions. If a caller is asking for personal information or wants you to purchase something, ask for company information and inform them that you will call back. You can then search for the company and its customer support number to call back and confirm.
In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.
How do you avoid being a victim?
- Be suspicious of unsolicited phone calls, on site visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Do not provide personal information or information about your organization, including its IT infrastructure or networks, unless you are certain of a person's authority to have the information.
- Do not allow access or hold doors open to areas that contain sensitive technology or data. Yes, holding a door open is polite, but areas containing sensitive data require badge scanning for a reason or other physical security mechanisms. Ensure the door closes behind you.
What do you do if you think you are a victim?
- If you believe you might have revealed sensitive information about your organization, report it to the appropriate leadership within the organization, including security and network administrators. They can be alert for any suspicious or unusual activity.
- If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
- Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
Week 3 - Internet of Things (IoT)
Are you familiar with the Internet of Things (IoT)? Are you using IoT devices? Are you aware of the security risks associated with IoT? See below to learn more!
Everything is becoming increasingly connected in what is referred to as the “Internet of Things.” Our networks have moved from connecting only our computers to printers, cameras, phones, tablets, toys, “Smart” home hubs, speakers, and even appliances like refrigerators and washing machines!
One problem with many IoT devices is that they are set-and-forget, so they don’t usually get the care and attention devices like computers get to keep them safe. Here are a couple of tips to protect your IoT devices:
- If you don’t have to connect it to the internet, don’t!
- Make sure to set a password on the device. Devices with no or default passwords can be hacked and used to spy on you or to participate in botnets.
- Check for firmware updates from the device often. Firmware updates are an important way to make sure that discovered vulnerabilities are taken care of.
- If a device is no longer supported, take it offline or replace it. Do research to avoid buying products from vendors who do not maintain updates for their products.
- Never set up port forwarding on your router for IoT devices until you are sure the device is up to date, has a good password, and you are fully aware of the implications of what you are configuring.
Securing Your Home
IoT Devices used for Botnets
Basic IoT Security Tips
Week 4 - Passwords
How secure is your password? Are you familiar with password best practices? Do you understand the benefits of password generators?
Creating a strong password is key to protecting your personal information. In general, the longer and more diverse your password is, the more difficult it will be for an attacker to crack. See below for information about password rules at LSU and other general password best practices.
Regarding password length, LSU offers two options to the user community, with a longer password expiring less frequently:
- Option 1 requires 10 – 14 characters, with an expiration every 60 days.
- Option 2 requires 15 or more characters, with an expiration every 180 days.
Password Best Practices
Beyond password length, ITSP recommends several best practices to help strengthen your credentials for PAWS, LSUMail and any additional accounts you may own. Follow the best practices outlined below, and you will have greatly improved your online security posture.
- Use a variety of characters
- Use a variety of characters, including numbers, upper case letters, lower case letters, and special characters (e.g. ~, @, #, $, %).
- Create a passphrase
- Passphrases are phrases that you can easily remember and can also be translated into characters. For example, the phrase “I saw Mike the Tiger at LSU in 2006” can be translated to “iSmtT@LsUi2006”.
- Never share with others
- Anyone with access to your password has access to your personal information, and therefore can impersonate you online. This includes being able to alter your financial information, make purchases, send emails addressed as you, etc.
- Use different passwords for different accounts
- If the same password is used across multiple applications and an attacker manages to get access to your password, they can then compromise all of your accounts with that one password. Using different passwords for different applications ensures that all of your accounts won’t be compromised if one of your passwords is cracked.
- Change your password periodically
- Changing a password periodically allows for less time for attackers to obtain a particular password.
- For personal accounts, consider a password manager
- If you struggle to create and remember complex passwords, consider a password manager for your personal accounts (e.g. LastPass, Dashlane, Keeper)
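To make the rules above concrete, here is an added example (not an LSU tool or code from this page) of a small password-policy checker. It implements the two LSU length tiers and expiry periods stated above (10 – 14 characters / 60 days, 15+ characters / 180 days), the character-variety advice, and the rule from the phishing section that a new password must not have been used anywhere else. The function and field names, the choice of Python's ASCII punctuation set as "special characters", and the assumed minimum of three character classes are this example's own assumptions; the page gives no exact class count.

```python
import string
from dataclasses import dataclass, field

# Character classes named in the best-practices list above. Python's ASCII
# punctuation set is an assumption for "special characters"; it contains ~ @ # $ %.
SPECIAL_CHARS = set(string.punctuation)

# Length tiers from the LSU policy text: (minimum length, expiry in days).
OPTION_1 = (10, 60)    # 10-14 characters, expires every 60 days
OPTION_2 = (15, 180)   # 15 or more characters, expires every 180 days


@dataclass
class PolicyResult:
    option: int                 # 1 or 2 when accepted, 0 when rejected
    expiry_days: int            # 60, 180, or 0 when rejected
    classes: int                # distinct character classes present (0-4)
    problems: list = field(default_factory=list)

    @property
    def accepted(self) -> bool:
        return self.option != 0


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, special) appear."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIAL_CHARS for c in password),
    )
    return sum(checks)


def evaluate_password(password: str, previous=(), min_classes: int = 3) -> PolicyResult:
    """Classify a candidate password against the rules described above.

    `previous` holds passwords already used on this or any other account; the
    text says a new password must not have been used anywhere else.
    `min_classes` (assumed value 3) is this example's reading of "use a variety
    of characters".
    """
    problems = []
    classes = character_classes(password)
    length = len(password)

    if password in previous:
        problems.append("reused: the new password must not have been used anywhere else")
    if classes < min_classes:
        problems.append(f"only {classes} character class(es); use at least {min_classes}")
    if length < OPTION_1[0]:
        problems.append(f"too short: {length} characters, minimum is {OPTION_1[0]}")

    if problems:
        return PolicyResult(0, 0, classes, problems)
    if length >= OPTION_2[0]:
        return PolicyResult(2, OPTION_2[1], classes)
    return PolicyResult(1, OPTION_1[1], classes)


if __name__ == "__main__":
    # Constructed sample inputs; the first is the passphrase example from the text,
    # the other two are made up for this example.
    for candidate in ("iSmtT@LsUi2006", "Mike-the-Tiger-roars-2006", "tiger2006"):
        r = evaluate_password(candidate)
        print(f"{candidate!r}: option={r.option} expiry={r.expiry_days} "
              f"classes={r.classes} problems={r.problems}")
```

Run as written, the passphrase example from the text, “iSmtT@LsUi2006”, is 14 characters with all four character classes, so it lands in Option 1 with a 60-day expiry; lengthening a passphrase past 15 characters moves it to Option 2 and the 180-day expiry, which is the practical payoff of the passphrase advice.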
For more information about creating strong passwords, please feel free to reference any of the links below.
Create and Manage Strong Passwords:
- Tips for Strong, Secure Passwords
- What Makes A Strong Password
- Examples of Weak and Strong Passwords
Week 5 - E-commerce and Online Shopping Tips
E-commerce is fast and convenient, but it comes with some inherent risks. Do you know how to protect yourself while shopping online? See below to learn some tips and tricks!
Practicing good account and web safety can help protect your credit cards and bank accounts. Be mindful of where you enter credit card and banking information. Only use secured, trusted sites. If a deal seems too good to be true, or a site seems a little sketchy, don’t give up your info! For any page that is asking for logins or payment information, make sure you’re accessing the site over “https” and you have the secure lock indicator in your browser.
In addition to making sure you can trust the site, make sure you can trust the device you’re purchasing from. A computer or phone that has a virus or other malware can be made to steal your banking account passwords and credit card information. Do not enter payment info or passwords on public computers. Keep your anti-virus software on your personal machines up to date.
When possible, avoid saving your banking or card information on websites and even in your browser. This will prevent your cards from being abused if someone accesses your account or computer.
For accounts that do have your payment information saved, or that protect other personal financial data, make sure to use unique, strong passwords and enable two-factor authentication wherever possible.
Although the autofill function in web browsers like Google Chrome can make life a bit easier by saving you time and effort, it can also be a dangerous feature. Learn more about the dangers of the autofill feature by clicking the link below:
Two-factor authentication can be beneficial when shopping online. Click the link below to learn why using two-factor authentication is one of the most effective ways to reduce cyber crimes such as hacking, identity theft and phishing:
Shopping online can be convenient, but it also comes with risks. Check out any of the links below for further shopping tips and more info on how to protect yourself online:
Your credit card information is always at risk for theft. Click the link below to learn more about credit card safety when shopping online:
Malware can be used against individuals to gain information such as personal identification numbers, bank account numbers or credit card numbers. Click the links below to learn more about Malware and the dangers associated with it:
Online scams and fraud are difficult to identify because they look legitimate. Click the links below to learn how to recognize fraud, how to avoid falling victim to online scams, the actions you should take if you feel you've been a victim of a scam or fraud and how to educate and protect children and elders against online scams and fraud:
- Practical Tips To Avoid Fraud
- Steps to Avoid Scams
- Most Recent Scam Alerts
- What to Do After Being Scammed Online
- Teach Your Kids to Avoid Online Scams
- Protecting Seniors Against Fraud