Increased Cyber Threats Due to COVID-19

Security agencies around the world are sounding the alarm as hacking groups and nation state threat actors are taking advantage of the COVID-19 crisis.  A joint advisory published last week by the UK’s National Cyber Security Centre (NCSC) and US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) shows that cyber-criminal groups are increasing attacks against individuals and organizations around the world with ransomware and malware.

Many of these attacks are phishing campaigns appearing to come from high level members of organizations tasked with fighting the threat of COVID-19.  One such attack appeared to be from the Director-General of the World Health Organization (WHO).

Preying on Fear

One of the main reason attackers have shifted tactics is related to the fear that this global pandemic has created.  The daily news cycle has given us plenty to worry about with stories of death, food and equipment shortages and an unknown timeline for resolution.

This climate of fear and uncertainty gives attackers a lot of leverage using our human behaviors and impulses.  It’s easier for attackers to trick users into making a mistake.  We are being overwhelmed with information and news that comes from the communications about the pandemic.

Remote Work Force

With stay-at-home orders and organizations moving non-essential personnel out of the office, we have a significant increase in full time remote workers.

Under normal circumstances IT departments with a focus on security work hard at keeping the corporate network safe.  Many layers of security controls are considered and constantly being re-worked to keep employees and information safe.

A lot of this changes with remote workers.  Organizations are less able to control what types of threats exists on home networks.  Attackers know that more workers are at home where the level of security is much lower.  They also know that since remote workers are connected directly to the organization via cloud applications and VPN’s, if they are able to compromise workers home networks, they can often get access to the connections being made to the organization.  This is why digital hygiene is so important not only in the workplace but also at home.

So, you may also be asking yourself how does this affect me and my work at DMU?  The short answer is that we have implemented some key measures to ensure that home networks are not a security vulnerability when accessing our organizational resources.  This is one reason why we require the use of DMU-issued hardware so that we can configure many of the security controls that keep you and the organization’s network safe.  The recent addition of two-step verification to our Office 365 environment and applications significantly reduces the risks associated with connections being made from home networks.  Our VPN also requires the same two-step verification which protects from attackers gaining access to our network.  Please be vigilant and contact our Help Desk if you notice anything out of the ordinary.

Healthcare and Education are Targets

Cyber-criminals are using the pandemic for commercial gain by using ransomware and malware to gain access to systems for profit.  Basic social engineering tactics are used by threat actors to trick users into carrying out a specific action.  For instance, phishing messages which automatically install a CryptoLocker ransomware application.  The phishing message is the social engineering, taking advantage of human error, and CryptoLocker is the malicious software.

The most lucrative businesses continue to be healthcare, finance and education.  These industries have valuable information.  Couple that with a distracted workforce from the pandemic and you can see why our industries (healthcare and education) are the among the most targeted sectors.

Your Responsibility!

You have a responsibility to help keep our organization safe and we can’t do it without you.  By working together, we can all increase our awareness and pay attention to the details in our digital communications.

By now we should all have some basic understanding of how threats enter our environment and what potential harm they may create.  Where our vigilance comes in, is understanding what attackers are going to try to use against us.  Right now, they are increasing the use of COVID-19 messaging to prey on our fears. This causes us to react quickly and make a mistake by clicking that button and giving away our personal information or installing something malicious.

Examples of phishing email subject lines from CISA and NCSC included:

• 2020 Coronavirus Updates,
• Coronavirus Updates,
• 2019-nCov: New confirmed cases in your City, and
• 2019-nCov: Coronavirus outbreak in your city (Emergency).

Our best line of defense is YOU.  Educate yourself on threats and take a step back to assess every digital interaction you receive to determine if it’s a threat.  Always verify you are on a company’s legitimate website before entering login details or sensitive information.  Through your diligence, you keep your personal information and our organization safer.

Here are some excellent tips for staying safe: https://www.interpol.int/en/Crimes/Cybercrime/COVID-19-cyberthreats

https://www.us-cert.gov/ncas/alerts/aa20-099a

https://www.inforisktoday.com/uk-us-security-agencies-sound-covid-19-threat-alert-a-14085

by: Andrew Violet, Sr. Security Analyst
andrew.violet@dmu.edu

 

 

 

Be Smart! Protect Your Connected Devices

Smart/IoT devices may be the panacea for consumer convenience. Do you want to know and change the temperature of your house or even your fridge remotely? There’s an app for that. Such devices also raise extreme privacy concerns about the data collected about you. Devices can track or discern details about your life based on usage and interaction. And that data could potentially be aggregated with data coming from other smart devices, painting a fairly robust and accurate profile of you and your life. My fitness-tracking device serves as my wake-up alarm. Not only does it track the time that I set for the alarm, it also tracks my interaction when I shut it off. Maybe your coffee maker tracks when you start the brew (mine doesn’t because I’m Coffee Old School). My car tracks what time I start it, how far I drive it, and the GPS location where I park it. These data points are provided to me as the consumer but are also presumably stored by the device provider. It’s only 9:00 a.m. and my smart world already has collected or observed several key privacy factoids about me. And where data exist, risk to data exposure also exists.

Devices geared toward consumers will continue to push convenience over privacy, and consumers will continue to call for greater connectivity and convenience. That means more connected devices and ongoing evolution for more information, interaction, integration, and automation. It’s no longer a question of whether your home devices should be connected. Instead, we need to proactively assess the risks of such connectivity. When those risks are greater than our threshold risk tolerance, we need to take steps to minimize those risks.

Take the following steps to protect yourself when you start using a new device:

• When you bring home a new consumer device, check to see if it’s transmitting. Ask whether you need that device to be connected. What are the advantages of having your fridge broadcast the whereabouts of your cheese? Is the potential to activate remote maintenance with the device provider important to you? Do you want to interact with that device remotely? Then by all means, keep that connection. If you don’t need the maintenance options or to monitor or interact with the device remotely, turn off the device’s connectivity.
• Periodically scan your networks to make sure you know and manage what’s online. If you want devices to be connected, be proactive. Find out how they connect; how devices are patched; what the default security settings are; and what data are collected and how/when/where the data are transmitted. Protect your home wireless network(s) with strong password management, active maintenance practices, and vigilance.
• Use the same cybersecurity hygiene on your smart devices that you use on your computer. While it may be revolutionary that your car is now essentially a computer on wheels, it’s still just a computer. You don’t have to become a cybersecurity expert, but you may want to find a few trusted sources of security advice for consumers.

It’s time to get smart about your devices, manage them appropriately, and reap the rewards of their convenience.

Mobile Device Security Tips

As you embark on a new school year, it is a good idea to pay attention to the security of your mobile device.  With an increasing amount of sensitive data being stored your personal devices, the value and mobility of smartphones, tablets, and laptops make them appealing and easy targets. These simple tips will help you be prepared in case your mobile device is stolen or misplaced.

• Encrypt sensitive information. Add a layer of protection to your files by using the built-in encryption tools available on your phone or tablet.  Some phones just need a password to enable encryption.  Others require you to specifically turn on encryption.  Refer to your device documentation for more details.
• Secure those devices and backup data! Make sure that you can remotely lock or wipe each mobile device. That also means backing up data on each device in case you need to use the remote wipe function. Backups are advantageous on multiple levels. Not only will you be able to restore the information, but you’ll be able to identify and report exactly what information is at risk. (See Good Security Habits for more information).
• Never leave your devices unattended in a public place or office. If you must leave your device in your car, place it in the truck, out of sight, before you get to your destination, and be aware that the summer heat of a parked car could damage your device.
• Password-protect your devices. Give yourself more time to protect your data and remotely wipe your device if it is lost or stolen by enabling passwords, PINs, fingerprint scans, or other forms of authentication. (See Choosing and Protecting Passwords.) Do not choose options that allow your computer to remember your passwords.
• Put that shredder to work! Make sure to shred documents with any personal, medical, financial, or other sensitive data before throwing them away.
• Be smart about recycling or disposing of old computers and mobile devices.Properly destroy your computer’s hard drive. Use the factory reset option on your mobile devices and erase or remove SIM and SD cards.
• Verify app permissions. Don’t forget to review an app’s specifications and privacy permissions before installing it!
• Be cautious of public Wi-Fi hot spots (e.g., hotels or coffee shops). Avoid financial or other sensitive transactions while connected to public Wi-Fi hot spots.
• Keep software up to date. If the vendor releases updates for the software operating your device, install them as soon as possible. Installing them will prevent attackers from being able to take advantage of known problems or vulnerabilities. (See Understanding Patches and Software Updates.)

What can you do if your laptop or mobile device is lost or stolen? Report the loss or theft to the appropriate authorities. These parties may include representatives from law-enforcement agencies, as well as hotel or conference staff. If your device contained sensitive institutional or student information, immediately report the loss or theft to the ITS Help Desk so we can act quickly.

Associate CIO and Director of Educational Technology Named

As of May 1, the ITS leadership will include an Associate CIO and a Director of Educational Technology.  Please join us in congratulating Keith Grey as our new Associate CIO and Carlyn Cox as our new Director of Educational Technology!

These changes are part of a larger effort to plan for the future and better support the community.  They will allow for improved support and operations, will increase synergies within ITS, will elevate the educational technology function, and required no additional funding from the university!

Keith Grey, Associate CIO

As the Associate CIO, Keith will be responsible for Infrastructure (networking, servers, storage, etc.), Enterprise Applications (Colleague, Pulse, Business Intelligence, etc.), the Help Desk, and Information Security.  This position will focus on excellence in operations and technical support.

Keith just celebrated his 5 year anniversary at DMU.  Over the past 5 years, he has served as the Director of Infrastructure and Information Security Officer.  He has in depth experience in all areas and brings technical expertise as well as strengths in collaboration and teamwork.  Keith has been a key contributor to many of ITS’ initiatives over the past 5 years, including wireless network upgrades, information security improvements, building redundancy into our infrastructure and forging partnerships throughout the university.

Carlyn Cox, Director of Educational Technology

As the Director of Educational Technology, Carlyn will be responsible for implementing projects to enhance education and engagement through the innovative and effective use of technology in teaching and learning.  This includes support of our Learning Management System, other educational applications, multi-media, and classroom technology.

Carlyn has both an education and innovation background.  She has many accomplishments under her belt after two years at DMU and has leveraged her ability to design, document and improve processes and manage vendors to make major improvements to D2L, implement Panopto, and run the ExamSoft Pilot, to name just a few.

 

 

 

New Ways to Connect with ITS

We now have multiple ways for you to get your updates and information from ITS!

Check out our Web Site!

Identity Theft is Real

The threat of identity theft (ID theft) is real, and it can take months or years to recover once you become a victim. Recent statistics show that each year approximately 15 million U.S. residents have their identities used fraudulently. In addition, nearly 100 million Americans have their personal information placed at risk of theft each year when records in databases are lost, stolen, or accessed by unauthorized individuals. EDUCAUSE research shows that 21% of respondents to the annual ECAR student study have had an online account hacked, and 14% have had a computer, tablet, or smartphone stolen. Here are some tips to help prevent ID theft:

• Read your monthly statements carefully. Review bank, credit card, and pay statements, as well as other important personal accounts (e.g., health care, social security). If a statement has mistakes, charges you don’t recognize, or doesn’t arrive when expected, contact the business.
• Shred outdated documents. Make sure you shred any documents that show sensitive financial or medical information before you throw them away.
• Be careful when sharing personal info. Avoid responding to pop-up ads, e-mails, texts, or phone messages that ask for personal information such as your Social Security number, password, or account number. Legitimate companies don’t ask for information in this way.
• Protect your online accounts. Create strong passwords or passphrases that are at least eight characters long and include a mix of letters, numbers, and special characters. Don’t use the same password or passphrase for multiple accounts.
• Limit use of public Wi-Fi. If you must use a public wireless network, make sure it is fully encrypted before sending sensitive information. Use HTTPS (for websites) and SSL (for applications like e-mail) whenever possible, and use a VPN (virtual private network) if you have access to one. Save your most sensitive browsing and work for when you are in a place where you know the Wi-Fi is secure.
• Use secure devices. Whenever possible, encrypt your hard drive, make sure operating system and application software and plug-ins are up-to-date, and install antivirus software (and keep it current).
• Keep personal information private. Limit what you share on social media. For instance, don’t share your vacation pictures publicly until you return home (so thieves don’t target your empty home).
• Review your credit report every year. You can request a free annual credit report.

If you’ve been a victim of ID theft:

• Create an Identity Theft Report by filing a complaint with the Federal Trade Commission online (or call 1-877-438-4338).
• Use the Identity Theft Report to file a police report. Make sure you keep a copy of the police report in a safe place.
• Flag your credit reports by contacting the fraud departments of any one of the three major credit bureaus: Equifax (800-525-6285); TransUnion (800-680-7289); or Experian (888-397-3742).

New Phone System Coming to DMU

The university has heard the feedback from our faculty & staff about our current phone system and we have listened.  A new phone system is coming!  The phone system is Skype for Business with Microsoft Unified Communications and will have some terrific advantages including:

·         New phones for everyone
·         Integrated instant messaging
·         Video/Web conferencing
·         Integration with Microsoft Office
·         Voice mail transcription
·         Mobile capabilities
·         Telepresence 

ITS is in the beginning stages of the project, but moving fast.  We are currently building out the infrastructure (servers, gateways, phone lines, etc.) with our vendor, Enabling Technologies, and plan to start a pilot phase in the spring.  As we progress further with the project, we will be providing monthly updates regarding the transition and implementation timeline of the project.  We are extremely excited about this work and hope you are too. 

Don’t Get Hooked

You may not realize it, but you are a phishing target at school, at work, and at home. Ultimately, you are the most effective way to detect and stop phishing scams. When viewing e-mail messages, texts, or social media posts, look for the following indicators to prevent stolen passwords, personal data, or private information.

* Beware of sketchy messages. Phishy messages may include a formal salutation, overly-friendly tone, grammatical errors, urgent requests, or gimmicks.

* Avoid opening links and attachments. Even if you know the sender, don’t click on links that could direct you to a bad website. And do not open attachments unless you are expecting a file from someone.

* Verify the source. Check the sender’s e-mail address to make sure it’s legitimate. If in doubt, just delete the message.

Resources

• Learn more about spam and phishing or hacked accounts from the National Cyber Security Alliance.
• The FTC provides more information for consumers about phishing scams and how to spot them.
• The Anti-Phishing Working Group also provides consumer advice, as well as games and quizzes.

DMU Wellne$$ Pay$ Goes Mobile!

Are you taking advantage of DMU’s Wellne$$ Pay$?  If you are not because tracking is inconvenient, you’re in luck!  A new mobile app is now available that allows you to track your activity for Wellne$$ Pay$ from your iPhone or Android device.

Use the app to track all of your wellness activities on the go, including:

• Cardiovascular activities
• Strength training activities
• Flexibility activities
• Community Service
• Regular Blood Sugar Checks
• Intellectual Wellness
• Social Wellness
• Mind / Body /Spiritual Wellness

Ready to download?
The app itself is compatible with iPhone and Android and is available to download from the App Store or Google Play.

If you have any questions or would like further information on the mobile app, please contact the ITS Help Desk.

Safe Computing Best Practices

Technology alone cannot protect us from security vulnerabilities.  Hackers exploit human vulnerabilities and this is one of the main causes of security breaches today. Following the best practices below will help at work and at home. If you access DMU resources from a home computer, you will need to implement these steps yourself.

1. Passwords. Use strong passwords, and use different passwords for different types of systems (e.g., don’t use your DMU systems passwords on social media sites, and use yet different ones for your financial sites, etc.), and never, ever share your passwords with others.
2. Malware. Scan all files downloaded from the Internet, and otherwise loaded onto any of your computing systems, with anti-virus software and then use those files with caution.
3. Encryption. Encrypt stored sensitive and critical information such as educational records, Social Security Numbers, identification numbers (GWID), and credit cards numbers. Also encrypt non-public information that is sent through the public Internet.
4. Protect information. Do not put or leave University information in locations where unauthorized individuals can see it.
5. Network access. Do not connect other networks to DMU networks; contact the CIO if you have such a need.
6. No snooping! Only access information needed to perform your work responsibilities.
7. Don’t fall for it. Watch out for requests (through email, by phone, or online) asking you for DMU information. Crooks often use such social engineering and phishing messages to trick you into divulging confidential information.  Your ITS Department, including the Help Desk will never ask you for your login and password information.
8. Be alert! Notify the CIO or Director of Infrastructure/ISO immediately of you suspect any information security problems, or have any information security incidents, such as disclosed passwords, or lost/stolen access control mechanisms.