Cyber Security
Information security is a collective responsibility. Every member of the campus community
plays a significant role in protecting the College’s electronic resources and information.
When considering these issues, please remember that your information is stored someplace
on campus, so when you are dealing with the College’s electronic resources and information,
you are really protecting your information as well as others'. It is also important
to realize that any personal information that you may post on the internet could open
you up to information security issues.
SUNY Orange Information Technology Services (ITS) is committed to keeping student,
faculty, and staff sensitive information safe from ongoing cyber threats. Protecting
the confidentiality, integrity, and availability of SUNY Orange’s information from
unauthorized use, access, disclosure, modification, damage, or loss is a main area
of focus for ITS. The sections below will help you understand the sensitivity of that
information and teach you how to protect it and yourself from compromise.
Ransomware: Higher Education at Risk
It has been 30 years since the first ransomware attack. A Trojan virus targeted HIV/AIDS researcher’s data that cybercriminals took control of and demanded a check mailed to an address in Panama to regain access to their work. Modern ransomware has evolved to demand bitcoin, a digital form of untraceable currency to decrypt files on your system. This first started in 2013 with the Cryptolocker variant.
49 of 182 reported ransomware attacks in 2019 came from educational institutions. Only municipalities reported a higher number of with 70 ransomware incidents while the healthcare industry reported 27 attacks. Many cities have recently been in the national news because of ransomware attacks (Baltimore MD, Atlanta GA and Albany NY). Cybercriminals also target the financial and healthcare industries for financial gain.
Higher education and K – 12 schools have become the target for ransomware activity. Financial gain is not always a cybercriminals endgame in our case though. This is because educational institutions house vast amounts of data. Personal Identifiable Information (PII) related to FERPA, SOX, PCI and GLBA, Electronic Protected Health Information (ePHI) related to HIPAA and research databases are all at risk. College databases are valuable to cybercriminals for this reason.
Much of the vast amount of data that resides within educational institutions is known as “fresh data” in the cybercrime community. Many of the students who attend SUNY Orange have a clean financial history, making their data worth more than an adult who has bills, car payments, a mortgage, etc. This reduces the value of adult records compared to student data in the eyes of cyber-criminals selling information on the dark web.
Please follow the tips below to help prevent ransomware from affecting you or the college.
- Turn your computer off at the end of the day to ensure the latest patches are installed
- Backup your important files regularly by saving information on external drives at home and network drives on campus. Keep important data in at least two places AND make sure the OTHER place is not directly accessible by your computer
- Install, use, and keep security software up-to-date (such as antivirus, antimalware, and antispyware)
- Do not open unexpected emails, attachments, or visit website links in messages (email, chat, texts, etc.) unless you know who is sending them and why they have been sent
- Do not click on links in pop-ups while browsing.
- Use an account that is not “Administrator” or “root”
- Enable features to “show file extensions” on your operating system
- Disable Macros in email programs and editing programs like Microsoft Word and Excel. If you do need Macros, enable them on a file-by-file basis
- For administrators: Practice the principle of “Least Privilege;” minimize access to files and applications needed to do your job or work
To Learn More:
https://its.ny.gov/security-advisory/cisa-ms-isac-nga-nascio
https://www.fbi.gov/contact-us/field-offices/portland/news/press-releases/fbi-tech-tuesday-building-a-digital-defense-against-ransomware-at-home
https://www.dhs.gov/cisa/blog/2019/08/21/cisa-insights-ransomware-outbreak
In the News:
https://www.insidehighered.com/news/2019/07/15/hackers-demand-2-million-monroe-college-ransomware-attack
https://www.darkreading.com/threat-intelligence/ransomware-strikes-49-school-districts-and-colleges-in-2019/d/d-id/1335872
https://www.neagle.com/news/20190913/school-district-computers-paralyzed-in-attack
https://www.ibtimes.sg/malicious-cyber-threat-forced-this-us-university-shut-down-its-it-services-32254
https://thecrimereport.org/2019/09/04/cybercriminals-attacking-schools-governments-with-ransomware/
Email Security at SUNY Orange
The quickest and most efficient way for you to be sure that your SUNY Orange emails are secure is to use only official sunyorange.edu email to correspondence with students, professors and staff members. Due to state and federal privacy regulations, only correspond with your official sunyorange.edu email account when handling college business. By doing so, the contents of the email will be encrypted within the SUNY Orange email system and will also help you make sure that you are not being phished since you will be able to confirm that the email came from a sunyorange.edu email.
Phishing
A phish is an email or a text message that looks legitimate but is actually fraud. Phishing attempts look like they are from a trusted source, such as your bank, your employer, or a friend/coworker, but they are really from hackers and scammers. The email tries to trick you into clicking on a link that will download malware onto your computer or reveal a password, an account number, or other private information.
If a phisher can get that information, they could gain access to your email, bank, or other accounts. Scammers launch thousands of phishing attacks like these every day—and they are often successful. The FBI’s Internet Crime Complaint Center reported that people lost $30 million to phishing schemes in 2017.
How to recognize and avoid Phishing Email
Scammers often update their tactics, but there are some signs that will help you recognize a phishing email or text message. Protect yourself and others by scrutinizing every email you receive at home and on campus. Here are a few examples of the most often-used phishing techniques:
- An unexpected email from a bank, a credit card company, a social networking site, an online payment website or app, or an online store.
- An email that asks you to click a link or open a file
- If someone in suggests negative consequences if you don’t do as they say
- If there are spelling, grammar, or formatting errors
- A phishing email will often tell you it is going to ask for a sign-in once you click the link. Phishing emails often point you to a bogus web page set up to capture login credentials or other information.
- They will often say that they have noticed some suspicious activity or log-in attempts
- Can include a fake invoice
- “You’re eligible to register for a government refund”
- “Click here for a coupon for free stuff”
- Deal with finances, private data, or other sensitive topics that say you must confirm some personal information
- Virtually any email that claims that there is a problem with your account or your payment information
- Threaten to close your account or delete it. If you are not sure, call the sender at a known contact phone number (such as the one on the back of your credit card or on a bill that you receive from the company). Do not click on any links or call a phone number in the email.
- If you are unsure about a link, move your cursor over the link and wait. The website it links to will appear and you can see if it matches what the email says.
When you get an email that looks suspicious, here are a few things to check:
- Check that the email address and the sender name match
- Check if the email is authenticated
- Check the message headers to make sure the "from" header is not showing an incorrect name or email address
Google Phishing Quiz
https://phishingquiz.withgoogle.com
Learn more about Phishing:
https://www.rapid7.com/fundamentals/phishing-attacks/
https://www.us-cert.gov/ncas/tips/ST04-014
https://www.us-cert.gov/ncas/tips/ST04-013
http://www.antiphishing.org/
http://www.ftc.gov/bcp/edu/microsites/idtheft/
https://www.us-cert.gov/security-publications/recognizing-and-avoiding-email-scams
Business Email Compromise aka BEC
BEC is a sophisticated scam targeting businesses that often work with foreign suppliers and/or businesses and regularly perform wire transfer payments. The Email Account Compromise (EAC) variation of BEC targets individuals who regularly perform wire transfer payments. It should be noted while most BEC and EAC victims reported using wire transfers as their regular method of transferring business funds, some victims reported using checks. The fraudsters used the method most commonly associated with their victims’ normal business practices. Both scams typically involve one or more fraudsters, who compromise legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
According to the Internet Crime Complaint Center (IC3), BEC complaints share some common characteristics. Businesses that use open source email services are targeted frequently, for example, as are employees who handle wire transfers. The scenario often plays out like this: An email arrives that appears to be from a high-level executive within the company — or even a business partner or company attorney. Since the email address has been spoofed, it appears to be legitimate. A request for a wire transfer is included in the email, which urges the recipient to take immediate action. The fraudulent email might claim, for example, that a supplier requires prompt payment for a service rendered. IC3 reported multiple instances of fraudsters impersonating lawyers and reaching out to potential victims to handle supposedly confidential or time-sensitive matters.
Keep in mind: Requests for money might ultimately come via a phone call. While BEC is initiated over email, criminals can use various modes of communication to complete the fraud.
How to spot BEC
Criminals do a lot of homework — and seek a variety of information — when targeting a victim, including:
- General information about the company (i.e., where it does business and with whom)
- Names and titles of company officers
- Management organizational structure
- Information about new rounds of funding
- Information about new products, services, and patents
- Product or geographic expansion plans
- Travel plans
Tips to avoid BEC
- Verify changes in vendor payment location by adding additional two-factor authentication such as having secondary sign-off by company personnel.
- Confirm requests for transfers of funds by using phone verification as part of two-factor authentication; use previously known numbers, not the numbers provided in the e-mail request.
- Carefully scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.
Phishing and Business Email Compromise Examples:
https://www.boisestate.edu/oit/2019/01/30/are-you-available-email-phishing-scam/
Password Best Practices
Passwords can be the bane of our technological existence if not managed appropriately. We here in the SUNY Orange ITS department feel your pain. We have passwords for servers, passwords for switches, personal passwords, and passwords for services and well, we could probably continue for half this article with the various passwords that we need to use on a daily basis. This is a big reason that we are pushing to get more services behind the Single Sign-On (SSO) Mansion page. Each service we can get behind SSO is one less password that we all need to remember. With all of that in mind, we want you to think of passwords like toothbrushes…you want to choose a good one, never share it and replace it quarterly. The best password is actually a strong passphrase, impossible to forget and difficult to guess, even for a person that knows personal details about you, such as, the name of the street you grew up on.
The worst kind of password is one that everyone uses, can be easily guessed or uses common phrases and words.
Follow the tips below to minimize the risk of passwords becoming compromised.
- Never repeat passwords for different accounts
- Change passwords every three months. User names and passwords that have been obtained through data breaches may be used by cybercriminals to attempt to gain access to your accounts.
- Ensure that no one is watching as you enter your password (“shoulder surfers”)
- Scan files that are downloaded with antivirus software to detect any malicious content such as key-loggers or password grabbing malware.
- Use a cloud-based password manager if you have many accounts
To add an extra layer of security, use two factor/multifactor authentication whenever possible (Keep an eye on the next issue of the Grapevine to learn more about two factor/multifactor authentication).
For more information about password managers:
https://www.wired.com/story/best-password-managers
https://www.pcmag.com/roundup/300318/the-best-password-managers
Learn more about password best practices:
https://www.krebsonsecurity.com/password-dos-and-donts
https://security.googleblog.com/2019/08/new-research-lessons-from-password.html
Learn more about password grabbers:
https://www.techradar.com/news/major-rise-in-password-stealing-malware-detected
Multi-Factor Authentication
What is multi-factor authentication?
MFA is commonly referred to as two-factor authentication and is a security enhancement that adds an extra layer of security to your sensitive account(s) login verification. Your credentials can be grouped into three categories: something you know like a password or pin number, something physical that you carry like a smart card, or something you is a piece of you like biometric data such as fingerprints, palm print or a retina scan. Enhanced security is achieved when two out of three categories are combined to authenticate a user. The enhanced security that MFA provides makes it very difficult for cybercriminals to log into an account as if they were you. According to Google, a recent survey of security experts found that using MFA is one of the top three things to do that will protect online security.
So look at a simple scenario such as logging in to your bank account. If you have turned on MFA or your bank turned it on for you, things will go a little differently. First and most typically, you will type in your username and password. Then, as a second factor, you will use an authenticator app, which will generate a one-time code that you enter on the next screen. Then you are logged in – that is it!
In most cases, it is even easier than that. Most MFA approaches will remember a device. So if you come back using the same phone or computer, the site remembers your device as the second factor. Between device recognition and analytics, the bank is likely performing—such as whether you’re logging in 20 minutes later from halfway around the world—most of the time the only ones that have to do any extra work are those trying to break into your account.
When Should MFA be Used?
Whenever possible. This is especially true for your email, financial records, health records, and any other important accounts that you use at home or on campus. Some organizations require MFA while others offer it as an extra layer of security for users.
What is Considered Secure avenues for use of MFA?
MFA is commonly offered in the form of a call, text message or email that provides a one-time use access code for users to authenticate their account. Information Security practitioners have noticed an uptick in cybercrimes known as sim-swapping/sim-jacking that allows cybercriminals to take complete control of your mobile device. After a device is compromised, a cybercriminal can take your Personal Identifiable Information (PII) and impersonate you at a cell-phone retailer to hijack your device. This issue is affecting CEOs, celebrities, and everyday people and sometimes causes major problems. See the links below for some more information about recent sim-swapping cases.
In the News:
https://www.nytimes.com/2019/09/05/technology/sim-swap-jack-dorsey-hack.html
https://lifehacker.com/how-to-prevent-and-respond-to-a-sim-swap-scam-1835627474
https://www.kuow.org/stories/ruby-was-sim-swapped-and-here-s-why-you-should-be-afraid
https://krebsonsecurity.com/tag/sim-swapping/
More about Multi-factor Authentication:
https://www.cyber.nj.gov/this-is-security/the-importance-of-multi-factor-authentication
If you have missed any of our series this month, please visit our website: https://sunyorange.edu/its/cybersecurity.html
Don't Let Your Tech Own You
Keeping your devices up to date can be a daunting task. On campus you have support
from ITS that helps keep your college owned devices and the networks they communicate
over protected from threats and vulnerabilities. At home, you have may have devices
that may be susceptible to threats and vulnerabilities. Technology is reaching out
into every part of our homes more and more as time goes on. The variety of IOT devices
(smart devices) that have come onto the market are more often than not developed without
security in mind. This is also the case for other connected devices such as cars and
even devices such as pacemakers and MRI machines that have been proven to be vulnerable
to exploitation.
Your devices and home network should always be kept up to date. Antivirus updates
and operating system patches should be performed on a normal basis. Home networks
should be secured with unique usernames and passwords. They should also be accessed
on a normal basis to check with the vendor for any important security patches or firmware
updates. Smart devices that have administrative access should also use unique passwords.
Another thing to keep in mind about apps that you can download on your smart phone/TV
may request permissions on your device that have nothing to do with its features or
functionality that can exfiltrate your personal data.
Stories in the headlines about corporations listening to and recording audio from
the likes of Facebook, Google and Amazon have raised concerns among lawmakers and
privacy experts. Other smart devices with Wi-Fi capabilities have also been exploited
by hackers. For example, baby monitors have been found to be vulnerable. A hacker
can take control of the built-in microphone to instill fear into children or to threaten
parents by posting a video of private moments. If you would like to know more about
recent stories in the news please check the links below for more information.
According to Danny Palmer, Senior Reporter from ZDNet, home surveillance systems represent
47 percent of vulnerable devices installed on home networks. Hackers can leverage
your devices to perform distributed denial of service (DDOS) attacks and have recently
caused massive DDOS events that have affected Internet Service Providers, online gaming platforms
and Web Hosting companies. One notable attack took place against security researcher
Chris Krebs. His website was targeted by a 620 Gbps attack, which took KrebsOnSecurity offline for almost four days. Smart home devices can even be hacked to mine digital
currency, commonly known as bitcoin. The top number of IoT devices by country are
listed below.
Be wary, a bit paranoid and have a proactive stance as technology keeps evolving to
stay safe at home or while on campus. Any device that can connect to a wireless or
wired network may be at risk.
Tips for home networks and smart devices
- Connect IoT devices to a Guest network and set your router to encrypt
- Enable the router's MAC filtering to allow connections only from your own MAC (unique Media Access Control) addresses at home or in your room
- Ensure that the firewall is enabled
- Don't trust wireless cafes or other places providing unsecure wireless services
- Change the name of your router called the service set identifier (SSID) to a unique name that will not be easily guessed by others
- Always logout of your accounts
- Antivirus, software updates regularly
In the News
https://www.csoonline.com/article/3279194/another-baby-monitor-camera-hacked.html
https://www.cnn.com/2019/10/02/health/fda-medical-devices-hackers-trnd/index.html
https://www.washingtonpost.com/technology/2019/04/03/hospital-viruses-fake-cancerous-nodes-ct-scans-created-by-malware-trick-radiologists/
Privacy Settings
Privacy is a subject everyone can relate to, but many people overlook their digital privacy without concern. At home, locks, curtains and doors provide a level of comfort that comes with the feeling of privacy. Take it one step further to protect yourself while using a computer or a smartphone to achieve a greater level of privacy for yourself and your family. Computers can invade your privacy via the web browser or even the operating system. Settings on smartphones should be reviewed to also tighten up your level of privacy. Social media settings should also be reviewed to ensure that the information that you share on these platforms maintains a certain level of privacy. Remember to utilize methods previously shared this month such as, using a password manager and protecting your accounts with MFA
Computers
Browsers have privacy settings that can be accessed from the tools menu in most browsers to see whether you can fine-tune them to keep the good and block the bad. When you go online, websites install cookies on your computer that track your movements. Some cookies can be beneficial, such as those that remember your login names or items in your online shopping cart. But some cookies are designed to remember everything you do online, build a profile of your personal information and habits,
and sell that information to advertisers and other companies.
Smartphones/Tablets
Androids and iPhones have a settings page where you can see which apps have access to everything from your heart rate to your home's lighting system. From here, you can review which apps have access to what services and disable permissions that you don't remember granting.
Apple even offers an option to reset all iPhone privacy and security settings at once. The next time you open an app that needs access to your microphone, camera, or other data, it will ask for your permission as if you were just using the app for the first time.
In terms of what apps can do, there are some differences between Android phones and iPhones to keep in mind. For example, Apple does not allow developers to access the camera unless an app is open and in use, nor access iMessages or SMS messages.
Stick to app stores
Apple and Google maintain app stores where most people buy their apps. It is a way for the two companies to control what people can do on their platforms — for better and for worse.
One benefit is that, as part of the app store review process, Apple and Google test apps for potential security or privacy issues. This essentially screens out apps that would otherwise be classified as malware, or try to access user data in a way that violates their terms of service.
While you can disable the security settings on Android and iPhone that prevent you from downloading apps from other sources, you probably shouldn't unless you really know what you're doing. There's no one watching to make sure that the app you received from a friend is really doing what it says it does.
Social Media Accounts
We share a wealth of information about ourselves on social media platforms. We snap perfectly posed selfies, check-in at happy hours, tweet at our friends, and announce the arrival of bouncing new babies. The benefits and joys of social media are numerous, but there are privacy risks to consider as well.
Social media users tend to overshare life details in order to feel connected to friends, family, and coworkers. But these private details can be used maliciously by cyber thieves to access sensitive accounts, create fraudulent identities, and compromise careers.
Check out the links below to learn more about privacy settings and how to access them.
Privacy for computers, browsers and Social Media
Windows 10
Apple MacOS, IoS (iPhone, iPad)
https://www.mashable.com/article/apple-macos-privacy-settings/
Android
https://www.cnet.com/how-to/android-10-everything-you-need-to-know-about-its-new-privacy-settings/
Browser Privacy Settings
https://safety.google/privacy/privacy-controls/
https://support.microsoft.com/en-us/hub/4230784/internet-explorer-help
https://support.apple.com/en-us/HT203036
Steps to Protect your Privacy on Social Media
Facebook https://www.facebook.com/facebookmedia/blog/keep-your-facebook-information-secure
Twitter https://help.twitter.com/en/safety-and-security/twitter-privacy-settings
Instagram https://www.consumerreports.org/privacy/instagram-privacy-settings/
Google Account https://safety.google/privacy/privacy-controls/
In the News:
https://www.cnn.com/2019/10/10/tech/alastair-mactaggart/index.html
https://www.nytimes.com/2019/10/02/technology/personaltech/google-data-self-destruct-privacy.html
Safe Social Media Posting
Think before you post
The information that you share on social media platforms may be intended to make friends and family aware of what is happening in your life. There is a dark side to this though, any information that can be found by security professionals can also be found and used by threat actors. On top of that, information that you do share that is protected by a social media site may become compromised if a data breach occurs.
Your personal information on Social media is one of many outlets for Open Source Intelligence
(OSINT) gathering. OSINT is information or data that is gathered from overt public
sources available on the web such as, public records at government offices and public
libraries. OSINT is combined with social engineering to gain information about a person
or organization via email or physical conversations/interactions.
The information that you share about yourself at home, on campus or while on vacation
can be used as a steppingstone for cybercriminals to target you. Geotagged pictures
or Check-in posts are one example. There have been social media concerns raised by the
government, military, private and not for profit sectors for this reason. Look at
the links in the news section below to find out more.
Here are some general tips to share responsibly on social media:
Never share your personal identifiable information (PII) on social media to avoid identity theft
- Birthday, age or place of birth
- Address, phone number and email (if possible)
- Location data (facebookcheckins, picture metadata containing GPS details)
In the news
How to Disable Facebook Tracking
https://www.techrepublic.com/article/how-to-disable-facebook-location-tracking/
CNN Tech Reporter Data Stolen in Seconds
https://www.youtube.com/watch?v=LYilP-1TwMg
Former NSA Hacker Reveals 5 Ways to Protect Yourself Online (Tips 4 and 5)
https://youtu.be/-ni_PWxrsNo?t=113 video starts 1:53
Oversharing on Social Media
https://www.lifewire.com/why-sharing-your-location-on-social-media-is-a-bad-thing-2487165