Data Privacy and Security

Stop before you Scan: QR Codes and Cybersecurity

Written by Alex Magid, Information Privacy and Compliance Analyst

You see them on hallway walls, in emails, and in place of traditional restaurant menus. Quick Response codes, commonly referred to as QR codes, are machine-readable images that a smartphone camera can scan. Every QR code is a grid of black and white squares that encodes a short piece of data. When your smartphone scans the code, it decodes that data into something a person can act on – most often a link to a website.

QR codes surged in popularity during the pandemic because consumers found them easy to use and businesses could avoid shared, frequently touched items such as printed menus. QR codes are a great tool for saving space and quickly directing people to information… and attackers know this!

Treat QR codes the way you treat other phishing lures such as scam emails and social engineering. A QR code is just data, and you cannot read it by eye: while most codes are harmless, a malicious one can send you to a look-alike login page that harvests your credentials, to a form that asks for your credit card or Social Security number, or to a download that installs malware on your phone.

How to spot authentic QR Codes

Before you follow a scanned code, check the URL your phone shows in the preview notification. If the address does not match the site you expect, or differs from the company’s known web address, do not open it (and close the browser tab if it has already opened). The site you will actually be sent to is the domain name between https:// and the next slash, so read that part carefully rather than the words around it.

Attackers and pranksters have printed counterfeit QR code stickers and placed them over legitimate codes, a common tactic on restaurant menus and shared bulletin boards. So before scanning, take a quick look: does the code seem out of place, or is it a sticker where there should not be one?

Never install an app from a QR code. Instead, note the name of the app and install it from your device’s official app store. Finally, if a scanned code prompts you to download a “QR reader”, it is almost certainly a scam: your phone’s camera already reads QR codes without an extra app.
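As an added example (not part of the original article), the checks described above written out in Python: the function takes the text decoded from a QR code and applies the rules a careful reader would apply by eye, including the user-info trick in which a trusted-looking name is placed before an @ sign to hide the real host. The trusted-domain list and the sample payloads are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Domains whose codes we are willing to follow (assumption made for the example).
TRUSTED_DOMAINS = ("clarku.edu",)


def check_qr_url(payload: str) -> tuple:
    """Decide whether text decoded from a QR code is a link worth opening.

    Returns (ok, reason).  Applies the same checks the article asks a reader to
    make by eye: is it a web link, is it HTTPS, and is the real host the one
    the surrounding text claims.
    """
    text = payload.strip()
    scheme = text.split(":", 1)[0].lower()
    if scheme not in ("http", "https"):
        # QR codes also carry wifi:, tel:, mailto:, sms: or app-store payloads.
        return False, "not a web link (%s:)" % scheme
    parts = urlsplit(text)
    if parts.scheme.lower() != "https":
        return False, "not HTTPS"
    # Anything before '@' in the authority is user info, not the host, so
    # https://clarku.edu@evil.example/ really goes to evil.example.
    if parts.username is not None or parts.password is not None:
        return False, "user info in URL hides the real host %s" % parts.hostname
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    # Punycode labels can render as look-alike characters in the preview.
    if host.startswith("xn--") or ".xn--" in host:
        return False, "internationalised host %s may be a look-alike" % host
    for domain in TRUSTED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return True, "host %s is under trusted domain %s" % (host, domain)
    return False, "host %s is not under a trusted domain" % host


if __name__ == "__main__":
    # Constructed payloads, as a scanner app would hand them over.
    for payload in (
        "https://www.clarku.edu/dining/menu",
        "https://clarku.edu@evil.example/",
        "https://clarku.edu.evil.example/login",
        "http://www.clarku.edu/",
        "WIFI:T:WPA;S:guest;P:secret;;",
    ):
        ok, reason = check_qr_url(payload)
        print("OPEN " if ok else "STOP ", payload, "->", reason)
```

The host comparison deliberately requires an exact match or a dot-separated subdomain, so `clarku.edu.evil.example` is rejected even though it contains the trusted name.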

Have Questions?

If you have questions about how to stay safe while using QR codes, please contact the Help Desk at (helpdesk@clarku.edu, 508-793-7745)

Get Ready for Cybersecurity Awareness Month

October is Cybersecurity Awareness Month, a global effort to help everyone stay safe and protected when using technology whenever and however you connect. As education, socializing, and many aspects of life increasingly rely on technology, it’s more important than ever to protect your digital identity and steer clear of cybercriminals.

The theme for the month is ‘It’s easy to stay safe online’ #BeCyberSmart, and Clark University is proud to be a champion and support this online safety and education initiative.

This month is all about taking action! There are all kinds of ways to stay safe and secure online but even just practicing these cybersecurity basics can make a huge difference:

  1. Enable Multi-Factor Authentication
  2. Use Strong Passwords and a Password Manager
  3. Update Your Software
  4. Recognize and Report Phishing

We want to help you, your family, friends, and our community stay safe all year long, too. We encourage you to sign up as an individual Cybersecurity Awareness Month Champion. After signing up, you’ll receive a toolkit of free resources, including simple steps you can take to #BeCyberSmart.

Cybersecurity Awareness Month is co-led by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Security Agency (CISA). For more information about ways to keep you and your family safe online visit https://staysafeonline.org/cybersecurity-awareness-month/champions/ and https://www.cisa.gov/cybersecurity-awareness-month.

Stay tuned for weekly emails during October highlighting cybersecurity topics.

MFA and Travel

You have your passport, you have your bags packed, and you’re excited to get going. But wait! If you plan on connecting to your Clark account when travelling, preparing your MFA in advance can make your trip much easier.

When travelling or otherwise, ITS recommends using the Microsoft Authenticator app as your primary MFA factor. This app can be installed on multiple devices, and will allow you to authenticate into your Clark account from anywhere your devices can connect to the internet – regardless of cell service or phone number.

1. Setting Authenticator as Default

Before boarding the plane or hitting the road, be sure that Microsoft Authenticator is your primary MFA factor. This means that Microsoft will prompt the Authenticator app (which only needs an internet connection) rather than send a text message that requires a specific phone number and cell service.

Go to https://mysignins.microsoft.com/security-info and log in if prompted. Ensure that your Default sign-in method is Microsoft Authenticator.

If Microsoft Authenticator is not your default sign-in method, look below at the list of factors.

  • If Microsoft Authenticator is not listed on the list
    • Click Add sign-in method
    • Choose Authenticator App
    • Click Add, and follow the prompts
    • When complete, check that Authenticator is listed as your default sign-in method again.
      • If not, follow the instructions below.
  • If Microsoft Authenticator is listed with a device that you recognize:
    • Click the Change link to the right of the Default Sign-in method
    • From the drop-down that appears, choose Microsoft Authenticator – notification
    • Choose Confirm

2. Installing Authenticator on Another Device

Now that Authenticator is your primary factor, you can install the app on multiple internet-connected devices to give you lots of flexibility when travelling. However, be sure to only install it on devices that you are the sole user of to prevent security issues.

Before beginning this process, be sure that the device with Authenticator set up as your primary factor in step 1 is connected to the internet.

  1. Download Microsoft Authenticator to your new device. Be sure that it’s published by Microsoft.
  2. Launch the application
  3. Choose Work or School account
  4. Enter your Clark email address
  5. When prompted log in with your usual Clark credentials
  6. At this point, Microsoft will attempt to authenticate your login using your primary factor – the Authenticator app on your first device. Follow the prompts on your first device to authenticate your new device

From now, when authentication needs to happen, the Authenticator app on both devices (as long as connected to the internet) will prompt you to approve your login.

If you have any questions about this process, please contact the Help Desk at helpdesk@clarku.edu, 508-793-7745. Remember that we can support you more easily if you contact us before travelling.

Say No to Password123: Password Managers

For everything from online banking to social media accounts and everything in between, most websites require you to create a username and a password. While most of us understand the importance of selecting a strong password, not everyone practices the other elements of good password hygiene.

It is critical that, no matter the website or app, you have created a strong, unique password that is difficult for an unauthorized user to guess. But we know that managing, changing and remembering all of these passwords can be a full-time job – so how can you stay safe and sane? It all starts with a good password manager.

What are password managers?

Password managers are applications that remember your passwords and can generate random passwords for every site you use. If the password for one site is compromised, attackers routinely take those credentials and try them on many other sites. The only thing worse than changing your password on one compromised site is having to do it on lots of sites because that password was reused.

A password manager stores your credentials for you in a secure virtual vault accessed by using a master password, or even biometrics. Then, when you visit a site or open an app where you need to log in, the password manager automatically fills in your login information and password for you.

The best password managers tell you when an existing password is weak, reused, or has appeared in a known data breach (dark-web monitoring). These products help you improve your password hygiene by suggesting new, strong, and unique credentials for every login. When creating a new password, use the built-in generator to produce a strong password that is at least 20 characters long and includes all the major character types: uppercase, lowercase, digits, and symbols. You never have to remember a generated password, so there is no reason to keep it short.

Some managers charge annual subscription fees, while some are no-cost. A trustworthy password manager can cost anywhere from $25-$60 annually. Additionally, some managers offer 50% discounts to students and those working in Higher Education. These and other recommended Password Managers are listed below.
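Added example, not code from the original article or from any password manager product: what the generator and the reuse check described above do, using only Python’s standard library. The symbol set, the 20-character default and the sample vault are assumptions made for the example.

```python
import math
import secrets
import string

# Character classes a generated password must cover (the symbol set is an assumption).
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?",
}
ALPHABET = "".join(CLASSES.values())  # 87 distinct characters


def missing_classes(password: str) -> list:
    """Names of the character classes that do not appear in password."""
    return [name for name, chars in CLASSES.items()
            if not any(c in chars for c in password)]


def generate_password(length: int = 20) -> str:
    """Uniformly random password of the given length that covers every class.

    secrets (not random) draws from the operating system's CSPRNG.  Rejection
    sampling keeps the distribution uniform over all conforming passwords;
    forcing one character per class and shuffling would bias it.  A 20-character
    draw misses a class only about one time in ten, so the loop is short.
    """
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not missing_classes(candidate):
            return candidate


def entropy_bits(length: int = 20, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def find_reuse(vault: dict) -> list:
    """Groups of sites that share one password in a {site: password} vault."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    # Constructed vault for the example: two sites reuse the same weak password.
    vault = {"bank": "Password123", "email": "Password123", "shop": "qT7!mVx#2rLp9&wZeG4u"}
    print("reused on:", find_reuse(vault))
    print("weak classes in Password123:", missing_classes("Password123"))
    pw = generate_password()
    print(pw, "(%.0f bits)" % entropy_bits(len(pw)))
```

Twenty characters drawn uniformly from 87 symbols give about 129 bits of entropy, far beyond what any online or offline guessing attack can cover, which is why length matters more than clever substitutions.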

Phishing Simulations and Training from ITS

By many industry estimates, roughly 90% of cyber attacks begin with a phishing email, and every Clark community member can help protect our information resources by learning to identify, report, and ignore suspicious messages. To support this, ITS has partnered with KnowBe4, a security awareness training and simulated-phishing platform, to run an ongoing security awareness campaign.

This campaign helps to educate the Clark community through a broader lens of understanding how hackers can steal your personal information, and track your movements. Our campaign works to encourage change across Clark while empowering and equipping users with the tools to protect the physical, and digital data of the University.

Through the KnowBe4 software, Clark members will be sent several ‘simulated phishing’ messages over the course of each semester. These simulated phishing emails are modelled on the malicious emails a real attacker would send you, so they use the same lures and tricks.

Since launching the campaign in July of 2021, institutional risk related to users being ‘phish prone’ (those who are likely to fall for simulated phishing emails) has decreased by 13%.

What will happen if I open a ‘simulated phishing email’?

If you open an email which was sent through our KnowBe4 system, nothing dangerous will happen. It is up to you to report it using the Phish Alert button (click here to learn more about how to use the Phish Alert button).

However, if you click a link within the body of the message, download an attachment, or forward the email to someone else (including to the Help Desk), you will be directed to a landing page (similar to below) letting you know that this was a simulated email from KnowBe4. This page will alert you to why this email should seem ‘phishy’ to you, and what steps you can take in the future to more quickly identify it as malicious. Additionally, you will be asked to watch a 2-minute video about phishing.

In addition to the short video, you will automatically be enrolled into Clark’s Cybersecurity Training Course. This course which is also done through our KnowBe4 system, can be accessed using the link provided in an email that you will receive (similar to below)

What do I need to know about the training?

Training typically consists of two modules which take approximately 10 minutes to complete, and will provide you with tips and tricks to spot and avoid clicking on phishing emails in the future. Failure to complete the assigned trainings will result in continued notification reminders.

What happens if I click on more than one ‘simulated phishing email’?

Don’t worry, it happens to us all! With phishing emails getting more sophisticated and trickier than ever, we understand that you may accidentally click on one. If this happens, you will be auto-enrolled into another Cybersecurity Training. However, each time you are enrolled, you will be presented with a more detailed course. More than 3 incidents in one academic semester may result in a user having a conversation with their supervisor and/or ITS to help ensure we can best protect our information resources.

I reported the simulated phish by clicking the Phish Alert Button

Congratulations! You outsmarted the hackers. If you properly spot and report a simulated phishing email, you will receive a notification on a job well done, and a HUGE thank you from Clark ITS in helping to keep Clark safe from potential cyber-threats.

Seems Phishy!

Email is a critical communication tool, and as a result, it’s important for all of us to be vigilant and able to spot phishing emails that attempt to compromise our personal and community information.

What is Phishing?

Phishing is a form of criminally fraudulent social engineering in which malicious people try to trick you into giving out sensitive information or taking a dangerous action, such as clicking a link or opening an infected attachment. They do this with emails disguised as coming from contacts or organizations you trust, so that you react without thinking first.

Phishing is one of the most common ways that attackers try to access our data and commit fraud. Phishers pose, usually via email, as someone you know and lure you into revealing sensitive personal information, downloading malicious software, or sending money or gift cards.

How can I spot Phishing?

While Clark’s advanced security will do much to prevent many phishing emails reaching your inbox, it’s up to each of us to remain vigilant. Phishing emails can look like any other email. Some claim to offer free drinks from your favorite coffee shop, while others may pretend to be from a familiar department on campus.

Phishing emails often have the following characteristics:

  • They appear to come from a Clark email address but are actually ‘spoofed’. A spoofed address looks similar but is different: in presidentsoffice.clarku.edu@gmail.com, for example, the real sending domain is gmail.com, the part after the @; everything before it is just a name the attacker chose.
    • For Staff and Faculty: look for the [EXT] label in the subject, which indicates the email was sent from outside Clark. If a message looks like it came from a member of the Clark community but carries the [EXT] label, be cautious.
  • They request personal information (usernames, passwords, account numbers).
  • They use alarming and urgent language instructing you to act immediately.
  • They use slight alterations of well-known organization names (e.g. “IT department” instead of ITS).
  • They may have an awkward writing style, misspelled words, or poor grammar, but phishers are becoming more sophisticated and polished in their writing, so clean prose is not proof that a message is genuine.
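As an added example (not part of the original article and not the KnowBe4 product), the characteristics above turned into a small triage script run over three constructed messages: it tags external mail with [EXT], flags a sender whose display name or mailbox name borrows the clarku.edu domain while the mail really comes from elsewhere, and looks for urgent or credential-seeking wording. The keyword lists and the sample messages are assumptions made for the example.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "clarku.edu"  # the organisation's real mail domain

# Keyword lists are assumptions for the example, not a product's detection rules.
URGENCY = ("immediately", "urgent", "action required", "within 24 hours", "suspended")
CREDENTIAL_ASK = ("password", "username", "verify your account", "account number")


def sender_domain(addr: str) -> str:
    """The domain that really sent the mail: everything after the last '@'."""
    return addr.rpartition("@")[2].lower().rstrip(".")


def is_internal(domain: str) -> bool:
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def classify(raw_message: str) -> dict:
    """Tag and score one RFC 5322 message given as text."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    local_part = addr.rpartition("@")[0]
    external = not is_internal(sender_domain(addr))
    subject = msg.get("Subject", "")
    body = msg.get_payload()
    if not isinstance(body, str):        # multipart: body scan skipped in this example
        body = ""
    text = (subject + "\n" + body).lower()
    reasons = []
    # 1. Mail from outside gets the [EXT] subject tag the article describes.
    if external and not subject.startswith("[EXT]"):
        subject = "[EXT] " + subject
    # 2. Spoofing: the display name or mailbox name borrows the internal domain,
    #    but the real sending domain (after the last '@') is somewhere else.
    borrows_name = (INTERNAL_DOMAIN in display.lower()
                    or INTERNAL_DOMAIN in local_part.lower())
    if external and borrows_name:
        reasons.append("external sender %s borrows the %s name" % (addr, INTERNAL_DOMAIN))
    # 3. Urgency and 4. requests for personal information.
    hits = [w for w in URGENCY if w in text]
    if hits:
        reasons.append("urgent language: " + ", ".join(hits))
    hits = [w for w in CREDENTIAL_ASK if w in text]
    if hits:
        reasons.append("asks for credentials: " + ", ".join(hits))
    spoofed = external and borrows_name
    return {"from": addr, "external": external, "subject": subject,
            "reasons": reasons, "suspicious": spoofed or len(reasons) >= 2}


# Constructed sample messages (not real mail).
SPOOFED = """From: "President's Office" <presidentsoffice.clarku.edu@gmail.com>
To: student@clarku.edu
Subject: Action required: verify your password immediately

Your mailbox will be suspended unless you confirm your username and password today.
"""

INTERNAL = """From: ITS Help Desk <helpdesk@clarku.edu>
To: student@clarku.edu
Subject: Scheduled maintenance on Saturday

Moodle will be unavailable from 6am to 8am.
"""

EXTERNAL_OK = """From: Jane Vendor <jane@vendor.example>
To: staff@clarku.edu
Subject: Invoice for September

Attached is the invoice we discussed.
"""

if __name__ == "__main__":
    for raw in (SPOOFED, INTERNAL, EXTERNAL_OK):
        verdict = classify(raw)
        print(verdict["subject"], "->",
              "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

Note what the script does not do: a benign external invoice is tagged [EXT] but not flagged, and an internal message with no lure scores nothing. The [EXT] tag is a hint to the reader, not a verdict, which is exactly how the article asks you to use it.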

What do I do if I suspect a message is a Phishing scam?

If you receive an email that just feels out of place, report it. It is always better to ask ITS to investigate (using the Phish Alert button – see below) than to open a malicious message that can spread malware, infect your device, and steal your information.

In a change to our previous advice, we ask that you no longer forward suspected phishing emails to anyone, including the Help Desk. Instead, please follow the instructions below to report the email in the most secure way.

Outlook on Windows or Mac

  • Click on the Phish Alert Report button in the top right of the email window.


Outlook Online

  • Click on the More Actions (three dots) button in the top right
  • Click on the Phish Alert V2 option

Outlook App on iOS or Android

  • Click on the More Actions (three dots) button in the email
  • Click on the Phish Alert button
    • Note that on Android you may need to scroll down to see this option as it’s below Delete

What does ITS do to help prevent phishing?

You are a critical step in helping to protect our shared computing resources. Security is best deployed in layers, so if one layer is breached, others can still protect those critical resources. In addition to the great work we do as a community by reporting and ignoring the requests in phishing emails, ITS has deployed tools and techniques that both help you detect a phishing message and prevent many of these messages from reaching your inbox at all. In February 2022, approximately 20% of all email sent to members of the Clark community was automatically kept from reaching your inbox. That’s almost 700,000 messages we didn’t have to delete! Some of these techniques are:

  • We partner with organizations like Microsoft, Palo Alto Networks, and REN-ISAC to help us identify attributes of messages that we know are malicious, and we send those messages right to your Junk Email folder. With Microsoft as our email provider we are part of a large global community, potentially learning about malicious content after it impacts other users, and before it impacts Clark.
  • If a message has a known malicious attachment, that attachment is replaced with a notice that an attachment was removed from the message before it is delivered to your Inbox.
  • When you click on a link in most email, the link is scanned in real time to see if it leads to a known malicious website. If it does, you are redirected to a warning page telling you the link was malicious.
  • Faculty and staff may notice [EXT] appended to the subject of an email that originates from outside of Clark’s email system. If you see a message that looks like it may have come from a member of the Clark community, but it has the [EXT] tag in the subject, be suspicious, and maybe reach out to them in a new email (not a reply to that potentially fraudulent email) sent to their Clark account.
  • Clark uses technologies like SPF (which lets a domain publish the mail servers allowed to send on its behalf) and DKIM (a cryptographic signature the sending domain adds to each message) to help identify legitimate messages that do originate from outside our email system.
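To make the SPF half of that concrete, here is an added example (not Clark’s configuration and not code from the original article): a minimal SPF evaluator in Python run against constructed TXT records for a made-up example.edu domain. It supports the ip4, ip6, include and all terms, honours the qualifier on each term, and applies RFC 7208’s limit of ten DNS-querying terms so that a record that includes itself fails closed with permerror. Records, IP addresses and domain names are all assumptions; DKIM signature checking needs the sending domain’s public key and is not shown.

```python
import ipaddress

# Constructed TXT records standing in for DNS answers (example domains only).
FAKE_DNS_TXT = {
    "example.edu": "v=spf1 ip4:198.51.100.0/24 include:spf.mailprovider.example -all",
    "spf.mailprovider.example": "v=spf1 ip4:203.0.113.0/25 ip6:2001:db8:10::/48 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


def check_spf(domain: str, client_ip: str, txt=FAKE_DNS_TXT, _lookups=None) -> str:
    """Evaluate domain's SPF record for a connection from client_ip.

    Returns one of pass, fail, softfail, neutral, none or permerror.  A receiving
    server would use the domain of the SMTP MAIL FROM address here.
    """
    if _lookups is None:
        _lookups = [0]          # counter shared across include: recursion
    record = txt.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(arg, client_ip, txt, _lookups)
            if inner == "permerror":
                return inner
            if inner == "pass":          # include: matches only on an inner pass
                return QUALIFIERS[qualifier]
        # a, mx, ptr and exists need live DNS and are treated as no-match here
        # (a simplification made for this offline example).
    return "neutral"                     # no term matched and no all term


if __name__ == "__main__":
    for ip in ("198.51.100.25", "203.0.113.7", "203.0.113.200",
               "2001:db8:10::5", "192.0.2.1"):
        print("example.edu from", ip, "->", check_spf("example.edu", ip))
    print("loop.example from 192.0.2.1 ->", check_spf("loop.example", "192.0.2.1"))
```

The include: term is the interesting one: it only matches when the included record returns pass, so the provider’s ~all softfail at the end of spf.mailprovider.example does not leak out, and the outer -all still rejects an address the provider does not vouch for.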

Hacking and the Holiday Season


With the holiday season upon us, hackers, scammers and online thieves are gearing up for creative ways to steal your information. As millions of online shoppers begin looking for the best deals, hackers are looking to take advantage of people by searching for weaknesses in their devices, internet connections and failure to update to current software versions.

There are several key ways to prevent leaving yourself open to hackers and giving your information to the wrong individuals:

  • Stop, Look, and Think before you click on unknown links! When in doubt about whether a message or email is real, visit the company’s website directly or verify the sender through another method.
  • Never install unapproved software or download attachments without verifying they are safe. Always ensure your computer is up-to-date with the latest approved security patches.
  • Don’t open e-gift card links or other links and attachments from senders you do not know. Opening them can install ransomware that encrypts your data.
  • Secure your devices by keeping them close and using strong passwords.
  • Password managers are a great tool, and help to create and store strong passwords. They make it secure and easy to not use the same password for all websites, and accounts – a bad practice. If one site is compromised, then the hackers will try the same password on many other sites.  If the password is unique per site, then you only have one account to worry about instead of all your accounts!
  • Make sure not to leave any devices unattended or connect to any unknown Wi-Fi networks. When possible, always use MFA.
  • Be cautious of websites that are not well known and offer special deals or promotions if you sign up.

With these steps, you can minimize your risk when shopping and browsing online and have a happy and secure holiday season.

National Cybersecurity Awareness Month

National CyberSecurity Awareness Month (NCSAM) was started as a collaborative effort between the National CyberSecurity Division within the Department of Homeland Security (DHS) and the nonprofit National Cyber Security Alliance in 2003. The month of October raises awareness about the importance of cybersecurity.

As education, socializing, and many aspects of life increasingly rely on technology, it’s more important than ever to protect your digital identity and steer clear of cybercriminals. The theme of 2021 is for you to Do Your Part, #BeCyberSmart all year long.

What is Clark doing during the month of October for NCSAM? Clark will be promoting safe online practices through a variety of activities and resources around campus. Look for new resources or activities each week to help encourage you to #BeCyberSmart. Some topics will include:

Fight the Phish

Phishing attacks and scams have increased during the COVID pandemic. We will stress the importance of staying aware of threatening emails, text messages or chat boxes that come from cybercriminals to gain your information or personal assets.

Explore. Experience. Share (Cybersecurity Career Awareness Week)

This will inspire and promote the exploration of cybersecurity careers. No matter if you are a student or a veteran seeking a career change, the dynamic field of Cybersecurity is rapidly growing and holds something for everyone!

Cybersecurity First

Here we will raise awareness of how businesses are working to build partnerships and incorporate security into their products and everyday processes. For individuals, it is about keeping cybersecurity at the forefront of your mind as you connect daily, and reviewing the privacy and default settings of your applications and devices. Cybersecurity should be a proactive mindset, not a reactive one.

Remember that if you have any questions or are curious about how you can Do Your Part and #BeCyberSmart all year long, feel free to ask the Clark ITS Team or visit one of the following links:

 

An Update on Multi-Factor Authentication

In the last month over 4000 Clarkies have set-up and begun to use Multi-Factor Authentication and ITS would like to say Thank You!

Multi-Factor Authentication will provide Clark and our individual community members a higher level of security for their personal and institutional data, and will make our efforts to reduce cyber-threats more effective and efficient.

Over the last few weeks while supporting students, staff and faculty with Multi-Factor Authentication, we got some great questions. We’ve added the answers to our Multi-Factor Authentication webpage but wanted to cover some of the most frequently asked here.

If you still have questions about Multi-Factor Authentication, or are having issues accessing your email, please reach out to the Help Desk for support at 508-793-7745 or helpdesk@clarku.edu.

How often will I have to use Multi-Factor Authentication to access my account?

You will need to authenticate the first time you use a new device (computer, laptop, phone, tablet, etc.), or browser to access protected systems.

After the initial authentication on a device, you may be asked to reauthenticate periodically, usually after a number of weeks. ITS will calibrate the timing of reauthentication requests to balance security needs and your convenience.

Do I need Multi-Factor Authentication for Moodle? VPN? CUWeb?

Currently, you will only be required to use Multi-Factor Authentication to access Clark email and Office 365. However, ITS is adding MFA security to important Clark applications over the coming semesters including Moodle, VPN, CUWeb and Banner. We’ll be sure to let everyone know when we add new systems to Multi-Factor Authentication.

My mail app isn’t displaying new mail after setting up Multi-Factor Authentication. What do I do?

If after setting-up Multi-Factor Authentication, you find that your email app isn’t displaying new emails, you may need to remove and re-add your Clark account to your app in order for it to sync correctly.  Your phone manufacturer, or app developer should have instructions on how to do so, or you can contact the Help Desk if you need further assistance.  Using the Microsoft Outlook app on mobile devices helps provide a consistent experience between your devices.

How do I edit my factors?

You may need to do this if you buy or sell your smartphone, change your phone number, or just want to manage your factors. To see or edit your factors, you can visit the Multi-Factor Authentication webpage on the Clark website and choose “Edit my Factors” on the right.

What do I do if I lose my phone?

When using Multi-Factor Authentication, your smartphone becomes an important step in gaining access to your account. If you lose your device, please reach out to the Help Desk at 508 793 7745 or helpdesk@clarku.edu so we can verify your identity and get you back into your account as quickly as possible.

 

Firewalls: The First Line of Defense

As you may have read in the media and in your email inbox, cyber-attacks of all types are on the increase, and each of us needs to be more vigilant than ever before clicking on links in emails or responding to unknown senders.

But you’re not alone in the fight against phishing, viruses and malicious links. ITS is working hard to minimize our users’ exposure to nefarious attempts at attacking the institution and our data. And that work starts with a strong Firewall.

A firewall is, first and foremost, a wall! It provides a barrier between our internal network – including systems such as Banner, WordPress and Outlook – and the external internet. Our firewalls allow us to monitor traffic entering the Clark network and refuse traffic that is malicious and looking to compromise our users and our data. The easiest way to demonstrate how important the firewall is to our security is to share some numbers.

Since the beginning of the semester our Firewall has blocked over 2 BILLION attempts to access our network from general malicious actors and over 70,000 specific attempts to spoof Clark University email addresses. Additionally, our partnership with Microsoft has blocked over 5 million additional spam emails, and 12 million instances of malware. The technology that we use leverages machine learning, so that it identifies trends in new threats, learns from our users’ behavior and becomes more effective every day.

Without this technology, it would be impossible to run our campus effectively or securely. It allows us to communicate with Clarkies and external partners and greatly minimizes the percentage of attacks to reach your inbox. From there, we rely on you. So, don’t forget to ‘think twice, click once’ and follow our guidelines (click here to read) to help prevent cyberattacks on our network and data.