Data Privacy and Security

MFA and Travel

You have your passport, you have your bags packed, and you’re excited to get going. But wait! If you plan on connecting to your Clark account when travelling, preparing your MFA in advance can make your trip much easier.

When travelling or otherwise, ITS recommends using the Microsoft Authenticator app as your primary MFA factor. This app can be installed on multiple devices, and will allow you to authenticate into your Clark account from anywhere your devices can connect to the internet – regardless of cell service or phone number.

1. Adding Authenticator as a Factor

Before boarding the plane or hitting the road, be sure that Microsoft Authenticator is your primary MFA factor. Authenticator can approve your login via internet rather than using a text code that requires a specific phone number. In fact, usually Microsoft will default to using Authenticator if it is included as your factor since it is the most secure.

Go to https://mysignins.microsoft.com/security-info and log in if prompted.

If Microsoft Authenticator is not included in your list of factors:

    • Click Add sign-in method
    • Choose Authenticator App
    • Click Add, and follow the prompts
    • When complete, check that Authenticator is listed as your default sign-in method again.
      • If not, follow the instructions below.

Once complete, ensure that your “Sign-in method when most advisable is unavailable” is “Microsoft Authenticator – notification”. If not, click Change and choose “App-Based Authentication – notification”.

2. Installing Authenticator on Another Device

Now that Authenticator is your primary factor, you can install the app on multiple internet-connected devices to give you lots of flexibility when travelling. However, be sure to only install it on devices that you are the sole user of to prevent security issues.

Before beginning this process, be sure that the device with Authenticator set up as your primary factor in step 1 is connected to the internet.

  1. Download Microsoft Authenticator to your new device. Be sure that it’s published by Microsoft.
  2. Launch the application.
  3. Choose Work or School account.
  4. Enter your Clark email address.
  5. When prompted, log in with your usual Clark credentials.
  6. At this point, Microsoft will attempt to authenticate your login using your primary factor – the Authenticator app on your first device. Follow the prompts on your first device to authenticate your new device.

From now, when authentication needs to happen, the Authenticator app on both devices (as long as connected to the internet) will prompt you to approve your login.

If you have any questions about this process, please contact the Help Desk at helpdesk@clarku.edu, 508-793-7745. Remember that we can support you more easily if you contact us before travelling.

Tips, Tricks, and Treats: October is Cybersecurity Awareness Month!


With blue skies, fall foliage, and haunted houses, October is one of the best times to live and learn in New England. It also happens to be cybersecurity awareness month, which makes it the perfect time to enjoy pumpkin spiced treats, plan your Halloween costume, and prepare yourself against the scariest monsters of them all: cybercriminals like Count Hackula and Frankenphisher. 

What’s so scary about cybercriminals? 

Most often, cybercriminals target personal identifying information (PII) such as your full legal name, birth date, or social security number. Once they have access to this information, they can use it to impersonate you, gain access to your accounts, and sell your data. For educational institutions such as Clark, hackers typically try to trick you into revealing your password so they can access the network, target others in the Clark community, and locate confidential data such as health or financial information of students and employees. As a reminder, ITS will never ask for the password to your Clark account, and this password should never be shared with anyone else, especially through an electronic means such as a text message or email. 

Most cybersecurity violations (80% of security incidents and 90% of data breaches) stem from social engineering attempts, in which a cybercriminal or bot poses as a legitimate business, charity, or colleague. They often appear as emails, but cybercriminals may also send text messages or leave voicemails about an urgent or critical matter. For example, you may receive an email from a foundation asking for your personal information so you can receive a prize, or a text message reportedly from your bank regarding a compromised account. Learn more about different types of social engineering here. 

Yikes! How can I protect myself? 

If you have additional questions about cybersecurity at Clark University, please contact the Help Desk by emailing helpdesk@clarku.edu or by calling 508-793-7745. 

Data Management

Now, more than ever, we share information and use data daily in our personal and professional lives. There are certain types of information that are regulated and must be handled appropriately when shared with others not only to ensure compliance with legislation, but also to minimize the risk of the information being viewed inappropriately and to help protect the privacy of individuals. To help Clark employees handle specific types of information, the university has a Data Classification Policy that defines three types of data (confidential, restricted, public) and details how we can use and share those types of data. In addition to the policy, there is a one page reference sheet that provides examples and guidelines for managing different types of data. Reading the policy and following the reference sheet will help you manage the information we’ve all been entrusted to protect. 

If our ability to protect certain information is compromised, Clark must provide notice to individuals impacted as well as state or federal authorities. Spirion is installed on Clark-managed computers. It can identify where sensitive information lives on your computer and in your email. Information on how to use it can be found online. If Spirion identifies confidential or restricted information that is no longer needed, then it should be deleted. 

In addition to defining how we must manage Clark data, these documents also provide good guidelines for how we can manage our own personal data. For example, you should never email highly confidential information like a social security or credit card number. Email you send with this information usually lives in your sent items for a long time, serves no useful purpose living there, and creates risk around a compromise. If an email account is compromised, cybercriminals will first download all email in the account to mine for information later. If you do have this information in your mailbox, we recommend you delete those messages. 

Social Engineering

Each day, hackers come up with new and innovative ways to trick individuals into providing personal information. These types of attacks are commonly referred to as social engineering attacks. Social engineering is the tactic of manipulating, influencing, or deceiving a victim to gain control over a computer system or steal personal and financial information. Currently, there are three main types of social engineering attacks.

Phishing

In phishing attacks, hackers send malicious emails with information about a free product, pose as a service you use, or pretend to be a friend trying to get in touch with you. When you click on a link or open an attachment from these emails, malicious files are downloaded to your device, causing it to be held for ransom.

Smishing

SMS phishing, or ‘smishing,’ happens when hackers try to steal your personal details by posing as a trusted person or service via text message. For example, a cybercriminal could pose as a representative from your bank and ask you to click on a link to connect to your bank’s “web page” and verify a recent suspicious charge. Others might ask you to call a customer service number, conveniently included within the text message, regarding a compromised account. Hackers even pose as celebrities or charitable foundations, sending text messages asking for donations to aid with hurricane relief or animal rescues. Once you input your bank information, credit card number, or social security number, the criminal can make fraudulent charges.

Vishing

Vishing is voice or voicemail phishing. This occurs when hackers call your phone number to speak to you or leave voice messages. They claim to be from a reputable company, often mentioning outstanding bills or account emergencies in order to confuse you and ask for personally identifiable information such as bank and credit card information.

Spotting Social Engineering

Click here for lots of tips on how to spot Phishing – social engineering via email.

For Smishing, look at the phone number that sent the text message. Do you recognize it? Sometimes the first few numbers or the country code can reveal that the message is coming from another country. Additionally, many automated texts from institutions like banks are only a few numbers, rather than a full ten-digit phone number. A good general hint is to never click on a link in an SMS, and instead find the link on your computer through official websites.

What about Vishing? Typically, vishers will call from restricted or unrecognizable numbers. If you do not recognize it, let it go to voicemail. Most of the time, vishers will not leave a voicemail, but if they do, you will have more time to determine its legitimacy when you do not feel rushed to answer questions. Vishers often pretend to be calling from a government agency, financial organization, or law enforcement agency. They will usually ask for sensitive information such as social security numbers, mother’s maiden name, or childhood home address.

Staying up to date with current smishing and vishing campaigns can help you be aware of what to watch out for. Click here for information from the Social Security Administration’s website.

Limiting telemarketer calls and messages also reduces the chances of being targeted by phishing, smishing, and vishing. If you do not want to receive calls or texts from telemarketers, you can register your home or mobile phone number for free at:  https://www.donotcall.gov/

If you have any questions about the validity of a text message or voicemail, especially any claiming to be from a member of the Clark University community, contact the ITS Help Desk by emailing helpdesk@clarku.edu or calling 508-793-7745.

Our monthly information security articles are written by Alex Magid, Information Privacy and Compliance Analyst. ITS is proud to announce that Alex was recently nominated as a candidate for Educause’s Board of Directors, and additionally has been awarded a scholarship by the Regulated Research Community of Practice to attend the Educause Cybersecurity and Privacy Professionals Conference.

Think Twice Before Charging!

We have all been there, your phone battery is at 5%, and you’re in an airport, coffeeshop or other public space. You search for an outlet, but instead find a powered USB port. You figure this will charge the same way as a pronged outlet. Think twice!

While it’s true that public USB ports can charge your device in a pinch (though often at much slower rates), they may also expose it to malware. Attackers can load software onto a compromised USB port that infects your device as soon as you plug in. To help minimize the risk of your device being compromised, it is best to use a USB Data Blocker.

What are USB Data Blockers?

A USB data blocker is a device that plugs into the charging port on your phone, acting as a shield between the public charging station and your phone. USB data blockers restrict hackers from accessing your phone’s data.

Which USB Data Blocker is the Best?

There are many types of USB Data Blockers, all of which accomplish the same goal of protecting your device. Some use a stronger level of security, and so depending on the type of data on your device, we recommend researching and seeing which blocker your industry prefers and why.

If you have no specific needs, our recommendation is the 4th Gen Juice-Jack Defender. It is cheap, effective, comes in many colors, and is available on Amazon and from many other retailers.

Anatomy of a Data Breach

Arguably no phrase has dominated the tech world over the last 24 months more than the term “data breach.” From breaches impacting critical infrastructure like the Colonial Pipeline, which provides most of the country’s fuel, to hackers compromising healthcare records of half a million people at UC San Diego Health, the headlines of the last two years have been full of cybersecurity mishaps. Yet, despite this breach-centric news cycle, many individuals may not know what exactly a data breach is, how they typically start, and why they occur.

What is a data breach?

While it may seem like a complex concept, once the jargon is removed, a data breach is very straightforward. According to Trend Micro, a data breach is “an incident where information is stolen or taken from a system without the knowledge or authorization of the system’s owner.” And while data breaches can be the result of a system or human error, a vast majority of data breaches are the result of cyberattacks, where a cybercriminal gains unlawful access to sensitive system data. In fact, 92% of the data breaches in Q1 2022 were the result of cyberattacks.

What kind of data can be breached?

Unfortunately, cyber criminals look to get their hands on any available information, ranging from more obvious sensitive information such as social security numbers and credit card information to more obscure data like past purchase history.

How do data breaches happen?

Cybercrime is getting more sophisticated each day. However, cyberattack tactics do not have to be cutting-edge or advanced in order to be effective. Here are a few examples of popular tactics used by cybercriminals:

  • Phishing: Phishing is when a cybercriminal pretends to be a legitimate party in hopes of tricking an individual into giving them access to personal information. Phishing is one of the oldest tricks in the book for cybercriminals but it is just as effective as ever. For example, 80% of security incidents and 90% of data breaches stem from phishing attempts.
  • Malware: Another tried-and-true method for cybercriminals is malware. Malware is malicious software that secretly installs itself on devices – often by way of a user engaging with fake links and content – and quietly gains access to the data on an individual’s device or business network.
  • Password Attack: Through password attacks, cybercriminals look to gain access to sensitive data and networks by way of “cracking” user passwords and using these credentials to get into networks and extract data.

How do I spot a possible breach?

The best way to stop a data breach is to stop it before it even starts. This includes taking steps like making sure passwords are long and complex and reporting suspicious emails. If you do suspect that you have been the victim of a breach, immediately contact Clark’s ITS Help Desk (helpdesk@clarku.edu, 508-793-7745) and follow advice to help scan, detect, and remediate any issues.

If you are interested in learning more, or ever have questions about how to keep yourself or those you care about safe and secure through the digital landscape, feel free to contact or stop by the ITS Help Desk. We would love to chat!

Stop before you Scan: QR Codes and Cybersecurity

Written by Alex Magid, Information Privacy and Compliance Analyst

You see them on hallway walls, in emails, and in place of traditional restaurant menus. Quick Response Codes, commonly referred to as QR Codes, are machine-scannable images that can be read using a Smartphone camera. Every QR code consists of a number of squares and dots which represent certain pieces of information. When your Smartphone scans this code, it translates that information into something that can be easily understood by humans – often a link to a website.

QR codes surged in popularity during the pandemic because consumers found them easy to use and businesses did not have to worry about contact contamination. QR codes are a great tool for saving space, and quickly directing people to information… and hackers know this!

Users should think about QR codes the same way we think about other phishing tactics like email scamming and social engineering. While most codes are safe, some QR codes can contain links maliciously embedded with malware so that cybercriminals can easily obtain your data such as credit card information or social security number.

How to spot authentic QR Codes

Always check the URL on the notification before clicking to be redirected. If the URL does not look like a trusted source or differs from the known company’s URL, exit out of your browser.

Attackers and pranksters have printed counterfeit QR code stickers and put them on top of existing QR codes, a common tactic that occurs in restaurants on menus, and on shared bulletin boards. So before scanning, take a quick look to see if the QR code looks out of place or seems to be a sticker when it shouldn’t be.

Users should always avoid downloading an app from a QR code; instead, once you learn the name of the app, use your device’s app store for a safer download. Finally, if you scan a QR code and it prompts you to download a “QR reader,” it is likely a trick used by scammers.

Have Questions?

If you have questions about how to stay safe while using QR codes, please contact the Help Desk (helpdesk@clarku.edu, 508-793-7745).

Get Ready for Cybersecurity Awareness Month

October is Cybersecurity Awareness Month, a global effort to help everyone stay safe and protected when using technology whenever and however you connect. As education, socializing, and many aspects of life increasingly rely on technology, it’s more important than ever to protect your digital identity and steer clear of cybercriminals.

The theme for the month is ‘It’s easy to stay safe online’ #BeCyberSmart, and Clark University is proud to be a champion and support this online safety and education initiative.

This month is all about taking action! There are all kinds of ways to stay safe and secure online but even just practicing these cybersecurity basics can make a huge difference:

  1. Enable Multi-Factor Authentication
  2. Use Strong Passwords and a Password Manager
  3. Update Your Software
  4. Recognize and Report Phishing

We want to help you, your family, friends, and our community stay safe all year long, too. We encourage you to sign up as an individual Cybersecurity Awareness Month Champion. After signing up, you’ll receive a toolkit of free resources, including simple steps you can take to #BeCyberSmart.

Cybersecurity Awareness Month is co-led by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Agency (CISA). For more information about ways to keep you and your family safe online visit https://staysafeonline.org/cybersecurity-awareness-month/champions/ and https://www.cisa.gov/cybersecurity-awareness-month.

Stay tuned for weekly emails during October highlighting cybersecurity topics.

Say No to Password123: Password Managers

For everything from online banking to social media accounts and everything in between, most websites require you to create a username and a password. While most of us understand the importance of selecting a strong password, not everyone practices the other elements of proper password hygiene.

It is critical to make sure that no matter the website or app, you have created strong unique passwords which make it difficult for unauthorized users to guess at. But we know that managing, changing and remembering all of these passwords can be a full-time job – so how can you stay safe and sane? It all starts with a good password manager.

What are password managers?

Password managers are applications that remember your chosen passwords, and give you the option to generate randomized passwords for all the sites you visit. If a password for one site is compromised, it’s common for attackers to take those credentials and try them on many other sites. The only thing worse than changing your password on one compromised site is having to do it on LOTS of sites because that password was reused.

A password manager stores your credentials for you in a secure virtual vault accessed by using a master password, or even biometrics. Then, when you visit a site or open an app where you need to log in, the password manager automatically fills in your login information and password for you.

The best password managers let you know if your existing passwords are weak, reused, or have shown up in a data breach through dark-web monitoring. These products help you improve your password hygiene by suggesting new, strong, and unique credentials for every login. When creating a new password, you can use a scrambler that will auto generate a strong password that is at least 20 characters long and include all the major character types: uppercase, lower case, numbers, and symbols.
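The generator and the “weak or reused” checks described above, as an added illustration (not code from Clark ITS or from any password manager product). It generates a password that meets the article’s stated policy (at least 20 characters, all four character classes) using a cryptographically secure source, and flags reuse across a constructed sample vault; the `SYMBOLS` set and the `{site: password}` vault layout are assumptions for the example.

```python
import secrets
import string
from typing import Dict, List

# Character classes the article says a generated password should include.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"  # assumed symbol set for this example
ALL_CLASSES = (UPPER, LOWER, DIGITS, SYMBOLS)
MIN_LENGTH = 20  # the minimum length the article recommends


def generate_password(length: int = MIN_LENGTH) -> str:
    """Return a random password of `length` chars containing every class.

    Uses the `secrets` module (a CSPRNG), never `random`, and guarantees one
    character from each class before filling the rest from the union.
    """
    if length < len(ALL_CLASSES):
        raise ValueError("length too short to include every character class")
    chars = [secrets.choice(cls) for cls in ALL_CLASSES]
    pool = "".join(ALL_CLASSES)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # CSPRNG-backed Fisher-Yates shuffle so the guaranteed characters do not
    # sit at predictable positions (random.shuffle would use a non-CS PRNG).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password: str) -> bool:
    """True if the password is at least MIN_LENGTH and covers all four classes."""
    if len(password) < MIN_LENGTH:
        return False
    return all(any(c in cls for c in password) for cls in ALL_CLASSES)


def find_reused(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password shared by more than one site to the sites using it.

    This is the 'reused' check a password manager performs. `vault` is a
    constructed {site: password} mapping for the example, not a real vault
    format.
    """
    by_password: Dict[str, List[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    pw = generate_password()
    print(pw, "meets policy:", meets_policy(pw))
    sample_vault = {  # constructed sample data, not real credentials
        "bank.example": "Password123",
        "social.example": "Password123",
        "mail.example": generate_password(),
    }
    print("reused:", find_reused(sample_vault))
```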

Some managers charge annual subscription fees, while some are no-cost. A trustworthy password manager can cost anywhere from $25-$60 annually. Additionally, some managers offer 50% discounts to students and those working in Higher Education. These and other recommended Password Managers are listed below.

Phishing Simulations and Training from ITS

Approximately 90% of cyber attacks begin with a phishing email and all Clark community members can help protect our information resources by being able to identify and ignore suspicious emails. To support this, ITS has partnered with KnowBe4, a security awareness training and simulated phishing platform to offer an on-going security awareness campaign.

This campaign helps to educate the Clark community through a broader lens of understanding how hackers can steal your personal information, and track your movements. Our campaign works to encourage change across Clark while empowering and equipping users with the tools to protect the physical, and digital data of the University.

Through the KnowBe4 software, Clark members will be sent several ‘simulated phishing’ messages over the course of each semester. These simulated phishing emails are based on malicious emails that a hacker would send you.

Since launching the campaign in July of 2021, institutional risk related to users being ‘phish prone’ (those who are likely to fall for simulated phishing emails) has decreased by 13%.

What will happen if I open a ‘simulated phishing email’?

If you open an email which was sent through our KnowBe4 system, nothing dangerous will happen. It is up to you to report it using the Phish Alert button (click here to learn more about how to use the Phish Alert button).

However, if you click a link within the body of the message, download an attachment, or forward the email to someone else (including to the Help Desk), you will be directed to a landing page (similar to below) letting you know that this was a simulated email from KnowBe4. This page will alert you to why this email should seem ‘phishy’ to you, and what steps you can take in the future to more quickly identify it as malicious. Additionally, you will be asked to watch a 2-minute video about phishing.

In addition to the short video, you will automatically be enrolled into Clark’s Cybersecurity Training Course. This course, which is also delivered through our KnowBe4 system, can be accessed using the link provided in an email that you will receive (similar to below).

What do I need to know about the training?

Training typically consists of two modules which take approximately 10 minutes to complete, and will provide you with tips and tricks to spot and avoid clicking on phishing emails in the future. Failure to complete the assigned trainings will result in continued notification reminders.

What happens if I click on more than one ‘simulated phishing email’?

Don’t worry, it happens to us all! With phishing emails getting more sophisticated and trickier than ever, we understand that you may accidentally click on one. If this happens, you will be auto-enrolled into another Cybersecurity Training. However, each time you are enrolled, you will be presented with a more detailed course. More than 3 incidents in one academic semester may result in a user having a conversation with their supervisor and/or ITS to help ensure we can best protect our information resources.

I reported the simulated phish by clicking the Phish Alert Button

Congratulations! You outsmarted the hackers. If you properly spot and report a simulated phishing email, you will receive a notification on a job well done, and a HUGE thank you from Clark ITS in helping to keep Clark safe from potential cyber-threats.