Data Privacy and Security

Get Ready for Cybersecurity Awareness Month

October is Cybersecurity Awareness Month, a global effort to help everyone stay safe and protected when using technology whenever and however you connect. As education, socializing, and many aspects of life increasingly rely on technology, it’s more important than ever to protect your digital identity and steer clear of cybercriminals.

The theme for the month is ‘It’s easy to stay safe online’ #BeCyberSmart, and Clark University is proud to be a champion and support this online safety and education initiative.

This month is all about taking action! There are all kinds of ways to stay safe and secure online, but even just practicing these cybersecurity basics can make a huge difference:

  1. Enable Multi-Factor Authentication
  2. Use Strong Passwords and a Password Manager
  3. Update Your Software
  4. Recognize and Report Phishing

We want to help you, your family, friends, and our community stay safe all year long, too. We encourage you to sign up as an individual Cybersecurity Awareness Month Champion. After signing up, you’ll receive a toolkit of free resources, including simple steps you can take to #BeCyberSmart.

Cybersecurity Awareness Month is co-led by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Security Agency (CISA). For more information about ways to keep you and your family safe online, visit https://staysafeonline.org/cybersecurity-awareness-month/champions/ and https://www.cisa.gov/cybersecurity-awareness-month.

Stay tuned for weekly emails during October highlighting cybersecurity topics.

Say No to Password123: Password Managers

For everything from online banking to social media accounts and everything in between, most websites require you to create a username and a password. While most of us understand the importance of selecting a strong password, not everyone practices other elements of proper password hygiene.

It is critical to make sure that, no matter the website or app, you have created strong, unique passwords that are difficult for unauthorized users to guess. But we know that managing, changing and remembering all of these passwords can be a full-time job – so how can you stay safe and sane? It all starts with a good password manager.

What are password managers?

Password managers are applications that remember your chosen passwords and give you the option to generate randomized passwords for all the sites you visit. If a password for one site is compromised, it’s common for attackers to take those credentials and try them on many other sites. The only thing worse than changing your password on one compromised site is having to do it on LOTS of sites because that password was reused.

A password manager stores your credentials for you in a secure virtual vault accessed by using a master password, or even biometrics. Then, when you visit a site or open an app where you need to log in, the password manager automatically fills in your login information and password for you.

The best password managers let you know if your existing passwords are weak, reused, or have shown up in a data breach through dark-web monitoring. These products help you improve your password hygiene by suggesting new, strong, and unique credentials for every login. When creating a new password, you can use a scrambler that will auto-generate a strong password that is at least 20 characters long and includes all the major character types: uppercase, lowercase, numbers, and symbols.
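As an added illustration (not code from Clark ITS or from any password manager product), the Python sketch below shows the two jobs described above: generating a random password of at least 20 characters that contains all four character types, and auditing a vault for weak or reused entries. The site names, the sample vault and the definition of "weak" (anything short of the 20-character, four-type rule) are assumptions made for the example.

```python
import secrets
import string
from collections import defaultdict

# The four character types named above.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)
MIN_LENGTH = 20  # minimum length recommended above


def has_all_classes(password):
    """True if the password contains at least one character of every type."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def is_strong(password):
    """Assumed policy for this example: long enough and all four types present."""
    return len(password) >= MIN_LENGTH and has_all_classes(password)


def generate_password(length=MIN_LENGTH):
    """Return a random password of `length` characters with every type present."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character type")
    while True:
        # Draw every character from the OS random source, then retry if a type
        # is missing, so each acceptable password is equally likely.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def audit(vault):
    """vault maps site -> password. Return {site: [problems]} for risky entries."""
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    report = {}
    for site, password in vault.items():
        problems = []
        if not is_strong(password):
            problems.append("weak")
        if len(sites_by_password[password]) > 1:
            problems.append("reused")
        if problems:
            report[site] = problems
    return report


# Constructed sample vault: two sites share one weak password, one is generated.
SAMPLE_VAULT = {
    "bank.example": "Password123",
    "social.example": "Password123",
    "shop.example": generate_password(),
}

if __name__ == "__main__":
    for site, problems in audit(SAMPLE_VAULT).items():
        print(site, "->", ", ".join(problems))
```
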

Some managers charge annual subscription fees, while some are no-cost. A trustworthy password manager can cost anywhere from $25-$60 annually. Additionally, some managers offer 50% discounts to students and those working in Higher Education. These and other recommended Password Managers are listed below.

Phishing Simulations and Training from ITS

Approximately 90% of cyber attacks begin with a phishing email, and all Clark community members can help protect our information resources by being able to identify and ignore suspicious emails. To support this, ITS has partnered with KnowBe4, a security awareness training and simulated phishing platform, to offer an ongoing security awareness campaign.

This campaign helps to educate the Clark community through a broader lens of understanding how hackers can steal your personal information and track your movements. Our campaign works to encourage change across Clark while empowering and equipping users with the tools to protect the physical and digital data of the University.

Through the KnowBe4 software, Clark members will be sent several ‘simulated phishing’ messages over the course of each semester. These simulated phishing emails are based off malicious emails that a hacker would send you.

Since launching the campaign in July of 2021, institutional risk related to users being ‘phish prone’ (those who are likely to fall for simulated phishing emails) has decreased by 13%.

What will happen if I open a ‘simulated phishing email’?

If you open an email which was sent through our KnowBe4 system, nothing dangerous will happen. It is up to you to report it using the Phish Alert button (click here to learn more about how to use the Phish Alert button).

However, if you click a link within the body of the message, download an attachment, or forward the email to someone else (including to the Help Desk), you will be directed to a landing page (similar to below) letting you know that this was a simulated email from KnowBe4. This page will alert you to why this email should seem ‘phishy’ to you, and what steps you can take in the future to more quickly identify it as malicious. Additionally, you will be asked to watch a 2-minute video about phishing.

In addition to the short video, you will automatically be enrolled into Clark’s Cybersecurity Training Course. This course, which is also done through our KnowBe4 system, can be accessed using the link provided in an email that you will receive (similar to below).

What do I need to know about the training?

Training typically consists of two modules which take approximately 10 minutes to complete, and will provide you with tips and tricks to spot and avoid clicking on phishing emails in the future. Failure to complete the assigned trainings will result in continued notification reminders.

What happens if I click on more than one ‘simulated phishing email’?

Don’t worry, it happens to us all! With phishing emails getting more sophisticated and trickier than ever, we understand that you may accidentally click on one. If this happens, you will be auto-enrolled into another Cybersecurity Training. However, each time you are enrolled, you will be presented with a more detailed course. More than 3 incidents in one academic semester may result in a user having a conversation with their supervisor and/or ITS to help ensure we can best protect our information resources.

I reported the simulated phish by clicking the Phish Alert Button

Congratulations! You outsmarted the hackers. If you properly spot and report a simulated phishing email, you will receive a notification on a job well done, and a HUGE thank you from Clark ITS in helping to keep Clark safe from potential cyber-threats.

Seems Phishy!

Email is a critical communication tool, and as a result, it’s important for all of us to be vigilant and able to spot phishing emails that attempt to compromise our personal and community information.

What is Phishing?

Phishing is the process in which malicious people try to trick you into giving out sensitive information or taking a potentially dangerous action, like clicking on a link or downloading an infected attachment. They do this using emails disguised as contacts or organizations you trust so that you react without thinking first. It’s a form of criminally fraudulent social engineering.

Phishing is one of the most common ways that attackers try to access our data and commit fraud. Phishers pose, usually via email, as someone you know and lure you into revealing sensitive personal information, downloading malicious software or sending money or gift cards.

How can I spot Phishing?

While Clark’s advanced security will do much to prevent many phishing emails from reaching your inbox, it’s up to each of us to remain vigilant. Phishing emails can look like any other email. Some claim to offer free drinks from your favorite coffee shop, while others may pretend to be from a familiar department on campus.

Phishing emails often have the following characteristics:

  • They will often appear to come from a Clark email address, but instead will be ‘spoofed’. Spoofed email addresses look similar but are actually different – similar to presidentsoffice.clarku.edu@gmail.com.
    • For Staff and Faculty: Look for the [EXT] label in the subject which indicates an email was sent from outside Clark. If you see an email that looks like it came from a member of the Clark community, but has the [EXT] label, be cautious.
  • Make requests for personal information (usernames, passwords, account numbers)
  • Alarming and urgent statements instructing you to act immediately
  • Slight alterations of well-known organization names (e.g. IT department, instead of ITS)
  • Awkward writing style, misspelled words, or poor grammar are common, but phishers are becoming more sophisticated and polished in their writing.

What do I do if I suspect a message is a Phishing scam?

If you receive an email from someone that just feels out of place, you should report it. It is always better to ask ITS to investigate the email (by using the Phishing Alert button – see below) than to open a malicious one that can spread malware, infect your device and even steal your information.

In a change to our previous advice, we ask that you no longer forward suspected phishing emails to anyone, including the Help Desk. Instead, please follow the instructions below to report the email in the most secure way.

Outlook on Windows or Mac

  • Click on the Phish Alert Report button in the top right of the email window.

Outlook Online

  • Click on the More Actions (three dots) button in the top right
  • Click on the Phish Alert V2 option

Outlook App on iOS or Android

  • Click on the More Actions (three dots) button in the email
  • Click on the Phish Alert button
    • Note that on Android you may need to scroll down to see this option as it’s below Delete

What does ITS do to help prevent phishing?

You are a critical step in helping to protect our shared computing resources. Security is best deployed in layers, so if one layer is breached, others can help protect those critical resources. In addition to the great work we do as a community by reporting and ignoring the requests in phishing emails, ITS has deployed tools and techniques to aid in your ability to detect a phishing message, and also prevent these messages from reaching your inbox. In February 2022, approximately 20% of all email sent to members of the Clark community was automatically kept from reaching your inbox. That’s almost 700,000 messages we didn’t have to delete! Some of these techniques are:

  • We partner with organizations like Microsoft, Palo Alto Networks, and REN-ISAC to help us identify attributes of messages that we know are malicious, and we send those messages right to your Junk Email folder. With Microsoft as our email provider we are part of a large global community, potentially learning about malicious content after it impacts other users, and before it impacts Clark.
  • If a message has a known malicious attachment, that attachment is replaced with a notice that an attachment was removed from the message before it is delivered to your Inbox.
  • When you click on a link in most emails, the link is scanned in real time to see if it is sending you to a known malicious website. If it is, then you are redirected to a warning page notifying you the link was malicious.
  • Faculty and staff may notice [EXT] appended to the subject of an email that originates from outside of Clark’s email system. If you see a message that looks like it may have come from a member of the Clark community, but it has the [EXT] tag in the subject, be suspicious, and maybe reach out to them in a new email (not a reply to that potentially fraudulent email) sent to their Clark account.
  • Clark uses technology like SPF and DKIM to help identify legitimate messages that do originate from outside our email system.
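To make the warning signs listed under "How can I spot Phishing?" and the [EXT], SPF and DKIM items above concrete, here is an added Python example (not ITS's actual filtering, and not code from Microsoft or KnowBe4) that checks raw messages for those signs. The three sample messages, the keyword lists, the "clark" display-name match and the mx.example gateway name are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "clarku.edu"   # taken from the page's spoofed-address example
EXT_TAG = "[EXT]"           # subject label the page describes
# Assumed keyword lists for the "urgent" and "asks for personal information" signs.
URGENT = re.compile(r"\b(urgent|immediately|right away|act now)\b", re.I)
CREDS = re.compile(r"\b(username|password|account number)\b", re.I)
# Simplified reading of Authentication-Results; trust only the header that your
# own mail gateway added, since a sender can forge earlier ones.
AUTH = re.compile(r"\b(spf|dkim)=(\w+)", re.I)


def is_internal(domain):
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def triage(raw):
    """Return the warning signs found in one raw message (simple heuristics)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    results = " ".join(msg.get_all("Authentication-Results", []))
    auth = {m.lower(): r.lower() for m, r in AUTH.findall(results)}
    signs = []

    # Sign 1: mail from outside that presents itself as coming from Clark.
    external = EXT_TAG in subject or not is_internal(domain)
    claims_org = (is_internal(domain) or ORG_DOMAIN in local
                  or "clark" in name.lower())
    if external and claims_org:
        signs.append("lookalike-sender")
    # Sign 2: From uses the real domain, but neither SPF nor DKIM passed.
    if is_internal(domain) and "pass" not in (auth.get("spf"), auth.get("dkim")):
        signs.append("unauthenticated-internal-from")
    # Signs 3 and 4: urgent wording and requests for personal information.
    text = subject + "\n" + body
    if URGENT.search(text):
        signs.append("urgent-language")
    if CREDS.search(text):
        signs.append("asks-for-personal-info")
    return signs


# Constructed sample messages (not real mail).
LOOKALIKE = """\
From: "President's Office" <presidentsoffice.clarku.edu@gmail.com>
Subject: [EXT] Urgent: account verification
Authentication-Results: mx.example; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com

Please reply immediately with your username and password.
"""

SPOOFED = """\
From: Example Person <example.person@clarku.edu>
Subject: [EXT] Mailbox notice
Authentication-Results: mx.example; spf=fail smtp.mailfrom=clarku.edu; dkim=none

Your mailbox is almost full.
"""

LEGITIMATE = """\
From: Example Person <example.person@clarku.edu>
Subject: Lunch on Friday?
Authentication-Results: mx.example; spf=pass smtp.mailfrom=clarku.edu; dkim=pass header.d=clarku.edu

Are you free at noon?
"""

if __name__ == "__main__":
    for label, raw in (("lookalike", LOOKALIKE), ("spoofed", SPOOFED),
                       ("legitimate", LEGITIMATE)):
        print(label, "->", triage(raw) or "no warning signs")
```

A message with no signs is not proven safe; as the list above notes, polished phishing can avoid every one of these checks, which is why reporting anything that feels out of place still matters.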

Hacking and the Holiday Season

With the holiday season upon us, hackers, scammers and online thieves are gearing up for creative ways to steal your information. As millions of online shoppers begin looking for the best deals, hackers are looking to take advantage of people by searching for weaknesses in their devices and internet connections, and for failures to update to current software versions.

There are several key ways to prevent leaving yourself open to hackers and giving your information to the wrong individuals:

  • Stop, Look, and Think before you click on unknown links! When in doubt about whether a message or email is real, visit the company’s website or verify the sender through another method.
  • Never install unapproved software or download attachments without verifying they are safe. Always ensure your computer is up-to-date with the latest approved security patches.
  • Don’t download any e-gift card or other links if you do not know the sender. Downloading links from unknown senders can lead to ransomware installs and encryption of data.
  • Secure your devices by keeping them close and using strong passwords.
  • Password managers are a great tool, and help to create and store strong passwords. They make it secure and easy to avoid using the same password for all websites and accounts – a bad practice. If one site is compromised, then the hackers will try the same password on many other sites. If the password is unique per site, then you only have one account to worry about instead of all your accounts!
  • Make sure not to leave any devices unattended or connect to any unknown Wi-Fi networks. When possible, always use MFA.
  • Be cautious of websites that are not well known and offer special deals or promotions if you sign up.

With these steps, you can minimize your risk of browsing online and have a happy and secure holiday season.

National Cybersecurity Awareness Month

National CyberSecurity Awareness Month (NCSAM) was started as a collaborative effort between the National CyberSecurity Division within the Department of Homeland Security (DHS) and the nonprofit National Cyber Security Alliance in 2003. The month of October raises awareness about the importance of cybersecurity.

As education, socializing, and many aspects of life increasingly rely on technology, it’s more important than ever to protect your digital identity and steer clear of cybercriminals. The theme of 2021 is for you to Do Your Part, #BeCyberSmart all year long.

What is Clark Doing during the Month of October for NCSAM?

Clark will be promoting safe online practices through a variety of activities and resources around campus. Look for new resources or activities each week to help encourage you to #BeCyberSmart. Some topics will include:

Fight the Phish

Phishing attacks and scams have increased during the COVID pandemic. We will stress the importance of staying aware of threatening emails, text messages or chat boxes that come from cybercriminals to gain your information or personal assets.

Explore. Experience. Share (Cybersecurity Career Awareness Week)

This will inspire and promote the exploration of cybersecurity careers. No matter if you are a student or a veteran seeking a career change, the dynamic field of Cybersecurity is rapidly growing and holds something for everyone!

Cybersecurity First

Here we will raise awareness of how businesses are working to integrate and build partnerships to incorporate security into their products and everyday processes. For individuals, it is about keeping Cybersecurity at the forefront of your mind as you connect daily and understanding the privacy and default settings of your applications and devices. Cybersecurity should be a proactive mindset, not a reactive one.

Remember that if you have any questions or are curious about how you can Do Your Part and #BeCyberSmart all year long, feel free to ask the Clark ITS Team or visit one of the following links:

 

An Update on Multi-Factor Authentication

In the last month over 4000 Clarkies have set up and begun to use Multi-Factor Authentication, and ITS would like to say Thank You!

Multi-Factor Authentication will provide Clark and our individual community members a higher level of security for their personal and institutional data, and will make our efforts to reduce cyber-threats more effective and efficient.

Over the last few weeks while supporting students, staff and faculty with Multi-Factor Authentication, we got some great questions. We’ve added the answers to our Multi-Factor Authentication webpage but wanted to cover some of the most frequently asked here.

If you still have questions about Multi-Factor Authentication, or are having issues accessing your email, please reach out to the Help Desk for support at 508-793-7745 or helpdesk@clarku.edu.

How often will I have to use Multi-Factor Authentication to access my account?

You will need to authenticate the first time you use a new device (computer, laptop, phone, tablet, etc.), or browser to access protected systems.

After the initial authentication on a device, you may be asked to reauthenticate, usually after a number of weeks. ITS will calibrate the timing of reauthentication requests to best balance security needs and your convenience.

Do I need Multi-Factor Authentication for Moodle? VPN? CUWeb?

Currently, you will only be required to use Multi-Factor Authentication to access Clark email and Office 365. However, ITS is adding MFA security to important Clark applications over the coming semesters including Moodle, VPN, CUWeb and Banner. We’ll be sure to let everyone know when we add new systems to Multi-Factor Authentication.

My mail app isn’t displaying new mail after setting up Multi-Factor Authentication. What do I do?

If, after setting up Multi-Factor Authentication, you find that your email app isn’t displaying new emails, you may need to remove and re-add your Clark account to your app in order for it to sync correctly. Your phone manufacturer or app developer should have instructions on how to do so, or you can contact the Help Desk if you need further assistance. Using the Microsoft Outlook app on mobile devices helps provide a consistent experience between your devices.

How do I edit my factors?

You may need to do this if you buy or sell your smartphone, change your phone number, or just want to manage your factors. To see or edit your factors, you can visit the Multi-Factor Authentication webpage on the Clark website and choose “Edit my Factors” on the right.

What do I do if I lose my phone?

When using Multi-Factor Authentication, your smartphone becomes an important step in gaining access to your account. If you lose your device, please reach out to the Help Desk at 508 793 7745 or helpdesk@clarku.edu so we can verify your identity and get you back into your account as quickly as possible.

 

Firewalls: The First Line of Defense

As you may have read in the media and in your email inbox, cyber-attacks of all types are on the increase, and each of us needs to be more vigilant than ever before clicking on links in emails, or responding to unknown senders.

But you’re not alone in the fight against phishing, viruses and malicious links. ITS is working hard to minimize our users’ exposure to nefarious attempts at attacking the institution and our data. And that work starts with a strong Firewall.

A Firewall is, first and foremost, a wall! It provides a barrier between our internal network – including systems such as Banner, WordPress and Outlook – and the external internet. Our Firewall allows us to monitor traffic requests into the Clark network, and refuse traffic that is malicious and looking to compromise our users and our data. The easiest way to demonstrate how important the Firewall is to our security is to share some numbers.

Since the beginning of the semester our Firewall has blocked over 2 BILLION attempts to access our network from general malicious actors and over 70,000 specific attempts to spoof Clark University email addresses. Additionally, our partnership with Microsoft has blocked over 5 million additional spam emails, and 12 million instances of malware. The technology that we use leverages machine learning, so that it identifies trends in new threats, learns from our users’ behavior and becomes more effective every day.

Without this technology, it would be impossible to run our campus effectively or securely. It allows us to communicate with Clarkies and external partners and greatly minimizes the percentage of attacks that reach your inbox. From there, we rely on you. So, don’t forget to ‘think twice, click once’ and follow our guidelines (click here to read) to help prevent cyberattacks on our network and data.

Multi-Factor Authentication 

When users ask ITS about how best to protect their online data and identity, using Multi-Factor Authentication is one of our top tips. ITS is planning to use this security feature in the coming months to better protect Clark’s information. 

To help you get started, here is a short introduction to Multi-Factor Authentication.

What is Multi-Factor Authentication? 

Click below to watch a short (3 minute) video about Multi-Factor Authentication.

Screenshot of a video embed for MFA

Multi-Factor Authentication (MFA), sometimes referred to as Two-Step Login, Two-Factor Authentication, or 2FA, is a security enhancement that requires you to present two (or more) pieces of evidence of who you are when logging in to an account. This evidence should fall into two (or more) of these three categories: 

  • something you know: for example, a password or PIN
  • something you have: for example, an application on your phone or a bank card
  • something you are: for example, a fingerprint or retinal scan  

In fact, you probably already use Multi-Factor Authentication in some form. For example, you’ve used it if you’ve: 

  • swiped your bank card (something you have) at the ATM and then entered your PIN (something you know).
  • logged into a website, like Amazon, with a username and password (something you know) and were then sent a numeric code to your phone (something you have), which you entered to gain access to your account.

Multi-Factor Authentication helps to protect your personal data, identity and money. ITS recommends enabling Multi-Factor Authentication (or Two-Step Login) where available for any online services that you use regularly such as Google/Gmail, Apple and others.

Multi-Factor Authentication and Clark 

Over the next two semesters, Clark University will begin to introduce Multi-Factor Authentication as a log-in option (and eventual requirement) for access to certain systems. This additional layer of security will help protect Clark’s computing resources, your personal data, and reduce the impact of phishing scams. 

Be on the lookout over the next few months for more information on this change and know that ITS will be here to help every step of the way. 

Gone Phishing

This article has been updated. Please click here for more up-to-date information.


Email has always been a critical communication tool, but even more so now that Clarkies are learning and working in many different modalities. As a result, it’s even more important now for all of us to be vigilant and able to spot Phishing emails that attempt to compromise our personal and community information.

Phishing is one of the most common ways that attackers try to access our data and commit fraud. Phishers pose, usually via email, as someone you know and lure you into revealing sensitive personal information, downloading malicious software or sending money or gift cards.

How can you tell a Phishing Email?

Phishers are becoming more and more sophisticated and the days of requesting bank transfers to help deposed princes are long gone. However, there are some signs to help you spot a phishing attempt, and in combination with the security and tools that ITS has put in place, we can reduce the risk to Clark’s information.

One way you can prevent mistaking a phishing attempt for a legitimate request is to pause before responding and re-read the email. We know in these busy times, when we receive so many emails every week, that being quick and efficient is necessary. However, phishers rely on the element of urgency. Taking just an extra moment to review emails before responding can make a big difference.

So, what should you look for? Phishing emails often have the following characteristics:

  • They will often appear to come from a Clark email address, but instead will be ‘spoofed’. Spoofed email addresses look similar but are actually different – similar to presidentsoffice.clarku.edu@gmail.com.
    • For Staff and Faculty: Look for the [EXT] label in the subject which indicates an email was sent from outside Clark. If you see an email that looks like it came from a member of the Clark community, but has the [EXT] label, be cautious.
  • Make requests for personal information (usernames, passwords, account numbers)
  • Alarming and urgent statements instructing you to act immediately
  • Slight alterations of well-known organization names (e.g. IT department, instead of ITS)
  • Awkward writing style, misspelled words, or poor grammar are common, but phishers are becoming more sophisticated and polished in their writing.

What should you do if you suspect an email?

  • If you receive an email from a colleague or senior member of your department asking you to act urgently, contact that person by other means for confirmation – a phone call, Teams chat, walk down the hall (when possible).
  • NEVER share your Clark username and password with anyone. Nobody at Clark, including members of ITS, will ever ask you directly for your password.
  • If you identify a suspected phishing attempt, use our Phish Alert Report button to alert ITS.

Outlook on Windows or Mac

    • Click on the Phish Alert Report button in the top right of the email window.

Outlook Online

    • Click on the More Actions (three dots) button in the top right
    • Click on the Phish Alert V2 option

Outlook App on iOS or Android

    • Click on the More Actions (three dots) button in the email
    • Click on the Phish Alert button
      • Note that on Android you may need to scroll down to see this option as it’s below Delete

If You Get Phished

If you believe that you have been the victim of a phishing scam, change your password immediately by logging into ClarkYOU and using the “Password Change Utility” located at the bottom of the left sidebar. Also, contact the Help Desk at helpdesk@clarku.edu or (508) 793-7745.