Category Archives: Security Awareness

What is CloudLock?

CloudLock is a service that helps ensure files within your Fordham Google Drive account that may contain Fordham protected and/or Fordham sensitive data are stored and shared appropriately and securely.

Why does Fordham have CloudLock?

Fordham has an obligation to the University community to protect information from unauthorized access and illicit use. Fordham IT is a partner in carrying out that obligation in order to ensure we use all available means to manage secure data in accordance with best practices and compliance regulations. CloudLock assists in ensuring that protected and sensitive data within a Fordham member’s Google Drive account is stored and shared in an appropriate and secure manner.

Is CloudLock looking at my Google Drive files?

CloudLock assesses files in Fordham Google Drive accounts. It looks for files containing patterns that match those of protected and sensitive data (such as Social Security numbers, credit card numbers, Fordham ID numbers, etc.) and that may not be shared in a secure manner in accordance with Fordham’s Data Classification Policy.

What is considered protected and sensitive data?

Protected data contains personally identifiable information (PII) such as Social Security numbers and credit card numbers.

Sensitive data has been deemed as such based on internal standard operating procedures. It contains data such as employee compensation and annual budget information. You can read more on Fordham’s data classification in Fordham’s Data Classification Guidelines. The Data Classification Grid describes regulations and policies governing protected and sensitive data. Use it to determine where and how to store your files.

What does CloudLock do when it finds a file with protected and sensitive data?

If CloudLock finds protected or sensitive data in a file, you will receive an alert from “no-reply@cloudlock-ops2.com” notifying you that the file was shared in an inappropriate manner. The file is not modified, but when you receive the alert, you are advised to perform the following steps:

  1. While viewing or editing the shared file, from the drop down menu, select File | Share
  2. Change the option “Anyone at Fordham University with the link can view” to “OFF – only specific people can access”
  3. In the “People” section add the names of the individuals you would like to share the file with
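The kind of check described in this FAQ, pattern matching combined with the file's sharing setting, can be sketched as follows. This is an added example, not CloudLock's actual detection logic: the regular expressions, the validity filters, the sharing labels and the sample text are assumptions constructed for illustration, and Fordham ID numbers are left out because the page does not give their format.

```python
import re

# Nine digits written as AAA-GG-SSSS, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")

# Hypothetical labels for the two sharing settings named in the steps above.
LINK_SHARED = "anyone_with_link"
SPECIFIC_PEOPLE = "specific_people"

# Constructed test data, not real personal information.
SAMPLE = """Payroll notes (constructed test data)
Employee SSN: 123-45-6789
Invalid SSN-like value: 000-12-3456
Card on file: 4111 1111 1111 1111
Order reference: 1234 5678 9012 3456
"""


def ssn_is_plausible(area, group, serial):
    """Reject number ranges the Social Security Administration never issues."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn checksum used by payment cards; filters out arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _line_of(text, pos):
    return text.count("\n", 0, pos) + 1


def scan_text(text):
    """Return masked findings so the report does not leak the data itself."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(*m.groups()):
            findings.append({"kind": "ssn", "line": _line_of(text, m.start()),
                             "masked": "***-**-" + m.group(3)})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append({"kind": "card", "line": _line_of(text, m.start()),
                             "masked": "*" * (len(digits) - 4) + digits[-4:]})
    return sorted(findings, key=lambda f: f["line"])


def needs_alert(text, sharing):
    """Alert only when sensitive patterns are present AND the file is link-shared."""
    return sharing == LINK_SHARED and bool(scan_text(text))


if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
    print("alert:", needs_alert(SAMPLE, LINK_SHARED))
```

The validity filters matter in practice: without them, order references and other long digit runs would generate alerts that teach users to ignore the notifications.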

 

 

 

Educational Institutions Attractive Target for Cybercriminals

Via: NJ Cybersecurity and Communications Integration Cell

The NJCCIC assesses with high confidence that educational institutions across the globe will remain attractive targets for a range of cyber-attacks designed to disrupt daily operations, steal sensitive data, instill fear in the community, and hold critical operational data for ransom. In October 2017, the US Department of Education issued an updated Cyber Advisory warning schools about a new method of cyber extortion impacting institutions across the country.

In recent attacks, cyber-criminals demanded large ransom payments in exchange for sensitive student record information obtained via schools’ compromised networks. In some instances, cyber-criminals made direct threats to the safety of students and staff members via SMS messaging. According to Verizon’s 2017 Data Breach Investigations Report, the education sector was impacted by approximately 455 security incidents in 2016, with at least 73 of these events involving the disclosure of data. As the use of technology within the classroom is increasingly required for educational purposes, more schools are implementing Bring Your Own Device (BYOD) policies, allowing students and employees to connect their personal computers, tablets, and mobile phones to their networks. Unfortunately, if BYOD is not implemented with security in mind, schools could be exposing their networks and sensitive data to an increased risk of compromise created by vulnerable and infected devices. Sophisticated and profit-motivated threat actors are cognizant of this fact and will continue to target universities and school districts as many of them do not have adequate resources, funding, or staffing to properly protect and defend their networks.

  • The NJCCIC recently alerted its education sector members to a cyber-extortion campaign targeting educational institutions in Florida. In this targeted attack, emails were sent to the presidents of several colleges and universities threatening mass shootings and bombings if a payment of 1.2 Bitcoin, approximately $18,000 USD at the time, was not received. The emails originated from onlyfair[@]protonmail.com and reportedly contained threats of imminent violence against students and staff.

 

  • In November 2017, SchoolDesk, a company that provides website hosting solutions for schools, suffered a breach by a hacking group known for distributing ISIS propaganda videos. The breach resulted in the defacement of the Bloomfield Public School District website, where an ISIS-sponsored video was displayed for approximately two hours before being detected and removed. Although no sensitive information was accessed or released, the ability of threat actors to gain remote access to web servers highlighted the impact that third-party vendor vulnerabilities can have on educational institutions.

 

  • A group known as The Dark Overlord claimed responsibility for the breach of numerous school districts in several states across the US in late 2017, including the Johnston Community School District in Iowa, the Splendora Independent School District in Texas, and the Columbia Falls School District in Montana. The breaches stemmed from compromised servers that exposed confidential information including names, phone numbers, and addresses of students, parents, and staff. In some instances, students and parents received violent, threatening messages from the attackers resulting in school closures and canceled extracurricular programs.

Recommendations
The NJCCIC advises our education sector members to take proactive steps to reduce their cyber risk, beginning with comprehensive audits of their networks to identify and patch existing vulnerabilities in outdated operating systems, applications, servers, and websites. Continuously monitor systems for indicators of compromise by running reputable and up-to-date antivirus software and maintain network traffic logs in accordance with your data retention policy. Limit user privileges to only those systems and files required by one’s job functions, and implement strict authentication policies incorporating mandatory password resets, minimum character requirements, and multi-factor authentication for email, web services, and remote access tools. Additionally, encrypting systems and databases that contain sensitive personal data, financial information, and user credentials can mitigate the impacts of data breaches and render stolen data useless. Have an incident response plan in place and report cyber-attacks to your local police department, the FBI, and the NJCCIC.

Meltdown & Spectre – How to Protect Yourself

Following up on our previous post sharing what was then breaking information about these vulnerabilities, the UISO would like to share some additional best practices to follow in order to reduce one’s risk to attack.

Install Operating System Updates on Personal Devices

Staying current with security updates on personal devices is always advised, and all major operating systems not currently end-of-life have patches in place that aid in reducing risk. The following are guides for updating one’s operating system for those not familiar with the process.

Limit JavaScript in your Web Browser

One of the methods by which Meltdown and Spectre can be triggered is via JavaScript, which can be activated by visiting a website hosting malicious code intentionally or via a targeted advertisement. The UISO recommends adding a browser extension that limits exposure to potentially malicious JavaScript.

For performance purposes, it is recommended to install one or the other of these extensions, but not both.

 

Research is still underway, and as further methods to mitigate the risk posed by these vulnerabilities are assessed by the information security community we will share them accordingly.

As always, please subscribe to this blog, our Twitter feed, or our Facebook page for updates, and contact the UISO with any questions or concerns.

Article: “Meltdown” and “Spectre”: Every modern processor has unfixable security flaws

A major security flaw has been revealed to be prominent in every modern processor. Details can be found below.

Via: Arstechnica

“Windows, Linux, and macOS have all received security patches that significantly alter how the operating systems handle virtual memory in order to protect against a hitherto undisclosed flaw. This is more than a little notable; it has been clear that Microsoft and the Linux kernel developers have been informed of some non-public security issue and have been rushing to fix it. But nobody knew quite what the problem was, leading to lots of speculation and experimentation based on pre-releases of the patches.

Now we know what the flaw is. And it’s not great news, because there are in fact two related families of flaws with similar impact, and only one of them has any easy fix.

The flaws have been named Meltdown and Spectre. Meltdown was independently discovered by three groups—researchers from the Technical University of Graz in Austria, German security firm Cerberus Security, and Google’s Project Zero. Spectre was discovered independently by Project Zero and independent researcher Paul Kocher.

At their heart, both attacks take advantage of the fact that processors execute instructions speculatively. All modern processors perform speculative execution to a greater or lesser extent; they’ll assume that, for example, a given condition will be true and execute instructions accordingly. If it later turns out that the condition was false, the speculatively executed instructions are discarded as if they had no effect.

However, while the discarded effects of this speculative execution don’t alter the outcome of a program, they do make changes to the lowest level architectural features of the processors. For example, speculative execution can load data into cache even if it turns out that the data should never have been loaded in the first place. The presence of the data in the cache can then be detected, because accessing it will be a little bit quicker than if it weren’t cached. Other data structures in the processor, such as the branch predictor, can also be probed and have their performance measured, which can similarly be used to reveal sensitive information.

Meltdown

The first problem, Meltdown, is the one that stimulated the flurry of operating system patches. It uses speculative execution to leak kernel data to regular user programs.

Our original coverage gave a high-level summary of how operating systems virtualize system memory, the use of page tables to map from virtual memory addresses to physical addresses, how processors cache those mappings, and how the kernel’s page table mapping is shared between processes in order to maximize the value of this special cache.

While all modern processors, including those from Intel, AMD, and ARM, perform speculation around memory accesses, Intel’s processors do so in a particularly aggressive way. Operating system memory has associated metadata that determines whether it can be accessed from user programs or is restricted to access from the kernel (again: our original coverage has more detail about this point). Intel chips allow user programs to speculatively use kernel data, and the access check (to see if the kernel memory is accessible to a user program) happens some time after the instruction starts executing. The speculative execution is properly blocked, but the impact that speculation has on the processor’s cache can be measured. With careful timing, this can be used to infer the values stored in kernel memory.

The researchers say they haven’t been able to perform the same kind of kernel memory-based speculation on AMD or ARM processors, though they hold out some hope that some way of using this speculation offensively will be developed. While AMD has stated specifically that its chips don’t speculate around kernel addresses in this way, ARM has said that some of its designs may be vulnerable, and ARM employees have contributed patches to Linux to protect against Meltdown.

For systems with Intel chips, the impact is quite severe, as potentially any kernel memory can be read by user programs. It’s this attack that the operating system patches are designed to fix. It works by removing the shared kernel mapping, an operating system design that has been a mainstay since the early 1990s due to the efficiency it provides. Without that shared mapping, there’s no way for user programs to provoke the speculative reads of kernel memory, and hence no way to leak kernel information. But it comes at a cost: it makes every single call into the kernel a bit slower, because each switch to the kernel now requires the kernel page to be reloaded.

The impact of this change will vary wildly depending on workload. Applications that are heavily dependent on user programs and which don’t call into the kernel often will see very little impact; games, for example, should see very little change. But applications that call into the operating system extensively, typically to perform disk or network operations, can see a much more substantial impact. In synthetic benchmarks that do nothing but make kernel calls, the difference can be substantial, dropping from five million kernel calls per second to two-to-three million.

Spectre

Owners of AMD and ARM systems shouldn’t rest easy, though, and that’s thanks to Spectre. Spectre is a more general attack, based on a wider range of speculative execution features. The paper describes using speculation around, for example, array bounds checks and branch instructions to leak information, with proof-of-concept attacks being successful on AMD, ARM, and Intel systems. Spectre attacks can be used both to leak information from the kernel to user programs, but also from virtualization hypervisors to guest systems.

Moreover, Spectre doesn’t offer any straightforward solution. Speculation is essential to high-performance processors, and while there may be limited ways to block certain kinds of speculative execution, general techniques that will defend against any information leakage due to speculative execution aren’t known.

Sensitive pieces of code could be amended to include “serializing instructions”—instructions that force the processor to wait for all outstanding memory reads and writes to finish (and hence prevent any speculation based on those reads and writes)—that prevent most kinds of speculation from occurring. ARM has introduced just such an instruction in response to Spectre, and x86 processors from Intel and AMD already have several. But these instructions would have to be very carefully placed, with no easy way of identifying the correct placement.

In the immediate term, it looks like most systems will shortly have patches for Meltdown. At least for Linux and Windows, these patches allow end-users to opt out if they would prefer. The most vulnerable users are probably cloud service providers; Meltdown and Spectre can both in principle be used to further attacks against hypervisors, making it easier for malicious users to break out of their virtual machines.

For typical desktop users, the risk is arguably less significant. While both Meltdown and Spectre can have value in expanding the scope of an existing flaw, neither one is sufficient on its own to, for example, break out of a Web browser.

Longer term, we’d expect a future Intel architecture to offer some kind of a fix, either by avoiding speculation around this kind of problematic memory access or making the memory access permission checks faster so that this time interval between reading kernel memory, and checking that the process has permission to read kernel memory, is eliminated.”

Source: https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/

Phishing Scams Now Harder to Detect

Via: Krebs On Security

Not long ago, phishing attacks were fairly easy for the average Internet user to spot: Full of grammatical and spelling errors, and linking to phony bank or email logins at unencrypted (http:// vs. https://) Web pages. Increasingly, however, phishers are upping their game, polishing their copy and hosting scam pages over https:// connections — complete with the green lock icon in the browser address bar to make the fake sites appear more legitimate.

Phishers are moving to HTTPS because it helps increase the likelihood that users will trust that the site is legitimate. After all, your average Internet user has been taught for years to simply “look for the lock icon” in the browser address bar as assurance that a site is safe.

Perhaps this once was useful advice, but if so its reliability has waned over the years. In November, Phishlabs conducted a poll to see how many people actually knew the meaning of the green padlock that is associated with HTTPS websites.

“More than 80% of the respondents believed the green lock indicated that a website was either legitimate and/or safe, neither of which is true,” he wrote.

What the green lock icon indicates is that the communication between your browser and the Web site in question is encrypted; it does little to ensure that you really are communicating with the site you believe you are visiting.

So what can you do to make sure you’re not the next phishing victim?

Don’t take the bait: Most phishing attacks try to convince you that you need to act quickly to avoid some kind of loss, cost or pain, usually by clicking a link and “verifying” your account information, user name, password, etc. at a fake site. Emails that emphasize urgency should be always considered extremely suspect, and under no circumstances should you do anything suggested in the email.

Phishers count on spooking people into acting rashly because they know their scam sites have a finite lifetime; they may be shuttered at any moment. The best approach is to bookmark the sites that store your sensitive information; that way, if you receive an urgent communication that you’re unsure about, you can visit the site in question manually and log in that way. In general, it’s a bad idea to click on links in email.

Links Lie: You’re a sucker if you take links at face value. For example, this might look like a link to Bank of America, but I assure you it is not. To get an idea of where a link goes, hover over it with your mouse and then look in the bottom left corner of the browser window.

Yet, even this information often tells only part of the story, and some links can be trickier to decipher. For instance, many banks like to send links that include ridiculously long URLs which stretch far beyond the browser’s ability to show the entire thing when you hover over the link.

The most important part of a link is the “root” domain. To find that, look for the first slash (/) after the “http://” part, and then work backwards through the link until you reach the second dot; the part immediately to the right is the real domain to which that link will take you.

“From” Fields can be forged: Just because the message says in the “From:” field that it was sent by your bank doesn’t mean that it’s true. This information can be and frequently is forged.

If you want to discover who (or what) sent a message, you’ll need to examine the email’s “headers,” important data included in all email.  The headers contain a lot of information that can be overwhelming for the untrained eye, so they are often hidden by your email client or service provider, each of which may have different methods for letting users view or enable headers.

Describing succinctly how to read email headers with an eye toward thwarting spammers would require a separate tutorial, so I will link to a decent one already written at About.com. Just know that taking the time to learn how to read headers is a useful skill that is well worth the effort.

Keep in mind that phishing can take many forms: Why steal one set of login credentials for a single brand when you can steal them all? Increasingly, attackers are opting for approaches that allow them to install a password-snarfing Trojan that steals all of the sensitive data on victim PCs.

So be careful about clicking links, and don’t open attachments in emails you weren’t expecting, even if they appear to come from someone you know. Send a note back to the sender to verify the contents and that they really meant to send it. This step can be a pain, but I’m a stickler for it; I’ve been known to lecture people who send me press releases and other items as unrequested attachments.

If you didn’t go looking for it, don’t install it: Password stealing malware doesn’t only come via email; quite often, it is distributed as a Facebook video that claims you need a special “codec” to view the embedded content. There are tons of variations of this scam. The point to remember is: If it wasn’t your idea to install something from the get-go, don’t do it.

Lay traps: When you’ve mastered the basics above, consider setting traps for phishers, scammers and unscrupulous marketers. Some email providers — most notably Gmail — make this especially easy.

When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that with a “+” sign just to the left of the “@” sign in your email address. For example, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to Gmail and create a folder called “Example,” along with a new filter that sends any email addressed to that variation of my address to the Example folder.

That way, if anyone other than the company I gave this custom address to starts spamming or phishing it, that may be a clue that example.com shared my address with others (or that it got hacked!). I should note two caveats here. First, although this functionality is part of the email standard, not all email providers will recognize address variations like these. Also, many commercial Web sites freak out if they see anything other than numerals or letters, and may not permit the inclusion of a “+” sign in the email address field.

View the full article.
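The header checks mentioned in the article above can be illustrated with a short script. This is an added example, not part of the original article: the raw message, its domains and the three warning rules are constructed for illustration, and the `Authentication-Results` header is only meaningful when it was added by your own receiving mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: the visible From claims a bank, the envelope does not.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=bank.example.com
Received: from mailer.example.net (mailer.example.net [192.0.2.10]) by mx.example.org; Fri, 03 Nov 2017 11:23:26 +0000
From: "Your Bank" <security@bank.example.com>
Reply-To: helpdesk@support.example.net
To: user@example.org
Subject: Urgent: verify your account

Please confirm your details.
"""


def _domain(header_value):
    """Domain part of the address in a header, lower-cased ('' if absent)."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()


def review_headers(raw):
    """Compare the visible From with the envelope sender and auth verdicts."""
    msg = message_from_string(raw)
    from_dom = _domain(msg["From"])
    return_path_dom = _domain(msg["Return-Path"])
    reply_to_dom = _domain(msg["Reply-To"])

    # Verdicts recorded by the receiving server, e.g. spf=pass, dmarc=fail.
    auth_header = msg.get("Authentication-Results", "")
    auth = {k.lower(): v.lower()
            for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_header, re.I)}

    warnings = []
    if return_path_dom and return_path_dom != from_dom:
        # Signal, not proof: legitimate bulk senders also use other domains.
        warnings.append(f"envelope sender {return_path_dom} differs from From {from_dom}")
    if reply_to_dom and reply_to_dom != from_dom:
        warnings.append(f"replies go to {reply_to_dom}, not {from_dom}")
    if auth.get("dmarc") != "pass":
        # spf=pass here only vouches for the envelope domain, not the From line.
        warnings.append(f"DMARC did not pass for {from_dom}")

    return {"from_domain": from_dom, "return_path_domain": return_path_dom,
            "reply_to_domain": reply_to_dom, "auth": auth, "warnings": warnings}


if __name__ == "__main__":
    report = review_headers(RAW_MESSAGE)
    print(report["auth"])
    for warning in report["warnings"]:
        print("WARNING:", warning)
```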

Critical macOS High Sierra Update

Apple has released a security update resolving the widely reported authentication bug known as iAmRoot. The UISO recommends that Apple computers running High Sierra (macOS 10.13.x) install this security update.

Due to its critical nature, Apple has deployed this as an automatically-installing update. However, it is still recommended to check for this and any other pending security updates.

The process to update is:

  • Click the Apple logo in the Taskbar
  • Click App Store
  • Click Updates
  • Install any security related updates shown
    • The recommended patch is Security Update 2017-001

Please do not hesitate to contact infosec@fordham.edu with any questions.

Sources:

US-CERT: Apple Releases Security Update for macOS High Sierra

New security update fixes macOS root bug

Holiday Shopping 2017: How to avoid fake retail sites and other scams

Via: USAToday.com

1) Stop chasing any and all deals

“We live in an age where we have all these push notifications and emails,” said Steve Koenig, senior director of market research at the Consumer Technology Association, a trade group in Arlington, Va.

The volume of such activity during the holidays, he said, only makes consumers even more vulnerable to clicking on a $100 coupon before thinking twice.

“We’re all moving super fast, we get distracted,” said Tim Helming, director of product management at DomainTools.

When we’re rushing, we might not notice that the website in an email has an odd name.

Brands that continue to be spoofed include Amazon, Walmart and Target. Other brands that are commonly targeted include PayPal, Yahoo and Apple.

Helming told me that consumers need to be wary of fake sites that play up the “Black Friday” frenzy. Dozens of malicious domain registrations that touted a Black Friday connection cropped up last year beginning around Nov. 20, and he’d expect the same this year, too.

2) Learn how to spot a fake

Watch out for a domain decorated with a few extra, possibly even reassuring words or odd spellings. DomainTools listed some brand-abusing domains that have a dot-com at the end but they’re still frauds, such as Amazonsecure-shop, Target-officialsite or  Walmartkt.

Other fakes include: Amazonshop.gq or Targethome.today or Walmart-outlet.ga.

Helming said domains that include a hyphen and words such as shop or secure can be good clues to a phony site, as many brand names use their names alone for their sites.

Other words in a fake URL site that appears to be connected to a well-known name might be something like outlet, discounts or deals.

Many times, the fraudsters use words like “official site” to make their fake sites look legitimate. Or there might be extra letters, such as “Yahooo” or “Walmaart.”

Take care on social media. Phishers can make use of “URL shortening” services to obfuscate phishing URLs. As a result, a very short URL can be used in Tweets, which automatically redirects the visitor to a longer “hidden” URL, according to the Anti-Phishing Working Group’s research.

3) Recognize the risks of rushing

Consumers who click on the links or visit malicious sites are typically unknowingly handing over their name, address, and credit card information.

Never click on links in emails or social media to go to a retailer’s website. A better bet: Take a few extra seconds to go directly to the site yourself. Be sure to take a second look at all URLs.

4) Ask yourself why would Amazon be sending you a free gift card? Really?

Yes, one of those free $50 Amazon gift cards popped up in my email the other day. Of course, it’s a spoofed email. So I just hit delete.

Amazon is warning consumers that phishing emails will direct you to a “false website that looks similar to the Amazon website, where you might be asked to provide account information such as your e-mail address and password combination.”

The fake sites can steal sensitive information that can be used without your knowledge to commit fraud, according to Amazon.

Phishers can steal usernames and passwords from one site to engage in fraud on other sites. Too many consumers carelessly use the exact same usernames and passwords across different sites.

Amazon doesn’t send emails that ask for your Social Security number, bank account information, PIN, or your Amazon.com password.

Amazon offers shoppers a way to report suspicious emails and web pages. You can forward the email or send suspicious e-mail as an attachment to stop-spoofing@amazon.com.


5) As you order gifts online, don’t get tripped up by fake email alerts

As holiday shipping goes up in November and December, the frequency of phishing emails relating to orders or shipments goes up, too.

Walmart warns that if you received an order confirmation email from Walmart but never placed such an order, it may be a “phishing scam attempting to gather information, or in some cases, spread malware.”

FedEx warns consumers about a  “delivery failure” scam email.

Fraudulent emails claiming to be from FedEx or the U.S. Postal Service “regarding a package that could not be delivered.”

The consumer is then asked to open an attachment in order to obtain the invoice needed to pick up their package. The attachment in the email may contain a virus.

Don’t just rush and assume there’s trouble with something that you ordered.

“Be suspicious of incoming email from unknown or unsolicited sources, especially those that have attachments as well as hyperlinks,” said Jeremy Stempien, detective for the City of Novi, Mich., and a special federal deputy marshal for the Southeast Michigan Financial Crimes Task Force.

“The same should apply to incoming phone calls,” he said.

6) Every deal you find online is not a bargain

Con artists tempt consumers with great deals on hard-to-find items or hot gifts. Maybe you’ll spot some extraordinary deal on an Apple iPhone X or find a crazy bargain price on an L.O.L. Surprise! Big Surprise toy.

Or you think you’ve found a great deal on jewelry. The Better Business Bureau and others warned in 2017, for example, about fake sites that offer up to 70% off on Pandora charms.

Charisse Ford, chief marketing officer for Pandora Americas, said shoppers should be aware that counterfeit sites have some clear indicators, including the “About Us” page that can be very generic without descriptions about the business, company mission or current Pandora images or promotions.

Another clue: Try calling and talking with someone in customer service first before placing an order to ask about return policies or the like. Shoppers are less likely to connect with a real person if going through a fraudulent site.

Companies such as Pandora note that they work hard to help identify and shut down counterfeit sites, including those on social media channels.

Con artists use phony websites to sell counterfeit goods — or engage in cybercrime.

It’s no bargain if, when you click on the link, you download malware.

“You think you are getting the discount of a lifetime or an exclusive offer, but this is a phishing attack,” warned Adam Levin, author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves.

Remember, bargains abound throughout the holiday season — so there’s no reason to think you absolutely must get all that shopping done right now.

 

Source: https://www.usatoday.com/story/money/columnist/tompor/2017/11/17/fake-amazon-gift-cards-phony-walmart-sites-and-other-cyber-scams-tempt-holiday-shoppers/862083001/
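The "root domain" rule from the Krebs On Security post earlier on this page and the brand-abusing domain clues listed in this article can be combined into one triage helper. This is an added example, not code from either article: the suffix set is a small illustrative subset (real tools use the full Public Suffix List), the reason labels are hypothetical, and the test domains are the ones quoted in the article plus one constructed `example.net` URL.

```python
import re
from urllib.parse import urlsplit

# Illustrative subset only; suffixes like these break the "last two labels" rule.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz", "com.br"}
BRANDS = ("amazon", "walmart", "target", "yahoo", "bankofamerica")
# Words the article lists as common in fake shopping domains.
BAIT_WORDS = ("shop", "secure", "outlet", "discounts", "deals", "official")


def host_of(url):
    """Host the browser will really contact (drops user:pass@, port, path)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host):
    """Last two labels of the host, or three under a multi-label suffix."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _squeeze(text):
    """Collapse repeated letters so 'walmaart' and 'walmart' compare equal."""
    return re.sub(r"(.)\1+", r"\1", text)


def lookalike_reasons(url):
    """List the reasons a URL's domain looks like brand abuse ([] if none)."""
    host = host_of(url)
    domain = registrable_domain(host)
    name = domain.split(".")[0]
    subdomain_labels = host[: len(host) - len(domain)].rstrip(".").split(".")
    reasons = []
    for brand in BRANDS:
        if name == brand:
            continue  # the brand name used alone, as real brand sites do
        if _squeeze(name) == _squeeze(brand):
            reasons.append(f"repeated-letters:{brand}")
        elif brand in name:
            reasons.append(f"brand-in-name:{brand}")
        elif brand in subdomain_labels:
            reasons.append(f"brand-in-subdomain:{brand}")
    if reasons:
        bait = [word for word in BAIT_WORDS if word in name]
        if bait:
            reasons.append("bait-words:" + ",".join(bait))
        if "-" in name:
            reasons.append("hyphen")
    return reasons


if __name__ == "__main__":
    for url in ("https://www.amazon.com/gp/help",
                "http://www.bankofamerica.com.login.example.net/verify?id=1",
                "amazonsecure-shop.com", "walmart-outlet.ga", "yahooo.com"):
        print(url, "->", registrable_domain(host_of(url)), lookalike_reasons(url))
```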

New Email Scam Using Fake Netflix Website

Via: mailguard.com.au

A scam email has appeared today that is pretending to be from Netflix. MailGuard detected the new scam early this morning, and stopped the malicious emails from entering our clients’ inboxes.

This scam email is relatively well designed. The scammers are using a template system to generate individualised messages with specific recipient data.

This works like a mail-merge; the body of the email is generic, but the sender field is designed to show the name of the intended victim, which personalises the scam making it more convincing.

In this case the scammer’s system has not worked as well as they hoped and in the example below – screen-captured by our operations team – you can see that the ‘recipient’ field in the email has not been merged successfully. Instead of the victim’s name, it shows the placeholder instead:

 

[Screenshot of the scam email]

Aside from the error with the recipient name field, this email looks quite convincing. The message tells the intended victim that their Netflix billing information has been invalidated and urges them to update their details on the website. If the recipient clicks the link in the email they are taken to a fake Netflix page, that asks them to log in and then enter their personal information, including credit card details.

Of course, this website is completely bogus and is just a mechanism for the scammers to steal the victim’s identity and credit card information.

The fake Netflix site this scam is using is built on a compromised WordPress blog. Scammers can break into WordPress sites by making use of vulnerabilities in blog plugins and once in, they can make the website look enough like a real Netflix login page to trick their victims – as shown in the screenshot above.

[Screenshots of the fake website]

With the detailed data the fake website form asks for (address, credit card details, driver’s license, mother’s maiden name, etc.), the scammers could potentially commit identity theft and gain access to the victim’s bank accounts as well as their credit cards.

Once the fake website has collected all the sensitive data the scammers want, the victim is shown a reassuring ‘reactivation’ screen.

[Screenshot of the ‘reactivation’ screen]

If you receive an email from Netflix today, ‘Chill,’ but don’t click without thinking first. Scammers can make their fake emails and bogus websites look pretty convincing, so it’s always a good idea to check carefully that the email comes from the actual company domain and not a scammer.

Think Before You Click:

– Always hover your mouse over links within emails and check the domain they’re pointing to. If they look suspicious or unfamiliar don’t open them.

– Cybersecurity threats take many different forms from simple spyware downloads to sophisticated ransomware attacks. Your business can be exposed to a wide variety of different vectors: through peripherals; USB devices; networks; attachments; etc. Security best practice recommends a layered defence strategy to protect users against web threats and malware.

Steps you can take to keep your mobile device safe.


(Photo from – https://www.mywot.com/en/blog/6-safe-web-surfing-tips)

Taking precautions on a regular basis can reduce the risk that your home or mobile devices will be compromised. There are a few settings you can enable that will allow you to surf and shop online securely.

  • Did you know that, aside from locking your mobile device, you may also be able to lock individual applications?
    • Some applications have the option to be locked separately. Check within the application’s settings for options.
    • Android users can also download an app that will allow them to lock additional applications that may not have that option built in.
    • iOS doesn’t offer additional applications with this option; however, many apps offer the option to use fingerprint recognition.
  • If you’re done updating your status, tracking your shipping, and double tapping cat pictures, log out.
    • It may make things easy for you to stay logged into your accounts on your mobile device, but it also makes it easier to compromise your device.
    • If you employ a password manager, you don’t have to worry about saving your login credentials on each app; this way, if your device is compromised, your accounts won’t be.
  • Android users have the option of installing additional antivirus software on their mobile devices.
  • Don’t jailbreak your device.
    • The steps you have to take to jailbreak your device leave it vulnerable to attack by disabling built-in security.
  • Avoid public networks when you can.
    • While free Wi-Fi is very appealing, using public networks can make you vulnerable to attack.
  • Take advantage of device location offered through your cell or OS provider.

Detailed information regarding device security and other IT security topics is available on our IT Security website at www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com.

If you believe your device has been infected or compromised, please contact IT Customer Care at (718) 817-3999 or HelpIT@fordham.edu.

Encrypt your mobile devices.

(Photo from – http://www.androidauthority.com/how-to-encrypt-android-device-326700/)

Encrypting important files on your desktop, laptop, or mobile device will ensure that if the device is compromised, the hacker won’t be able to read these important files.

  • To encrypt your files on Mac visit: http://www.hongkiat.com/blog/encrypt-mac-folder/
    • This site will walk you through the process of encrypting your files.
  • An alternative to encrypting your mobile device would be to keep all personal information off of the device.
    • Limiting the amount of confidential information on your cellphone can greatly reduce the risk of being compromised if the device is lost or stolen.

Detailed information regarding device security and other IT security topics is available on our IT Security website at www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com.

If you believe your device has been infected or compromised, please contact IT Customer Care at (718) 817-3999 or HelpIT@fordham.edu.