
Staying Secure While Off Campus

Dan Taube, published on Apr 02, 2020


Information and Tips for Remote Users

One of the strongest protections the University relies upon is the campus network itself. When connected to the wired or wireless network, users benefit from systems that monitor and block a range of threats, from bad actors trying to get in to malicious software trying to get out. The protection these systems provide is naturally not available when users are off campus. With the recent shift to a remote lifestyle for most of the University community, I would like to share some ways to stay secure.

Stop. Think. Connect.™

STOP. THINK. CONNECT.™ is a global online safety awareness campaign to help all digital citizens stay safer and more secure online. It was developed by a coalition of private companies, nonprofits and government organizations. Below are some of the key tips they promote in this campaign.

  • When in doubt, throw it out: Links in emails, social media posts and online advertising are often how cybercriminals try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.
  • Get savvy about Wi-Fi hotspots: Limit the type of business you conduct and adjust the security settings on your device to limit who can access your machine.
  • Protect your data: Check to be sure the site is security enabled. Look for web addresses with “https://” or “shttp://,” which means the site takes extra measures to help secure your information. “Http://” is not secure.
  • Keep security software current: Having the latest security software, web browser and operating system is the best defense against viruses, malware and other online threats.
  • Automate software updates: Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option.
  • Protect all devices that connect to the Internet: Along with computers, smartphones, gaming systems and other web-enabled devices also need protection from viruses and malware.
  • Plug & scan: USBs and other external devices can be infected by viruses and malware. Use your security software to scan them.
  • Make your password a sentence: A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!
  • Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.
  • Think before you act: Be wary of communications that implore you to act immediately, offer something that sounds too good to be true or ask for personal information.
  • Back it up: Protect your valuable work, music, photos and other digital information by making an electronic copy and storing it safely.

Recognizing Social Engineering Attacks

The following comes from an edition of the security awareness newsletter, OUCH!, published by the SANS Institute called, "Social Engineering."

Social engineering is a psychological attack where an attacker tricks you into doing something you should not do. The concept of social engineering is not new; it has existed for thousands of years. Think of scammers or con artists; it is the very same idea. What makes today’s technology so much more effective for cyber attackers is you cannot physically see them; they can easily pretend to be anything or anyone they want and target millions of people around the world, including you. In addition, social engineering attacks can bypass many security technologies.

Tech Support Example

You receive a phone call from someone claiming to be from a computer support company, your ISP, or Microsoft Tech Support. The caller explains that your computer is actively scanning the Internet. They believe it is infected and have been tasked with helping you secure your computer. They then use a variety of technical terms and take you through confusing steps to convince you that your computer is infected.

For example, they may ask you to check if you have certain files on your computer and walk you through how to find them. When you locate these files, the caller assures you that these files prove that your computer is infected, when in reality they are common system files found on almost every computer in the world.  Once they have tricked you into believing your computer is infected, they pressure you into buying their security software or giving them remote access to your computer so they can fix it. However, the software they are selling is actually a malicious program. If you purchase and install it, not only have they fooled you into infecting your computer, but you just paid them to do it. If you give them remote access to your computer, they are going to take it over, steal your data, or use it for their bidding.

Executive Fraud Example

Another example is an email attack called CEO Fraud, which most often happens at work. This is when a cyber attacker researches your organization online and identifies the name of your boss or coworker. The attacker then crafts an email pretending to be from that person and sends the email to you. The email urgently asks you to take an action, such as conducting a wire transfer or emailing sensitive employee information. Quite often, these emails pretend there is an emergency that urgently requires you to bypass standard security procedures. For example, they may ask you to send the highly sensitive information to a personal @gmail.com account.

What makes targeted attacks like these so dangerous is the cyber attackers do their research beforehand. In addition, security technologies like anti-virus or firewalls cannot detect or stop these attacks because there is no malware or malicious links involved.

Fortunately, stopping such attacks is simpler than you may think—common sense is your best defense. If something seems suspicious or does not feel right, it may be an attack. The most common clues of a social engineering attack include:

  • Someone creating a tremendous sense of urgency. They are attempting to fool you into making a mistake.
  • Someone asking for information they should not have access to or should already know, such as your account numbers.
  • Someone asking for your password. No legitimate organization will ever ask you for that.
  • Someone pressuring you to bypass or ignore security processes or procedures you are expected to follow at work.
  • Something too good to be true. For example, you are notified you won the lottery or an iPad, even though you never even entered the lottery.
  • You receive an odd email from a friend or coworker containing wording that does not sound like it is really them. A cyber attacker may have hacked into their account and is attempting to trick you. To protect yourself, verify such requests by reaching out to your friend using a different communications method, such as in person or over the phone.

If you suspect someone is trying to trick or fool you, do not communicate with the person anymore. If the attack is work related, be sure to report it to your help desk or information security team right away.

You can forward suspicious emails to abuse@ilstu.edu and the Information Security Office will review them.
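The clues listed above can also be turned into a simple triage rule. The following is an added example, not code from the article or from the SANS newsletter: a small heuristic scorer that checks an e-mail for urgency wording, password requests, requests to bypass procedure, payment or sensitive-data requests, "too good to be true" offers, and replies routed to a personal mailbox (the @gmail.com pattern from the CEO Fraud example). The internal domain example.edu, the keyword lists and both sample messages are constructed for this illustration; a real mail gateway would use far richer signals, but the structure is the same.

```python
"""Added example: heuristic social-engineering triage for one e-mail.
All keyword lists, the internal domain and the sample messages below are
constructed for illustration and are not from the original article."""
import re
from email import message_from_string

INTERNAL_DOMAIN = "example.edu"  # assumed organisation domain
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Each clue from the newsletter's list becomes one pattern.
URGENCY = re.compile(r"\b(immediately|right away|urgent|within the hour|asap)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|passcode|login details)\b", re.I)
BYPASS = re.compile(
    r"\b(skip|bypass|ignore) (the )?(usual|normal|standard)? ?"
    r"(procedure|process|approval|verification)", re.I)
PAYMENT = re.compile(r"\b(wire transfer|gift cards?|W-2|employee (records|information))\b", re.I)
TOO_GOOD = re.compile(r"\b(you (have )?won|lottery|prize|free ipad)\b", re.I)
ADDRESS = re.compile(r"[\w.+-]+@([\w.-]+)")


def domain_of(addr):
    """Extract the domain part of an e-mail address (lower-cased)."""
    m = ADDRESS.search(addr or "")
    return m.group(1).lower() if m else ""


def score_message(raw, internal_domain=INTERNAL_DOMAIN):
    """Return the clues found in a raw RFC 822 message and a verdict.

    Two or more clues together are treated as suspicious; a single clue
    (e.g. a genuinely urgent outage notice) is not enough on its own."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    clues = []
    if URGENCY.search(text):
        clues.append("urgency")
    if CREDENTIALS.search(text):
        clues.append("asks for password")
    if BYPASS.search(text):
        clues.append("asks to bypass procedure")
    if PAYMENT.search(text):
        clues.append("payment or sensitive data request")
    if TOO_GOOD.search(text):
        clues.append("too good to be true")
    # The sender claims to be internal, but replies or data are steered to
    # a personal mailbox at a free webmail provider.
    reply_dom = domain_of(msg.get("Reply-To"))
    body_domains = {d.lower() for d in ADDRESS.findall(body)}
    if (reply_dom and reply_dom != internal_domain and reply_dom in FREEMAIL) \
            or body_domains & FREEMAIL:
        clues.append("personal mailbox involved")
    return {"clues": clues, "suspicious": len(clues) >= 2}


# Constructed sample messages (not real mail).
CEO_FRAUD = """\
From: "Pat Director" <pat.director@example.edu>
Reply-To: pat.director.office@gmail.com
Subject: Urgent - need this done right away
To: staff@example.edu

I am in meetings all day and cannot talk. Please skip the usual approval
process and send the W-2 forms for all employees to my personal address
pat.director.office@gmail.com within the hour. This is confidential.
"""

BENIGN = """\
From: "IT Service Desk" <servicedesk@example.edu>
Subject: Scheduled maintenance this weekend
To: staff@example.edu

The campus wireless network will be unavailable Saturday 02:00-04:00
for scheduled maintenance. No action is required on your part.
"""

if __name__ == "__main__":
    for name, sample in (("CEO fraud sample", CEO_FRAUD), ("benign sample", BENIGN)):
        print(name, score_message(sample))
```

The verdict is deliberately conservative: one clue alone only raises a flag for a human reviewer, which mirrors the newsletter's advice that the decisive check is to verify the request through a different channel.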

Keeping Personal Data Private

Many of us work with personal data at some point. In almost all scenarios where we work with this data, we are required to practice care and diligence in keeping it private and secure. The information below explains this type of data and our shared responsibility to protect it.

In general, personal data, also known as personal information or "personally identifiable information" (PII), is any information relating to an identifiable person. To determine whether the data you use meets this definition, ask yourself the following question:

Can an individual be identified from the data, or, from the data and other information currently in, or likely to come into, your possession?

If you are able to identify an individual person from the data, you have personal data.

Important

Data use and privacy regulation often provides its own definition of "personal" data. Be sure to understand any applicable regulation for your specific data use.

These are a few common examples of personal data used at the University:

  • Name
  • Social Security Number (SSN)
  • Home/personal address and phone

These are a few examples of data that is not inherently personal unless linked, or capable of being linked, to the above:

  • Date of birth
  • Race
  • Religion

With the variety of operations and activities at the University, there is a wide variety of applicable regulations and policy you should be aware of. The following provides direct links to external resources of information for review.

Family Educational Rights and Privacy Act (FERPA)

Health Insurance Portability and Accountability Act (HIPAA)

Gramm-Leach-Bliley Act (GLBA)

  • Federal regulation over student data
  • Applicable due to the University participating in federal assistance programs

Payment Card Industry Data Security Standards (PCI DSS)

Identity Protection Act (IPA)

General Data Protection Regulation (GDPR)

What about the University VPN?

In general, the use of a VPN will provide additional protection to your data as it goes across networks and the internet. However, the University-specific VPN service will only provide this protection for communications going to University resources. Its primary use is to enable external access to restricted resources such as servers, databases, or select pages within iPeople.

Below is an illustration of a standard VPN and how its traffic flows (full tunnel), compared with the University VPN and how its traffic flows (split tunnel).

Full vs Split Tunnel VPN
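To make the full-tunnel versus split-tunnel difference concrete, here is an added example that is not part of the original article or the University's VPN configuration. It models the routing table a VPN client installs in each mode and applies longest-prefix matching, which is how an operating system picks the outgoing interface for a packet. The campus prefixes 10.0.0.0/8 and 192.0.2.0/24, the VPN gateway address 198.51.100.1, and the interface names tun0 (tunnel) and wlan0 (home Wi-Fi) are all assumptions chosen for illustration.

```python
"""Added example: how a full-tunnel and a split-tunnel VPN client decide,
per destination, whether a packet goes through the encrypted tunnel or
straight out of the home network. All addresses and interface names are
constructed assumptions, not the University's real configuration."""
import ipaddress

# Assumed campus address space that a split-tunnel VPN pushes to clients.
CAMPUS_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]
VPN_GATEWAY = ipaddress.ip_network("198.51.100.1/32")  # assumed gateway
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def build_routes(mode):
    """Return (network, interface) routes as the VPN client would install them.

    "full":  everything goes through the tunnel, so Internet traffic is also
             carried to campus and passes through its monitoring systems.
    "split": only campus prefixes use the tunnel; other traffic leaves the
             home network directly and gets none of the campus protection.
    In both modes the VPN gateway itself must stay reachable outside the
    tunnel, otherwise the encrypted packets could never leave the machine.
    """
    routes = [(VPN_GATEWAY, "wlan0")]
    if mode == "full":
        routes.append((DEFAULT, "tun0"))
    elif mode == "split":
        routes += [(net, "tun0") for net in CAMPUS_PREFIXES]
        routes.append((DEFAULT, "wlan0"))
    else:
        raise ValueError(f"unknown VPN mode: {mode}")
    return routes


def select_interface(routes, destination):
    """Longest-prefix match: the most specific route that contains the
    destination wins, exactly as the OS routing table decides."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def compare_modes(destinations):
    """Map each destination to the interface each VPN mode would use."""
    return {
        dst: {mode: select_interface(build_routes(mode), dst)
              for mode in ("full", "split")}
        for dst in destinations
    }


if __name__ == "__main__":
    # Constructed sample destinations: a campus server and a public web site.
    for dst, choice in compare_modes(["10.20.30.40", "203.0.113.5"]).items():
        print(f"{dst}: full-tunnel -> {choice['full']}, "
              f"split-tunnel -> {choice['split']}")
```

Running it shows the practical consequence of the article's point: with the split-tunnel University VPN, a connection to a campus server is protected, while a connection to a public web site from the same laptop never touches the campus network, so the off-campus tips above still apply in full.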