Security and Education
Did you know?
We consider it our responsibility to keep you safe and well-informed. This education center is designed to provide helpful banking and safety information. If you have additional questions or concerns after watching these educational videos and reviewing this information, please contact us for more details.
Customer Education: How we keep you safe
First Federal Savings is invested in keeping your financial information secure. We have specific procedures in place for contacting customers to keep your information and identity safe. The document below outlines the ways we will contact you; it also warns against providing account or personal information to outside sources. Please review this material and trust your instincts. Whenever something seems suspicious, refuse to provide your information and contact us immediately at 800-589-8850.
Learn More: About Combating Fraud
Overview of Security
The Internet Banking login process includes several layers of security. This security is intended to prevent unauthorized access to your account, validate your identity, protect your account information from fraudulent use, and prevent the theft of your identity.
Learn More: Overview of Security
Security Updates:
Check here for the latest security alerts and notifications.
- Vishing: Phone Call Attacks and Scams
- Securing Wi-Fi at Home
What is Ransomware?
Ransomware is a type of malicious software, or malware, that blocks access to a system, device, or file until a ransom is paid. It is an illegal, moneymaking scheme that can be installed through deceptive links in an email message, instant message, or website. Ransomware works by encrypting files on the infected system (crypto ransomware), threatening to erase files (wiper ransomware), or blocking system access (locker ransomware) for the victim. The ransom amount and contact information for the cyber threat actor (CTA) are typically included in a ransom note that appears on the victim’s screen after their files are locked or encrypted. Sometimes the CTA only includes contact information in the note and will likely attempt to negotiate the ransom amount once they are contacted. The ransom demand is usually in the form of cryptocurrency, such as Bitcoin, and can range from as little as several hundred dollars up to and exceeding one million dollars. It is not uncharacteristic to see multi-million-dollar ransom demands in the current threat landscape. Ransomware is primarily delivered through the following means:
Why is Ransomware Awareness Important?
Ransomware is a growing and expensive problem. In 2019, the Multi-State Information Sharing and Analysis Center (MS-ISAC) observed a 153% increase in the number of reported state, local, tribal, and territorial (SLTT) government ransomware attacks from the previous year. Many of these incidents resulted in significant network downtime, delayed services to constituents, and costly remediation efforts. Victims of ransomware are not only at risk of losing access to their systems and files. In many cases, they may also experience financial loss due to legal costs, purchasing credit monitoring services for employees/customers, or ultimately deciding to pay the ransom. The effects of a ransomware attack are particularly harmful when it impacts emergency services and critical infrastructure, such as 911 call centers and hospitals. Additionally, CTAs target managed service providers (MSPs), companies that manage a customer's Information Technology (IT) infrastructure, to push out ransomware to multiple entities. This occurs when CTAs compromise an MSP and use its existing infrastructure to disseminate the ransomware to the MSP’s clientele. This exploits the trusted relationship between the customer and their MSP. Over the past few years, the MS-ISAC observed an increase in means that allow CTAs to evade detection and maximize the impact of their attacks. One such means is what is called “living off the land” (LOTL): deploying publicly available penetration testing suites or tools (e.g., Cobalt Strike, Metasploit, or Mimikatz) to specifically target domain controllers and Active Directory, gain network-wide access, and deploy fileless ransomware that evades signature-based antivirus.
What Can You Do About Ransomware?
Defending against ransomware requires a holistic, all-hands-on-deck approach that brings together your entire organization. While ransomware infections are not entirely preventable due to the effectiveness of well-crafted phishing emails and drive-by downloads from otherwise legitimate sites, organizations can significantly reduce the risk of ransomware by implementing cybersecurity policies and procedures and improving cybersecurity awareness and practices of all employees. It is up to all of us to help prevent ransomware from successfully infecting our systems. To increase the likelihood of preventing ransomware infections, organizations must implement a cybersecurity user awareness and training program that includes guidance on how to identify and report suspicious activity (e.g., phishing) or incidents. This program should include organization-wide phishing tests to gauge user awareness and reinforce the importance of identifying potentially malicious emails. When employees can spot and avoid malicious emails, everyone plays a part in protecting the organization. If your organization becomes infected with ransomware, there are some things you can do to respond. The most effective strategy to mitigate the risk of data loss resulting from a successful ransomware attack is having a comprehensive data backup process in place; however, backups must be stored off the network and tested regularly to ensure integrity.
Reporting Ransomware
If your organization is the victim of a ransomware infection, follow your organization’s incident response procedures to report it. Alternatively, the Cybersecurity and Infrastructure Security Agency (CISA) provides a secure means for constituents and partners to report incidents, phishing attempts, malware, and vulnerabilities. To submit a report, visit https://us-cert.cisa.gov/report.
The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.
Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.
First Federal Savings of Lorain in coordination with our service provider continually innovates cybersecurity and data protection solutions. As a forthcoming innovation, Mobile Banking iOS and Android mobile banking applications (apps) will be updated with security enhancements in the Mobiliti 20.1.100 release version.
All Mobiliti clients will be required to update to iOS and Android app versions 20.1.100 or higher. Clients with the Client Branded App who are blocked from receiving this important update may experience interruption of their mobile banking service until they successfully address any issues blocking the release of the 20.1.100 or higher apps.
By the end of 2020, all consumer devices will be required to upgrade to a 20.1.100 or higher app version. A small percentage of users may be prevented from upgrading to this version if their device can only support old operating system versions, i.e. Android 6 (2015) and below, iOS 10 (2016) and below. Rooted/jailbroken devices will also be blocked from using mobile banking.
Currently, version 20.2.300 is available in the Apple App Store for iPhones and on Google Play for Android devices.
If you receive unsolicited or unexpected calls where the callers claim they are from any national company and claim they need access to your computer, hang up. Scammers are calling potential victims and pretending to be from a number of companies, including Geek Squad, Microsoft, and McAfee. The scammers' aim is to gain access to their potential victims' computers and steal their account credentials, financial and personal information by installing spyware and other malware.
If you have already been tricked, please change your passwords, scan your computer for malware, and check for and report any fraudulent activity to the bank and the local authorities.
Remember, companies will not contact you first. The Geek Squad, for example, will never reach out to you in a phone call; you must contact them first. And Geek Squad will always ask you for your membership number before proceeding. If you are still unsure whether the call is legitimate, hang up and call the company back at a legitimate phone number. The Geek Squad can be contacted directly at 1-800-433-5778.
Remember never to give out or "verify" personal information to anyone who calls you over the phone. This goes for Social Security numbers, banking numbers, credit card numbers, online banking credentials, and anything personal.
Resources:
- Best Buy Geek Squad Support
- PSA: Beware of Windows 10 Activation Tech Support Scams: http://www.groovypost.com/news/beware-of-window...
- Protect yourself from tech support scams (Microsoft Support): https://support.microsoft.com/en-us/help/401340...
Beware of scams and criminals using fear/intimidation, trickery, urgency or disinformation related to the coronavirus (COVID-19) to attempt to steal your sensitive, personal or account information. Watch out for strange calls, emails, texts or websites that look like they are coming from legitimate businesses or government agencies asking for information like Social Security Number, usernames/passwords (login info), account numbers, credit or debit card numbers, PINs, etc. The Bank will not request such information through email/text/outbound calls.
10 Tips to Securely Configure Your New Devices
The holiday season is upon us, which means shopping for the latest gadget is in full swing. With the massive number of discounts that are available this year, it makes sense for you to buy that latest smart device, right? However, as impressive as the latest iPhone or gaming computer might be, ensuring you’re able to properly secure these devices is more important than ever! Any device that connects to the internet is potentially vulnerable and could become compromised.
Here are several tips to keep in mind that can help you securely configure your new devices:
Secure Configuration Tips
1. Adjust Factory-Default Configurations on Hardware and Change Default Passwords
Passwords are a common form of authentication and are often the only barrier between cybercriminals and your personal information. Some internet-enabled devices are configured with default passwords to simplify setup. But did you know those passwords can easily be found online? To better secure your digital devices, it’s important to change the factory-set default password. Be sure to replace it with a strong and unique password or passphrase for each account.
2. Secure your Wi-Fi Network with Encryption
Your home’s wireless router is the primary entrance for cybercriminals to access your connected devices. To enhance your defenses, use Wi-Fi Protected Access 3 (WPA3). WPA3 is currently the strongest form of encryption for Wi-Fi. Other methods are outdated and more vulnerable to exploitation.
3. Double Your Login Protection
Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you. If MFA is an option, enable it by using a trusted mobile device such as your smartphone, an authenticator app, or a secure token. For instance, with an iPhone you can use the screen lock feature with a PIN or password.
4. Disable Location Services and Remote Connectivity
Location services might allow anyone to see where you are at any given time. Consider disabling this feature when you are not using your device to further secure your private information. Additionally, most mobile devices are equipped with wireless technologies such as Bluetooth that can be used to connect to other devices or computers. Consider disabling these features when not in use as well!
5. Safeguard Against Eavesdropping
Disconnect digital assistants, such as your Amazon Alexa, when not in use. Limit conversation near baby monitors, audio-recording toys, and digital assistants. Be sure to cover cameras on toys, laptops, and monitoring devices when they are not in use.
6. Don’t Broadcast Your Wi-Fi Network Name
To prevent outsiders from easily accessing your network, avoid publicizing your Wi-Fi network name, or service set identifier (SSID). All Wi-Fi routers allow users to disable broadcasting their device’s SSID. Doing so will make it more difficult for attackers to find a network. At the very least, change your SSID to something unique. Leaving it as the manufacturer’s default could allow a potential attacker to identify the type of router and possibly exploit any known vulnerabilities.
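Tips 2 and 6 above both come down to a few lines of router configuration. The two fragments below are an added illustration, not part of the newsletter, written for hostapd (the open-source access point daemon found on many Linux-based home routers); the SSIDs and passphrases are constructed placeholders, and each fragment is meant as a separate file, not one combined config.

```ini
# Fragment 1: outdated settings (what to move away from)
interface=wlan0
# Manufacturer-style default name tells an outsider which router model this is
ssid=NETGEAR47
# wpa=1 selects the original WPA with the deprecated TKIP cipher
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
# Factory-style default passphrase, the kind that can be looked up online
wpa_passphrase=password

# Fragment 2: hardened settings (tips 2 and 6)
interface=wlan0
# Unique name that says nothing about the hardware
ssid=BlueHeronLoft
# Stop announcing the network name in beacon frames (tip 6)
ignore_broadcast_ssid=1
# wpa=2 selects the RSN framework used by WPA2 and WPA3
wpa=2
# SAE is WPA3-Personal (Simultaneous Authentication of Equals) (tip 2)
wpa_key_mgmt=SAE
# AES-CCMP instead of TKIP
rsn_pairwise=CCMP
# ieee80211w=2 requires Protected Management Frames, mandatory for WPA3
ieee80211w=2
# Long, unique passphrase; placeholder value
sae_password=BlueHeron-Loft-Kettle-Orbit-2024
```

If some of your devices cannot speak WPA3 yet, hostapd also accepts `wpa_key_mgmt=WPA-PSK SAE` together with `ieee80211w=1` for a WPA2/WPA3 transition mode, at the cost of still allowing WPA2 clients.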
7. Install a Network Firewall
Install a firewall at the boundary of your home network to defend against external threats. A firewall can block malicious traffic from entering your home network and alert you to potentially dangerous activity. Most wireless routers come with a configurable, built-in network firewall that includes features such as access controls, web filtering, and denial-of-service (DoS) defense, which you can tailor to fit your networking environment. Keep in mind that some firewall features, including the firewall itself, may be turned off by default. Ensuring that your firewall is on and all the settings are properly configured will strengthen the security of your network.
Please Note: Your internet service provider (ISP) may be able to help you determine whether your firewall has the most appropriate settings for your particular equipment and environment.
8. Install Firewalls on Network Devices
In addition to a network firewall, consider installing a firewall on all computers connected to your network. Often referred to as host or software-based, these firewalls inspect and filter a computer’s inbound and outbound network traffic based on a predetermined policy or set of rules. Most modern Windows and Linux operating systems come with a built-in, customizable, and feature-rich firewall. Additionally, most vendors bundle their antivirus software with additional security features such as parental controls, email protection, and malicious website blocking.
9. Remove Unnecessary Services and Software & Install Antivirus Software
Disable all unnecessary services to reduce the attack surface of your network and devices, including your router. Unused or unwanted services and software can create security holes on a device’s system, which could lead to an increased attack surface of your network environment. Additionally, a reputable antivirus software application is an important protective measure against known malicious threats. It can automatically detect, quarantine, and remove various types of malware, such as viruses, worms, and ransomware. Many antivirus solutions are extremely easy to install and intuitive to use, allowing for automatic virus definition updates to ensure maximum protection against the latest threats.
10. Update and Patch Regularly
Manufacturers will issue updates as they discover vulnerabilities in their products. A perfect example is all of the update notifications you receive on your iPhone! Configuring your device to receive automatic updates makes this easier for many devices, such as computers, phones, tablets, and other smart devices. However, if you need to manually update your device, make sure you are only applying updates directly from the manufacturer (e.g., Apple), as third-party sites and applications are unreliable and can result in an infected device.
8 Shopping Tips for the Holiday Season
It’s that time of year again: holiday shopping has begun! Everyone is looking for those unique gifts, hot toys, and cool electronics. Whether it is a hard-to-find toy for kids or the latest 4K smart TV, Black Friday sales seldom fail to pique the interest of even the most casual shoppers. Yet even after the chaos of Black Friday lie both Small Business Saturday and Cyber Monday. While it’s clear that businesses are after your dollars during the holidays, you should be aware that cybercriminals are on the lookout, too.
When it comes to holiday shopping, you need to be careful that you don’t fall prey to these criminals. Here are some tips to follow for your holiday shopping:
Online Shopping Tips
1. Do not use public Wi-Fi for any shopping activity.
Public Wi-Fi networks can be very dangerous, especially during the holiday season. Public Wi-Fi can potentially grant hackers access to your usernames, passwords, texts, and emails. For instance, before you join a public Wi-Fi network titled "Apple__Store," make sure you first look around to see if there's actually an Apple Store in your vicinity, and thus confirm that it is a legitimate network. To help stay secure, you should always be on the lookout for the lock symbol on your webpage.
2. Look for the lock symbol on websites.
When visiting a website look for the “lock” symbol before entering any personal and/or credit card information. The lock may appear in the URL bar, or elsewhere in your browser. Additionally, check that the URL for the website has “https” in the beginning. These both indicate that the site uses encryption to protect your data.
3. Know what the product should cost.
If the deal is too good to be true, then it may be a scam. Check out the company on “ResellerRatings.com”. This site allows users to review online companies to share their experiences purchasing from those companies. This will give you an indication of what to expect when purchasing from them.
4. One-time use credit card numbers.
Many banks are now offering a single use credit card number for online shopping. This one-time number is associated with your account and can be used in place of your credit card number. This way, if the credit card number becomes exposed, it cannot be used again. Check with your credit card company to see if they have this option available.
5. Keep your computer secure.
When using your computer to do your holiday shopping, remember to keep your antivirus software up to date and apply all software patches. Never save usernames, passwords, or credit card information in your browser, and periodically clear your offline content, cookies, and history. You will want to keep your computer as clean as possible for online shopping. The world of online shopping can bring lots of new products to your doorstep and can prove to be a lot of fun finding that special gift. Just remember to be careful so that you don’t make your data a special gift to cybercriminals.
In-Store Shopping Tips
6. Always use credit cards for purchases.
Avoid using your ATM or debit card while shopping. In the event that your debit card is compromised, criminals can have direct access to the funds from your bank account. This could cause you to miss bill payments and overdraw your account. When using a credit card, you are not using funds associated with your bank account. This means you are better protected by your credit card company’s fraud protection program. If you pay off the credit card balance each month, you won’t pay interest and your banking information will be protected.
7. Don’t leave purchases in the car unattended.
Criminals can be watching and will consider breaking into your car to get the merchandise you just purchased. If you must leave some items in your car, consider leaving them in the trunk or glove compartment rather than in a visible location.
8. Beware of “porch pirates.”
When shopping online and receiving purchases by mail, make sure you are always tracking your packages. The US Postal Service, FedEx, and UPS all have systems to track your packages, and all three use tracking numbers that can be used to figure out where your item is and when it should be delivered to your home. However, the only surefire way to thwart porch pirates is to not have packages delivered to your home at all. Consider having your holiday packages delivered to a family member, your workplace, or a trusted neighbor!
Remember, always trust your instincts. If an email or an attachment seems suspicious, don't let your curiosity put your computer at risk! ~ Happy Holidays and safe shopping!
Own IT. – Secure IT. – Protect IT.
The 16th annual National Cybersecurity Awareness Month (NCSAM) is in full swing! Held every October, NCSAM has been a collaborative effort between government and industry not only to raise awareness about the importance of cybersecurity, but also to ensure that everyone has access to the resources they need to be safer and more secure online.
Since NCSAM’s inception (under the leadership of the U.S. Department of Homeland Security and the National Cyber Security Alliance, or NCSA), it has vastly accelerated, reaching a multitude of consumers, both small and medium-sized businesses, corporations, educational institutions and an exponential amount of young people across the country.
Following the success of the ‘Our Shared Responsibility’ theme last year, CISA and NCSA have now shifted towards a more personalized approach, gearing their message towards individual accountability. This year’s overarching message – Own IT. Secure IT. Protect IT. – has been designed to not only encourage personal accountability and proactive behavior in digital privacy, but also promote security best practices, consumer device privacy, e-commerce security, as well as various cybersecurity focused careers. Below are some of the highlighted calls to action and their key messages:
Own IT.
We live in a world in which we are constantly connected, so cybersecurity cannot be limited to the home or office. When you’re traveling, it is always important to practice safe online behavior and take proactive steps to secure your smart devices. With every social media account you sign up for, every picture you post, and status you update, you are sharing information about yourself with the world.
- Double your login protection. Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you.
- Update your privacy settings: Set the privacy and security settings to your comfort level for information sharing. Keep tabs on your apps and disable geotagging (which allows anyone to see where you are).
- Connect only with people you trust: While some social networks might seem safer, always keep your connections to people you know and trust.
Secure IT.
Have you noticed how often security breaches, stolen data, and even identity theft, are front-page headlines nowadays? Cybercriminals attempt to lure users to click on a link or open an attachment that may infect their computers. These emails might also request personal information such as bank account numbers, passwords, or Social Security numbers. When users respond with the information or click on a link, these attackers now possess access to their personal accounts.
- Avoid using common words in your password: Substitute letters with numbers and punctuation marks or symbols. For example, @ can replace the letter “A”.
- Be up to date: Keep your software updated to the latest version available. Turn on automatic updates so you don’t have to think about it!
- Think before you act: Be wary of communications which implore you to act fast. Many phishing emails create urgency, instilling fear that your account or information is in jeopardy.
Protect IT.
Today’s technology allows us to connect around the world through banking, shopping, streaming, and more. This added convenience undoubtedly comes with an increased risk of identity theft and scams. More and more home devices (such as thermostats, door locks, etc.) are now connected. While this may save us time and money, it poses new security risks.
- Secure your Wi-Fi network: Your home’s wireless router is the primary entrance for cybercriminals to access all of your connected devices, and you can better secure your Wi-Fi network and devices by changing the factory-set default password and username for each one.
- Know what to look for:
  - Identity Theft: bills for products or services you did not purchase, suspicious charges on your credit cards, or any changes to your accounts that you did not authorize.
  - Imposter Scams: an imposter may contact you saying they are from a trusted organization, informing you that your SSN has been suspended or your account has been locked, while asking for your sensitive information or payment to fix the issue.
  - Debt Collection Scams: scammers may attempt to collect on a fraudulent debt. Debt collector scammers typically request payment by wire transfer, credit card, or gift card.
Cybersecurity Tips for K-12 Kids, Family, and Friends
Every child should be taught how to be safe online. In the new digital world, there are technological wonders, which often introduce cyber threats of many kinds. The online world can be a place of inappropriate conduct and content, where kids may feel anonymous. There are bullies, predators, hackers, and scammers that may pose a threat to your children. These factors can make it challenging for parents to guide their children today on interacting with others through technology. Providing this important guidance on online safety and privacy begins with talking about it and encouraging safe and smart decisions about online activity. Let’s explore some concepts and tips that apply to keeping everyone safe online, regardless of age!
What are the risks?
The online world has many cyber risks and concerning activities for kids and parents to recognize. The following are some of the cyber risks:
- Cyberbullying is bullying that happens online. It can happen in an email, a text message, an app, an online game, or on a social networking site.
- Phishing/Identity Theft is when a scam artist sends text, email, or pop-up messages in a browser to get people to share their personal information. They can then use that information to commit identity theft.
- Sexting is the sending or forwarding of sexually explicit photos, videos, or messages from a mobile phone. In addition to risking their reputations, friendships, and safety, this could be illegal activity.
- Social Networking can help kids connect with family and friends, but it can invite danger if not used appropriately. Sharing too much information, posting pictures, videos, or words can damage reputation, hurt someone else, or invite a predator to contact the user. Once something is online, it may not easily be removed. Oversharing may be leveraged by online criminals to facilitate identity theft.
What can you do?
- Start at an early age! As soon as children can use a computing device, it is time to talk to them about using it safely. Parents and family have the best opportunity to teach children!
- Know what your kids are doing. Consider having a common area in the house for the family to do online activity, where children can feel independent, but not alone.
- Keep an open and honest environment. Let your children know they can come to you with any concerns or questions about their online experience.
- Protect your children’s information. Don’t over-share information about your children, and teach them this principle. Set social media accounts so only approved friends can see their content.
- Respond appropriately to cyberbullying. Tell children to ignore or block bullies, unless it becomes threatening. Report abuse to the website where it is taking place, or if you fear for your child’s safety, report it to the authorities.
- Configure the security and privacy features on devices. Change default settings on your devices and enable security features like strong passwords, auto-updates, etc.
- Keep all your computers and mobile computing devices up to date with the latest security patches and anti-malware software.
- Consider installing or enabling parental controls on devices.
- Teach kids to be cautious of suspicious messages. Forward phishing emails to spam@uce.gov and reportphishing@antiphishing.org.
Additional Resources:
https://www.consumer.ftc.gov/features/feature-0038-onguardonline
The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.
Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.
Careers in Cybersecurity: Learn More or Get Involved!
Technology is expanding its reach over our daily lives and is becoming increasingly necessary in modern society. While change can be daunting, it brings new opportunities that did not exist when we were much younger, or even just a few years ago. This opens the door for new and exciting (not to mention realistic) careers we can chase, like cybersecurity.
Twenty years ago, society and the media focused on the Y2K bug and ensuring computers would survive the transition from 12/31/1999 to 1/1/2000. Currently, technology headlines are dominated by breaches and ransomware attacks, directly impacting people everywhere. It is evident that the cybersecurity field needs capable professionals now more than ever.
You may be interested in becoming one of those people, or know a student or colleague that may have interest in this discipline. Let’s explore transitioning into the cybersecurity field, what skills are needed, and what career pathways are available.
Consider the skills and talents you use every day. Aside from technical abilities, many skills that transfer into the field of cybersecurity may surprise you. Communication and writing skills lend themselves to effectively conveying risk to all levels of an organization. The ability to analyze data gives an advantage when defining metrics. Attention to detail helps when analyzing legislation or conducting digital forensics. See below for more examples of skills:
Soft Skills
As the field of cybersecurity continues to explode, more and more positions and pathways are created. It is important to note that cybersecurity can be broken into two distinct focus areas: security management and security operations. Management focuses on policies, procedures, education initiatives, and the governance around all elements of a security program. Operations, on the other hand, focuses more on the technical side of security, such as device management, penetration testing, event monitoring, etc. While considering your path, think about which option appeals to you more. The NICE framework is a great career pathing guide, as it standardizes career paths and job titles and provides lists of core competencies and skills.
The Cyber Seek careers site provides a place to consider job paths, while also looking at current openings around the United States.
As you explore the above resources and career paths, take a look into the resources below on professional development and training as well:
Federal Virtual Training Environment (FedVTE) – 800+ hours of no-cost cyber training for employees of State, Local, Tribal, and Territorial governments and US veterans.
SANS Institute – Offers paid professional development and certification courses and more
NSA Centers of Academic Excellence – Identified and certified institutions of education recommended for study in cybersecurity
Although cybersecurity was not as common or distinct a career path in the past, we are seeing it more prominently represented as an option in education. Introducing children to cybersecurity at a young age is critical to help fill the skills gap in the field. See the examples below, which can be shared with any young future cyber professionals you may know!
CyberPatriot – For middle school students to learn cybersecurity in team events
Girl Scouts and HPE Cybersecurity Game – For Girl Scouts aged 9-11 to learn cybersecurity
SANS CyberStart – For High School students to learn cybersecurity through challenges/games
These initiatives are gaining interest and are ensuring that kids can envision becoming a cybersecurity forensic investigator, a white hat hacker, or one of the most in-demand security consultants in the country.
Security Summit warns of new IRS impersonation email scam; reminds taxpayers the IRS does not send unsolicited emails
IR-2019-145, August 22, 2019
WASHINGTON — The Internal Revenue Service and its Security Summit partners today warned taxpayers and tax professionals about a new IRS impersonation scam campaign spreading nationally on email. Remember: the IRS does not send unsolicited emails and never emails taxpayers about the status of refunds.
The IRS this week detected this new scam as taxpayers began notifying phishing@irs.gov about unsolicited emails from IRS imposters. The email subject line may vary, but recent examples use the phrase "Automatic Income Tax Reminder" or "Electronic Tax Return Reminder."
The emails have links that show an IRS.gov-like website with details pretending to be about the taxpayer's refund, electronic return or tax account. The emails contain a "temporary password" or "one-time password" to "access" the files to submit the refund. But when taxpayers try to access these, it turns out to be a malicious file.
"The IRS does not send emails about your tax refund or sensitive financial information," said IRS Commissioner Chuck Rettig. "This latest scheme is yet another reminder that tax scams are a year-round business for thieves. We urge you to be on-guard at all times."
This new scam uses dozens of compromised websites and web addresses that pose as IRS.gov, making it a challenge to shut down. By infecting computers with malware, these imposters may gain control of the taxpayer's computer or secretly download software that tracks every keystroke, eventually giving them passwords to sensitive accounts, such as financial accounts.
The IRS, state tax agencies and the tax industry, which work together in the Security Summit effort, have made progress in their efforts to fight stolen identity refund fraud. But people remain vulnerable to scams by IRS imposters sending fake emails or harassing phone calls.
The IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.
The IRS also doesn't call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Generally, the IRS will first mail a bill to any taxpayer who owes taxes. See Report Phishing and Online Scams for more details.
Typical travelers heading out on their summer vacation check that they have the right supplies and clothes for their trip before they hit the road. Expert travelers will be also checking to ensure they are educated and prepared to be cyber-safe with their devices and data while on the road. Thinking of your smartphones and devices as being just as important as your wallet is a proper step in the right direction. These devices contain everything from your banking and payment information to your treasured family photos, and ensuring they are secure and protected when away from home is paramount. In partnership with the National Cybersecurity Alliance (NCSA), we have put together some key tips, strategies, and resources to aid you in being secure during your travels.
To do before your trip:
Update your devices: One of the simplest and most effective ways to stay cyber-secure is to continuously update your devices. Those updates don’t just contain new features; they fix security flaws and keep you protected!
Password/Passcode protect your devices: Always establish a strong passcode with at least 6 numbers, or a swipe pattern with at least 1 change of direction, when protecting the lock screen of your smartphone. On laptops, a password or passphrase of at least 10 characters is recommended, including uppercase and lowercase letters, special characters, and numbers.
Set your device to lock after an amount of time: Once you have the passcode, password, or swipe pattern established, you should set an automatic device lock prompting for the access code after a specified time of inactivity. This will prevent a criminal from getting onto your device if you accidentally leave it unlocked.
Book your trip with trusted sites: When planning your trip and booking transportation, lodging, and experiences, it is important to complete those transactions with trusted, known businesses. If possible, double check the reviews and reputation of any unfamiliar site you are considering using for your booking. By sticking to reputable sites, you get a higher standard of security for your data and transaction.
Staying secure and connected during your trip:
Keep track of your devices: Not only are your devices themselves worth a great deal of money, but your sensitive information that is accessible by that device is also valuable. Ensure that you keep your devices close at hand or secured away safely when not in use. Theft of mobile devices, from smartphones to tablets and laptops, is all too common and can spoil a fun trip to a great extent.
Limit your activity on public Wi-Fi networks: Public Wi-Fi that does not require credentials or logging in is not protected by encryption, so browsing and activity is not secure from prying eyes. To ensure your information is not put at risk, avoid logging into your personal accounts or making transactions while on public or hotel networks.
- Use your phone carrier’s internet connection, or use your phone as a personal hotspot (if your cell carrier’s plan allows) when logging into personal accounts or conducting transactions.
- Ensure your device is set to ask your permission before connecting to a wireless network while on your trip.
- If you intend to use a hotel or establishment’s customer wireless network, verify what network is the correct one to use with a member of the staff.
Don’t overshare on social media: Consider posting updates about your trip after you return. Criminals may see that you are away from home based on social media content and attempt to steal from your home! If you also share too many details about where you are on your trip, some scammers may attempt to contact your family and friends with a variety of scam tactics. Additionally, consider setting your social media accounts to only allow friends to view your posts and content. Tips on privacy for safe social media use can be found with more detail in our prior newsletter.
By following these tips and being a cyber-safe traveler, you will have a smooth and enjoyable vacation! There are more resources available from NCSA and our partners on staying secure on trips and at home, check them out below to learn more:
https://ontech.com/cyber-security-summer-travel/
https://www.cisecurity.org/newsletter/securing-devices-by-making-simple-changes/
Have you noticed how often security breaches, stolen data, and identity theft are consistently front-page news these days? Perhaps you, or someone you know, are victims of cyber criminals who stole personal information, banking credentials, or more. As these incidents become more prevalent, you should consider using multi-factor authentication, often also called strong authentication, or two-factor authentication. This technology may already be familiar to you, as many banking and financial institutions require both a password and one of the following to log in: a call, email, or text containing a code. By applying these principles of verification to more of your personal accounts, such as email, social media, and more, you can better secure your information and identity online.
What it is
Multifactor authentication (MFA) is defined as a security process that requires more than one method of authentication from independent sources to verify the user’s identity. In other words, a person wishing to use the system is given access only after providing two or more pieces of information which, together, uniquely identify them.
How it works
There are three categories of credentials: something you either know, have, or are. Here are some examples in each category.
- Something you know
- Something you have
- Something you are
In order to gain access, your credentials must come from at least two different categories. One of the most common methods is to log in using your user name and password. Then a unique one-time code is generated and sent to your phone or email, which you subsequently enter within the allotted amount of time. This unique code is the second factor.
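The two-step flow just described, as an added example written for this page (not code from the newsletter or from any MFA vendor): a password check as the first factor, then a server-issued one-time code that is kept only as a hash, expires after an allotted time, can be used once, and locks after too many wrong guesses. The user names, passwords, salt and time limits are constructed for the demonstration.

```python
"""Added example: minimal server-side second factor of the kind the text
describes (one-time code sent out of band, valid only for an allotted time).
Illustrative code written for this page, not any vendor's implementation.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300      # the "allotted amount of time" from the text
MAX_ATTEMPTS = 5            # discard the code after repeated wrong guesses


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen user table does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed sample user store: username -> salted password hash (factor 1)
_SALT = b"constructed-demo-salt"
USERS = {"alice": _hash_password("correct horse battery staple", _SALT)}

# Pending second-factor challenges: username -> {code_hash, expires, attempts}
PENDING = {}


def check_password(username, password):
    """Factor 1: something you know."""
    stored = USERS.get(username)
    if stored is None:
        _hash_password(password, _SALT)   # same work for unknown users (timing)
        return False
    return hmac.compare_digest(stored, _hash_password(password, _SALT))


def issue_code(username, now=None):
    """Factor 2 setup: generate the one-time code to send to the user's phone
    or email. Only a hash of it is stored; the plaintext is returned so the
    caller can deliver it out of band."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    PENDING[username] = {
        "code_hash": hashlib.sha256(code.encode()).digest(),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(username, submitted, now=None):
    """Factor 2 check: accept only an unexpired, unused, non-brute-forced code."""
    now = time.time() if now is None else now
    challenge = PENDING.get(username)
    if challenge is None:
        return False
    if now > challenge["expires"]:
        del PENDING[username]          # expired codes are discarded, not retried
        return False
    challenge["attempts"] += 1
    if challenge["attempts"] > MAX_ATTEMPTS:
        del PENDING[username]          # too many guesses: force a fresh code
        return False
    ok = hmac.compare_digest(challenge["code_hash"],
                             hashlib.sha256(submitted.encode()).digest())
    if ok:
        del PENDING[username]          # single use: a replayed code fails
    return ok


def login(username, password, code_getter, now=None):
    """Full flow: password first, then the out-of-band code. code_getter
    stands in for the user reading the code off their phone or email."""
    if not check_password(username, password):
        return False
    code = issue_code(username, now)
    return verify_code(username, code_getter(code), now)
```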
When should it be used?
MFA should be used to add an additional layer of security around sites containing sensitive information, or whenever enhanced security is desirable. MFA makes it more difficult for unauthorized people to log in as the account holder. According to the National Institute of Standards and Technology (NIST), MFA should be used whenever possible, especially when it comes to your most sensitive data – like your primary email, financial accounts, and health records. Some organizations will require you to use MFA; with others, it is optional. If you have the option to enable it, you should take the initiative to do so to protect your data and your identity.
Activate MFA on your accounts right away!
To learn how to activate MFA on your social media accounts, head to the Lock Down Your Login site, which provides instructions on how to apply this fantastic form of security to many common websites and software products you may use. Lock Down Your Login is a resource created by the National Cyber Security Alliance and the U.S. Department of Homeland Security through their Stop Think Connect campaign to empower citizens with cybersecurity knowledge and practices.
If any of your accounts are not listed on that resource site, look at your account privacy settings or user profile and check whether MFA is an available option. If you see it there, consider implementing it right away.
Conclusion
User name and password are no longer sufficient to protect accounts with sensitive information. By using multifactor authentication you can protect these accounts and reduce the risk of online fraud and identity theft. Consider activating this feature on all your social media accounts.
Resources:
https://www.us-cert.gov/ncas/tips/ST05-012
Share Your Information With Care
It is very easy to find any information you need in today’s connected world. Have you ever Googled yourself to see what information about you is online? A search can often provide your address history, phone number, age, birthdate, employment information, public records, and social media accounts. Consider what can be done with Personally Identifiable Information (PII) from the perspective of a cyber-criminal looking to commit identity theft or other crimes.
Children, teens, and senior citizens are groups that may not realize how especially vulnerable they are to becoming victims of cyber-crime. Senior citizens may be more trusting of the material that is presented to them online. Children and teens are growing up with technology, and may be using it to communicate with each other with only a recreational level of understanding. They may not realize that once you post online, it rarely goes away.
In order to keep information safe or private, we need to take care in sharing it, and teach cyber privacy to those who may not understand its importance. Here are examples of how we are asked to provide information, or how people share information that should be kept private:
Store loyalty and other accounts online – When you sign up for a store loyalty program or other online accounts, you are asked to provide information such as name, address, phone number, birthdate, email address, etc. By providing this, you can get discounts on the merchandise they are selling, or can receive promotions by email. However, is that information you provide kept private, or is it sold to other companies so they can market to you? Read the terms of use and privacy policy before signing up for such a program.
Phishing Emails – Cyber criminals will offer false and unbelievable deals to get you to click on a link and provide them with your information. You may hear about a loan offer, or a notification that your order shipped and that you need to log in by clicking their link to track it. Criminals seek your information in an effort to steal your identity and use it to open up fraudulent accounts in your name. Always shop with trusted vendors, and never follow an unsolicited link in an email asking you to log in to an account. Instead head to the website you normally use by typing it into your browser to check on your account.
Fraudulent phone calls (Vishing) – Criminals may call saying they are from Microsoft or another device/software company, telling you that your software has expired or your device is infected with malware. They may ask for money to renew a license, as a method to complete the fraudulent activity. Other criminals may pose as the IRS, pressuring you into paying taxes. Never offer payment information or personal information to someone calling you unsolicited. Always end the call and attempt to contact the organization through a publicly listed phone number that is legitimate, then see if you need to work with them on a problem.
Social Media Sites – These sites provide a relaxed atmosphere where you can chat with friends and family. The issue is that anything you post or share is likely a permanent submission that many others can access online. Oversharing on social media may lead to you voluntarily giving up answers to account security questions, like the color of your car or the town where you were born. Also, posting about being on vacation sends a signal to criminals that your home may be unoccupied and a great target for a robbery! With all this information about you on social media, be sure to set your account privacy settings so only friends can view your content. Lastly, consider deleting old, unused social media accounts to cut down on your digital footprint.
Whenever communicating with people or posting online, avoid sharing too much. When receiving emails, mail or calls asking for sensitive information (birthdate, social security number, credit card, etc.), always contact them at the legitimate address or phone number you normally use for that organization. Do not share information if you do not initiate the communication!
Below are resources on protecting privacy and identity along with practices for online security. These help you to protect yourself, your children, and your elders from being victims of a crime.
Resources:
Federal Trade Commission:
https://consumer.ftc.gov/identity-theft-and-online-security/online-privacy-and-security
https://www.consumer.ftc.gov/articles/0033a-share-care
https://consumer.ftc.gov/identity-theft-and-online-security/protecting-kids-online
Stay Safe Online:
Family Online Safety Institute:
https://www.fosi.org/good-digital-parenting/
Protect Seniors Online:
https://www.protectseniorsonline.com/
How to Spot and Avoid Common Scams
Have you ever gotten an email from someone claiming to be royalty? In their email they tell you that they will inherit millions of dollars, but need your money and bank details to get access to that inheritance. You know this email isn’t legitimate, so you delete it, yet there are many more scams being perpetrated by criminals that sound more believable and aren’t as easy to spot. Learning to identify and avoid these scams is the first step in protecting yourself from these schemes. Senior citizens are often particularly vulnerable to some of these fraud campaigns. The world today is full of cybercriminals launching both phishing emails and the tried and true phone scams that never fell out of fashion. Protecting not only your finances but also your data from these scams is more important now than ever.
Phone Scams
Scammers who operate by phone can seem legitimate and are typically very persuasive! To draw you in to their scam, they might:
- Sound friendly, call you by your first name, and make small talk to get to know you
- Claim to work for a company or organization you trust such as: a bank, a software or other vendor you use, the police department, or a government agency
- Threaten you with fines or charges that must be paid immediately (for example, claiming to be the IRS)
- Mention exaggerated or fake prizes, products, or services such as credit and loans, extended car warranties, charitable causes, or computer support
- Ask for login credentials or personal sensitive information
- Request payments to be made using odd methods, like gift cards
- Use prerecorded messages, or robocalls
If you receive a suspicious phone call or robocall, the easiest solution is to hang up. You can then block the caller’s phone number and register your phone number on the Federal Trade Commission’s National Do Not Call Registry (https://www.ftc.gov/donotcall).
Email Scams
Phishing emails are convincing and trick many people into providing personal data. These emails tend to be written versions of the scam phone calls described above. Some signs of phishing emails are:
- Imploring you to act immediately, offering something that sounds too good to be true, or asking for personal or financial information
- Emails appearing to be from executive leadership you work with requesting information about you or colleagues that they usually do not request (for example, W2s)
- Unexpected emails appearing to be from people, organizations, or companies you trust that ask you to click on a link and then disclose personal information. Always hover your mouse over the link to see if it will direct you to a legitimate website
- Typos, vague and general wording, and nonspecific greetings like “Dear customer”
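The "hover over the link" check from the list above, and the IRS.gov look-alike sites described in the IRS notice earlier on this page, done programmatically as an added example written for this page (not code from the newsletter, the IRS or any mail product): it parses an HTML email body and flags links whose visible text or brand mention does not match the host the link really goes to. The sample message, the `.example` hosts and the trusted-domain list are constructed for the demonstration.

```python
"""Added example: flag links in an email whose visible text or claimed brand
does not match where the href really points. Written for this page; the
sample message and hostnames below are constructed, not real indicators.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(host):
    """Crude 'last two labels' comparison (no public-suffix list), so that
    www.irs.gov and irs.gov compare equal. None for single-label names."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else None


def link_findings(html_body, trusted_domains):
    """Return [(href, reason)] for links a reader should not click.
    trusted_domains: registrable domains the message claims to come from."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = target.hostname or ""
        if target.scheme not in ("http", "https"):
            findings.append((href, f"non-web scheme {target.scheme!r}"))
            continue
        host_reg = registrable_host(host)
        # 1. Visible text that looks like a URL but the href goes elsewhere.
        shown_host = None
        if "://" in text or (" " not in text and "." in text):
            shown_host = urlparse(text if "://" in text else "http://" + text).hostname
        shown_reg = registrable_host(shown_host) if shown_host else None
        if shown_reg and shown_reg != host_reg:
            findings.append((href, f"text shows {shown_host} but link goes to {host}"))
            continue
        # 2. A trusted brand is named in the text or URL, but the host is not
        #    the brand's domain (e.g. irs.gov-something.example).
        haystack = text.lower() + " " + href.lower()
        for brand in trusted_domains:
            name = brand.split(".")[0]
            if re.search(rf"\b{re.escape(name)}\b", haystack) and host_reg != brand:
                findings.append((href, f"mentions {name} but host is {host}"))
                break
    return findings


# Constructed sample message, modelled on the subject lines quoted above.
SAMPLE_EMAIL = """
<p>Automatic Income Tax Reminder</p>
<p>Your refund file is ready. Use the temporary password below to
<a href="http://irs.gov-refund-portal.example/login">access your IRS refund</a>.</p>
<p>Or open <a href="http://refund-portal.example/track">https://www.irs.gov/refund</a></p>
<p>Questions? <a href="https://www.irs.gov/help">Visit IRS.gov</a></p>
"""

if __name__ == "__main__":
    for href, reason in link_findings(SAMPLE_EMAIL, ["irs.gov"]):
        print(f"SUSPICIOUS {href}: {reason}")
```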
Beware that many scam and phishing emails look legitimate! An email pretending to be a company might contain pictures or text mimicking the company’s real emails. If you’re unsure about an email you received, there are some steps you can take to protect yourself:
- Do not click links or open attachments in emails you were not expecting
- Do not enter any personal, login, or financial information when prompted by an unsolicited email
- Do not respond to or forward emails you suspect to be a scam
- If in doubt, contact the person or organization the email claims to have been sent by, using contact information you find for yourself on their official website
If you get scam phone calls or phishing emails at home, hang up or delete the emails. If you get scam phone calls or phishing emails at work, let your organization’s security or Information Technology team know so they can help protect others from these scams! Additionally, please educate your parents and grandparents on these scams, as they are becoming only more and more common.
Resources:
- https://www.consumer.ftc.gov/articles/0076-phone-scams
- https://www.stopthinkconnect.org/tips-advice/general-tips-and-advice
- https://staysafeonline.org/theft-fraud-cybercrime/phishing/
Staying Safe From Tax Scams
As people seek to file their tax returns this year, cybercriminals will be busy trying to take advantage of this with a variety of scams. Citizens may learn they are victims only after having a legitimate tax return rejected because scammers already fraudulently filed taxes in their name. According to the Internal Revenue Service (IRS), there was a 60% increase in 2018 in phishing scams that tried to steal money or tax data. The IRS identified 9,557 fraudulent tax returns as of only February 24th, 2018 for the last filing season. As everyone aims to file their returns among all this fraud, the following advice will explain how tax fraud happens and provide recommendations on how to prevent it from happening to you or how to get help if you are unfortunately affected by a tax scam!
How is tax fraud perpetrated?
The most common way for cybercriminals to steal money, financial account information, passwords, or Social Security Numbers is to simply ask for them. Criminals will send phishing messages, often impersonating government officials and/or IT departments. They may tell you a new copy of your tax form is available. They may include a link in a very official-looking email that goes to a website that uses an official organization’s logo and appears legitimate, yet is fraudulent. If you attempt to log into the false website, or provide any personal information, the criminals will see what you type and try to use it to compromise your other accounts and file a false return in your name.
Additionally, much of your personal information can be gathered online from sources like social media or past data breaches. Criminals know this, so they gather pieces of your personal information from a variety of sources and use the information to file a fake tax refund request! If a criminal files a tax return in your name before you do, you will go through the arduous process of proving that you did not file the return and subsequently correcting the return.
Criminals also impersonate the IRS or other tax officials, demanding tax payments and threatening you with penalties if you do not make an immediate payment. This contact may occur through websites, emails, or threatening calls or text messages that seem official but are not. Sometimes, criminals request their victims to pay “penalties” via strange methods like gift cards or prepaid credit cards. It is important to remember that the IRS lets citizens know it will not do the following:
- Initiate contact by phone, email, text messages, or social media without sending an official letter in the mail first.
- Call to demand immediate payment over the phone using a specific payment method such as a debit/credit card, a prepaid card, a gift card, or a wire transfer.
- Threaten you with jail or lawsuits for non-payment.
- Demand payment without giving you the opportunity to question or appeal the amount they say you owe.
- Request any sensitive information online, including PIN numbers, passwords or similar information for financial accounts.
How can you protect yourself from tax fraud?
- File your taxes as soon as you can…before the scammers do it for you!
- Always be wary of calls, texts, emails, and websites asking for personal or tax data, or payment. Always contact organizations through their publicly-posted customer service line. If they contact you, end the call and call the organization on the phone number on their website. As mentioned previously, the IRS will initiate contact on these issues by mail through the postal service.
- Don’t click on unknown links or links from unsolicited messages. Type the verified, real website address into your web browser.
- Don’t open attachments from unsolicited messages, as they may contain malware.
- Only conduct financial business over trusted sites and networks. Don’t use public, guest, free, or insecure Wi-Fi networks.
- Use strong, unique passwords for all your accounts and protect them. Reusing passwords between accounts is a big risk that allows a breach of one account to affect many of them!
- Shred all unneeded or old documents containing confidential and financial information.
- Check your financial account statements and your credit report regularly for unauthorized activity. Consider putting a security freeze on your credit file with the major credit bureaus. This will prevent identity thieves from applying for credit or creating an IRS account in your name.
If you receive a tax-related phishing or suspicious email at work, report it according to your organization’s cybersecurity policy. If you receive a similar email on your personal account, the IRS encourages you to forward the original suspicious email as an attachment to its phishing@irs.gov email account, or to call the IRS at 800-908-4490. More information about tax scams is available on the IRS website and in the IRS Dirty Dozen list of tax scams.
If you suspect you have become a victim of tax fraud or identity theft, the Federal Trade Commission (FTC) Identity Theft website provides a step-by-step recovery plan. It also allows you to report if someone has filed a return fraudulently in your name, if your information was exposed in a major data breach, and many other types of fraud.
The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.
Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.
January 28th-National Data Privacy Day
Safeguard your data and your privacy!
In the past year, we saw a significant number of data breaches impacting the privacy of individuals. According to the Privacy Rights Clearinghouse, in 2018, 807 publicly disclosed breaches exposed 1.4 billion records. While this is a decrease from 2017’s 2 billion records exposed, the problem remains enormous because so many websites, social media outlets, and devices contain our information.
With January 28th being National Data Privacy Day, take some time to consider what types of personal information you should be protecting, and how to do so in a few different ways.
General Personally Identifiable Information
Personally identifiable information (PII) can be any data that identifies you as a specific individual. This information should be kept private and not shared with others. Examples of PII include your Social Security Number, or your name in combination with your date or place of birth.
Recommendations: Be aware of what you post publicly or submit through applications or services. Consider with whom you share your PII, and give extra scrutiny and consideration as to whether you really need to share this information. If someone contacts you requesting PII through email, social media, or a phone call, do not provide the information. If it is a phone call that you think is legitimate, hang up and call the organization back through a publicly listed telephone number so you can verify the caller is who they say they are.
Information About Your Location
Giving out your location when away from home on social media is a privacy risk. This practice can result in your home being targeted for burglary. Additionally, your family and friends may be targeted by scammers seeking financial assistance on your behalf to help with a non-existent “travel emergency.” Three popular methods of this type of location sharing are geotagging (adding a location tag to a social media post or picture), posting a photo in which the background can be easily identified (like Times Square or the Eiffel tower), or “checking in” at a business.
Allowing apps to use your phone’s location services has its own privacy concerns, as the app is likely recording or using that data, and may automatically add geotagging to social media interactions in that app as a result!
Recommendations: Customize your location settings to minimize sharing your location with websites and applications, especially on your mobile devices. You can geotag social media posts, pictures, or videos after returning from vacation, going out to eat, or that business trip. Also, check the privacy settings of apps to make sure they don’t need access to your location. At a minimum, ensure your social media settings are set to only show your posts and profile to friends.
Security Questions and Social Media
Security questions are a way to authenticate your identity and are an extra layer of security on accounts, which makes it extra important to not post these answers on social media. Posting a picture or writing a post about your first car’s make and model, or color of your car, childhood address, favorite ice cream flavor, mother’s maiden name, or elementary school is a bad idea. These are common security questions and by posting this information, you give away the answers, allowing cybercriminals to potentially access your accounts.
Recommendations: When on social media, be aware of what you post (including pictures!) and how it relates to the security questions you selected for your various accounts.
Website/Application Privacy Settings and Permission
All websites and applications have privacy settings. These settings help you control what others are allowed to see, as well as manage your online experience. You should be familiar with these privacy settings and customize them to protect your information. Additionally, when creating an account on a website or application and agreeing to their services, understand what you are giving them permission to do with the data you provide.
Take Responsibility
Protecting your privacy starts with you. Website owners, websites, and service providers have a responsibility to protect your privacy. However, it is up to you to understand the privacy settings on social media, online accounts, and your devices. Knowing these settings, you will be able to customize them for greater security.
Take ownership of your privacy and read privacy policies and end user license agreements on websites (including social media), and update your settings whenever new privacy features are available.
For More Information:
National Cybersecurity Alliance
Security and Privacy in the Connected Home
Stay cyber-safe with your Internet of Things (IoT) devices!
Did you ever wonder what it would be like to have a smart home? You could remotely change the temperature in your house, you could tell your lights to come on, or ask your refrigerator if you need to get milk at the grocery store, all from your smart home device or smartphone. You could play video games and access all your streaming services from one device, or know who is at your door from your connected doorbell.
The Internet of Things (IoT) is introducing these features into our homes by rapidly applying connectivity to everyday appliances and home features. As IoT devices become a part of our daily lives, and likely will become part of many more homes as holiday gifts, we need to take a look at the security risks and privacy concerns this smart technology introduces into our lives.
Personal Digital Assistants
Many people have a personal digital assistant like an Amazon Echo or Google Home. These devices analyze your past commands to try to anticipate your needs. These may also be linked to accounts used to purchase goods or services; make changes in your house such as turning off alarms, turning on the lights, or adjusting the temperature; or be linked to other accounts so they can tell you your schedule or read your email. Amazon Echo even has the ability to provide a pet-sitter with instructions, which is a giveaway that you are not home.
Keeping these devices secure is especially important given that they may allow someone with access to the device to complete purchases using the owner’s accounts, identify key information, or find out more about you.
Smart Thermostats and Other Smart Home Devices
Many homeowners are beginning to opt for a digital thermostat that allows them to control the temperature in their home remotely using an app. While digital thermostats do come at a premium, the vendor also makes money on data it collects on usage and habits. Smart light bulbs and smart doorbells also allow for great levels of data collection by the manufacturer.
IoT manufacturers entice consumers with convenience and functionality by promising the world of the future through devices like those listed above. All the while, cybercriminals are finding that they can use these devices as pathways into your home network to steal your data and find out more about you. And yes, that includes using digital information to determine if the house is unoccupied and safe to rob.
Gaming Consoles
Sony PlayStation 4, Microsoft Xbox One, Nintendo Switch, and many other gaming consoles are in millions of homes across the United States. These devices rely on Internet connectivity to provide different forms of entertainment and include streaming video, interactive gaming, voice chat features, and apps that keep both the system and applications up-to-date. One major risk is that many gaming consoles require subscriptions and user accounts for accessing online content such as games and streaming services. This makes the console another device associated with an account that holds your personal and payment information for the purposes of renewing these subscriptions.
Here are a few tips to follow in building your smart home with IoT devices:
- If you don’t need to connect a device to the Internet, don’t. If a device isn’t connected, it isn’t as big of a cybersecurity risk.
- Isolate IoT devices from other devices on your network by creating a separate Wi-Fi network just for them. This protects your other devices if your connected IoT devices are compromised.
- Research the privacy, security, and accessibility options that are available for customizing your device. You may find some options that provide greater security and privacy if you opt in. One example is that a device may offer multi-factor authentication (MFA) where you use your traditional password and username combination with the added step of receiving a verification code or providing a fingerprint through a scanner. If MFA is available, it’s worth using.
- Always update your devices and apply patches when available. When selecting which IoT devices to purchase, ensure they offer patching and updates from the manufacturer to keep them up-to-date. Enable auto-updates on any IoT devices that support them.
- Set up a separate, unique, strong password for every device. Don’t share credentials across devices.
- Replace devices when they are no longer supported by the vendor, as security flaws will remain unpatched.
- Turn off Universal Plug and Play if it is available on the device. You don’t want the device having this ease of connectivity with so little control.
- When requested to provide information to use a device, do not provide personally identifiable information (PII), like Social Security Numbers and dates of birth. If you must share PII to use the device, you may want to consider a different make or model or keeping it off your home network.
Remember these tips over the holidays as you receive and give gifts. This will ensure you don’t give cybercriminals the holiday gift of your sensitive data!
Staying Secure While Shopping Online
Making #CyberMonday #CyberSecure
It is that time of year where so many people prepare to purchase gifts for friends, family, and loved ones. Though it can be convenient to avoid the lines and rush for that latest Black Friday deal by shopping online, this also carries some risk. Cybercriminals are always working to steal your personal and payment information and the holiday shopping season is the perfect opportunity for this to happen. By following a few key practices, you can greatly lower your chances of becoming a victim of identity theft or fraud.
Choose Trusted Online Retailers and Apps
Always shop only with trusted online retailers. That means using a retailer you already know or one that is verified through another trusted entity. If you find a new possible shop to do business with, but are unsure about its reputation, try to find reviews from trusted sources such as the Better Business Bureau. It is important to stick to trusted review sources because there are several ways to fake online reviews, and there are places where cybercriminals can pay other criminals to post positive reviews. Even though an untrusted site might have the best prices, it is worth it to use a trusted online shop that is known to safeguard your information and purchases.
The same advice applies when downloading apps to help with your online shopping. Whether you are downloading a store app to get a coupon, a deal aggregator app to comparison shop, or a reward app that ensures you get points or cashback, it is important to stick to trusted apps from known developers. Unfortunately, fake apps appear in the app stores, purporting to be from a trusted source while other apps exist to capture your data without providing the services they claim to support. You can avoid many malicious apps by downloading your apps from Google Play, Apple App Store, Microsoft Store, or another trusted platform, selectively choosing which apps to download, and making sure you carefully read the permissions and app reviews.
Secure your Device, Connectivity, and Accounts
Keep your devices up-to-date, especially those you shop and bank with – Simply updating the device that you use for conducting your online shopping is a key cybersecurity practice. By keeping the device up-to-date with current patches and software, you ensure you have the manufacturer’s latest security fixes in place.
Never use a public computer when shopping or banking – Using a public computer, like those found at libraries, can expose you to greater risk. It is best to use a trusted home device and network for anything involving financial transactions.
Never shop or conduct banking on unencrypted or public Wi-Fi – It is best to always conduct financial transactions or log on to sensitive accounts via a trusted Wi-Fi network. Ideally, this should be from your home network, which should require a password and use WPA2 encryption.
Look for the lock icon on your browser – When a site has a lock icon on the browser window, or in the URL bar, it indicates that your communications with the site are encrypted. If you do not see a lock, look for “https” at the beginning of the URL, as this indicates the same thing as the lock.
Check out as a guest – By checking out as a guest, you prevent the online retailer from storing your personal account and financial information. This minimizes the amount of information that could be lost if the retailer is compromised. If you have or need an account with a retail website:
- Use a strong password – Be sure to use a strong, unique password. Always use more than ten characters, with numbers, special characters, and upper and lower case letters.
- Don’t save your payment information with retailers – If you have an established account with a retailer, do not store your payment information with them. In the case of an account compromise, stored payment information may allow a criminal to make purchases using your financial information.
Be Wary of Fraudulent Emails and Advertisements
Look out for suspicious or unexpected emails – A common tactic of cybercriminals year round is to send fraudulent emails seeking to get you to click a link or open an attachment. When it comes to this time of year, they may make an email look like it contains tracking information for a shipment or a promotion for a store. The link or attachment might download malware or try to get you to enter your user credentials in a convincing, yet fraudulent login screen, so they can steal your password. Always avoid clicking direct links in emails, and if you receive an email with a tracking number in it, head to the shipping carrier’s website in your browser and copy and paste the tracking number itself into the site.
Avoid clicking advertisements or pop-up windows of any kind – Advertisements embedded in websites and pop-ups have been known to be compromised by cybercriminals to distribute malware. It is best to avoid clicking them altogether.
National Cybersecurity Awareness Month
The 15th annual National Cybersecurity Awareness Month (NCSAM) is here! October 1st kicked off this month-long campaign devoted to ensuring everyone has the resources they need to stay safe online. NCSAM is an effort co-led by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security, and is championed by the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Each week of October highlights a theme that contributes to that “Shared Responsibility” of online safety and security. In partnership with NCSA, below we have provided some tips for how to make the most of those themes and strengthen our individual and national cybersecurity!
Week 1: Make Your Home a Haven for Online Safety
Easy-to-learn life lessons for online safety and privacy begin with parents and caregivers leading the way. Family members may be using the Internet to engage in social media, adjust the home thermostat, or to shop for the latest connected toy. This makes it vital to ensure that the entire household – including children – learn to use the Internet safely and responsibly, and that networks and mobile devices are secure. Three of NCSA’s top tips include the following:
- Keep a clean machine: Keep all software on Internet-connected devices, including personal computers, smartphones and tablets, up-to-date to reduce risk of infection from ransomware and malware.
- Lock down your login: Your usernames and passwords are not enough to protect key accounts like email, banking, and social media. Fortify your online accounts and enable the strongest authentication tools available, such as biometrics, or two-factor authentication.
- Share the best of yourself online: Before posting online, think about what others might learn about you and who might see it in the future, such as teachers, parents, colleges, and potential employers.
Week 2: Millions of Rewarding Jobs: Educating for a Career in Cybersecurity
A key risk to our economy and security continues to be the shortage of cybersecurity professionals to safeguard our ever-expanding cyber ecosystem. There are limitless opportunities for students and individuals looking for a new career or re-entering the workforce. Here are some tried and true tips for cyber job seekers at any age:
- Get Credentialed: Four out of five cybersecurity jobs require a college degree. Certifications can also be valuable to display your specialized knowledge. DHS offers free online, on-demand courses through the Federal Virtual Training Environment that provide great learning opportunities for veterans.
- Get Involved: Test the waters through volunteer work and internships. Offer to help technical professionals at your school or workplace to gain experience. You could even consider joining local clubs or groups, such as those on MeetUp. (Remember to be safe when meeting people or going to new places!)
- Keep Up with the Buzz: Follow top cybersecurity personalities on Facebook, Twitter, LinkedIn, and news websites and blogs.
Week 3: It’s Everyone’s Job to Ensure Online Safety at Work
When you are on the job, your organization’s online safety and security is also part of your responsibility. NCSA’s CyberSecure My Business™ will be a cornerstone for Week 3. The program is a series of in-person and highly interactive workshops based on the NIST Cybersecurity Framework to educate the community about:
- understanding which business assets (“digital crown jewels”) others want;
- learning how to protect those assets;
- detecting when something has gone wrong;
- reacting quickly to minimize impact and implement an action plan; and
- learning what resources are needed to recover after a breach.
Additional components include monthly webinars, online portal resources, and monthly newsletters summarizing the latest cybersecurity news. NCSA has also created a Cybersecurity Awareness Toolkit, for small and medium businesses which is packed with easy-to-use tips and practical information.
Week 4: Safeguarding the Nation’s Critical Infrastructure
Our daily lives depend on 16 critical infrastructure sectors, which supply food, water, financial services, public health, government services, communications, transportation, and power along with other critical functionality. A disruption to this system, most of which is operated via the Internet, can result in significant and even catastrophic consequences. Week 4 will highlight the roles the public can play in keeping it safe. Two easy tips everyone should practice to help protect the country’s critical infrastructure are:
- When in doubt, throw it out: Links in email, tweets, posts and online advertising are often how cybercriminals try to compromise your information. If it looks suspicious, it’s best to delete it.
- Safer for me, more secure for all: What you do online affects everyone. Good online habits help the nation’s digital community.
Visit these sites to learn more:
- DHS and NCSAM
- StopThinkConnect
Avoiding Many Types of Malware
From the MS-ISAC Group
Every day as we use our devices, browse the Internet, and open emails, we are also exposing those devices to potential malware (malicious software). Malware is any software that is designed to cause damage to and/or unauthorized access to devices or networks. Malware comes in many forms, all of which can have negative effects for your device and for you. With a little extra vigilance, and some good habits and practices, you can greatly reduce your likelihood of having a device infected with malware and can minimize the impact to your device, data, and life, in the event that it does become infected. Below we will explore a few common types of malware and their impacts, as well as some tips and practices that can help you as you go about your connected life.
Common Types of Malware and Their Effects
Ransomware – Ransomware is malware that stops you from being able to access your files, usually by encrypting them, and then requests payment to decrypt the files, restoring your access. Most commonly, ransomware asks for payment in bitcoin, which is a popular cryptocurrency. Unfortunately, paying the ransom does not guarantee restoring access to your files.
Trojan Horses (a.k.a. trojans) – This malware takes its name from the classic story of the Greek army sneaking soldiers into the city of Troy hidden inside a large wooden horse. Trojans of the malware variety behave in much the same way, by appearing to be legitimate apps or software that you want to install. Some trojans allow an attacker full access to your device, others steal banking and personally sensitive information, and others are simply used to download additional malware, like ransomware.
Keyloggers – This type of malware records your keystrokes and sends them to a cyber threat actor, giving them access to your usernames, passwords, and any other sensitive information you have entered using your keyboard. With this information, the cyber threat actor can access your online accounts or commit identity theft.
Tips and Practices for Avoiding and Surviving a Malware Infection
- Update and patch your devices and software. Vendors release updates and patches in order to fix security issues, not just to fix functionality! Many types of malware can be foiled by keeping your software up-to-date by accepting the updates when you get a notice about them.
- Never click suspicious or untrusted links. Even if the URL comes from a company or person you know, it is always safest to manually type in their URL. At the least, hover over the link to discover where it’s really sending you, as some malicious actors send emails that look convincing. This advice is also true for links in emails, documents, and on social media platforms, as malicious links are commonly posted to such sites. For more information on spotting suspicious emails and checking URLs, head to our past newsletter on this topic.
- Only download from trusted sources. When looking to download an app or software, only do so from a trusted vendor or source. On mobile devices, ensure that you only download apps from the Google Play store and Apple App Store, which are the trusted sources for Android and iOS devices.
- Back up your data and be sure the backups are good! Backing up your data, whether by doing a complete backup of your whole device or just key files, is the best way to protect those important files and pictures against ransomware and other data loss. For best practices and more information on backups, please reference our recent newsletter on this topic.
- Use antivirus and other protective software on your device. If your computer or router has built-in protections like antivirus or a firewall, ensure you have those enabled. Otherwise, buy or download an antivirus product from a trusted vendor. This is important for both your computers and your smartphones!
- Configure your devices with some security in mind. By setting up your devices with some basic security settings enabled, you will not only protect against some malware, but against other forms of malicious activity and access. For tips on configuring your devices, please see our past newsletter on this topic.
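The "hover over the link to discover where it's really sending you" tip above, and the earlier advice about emails carrying fake tracking links, can be automated for a whole message. The script below is an added example and not part of the MS-ISAC newsletter: it parses a constructed HTML email, extracts every link, and flags links whose visible text names a different site than the real destination, links that are not HTTPS, and links whose host is a raw IP address. The sample message and host names are constructed for illustration.

```python
"""Flag links in an HTML email whose visible text points somewhere other
than the real destination (the mismatch you would see by hovering).

Added example, not part of the MS-ISAC newsletter; the sample message
below is constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one link is honest, one shows the carrier's URL as
# text but really goes to a raw IP over plain HTTP, one is a plain label.
SAMPLE_EMAIL = """
<p>Your package is delayed. Track it here:
<a href="https://track.example-carrier.com/t?id=123">track.example-carrier.com</a></p>
<p>Or see your invoice at
<a href="http://203.0.113.7/login">https://www.example-carrier.com/invoice</a></p>
<p>Questions? <a href="https://www.example-carrier.com/help">Help center</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Only text inside an open <a href=...> belongs to the link label.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude site name: the last two labels (example.com). Good enough for
    the mismatch check; a real tool would consult the public suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def text_looks_like_url(text):
    """Does the anchor text itself look like a URL or hostname?"""
    return "://" in text or (" " not in text and "." in text.strip("."))


def analyze_links(html):
    """Return one finding per link: its href, its visible text, and the
    list of reasons it was flagged (an empty list means nothing suspicious)."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        target = urlparse(href)
        host = target.hostname or ""
        if target.scheme != "https":
            reasons.append("not https")
        if host.replace(".", "").isdigit():
            reasons.append("raw IP address as host")
        if text_looks_like_url(text):
            # The label claims to be a URL: compare the site it names with
            # the site the link actually goes to (the "hover" check).
            shown = urlparse(text if "://" in text else "https://" + text)
            shown_host = shown.hostname or ""
            if registered_domain(shown_host) != registered_domain(host):
                reasons.append(
                    f"text shows {shown_host!r} but link goes to {host!r}")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{status:10} {f['text']!r} -> {f['href']}")
        for r in f["reasons"]:
            print("           reason:", r)
```

Run against the sample, only the second link is flagged (plain HTTP, raw IP host, and a label that names the carrier while the href goes elsewhere); a label such as "Help center" that is not itself a URL cannot be compared and is left to the reader to verify by hovering.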
The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.
Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.
From the MS-ISAC Group
We all know it happens – our home computers crash, malware infects them, or somebody downloads that cool, new program that crashes everything! While there are many tips and tricks of great value for preventing your devices and data from being compromised, it is important to also have a backup of your information in case something goes wrong.
Backups are copies of key information or data that are stored separately from your device. Because they are stored separately, you can use them to restore your data or device and get right back to full working order. With the threat of ransomware, which encrypts your personal files and renders them inaccessible, this is a real concern. Below we explore some key concepts on creating backups and provide resources to help you decide how best to build this essential type of redundancy into your life.
Choosing what to backup
When thinking about a backup system the first thing to decide is how much you want to backup. Are you okay storing key documents, pictures, and files or do you want your full system backed-up? If you’re concerned about rebuilding a full system, and having all the license information to make it functional, then you probably want a more complete backup option. If you just want to protect important files, then a system where you choose what to save would work well.
How can you create a backup of just key files?
If you are looking to store copies of your important files, you can periodically copy them to your preferred backup location. Select the folders or files you want to back up and copy them to the storage device or media. This is made especially easy if you make a habit of organizing your important files into just a few folders. It is a very simple approach, and it helps ensure that your tax documents, digital receipts, pictures, and other important records remain available.
How can you create a complete backup of your device’s data?
If you are looking to create a more comprehensive backup, your devices likely have utilities built in that allow for easy creation of backups. These may allow you to set a complete copy of your device’s data aside that would allow you to restore it to full working order following an infection or issue. Seek out guidance or tips from your device’s vendor to determine what utilities are available to you for creating backups. The Stay Safe Online guide linked below has links to top vendor’s backup guides that can assist you through the process.
Choosing where to store your backed-up data
Regardless of what you want to save, one of the key ways to keep your backed-up data safe is to disconnect the storage media after you make the backup. This matters in the event that you are infected with malware: you do not want the copies to be damaged as well. Ransomware commonly looks for attached backups and encrypts or deletes them along with the original files, so a backup drive that stays plugged in offers little protection.
This also helps in case your device or where you store it is lost, stolen, or physically destroyed. Keeping a separate backup on a different physical storage device, or in the cloud, is a way to better secure your data from this type of problem.
Cloud services for storing backups can be a convenient solution, though they may come at a cost, and some people may not like the fact that they will not have a copy in hand on physical storage media. Having the backup outside your immediate possession is helpful if you are concerned about a physical problem, such as loss or damage. Some of these services save multiple versions of your backup, which protects against infected or encrypted files overwriting the only good copy in the cloud.
External hard drives or removable media (DVDs, USB drives, etc.) are the other most common option. You simply copy the data you want to save to the external hard drive or media chosen. Keep the external drive disconnected, and in a separate location from your devices, while you are not making backups; this ensures malware on the computer cannot reach the backup copy.
How often should you back up files and systems?
The frequency with which you back up your data or systems is an important component of this process. Consider making your backups on a weekly basis, with a minimum frequency of monthly backups. Your decision will be influenced by how often you update your data.
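The two properties this newsletter asks for, a backup you can trust and one that keeps earlier versions, can be checked mechanically rather than by hope. The script below is an added example and is not part of the MS-ISAC newsletter: it copies a folder into a new timestamped backup directory, writes a manifest of SHA-256 hashes alongside it, and later re-hashes the backup to report anything missing, changed or added. The destination layout, manifest format and function names are this example's own choices, and the files it backs up are constructed inline.

```python
"""Versioned file backup with an integrity manifest (added example, not newsletter code).

Assumes the backup destination is a plain directory, such as an external drive
or a folder a cloud client syncs. Manifest format and names are this example's own.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

MANIFEST_NAME = "manifest.json"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large photos and archives are not loaded into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, dest_root: Path, stamp: Optional[str] = None) -> Path:
    """Copy every file under `source` into a new timestamped folder and write a manifest.

    Each run creates a fresh folder, so earlier versions are never overwritten;
    that is the 'multiple versions' property the newsletter recommends.
    """
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    target = dest_root / stamp
    target.mkdir(parents=True, exist_ok=False)
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        copy_to = target / rel
        copy_to.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, copy_to)
        # Hash the copy, not the original, so the manifest describes what was written.
        manifest[rel] = {"sha256": sha256_of(copy_to), "size": copy_to.stat().st_size}
    (target / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return target


def verify_backup(backup_dir: Path) -> dict:
    """Re-hash every file in a backup and compare with the manifest.

    Returns lists of missing, modified and unexpected files; all empty means the
    backup still matches what was written. Ransomware reaching a connected drive
    shows up as 'modified' (contents changed) and 'unexpected' (renamed copies).
    """
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    found = {
        p.relative_to(backup_dir).as_posix()
        for p in backup_dir.rglob("*")
        if p.is_file() and p.name != MANIFEST_NAME
    }
    missing = sorted(set(manifest) - found)
    unexpected = sorted(found - set(manifest))
    modified = sorted(
        rel for rel in manifest
        if rel in found and sha256_of(backup_dir / rel) != manifest[rel]["sha256"]
    )
    return {"missing": missing, "modified": modified, "unexpected": unexpected}


def demo():
    """Back up a constructed sample folder, verify it, then simulate ransomware
    touching the still-connected backup and verify again. Returns both results."""
    work = Path(tempfile.mkdtemp())
    src = work / "documents"
    (src / "taxes").mkdir(parents=True)
    (src / "taxes" / "2023.txt").write_text("constructed sample tax record")
    (src / "photo.jpg").write_bytes(b"\xff\xd8\xff constructed sample image bytes")

    backup = create_backup(src, work / "backups", stamp="v1")
    clean = verify_backup(backup)

    # Simulated infection: one file overwritten with ciphertext-looking bytes,
    # one renamed with a ransomware-style extension.
    (backup / "photo.jpg").write_bytes(b"\x00\x11garbage\xfe")
    (backup / "taxes" / "2023.txt").rename(backup / "taxes" / "2023.txt.locked")
    tampered = verify_backup(backup)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean backup:   ", before)
    print("after tampering:", after)
```

Run the verification right after each backup and again before you rely on the copy. A non-empty modified or unexpected list on a drive that stayed connected is exactly the ransomware-on-the-backup case the text warns about; disconnecting the drive after a clean verification is what actually prevents it.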
In conclusion, spend time considering how vital the data on each of your devices is. Then consider the best type of backup strategy for your needs and base a timeline of how frequently you make the copies off those needs as well. By adding this simple process to your safe computing habits, you can build in more reliability and recoverability. If you are ever the victim of a malware infection or cyber-attack, you will surely be glad you took the time to make backups!
Suggested resources:
https://staysafeonline.org/stay-safe-online/online-safety-basics/back-it-up/
https://www.us-cert.gov/sites/default/files/publications/data_backup_options.pdf
From the Information Security Office
This month, in partnership with the National Cyber Security Alliance, we aim to provide some valuable tips on staying cyber safe while heading on a summer vacation. Whether you are out exploring or relaxing, it is important to strive to be as secure as possible with your digital devices and information. Unfortunately, travel can open you up to different points of vulnerability compared to normal everyday use at home, and we don’t just mean accidentally going swimming with your cell phone. You see, while traveling you are operating outside of your normal, safe routines. This means using your devices on different networks and putting them down in different locations, including under your beach towel while swimming. By following some smart practices, you can connect with greater confidence during a summer escape.
Getting Ready to Go:
Avoid mayhem and make magical family memories by taking a few simple cyber safety steps before you head out of town. The goal here is to prepare your devices for travel and to keep them from being used against you.
- Keep a clean machine: Before you hit the road, make sure all security and critical software is up-to-date on your mobile devices and keep them updated during travel. These protections are your best line of defense against viruses and malware.
- Lock down your login: Your usernames and passwords are not enough to protect key accounts like those you use for email, banking, and social media. Fortify your online security by turning on multi-factor authentication, commonly referred to as two-factor authentication, when available. This typically pairs your username and password (i.e. something you know) with a message sent to your phone (i.e. something you have) or your fingerprint (i.e. something you are).
- Password protect: Use a passcode or a security feature like a swipe pattern or fingerprint to lock your mobile device. Also set your screen to lock automatically after a short idle period. If you do choose a swipe pattern, make sure it has at least one turn (preferably two), and make sure a PIN code has at least 6 digits!
- Think before you use that app: New apps are tempting! It is important to always download new apps from only trusted sources like the Apple App Store or the Google Play Store. Additionally, consider limiting your app’s access to services on your device, like location services.
- Own your online presence: Set the privacy and security settings on social media accounts, web services, and devices. It is okay to limit how and with whom you share information, especially when you are away. Do not post your upcoming vacation destination on social media. That information is an open invitation for trouble.
While on the Go:
Once you and your gang are at your destination, you are in new territory and are facing new potential cyber threats. Here are some ways you can keep up secure practices while out and about.
- Get savvy about what you do on other people's Wi-Fi and systems: Do not transmit personal information or make purchases on unsecured or public networks. Instead, use your phone carrier's internet service for these needs. For laptops and tablets, it is easy to use your phone as a personal hotspot and browse more securely over carrier data. Also, never use a public computer or device to shop, log in to accounts, or do anything personal.
- Turn off Wi-Fi and Bluetooth when idle: When Wi-Fi and Bluetooth are on, they may connect and track your whereabouts. Only enable Wi-Fi and Bluetooth when required, and disable your Wi-Fi auto-connect features.
- Protect your $$$: Be sure to shop or bank only on secure sites. A web address beginning with "https://" and a lock icon indicate that your connection to the site is encrypted. An "http://" address means the connection is not encrypted, and you should never send payment or other sensitive information over it. Keep in mind that https only protects data in transit: phishing sites use https too, so the lock icon does not prove the site is the one you meant to visit. Check the address itself as well.
- Share with care: Think twice before posting pictures that signal you are out of town. Knowing you are away from home is a great piece of information for a criminal to have and they may target your home for physical crime. Also consider limiting your social media apps’ access to location services on your device, and omit location information while making your posts and sharing your pictures.
- Keep an eye on your devices: Laptops, smartphones, and tablets are all portable and convenient, making them perfect for a thief to carry away! Keep your devices close to you and hold onto them if strangers approach you to talk, as a common scam consists of a stranger distracting you and placing a map or newspaper over your device and walking away with it when finished talking.
- Know your destination’s laws: If you are heading out of the country, check up on any specific laws on internet and device usage. Additionally, bring as few devices as possible and consider using a device specifically purchased for international travel.
Armed with these tips and practices, you should have a happy and cyber safe vacation ahead of you. To learn more about staying cyber safe and secure while travelling, head to the MS-ISAC’s Security Primer covering this topic. For more information on NCSA, including countless resources on staying cyber secure, please visit staysafeonline.org.
From the MS-ISAC Group
The Federal Trade Commission's definition of phishing is "when a scammer uses fraudulent emails or texts, or copycat websites, to get you to share valuable personal information."[1] When a user falls for a phishing message, the malicious actor achieves their purpose of getting the victim to hand over sensitive information such as login names and passwords. Though we count on technologies and controls to minimize threats, phishing exploits users through social engineering, which allows malicious actors to sidestep these protections. This is why it is important that everyone learn to spot these fraudulent messages. Let's take a look at some example phishing emails.
Message #1
Subject: Low Cost Dream Vacation loans!!!
Dear John,
We understand that money can be tight and you may not be able to afford to go on vacation this year. However, we have a solution. My company, World Bank and Trust is willing to offer low cost loans to get your through the vacation season. Interest rates are as low at 3% for 2 years. If you are interested in getting a loan, please fill out the attached contact form and send it back to us. We contact you within 2 days to arrange a deposit into your checking account.
Please email your completed form to VacationLoans@worldbankandtrust.com.
Your dream vacation is just a few clicks away!
Dr. Stephen Strange
World Bank and Trust
177a Bleecker Street, New York, NY10012
What did you notice in message #1?
In this message, you can see that the phisher wants to give us a low cost loan with no credit check. They say we just need to send them our information and they will give us money, right? Not only does it seem too good to be true, but also when you hover the cursor over the email address to examine it further, you see that the link actually has a different destination. It is the email address of the attacker.
Message #2
Subject: Free Amazon Gift Card!!!
Dear Sally,
You name has been randomly selected to win a $1000 Amazon gift card. In order to collect you prize, you need to log in with your Amazon account at the link below and update your contact information so we can put your prize in the mail. This is a limited time offer, so please respond to the request within 2 business days. Failure to respond will forfeit your prize and we will select another winner.
www.amozan.com/giftredemption2321
What did you notice in message #2?
Aside from this seeming too good to be true, you can see that “Amazon” is misspelled as “Amozan” on the link provided. If you read this quickly, you may think you are responding to the real company to get your gift certificate. In reality, you are providing your information to the attacker. For the purposes of this example, the link actually navigates to the Center for Internet Security, which is a trustworthy site.
Message #3
Subject: Urgent – Take Action Before Your Email Account is Deactivated
Dear User,
Following changes to our Microsoft email systems, each user must authenticate their account to prevent it from being deactivated. You can accomplish this by heading to the link below and entering your Microsoft Outlook email account credentials, and then we will know your account is active and should remain so.
Thank you,
Information Technology
Helpdesk Support Team
What did you notice in message #3?
This email is fairly well crafted without errors. Note that it establishes a sense of urgency that the malicious actor hopes will cloud your judgement and threatens the deactivation of your email account. Additionally the link at the bottom looks like a link to Microsoft, yet it is in fact heading somewhere else! Luckily, for the purposes of this example, that link simply leads to the Center for Internet Security, which is a legitimate site.
With these three examples considered, here are some basic recommendations to help protect you from becoming a phishing victim:
- If it seems too good to be true, it probably is;
- Hover your cursor over links in messages to find where the link is actually going;
- Look for misspellings and poor grammar, which can be good signs a message is a fraud;
- And, never respond to an email requesting sensitive personal information (birthday, Social Security Number, username/password, etc.).
Additional information and a phishing game can be found on the FTC’s website, https://www.ftc.gov/
[1] https://www.consumer.ftc.gov/articles/0003-phishing
From the desk of Thomas F. Duffy, MS-ISAC Chair
While spring cleaning your home and, if you’re like me, the top of your desk, consider also cleaning up your information footprint. Your information footprint is how much information about you is recorded and available in both digital and paper formats. Cleaning up your footprint can mean examining social media, online accounts, and even paper records containing sensitive information. While we may use a few key digital devices and services on a regular basis, they often contain more information about us than is necessary. It’s also likely that devices and services we don’t use anymore may still contain information. You might have that pile of paper you’ve been meaning to shred for a while, making this an opportune time to spring clean your information footprint. By spending a little bit of time and effort, you can better secure your information to safeguard against various forms of identity theft.
Disks, Hard Drives, and USB drives, Oh My!
Over the years, it's easy to accumulate a mass of CDs, DVDs, hard drives, and USB drives that are no longer needed, or that hold data you no longer need. If you have hard drives or USB drives with old data on them, whether you plan to keep using them or to dispose of them, follow US-CERT's guidance on securely wiping the data first; simply deleting files or reformatting leaves the data recoverable. Many shredders, including those rated for home use, can shred CDs and DVDs. If your shredder can't handle them, check your local community for shredding days, as many towns, schools, and office supply businesses sponsor shredding events.
Clean Up Your Paper Trail
Many of us have a large quantity of paper documents that may contain sensitive information about ourselves, financial accounts, government identification information, tax returns, and more. Take some time to go through these documents this spring and check whether it is something you truly need to hold onto. If the answer is no, be sure to securely dispose of it by shredding it and recycling the shredded pieces. Simply ripping up sensitive documents is not enough to guarantee your information is unreadable.
Not sure how long you should hold on to those old documents? The Federal Trade Commission (FTC) has a handy website – “A Pack Rat’s Guide to Shredding” with information on how long you should hold on to those documents!
Closing Old Online Accounts
It is common for people to use many different shopping sites, social media outlets, online storage, clubs, and other online outlets that require you to enter, store, and sometimes share information from or about you. If you are no longer using any of these accounts, consider removing information that may be sensitive and consider closing them out if you do not plan to use them again. Sometimes, it is easiest to check out as a guest when shopping online at a place that you rarely, if ever, patronize. Checking out as a guest should minimize the data retained about you.
Old Social Media Accounts
Remember MySpace? LiveJournal? Do you still have that old email account or an account on an old dating website? As we move from MySpace to Facebook to Twitter, Instagram, and the other latest and greatest social media platforms, our old accounts and information are left behind, filled with personal details. Consider closing out social media accounts that you no longer use, as it will reduce your digital footprint. Keep in mind that each platform has its own policy on deleting old accounts and content, so be sure to read the policy. And don't forget to remove the app from your smartphone, too!
Oversharing on Social Media That You Do Use
If you frequently use a social media or online account but it contains lots of personal details or information that you now think should be safeguarded more closely, consider removing it from your profile or deleting the posted content. Think about if the information you continue to share could be used against you or combined with other information to be used against you. Enough pieces of personal information combined together can be very useful to cybercriminals.
Be aware of any information you share that could be used to answer "challenge" questions, which are frequently used to reset passwords. What does that mean? How could information be combined to be used against you? Think about your online bank account. If you forget your password, what types of questions do they ask? Probably something about the color of your car, your mother's maiden name, your birthday, or your pets' names. Did you post a picture of your new car? Friend your mother or her brother on social media? Answer a meme about your birth month and day? Share adorable pictures of Fluffy? If you did, you've helped someone find the answers to your bank's security questions!
This is the case for many of the pieces of information you may share online and many online accounts that use challenge questions to reset passwords. Information commonly used for challenge questions include the above examples and other details, such as your favorite sports team, vacation spot, fruit, ice cream, type of reading material, youngest sibling, elementary school name, and so on. As you clean up your data think about what information could be used to answer your security questions and try to remove that data from your social media accounts.
In closing, these short tips can make a world of difference in lowering your information’s exposure to others. By questioning if you need to share or provide certain information online as you move forward, you can save yourself from many of the unnecessary overexposures we discuss here. Additionally, by taking a look at both your digital and paper trails to do these activities on a routine basis, you can be sure to keep overexposure in check.
January 28th is National Data Privacy Day, an educational initiative focusing on raising awareness among businesses and individuals about the importance of protecting the privacy of personal information. With more and more information being collected by companies, websites, and social media, this is something everyone should consider.
To understand the importance of Data Privacy day, it is vital to understand Personally Identifiable Information (PII) and exactly what privacy is. PII is any combination of data points that can lead to the identification of a specific individual (you). This can mean things such as your name or email address, but most times PII refers to “sensitive PII” such as Social Security, driver’s license, state identification, or financial account numbers. Sensitive PII can also exist if PII is combined with another piece of information about you such as a birthdate, medical information, or even passwords. The more pieces of data combined about an individual, the more valuable and sensitive the body of information becomes.
Privacy is often considered to be the concept of confidentiality, which is keeping information secret from those that should not see it. While that is an aspect of privacy, often called “need to know,” privacy is much more. Privacy is a larger concept centering on you as the individual to whom the information refers. It is about your rights to access, correct, and control the information that another entity has about you.
Privacy Rights:
Organizations that honor your privacy will not only protect confidentiality, but should follow a set of principles related to how they manage your information, including:
- Not collecting more information than they need to conduct their business with you;
- Informing you of what they will do with the information that they collect and not doing more with it than they have promised;
- Retaining the information for only as long as it is needed and then properly destroying the information;
- Not sharing your information with others without your permission, except as required by law;
- Allowing you to review and correct information if necessary.
To understand your privacy rights it is essential that you read the privacy policies of any organization to whom you provide information, especially PII. This includes websites, health care providers, insurance companies, and financial institutions. If you do not agree with how they intend to protect your privacy, consider not using their service.
Privacy is a Shared Responsibility:
While organizations and websites have a responsibility to protect your privacy, which most will outline in their privacy policy, this is also your responsibility. Social media users are especially susceptible to privacy concerns. Individuals voluntarily place enormous amounts of information about themselves, their friends, and associates, on social media. It is critical that everyone is aware of the information they post on social media services, such as Facebook, LinkedIn, Instagram, Snapchat, and Twitter. This awareness is not limited to what you post about yourself, but what you post about others as well!
Identity Theft Protection:
Despite many organizations' best efforts to handle and use your private information properly, the countless breaches of PII by cyber criminals in the past few years have exposed information about millions of people. A common response from a breached organization is to provide one year of credit monitoring. This is a very short time to have such protection. Those who stole the information, or those to whom they passed it on, may hold it for much longer than a year before using it to steal your identity, commit credit card fraud, or worse in your name. If you have been a victim of a breach, check out the FTC's resources on placing a credit freeze to protect yourself.
If you are considering Identity Theft protection services, research the firms that you are considering engaging and ensure you understand the services they will and will not provide. Also, read their privacy policies, because for them to deliver these services you must provide them with varying amounts of PII.
Protecting privacy is both your responsibility and that of those individuals and organizations that have information about you. Do everything in your power to be aware of how you personally can compromise your privacy and hold those organizations that you engage with accountable for their management, or mismanagement, of your personal information.
For More Information:
US-CERT Data Privacy Day Events
Online Trust Alliance Data Privacy & Protection website.
Forbes, Data Privacy Day: Easy Tips to Protect Your Privacy
Protect your identity and accounts
- Do not click suspicious links or open unexpected attachments or texts. Be aware of Phishing emails and Smishing texts.
- Do not provide account info to links in emails or texts.
- Do not provide account information over the phone to live or automated systems other than FFSL Touch Tel Phone Banking at:
Toll Free: (888) 378-2067
Lorain: (440) 282-2961
Huron: (419) 433-9629
Sandusky: (419) 624-9663
Port Clinton: (419) 734-7477
- Always verify the identity of the person on the phone by hanging up and calling back a known number; approved numbers are listed under FFSL Methods of Contact.
- Do not use unknown or unsafe devices to access your account. This includes cell phones, tablets or computers.
- Use only phones, tablets and computers with the latest software and security patches.
Use auto-update for all programs to receive the latest security patches. See Securing Your Device.
Windows XP and Windows Vista (as of 4/11/2017) are no longer updated by Microsoft. Consider upgrading to Windows 10.
Use anti-virus software and keep it updated. See Securing Your Device.
Keep your browser updated. See Securing Your Device.
We are providing these instructions as a courtesy only. We cannot and will not provide any support beyond these written instructions. Do not call for technical support.
- Even with these recommendations, you, the consumer, must remain vigilant and suspicious of requests for information in order to protect yourself. Be very careful and report all suspicious activity to FFSL immediately.
- Report fraud immediately. Call us at (800) 589-8850.
- Click here for Approved FFSL Methods of Contact.
- Click here to download All FFSL Security & Education Information.
Phishing Email
Phishing is a form of fraud in which the attacker tries to trick you into revealing information such as login credentials or account details.
Smishing Text
Smishing is phishing by text message: the attacker sends fake texts claiming that the mobile user has won a free product or needs to enter personal information.
Securing Devices
Choose your device below for instructions on how to increase its security.
Windows • iOS • Android
Online Banking Security
Online Banking security is intended to prevent unauthorized access to your account, validate your identity, protect your account information from fraudulent use, and prevent the theft of your identity.
7 Tips to Prevent Tax ID Fraud
SALEM, Ore., January 25, 2017 – As the 2017 tax season gets underway, the Oregon Bankers Association (OBA) is urging all Oregonians to take extra precautions when filing their return to prevent their exposure to tax fraud.
“Fraudsters are using very clever tactics to get a hold of your personal information and submit false tax claims,” said OBA President and CEO Linda Navarro. “Consumers must be suspicious of any communication from the IRS – through email, text or social media – that requests personal information, and should keep a watchful eye out for missing W-2s and mail containing sensitive financial information.”
Tax identity fraud takes place when a criminal files a false tax return using a stolen Social Security number in order to fraudulently claim the refund. Identity thieves generally file false claims early in the year and victims are unaware until they file a return and learn one has already been filed in their name.
To help consumers prevent tax ID fraud, the OBA is offering the following tips:
- File early. File your tax return as soon as you’re able, giving criminals less time to use your information to file a false return.
- File on a protected Wi-Fi network. If you’re using an online service to file your return, be sure you’re connected to a password-protected personal network. Avoid using public networks like a Wi-Fi hotspot at a coffee shop.
- Use a secure mailbox. If you’re filing by mail, drop your tax return at the post office or an official postal box instead of your mailbox at home. Some criminals look for completed tax return forms in home mailboxes during tax season.
- Find a tax preparer you trust. If you’re planning to hire someone to do your taxes, get recommendations and research a tax preparer thoroughly before handing over all of your financial information.
- Shred what you don’t need. Once you’ve completed your tax return, shred the sensitive documents that you no longer need and safely file away the ones you do.
- Beware of phishing scams by email, text or phone. Scammers may try to solicit sensitive information by impersonating the IRS. Know that the IRS will not contact you by email, text or social media. If the IRS needs information, they will contact you by mail first.
- Keep an eye out for missing mail. Fraudsters look for W-2s, tax refunds or other mail containing your financial information. If you don’t receive your W-2s and your employer indicates they’ve been mailed, or if mail looks like it has been opened before delivery, contact the IRS immediately.
If you believe you are a victim of tax identity theft or if the IRS denies your tax return because one has previously been filed under your name, alert the IRS Identity Protection Specialized Unit at 1-800-908-4490. In addition, you should:
- Respond immediately to any IRS notice and complete IRS Form 14039, Identity Theft Affidavit.
- Contact your bank immediately, and close any accounts opened without your permission or tampered with.
- Contact the three major credit bureaus to place a fraud alert on your credit records:
- Equifax, www.Equifax.com, 1-800-525-6285
- Experian, www.Experian.com, 1-888-397-3742
- TransUnion, www.TransUnion.com, 1-800-680-7289
- Continue to pay your taxes and file your tax return, even if you must do so by paper.
More information about tax identity theft is available from the FTC at ftc.gov/taxidtheft and the IRS at irs.gov/identitytheft.
There is a new scam you need to watch out for if, when you log into any of your accounts, you have to wait for a code sent by text message to your phone and enter it before you can log in. This more secure system is called "2-factor authentication". The two factors are:
- one thing you need to know: your password
- one thing you have to have: the text code on your phone
Now, criminal hackers are trying to get past this with a nasty trick you need to watch out for. Tens of millions of hacked user names and passwords have recently surfaced -- yours may be one of them -- and they are using these for this scam.
They send you a fake (spoofed) text that looks like it's from the company you have an account with, claiming that your account may be hacked or that there is suspicious activity happening.
In the same text they say they will send you your verification code and that you need to send that right back to them or your account gets closed. But if you text that verification code back, you have given the hacker just the thing they needed to hack into your account!
TIP TO STAY SAFE
If your accounts are protected by 2-factor authentication of this sort, the only time you will be sent the code is to verify an attempt to log into your account. That means if you did not just try to log in and you suddenly receive a verification code through a text message to your smartphone, it is because a scammer who already has your user name and password is trying to hack into your account.
Never provide your verification code to anyone. Only enter it into your smartphone or computer when you yourself are logging into a 2-factor authentication protected account. And as a reminder, never give out personal information, such as your Social Security number or credit card numbers, in response to a text message (or email), because you simply cannot know for sure who is really on the other end of that communication line.
Remember, Think Before You Click!
Customers have been receiving calls from individuals claiming to be from banking institutions. The callers tell customers that their Debit Card has been compromised in an attempt to get information from them. From the information we have received, it appears that the call system is automated and usually appears as an "Unknown Number".
If you feel you have received one of these calls, please contact our Electronic Banking department (440) 282-6188 to report it.
Please remember that we will never contact you by phone if your card is compromised. You will be notified by mail. Additionally, we will NEVER ask you for your full card number, account numbers, Social Security number or any other personal information over the phone.
Please Read Carefully:
Identity thieves are sending text messages to Ohio residents asking them to call their bank to reactivate debit/credit card accounts. The phone number given connects to a fraudulent group that steals card information. They try to make the phone number look local to your area. Often, the target of the text does not even have an account at the bank named in the message. This is a nationwide scam. If you receive one of these text messages, notify your bank and the bank referenced in the message immediately.
To notify First Federal Savings of Lorain, call our Electronic Banking Department at (440) 282-6197 or email customersupport@firstfedlorain.com
Online Phishing Attempt September 2, 2014