National Cyber Security Awareness Month 2017 Weekly Topics

Use strong passwords. Creating a secure password is not as hard as it seems. Good passwords should not be easily guessed and should not include personal information, any part of your name, relative’s, or pet’s names, Social Security number, birthday, or words commonly found in a dictionary. Instead of random characters you can create a passphrase – a sequence of words that would be memorable and meaningful to you only. Passphrases should have at least twelve characters, upper and lower case letters, numbers, special characters such as $, !, ?, # and &. For example, a phrase like “To Be or Not to Be” can become a passphrase “2B<>2bE!” or “Mississippi” could become “Mrs.Ippi.” Check the strength of your passwords. Visit the following website that calculates how long it would take a regular desktop PC to crack the password using a brute-force attack: http://howsecureismypassword.net/.

The average person is faced with numerous password protected websites. Password managers can capture passwords from sites you are using and automatically fill in saved log-ins and forms. They can also help to generate strong passwords for you.

Whether we’re traveling out-of-town or just across-town, we like to be connected. In most cases mobile devices may include a data plan from our wireless carrier, but we often seek out a WiFi connection so we don’t exceed our data cap or, in some cases, for faster access. Be aware that connecting to a public WiFi network can put you and your data at risk. You have to be sure you trust both the security and the operator of the network to which you are about to connect. Follow these tips to improve your WiFi security:

• Pick the Correct Network – Often your device will present you with multiple versions of the network name e.g. HotelGuest, HotelStaff, HotelFreeWifi. When in doubt, verify the correct network name and any sign-in credentials to be used by contacting someone from the front desk or conference center staff.
• Pick a Secure Network – Look for a network which has a lock icon beside its name. This means that a sign-in is required and would use a credential provided to you as a guest.
• Be Your Own Hotspot – Many mobile carriers allow you to use your smart-phone or tablet as a personal hotspot. While this still counts against any data plan caps, you can at least be confident that the network is secure when you connect with your laptop.
• Use Secure Webpages/Avoid Personal Data – If your only option is to connect to an unsecured, public hotspot be sure the webpages you use are secured using SSL. Look at the web URL and make sure it starts with HTTPS:// and also look for the ‘lock’ icon  or other secure-connection indicator in your web browser. Performing routine, low-risk activities such as reading  online news or watching a YouTube video is OK; but wait until you connect to a secure/trusted network before starting to work or passing sensitive personal, medical or financial data.
• Use a Virtual Private Network (VPN) Connection – Many organizations (including Marshall) will provide a VPN service for their community to use. Once a VPN connection is established, all data is passed within a secure tunnel between your device and across the Internet back to the VPN provider. Click here for information on the MUNet VPN service.

The Internet contains a vast collection of websites and content providers. Be aware that there are some websites which can put you and your data at risk. Follow these pointers to ensure your computer or mobile device is not vulnerable when browsing the web:

• Keep your device OS up-to-date – Whether you have a PC, Mac, tablet or phone, understand how to check for and apply the latest security updates for the operating system (OS) of your device.
  • Windows Updates
  • Mac Software Update
  • iOS for iPhone/iPad – Settings -> General -> Software Update
  • Android for phone or table – Settings -> About (or System) -> Software Update
• Keep your browser up-to-date – If you keep your device OS updated, then its default web browser (Edge, IE, Safari, etc.) will be automatically updated. However if you are using an alternative web browser, you may need to take an extra step. Common browsers include Mozilla Firefox, Google Chrome, and Opera. Take a moment and check with the vendor’s website to make sure you are running the latest version. In most cases, these products are all now configured to auto-update when a new release comes out. Check your version to be safe.
• Keep your browser plug-ins up-to-date – Today’s browsers provide you with a lot of functionality. But in some cases, they rely on components called ‘plug-ins’ to provide additional features. Common plug-ins include Adobe Acrobat Reader, Adobe FlashPlayer, and Oracle Java. Online criminals and hackers regularly target vulnerabilities present in these plug-ins because they are installed on most computers and frequently are not updated regularly.
  • Web Security TIP:  Received an e-mail which contains a link to a suspicious website? If you have a mobile device which runs iOS or Android, and your device is up-to-date, you may consider previewing the link on this device before opening on your computer. Mobile web browsers do not use plug-ins and so are not susceptible to the types of malware which may be targeting a desktop or laptop. If it is suspicious, delete it.
• Keep your e-mail application up-to-date – If you use a full-featured e-mail application such as Microsoft Outlook, Mac Mail, or similar, be sure to regularly check for updates on these products as well. These apps may be configured to check for updates as part of the same Microsoft Update or Apple Update process used by your operating system. MacOS, iOS and Android users should also check the AppStore on a regular basis for updates.

Whether you have a Windows PC or an Apple Mac, having antivirus protection is important. Marshall students, faculty and staff are licensed to use Symantec Endpoint Protection antivirus software on their personally owned computers. You may download it from https://www.marshall.edu/antivirus. It is also important to keep both your antivirus software and its definitions updated. Out-of-date or expired antivirus products cannot protect your computer against current malware threats. Scan your computer for viruses regularly. Malwarebytes is a very effective malware scanner. A free version is available for personal use at http://malwarebytes.org/

Learn more about installing Marshall’s antivirus and how to avoid malware infections at https://www.marshall.edu/it/files/2017Malware.pdf.

A phishing email is an email intended to trick the recipient into giving up personal information such as account credentials, credit card numbers, or social security numbers. Some phishing emails threaten a dire consequence if you don’t respond. The messages direct you to a website that looks just like a legitimate organization’s site, but it isn’t. It is a bogus site whose sole purpose is to trick you into divulging your personal information so the operators can steal your identity and run up bills or commit crimes in your name.

You should think twice before clicking a link or opening an attachment in any email, even ones coming from someone you know. There are several ways of identifying a phishing email. If the email looks like it is coming from a company, such as a bank, UPS, or Amazon, check the sender’s email address. If it is not from the business’s domain – such as info@amazon.com – it is likely not a legitimate message from that company.

You can also hover your mouse over a hyperlink in an email and the web address will be revealed without you having to click on it to visit the potentially malicious website. If the URLs in an email don’t match with the business’s website, don’t click on the link.

For more tips about phishing, visit https://www.marshall.edu/it/departments/information-security/phishing-scams/

Multi-factor authentication is a great way to secure your accounts. In addition to a password, you need a temporary, random code that is sent to your mobile device or authentication app in order to authenticate. This means that for a cyber criminal to log into your account, they would need both your password and access to your mobile device.

Most popular websites allow you to turn on multi- or two-factor authentication. Below are tutorials for some of the most popular sites. Check with your banking and credit card companies’ websites to see if they offer multi-factor authentication methods so you can secure your financial information, as well.

• GOOGLE: Enabling 2-Step Verification
• FACEBOOK: Enabling Login Approvals
• TWITTER: Enable Login Verification
• SNAPCHAT: How to Turn On 2FA
• LINKED IN: Turning Two-Step Verification On and Off
• AMAZON: Turning on Two-Step Verification
• YAHOO: Two-Step Verification
• APPLE: Two-Factor Authentication for Apple ID

It is important to regularly download updates and patches for operating systems and other software. Unpatched and out-of-date operating systems and applications are the primary target for malware infection and dissemination. Malicious exploits develop very rapidly and updating just the operating system alone is no longer sufficient. Malware authors are constantly looking for a new attack surface in commonly used programs such as Adobe PDF Reader, Adobe Flash and Microsoft Office. According to the SANS paper “The Top Cyber Security Risks,” application vulnerabilities exceed OS vulnerabilities.

Marshall University has a licensed system called Quest KACE K1000 Management Appliance. All university-owned computers have a lightweight KACE client installed on them which will periodically remind the computer user when critical software updates are needed and ask for permission before downloading and installing those updates.

For questions about the Quest KACE appliance, please contact the IT Service Desk at itservicedesk@marshall.edu.

The MU Information Security office strongly recommends using antivirus and provides an antivirus software solution, Symantec® Endpoint Protection (SEP), to all current Marshall students, faculty, and staff at no extra charge.

The use of Symantec Endpoint Protection on personally owned devices is optional, but highly encouraged. University owned devices all have a Symantec Endpoint Protection client installed and these clients are managed by a central server housed in the IT department. Using a managed client allows the university to detect threats on clients and block attacks such as zero-day or ransomware attacks.

To download Marshall’s licensed antivirus software, visit www.marshall.edu/antivirus.

The Internet of Things, or IoT, is any device that sends and/or receives data automatically via the web. This rapidly expanding set of “things” includes tags, sensors, and devices that interact with people and share information, machine to machine.

These technologies provide a level of convenience to our lives, but they require that we share more information than ever. The security of this information, and the security of these devices, is not always guaranteed. Though many security and resilience risks are not new, the scale of interconnectedness created by the Internet of Things increases the consequences of known risks and creates new ones.

Types of IoT all contain sensing devices, which allow consumers to control remotely. They collect data and communicate with each other providing many benefits for daily activities. Types of IoT devices include:

Cars

• Direct you to an open parking spot
• Email maintenance alerts
• Offer alternative routes in bad traffic

Wearables

• Track eating, sleeping, and exercise habits to help you maintain a healthy lifestyle

Healthcare

• Transfers basic information to your physician and may cut down number of office visits
• Sends alerts if an emergency occurs

Lighting

• Tracks your daily patterns with utilities adjusting accordingly

Appliances

• Allow you to turn on or off your appliances remotely, such as preheating your oven when you’re away from home

Home Security

• Locks and unlocks doors remotely
• Added layer of protection with video cameras
• Alarms provide emergency notification of intrusion or fire

These devices make our lives easier and provide invaluable benefits, however we can only reap these benefits when our IoT devices are safe and secure. Below are three simple steps you can take to keep your IoT devices secure:

1. Keep a clean machine. Like your phone or PC, keep any device that connects to the internet free from viruses, malware, and other online threats. Update apps you use to control devices whenever a new version is available.
2. Think twice about your device. Have a solid understanding of how a device works, the nature of its connection to the internet, and the kinds of information that is stored and transmitted.
3. You are only as strong as the network to which you connect. If you haven’t’ properly secured the network your devices are connecting to with proper passwords, updated software, and maintenance of other connected devices, your IoT could be vulnerable.

The cybersecurity industry is booming. The average cybersecurity professional earns three times more than the average worker, and according to the U.S. Bureau of Labor Statistics, jobs as network systems and information security professionals are expected to grow by 53% in the next four years. Here are some more tips on how you can reach your cybersecurity career goals:

Get Credentialed. Four out of five cybersecurity jobs require a college degree.

Get Experience. Get involved and test the waters through volunteer work and internships. Offer to help IT professors at school to gain experience. Or become a white hat hacker and help top tech companies find bugs within their software. Facebook, Google, Microsoft, Yahoo!, and PayPal all have “bug bounty programs,” or rewards for reporting vulnerabilities.

Get in the Game. Check out these great ways to learn about cybersecurity in a competitive environment:

• Take part in a U.S. Cyber Challenge – uscyberchallenge.org
• Check out the Global CyberLympics – cyberlympics.org

Get Smart. Keep up with the buzz on internet security. Follow top cybersecurity personalities on Facebook or Twitter and read up on the top headlines. Join the conversation #NCSAM on Twitter and Facebook – https://staysafeonline.org/get-involved/

Get Ready. To find out whether a cybersecurity career is right for you, a great place to start is the National Initiative for Cybersecurity Careers and Studies (NICCS). From career resources to learning more about job profiles, NICCS is a go-to guide on becoming a cybersecurity professional – https://niccs.us-cert.gov/

• https://www.onetonline.org – Tool for career exploration and job analysis; Great for people seeking first jobs, new jobs, or better jobs.
• https://www.usajobs.gov – Search and apply for federal jobs; Learn about unique hiring paths for veterans, students, graduates, individuals with a disability, and more.
• https://www.dice.com – Career website which serves information technology and engineering professionals; Has approximately 60,000 technology job listings.
• https://www.marshall.edu/careereducation/ – Marshall University’s Career Services website; Has resources for job search and career development opportunities.
• https://marshall.joinhandshake.com/login – Marshall University resource available to students and alumni to find part-time, full-time and internship opportunities; Research local, regional, national, and international employers; Explore career trends, salaries, skills needed, etc. Access also available through MyMU.
• MU Career Service FREE services for alumni.
  • Career Assessment and Planning
  • Resume Development and Revision Assistance
  • JobTrax Career Management System
  • Career Expos and Individual Employer Recruiting Events
  • Mock Interviews
  • Professional Skill Development Opportunities
  • Job Search and Networking Assistance

Open Monday – Friday 8am-5pm. Walk-ins welcome. For more information or to schedule an individual appointment, call (304)696-2370 or email career-graduateadmissions@marshall.edu.

• Digital Forensics & Information Assurance degree program – Prepares students to meet the challenges of today’s cyber threats. Digital forensics and information assurance skills are in high demand in law enforcement, business, government, defense, intelligence, and the private sector. The program has a solid foundation in science, technology, and communication skills. Students learn to conduct forensic analysis on a variety of devices and systems, defend a network, testify in court, and conduct penetration tests, among other skills. Hands-on labs and experiences are a central part of the program. Students are exposed to a wide array of professional tools including hardware and software.
• Information Assurance Certificate Program – Evidence of information assurance coursework is required for many government and private industry positions. This certificate will meet the government requirements for certification and continuing education for several information security certifications including Security+, CEH, and CISSP.

Our nation’s critical infrastructure runs on the internet. The systems that enable us to live our daily lives – the electrical system, financial institutions, transportation systems, and more – are all dependent on a digital ecosystem. As cyber breaches continue to rise in frequency and scale, it is critical for all Americans to understand their role and take steps to protect our critical infrastructure.

Each day, people connect to the nation’s critical infrastructure without even realizing it from their mobile devices and computers. Here are some ways to do your part in helping secure our critical infrastructure.

• Keep a clean machine. Keep the security software, OS, and web browser on your devices updated to prevent attackers from being able to take advantage of known vulnerabilities.
• Enable stronger authentication. Always enable strong authentication for an extra layer of security beyond the password. Strong authentication helps verify a user has authorized access to an online account. For more information about authentication, visit the new Lock Down Your Login Campaign at www.lockdownyourlogin.com.
• When in doubt, throw it out. Links in email and online posts are often the way cyber criminals compromise your mobile devices. If it looks suspicious – even if you know the source – it’s best to delete or mark it as “junk” email.
• Make your passwords long and strong. Use complex passwords with a combination of numbers, symbols, and letters. Use unique passwords for different accounts.
• Secure your WiFi network. Your home’s wireless router is the gateway entrance for cyber criminals to access all of your connected devices. Secure your WiFi network by changing the factory-set default username and password.