Security Awareness
ITS Security Training
Fall 2017
You are the target…
• You, and your access to University data, are now the primary target of hackers.
• Gaining access to your login information allows them to impersonate you, or use your computer, to gain access to UofM systems and data.
• Technology can address only a fraction of security risks.
Security Awareness Basics
• University Policies
• Password Security
• Email Security
• Safe Browsing
• Ransomware
• Privacy
• Data Security and Encryption
• Mobile Device Security
• Duo Account Security
• Securing The Human Training
• Reporting an incident
• Reminders
• Other Security Resources
UofM IT Security Policies and Guidelines
Policies:
• UM1337 – Data Access
• UM1535 – Acceptable Use of IT Resources
• UM1566 – Security and Protection of IT Resources
• UM1691 – Campus Data Security
• UM1804 – Information Security Program
• UM1805 – Email Use
Guidelines and Best Practices:
• http://www.memphis.edu/its/security/policies-guidelines.php
• http://www.memphis.edu/its/security/best-practices.php
Password Security
• Password Reuse
  • Maintain different credentials per service. Hackers know it’s hard to keep up with multiple passwords. If they get one, they will use it against other services hoping to gain additional access. Never use your University of Memphis credentials with another service.
• Password Complexity
  • Avoid over-simplified or very short passwords.
  • Use longer passwords composed of standard words that you can remember, or the first letter of each word in a sentence or phrase. The longer the password, the more difficult it is to crack.
  • The University of Memphis enforces a standard set of complexity requirements to help create strong passwords.
• Password Change Frequency
  • Frequency can be as important as complexity: a stolen password that has since expired is useless to the attacker.
  • The University of Memphis currently enforces a 6 month expiration policy.
Password Management
• ITS will never ask you for your password.
• Avoid writing passwords down or keeping them in an insecure text file or document.
• Email is not a password management system. Never email your password to anyone (including yourself).
• A password management utility is one option for storing personal passwords. Many exist that work on desktops and mobile devices. These encrypt your passwords, and many will also help you generate complex passwords.
• 1Password and LastPass are examples of password management utilities.
Email Security
• Email is one of the most common and most successful attack vectors on the internet. Recent statistics cite up to 90% of successful attacks against businesses as beginning with a malicious email.
• Emails can contain malicious files such as viruses and malware, link to malicious web sites, or try to coerce or convince you to give away personal information, like your username and password.
• Cybercriminals using email to attack businesses are becoming more and more effective at evading detection – technology alone is only marginally effective at blocking these new email threats.
Email Do’s and Don’ts
Do:
• Always verify the sender of a message.
• Always hover over web page links (URLs) in email messages to see where they link to – beware URL shortening services (like bit.ly) that may obscure the final web site destination.
• Be skeptical of messages with odd spelling/grammar, improper logos, or that ask you to upgrade or verify your account.
• Report suspicious emails to [email protected].
Don’t:
• Open an attachment from an unknown sender. Consider the source and whether or not the file was expected.
• Click on a link from an unknown sender.
• Email someone your username or password.
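The "hover over the link" check above can be automated for an HTML message body: compare what each link displays with where it really points, and flag shortener domains such as bit.ly. This is an added example and not part of the original training deck; the sample message body is constructed and the domains in it are placeholders.

```python
"""Flag links in an HTML email whose visible text does not match the real
destination (the mismatch you see when you hover). Added example, not part of
the original training deck; the sample message body below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}  # hide the destination

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []  # (href, visible text)
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lowercase hostname of a URL or bare domain ('' if there is none)."""
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def suspicious_links(html):
    """Return (href, text, reason) for each link a reader should not trust."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        # Link text counts as a claimed destination only if it looks like a URL.
        shown = host_of(text) if "." in text and " " not in text else ""
        if target in SHORTENERS:
            findings.append((href, text, "shortener hides destination"))
        elif shown and shown != target:
            findings.append((href, text, f"shows {shown} but links to {target}"))
    return findings

SAMPLE = (  # constructed message body: a mailbox-quota lure
    '<p>Quota full. <a href="http://login-verify.example.net/um">'
    'https://www.memphis.edu/myaccount</a> to upgrade, or use '
    '<a href="https://bit.ly/xyz123">this short link</a>. Info: '
    '<a href="https://www.memphis.edu/its/security">www.memphis.edu/its/security</a></p>'
)
```

Running `suspicious_links(SAMPLE)` reports the first two links and passes the third, whose text and destination agree.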
Email Threat Examples
• Phishing
• Viruses and Malware
• Email Spoofing
• Other Scams
Phishing
• Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. (Wikipedia - https://en.wikipedia.org/wiki/Phishing)
• Common phishing scams attempt to use coercion or scare tactics to get you to enter your username and password into a phony web site, such as:
  • A “required action” as a part of a system or quota upgrade
  • A “required action” to prevent email account closure
  • A “trusted” vendor, such as a fake Dropbox or Google alert
  • A “legitimate” banking alert
• Once they have your password, phishers use your account credentials to send more phishing messages, change financial account information or redirect checks/deposits.
Phishing Examples
Viruses and Malware
• Cybercriminals also use attachments to spread viruses or other malicious software (malware) to steal or destroy data.
• Malware can install keyloggers to capture everything you type, control your webcam/microphone, or send all of your data to remote servers that the criminal controls.
• The attachment typically arrives as a Word, Excel or PDF file and has to be opened before the malware triggers.
• Malware will take advantage of unpatched software.
• Some Word/Excel malware requires you to enable macros – always be suspicious of an attachment that asks you to “lower” your security settings when opening it.
Email Spoofing
• Also called Business Email Compromise, email spoofing typically uses an email address that mimics a trusted party, such as a manager, executive or co-worker, and can be difficult to recognize (especially on mobile devices).
• Typically these scams involve a wire transfer or request for sensitive files, such as W-2s or legal documents.
• There is usually some urgency involved to prevent the recipient from following up on the request directly or following procedures.
Email Spoofing Example
Advance-Fee Scams
• Most other email scams involve advance fees and check fraud, attempting to gain your confidence so that you move money on the criminal’s behalf.
• Nigerian “419” scams are the classic example – your help is needed to move a large amount of money out of a foreign country because someone is ill, has died, or the country’s government is after it. The victim wires money to assist and never receives anything in return.
• Newer variations include job offers – a sizable wage is sent in advance for a small amount of work; the check is deposited, and the victim is then asked to transfer part of it to another party to pay some debt. The original check bounces, and the victim has just wired their own money to the criminal.
Safe Web Browsing
• Keep your browser software version up-to-date.
• Keep any browser plug-ins up-to-date, especially Adobe Flash and Java, as these are targeted frequently.
• Hover over URLs and links.
• Make use of pop-up and ad blockers.
• Be aware of where Google or other web searches are sending you.
• Be careful when downloading software from the internet.
• If a website requests user information of any kind, make sure that website is using HTTPS. Look for the padlock or other indicators that the page is secure, such as an address that begins with https://
Ransomware
• Ransomware is a new type of malware that encrypts documents, pictures and other files, making them unreadable. The attacker then holds the decryption key for ransom until you agree to pay money, usually through an untraceable method such as Bitcoin or another digital currency.
• Ransomware assumes that you’ll pay to recover your files – if you back them up regularly, you have no need to pay the ransom.
• On UofM machines, store files on your network (H:) drives, UMdrive, etc. At home, use external drives or trusted cloud services.
Privacy
• Social media and networking sites, by definition, collect, maintain, and share personal identification.
• Be mindful of what information you share about yourself and your family online or with others in electronic communications.
• Social networking sites can be used by attackers to collect information about you to use against you. Social engineering attempts to use information the attacker knows about you and your relationships with others to build your trust.
• Always check your sharing settings to limit the information you share with public or untrusted users.
Data Security and Encryption
• Per policy UM1691, UofM employees are responsible for ensuring the security of the data that they access.
• Restricted or other sensitive data, as defined by the Classification of University Data document, should never be stored on insecure or unsupported storage platforms.
• Dropbox, Box, Google Drive, and other cloud platforms are not appropriate for the storage of Restricted University data.
• See https://www.memphis.edu/its/security/data-storage-guidelines.php for further guidelines on storing University electronic data.
• Restricted and/or sensitive data should be encrypted whenever possible. Supported encryption technologies are described at http://www.memphis.edu/its/security/policies-guidelines.php. Your LSP can assist with encrypting data.
• Keeping sensitive data on campus servers reduces the risk posed by a stolen mobile device or a compromised home computer.
• When disposing of old devices (desktops, laptops, flash drives, phones), ensure all sensitive data has been securely deleted. LSPs will assist with this process on UofM-owned equipment.
Mobile Device Security
• Keep your device software up to date – unpatched software leaves your device vulnerable to attack. Install operating system updates as well as updates to applications.
• Have anti-virus and/or anti-malware software installed, enabled and set to automatically update.
• Never leave your laptop or mobile device unattended. Thefts do happen.
• Encrypt laptops and external media that contain restricted or sensitive data.
• Make sure you back up your data frequently in case your device is ever lost or stolen.
• Ensure access to your mobile device is protected with a passcode and use built-in encryption settings to ensure that your data is safe if your device is ever lost or stolen.
• Consider using a remote tracking/wipe function if supported. For iOS devices, iCloud provides the “Find my iPhone” service for free. Android and other mobile operating systems also have similar functionality.
Duo Account Security
• Duo Account Security is a multi-factor authentication (MFA) solution that requires a second factor, something you have or have access to, when you log in to your account.
• That second factor could be an app on a mobile device, a phone call or text message, or even a one-time passcode.
• Whichever factor is used, the important thing is that should someone obtain your username and password, they will not have access to your phone or other device and would not be able to complete the login process.
SANS Securing The Human
• Security Awareness Training is mandatory for all Banner Finance / HR users.
• Training must be taken once a year and consists of a group of short videos followed by short quizzes.
• A certificate of completion can be printed at the end of the assessments.
• https://sso.securingthehuman.org/uofmemphis
Reporting Incidents
• Phishing / Spam email messages can be reported to [email protected].
• Real security incidents, such as compromised credentials, a compromised system or evidence of data exposure/release, can be reported using our online form at https://www.memphis.edu/its/security/incident-report.php.
Reminders…
• ITS will never ask…
  • … for your password via email or over the phone.
  • … for you to “confirm”, “upgrade” or “reactivate” your account via email.
  • … for you to follow a link to clean a virus from your email mailbox.
  • … for you to update or increase your email quota.
• When in doubt, forward suspicious emails to [email protected].
Other Security Resources
• ITS Security website
  • https://www.memphis.edu/its/security
• CIO blog
  • https://blogs.memphis.edu/cio
• Stay Safe Online – National Cyber Security Alliance
  • https://www.staysafeonline.org
• US-CERT
  • https://www.us-cert.gov
• FTC Privacy, Identity & Online Security
  • https://www.consumer.ftc.gov/topics/privacy-identity-online-security
• SANS Cyber Security Awareness
  • https://cyberaware.securingthehuman.org
Open Discussion
THANK YOU!
ITS Security
http://www.memphis.edu/its/security/