
Today is National Password Day

National Password Day is all about caring, but no sharing! Remember, do not use passwords that can be easily guessed.

Image with "No Nicknames", "No Birthdays", "No Quotations" and "No Pets"

Image courtesy of nakedsecurity 

Please also be reminded to activate Multi-Factor Authentication (“MFA”) on all available accounts, as MFA protects you if your credentials get compromised by requiring authentication via devices that you own/register. For information on NYU MFA, see: http://www.nyu.edu/it/mfa

For more information, please see:

  • https://www.ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security
  • Connect, Under Lock and Passphrase


National Consumer Protection Week (3/3-3/9)

Screenshot of a partial image of a coin jar with text on the right side reading "National Consumer Protection Week March 3 - 9".

National Consumer Protection Week begins on March 3rd! For information on identity theft, common scams and recommendations geared to consumers, check out the Federal Trade Commission’s (“FTC”) list of planned events. 

Additional Resources:

Annual Data Privacy Day (January 28th)

Data Privacy Day (“DPD”) is held annually on January 28th and is an international effort to create awareness around the importance of respecting privacy, safeguarding data and enabling trust. This year, DPD will spotlight the value of information. If you are seeking to better manage your privacy and how your data is collected and shared, you may be interested in the DPD 2019 event livestream. Please visit the following StaySafeOnline web page powered by NCSA (National Cyber Security Alliance), https://staysafeonline.org/dpd19-live/ for more information.

Additional Resources:

Make Your Holidays Happy With IoT Device Security

The internet of things (IoT) has introduced many smart devices with features that make our lives considerably more convenient by applying connectivity to everyday tasks. However, these conveniences also introduce both security and privacy concerns that need to be proactively addressed, such as data and credential theft, spying, and manipulation via device settings/functions. The following are best practices you can use to address the security concerns presented by IoT devices:

  • Immediately change default credentials. Malicious actors know or can easily obtain the manufacturer’s default credentials. 
  • Enable MFA (multi-factor authentication) on all devices which support it as MFA will further protect your devices if your credentials are compromised or stolen.
  • Review device default privacy and security settings – these settings are chosen by manufacturers; make sure they work for you and change them as/if necessary.
  • Disable features you don’t plan to use – doing so minimizes the device’s attack surface or potential for manipulation.
  • Keep device firmware up-to-date – apply updates/patches promptly as malicious actors seek to exploit known vulnerabilities which are addressed by patches.
  • Do not connect IoT devices to untrusted networks such as public WiFi networks – malicious actors may target devices connecting to these networks.
  • Secure your home WiFi network.
    • Use long and unique passwords for each device. For password tips please see the following Connect article, Under Lock and Passphrase.
    • Set up a firewall at your router to act as a barrier between your devices and possible threat actors.
    • Consider disabling SSID broadcasting. This prevents automatic transmission of your network name or SSID into the open air. If disabled, users will have to know your network name to connect to it. For more information, please see the following article from Lifewire: Disable SSID Broadcast to Hide Your Wi-Fi Network.

Additionally, for tips on router security, see the following NYU IT Security News & Alerts blog post: Home WiFi Router Security: What You Should Know.

Happy Holidays!

Decorative screenshot showing candy canes, small gold pine cones, small gifts in gold wrapping paper with red ribbon and holiday garland


Shop Safely This Holiday Season & Beyond

holiday themed image showing open laptop with credit card near track-pad, coffee and holiday themed items are visible near the laptop


The holiday season is the ideal time for cybercriminals to take advantage of unsuspecting or inattentive online shoppers. Protect your purchases, your sensitive information, your devices and the data stored thereon by making sure these precautions are part of your online shopping habits:

  • Regularly patch/update all of your devices – this is a general best practice – all internet connected devices, including IoT devices, should be regularly patched and updated. Patches address known vulnerabilities which malicious actors seek to exploit.
  • Strengthen your logins – fortify your online accounts whenever possible with the strongest authentication available, whether it’s multi-factor authentication (“MFA”) which involves authentication with a device and an application or code, or biometric authentication which may involve the use of a fingerprint or facial recognition software.
    For more information on NYU MFA, please visit: http://www.nyu.edu/it/mfa
  • Protect your devices with antivirus software – which will protect you from known viruses, spyware and malware.
    • NYU supported antivirus and malware protection software (for Windows or Mac) is available to all NYU degree seeking students, faculty, staff, and all NYUHome-eligible consultants for use on their personal and NYU-owned devices that connect to NYU-NET. Please see the Symantec Endpoint Protection access and eligibility KBase article for more information.
  • Be savvy about WiFi usage
    • Refrain from online shopping, performing financial transactions or accessing any of your online accounts on public WiFi even if it’s password protected. Although your local coffee shop may offer password protected WiFi, a hacker could be among the patrons and may be spying on all network activity and stealing credentials and other sensitive information.
    • If you must use public WiFi, connect to a virtual private network (“VPN”) first. For more information on NYU VPN, please visit: http://www.nyu.edu/it/vpn
    • To prevent your device from auto-connecting to open networks and to prevent other devices from connecting to your device(s), turn off WiFi and Bluetooth when not in use, or with respect to WiFi, make sure that you’ve set your device to ask you before it joins open networks.
  • Refrain from using public computers to access any of your accounts or sensitive information – these computers may be infected with spyware or keystroke loggers.
    • If you must use a public computer to access personal accounts/sensitive information, it is recommended that you change your password for all accounts you’ve accessed using a trusted device asap.
  • Phishing alert! Analyze email deals and always visit sites of interest by searching for sites or by typing URLs into your browser’s address bar – remember that it is not advisable to visit sites via embedded links in email messages. These embedded links may lead you to a forged login prompt where your credentials are stolen once you’ve entered them and the redirect may be to a spoofed website.
  • Shop on reputable websites – buy from known and trusted sellers. Look for the green padlock icon in your browser’s address bar followed by “https://” before entering your payment information. Remember, if an offered deal sounds too good to be true, it most likely is! Please also be aware that customer testimonials are not proof of the legitimacy of a website, as testimonials can be forged.
  • Your personal information has value, protect it – be alert to the types of information being sought when completing a transaction and fill out required fields only. If the information is not necessary, don’t supply it.
  • Safeguard your devices against theft and lock your devices when not in use – when on the go, your devices should always be in a secured location or within your reach and screens should be locked when not in use.
  • Be aware of identity theft – closely monitor your financial accounts for transactions you did not make/authorize.
    • For tips on preventing and correcting identity theft, please see the following NYU IT Connect article: Protect Who You Are Online.

NCSAM 2018 (National Cybersecurity Awareness Month)

October is National Cybersecurity Awareness Month (“NCSAM”). The overall theme of NCSAM is that security is everyone’s shared responsibility, and the month of October is dedicated to education about cyber threats, including tips and best practices.

NYU’s National Cybersecurity Awareness Month 2018 themes are:

  • Learn to Spot a Phony
  • IT Safety & Security at Home
  • Don’t Get Scammed by Short URLs
  • Are you Password Savvy?

Learn More and Earn a Chance to Win a Prize!

Throughout October, visit the Security Awareness website for new information, including short informational videos and quizzes that offer a chance to win movie tickets!

More Information

  • As always, tune into the IT Security News & Alerts blog for important announcements, and subscribe at the right to receive a copy of each post by email as soon as it’s published.
  • Check out Connect: IT at NYU for information security articles and news.
  • Finally, be on the lookout for NYU IT Facebook and Twitter posts throughout NCSAM for timely and informational tips and reminders.  

NJCCIC Membership

A recommended resource for anyone interested in receiving additional alerts, advisories and bulletins regarding emerging and cyber-related threat intelligence is the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). To receive information from NJCCIC, (free) membership is required. To join, please visit the NJCCIC membership web page. For more information on the NJCCIC, and to access available updates and resources, please visit the NJCCIC home page.

Home WiFi Router Security: What You Should Know

What a Router Does

Routers typically can create at least two different networks, one for private use and one for guest access. Routers also connect multiple networks and forward packets destined for their own or other networks. All of your devices (laptop, phone, tablet, etc.) therefore talk to the router, and the router in turn connects to a modem and protects your devices with a firewall.

Why Router Security is Important

A secure home router is an essential component of your personal information security as your router connects to the outside world, and may be targeted by automated scans and exploits that may not be visible to you. Additionally, please be aware of the following:

  • Although your router does not store information, sensitive information passes through it when you access various online accounts and services, and this data can be compromised if your router is hacked.
  • A compromised router can also be used to attack other devices on your local network such as your phone, tablet, laptop or smart devices, and can be used to launch denial of service attacks.  

Security Focused Routers

Some users opt to purchase security focused routers, which offer auto updates. However, there are a number of factors to be considered when evaluating security focused routers. These types of routers can be costly and often offer limited customization ability and require annual subscriptions for services. Before swapping out a device provided by your ISP, it is recommended that you confirm that:

  • the router provided by your ISP is a separate device rather than a single device (known as a “gateway”) that contains both the modem and the router.
  • you can bring your own device onto the network.
  • all available ISP provided services will work with the router you’re considering.  
  • the router you purchase will continue receiving firmware updates (product life cycles are often short, so you want to be sure that you’re not purchasing an end of life product).

Examples of security focused routers include:

Configuring and Securing Your Home WiFi Router

The primary recommendation is that you change the default administrator username and password that come with your router. For instructions and other recommendations for your home setup, please see the following article from the NJCCIC, How to Configure and Secure a Home Wi-Fi Router. A supplemental recommendation is to periodically reboot your router, as some malware strains will not survive a reboot.

Additionally, you can periodically check to see a list of devices that are connected to your router. To do so:

  • Go to an internet browser on one of your connected devices.
  • Go to www.routerlogin.net
  • Enter the router username and password
  • Select Attached Devices
    • To update this screen, click the Refresh button

If you see unfamiliar connected devices, you can change/reset your WiFi password.
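The "unfamiliar device" check above can be scripted once you have recorded the addresses of the devices you recognise. The following Python is an added example, not code from NYU IT or from any router vendor; the attached-devices table, the allowlist and the device names are constructed, and the layout of your own router's Attached Devices page will differ.

```python
import re

# Constructed sample of what a router's "Attached Devices" page might list
# (IP address, MAC address, device name). Not captured from any real router;
# the three MAC notations are deliberate, since routers and vendors differ.
ATTACHED_DEVICES_SAMPLE = """\
192.168.1.2   AA:BB:CC:11:22:33   family-laptop
192.168.1.5   aa-bb-cc-44-55-66   kitchen-thermostat
192.168.1.9   AABB.CC77.8899      (unknown)
192.168.1.12  AA:BB:CC:AA:BB:CC   phone
"""

# Constructed allowlist: the devices you recognised the first time you
# reviewed the page, keyed by normalized MAC address.
KNOWN_MACS = {
    "aa:bb:cc:11:22:33": "family-laptop",
    "aa:bb:cc:44:55:66": "kitchen-thermostat",
}

# Colon- or dash-separated pairs, or Cisco-style dotted quads.
MAC_RE = re.compile(
    r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^([0-9a-f]{4}\.){2}[0-9a-f]{4}$", re.I
)


def normalize_mac(raw):
    """Return the address as lowercase aa:bb:cc:dd:ee:ff, whatever notation was used."""
    if not MAC_RE.match(raw):
        raise ValueError(f"not a MAC address: {raw!r}")
    hexdigits = re.sub(r"[^0-9a-f]", "", raw.lower())
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_attached_devices(text):
    """Parse whitespace-separated 'ip mac name' lines into dicts; skip blank lines."""
    devices = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        name = parts[2].strip() if len(parts) == 3 else ""
        devices.append({"ip": parts[0], "mac": normalize_mac(parts[1]), "name": name})
    return devices


def unknown_devices(devices, known_macs):
    """Devices whose MAC is not on the allowlist: the ones to investigate."""
    return [d for d in devices if d["mac"] not in known_macs]


if __name__ == "__main__":
    for d in unknown_devices(parse_attached_devices(ATTACHED_DEVICES_SAMPLE), KNOWN_MACS):
        print(f"unfamiliar device: {d['ip']} {d['mac']} {d['name']!r}")
```

Phones that randomize their Wi-Fi MAC address per network will appear as unknown until you add the new address to the allowlist, so confirm a device is truly unfamiliar before resetting the WiFi password.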

Resources


The Top Seven End User Risks

The top seven end-user risks found in most organizations have been identified by SANS, and are detailed herein along with relevant NYU resources to help you combat these risks and stay secure in your work and personal lives.

Lack of situational awareness

Refers to people not realizing that they are targets. Awareness of social engineering strategies being used by scammers and utilizing awareness resources are strategies that can be used to address a lack of situational awareness. For more information on social engineering, see the following Connect article, Social Engineering Attacks and How You Can Protect Yourself. For NYU awareness resources generally, see NYU’s Security Awareness web page. Additionally, a subscription to this blog will provide you with up-to-date and timely information on information security threats and resources (the subscription option is visible along the right side of the blog).

Phishing

Refers to the targeting of individuals or groups using email, text messaging, phone calls or social media updates/messaging. For more information on these types of attacks and recommendations on how to protect yourself, please see the following Connect article, Phishing, Spear Phishing, and Whaling.  

Password reuse

Refers to the same password being used for multiple accounts. Once a scammer steals one password, that password will be tried in a variety of sites. Do not let the compromise of one account occasion the compromise of other accounts. Each account password should be unique and lengthy (12+ characters). Password length vs. complexity has been shown as the primary password safeguard. Further, consider using passphrases instead of passwords. For more information on password best practices, please see the following Connect article, Under Lock and Passphrase.

Using Unpatched or Poorly Configured Devices (BYOD)

Secure your devices by performing application and system updates/patching frequently, or as updates become available. Updates address known vulnerabilities which scammers will attempt to exploit on unpatched devices. For specific recommendations, please see the following blog post from the IT Security News & Alerts blog on Securing Your Mobile Device. Additionally, please see the following NYU KnowledgeBase articles, iPhone, iPod Touch & iPad security and Android security.

Indiscriminate Use of Mobile Media

Is a reminder to use WiFi and Bluetooth best practices (for more information, see the above-referenced blog post). Additionally,

  • no restricted data should be stored on your mobile devices. For information on NYU data classification and what comprises restricted data, please see the following webpage containing the NYU Data Classification Table.
  • install only well reviewed applications from reliable and trusted sources, such as Google Play or the App Store. Grant installed applications the minimum permissions necessary. If you are not comfortable with the minimum permission levels, do not install the application.

Data Leakage via Social Networking

Refers to the fact that social engineers regularly review social media sites and gather information on individuals and groups to target in attacks. For this reason, it is important to limit what you share about yourself and others. For example, none of your answers to security challenge questions, such as “what street did you grow up on?”, should be posted on social media. For tips on social media use, see the following blog post from the IT Security News & Alerts blog on Safe Social Networking.

Accidental Disclosure/Loss

Refers to the loss of mobile devices or physical media such as flash drives and to the unintended disclosure of information.

  • To avoid unintended email disclosure, a recommended best practice is to proofread the list of message recipients before sending an email, as inadvertent disclosure sometimes occurs due to the auto-complete feature or unintentional use of “Reply to all”.
  • With respect to flash drives, encrypted flash drives which require a PIN or password to access content are the most secure as the data will remain protected even if the drive is lost or stolen.
  • Please be reminded that any lost or stolen NYU provided mobile devices must be reported to NYU Public Safety at 2112-998-2222.

Reporting Tax-Related Identity Theft

As a follow up to the blog post on Tax Identity Theft Awareness Week, please note that the FTC has the following site, https://identitytheft.gov/, where consumers can report identity theft, including tax-related identity theft. Tax-related identity theft occurs when someone uses your Social Security number to file a tax return and claim a refund. For additional information, please see the FTC Consumer Information web page on A new way to report tax identity theft.

For information on ways to prevent and recover from identity theft, please see the following Connect article:  

Protect Who You Are Online