Tip of the Week

Use a Few Personal Email Accounts

Email is used for many different things. You often have to give an email address to create an online account, be added to a mailing list, converse with friends and family, and a host of other reasons. It is a good idea to have distinct email accounts for these different needs. Worried about your inbox filling up with spam? Have one just to give out when it is required online. Have another more personal one to give to loved ones. And always keep your UTHSC account for UT business only. (9/16/2022)


Keep a Clean Desk and a Clear Screen

For security purposes, having a clean desk involves removing any sensitive information from your desk every day, no matter where your desk may be located. This includes USB sticks, notebooks, business cards, and printed documents. Inadvertently leaving them out is an invitation to data theft. Don’t assume because you lock an office door, or you work from home, that information on your desk is safe. 

Having a clear screen means that you lock your device when you leave it unattended so that someone else cannot view potentially sensitive information. Don’t wait for the 10-minute lock to take effect on UTHSC devices, but lock the screen when you leave your desk. The keyboard shortcut for locking on a Windows device is the Windows Key + L. For Macs, Command + Control + Q. (9/9/2022)


Don’t Assume You’re Safe

It can be easy to shrug off the danger of a cyberattack as something that won’t happen to you because you’re just a regular person with an everyday life. But if your information ends up in the wrong hands, hackers don’t care. One of the most dangerous threats to cybersecurity is complacency. Be sure to proactively try and prevent your data and information from being compromised so you won’t have to try to fix it should the worst happen. (9/2/2022)


Who is the CISO in Your House?

We all take on different roles in our households, whether we live with family, friends, or even alone and have to shoulder all the jobs ourselves: cook, maid, tutor, but also chief financial officer (CFO) and chief executive officer (CEO). Every family should also have a designated chief information security officer (CISO), an individual who makes sure all assets are adequately protected.

Your home, cars, bank accounts, personal information, and other assets are highly valuable in both the physical and cyber worlds. They need to be protected. At UTHSC, we develop and implement security controls to make sure people who shouldn’t access information don’t. We have passwords, two-factor authentication, encryption, badge access to certain areas, and other controls in place. 

So, who does that for your belongings? Who checks the doors and windows, installs security cameras, changes the default password on the wi-fi access point, and updates software on all the family members’ devices?

There needs to be someone in charge of doing these things, and it should not be a teenager just because “they know the most about that technical stuff.” They can be IT consultants, but they shouldn’t be making the decisions about what controls to put in place.

If you are more security conscious at home, you will bring that culture to campus. If you want any advice on personal security controls, please contact the Office of Cybersecurity at itsecurity@uthsc.edu for a consultation. We’d be happy to help.  (8/26/2022)


Piggybacking: Physical Social Engineering

When discussing social engineering, or the art of human manipulation, we usually are talking about phishing emails. However, there is another form that you need to be aware of and cautious about. Piggybacking, or tailgating, is a technique to gain physical access to restricted areas by following a person that has access. 

Tailgating most often occurs when an employee holds the door for another person out of politeness. Not that we want everyone to be rude, but all reasonable people can understand that we cannot sacrifice security for politeness. It is OK to question the need for a person’s access to a building, floor, lab, or department. If you see a suspicious individual loitering or trying to gain access to UTHSC resources, Campus Police can back you up. Call them at 448-4444. (8/19/2022)


Take Time To Limit Exposure of Private Information

Default options on certain websites may be chosen for ease, not security. For instance, avoid allowing a website to remember your password. If your password is stored, your profile and any account information provided on that site are readily available if an attacker gains access to your computer. Better security would be to use a password manager that creates complex passwords for you and manages their use.

Additionally, evaluate your settings on websites used for social networking. The nature of those sites is to share information, but you can restrict access to limit who can see that information. Check your privacy settings for these accounts.  (08/12/2022)


Be careful with links and when entering website addresses

Use caution when clicking directly on links in emails, even if the sender appears to be someone you know. Attempt to independently verify website addresses (e.g., contact the ITS Service Desk, search the internet for the sender organization’s website or the topic mentioned in the email). Pay attention to the website addresses you click on, as well as those you enter yourself. Malicious website addresses often appear almost identical to legitimate sites, often using a slight variation in spelling or a different domain (e.g., .com instead of .net).

For an example, see the right-hand side of our phishing SPAR page.  (08/05/2022)


Back Up Data On Your Devices Before Traveling

Many applications allow you to set up regular automated backups of your data, which is great for day-to-day data preservation. But when you’re traveling, particularly internationally, this could be costly or ineffective due to connectivity or restrictions on your plan. To ensure you have a reliable account of your data before you go away, perform a manual backup which, should the worst happen, you can recover on your return. That way all you will have lost is whatever you’ve accumulated or changed whilst on your trip. (07/28/2022)


Activate Administrator Privileges to Protect Yourself and Your Family

Having local admin rights means that you have full control over a local computer, including the authority to add and remove hardware and software. If you have a family or shared computer, make sure everyone using the device is protected by adding administrative controls to restrict downloads and installations.

Many modern operating systems allow you to require approval from an administrator (i.e., primary user) before executing scripts, device drivers, and system firmware. Adding this feature will make sure those that are less tech-savvy, whether young or old, do not install harmful software when they fall for a phish.

To set up an account as an administrator in Windows:

    • Click the Windows Start button
    • Click Settings
    • Select Accounts
    • Choose Family & other users
    • Click on your user account under the Other users panel
    • Select Change account type
    • Choose Administrator from the dropdown

As the administrator, your password or PIN will be required to authorize downloads and installations on the computer.

If you have Macs, Apple has a support page guiding you through the setup. (07/22/2022)


Only Use Your Own Devices and Do Not Let Others Use Yours

Especially when you want to do anything that requires you to log in, avoid using other people’s computers or devices. This goes for public access machines in cafes or libraries too. Bad actors can install a type of malware known as a keylogger, which tracks every keystroke and stores it, allowing them to discover your credentials and passwords. Additionally, be very careful of who you allow to access your devices, to ensure they aren’t installing malicious software too. (07/15/2022)


Be Cautious of Amazon Prime “Deals”

Amazon Prime Days for 2022 are next Tuesday and Wednesday, July 12-13. No, this is not an advertisement for Amazon Prime but a warning that scammers take advantage of these large-scale events to phish their way into your money and personal information. Be cautious of any “too good to be true” deals and verify that any correspondence you receive is legitimate, whether it comes via email, text, or phone call. (07/08/2022)


Parental Controls Aren’t Just for Kids

Parental controls are generally used to protect children from certain things on the internet, allowing them to browse freely without the risk of coming across harmful content. But they can be used by adults to protect themselves from potential security risks too. Delve into the specifics of parental control settings — such as blocking gambling sites — and make use of their customizability to tailor your browsing experience and take the pressure off. (07/01/2022)


USB Cords Are Used For More Than Charging

A USB cord can be used to transfer data as well as charge a device. Whenever you connect a device to a computer, both the device and the computer may be compromised. If you have a device that charges through USB, only connect it to trusted computers. Connecting such a device to a public computer could represent a security risk. You can also purchase an adapter that will allow you to charge the device directly in an electrical outlet. (06/24/2022)


What Google Knows About You

We’ve talked about privacy settings for online accounts and social media before. But do you REALLY know what Google knows about you? Go to Takeout.google.com to find out. There are about 50 different types of activities that include browsing history, location history, calendar info, contacts, where you’ve driven to, where you’ve shopped, and so much more. You select the data you want to know about, then export it. 

What can you do to limit the information Google keeps and shares? You can go to https://myaccount.google.com/data-and-privacy and start toggling off anything you don’t want Google to share. And while you are there, go to https://myaccount.google.com/security and turn on “2-step verification”. This will protect your account if someone, for example, phished you and got hold of your password. Now, because they won’t have the code sent to your phone, the password would not be enough to take over your account. This is why we use DUO at UTHSC, to protect you and your information.  (06/17/2022)


Email Spam – Don’t Click the Links

Certain spam messages are sent using generators that try variations of email addresses at a domain. If you click a link inside an email message or reply to a particular address, you may have just confirmed that your email address is valid. Unwanted messages that offer an “unsubscribe” option are particularly tempting, but this is frequently just a technique for gathering usable addresses that are then targeted for more spam. (06/10/2022)


Identify Social Engineering Patterns in Chats and Direct Messages

Chats and direct messages (DMs) are essential features of platforms like social media networks and online gaming services. Their popularity makes them common channels for social engineering scams, though. Don’t click suspicious links or give out sensitive information in these online exchanges, particularly not to people you’ve just virtually met. (06/03/2022)


Protect Your Personal Data When You’re Not At Home

Even if you’re not home and using your devices, hackers could still break their way into your network or crack your computer. One way to ensure this doesn’t happen is to disconnect the device from your internet connection entirely. Without a network connection, they can’t access your device or steal your data. But you can also take this one step further by turning off your Wi-Fi before leaving the house. This way you won’t need to disconnect every device one by one. (05/27/2022)


Think Twice Before Saving Your Payment Information Online

If you frequently shop from one particular website you may be tempted to save your payment information for a faster checkout process. Although quick and convenient, saving credit card numbers online means putting your financial information in the hands of someone else. If that data were ever compromised, your credit card information could be stolen by malicious hackers. When it comes to protecting your personal data, it’s better to be safe than sorry. (5/20/2022)


Shop Online Only From Secure Websites

Whether you’re shopping for a birthday present, holiday or just treating yourself to something special, ensure you’re doing so from a safe and reputable website. Anytime you input sensitive information, like credit card numbers, you risk exposing yourself to malicious third parties. Check that the website you’re buying from uses SSL protection by taking a quick glance at the URL. If it includes an “s” at the end of the “http,” that means you’re good to go. (05/13/2022)


Know the dangers of contactless payment methods

Contactless payment refers to using your smartphone, smartwatch, or other wearables to make digital payments in lieu of physical tender. This can be a great convenience for people that prefer to leave their wallet at home, but also spells a great danger if your device falls into the wrong hands, especially if you’re using a smartphone. Why? Because many contactless payment methods can be used on mobile phones without needing to input a passcode. In many countries, including the U.S., smartphones can be used as transportation cards for public transit. (05/06/2022)


Beware of Phishing Scams Disguised as Social Media Games

Have you ever completed a quiz on Facebook? Although questionnaires are good fun, cybercriminals sometimes design them to solicit personal information. Be wary of any that ask you to share personal information in the comments section, such as your first job or your pet’s name. These are often the type of questions used to authenticate login credentials or request a change of password. Watch out for any that ask you to provide sensitive information over social media or come from a suspicious source.

Remember to report any suspicious correspondence you receive on your UTHSC accounts to abuse@uthsc.edu.  (4/29/2022)


Plugins Can Be Security Risks. Only Use the Plugins You Need

While plugins can make browsing easier, plugins can also represent security risks. Keep the number of plugins you use at a minimum. Uninstall or disable any plugins that you are not using and keep the plugins that you do use updated often to protect yourself against security issues. Only install plugins from reputable companies. (4/22/2022)


Traveling this Weekend? Keep Your Devices Safe At All Times

It’s best to limit the devices you take with you on trips to a minimum. Whether it be a smartphone, tablet, or computer, any one of these devices could expose your personal information if it’s misplaced or falls into the wrong hands. If you can’t bring them with you, tablets and computers are best left in the hotel room, in a safe or at least not visible. Smartphones should be kept with you at all times. Criminals are known to target tourists, and smartphones contain hoards of private data – including itinerary and travel information. Take extra caution when traveling and secure your devices at all times. (4/14/2022)


Use Common Sense When Posting Online

Before posting something online, think about what value it provides and consider the consequences of having that information available to the public. The more information an attacker can gather about you, the easier it is to pretend to be you. Portray yourself online in the way you would behave in your daily life, particularly when it involves protecting yourself. (4/8/2022)


Fraud Can Occur Through Bank Accounts and Credit Cards Without Notice

Fraudulent or simply incorrect transactions may occasionally hit your bank accounts or credit cards without you noticing. Some criminals will even test out new bank accounts or credit cards by putting through very small transactions, which will usually go unnoticed. Check your accounts often and follow up on any unusual activity. Even a small deposit in your transactions might actually be a criminal trying to determine whether your account is active. (4/1/2022)


Social Engineering + Unpatched Vulnerability = Hacked

For this week’s tip, we offer a video from Rachel Tobac, who is known for being a social engineer and ethical hacker. In the video, she explains how she hacked billionaire Jeffrey Katzenberg by exploiting an unpatched vulnerability on his computer and pretending to be someone he knew and trusted.

In this video, you can learn how the bad actors:

  • spoof phone numbers
  • create a very similar email address for someone you trust
  • use voice modulators to pretend to be someone you trust
  • exploit an unpatched system
  • steal information

If you think you are safe because you are not a billionaire, don’t have a large social media presence or lots of “valuable” information, think again. You and your data are valuable! (3/25/2022)


Resolutions to Stay Safe Online and Practice Good Cyber Hygiene

How are those New Year’s resolutions going? Lenten resolutions? It is never too late to resolve to improve your habits. With the increased global threat of cyberwarfare, now is a great time to review how to protect yourself and your loved ones online and practice good cyber hygiene.

Resolutions:

  • I will not say, “I’ll install those updates later.” – Keeping your devices, applications, and software up to date is one of the most important things you can do to keep your data safe and secure. For example, do you know that Windows 10 version 1909’s end of life is May 11, 2022 (less than two months)? Whether your UTHSC device or a personal one, check for updates! Not just operating systems but applications and browsers too. If you aren’t using software anymore, uninstall it.
  • I will set up multi-factor authentication – We use Duo at UTHSC, but if you have any personal account with sensitive information, protect it with another layer besides just a password. And we mean Google and social media accounts. They are a wealth of information about you!
  • I will not click on links in messages I’m not expecting – note that we no longer say emails because the bad actors are using other platforms to get your attention now. Texting, social media, and even calling directly are ways to social engineer you. Don’t engage in suspicious communications. If they are delivered to your UTHSC accounts, forward them to abuse@uthsc.edu for examination.
  • I will monitor my credit and banking information – are you still old school enough to wait for a paper statement each month from your bank? Do you know how much activity bad actors can do in that time frame? Set up online monitoring (behind strong authentication practices) and know your credit score to keep your identity yours.
  • I will back up my data – what would you do if your information got erased from your device? Do you have a backup? If so, where is it? Creating routine backups of important files and data on secure hard drives or in the cloud can help protect against data loss in case of corrupted files or a data breach.

For more information on Security Preparedness and Response (SPAR) topics, visit the Office of Cybersecurity’s homepage. (3/18/2022)


Try Using Nonsensical Phrases for Passwords

We remind you constantly to use strong, unique passwords for your separate accounts. So here is some advice on how to do just that! Try using your own terms by thinking of nonsensical phrases – e.g. “the Seahorse and the Plumber were preparing four pancakes!” and abbreviate it into a string [tSatPwp4p!]. Extra tip — don’t say your phrases out loud while you type them! (3/11/2022)


Be Mindful of Insider Threats

As tough as it is to believe, some cyberattacks originate from inside the company under attack. Whether it be a malicious insider or a careless employee, plenty of data breaches occur from within an organization.

An insider threat is a human security risk that originates within an organization. According to the 2019 Verizon Data Breach Investigation Report, a third of all data breaches within organizations involve internal staff. Part of patient safety and protection of our University is knowing what is acceptable while accessing UTHSC technology, data, and resources. Help combat insider threats by understanding your responsibilities and reporting violations that expose us all to this threat.

Any violations or suspicious behavior should be reported to the Office of Cybersecurity at itsecurity@uthsc.edu.

Examples of an insider threat include:

  • Malicious Insiders
    • a disgruntled employee
    • someone who has access to information they shouldn’t
  • Negligent Insiders
    • someone tricked by social engineering
    • someone who doesn’t know how to protect the data they have

Both negligent and malicious insiders are highly dangerous. Their actions must be detected before any harm is done, such as granting access to sensitive data, bypassing approved security protocols, or leaking data.

Insider threats can be difficult to spot, and vigilance is needed from the UTHSC community to protect our assets. Here are some signs to watch for:

  • personality and behavioral changes
  • disagreements with coworkers/campus policies
  • accessing large amounts of data when that is not part of normal work processes
  • odd working hours
  • attempts to move data offsite
  • staff and/or students permanently leaving campus
  • unauthorized attempts to access servers and data
  • authorized but unusual access to servers and data
  • financial distress/unexplained financial gain (3/4/2022)

Don’t Be Truthful On Your Security Questions

This might seem like unexpected advice but think about it: If someone finds key details about you online, that information may help answer the security questions for accessing an important account. Consider not being completely truthful on purpose to deceive would-be attackers. Another option is to select opinion-based questions like “What is your favorite color?” (2/25/2022)


QR Code Scams and the Super Bowl

If you watched the commercials during the Super Bowl last Sunday, you probably saw a QR Code bouncing on your screen. For 20 million viewers who were curious enough to scan the QR Code WITHOUT KNOWING ANYTHING ABOUT IT, the code took them to a Coinbase website. Only in the ad’s final seconds was it revealed who sponsored the commercial.

Last month, the FBI warned the public to guard against QR code scams, but 20 million people in less than a minute did two things:

  • crashed Coinbase’s website
  • proved to scammers that the average person will fall for a scam if delivered in a way we trust

Criminals can circulate look-alike QR codes to try and trick unsuspecting users into loading up scam websites. For example, a QR code can be designed to lead you to a seemingly legitimate website from a company you trust. But in reality, the landing page has been designed to log your email address, password, or credit card information and hand it off to scammers.

QR code technology is basically a barcode. Once scanned, it will decode into a URL that, if tapped, will direct the user to a webpage. To protect yourself, double-check the URL to make sure it looks authentic. Use your SPAR training to examine the URL for misspellings or wrong words. If possible, the safest thing to do is bypass the QR code itself and check out official websites through a browser. And please, don’t scan a QR code you know nothing about! (2/18/2022)
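The URL checks described in this tip and in the earlier tip on links (misspellings, a different domain ending, a missing "s" after "http") can be scripted. The following is an added example, not UTHSC code: the allowlist, the function names, and the sample URLs under the reserved `.example` ending are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a short allowlist of two-label domains you actually use.
TRUSTED = {"uthsc.edu", "google.com"}


def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def base_domain(host):
    """Last two labels of the host. Simplification: production code should
    consult the Public Suffix List (e.g. for names under .co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_url(url, trusted=TRUSTED):
    """Return (verdict, findings); verdict is trusted, suspicious or unknown."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if "@" in parts.netloc:
        # Text before "@" is login data, not the site; the real host follows it.
        findings.append("userinfo-in-url")
    if not host:
        return ("suspicious", findings + ["no-host"])
    if any(label.startswith("xn--") for label in host.split(".")):
        # Punycode label: the displayed name may contain look-alike characters.
        findings.append("punycode-host")

    base = base_domain(host)
    if base not in trusted:
        name, _, tld = base.rpartition(".")
        for t in sorted(trusted):
            t_name, _, t_tld = t.rpartition(".")
            if name == t_name and tld != t_tld:
                findings.append("tld-swap:" + t)
            elif len(t_name) >= 4 and 0 < edit_distance(name, t_name) <= 2:
                findings.append("misspelling:" + t)
            if host.startswith(t + ".") or ("." + t + ".") in host:
                # Trusted name used as a subdomain of someone else's domain.
                findings.append("trusted-name-as-subdomain:" + t)

    if findings:
        return ("suspicious", findings)
    return ("trusted" if base in trusted else "unknown", findings)


# Constructed sample URLs, e.g. as decoded from a QR code or copied from an email.
SAMPLES = [
    "https://myaccount.google.com/security",
    "https://uthsc.example/login",
    "https://uthcs.example/",
    "http://goog1e.example/",
    "https://uthsc.edu.signin.example/reset",
    "https://uthsc.edu@portal.example/login",
    "https://news.example/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, why = assess_url(sample)
        print(f"{verdict:10} {sample}  {', '.join(why)}")
```

An "unknown" verdict only means the address does not resemble anything on the allowlist; it is not a statement that the site is safe.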


Turn off automatic Wi-Fi connection on your smartphone device

Most smartphones have features that save on cellular data usage. For example, phones can automatically detect previously used Wi-Fi networks and connect to them when within range. Although you may save on data, you also risk compromising your device’s security. Public networks are less secure, therefore they are more susceptible to attacks. Prevent this issue by turning off this capability.

Here’s how to do it on an iPhone:

  1. Open the Settings app.
  2. Press Wi-Fi.
  3. Select the network.
  4. Choose Auto-join Off.

Here’s how to do it on an Android:

  1. Open the Settings app.
  2. Press Network & internet.
  3. Select the Wi-Fi preferences option.
  4. Toggle off Connect to open network.

Personal note – it was a little more complicated on my own Android device. I had to go to Connections, select the Network to which I am currently connected, then select to turn off “Auto reconnect”.

Bottom line? Make sure your mobile device isn’t available to be seen by public networks you don’t want. (2/11/2022)


Be Careful With Apple AirTags

You may have seen news reports of people being notified (by their phone) that an Apple AirTag “has been moving with you for a while”. These AirTags were designed as tracking devices to help owners locate frequently lost items, like a wallet or keys. But with most things designed with the best of intentions, bad actors find ways to exploit them.

Apple’s AirTag is a button-sized device that can be attached to things to keep track of them. They use Bluetooth and Near-field communication (NFC) to anonymously communicate with a nearby iPhone through Apple’s “Find My” feature. In doing so, they can be used to actively monitor the device’s real-time location. Although equipped with security safeguards, AirTags can easily be abused for malicious intent. If you find one in your belongings or attached to your car, remove the device and discard it immediately. (2/4/2022)


Keeping Your Personal and Business Life Separate

While the UT Acceptable Use Policy does not prohibit using UT resources for personal use, it is always a best practice to keep your personal and business lives separate, for many reasons.

If you leave UTHSC in good standing, faculty and staff have 30 days retention of their Microsoft account; students have one year. Any email or file stored in your OneDrive can be accessed by UTHSC and others under the Freedom of Information Act (FOIA).

Carbon Black has picked up some installations of TurboTax software. The only reason this software would be on business devices is if someone is filing their personal taxes using UT resources. Again, while not prohibited, it is not a best practice. Do you want UT to see your personal information?  Review both the UT System Acceptable Use Policy as well as the UTHSC Acceptable Use Standard to understand what is allowed. (1/28/2022)


If You Receive a Gift Card Offer, It Could Be a Trap

A popular trend in phishing scams is the unsolicited gift card prize offer. Malicious scammers pose as legitimate companies, like Amazon or Apple, and send convincing offers to their targets. They claim the target has the chance to win a valuable gift card, but they’ll need to act now if they want to win. Clicking their link will direct the target to their malicious website, where malware is surely waiting to strike. Take these steps if you receive a suspicious offer:

  • Look for inconsistencies in their messaging
  • Check for misspellings, especially in the link
  • Delete the email — the risk is never worth the reward

If you receive an email such as this to your UTHSC account, forward it to abuse@uthsc.edu for examination. (1/21/2022)


Check Your Bank Account Statements Regularly

This week’s tip is a reminder to check your banking and credit card accounts regularly to ensure there are no unauthorized charges or withdrawals. If you receive paper statements, shred them before throwing them away. If you use an app or another means of accessing account information, make sure access is secure. Don’t rely just on notifications you might have set up to alert you to issues. Monitor wisely.

Recent events have seen an increase in the use of online shopping, mobile payments, and online banking, so it’s more important than ever to watch your financial accounts for possible fraud. (1/14/2022)


Lock Your Mobile Device

This week’s tip is a reminder to use some type of locking mechanism for your mobile devices, whether that is a PIN, password, or biometrics. Besides the fact that a lock screen can help stop “butt-dialing” or opening applications when you don’t want to, locking the device protects the data on that device.

A bonus tip – be careful what you use as your lock screen display. While you might want to see a picture of your family, think cautiously about using any picture that can give away personal information. (1/7/2022)


Change Your Password If You Are Part Of a Data Breach

Shocking new data shows how unconcerned victims are after being notified of a data breach involving their credentials or personal information. A data breach is serious business and only represents the beginning of what can become a sequence of malicious events in the future involving the stolen data. If you have been notified that you have been compromised, take steps to secure your accounts. This includes changing your password on all compromised accounts and NOT reusing passwords for multiple accounts.

But new data from the Identity Theft Resource Center’s Data Breach Notice Research report shows very few victims take all the appropriate action to properly secure their accounts after receiving notice of a data breach. According to the report:

  • 48% only change the password for the affected account, despite 85% of respondents admitting they use the same password across multiple accounts
  • 22% changed passwords on all their accounts
  • 16% of victims take no action at all

When asked why good password hygiene (which includes unique passwords for each account) isn’t being used, the following reasons were identified:

  • 52% said it’s too difficult to remember their passwords
  • 48% don’t trust or know how to use password managers
  • 46% don’t think it’s important or believe their password practices are good enough

Use your SPAR training! Be prepared to respond to these breaches by securing your accounts. (12/17/2021)


Beware of Personalized Scams

Cyber criminals now have a wealth of information on almost all of us. With so many organizations getting hacked, bad actors simply purchase databases with personal information on millions of people, then use that data to customize their attacks, making them far more realistic. Just because an urgent email has your home address, phone number, or birth date in it does not mean it is legitimate. (12/3/2021)


Stay Safe During Black Friday & Cyber Monday

Cybercriminals are at it again with holiday phishing scams. Because of the popularity of online shopping, retailers’ online Black Friday deals attract more and more scammers every year. Cyber Monday will also mean big online sales. It is reported that 1 in 4 victims fell for fraud during the holidays.

For many of us, the holiday season is about friends, family, food, and shopping! Two of the busiest shopping days of the year, Black Friday and Cyber Monday, are coming up. Unfortunately, while you’re looking for the perfect gift, cybercriminals are looking for ways to scam you. Follow the tips below to shop safely:

  1. Never install unfamiliar software – There are hundreds of shopping apps out there. Some of these apps may be malicious, so only use apps that you know and trust. When you download software or apps, be sure to download from verified sources such as the App Store or Google Play. You can verify that an app is legitimate by reading the app’s reviews, checking the number of app downloads, and looking up the app’s developer.
  2. Verify attachments are safe before downloading them – A common tactic among cybercriminals is to create phony email notifications from a retailer or postal service. These notifications often include a malicious attachment. The cybercriminals may claim that there was an update to your order or that your package has been delayed, but you’ll have to download the attachment to find out more. Don’t fall for this trick! Before you open the attachment, contact the retailer or postal service to verify that the notification is legitimate. You can also look up your order directly on the website where you made the purchase.
  3. Verify links before clicking – Watch out for malicious advertisements, otherwise known as malvertising. Malvertising is when cybercriminals use ads to spread malware or to trick users into providing sensitive information. When online shopping, only click on an ad or link from a reputable source, such as a retailer’s official social media profile. To be extra careful, use your browser to navigate to the store’s official website to shop instead. (11/24/2021)

Know If You Have Been Part of a Data Breach

Cybersecurity incidents have become national headlines, with ransomware being a hot topic. Other incidents, like data breaches, are also happening, and reports of these breaches, especially in healthcare, are occurring more and more frequently. A recent survey shows an alarming disconnect between breaches and patients’ knowledge of those breaches.

This survey, conducted by Censuswide, asked 2,000 U.S. patients for their views on cybersecurity and data breaches in healthcare.

The survey of patients revealed a third had been the victim of a healthcare cyberattack, and while almost half of the patients (49%) said they would change healthcare provider if it experienced a ransomware attack, many patients are unaware of the extent of recent cyberattacks and how frequently they are now being reported. In 2018, healthcare data breaches were reported at a rate of 1 per day. In the past year, there have been 7 months when data breaches have been reported at a rate of more than 2 per day.

Despite extensive media reports about healthcare data breaches and vulnerabilities in medical devices, 61% of potential patients said they had not heard about any healthcare cyberattacks in the past two years, clearly showing many patients are unaware of the risk of ransomware and other cyberattacks. However, patients are aware of the impact those attacks may have, with 73% of potential patients understanding a cyberattack could impact the quality of care they receive.

When potential patients were asked about their privacy concerns, 52% said they were worried a cyberattack would shut down hospital operations and potentially affect patient care, and 37% said they were concerned about the privacy of information accessible through online portals.

There certainly appear to be trust issues, as only 23% of potential patients said they trusted their healthcare provider with their sensitive personal data. By comparison, 30% said they trusted their best friend with that information.

Know your facts. It is OK to ask about your data and if it has been involved in a data breach. Certain notifications are required by law, but that can vary from state to state.

Remember your SPAR training and be prepared to respond to an attack or a breach of your information. (11/19/2021)


Don’t Lose That Device

Did you know you are 100 times more likely to lose a laptop or mobile device than to have it stolen? Always double-check to make sure you have your devices with you. When traveling, be mindful when leaving airport security, exiting your taxi or ride-share, or checking out of your hotel. Be prepared to respond if this happens. Have an app that will help “find your phone” set up. Also, have a way of remotely wiping the device if you cannot find it. (11/12/2021)


Accidents Happen Even With Data Leaks

Accidents are a leading cause of information leaks and loss. Always be careful about your actions.

Accidents happen, but they can also be disastrous. Accidents, such as accidentally leaving data in an unsecured place, are a leading cause of information leaks. Always be conscientious about your actions when you are dealing with confidential and sensitive information. If you have accidentally caused a data breach or data loss, you should immediately notify the Office of Cybersecurity at itsecurity@uthsc.edu so that the issue can be dealt with in a timely fashion. Don’t try to resolve the problem on your own. (11/5/2021)


Don’t Become a Victim Twice to Identity Thieves

Fake identity theft recovery services will target victims of identity theft. Hang up on these scammers.

After an incident of identity theft, you may get a call from a telemarketer offering to help you recover your stolen money or offering a service that will help secure you from future identity theft. These telemarketers are con artists who specifically target victims of identity theft. They will not recover your money; they will simply ask you to pay them for their services and will take additional money from you. Hang up immediately. Don’t become a victim twice! (10/29/2021)


Shred Personal Documents at Home

Not all stealing occurs online. Many identity thefts occur every year through the use of physical documents that were thrown away in the trash. Rather than throw out your personal information, invest in a small shredder and shred all of your documents before you get rid of them. (10/28/2021)


Check Your Credit Report Regularly to Protect Yourself from Identity Theft

Identity theft is becoming more common and can happen at any time. You can protect yourself from identity theft by checking your credit score and credit report regularly. Look for any irregularities and notify credit bureaus at once if you notice anomalies.

Credit Karma, Experian, and Equifax are three widely used organizations where you can check scores. If you see a large, unexpected shift in that score, you can request a free credit report once per year.

Request Your Free Credit Report:

Online: Visit AnnualCreditReport.com

By Phone: Call 1-877-322-8228. For TTY service, call 711 and ask the relay operator for 1-800-821-7232.

By Mail: Complete the Annual Credit Report Request Form and mail it to:
Annual Credit Report Request Service
PO Box 105281
Atlanta, GA 30348-5281 (10/27/2021)


Protect Your Identity By Keeping Your Social Media Presence Clean

On your social media accounts, minimize the amount of personal information that you display. In particular, minimize how visible your information is to any untrusted individuals. This way, those who are not approved to be your friend or contact on the platform will be less likely to view your personal information. Most sites offer this as a privacy option in the settings for your account. (10/26/2021)


Pay Attention to Data Breaches to Protect Your Identity

Identity thieves often target large retail chains and other organizations to steal customer data. Pay attention to any data breaches announced in the media. A lot of the time, it isn’t you who gives away your information; it is someone else who has access to that data. Keep informed about breaches. If you are part of one, change your password ASAP and monitor activity.

https://haveibeenpwned.com/ is a great website you can use to check email addresses for data breaches. (10/25/2021)


Be On Guard Against Unknown People Asking For Sensitive Data

Social engineers may try to trick you into giving away sensitive information, such as user login names and passwords or credit card numbers. They may pose as authorized users or members of a security firm, for example. Remain on guard and verify the identity of any person making an unsolicited request before you give away information by phone, email, or in person. (10/22/2021)


Most Ransomware Attacks Begin Because of a Human Act

Today’s tip is a reminder that most of the time, a ransomware attack is successful because of something a human did. Clicking a link, downloading an attachment, or logging into an unsafe site are the most common ways ransomware and other malware get on devices and networks. Always be suspicious when examining emails and other communications and never log into a questionable site. (10/21/2021)


What to do if You are Hit with Ransomware

Today’s tip is a checklist of things to do if you are hit with ransomware and your files are encrypted. The first thing to do is REPORT IT. If it happens to a UTHSC device, contact the Office of Cybersecurity or the Service Desk. If it is your personal device, contact your local office of the FBI or the Secret Service.

Also:

  • Determine the systems impacted and isolate them. This means taking them off the network by unplugging an ethernet cable or disabling Wi-Fi.
    • Is it one computer?
    • What applications did that device have access to?
    • Do you have to take the entire network offline?
  • Communicate by “out-of-band” methods in case the bad actors are monitoring communications, i.e. emails.
  • Power down devices ONLY if you cannot disconnect from the network
    • This can save potential evidence
  • Triage impacted systems for restoration and recovery
    • Prioritize based on criticality
    • Review backups and run antivirus / antimalware scans on the backups to see if they are infected

If it is your personal device:

  • Disconnect or power down
  • On a non-infected device, do an online search to determine the kind of ransomware and see if a decryption key is already available
  • Report the crime!

(10/20/2021)


Best Practices to Minimize Ransomware Risks


  1. Back up your data, system images, and configurations. Test these backups and keep them offline.
  2. Use multi-factor authentication whenever possible
  3. Keep systems updated and patched
  4. Make sure your antivirus / antimalware application is up-to-date
  5. Review and exercise your incident response plan. Yes, even as a person, you should have a plan. Just as, for physical security, you and your family have discussed how to get out of the house in case of fire and where to meet outside of the home, you need a plan for cybersecurity incidents. What is the plan for troubleshooting and fixing a device? Make the plan. (10/19/2021)

Ransomware in Education

This week’s Cybersecurity Awareness Month theme is Ransomware, so each tip this week will be related to that topic. Today, we talk about how widespread ransomware is in the education sector. Limited budgets and staffing make the educational sector an attractive target, with the pandemic worsening the issue.

Here are some stats:

  • Ransomware attacks against universities increased by 100% between 2019 and 2020. (BlueVoyant, 2021)
  • The education sector was the least prepared of any sector to deal with cyberattacks (Security Scorecard)
  • 1,681 schools, colleges, and universities were victims of ransomware in 2020 (Emsisoft)

(10/18/2021)


Everyone Falls Eventually – What To Do When the Phish Gets You

This last tip during Social Engineering & Phishing week is a reminder that if you fall for a phish (which will happen to everyone), take action immediately. If it is UTHSC related, contact the ITS Service Desk or Office of Cybersecurity to start an investigation. If it is your personal data, contact the institution that was impersonated, for example, your bank, to get back control of your information. (10/15/2021)


Different Types of Social Engineering (Not Just Phishing)

10 Types of Social Engineering Attacks

To prevent a social engineering attack, you need to understand what they look like and how you might be targeted. These are the 10 most common types of social engineering attacks to be aware of.

1. Phishing

Phishing is the most common type of social engineering attack, typically using spoofed email addresses and links to trick people into providing login credentials, credit card numbers, or other personal information. Variations of phishing attacks include:

  • Angler phishing – using spoofed customer service accounts on social media
  • Spear phishing – phishing attacks that target specific organizations or individuals

2. Whaling

Whaling is another common variation of phishing that specifically targets top-level business executives and the heads of government agencies. Whaling attacks usually spoof the email addresses of other high-ranking people in the company or agency and contain urgent messaging about a fake emergency or time-sensitive opportunity. Successful whaling attacks can expose a lot of confidential, sensitive information due to the high-level network access these executives and directors have.

3. Diversion Theft

In an old-school diversion theft scheme, the thief persuades a delivery driver or courier to travel to the wrong location or hand off a parcel to someone other than the intended recipient. In an online diversion theft scheme, a thief steals sensitive data by tricking the victim into sending it to or sharing it with the wrong person. The thief often accomplishes this by spoofing the email address of someone in the victim’s company—an auditing firm or a financial institution, for example.

4. Baiting

Baiting is a type of social engineering attack that lures victims into providing sensitive information or credentials by promising something of value for free. For example, the victim receives an email that promises a free gift card if they click a link to take a survey. The link might redirect them to a spoofed Office 365 login page that captures their email address and password and sends them to a malicious actor.

5. Honey Trap

In a honey trap attack, the perpetrator pretends to be romantically or sexually interested in the victim and lures them into an online relationship. The attacker then persuades the victim to reveal confidential information or pay them large sums of money.

6. Pretexting

Pretexting is a fairly sophisticated type of social engineering attack in which a scammer creates a pretext or fabricated scenario—pretending to be an IRS auditor, for example—to con someone into providing sensitive personal or financial information, such as their social security number. In this type of attack, someone can also physically acquire access to your data by pretending to be a vendor, delivery driver, or contractor to gain your staff’s trust.

7. SMS Phishing

SMS phishing is becoming a much larger problem as more organizations embrace texting as a primary method of communication. In one method of SMS phishing, scammers send text messages that spoof multi-factor authentication requests and redirect victims to malicious web pages that collect their credentials or install malware on their phones.

8. Scareware

Scareware is a form of social engineering in which a scammer inserts malicious code into a webpage that causes pop-up windows with flashing colors and alarming sounds to appear. These pop-up windows will falsely alert you to a virus that’s been installed on your system. You’ll be told to purchase and download their security software, and the scammers will either steal your credit card information, install real viruses on your system, or (most likely) both.

9. Tailgating/Piggybacking

Tailgating, also known as piggybacking, is a social engineering tactic in which an attacker physically follows someone into a secure or restricted area. Sometimes the scammer will pretend they forgot their access card, or they’ll engage someone in an animated conversation on their way into the area so their lack of authorized identification goes unnoticed.

10. Watering Hole

In a watering hole attack, a hacker infects a legitimate website that their targets are known to visit. Then, when their chosen victims log into the site, the hacker either captures their credentials and uses them to breach the target’s network, or they install a backdoor trojan to access the network. (10/14/2021)


Ways to Avoid Being a Victim of a Phish

Do:

  • Keep your software and browsers up to date
  • Hover over links to identify obvious fakes; make sure that an embedded link is taking you to the exact website it purports to be
  • Take your time and inspect emails for obvious red flags: misspelled words and bad grammar, incorrect URL domains, unprofessional and suspicious visuals, and unrecognized senders
  • Instead of clicking on a link provided in an email, visit the website of the company that allegedly sent the email to make sure the deal being advertised is also on their webpage

Don’t:

  • Click on any links in any email sent from unknown or suspicious senders
  • Send an email that looks suspicious to friends or family as this could spread a phishing attack to unsuspecting loved ones
  • Download content that your browser or security software alerts you may be malicious
  • Give away personal information like your credit card number, home address, or social security number to a site or email address you think may be suspicious

(10/13/2021)


What to do if You are a Victim of Social Engineering

If you believe you fell for a phish, there are many things to do. If it involves any UTHSC data or device, contact the Office of Cybersecurity (itsecurity@uthsc.edu) or the ITS Service Desk (901.448.2222 or uthsc.edu/techconnect) to start an investigation. The most common action we will advise you to take is to change your password and take back control of your account.

If it happened to you personally, there are still actions to take:

  • If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
  • Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
  • Watch for other signs of identity theft.
  • Consider reporting the attack to the police, and file a report with the Federal Trade Commission.

Taking action is the best way to stay in control of your information. We no longer live in an environment where “wait and see” helps the victim at all. (10/12/2021)


Common Indicators of a Phishing Attempt

What are common indicators of phishing attempts?

  • Suspicious sender’s address. The sender’s address may imitate a legitimate business. Cybercriminals often use an email address that closely resembles one from a reputable company by altering or omitting a few characters.
  • Generic greetings and signature. Both a generic greeting—such as “Dear Valued Customer” or “Sir/Ma’am”—and a lack of contact information in the signature block are strong indicators of a phishing email. A trusted organization will normally address you by name and provide their contact information.
  • Spoofed hyperlinks and websites. If you hover your cursor over any links in the body of the email, and the links do not match the text that appears when hovering over them, the link may be spoofed. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). Additionally, cybercriminals may use a URL shortening service to hide the true destination of the link.
  • Spelling and layout. Poor grammar and sentence structure, misspellings, and inconsistent formatting are other indicators of a possible phishing attempt. Reputable institutions have dedicated personnel that produce, verify, and proofread customer correspondence.
  • Suspicious attachments. An unsolicited email requesting a user download and open an attachment is a common delivery mechanism for malware. A cybercriminal may use a false sense of urgency or importance to help persuade a user to download or open an attachment without examining it first. (10/11/2021)

When in Doubt, Throw It Out

Links in email, tweets, texts, posts, social media messages, and online advertising are the easiest way for cybercriminals to get sensitive information. Be wary of clicking on links or downloading anything that comes from a stranger or that you were not expecting. Essentially, just don’t trust links. It is very much OK to delete them! (10/8/2021)


Own Your Role in Cybersecurity – Own your Online Presence

Every time you sign up for a new account, download a new app or get a new device, immediately configure the privacy and security settings to your comfort level for information sharing. Regularly check these settings (at least once a year) to ensure they stay configured to your comfort level. (10/7/2021)


Never Reuse Passwords

If you reuse passwords, a breach of one account becomes a breach of all of your accounts.

If you use the same password for all of your accounts and a single account is breached, all of your accounts will become vulnerable. Always use completely unique passwords for each of your accounts. Don’t use variations of your password for separate sites, such as a base password that has a single alteration each time; these can be guessed. (10/6/2021)


Simple Security Tips for Working or Studying Remotely

For most of us, working or studying remotely, whether full-time or hybrid, has become the new normal. Everyone should take a moment to review some best practices for working or studying remotely.

  • Only use approved tools. Only use organization-approved software and tools for work or study, including company-provided or approved video conferencing and collaboration tools to initiate and schedule meetings. This means Zoom or MS Teams.
  • Secure your meeting. Tailor security precautions to be appropriate for the intended audience. Plan for what to do if a public meeting is disrupted. Take precautions to ensure your meeting is only attended by intended individuals.
  • Secure your information. Tailor your security precautions appropriate to the sensitivity of your data. Only share data necessary to accomplish the goals of your meeting. For more information about UTHSC’s data classification standard see Standard-InfoSec-GP-002-Data & System Classification.
  • Secure yourself. Take precautions to avoid unintentionally revealing information. Ensure home networks are secured. (10/5/2021)

Be Cyber Secure At Work

Organizations face significant financial loss when a cyber-attack occurs. In 2020, a sharp increase was reported in cyberattacks that target organizations using stolen logins and passwords. Cybercriminals often rely on human error—employees failing to install software patches or clicking on malicious links—to gain access to systems.

Here are some simple tips to stay safe at work:

  • Treat business information as personal information. Business information typically includes a mix of personal and proprietary data. While you may think of trade secrets and company credit accounts, it also includes employee personally identifiable information (PII) through tax forms and payroll accounts. Do not share PII with unknown parties or over unsecured networks.
  • Don’t make passwords easy to guess. As “smart” or data-driven technology evolves, it is important to remember that security measures only work if used correctly by employees. Smart technology runs on data, meaning devices such as smartphones, laptop computers, wireless printers, and other devices are constantly exchanging data to complete tasks. Take proper security precautions and ensure correct configuration of wireless devices in order to prevent data breaches.
  • Stay up to date. Keep your software updated to the latest version available. Maintain your security settings to keep your information safe by turning on automatic updates so you don’t have to think about it and set your security software to run regular scans.
  • Social media is part of the fraud toolset. By searching Google and scanning your organization’s social media sites, cybercriminals can gather information about your partners and vendors, as well as human resources and finance departments. Employees should avoid oversharing on social media and should not conduct official business, exchange payments, or share PII on social media platforms.
  • It only takes one time. Data breaches do not typically happen when a cybercriminal has hacked into an organization’s infrastructure. Many data breaches can be traced back to a single security vulnerability, phishing attempt, or instance of accidental exposure. Be wary of unusual sources, do not click on unknown links, and delete suspicious messages after reporting or forwarding all phishing attempts to abuse@uthsc.edu, so that any necessary organizational updates, alerts, or changes can be put into place.

#BeCyberSmart  (10/4/2021)


Check Your Browser’s Security Settings

To start Cybersecurity Awareness Month, the tip today is about your web browser. Whether you use Chrome, Safari, Firefox, Edge, or others, most have a selection of security settings. Give yourself additional protection against malicious attacks. Choose higher levels of security. These settings can block certain types of scripts from running and reduce the permissions settings of the websites. (10/1/2021)


Phishing Can Be Smishing Attacks

Smishing is phishing via text or SMS messaging. Have you gotten a text from FedEx, Amazon, or your phone carrier that you KNOW didn’t come from them? That is smishing. Preparedness training has concentrated on emails so much that bad actors are looking for another way to reach susceptible people.

Wizer, an Information Security Training company, has put together five (5) scenarios in a blog post that are eye-opening from both a business and personal perspective.

Each scenario has a video, less than a minute in length, showing how this can happen to you:

Share these with family and friends. The more people are aware, the more prepared they are for an attack, no matter what form it takes. (9/24/2021)


Only Provide Your Social Security Number if Absolutely Necessary

Only give out your social security number if it is absolutely necessary and you have verified the identity of the person requesting it.

Your Social Security Number is often requested and used by organizations to help identify you and to access your confidential records. If someone asks for your Social Security Number, ask if there is some other way to verify your identity. Only give your information out if you have verified the requester's identity, for example, by calling a known and publicly posted phone number. Never give out your Social Security Number to an unknown person who calls you. (9/17/2021)


Make Sure You Have Physical Privacy When Sending Confidential Information

Confidential emails can be read over your shoulder. Be sure you have privacy when sending email.

Not all security and data breaches need to be high tech. Confidential or sensitive information could be gathered by simply looking over your shoulder as you send an email. As an example, banking data could be memorized at a glance by someone walking past. Always make sure that no one else is in view of your screen when you send confidential information. (9/10/2021)


Emails May Not Be From Who They Seem To Be

Don’t automatically trust emails from friends and colleagues.

Malicious users can send emails that appear to have come from anyone. An email from a friend or colleague may have come from a hacked account or have the name spoofed. Contact your friend or colleague directly if you have concerns about an email they have sent to you and do not transmit personal or sensitive data through email. Do not respond directly to the email until you are certain it came from a valid source.

If you are suspicious of any email in your UTHSC inbox, forward it to abuse@uthsc.edu for examination, or use the “Report Message” icon in Outlook. This icon is located in the top ribbon, under the Protection area of the Home tab. (9/3/2021)


Always make sure that you connect to the right Wi-Fi network

Network names may be misleading. Whenever you’re connecting to a new Wi-Fi network, you should ask someone what the correct Wi-Fi name should be. You should never assume based on name which Wi-Fi connection is the correct one; anyone can create a Wi-Fi access point under any name designed to collect information. A Wi-Fi network named “CoffeeShopGuests” at a coffee shop may be created by someone who is actually down the street. Once you are connected to a Wi-Fi access point, the data you transmit can become vulnerable. (8/27/2021)


How to FIND and DELETE Old, Unused Accounts

We all have accounts we no longer use, but some apps and websites make deleting your profile very hard to do. Ignoring them is easier, but that creates a major security threat to your personal information. We preach all the time about knowing where your data is so that you can protect it. The first problem is finding these old accounts. Then you have to take the time to delete the account.

Some of this is complicated, so here is the article from which this information is coming: https://lifehacker.com/how-to-find-and-delete-all-your-old-unused-accounts-1847470037 

Step 1 - How to Find Old Accounts

The first place to search is in your web browser. Most modern browsers can save login info for any websites you access, and you can quickly find any accounts you’ve saved from the settings menu. Here’s where to look in Chrome, Edge, Firefox, and Safari:

  • Chrome: Go to Settings > Passwords.
  • Edge: Go to Settings > Profiles > Passwords > Saved Passwords.
  • Firefox: Go to Preferences > Privacy and Security > Saved Logins.
  • Safari: Go to Preferences > Passwords.

Also check social media account profiles that you might have used to log into other accounts using those credentials:

  • Apple ID: On your iPhone or iPad, go to Settings > Password and Security > Apps Using Your Apple ID.
  • Facebook: Go to Settings > Apps and Websites.
  • Google: Go to myaccount.google.com then click “Security.” Check under “Third-party apps with account access” and “Signing in to other sites.”
  • Instagram: Go to Settings > Security > Apps and Websites
  • Twitter: Go to Settings and privacy > Account > Apps and Sessions > Connected Apps.

Step 2 - Recover Your Passwords

If it has been years, you probably don't remember the password, but you need to be in control of the account in order to delete it. Hopefully you still have access to the email address used when setting up these accounts, so a "recover username" or "recover password" link is helpful.

Step 3 - Delete the Account

This is where it gets complicated, as different accounts will have different ways of deleting information. And they want to keep your data, so they make it hard to do. Read the article (https://lifehacker.com/how-to-find-and-delete-all-your-old-unused-accounts-1847470037 - if you didn't see it up top) for suggestions on how to delete some accounts, but if you have no luck, contact that company and have them do the work.  (8/20/2021)


Trust your Gut Feelings

Often, you may pick up on suspicious situations subconsciously before you can consciously recognize them. If you feel troubled by an email, instant message, or even a phone call, you should trust yourself and investigate further. You may be the target of a scam artist. There is nothing to be lost by checking.

Contact the Office of Cybersecurity at itsecurity@uthsc.edu or the ITS Service Desk at 901.448.2222 for assistance. (8/13/2021)


If Your Credit Card is Rejected, It May Be a Sign of Identity Theft

Having your credit card inexplicably rejected isn’t just embarrassing–it can also be a warning sign. If your credit card is rejected you should immediately call the number on the back of the card to talk to your credit card company or bank. Your credit card could have been frozen due to suspected identity theft. Many banks will freeze your credit card if they see you making purchases in an area far away or completing transactions that are otherwise unusual for you. Your card could also potentially be declined because an identity thief has maxed it out. Either way, you will want to resolve the situation quickly. (8/6/2021)


Staying at a hotel? Store devices in a safe, locked location

Criminals prey on people who are traveling, and if they get a hold of your laptop, tablet, or smartphone in your hotel room, they may access your organization’s sensitive data. Any time that you need to work remotely and are staying in a hotel, protect your organization’s information by storing all devices as securely as possible. If there is no safe in your room, ask the front desk if they have a general-purpose hotel safe that you can use. Secure your items by locking them up in luggage when they are not in use. (7/30/2021)

Criminals Impersonate People You Know Via Social Media

Cyber thieves will try to make you think they are a known friend via social networks. If you receive a suspicious email or post via sites such as Facebook or Twitter, be prepared and be on guard. A hacker may have taken over your friend’s account and be using it to send out messages to every contact to scam them out of money. For example, you may get a message that a friend who is traveling abroad has lost his luggage and wallet and needs you to transfer funds immediately to help him get home. Before taking action, verify that the message is real. And by that, we mean use another means besides responding to a message that might be controlled by the criminal. (7/23/2021)


When It Is Okay to LIE

We have been taught from an early age to always tell the truth. However, there is an area in cybersecurity where you are encouraged to lie – Security Questions. These pesky questions like “mother’s maiden name” and “name of your high school” are designed to prove you are really you, but are the true answers easy to find?

SPAR – Security Preparedness and Response

Just like you must protect your passwords, you must protect any data that can easily identify who you are from those wanting to steal your information and identity. Therefore, be prepared to use false information in answering these security questions. Respond to these questions with false information. The trick is you have to remember your lie. Make the answers something only YOU would know.

Finding personal information on the web has never been easier. We share too much. If a hacker wants to steal your identity, all they need to know are the answers to these questions to take over accounts and lock you out. (7/16/2021)


Protect your Data with Regular Backups

Protect your data with regular backups. External drives and off-site backups will ensure data is protected.

Many things can lead to a loss of the data on your computer. Fires, floods, earthquakes, and even something as simple as a damaged hard drive could erase all of the information you have. Be prepared to protect yourself with an external drive and protect yourself off-site with web backups or cloud backup solutions. Remember that your backups should be password protected and encrypted just like your computer is.

How should you respond to the loss of data? For UTHSC devices, contact ITS to start the process of investigation and remediation. For personal devices, contact the seller or manufacturer to troubleshoot the issue if you don't immediately see what the problem is, i.e. you had a flood. Purchase protection plans may cover repairs. (7/2/2021)


Web Browsers – Only Use the Latest Version

This week’s tip is a reminder about using older versions of web browsers. DON’T DO IT! Old web browsers may have unpatched security issues that have been discovered, creating a high risk for yourself and UTHSC if used. Use only the latest version of a browser to access the web. Also, set browsers to auto update to the most recent version so your computer is protected from new exploits.

Another tip – if you have multiple browsers on your machine, e.g. Internet Explorer, Edge, Mozilla Firefox, Google Chrome, Apple Safari, but you don’t launch and use them regularly, remove them. They are a vulnerability to your device. (While you are at it, remove ANY application that you don’t use. Why keep it?)

Did you know that Microsoft will end support of Internet Explorer 11 on June 15, 2022? The newer replacement from Microsoft, Edge, has been available for years and will continue to be supported after IE is retired.

Our Patch Management Team does push out updates for certain applications and operating systems to UTHSC devices. Apple device updates are pushed through the cloud. However, Windows machines must be connected to the UTHSC network in order to get the updates. Per policy, UTHSC devices should be powered on over the weekend to receive these updates. If working remotely, they need to be connected through the UTHSC VPN. (6/25/2021)


Avoid Ransomware Through Good Security Habits

Some malware programs will require that you pay to unlock your system. Avoid “ransomware” through good system security habits.

Malware programs called “ransomware” will infect your computer and demand that you pay a “ransom” to the creator of the program to remove it. Paying the ransom will only give the creator of the program access to your personal and financial information. You can avoid ransomware by keeping your operating system updated, using an antivirus program and conducting regular system scans. Most of the time, ransomware can be removed the same way as malware using an antivirus program. Sometimes a more thorough “cleaning” is necessary.

If you think you are a victim of ransomware on your UTHSC device, contact the Office of Cybersecurity (itsecurity@uthsc.edu, 901.448.1880) immediately for remediation. More information on how to prepare and respond will be coming next week.

All of these weekly tips are stored on the Office of Cybersecurity’s Tip Archive. As there are almost four years’ worth of tips, to find one on a certain topic you can use Ctrl+F (Windows) or Command+F (Mac) to search the page. (6/18/2021)


Securely Using Mobile Apps

This tip comes from the SANS OUCH! Newsletter

by Domenica Crognale

Overview

Mobile devices, such as tablets, smartphones, and smartwatches, have become one of the primary technologies we use in both our personal and professional lives. What makes these devices so powerful are the thousands of apps we can choose from. These apps enable us to be more productive, communicate and share with others, train and educate, or just have more fun. Here are steps you can take to securely use and make the most of today’s mobile apps.

Obtaining Safe Mobile Apps 

Cyber criminals have mastered their skills at creating and distributing malicious apps that appear to be legitimate. If you install one of these apps, criminals can often take complete control of your mobile device or data. This is why you want to ensure you only download safe mobile apps from trusted sources. What you may not realize is that the brand of mobile device you use determines your options for downloading apps.

For Apple devices, only download mobile apps from the Apple App Store. The advantage here is that Apple does a security check of all mobile apps before they are made available to customers. While Apple cannot catch all malicious apps, this managed environment dramatically reduces the risk of downloading one. In addition, if Apple does find an app that it believes is malicious, it will quickly remove it.

For Android devices, only download mobile apps from Google Play, which is maintained by Google. Similar to Apple, Google does a security check of all apps before they are made available to customers. The difference with Android devices is that you can also enable certain options that allow you to download mobile apps from other sources. We highly recommend against this since anyone, including cyber criminals, can easily create and distribute malicious mobile apps and trick you into infecting your mobile device.

Regardless of which brand you are using, research an app before downloading it. Look at how long the mobile app has been available, how many people have used it, and who the vendor is. The longer an app has been publicly available, the more people that have used and left positive comments about it, and the more often the app vendors update it, the more likely the app can be trusted. In addition, install only apps you need and use. Ask yourself, “Do I really need this app?” Not only does each app potentially bring new vulnerabilities but also new privacy issues. If you stop using an app or no longer find it useful, remove it from your mobile device (you can always add it back later if you find you truly need it).

Apps Privacy and Permissions 

Once installed, make sure the app is protecting your privacy. Does that app really need access to your location, microphone, or contacts? When you enable permissions, you may be allowing the creator of that app to track you, even allowing them to share or sell your information to others. If you do not wish to grant these permissions, simply deny the permission request, grant the app the permission only when it’s actively being used, or shop around for another app that meets your requirements. Remember, you have lots of choices out there.

Updating Apps 

Mobile apps, just like your computer and mobile device operating system, must be updated. Criminals are constantly searching for and finding new weaknesses in apps and developing ways to exploit these weaknesses. The app’s developers create and release updates to fix these weaknesses and protect your devices. The more often you check for and install updates, the better. Most devices allow you to configure your system to automatically update mobile apps. We highly recommend enabling this setting. Mobile apps are key to making the most of your devices. Just be careful of the ones you select and make sure you use them safely and securely. (6/11/2021)


Don’t Be Afraid to Say No

Social engineers prey on the good-mannered. Don’t be afraid to say no.

Social engineers try to convince people to do things by preying on their urge to be good-mannered and polite. If someone asks you to give them personal information or to give them access to confidential information, don’t be afraid to be direct and say no. A social engineer encounter can be through telephone, email, or even in person. Anyone suspicious should be denied access until you can verify their identity. (6/4/2021)


Insider Threats are Real – Data Breaches do Occur from Within

Data breaches from within do occur. Limit access to sensitive information on a need-to-know basis.

To combat malicious insider threats, limit access to sensitive data on a need-to-know basis. Don’t send any data to someone who does not need to work with this data and is not authorized to access the data. If in doubt, consult with your supervisor regarding who has access to what information. More information about insider threats can be found on the Office of Cybersecurity’s webpage.

Now, about The Inside Man.  The series is about an IT security analyst starting a new job where no one suspects he is already inside their most secure systems or that sinister forces are pulling his strings. This series delivers an entertaining, movie-like experience with a compelling story. It is available on Amazon Prime and runs 1 hour and 17 minutes (set in London, so the British accents are a plus).  It engages in topics that are more than just work related, so watching as a family is highly recommended.

A different security issue is addressed in each of The Inside Man episodes. The issues include:

  • Episode 1: The New Guy –> Issue: Social Engineering
  • Episode 2: Social Hour –> Issue: Social Media
  • Episode 3: On Our Side –> Issue: Phishing Attacks
  • Episode 4: Surprise –> Issue: Document Disposal
  • Episode 5: Takeaways –> Issue: Clear Desktop Policy
  • Episode 6: Masquerade –> Issue: Cloud Services
  • Episode 7: Buying Time –> Issue: Passwords
  • Episode 8: Taken –> Issue: Ransomware
  • Episode 9: Where The Wild Things Are –> Issue: Travel
  • Episode 10: Keep Your Friends Close –> Issue: App Security and Permissions
  • Episode 11: The Sound Of Trumpets –> Issue: External Devices
  • Episode 12: Checkmate –> Issue: Insider Threats

(5/28/2021)


Don’t talk about sensitive information in public

People may be listening to you speak. Don’t talk about sensitive information when in public.

When you’re in public and speaking on your mobile phone anyone could be listening. Don’t discuss sensitive information such as workplace information or personally identifiable data while you’re in public.  Someone could gather enough information from you to either log into one of your accounts or even steal your identity. Instead, excuse yourself from the conversation until in private.

I personally think of this every time I pick up a prescription. The pharmacist or tech asks for my last name and date of birth. I take a moment to look around and if ANYONE is within listening distance, I ask for a piece of paper to write it down, then take the paper to shred later. I’ve started some great discussions with people asking why I do that. (5/21/2021)


Devote a Single Credit Card for Online Purchases to Minimize Risk

Stay one step ahead of thieves: devote a single credit card for online purchases to minimize your risk.

If you have more than one credit card, it might be tempting to use them all when you are shopping online at different sites. However, it’s prudent to designate one credit card for all your Internet transactions. That way, if an organization you’re buying items from is attacked by hackers, you will only need to report one credit card stolen to your financial institution and you’ll easily know which of your credit cards is affected. Additionally, you’ll still be able to use your other credit cards to purchase vitally needed goods and services while you await replacement of the stolen card. (5/14/2021)


Use Pass Phrases instead of Passwords

Pass phrases are more secure than traditional passwords. Use long pass phrases when securing sensitive data.

A pass phrase is a long phrase that is used in place of a password, such as “IamGoingtoEataPie!” Pass phrases are easier to remember than traditional passwords and more difficult for a hacker to guess. Use proper capitalization and punctuation in your pass phrase to increase its complexity and make it even more secure. Use a phrase that you’ll find easy to remember and resist the urge to write it down or store it in a computer file.

Learn more about passwords and view some resources on the Office of Cybersecurity’s password webpage. (5/7/2021)


Never plug in a free or found USB drive into your computer

USB drives can carry viruses. Never plug in a free or found USB drive into your computer. Once plugged into a computer, a USB drive can transfer a virus or other malware to your system. You should never plug in a USB drive that you have received for free or found somewhere on campus; even if the USB drive was found at UTHSC, it might still have a virus on it. Keep your USB drives clearly marked to prevent any confusion between you and your coworkers and always keep them in a specific place.

If you find a USB drive on campus, turn it in to ITS (6th floor, Alexander) for review. (4/30/2021)


Do not install software on your UTHSC owned device unless it has been approved

Unauthorized software can contain viruses and other forms of malware, and can cause conflicts with other applications. The software must be properly accounted for and follow proper licensing requirements. If you need software that is not approved or authorized for your computer, contact your supervisor or visit Procurement’s webpage for more information. (4/23/2021)


Legitimate emails usually don’t demand immediate action

If an email is sent to you that requests that you take an immediate action, you should be skeptical. Rather than responding to the email, you should call or otherwise directly contact the sending party for more information. A demand for immediate action is usually meant to make you rush, so that you don’t notice other warning signs and respond based on emotions, not logic or training. (4/16/2021)


Never Let a Stranger Use Your Computer or Mobile Device

Strangers on your computer may attempt to access confidential files. Never let a stranger use your computer.

Strangers may attempt to gain access to your computer so that they can access sensitive or confidential documents. They may give you a reason that they need to use your computer, such as a personal favor. Anyone on your computer will have access to the files and systems that you have access to. You should never let a stranger access either your work or home computer. (4/9/2021)


Encrypt Sensitive Information when Emailing

This week’s tip is a reminder that if you email sensitive information, you need to encrypt that email or use the UT Vault. Even if you are emailing another @uthsc.edu email address, encryption is still very necessary.

Information on using encrypted email can be found on the Office of Cybersecurity’s webpage.

Information about using the UT Vault can be found in the ITS Service Catalog about the Vault.

If you are unsure about the classification of the data you are sending, reference our Data Classification and Data Security standards.

Remember that your UTHSC email is not your personal email and is subject to disclosure and audit. Protect the data for which you are responsible. (4/1/2021)


Viruses Can Infect a Device in Many Ways

There are many ways in which malware may infect a system. USB drives, emailed files, instant messaging, web links, and applications are all among the major ways that a virus may be introduced. Comprehensive antivirus utilities may be used to scan risky files, and you can protect yourself and your system by avoiding any links, files, and removable media devices. (3/26/2021)


Don’t Unsubscribe from Unsolicited Emails

Spam emails may use the “unsubscribe” option to determine whether your email address is active.

Spam emails may prompt you to unsubscribe from them. When you click the unsubscribe link, you could potentially be redirected to malware. The spam sender could also use your response to determine that your email account is active; they could then either continue sending you emails or even sell your email address to another spammer. Don’t unsubscribe from unsolicited emails. Just delete them. (3/19/2021)


Streaming Services and Malware

The idea for this tip was thought up with the start of March Madness and people trying to stream games from any website that will let them. Unfortunately, there are apps that let you watch illegal pirated content, and hackers are using those apps to spread malware.

If malicious software on the pirate app gets inside your wireless network, it may try to infect other devices connected to your network. That could put at risk the computer you use for sensitive transactions like online banking or shopping. It could also expose your photos and other personal information. The malware could allow hackers to:

  • Steal your credit card information and sell it to other hackers on the dark web.
  • Steal the login credentials for sites you shop on and go on a spending spree.
  • Steal the login credentials for your bank account and steal your money.
  • Use your computer to commit crimes.

Malware may also make your computer slow or non-responsive, serve pop-up windows or ads, or take you to sites you didn’t want to visit.

If you want to avoid downloading malware when you stream video, don’t watch pirated content. Period. Not online and not through a video streaming device. (3/19/2021)


What to Do Before You Get Rid of Your Cell Phone

Back It Up

If you’re going to upgrade, sell, give away, or recycle your phone, the first thing you should do is back up your data.

Remove SIM and SD Cards

If your phone has a SIM card, it may store your personal information. Remove the SIM card. If you’re going to keep the same phone number, you may be able to transfer your SIM card to your new phone. If you’re not going to re-use the SIM card, destroy it.

If your phone has an SD memory card for storage, remove it.

Erase Your Personal Information

Remove the information from your phone by restoring or resetting it. Make sure you erased things like your contacts, text messages, photos, videos, and your search and browsing history.

Disconnect From Accounts and Devices

After you erase the information on your phone, make sure you’ve disconnected it from devices and accounts.

  • Confirm that your account or Wi-Fi passwords aren’t still stored on the phone.
  • Check that your phone isn’t paired with other devices, like a watch or a vehicle.
  • If you use 2-step verification or multi-factor authentication to log in to any accounts, remove your phone from the list of trusted devices.
  • If you’re not keeping your phone number, change the number on file with any accounts or services that may be using it to identify you.

Recycling Your Phone

If you aren’t going to trade in, sell, or give away your phone, consider recycling it. The Environmental Protection Agency has information about where you can recycle your phone. You can also check with the phone manufacturer, your wireless service provider, or a local electronics store.

The entire article can be found on the FTC’s website. And as always, you can contact the Office of Cybersecurity at itsecurity@uthsc.edu for more information. (3/12/2021)


PIN Codes Need Protection Just Like Passwords

Use caution when disclosing personal information such as PIN codes. These codes, just like passwords, need to be protected and never shared, even with your bank. Be mindful of your surroundings when entering a PIN. Make sure no one is watching. (3/5/2021)


Never Reuse Passwords – Consider a Password Manager

If you reuse passwords, a breach of one account becomes a breach for all of your accounts. Never reuse your passwords.

Easier said than done? Consider using a password manager.

According to research done by NordPass, a password manager company, the average person had 70-80 passwords in 2020. Anyone would be tempted to reuse passwords for different accounts. No one can remember that many, especially if the accounts are ones not frequented daily. A password manager can help.

Password managers are just what the name implies. They help manage passwords. They can create long, complex passwords for you and store ones you create yourself, all within an encrypted vault. When you need a password to access an account, the password manager has it for you (without looking at a sticky note).

Word of caution – you need a good password for your password manager and you must remember it.  You cannot access all those passwords you stored without it.

The Office of Cybersecurity does not have a specific recommendation for a password manager, but PC Magazine has conducted a good evaluation on what is on the market now. (2/26/2021)


Emotions Play a Part in Phishing Attempts

Social engineering is the art of human manipulation. Bad actors know that if they can make their targets FEEL something, whether fear, excitement, worry, jealousy, or a host of other emotions, they can make those targets act before thinking. They have hooked their phish. Check out the Office of Cybersecurity’s Phishing webpage for a quick video (1:21) about how this all works. While on the page, review how to spot a phish and how to write emails that don’t look phishy (as well as other great information). (2/19/2021)


Clean Up your Data

Call it a New Year’s Resolution, Lenten Resolution, or just Spring Cleaning, you should periodically review files you have to see if you still need them. Information that is no longer needed, especially if it is sensitive or confidential, should be deleted. It is just good cyber hygiene. (2/12/2021)


Let’s Talk Email (Signatures and Contacts)

This week’s tip is a 2-for-1 deal. First, a reminder that UTHSC has a standardized email signature, and there are security reasons to use it. Second, it is time to clean out old contacts and groups from your Contact list. Why give yourself an opportunity to send information to an unintended audience?

Email Signatures

Using standardized email signatures is a simple and effective tool that aids in detection of phishing attacks. When all members of an organization follow the format of applying their email signature line consistently across the enterprise, it serves as a quick visual check that an email may or may not be legitimate.

Although the signature is easily duplicated by a nefarious actor, any deviation from the standard email signature format can serve as one more red flag that the email you received is a phishing attack.

UTHSC does require a standardized email signature line. You can find a tool HERE (NetID and Password required) which formats this required email signature for you. For more tips on how to spot phishing emails, and how to report and respond to them, and other cybersecurity tips visit the Office of Cybersecurity webpage HERE.

Old Contacts or Contact Groups

We all want to work smarter, not harder. An easy way of doing this is creating Contact Groups in Outlook (or other email platforms) for ease of sending emails to the same group of people consistently. However, as jobs and responsibilities change, keeping those old groups may lead to sending information to the wrong people, potentially causing harm to the University. Deleting old contact groups or reviewing and updating ones still needed are good security practices to make sure your communications are only going to the correct individuals. (2/5/2021)


Be very wary of anyone wanting to remote into your computer

One social engineering technique is a scammer advising you that your device has a virus or been doing something suspicious. They pretend to be from a reputable company and offer to help clean up the problem. All they need is remote access to your device, and money (credit card number) to assist you. DON’T FALL FOR IT!

There is always a worry that your device will become infected or compromised in some way. Having someone call you, with a sense of urgency, offering to fix an issue may seem like a wonderful idea. But what they are after are a few things:

  • credit card information or banking information, to pay for the “service” they are providing
  • access to your device in order to steal your personal information
  • access to your device to download malicious software, to make it do whatever they want
  • many, many other bad things

The Office of Cybersecurity has a Compromised Computer webpage with tips on what to look for if you think your device may be compromised. Don’t take the word of someone on the phone that you have never met that there is something wrong with your machine. Just like with any other social engineering attempt, verify who that person is by another means, i.e. calling the company back using a known phone number (NOT one they give you over the phone). (1/29/2021)


Social networks can be used to spread malware

Never click on unknown links or download files through social media accounts.

Links and files on social networks can include viruses and malware. Never click on links from people that you don’t know and don’t download files that are sent to you through a social media platform. Be skeptical of any links that look unusual, such as a link that comes from someone you haven’t spoken to in a long time. Even someone you know could have their account hacked and used to send out malware.

If you think your device may have malware or be compromised in some way, we have advice at Compromised Computers or Devices. (1/22/2021)


Block scammers to reduce the risk of them contacting you again

You got an email/text/phone call/instant message that you know is a scam. What do you do? First, don’t respond to them in any way. By responding to a scam in whatever format they try to contact you, you let them know that there is an actual person at the other end. You have just elevated yourself in the eyes of the scammers.

Once you have identified someone as a scammer you should block them to prevent them from contacting you again. On most instant messenger services, you can simply right click on the person’s name and then select the “block” option. This will ensure that they cannot contact you or even see you online. You can also block emails by going into your options and adding the person’s email address to your “Blocked Addresses” lists. If you do not block a scammer, they may continue bothering you or sending you potentially harmful files and links.

Report any suspicious messages received via official UTHSC means to abuse@uthsc.edu.

Visit the Office of Cybersecurity’s redesigned webpage for more information about this and other awareness topics and resources we provide. (1/15/2021)


Keep your computer secured and learn to recognize the signs of infection

A virus or malicious program may not directly damage your computer but may instead turn it into a zombie. A zombie computer is a computer that a hacker can direct to complete certain tasks, such as attacking another target. Always keep your devices secured with antivirus protection to avoid this and complete a full system scan if you suspect your computer has been compromised. A compromised computer may begin running sluggishly, start crashing or begin performing tasks on its own.

UTHSC devices should have Carbon Black installed. You can check to see if it is installed by searching your applications. For Windows, it will be an icon in the bottom right-hand corner of the screen (you may need to click on the up arrow), or go to the Start button and start typing Carbon Black. For Macs, the CB icon would be at the top of the screen, or look in /Applications for the folder “VMware Carbon Black Cloud”. Contact the ITS Help Desk (901.448.2222) if you don’t see Carbon Black on your UTHSC owned device.

For personal devices, anti-malware and antivirus protection should come from a reputable source. Windows 10 has Windows Defender already built into the operating system.

Students are eligible for one copy of the standard consumer version of Malwarebytes, provided at no additional cost to each student. Obtain your personal copy of Malwarebytes by going to https://my.malwarebytes.com/en/edu/email and entering your netid@uthsc.edu address.  You will be emailed a link to download Malwarebytes. (1/8/2021)


Social Networks Can Be Used to Spread Malware

Links and files on social networks can include viruses and malware. Never click on links from people that you don’t know and don’t download files that are sent to you through a social media platform. Be skeptical of any links that look unusual, such as a link that comes from someone you haven’t spoken to in a long time. Even someone you know could have their account hacked and used to send out malware. (12/18/2020)


Update your browser extensions and plugins

Old browser plugins may have security vulnerabilities. Update regularly to protect your computer. For your UTHSC Windows device, connect it to the VPN over the weekend to get updates. Macs are updated through the cloud. But don’t forget about your personal devices! Browser plugins, such as Flash, Java, and Acrobat, may become out of date and represent a security risk.

Update them on a regular basis or set them to update themselves automatically to ensure your computer is protected. Make sure to restart after updating.

A simple Google search will give direction on how to update whichever browser you use. Make sure you update all the browsers on your device. (12/11/2020)


NEVER Share Your Password

Even if you trust someone, you should never give out your password. Your communications could be intercepted, the other person may write your password down or save it somewhere, or the other person’s computer may be infected with malware. You cannot control what happens to your password after you give it out. The only solution is to never share your password with anyone else, regardless of how much you trust them. No one should ever need your password. (12/4/2020)


Children and Online Dangers – Educate Them Early

Children will face many dangers online: cyberbullying, predators, and even oversharing. Teach the children in your family about the risks they face online once they begin using the Internet, and encourage them to always follow their instincts and talk to an adult if something does not seem right. Monitoring their Internet usage and social media accounts will reduce risks further. (11/25/2020)


Holiday (Online) Shopping Reminders

With the upcoming holiday season, many of us will be searching for the ideal gifts that are “all the rage” and will be appreciated. We all know online shopping has become easier, especially with the increased use of mobile devices. Unfortunately, this is also the season where cyber criminals are on the lookout, creating fake shopping websites to scam and steal, infiltrating home networks, and even taking advantage of those recently received gifts such as smart home devices and smartphones.

So, while you’re out there deciding on the perfect gifts, use some holiday reference to remember these tips:

There’s no place like home for the holidays… for safer online shopping. Ensure your Wi-Fi Access Point (WAP) is secure!

  1. Change the SSID (Service Set Identifier) from the default router name to one unique to you and not easily guessed by “roamers.” Check your instructions that come with your router or call your provider for help.
  2. Also, change the default administrator password to the router.  Leaving a default passphrase unchanged makes it much easier for hackers to access your network.
  3. Ensure the passphrase is strong and remember – you only need to enter the password once for each of your devices!
  4. Many wireless networks support what is called a Guest Network. This allows visitors to connect to the Internet but protects your home network, as they cannot connect to any of the other devices on your home network.
  5. The next step is knowing what devices are connected to your wireless home network and making sure all those devices are secure.
  6. Hackers are making their list, checking it twice, and going to find out who’s locking their device…. the bad guys look for unlocked and unsecured devices, exposing your personal information to peeping and snooping eyes.
  7. If your locked device is lost or stolen, the lock itself will be the first line of defense against a security breach, and the screen lock enables encryption.  Depending on your device, you can set screen locks by:
    1. PIN
    2. Password/Passphrase
    3. Fingerprint / Facial Recognition

Also, if you’re one of the lucky ones to receive a new device as a gift, remember:

  1. Keep the device updated and even enable automatic updating.
  2. Only download mobile apps from trusted sources; the bad guys create mobile apps that appear to be legitimate but are actually malware.
  3. If you’re disposing of a mobile device, or even passing it down to someone not as lucky, ensure it is wiped!  That device has a wealth of information on it; wipe it before disposing of it.
  4. If you get a new phone, be sure and add it to your DUO account. For information about DUO, see https://www.uthsc.edu/its/cybersecurity/duo/.
  5. And – above all – To stay healthy and wealthy, you’ve got to be wise…. Keep your cyber smarts, be vigilant while out there in the internet mall.

Maintain your cyber hygiene and exercise caution, just as you would with your belongings in a crowded store.  Keep your cyber information secure while enjoying safe holiday shopping online, and be mindful to:

  1. Do business with retailers you trust and have even purchased from in the past.
  2. Cyber Monday, Black Friday – while we’ll see a host of awesome deals, compare prices and pictures of your preferred merchandise.
  3. Don’t use your debit card for online purchases; credit cards usually provide better liability protection both online and offline.
  4. Check up on Holiday Hackers – set up credit card statement alerts and review your statement at least once a week. (11/20/2020)

Back up key data on your mobile devices on a regular basis

Last week’s tip was about ransomware and a reminder to back up your data regularly. This week’s tip is a reminder not to forget the data that is on your mobile devices as well.

Just as you must back up the data on your desktop or laptop computer in case of hard drive failure, loss, or theft, it’s equally important to back up the crucial data that you store on your mobile device. Otherwise, this data could be lost forever if your mobile device is lost, stolen, or suffers a hardware failure. (11/13/2020)


Worried about Ransomware? Try the 3-2-1 Defense

The threat of ransomware is becoming more and more real. Whether the bad guys get in through a phishing email or by exploiting a vulnerability due to an unpatched machine, the idea that our/your data is locked up and can’t be accessed is a scary one.

What is the 3-2-1 defense?  It is pretty easy actually.

  • 3 copies of important data on
  • 2 different types of media, with at least
  • 1 of these copies off-site. 

What does this mean to you?  Take tax returns for example. You use software to create and file your federal income tax return. You store one copy on the computer you are using. Print out another copy and keep it in a secure place inside the home. Copy the electronic file to an encrypted external hard drive, thumb drive, or USB stick and store that at a family member’s house. 3-2-1.

If you have any questions about ransomware or any other cybersecurity topic, the Office of Cybersecurity can be reached at itsecurity@uthsc.edu or 901.448.1880. (11/6/2020)


Vishing – the Art of Phishing using Voice

A quick word of warning. Vishing, or voice phishing, is real, and you have probably been inundated with it. Also known as phone scams, these types of social engineering attempts work because it is easier to persuade someone to do something outside of normal behavior through voice than written word.

Have you or a family member gotten a call from the “Social Security Administration” that your account has been suspected of fraudulent activity and is suspended?  How about from your local power company saying your bill is delinquent, but can be paid with a gift card?

Bottom line, not all scams come via email. Don’t let yourself get suckered into taking action based on an unexpected phone call. Verify the information, not by ANY contact information the caller gives you, but from a known source, like an invoice or reputable web page. (10/30/2020)


Phishing - Can't Mention It Enough

Do we mention phishing too much? Doesn’t everyone know how to spot a phish by now? Apparently not. We still have way too many people who will fall for a phish. Want to know more about phishing, such as how to NOT fall for one, what are common themes, what different terms mean, and how to write an email that doesn’t sound phishy? Check out https://uthsc.edu/its/cybersecurity/phishing.php.

Report any suspicious correspondence to abuse@uthsc.edu. We can check to see if it is a legitimate email or a threat to our campus. (10/23/2020)


What to Report?

The quick answer is “anything suspicious”. But, if you want a more detailed explanation, see the Office of Cybersecurity’s webpage, What to Report. (10/9/2020)


Cleaning Out Your Old Data and Devices

During National Cybersecurity Awareness Month, these tips are going to be a little more in depth on specific steps you can take to help yourself be cybersecure. Today we look at old data and devices. Whether digital (old online accounts) or physical (old devices), not keeping information current exposes you to a lot of risk in the cyber world.

The Center for Internet Security (CIS) has created a newsletter concerning old data and devices. The information is below, but the original article can be found here in case you want to subscribe to their newsletter yourself or look at past articles.

Cleaning Out Your Old Data and Devices

Over the years, many of us have accumulated a mountain of CDs, hard drives, devices, online accounts, and other mediums that store information that are out there and unused. Outside of the key information you kept stored on purpose for long term use or retrieval, it is good to periodically assess and dispose of unneeded storage media and information. These days, information may be split between physical items you have in your possession and online accounts or cloud-based storage. This month’s newsletter will provide some details on how to manage your information and data, as well as how to safely dispose of those pieces you do not need any longer.

Cleaning up Online Accounts and Cloud Storage:

  • Clean your social media presence: It may have been years since you logged into an old social media platform that you no longer use. If that’s the case, consider removing any personally identifiable information like address, date of birth, and other less sensitive details from the account. Furthermore, consider closing the account entirely if you don’t think you’ll have reason to use it anymore. The fewer places you have personal information stored online, the better!
  • Keep your social media presence clean: On social media accounts that you still use, minimize the amount of personal information that you display. In particular, minimize how visible your information is to any untrusted individuals. This is especially important as those who are not approved to be your friend or contact on the platform will be less likely to view your personal information. Most sites offer this as a privacy option in the settings for your account.
  • Close old shopping and rewards accounts: If you do not plan on shopping on a particular site, please consider removing any payment or personal information and closing the account. If you rarely shop on a web site, consider if it’s necessary to maintain a user account. Most retail sites have a guest account option for temporary use, which lessens the likelihood of your information being saved.
  • Cloud storage and files: Many of us use cloud storage services of some sort, whether just for storing our photos from our devices, or for backing up and storing important files. Consider clearing out data and information periodically from these storage accounts that you will not need access to in the future.

Physical Storage – Digital and Paper:

  • CDs, DVDs, Floppy Disks, and other plastic disk media: CD and DVD discs can be shredded in many common household paper shredders (check to ensure your shredder is rated for this). After validating if you need the information or not, consider this best and irreversible method for destroying the unneeded information and the medium. Floppy disks (if you still have any!) can be destroyed by splitting open the plastic casing, removing the soft disk itself, popping out the metal hub, and then feeding the soft disk without that metal center into a household paper shredder.
  • Hard disk drives, Solid State Drives, and USB flash drives: When you are looking to get rid of an old computer (or another device with a hard drive) that you perhaps don’t use anymore, you should properly clean your data off the device before disposing of it or selling/donating it. You will want to ensure you properly move those family photos, important records, and everything else you want to keep onto a newer device or a disk/thumb drive before beginning the process of cleaning the data off. Next, you will want to either physically destroy the drive or perform the proper process of overwriting by using a utility to permanently erase the data. For physical destruction of drives, either utilize a paid service to properly destroy the device, or follow the US-CERT guidance linked below. For overwriting or permanent erasure of data, there are many software utilities available to perform these operations, some of which may be included with your operating system. US-CERT also provides guidance on some utilities and ways to do this properly. It is important to follow this guidance because simply moving files to the recycle bin or hitting delete doesn’t permanently remove them, as the information can be easily recovered if that’s all that has been done! This means your sensitive data is still possibly available to a malicious actor.

Smartphones, Tablets, Gaming Consoles, and other devices:

Perform a “hard reset” which will bring the device back to factory settings and remove your data securely. Always ensure no accounts are permanently logged in on the device. You can consult the maker of the device when seeking guidance on how to locate this setting or utility for that particular make and model.

Don’t Use Personal Information in Your Username

Revealing any personal information can be dangerous. We’ve warned everyone in the past about using birthdates, names of kids or pets, and other personal information when creating passwords, but keep that information out of your username when creating that as well.

Including sensitive information in your social media and other online account usernames could inadvertently lead to identity theft. Do not put information such as your age in your username; an identity thief could use this information to derive your date of birth.

Similarly, don’t reveal to the public maiden names, locations of birth, or current addresses. (9/25/2020)


Cyberbullying is a crime

Cyberbullying isn’t something that just happens to school-aged children, or a matter for K-12 school officials. This type of bullying, also called online bullying, can happen to anyone, at any age, who has an online presence. It is a crime and should be reported to local authorities. Whether it is happening to you, your child, your sibling or a friend, reporting it helps stop it.

Document everything and contact local authorities as well as school officials if it is happening in school. If a child is the victim of this type of crime, it also sends a message that they are protected and what is happening to them is wrong.

More information and resources can be found at https://www.stopbullying.gov/cyberbullying/what-is-it and feel free to reach out to the Office of Cybersecurity at itsecurity@uthsc.edu.  (9/18/2020)


Test the Strength of your Password

This week’s tip is a reminder about using strong, easy to remember but hard to guess, passwords or passphrases. There is a site, https://howsecureismypassword.net/, where you can test the strength of your password and how long it would take someone to guess it. Also, remember to use different passwords for every account. Reusing passwords makes it easy for someone to get into your entire life. (9/11/2020)


Limit who has access to your data

No matter if it is your personal data (information) or UTHSC data for which you are responsible, limit the access to sensitive data on a need-to-know basis. This will combat insider threats. Don’t send any data to someone who does not need to work with the data and is not authorized to do so. Periodically review who has access and remove those who don’t need it anymore.

If you wish to discuss insider threats, the classification of your data, or any other cybersecurity topic, contact the Office of Cybersecurity at itsecurity@uthsc.edu.

(9/4/2020)


Use trusted vendors and their apps, rather than a link

Hackers have become very adept at spoofing vendor webpages. Always shop with trusted vendors and type in the web address whenever possible instead of following a link. If you’re on your phone, download the vendor’s app from Google Play Store or Apple’s App Store, and use the app instead of a link out to a browser window. (8/28/2020)


Email and Texting can be used to spread malware

As I and MANY people I know got a text message on August 14 supposedly from AT&T about an “unsuccessful payment”, this week’s tip is a reminder that messages sent through email and instant messaging (IM) services may link to malware or viruses. You should avoid clicking on links or installing files that you receive through these services – even something that looks like a document or an image may be unsafe, especially if it comes from an unknown sender.

If you have any questions about any message you receive regarding UTHSC, don’t hesitate to forward that to abuse@uthsc.edu for examination.  (8/21/2020)


Virtual Conferencing – remain vigilant!

This week’s tip is one we’ve talked about before, and keep reminding people about, because we keep getting advisories from different agencies and groups that virtual conferences are still being hacked and used to get personal information from attendees. SANS, a reputable security awareness organization, has published a newsletter with tips on safely conducting conferences, no matter the platform.  (8/14/2020)


Confidentiality and Telehealth

This week’s tip is a direct response to a question asked of our Chief Information Security Officer (CISO), Dennis Leber, regarding the use of teletherapy and the confidentiality of those sessions. Whether you are in a clinic setting or not, you may have personally thought about visiting the doctor online instead of in person. The platform used in these sessions matters.

Q. Will [my clinic] be able to do FaceTime or GoogleDuo for the telehealth sessions?

A. What seems like a question with an easy answer is not so simple. Under the current declared pandemic, FaceTime and Duo are allowed by exception from HHS to utilize as a last resort to provide teletherapy, telehealth, telemedicine, etc. This also pertains to the University’s Zoom accounts; the current Zoom accounts are not HIPAA compliant.

However, the use of our current Zoom is appropriate under direction of HHS due to the pandemic to provide services to patients that cannot be served otherwise. I recommend the use of Teams; that solution has a Business Associates Agreement (BAA) in place and the security of that solution presents a lower risk of violating a patient’s privacy and security.

There is more to HIPAA than “compliant” software; one of the most overlooked items is, who has access to the patient data. When evaluating anything as HIPAA compliant this must be the paramount consideration.

Zoom was not developed, nor originally intended for Healthcare, nor telehealth.  Zoom’s intent is/was to provide a mechanism to enable business meetings. There are no original features of Zoom that consider the security and privacy rules of HIPAA.

Zoom has recently, after exposure of misleading customers of their privacy and encryption failures, developed a Healthcare version of Zoom.

With that said, we are under an exception, due to the National Pandemic. That declaration provides discretion from the Office of Civil Rights (OCR) in the levy of fines for use of non-HIPAA compliant solutions. Zoom is specifically called out as one of the non-compliant solutions (link below to that announcement). Teams, Zoom Healthcare, and others are later listed as the compliant solutions that require a pairing of a BAA.

https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html

Health and Human Services (HHS) points out that due diligence must occur through this emergency exception to reduce the risk of exposure of patient data. The announcement also states providers must inform the patient that the use of a non-secure tool is utilized during their session.

We (UTHSC) are in the process of implementing sub-accounts for all our users that require HIPAA “compliant” Zoom sessions. This is still a few weeks out before available, but will be deemed a HIPAA compliant Zoom account. Announcements will precede the release of the solution. We have a few efforts in selection of telehealth solutions that serve all users’ requirements across our University so we may provide a standard telehealth product to the enterprise.

Key items to consider:

  • The discretion by OCR is temporary, and focused on COVID-19 treatment
  • Use of Zoom under the exception forms expectations of its use and security to faculty and providers that will end. The exception must be utilized as a last resort, and after the risks are evaluated, to provide care to a patient; not the sweeping default. The link above speaks to that.
  • HIPAA protection goes beyond technology; it is truly the example of people, processes, and technology, in that order. It is paramount that people understand what constitutes HIPAA data, the processes in protecting that data, and if using technology, how all that ties together.
    • An example of current Zoom risk: a provider saves their patient’s information as contacts in their Zoom account – Your patient’s name, email address, phone number, address, etc. all fall under data you must protect. If you add your patients as contacts in Zoom, send them meeting invitations, or store any other patient PII in your Zoom account, you could be violating HIPAA if you have not utilized a HIPAA “compliant” solution.
  • The BAA defines the controls in place that deem a solution must follow in regards to the technical controls spelled out by HHS – https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf?language=es
  • We (UTHSC) are a covered entity; access to patient data is required in the course of doing one’s job. I refer back to the statement; consideration of who has access and why. Then protection of that data once we have control over it.

Let the Office of Cybersecurity know your questions. We are always available, and here to help enable you to accomplish your goals, and reduce the risk to your data from breaches. Willie Simon is the Deputy HIPAA Security Officer and leading efforts in the telehealth tool selection, and Melanie Burlison serves as the HIPAA Privacy Officer. You can reach out to any of us at any time for your HIPAA and security needs. Also feel free to reach out to the Office of Cybersecurity at itsecurity@uthsc.edu or 901.448.1880.  (8/7/2020)


Why Standardized Email Signatures are Important

UTHSC team, you may ask yourself why the Chief Information Security Officer is addressing email signatures. It is actually a simple and effective tool that aids in detection of phishing attacks. When all members of an organization follow the format of applying their email signature line consistently across the enterprise, then it serves as a quick visual check that an email may or may not be legitimate. 

Although it is easily duplicated by a nefarious actor, any deviation from the standard email signature format can serve as one more red flag that the email you received is a phishing attack.

UTHSC does require a standardized email signature line. You can find a tool HERE (NETID and Password required) which formats this required email signature for you. For more tips on how to spot phishing emails, and how to report and respond to them, and other cybersecurity tips visit the Office of Cybersecurity webpage HERE. (7/31/2020)


Mother’s Maiden name can be used by identity thieves. Keep it safe.

This week’s tip is a reminder about keeping all types of personal information safe. In addition to passwords and birthdays, your mother’s maiden name can also be used to steal your identity. A mother’s maiden name has long been used as a verification question for financial accounts, and social media has made it so that maiden names are often displayed alongside married names. (7/24/2020)


Securing Home Devices

We have reminded you in the past about securing home networks and devices, especially during this time of working/studying remotely. But HOW?!?!?! The Center for Internet Security (CIS) has produced a 30-minute recorded webinar on tips for securing small office and home networks. The webinar can be found at https://www.cisecurity.org/webinar/securing-home-networks-small-office-equipment/ (7/17/2020)


Shredding Hardcopy PII Files

This week’s tip is a reminder to shred all hardcopy files containing personally identifying information (PII) before you dispose of them. Criminals often go through unguarded garbage cans and recycling bins in an attempt to find documents that contain personally identifying information (PII).  They can use PII to steal people’s identities, such as of your fellow employees, fellow students, or the patients UTHSC serves. By shredding all hard copy files with PII before you put them in the trash or send them for recycling, you will prevent criminals from accessing confidential data. (7/10/2020)


Insider Threats

In this week’s tip, we talk about Insider Threat, which is a security risk that comes from within an organization. While it can be, it doesn’t necessarily mean the threat is a disgruntled employee. It could be someone socially engineered to do a bad thing, or someone who has access to information they shouldn’t and doesn’t know how to protect it.

Why should we care? – According to the 2019 Verizon Data Breach Investigations Report, 34% of data breaches involve internal actors.

What can we do? – a lot of things!

  • Notice odd behavior in coworkers. Are they trying to violate policies or bypass security? Are they disgruntled?
  • If you are a data or system owner, make sure that security controls are in place so that only the people who need access to the data have it, and only at the level they need to do their job (least privilege).
  • Monitor access to your data.
  • Train staff to adopt a data security mindset.

So now you are thinking about our campus and organization. Think beyond that.

What if the insider threat was to your family and your child is the one being socially engineered to give away a password or access to the “home” computer that has banking information on it?

What if the insider threat was a member of your church committee that has access to funds to help your charity organizations?

If you want to have a deeper discussion about insider threats or any other cybersecurity topic, please reach out to the Office of Cybersecurity at itsecurity@uthsc.edu or 901.448.1880. We’d love to talk with you and your group. (7/2/2020)


Virtual Conferencing Platform Security Tips

This week’s tip comes from the Center for Internet Security (CIS) and takes a broader look at securing conferencing applications, no matter which one you use. The majority of security issues have a lot to do with the users’ familiarity with the applications and their proper usage. First to remember is to download an application from a reputable source (we tell you this with any application). If using Microsoft Teams, make sure you are using your UTHSC O365 account.

The entire article can be found at CIS’s website, https://www.cisecurity.org/newsletter/virtual-conference-platform-security-tips/.

(6/26/2020)


Internet Safety for Kids

As a center for higher education, we tend to talk more about tips regarding the workplace. However, we all have family and friends with kids who need to be taught safe ways to use the internet. We have found a lot of useful information (videos, articles, and FAQs) at this information security training site, https://web.wizer-training.com/kids-internet-safety. Learn how to help kids online! (6/19/2020)


Reusing Passwords

This week’s tip is a reminder about how reusing passwords can get you into trouble. If you use the same password for different accounts, say for Instagram, your bank, UTHSC, and Amazon, if one of those organizations gets hacked and your credentials exposed, all someone would need to do is start searching for that same email address at different sites and plug in that password to gain access.

This week, we were notified that the Chronicle of Higher Education potentially was hacked and 3.5M members’ credentials were exposed. For UTHSC, that was 129 email addresses. Dennis Leber, our Chief Information Security Officer (CISO), advised those individuals and recommended directly to them to change the password for that site and for any other sites on which they might have used the same password.

Stay safe everyone! And make really strong, fun passwords! (6/12/2020)


Maintaining a Cyber Secure Home

Overview

In the past, building a home network was nothing more than installing a wireless router and several computers. Today, as so many of us are working, connecting, or learning from home, we have to pay more attention to creating a strong cyber secure home. Here are four simple steps to do just that.

Your Wireless Network

Almost every home network starts with a wireless (or Wi-Fi) network. This is what enables your devices to connect to the Internet. Most home wireless networks are controlled by your Internet router or a separate, dedicated wireless access point. They both work the same way: by broadcasting wireless signals which allow the devices in your house to connect to the Internet. This means securing your wireless network is a key part of protecting your home. We recommend the following steps to secure it.

  1. Change the default administrator password to your Internet router or wireless access point, whichever is controlling your wireless network. The administrator account is what allows you to configure the settings for your wireless network.
  2. Ensure that only devices you trust can connect to your wireless network. Do this by enabling strong security. Doing so requires a password to connect to your home network and encrypts online activities once connected.
  3. Ensure the password used to connect to your wireless network is a strong password that is different from the administrator password. Remember, your devices store passwords, so you only need to enter the password once for each device.

If you’re not sure how to do these steps, check your Internet Service Provider’s website or check the website of the vendor for your router or wireless access point.

Passwords

Use a strong, unique password for each of your devices and online accounts. The key words here are strong and unique. The longer your password the stronger it is. Try using a series of words that are easy to remember, such as sunshine-doughnuts-happy.

A unique password means using a different password for each device and online account. To remember all those strong passwords, use a password manager, which is a security program that securely stores all your passwords for you in an encrypted, virtual safe.

Additionally, enable two-step verification whenever available, especially for your online accounts. It uses your password, but also adds a second authentication step, such as a code sent to your smartphone or an app on your smartphone that generates the code for you. This is probably the most important step you can take, and it’s much easier than you think.

Your Devices

The next step is knowing what devices are connected to your wireless home network and making sure all of those devices are trusted and secure. This used to be simple when you had just a computer. However, today almost anything can connect to your home network, including your smartphones, TVs, gaming consoles, baby monitors, printers, speakers, or perhaps even your car. Once you have identified all the devices on your home network, ensure that each of them is secure. The best way to do this is to change any default passwords on them and enable automatic updating wherever possible.

Backups

Sometimes, no matter how careful you are, you may be hacked. If that is the case, often the only way you can recover your personal information is to restore from a backup. Make sure you are doing regular backups of any important information and verify that you can restore from them. Most mobile devices support automatic backups to the Cloud. For most computers, you may have to purchase some type of backup software or service, which are relatively low-priced and simple to use.

(6/5/2020)


Shopping Online Securely

I bet we’ve all increased our online shopping in the past few months. When you restrict going out, the internet is the way to shop. This week’s tip is a reminder that when shopping online, use credit cards instead of debit cards. If any fraud happens, it is far easier to recover your money from a credit card transaction. Gift cards and one-time-use credit cards are even more secure. (5/29/2020)


Phishing Currently in Use and What to Expect

We’ve mentioned COVID-19 phishing email and scams a few times in the past months, but the vast number of these attacks makes it necessary to remind as many people as we can of these scams. There have been an estimated 192,000 coronavirus-related phishing attacks per week over the past three weeks.

Also in the past three weeks, almost 20,000 new coronavirus-related web addresses were registered. An estimated 17% of them are fraudulent, malicious or suspicious.

What’s next for these phishers? Mortgage rescue scams and help with bills in general. With the “new normal” of government assistance, phishers have been designing campaigns to lure people by pretending to be banks, other lenders, or different government agencies offering to help out with bills, debt reduction and specifically mortgage help, as that is usually the largest purchase an individual makes.

Be on the lookout for the scams.  Remember the first principle of spotting a phish – if something looks like it is too good to be true, it probably is.

If you have any questions about emails received to your UTHSC account, forward them to abuse@uthsc.edu.  We’ll let you know if they are a phish, scam, or a legitimate email.  If it is a scam, you are probably not the only one that got it.  After it is reported, we can take steps to stop it reaching others in our community.

(5/15/2020)


World Password Day 2020!

This one may not have been on your radar, but the first Thursday in May is WORLD PASSWORD DAY! Take this time to think about the passwords you use, and when was the last time you reviewed them.

* A strong password should be a combination of characters such as commas, per cent signs, parentheses, upper-case letters, lower-case letters and numbers.

* Make your password as long as possible, to make it extremely tedious for a brute force attacker to crack your password. (Note: passwords of around three letters take less than a second to crack.)

* Do not use a word that would be in the dictionary or letters that are sequential on a keyboard. If your passphrase does not make any sense, then it is harder to crack.

* First write up a random passphrase and then, going letter by letter, keep adding either an upper-case letter, a number or a symbol.

* Do not use obvious details like your name, date of birth, or the place where you live in the password. All of that can easily be discovered online.

* Enable two-factor authentication. This will help you even if your password gets compromised, as the hacker would need your smartphone to gain access.

* Do not keep one password for all your accounts, as it will become the master key to your life, which, if lost, will have serious consequences.

(5/7/2020)


Stay one step ahead of thieves: devote a single credit card for online purchases to minimize your risk

As we are becoming more and more comfortable with online shopping, this week’s tip is an idea on how to minimize your risk when doing so. If you have more than one credit card, it might be tempting to use them all when you are shopping online at different sites. However, it’s prudent to designate one credit card for all your internet transactions.  That way, if an organization you’re buying items from is attacked by hackers, you will only need to report one credit card stolen to your financial institution and you’ll easily know which of your credit cards is affected. Additionally, you’ll still be able to use your other credit cards to purchase vitally needed goods and services while you await replacement of the stolen card. (5/1/2020)


Sharing Personal Information Helps Scam Artists

This week’s tip is a reminder about sharing personal information in social media. In this time of social distancing, we’ve been drawn to social media to stay connected. We are encouraged to share information about ourselves like pets’ names, the types of cars we own, and mothers’ maiden names, which are goldmines for criminals seeking answers to account security questions.

Even if you haven’t used personal information for security questions, sharing excessive information about yourself can allow attackers to craft targeted social engineering attacks against you.

People like to share things about themselves online for the same reasons they like to talk about themselves in real life. On the Internet, however, this information is potentially available to anyone in the world. Even if your profile information is only visible to people you’ve added as friends, there are many ways it could still end up on the open internet.

So if you get one of those “This looks like fun to learn more about each other” questionnaires, here are the answers to use:

  • First job – Stop
  • Current job – Sending
  • Dream job – Your
  • Favorite food – Potential
  • Favorite dog – Passwords
  • Favorite footwear – Or
  • Favorite chocolate bar – Memorable 
  • Favorite ice cream flavor – Data
  • Your vehicle color – To
  • Favorite holiday – People
  • Night owl or early bird? – Who 
  • Favorite day of the week – Collect
  • Tattoos? – This
  • Favorite color – For
  • Mother’s maiden name – Social
  • Father’s middle name –  Engineering

(Your mother’s maiden name better not be Social!)

(4/24/2020)


Securing that Home Network

This week’s tip is about your home network and ALLLLLLLL the devices that are on that network. While we tend to concentrate on UTHSC information, with a majority of our campus studying and working from home, take a moment to think about your home network and how to keep it safe.

The three top things you can do to secure your home network are:

  1. change your device’s default password. Whether it is a router, gateway, or whatever name your internet provider uses, if you haven’t changed the password on it, then it is already known outside of your home. 
  2. keep the software up-to-date. 
  3. if you don’t use the remote access feature, disable it. 

Think about all the devices that are on your network right now. Not just the computer you are using right now; how about the computers of all the family members stuck inside with you? Their mobile devices (smart phones, Kindles, watches, etc.)? How about smart appliances, such as your TV or refrigerator? Gaming platforms? Baby or pet cameras? There are probably more devices on your network than you think.

Check those privacy settings on that router or gateway and do your best to keep your information and devices private. 

(4/17/2020)


Personalized Scams

Cyber criminals now have a wealth of information on almost all of us. With so many hacked organizations, cyber criminals simply purchase databases with personal information on millions of people, then use that information to customize their attacks, making them far more realistic. Just because an urgent email has your home address, phone number or birth date in it does not mean it is legitimate.

Forward any suspicious scam to abuse@uthsc.edu.

(04/03/20)


Tips for Working Remote – Secure your Zoom Meetings

Meeting Settings:

  • Enable Require a password when scheduling new meetings or webinars through the Meeting tab of your Settings. Participants will then be required to enter a password to join the meeting. See Meeting and Webinar Passwords for more information.
  • Send participants to the Waiting Room. (Meetings only) Only the host can allow participants in the Waiting Room into the live meeting. See Waiting Room for more information.
  • Disable Join before host to ensure participants are not able to join the meeting before the host arrives. See Scheduling meetings for more information.
  • Disable In Meeting Chat through your Profile settings. Here you can toggle off allowing participants to chat. This is also where you can prevent users from saving chat. See Disabling In-Meeting Chat for more information.
  • Ensure only hosts can share their screen through Settings by un-checking Participants under Who can Share? See Managing participants in a meeting for more information. This is on by default.
  • Disable File Transfer in Settings, which will ensure participants are not allowed to share files in the in-meeting chat during the meeting. See In-Meeting File Transfer for more information.
  • Stop a participant’s video stream to ensure participants are not on video through Manage Participants. See Managing participants in a meeting for more information.
  • Click to Mask phone numbers in the participant list through the Telephone tab in Settings. This masks all telephone numbers called into the meeting.

Settings when scheduling your meeting or webinar:

  • Mute all participants that are already in the meeting and new participants joining the meeting through Manage Participants. You will be asked to confirm if you’d like to allow participants to unmute themselves. You can choose to uncheck this option. See Mute All And Unmute All for more information.
  • Lock your meeting allows hosts to lock the meeting right at the start (or when enough attendees have joined). At the point a meeting is locked, no other participants are able to join the meeting. See Can I Restrict My Meeting Capacity for more information.
  • Put participants On Hold through Manage Participants while in a meeting. When a user is put on hold, they will be taken out of the meeting until the host clicks to take the user off hold. See Attendee On Hold for more information.
  • Disable private chat through Manage Participants. This prohibits participants from private chatting with other participants. See In-Meeting Chat for more information. (04/03/20)

Cybersecurity – Why you Don’t Click on Links with “COVID”, “Corona” or “Vaccine” in them

It is pretty well known that you shouldn’t click on links in emails or what you find on social media. However, especially now when we are looking for the latest info about COVID-19, it is hard not to.

In one day alone in early March, registration for sites with “corona”, “covid”, or “vaccine” was over 800! Some were real sites, but some were not. Read more for a real-life example of a phish.

Stay safe (and healthy)! (04/01/20)


COVID-19 Phishing Scams

We have mentioned this before, but there continues to be a rise in phishing attacks and social engineering schemes using everyone’s concern about COVID-19. People will contact you posing as staff looking to gain access to our network. Fake COVID-19 websites are everywhere, with the intent of downloading malware if you visit them. If in doubt, err on the side of caution and safety.

(03/27/20)


Tips for Working Remote – Default passwords on home routers

In this world of telecommuting, ensure your home router is not using the default out-of-the-box username and password. Are you still using the username and password that is on a sticker on the side of the router? A quick Google search can help with steps to change your password. If you need help, contact your Internet provider.

(03/27/20)


Tips for Working Remote – using your own device

As many of our workforce and most of our student population have moved to working from home, we will be highlighting some tips that can be found on our working remote resource page, https://uthsc.edu/its/remote-work.

If you are using your home computer, make sure you have a password on it. Make a separate account for UTHSC work and don’t share that password with others who live with you.

(03/26/20)


Cybersecurity Fun (and Informative) Videos

The National Cyber Security Alliance has teamed up with sponsors to create some fun videos on potential security threats and best practices on different topics. This month’s topic is about what can happen if your laptop is stolen. The two-minute video can be found on the Information Security webpage, https://uthsc.edu/its/information-security along with the two previous videos.

(03/23/20)


Learning / Working Remotely

In our new normal, many organizations are giving suggestions on the best way to “telecommute” or work remotely or learn online. NIST (National Institute of Standards and Technology) has a good link that is user friendly: https://www.nist.gov/blogs/cybersecurity-insights/telework-security-basics.

Remember to continue to be cybersecurity conscious. Know your surroundings. Know that scammers are out there. Lock your computer when not in use. Many of our applications are web based and do not need a VPN to gain access. DUO (2-factor authentication) is used to protect many applications now.

Stay safe (and healthy)! (03/20/20)


Defending against COVID-19 Cyber Scams

Cybersecurity and Infrastructure Security Agency (CISA)


The Cybersecurity and Infrastructure Security Agency (CISA) warns individuals to remain vigilant for scams related to Coronavirus Disease 2019 (COVID-19). Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.

CISA encourages individuals to remain vigilant and take the following precautions.


Slam the SCAM

From the Office of the Inspector General, Social Security Administration

WHAT IS SLAM THE SCAM?

The Inspector General of Social Security, Gail S. Ennis, has designated a National “Slam the Scam” Day to warn Americans about widespread phone scams where callers impersonate government officials, most often Social Security, to gain your trust and steal your money. This is a National Consumer Protection Week initiative.

News Release: Inspector General Announces National “Slam the Scam” Day

On Thursday, March 5 at 11 a.m. ET, AARP will release a webinar with a consumer protection message from the Federal Trade Commission and colleagues from Medicare, the Internal Revenue Service, the Census Bureau, and SSA. During this webinar, you will learn how to recognize, report and keep you and your loved ones safe from government imposter scams. You can register for the event.

Also on Thursday at 11 a.m., we will be on Twitter with @USAgov participating in a #SlamTheScam chat, followed by a 1 p.m. ET Spanish-language chat hosted by @USAgovespanol. Please use #SlamTheScam when you tweet about phone scams to help us trend on Twitter and help spread the word. Then, at 7 p.m., we will be on Facebook Live with Social Security, to answer your questions and deliver our key messages:

  • HANG UP on phone scams
  • TELL your friends and family

Let’s SLAM phone scams together!

Please follow us on Facebook and Twitter for news about National Slam the Scam Day Events!

(03/05/20)


Email scams happen to everyone

Did you hear this week about Shark Tank judge, Barbara Corcoran, losing close to $400,000 in a phish? It really can happen to anyone! This week’s tip is a reminder on how to spot phishy emails. Is someone asking you to do something against policy or outside of normal practices? Do you know the sender and can verify the email address is theirs?

At UTHSC, emails contain [Ext] in the subject line if they come from an outside source. Use this reminder if an email looks like it is coming from a coworker, supervisor or professor. It is probably not from them, no matter what the name says.

Is the sender asking you for personal information? If so, use another way of communication to verify they sent the email. Go old school and call them on the phone. HOWEVER, don’t use the phone number they provide in the email! Use a phone number that you already have or can obtain from a reputable source.

Don’t click on a link in an email unless you verify the source and know where you are going to end up. Hover over the link, or with mobile devices, press and hold the link to see the actual URL. Read the URL carefully. Make sure it is going to bankofamerica.com and not bank0fam3rica.com. You might have caught the 3 instead of the “e”, but did you catch that the “o” in “of” was a zero?

If you receive any suspicious emails, forward them to abuse@uthsc.edu. We can advise you if they are from a credible source or a scam.

Any questions about phishing or any other Information Security topic, please reach out to your Information Security Team at itsecurity@uthsc.edu or 901.448.1880. (02/28/20)


Coronavirus-themed Spam Spreads Malware

Cyber Threat Actors Expected to Leverage Coronavirus Outbreak

February 2020 Volume 15 Issue 2
From the desk of Thomas F. Duffy, MS-ISAC Chair

Cyber threat actors (CTA) leverage interest during public health threats and other high-profile events in order to conduct financial fraud and disseminate malware. We expect that this trend will continue with the emergence of new and recycled scams involving financial fraud and malware related to the coronavirus outbreak.

Malicious actors are likely to post links to fake charities and fraudulent websites that solicit donations for relief efforts or deliver malware. The MS-ISAC observed similar scams and malware dissemination campaigns in response to previous high-profile events including Hurricane Harvey, the Boston Marathon bombing, the Royal Wedding, and the Tennessee wildfires. It’s highly likely that more scams and malware will follow over the course of the response period. Internet users should exercise caution before opening related emails, clicking links, visiting websites, or making donations to coronavirus relief efforts.

Warning Signs

As of February 1, 2020, the MS-ISAC had observed the registration of names containing the phrase “coronavirus.” The majority of these new domains include a combination of the words “help,” “relief,” “victims,” and “recover.” Most of the domains appear to be currently under development. However, as a few appear malicious and the domains themselves appear suspect, these domains should be viewed with caution. More domain registrations related to the coronavirus are likely to follow in the coming days.

The potential of misinformation during times of high-profile global events and public health threats is high and users should verify information before trusting or reacting to posts seen on social media. Malicious actors often use social media to post false information or links to malicious websites. The MS-ISAC observed similar tactics in the days following Hurricane Irma’s landfall and other natural disasters.

It is likely that CTAs will also capitalize on the outbreak to send phishing emails with links to malicious websites advertising relevant information. It is possible these websites will contain malware or be phishing websites requesting login credentials. Other malicious spam will likely contain links to, or attachments with, embedded malware. Victims who click on links or open malicious attachments risk compromising their computer to malicious actors.

How to Avoid Being the Victim

The MS-ISAC recommends that users adhere to the following guidelines when reacting to high-profile events, including news associated with the coronavirus, and solicitations for donations:

  • Users should exercise extreme caution when responding to individual pleas for financial assistance such as those posted on social media, crowd funding websites, or in an email, even if it appears to originate from a trusted source.
  • Be cautious of emails or websites that claim to provide information, pictures, and videos.
  • Do not open unsolicited (spam) emails or click on the links or attachments in those emails.
  • Never reveal personal or financial information in an email or to an untrusted website.
  • Do not go to an untrusted or unfamiliar website to view the event or information regarding it.
  • Malicious websites often imitate a legitimate website, but the URL may use a variation in spelling or a different domain (e.g., .com vs .org).

The MS-ISAC recommends that technical administrators adhere to the following guidelines when reacting to and protecting their networks and users during high-profile events, including news associated with coronavirus:

  • Warn users of the threats associated with scams, phishing, and malware associated with high-profile events and train users about social engineering attempts.
  • Implement filters at your email gateway to filter out emails with known phishing attempt indicators and block suspicious IPs at your firewall.
  • Flag emails from external sources with a warning banner.
  • Implement DMARC to filter out spoofed emails.

(02/21/20)


How to Make a Strong Password

With the initiative announced this week for everyone on campus to change their password, why not make it a strong one? Newsweek published an article last Saturday on 7 Tips to Create a Hack-Proof Password You’ll Actually Remember.

The article actually explains why it is so very important to have a strong, unique password. It needs to be memorable, but not personal (names of family members, pets, birth dates). The longer it is, the more complex and hard to guess. Never repeat or reuse passwords. All-in-all, lots of great information. (02/14/20)


Remove all Sensitive Data before Disposing of Devices

This week’s tip is a reminder that when you replace a computer, phone, tablet, etc., make sure you delete all sensitive data from the old device. It’s been a little over a month since you got your new electronic gadget for Christmas. You kept the old one around “just in case”, but now you can throw it away. Digitally wipe it clean before you dispose of it.

If you are replacing your computer or mobile device, it’s important to digitally wipe it clean before you dispose of it. Use a secure data deletion program and reformat hard drives and removable media to erase all traces of your information. You should also remember to clear the registry that contains much useful information. There are commercial products available to help you with this. (02/07/20)


Tax Identity Theft Awareness Week

Next week is Tax Identity Theft Awareness Week. What is tax identity theft? It is when someone uses your Social Security number to file a tax return in your name and steals your refund. With tax season now here, the FTC (Federal Trade Commission) is offering webinars and tips to fight against tax identity theft.

Tax Identity Theft Awareness Week is February 3-7. The Federal Trade Commission (FTC) Tax Identity Theft Awareness Week webpage will provide webinars and other resources from FTC and its partners throughout the week to help educate the public on how to protect against identity theft this tax season.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages taxpayers, businesses, and tax professionals to review the FTC announcement and the following resources for more information:

CISA’s Tip on Preventing and Responding to Identity Theft
FTC’s article on Tax-Related Identity Theft
Internal Revenue Service’s Taxpayer Guide to Identity Theft

(01/31/20)


Never share your passwords

This week’s tip is a reminder to never share your passwords. Not only is it against University policy, it is just a bad practice. A shared password is an unsecure password. Even if you trust an individual, never give them your password to any application. (01/24/20)


Passwords

Create passwords that cannot be found in a dictionary or easily guessed.
If your password can be easily guessed, it weakens security and might lead to a breach of your data or UTHSC data. Don’t choose passwords that use names or special dates, like birthdays and anniversaries. Attackers search social networking websites for personal details like these and try them as passwords. (01/10/20)


Secure New Internet-Connected Devices

During the holidays, internet-connected devices—also known as Internet of Things (IoT) devices—are popular gifts. These include smart cameras, smart TVs, watches, toys, phones, and tablets. Although this technology provides added convenience to our lives, it often requires that we share personal and financial information over the internet. The security of this information, and the security of these devices, is not guaranteed. For example, vendors often store personal information in databases, which may be vulnerable to cyberattacks or unintentionally exposed to the internet. Information breaches or leaks can enable malicious cyber actors to engage in identity theft and phishing scams.

The Cybersecurity and Infrastructure Security Agency (CISA) recommends users review CISA Tips on Securing the Internet of Things, Preventing and Responding to Identity Theft, and Avoiding Social Engineering and Phishing Attacks, as well as the following steps to make IoT devices more secure:

    • Use multi-factor authentication when available. Many manufacturers offer users the option to protect accounts with multi-factor authentication (MFA). MFA adds another layer of security and can significantly reduce the impact of a password compromise because the malicious cyber actor needs the other factor—often the user’s mobile phone—for authentication. See Supplementing Passwords for more information.
    • Use strong passwords. Passwords are a common form of authentication and are often the only barrier between you and your personal information. Some internet-enabled devices are configured with default passwords to simplify setup. These default passwords are easily found online, so they don’t provide any protection. Choose strong passwords to help secure your device. See Choosing and Protecting Passwords for more information.
    • Evaluate your security settings. Most devices offer a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more at risk. It is important to examine the settings—particularly security settings—and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of software, or if you become aware of something that might affect your device, reevaluate your settings to make sure they are still appropriate. See Good Security Habits for more information.
    • Ensure you have up-to-date software. When manufacturers become aware of vulnerabilities in their products, they often issue patches to fix the problem. Patches are software updates that fix a particular issue or vulnerability within your device’s software. Make sure to apply relevant patches as soon as possible to protect your devices. See Understanding Patches for more information.
    • Connect carefully. Once your device is connected to the internet, it’s also connected to millions of other computers, which could allow attackers access to your device. Consider whether continuous connectivity to the internet is necessary. If it isn’t, disconnect. See Home Network Security for more information. (12/31/19)

Stay on Top of Your Information

In this day and age, you need to know what information about you is out there and being used by others. One way of checking to see if your email address has been part of a breach is to use a monitoring service. One of these is monitor.firefox.com. Entering your email address will show if it has been part of a breach and what information might be compromised.

If you see your email address has been part of a breach, and you haven’t changed your password since the date of the breach, CHANGE YOUR PASSWORD on that account. Continually monitoring online activity is the best way of making sure your information is protected. (12/20/19)


What is SMiShing?

SMiShing involves text messages sent to you in an attempt to get you to visit a link or send personal or confidential data to the sender. The text message may claim to be from your cell phone provider and request your payment information, or may prompt you to click on a link and fill out a form to gain access to a prize. You should delete any unsolicited text messages; they are almost always attempts to gain personal or confidential data from you. (12/13/19)


Links Can Be Misleading - Take Another Look

Don’t just click on links that you have received through email or instant messenger. Even if the link text looks like a URL, the link could be going somewhere else. Instead, move your mouse pointer over the link without clicking on it. Look at where the link is going in the status bar. If the link is not going where it should be or is pointing to a file (such as a .exe), don’t click on the link. (12/06/19)
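
The two link checks described in this tip and in the “Email scams happen to everyone” tip (link text that differs from the real target, and digit-for-letter lookalike domains such as bank0fam3rica.com) can be automated. The following Python is an added example, not part of the original tips or a UTHSC tool; the allow-list, the sample email, the extra file extensions and all function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a short allow-list of domains the reader really uses.
KNOWN_DOMAINS = {"bankofamerica.com", "uthsc.edu"}

# Digit-for-letter swaps of the kind the tip describes (0 for o, 3 for e).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# ".exe" comes from the tip; the other extensions are assumptions.
RISKY_EXTENSIONS = (".exe", ".scr", ".bat")

# Matches link text that itself looks like a web address.
URLISH = re.compile(
    r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]\S*)?$", re.I
)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def text_host(text):
    """Host named in the visible link text, or '' if the text is not a URL."""
    match = URLISH.match(text.strip())
    return match.group(1).lower() if match else ""


def base_domain(host):
    """Last two labels of a host (simplification: ignores suffixes like .co.uk)."""
    return ".".join(host.split(".")[-2:])


def check_link(text, href):
    """Return the list of warning labels that apply to one link."""
    findings = []
    parts = urlsplit(href)
    domain = base_domain((parts.hostname or "").lower())

    # 1. The text looks like a URL but the link goes somewhere else.
    shown = text_host(text)
    if shown and base_domain(shown) != domain:
        findings.append("text-mismatch")

    # 2. The real target only matches a known domain after undoing digit swaps.
    if domain not in KNOWN_DOMAINS and domain.translate(LOOKALIKES) in KNOWN_DOMAINS:
        findings.append("lookalike")

    # 3. The link points at a file such as a .exe.
    if parts.path.lower().endswith(RISKY_EXTENSIONS):
        findings.append("file-download")
    return findings


def scan_email(html):
    """Check every link in an HTML email body."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return [(text, href, check_link(text, href)) for text, href in collector.links]


# Constructed sample email body; not a real message.
SAMPLE_EMAIL = """
<p>Your statement is ready:
<a href="http://www.bank0fam3rica.com/login">https://www.bankofamerica.com/login</a></p>
<p><a href="https://uthsc.edu/its/information-security">Information Security page</a></p>
<p><a href="http://files.example.net/invoice.exe">View invoice</a></p>
"""

if __name__ == "__main__":
    for text, href, findings in scan_email(SAMPLE_EMAIL):
        print(f"{', '.join(findings) or 'ok':<25} {text!r} -> {href}")
```

A clean result here only means none of these three checks fired; a link to an unfamiliar domain still deserves the manual look the tip describes.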


Delivery Phishing Scams

Holiday season is here, and we are all shopping more and more online. Scammers know that, and send out phishing emails letting you “track your packages” or “monitor your deliveries.”  DO NOT CLICK ON LINKS IN EMAILS! If you have had something shipped and wish to track it, go directly to the website where you purchased your items and track the package there. Don’t trust those email links! (11/27/19)


Report if you think you are a victim

Many phishing attacks can be quite convincing and you may not realize that you have fallen victim to one until too late. If you feel that you may have accidentally given out sensitive or confidential data, you should immediately contact the Service Desk or IT Security. They will be able to determine whether the email or call you received was legitimate.

IT Security can be reached at itsecurity@uthsc.edu or 901.448.1880.

Visit the ITS Service Desk for their Contact information.

It is much easier to investigate and contain an incident that happened 30 minutes ago, compared to 30 days ago! (11/22/19)


Suspicious calls or emails

If you are suspicious about a call or an email you receive, report it to IT Security. Anyone can contact you asking for information or to complete a task. If you believe that someone is attempting to get sensitive information that could lead to a security breach or lost revenue for you, report the contact to itsecurity@uthsc.edu. We can let you know if the incident is legitimate and try to stop it from happening to others on campus. (11/15/19)


Fun Video about Passwords

The National Cyber Security Alliance has teamed up with sponsors to create some fun videos on potential security threats and best practices on different topics. They will be released every couple of months.

The first video can be found at https://staysafeonline.org/blog/free-and-fun-security-awareness-videos-brought-to-you-by-adobe-the-national-cyber-security-alliance-and-speechless-inc/

Don’t forget to read the article underneath the video for some best practices on passwords! (11/08/19)


Keep your Laptops and Mobile Devices Safe

You should always secure your mobile device or laptop, especially when traveling or in an unfamiliar area. Your mobile device or laptop may have sensitive personal information on it. Never bring a device that contains work information anywhere if it isn’t necessary, and always keep an eye on your mobile device or laptop. Encrypt the data on your device or laptop, and ensure that it is password protected. If using a laptop for a long time in a single location, use a cable lock to ensure physical security. (11/01/19)


Encrypted Email – You Can Use It!

This week’s tip is a reminder that you have the ability to send sensitive information via email by encrypting the email. Any data considered Confidential and/or Classified (such as data covered by HIPAA and FERPA) should be encrypted if sent via electronic mail. Just type the word “encrypt” in the subject line when sending from your UTHSC email account on campus.

Use of the UT Vault is also a secure way of sending information.

The Email Best Practices policy can be found here: https://uthsc.policymedical.net/policymed/anonymous/docViewer?stoken=de47aa28-16aa-408b-9c96-cb04f232964fanddtoken=e9dbad30-2063-44a4-bc3d-bb19a50814a4 Specific information about email encryption can be found in section 1.f.

All UTHSC policies, standards and practices can be found here: https://uthsc.policymedical.net/policymed/artifact/list

Stay safe and keep your information safe also! (10/25/19)


Beware of a Gift Card Scam on Campus

Have you received an email recently from your “dean”, “department head” or another authority figure asking if you are available to help them? This is a new attempt at the gift card scheme. Phishers are using Gmail accounts, but spoofing the name of representatives from our campus, so at first glance it appears as if it is coming from them.

The email usually just asks if you are available. If you are nice enough to respond, they will tell you that they are away from campus “in a conference where they don’t have access to their UTHSC email”, and ask you to purchase gift cards with a promise of reimbursement when they get back.

We’ve seen the request for a present for a family member or to cheer up cancer patients. This is all a scheme. What they are hoping you will do is purchase the cards, scratch off the identifying number on the back and then text the information to the scammer (since they don’t have access to their email – they give out a phone number to text the information to).

Here’s what to do to protect yourself from this and all emails.

  • Look at the email address of the sender, not just the display name. Is it someone you know?
  • Are you expecting the email from the sender?
  • Is there a sense of urgency, meaning they need it done within a certain amount of time?

Stay safe out there. Any suspicious email should be forwarded to abuse@uthsc.edu for examination. We will let you know if it is valid or not.  (10/18/19)


Beware of Accepting Free or Found USB Flash Drives

Beware of accepting free or found USB flash drives. They may contain viruses and/or malware that can compromise your computer.

We’re accustomed to getting free promotional items, such as t-shirts or coffee mugs with company logos on them through the mail and at trade shows. Think twice before accepting a USB flash drive as a gift or using a flash drive that you’ve found in some random location. Criminals often put viruses and malware on USB drives and leave them around, hoping victims will pick them up and use them in their computers.

Protect UTHSC’s network and your computer by avoiding mysterious found or “gift” USB drives. (10/18/19)


Phishing

This week’s tip is a phishing quiz. Google has put together a quiz where you have to know (guess) if an email is a phish or real. It will ask you to make up a name and email address. Use fake information; the quiz only wants to show how phishers can personalize fake emails. The quiz can be found at https://phishingquiz.withgoogle.com/.

Some of them are real. You have to know your stuff! (05/17/19)


Pirated Software

This week’s tip is about the dangers of pirated software. You may think you are getting “a great deal” by buying non-licensed software, but there are hidden costs.

Many pirated copies of software contain malware that can infect your computer.

What you purchased may not even work. Most software companies have implemented a way of checking the registration.

This type of software also does not receive security updates, leaving your computer vulnerable to exploitation.

And then there are legal issues. Legally, you are basically denying the developer their legal compensation for the use of their software. Computer piracy is illegal. There are stiff penalties for breaking the law.

Be smart – only use licensed software to conduct UTHSC or your personal business. (05/10/19)


Bluetooth

This week’s tip is a recommendation to turn off Bluetooth if you are not using it on your computer or device. Not only does this make it more secure, but it also saves battery life. (05/03/19)


Email Attachments

This week’s tip is a reminder to use caution when opening email attachments.

A common method cyber criminals use to hack into people’s computers is to send them emails with infected attachments. People are tricked into opening these attachments because they appear to come from someone or something they know and trust. Only open email attachments that you were expecting. Not sure about an email? Call the person to confirm they sent it. (04/26/19)


Notre Dame Email Scams

This week’s tip comes a couple of days early, as we have been advised by multiple security organizations and agencies about scams around the Notre Dame Cathedral burning. Usually the scammers come out when a national or international event has taken place. If you wish to donate to this or any cause, make sure your donation is going to a reputable agency or organization.

Bad guys are exploiting the recent fire at the Notre Dame Cathedral in Paris. There are fake Facebook pages, tweets are going out with misinformation and fake charity websites are soon to follow. Bad guys are going to try to shock you and manipulate you into doing something in their interest. 

Don’t fall for any scams, and do not click on any links in emails, texts or social media. Whatever you see in the coming weeks about Notre Dame… THINK BEFORE YOU CLICK. (04/18/19)


Encrypting Mobile Devices

This week’s tip is about encrypting mobile devices. Data that is not encrypted on a mobile device could be easily accessed if the device is lost or stolen. If you need to keep sensitive data on your mobile device and have authorization to do so, password protect the device and consider encrypting the data.

Full device encryption for Android devices / Apple devices. (04/12/19)


Beware of Phone Scams

This week’s tip is a reminder that not all sneaky, phishing attacks come through email. More and more scams and attacks are happening over the phone. Whenever you get an urgent phone call pressuring you to do something (such as a caller pretending to be the tax department or Microsoft Tech Support), be very suspicious. It’s most likely a scammer trying to trick you out of money or pressure you into making a mistake. Protect yourself: simply hang up the phone. You are not being rude; the person on the other line is trying to take advantage of you. (04/05/19)


Clues You've Been Hacked

This week, instead of a tip, we have clues to recognize if you have been hacked. Staying vigilant about your information and your privacy settings is the best way of keeping you safe.

Some of the most common indicators that you may have been hacked include the following: Your friends tell you that they have received odd emails or messages from you, messages you know you did not send. Your password no longer works for one of your accounts, even though you know you never changed the password. Your anti-virus informs you that one of your files or computer is infected. You receive a pop-up message informing you that the files on your computer have been encrypted and you must pay a ransom to recover them. (03/29/19)


Facebook and Your Password

With the announcement this week that Facebook stored millions of users’ passwords in plain text (not encrypted, easily read), this week’s tip is about passwords and social media. Enabling two-factor authentication on any account you have helps protect your information, even with social media. Also, change your Facebook password and update your privacy settings.

You can Google “Facebook Passwords” and get many articles about the recent disclosure. Here is one: https://www.wired.com/story/facebook-passwords-plaintext-change-yours/

Basic Facebook privacy settings can be found here: https://www.facebook.com/help/325807937506242 (03/22/19)


Two-Factor Authentication (2FA)

No one calls signing in with a password “single-factor authentication”, but that is what it is. You use only one way of proving you are who you say you are for whatever system you are logging into, whether your O365 account at UTHSC, or Facebook, or your bank.

A more secure way of logging in is two-factor authentication. This means that you use two different methods to prove who you are.

When using 2FA, you have to use two out of three methods to prove yourself:

  • Something you know (password)
  • Something you have (smart phone)
  • Something you are (biometric scan, i.e. fingerprint)

Actually, 2FA is already on campus. If you’ve ever been a member of the fitness center (located in the SAC) you use 2FA. To get in, you have to type out your employee or student number (something you know), then place your right hand on a scanner (something you are). Both are needed to gain access.

2FA is a security measure. With 2FA, even if someone steals or guesses your password, without your smart phone verifying you are who you say you are, they can’t get into your account. When you log into an application that requires 2FA, a notification will appear on your phone asking you to either accept or deny access.

More communication on how we are going to implement this new feature will be coming. We hope everyone will use their smart phone as a verification source, but if you do not have a smart phone, we will have another way for you to use 2FA. (03/15/19)


Review Your Statements!

This week’s tip is a reminder to review your bank, credit card and any financial statements regularly to check for unauthorized activity. Also, if your bank or financial institution’s online banking does not offer/require two-factor authentication to log into your account, FIND ANOTHER BANK. 2FA is much more secure than just a password or PIN. (03/08/19)


Clues You've Been Hacked

This week’s tip is about some clues you should watch for to see if you’ve been hacked. Your friends tell you that they have received odd emails or messages from you, that you know you did not send. Your password no longer works for one of your accounts, even though you know you never changed the password. Your anti-virus informs you that one of your files or computer is infected. Stay vigilant! (03/01/19)


Social Media and Privacy

This week’s tip is a reminder about social media and privacy. Facebook, and other social media outlets, have been in the news because of investigations on how private they keep your data. Be mindful of your privacy settings on these applications. Make them as private as possible.
Also be aware of what you post, the site’s Terms and Conditions, and make a strong passphrase.
Awareness is the key! (02/22/19)


Mobile Device Data

This week’s tip is a reminder to back up your key data on mobile devices on a regular basis. Just as you must back up the data on your desktop or laptop computer in case of hard drive failure, loss, or theft, it’s equally important to back up the crucial data that you store on your mobile device. Otherwise, this data could be lost forever if your mobile device is lost, stolen, or suffers a hardware failure. Both Android and Apple have automatic backup options. (02/15/19)


Passphrase

This week’s tip is about passwords. The best password is a passphrase. Use as many characters as possible in your password. The longer it is, the harder it is for a hacker to guess. Make sure it is something you can remember though. Keep in mind that a good password is easy to remember, but hard to guess. (02/07/19)


Email Attachments

This week’s tip is a reminder to be cautious when opening email attachments. Cyber criminals will hack into people’s computers by sending emails with infected attachments. People are tricked into opening these attachments since they appear to come from someone they know and trust. Only open email attachments that you were expecting. Not sure about an email? Call the person to confirm they sent it.  (02/01/19)


Helpful Tools

This week’s tip is some helpful tools you can use to know some things about your online presence.

First, search yourself online. See what information is publicly available about you and your family. This is as easy as using Google, Yahoo, Bing or any other search engine. Type out your official given name, and any variations of your name (nicknames) that you are called. Check for children, elderly parents, or other family members who may not know how to search.

Second, test your passwords to see how strong they really are. You can Google “Password tester” or try this website, https://howsecureismypassword.net/. Here, you can type out any password or passphrase you use and see how quickly a bad guy could guess it.

Third, check your email addresses to see if they have been part of any data breaches. The website https://haveibeenpwned.com/ allows you to check any email address to see if that account has been compromised in a data breach. If so, it tells you in what breach they found that email address.

If, when researching, you find your email address is part of a breach that has happened since your last password reset, CHANGE YOUR PASSWORD on that account.

Any questions about using these tools, contact the Information Security Team at itsecurity@uthsc.edu.

Stay safe! (01/25/19)


Tax Season

With the W2s available, it is the official start of the tax season. Be aware that every year, there are those who want to scam you out of your return, pretend to be the IRS demanding back taxes, or steal your identity with your tax documents. Remember your Information Security Training about social engineering and phishing. Read more for a more detailed explanation and helpful resources.

It’s Tax season – Don’t be a victim!

It’s tax season and soon the W-2s and associated forms will start circulating, which means we must be aware of tax scams. In past years, there have been three popular scams criminals have used that people fall victim to. The three scams include falsifying tax returns and filing them in a victim’s name, calling a victim and pretending to be Internal Revenue Service (IRS) agents, and phishing e-mails.

Falsifying tax returns and filing them in a victim’s name can occur when a malicious actor finds or receives information about the tax filer, including the filer’s name, address, date of birth and Social Security number. The malicious actor then uses this information to file a malicious tax return, citing as many deductions as possible, in order to create the largest tax return possible.

Another scam occurs when the malicious actor contacts the victim and tries to convince the victim to do something, such as immediately paying a fine or providing their financial information so a refund can be issued. In these instances, the malicious actor uses what they know about the victim, often information gained from a data breach or social networking website, to convince the victim that the caller has access to the victim’s tax information. Frequently during these calls, the caller will pretend to be an IRS agent.

In the third type of tax scam, malicious actors use tax-related spam, phishing emails, and fraudulent websites to trick victims into providing login names, passwords, or additional information, which can be used in further fraud. Other emails or websites may also download malware to a person’s computer that may make them vulnerable to tax fraud.

Be Cautious

  • Watch for “spoofed” websites that look like the official website but are not.
  • Don’t be fooled by unsolicited calls. The IRS will never call to demand immediate payment or require you to use a specific payment method such as pre-loaded debit or credit cards, or wire transfers. They will never claim anything is “urgent” or due immediately, nor will they request payment over the phone. If you owe taxes, the IRS will first mail you a bill, before contacting you through another medium.
  • The IRS will not be hostile, insulting, or threatening, nor will they threaten to involve law enforcement in order to have you arrested or deported.
  • Sometimes malicious actors change their Caller ID to say they are the IRS. If you’re not sure, ask for the agent’s name, hang up, and call the IRS (or your state tax agency) back using a phone number from their official website.

Recommendations

If you believe you are the victim of identity theft or identity fraud, there are a couple of steps you should take:

  1. File a report with your local law enforcement agency.
  2. File a report with the Federal Trade Commission (FTC) at identitytheft.gov.
  3. File a report with the three major credit bureaus and request a “fraud alert” for your account (Equifax – equifax.com, Experian – www.experian.com, TransUnion – www.transunion.com).

If you receive spam or a phishing email about your taxes, do not click on the links or open any attachments. Instead, forward the email to phishing@irs.gov. Other tax scams or frauds can be reported according to the directions on this IRS Suspected Tax Fraud web page.

This week’s tip comes from our friends in Knoxville, from the OIT’s IT Weekly Newsletter. (01/18/19)


Be Suspicious!

This week’s tip is a reminder to be suspicious of people you don’t know who ask for sensitive information. “Social engineers” use lies and manipulation to trick people into giving away sensitive information, such as usernames, passwords, and credit card numbers. Don’t fall for it!

Follow these best practices: always maintain a healthy sense of skepticism when dealing with unknown individuals, especially if they ask for any internal or sensitive information.  (01/14/19)


Securing New Devices

Three weeks ago, the tip of the week was about securing mobile devices when traveling during the holidays. But what if you got a NEW device as a gift? Did you get a new smart TV, phone, watch or toy? Do you know how to make a device more secure when you set it up? Here are some helpful tips hopefully you already have put in place, but if not...do so!

During the holidays, internet-connected devices also known as Internet of Things (IoT) are often popular gifts—such as smart TVs, watches, toys, phones, and tablets. This technology provides a level of convenience to our lives, but it requires that we share more information than ever. The security of this information, and the security of these devices, is not always guaranteed.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), recommends these important steps you should consider to make your Internet of Things more secure:

Use strong passwords. Passwords are a common form of authentication and are often the only barrier between you and your personal information. Some Internet-enabled devices are configured with default passwords to simplify setup. These default passwords are easily found online, so they don’t provide any protection. Choose strong passwords to help secure your device. See Choosing and Protecting Passwords for more information.

Evaluate your security settings. Most devices offer a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more at risk. It is important to examine the settings, particularly security settings, and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of software, or if you become aware of something that might affect your device, reevaluate your settings to make sure they are still appropriate. See Good Security Habits for more information.

Ensure you have up-to-date software. When manufacturers become aware of vulnerabilities in their products, they often issue patches to fix the problem. Patches are software updates that fix a particular issue or vulnerability within your device’s software. Make sure to apply relevant patches as soon as possible to protect your devices. See Understanding Patches for more information.

Connect carefully. Once your device is connected to the Internet, it’s also connected to millions of other computers, which could allow attackers access to your device. Consider whether continuous connectivity to the Internet is needed. See Securing Your Home Network for more information.

Brought to you by US-CERT (United States Computer Emergency Readiness Team). (01/04/19)


Online Shopping

This week’s tip will be the last one for this year. While hopefully you have completed your holiday shopping, this tip is a suggestion for shopping online.
When shopping online, always use your credit cards instead of a debit card. If any fraud happens, it is far easier to recover your money from a credit card transaction. Gift cards and one-time-use credit card numbers are even more secure.

Have a wonderful and safe holiday break. Remember to keep your information secure, no matter what form it takes. (12/21/18)


Holiday Travel

This week’s tip is about securing your mobile devices during holiday travel. It comes from the United States Computer Emergency Readiness Team (US-CERT). There are a number of tips and explanations if you read more.

Know the risks

Your smartphone, tablet, or other device is a full-fledged computer. It is susceptible to risks inherent in online transactions. When shopping, banking, or sharing personal information online, take the same precautions with your smartphone or other device that you do with your personal computer — and then some. The mobile nature of these devices means that you should also take precautions for the physical security of your device (see Protecting Portable Devices: Physical Security for more information) and consider the way you are accessing the internet.

Do not use public Wi-Fi networks

Avoid using open Wi-Fi networks to conduct personal business, bank, or shop online. Open Wi-Fi networks at places such as airports, coffee shops, and other public locations present an opportunity for attackers to intercept sensitive information that you would provide to complete an online transaction.

If you simply must check your bank balance or make an online purchase while you are traveling, turn off your device’s Wi-Fi connection and use your mobile device’s cellular data internet connection instead of making the transaction over an unsecure Wi-Fi network.

Turn off Bluetooth when not in use

Bluetooth-enabled accessories can be helpful, such as earpieces for hands-free talking and external keyboards for ease of typing. When these devices are not in use, turn off the Bluetooth setting on your phone. Cyber criminals have the capability to pair with your phone’s open Bluetooth connection when you are not using it and steal personal information.

Be cautious when charging

Avoid connecting your mobile device to any computer or charging station that you do not control, such as a charging station at an airport terminal or a shared computer at a library. Connecting a mobile device to a computer using a USB cable can allow software running on that computer to interact with the phone in ways that a user may not anticipate. As a result, a malicious computer could gain access to your sensitive data or install new software.

Don’t fall victim to phishing scams

If you are in the shopping mode, an email that appears to be from a legitimate retailer might be difficult to resist. If the deal looks too good to be true, or the link in the email or attachment to the text seems suspicious, do not click on it!

What to do if your accounts are compromised

If you notice that one of your online accounts has been hacked, call the bank, store, or credit card company that owns your account. Reporting fraud in a timely manner helps minimize the impact and lessens your personal liability. You should also change your account passwords for any online services associated with your mobile device using a different computer that you control. If you are the victim of identity theft, additional information is available from https://www.idtheft.gov/.

For even more information about keeping your devices safe, read Cybersecurity for Electronic Devices. (12/14/18)


Check the Sender

This week’s tip is about checking your email on mobile devices and finding out the sender’s actual email address. Most apps only show the “display name” of the sender on screen and not the email address with whom it is associated. However, if a friend or colleague’s name is spoofed, it looks like the email is from them. On most apps, you can click on, or press and hold on, the sender’s name in the email to see the details about the sender’s email address. If this doesn’t work, research how to see the email address for the specific app and device you are using. (12/07/18)
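The sender checks from this tip and from the gift card scam tip, written out as a small Python sketch. This is an added example, not UTHSC tooling: the example.edu domain, the directory entries and the sample headers are constructed, and the Reply-To comparison goes slightly beyond what the tips describe.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed for this example: a tiny directory that maps normalized display
# names of campus staff to their official addresses (hypothetical people).
DIRECTORY = {
    "jane doe": "jdoe@example.edu",
    "john smith": "jsmith@example.edu",
}
TITLES = {"dr", "prof", "professor", "dean", "mr", "mrs", "ms"}
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def normalize_name(display):
    """Lower-case a display name, drop titles and punctuation, and turn
    'Doe, Jane' into 'jane doe' so spelling variants compare equal."""
    if "," in display:
        last, _, first = display.partition(",")
        display = f"{first} {last}"
    words = re.findall(r"[^\W\d_]+", display.lower())
    return " ".join(w for w in words if w not in TITLES)


def domain(address):
    """Return the part after the last '@' (empty string if there is none)."""
    return address.rpartition("@")[2]


def check_sender(from_header, reply_to=""):
    """Return a list of findings for one message's From / Reply-To headers."""
    findings = []
    raw_name, address = parseaddr(from_header)
    # Display names may be RFC 2047 encoded ("=?utf-8?q?...?="); decode first.
    display = str(make_header(decode_header(raw_name)))
    address = address.lower()

    # 1. The display name is a known campus person, but the real address
    #    is not that person's official address.
    official = DIRECTORY.get(normalize_name(display))
    if official and address != official:
        findings.append("name-impersonation")

    # 2. The display name itself contains an email address that differs from
    #    the real one; many mobile apps show only the display name.
    embedded = ADDRESS_RE.search(display)
    if embedded and embedded.group(0).lower() != address:
        findings.append("address-in-display-name")

    # 3. Replies would go to a different domain than the visible sender.
    reply_address = parseaddr(reply_to)[1].lower()
    if reply_address and domain(reply_address) != domain(address):
        findings.append("reply-to-mismatch")

    return findings


if __name__ == "__main__":
    # Constructed sample headers.
    samples = [
        ('"Dr. Jane Doe" <jane.doe.dean@gmail.com>', ""),
        ("Jane Doe <jdoe@example.edu>", ""),
        ('"jdoe@example.edu" <helper123@gmail.com>', ""),
        ("Jane Doe <jdoe@example.edu>", "jane.doe.dean@gmail.com"),
    ]
    for from_header, reply_to in samples:
        print(from_header, "->", check_sender(from_header, reply_to) or "ok")
```

A clean result only means these three header checks passed; it does not show that a message is legitimate.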


Protecting Against Identity Theft

As the holidays draw near, many consumers turn to the Internet to shop for goods and services. Although online shopping can offer convenience and save time, shoppers should be cautious online and protect personal information against identity theft. Identity thieves steal personal information, such as a credit card, and run up bills in the victim’s name.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages consumers to review the following tips to help reduce the risk of falling prey to identity theft:

If you believe you are a victim of identity theft, visit the FTC’s identity theft website to file a report and create a personal recovery plan. (11/30/18)


Holiday Shopping

At this time of year, we cannot stress enough to be cautious in holiday shopping, whether online or in person. If shopping online, make sure the website is secure with an https:// or a lock icon by the URL field.

Don’t click on links wanting you to track your holiday packages. Go to the shipping site directly. Be aware of who is handling your credit card when it is not in your possession.

Lifelock has a good article on tips for online shopping. It can be found at https://www.lifelock.com/learn-internet-security-safe-holiday-online-shopping-tips.html.

(Or search the Internet and find the article instead of clicking on a link!) (11/21/18)


National Fraud Day

November 11th was Veterans Day. We want to take a moment to thank all Veterans for their service.

Yesterday was also National Fraud Day. Unfortunately, fraud is a worsening problem. According to Javelin Strategy and Research, there were 16.7 million victims of identity fraud in 2017, beating the previous year’s record high. The total cost of that identity theft was a staggering $16.8 billion, and nearly a third of US consumers had to be notified of some sort of breach (remember the Equifax breach? There’s a good chance that you were one of the 143 million people affected by it). Account takeovers also tripled in 2017, causing a total of $5.1 billion in damages. On an individual level, each victim paid an average of $290 out-of-pocket and spent 15 hours trying to resolve the fraud. Not the way I’d like to spend my spare time or money!

So how can we as consumers protect ourselves? Passwords are a great place to start. Of those that participated in the Consumer Fraud Awareness survey by Shred-It, half felt that their security practices made them vulnerable (49%) and admitted to reusing passwords and PINs (51%). Clearly, consumers understand that bad password habits make them vulnerable, but they don’t change these habits. Perhaps the thought of having a strong password for each online account is too daunting. If you feel that way, maybe a password manager is an option to consider. At the very least, make sure that your financial accounts have strong passwords, even if it requires a little extra effort to remember them. Another option is good old-fashioned pen and paper. While you don’t want to leave Post-it notes with your most sensitive passwords on every surface of your cubicle or office, writing down an important password and keeping it in a fireproof lockbox is never a bad idea when the alternative is creating a weak password or reusing a password.

Finally, keep an eye on your accounts. You won’t be able to respond to an incident if you don’t know that it’s happened. Check your bank statements frequently and don’t forget that you’re entitled to one free credit check a year from each of the Big Three credit reporting agencies. If you spread these checks out throughout the year, you can check your credit at annualcreditreport.com for free every few months to make sure that someone hasn’t stolen your identity and is opening up lines of credit in your name.

Article: https://threatpost.com/threatlist-despite-fraud-awareness-password-reuse-persists-for-half-of-u-s-consumers/138846/   (11/16/18)


Ctrl-Alt-Delete

This week’s tip is a reminder that when you leave your seat, Ctrl–Alt–Delete! Make sure you lock your workstation or laptop while you are away from it. On a Mac? Try Control–Shift–Eject/Power. (11/02/18)


What is a Social Engineer?

This week’s tip is a reminder never to give out information without first verifying the identity of the person requesting it. A social engineer is a person who attempts to get confidential information purely through social skills, such as by calling and asking for passwords or other sensitive information. They will often claim to be a member of your organization or an organization that works directly with you, and may even know detailed information about your organization and your coworkers. Never give out information to anyone without verifying their identity first. Use a second means of communication to verify. This means that you shouldn’t reply to an email for verification but pick up a phone and call the requester, or go see them in person. (10/26/18)


Encrypt Sensitive Data

This week’s tip is a reminder to encrypt any sensitive data when stored and transmitted. This goes for internal emails also, not just information leaving the UTHSC system. The use of the vault (https://vault.utk.edu) is the best way to send confidential files quickly and securely. You can also encrypt emails by adding the word “encrypt” to the subject line of any email from the UTHSC domain.

More information about email encryption can be found at https://www.uthsc.edu/its/information-security/encrypt-your-email.php. (10/19/18)


Lock Your Mobile Devices

This week’s tip is short and sweet. Lock your mobile devices. Every one of them. Make sure your family members are locking theirs also. Think of how many apps have passwords that your phone or tablet automatically stores so that you don’t sign in every time you launch the app. Think about how much information someone could get if they got your phone and could access all that data. (10/12/18)


IoT Devices

The world’s population is 7.2 billion people. There are 255 births globally per minute. What is growing faster than that population? The Internet of Things. By 2020, it is estimated that there will be almost 31 billion IoT devices. Each one of these devices that connect you to the internet is a way into your network and your information. Change the default password on all these devices!

These are your smartphones, your in-home monitoring devices, your doorbells, kitchen appliances, TVs, insulin pumps, heart monitors, lawn mowers (believe it or not!), tablets… and the list goes on and on. (10/10/18)


National Cybersecurity Awareness Month is Here!

This week’s theme for National Cybersecurity Awareness Month is “Make your Home a Haven for Online Safety”. Our UTHSC community consists of members from every generation with different thoughts on technology. What we all have in common though, is a need for safety when using the internet, whether at home or at work.

Did you know that 48% of U.S. consumers intend to buy at least one smart home device in 2018? Privacy and security are of great concern when purchasing these devices. Everyone, no matter what generation, needs to continuously learn about and practice good cybersecurity at home.

Don’t be the weakest link!  Tips for staying safe online can be found at Stay Safe Online. (10/04/18)


USB Drives and Viruses

This week’s tip is a caution about USB drives. Remember that USB drives can carry viruses. Once plugged into a computer, a USB drive can transfer a virus or other malware to your system. Never plug an unknown USB drive into your device. Keep your USB drives clearly marked to prevent any confusion between you and your coworkers and always keep them in a specific place. (09/27/18)


Seriously - Never Share Your Password!

This week’s tip is a reminder to NEVER SHARE YOUR PASSWORD. If anyone is asking for your password, it is NOT for a legitimate reason. Your password is your gateway to whatever system you are accessing, whether it is a system on campus with your NetID, or your banking information, social media accounts, or other systems. Don’t give your access away. Keep your passwords private! (09/20/18)


Don't Click on Phishing Links

Because of the persistent phishing attempt that happened last Friday afternoon and over the weekend, this week’s tip is a reminder to not click on links in emails. While the phish was cleverly created, using a Subject line from a compromised account that was a current conversation, a hover over the link would have alerted everyone that it was not an Office 365 or Outlook message.

Take time before clicking on links to verify that each one goes to a site you are expecting. This attack was widespread because it was pretty clever. We have to be just as clever and vigilant!

If your account was compromised and you have yet to speak to the Information Security Team about the content of your UTHSC emails, please contact the team at 901-448-1880.  (09/14/18)


National Preparedness Month

September is National Preparedness Month. While this is usually thought of as readiness for a natural disaster, the same is true about preparing for a cyber-related event, such as identity theft or a ransomware attack.

People are encouraged to be prepared in case of a cyber-related event by regularly backing up files, keeping digital copies of important documents somewhere other than your computer (e.g., in the cloud), and regularly running antivirus scans.

Learn more about individual and family emergency preparedness at Ready.gov. For additional resources on preparing for and responding to unexpected cyber-related events, see Ready.gov/Cybersecurity and the following NCCIC (National Cybersecurity and Communications Integration Center) Tips:

Stay safe and prepared!  (09/07/18)


Don't Open Attachments

This week’s tip (reminder) is about not opening attachments in emails. If you are not expecting a document to be delivered to you, proceed with caution! Email is an easy gateway to your devices and information. Macros in Word documents or PDFs can trigger things to happen that you aren’t even aware of. If you receive an attachment you are not expecting, contact the sender to ask about it. Don’t reply to the email, but use a second way of communication to verify. (08/31/18)


Change that Password

This week’s tip is to change your password immediately if you suspect that you have been compromised. This applies to your UTHSC NetID password, your banking accounts, social media accounts and everything else that is password protected. Also, NEVER use the same password for multiple accounts. Each account should have its own unique password. (08/24/18)


Just Don't Click!

This week’s tip is a reminder not to click on links in emails, even if it is from someone you supposedly know. UTHSC was hit hard this week with many people giving away their NetID passwords in a phishing scam. The phishers then used the Sent Items of those compromised accounts to pretend to “continue” a conversation, using the Subject line of a previous email, but asking the person to click on a link and sign in to read a message. This gave the bad people even more NetIDs and passwords to continue the phish.

Remember:

  • Do not click on links in emails!!!!!
  • If you have concerns about an email, call the person and ask if it is legitimate. DO NOT reply to the email, as the bad people have control of the account. Use a second means of communication.
  • Hover over links in emails to see exactly where they want you to go.
  • Do not click on links in emails!!!!!
  • Report any suspicious emails to abuse@uthsc.edu. The quicker we know, the faster we can stop the attack.
  • Do not click on links in emails!!!!!

Stay safe out there in the cyber world!

For more information, or if you would like an Information Security Team member to come talk to your group about this or any other InfoSec topic, contact the team at itsecurity@uthsc.edu. (08/17/18)


Password Protection and Reporting Suspicious Emails

Part One

You have been advised time and again not to share your password with anyone. That’s great! You know it and live it. But what happens when someone asks for it? You know not to give it out, but what do you say to this person (on the phone or in front of you)? You don’t want to be “rude,” you want to be accommodating, and you are starting to stress because you don’t know how to respond.

Here is your response: “I have been told never to share my password with anyone. I will not give it to you.” THE END

If they insist, simply repeat the script. It is all you need to say.

Part Two

This campus cannot be protected without you, the people. And yes, I mean you – each and every single one of you. It is invaluable when a scam or phishing email is reported to abuse@uthsc.edu. As soon as it is reported, we go to work. If it is a link to a bad URL, we work with Networking to block the site so no one can get to it while on our network. If it is a wide-spread attack or a malicious download, we work with Systems to remove the email from everyone’s inbox so that no one has to even see it. Timeliness is the key. The sooner we know, the sooner we can act. Most of the time, the bad people don’t send the bad emails to us personally, so we don’t know about it until someone reports it.

So, the big, well deserved THANK YOU goes out to everyone who reports these phishes and scams to abuse@uthsc.edu. Your help is appreciated more than you know. We invite everyone to send in your suspicious emails. Even if you are unsure, forward them to us. We’ll let you know if it is legitimate. Better safe than sorry. (08/10/18)


Toolbar Downloads

This week’s tip is about those pesky toolbars that software downloads want you to load. These usually come as a small check mark when downloading software (as a “free” install). These toolbars can be a nuisance or even malicious. Be cautious about what you download! (08/03/18)


Protect Your Personal Information

Companies you do business with should never ask for your account information, credit card numbers or password in an email. If you have any questions about an email you receive that supposedly came from your financial institution or service provider, contact them directly (not by replying to the email) to verify. (07/27/18)


Tech Support Scams

The Federal Trade Commission has released an alert on tech support scams. Scammers use pop-up messages, websites, emails, and phone calls to entice users to pay for fraudulent tech support services to repair problems that don’t exist. (07/20/18)


Use Care When Logging In

This week’s tip is a reminder to be careful WHERE you log in. Don’t log in to untrusted devices. A password is only as secure as the computer or network it is used on. As such, never log in to a sensitive account from a public computer, such as computers in a cyber cafe, hotel lobby or conference hall. (07/13/18)


Don't Click Links!

At least in unsolicited emails, that is.  Holiday weeks usually see a spike in phishing attempts, and this week was no exception. Did you get an email this week with a subject of “Thank you for your contribution” or “Termination Notice”? How about “Update Required!!” or “PART TIME JOB OPPORTUNITY”? (Got to love the ALL CAPS!). (07/06/18)


Managing Your Privacy Settings Online

You get great advice that you need to manage your privacy settings, but how do you go about doing that on each app that you have? The National Cyber Security Alliance has a great web page that gives clear instructions on how to manage your privacy settings for many common apps. (06/29/18)


Safety Awareness Month

Does anyone know what June is? It still is Internet Safety Awareness Month. This week’s tip is about malware, ransomware and botnets. Botnets? What are those? Can they hurt my devices? Educating yourself about what is out there that can harm you is half the battle of keeping safe. Learn more about it!

The National Cyber Security Alliance has an article about all of these issues.  They even have tip sheets that would be great for your office area, or your family members. (06/22/18)


Backups!

These days, our digital devices contain vast amounts of data, from family photos and music collections to financial/health records and personal contacts. While convenient, storing all this information on a computer or mobile phone comes with the risk of being lost. Here's the entire article about the importance of backing it up! (06/15/18)


Shopping Online

Let’s talk about online shopping. There are many ways to stay safe online when you shop. The National Cyber Security Alliance has a comprehensive article about how to protect yourself when shopping online.  (06/08/18)


Internet Safety Month

June is Internet Safety Month, so all the tips this month will have the theme of Internet Safety. This week’s tip is about Spam and Phishing. Wait, isn’t that about emails? While you would normally associate those attacks with receiving emails, they can come from other sources such as social media and other communications. And they most likely want you to access the internet to gain your information.

Here are some tips on how to avoid being a victim:

  • Don’t reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Before sending or entering sensitive information online, check the security of the website.
  • Pay attention to the website’s URL. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com versus .net).
  • If you are unsure whether an email request is legitimate, forward the email to abuse@uthsc.edu. We can check it out, and if it is a malicious email, we can block the website so other campus members cannot click on the link.
  • Keep a clean machine. Keep all software on internet-connected devices – including PCs, smartphones and tablets – up to date to reduce risk of infection from malware.

The National Cyber Security Alliance's full article about Spam and Phishing.

Stay safe in the world wide web! (06/01/18)


What is Malware?

Malware is software–a computer program–used to perform malicious actions. In fact, the term malware is a combination of the words malicious and software. Cyber criminals install malware on your computers or devices to gain control over them or gain access to what they contain. Once installed, these attackers can use malware to spy on your online activities, steal your passwords and files, or use your system to attack others. (05/25/18)


Stow It!

Any time that you are staying somewhere away from home, protect your information by storing all devices as securely as possible. If there is no safe in your hotel room, ask the front desk if they have a general-purpose hotel safe that you can use. Otherwise, you should secure your items by locking them up in luggage whenever you are not using them. (05/18/18)


Bluetooth

This week’s tip is about Bluetooth. When not in use, turn it off. Not only does this make it more secure, but it also saves battery life. (05/10/18)


Never Share Your Password

NEVER give your password to anyone. Once it is no longer a secret, it is no longer secure. If anyone calls saying they are from the help desk or tech support team and asks for your password, they are not legitimate. It is someone trying to access your credentials.

Twitter announced yesterday that everyone with an account should change their password. It seems as if Twitter stored everyone’s password in an internal file that was not encrypted. While they claim that the password file was not breached or exposed in any way, they are recommending that every Twitter account user change their password. Might be a good time to update those privacy settings, too! (05/04/18)


Lock It Up!

When away from your devices, whether it is a quick trip to get a cup of coffee down the hall or going to a meeting, lock your devices so others cannot gain access. Leaving your seat? Ctrl–Alt–Delete! Make sure you lock your workstation or laptop while you are away from it. On a Mac? Try Control–Shift–Eject/Power.  (04/27/18)


Keep an Eye on Attachments

A common method cyber criminals use to hack into people’s computers is to send them emails with infected attachments. People are tricked into opening these attachments because they appear to come from someone or something they know and trust. Only open email attachments that you were expecting. Not sure about an email? Call the person to confirm they sent it. (04/20/18)


Mobile Apps and Social Media

With an estimated 87 million Facebook users’ information disclosed, now is a great time to check your privacy settings on all social media accounts and mobile apps. Also, make sure that your mobile apps come from trusted sources. If an app is brand new, has few reviews or many negative reviews, then choose a different one. (04/13/18)


Review All Programs on your Devices

Decide if you still use them or if they can be removed. Outdated software and operating systems (OS) are unlocked doors into your information. Just like you clean out your refrigerator, pantry or closet in a timely manner, do the same to your electronic devices… all of them! (04/06/18)


Securely Disposing of Your Mobile Device

(by Heather Mahalik, Digital Forensics Expert)

There is most likely a tremendous amount of sensitive information on your mobile device.  Regardless of how you dispose of your mobile device, such as donating it, exchanging it for a new one, giving it to another family member, reselling it, or even throwing it out, you need to be sure you first erase all of that sensitive information. You may not realize it, but simply deleting data is not enough; it can easily be recovered using free tools found on the Internet.  Instead, you need to securely erase all the data on your device, which is called wiping. This actually overwrites the information, ensuring it cannot be recovered or rendering it unrecoverable. Remember, before you wipe all of your data, you most likely want to back it up first. This way, you can easily rebuild your new device.

The easiest way to securely wipe your device is to use its “factory reset” function. This will return the device to the condition it was in when you first bought it. We have found that factory reset will provide the most secure and simplest method for removing data from your mobile device. The factory reset function varies among devices; listed below are the steps for the two most popular devices:

  • Apple iOS Devices: Settings | General | Reset | Erase All Content and Settings
  • Android Devices: Settings | Privacy | Factory Data Reset

Unfortunately, removing personal data from Windows Phone devices is not as simple as a factory reset. More research is being conducted on methods to ensure your personal data is wiped from the device. If you still have questions about how to do a factory reset, check your owner’s manual or manufacturer’s website. Remember, simply deleting your personal data is not enough, as it can be easily recovered. (03/29/18)


Outlook's Preview Pane

Use Outlook’s preview pane to view attachments for credibility before opening. Don’t open attachments that you are not expecting, or from people you don’t know. (03/23/18)


Scams Specifically Designed for Universities and their Students

Arizona State University created a public service video using some pieces of an actual scam one of their international students recorded. The two minute video has some very good tips and advice. It can be found at https://youtu.be/U7KV6h67U40.

Thank you, Connie Childs from International Affairs, for forwarding! If you have a tip you would like to share or a topic you would like discussed in these weekly tips, please email Chris Madeksho, Information Security Coordinator, at mmadeksh@uthsc.edu. (03/16/18)


Detecting Fraud

Review your bank, credit card and financial statements regularly to identify unauthorized activity. This is one of the most effective ways to quickly detect if your bank account, credit card or identity has been compromised. (03/09/18)


Protect Your Social Media

A strong password or passphrase is key to keeping your information private. Also, check the privacy settings to make sure that you are not sharing information you don’t want to. Last, use two-factor authentication whenever possible. (03/02/18)


Prevent Device Loss

According to the Verizon DBIR report, you are 100 times more likely to lose a laptop or mobile device than to have it stolen. When traveling, always double-check to make sure you have your mobile device with you, such as when leaving airport security, exiting your taxi or checking out of your hotel. (02/23/18)


Scams, Scams, Scams and more Scams!

This week’s tip is a reminder that there are always numerous scams where criminals are trying to social engineer you out of money or your personal information. They use whatever scheme works.

Examples are calls/texts from the IRS stating you owe taxes.  How about a donation to help fund the Olympic team on their quest for gold? In the news this morning was the “Love Scam” where people are getting messages that someone has compromising pictures of them, or proof that they did inappropriate acts and will make the situation go away for just a little fee.

The Online Threat Alerts website keeps track of the latest online scams.

Stay safe everyone!  If something looks too good to be true, it probably is.  If you have any questions about an email, phone call or text message, don’t hesitate to contact the Information Security team at itsecurity@uthsc.edu for help. (02/16/18)


Email Attachments

We’ve had a rash of phishing attempts on campus with attached “receipts” or “invoices” that need attention. If you are not expecting an invoice or a receipt for something you purchased, DO NOT OPEN THE ATTACHMENT. It is probably meant for malicious purposes. Send any questionable emails to abuse@uthsc.edu. (02/09/18)


Trust Your Instincts

Common sense is your best protection. If an email, phone call or online message seems odd, suspicious or too good to be true, it may be an attack.  If you receive any such message, report it to abuse@uthsc.edu.  We can let you know if it is a legitimate message or if you are being phished.

Two of the modules in the Information Security Training are about Social Engineering and Email, Phishing and Messaging. These, along with the other modules, contain helpful information for everyone personally.

Make sure you and your coworkers have completed the Information Security Training for the 2017-18 academic year. The information you receive is very much worth the 30-40 minutes of your time. (And it is required training.) (02/02/18)


Malware

Malware is software–a computer program–used to perform malicious actions. In fact, the term malware is a combination of the words malicious and software. Cyber criminals install malware on your computers or devices to gain control over them or gain access to what they contain. Once installed, these attackers can use malware to spy on your online activities, steal your passwords and files, or use your system to attack others. (01/26/18)


Social Engineers

This week’s tip, from inspiredelearning.com, is to be suspicious of people you don’t know who ask for information.

“Social engineers” use lies and manipulation to trick people into giving away sensitive information, such as usernames, passwords, and credit card numbers.  Don’t fall for it!  Follow these best practices: always maintain a healthy sense of skepticism when dealing with unknown individuals, especially if they ask for any internal or sensitive information. (01/18/18)


Major News Events and Phishing

When a major news event happens, cyber criminals will take advantage of the incident and send phishing emails with a subject line related to the event. These phishing emails often include a link to malicious websites, an infected attachment or are a scam designed to trick you out of your money. (01/05/18)


Fraudulent Emails

The FBI Internet Crime Complaint Center is warning consumers about a fraudulent email scam. The emails claim to be from one of three shipping businesses and claim that a package intended for the email recipient cannot be delivered. The messages include a link that recipients are encouraged to open in order to get an invoice to pick up the package; however, the link connects to a site containing malware that can infect computers and steal the user’s account credentials, log into the accounts to obtain credit card information and additional personal information, and learn about a user’s shipping history for future cyberattacks.

The messages may consist of subject lines such as: “Your Order is Ready for Shipment,” “We Could Not Deliver Your Package” or “Please Confirm Delivery.” The shipping companies say they do not send unsolicited emails to customers requesting information regarding packages, invoices, account numbers, passwords or personal information, and if you receive such a notice, don’t respond. You should delete the email immediately or forward it to the company’s listed contact email address. If your interaction with the website resulted in financial loss, you should contact your bank immediately.

If you unintentionally visited or encountered a site suspected of utilizing this scam, you may also report it to your local FBI Office and/or the Internet Crime Complaint Center (IC3): www.ic3.gov. (12/22/17) 


Multi-factor Authentication

Multi-factor authentication is the practice of needing more than just a password to log into a system or application. It is one of the best ways to secure any account. Usually the second step is a code that is sent to an outside receiver, such as a cell phone. If you don’t have both the password and the pass code, you don’t get in. Many services, such as Google and Facebook, allow a user to have two-factor authentication. (12/15/17)


Don't Fall for It!

There are two prevalent holiday themed phishing schemes that happen this time every year. The most common is the email letting you “track your package” by clicking on a link. Don’t fall for it.  If you really are expecting a package, or get a notification about a delivery, go to the website from which you purchased the item and track your order from there.

The second phishing scheme, which is gaining in popularity, is fake shopping sites. These are sites either found on social media or delivered via email, enticing you with a product that would make a great gift for a loved one. They want you to click on the link to go shopping, and the website might even look legit. However, all they want is your credit card and other personal information. Only go to trusted sites to do any holiday online shopping.

When shopping online, look for https:// in the URL or a green lock symbol to verify that the site you are on is secure. (12/08/17) 


National Tax Security Awareness Week

This week has been designated as National Tax Security Awareness Week. The IRS has been publishing tips and news releases all week to encourage both individual and business taxpayers to take steps to protect their tax data and identities in advance of the 2018 filing season. All their information can be found at https://www.irs.gov/newsroom/national-tax-security-awareness-week-2017. (12/01/17)


Shopping Tips

Be cautious of emails or texts you receive that look like they are from shipping companies wanting you to “track” a package. Do you click on links in emails?  NO!!!! Think if you even have a package to track. If so, go to the shipping company’s webpage to track it. Other holiday schemes seen every year are fake charities hoping to cash in on your generosity. Never respond to an email from a person you do not know.

Shopping online this season? Be careful about what personal and financial information you give away and to whom. Make sure that you are on a secure website (https://) or see the lock symbol next to the URL.

Also – think about what you are buying. Are you purchasing something that either you or the person receiving the gift will connect to the internet? Make sure it is secure.

There is an Online Holiday Shopping tip sheet from the National Cyber Security Alliance that can be found here:  https://staysafeonline.org/resource/happy-online-holiday-shopping/. (11/22/17) 


Never Share Your Password

This week’s tip is a reminder NEVER to give your password to anyone. Once it is given out, it is no longer secure. The Help Desk will never ask for your password. If someone calls you and asks for your password while saying they are from the Help Desk or Tech Support team, it is an attacker attempting to gain access to your account.

Be cautious of anyone asking for personal or sensitive information if you are not completely sure of who they are. Just because they say they are from your bank, doctor’s office, or another trusted place, doesn’t mean that they really are.  Use another means of validating their request for information, such as visiting their website directly from a browser, or calling them directly (not from a phone number listed in an email). (11/17/17) 


You're the Weakest Link

This week’s tip is a reminder that you are the weakest link regarding the security of your information. You don’t have a firewall protecting what you say.

Sites have requirements on passwords (how long, special characters, etc.), but if you still use your name and your birthdate, bad guys can figure it out.

If you post everything about you online, bad guys will learn your habits, your family’s information, and who your best friend is. They can also find out when your entire family is on vacation and know when you will be out of your house for an entire week.  Why???  BECAUSE YOU TOLD THEM.

Be cautious about what you say, who you say it to, what you post online and what you receive in email or text messaging.

All this information is covered in this year’s Information Security Training, available now in Blackboard. (11/10/17) 


Clean Machine

Keep a clean machine. Cyber criminals frequently exploit vulnerabilities in old software for their attacks, which is why it is essential to regularly update the software on your Internet-connected devices (including PCs, smartphones, and tablets) to reduce the risk of infection from viruses and malware. (11/03/17) 


Share with Care

Share with care. Think before posting about yourself and others online. Once you post something publicly, it can never be fully deleted, so use caution. Consider what a post reveals, who might see it, and how it could be perceived now and in the future. Remember that future job recruiters and employers will likely look at your social media history and online presence, so make sure that you maintain a good reputation online. (10/27/17)


Value it. Protect it.

Treat personal information like money. Value it. Protect it. Information about you, such as your purchase history and location, has value – just like money. Not all apps and websites are reputable, so it’s up to you to protect your data from being misused. Be sure to read privacy policies and know what information an app, device, or website will collect about you to determine if you really want to share such details. Always be cautious about who you give your information to online. Research an app or device manufacturer or read independent reviews of a website before you trust them. (10/19/17)


Own Your Online Presence

Control and limit who can see your information online by checking the privacy and security settings on your accounts and apps. Anything you post publicly could potentially be seen by a cyber criminal, so keep your personal information private. Your phone number, birthdate, address, and even pictures that show the license plate on your vehicle should not be posted publicly. You should also turn off geotagging and location features on your mobile devices so criminals don’t know where you are in real time. (10/13/17)


National Cyber Security Month

In conjunction with National Cyber Security Month, these weekly tips in October will be brought to you by the Department of Homeland Security.

One small step can make a big difference in your online security. Each week during NCSAM, we’re sharing a quick and easy tip that you can try today to better protect yourself online.

Lock down your login. Usernames and passwords are often not enough to protect important accounts like email, banking, and social media. Fortify your accounts by enabling the strongest authentication tools available, such as multi-factor authentication for your online accounts and fingerprint identification and security keys to lock your mobile device.

The White House launched the “Lock Down Your Login” campaign to encourage all Americans to enable stronger authentication. Visit www.lockdownyourlogin.com for more information. (10/05/17) 


Bluetooth

Turn off Bluetooth if you are not using it on your computer or device. Not only does this make it more secure, but it also saves battery life. (09/29/17)


Email Attachments

A common method cyber criminals use to hack into people’s computers is to send them emails with infected attachments. People are tricked into opening these attachments because they appear to come from someone or something they know and trust. Only open email attachments that you were expecting. Not sure about an email? Call the person to confirm they sent it. (09/22/17)


CEO Fraud

CEO Fraud is a type of targeted attack. It commonly involves a cyber criminal pretending to be your boss, teacher or someone else in authority in our organization, then tricking or fooling you into sending the criminal highly sensitive information or initiating a wire transfer. Be highly suspicious of any emails demanding immediate action and/or asking you to bypass any security procedures. (09/15/17)


Protect Your Personal Information

With the announcement from Equifax yesterday about a breach of data affecting some 143 million Americans’ personal information, the Information Security Team would like to remind everyone what steps you can take to stay safer and more secure online. These tips come from the National Cyber Security Alliance.

Following any breach, everyone can better protect their accounts by following these steps to stay safer and more secure online, including:

  • Lock down your login. Use strong authentication — more than a username and password to access accounts — to protect your most valuable accounts, including email, social media and financial.
  • Keep clean machines: Prevent infections by updating critical software as soon as patches or new operating system versions are available. This includes mobile and other internet-connected devices.
  • Monitor activity on your financial and credit card accounts. If appropriate, implement a fraud alert or credit freeze with one of the three credit bureaus (this is free and may be included if credit monitoring is provided post breach). For more information, visit the Federal Trade Commission website identitytheft.gov.
  • When in doubt, throw it out. Scammers and others have been known to use data breaches and other incidents to send out emails and posts related to the incident to lure people into providing their information. Delete any suspicious emails or posts, and get information only from legitimate sources. (09/08/17) 
Sep 22, 2022