Feb 2021 

Top 4 COVID-19 Scams to Watch Out For

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

Jan 2021 

Securing New Devices / Data Privacy Day

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

Dec 2020 

Ten Cybersecurity Shopping Tips for the Holiday Season

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

Nov 2020 

What You Need to Know About Ransomware

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

Oct 2020 

Securing Your Remote Office

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

Sept 2020 

Malware, Malicious Domains, and More: How Cybercriminals Attack SLTT Organizations

Cybercriminals’ SLTT Playbook

One of cybercriminals’ favorite attack vectors against SLTT organizations is malware. Malware is malicious software designed to perform malicious actions on a device. It can be introduced to a system in various forms such as emails or malicious websites. Various types of malware have distinct capabilities dependent on their intended purpose, such as disclosing confidential information, altering data in a system, providing remote access to a system, issuing commands to a system, or destroying files or systems.

• - Trojans are malware that appears to be a legitimate application or software that can be installed. Trojans can provide a backdoor to an attacker and subsequently full access to the device, allowing the attacker to steal banking and sensitive information, or download additional malware. Findings from the 2020 Verizon DBIR show that trojan variants were involved in over 50% of malware incidents in the public sector.
• - Downloaders or Droppers are malware, which in addition to their own malicious actions, allow for other, often more dangerous, malware to infiltrate the infected system. Data collected by the 2020 Verizon DBIR shows that nearly 25% of public sector incidents involved a downloader or dropper.
• - Spyware is malware that records keystrokes, listens in via computer microphones, accesses webcams, or takes screenshots and sends the information to a malicious actor. This type of malware may give actors access to usernames, passwords, any other sensitive information entered using the keyboard or visible on the monitor, and potentially information viewable through the webcam. Keyloggers, which mainly record keystrokes, are the most common type of spyware and ZeuS, the most famous keylogger, has been on the MS-ISAC’s Top 10 Malware list for several years.
• - Click Fraud is malware that generates fake automatic clicks to ad-laden websites. These ads create revenue when clicked on. The more clicks, the more revenue that is generated. Kovter, one of the more prolific versions of click fraud, has been on the MS-ISAC’s Top 10 Malware list for the past few years.

Protecting Your Organization from Malware

Malware most commonly finds its way into SLTT organizations through either malspam, unsolicited emails that either direct users to malicious websites or trick users into downloading or opening malware, or malvertisements, malware introduced through malicious advertisements. The common thread between these vectors and the various types of malware they can introduce to your organization’s IT systems is that they almost always involve either users or the malicious software they unintentionally download connecting to malicious web domains.

To help SLTT organizations protect themselves against these common types of cyber-attacks, the Center of Internet Security (CIS) is partnering through the MS-ISAC and Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) with the U.S. Department of Homeland Security (DHS) Cybersecurity Infrastructure Security Agency (CISA) and Akamai to offer its new Malicious Domain Blocking and Reporting (MDBR) service at no cost to U.S. SLTT government members of the MS- and EI-ISACs. The service allows SLTT security teams to quickly add an additional layer of cybersecurity protection against their systems connecting to malicious web domains and to enhance their existing network defenses.

For organizations not eligible to join the MS- or EI-ISAC, similar protection can be obtained through Quad9. Quad9 is a no-cost, recursive, anycast DNS platform that provides end users robust security protections, high-performance, and privacy. Quad9 was developed by the Global Cyber Alliance (GCA), an international nonprofit organization founded by a partnership of law enforcement and research organizations focused on combating systemic cyber risk in real, measurable ways (CIS is a founding organization of GCA).

About Malicious Domain Blocking and Reporting (MDBR)

The MDBR service is only available to members of the MS- and EI-ISAC. For those who are not eligible for membership, please see the section below on Quad9 for a similar service available to the General Public.
MDBR proactively blocks network traffic from an organization to known harmful web domains, helping protect IT systems against cybersecurity threats and limit infections related to known malware, ransomware, phishing, and other cyber threats. This capability can block the vast majority of ransomware infections just by preventing the initial outreach to a ransomware delivery domain. In just the first five weeks of service, the MDBR service blocked 10 million malicious requests from more than 300 SLTT entities.

Once an organization points its domain name system (DNS) requests to Akamai’s DNS server IP addresses, every DNS lookup will be compared against a list of known or suspected malicious domains. Attempts to access known malicious domains, such as those associated with malware, phishing, or ransomware, are blocked and logged.
Akamai provides all logged data to the MS- and EI-ISACs’ Security Operations Center (SOC), including both successful and blocked DNS requests. The SOC uses this data to perform detailed analysis and reporting for the betterment of the SLTT community, as well as regular organization-specific reporting and intelligence services. If necessary, remediation assistance is provided for each SLTT organization that implements the service.

Any U.S. SLTT government entity that is a member of the MS- or EI-ISAC can sign up for MDBR. They are able to take advantage of this additional layer of cybersecurity protection at absolutely no cost, courtesy of funding support provided by CISA.

To learn more about MDBR and sign up your organization for the service, please visit our website.

About Quad9

Quad9 blocks against known malicious domains, preventing your organization’s computers and IoT devices from connecting to malware or phishing sites. Whenever a Quad9 user clicks on a website link or types an address into their web browser, Quad9 checks the site against a list of domains compiled from over 18 different threat intelligence partners. Each threat intelligence partner supplies a list of malicious domains that are based on heuristics examining factors such as scanned malware discovery, network IDS past behaviors, visual object recognition, optical character recognition (OCR), structure and linkage to other sites, as well as individual reports of suspicious or malicious behavior. Based on the results, Quad9 resolves or denies the lookup attempt, preventing connections to malicious sites when there is a match. Quad9 routes your organization’s DNS queries through a secure network of servers around the globe.

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

Aug 2020 

Working Remotely: How to be Safe, Secure, and Successful

Between working at the office, or school, or remotely, the principles of security can become something of a moving target. For some, this creates an uncertainty with making sure that the right policies are applied. Reducing risk on at-home networks, keeping information secure during virtual meetings and having a strong password policy are some best practices that can be implemented quickly and effectively from wherever you are working.

Reducing Risk on Home Networks

Home IT devices, such as unsecured off-site routers, modems, and other network devices are subject to many of the same threats as on-site business devices. They can be attacked from any device on the internet. Remote devices are also vulnerable to unauthorized access from neighbors and passersby.

As we continue to work, attend school, and connect with friends and family remotely, there are steps you can take to reduce the risk and improve the security of home networks. Consider the following list to gauge the amount of risk involved and improve the security of your home network:

• - Are your network devices physically secured?
• - Have you changed the default manufacturer/administrative account password on your network devices (modem and router)? Many routers will come preconfigured with a password. The default password for most router models are easily accessible on the internet, making it extremely important to change the administrative passwords and not use the default.
• - Do you have a unique password and two-factor authentication (2FA) enabled on your network devices (modem and router)?
• - Do you have a password policy in place? Do you have a unique password and 2FA enabled on your internet service provider's web portal?
• - If you use a mobile application for network management, do you have a unique password and 2FA enabled?
• - Have you installed the latest updates for your network devices (i.e., modem, router, laptop/PC) or have you enabled auto-update with the device’s administration page?
• - Does your network device (router/modem) support Wi-Fi Protected Access Version 2 (WPA2) or Wi-Fi Protected Access Version 3 (WPA3)? WPA2 should be the minimum.
• - Have you turned off/disabled Wireless Protected Setup (WPS) and Universal Plug and Play (UPnP) on your network? If enabled, these might allow attackers to connect to your devices without permission.
• - Have you changed the Wi-Fi network name to something unique that doesn’t provide any identifying information?
• - Have you enabled firewall on your network devices?
• - Have you disabled remote management? Most routers offer the option to view and modify their settings over the internet. Turn this feature off to guard against unauthorized individuals accessing and changing your router’s configuration.
• - Have you hardened your device by removing ports, software or services that are unused or unwanted?
• - Do you run updated antivirus and malware protection on your device?

Security during virtual meetings

In order to help protect you and your organization from potential threats, here are some cybersecurity tips on how to securely configure your virtual meetings, whether they be for work or your classroom experience:

Sharing of your information assets during virtual meetings

• - Avoid adding your meeting to any public calendars or posting it on social media

• - Require participants to enter an access code
• - Avoid reusing access codes or meeting pins
• - Distribute the meeting link and access code directly to the intended participants
• - Remind invited guests not to share the access code
• - Before sharing your screen, close unused windows to ensure you do not share sensitive or confidential information
• - Use a privacy shield or cover over your webcam when it is not in use

Managing your information assets and password policy

• - Use your organization’s provided services and devices

• - Do not record the meeting unless it is necessary and be aware that others may be able to record the meeting
• - Disable the “Anyone Can Share” feature to prevent unauthorized screen sharing
• - Muting users on entry can prevent potential disruptions
• - Prevent users from sharing video by default; allow video sharing only when necessary
• - Validate the participant list against invited attendees, or have participants identify themselves as they join the meeting
• - Do not trust the safety of links shared in meeting chats
• - Schedule “Unlisted” meetings and hide specific details, such as its host, topic, and starting time
• - Do not allow attendees to “Join Before Host”
• - Set up each meeting to require all attendees to enter a password
• - Create a unique password comprised of upper, lower case, numbers, and special characters for each meeting
• - Exclude the meeting password from attendee email invitations. Provide the password to attendees via a separate email or by phone
• - On reoccurring meetings, always check to ensure one-time attendees are not included in subsequent meetings or meeting chat threads.
• - Do not list personal information, such as location, phone number, or date of birth on your Skype profile

Remember, just like you protect your physical assets (shed, kayak, or bike) with a padlock, you need to lock down connectivity devices to protect information assets! A resilient cybersecurity mindset contributes towards being able to have a clear view of the objectives. For some, end points might have become a primary concern, for others, the corporate assets might have become even more susceptible in light of the increased amounts of ransomware. This dual pronged problem especially became more evident during this new world of COVID-19 with more staff working remotely.

Have you identified more risk than you initially realized? More information and mitigation techniques can be found at Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA).

Additional Resources

CIS Password Policy Guide

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

July 2020 

6 Common Elderly Scams to Watch Out For And How To Stay Safe

A scam can be initiated via the computer (email, internet, social media), text, postal mail, in person, or a phone call. No matter the origin of the scam, the characteristics are the same:

• - First, there is something to pique your interest – someone in trouble, big discount offers, lottery win.
• - Second, the individual contacting you seems trustworthy, super friendly, and seems to care about you.
• - Third, there’s a deadline associated with the offer – act fast, act now.

There will always be scams, particularly those targeted at seniors. This month’s newsletter identifies some common scams and some tips to help you take control of the situation and stay safe and stay in control.

Grandparent Scam

One of the most common scams presented to seniors is the Grandparent Scam. The caller claims to be a relative, a grandson or granddaughter, and the call is urgent. Typically, the grandchild is out of town and is in trouble, needs money fast for some emergency, and doesn’t want the rest of the family to know. The caller may have bits of information, some of which could be collected from sources like social media, and prompts the senior to provide more information, making the call appear genuine.

This is not a legitimate call. Hang up the phone and contact your family or the authorities.

Sweepstakes Scam

In this case, the scammer would send their target a check or something else of value, whether in the mail, email, text or phone call, that indicates the recipient won something. In order to claim the “prize,” the recipient may have to send a check or money order to cover taxes and fees, and may be asked for banking information to deposit the winnings, or to buy something to enter the contest. This is so the scammer can obtain private banking information. The name of the sweepstakes may seem familiar – quite often scammers will do this to make it recognizable.

Legitimate contents do not ask for money or financial information up front. Do not respond to these messages with a check, money order or cash. It is always best to never provide identifying information to anyone over the phone, text, or email especially your bank account information.

Home Improvement Scam

Scammers target seniors by providing home improvement services in order to gain access to their home, belongings, and personal information. They will arrive at their target’s house, offer free inspections, or offer services to fix something they deem “needs work”. Scammer will pretend to be working for the local town or county to appear more legitimate.

The homeowner should stay in control of the situation and not be intimidated by the person at their door.

• - Never let them in your home.
• - Be suspicious of unsolicited offers, and ask for identification.
• - If work does need to be done, ask friends and neighbors who they would recommend. Be sure to get references, and only used licensed contractors.
• - Never pay the full amount up front. Pay as the work is completed according to a contract.

Telemarketer Scam

Scammers will target seniors in an effort to obtain financial information by claiming to be from an important institution such as a credit card company, Microsoft, Social Security Administration, Internal Revenue Service, phone company, power company, and so on. Never feel pressured to commit to anything over the phone.

• - Don’t rely upon caller ID to let you know who the call is coming from. Technology today allows for calls to be masked and appear to be from a number you know or can associate with, but it is not.
• - Never give out personal information to an unsolicited caller. Never provide birthday, social security number (even the last 4 digits), your mother’s maiden name, pet’s name, bank account information or anything that can be used as password or identifying information.
• - Hang up and contact the company the caller claims to be with directly if you feel you need to talk to them. Refer to your copy of your phone bill, power bill, or the number on the back of your credit card or bank card to initiate contact.

Internet Scams

There are many ways scammers are using technology to take advantage of seniors. Whether it is a special offer via email, attempts to acquire your user name and password via a scheme, or skimming of information while shopping online, there are ways you can be in control and keep your information safe. If you are computer-savvy, keep these tips in mind to keep your information safe:

Never click on links in emails.

Don’t open attachments for special offers.

• - Be careful of free offers over holidays.
• - Watch for malicious adds and popups.
• - Don’t shop over public wi-fi.
• - Be suspicious of gift card scams –buy from trusted sources.
• - Know what your product costs.
• - Make sure the site is secure – look for the “lock” icon and “https” on your browser address bar when shopping.
• - Make sure all computer anti-virus, malware, and security software is up to date.
• - Don’t save credit card information online; check out as guest if offered on the site.

Charities

While there are many charities that are worthy of your donations, be sure you know who you are donating to.

• - Always verify the charity before making any donation by checking with your Attorney General’s office.
• - Know what the charity is doing with your contribution.
• - Avoid charities that will not answer your questions or provide written information about their programs or finances.
• - Talk with family, friends, or trusted sources before giving to charity.
• - Do not give on the spot before doing research on the charity
• - Never give cash or purchase gift cards for payment.

If you feel you have been scammed, or are concerned that you are a victim of fraud, contact your local law enforcement immediately. Remember to keep a close eye on bank and credit card statements, and report any unusual activity.

Stay informed. Remember, you are in control!

Additional resources

• https://ag.ny.gov/sites/default/files/smart_seniors.pdf

• https://www.cisecurity.org/newsletter/how-to-spot-and-avoid-common-scams/
• https://ag.ny.gov/sites/default/files/smart_seniors.pdf
• https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/elder-fraud
• https://www.guidestar.org/
• https://www.charitynavigator.org/

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

June 2020 

Virtual Conferencing Platform Security Tips

 With the recent move for many to working from home, there are a lot of questions around virtual conferencing platforms. Much of the attention has focused on the security of some platforms compared to others. However, the majority of the security issues actually have a lot to do with the users' familiarity with these platforms and their proper usage.

The first thing to remember is this: If you are going to download a virtual conferencing application, be certain the download is from a reputable source. Most often the company will host the download themselves or have a link to the download on their website. It is advisable not to trust a download from third-party if you were not directed there by the official website.

Security concerns regarding virtual conferencing

Encryption may not be adequate to secure sensitive information or to protect the privacy of individuals.

• - End-to-end encryption is not an easy task for real-time audio or video connections. In most use cases it takes special hardware or software. It is very important to remember that some topics should not be discussed over a virtual conference. This is especially true regarding sensitive data, personally identifiable information (PII), and regulated data such as the Health Insurance Portability and Accountability Act (HIPAA), Children’s Online Privacy Protection Rule (COPPA), Federal Tax Information (FTI).
• - Consider where encryption key distribution servers are located when evaluating a company’s offerings. Researchers have found that some companies' encryption key distribution servers for U.S.-based meeting sessions were located in Beijing, China. In such situations, companies may be obligated to disclose meeting encryption keys to the Chinese government.
• - Just because a company advertises encryption, doesn’t mean that the best version of encryption being utilized.

Figure 1: Tux the Penguin Encrypted in ECB vs Pseudo-Random Encryption
Source github picoctf-2019-solutions/Cryptography/aes-abc/readme.md

Virtual conferencing applications are vulnerable to multiple attacks

• - Malicious actors are creating fake installation files for multiple meeting platforms including Zoom Meetings, MS Teams, and Google Classroom.
• - Some conferencing platforms have been “conference bombed.” This is when an uninvited guest gains access with the intention to disrupt or eavesdrop on the meeting.
• - Virtual conference meeting users have been targeted to capture potentially sensitive data disclosed during meetings. As well, recorded meetings may not be stored by their meeting host in a secure manner. Attackers have accessed a virtual conferencing meeting provider’s files stored on a provider’s computer and unsecured public cloud environments.

Guidelines for Virtual Conferencing

• - If possible, NEVER share sensitive or regulated data during virtual conference meetings.
• - Become familiar with who may record your meeting. Be aware that individuals may choose to record a meeting using audio or video recording tools outside of the meeting software.
• - Download virtual conferencing clients directly from the manufacturer or your service provider.
• - Always run the newest version of the conferencing client (if required to download and install a client).
• - Password protect each meeting with a unique and complex password using letters, numbers and special characters.
• - Password protect recordings of meetings with a unique and complex password using letters, numbers and special characters.
• - Do not share your meeting link in public forums or on social media. In the event you must advertise your meeting publicly, remove the password embedded in the link and ask attendees to contact the organizer for the password.
• - Use a meeting ID rather than the personal ID associated with a virtual conferencing account. This way the meeting ID should change for each meeting.
• - Disable sharing for all attendees except for the meeting host.
• - Use the waiting room/lobby feature when it is available. This requires the organizers to admit people singly (for small meetings) or all at once (for larger meetings). If an attendee seems suspicious, the waiting room feature allows organizers to prevent them from joining the meeting.
• - Remove and block anyone from meeting rooms with an unrecognizable or unverifiable identity. Once removed, the person or people cannot come back in.

Taking the above steps will help ensure your organization's virtual meetings will remain secure while employees connect and collaborate through these platforms.

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

May 2020 

6 Steps to Securing IoT Devices and Taking Back Your Privacy

 In today's world we are more connected than ever — not only to each other, but to our devices. For example, people now have the ability to open and close their garage doors and even start their cars directly from their phones. But what information do we put at risk when we do all of these amazing things? Securing Internet of Things (IoT) devices and keeping personally identifiable information (PII) safe and secure these days is of the utmost importance.

IoT Information Collection

When you buy the latest IoT device, you need to be aware of two things: First, IoT devices collect your information, and second, that information is always accessible.

So, what exactly is information collection? Think of a common steaming service, like Netflix. Once you sign up, you'll start receiving emails from Netflix letting you know they’ve added a new TV show that you might enjoy. And the thing is, they’re usually right! That's because your viewing history and ratings have been transmitted through an algorithm to determine what else you’d be willing to watch, and thus, continue your subscription. Now imagine every device you have on your home network collecting this type of information. It's a scary thought!

Keeping Your Information Secure on IoT Devices

 While technology enables you to control your life from your fingertips, your information is at everyone else’s fingertips as well. Security isn’t fun or flashy, and because of this, some companies do not give it the consideration it deserves before they bring their products to market.

Very often when you buy an IoT device or utilize a company’s service you have unknowingly allowed them to collect information about you. That agreement you have to sign before you can use any of their items is written by their lawyers, and unfortunately, without saying yes you can’t use that fancy new gadget. All of these companies know it, which is why hundreds of pages sit between you and your new purchase.

6 Steps to Protect Yourself and Your Devices

1. 1. Change Default Passwords
   On devices that are connected to your network you should always make sure you change the default password. It doesn't matter if it's a new security camera or a new fridge. Creating new credentials is the very first step in securing your IoT devices and protecting your privacy. Research has shown that a “passphrase” is safer than a password. What does this mean? It means 1qaz!QAZ is less secure than Mydogsliketochasethechickensaroundtheyard! which is also much easier to remember.
2. 2. Automatic Patches and Updates
   In today's "set it and forget it" society, many electronic devices can take care of themselves. Quite often technology has a setting that allow for automatic updates. This is an important setting to turn on when securing IoT devices.
3. 3. Set-up Multi-factor Authentication (MFA)
   MFA security settings are growing in popularity. This is as simple as receiving a text or code that you need to type in while signing on to a system. Often times within the account preferences of your device, you can set up an Authentication Application. If you can’t find this option call customer service, chances are it exists somewhere.
4. 4. Utilize a Password Manager
   Keep usernames and passwords unique. Most password manager applications can generate a random password for you, and will allow you to store them safely.
5. 5. Update Default Settings
   Check to see which settings are turned on by default, especially if you don't know what they mean. If you are unfamiliar with FTP or UPnP, chances are you are not going to use them, or even notice that they are off.
6. 6. Avoid Public Wi-Fi
   It may be convenient to connect to a public Wi-Fi, but think again! If the Wi-Fi network does not require a password, then anyone can listen in on your computer’s information. Some public Wi-Fi networks are deliberately set up in the hopes that people will use it so they can steal information or credentials.
   
   Remember that just like you lock your front door to protect the valuables inside, these days you also need to lock your IoT devices to protect your information and your privacy.

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

April 2020 

What You Need to Know About COVID-19 Scams

  Taking advantage of current events is a common tactic that cybercriminals use to fuel their malicious activities. With the global pandemic of COVID-19 and an overwhelming desire for the most current information, it can be difficult for users to ensure they are clicking on reliable resources. So far, the MS-ISAC has seen malicious activity come through just about every channel: email, social media, text and phone messages, and misleading or malicious websites.

The range of current malicious activity attempting to exploit COVID-19 worldwide varies. A few common examples include:

• - Fake tests or cures. Individuals and businesses have been selling or marketing fake “cures” or “test kits” for COVID-19. These cures and test kits are unreliable, at best, and the scammers are simply taking advantage of the current pandemic to re-label products intended for other purposes. For more information on fraudulent actors and tests, check out resources from the U.S. Food and Drug Administration (FDA).
• - Illegitimate health organizations. Cyber criminals posing as affiliates to the World Health Organization (WHO), the Centers for Disease Control and Prevention (CDC), doctor’s offices, and other health organizations will try to get you to click on a link, visit a website, open an attachment that is infected with malware, or share sensitive information. This malicious activity might originate as a notice that you have been infected, your COVID-19 test results came back, or as a news story about what is happening around the world.
• - Malicious websites. Fake websites and applications that claim to share COVID-19 related information will actually install malware, steal your personal information, or cause other harm. In these instances, the websites and applications may claim to share news, testing results, or other resources. However, they are only seeking login credentials, bank account information, or a means to infect your devices with malware.
• - Fraudulent charities. There has been an uptick in websites seeking donations for illegitimate or non-existent charitable organizations. Fake charity and donation websites will try to take advantage of one’s good will. Instead of donating the money to a good cause, these fake charities keep it for themselves.

Government Efforts to Reduce COVID-19 Malicious Activity

  The Department of Justice (DOJ) is actively seeking to detect, investigate, and prosecute cyber threat actors associated with any wrongdoing related to COVID-19. In a memo to the U.S. Attorneys, Attorney General William Barr said, "The pandemic is dangerous enough without wrongdoers seeking to profit from public panic and this sort of conduct cannot be tolerated." Individually, most state law enforcement agencies and other judicial officials are also treating these malicious actions as a high priority. More information can be found at https://www.justice.gov/coronavirus.

Additionally, the FDA has been taking action to protect consumers from fraudulent and deceptive actors who are taking advantage of COVID-19 by marketing tests that pose risks to patient health. If you are aware of any fraudulent test kits or other suspect medical equipment for COVID-19, you can report them to the FDA by emailing FDA-COVID-19-Fraudulent-Products@fda.hhs.gov. The FDA is now aggressively monitoring and pursuing those who place the public health at risk and are holding these malicious actors accountable.

Recommendations

 Exercise extreme caution in handling any email with COVID-19-related subject lines, attachments, or hyperlinks in emails, online apps, and web searches, especially unsolicited ones. Additionally, be wary of social media posts, text messages, or phone calls with similar messages. Be vigilant, as cyber actors are very likely to adapt and evolve to the nation’s situation and continue to use new methods to exploit COVID-19 worldwide. By taking the four precautions below, you can better protect yourself from these threats:

• - Avoid clicking on links and attachments in unsolicited or unusual emails, text messages, and social media posts.
• - Only utilize trusted sources, such as government websites, for accurate and fact-based information pertaining to the pandemic situation.
  • - Federal Emergency Management Agency (FEMA) recommends only visiting trusted sources for information such as coronavirus.gov, or your state and local government’s official websites (and associated social media accounts) for instructions and information specific to your community.
• - NEVER give out your personal information, including banking information, Social Security Number, or other personally identifiable information over the phone or email.
• - Always verify a charity’s authenticity before making donations. For assistance with verification, utilize the Federal Trade Commission’s (FTC) page on Charity Scams.

For more information

 If you think you’re a victim of a scam or attempted fraud involving COVID-19, or you think you know of a scam or fraud, you can report it without leaving your home:

• - Contact the National Center for Disaster Fraud Hotline via email at disaster@leo.gov at 866-720-5721 or the FEMA Disaster Fraud Hotline at 866-720-5721 to report frauds and scams, including personal protective equipment (PPE) hoarding or price gouging;
• - Report scams and frauds to the Cybercrime Support Network ; and
• - File a complaint for criminal activity by contacting your local law enforcement agency.

Additional Resources

• - CDC, FEMA, and White House | COVID-19
• - CDC | COVID-19-Related Phone Scams and Phishing Attacks
• - CDC | Know the facts about coronavirus disease 2019
• - CISA | Security Tip: Using Caution with Email Attachments
• - CISA | Risk Management for Novel Coronavirus
• - CISA | Information & Updates on COVID-19
• - FBI | FBI Exec Discusses COVID-19-Related Schemes
• - FEMA | Coronavirus Rumor Control
• - U.S. DOJ | Coronavirus

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

March 2020 

Social Media: The Pros, Cons and the Security Policy

Risks & rewards of social media

  Social media is a great tool in your organization’s communications toolbox. Many Americans have accounts on at least one platform and expect to find pages for their favorite brands and communities. If used correctly, it can have many benefits:

• - Providing real-time information. Social media enables organizations to provide information in real-time. This is especially useful if your organization needs to communicate important information quickly. For example, if your organization experiences a time sensitive incident, such as a data breach, you can use social media to share pertinent information and provide steps your followers can take to remediate the damage. Government entities can use social media to disseminate information about programs and public meetings, changes in schedules, road work, and other information that constituents need to know about.
• - Answering questions. Social media allows consumers to ask organizations questions and provide feedback. This means you know what information and product features they want, what you are doing well, and where you can improve. You can change your customer service processes, add new products or change existing ones, or keep doing what you do well. Most importantly, you can be responsive to your customers, which will help grow your image and your business.
• - Humanizing your organization. Consumers can get to know your brand and the people behind it, and vice versa. Because the conversation is person-to-person and not bot-to-person, a company can reach customers using social media in ways that other marketing and advertising can’t. For example, you can adopt a more human voice through social media than you would through traditional advertising. Even a simple “Please PM your information so we can look into your concern” can go a long way toward keeping a current customer happy and maybe getting some new ones.

 Of course, the unicorn is the post that goes viral for the right reasons. However, not everything looks rosy when it comes to organizations using social media.

Building a security-focused social media plan

  Privacy and security risks associated with social media platforms only increase as the number of users and platforms grow. Cybercriminals mine social media accounts to get valuable intelligence that they can use in malicious campaigns. All organizations should develop a social media policy that takes cybersecurity and privacy into account. The first step is to develop a social media policy that includes what can be posted, who can post, and on what devices (e.g., can they use their personal device, or does it have to be a company-owned device?), and who is responsible for keeping and changing passwords. These are just some of the things that should be addressed; there are guides that will help you write a detailed plan.

Below are a few tips for developing a secure social media plan in your organization:

• - Providing real-time information. Social media enables organizations to provide information in real-time. This is especially useful if your organization needs to communicate important information quickly. For example, if your organization experiences a time sensitive incident, such as a data breach, you can use social media to share pertinent information and provide steps your followers can take to remediate the damage. Government entities can use social media to disseminate information about programs and public meetings, changes in schedules, road work, and other information that constituents need to know about.
• - Answering questions. Social media allows consumers to ask organizations questions and provide feedback. This means you know what information and product features they want, what you are doing well, and where you can improve. You can change your customer service processes, add new products or change existing ones, or keep doing what you do well. Most importantly, you can be responsive to your customers, which will help grow your image and your business.
• - Humanizing your organization. Consumers can get to know your brand and the people behind it, and vice versa. Because the conversation is person-to-person and not bot-to-person, a company can reach customers using social media in ways that other marketing and advertising can’t. For example, you can adopt a more human voice through social media than you would through traditional advertising. Even a simple “Please PM your information so we can look into your concern” can go a long way toward keeping a current customer happy and maybe getting some new ones.

Securing our connected future

 Social media has proven to be a powerful communications tool for both business and government organizations, but its powers can be used to harm as well as help. A solid social media policy and security plan that is implemented with care, will vastly improve your social media strategy and protect employees’ privacy.

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.