For two years, you’ve accumulated digital clutter and technical debt at a rate previously considered impossible, at least pre-pandemic. The good news is that spring has sprung, and spring is the time when we all agree to pretend we enjoy cleaning. We power through, at least until there’s a clear path from our WFH desk to the fridge. And we feel a little better when we see the results. In that same spirit, let’s take a moment to clear a virtual path and shore up our digital defenses because winter is always around the corner.

Delete with a vengeance. Be brutal. Be the digital minimalist Marie Kondo would envy. Uninstall apps you don’t use, both on your phones and your computers. Delete files you no longer need. Wipe and securely dispose of electronic media and hard copies. Do you really need to keep those laserdiscs and floppies? Everything we retain has a chance of being lost or stolen. Every item carries a liability and weighs us down.

Reduce your attack surface. Removing unused software makes a dent. It also makes it easier for you to keep everything up to date (and you need to keep everything up to date). Now, let’s shift our focus to your accounts. Haven’t used a website in a year? Don’t just leave your account idle and your login credentials unnecessarily exposed. Close your account. Need help finding targets? Check your spam folder for all those privacy policy updates and Christmas in July promotions. Attackers can’t compromise accounts that don’t exist.

Review your records. Take a good look at your bank statements. This is the 21st century. There’s no need to shuffle through paper records if you don’t want to. Just pull out your phone and scroll. Hunt down the source of anything suspicious, and then do yourself the favor of identifying recurring services you can cancel to save some money too. For IT geeks, when’s the last time you’ve read through your systems’ logs? The concept is the same. Give ledgers and logs some love, and tidy-up things you find.

For the sake of all that is nerdy, turn on MFA! Look, we’re going to set the cleaning metaphor aside for a second because this is important. Multi-factor Authentication (MFA) is the annoyingly beneficial feature that prompts you for a single-use code when you login. App-based is best, but text-based is better than nothing. Enable it everywhere you can. Demand it everywhere you can’t. Your password will be stolen or guessed; that’s a given. When that happens, MFA might be the thing that saves you.

Let your bad passwords enjoy their retirement. It’s time. Sure, ‘badger95’ has served you well since high school, but it’s time for you to thank it and send it on its way. Any password you use for more than one service needs to go. Ditto for any password shorter than eight characters. Use a unique password for every site. And use long passwords. If you need to remember it, use a phrase instead of a word. Better yet, use a password manager and let it invent and remember strong passwords for you.

Google yourself and censor your social media. PR is not just for celebrities. Do a search to see what others find when they look you up. Click into the privacy section of your accounts on Facebook, Twitter, Instagram, Snapchat, and other apps. Turn off anything that feels creepy. Want to achieve real enlightenment? Try the “download my data” feature to see just what tech companies know about you. Oh, and keep calm.

E-liminate your e-waste. Everything eventually falls apart. Or it grows obsolete. If you’re stepping over piles of iMacs and Blackberrys, you know the pain. Stop procrastinating. Is there a school or shelter nearby that could benefit from a donation? Look into trade-in programs your vendors offer when you upgrade. Find a local electronics recycler. The dumpster should be your last resort. And don’t forget to wipe and, if needed, physically obliterate your storage devices like hard drives. A good recycler will even handle that for you and give you a certificate of destruction. Remember, NIST SP 800-88 R1 is your friend. Don’t know where to go to get rid of your old electronics? Here you can locate a recycling facility in your area.

Purge but verify. As we lay waste to our waste, a reasonable person could be forgiven for lying awake at night, wondering whether they’ve trashed something they’ll actually need. You’re right to worry. The antidote is backups. But backups are useless. Or at least they’re useless if they aren’t tested. Backing up is easy. Ensuring restores will work and include everything you need is tough. Backups are likewise worthless if you can’t get to them in an emergency or if they’re not isolated and ransomware encrypts them. Do backups, test restores, and practice your recovery procedures so that your first attempt will happen during calm, daylight hours and not at 2 a.m. in the midst of a real-world disaster.

Finally, be ruthless. Getting your analog and digital lives in order does more than improve your state of mind. It pushes back against the creeping fallout from our hectic daily routines. It eliminates dangers we might otherwise miss, dangers that can lead to compromise. Breaches are seldom the result of a single vulnerability. They arise from cascading failures. They represent a fallen house of cards. Get your house in order. Refuse to abide a mess. Protect yourself and your organization so you can rest easy!

With the NBA and NHL Finals and, of course, March Madness fast approaching, spring is a busy time for sports fans and people that like to gamble. Betting on sporting events can bring excitement–the possibility of financial reward and loss–and cybersecurity risks.

At first you might think to yourself, what does cybersecurity have to do with online sports betting? Due to the recent popularity of online betting, especially during the pandemic, online gambling sites have become a hot target for bad actors. This is because these sites collect and manage large amounts of financial and personal information. This means online gambling companies need to have many layers of defenses to protect themselves. Even with all these layers of defense, cyber threats are an ever-present risk to the industry and the millions of people accessing these sites every year.

According to a recent article from The Wall Street Journal, gambling during the Super Bowl this year reached record highs. It stands to reason that this increase in online betting will continue during the upcoming playoff season. Online betting is dependent on allowing users to easily access their sites, set up profiles, place bets, and more. However, ease of use and access should not supersede the need to protect users and their data.

With any seasonal, popular, or hot topic in the news, sporting events have become a prime target for spammers and bad actors. It might be sharing insider information on injuries, the latest upset, or a new deal, bad actors will leverage any headline that might be considered popular to get users to click on a link or open a document. Untrustworthy sites will even mimic popular sporting and betting sites to get people to click on a link and share their personal and financial information.

So, what can you do to protect yourself? Here are some helpful tips:

• Only use trustworthy online gambling sites that have good cybersecurity and privacy practices, such as enforcing strong passwords, multi-factor authentication, and more
• Only go to known and trustworthy news sites
• Use strong and unique passwords
• Review the privacy terms of online gambling sites before using them
• Watch out for phishing emails and spam
• If you’re using an app, make sure you have installed the latest software updates
• Keep your devices and firewalls up to date with antivirus and advanced threat protections
• Set up monitoring and alerts on your banking accounts
• Educate yourself, your organization, family, and loved ones on the cyber risks
• Set up internet filters to block traffic to online gambling sites
• Sporting events are exciting, and many feel that betting on the events heightens the experience. But don’t let your thrill of the game or the win cause you to lose—to a cyber incident.

If you or someone you know is struggling with a gambling addiction, please reach out to the National Problem Gambling Helpline for help.

Tax season is upon us, a time of year when the scammers go into overdrive. Be extra careful while online, and avoid activities that could put your identity and finances at risk. It doesn’t matter whether you owe money to the IRS or are expecting a refund, as the scammers will target you regardless of your situation.  
Let’s explore some common tax scams, warning signs that you may be victim, and steps you can take to protect yourself, your identity, and your finances.

Common Tax Scams

Cyber criminals use the same tried-and-true methods for tax scams as they do with other targeted attacks.

• Phishing: This tactic involves using email or malicious websites to infect your device or trick you into disclosing your information. Phishing emails may appear to come from real financial institutions, e-commerce sites, charitable organizations, or even government agencies such as the IRS.
• Phone Calls: This tactic involves making phone calls or leaving voicemails of an urgent or threatening nature. In the case of tax scams, the calls may advise you of a refund you are owed or demand that you settle an outstanding payment for back taxes. Caller ID spoofing may be used, making it appear like the person calling is from the IRS.

Scammers using these tactics generally attempt to create a sense of urgency, or have a good story that would tend to compel you to disclose personal information such as such as your date of birth, social security number, driver’s license number, or even usernames and passwords to your accounts. Watch out for these common scams:

• Refund Calculation Scam: “The IRS recalculated your refund. Congratulations, we found an error in the original calculation of your tax return and owe you additional money. Please verify your account information so we can make a deposit.”
• Stimulus Payment Scam: “Our records show that you have not claimed your COVID-19 stimulus payment. Please provide us with your information so we can send it to you.”
• Verification Scam: “We need to verify your W-2 and other personal information.  Please take pictures of your driver’s license, documents, and forms and send them to us.”
• Gift Card Scam: “You owe us back taxes and may be charged with a federal crime. You must pay a penalty to avoid being prosecuted. Purchase these gift cards and send them to us and we will wipe your record clean.”
• Fake Charity Scam: Scammers pose as a legitimate charity, often with a similar name as a real charity, to trick you into donating money to their own cause–filling their pockets.
• Fake Tax Preparers: Watch out for tax preparers that refuse to sign the returns they prepare. If they gain access to your information, they may file fraudulent tax returns redirecting your refund or attempt to access your bank accounts.

Warning Signs

Hopefully you have avoided the common tax scams, but the cyber criminals may have other methods of obtaining your information, such as data breaches of companies you do business with. Watch out for these warning signs that you may already be a victim.

• You attempt to file a tax return, either online or by mail, but are informed by the IRS or your state that they have already received one.
• You are informed by the IRS that an account has been registered in your name at IRS.gov even though you have never created one.
• You receive a transcript from the IRS that you did not request

How to Protect Yourself

• Identity Theft Resources
  • If you believe you have become a victim of Identity Theft, visit IdentityTheft.gov to report it and create a recovery plan.
  • For specific information and resources for tax-related identity theft, visit the Identity Theft Central web page on the IRS web site.
• E-mail and Internet Security Best Practices
  • Never use public Wi-Fi to file your taxes or conduct other business such as online banking. Only connect to networks that you trust.
  • Remember that IRS.gov is the only genuine website for the Internal Revenue Service. All Internet and email communications between you and the IRS would be through this site.
  • Never send sensitive information via email. If you receive an email from an unknown source or one that seems suspicious, do not reply.
  • Report tax-related phishing emails to Phishing@IRS.gov. Visit Tax Scams - How to Report Them on the IRS web site for additional information.
• IRS Representatives – Know How They Operate
  • The first point of contact by the IRS is typically via postal mail. The IRS will not contact you via email, text messaging, or your social network, nor does it advertise on websites.
  • IRS representatives always carry two forms of official credentials, and you can confirm their identity by calling a dedicated IRS telephone number for verification.
  • The IRS does not accept payments by gift cards.
  • Review How to know it’s really the IRS calling or knocking on your door on the IRS web site for additional information.
• Donating to Charities
  • Only donate to charitable organizations that you trust. Beware of charities that require you to give or send cash.
  • Verify charitable organizations using the Tax-Exempt Organization Search web page on the IRS web site.
• Using Tax Preparers
  • Beware of tax preparers that only accept cash payments or offer to claim fake deductions to inflate your tax refund.
  • Only use a preparer that can provide you with their Tax Preparer Identification. You can verify your tax preparer through the Directory of Federal Tax Return Preparers with Credentials and Select Qualifications on the IRS web site.
  • Visit Topic No. 254 How to Choose a Tax Return Preparer for best practices on selecting your tax preparer.
• Secure Your Identity
  • Get An Identity Protection PIN (IP PIN) from the IRS to prevent someone else from filing a tax return in your name.
  • Check with your state to see if they offer a similar program to file your state taxes.

While January 28, 2022 marks the 15th annual Data Privacy Day, each of us faces privacy concerns on a daily basis. If our private information becomes public, it can affect our credit ratings, employment options, and even our safety.

In this month’s cybersecurity tips newsletter, we’ll focus on steps you can take to maintain privacy on social media. If you’re one of the lucky few who can live your life unplugged from Facebook, TikTok, and the like, you’re in the clear. If you find yourself among the majority of us who either want or need to engage with others via social media, then here are some tips and tricks to stay safe and secure.

1. Protect Your Accounts

Social media accounts are under constant attack by cybercriminals. Your account can give a scammer a good way to infect your friends with messages that come from a trusted source (i.e., you). There are three simple steps you can take that will thwart most attacks:

• Use long, unique passphrases: Criminals get your account details from breaches and malware. If you use the same one everywhere, cybercriminals will have access to all of your accounts. Consider using a passphrase with multiple words, such as DenverIsBeautiful. It’s easy to remember and tougher to crack.
• Use Multi-factor Authentication (MFA): MFA, sometimes called two-factor authentication (2FA) or advanced authentication, makes it almost impossible for someone else to log in to your account, even if they have your password. You trade the minor inconvenience of entering a one-time code for the huge benefit of keeping the baddies out of your stuff. Turn this on everywhere you can!
• Update Everything: Yes, everything. Keep your operating systems current on your computers, phones, apps, and internet-connected devices. Turn-on automatic updates and reboot when prompted. Networks are usually not compromised because of brand new, 0-day vulnerabilities. Instead, they are breached because a patch was never installed for a bug that was fixed months (or years) prior.

2. Reduce Your Attack Surface

• Your attack surface is the sum of all the ways your information can be compromised. Every account with your personal data or app with a security flaw adds to it. You can reduce your potential vulnerability by deleting online accounts you no longer use and uninstalling apps you no longer need so they can’t be used against you. With fewer things to manage and update, you can focus on protecting what is actually important.

3. Tweak Your Privacy Settings

• All major services offer privacy settings to limit what you share publicly. It may take a bit of exploration to find them, but you can use these tools to control your exposure. Pay special attention to location settings, permissions for facial recognition, who can tag you, and who can see your posts. Also, check the details you publish such as your hometown, birthday, family members, and where you work. Consider removing all of them.
• If it’s allowed by the service you use, you can go a step further by not using real information, such as your full name or actual date of birth. Don’t forget to check who can find you by your phone number and remember to also change your vanity name or username so it won’t give you away.

4. Don't Let Your Photos Betray You

• The photographs you upload to social media or share elsewhere online can expose your face, your address, the valuables you keep at home, the car you drive, and more. Keep this in mind before you post an image that might tell a stranger things you’d rather keep to yourself. Avoid sharing anything with your house number, license plate, or documents in view. For your kid’s safety, watch what they share online as well.
• Photos uploaded to major social media sites are scrubbed so that the metadata – hidden details that live within a picture or video file – are removed. Not all services protect you in the same way, and these metadata are always present when you email a file. Unless you disable the feature, your camera app is probably set to store your location which makes it easy for a criminal to see the exact latitude and longitude where a photo or movie was taken.

Would You Like to Know More?

These links will lead you to more resources to help protect your privacy:

• National Cybersecurity Alliance: Data Privacy Week
• FTC: Protecting Your Privacy Online
• CISA: Online Privacy Tips

Conclusion

While it’s almost impossible to remain anonymous in 2022, there’s no reason to make it easier for criminals to take advantage of you. Information you share online, even if it’s restricted today, may go viral tomorrow. The best way to protect yourself is to avoid posting anything you wouldn’t want your grandmother to read in your local paper. You can’t regret a photo you never take.

• Once you upload a picture or write an angry tweet, you lose control of it, and anyone with a screenshot can continue to spread it long after you press the delete button. Search for yourself online every now and again to see what others will find when they look for you. Opt-out of any websites that share your personal details. Invest some time to ensure that a would-be attacker will be frustrated and move on to easier prey.
• Perfect privacy is impossible, but by being careful you can stack the odds in your favor. Stay safe, take care, and have a secure and Happy (Cyber) New Year!

Whether you are finishing your holiday shopping or celebrating early, this is the time when you will likely be adding new devices to your home. While you may be taking a holiday vacation, hackers don’t rest and are eagerly waiting for you to plug in your new devices so they can gain control.

This holiday season, stay one step ahead by securing your network and devices before cyber criminals get their chance.

1. Secure your Home Network

With a few configuration changes you can greatly enhance the security of your home network. If you are unsure of how to perform the following steps, please consult the product support documentation for your router.

• Change your router’s password from the default to a secure password. This will prevent others from accessing the router’s configuration, changing settings, and gaining visibility into your network.
• Enable automatic updates and install the latest router firmware. Keeping your router up to date with the latest firmware helps protect it as new vulnerabilities are discovered.
• Enable the router’s firewall. The firewall helps prevent the devices on your network from accessing malicious sites, as well as keeping outsiders on the outside of your network.
• Change the Wireless Network Name (SSID). The default wireless network name is typically the brand of the router, which can provide clues to outsiders as to what you are using and what vulnerabilities exist. Make sure you do not use your name, home address, or other personal information in your new SSID name. For added protection, disable broadcast of the wireless network name.
• Enable Wireless Encryption. Use Wi-Fi Protected Access 3 (WPA3) if supported by your device and choose a strong passphrase to connect devices to your network. When feasible, choose wired connections over wireless for enhanced security.
• Enable a Wireless Guest Network. A security best practice is to segregate network devices. Connect your computers, mobile devices, printers, and other trusted devices on your primary wireless network, while restricting devices such as Smart TVs, Personal Digital Assistants, and your refrigerator to the guest network.

2. Secure your Work-at-Home Devices

Here are tips when working remotely both over the holidays and at any time.

• Keep devices physically secured. Always keep your devices with you and store them in a secure location when not in use. Set an idle timeout such as a password protected screen saver to automatically lock the device when you are not using it.
• Keep devices up to date. Enable automatic updates and install the newest updates for the operating system, antivirus software, and other software when available.
• Secure data. Save your work files, e-mails, and other data to authorized locations in your organization’s network. Do not store your organization’s data in your personal e-mail, cloud storage, or USB devices.
• Use Secure Networks. Never connect your work-at-home devices to untrusted networks such as public Wi-Fi. Instead, use your cell phone connection or a personal mobile hotspot when you are working outside of your home. If using an untrusted network is absolutely required and supported by your organization, use a virtual private network (VPN) to keep your network communications encrypted.

3. Secure your Personal Devices

You may be tempted to plug in your new device and start to use it right away. Be sure to take a few minutes to configure security settings before you get started.

• Change Default Passwords. Some devices are configured with default passwords to simplify setup. If the password is not changed, these passwords are well-known and can give attackers full access to your device. Use strong and unique passwords for all your devices.
• Deactivate features that you don’t need. Many devices are equipped with features such as location services, remote connectivity, Wi-Fi, and bluetooth. Each feature that is turned on is a potential opening for an attacker to access your device and gain control. Only use the features that you need and turn them off when not in use. If you don’t need to connect a device to the internet, keep it offline and out of reach of hackers.
• Update and Patch Regularly. Manufacturers will issue updates as they discover vulnerabilities in their products. Configuring your device to receive automatic updates makes this easier for devices. However, if you need to manually update your device, make sure you are only applying updates directly from the manufacturer, as third-party sites and applications may be unreliable and can result in an infected device.
• Secure Accounts. Some personal devices such as gaming consoles require you to establish an account and maintain a subscription to access services. Pay close attention to the information being collected about you and the data that is visible to others. For gaming accounts, the default option may be to share the games that you play, when you are online, the number of hours played, and your contacts list to anyone who is subscribed to the same service. Change your privacy settings to only share data with people that you trust.

It is that time of year again, festivities, family gatherings and holiday shopping! Many consumers will avoid brick and mortar stores and choose to shop online instead. As such, it is important to remain vigilant and be aware of the cyber risks while online shopping. While legitimate businesses are after your money, so are cybercriminals. When it comes to holiday shopping, you should be wary of online criminals. The following 10 cybersecurity tips will make your online shopping experience less risky, not to mention keep you in the spirit of the season and safer from those on the “naughty list”.

1. Do Not use Public Wi-Fi for Shopping Activity

Public Wi-Fi networks can be very dangerous. While they may be convenient to use, they are not usually secure and can potentially grant hackers access to your personal information. Never log in to banking/financial sites or any site where the transaction involves sensitive personal data while logged into a public Wi-Fi network. If you do use public Wi-Fi networks, make sure that you are using a trusted network, that you do not allow it to connect automatically, and that you are completely logged out of it before logging into any site for transactions involving sensitive personal data. Please consider that it may be in your best interests to avoid public Wi-Fi networks altogether.

2. Make Sure eCommerce Shopping Sites are Legitimate and Secure

Shop at well-known retailers that you trust and where you have previously done business. Before entering your personal or financial information into an online commerce site, you must ensure that the site you are on is legitimate and can be trusted. Verify the site is the one you intended to visit by checking the URL. Also, look for the “lock” symbol in the URL bar and make sure “https” is in the beginning; indicating that encryption is used to protect your data.

3. Know What the Product Should Cost

Deal with legitimate vendors. The adage goes, “if it is too good to be true, then it probably is.” ‘Bait and switch’ or ‘teaser’ scams run rampant during the holiday season! Use a service like ResellerRatings.com; allowing users to review online companies and to share their experiences purchasing from those companies as part of your diligence in protecting your interests.

4. Do Not Use Debit Cards for Payment

When you are shopping online remember that it is best to use credit cards or payment services such as PayPal. Credit cards offer more consumer protections and less liability if your information were to be compromised. Alternatively, because debit cards are linked directly to a bank account, you are at a much greater risk if a criminal were to obtain this information. In a dispute regarding a purchase made with a debit card, you’ll be in a weaker position because the merchant will already have your money and it may take weeks to get it back. With a credit card you’ll have time to dispute a charge before any money is actually paid out.

5. Keep Systems Up-to-Date

Be sure to keep all of your internet accessible devices up-to-date. Most software updates improve security by patching vulnerabilities and preventing new exploitation attempts. This includes updates to your device operating system (OS), installed applications, and to your anti-virus software. This is one of the most important and easiest things you can do to help prevent criminals from exploiting vulnerabilities enabling them to access your information.

6. Think Before You Click

Scammers take advantage of the surge in holiday deals and communication to send out their own viruses and malware. Scams have significantly evolved in quality and can appear as legitimate discounts or reputable special offers. Be careful with messages regarding shipping confirmations and changes. Phishing scams include cleverly crafted messages that look like official shipping notifications. Always use official channels to stay updated. As always, NEVER open an email from someone you do not know, did not expect to receive, or from a site you have not visited.

7. Use Strong and Unique Passwords

Creating strong and unique passwords is still the best security practice for protecting your personal and financial information. Make sure your passwords are sufficiently long and complex utilizing a combination of upper- and lower-case letters, numbers, and special characters. Consider creating a cryptic passphrase that is longer than the typical password, but easy for you to remember and difficult to crack. MOST IMPORTANTLY, do not reuse passwords across multiple sites; especially between work and personal resources.

8. Avoid Saving Your Information While Shopping

Never save usernames, passwords or credit card information in your browser and periodically clear your offline content, cookies, and history. Avoid saving your payment information in your account profile when completing an online transaction. If the site autosaves your payment information, go in after the purchase and delete the stored payment details. Better yet, if the site has the option, check out as “guest” to avoid giving personal/payment information online.

9. Don’t Share More Than is Needed

Be alert to the kinds of information being collected to complete your transaction. If the site is requesting more data than you feel comfortable sharing then cancel the transaction and purchase elsewhere. You should only need to fill out required fields at checkout.

10. Monitor Your Financial Accounts

Even with good cyber hygiene and best practices, you may still find yourself a victim of a cyber scam. Pay close attention to bank and credit card accounts and be sure to monitor your credit report to ensure that there is nothing out of the ordinary.

For more information on holiday shopping safety, visit the following resources.

• https://us-cert.cisa.gov/ncas/current-activity/2020/11/24/online-holiday-shopping-scams
• https://staysafeonline.org/wp-content/uploads/2020/11/Online-Holiday-Shopping-1.pdf 

In its most recent annual Cost of a Data Breach report, the Ponemon Institute reviewed more than 500 incidents around the world. The results were sobering: the average data breach costs an organization $4.24 million, and takes 287 days to identify and contain.

That’s why Cybersecurity Awareness Month – designated every October for the last 18 years – is an important reminder of just how critical cybersecurity awareness is at all levels of government and across every industry.

The best way to protect your organization and yourself is by being able to recognize potential cyber threats, understand their significance, and sharing that knowledge with others. The weakest link in many cybersecurity programs is people. They make mistakes, it’s bound to happen. But if you can raise your end users’ awareness about cybersecurity across all of the platforms and devices they use, it can drastically reduce the likelihood of a mistake happening. Even more important – when a mistake does happen and you have a strong cybersecurity posture, people recognize it and know how to respond.

This October, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA) are emphasizing the overarching theme of “Do your part. #BeCyberSmart.” Additionally, four weekly messages, have been established for Cybersecurity Awareness Month 2021.

Week 1: Be Cyber Smart

Knowing and sharing the cybersecurity basics is the foundation for any good awareness program. Knowledge is power, and that power should be shared. To be cyber smart you should assess your posture, implement a defense in depth strategy, ensure strong password and access management practices, patch regularly, and continually educate yourself and others in your organization.

Week 2: Fight the Phish!

Phishing is one of the most common ways that bad actors attack organizations, because it’s an easy and simple way to get in front of users. Fight back by implementing solutions that block phishing emails and educating users to identify those that would otherwise get through your defenses. Users who can quickly identify and report phishing emails can help tip the scales in your favor. The more people you have fighting phishing attacks, the stronger your organization’s cybersecurity posture will be. Learn more about how to prevent email compromise here.

Week 3: Explore. Experience. Share

The third week of October is Cybersecurity Career Awareness Week! The world of cybersecurity and the threat landscape is ever-changing, and that presents outstanding career opportunities for people who want to apply their skills and passion to this growing area. Week 3 is all about inspiring and promoting awareness and encouraging people to explore careers in cybersecurity by calling attention to the contributions they can make to our society and our economy in doing so.

The National Initiative for Cybersecurity Education (NICE) has put together some resources to help you learn more about career paths in cybersecurity.

Week 4: Cybersecurity First

Being online and connected is part of our everyday lives – from work, to shopping, to entertainment. So we also need to make sure cybersecurity is at the forefront of our minds every day. If you’re sharing information online, you should take a couple of seconds to validate that the receiver is a trusted source and is applying cyber best practices. Likewise, if you’re receiving information, you should make sure you’re doing everything possible to protect it from bad actors. Cybersecurity should be the first and last thing we consider when interacting with the digital environment.

These messages should be shared at all levels. We encourage you to take these Cybersecurity Awareness Month themes and develop short, but impactful weekly communications to everyone in your organization. Then post them on social media and other platforms to play your part in spreading the word. The more people we can encourage to be #BeCyberSmart, the more connected, informed, and protected our communities will be.

If you or your organization is interested in taking an active role in Cybersecurity Awareness Month, download CISA’s Cybersecurity Awareness Month 2021 Toolkit. It provides valuable messaging, articles, social media graphics, and other resources for promoting and modeling this important initiative. We at the MS-ISAC have developed social media templates that we encourage you to share to help promote the campaign and our goal to create an elevated level of cybersecurity posture across the United States.

We like to think we can trust our co-workers to do the right thing. Unfortunately, this is not always the case. Some people become insider threats; that is, they use their authorized access to systems to harm their organization. For example, someone may sell information from a database to a third party.

There are three types of insider threats:

1. Unintentional –This person does not intend to cause a threat, but they do so through carelessness. They may misplace their laptop or flash drive, fail to update software, or ignore instructions when setting up software or cloud storage. Their attention to detail may be poor and they can make mistakes that damage the organization, such as causing a breach by emailing data to the wrong person.
2. Intentional –This person intends to harm their organization and is often called a “malicious insider.” They may be in it for financial gain, to get revenge for some perceived slight, or for some other motivation. They may leak information to third parties for money or political beliefs, steal information to advance a side business, or destroy data to sabotage the organization.
3. Collusive or Third-party – Collusive threats occur when an insider collaborates with an outsider to compromise an organization. The outsider may recruit an insider to obtain information to commit fraud, intellectual property theft, espionage, or some other crime. Some insiders may be manipulated into becoming a threat and may not recognize that what they are doing is harmful. Third-party threats occur when the insider works for a contractor or vendor who has access to the organization’s network or facilities.

Some of the indicators of an intentional insider threat include:

• Life changes, such as financial, relationship, family, or work problems.
• Behavioral changes, such as signs of depression, anger, or possible drug or alcohol addiction. However, a colleague who seeks help is showing good judgment.
• Changes in work habits such as working through lunch, accessing or asking questions about information or systems not part of the scope of the colleague’s employment, or a disregard for security policies and practices.

Many unintentional insiders are:

• Poorly trained in cyber hygiene, either because the organization does not train staff or because they do not pay attention.
• Disorganized; loses laptops or flash drives.
• Unfamiliar with technology or thinks they know more than they do and do not follow instructions when installing new software or setting up cloud storage.

We all make mistakes, but many unintentional insiders simply do not pay attention to what they are doing. The lack of attention to detail puts their organization at risk for breaches and malware.

To reduce the likelihood of an insider threat, organizations should develop a comprehensive program that includes knowing the people within the organization, identifying the assets and prioritizing the risks, and establishing the proven operational approach of detect and identify – assess – manage.  Organizations should take extra steps to vet third party service providers to ensure they can access only necessary systems and areas of the building.

The Cybersecurity and Infrastructure Security Agency (CISA) has more information about insider threat mitigation at https://www.cisa.gov/insider-threat-mitigation.

As technology continues to evolve, the tools and toys available to your children increase in number and evolve in capabilities. Technology can be used to educate and inspire creativity in kids, but it also exposes them to a risky landscape most of us didn’t have to worry about during childhood.  Adults can discuss with children how the digital world is a great resource, but we must remain cyber aware. We all should be responsible with the information we share, and the ways we explore.

Here are a few things we should all do to protect our kids and our home networks.

Keep Software Updated

Think of all the devices in your household that connect to the internet - phones, tablets, computers, gaming systems, smart appliances, even lightbulbs! One of the most important things you can do to keep your devices safe is to ensure your devices are up to date and using the latest software. When your devices notify you about a software update, install the update right away, or set them to automatically update.  Those updates contain security patches that close loopholes that hackers can use to gain entry and access your data like your passwords, payment information, photos, and more.

Always make sure you know what apps are on your children’s devices, know what those apps do, and what type of information they monitor or collect.  This can be done easily by checking the app settings and privacy disclosures.

If you have children prone to installing anything that looks new and flashy, consider requiring a PIN or password you only know before allowing installation of new applications.

Implement Domain Name System (DNS) Filtering

As we all know, surfing the web can be a risky business.  While we can usually identify scams and malicious links, children may not catch on so quickly and see that the link their friend’s hacked account just sent them for a free game is a malicious website in disguise.

Implementing DNS filtering, which prevents devices on your network from connecting to known bad websites, is a free and easy way to help prevent everything from phishing and ransomware, to spyware and viruses.  It is so useful, some of largest IT companies in the world have joined forces to provide it for    DNS filtering can even be set up on your home router with very little effort, which will help protect anyone or device on your entire network. DNS filtering services can also be used to implement parental controls to deter kids to going to unwanted or inappropriate websites. You can additionally limit kids’ screen time and monitor their online surfing activity if you choose to do so. By doing this, you can create a family-friendly online space in your home while also protecting your identity and blocking cyber-villains.

Free DNS filtering options for families

• Quad 9: When your computer performs any Internet transaction that uses the DNS (and most transactions do), Quad9 blocks lookups of malicious hostnames from an up-to-the-minute list of threats.
• Cleanbrowsing: A free DNS system that focuses on privacy for households with children. It provides 3 free filter options and blocks most adult sites.
• OpenDNS: Owned by Cisco, OpenDNShas two free options: Family Shield and Home. These are incredibly useful for monitoring and preventing adult site access as well as general internet safety and performance.

Talk to Your Kids

Finally, make sure you talk to your kids about cybersecurity. Just like other issues that have the potential to harm our children, keeping an open line of communication regarding cybersecurity is vital to keeping them safe.

Outside of adjusting privacy settings and parental controls on devices your kids use, make sure they learn how to spot unusual behavior and encourage them to tell you about it. Teach your kids about proper online etiquette and encourage appropriate interactions.

Supervise their screen time and make sure you are in the know about who they talk to and interact with online. Talk to them about the importance of keeping some information private – such as your name, home address, and phone number.

Check their apps and devices frequently to make sure your kids haven’t turned on location sharing or made their social media accounts public to anyone and everyone.  As they get older, remind them that once information is online it can’t be taken back – it’s online forever.

Cybersecurity was not something past generations of parents had to worry about when raising their children but is a big part of all our lives now.  And even though we may not like all that comes with these technologies, they’re here to stay and it is imperative that we teach our children how to responsibly and safely use them. Let’s give our children the foundation they need to be able to safely and securely engage in today’s connected world.

In response to the pandemic, many end-users are now working from home instead of commuting to their business locations. Homes are being used as business offices, and computers and networks are being shared by family members. Families are taking classes, doing homework, and surfing the web in addition to performing business functions.

The data created may be stored locally or in the cloud. Backups may not happen until the device is returned to the office or the end-user manually backs it up. This new environment is ripe for cyber-attacks.

The Perils of Ransomware

Ransomware is one of those cyber-attacks that are on the rise. Ransomware is a type of malware that is normally delivered through a phishing message. The phishing message entices the reader to click on a link or open an attachment. When the recipient falls for the phish, the process of infecting the device is started. It initiates a connection back to the attacker’s device to receive instructions for encrypting the device.

Once the encryption is completed, the user is locked out of their data and the device. At this point, a ransomware note is displayed and a ransom is demanded in cryptocurrency (i.e. Bitcoin) to regain access to their data and their system.

Protect Your Family, Data, and Devices

So, what does this mean to you? How can you protect your family, data and devices from these cyber attackers? Here are some best practices for cyber hygiene that can help protect you from becoming a victim of ransomware:

• Don’t open any emails from someone you don’t know or that you aren’t expecting to receive.
• Don’t click on links in messages.
• Avoid opening attachments in messages. Download the attachments and scan them for malware before opening.
• If it sounds too good to be true, it probably is. Don’t give away any personal information that could allow an attacker to compromise your devices or steal your identity.
• Install anti-virus/anti-malware software on your device and keep it up to date.
• Apply patches to all applications and the operating system as they become available.
• Don’t browse suspicious sites. Cybercriminals count on users mistyping the name of a legitimate site. These sites are made to look like the legitimate site but are used to deliver malware to the device.
• Don’t respond to pop-up windows instructing you to call a number for support. Attackers use this method to steal your personal and credit card information. Once you allow them to remotely access your device, they will install additional malware on your device instead of removing it.

What to Do if You Get Infected with Ransomware

1. Don’t respond to a ransom note on the screen. Paying the ransom does not guarantee that you will gain access to your data and/or your system. The attackers will normally request payment in a form of cryptocurrency, like Bitcoin, that can’t be traced. Once the ransom is paid, your money is gone.
2. Seek professional assistance. Contact your employer’s IT security department and/or law enforcement to allow them to trace the source of the infection.
3. Using a separate non-infected device, change passwords on all accounts that were accessed from that device.
4. If you provided the attacker with personal and/or credit card information, put a fraud alert on your account at the three major credit reporting bureaus (Experian, TransUnion, and Equifax). This should prevent the cybercriminal from using your information to open new accounts in your name. If credit card information was provided, contact your credit card company to report it to their fraud department. They will normally issue you a new credit card number and shut down the old account to prevent it from being used fraudulently.

Many of the crimes that occur in real life happen on the internet too. Credit card fraud, identity theft, embezzlement, and more, all can be and are being done online.

Seniors and the elderly are often targeted for these cybercrimes. They tend to be more trusting than younger people and usually have better credit, and more wealth. This makes them more attractive to scammers.

Seniors are considered easy targets by criminals because they might not know how to report cybercrimes against them. In some cases, seniors can experience shame and guilt over the scam. They may also fear that their families will lose trust in their ability to continue to manage their own finances.

Cybercrimes Targeting Seniors

Here are some common cyber scams used against senior citizens and how to avoid them:

• Tech support scam: Criminals pose as technology support representatives and offer to fix non-existent computer issues. The scammers can gain remote access to victims’ devices and their stored sensitive information.
• Government impersonation scam: Criminals pose as government employees and threaten to arrest or prosecute victims unless they agree to provide payments.
• Financial scam: Criminals target potential victims using illegitimate credentials from legitimate services, such as reverse mortgages or credit repair.
• Romance scam: Criminals pose as interested romantic partners on social media or dating websites, particularly targeting women and those who are recently widowed.

A new twist is to use the romance scam to recruit victims for other illegal activity. This could include using the victim’s bank account to launder illegally obtained money or apply for benefits in another person’s name. Institutions may become suspicious, especially if these transactions are out of character. They may close the victim's account, or even refer the account for prosecution, putting the senior citizen at risk for legal action.

Tips to Protect Seniors Against Cybercrimes

Here are some tips on how to protect yourself or someone you love from cybercrimes:

• If you use social media, limit the amount of personal information you post and only add people that you know.
• Resist the scammer’s urge for you to act quickly. Scammers are very skilled at manipulating emotions and will fabricate an emergency to persuade a victim to act without thinking.
• Search for information about the proposed offer and any contact information given by the scammer. There are people and agencies online or in your community who can tell you if an individual or business is a scam. Never be afraid to ask other people for help.
• Never send money or personally identifiable information to unverified people or businesses. Be suspicious about anyone who demands gift cards as payment.
• Use reputable antivirus software and firewalls and make sure you regularly update them. If possible, configure your device to automatically download and install updates.
• Disconnect from the internet and shut down your device if you see unusual pop-ups or get a locked screen. Pop-ups are often used by criminals to spread malicious software.
• Be cautious what you download. Never open email attachments from someone you don’t know.

What to Do if You're Targeted by a Scammer

If you think you are being targeted by a scammer:

• Never share financial account information, and do not allow anyone access to your accounts.
• Monitor your accounts and credit for unusual activity, such as large sums of money that you did not deposit or loans that you did not apply for.
• Contact your local law enforcement agency to file a report and notify your financial institutions.

Sources:

• https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/elder-fraud
• https://www.cisa.gov/publication/stopthinkconnect-older-american-resources
• https://cybersecurityventures.com/3-cyber-fraud-tactics-targeting-seniors-and-why-theyre-so-effective/

An email account can be compromised in a number of different ways. In some cases, your password may be weak and easily guessed or obtained through a public breach. In other cases, you may have clicked on a malicious link in an email, social networking site, or webpage. Or, you may have downloaded an app or file that contained malicious scripts.

In this edition of the security newsletter, we’ll look at potential warning signs that your email account may have been compromised, what you can do to recover, and steps you can take to help prevent it from happening again.

How to Tell if Your Email Account is Compromised

Here are some red flags that may indicate your account has been compromised:

1. You are unable to access your e-mail account. If an attacker gained access to your email address and password, they may have logged in and changed the password to lock you out of the account.
2. Your family, friends, and coworkers receive emails from you that you didn’t write. Once your email account is compromised, the attacker can use your email address to send spam or phishing emails to the contacts in your address book.
3. You see activity on your social media accounts that you didn’t post. Some social media sites use single sign-on (SSO) with credentials from other accounts (e.g. Google, Yahoo) so you can login to social media without having to create a separate username and password. If your email account is linked to your social media accounts or if you use the same username and password for all your accounts, the attacker can gain access to everything with a single username and password.
4. You notice your Sent messages folder is empty or includes messages that you did not send.

What to Do if Your Email Account is Compromised

Here are some steps you can take if your account has been compromised. If you think your account has been compromised but you are not sure, it is better to err on the side of caution and follow these steps:

1. Login to your email account and reset your password using a strong password.
   a. Use long passphrases to make passwords easier to remember and more secure.
   b.  Do not use information about yourself, the city where you were born, your age, or the names of relatives, friends, or pets.
   c.  Do not use common words such as the name of favorite sports team.
   d.  If you are unable to login, contact your email provider to find out how you can regain access.
2. End / sign out of all sessions on all devices. Even after you change your password, if the attacker has an active session, they may be able to continue to send emails from your account.
3. Reset any additional accounts that the attacker may have gained access to. These may include financial institutions, shopping sites, and social media sites. There may be references to these accounts in your email. Remember to use unique passwords for each and every account. If not, if one account gets compromised, they all become compromised.
4. Enable Multi-Factor Authentication (MFA) on your e-mail account. This provides an additional layer of protection to login to your email account. It requires a code from a text message, phone call, or authenticator app to further verify access. Visit STOP.THINK.CONNECT to learn how to activate MFA.
5. Review and change your security questions. If your email account was compromised from a device or location not matching your normal usage, it’s possible a malicious individual was able to answer your security questions.
6. Review your mailbox for any rules that you have not previously created. These rules can include message forwarding, deletion, or running unwanted applications.
7. Review outgoing messages and retract any malicious outgoing messages. In most cases, the attacker will not leave traces of any outgoing messages, but this should still be checked.
8. Contact the people in your email address book and let them know that your email was compromised. Remind them to delete any emails from you during the time your account was compromised to prevent them from becoming the next victim.
9. Verify if there is private or personally identifiable information in your e-mail that could be used maliciously.
10. Establish a routine where you change your password periodically. Consider changing your password on at least an annual basis (unless a breach requires it sooner).
11. Scan your computer for viruses and malware. This is especially important if you are experiencing problematic signs like unfamiliar applications loaded on your device, your computer operating slowly, or problems shutting down.

What Can I Do to Prevent an Email Account Compromise?

Good security best practices and safe browsing habits can help prevent your email account from being compromised in the future:

1. Make sure your devices are patched with the latest updates, including antivirus.
2. Set your security software, internet browser, and operating system to update automatically. Or, establish a routine to do this manually on a frequent basis.
3. Use unique strong passwords for account access.
4. Be wary of unexpected emails, especially when they contain links and/or attachments.
5. Verify the sender’s address. If you don’t recognize the address, don’t reply.
6. If an email request from a known contact seems out of place, verify the request by calling the sender on the phone.
7. Think twice before clicking a link. Always hover before clicking to see the address of the web site you are attempting to visit.
8. Never click text links like “Click Here” or “Unsubscribe,” or any other links in suspect emails.
9. Never input a password or your email address on an unknown site, and never provide your passwords to anyone.
10. Be vigilant when reviewing emails, as you may receive an email from a legitimate contact who has been compromised.
11. Don’t access your email account on a public computer or from a device using public Wi-Fi.

Additional Information

• CISA: Choosing and Protecting Passwords
• CIS: Securing Login Credentials
• Stay Safe Online: Hacked Accounts
• FTC: Hacked Email