It’s that time of the year again. Welcome [back] to college!

Information Security 2019-2020

The new school year is an exciting time for students, faculty, and staff. It is also prime time for cyber criminals to attempt to take advantage of people during this busy time of the year.

In recent years, universities—like everyone else—have become increasingly aware of online threats. Campuses have seen their payroll systems compromised by criminals who steal faculty and staff passwords, often by means of phishing emails, and then use those credentials to redirect direct deposit salary payments. Several universities have been targeted by ransomware attacks—including, just in the past month, Regis University and Stevens Institute of Technology. Some have seen email accounts compromised and used to send out those phishing messages, because emails sent from authenticated addresses ending in .edu are often able to evade spam filters. The risk of intellectual property theft looms large for some campuses, especially research institutions such as Northwestern University, as does the risk of spies or criminals using compromised servers on U.S. campuses as “hop points” to route an attack directed at another target, like a government agency or private company.

So, it’s very much to their credit that so many schools have invested in security measures like two-factor authentication, automated backups of school systems, and training modules to educate their faculty, staff, and students on campus about the risks of phishing, malware, and weak passwords.

It may all sound scary and complicated, but there are many ways to stay safe, online and offline. So, here are some of my main recommendations:

For Students:

  • Watch out for emails supposedly containing “important information about your NU account,” or alerting you that there’s a “problem with your registration.”
  • Watch out for scams specifically designed to cheat students out of money, such as scholarship scams, fake “tuition payment processors,” textbook rental or book-buying scams, housing scams, tutoring scams, and work-from-home scams.
  • Watch out for “tech support” scams, where you get a call supposedly from “the Support Desk,” or even from “Microsoft” or “Apple,” telling you there’s a problem with your computer.
  • Watch out for IRS impersonators demanding that students or their parents wire money immediately to pay a fake “federal student tax.”
  • Be suspicious of messages asking for your login information, no matter how legitimate they may look. No one other than you needs to know your passwords.
  • Watch out for fake friend requests on social media; always confirm with your friends in person that a request really came from them.
  • Be wary of fake Box or Google Doc notices. Only Box, OneDrive, and Google are certified Northwestern University cloud storage partners.

For Faculty and Staff:

  • Start taking two-factor authentication more seriously. According to a new report from Microsoft, two-factor or multi-factor authentication (MFA) helps prevent more than 99 percent of attempted account compromises. That means it protects you from being compromised and protects your email account from being hijacked to send spam (and, if you are on the payroll, it keeps your paycheck safe). If it is also required to access library databases or course management websites, that’s probably because administrators are concerned about protecting copyrighted materials stored on those networks. Learn more about DUO, Northwestern University’s multi-factor authentication (MFA) system.
  • Always use the VPN when you are off-campus or not at home, especially when you’re somewhere with unsecured Wi-Fi or in a foreign country whose networks you have reason to mistrust. If you’re traveling to China or Russia for work, ask your department to provide you with a clean loaner laptop to use for travel (where available); if you’re unable to secure a loaner laptop, ask Northwestern University Information Technology for tips on how to stay safe while traveling to those countries. Also, familiarize yourself with the Northwestern VPN and learn how to set it up.
  • Never respond to any emails or phone calls asking you for your passwords or other login credentials. Yes, even if they have the Northwestern University logo at the top, come from “IT SYSTEMS SUPPORT,” and carry the subject line “URGENT: ACCOUNT EXPIRATION.” If you’re legitimately concerned that something may be wrong, call the IT help desk at the number you already know and ask them to confirm whether your account is about to expire. Do not call the number included in the phishing email!
  • If you click on a link in an email telling you to log in to a university system, always double-check, when the webpage loads, that the address really begins with your school’s domain (the host name right after “https://”, not just the school’s name appearing somewhere later in the address) and that the browser shows a secure connection. If you have any doubt at all about the link, or can’t see the full URL in the email, open a new browser window and search for the relevant login page yourself, to be sure you’re not being misdirected.
  • Don’t open attachments you weren’t expecting, or attachments that seem even remotely suspicious — especially ones with a file type you don’t often see or don’t recognize at the end of the name (.zip, .rar, .exe, .jar), or with no file type extension at all. In Outlook Web App, you can often preview certain types of attachments, or open them as webpages, before downloading them onto your computer.
  • Enable full disk encryption on your computer. This is easy to do on both Mac and Windows, especially for your non-Northwestern-managed computer(s) at home. You should also make sure your computer(s) lock and require a password after being untouched or inactive for at most five minutes. All new computers that have been through the rigorous setup process performed by Northwestern Information Technology have full disk encryption enabled. If your computer was not set up by a Northwestern Information Technology support technician, or you are unsure whether your computer has full disk encryption enabled, please contact Northwestern University Information Technology; they can determine whether full disk encryption is enabled, or whether an appointment is needed to enable it on your device(s).
  • Set up a system for online backups of your hard drive. Take advantage of Northwestern University’s cloud-based storage system, Box. Additionally, Northwestern University installs and uses Code42 CrashPlan PRO for continuous backup. Don’t start the school year without feeling confident that if your laptop fell into the lake, was stolen, or was infected by ransomware, you would be able to start over from scratch without losing anything important. You may be confident you would never fall for malware masquerading as an emailed calendar invite (though don’t get too confident there—we are all fallible), but your computer is connected to a larger campus network. Imagine your most gullible co-worker, classmate, or student. Your security could be in their hands. Make sure you’re in a position to recover from their mistakes, as well as your own.
  • Never pay online extortion demands. This is an old tactic used with new technology. Paying just encourages more ransomware attacks, and you might not get your information back anyway. And if you have a reliable backup tool, or two, such as Box and CrashPlan PRO, you can feel good knowing that your data is intact and can be retrieved from somewhere else.
  • Never give someone remote access to your computer. Even if they claim they’re calling from IT! Even if they know your name, your password, and your ID number! Northwestern University Information Technology support will never call you out of nowhere, unannounced!
  • Whenever you suspect that something about an online message or phone call is even a little bit off, it’s always better to take a little more time to check things out before responding. Even—especially—if you’re being told that your boss or someone you love is asking whether you’re available and needs a gift card immediately.
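The login-link check in the list above is easy to state and easy to get wrong, because phishers put the school's name in the address somewhere other than the host. The Python below is an added example, not part of this post or of any Northwestern tool; it assumes the school's domain is northwestern.edu and uses constructed sample links (the ".example" hosts are placeholders). It looks only at the host name and the scheme, which is exactly what the advice says to verify, and reports why a link fails.

```python
"""Check a login link the way the advice above describes: the host must be
the school's own domain (or a subdomain of it) and the link must use HTTPS.
Hypothetical helper written for this post; not a Northwestern IT tool."""

from urllib.parse import urlsplit

# Assumption: the school's registrable domain.
SCHOOL_DOMAIN = "northwestern.edu"


def is_under_domain(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_login_url(url: str, school_domain: str = SCHOOL_DOMAIN) -> dict:
    """Return the parsed host, an ok flag, and the reasons a link was rejected."""
    reasons = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    # urlsplit gives the real host: anything before '@' is userinfo, not the host.
    host = (parts.hostname or "").lower().rstrip(".")

    if scheme != "https":
        reasons.append(f"not HTTPS (scheme is {scheme or 'missing'})")
    if not host:
        reasons.append("no host name could be parsed from the address")
    elif not is_under_domain(host, school_domain):
        reasons.append(f"host {host!r} is not under {school_domain}")
        if school_domain in url.lower():
            # The school name is present, but not where the browser connects.
            reasons.append("school domain appears in the address but not as the host")
    if parts.username is not None:
        reasons.append("address carries a username before '@'; the real host comes after it")

    return {"host": host, "ok": not reasons, "reasons": reasons}


# Constructed sample links for demonstration only.
SAMPLE_LINKS = [
    "https://login.northwestern.edu/sso",             # genuine shape
    "https://northwestern.edu.evil.example/sso",       # school domain used as a prefix
    "https://northwestern.edu@evil.example/login",     # userinfo trick
    "https://evil.example/northwestern.edu/login",     # school name in the path
    "http://login.northwestern.edu/",                  # right host, no TLS
    "northwestern.edu/login",                          # no scheme at all
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = classify_login_url(link)
        status = "OK  " if verdict["ok"] else "STOP"
        print(f"{status} {link}")
        for reason in verdict["reasons"]:
            print(f"      - {reason}")
```

Running the script prints one line per sample link; only the first passes. The check deliberately does not try to decide whether a look-alike host is "close enough" to the school's domain: anything that is not under the domain is rejected, which matches the advice to open a fresh browser window and find the login page yourself when in doubt.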

Additional resources (Previous blog entries)

You can always review a list of samples of recent phishing attempts that Northwestern University Information Technology has caught on our network.

Check my previous blog entry Anatomy of a Phishing Attempt to learn how to spot (and stop) a phishing email.

Source: Slate.com.