Security Awareness Tips
Information security is an ever-evolving field. In an effort to combat security threats and disperse accurate, up-to-date information, we have compiled a list of glossary terms with which everyone needs to be familiar.
For more information on any of these topics, please get in touch with the information security team.
Phishing
Getting some "phishy" emails? Remember the mantra: STOP! VALIDATE! DELETE!
Learn more about phishing and what to look for here: A Deeper Dive: All About Phishing
Social engineering
Sometimes, hackers can get a little sneaky. Social engineering is when malicious actors forgo the use of complicated hacking techniques in favor of their own wits. So instead of using computing tools and technologies, they utilize psychological manipulation in order to get users (you!) to divulge personal information. Phishing is actually a form of social engineering.
Social engineering has been a wildly successful way to weasel money out of unsuspecting users. In fact, it is being used in more than two-thirds of hacking activities, according to by Social-Engineer.Org. And as more avenues of attack open up, humans have become the , displacing machines in the top spot.
Here are a couple examples of social engineering to become acquainted with.
Example 1: This is how hackers hack you using social engineering
In , a journalist has his cell phone account hacked during a demonstration at the DEF CON hacking conference. In a little under two minutes, the woman learns his personal email address, adds herself to his account, and changes the password. This is a stark example of just how easy it might be to trick telephone operators into giving your personal information away.
Example 2: CEO scam
This illustrates the craftiness of those malicious actors with a skit. Even though this video sets up a seemingly ridiculous and tongue-in-cheek premise of a hacker calling from his mom’s kitchen, the lesson behind it is real: Even if callers identify themselves as someone in a position of power, they could be trying to pull the wool over your eyes.
The best way to avoid the dangers of social engineering is to stay vigilant! If you experience anything suspicious (for instance, if you get an email from President Crawford asking for your bank account information), please contact InfoSec@MiamiOH.edu right away.
Ransomware
Ransomware is an important concept to understand within the information security field. This is a kind of malware that keeps users from accessing their systems by locking either the screen or files. A specialized kind of this family of malware is called ‘crypto-ransomware,’ in which the malicious program encrypts all of the user’s files, making it even more difficult to recover the data. These programs get their name from the fact that they hold data for ransom - asking for varying amounts of money in order to get the data unlocked.
Ransomware is a real threat. Research firm Cybersecurity Ventures predicted that in 2017, losses due to ransomware would skyrocket to , up from $325 million in 2015. This exorbitant amount includes the cost incurred from lost productivity, lost files, and damage of reputation, among others.
To protect against ransomware, there are a few things you can do:
- Back up your data.
- Update your computer’s software.
- Be suspicious of links sent to you in emails or social media messages, even if they appear to come from trusted friends.
If you suspect your computer has been compromised, immediately disconnect from the wireless network in order to prevent a possible infection from spreading.
VPN
In order to access 黑料社区 files and programs from a location off campus, you have to use what is called a ‘Virtual Private Network.’ This is essentially an added layer of protection on our proprietary data, keeping Miami information safe from anything malicious that may be lurking on outside networks.
When you sign in with your computer or mobile device, the VPN encrypts all data sent from your computer to Miami - meaning that even if a hacker were to intercept the information, it’s not that easily decoded. This comes in handy when you need to do some quick work from home or access a file (such as your W-2) from another device.
For more information about VPN, visit .
To learn about how to get the VPN client for your devices, read our helpful article in the August 2017 Tech Talk newsletter.
Password strength
Your MUnet password is used to log in to services like myMiami, Canvas, BannerWeb, Miami Directory, and email. We require that you change your password once every 180 or 365 days, depending on the complexity/strength of the code you choose. Essentially, the stronger the password, the more complex: For example, using letters, numbers, and special characters makes it harder for potential malicious actors to guess your password.
The full policy regarding how often, why, and when you change your password can be .
Check out our article on password security for some password dos and don’ts to ensure you’re making the best logins possible.
Two-factor authentication
This is an important concept when it comes to password strength. Two-factor authentication puts up another wall between your private information and would-be attackers. It requires users to fulfill a second step in order to log in to their accounts. Often, the service asks for a PIN or a temporary passcode that can be retrieved via an app or text message.
In order to strengthen our security practices even further, we are moving to Duo Security mandatory two-factor authentication on all protected Miami resources. Read more about that move and why we are doing it on the Duo frequently asked questions page.
Full Disk Encryption FAQs
In Fall 2017, 黑料社区 IT Services rolled out full disk encryption (FDE). Almost everyone who works at Miami has some confidential information, as defined in MUPIM 3.22, on their computers. By installing FDE, we are ensuring that none of that confidential data can be accessed if an employee’s Miami-issued laptop is lost or stolen. Here are several frequently asked questions about this new requirement, and how it will impact users.
I have a personal computer. How does this encryption rollout affect my personal computer?
Related: Will there be a way to get this encryption on personal computers that are used for University purposes, such as those used by contractors and part-time faculty members?
How does this affect files that I move from my encrypted computer to another location (Google Drive, USB drive, etc)?
What about USB drives?
We are not requiring encryption for USB drives attached to Miami laptops. The goal of this program is to remove the risk of confidential data being accessed from a stolen laptop. However, if you store confidential data on your USB drives, we recommend that you either delete the confidential data from your USB drive and instead store it on Google Drive or a network share drive, or that you encrypt your USB drive. If you would like assistance in encrypting a USB drive, please contact the IT Services Support Desk at 513 529-7900. Be aware that if you lose the password and recovery key associated with your USB drive, you will not be able to recover your data.
What about Parallels?
What about Linux laptops?
What if I’m off campus?
Why are we doing this? How does this benefit Miami?
We already take a number of steps to protect confidential information when it is “data in motion”, such as only allowing access to your email web interface via “https”. Protection for “data in motion” protects Miami data from someone who is able to eavesdrop on your network communication, and is especially important when you are outside of the Miami network, such as when you’re uptown at Kofenya or Starbucks.
This encryption software will protect confidential information when it is “data at rest”. Without encryption on your hard drive, a thief who steals your laptop will be able to access all of the data on your laptop whether or not they have your password. They can simply remove the hard drive, connect it to another computer that they control, and then access all of the data on your hard drive. By adding encryption to protect your “data at rest”, when the thief attempts to access the data on your hard drive they will only see encrypted data while all authorized users of the laptop will be able to access the data normally.