Share This

IT Security Student Guide

Office of Information Technology
0

IT Security Student Guide

E.L.U.D.E. For Students

How to E.L.U.D.E. CyberSecurity Threats @ CCNY  For Students

Office of Information Technology:
November 2016

IT Security Office
Email: ITsecurity@ccny.cuny.edu
Phone:  (212) 650-6565

For more information visit the CCNY Information Security website (http://www.ccny.cuny.edu/it/security)

PROTECTING YOUR INFORMATION AND YOUR FAMILY

As the internet and mobile devices proliferate, maintaining information security has become a vital part of all our lives. Of particular concern is guarding personally identifiable information (PII), which includes:

  • Social Security numbers and birthdates
  • Debit and credit card numbers
  • Userids with passwords
  • Student records (e.g., GPAs, transcripts, grades, test results)
  • Financial records (e.g., tax information, bills, insurance records, payroll information)
  • Health records
  • Drivers licenses or other government-issued identification

TECHtalk: Spring 2017
HACKS HAPPEN! How to E.L.U.D.E. cyber threats
Following these best practices will go a long way to protecting you from the worst


Environmental awareness of cyber threats, risks and best practices is essential protection

  • When possible, physically secure your computer with security cables/plates; always lock building/office doors and windows when your devices are unattended
  • Never leave mobile devices unattended; thieves can steal your hardware and identity
  • Use discretion when transmitting personal information via online resources (especially email and social networks); treat sensitive information like it could be there permanently, accessible to everyone.

Logins and passwords should always be enabled and strong

    • Use strong, hard to guess passwords: at least eight characters, including upper and lower case letters, numerals and symbols. Avoid common names, dictionary words, birthdates and anniversaries
    • Never ever share your password with anyone
    • Change your password at least every 90 days and use a unique password for each account
    • Always require a password to log in to your computer, especially at start-up; use a screensaver to automatically password-lock your unattended devices
    • Use a generic use account for daily tasks (browsing, email, working); use only administrative accounts for installing new software updates and system maintenance
    • Always log out of your computer workstations and applications, even if only away for moments.

Updates and upgrades provide up-to-date protection against ever evolving threats

  • Always check for and install critical updates and security patches before using software products, including operating systems, applications, browser plug-ins and add-ons; only use products that are maintained by their developer
  • Always use licensed and up-to-date malware protection to protect against attacks from malicious agents – viruses, worms, ransomware, rootkits and zombies!
  • Outdated programs contain security vulnerabilities; if you don’t need it, delete it.

Data and information management: Organize and isolate sensitive information to avoid risk

  • Be cautious when opening unexpected or suspicious email messages or websites, which may contain malicious attachments or links that appear legitimate
  • Classify and organize documents to minimize exposure of sensitive information (SSNs, financial records, credit card information, health records, etc). If you don’t need it delete it!
  • Ensure critical backup files are encrypted and securely stored on a safe, secure backup site
  • Learn how to securely delete sensitive information – emptying the trash is not enough.

Encryption securely scrambles data, making it nearly impossible to hack

  • Google how to layer file, folder and full disk encryption to protect your confidential data
  • Before transmitting confidential data ensure that data encryption protocols are in effect (e.g., HTTPS// for websites, SSL/TLS for file transfers)
  • Prior to disposal, storage devices (hard disks, DVDs, USB drives, smart phones, network storage, etc.) containing confidential information (SSNs, financial, health and academic records), must be securely overwritten or physically destroyed to prevent unauthorized disclosure.

TECHtalk: Fall 2016
BEST PRACTICES TO E.L.U.D.E CYBERSECURITY THREATS

nvironmental Awareness of cyber threats, risks, and best practices is essential protection

  1. Be careful when using online resources (commercial accounts, email and social networks): treat sensitive information like it will be there permanently, accessible to everyone.
  2. Disable online accounts and computer devices you no longer use.
  3. When possible, physically secure your computer with security cables/plates; always lock building/office doors and windows when your devices are unattended.
  4. Never leave mobile devices unattended; thieves can steal your hardware and identity.
  5. Regularly check your accounts, billing statements, and credit reports for suspicious activity.

ogins and Passwords should always be enabled and strong, respectively

  1. Use strong passwords that cannot be easily guessed or deciphered: at least eight characters including upper and lower case letters, numerals and symbols. Avoid using simple identifiers like common names, dictionary words, birthdates, and anniversaries.
  2. Use a unique password with each account (with a password manager, if necessary).
  3. Never, ever share your password or your account when logged in!
  4. Passwords are compromised all the time, so change your password at least every 180 days
  5. When available, configure your accounts to use two-factor authentication.
  6. Always require a password to login to your computer, especially at computer start-up; use a screensaver to automatically password-lock your unattended devices.
  7. Use a generic user account for daily tasks (browsing, email, working); only use administrative accounts for installing new software, updates and system maintenance.
  8. Always log out of your computer workstations, applications, social media websites, even if you will only be away for moments.

pdates and Upgrades provide up-to-date protection against always evolving threats

  1. On all your devices always check for and install critical updates and security patches before using software products—including operating systems, applications, browser plug-ins and add-ons; only use products that are currently maintained by their developer.
  2. Always use up-to-date malware protection to protect against cyberthreats.
  3. Outdated programs contain security vulnerabilities; if you don’t need it, delete it!

ata and Information Management organize and isolate sensitive information to avoid risk

  1. Exercise caution when opening unexpected or suspicious email messages or websites, which may contain malicious attachments or links that appear legitimate.
  2. Classify and organize sensitive information to minimize exposure; never email or post it on public websites or email them. If you don’t need it, delete it!
  3. Back up critical data in scheduled intervals and store it on a safe, secure backup site.
  4. Learn how to securely delete unneeded data that contains confidential information, emptying the trash is not enough.
  5. Before disposing of storage devices containing sensitive information use a special programs to securely delete data also consider physically destroying the hard drive/flash drive.

ncryption securely encodes data, scrambling it to make it resistant to hacks

  1. Learn to use encryption tools (e.g. Microsoft Bitlocker, 7-Zip, Macintosh FileVault, OS X Disk Utility, VeraCrypt, TrueCrypt) to protect information stored on your devices.
  2. Use layered file, folder and/or full disk encryption to protect confidential data.
  3. Before transmitting confidential information always ensure data encryption protocols are in effect and secure (e.g. HTTPS:// for websites and SSL/ TLS for file transfer).

 

INFORMATION SECURITY RESOURCES

SANS Ouch! Information Security Newsletters:
This free monthly security awareness newsletter is written by information security experts for a wide audience. Subscribe today!  (https://www.ccny.cuny.edu/it/security_sans_newsletters)

CUNY Security Awareness Program. This interactive program provides an overview of information security threats with best practices developed to keep you cyber-safe and secure. It takes approximately 30 minutes. (https://security.cuny.edu)

McAfee Anti Malware Software Download. The CUNY-licensed malware protection is available free to CUNY students, faculty, and staff for installation on personally owned devices. Download it from the CUNY Portal eMall. (See back page for download instructions.)

CCNY Password Reset Reset your password for applications maintained by OIT, including CityMail student email, CityCentral student portal, CCNY Wifi network, library databases, and Tech Center resources. If you ever suspect your CCNY account has been compromised, use this utility to immediately reset your password!  (https://reset.ccny.cuny.edu/student)

HOW DO I GUARD MYSELF FROM IDENTITY THEFT?

Identity theft is the fraudulent acquisition and use of a person's private identifying information, usually for financial gain; victims can suffer adverse financial and criminal consequences. These resources advise on understanding, avoiding, detecting, and reporting identity theft:

FTC Consumer Protection Information (https://www.consumer.ftc.gov/topics/privacy-identity-online-security)

FTC Identify Theft (https://identitytheft.gov/)

To proactively prevent identity fraud (credit card, mobile phone accounts) request free annual credit reports from the following three credit reporting agencies. For a nominal fee you can also establish a “security freeze” for each of your family members. If you suspect identity theft, use these same agencies to request a free “fraud alert” or “extended fraud alert.”

Equifax (http://www.equifax.com/CreditReportAssistance/) 1-888-766-0008

Experian (https://www.experian.com/fraud/center.html) 1-888-397-3742

TransUnion  (http://www.transunion.com/fraud-victim-resource/place-fraud-alert) 1-800-680-7289


GLOSSARY OF INFORMATION CYBER THREATS

Computer • An electronic device for storing and processing data, typically in binary form, according to instructions given to it in a program (e.g. laptop, desktop, mobile phone, game console, tablet, etc.).

Hacking • Using a computer to gain unauthorized control of a computer or access to data, often for fraudulent purposes.

Identity theft • The fraudulent acquisition and use of another person's private identifying information, usually for financial gain.

Keylogger • Software that records every keystroke typed, sending it to a covert, remote listening agent; a stealthy way to steal userids and passwords.

Malware • A general term used to describe malicious software designed to trick a computer user or infiltrate a computer, stealthily transmitted by many vectors, including email, websites, social media, USB drives, texts, wi-fi, advertising, browser plug-ins, and games.

Pharming • An attack intended to redirect a website's traffic to fraudulent site, often used to mimic legitimate and authoritative sites (e.g. banks, anti-virus software, invoices).

Phishing • Deceptive attempt to acquire sensitive information (i. e. usernames, passwords, and credit card details) by an agent masquerading as a trustworthy entity; threats include email, instant messaging, web sites, social media, and telephone calls.

Ransomware • Malicious software designed to encode a user’s documents using encryption and then demand a ransom to have those files restored. 

Rootkit • A stealthy type of malicious software designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer, using adaptive behavior to avoid detection and remediation.

Software vulnerability • A flaw in software programming exploitable by malware and hacking; meticulous software management (including patches, updates, removal) reduces risk.

Spam • The use of electronic messaging systems to send unsolicited bulk messages indiscriminately. Basically junk email.

Spyware/ Adware • Malware  or marketing software whose principal aim is to surreptitiously collect information by “spying” on the user.

Trojan • Disguised malware which appears to perform a benign or normal action but in fact performs a malicious action, such as transmitting a computer virus. Can appear to be a legitimate program or system resource.

Worm • Self-replicating malware that can move from computer to computer. Unlike a virus, it does not need to attach itself to an existing document or application.

Virus • Self-replicating malware that attaches itself to a digital document or application then spreads through copies of that document or application that are shared.

FREE McAFEE ANTI-MALWARE SOFTWARE DOWNLOAD

FREE McAfee Anti Malware Software • The CUNY-licensed malware protection is available free for CUNY students, faculty, and staff for installation on personally-owned devices.