PROTECTING YOUR INFORMATION AND YOUR FAMILY
As the internet and mobile devices proliferate, maintaining information security has become a vital part of all our lives. Of particular concern is protecting personally identifiable information (PII) that is considered confidential or sensitive against unauthorized access and fraud. This includes:
- Social Security numbers and birthdates
- Debit and credit card numbers
- User IDs with passwords
- Student records (e.g. GPAs, transcripts, grades, test results)
- Financial records (e.g. tax information, bills, insurance records, payroll information)
- Health records
- Driver's licenses or other government-issued identification
- Citizenship status
BEST PRACTICES TO E.L.U.D.E CYBERSECURITY THREATS
This guide highlights the importance of learning to protect your sensitive information and vulnerable technology from cyber threats in the workplace and the home using five cybersecurity principles to E.L.U.D.E. cyber threats:
- Environmental Awareness
- Logins, Passwords, & Authentication
- Updates & Upgrades (Hardware, Software, Security)
- Data & Information Management
- Encryption (Storage and Transmission)
Today a pandemic of cyber threats, augmented by the prowess of artificial intelligence, is constantly probing all our technology devices, social networks, and commercial services for vulnerabilities to exploit.
By vigilantly adopting all the following common sense cybersecurity best practices – in combination with the layers of cybersecurity measures provided by the college and university – together you can help us protect our community from exploitation and fraud.
Environmental Awareness of cyber threats, risks, and best practices is essential protection
- Stay vigilant when using online resources (commercial accounts, email, and social media): treat sensitive information like it will be there permanently, accessible to everyone.
- Disable online accounts and computer devices you no longer use.
- When possible, physically secure your computer with security cables/plates; always lock building/office doors and windows when your devices are unattended.
- Never leave mobile devices unattended; thieves can steal your hardware and identity.
- Regularly check your accounts, billing statements, and credit reports for suspicious activity.
Logins, Strong Passwords and Multifactor Authentication should always be enabled
- Use strong passwords that cannot be easily guessed or deciphered: at least eight characters including upper- and lower-case letters, numerals and symbols. Avoid using simple words: common names, dictionary words, birthdates, and anniversaries. Use Password Managers!
- Use a unique password with each account (with a password manager, if necessary).
- Never, ever share your password or your account when logged in!
- Passwords are compromised all the time, so change your password at least every 180 days.
- When available, configure your accounts to use two-factor authentication.
- Always require a password to log in to your computer, especially at computer start-up; use a screensaver to automatically password-lock your unattended devices.
- Use a generic user account for daily tasks (browsing, email, working); only use administrative accounts for installing new software, updates and system maintenance.
- Always log out of your computer workstations, applications, social media websites, even if you will only be away for moments.
Updates and Upgrades provide up-to-date protection against always evolving threats
- On all your devices, always check for and install critical updates and security patches before using software products, including operating systems, applications, browser plug-ins and add-ons; only use products that are currently maintained by their developer.
- Always use up-to-date malware protection and firewalls to protect against cyberthreats.
- Outdated programs contain security vulnerabilities; if you don't need it, delete it!
Data and Information Management organizes and isolates sensitive information to avoid risk
- Stay vigilant when opening unexpected or suspicious email messages or websites, which may contain malicious attachments or links that appear legitimate.
- Classify and organize sensitive information to minimize exposure; never email it or post it on public websites. If you don't need it, delete it!
- Back up critical data at scheduled intervals and store it in a safe, secure backup site.
- Learn how to securely delete unneeded data that contains confidential information; emptying the trash is not enough.
- Before disposing of storage devices containing sensitive information, use specialized software procedures to securely delete data; also consider physically destroying the hard drive/flash drive.
Encryption securely encodes data, scrambling it to make it resistant to hacks
- Learn to use encryption tools (e.g. Microsoft BitLocker, 7-Zip, Macintosh FileVault, OS X Disk Utility, VeraCrypt) to protect information stored on your devices.
- Use layered file, folder, partition, and full disk encryption to protect confidential data.
- Before transmitting confidential information, always ensure data encryption protocols are in effect and secure (e.g. HTTPS:// for websites and SSL/TLS for file transfer).
INFORMATION SECURITY RESOURCES
CUNY Cybersecurity Awareness Training
This recently updated interactive online program provides an overview of information security threats with best practices developed to teach you how to stay cyber-safe and secure. It takes approximately 45 minutes. Given the increasing potency of internet security threats, it is a wise investment of time.
Log in to Blackboard > Organization > City College Cyber Security Course
CCNY Password Reset
Reset your password for applications maintained by OIT, including CityMail student email, Outlook faculty and staff email, City Central Student Portal, CCNY Wifi network, library databases, iMedia and Tech Center reservations, Tech Center desktop computer login, and many others. If you ever suspect your CCNY account has been compromised, use this utility to immediately reset your password!
https://reset.ccny.cuny.edu
Secure File Transfer
A secure email portal that allows users with CCNY credentials to securely transfer confidential and sensitive information and large data files by uploading the files to a secure server. A secure alternative to attaching files to regular email.
https://securetransfer.ccny.cuny.edu
CCNY FERPA Tutorial
This tutorial is intended to familiarize CUNY faculty and staff with Family Educational Rights and Privacy Act (FERPA) federal privacy laws that protect student educational rights. To stay sharp on what is and is not permissible about using and maintaining student records, faculty and staff are encouraged to take it annually. It takes about 12 minutes. Requires CCNY login credentials.
https://apps.ccny.cuny.edu/user/login
SANS Ouch! Newsletters and Podcasts
These free security awareness resources are produced by IT security professionals for a wide audience without presuming technical knowledge. Produced monthly, each edition is edited by a renowned information security expert and focuses on a single security topic, explaining actionable cybersecurity measures.
https://www.sans.org/security-resources
Center for Internet Security Benchmarks
This comprehensive collection of security configuration recommendations, metrics, and tools is an excellent resource for customizing IT device settings to strengthen security without compromising normal usage. Regularly updated for many platforms, including Macintosh, Windows (desktop and server), Linux and UNIX, routers, firewalls, switches, web servers and mobile devices! CUNY is a member of the Center for Internet Security, so use your CCNY email address to gain free access to this incredible repository.
https://www.cisecurity.org/cis-benchmarks
Install and Update Anti-Malware Software
A good way to defend against cyber threats is to install trusted anti-malware software. CUNY requires Cortex XDR for all college-issued devices. For personal use: use the internet to find and research trustworthy anti-malware products, and re-evaluate your choice annually.
Multi-Factor Authentication (MFA)
CCNY Email MFA Instructions
CUNY Applications MFA Instructions
WHAT TO DO IF SECURITY PROBLEMS OCCUR?
If any sensitive non-public data has been compromised because of theft or loss of a computer, laptop, or portable device, a breach of network security, or any other means, try your best to minimize the damage and:
- Change your password immediately: https://reset.ccny.cuny.edu
- Report it immediately to ITSecurity@ccny.cuny.edu or (212) 650-6565.
When using e-mail or other web services, you may encounter spam, phishing scams, obscene material, aggressive behavior or theft of your account or identity. If so, contact the CCNY IT Security Office:
- Report it immediately to ITSecurity@ccny.cuny.edu or (212) 650-6565.
HOW DO I GUARD MYSELF FROM IDENTITY THEFT?
Identity theft is the fraudulent acquisition and use of a person's private identifying information, usually for financial gain; victims can suffer adverse financial and criminal consequences. These resources provide information on understanding, avoiding, detecting, and reporting identity theft:
FTC Consumer Protection Information
https://www.consumer.ftc.gov/topics/privacy-identity-online-security
FTC Identity Theft
https://identitytheft.gov
To proactively prevent identity fraud (credit card, mobile phone accounts) request free annual credit reports from the following three credit reporting agencies. For a nominal fee you can also establish a "security freeze" for each of your family members. If you suspect identity theft, use these same agencies to request a free "fraud alert" or "extended fraud alert."
- Equifax: http://www.equifax.com/CreditReportAssistance / 1-888-766-0008
- Experian: https://www.experian.com/fraud/center.html / 1-888-397-3742
- TransUnion: http://www.transunion.com/fraud-victim-resource/place-fraud-alert / 1-800-680-7289
GLOSSARY OF INFORMATION CYBER THREATS
Computer • device for storing and processing data according to instructions given to it in a program (e.g. laptop, desktop, mobile phone, game console, tablet, etc.).
Artificial intelligence (AI) • machine simulations of human intelligence that are programmed to think and act like humans, which can leverage all the following threats.
Bot • an automated software application that performs repetitive tasks over a network; many are designed with malicious intent.
Deep fake • using artificial intelligence to create fake but convincing audio or video of celebrities, political figures, and familiar people.
Hacking • using a computer to gain unauthorized control of a computer or access to data, often for fraudulent purposes.
Identity theft • the fraudulent acquisition and use of another person's private identifying information, usually for financial gain.
Keylogger • software that records every keystroke typed, sending it to a covert, remote listening agent; a stealthy way to steal user IDs and passwords.
Malware • a general term used to describe malicious software designed to trick a computer user or infiltrate a computer, stealthily transmitted by many vectors, including email, websites, social media, USB drives, texts, Wi-Fi, advertising, browser plug-ins, and games.
Metadata • information collected from digital files and exchanged between computer systems that tracks user details, habits, and behavior and can be used to compromise privacy.
Pharming • an attack intended to redirect a website's traffic to a fraudulent site, often used to mimic legitimate and authoritative sites (e.g. banks, anti-virus software, invoices).
Phishing • deceptive attempt to acquire sensitive information (e.g. usernames, passwords, and credit card details) by someone masquerading as a trustworthy entity; threats include email, instant messaging, web sites, social media, and telephone calls.
Ransomware • malicious software designed to encode a user's documents using encryption and then demand a ransom to have those files restored.
Rootkit • a stealthy type of malicious software designed to hide the existence of certain processes or programs from normal methods of detection and to enable continued privileged access to a computer; it uses adaptive behavior to avoid detection and remediation.
Software vulnerability • a flaw in software programming exploitable by malware and hacking; meticulous software management (including patches, updates, removal) reduces risk.
Spyware/Adware • malware or marketing software whose principal aim is to surreptitiously collect information by "spying" on the user.
Trojan • disguised malware that appears to perform a benign or normal action but in fact performs a malicious action, such as transmitting a computer virus.
Worm • self-replicating malware that can move from computer to computer. Unlike a virus, it does not need to attach itself to an existing document or application.
Virus • self-replicating malware that attaches itself to a digital document or application then spreads through copies of that document or application that are shared.
Vishing scam • voice phishing uses a phone call to trick a victim into giving money or revealing personal information. The caller may pretend to represent a family member, legitimate company, government agency, or other trusted institution.
Last Updated: 09/11/2025 15:17