Skip to content

Category: best practices

Published on

Securing Home Networks – Overview and Supporting Materials

GW IT Risk and Assurance provides various information and resources through workshops and webinars as well as posts to our blog site.  The team has compiled an overview of home network configuration focus areas and recommended changes.  This summary aligns to the Cybersecurity@Home Cyber Talk presentation.  Additional information is available on our in-depth Cybersecurity@Home page

Increasing Scope and Complexity of Home Networks

Image depicting expansion of home networks from computer devices to internet of things devices
Increased Scope of Home Network Vulnerabilities

Internet Connectivity Creates Potential Global Access to Home Networks through Gateways or Routers

  • Home network front door to the globe
  • Threat – devices are targeted directly; potentially providing attackers access to in-home devices, data, network activity

Wireless Services Expose Home Network Outdoors

  • Most home networks have WiFi services enabled
  • Threat – attackers and even pranksters can attack your network wirelessly from near your home

Securing Gateways / Routers

https://www.tomsguide.com/us/home-router-security,news-19245.html
Tom's Guide - Router Security
  • Change administrative credentials from default username and password
  • Set strong connection password (different from admin)
    • Enable WPA2  encryption or ideally WPA3 standard, if available, avoid WEP.
  • Change network name, or SSID, default names provide attackers information
    • Don’t use identifying information (names, street or apartment numbers)
  • Investigate / Set Parental Controls – applied to all or select devices
  • Configure Guest Network
    • Separate guest access from primary home network; could be used for some smart-home or IoT devices
  • Use 5GHz band  Wi-Fi not 2.4GHz band (all devices must support 5GHz)
    • 5GHz band signal travels less distance than the 2.4GHz band
  • Disable Wi-Fi Protected Setup, if possible
    • this capability can expedite initial setup, disable when not connecting devices.
  • Disable remote administration of firewall and router devices if not required.

Internet of Things (IoT) Safeguards for Home Network Security

Excerpted - 20 Expert-Approved Tips for In-Home IoT Security Forbes online 2024

Selecting IoT Solutions

  • Research Known Vulnerabilities – Google Before Purchasing
  • Learn Device [Security] Capabilities During [Before Purchase and] Setup
  • Buy Encrypted, Secure Versions Of Devices
  • Review Security Standards Prior To Purchase
  • Question Overly Complex or Intrusive Devices

Securing IoT Solutions

  • Change Default Passwords and Enable Multifactor Authentication
  • Establish Separate Passwords and Networks
  • Review And Limit Data and Service Access
  • Disable Features You Don’t Use – Does everything need connectivity?

Maintaining Secure IoT Solutions

  • Monitor Network Traffic
  • Ensure Awareness Of All Home Connected Devices
  • Update Firmware Regularly
  • Use a personal VPN on connected computers – consider a VPN for Home Network

Securing Home Networks – Parental Controls

There have been parental controls for television content for many years.  Similar in context to television parental controls, both devices and your home network have settings for parental controls.  This post addresses resources available from service providers and vendors.

DMV Internet Service Providers (ISPs) – Parental Control Resources

Internet Service Providers (ISPs) are core to internet connectivity and network security at home.  The following information focuses on Parental Control solutions available from the primary internet service providers in the DC, Maryland, and Virginia area.  The following resources are specific to implementing Parental Controls on ISP provided gateways (also known as routers).   

Note – some ISPs provide additional software to subscribers. For example, Cox provides a Cox Security Suite that offers additional controls.  ISPs may also provide device security software such as antivirus or antimalware.

More information available on the CyberSecurity@Home page and through our Webinar offerings.

unofficial GW hippo mascot holding a lockThis content is presented by the GW IT Cybersecurity Risk and Assurance team. #SecuringGW is a shared responsibility, if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse[@]gwu.edu.

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp[@]gwu.edu, or visit ithelp.gwu.edu

 

 

Published on

For GW Data Privacy Month a series of webinars, focused on privacy and information security best practices are being collaboratively presented by GW Information Security, GW Data Governance and the GW Privacy Office.  These sessions support the university’s commitment to protecting the privacy and security of institutional data and our community members personal information.

Additional Information available on the Risk and Assurance Blog Events Calendar.

Direct Actions to Secure Our Data

Account compromises impact individuals, families, organizations, and employers.  Your actions will assist in securing our data.  The following tips from the National Cybersecurity Alliance can assist you in keeping your personal information and GW data safe. 

The Core 4

As with most things in life, an ounce of cybersecurity prevention is worth a pound of cure. Follow our "Core 4" to show hackers you mean business.

1. Passwords / Password Managers

Use long, complex, and unique passwords. Every password should be at least 12 characters long and include letters, numbers, and symbols (like % or $). Ideally, your passwords should be random strings of characters, not recognizable words. Very importantly, each account should be protected by its own unique password. To create and store all these passwords, use a password manager!

2. Multi Factor Authentication

Switch on multi-factor authentication. Multi-factor authentication (MFA), sometimes called 2-factor authentication, adds a whole other level of security beyond your password. MFA will use biometrics, security keys, text messages, or an app to make sure you are you, even if a hacker gets access to your password. Enable MFA for any account that allows it!

3. Recognize and Report Phishing

Think before you click. Learn how to identity phishing messages, which will often try to inspire panic or urgency. Take a few seconds to read through the message and who sent it. With a little knowledge, you can spot most phishing attempts within moments.

4. Automatic Updates

Turn on automatic updates. The best way to get the latest, strongest security is to install software updates as soon as they are available - and the best way to know when they are available is to turn on automatic updates! Set it, forget it, and you won't regret it!

Source: National Cybersecurity Alliance https://staysafeonline.org/online-safety-privacy-basics/hacked-accounts

unofficial GW hippo mascot holding a lockThis post is presented by the GW IT Cybersecurity Risk and Assurance team.

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse[@]gwu.edu. 

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp[@]gwu.edu, or visit ithelp.gwu.edu

 

Published on

Holiday Shopping Image

13 Tips for Online Safe Shopping

Adapted from content written by Kim Porter for NortonLifeLock Online shopping is easy to love. What’s more fun than finding what you need and—after a few clicks and a short wait—having it show up at your door Except when it doesn’t. It’s safe to say fake companies and identity thieves can turn the joy of buying into a hassle. What to do? Don’t click that buy button until you check out these tips to help you do safe online shopping.

  1. Shop where you trust
  2. Be Savvy about public Wi-Fi
  3. Use a VPN
  4. Use a strong passwords
  5. Check out the webpage security
  6. When in doubt, throw it out.
  7. Don’t give out more information than you need to
  8. Pay with a credit card
  9. Try a virtual credit card
  10. Check your statements regularly
  11. Mind the details
  12. Take action if you don’t get your stuff
  13. Report the company

Details on each tip provided below.

...continue reading "Holiday Season, Not Identity Theft Season"

Published on

If you think your social media or email account has been hacked, wrestle it away from the bad guys by acting fast.

Hackers use a bunch of different tactics to try to compromise people’s email, banking, social media, device, and other online accounts. Sometimes they do this to spam your friends with coupons, but other times they want to steal your money or identity. By alerting authorities and following a few steps, you can often retake control of your hacked account.

However, fast action is crucial. If you suspect that your digital account has been hacked, do something about it as soon as you can. Here’s what you need to know right now!

How does an account get hacked?

Security breaches happen in many ways – sometimes you might click on a bad link, or the company in charge of the account could be attacked. This is why cybersecurity is so important to us all, and why we at the National Cybersecurity Alliance are so hyped up about it!

Commonly, an account is hacked through phishing. This is when cybercriminals use misleading emails, social media posts, phone calls, texts, or DMs that lure you to click on a bad link or download a malicious attachment. If you take the bait, the hackers can get access to your device or account.

Another common way your account could be hacked is if there is a data breach that reveals your username and password. The company controlling the account in question could be hacked, for example. If you reuse passwords, if any platform you use is compromised then cybercriminals might know your password for many accounts. This is why you should have a unique password for each account and change your password ASAP if you find out a platform you use has had a breach.

Signs your account has been hacked

Does something seem off about one or more of your online accounts? Know the common symptoms of a hacked account.

  1. Unusual Social Media Activity: Your social media profile publishes posts that you didn’t create. Ditto for direct messages – hackers might use your account to send phishing DMs or posts to your followers. Often these posts encourage your friends to click on a link, download an app, or buy something through an online store.  
  2. Unexpected Messages to Friends: Friends and followers tell you that they received emails from your email address that you never sent, or DMs through social media that you never authored.   
  3. Unauthorized Login Notification: A company tells you that your information was lost via a data breach. In many places around the world, companies are required by law to tell you if they lost your data in a breach or cyber attack.  

What are 4 things to do when your account is hacked?

If you think an account is hacked, snap into action, and take a few quick steps to staunch the damage. You have the power to give cybercriminals the boot!

  1. Change Your Password: This will likely lock out the hacker. Unfortunately, it can also work the other way around: the hacker might change the password and lock you out. In this case, try using the “forgot my password” function to reset it. If that doesn’t work, contact the platform ASAP. If you used the same password for other accounts, you should change all of them, and start using unique passwords for every account. Use a password manager to generate and store all your passwords.  
  2. Notify your contacts: That your account was hacked. Let them know they may receive spam messages that look like you sent them. Tell your contacts they shouldn’t open these messages or click on any links contained in them. When the situation is cleared up, let everyone know that your accounts are secure again.   
  3. Update Your Security Software: Make sure your security software is up to date. Scan your system for malware, especially if you suspect your computer might be infected with a virus. Antivirus software will scan your device to check for any security issues. 
  4. Seek Assistance: Contact people who can help you. If you suspect someone has stolen money, this might mean calling the police and your bank. If a work account was breached, let your IT department know. If a social media or email account was hacked, alert the platform, and seek their help. If you think someone has stolen your identity, it is worth contacting the FTC. Let trusted friends and family know what you are going through so they can on the lookout for weird messages or posts from your account.  

Resources

Here’s where to turn if you have an account with one of these popular websites and you think its been hacked: 

Source: National Cybersecurity Alliance https://staysafeonline.org/online-safety-privacy-basics/hacked-accounts

unofficial GW hippo mascot holding a lockThis post is presented by the GW IT Cybersecurity Risk and Assurance team.

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse[@]gwu.edu. 

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp[@]gwu.edu, or visit ithelp.gwu.edu

 

Published on

The following Infographic highlights 6 Phishing Red Flags. These tips will assist you in identifying malicious messages.

GW Information Technology Logo 6 Phishing Red Flags 1 - URGENT OR THREATENING LANGUAGE Phishing attempts often create a sense of urgency or use threatening language to prompt immediate action. Phases like

This post is presented by the GW IT Cybersecurity Risk and Assurance team.

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse[@]gwu.edu.

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp@gwu.edu, or visit ithelp.gwu.edu

Published on

Between all of your online accounts, whether personal or work accounts, you probably have many unique — and complex — passwords to manage.  And since you know better than to write them down in a notebook, have them on sticky notes hidden under your mouse pad, or stored digitally on your desktop, what are you supposed to do? 

Passwords are one of the most vulnerable cyber defenses used to protect our online accounts, as passwords are the only barrier between online accounts and cybercriminals who have a desire to access to our data and systems. Utilizing a password manager is a security best practice that cyber professionals are recommending for us.  

Along with other security tips, password managers minimize the risk of mis-managing our passwords. The question that arises here, are password managers secure, and what is our responsibility here to manage the password manager? 

What is a Password Manager?

A password manager is software that allows users to generate passwords, store, and manage account information including usernames and passwords all in one location. Password managers offer other features such as complex password suggestions, identifying weak or repeated passwords used, and alerting its users when their credentials appear compromises. When you use a password manager, you will set a password that is often referred to as the “master” password.  This will be the only password you will need to remember.

Password managers are available in different formats: 

  • An online service hosted by a third party and accessed through a website portal. This type is useful if you need access to the password manager from multiple devices. 
  • Software installed locally on a workstation that can operate either completely offline or connected to the internet to synchronize your information to a cloud database and get software updates.  

Are Password Managers Secure? 

Password managers can offer a high level of security level for account credentials and information, if best practices are used to secure their master password.  Whether you use, or planning to get, an online, or an offline password manager, you need to follow the following practices: 

  • Do your research and get a trusted password manager software that has a high reputation in the industry. 
  • Use a strong master password for your password manager account and never forget it. Some password manager vendors would never retrieve your account if you can’t remember your master password. 
  • Enable two-factor-authentication (2FA) to your password manager account for an extra layer of security.  
  • Keep your password manager software, web browsers, and all other software you use up-to-date. 
  • Audit the list of devices that are approved to access your password manager. 
  • For work-related accounts, always use password managers that are approved by your organization. Follow your organization’s policies, standards and procedures when processing, storing or sharing work-related data. 

Remember, if password managers are managed appropriately, they will offer you the level of security you are looking for to your online accounts’ passwords. 

This post is presented by the GW IT Cybersecurity Risk and Assurance team with information from CISA.

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse@gwu.edu

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp@gwu.edu, or visit ithelp.gwu.edu

Published on

Longer passwords make brute force attacks more difficult. Brute force attacks involve malicious actors using powerful computers to guess your password. As you can see in the following chart provided by researchers at Hive Systems, the best protection against Brute Force attacks are complex passwords containing at least 13 upper and lower case letters.

It is estimated that passwords of this moderate complexity will take 241 million years to crack.

Adding numbers to the moderate complexity password containing 13 upper and lower case letters increases the password resilience against compromise to 2 billion years.

An even more secure password that adds symbols, would increase the 13 character password resilience to 11 billion years.

For extreme protection, particularly to guard against improvements in processing power of computers, an 18 character password containing numbers, upper and lower case letters, and symbols would take an estimated 19 quintillion years to compromise.

It is important to note that password complexity protects against automated guessing. A 13 character password that contains mixed case words may be difficult for a computer to compromise. However, access to personal information may enable a person to guess a password much more easily than a computer. Consider the implications of family names, birthdates, and occasions being shared on social media and how this information provides some contextual information that could assist someone in their password guessing attempts.

Source: Hive Systems https://www.hivesystems.io/password

This post is presented by the GW IT Cybersecurity Risk and Assurance team.

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse@gwu.edu

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp@gwu.edu, or visit ithelp.gwu.edu

Published on

GW Cyber Risk - One Minute Read

The FTC provides information concerning fake text messages you might receive. We have included excerpts of the content below as well as a link to the full article. The article describes the problem, provides examples, as well as offers tips on actions you can take if you receive fraudulent texts. Our bottom-line advice, validate text messages prior to taking actions they request using one or more of the following:

  • Pause and think before replying or following links. Even 'urgent' shipping notices can wait a few minutes.
  • Check you order history on merchants' websites. You have alternative means to check on order shipping status.
  • Review order confirmations and shipping updates in email messages to cross reference order messages.
  • Contact the sender, whether it is your boss or someone else, through a trusted method to verify they were the author and confirm details.

How to Recognize and Report Spam Text Messages - FTC Article

Excerpted from: https://consumer.ftc.gov/articles/how-recognize-and-report-spam-text-messages#what_to_do

If you have a cell phone, you probably use it dozens of times a day to text people you know. But have you ever gotten a text message from an unknown sender? It could be a scammer trying to steal your personal and financial information. Here’s how to handle and report unwanted text messages.

fraudulent SMS text example

Spam Text Messages and Phishing

Scammers send fake text messages to trick you into giving them your personal information — things like your password, account number, or Social Security number. If they get that information, they could gain access to your email, bank, or other accounts. Or they could sell your information to other scammers.

Scammers often try to get you to click on links in text messages by promising you something. Scammers might

  • promise free prizesgift cards, or coupons — but they’re not real
  • offer you a low or no interest credit card — but there’s no deal and probably no card
  • promise to help you pay off your student loans — but they won’t

Scammers also send fake messages that say they have information about your account or a transaction. Scammers might

  • say they’ve noticed some suspicious activity on your account — but they haven’t
  • claim there’s a problem with your payment information — but there isn’t
  • send you a fake invoice and tell you to contact them if you didn’t authorize the purchase — but it’s a scam
  • send you a package delivery notification— but it’s fake

The messages might ask you to give some personal information — like how much money you make, how much you owe, or your bank account, credit card, or Social Security number — to claim your gift or pursue the offer. Or they might tell you to click on a link to learn more about the issue. Some links might take you to a spoofed website that looks real but isn’t. If you log in, the scammers then might steal your username and password.

For more information and the full article please visit the FTC website https://consumer.ftc.gov/articles/how-recognize-and-report-spam-text-messages.

This post is presented by the GW IT Cybersecurity Risk and Assurance team.

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse[@]gwu.edu. 

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp@gwu.edu, or visit ithelp.gwu.edu

Published on

The following Infographic provided by Cybersecurity & Infrastructure Security Agency (CISA) contains ways for everyone to stay safe online. A download link for the infographic is provided below.

4 ways to stay safe online: Recognize & report phishing Delete phishing messages Use Strong Passwords Turn on Multifactor Authentication (MFA)
CISA Infographic - Tips to stay safe

Secure-Our-World-4-Easy-Ways-Stay-Safe-Online-Tip-Sheet-page-1Download

This post is presented by the GW IT Cybersecurity Risk and Assurance team.

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse@gwu.edu

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp@gwu.edu, or visit ithelp.gwu.edu

Published on

Cybersecurity is a shared responsibility for everyone. You can help #secureoutworld through direct action. Account compromises impacts individuals, families, organizations, and employers. The following tips can assist you in keeping your information and GW data safe.

The Core 4

As with most things in life, an ounce of cybersecurity prevention is worth a pound of cure. Follow our "Core 4" to show hackers you mean business.

1. Passwords / Password Managers

Use long, complex, and unique passwords. Every password should be at least 12 characters long and include letters, numbers, and symbols (like % or $). Ideally, your passwords should be random strings of characters, not recognizable words. Very importantly, each account should be protected by its own unique password. To create and store all these passwords, use a password manager!

2. Multi Factor Authentication

Switch on multi-factor authentication. Multi-factor authentication (MFA), sometimes called 2-factor authentication, adds a whole other level of security beyond your password. MFA will use biometrics, security keys, text messages, or an app to make sure you are you, even if a hacker gets access to your password. Enable MFA for any account that allows it!

3. Recognize and Report Phishing

Think before you click. Learn how to identity phishing messages, which will often try to inspire panic or urgency. Take a few seconds to read through the message and who sent it. With a little knowledge, you can spot most phishing attempts within moments.

4. Automatic Updates

Turn on automatic updates. The best way to get the latest, strongest security is to install software updates as soon as they are available - and the best way to know when they are available is to turn on automatic updates! Set it, forget it, and you won't regret it!

Checkout the Events Calendar for details on webinars related to the Core 4 and other cybersecurity topics.

Source: National Cybersecurity Alliance https://staysafeonline.org/online-safety-privacy-basics/hacked-accounts

This blogpost is offered to you by the GW Information Security and Risk Services team. 

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse[@]gwu.edu. 

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp[@]gwu.edu, or visit ithelp.gwu.edu

Viewing Message: 1 of 1.
 Notice

This site uses cookies to offer you a better browsing experience. Visit GW’s Website Privacy Notice to learn more about how GW uses cookies.