
GW IT Risk and Assurance provides information and resources through workshops and webinars as well as posts to our blog site.  The team is highlighting travel considerations in this post as everyone begins travel planning.

Travelers rely on technology to enhance vacation and travel experiences including finding entertainment, lodging and dining, sharing photos online, and the many other benefits of being connected. As you embark upon your next adventure, increase your safety by following simple practices to keep your vacation plans free from cybercriminal meddling.   To assist in your efforts, the team has prepared the following resources:

A Cyber Talk - Traveling Securely will present tips on ensuring your devices and data are as secure as possible while traveling. Register for the Zoom session scheduled for March 6 at 11:00 AM.

The team has also compiled a Cyber Secure Traveling Resource Page noting security risks and mitigation recommendations to consider prior to and while traveling.


This content is presented by the GW IT Cybersecurity Risk and Assurance team. #SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse[@]gwu.edu.


IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp[@]gwu.edu, or visit ithelp.gwu.edu

GW IT Risk and Assurance provides information and resources through workshops and webinars as well as posts to our blog site. The team is highlighting newly added blog site resources. Note that some of the content referenced is hosted on GW Box and is only accessible to those with GW Box access. We hope to add more content sharing options for the wider community soon.

Please visit our resources page for more information about the content being shared on GW Box.

Quickstart Uploaded - Finding CyberSecurity Awareness Content in Talent@GW

...continue reading "Cybersecurity Training and Awareness Resources"

Compromise Prevention Tips

Prevention tips from the FBI Internet Crime Complaint Center (IC3) Public Service Announcement "Business Email Compromise (BEC): The $55 Billion Scam":

  • Use secondary channels and/or two-factor authentication to verify requests for changes in account information.
  • Use unique passwords/passphrases. Make sure to use a unique password for every online service you use and try to change your passwords/passphrases periodically.
  • Ensure the URL in emails is associated with the business/individual it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or personally identifiable information (PII) of any sort via email. Be aware that many emails requesting your PII may appear to be legitimate.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender's address appears to match who it is coming from.
  • Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.


Information Sharing Through GW Box

GW IT Risk and Assurance provides information and resources through workshops and webinars as well as posts to our blog site.  Below the team highlights resources added to our newly created GW Box awareness repository.  Unfortunately, content hosted on GW Box is only accessible by those with GW Box access.  We hope to add more content sharing options for the wider community soon.

The following items were posted this week:

Cybersecurity Awareness - Quick Guides, Presentations, Documents and Resources (Shared Folder - Requires GW Box Account) 

    • Every effort is made to share content in line with the copyright holders' intended use of the content as handouts and guides for distribution. Please let us know if we have something incorrectly posted by emailing infosec@gwu.edu.

Look for update announcements for these other focus areas coming soon!



For GW Data Privacy Month, a series of webinars focused on privacy and information security best practices is being collaboratively presented by GW Information Security, GW Data Governance and the GW Privacy Office. These sessions support the university's commitment to protecting the privacy and security of institutional data and our community members' personal information.

Additional information is available on the Risk and Assurance Blog Events Calendar.


Direct Actions to Secure Our Data

Account compromises impact individuals, families, organizations, and employers.  Your actions will assist in securing our data.  The following tips from the National Cybersecurity Alliance can assist you in keeping your personal information and GW data safe. 

The Core 4

As with most things in life, an ounce of cybersecurity prevention is worth a pound of cure. Follow our "Core 4" to show hackers you mean business.

1. Passwords / Password Managers

Use long, complex, and unique passwords. Every password should be at least 12 characters long and include letters, numbers, and symbols (like % or $). Ideally, your passwords should be random strings of characters, not recognizable words. Very importantly, each account should be protected by its own unique password. To create and store all these passwords, use a password manager!

2. Multi-Factor Authentication

Switch on multi-factor authentication. Multi-factor authentication (MFA), sometimes called 2-factor authentication, adds a whole other level of security beyond your password. MFA will use biometrics, security keys, text messages, or an app to make sure you are you, even if a hacker gets access to your password. Enable MFA for any account that allows it!

3. Recognize and Report Phishing

Think before you click. Learn how to identify phishing messages, which will often try to inspire panic or urgency. Take a few seconds to read through the message and check who sent it. With a little knowledge, you can spot most phishing attempts within moments.

4. Automatic Updates

Turn on automatic updates. The best way to get the latest, strongest security is to install software updates as soon as they are available - and the best way to know when they are available is to turn on automatic updates! Set it, forget it, and you won't regret it!

Source: National Cybersecurity Alliance https://staysafeonline.org/online-safety-privacy-basics/hacked-accounts



13 Tips for Online Safe Shopping

Adapted from content written by Kim Porter for NortonLifeLock.

Online shopping is easy to love. What’s more fun than finding what you need and—after a few clicks and a short wait—having it show up at your door? Except when it doesn’t. It’s safe to say fake companies and identity thieves can turn the joy of buying into a hassle. What to do? Don’t click that buy button until you check out these tips to help you shop online safely.

  1. Shop where you trust
  2. Be savvy about public Wi-Fi
  3. Use a VPN
  4. Use strong passwords
  5. Check out the webpage security
  6. When in doubt, throw it out
  7. Don’t give out more information than you need to
  8. Pay with a credit card
  9. Try a virtual credit card
  10. Check your statements regularly
  11. Mind the details
  12. Take action if you don’t get your stuff
  13. Report the company

Details on each tip provided below.

...continue reading "Holiday Season, Not Identity Theft Season"

If you think your social media or email account has been hacked, wrestle it away from the bad guys by acting fast.

Hackers use a bunch of different tactics to try to compromise people’s email, banking, social media, device, and other online accounts. Sometimes they do this to spam your friends with coupons, but other times they want to steal your money or identity. By alerting authorities and following a few steps, you can often retake control of your hacked account.

However, fast action is crucial. If you suspect that your digital account has been hacked, do something about it as soon as you can. Here’s what you need to know right now!

How does an account get hacked?

Security breaches happen in many ways – sometimes you might click on a bad link, or the company in charge of the account could be attacked. This is why cybersecurity is so important to us all, and why we at the National Cybersecurity Alliance are so hyped up about it!

Commonly, an account is hacked through phishing. This is when cybercriminals use misleading emails, social media posts, phone calls, texts, or DMs that lure you to click on a bad link or download a malicious attachment. If you take the bait, the hackers can get access to your device or account.

Another common way your account could be hacked is through a data breach that reveals your username and password. The company controlling the account in question could be hacked, for example. If you reuse passwords and any platform you use is compromised, cybercriminals might then know your password for many accounts. This is why you should have a unique password for each account and change your password ASAP if you find out a platform you use has had a breach.

Signs your account has been hacked

Does something seem off about one or more of your online accounts? Know the common symptoms of a hacked account.

  1. Unusual Social Media Activity: Your social media profile publishes posts that you didn’t create. Ditto for direct messages – hackers might use your account to send phishing DMs or posts to your followers. Often these posts encourage your friends to click on a link, download an app, or buy something through an online store.  
  2. Unexpected Messages to Friends: Friends and followers tell you that they received emails from your email address that you never sent, or DMs through social media that you never authored.   
  3. Unauthorized Login Notification: A company tells you that your information was lost via a data breach. In many places around the world, companies are required by law to tell you if they lost your data in a breach or cyber attack.  

What are 4 things to do when your account is hacked?

If you think an account is hacked, snap into action, and take a few quick steps to staunch the damage. You have the power to give cybercriminals the boot!

  1. Change Your Password: This will likely lock out the hacker. Unfortunately, it can also work the other way around: the hacker might change the password and lock you out. In this case, try using the “forgot my password” function to reset it. If that doesn’t work, contact the platform ASAP. If you used the same password for other accounts, you should change all of them, and start using unique passwords for every account. Use a password manager to generate and store all your passwords.  
  2. Notify Your Contacts: Tell your contacts that your account was hacked. Let them know they may receive spam messages that look like you sent them. Tell your contacts they shouldn’t open these messages or click on any links contained in them. When the situation is cleared up, let everyone know that your accounts are secure again.
  3. Update Your Security Software: Make sure your security software is up to date. Scan your system for malware, especially if you suspect your computer might be infected with a virus. Antivirus software will scan your device to check for any security issues. 
  4. Seek Assistance: Contact people who can help you. If you suspect someone has stolen money, this might mean calling the police and your bank. If a work account was breached, let your IT department know. If a social media or email account was hacked, alert the platform and seek their help. If you think someone has stolen your identity, it is worth contacting the FTC. Let trusted friends and family know what you are going through so they can be on the lookout for weird messages or posts from your account.

Resources

Here’s where to turn if you have an account with one of these popular websites and you think it’s been hacked:

Source: National Cybersecurity Alliance https://staysafeonline.org/online-safety-privacy-basics/hacked-accounts



Social engineering - the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems, or data.

Cyber attackers manipulate victims (targets) into making poor choices that enable direct and indirect criminal activity.

Social engineering attacks are conducted using various methods. The general process involves an attacker sending messages or otherwise contacting potential victims. Once the attacker has established contact, either directly with a victim responding or indirectly when a victim clicks a link or downloads an attachment, they steal user information such as account credentials, personal information, and funds. In some cases the attacker installs malware on the victim's device to steal data as well as to use the device to launch attacks against others.

 

Phishing

Phishing is a very simple and useful tool in an attacker’s arsenal. Phishing can lead to the exposure of sensitive information such as usernames, passwords, PII (personally identifiable information), and credit card information. So what is phishing? It is a method used to obtain sensitive information from a victim that leverages social engineering and the communications technologies people use every day. There are various methods of phishing, with the most common being email, vishing (voice phishing), and smishing (text phishing). These methods can be blanket attempts that rely on quantity instead of quality (often called campaigns) or they can be very carefully crafted attacks with very specific targets (spear phishing and whaling). Luckily, identifying and defeating these attacks can be simple if you know what to look out for.

Social Engineering

Email Phishing

Email is the hacker’s go-to for most phishing attacks; people wouldn’t think twice about receiving an email. Often phishing emails will contain a malicious link, a malware attachment, or directly ask for sensitive information. In order to trick victims, these emails are crafted to appear to come from a big company, such as FedEx or Apple, or even from inside your own organization. Attackers use look-alike or spoofed sender addresses to convince the target the email is legitimate. This can lead to compromised systems and/or exposed personal information, which can lead to further exposure of friends, family, and the victim’s organization.

Defeating Email Phishing:

  • Is the company logo/banner/design slightly off?
  • Would this person/company normally be sending you an email?
  • Should they already have the information they are asking for?
  • Never open unsolicited attachments
  • Legitimate companies should never ask for sensitive information through email
  • Use other methods to confirm the communication

Vishing

Voice phishing is growing in popularity and, just like other types of phishing, vishing can be automated, making it a dangerous tool. Attack examples include an “FBI” automated message, an “IRS” tax refund/payment notification, or a call from your local home improvement company. When attackers get on the line with their target they present a well thought out and engaging backstory to hook their victims. Impersonation is used in most vishing calls; attackers will impersonate IT staff, management in your company, and HR to appear official.

Defeating Vishing:

  • Ask the caller to provide information only you and they would know to ensure the caller’s identity
  • Never give sensitive information over the phone
  • If the call is suspicious, contact someone close to the individual, or through other means
  • Offer to call the individual back at the number in your staff/corporate directory, or at the number listed on the legitimate website

Smishing

Smishing sends texts to the target's phone in the hope that they click a malicious link, download malware, or return sensitive information. Texts follow the same outlines as email phishing and can be identified similarly. Many victims fall for smishing because they are unaware of the tactic and more trusting of texts. Don’t trust a message more just because it’s a text message.

Defeating Smishing:

  • Never provide sensitive information over text message
  • Would this person/company normally be sending you a text or make direct requests?
  • Use alternative methods to confirm the communication is actually from the real person.
  • Avoid following random links
  • If you are unsure, reach out to your security team, or the communicating company
  • Do not call the number that texted you

Spear-phishing, Whaling & Campaigns

Most individuals come into contact with phishing campaigns. The goal of a campaign is to reach as many people as possible and hope for a hit. Spear phishing and whaling, by contrast, are techniques aimed at selected groups of individuals and executives. These are well planned, crafted, and executed, and shouldn’t be taken lightly. They aim to compromise victims with privileged access to systems, accounts, and resources. Victims typically don’t take the time to review these carefully crafted emails, which are highly specific to the target, and fall for the trap.

Defeating Spear-phishing and Whaling

  • Report suspicious emails looking for information to security
  • Verify communication with the contact through other methods
  • Attackers often impersonate colleagues, friends, and family
  • Always assume you’re a target
  • Opt for face to face meetings for confirmation of requests when possible (online or in person)

Pretexting

Pretexting is a more focused form of social engineering where attackers use detailed and convincing backstories to gain access to systems or information. This method often involves impersonating someone in a position of authority or a trusted entity to manipulate victims.

Defeating Pretexting:

  • Avoid forwarding requests to subordinates and others asking them to 'take care of this' as this may convey legitimacy to the fraudulent request.
  • Confirm any backstory by contacting the relevant person or office directly.
  • Be suspicious of anyone asking for credentials, financial information, or access to systems.
  • Verify the legitimacy of requests, whether they involve money transfers, accessing login portals, or providing sensitive information.
  • Would this person/company normally be sending you a text or making direct requests?
  • Use alternative methods to confirm the communication is actually from the real person.

For more information [external link to Crowdstrike.com content]



The following Infographic highlights 6 Phishing Red Flags. These tips will assist you in identifying malicious messages.

6 Phishing Red Flags
1 - URGENT OR THREATENING LANGUAGE
Phishing attempts often create a sense of urgency or use threatening
language to prompt immediate action.  Phrases like


Between all of your online accounts, whether personal or work accounts, you probably have many unique — and complex — passwords to manage.  And since you know better than to write them down in a notebook, have them on sticky notes hidden under your mouse pad, or stored digitally on your desktop, what are you supposed to do? 

Passwords are one of the most vulnerable cyber defenses used to protect our online accounts, as passwords are often the only barrier between online accounts and cybercriminals who want access to our data and systems. Using a password manager is a security best practice that cyber professionals recommend.

Along with other security tips, password managers minimize the risk of mismanaging our passwords. The questions that arise here are: are password managers secure, and what is our responsibility in managing the password manager?

What is a Password Manager?

A password manager is software that allows users to generate passwords and to store and manage account information, including usernames and passwords, all in one location. Password managers offer other features such as complex password suggestions, identifying weak or reused passwords, and alerting users when their credentials appear to have been compromised. When you use a password manager, you will set a password that is often referred to as the “master” password. This will be the only password you will need to remember.

Password managers are available in different formats: 

  • An online service hosted by a third party and accessed through a website portal. This type is useful if you need access to the password manager from multiple devices. 
  • Software installed locally on a workstation that can operate either completely offline or connected to the internet to synchronize your information to a cloud database and get software updates.  

Are Password Managers Secure? 

Password managers can offer a high level of security for account credentials and information, if best practices are used to secure the master password. Whether you use, or are planning to get, an online or an offline password manager, you need to follow these practices:

  • Do your research and get a trusted password manager software that has a high reputation in the industry. 
  • Use a strong master password for your password manager account and never forget it. Some password manager vendors cannot recover your account if you can’t remember your master password.
  • Enable two-factor authentication (2FA) on your password manager account for an extra layer of security.
  • Keep your password manager software, web browsers, and all other software you use up-to-date. 
  • Audit the list of devices that are approved to access your password manager. 
  • For work-related accounts, always use password managers that are approved by your organization. Follow your organization’s policies, standards and procedures when processing, storing or sharing work-related data. 

Remember, if password managers are managed appropriately, they will offer you the level of security you are looking for to protect your online accounts’ passwords.


This post is presented by the GW IT Cybersecurity Risk and Assurance team with information from CISA.
