Skip to content

National Cybersecurity Awareness Month (NCSAM) is a month that helps raise awareness and highlight the importance of cybersecurity. Cybersecurity and Information Security overlaps with almost everything we do and every technology we use. NCSAM was started in 2004 by the National Cyber Security Alliance (NCSA) and the Department of Homeland Security (DHS). The creation of NCSAM was to help Americans be secure online. The month raises awareness for security and emphasizes both companies and individuals on how to protect themselves.

Over the years, NCSA and the DHS have put on joint events around many states for NCSAM. In the past events with panels of information security professionals have been done as well as talks and presentations. They have even done some summits around the states and webinars for all to join. This year they have panels, and presentations all around the country, including Washington, D.C. These events have had growing popularity each year and have had some high ranking and nationally recognized officials make appearances at these events.

Each year there are different themes. The themes are meant to emphasize a particular change in behavior that would help everyone be safer online. This year's theme is "Secure Our World" and more importantly #BeCyberSmart. This year’s theme aims to promote the idea that security should be a continuous process in which people and organizations make proactive decisions about their digital lives. Key areas will include staying safe online, using multi-factor authentication and good passwords setup as well how to avoid common cyber threats such as phishing and ransomware

Here at GWU, we are involved with NCSAM by spreading awareness through the university and by hosting our own events. We have events like meet and greets with the Information Security team, Cybersecurity Jeopardy, webinars, and presentations throughout the month of October. If you want to attend any events or have a chance at winning some of our excellent prizes this year, check out the event calendar here https://it.gwu.edu/it-events.

Security is in your hands image

Human Error and Information Security Hygiene

95%  of all successful cyberattacks start with human error according to the IBM Cybersecurity Intelligence Index. That would make it pretty important to periodically evaluate and increase your own awareness of Information Security hygiene and awareness. 

Information security is one of the fastest-changing fields in the world. New technologies emerge every day that change the way people attack and defend systems and networks. While professionals in information security are required to be in a constant state of learning to keep up with the field as a whole, those without day to day dealings tend to be the primary targets and the least informed. Being aware and informed enables everyone to protect themselves. 

Awareness Companies

Security awareness training should be a high priority for any organization. To facilitate effective awareness training, a number of companies focus on providing awareness training as a professional service, often using computer based training. Companies such as Habitu8, SANS, KnowBe4, and Security Ninja focus on providing awareness training packages to organizations who want to inform and educate their employees.
These packages are frequently integrated into something called a learning management system (LMS). An LMS is something like Blackboard.

Other free resources are also essential to reach people both inside and outside the Information Security community, such as:

On the Web

While organized and mandatory awareness training can be effective, it isn’t the only way to reduce risk and stay up to date on cybersecurity. There are an abundance of websites, blogs, and other informational pages freely available to all. Cybersecurity is often in the news, and the following websites can help users stay up to date:

  • Have I Been Pwned (run by Troy Hunt) lets users check if their email has been associated with a data breach and stay informed on breaches happening worldwide.
  • Krebs on Security: Brian Krebs’ site offers in-depth coverage of ongoing security stories without overwhelming less technical readers.
  • Credit Karma and Equifax offer credit monitoring services that can track your exposure to identity fraud or credit data breaches.

Social Media in Security

As social media has gained popularity, more and more professionals are turning towards it to keep informed and spread their message. It may come as a surprise to some that there is a large information security community on twitter. The #infosec community on Twitter is one of the best places to keep up with the latest security news. Professionals and organizations share news, tips, and resources.
Key accounts to follow:

These accounts provide invaluable resources for staying aware of current security trends, free webinars, blogs, and more.

Information Security Photo Collage

People have a lot of pre-conceived notions about security teams and practices. While some misconceptions may be grounded in truth and others fairly outlandish, there is a lot going on behind the scenes that users may not see. From claims that we are all hackers wearing hoodies and doing nefarious deeds to the perception that we are here to get in your way, we will help you understand what is true, what is not, and why these perceptions might exist.

Myth #1: Security is just here to say no

Being at a university presents the unique challenge of providing the tools and technology necessary for students and faculty to research, learn, and achieve their goals. We must strike a difficult balance between the availability of those resources and the security of the university and our community. As security professionals, we do everything we can to enable safe and reliable access to the tools that the GW community needs to reach their goals. We are here to facilitate a safe IT environment in which all students, faculty, and staff can access the resources that they need, sometimes it sounds like, “no”, but what we are really requesting is modifications that reduce risk of exposure or breaches at GW.

Myth #2: Security only deals with technology

Many people believe that IT security only works on securing servers, reading logs, and other highly technical tasks. On the contrary, the security team has a wide range of responsibilities of which technology is only a part. The security team is continuously engaging with people and data in a multitude of ways. Often trying to help people protect themselves and the organization through a security awareness program or working directly with other teams to enhance security within their operations. They are constantly trying to improve way to protect the GW community’s data by updating policies, implementing best practices, and assessing security processes.

Myth #3: The security team is just a bunch of hackers

Just as many people think that the security team is nothing but hackers. This is far from the truth. Information security is a wide field with many specializations and it takes all sorts to be effective. While some members of the team might be highly technical penetration testers, their counterparts are security professionals focused on defensive security and protecting the GW network and assets from outside threats. Not to mention that members of the IT Security team range from awareness professionals working with people and outreach to analysts focused on identifying and reducing risk.

Myth #4: The security team takes care of security so I don’t have to

The security team works tirelessly to ensure that the GW community, information, and assets are as well protected as possible, but the team is not always the first line of defense. Security is your responsibility too. Our community is often the first line of defense when it comes to attacks from outside GW. Social engineering (aka tricking people and deceiving them) is a common tactic employed by attackers and encompasses phishing, piggy backing, and taking advantage of users in the workplace. All of this means that you, the user, needs to play a vital role in protecting the university, or, as we call it #SecuringGW. Protecting your own information is an essential puzzle piece to overall security of GW.  Catching phishing emails and forwarding them to abuse at GW may seem like a small task, but it is small actions like this that alert the team and protect GW from large breaches. Being aware of people trying to enter buildings where they don’t belong, and maintaining a clean desk free of sensitive materials are all security measures that you can take to do your part in #SecuringGW.

Fact: GW Information Security – Your Trusted Advisor

The information security team strives to facilitate access to the resources that the GW Community needs in as secure a manner as possible. Security affects everyone; data loss, lack of availability, and compromised systems impede day to day business functions, which means it affects the day to day lives of everyone on campus. In order to help prevent this, the security team acts as a Trusted Advisor to everyone in the GW Community. Whether you want to implement a new system, service, or application, or begin a new project, involving the GW security team as Trusted Advisors from the start enables us to aid in proper project oversight and completion while maintaining and promoting the confidentiality, integrity, and availability of GW’s data, systems, and services.

 

Learn Social Engineering
OZKAYA, E. (2018). LEARN SOCIAL ENGINEERING

 

Previously, we discussed Social Engineering in the form of Phishing, a typically untargeted attack type that focuses on quantity over quality. However, not all Social Engineering attacks cast a large net, some get up close and personal. Attacks that involve pretexting are typically more focused and can be well planned and highly targeted; making them a credible threat to information security at any company.

Whether used in person or through other means of communication, pretexting is a dangerous method used by attackers to worm their way into systems and financial profit. Pretexting can be relatively simple and recycled constantly, but can also be well thought out, researched, and specifically tailored to each target. Ultimately, pretexting involves an attacker impersonating someone or having a “legitimate” reason to gain access where they do not belong.  Pretexting relies heavily on an attacker having convincing and effective aliases, stories, identities, and credibility.

The research conducted to carry out a pretexting attack is typically all open source. They might scour an organization’s web pages to understand the size, structure, and relationships, or they might look for company login portals such as HR sites, mail hosting, and VPN portals. Often times, attackers will try to find information on specific employees like email addresses, position within the company, and any other information that can be used to impersonate or manipulate them. Gathering all of this information about an organization helps attackers in understanding how the business operates and what type of attacks might work. If the target is a large company with thousands of employees then an attempt to impersonate someone is more likely to be successful than if the target is a small close knit business that would easily recognize an imposter.

Thorough research enables attacker to determine the best methods to gain unquestioned access to money transfers, systems, and other restricted areas. A tactic that attackers frequently use is to impersonate a target’s boss, an executive, or other important figure, and then urgently request money transfers to specified accounts. The hope is that the targeted individual will panic due to the urgency and fail to verify the transaction with anyone else. Other attack types include impersonating vendors, internal departments, or other entities who might have an already established relationship with the organization. The attacker may try to call the victim and using their false identity and back story, then get them to visit a fake company login page and input their credentials. With those credentials, attackers can now access potentially sensitive systems and data.

Whether a Social Engineer uses a relatively general pretext, or a highly targeted and well planned one, users should be aware of and able to prevent the danger that they pose. Preventing these kinds of attacks is not necessarily difficult, it just takes a bit of time and diligence. If someone asks you to complete a wire transfer, take the time to confirm that they are the ones that sent the email or made the phone call. Reach out with another form of communication to verify. Always confirm any backstory that is offered to you, if you have been asked to log into a portal to accept new compliance documents or policies, contact your compliance office to double check. If someone visits the office and claims to work for a maintenance company but they aren’t on your schedule, call the corporate office and verify that their employee is supposed to be there. Confirm package deliveries from delivery people you have never seen before. Be highly suspicious of anyone who contacts you and asks for login credentials, personal information, or financial details over the phone or through email. Always be wary of strangers trying to access systems, data, and even your office building. Take the time to protect yourself and your organization from attackers who try to manipulate you with convincing and well thought out back-stories and personas.

-

Kennedy, D. (2014, March 05). Pretexting Like a Boss. Retrieved June 20, 2019, from https://www.trustedsec.com/2014/03/pretexting-like-boss/

Nadeem, M. (2019, April 17). Pretexting: Definition and examples | Social engineering. Retrieved June 20, 2019, from https://blog.mailfence.com/pretexting/

Phishing diagram
From Wombat Security

Phishing

Phishing is a very simple and useful tool in an attacker’s arsenal. Phishing can lead to the exposure of sensitive information such as usernames, passwords, PII (personally identifiable information), and credit card information. So what is Phishing? It is at method used to obtain sensitive information from a victim that leverages social engineering and communications technologies that normal people use every day. There are various methods of phishing, with the most common being email, vishing (voice phishing), and smshing (text phishing). These methods can be blanket attempts that rely on quantity instead of quality (often called campaigns) or they can be very carefully crafted attacks with very specific targets (spear phishing and whaling). Luckily, identifying and defeating these attacks can be simple if you know what to look out for.

Email Phishing

Email is the hacker’s go-to for most phishing attacks; people wouldn’t think twice about receiving an email. Often times phishing emails will contain a malicious link, a malware attachment, or directly ask for sensitive information. In order to trick victims, these emails are crafted to appear from a big company, such as FedEx, Apple, or even from inside your own organization. Attackers use look-a-like or spoof emails to convince the target the email is legitimate. This can lead to compromised systems and/or exposed personal information, which can lead to further exposure of friends, family, and the victim’s organization.

Defeating Email Phishing:

  • Is the company logo/banner/design slightly off?
  • Would this person/company normally be sending you an email?
  • Should they already have the information they are asking for?
  • Never open unsolicited attachments
  • Legitimate Companies should never ask sensitive information through email
  • Use other methods to confirm the communication

Vishing

Voice phishing is growing in popularity and just like other types of phishing, vishing can be automated making it a dangerous tool. Attack examples include an “FBI” automated message, “IRS” tax refund/payment notification, or as a call from your local home improvement company. When attackers get on the line with their target they present a well thought out and engaging backstory to hook their victims. Impersonation is used in most vishing calls; attackers will impersonate IT staff, management in your company, and HR to appear official.

Defeating Vishing:

  • Ask the caller to provide information only you and they would know to ensure the caller’s identity
  • Never give sensitive information over the phone
  • If the call is suspicious, contact someone close to the individual, or through other means
  • Offer to call the individual back at the number in your staff/corporate directory, or at the number listed on the legitimate website

       

Smshing

Smishing sends texts to the targets phone in hopes of them clicking a malicious link, downloading malware, or returning sensitive information. Texts follow email phishing outlines and can be identified similarly. Many victims fall for smishing because they are unaware of the tactic and more trusting of texts. Don’t trust it more just because it’s a text message.

Defeating Smshing

  • Never provide sensitive information over text message
  • Avoid following random links
  • If you are unsure, reach out to your security team, or the communicating company
  • Do not call the number that texted you

Spear-phishing, Whaling & Campaigns

Most individuals come into contact with phishing campaigns. The goal of campaigns are to reach as many people as possible and hope for a hit. Whereas, spear phishing and whaling are techniques aimed at selected groups of individuals and executives. These are well planned, crafted, and executed, and shouldn’t be taken lightly. They aim to compromise victims with privileged access to systems, accounts, and resources. Victims typically don’t have the time to review these carefully crafted emails highly specific to the target and fall for the trap.

Defeating Spear-phishing and Whaling

  • Report suspicious emails looking for information to security
  • Verify communication with the contact through other methods
  • Attackers often impersonate colleagues, friends, and family
  • Always assume you’re a target
  • Opt for face to face meetings when possible (online or in person)

What is Social Engineering?

We frequently hear about cyber-attacks on organizations using highly technical and sophisticated methods, involving malware and vulnerabilities that most people don’t understand. However, what we don’t typically hear about is how the attacker got in. According to Verizon’s Data Breach Investigation Report, in 2019, a third of all data breaches involved social engineering attacks to include phishing, pretexting, and a variety of other social engineering methods.

Social Engineering involves gaining the trust of unsuspecting users via manipulation or trickery, in order to gain unauthorized system access, credentials, or commit fraud. Attackers will attempt to take advantage of a multitude of psychological traits such as carelessness, curiosity, empathy, complacency, and most frequently ignorance.

Why does it Matter?

Social Engineering attacks are more common than you might think and odds are that you will encounter one yourself in some form or another. Failing to recognize a social engineering attack could range from a minor inconvenience to a life changing event. Compromise from such an attack could lead to needing a password reset to having a bank account drained of funds, or could even be the launching point for the next massive data breach that makes headlines worldwide.

For example, the 2020 Twitter hack, which affected numerous high-profile accounts, resulted from a social engineering attack targeting employees. Similarly, the 2020 SolarWinds breach, one of the most significant cyber-espionage campaigns, involved social engineering tactics used against employees to gain access to critical infrastructure.

Social Engineering is a large threat to the safety of not just large organizations, but also the individual.

Social Engineering Life Cycle Image

Social Engineering Life Cycle

Much like software development and risk management, many cyber-attacks follow a lifecycle approach; with a continuing cycle of input and output constantly improving the process. Social engineering is no different and even has a few lifecycle models dedicated to it. In its simplest form however, the Social engineering lifecycle follows four basic phases: Investigation, Hook, Play, and Exit.

The Investigation phase is when an attacker performs their recon. They might choose their targets based on position within an organization, ease of access, or they might choose a wide range of targets just to see what sticks. After choosing a target they will use public information to learn as much as possible. Sources such as social media, company websites, and other profiles provide a wealth of information for attackers to use.

The Hook phase involves the initial interaction with the target; ranging from email to in person contact. During the hook, the attackers focus is on spinning a web of lies to manipulate victims at their will.

During the Play phase an attacker gains a stronger foothold and carries out the attack. Depending on their goals, they will begin disrupting or stealing sensitive and valuable data.

The Exit phase points to the end of the lifecycle. The Social Engineer will attempt to remove all traces of their presence and bring an end to their charade. Everything the attacker has gained or learned during the process is then used during a new attack cycle to more effectively con another victim.

Social Engineering and unaware users provide a vast attack surface that can be easily taken advantage of.  Meaning that you need to do everything you can to be prepared for and protect yourself from the conmen of the internet age.

GW Box is the university's enterprise file sharing service for online cloud storage and collaboration. GW also uses Gmail for email service, as such, the community has access to Google Drive as a cloud storage solution as well. Sharing and collaborating is essential to every work and study environment in the 21st century. Whether it’s for class projects or work projects, cloud storage and sharing solutions have changed and simplified how we do things. But, there are practices we should implement and guidelines we should follow in order to use the cloud responsibly. Below are the recommended Best Practices by GW IT and GW Information Security.

 

Security Best Practices Document

 

Social media trends are not only fun, but they also include a hint of FOMO if we don’t participate. The same can be said for the newest viral trend of “how hard did aging hit me” challenge, also know as the “10 year challenge.” There have been speculations on the origin and purpose of this trend across the internet, even in the information security Twitter community.

Kate o'Neill Tweet Image

Kate O’Neill’s tweet is a perfect example of a growing distrust the public has of social media and the internet in general after the introduction of many AI technologies, whether they be related to ad content or predictive text.

This affects the GW community at every level; students, staff members, and faculty members alike partake in social media sharing. There is nothing that confirms that O’Neill’s tweet has truth to it. However, our goal is to highlight the need of users to be smart and to be safe online. Always be vigilant of what you post and how much detail you give out, especially when it comes to location sharing. Criminals are becoming increasingly more knowledgable about how to use technology to their advantage, as are large corporations like Facebook where we live our daily lives. The younger the clientele, the more common it is for them to live their life in the digital world. Be #securityaware.

Skeptics can agree that this trend and some others can be seen as data mining or data harvesting parading as a harmless social game. Realistically speaking, information security professionals know that technology has become so mobile that it goes where we go. So, our message to you is be mobile, but be mindful. Stay mindful of what you share and how much you share. It may sound like an older generation reprimanding you, but it is true, everything you do does not have to be a social media post.

#bemobile #bemindful #securityaware

 

The US Department of Education Office of Federal Student Aid has identified a malicious phishing campaign that may lead to potential fraud associated with student refunds and aid distributions. Multiple institutions of higher education have reported that attackers are using a phishing email to obtain access to student accounts by providing links to bogus student portals.

If you have received this email or a similar one, please do not reply to it, open any attachments or click on the link.

Scam Phishing sample message

If you have responded to the phishing attempt with your GW UserID and corresponding password, please change your password immediately by visiting identity.gwu.edu and clicking on “Reset/Forgot Password”.

Please remember that you should always be wary of messages requesting account verification, confirmation or upgrade, payment or personal information such as your passwords, GWid, Social Security number or credit card information. Additionally, please ensure that your computer is patched with the most recent operating system updates.

If you receive any phishing attempts in the future, please do not reply to them, open any attachments or click on any links. Please forward the email to abuse@gwu.edu.

If you have any questions about the validity of a link you see or a message you receive, please contact the IT Support Center at 202-994-GWIT (4948), ithelp@gwu.edu or IT.GWU.EDU.

We get this question a lot. You're surfing the web and you click a link and all of the sudden, you see this screen:

Image: Blocked website

We understand that this can be frustrating, especially when you believe that the website in question is completely safe and legitimate. The GW Security team is happy to correct any incorrect blocks and encourage you to contact us using the form provided on the block page. We also want to take this opportunity to provide an overview as to why some websites get blocked and what you can do.

The GW network is set up to use domain resolution services provided by Cisco OpenDNS Umbrella. OpenDNS serves over 65 million users daily and provides timely protection against an ever growing array of threats.

Before we talk about blocked sites, we want to mention a few categories that are commonly mentioned in block complaints and want to confirm that we do not block the following categories:

  • Controversial (for political, lifestyle or any reason)  sites
  • Pornography (except illegal)
  • Gaming
  • Coin mining (except for domains implicated in unsolicited browser coin mining and seen used by coin stealing / mining malware)
  • Video streaming / sharing / downloads

You can read OpenDNS anti-censorship policy here: https://www.opendns.com/about/anti-censorship-policy/

That said, pornography, gaming, coin mining, and (illegal) video sharing or streaming sites have higher than normal percentage of compromised and malicious / malvertising (ads redirecting to malware and adware) sites that could be blocked.

We also strongly advise against running gaming or coin mining servers on the GW network as they are often a target of various types of cyberattacks, including DDoS, and could be flagged for inappropriate use of GW resources such as electricity and shared bandwidth.

Here are some reasons why a website you're trying to visit may be blocked: 

Reason #1. This is not the site you intended to visit.

We block a lot of malicious and malvertising (ads redirecting to malware and adware) sites. Sometimes legitimate and clean websites could have an advertising pop up or redirect that gets blocked, thus giving an impression that the site you are visiting is blocked as well.

Double check the URL. You may be trying to visit a similar, likely malicious, website that is blocked (e.g. gwu.com vs. gwu.edu)

What to do:

Check the URL shown in the block page. If this is not the URL you typed or expected, try your original destination URL or check for other open tabs in your browser where the site you visited may still be open.

Reason #2. Malware, Adware, Scareware, Scams, Phishing, Bad hosting.

This category is obvious but still requires a few notes. Imagine your hometown restaurant site gets blocked and you believe it is wrong because you visited that site many times before so it seemed clean. There are a few reasons why blocks of legitimate sites may occur:

  • The site might actually be compromised. It does not have to be infecting visitors, but it could be detected as having phishing links, browser coin mining code, or malicious code redirecting visitors to suspicious sites.
  • Collateral damage from bad sites using the same hosting server. Sometimes OpenDNS services block IP addresses that are home to multiple malicious domains.
  • The site was compromised in the past but is clean now. However, some security providers may still have it blacklisted. Usually blocklists are shared between companies.
  • False positive blocks by some security providers may affect the overall score.
  • Human errors - non-malicious websites that were mistakenly blocked as part of an incident response investigation.

What to do:

If you believe it is wrong, fill in the form on the block page and we will reply promptly and whitelist or unblock clean sites.

Reason #3 Newly seen domains.

Newly seen (by OpenDNS) domains are temporarily blocked.

New domains are often registered in the thousands as a new malware campaign effort to bypass blocks on the sites that have already been flagged as malicious. The Newly Seen Domains (NSD) is a security category that works by checking OpenDNS logs to see lookups for that domain that were not seen across all OpenDNS global sensors in the past. If they see a lookup for that new domain, it is flagged as “newly seen” and added to the NSD list. This temporary block will eventually expire. The expiry time depends on the characteristics of the parent domain or  the IP space / registrant. Typically domains stay in the list between one to three days, but it isn't fixed to a set period of time. During that time malicious domains often get added to the appropriate security category and benign domains will become unblocked.

A significant portion of the domains that are categorized as newly seen will not, in fact, be malicious and OpenDNS takes precautions against blocking content delivery networks (CDN) known to generate a lot of new subdomains as well as other well known benign providers.

Please note that the first query to the domain will be allowed, because if OpenDNS has never seen it, it was not yet added to the Newly Seen Domain Category. The time gap between when a domain is first queried and before it appears in the list of domains matching the Newly Seen category is ?????

Important note: A domain will enter the process to be flagged as newly seen not when it is first registered, but rather when it is sampled in a DNS query to OpenDNS Umbrella resolvers - in other words, when a visit is attempted. Not every DNS query to Umbrella is sampled, and therefore some very low traffic domains may not be flagged as newly seen immediately.

What to do:

Fill in the form on the block page; we will reply promptly and whitelist it so you do not have to wait for the Newly Seen Domain block to expire in a few days.