Skip to content

Tag: information security

Published on

Cybersecurity has become one of the most significant hot topics inside and outside technology circles over the last two years. From securing learning devices due to a rise in digital learning during the COVID-19 pandemic to coping with the fallout of high-profile breaches of national infrastructure such as the Colonial Pipeline, there is an evidently constant news cycle dedicated to cybersecurity mishaps and concerns. With this continuous stream of bad news, it can be challenging for you to know how to keep secure in the face of cybersecurity and threat actors. 

Everyday users have a huge role in cybersecurity threat prevention, detection, and remediation. According to a Wall Street Journal article, many hacks are successful by convincing someone inside or close to the target company to divulge network access credentials or other critical information. Therefore, GW’s first line of defense in helping to combat cyber-related issues is you. 

Here are 4 essential best practices that you can adopt today to enhance your cybersecurity and create a more secure cyberspace for you and GW.  

Watch out for Phishing Attempts

Phishing is when a threat actor poses as a legitimate party such as a bank, delivery service or other organization in an attempt to get individuals to click harmful links. Phishing remains one of the most popular tactics used  today. In fact, 80% of cybersecurity incidents stem from a phishing attempt. While phishing has gotten more sophisticated, the phishing signs remain the same. Look for typos, poor graphics, and other suspicious characteristics (incorrect logo or email address) as these can be red flags indicating that the content is a phish. In addition, if you think you have spotted a phishing attempt while logged into the GW network, report the incident to GW IT immediately. To report an incident please contact the GW Information Technology Support Center at 202-994-GWIT (4948) or email abuse@gwu.edu

Update your Password

Password cracking is another tactic that cybercriminals use to access sensitive personal information.  To guard against password cracking, having unique, long and complex passwords is one of the best ways to boost your cybersecurity immediately.  It is highly recommended not to repeat passwords across your accounts because once a hacker cracks one account, they can easily do the same across all of your accounts. 

Passwords can be tough to remember. That’s why it’s smart to use a password manager to help you secure your various passwords in one place. Password managers are easy to use and can automatically plug-in your stored password when you visit a site. Along with other security tips, password managers minimize the risk of mis-managing account passwords.

Take Advantage of Secure Wi-Fi 

Mobile hotspots and public Wi-Fi networks are typically not password-protected,  so it’s easier for threat actors  to gain unauthorized access to devices. Students, faculty, and staff should take full advantage of the university Wi-Fi networks when on campus. They are password-protected and only allow internet access across the university premises, operating as a secure online bubble for every user to work in peace.  

Lock your Device

Whenever you're logged into your devices (computer, laptop, phone, etc.),  you’re also open to potential unauthorized access by hackers and other threat actors.  The easiest way to prevent unauthorized access to your device is to lock it whenever you leave it unattended. All you have to do to get back on your device is enter the correct password, and you can pick up where you left off. If you wouldn't leave your house with the front door wide open, you should not leave your devices unlocked, especially when they are unattended.  

This blogpost is offered to you by the GW Information Security and Risk Services team. For more information on GW IT Security, please visit our security website: https://it.gwu.edu/gw-information-security  

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse@gwu.edu

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp@gwu.edu, or visit ithelp.gwu.edu.  

Original blog content provided by The National Cyber Security Alliance www.stayfaeonline.org, modified and posted with permission. 

Published on

Logo for National Cybersecurity Awareness MonthNational Cybersecurity Awareness Month (NCSAM) is a month that helps raise awareness and highlight the importance of cybersecurity. Cybersecurity and Information Security overlaps with almost everything we do and every technology we use. NCSAM was started in 2004 by the National Cyber Security Alliance (NCSA) and the Department of Homeland Security (DHS). The creation of NCSAM was to help Americans be secure online. The month raises awareness for security and emphasizes both companies and individuals on how to protect themselves.

Over the years, NCSA and the DHS have put on joint events around many states for NCSAM. In the past events with panels of information security professionals have been done as well as talks and presentations. They have even done some summits around the states and webinars for all to join. This year they have panels, and presentations all around the country, including Washington, D.C. These events have had growing popularity each year and have had some high ranking and nationally recognized officials make appearances at these events.

Each year there are different themes. The themes are meant to emphasize a particular change in behavior that would help everyone be safer online. This year the theme is, “Own It, Secure It, Protect It”. The goal for this year's theme is to draw attention to careers in information security and to encourage accountability. Each week of the month will focus on a different area of the theme. The “own it” part of the theme is to have people take ownership of their data. Most people don’t realize how much private information is going out on the web. “Secure it”, is for having strong passphrases and avoiding scams and phishing. “Protect it” is being proactive with your information after it is out there. Being active in knowing where and who has your data, and how to keep it protected.

Here at GWU, we are involved with NCSAM by spreading awareness through the university and by hosting our own events. We have events like meet and greets with the Information Security team, Cybersecurity Jeopardy, webinars, and presentations throughout the month of October. If you want to attend any events or have a chance at winning some of our excellent prizes this year, check out the event calendar here, http://go.gwu.edu/ncsam2019.

Published on

Security is in your hands image

95%  of all successful cyberattacks start with human error according to the IBM Cybersecurity Intelligence Index. That would make it pretty important to periodically evaluate and increase your own awareness of Information Security hygiene and awareness. 

Information security is one of the fastest-changing fields in the world. New technologies emerge every day that change the way people attack and defend systems and networks. While professionals in information security are required to be in a constant state of learning to keep up with the field as a whole, those without day to day dealings tend to be the primary targets and the least informed. Being aware and informed enables everyone to protect themselves. Staying informed is simple, there are a wide range of awareness organizations and individuals dedicated to reaching outside of the information security community and enabling everyday users to secure themselves, their data, and thereby their organizations. 

 

Awareness Companies

Security awareness training should be a high priority for any organization. To facilitate effective awareness training, a number of companies focus on providing awareness training as a professional service, often using computer based training. Companies such as Habitu8, SANS, KnowBe4, and Security Ninja focus on providing awareness training packages to organizations who want to inform and educate their employees. These packages are frequently integrated into something called a learning management system (LMS). An LMS is something like Blackboard. Other free resources are also available and essential to reaching people both inside and outside the Information Security community. Free websites often feature webinars, talks, and videos. You can ask your organization or awareness training coordinator what resources are available to educate yourself. (At GW, you can email infosec@gwu.edu for more resources or to request training for your student organization or department.)

Free training resources
Reading and news: https://www.sans.org/security-resources/
Test your knowledge and learn: https://www.khanacademy.org/partner-content/nova/cybersecurity/cyber/e/cybersecurity-101-quiz

 

On the Web

While organized and mandatory awareness training can be effective, it isn’t the only way to reduce risk and stay up to date on cybersecurity. There are an abundance of websites, blogs, and other informational pages freely available to all. Cybersecurity is often in the news as well, it is worth noting that it comes up more and more often. 

One website run by Troy Hunt, Have I Been Pwned not only allows users to check if their email has been associated with a data breach, but also stay up to date on data breaches happening around the world. Hunt’s website provides information on hundreds of breaches that may impact you or your family and can often provide the early warning you need to change your passwords before your accounts are stolen. In addition to providing a breach checking service, the site also offers a way for users to check their password against the ever growing list of compromised passwords that Hunt maintains, and if you are unsure of how to choose a secure password look no further than the same page for guidance.

Credit monitoring services like Credit Karma and Equifax also offer services the track your exposure to identity fraud or a credit data breach.

Many information security websites can be so technical that they drive less informed readers away, but don’t let that discourage you. Brian Krebs an investigative journalist runs a site called Krebs on Security where he writes about the most recent information security news. Krebs provides in depth coverage of ongoing stories that far surpass traditional news media coverage. He achieves this without alienating less technical readers with overly complicated and technical language and articles. Krebs on Security provides a good way for the average user to stay up to date on relevant topics in the information security space.

As social media has gained popularity, more and more professionals are turning towards it to keep informed and spread their message. It may come as a surprise to some that there is a large information security community on twitter, but it is one of the best places to keep up with the latest in security news. While some may think that only information security professionals should be following each other on twitter, everyone can benefit from the discussions, news, and events that are posted all over the #infosec twitter space. Users will frequently post links to free webinars, blogs, and conferences covering a wide range of topics that would help even the least technical user remain aware and informed. Big names on twitter such as Jake Williams (@MalwareJake), Brian Krebs (@briankrebs), Troy Hunt (@troyhunt), and Lesley Carhart (@hacks4pancakes) provide a constant stream of information security news, issues, and tips to benefit everyone. Organizational Twitter accounts like the National Cyber Alliance (@StaySafeOnline) and SANS Internet Storm Center (@sans_isc) also provide comprehensive and consistent updates to the cybersecurity student and professional. Don’t be afraid to use less traditional methods such as Twitter and social media to educate and protect yourself.

Published on

Information Security Photo Collage

People have a lot of pre-conceived notions about security teams and practices. While some misconceptions may be grounded in truth and others fairly outlandish, there is a lot going on behind the scenes that users may not see. From claims that we are all hackers wearing hoodies and doing nefarious deeds to the perception that we are here to get in your way, we will help you understand what is true, what is not, and why these perceptions might exist.

Myth #1: Security is just here to say no

Being at a university presents the unique challenge of providing the tools and technology necessary for students and faculty to research, learn, and achieve their goals. We must strike a difficult balance between the availability of those resources and the security of the university and our community. As security professionals, we do everything we can to enable safe and reliable access to the tools that the GW community needs to reach their goals. We are here to facilitate a safe IT environment in which all students, faculty, and staff can access the resources that they need, sometimes it sounds like, “no”, but what we are really requesting is modifications that reduce risk of exposure or breaches at GW.

Myth #2: Security only deals with technology

Many people believe that IT security only works on securing servers, reading logs, and other highly technical tasks. On the contrary, the security team has a wide range of responsibilities of which technology is only a part. The security team is continuously engaging with people and data in a multitude of ways. Often trying to help people protect themselves and the organization through a security awareness program or working directly with other teams to enhance security within their operations. They are constantly trying to improve way to protect the GW community’s data by updating policies, implementing best practices, and assessing security processes.

Myth #3: The security team is just a bunch of hackers

Just as many people think that the security team is nothing but hackers. This is far from the truth. Information security is a wide field with many specializations and it takes all sorts to be effective. While some members of the team might be highly technical penetration testers, their counterparts are security professionals focused on defensive security and protecting the GW network and assets from outside threats. Not to mention that members of the IT Security team range from awareness professionals working with people and outreach to analysts focused on identifying and reducing risk.

Myth #4: The security team takes care of security so I don’t have to

The security team works tirelessly to ensure that the GW community, information, and assets are as well protected as possible, but the team is not always the first line of defense. Security is your responsibility too. Our community is often the first line of defense when it comes to attacks from outside GW. Social engineering (aka tricking people and deceiving them) is a common tactic employed by attackers and encompasses phishing, piggy backing, and taking advantage of users in the workplace. All of this means that you, the user, needs to play a vital role in protecting the university, or, as we call it #SecuringGW. Protecting your own information is an essential puzzle piece to overall security of GW.  Catching phishing emails and forwarding them to abuse at GW may seem like a small task, but it is small actions like this that alert the team and protect GW from large breaches. Being aware of people trying to enter buildings where they don’t belong, and maintaining a clean desk free of sensitive materials are all security measures that you can take to do your part in #SecuringGW.

Fact: GW Information Security – Your Trusted Advisor

The information security team strives to facilitate access to the resources that the GW Community needs in as secure a manner as possible. Security affects everyone; data loss, lack of availability, and compromised systems impede day to day business functions, which means it affects the day to day lives of everyone on campus. In order to help prevent this, the security team acts as a Trusted Advisor to everyone in the GW Community. Whether you want to implement a new system, service, or application, or begin a new project, involving the GW security team as Trusted Advisors from the start enables us to aid in proper project oversight and completion while maintaining and promoting the confidentiality, integrity, and availability of GW’s data, systems, and services.

 

Published on
What is Social Engineering?

We frequently hear about cyber-attacks on organizations using highly technical and sophisticated methods, involving malware and vulnerabilities that most people don’t understand. However, what we don’t typically hear about is how the attacker got in. According to Verizon’s Data Breach Investigation Report, in 2019, a third of all data breaches involved social engineering attacks to include phishing, pretexting, and a variety of other social engineering methods.

Social Engineering involves gaining the trust of unsuspecting users via manipulation or trickery, in order to gain unauthorized system access, credentials, or commit fraud. Attackers will attempt to take advantage of a multitude of psychological traits such as carelessness, curiosity, empathy, complacency, and most frequently ignorance.

Why does it Matter?

Social Engineering attacks are more common than you might think and odds are that you will encounter one yourself in some form or another. Failing to recognize a social engineering attack could range from a minor inconvenience to a life changing event. Compromise from such an attack could lead to needing a password reset to having a bank account drained of funds, or could even be the launching point for the next massive data breach that makes headlines worldwide.

The massive Target data breach of 2013, which exposed the credit card and personal information of 110 million people, was a result of a contractor falling for a phishing email, one of the many social engineering methods attackers use. The DNC email leak in 2016 was caused by a well-crafted but fake password reset request from Google; sent to a high ranking DNC official and resulting in the leak of highly sensitive information regarding the Democratic campaign.

Social Engineering is a large threat to the safety of not just large organizations, but also the individual.

Social Engineering Life Cycle Image

Social Engineering Life Cycle

Much like software development and risk management, many cyber-attacks follow a lifecycle approach; with a continuing cycle of input and output constantly improving the process. Social engineering is no different and even has a few lifecycle models dedicated to it. In its simplest form however, the Social engineering lifecycle follows four basic phases: Investigation, Hook, Play, and Exit.

The Investigation phase is when an attacker performs their recon. They might choose their targets based on position within an organization, ease of access, or they might choose a wide range of targets just to see what sticks. After choosing a target they will use public information to learn as much as possible. Sources such as social media, company websites, and other profiles provide a wealth of information for attackers to use.

The Hook phase involves the initial interaction with the target; ranging from email to in person contact. During the hook, the attackers focus is on spinning a web of lies to manipulate victims at their will.

During the Play phase an attacker gains a stronger foothold and carries out the attack. Depending on their goals, they will begin disrupting or stealing sensitive and valuable data.

The Exit phase points to the end of the lifecycle. The Social Engineer will attempt to remove all traces of their presence and bring an end to their charade. Everything the attacker has gained or learned during the process is then used during a new attack cycle to more effectively con another victim.

Social Engineering and unaware users provide a vast attack surface that can be easily taken advantage of.  Meaning that you need to do everything you can to be prepared for and protect yourself from the conmen of the internet age.

Published on

GW Box is the university's enterprise file sharing service for online cloud storage and collaboration. GW also uses Gmail for email service, as such, the community has access to Google Drive as a cloud storage solution as well. Sharing and collaborating is essential to every work and study environment in the 21st century. Whether it’s for class projects or work projects, cloud storage and sharing solutions have changed and simplified how we do things. But, there are practices we should implement and guidelines we should follow in order to use the cloud responsibly. Below are the recommended Best Practices by GW IT and GW Information Security.

 

Security Best Practices Document

 

Published on

Social media trends are not only fun, but they also include a hint of FOMO if we don’t participate. The same can be said for the newest viral trend of “how hard did aging hit me” challenge, also know as the “10 year challenge.” There have been speculations on the origin and purpose of this trend across the internet, even in the information security Twitter community.

Kate o'Neill Tweet Image

Kate O’Neill’s tweet is a perfect example of a growing distrust the public has of social media and the internet in general after the introduction of many AI technologies, whether they be related to ad content or predictive text.

This affects the GW community at every level; students, staff members, and faculty members alike partake in social media sharing. There is nothing that confirms that O’Neill’s tweet has truth to it. However, our goal is to highlight the need of users to be smart and to be safe online. Always be vigilant of what you post and how much detail you give out, especially when it comes to location sharing. Criminals are becoming increasingly more knowledgable about how to use technology to their advantage, as are large corporations like Facebook where we live our daily lives. The younger the clientele, the more common it is for them to live their life in the digital world. Be #securityaware.

Skeptics can agree that this trend and some others can be seen as data mining or data harvesting parading as a harmless social game. Realistically speaking, information security professionals know that technology has become so mobile that it goes where we go. So, our message to you is be mobile, but be mindful. Stay mindful of what you share and how much you share. It may sound like an older generation reprimanding you, but it is true, everything you do does not have to be a social media post.

Let us know in the comments below if you make it a habit to consider what details you post on social media or if you have generally seen it as harmless fun.

#bemobile #bemindful #securityaware

 

Viewing Message: 1 of 1.
 Notice

This site uses cookies to offer you a better browsing experience. Visit GW’s Website Privacy Notice to learn more about how GW uses cookies.