Office of the Chief Information Security Officer

Transcript Working Remotely

Title
Working Remotely
Scams & Security Tips

Instructions
This training is approximately 12 minutes long. You can speed it up or slow it down by using the controls in the player. A glossary can be accessed by the “glossary” link. A transcript can be downloaded or accessed from the “transcript” link.

Scene Introduction
The pandemic and the stay-at-home measures that have been enacted in response to it, have probably changed the ways you interact with technology and collaborate with other members of the UW community.

Working from home isn’t new for everyone, but it is a novelty for so many people to be attending classes and working from home all at once.

And when it comes to information security wherever there’s a novelty, there’s a potential vulnerability and there are always cybercriminals and other adversaries waiting to take advantage of those vulnerabilities.

Coronavirus Scams
Almost immediately as when news about Covid-19 broke, cybercriminals started sending phishing emails to steal credentials, infect devices and networks and to trick users into giving them personally identifiable information and access to bank and other financial accounts as well as UW data and systems.

So let’s take a look at examples of new scams and review some of the older ones scammers may adapt for the times and then go over some things to do to secure your personal and UW data, devices, connections, and collaborative tools.

Scams
Here are some phishing messages that have been sent to UW staff and students since the coronavirus pandemic was first reported.

Example 1

This email and other variations was sent in various forms to UW students and claims to link to a portal where they can sign up to receive funding relating to the Coronavirus Aid Relief and Economic Security or CARES Act.

Example 2

This email came out shortly after many UW employees began working from home. Using a forged account that appeared to be from the UW News Organization with urgent information about coronavirus and its impact on the UW community.

Example 3

This third example which targeted UW employees attempted to trick them into downloading an attachment which was likely infected with malicious software or malware.

Other emails used “letters of dismissal” and other subject lines intended to catch UW staff members off guard. Note that this example employs the word “kindly” which is often a red flag for a phish.

Older Scams

Gift Card Scams

In addition to these scams that exploit the current situation, scammers are also using tactics that have been around for a while. Last summer there was a surge of gift card scams with a subject line “Are You Available?” Variations on this scam have been sent to staff members at UW ever since.

Job Scams

Students have been sent emails with phony offers for jobs and internships that are carefully crafted with specific details that make them appear authentic.

Unemployment Scams

Cyberthieves target W-2s and tax information every year, but this year they are using various tactics to steal social security numbers to file false unemployment claims.

“I Know Your Password” Scams

“I Know Your Password” scams might try to trick you into believing the password that you discarded a long time ago might be used to blackmail you into paying large sums of money.

Click on the “Phishing at UW” link on this webpage for more information about phishing scams. The Office of the Chief Information Security Officer has a phishing example webpage as well as a scams page where new examples are posted regularly.

If you encounter an email that seems suspicious, it might help to check those pages to see if it’s been reported by someone else. But remember that the posted examples aren’t the only ones being sent to the UW community, any email that has a link, asks you to download an attachment, request personal or UW information or contains offers for money, internships or jobs should be regarded with skepticism until you can verify by calling or some other method other than an email response that the sender is who they claim to be.

Cyberthieves and other adversaries who try to steal personal and university information represent one kind of threat and that kind of activity accounts for much of the data loss at universities. The data can be accidentally lost or disclosed by employees as well, no matter which type of risk or threat and whether not the vulnerability is caused by an intentionally malicious or accidental disclosure.

Tips
The following tips will help you secure data, devices, connections, and collaborative tools with UW data security in mind.

Securing Data
First, let’s consider the data. When it comes to securing data, it’s important to protect your accounts, devices, and systems with strong passwords and passphrases and to use multi-factor authentication whenever possible. You can also use a password manager to track your passwords. For UW data, check out tools and resources on the Office of the CISO website or IT Connect by clicking on the following links:

  • Duo for multi-factor authentication.
  • LastPass, the UW’s enterprise version of a password manager which is available to all students and staff.
  • Passwords and Passphrases, an online training published by the Office of the CISO.

Back up your data. Back it up in several formats and keep your backup secured. There are many reasons why it’s important to keep your data backed up, but if your computer is hit by ransomware, a type of malicious attack in which cyberthieves lock up your data and devices until you agree to pay a sum of money. Your back up may be the only way to restore your work.

For infographics on ransomware and World Backup Day, check out the link for infographics.

Know what type of data you’re working with. UW administrative policy or APS 2.4 defines three types of data: confidential, restricted, and public. This data classification link on the UW Privacy office website will give you more information about the UW definitions for each data type as well as examples of each kind.

It’s not recommended to store UW confidential and restricted data on portable or home devices. So delete data once you’re done working with it.

So if you’re not storing data on your device, you may be wondering where can you store it? Consult the file services comparison list on the IT Connect website which has a table to help you determine which UW files services are acceptable for protected data such as FERPA or HIPAA.

Securing Devices
Next, let’s talk about devices. When it comes to devices, one important thing to remember is to keep your devices in a secure location and don’t leave them in your vehicle. Laptops and other portable devices left in cars is a common way data is lost at universities. Encrypt your laptops, mobile devices, portable storage devices, thumb drives, and hard drives on desktop computers. If your device is lost or stolen, notification to anyone who might be affected may depend on whether or not the device is encrypted. Check your device or hard drive’s documentation to find about how to encrypt it and keep track of the encryption key.

Keep your devices separate. Use work devices for work and personal devices for personal data. An important point of awareness on this topic can be found in APS 55.1 Mobile Device Use and Allowance, which states the following:

Employees are expected to configure mobile devices that are used to conduct UW business, whether personally owned or provided by the UW, in such a way that protects UW information.

It also says that if an employee uses a personal mobile device for UW business and the UW determines the confidentiality, integrity, and availability of UW information is at risk at the result of that use, the employee may be required to provide UW unrestricted access to the device.

Consult APS 55.1 particularity section four for more information about employee responsibilities.

Additional Tips for Securing Devices
Additional tips for securing devices are:

  • Keep all software updated and patched. The longer software goes without any updates, the more likely it has vulnerabilities that cybercriminals can exploit.
  • Use antivirus software and keep it updated. Sophos antivirus is available for all members of the UW community even for home use.
  • Don’t share your work devices with family, or roommates, or pets.
  • Additionally, use separate accounts for administrator activities and day to day usage. For instance, on your laptop or desktop computer create a user account for your daily activities and only use an account with administrator privileges for installing software and updates.
  • Get to know about firmware updates on your devices as well. Firmware is a set of instructions embedded on your devices that makes software work the way it’s supposed to. The method of updating firmware and the frequency for doing it depends on your device, so check the manufacturer’s documentation for more information.

Securing Connections
Now it’s time to talk about securing connections. Use a virtual private network (VPN) when you connect to UW data. Husky OnNet is available for the UW community. Click the “Husky OnNet” link to learn about how to install it, when you should use it and find out more about what a VPN does.

Most computers whether they are a Macintosh or PC have a firewall. Firewalls filter certain types of harmful traffic. Firewalls on devices are not always turned on by default, so check to make sure yours is on.

If you don’t much about your router, it’s a good time to learn as much as you can. Make sure you change the default name to something unique and change the default administrator password on the device.

Use the strongest form of encryption that you can. WPA 2 or 3 is preferable to WEP.

Require a password for users. Don’t leave your wi-fi network open for others to use.

Just like with other devices, use strong complex passwords. You can use a guest network, so that visitors have their own password. A guest password can be used for IoT or an internet of things devices as well.

When it comes to firmware, it’s especially important to keep your router updated. How hard or easy it is to keep it updated depends on the device. So once again, check with the manufacturer.

If you get to know more about your router and best security practices, you may see guidance that says you should hide your network name or the SSID. If you decide you want to hide it from view, that’s fine. But don’t assume that hiding your network will keep it out of reach from adversaries. The network can be reached in more than one way by those who have the right tools to find it. It’s more important to:

  • Change the default name
  • Require a strong password
  • Use strong encryption
  • And to get to know more about the administrative interface than to hide the network name

Collaborative Tools
And finally, a word about collaborative tools. We referred to this earlier, but it’s worth reiterating. It’s important to make sure you are using the right collaborative tools for the information you are sharing with coworkers. If you’re sharing HIPAA or FERPA data, for instance, check to see which services are appropriate for storing or sharing those types of data. A listing of online UW file services is available on IT connect as well as a comprehensive file service comparison. Security tips for using Zoom can be found on IT Connect.

Conclusion
Some of the most effective tactics that cybercriminals use rely on vulnerabilities on software, hardware, and various computing and network devices. Cybercriminals also exploit the way people use those devices and technologies. The best tools we have are awareness that cybercriminals constantly change their tactics and knowledge about the technologies we use to access, use, and store valuable personal and UW information.

Thank you for watching and thank you for keeping UW data secure.