National Cybersecurity Awareness Month-2024

October is National Cybersecurity Awareness Month (NCSAM), an annual initiative to raise awareness of cybersecurity issues and to empower everyone to protect their personal data in our highly digitized world.

Week 1 – Passwords and Multi-Factor Authentication

An image titled “Secure Your Stuff” shows a vault door with money sticking out and an unlock code of “1, 2, 3, 4”. It represents the idea that you should protect your accounts as carefully as you would protect your money. Below are good and bad ways to secure your accounts.

Did you know over 80% of breaches involve weak or reused passwords?

The Importance of a Strong Password

Passwords are the first line of defense against unauthorized access to your personal and work accounts. Weak or reused passwords are an open invitation for hackers to gain access to sensitive information.

Why Are Weak Passwords Dangerous?

Hackers use a variety of methods—such as brute force attacks, phishing, and credential stuffing (using passwords from previous data breaches)—to break into accounts. If your password is weak or reused across multiple platforms, it’s only a matter of time before your accounts become vulnerable.

What Makes a Strong Password?

  1. Password Length: Aim for at least 12-16 characters (https://www.hivesystems.com/password). Longer passwords are much harder to crack and they don’t require you to remember a password that is overly complex.
  2. Avoid Common Words: Don’t use easy-to-guess words, phrases, or personal information like names, birthdays, or simple sequences (e.g., “12345” or “password”).
  3. Use Passphrases: Consider creating a passphrase by combining random words (e.g., “Blue!Tree*Apple23”).
  4. Unique Passwords for Each Account: Never reuse passwords. Each account should have its own strong, unique password. Use a reputable password manager to assist you in storing all your passwords.

What is a Password Manager?

A password manager securely stores all your passwords. It can generate strong, unique passwords for each of your accounts. For more information, visit https://www.hawaii.edu/infosec/resources-tips/password-manager

What is Multi-Factor Authentication (MFA)?

MFA adds an extra layer of security to your accounts by requiring you to verify your identity in two or more ways before granting access. Typically, this includes something you know (your password) and something you have (a phone or authentication app).

How Does MFA Protect Your Account?

Even if a hacker gets hold of your password, they won’t be able to access your account unless they also have access to the second factor of authentication. This significantly reduces the risk of unauthorized access and helps safeguard sensitive information.

MFA significantly enhances your security by adding another hurdle for attackers. Accounts with MFA are over 99% less likely to be compromised compared to those without it. Don’t wait—take a few minutes today to enable MFA on your most important accounts!

If you receive a multi-factor authentication request and you are NOT logging into the service immediately DENY the request and change your password! The cyber criminal ALREADY has your password and is attempting to break into your account.

Week 2 – Data Privacy and Protection

An image titled “They’re Dangerous, Deadly, Radioactive, Active” shows a man with his hand covering his mouth as if he is looking at something scary. Below it, text describes how PII can hide in old CDs, hard drives, shared folders, and so on. “Keys to Survival” points to not keeping PII if it is not needed, search and destroy, and containment. An image of a person with a black bar across the eyes and a sad face says “…didn’t know I had them…was exposed very badly…”.

Defending Your Digital Future with Data Privacy and Protection

Data privacy and protection are the cornerstones of safeguarding both personal and organizational information. Data privacy refers to how personal and sensitive data is collected, stored, and shared, while data protection focuses on securing that information from unauthorized access, breaches, or misuse.

What is Data Privacy?

Privacy is about rights and consent: how and why data is collected, used, and shared, in a lawful and transparent manner.

What Kind of Data is Included with Data Privacy?

Data privacy mainly safeguards Personally Identifiable Information (PII). PII includes data elements such as name, address, Social Security Number (SSN), and date of birth. Other PII includes financial information, like bank account numbers and credit card details, and health records, like medical history and insurance details.

Examples of Data Privacy Regulations

  • General Data Protection Regulation (GDPR) – European Union’s regulation on protecting the privacy of personal data.
  • HIPAA: The Health Insurance Portability and Accountability Act, which protects sensitive patient health information.
  • FERPA: The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of students’ educational records.

For more information about external regulations that apply to the University of Hawai’i, see https://www.hawaii.edu/infosec/policies/

Tips for Data Privacy

  1. Educate Yourself and Others:
    • Stay informed about data privacy regulations (e.g., FERPA, GDPR).
    • Conduct regular training sessions for staff and students on data privacy best practices.
  2. Use Strong, Unique Passwords:
    • Create complex passwords and avoid reusing them across different accounts.
    • Consider using a password manager to store and generate secure passwords.
  3. Enable Multi-Factor Authentication (MFA):
    • Add an extra layer of security by requiring a second form of verification for accessing sensitive accounts.
  4. Limit Data Collection:
    • Only collect personal information that is necessary for specific purposes.
    • Review and minimize the data collected in forms and applications.
  5. Control Access to Personal Data:
    • Implement role-based access controls to ensure only authorized individuals can access sensitive information.
    • Regularly audit permissions and access rights.
  6. Be Cautious with Sharing Information:
    • Think carefully before sharing personal data, especially on social media.
    • Limit the amount of personal information shared publicly.
  7. Secure Communication Channels:
    • Use encrypted messaging and email services when sharing sensitive information.
    • Avoid discussing private matters in public or unsecured environments.
  8. Review Privacy Policies:
    • Familiarize yourself with the privacy policies of platforms and services you use.
    • Understand how your data is collected, used, and shared.
  9. Practice Good Data Hygiene:
    • Regularly review and delete unnecessary personal data.
    • Shred physical documents containing sensitive information before disposal.
  10. Be Aware of Phishing and Scams:
    • Stay vigilant for suspicious emails or messages asking for personal information.
    • Verify the sender’s identity before clicking links or providing data.
  11. Utilize Privacy Settings:
    • Adjust privacy settings on social media and online accounts to control who can see your information.
    • Regularly review and update these settings.
  12. Report Data Breaches:

Data Privacy Resources

What is Data Protection?

Data protection focuses on the security measures to ensure data remains safe from breaches, loss, or unauthorized access.

Data Protection Tips You Should Know

  1. Data Classification:
  2. Security Measures:
  3. Educate your users to implement personal security:
  4. Create Data Backup Procedures:
    • Regularly back up important data and store backups securely, ideally offline or in the cloud.
    • Test backup restoration processes to ensure data can be recovered when needed.
  5. Regularly Update Software:
    • Keep operating systems, applications, and antivirus software updated to protect against vulnerabilities.
    • Enable automatic updates where possible to ensure timely patching.
  6. Limit Data Retention:
    • Regularly review and securely delete data that is no longer needed.

Week 3 – Phishing and Scams

An image titled “Don't Get Phished” shows a fishing pole stuck in the sand with a line out in the ocean. Next, an image titled “Phishing Can Lead To…” shows a human silhouette labeled Account Takeover, a fingerprint labeled Identity Theft, a hand labeled Data Theft, a bag of money labeled Financial Loss, and finally an open lock labeled UH Ransomware or Data Breach.
Below that, several Signs of a Phish are shown, along with the different forms phishing takes (Smishing, Vishing, and Quishing) and ways to prevent getting phished.

What is Phishing?

Phishing is a cyber attack where attackers pose as legitimate entities—such as banks, colleagues, or even your boss—to trick you into revealing sensitive information like passwords, financial details, or personal data. These scams are often sent via email but can also occur through text messages or phone calls.

Types of Phishing Scams:

  1. Email Phishing:
    • This is the most common form of phishing! Attackers send fraudulent emails that appear to come from trusted sources, such as well-known companies or familiar contacts, asking you to click a malicious link or download a harmful attachment.
  2. Spear Phishing:
    • A more targeted form of phishing, spear phishing focuses on a specific individual or organization. Attackers personalize their messages, making them seem even more convincing and harder to detect.
  3. Smishing (SMS Phishing):
    • Attackers use text messages to deliver fraudulent links or requests for personal information. These texts often create a sense of urgency, such as claiming there’s a problem with your bank account or a delivery, prompting you to act quickly.
  4. Vishing (Voice Phishing):
    • Voice phishing involves defrauding people over the phone, enticing them to divulge sensitive information by sounding frantic and pushing targets to act without thinking. Attackers often pose as banks, government agencies, or help desk support to gain your trust.

How to Recognize Phishing Attempts

Knowing the signs of phishing is the first step in protecting yourself. Always remember to S.E.A.R the Phish to help keep our community safe.

STOP – Don’t panic and don’t be too quick to click on email links even if the message looks urgent and threatening.

EXAMINE – Look at the email closely. Does the message look suspicious, does the link look unusual, does the request make sense?

  • Check the Sender’s Email Address:
    Phishing emails often come from addresses that look similar to a legitimate one but contain small variations (e.g., “admin@hawai.co” instead of “admin@hawaii.edu”).
  • Look for Suspicious Links:
    Hover over any links in the email to see where they actually lead. Be cautious if the URL looks strange or doesn’t match the company’s official website.
  • Poor Grammar and Spelling Mistakes:
    Many phishing emails contain spelling errors, awkward phrasing, or grammatical mistakes that reputable organizations would not typically make. AI has made grammar mistakes less common, but it is still a common sign.
  • Urgent or Threatening Language:
    Phishers often try to create a sense of urgency by telling you to “act immediately” or face consequences, such as account suspension or fines. The University will NEVER ask for your username, password, or DUO code through text, calls, OR Google Forms.
  • Alternative communications:
    Emails asking you to text, call, video chat, or use a different email address to correspond to them should always raise suspicions.

ASK – Even if it’s from a hawaii.edu address, you should always ask! Email from hawaii.edu can come from a compromised user. If you receive an email telling you to send information to a non-hawaii.edu address, report it immediately.

  • Question the sender (if you know him/her personally).
  • Check with the ITS Help Desk (help@hawaii.edu) to determine if the email is legitimate or not.

REPORT – Notify ITS if you receive any UH-related phishing emails by forwarding it to phishing@hawaii.edu. Learn how to report a suspicious email at https://www.hawaii.edu/askus/898
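The EXAMINE checks above (lookalike sender domain, a link whose visible text does not match its real destination, urgent language, and requests to move to another channel) as an added, runnable example that is not part of the original page or of UH ITS tooling. It assumes hawaii.edu is the trusted domain, as on the page; the sample message, the keyword lists, and the 0.8 similarity threshold are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

TRUSTED_DOMAIN = "hawaii.edu"  # the institution's real domain, as used on the page
URGENCY = ("act immediately", "suspended", "within 24 hours", "verify your account")
OFF_CHANNEL = ("text me", "call me at", "whatsapp", "my personal email")

def is_trusted(host: str) -> bool:
    """True for hawaii.edu itself and any of its subdomains."""
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

def domain_of(address: str) -> str:
    """Domain part of 'Name <user@domain>' or 'user@domain', lowercased."""
    return address.rsplit("@", 1)[-1].strip(" >").lower()

def is_lookalike(host: str) -> bool:
    """Flag a near-miss of the trusted label (hawai.co) or the label under another TLD (hawaii.com)."""
    if is_trusted(host):
        return False
    label = host.split(".")[-2] if "." in host else host
    return SequenceMatcher(None, label, TRUSTED_DOMAIN.split(".")[-2]).ratio() >= 0.8

def examine(msg: dict) -> list:
    """Apply the EXAMINE checks to one message and return the warnings raised."""
    warnings = []
    sender = domain_of(msg["from"])
    if is_lookalike(sender):
        warnings.append(f"sender domain {sender} imitates {TRUSTED_DOMAIN}")
    reply_to = msg.get("reply_to")
    if reply_to and domain_of(reply_to) != sender:
        warnings.append("reply-to goes to a different domain than the sender")
    # Compare each link's visible text with its real destination host.
    for url, text in re.findall(r'<a href="([^"]+)">([^<]+)</a>', msg["body"]):
        host = (urlparse(url).hostname or "").lower()
        if TRUSTED_DOMAIN in text.lower() and not is_trusted(host):
            warnings.append(f"link text shows {TRUSTED_DOMAIN} but goes to {host}")
        elif is_lookalike(host):
            warnings.append(f"link host {host} imitates {TRUSTED_DOMAIN}")
    body = msg["body"].lower()
    if any(p in body for p in URGENCY):
        warnings.append("urgent or threatening language")
    if any(p in body for p in OFF_CHANNEL):
        warnings.append("asks to move the conversation to another channel")
    return warnings

# Constructed sample message, modelled on the page's "admin@hawai.co" example.
SAMPLE = {
    "from": "UH ITS Help Desk <admin@hawai.co>",
    "reply_to": "uh-helpdesk@mail-relay.example",
    "body": ("Your account will be suspended. Act immediately: "
             '<a href="https://hawaii.edu.verify-login.example/reset">'
             "https://www.hawaii.edu/login</a> or text me at 555-0100."),
}
```

Calling `examine(SAMPLE)` raises all five warnings; a plain reminder from its@hawaii.edu with no links raises none. These heuristics are a reading aid, not a substitute for forwarding the message to phishing@hawaii.edu.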

How to Avoid Phishing Scams

Here are some practical steps to help you avoid falling victim to phishing:

  1. Never Click on Links or Download Attachments from Unknown Sources:
    • If something looks suspicious, don’t click! Verify the sender or contact the organization directly through official channels before taking action.
  2. Use Multi-Factor Authentication (MFA):
    • MFA adds an extra layer of security, even if you accidentally reveal your password. Remember to change your password should this happen and never approve MFA requests that do not line up to your logins!
  3. Keep Software and Systems Updated:
    • Regularly update your operating system, browsers, and security software to protect against the latest threats.
  4. Watch for Phishing on Mobile Devices:
    • Phishing is not just an email problem. Be vigilant about SMS phishing (smishing) and avoid clicking on suspicious links in text messages.
  5. Think Before You Act:
    • If you receive an unexpected request for personal or financial information, stop and think. Always verify before responding, and if you receive a vishing call, say you will call back and verify the phone number independently first.

Types of Scams at UH:

  • Job Scams: Attackers lure job seekers with enticing job or internship offers to steal personal information, such as Social Security numbers or bank details. They often create a sense of urgency with limited positions or first-come-first-served claims.
  • Free Giveaways: Scammers offer free products or services in exchange for personal information. They may ask you to cover shipping costs for an item you’ll never receive.
  • Termination of Account: Attackers often create a sense of urgency in emails, urging you to verify your account. The University will NEVER ask for your username, password, or DUO code via text, voice, or forms. Be cautious of websites that mimic the UH login. Always verify that links are to a hawaii.edu domain, and if in doubt, ask for clarification.
  • For examples of job scams and more phishing resources, see the links below:

  • UH Phishing campaign alerts: https://www.hawaii.edu/its/alerts/
  • UH Email alert sign up: https://www.hawaii.edu//its/notices/index.php
  • Job Offer Scams: https://www.hawaii.edu/infosec/awareness/job-offer-scam/
  • Spot the phish: https://phishingquiz.withgoogle.com/
  • Spearphishing: https://www.hawaii.edu/infosec/spearphishing/
  • S.E.A.R the Phish: https://www.hawaii.edu/infosec/phishing/learnmore/
Week 4 – Software Updating

An image titled “Don't Let Them In” has bugs on both ends; patching your systems helps keep bugs from getting in. The bottom left shows Prevent Tips and the right shows Important Tips. The bottom right shows an image of bugs swarming in a hole.

Week 4: Update & Defend: Secure Your Digital Space!

For the final week of Cybersecurity Awareness Month we will focus on Device Security and the critical importance of keeping your software and hardware up to date. Remember, your devices not only store your digital footprint but also contain a wealth of sensitive information related to both your personal and professional life. Securing your devices is crucial for safeguarding your data and privacy.

Why are updates so important?

Keeping your software and hardware up to date is important for patching security vulnerabilities, fixing bugs, improving performance, and enhancing functionality. If you delay patching, daily activities like browsing the web can lead to infections. Compromised web pages can check for outdated browsers and redirect you to malicious pages to exploit the device or download malware. Enabling automatic updates is a good way to keep your device secure, but it also requires you to restart your applications or machine to apply the patches.

Tips to defend yourself

  • Update to Protect: Regularly updating software and hardware is your first line of defense against security vulnerabilities.
  • Be cautious of applications you install: Installation files can bundle third-party software, also known as potentially unwanted programs, that may be a security risk. Be conscious when clicking through the installer and read through all the steps.
  • Always download installation files from official sites: Third-party sites may offer free downloads, but these can be modified to contain malware that allows remote access or steals information.
  • Limit browser extensions: Browser extensions can enhance the browsing experience, but they may be made by third parties who are not trustworthy. Malicious actors can disguise extensions as AI assistants that steal passwords and sensitive information.
  • Limit administrator account usage: Standard user accounts should be used for daily activities to prevent full system compromises in the event malware is installed.
  • Never leave your device unlocked and unattended: All it takes is for you to step away from your machine for someone else to install malware, read your email, or to steal your data.
  • Encrypt your hard drive: Encrypting your hard drive protects your data should your device be lost or stolen.
  • Be cautious of public untrusted networks: Connecting unpatched devices to public networks like cafes, airports, and hotels can lead to infections from other compromised devices or malicious actors.
  • Never download software or call support numbers from pop-ups: If you are browsing the web and suddenly get a pop-up saying your device is infected or the browser is out of date, never follow its instructions to remediate; these pages are intended to scare users into downloading malware or remote access tools. You can force close applications if you need to with Alt+F4 on Windows or Option+Command+Esc on macOS.
  • Back up your data regularly: Follow the 3-2-1 rule: three copies of the data to be protected, on two different types of storage media, with one copy sent off site or kept offline.