2017 National Cyber Security Awareness Month
The purpose of National Cyber Security Awareness Month (NCSAM) is to raise awareness of the cyber security issues facing us, not only at the University of Hawaii, but also in our daily lives.
National Cyber Security Awareness Month (NCSAM) is sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance (NCSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Each week of October will feature a different theme of cyber security. A summary of the current week will be posted on the top of this page while previous weeks will be placed towards the bottom. The current week's information will also be available on the Infosec home page.
The weekly topics will be:
- Online Safety
- Securing your home network
- Securing Personal Data
- Security for IoT Devices
Week 1: Online Safety
According to a 2016 Raytheon survey, 86 percent of young adults think that keeping the Internet safe and secure is a responsibility we all share - up 4 percent from 2015.
As digital citizens, we are getting better about consistently protecting ourselves, our devices, and our family and friends. However, the Internet is always "on," so we must remain vigilant and continue to connect with care in order to protect our mobile devices - including laptops, smartphones, and wearable technology - as well as our personal information.
- Protect your device. Add a passcode to your cell phone, tablet, or laptop right now!
- Use strong passwords or passphrases, especially for online banking and other important accounts.
- Enable multifactor authentication. Wherever possible, enable multifactor authentication, which helps secure your accounts by requiring hardware or biometrics in addition to your password.
- Check your social media settings. Review your social media security and privacy settings frequently. Enable two-step verification whenever possible.
- Educate yourself. Stay informed about the latest technology trends and security issues such as malware and phishing.
- Get trained. Contact your institution's IT, Information Security, or privacy office for additional resources and training opportunities.
Below are a few tips from the National Cyber Security Alliance to keep you safe online!
Keep A Clean Machine
- Keep Security Software Current: Having the latest security software, web browser, and operating system is the best defense against viruses, malware, and other online threats.
- Automate Software Updates: Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that's an available option.
- Protect All Devices That Connect To The Internet: Along with computers, smart phones, gaming systems, and other web-enabled devices also need protection from viruses and malware.
- Plug And Scan: USBs and other external devices can be infected by viruses and malware. Use your security software to scan them.
Protect Your Personal Information
- Secure Your Accounts: Ask for protection beyond passwords. Many account providers now offer additional ways for you to verify who you are before you conduct business on that site.
- Make Passwords Long And Strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password.
- Unique Account, Unique Password: Having separate passwords for every account helps to thwart cybercriminals.
- Write It Down And Keep It Safe: Everyone can forget a password. Keep a list that's stored in a safe, secure place away from your computer.
- Own Your Online Presence: Set the privacy and security settings on websites to your comfort level for information sharing. It's ok to limit how and with whom you share information.
Connect With Care
- When In Doubt, Throw It Out: Links in emails, tweets, posts, and online advertising are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it's best to delete it or, if appropriate, mark it as junk mail.
- Get Savvy About Wi-Fi Hotspots: Limit the type of business you conduct and adjust the security settings on your device to limit who can access your machine.
- Protect Your $$: When banking and shopping, check to be sure the site is security enabled. Look for the web addresses with "https://," which means the site takes extra measures to help secure your information. "Http://" is not secure.
Week 2: Protecting Personally Identifiable Information @ UH
Protecting Personally Identifiable Information (PII) is everyone's responsibility at the University of Hawaii. Understanding what PII is and how to protect it is extremely important to ensuring that the data does not get into the wrong hands or become inadvertently exposed. If you suspect that data has been exposed, or that someone is inappropriately handling sensitive information, please report it at email@example.com (or see Report Security Issues or Incidents). Below is a summary of each point of Week 2 content:
What is Personally Identifiable Information?
Personally Identifiable Information (PII) is the type of information that needs to be protected because its inadvertent disclosure or inappropriate access requires a breach notification or is subject to financial fines. Information such as Social Security Numbers, Driver's License numbers or Hawaii Identification Card numbers, Financial Account numbers, PCI-DSS information, and Health information, including anything covered by the Health Insurance Portability and Accountability Act (HIPAA), is categorized as "Regulated" by the University of Hawaii.
New University Data Governance and Data Classification Policies
E2.215 Institutional Data Governance - Established to provide principles governing the management and use of data and information at the University, including, but not limited to, the collection and creation, privacy and security, and integrity and quality of that data and information.
E2.214 Data Classification Categories - Established to organize UH Institutional Data into data classification categories based on the different levels of security risk and penalties that may result from the inadvertent exposure and inappropriate disclosure of those data. The categories are: Public, Restricted, Sensitive, and Regulated.
New University HIPAA Policy and HIPAA Compliance Officer
JT Ash, the University of Hawaii HIPAA Compliance Officer, can be reached at firstname.lastname@example.org or (808) 956-7241.
The HIPAA Policy can be found here: http://www.hawaii.edu/policy/e2.217
Do you handle PII, "Sensitive", or "Regulated" data?
If at any point you handle or view any sensitive data or regulated data, you must acknowledge the online General Confidentiality Notice, found at https://www.hawaii.edu/its/acer/. The General Confidentiality Notice identifies the types of information that are considered sensitive and confidential (note that it is not exhaustive). The document also identifies the responsibilities of people who have access to sensitive information.
You should also take the Information Security Awareness Training found in Laulima. This brief course goes over various topics, such as data breaches, securing information, and policy. A link to the Security Awareness Training can be found here: https://www.hawaii.edu/infosec/training/.
Do you store "Regulated" data electronically or in paper format?
According to Hawaii Revised Statutes (HRS) 487N-7, any personal information system (regardless of whether it is paper-based or electronic) needs to be reported. For the University of Hawaii, this information needs to be reported in the Personal Information Survey site. This information survey MUST be reviewed and updated yearly.
Are you responsible for a server running on the UH Network?
If you are hosting a server on the University of Hawaii network (regardless of whether it is behind a firewall), it MUST be registered on the Server Registration site. In addition to registering your server, you must have it scanned for vulnerabilities and sensitive information yearly. More information on this requirement can be found here: https://hawaii.edu/askus/1312.
Information Security is ALL OUR Responsibility
Remember: Everyone is responsible for the protection of sensitive information. This task should not be left for one person to accomplish. It requires everyone's understanding and participation to be effective. Everyone should know and understand the procedures of securing data at the University of Hawaii.
Week 3: Home Network Security
Everyone connected to the Internet at home has a home network. These days, it's even simple to set up: You just plug the cables into their respective spots, turn everything on, and it works! Unfortunately, that's where many stop configuring their home network. Many cyber criminals are able to break into home networks simply because the device was never updated or the admin password was never changed.
Below are some tips to get you started with securing your home network by configuring your router. Please note: Every router is different and may not offer all the features listed below.
- Change the default admin password to a strong one. The default admin credentials are normally very easy to guess and even easier to find on the Internet.
- Turn on WPA2 PSK security on the wireless network AND change the default password. This option requires you to provide a password to connect to the network. Like the admin credentials, the default password is also easily found on the Internet. You never want malicious users on your network.
- Turn off ICMP ping response. This option will stop the router from responding to ping requests, and will act like the device is unreachable. This will stop people from determining if your IP address is active and a device is using it.
- Turn off Remote Administration. This option will disable the ability to log into the router and change settings from the Internet. If you leave this on, anyone on the Internet can try to log into your router.
- Update your router's firmware. Security holes are found and patched around the clock, so it is important to keep your router up to date to prevent it from being vulnerable to known attacks.
Week 4: IoT Device Security
As technology progresses, so does the prevalence of Internet of Things (IoT) devices. The Internet of Things, in general terms, refers to everyday objects and devices that are able to connect to the Internet. Things like smart TVs, smart refrigerators, and smart home devices (Nest, Amazon Echo, Google Home, etc.) are all IoT. While convenient, these devices are often vulnerable to cybersecurity attacks.
IoT devices are prone to being hacked and loaded with malware that adds the device to a botnet. A botnet is a collection of devices used to carry out large-scale online attacks on behalf of the hackers. It can easily flood networks to slow down the Internet or even cause outages.
Below are a few tips to help keep your IoT devices safe.
- Use strong passwords when setting up the device (if possible). A common way for hackers to compromise devices is to use the default username and password to gain access.
- Secure your home network. Doing things like blocking access to your network, filtering ports and IPs, activating the firewall, etc. are all beneficial in keeping your IoT devices safe. Visit https://www.hawaii.edu/infosec/ncsam for more tips on how to secure your home network.
- Do not connect the device to the Internet if you don't use the online features. Devices like smart TVs and smart refrigerators will still function as TVs and refrigerators without Internet connectivity.
- Restrict access to the device. Create firewall rules to only allow certain IP addresses to access the device.
- Keep the device updated! If possible, always check for updates for the device, especially on the manufacturer's website. Security holes are found constantly and are patched just as quickly. Stay up to date to prevent your device from being hacked.
Mobile Device Security
Mobile devices are becoming a part of people's everyday lives. Many of us use our mobile devices to view bank account information, pay bills, browse the Internet, and use social media. Our mobile devices can also be used to store sensitive information like photos, videos, emails, and text messages. It's important that we protect this information to prevent unauthorized users from accessing it. The first line of defense for your mobile device is your lock screen. Your lock screen doesn't only keep your significant other, kids, or parents from snooping on your phone; it also makes it harder for malicious users to gain access to your device in the event it's lost or stolen.
SEAR the Phish!
Cybercriminals craft legitimate-looking email to trick you into divulging your personal information. To keep yourself from becoming a victim, SEAR the phish!