Author: University Libraries Cybersecurity Awareness Team (page 2 of 5)

Whaling, SMiShing, and Vishing…Oh My!

Social engineering—manipulating people into doing what they want—is the most common way cybercriminals steal information and money. It is at the heart of all types of phishing attacks—those conducted via email, text message (SMS), and phone calls. Technology makes these sorts of attacks easy and very low risk for the attacker. Make sure you’re on the lookout for these variants on the traditional, mass-emailed phishing attack:

  • Spear phishing: This kind of attack involves messages, often very well crafted, that appear to come from a trusted VIP source who is often in a hurry. When it targets those who can conduct financial transactions on behalf of your organization, it is sometimes called “whaling.”
  • SMiShing: Literally, phishing attacks via text message, these scams attempt to trick users into supplying content or clicking on links in text messages on their mobile devices. Flaws in how caller ID and phone number verification work make this an increasingly popular attack that is difficult to contain.
  • Vishing: Voice phishing, these are calls from attackers claiming to be government agencies such as the IRS, software vendors like Microsoft, or services offering to help with benefits or credit card rates. Attackers will often appear to be calling from a local number close to yours. As with SMiShing, flaws in how caller ID and phone number verification work make this a dangerous attack.

No matter the medium, follow these techniques to help prevent getting tricked by these social engineering attacks:

  • Don’t react to scare tactics: All of these attacks depend on scaring the recipient, such as with the threat of a lawsuit, a claim that their computer is full of viruses, or a warning that they might miss out on a chance at a great interest rate. Don’t fall for it!
  • Verify contacts independently: Financial transactions should always follow a defined set of procedures, which includes a way to verify legitimacy outside email or an inbound phone call. Legitimate companies and service providers will give you a real business address and a way for you to contact them back, which you can independently verify on a company website, support line, etc. Don’t trust people who contact you out of the blue claiming to represent your company.
  • Know the signs: Does the message/phone call start with vague information, a generic company name like “card services,” an urgent request, and/or an offer that seems impossibly good? Hang up or click that delete button!

Take Control of Your Personal Info to Help Prevent Identity Theft

Identity theft has become a fact of life during the past decade. If you are reading this, it is a safe bet that your data has been breached in at least one incident. Does that mean we are all helpless? Thankfully, no. There is a lot we can do to protect ourselves from identity theft and to make recovery from cyber incidents quicker and less painful.

First, take control of your credit reports. Examine your own report at each of the “big three” bureaus. You get one free report from each credit bureau once per year. You can request them by going to AnnualCreditReport.com. Make sure there’s nothing inaccurate in those reports, and file for correction if needed. Then initiate a credit freeze at each of those plus two other smaller ones. Instructions can be found at Krebs on Security (https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/). To keep an eye on your credit report all year, space out your credit bureau requests by requesting a report from a different credit bureau every four months.

Next, practice good digital hygiene. Just as you lock your front door when you leave home and your car when you park it, make sure your digital world is secured. This means:

  1. Keep your operating system up to date. When OS updates are released, they fix errors in the code that could let the bad guys in.
  2. Do the same for the application software you use. Web browsers, plug-ins, email clients, office software, antivirus/antimalware, and every other type of software has flaws. When those flaws are fixed, you are in a race to install that fix before someone uses the flaw against you. The vast majority of hacks leverage vulnerabilities that have a fix already available.
  3. Engage your brain. Think before you click. Think before you disclose personal information in a web form or over the phone.
  4. Think before you share on social media sites. Some of those fun-to-share-with-your-friends quizzes and games ask questions that have a disturbing similarity to “security questions” that can be used to recover your account. Do you want the answers to your security questions to be published to the world?
  5. Use a password manager and keep a strong, unique password for every site or service you use. That way a breach on one site won’t open you up to fraud at other sites.
  6. Back. It. Up. What do you do if you are hit with a ransomware attack? (Or a run-of-the-mill disk failure?) If you have a recent off-line backup, your data are safe, and you can recover without even thinking about paying a ransom.
  7. Full disk encryption is your friend. If your device is stolen, it will be a lot harder for a thief to access your data, which means you can sleep at night.
  8. Check all your account statements regularly. Paperless statements are convenient in the digital age. But it is easy to forget to check infrequently used accounts such as a health savings account. Make a recurring calendar reminder to check every account for activity that you don’t recognize.
  9. Manage those old-style paper statements. Don’t just throw them in the trash or the recycle bin. Shred them with a cross-cut shredder. Or burn them. Or do both. Data stolen from a dumpster are just as useful as data stolen from a website.

If you’ve been a victim of identity theft:

  • Create an Identity Theft Report by filing a complaint with the Federal Trade Commission (ftc.gov) online (or call 1-877-438-4338).
  • Use the Identity Theft Report to file a police report. Make sure you keep a copy of the police report in a safe place.
  • Flag your credit reports by contacting the fraud departments of any one of the three major credit bureaus: Equifax (800-685-1111); TransUnion (888-909-8872); or Experian (888-397-3742).

National Consumer Protection Week is March 3-9

National Consumer Protection Week (NCPW) is March 3–9. This annual event encourages individuals and businesses to learn about their consumer rights and how to keep themselves secure. The Federal Trade Commission (FTC) and its NCPW partners provide free resources to protect consumers from fraud, scams, and identity theft.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages consumers to review FTC’s NCPW resource page (https://www.consumer.ftc.gov/features/national-consumer-protection-week), participate in the NCPW Twitter chats and Facebook Live event, and review the following CISA tips:

  • Protecting Your Privacy – https://www.us-cert.gov/ncas/tips/ST04-013
  • Avoiding Social Engineering and Phishing Attacks – https://www.us-cert.gov/ncas/tips/ST06-003
  • Preventing and Responding to Identity Theft – https://www.us-cert.gov/ncas/tips/ST05-019

How to Use Social Media for Good – Safely Creating a Positive Presence Online

Our social networks tell a story about us. You want to make sure that the story your social media tells about you is a good one. As articulated in a blog from the Digital Marketing Institute: “Sharing online allows you to craft an online persona that reflects your personal values and professional skills. Even if you only use social media occasionally, the content you create, share, or react to feeds into this public narrative. How you conduct yourself online is now just as important as your behavior offline.”

A positive online reputation is vital in today’s digital world. Like it or not, your information is out there. What you can do is help to control it and what it says about you.

Social media is so ingrained in our society that almost everyone is connected to it in some form. With every social media account you sign up for, every picture you share, and every post you make, you are sharing information about yourself with not only your friends and family but the entire digital world. How can you make sure your information and reputation stay safe online? Here are a few easy steps to get you started.

  • Keep it clean and positive. Be entirely sure about what you’re posting. Make sure to post content that you feel positively reflects you, your creativity, your values, and your skills. Remember that future employers may look at your social media accounts before hiring you. Questionable content can leave a bad impression; this can include pictures, videos, or even opinions that make you seem unprofessional or mean and may end up damaging your reputation.

    Always think before you post or share negative or inappropriate content. Use the 24-hour rule before posting, allowing yourself 24 hours before posting any content that may be questionable to give yourself time to reflect on whether it is a good idea.

  • Oversharing and geotagging. Never click and tell. It can seem like everyone posts personal information on social media all the time, including where they are and where they live. As noted on the DHS.gov site: “What many people don’t realize is that these seemingly random details are all criminals need to know to target you, your loved ones, and even your physical belongings—online and in the real world. Avoid posting names, phone numbers, addresses, school and work locations, and other sensitive information (whether it’s in the text or in the photo you took). Disable geotagging, which allows anyone to see where you are—and where you aren’t—at any given time.”

    If you really want to post that picture of your friends at brunch, consider following the concept of #latergram and post your content at a later time than when it actually happened. It is a win-win. You get to share your experience and at the same time still maintain the privacy of your location in real time.

  • Don’t rely on privacy settings. You have a private social media account so you can post anything you want? Nope. Privacy settings make it harder to see your full account, but it’s not impossible. Also, there is always the chance that one of the people with access to your private account could screenshot and share the content.

    Make sure to keep your social media apps up to date and check the privacy settings frequently. Under no circumstances should you rely on privacy settings to shield inappropriate content. If there is any question that the content is inappropriate, don’t post it.

  • Make sure you’re professional. Keep it classy! Every post is a reflection of you. Your social media accounts allow you to put your best foot forward or stumble if you aren’t careful. A positive social media presence can help create both personal and professional opportunities. Promote your personal brand or what you want people to think of you. And, your high school English teacher was correct—proper spelling and grammar are always a plus.
  • Control your content. Claim your identity on social media. Set up social media accounts and keep the profiles current. You don’t have to join every platform; a few key ones will do. You can also look into apps that will cross post the content to all of your social media accounts, freeing up some of your valuable time. Use your accounts to engage professionally and personally in a positive way.

Your social media accounts should tell the story of you that you want employers and others to see. Google your own name on a regular basis to make sure that the information out there is accurate. If you find incorrect information online, request that the website update it or take it down.

Following these few simple recommendations puts you on your way to safely building a positive online reputation. Using social media positively doesn’t mean you can’t have fun and use it to express yourself; however, you want to ensure that you’re okay with anyone seeing everything you post. Once you post something online, it’s out there forever.

Tax Identity Theft Awareness Week is January 28 to February 1

Tax Identity Theft Awareness Week is January 28 to February 1. This annual campaign aims to help consumers be more informed about protecting themselves from tax-related identity theft and scams. Tax-related identity theft occurs when someone steals a Social Security number and uses it to claim a tax refund or get a job.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages consumers to review the following resources for additional information:

  • Internal Revenue Service (IRS) publication Taxes. Security. Together – https://www.irs.gov/pub/irs-pdf/p4524.pdf
  • NCCIC Tips on Preventing and Responding to Identity Theft – https://www.us-cert.gov/ncas/tips/ST05-019
  • NCCIC Caution Users: Prepare for Heightened Phishing Risk This Tax Season – https://www.us-cert.gov/ncas/tips/ST15-001

Data Privacy Day is January 28th

January 28 is Data Privacy Day (DPD), an annual effort to raise awareness about the importance of privacy and data protection as well as to unite privacy professionals worldwide. Data Privacy Day also marks the date when several countries signed the first legally binding international treaty dealing with the protection of personal data, Convention 108, on Jan. 28, 1981. The United States, Canada and 27 countries in the EU observe Data Privacy Day, also known as Data Protection Day in Europe. This year’s DPD events, sponsored by the National Cyber Security Alliance (NCSA), focus on the theme “A New Era in Privacy.”

The NCSA Stay Safe Online website (staysafeonline.org) will feature a live stream of the Data Privacy Day 2019 – Live From LinkedIn event (https://staysafeonline.org/dpd19-live/), which includes presentations on opportunities and challenges and the future of privacy, as well as a TED-style talk with the Amazon Web Services Global principal security architect.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review NCSA’s tips on Managing Your Privacy (https://staysafeonline.org/stay-safe-online/managing-your-privacy) and the following NCCIC tips:

  • Safeguarding Your Data – https://www.us-cert.gov/ncas/tips/ST06-008
  • Protecting Your Privacy – https://www.us-cert.gov/ncas/tips/ST04-013
  • How Anonymous Are You? – https://www.us-cert.gov/ncas/tips/ST05-008
  • Choosing and Protecting Passwords – https://www.us-cert.gov/ncas/tips/ST04-002

Information about OSU’s privacy program is available here: https://it.osu.edu/news/2018/12/06/new-privacy-program-promotes-best-practices

Securing New Devices

During the holidays, internet-connected devices such as smart TVs, watches, toys, phones, and tablets, also known as Internet of Things (IoT) devices, are often popular gifts. This technology provides a level of convenience to our lives, but it requires that we share more information than ever. The security of this information, and the security of these devices, is not always guaranteed.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), recommends these important steps you should consider to make your Internet of Things more secure:

Use strong passwords. Passwords are a common form of authentication and are often the only barrier between you and your personal information. Some Internet-enabled devices are configured with default passwords to simplify setup. These default passwords are easily found online, so they don’t provide any protection. Choose strong passwords to help secure your device. See the article Choosing and Protecting Passwords at http://www.us-cert.gov/cas/tips/ST04-002.html for more information.

Evaluate your security settings. Most devices offer a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more at risk. It is important to examine the settings, particularly security settings, and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of software, or if you become aware of something that might affect your device, reevaluate your settings to make sure they are still appropriate. See the Good Security Habits article at https://www.us-cert.gov/ncas/tips/ST04-003 for more information.

Ensure you have up-to-date software. When manufacturers become aware of vulnerabilities in their products, they often issue patches to fix the problem. Patches are software updates that fix a particular issue or vulnerability within your device’s software. Make sure to apply relevant patches as soon as possible to protect your devices. See Understanding Patches at https://www.us-cert.gov/ncas/tips/ST04-006 for more information.

Connect carefully. Once your device is connected to the Internet, it’s also connected to millions of other computers, which could allow attackers access to your device. Consider whether continuous connectivity to the Internet is needed. See Securing Your Home Network at https://www.us-cert.gov/ncas/tips/ST15-002 for more information.

Securing New Devices in an Internet of Things World

Interested in learning more about Internet of Things (IoT) devices? Here’s an overview: https://cybersecurity.osu.edu/cybersecurity-you/protect-personal-devices/iot

Without a doubt, the smart devices that are a part of the Internet of Things make our lives easier and have many benefits; but we can only reap these benefits if our devices are secure and trusted. Here are some tips from the STOP. THINK. CONNECT. campaign (https://www.dhs.gov/stopthinkconnect-toolkit) and National Cyber Security Alliance (https://staysafeonline.org/blog/evolving-digital-life-cybersecurity-evolving-internet-things/) to increase the security of our Internet-enabled devices:

  • Do your research! Before you adopt a new smart device, research it to make sure others have had positive experiences with the device from a security and privacy perspective. Be sure to read privacy policies to know where the data that you and your IoT devices generate is stored, how long it may be retained, and what may be done with it.
  • Think twice about your device. Have a solid understanding of how a device works, the nature of its connection to the Internet, and the type of information it stores and transmits.
  • Understand what’s being collected. Most IoT devices require data collection. Take the time to understand what information your connected devices collect and how that information is managed and used.
  • Where does your data go? Many IoT devices will send information to be stored in the cloud. Understand where your data will reside and the security protecting your personal information.
  • Understand how to keep IoT devices up to date. This includes any software updates that might be needed and passwords or other ways of securing devices.
  • Use strong passwords. Be sure to use a password for email accounts and cloud-based IoT services that is strong and unique. Password recommendations can be found at: https://cybersecurity.osu.edu/cybersecurity-you/passwords-authentication/passwords
  • Keep a clean machine. Like your smartphone or PC, keep any device that connects to the Internet free from viruses and malware. Update antivirus and anti-malware software regularly on the device itself as well as the apps you use to control the device.
  • Secure your network. Properly secure the wireless network you use to connect Internet-enabled devices. Don’t forget to use a strong password and update software regularly to protect your Wi-Fi router at home.
  • Delete unused accounts. Be sure to delete any user accounts or other data when you are no longer using the IoT device. Information about deleting your account from various services can be found at: https://justdelete.me

Internet of Things 101. Cars, healthcare devices, appliances, wearables, lighting, and home security all contain sensing devices which allow consumers to control them remotely. In addition, these devices collect data and literally “talk to one another.”

Source: STOP. THINK. CONNECT. Internet of Things 101 infographic (https://staysafeonline.org/wp-content/uploads/2017/09/Internet-of-Things-Infographic.pdf)

Holiday Scams and Malware Campaigns

As the holidays approach, it is important to be aware of seasonal scams and malware campaigns. Members of our community should be cautious of unsolicited emails that contain malicious links or attachments with malware, advertisements infected with malware, and requests for donations from fraudulent charitable organizations, which could result in security breaches, identity theft, or financial loss.

The following actions are recommended:

If you believe you are a victim of a scam or malware campaign, consider the following actions:

Shop Safe Online, Even on Black Friday!

The holiday season is the perfect time for cybercriminals to take advantage of unsuspecting online shoppers. When you go to the grocery store or local shop, it’s habit to grab your reusable bags, lock the car, and make sure you’ve safely put away your credit card or cash before heading home with the day’s purchases. Similar precautions need to be taken when you’re shopping online from the comfort of your own home. If you make these simple precautions regular online shopping habits, you’ll be protecting your purchases and personal information.

The National Cyber Security Alliance recommends following these basic steps so you’ll be ready to cybershop safely and securely; additional information can be found here: https://staysafeonline.org/resource/cyber-safe-holiday-shopping-resource/

  • Lock down your login. One of the most critical things you can do in preparation for the online shopping season is to fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like e-mail, banking, and social media.
  • Keep clean machines. Before searching for that perfect gift, be sure that all web-connected devices—including PCs, mobile phones, smartphones, and tablets—are free from malware and infections by running only the most current versions of software and apps.
  • Shop reliable websites online. Use the sites of retailers you trust. If it sounds too good to be true, it probably is!
  • Conduct research. When using a new website for your holiday purchases, read reviews and see if other customers have had a positive or negative experience with the site.
  • Personal information is like money: value it and protect it. When making a purchase online, be alert to the kinds of information being collected to complete the transaction. Make sure you think it is necessary for the vendor to request that information. Remember that you only need to fill out required fields at checkout.
  • Get savvy about Wi-Fi hotspots. If you are out and about, limit the type of business you conduct over open public Wi-Fi connections, including logging in to key accounts, such as e-mail and banking. Adjust the security settings on your device to limit who can access your phone. If you must use open Wi-Fi connections, connect to a virtual private network (VPN) first.
  • Check the address bar. Look for the green lock icon and https:// in the URL before using your credit card online.