Best Practice

No-Click November


It’s November again. Cyber Security Awareness month (October) just passed but that doesn’t mean that we don’t have to keep practicing all the online safety tips we learned; quite the opposite actually, now that we have gotten more informed about online security, we must implement those tips daily and share our knowledge with everyone that surrounds us.

This year is coming to an end, yet new security exploits show up every day to attack the cyberspace. Holidays are coming, and NOW is as good a time as ever to learn/review security tips regarding where we “click”. Even the most security savvy are prone to distractedly click here or there and fall for a scam before even realizing it. During this month, we will be sharing tips through all of our social media channels, to properly prepare you to enter the Internet battlefield, a place full of web links, attachments, and tricky “click-here’s”.

The number of people who go online every day only gets bigger and bigger, and so does the time they stay online. Phishing attacks and identity theft attempts are a threat to us most of the time we are navigating through the cyberspace, which is why we should stay protected always, and since the internet is a shared resource, our duty is also to create awareness and make sure others stay secure as well.

From malicious links sent through email, to suspicious attachments and even “x” (cancel) buttons in ads and popups, the possibility of falling for an attack is just one click away. The best way to protect yourself is to be vigilant about where you navigate and to take every precaution possible.

This month we also have Computer Security Day (Nov. 30th). This is a great month to remind you to keep your computer and information safe. Learn how in our Securing Your Computer section.

Tips to help you identify when not to click:

  • Don’t simply trust information from sources you don’t know. If you have to click a link, cut and paste the information into the browser to make sure it’s a legit site.
  • Make sure you know where short links are taking you. A good way to find out is by copying and pasting them into a "link expander" such as KnowURL.com or LongURL.org.
  • Before clicking on links in emails, especially if you don’t know the source, rest your mouse (without clicking) on the link and make sure the address is the same one typed in the email.
  • Try to always investigate the source of a link before clicking it. Don’t trust what comes to you from strangers.
  • Beware of scammers on popular websites. On some sites like Pinterest, you might click on someone’s board and realize that it takes you to a completely different address than what the pin was about. Be cautious when clicking on other people’s content.
  • Be careful with websites that require you to download a video codec or software to view something. It will most likely lead you to download malware.
  • Read before you click. If you don’t find the terms and conditions worth reading, then don’t put your security at risk by agreeing to them.
  • We recommend you enable site checking and add an anti-phishing toolbar to your browser. These toolbars help detect and may block known phishing sites.
  • Just because a friend posts or "likes" a shared link doesn’t mean that it is safe to access. Hackers often disguise links as interesting content to get to you, but the malware behind them will likely affect your computer or mobile device in many harmful ways.
  • We often ignore pop ups reminding us to update our computer security software. In this case, DO click, as soon as you can. An important part of staying safe is keeping them up to date.
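The hover check and the short-link tip above can be automated for an HTML email body. The following is an added example, not part of the original page: it flags links whose visible address differs from the real target and links that go through a shortener. The shortener list and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed, non-exhaustive examples of link-shortener hosts (not from the page).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Link text that is itself a web address, e.g. "www.example.edu/login".
URL_LIKE = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$", re.IGNORECASE
)


def host_of(address):
    """Lower-case host of a URL or bare domain, with a leading 'www.' removed."""
    if not re.match(r"https?://", address, re.IGNORECASE):
        address = "http://" + address
    try:
        host = (urlsplit(address).hostname or "").lower()
    except ValueError:  # malformed address such as an unclosed IPv6 bracket
        return ""
    return host[4:] if host.startswith("www.") else host


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href.strip(), "".join(self._text).strip()))
            self._href = None


def audit_links(html):
    """Return (finding, shown_text, real_host) tuples for links worth a second look."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not re.match(r"https?://", href, re.IGNORECASE):
            continue  # mailto:, in-page anchors and relative paths are skipped
        real = host_of(href)
        if not real:
            continue
        if URL_LIKE.match(text):
            shown = host_of(text)
            # Same host, or a subdomain of the shown host, counts as consistent.
            if real != shown and not real.endswith("." + shown):
                findings.append(("mismatch", text, real))
                continue
        if real in SHORTENERS:
            findings.append(("shortened", text, real))
    return findings


# Constructed sample message body (not a real email).
SAMPLE_EMAIL = """
<p>Your mailbox is full. Verify at
<a href="http://mail-verify.example.net/login">https://www.example.edu/mail</a></p>
<p><a href="https://www.example.edu/security">www.example.edu/security</a></p>
<p><a href="https://bit.ly/abc123">Holiday deals</a></p>
<p><a href="mailto:help@example.edu">help@example.edu</a></p>
<p><a href="http://example.edu.account-check.example.org/">example.edu</a></p>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(finding)
```

The last sample link shows why a suffix comparison matters: the real host merely starts with the trusted name, so it is reported as a mismatch.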

 

The online shopping boom sparked by Black Friday also makes this month appropriate to share security tips so you can protect yourself from false special sales and ads that try to trick you into believing that they are leading you to a great deal. If it sounds too good to be true, it probably is. Listen to your instincts!

Check our Online Shopping tips and follow us on all of our social media channels for daily tips and information.

Facebook: RIT Information Security / Twitter: @RIT_InfoSec / Google+: RIT Information Security / Pinterest: RIT InfoSec / Instagram: @RIT_infosec

October is Cyber Security Awareness Month!


This year is the 11th anniversary of National Cyber Security Awareness Month, a collaborative effort created between government and industry to guarantee everyone has the resources needed to stay safe online.

The online world has become a very important part of our everyday life. We work, learn, plan and play online all through the day and the actions that we take, whether we are connected to the Internet or not, often impact the whole online community. The campaign refers to Cybersecurity as “the mechanism that maximized our ability to grow commerce, communications, community and content in a connected world.”

The Internet is a resource that we all share. Everyone has the responsibility of securing the networks they use, as well as their portion of the cyberspace; it is also a shared responsibility to take actions to ensure cyber security and to promote these actions. If we each make an effort to guarantee the safety of the Internet, it will have a positive impact for everyone.

This October, the RIT Information Security Office encourages you to review your online safety practices, take precautions and spread the word! Help others understand the consequences of their actions and behaviors online, so that they too can enjoy the Internet safely. Cyber security is a matter that affects everyone. Do your part to make cyberspace safer!

This year, RIT is again a proud champion of NCSAM, and as a part of our shared responsibility to promote online safety for everyone, we share with you the 2014 National Cyber Security Awareness Campaign STOP.THINK.CONNECT, that is dedicated to promoting cybersecurity practices for everyone.

       

      Practice digital self-defense: protect yourself and everyone else by following these simple tips: 

       

      Keep a Clean Machine.

      • Keep security software current: Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats.
      • Automate software updates: Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an option available. 
      • Protect all devices that connect to the Internet: Smart phones, gaming systems, and other web‐enabled devices also need protection from viruses and malware.
      • Plug & scan: USB sticks and other external devices can be infected by viruses and malware. Use your security software to scan them.

      Protect Your Personal Information.

      • Secure your accounts: Ask for protection beyond passwords. Many account providers now offer two-factor authentication, an additional way for you to verify who you are before you conduct business on that site.
      • Use a passphrase: Create a passphrase by choosing a short phrase, changing the capitalization of some of the letters, replacing some with numerical and symbolic substitutions and purposefully misspelling or abbreviating some words. For more information on how to create a secure password go to Creating Strong Passwords.
      • Unique account, unique password: Separate passwords for every account helps to thwart cybercriminals.
      • Write it down and keep it safe: Everyone can forget a password. Use a password safe such as LastPass to store your passwords.
      • Own your online presence: When available, set the privacy and security settings on social media to your comfort level for information sharing. It’s ok to limit how and with whom you share information.

      Connect with Care.

      • When in doubt, throw it out: Links in email, tweets, posts, and online advertising are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it’s best to delete or if appropriate, mark as junk email.
      • Get savvy about WiFi hotspots: Limit the type of business you conduct and adjust the security settings on your device to limit who can access your machine.
      • Protect your $$: When banking and shopping, check to be sure the site is security enabled. Look for web addresses with “https://” or “shttp://”, which means the site takes extra measures to help secure your information. “Http://” is not secure.

      Be Web Wise.

      • Stay current. Keep pace with new ways to stay safe online. Check trusted websites for the latest information, and share with friends, family, and colleagues and encourage them to be web wise.
      • Think before you act: Be wary of communications that urge you to act immediately, offer something that sounds too good to be true, or ask for personal information.
      • Back it up: Protect your valuable work, music, photos, and other digital information by making a digital copy and storing it safely.

      Be a Good Online Citizen.

      • Safer for me means more secure for all: What you do online has the potential to affect everyone – at home, at work and around the world. Practicing good online habits benefits the global digital community.
      • Help the authorities fight cybercrime: Report stolen finances or identities and other cybercrime to http://www.ic3.gov (Internet Crime Complaint Center) and to the Federal Trade Commission at http://www.onguardonline.gov/file‐complaint.

       

      Go to Best Practices and visit http://www.stopthinkconnect.org for more tips and information.

      RIT is a proud champion of NCSAM

       

      Browser Configuration


      One of the easiest “technologies” to keep your information and computer safe is properly configuring the security settings on your web browser.  Most people leave the settings at default because it’s convenient, but not taking those extra couple minutes now can mean many costly hours (or weeks) later if your information gets compromised.

      Below are some setting suggestions and how to complete them on the most common browsers.  Settings may vary based on browser version, and we recommend always updating your browser to the most current version to ensure the most recent patches and security features are applied.

      1. Limit Cookie Storage
      2. Don’t Store Passwords or Allow Sites to Remember Your Form Entries
      3. Disable Pop-ups
      4. Limit Plug-ins and Add-ons
      5. Enable Automatic Site Checking
      6. Prompt for Downloads
      7. Clear Browsing Data/Temporary Internet Files

      1. Limit Cookie Storage

      Cookies are data files a webpage puts on your computer that track information about you.  Cookies can be helpful, for example by remembering what item you put in your shopping cart while you continue shopping.  Cookies can also send data to third parties that you are not aware of, or keep your login data for a webpage on a public computer after you are done using it.  To help protect your data, we suggest changing your settings to initially block most or all cookies and only enable cookies for certain sites as you come across them.

      NOTE: First-party cookies (cookies for the domain you are on) help with the general web browsing feel we are all used to, for example, staying logged into your bank account site as you navigate from your checking to your savings account.  Therefore, blocking cookies entirely may not be ideal for your browsing needs.  Third-party cookies (cookies not specifically attached to the domain you visited) are often the cookies that cause issues and compromise data, and they can be blocked without interfering with your day-to-day web activities.

      To configure cookies, select:

      INTERNET EXPLORER 10

      Tools | Internet Options | Privacy | Advanced, and:

      1. Select Override automatic cookie handling.
      2. Select Prompt or Accept for first-party cookies and Block for third-party cookies.  If you select Prompt, it will ask for each site what you want to keep, which is helpful for limiting cookie use but will generate a lot of notifications.

      FIREFOX 21

      Main Menu | Options | Options | Privacy, and:

      1. Under History, select Use Custom Setting for History.
      2. Uncheck at least Accept third-party cookies.  You may instead want to uncheck Accept cookies from sites to block all cookies and enable individual cookies as you need to.
      3. Change the Keep Until value to I close Firefox so it won’t store first-party cookies after you close your browser window.

      SAFARI 6

      Safari | Preferences | Privacy, and under Block cookies, select From third parties and advertisers.  You can also block all cookies if you wish by selecting Always and enable individual cookies as you need to.

      CHROME 27

      Chrome Menu | Settings | Show Advanced Settings.  Under Privacy click Content settings.  Under Cookies, set the following:

      1. Select Keep local data only until I quit my browser.  You can instead select Block sites from setting any data if you want to elect which cookies to allow as you visit each site.
      2. Check Block third-party cookies and site data.

      OPERA 12

      Main Menu | Settings | Preferences | Advanced | Cookies, and:

      1. Select Accept cookies only from the site I visit to disable third-party cookies.  You can instead select Never accept cookies if you want to elect which cookies to allow as you visit each site.
      2. Check Delete new cookies when exiting Opera.

       

      2. Don’t Store Passwords or Allow Sites to Remember Your Form Entries

      Some webpages ask if you want to store information such as credit cards, usernames or passwords.  They may also give you the option to stay logged in or to “remember me.”  Having websites remember your information is like writing down a password on a piece of paper and sticking it on your front door.  Anyone who looks at the right door will see it.  To help yourself, be conscious of what you tell sites to remember and configure the following settings:

      INTERNET EXPLORER 10

      Tools | Internet Options, and:

      1. Select Advanced.  Then under Security, check Do not save encrypted pages to disk.
      2. Select Content.  Then under Autocomplete, click Settings and uncheck all.
      3. Select Privacy.  Then check Never allow websites to request your physical location.

      FIREFOX 21

      Main Menu | Options | Options | Privacy, and:

      1. Under Tracking, select Tell sites that I do not want to be tracked.
      2. Under History, select Use Custom Setting for History. Uncheck Remember my browsing and download history.  Uncheck Remember search and form history.

      Also select Main Menu | Options | Options | Security, and uncheck Remember passwords for sites.

      SAFARI 6

      Safari | Preferences, and:

      1. Select Autofill and uncheck all.
      2. Select Privacy and check Ask websites not to track me.

      CHROME 27

      Chrome Menu | Settings, and:

      1. Under Privacy, click Content settings.  Under location, select Ask me when a site tries to track my physical location.
      2. Under Passwords and forms, uncheck Enable Autofill to fill out web forms in a single click and uncheck Offer to save passwords I enter on the web.

      OPERA 12

      Main Menu | Settings | Preferences, and:

      1. Select Forms.  Uncheck Enable Password Manager.  Also do not enter any of the saved form data.
      2. Select Advanced | Security.  Check Ask websites not to track me.

      NOTE:  If you would like to save your passwords because you created very strong passwords that may be hard to remember, we suggest an external password vault service that encrypts your password information locally and stores the encrypted information for you in the cloud.  Some popular ones are LastPass (https://lastpass.com/index.php), RoboForm (http://www.roboform.com), and 1Password (https://agilebits.com/onepassword).

       

      3. Disable Pop-ups

      Pop-ups are generally advertisements or other little windows that force you to pay attention to them before you can get back to the webpage you are on.  This is a great advertising gimmick, but it’s also dangerous because a malicious pop-up may have a virus download on all links within the pop-up, including the Ok and Cancel buttons.  Crafty popups even make it so the X at the top of the window to close it contains a virus download.  Pop-ups may also take you to sites that can phish your information or otherwise trick you into putting yourself at risk.

      Smart web developers have learned to not put content in pop-ups, so blocking all pop-ups should not negatively affect your browsing experience.  You can always allow certain pop-ups as you go if you need them.  Block all pop-ups by selecting:

      INTERNET EXPLORER 10

      Tools | Internet Options | Privacy, and check Turn on Pop-up Blocker.

      FIREFOX 21

      Main Menu | Options | Options | Content, and click Block pop-up windows.

      SAFARI 6

      Safari | Preferences | Security, and check Block pop-up windows.

      CHROME 27

      Chrome Menu | Settings, under Privacy click Content settings.  Select Do not allow any site to show pop-ups.

      OPERA 12

      Main Menu | Settings | Preferences | General, and select Block all pop-ups.

       

      4. Limit Plug-ins and Add-ons

      Downloaded toolbars, plug-ins and add-ons can be helpful for enhancing your browsing experience, but the more items you attach to your browser, the more possible vulnerabilities there are for an attacker to exploit.  Additionally, attackers may use ActiveX, JavaScript, VBScript, and Java to run malicious code on a website without your knowledge.  Unfortunately, many legitimate pages use JavaScript as part of their functionality.  Limiting these types of scripts, though, can help protect you from a surprise malware download.  We suggest blocking most or all and enabling individual sites as you go by performing the following:

      INTERNET EXPLORER 10

      Tools | Internet Options | Advanced.  Under Browsing, uncheck Enable third-party browser extensions (add-ons).

      You will also want to select Security and click the Internet icon. Change the setting to High for the “Internet” zone.  Click the Trusted Sites icon and set this to Medium.  Add sites to the Trusted list as you go.

      FIREFOX 21

      Main Menu | Options | Options, and:

      1. Select Content and uncheck Enable JavaScript.  If desired you can keep Enable JavaScript checked, but click Advanced and uncheck all to limit JavaScript actions.
      2. Select Security, and check Warn when sites try to install add-ons.

      SAFARI 6

      Safari | Preferences | Security, and uncheck Enable JavaScript, uncheck Allow Java, and uncheck Allow all other plug-ins.

      CHROME 27

      Chrome Menu | Settings. Under Privacy, click Content settings and:

      1. Under JavaScript, select Do not allow any site to run JavaScript.
      2. Under Plug-ins, select Block all (you can instead select Click to play to be prompted).
      3. Under Unsandboxed plug-in access, select Ask me when a site wants to use a plug-in to access my computer.

      OPERA 12

      Main Menu | Settings | Preferences | Advanced | Content, and uncheck Enable JavaScript, uncheck Enable Java, and uncheck Enable plug-ins.  If desired you can keep Enable JavaScript checked, but click JavaScript Options and uncheck all to limit JavaScript actions.

       

      5. Enable Automatic Site Checking

      Automatic Site Checking and similar filters check the webpages you visit against a list of known fraudulent or malicious websites (a blacklist) and warn or block you before the page loads.  These features may also scan webpages for suspicious characteristics and alert you to potentially hazardous sites (which can be added to the blacklist if need be).

      INTERNET EXPLORER 10

      This feature is automatically on.  To verify that it’s on, select Tools | Safety | Turn on SmartScreen Filter.

      FIREFOX 21

      Must be turned on by selecting Main Menu | Options | Options | Security.  Check Block reported attack sites and check Block reported web forgeries.

      SAFARI 6

      This feature is automatically on.  To verify that it’s on, select Safari | Preferences | Security, and check Warn when visiting a fraudulent website.

      CHROME 27

      This feature may be automatically on.  To verify that it’s on, select Chrome Menu | Settings, and under Privacy check Enable phishing/malware protection.

      OPERA 12

      This feature is automatically on.  To verify that it’s on, select Main Menu | Settings | Preferences | Advanced | Security and check Enable Fraud and Malware Protection.

       

      6. Prompt for Downloads

      The Automatic Site Checking mentioned above can help review downloads for malware, but there are other settings you can configure that alert you when something is about to download, in case you accidentally click a link and realize you shouldn’t be downloading that item.  Even just prompting you to tell the browser where to save the file can make you pause and think about what you are downloading.  You should always be careful what you download and from where, and scan all email attachments and downloads with your anti-virus software.

      INTERNET EXPLORER 10

      Tools | Internet Options | Security | Custom Level.  Under Downloads, select Enable for Automatic prompting for file downloads.

      FIREFOX 21

      Main Menu | Options | Options | Main, and under Downloads check Always ask me where to save files.

      SAFARI 6

      Safari | Preferences | General and uncheck Open “safe” files after downloading.

      NOTE:  Just because Safari labels the file extension as “safe” doesn’t mean it actually is.  It’s also smart to open downloads only after the anti-virus scans them.

      CHROME 27

      Chrome Menu | Settings, and under Downloads, check Ask where to save each file before downloading.

      OPERA 12

      Main Menu | Settings | Preferences | Advanced | Downloads.  Here you can manage what to do for each type of file you may download.  For example, we recommend for EXE and BAT files to select Show the download dialog.

       

      7. Clear Browsing Data/Temporary Internet Files

      This removes all stored web data on your computer (cookies, cache, history, stored passwords/autofill data, etc.).  Since we just went through blocking new data from being saved, it’s smart to clear out any data that is currently there.   It’s also a good idea to repeat this step regularly to ensure any data that does still get saved, gets cleared.

      INTERNET EXPLORER 10

      Tools | Safety | Delete browsing history. Check the items to remove and click Delete.

      FIREFOX 21

      Main Menu | History | Clear Recent History.  In the dropdown, change the amount of time you want to go back (recommended: Everything).  Click the arrow next to Details, check the items to remove and click Clear now.

      SAFARI 6

      Safari | Reset Safari. Check the items to remove and click Reset.

      CHROME 27

      Chrome Menu | Tools | Clear Browsing Data. In the dropdown, change the amount of time you want to go back (recommended: The beginning of time).  Check the items to remove and click Clear browsing data.

      OPERA 12

      Main Menu | Settings | Delete Private Data.  Check the items to remove and click Delete.

       

      Private Browsing Windows

      Many browsers also have a feature that allows you to navigate the web without saving search history, form information, cached information, and some cookies.  While private browsing windows and tabs can be a start to keeping your information safe, it should not be relied on as a means to be “off the grid” or as a total replacement for the security settings mentioned above.

      Browser               What It’s Called      How to Set It
      INTERNET EXPLORER 10  InPrivate Browsing    Tools | Safety | InPrivate Browsing
      FIREFOX 21            Private Browsing      Main Menu | New Private Window
      SAFARI 6              Private Browsing      Safari | Private Browsing
      CHROME 27             Incognito Mode        Chrome Menu | New Incognito Window
      OPERA 12              Private Tab/Window    Main Menu | Tabs and Windows | New Private Window

       

      SECURITY NOTE:

      Using these recommended security settings does not negate the effects of malware that could already be installed on your computer.  For example, keyloggers can capture your data even if your browser doesn’t save it.  Be sure to keep your anti-virus up-to-date and scan your computer regularly for threats.  These security settings also do not exempt you from phishing attacks.  Be careful what information you share online and never provide your password to anyone.  More details can be found in various sections of our Best Practices pages (http://www.rit.edu/security/content/keeping-safe).

      Using LinkedIn’s New Two-Factor Authentication

      The growing trend of sites adding two-factor authentication to their login process has many feeling more secure in their social media and other online interactions.

      With passwords being easy to compromise with phishing attacks, many users have been hoping for something more secure.  Two-factor authentication gives a double protection on your account, requiring you to know something (your password), and have something in your possession (a token).  The token can be any number of devices, cards or other physical items, often generating unique codes as proof you have the object.  Think of ATMs.  You need to have the ATM card (the token) and know your PIN in order to access your account and do any transactions at the ATM.  One without the other and you can’t get in.

      LinkedIn is using a single-use code sent via SMS to whatever mobile number is listed on the account.  Your mobile device serves as your token.  This code is entered into the site after you enter your password to complete the two-factor authentication.  The idea behind this is if your password happens to be cracked or phished, as long as you don’t lose or compromise your phone, you are still safe from attackers logging into your account (though you should change your passwords and do a virus scan to be safe if your password gets compromised!).  

      Want to enable this security feature for your own LinkedIn account? LinkedIn provides some instructions here:  
      http://www.slideshare.net/linkedin/two-step-verification-on-linked-in.  

      Many other sites have similar security features so check out your account settings and give yourself an extra layer of protection.

      SECURITY NOTES:

      As with any security chain, there are ways this could possibly be compromised.  The easy way is if an attacker knows your password and has stolen your phone.  A more sophisticated way is if you get phished for both your password and the code just sent to you, and the attacker uses both before the code expires.  How likely are these to happen?  Well, that’s up to your security prowess.  Read more on our website about creating secure passwords (https://www.rit.edu/security/content/password), avoiding phishing attempts (https://www.rit.edu/security/content/phishing) and best practices when it comes to mobile device security (https://www.rit.edu/security/content/mobile-devices).
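The properties the note above relies on, a code that expires and works only once, can be seen from the site's side of the exchange. This is an added sketch, not LinkedIn's implementation and not part of the original page; the five-minute lifetime, the five-guess limit, the class names and the account name are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime; the page does not give the real one
MAX_ATTEMPTS = 5        # assumed number of guesses allowed per issued code


class SmsCodeVerifier:
    """Issues and checks single-use, expiring login codes for the second factor."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be shown without waiting
        self._pending = {}    # account -> [code, expires_at, attempts_left]

    def issue(self, account):
        """Create a fresh 6-digit code; a new code replaces any older one."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = [code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # the caller would text this to the number on the account

    def verify(self, account, submitted):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'no-code'."""
        entry = self._pending.get(account)
        if entry is None:
            return "no-code"
        code, expires_at, attempts_left = entry
        if self._clock() >= expires_at:
            del self._pending[account]
            return "expired"
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[account]  # single use: a replayed code finds nothing
            return "ok"
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[account]  # stop online guessing of the 10**6 codes
            return "locked"
        return "wrong"


class FakeClock:
    """Constructed clock for the demonstration below."""

    def __init__(self, now=1_000.0):
        self.now = now

    def __call__(self):
        return self.now


def demo():
    """Walk through the cases from the security note with a constructed account."""
    clock = FakeClock()
    verifier = SmsCodeVerifier(clock)
    results = {}

    code = verifier.issue("alice")
    results["first_use"] = verifier.verify("alice", code)
    results["replay"] = verifier.verify("alice", code)  # same code, used a second time

    code = verifier.issue("alice")
    clock.now += CODE_TTL_SECONDS + 1
    results["after_expiry"] = verifier.verify("alice", code)

    code = verifier.issue("alice")
    wrong = "000000" if code != "000000" else "111111"
    results["guessing"] = [verifier.verify("alice", wrong) for _ in range(MAX_ATTEMPTS)]
    return results


if __name__ == "__main__":
    print(demo())
```

Expiry and single use shrink the window in which a phished code is useful, but as the note says, they do not help if the code is relayed and used before it expires.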

      Awareness Posters and Videos

      Posters

      In the last EDUCAUSE Poster and Video contest, RIT student and Information Security Office employee Karyn Lewis won several monetary awards for her posters. We'll provide information on the 2013 contest as it's available. Click on the thumbnails below to see the posters.

      Other Student-Produced Posters from RIT

      Arden Kelly "Keep Your Private Things Private"
      Cristin Sick "Is this Your Version of Computer Self Defense?"
      Richard Kim "When Connected, Stay Protected"

      Videos

      Retro RIT Information Security Awareness Video created by Rachel Diesel. (Temporarily unavailable.)

      The EDUCAUSE Information Security Poster and Video Contest has had a number of interesting entries. View their YouTube page at: https://www.youtube.com/user/SecurityVideoContest.  We've embedded a couple of them on this page. 

       

      2011 Gold Winner, PSA: "Protecting Your Computer in a Public Place"

       

      2011 Gold Winner, Training Video: "The Right Kind of Bait"

       

      2009 Gold Winner, Training Video: "Cyber Security Awareness"
