Cybersecurity Awareness Month - October 2022
#See Yourself in Cyber
"This year’s campaign theme — “See Yourself in Cyber” — demonstrates that while cybersecurity may seem like a complex subject, ultimately, it’s really all about people. This October will focus on the “people” part of cybersecurity, providing information and resources to help educate CISA partners and the public, and ensure all individuals and organizations make smart decisions whether on the job, at home or at school – now and in the future. We encourage each of you to engage in this year’s efforts by creating your own cyber awareness campaigns and sharing this messaging with your peers."
-Cybersecurity and Infrastructure Security Agency (CISA)
We recognize the need for cybersecurity every day to keep our information safe. This October, the University is participating in National Cybersecurity Awareness Month.
Though threats to cybersecurity may regularly make the news, we know how to guard against them but we can’t do it alone. We all need to play our part! During Cybersecurity Awareness Month, we will share best practices and tips to keep us cyber-safe everywhere we go. To turn away cyber attacks, a little knowledge teamed with critical thinking skills can go a long way!
The overarching theme for this year’s awareness month is “See Yourself in Cyber.” Each week will feature one of the following themes, a training video, a game, and posters. It is going to be a fun and cyber-safe month!
- Week 1 - Cybersecurity at work
- Week 2 - Watch out for that phish!
- Week 3 - More than just phishing
- Week 4 - Cybersecurity at home
Training
Information security training is available to all employees on the training page.
Thanks, and have a cyber-secure October!
WEEK ONE: CYBERSECURITY AT WORK
#See Yourself in Cyber
"The best defense against cyberattacks is not technological cybersecurity solutions but the strengthening of the human element." - Perry Carpenter, cybersecurity veteran, author and chief evangelist-security officer for KnowBe4.
Facts and Figures
- 42% of schools have students or employees that circumvent cybersecurity protections. -Impact My Biz
- Nearly three-quarters (74%) of ransomware attacks on higher ed institutions succeeded. -Inside Higher Ed
- Ransomware attacks on U.S. schools and colleges cost $6.62b in 2020. - Darkreading
- 95% of cybersecurity breaches are caused by human error. -World Economic Forum
focus
This week's focus: Cybersecurity at Work.
No matter what our job role is, when we see ourselves in cyber, we recognize the need and take responsibility to protect the data, devices and other IT resources we use for work.
My role: Stop, Look and Think! It does not matter the type of cyber attack we face, when we stop, look and think, it goes a long way to protect us from taking actions that could compromise the information that is valuable to us and the organizations we work for. Click on each image below to learn more.
Additional CONTENTS
- Training video: Understanding web links - URLs (2 minutes).
- Game: Cybersecurity trivia twirl (external link).
*Some additional resources on cyber awareness have been provided by the Computer Science Department. To learn more, please visit Computer Science Department at NEIU.
To learn more about being #cybersmart, visit the Cybersmart page.
WEEK two: WATCH OUT FOR THAT PHISH!
#See Yourself in Cyber
"Very smart people are often tricked by hackers, by phishing. I don’t exclude myself from that. It’s about being smarter than a hacker. Not about being smart." -Harper Reed
Facts and Figures
- Phishing attacks account for more than 80% of reported security incidents. -CSO Online
- 57% percent of organizations see weekly or daily phishing attempts. -GreatHorn
- According to the results of Terranova Security’s 2020 Gone Phishing Tournament, almost 20% of all employees are likely to click on phishing email links and, of those, a staggering 67.5% go on to enter their credentials on a phishing website.
- 95% of cybersecurity breaches are caused by human error. -World Economic Forum
focus
This week's focus: Watch Out for That Phish!
How do hackers operate? They use tactics to convince or scare their victims into taking an action. These tactics come through different methods. The following are some methods they use:
- Phishing: The use of an email to trick you into giving out sensitive information or taking a potentially dangerous action, like clicking on a link or downloading an infected attachment. Hackers do this using emails disguised as contacts or organizations you trust so that you react without thinking first.
- Vishing: Phone-based social engineering is voice phishing or “vishing.” Like phishing, vishing is when the hacker calls you and tries to con you into surrendering confidential information.
- Smishing: Smishing stands for “SMS phishing” or phishing that occurs through text messaging.
- Pretexting: When a hacker calls and creates a story (usually impersonating a senior colleague or IT service in the organization) to get information from their victim. Oftentimes, the victim feels the need to trust the caller and give out information.
My role: hackers enjoy phishing, but we don't have to be the bait. Let's be the human firewall (a barrier) between the hacker and the information that is valuable to us and the university by identifying phishing tactics and responding to them appropriately.
Before taking an action, Stop, Look and Think! Click on each image below to learn more.
Additional CONTENTS
- Training video: You will learn how phishing works, red flags to watch out for when requests for login information are involved, how people can fall for bait, and tips for staying secure.
- Phil Hendrie & Kevin Mitnick: Credential Harvesting Attack (5 minutes).
- Mobile-First Module: Phishing: Don’t Get Reeled In (4 minutes).
- Game: Test your ability to identify phishing emails, try Google's phishing quiz (external link).
WEEK THREE: MORE THAN JUST PHISHING
#See Yourself in Cyber
"Social engineering bypasses all technologies, including firewalls." -Kevin Mitnick, KnowBe4
"Hackers find it easier and cheaper to manipulate people using social engineering to gain access to information, IT systems, or buildings than to use technology. Why? People can easily be convinced to ignore simple security practices that are there to protect them if they believe they need to act immediately or show goodwill in response to a request." -UTS
Facts and Figures
- 98% of Cyber attacks involve some form of social engineering. -Purplesec
- Up to 90% of malicious data breaches involve social engineering -KnowBe4
- On average, social engineering attacks cost companies $130,000.00 through money theft or data destruction. It is important to note that social engineering can lead to broader breaches. In those cases, the totals can reach hundreds of thousands, if not millions of dollars
-Securityinfowatch
focus
This week's focus: More Than Just Phishing
What is Social Engineering? Social engineering is simply the art of convincing someone to trust you so that they take an action you want them to take for your advantage. Victims usually lower their guard and give up sensitive information if they trust someone.
Social Engineering is more than phishing. This week focuses on other most common social engineering methods beyond phishing. These methods include pretexting, baiting, quid pro quo, tailgating, and the use of social media.
- Pretexting: When a hacker calls and creates a story (usually impersonating a senior colleague or IT service in the organization) to get information from their victim. Oftentimes, the victim feels the need to trust the caller and give out information.
- Baiting: When a victim is lured into taking an action in exchange for an item. The victim might give out information or click on a link that would then be used by the hacker to carry out malicious activities against the victim or the organization they work for. For example, a victim could get an email from a utility service company or a product vendor asking them to complete a survey in exchange for an Amazon gift card. The survey link would be the entry point that the hacker uses to compromise the victim or their organization.
- Quid Pro Quo: Like baiting, victims are lured into taking an action in exchange for a service. For example, the victim might get a call supposedly from social security services offering them some type of benefits and the victim then gives out their social security number which could be used to impersonate them.
- Tailgating: This is when someone without authorization gains access to a building or an office area by following closely behind someone with authorization. The attacker usually pretends to be busy with something or someone or carrying an item or engages the victim in a conversation and hopes that the victim would allow them in based on goodwill.
- Social Media Reconnaissance: This is when the attacker uses social media to learn more about their victim and/or the organization they work for. The attacker then uses the information gathered to build a friendly relationship with the victim over a period of time to gain the victim's trust and then lures the victim into taking an action.
My role: Let's watch out for requests offering us goods or services in exchange for an action they want us to take or social media connections including professional connections, job or business opportunities, etc.
Additional CONTENTS
- Training video: You will learn how pretexting and some other social engineering attacks work and how to identify and respond to them:
- KnowBe4 Pretexting - "Tech Support" Social Engineering (5 minutes).
- Interactive Training Module - 2022 Social Engineering Red Flags (15 minutes).
Before we respond to a request for sensitive information, download or access a shared file, accept a new friend or professional connection or allow someone into a restricted area, Stop, Look and Think! Click on each image below to learn more.
If you have any questions or would like to provide some feedback, please email uinfosec@neiu.edu.
WEEK FOUR: CYBERSECURITY AT HOME
#SeeYourselfInCyber
"Security used to be an inconvenience sometimes, but now it’s a necessity all the time." -Martina Navratilova
"Cybersecurity is not for the passive nor the reactive minds but for those who proactively see the need to maintain good practices and own the responsibility to secure the data they handle everywhere and all the time". - UTS
Facts and Figures
- 20% of organizations experienced a breach because of a remote worker. Data breach costs increased by over $1 million whenever remote work was a causal factor. -Cybertalk
- According to Forbes, individual SSN can retail for as little as $4 on the darknet, and passport information sells for $62.61 on the dark web. -Knowbe4
- A clone credit card with pin sells for as little as $15 on the dark web. -Privacyaffairs
- It takes victims, on average, 6 months and approximately 200 hours of work to recover from identity theft, and an average loss of $1,100 per victim. -Privacybee
focus
This week's focus: Cybersecurity at Home
Working remotely has become a way of life for many over the last two years. Once a luxury, working from home has become all but a necessity and has brought with it many information security risks and challenges. This week's focus is keeping cybersecurity top of mind at home; both when working and in our everyday lives.
Non-office environments such as homes, hotels, cafeterias, sport centers, etc., are usually very conducive for hackers to operate as these settings are considered to have lesser guards in place than an office. For this reason, we have to continue to maintain good practices wherever we are, take responsibility for how we handle data and the IT resources we use and remain vigilant to keep the hackers out. Below are some essential security hygiene to maintain:
- Use a strong password and don't share it.
- Use multi-factor authentication - password only is not enough! Beware of unsolicited DUO or any other multi-factor authentication requests e.g. to provide a pin or approve a Push. Decline such requests.
- Keep the software/applications on your devices up to date.
- Maintain active anti-virus software on your devices.
- Store and share sensitive data securely. Dispose of sensitive papers and unwanted devices securely.
- Don't circumvent manufacturers' security settings on your devices.
- Use social media sensibly and keep your communications and data private. Be sure of the friend or professional requests you accept.
- Don't be phished! Beware of emails with attachments to download, or soliciting sensitive. information from you including your password, social security number, driver's license details, etc.
- Beware of bogus websites and the links you visit. If unsure, use a search engine to look up the website address.
- Use available awareness and training resources to keep you current on cybersecurity. See the University's cyber smart tips page.
- Report any suspicious or actual incident as soon as possible to IT. When you report, we get stronger!
As we wrap up the last week of National Cybersecurity Awareness Month, the key takeaway is to #SeeYourselfInCyber. This means that your cyber security responsibility cannot be delegated. You have to know it, own it and do it! Click on the images below to learn more: