November 2019: Data Breaches
In 2017, nearly eight million records in the education industry were breached in 35 events. More than half of the breaches in the education sector were caused by activities directly attributable to human error, including lost devices, physical loss, and unintended disclosure. These breaches were arguably preventable through basic information security protection safeguards.

bar chart showing types of security breaches among educational institutions

All Citrus College staff and faculty have a responsibility to know basic information security protections to safeguard data and prevent those data from being mishandled.

Here are some things you can do every day to protect our student data.

  • Update your computing devices: Ensure updates to your operating system, web browser, and applications are being performed on all personal and institution-issued devices. If prompted to update your device, don't hesitate - do it immediately.
  • Enable two-factor authentication: Whether for personal use or work, two-factor authentication can prevent unauthorized access even if your login credentials are stolen or lost.
  • Create really strong and unique passwords: Create unique passwords for all personal and work accounts. In today's environment, one of the best ways to create a really strong password is to use a password manager for all of your accounts. A password manager will alleviate the burden of having to memorize all the different complex passwords you've created by managing them all in one "vault" and locking that vault with a single master password.
  • Protect your devices: Using biometrics or six-digit passcodes on smartphones and tablets is critical to keeping curious minds from accessing personal information, work email, or retail/banking applications. It also helps protect your device if it is lost or misplaced.
  • Understand where, how, and to whom you are sending data: Many breaches occur when we accidentally post sensitive information publicly, mishandle it or send it to the wrong party when publishing online, or email sensitive information to the wrong person. Take care to know how you are transmitting or posting data.

Content for Security Matters is courtesy of the EDUCAUSE Cybersecurity Program.

September 2019: Understanding the Basics of Online Safety and Security
Shopping, surfing, banking, gaming, and connecting Internet of Things devices such as toasters and refrigerators are some of the many actions performed each minute in cyberspace. These common everyday activities carry the cyber threats of social engineering to gain unauthorized access to data, identity theft, bullying, location tracking, and phishing, to name just a few. How can we decrease our risk from these cyber threats without abandoning our online activities altogether? Here are some basic online tips everyone can follow to help stay secure while online.

  • Set up alerts. Consider setting up alerts on your financial accounts. Many credit card companies and banks allow you to set up alerts on your accounts via their websites. These alerts range from sending you an email or text each time a transaction happens on your account to alerts when transactions meet or exceed a designated spending limit that you set. These alerts keep you in control of your accounts' activities. These types of alerts are useful because they make you aware of what's going on with your account quicker than waiting for monthly statements. When you receive an alert about a transaction that you did not authorize, you can reach out to the credit card company or bank immediately. Log into your credit card company and banking websites to set up alerts on your accounts.
  • Keep devices and apps up to date. This familiar tip is useful even if you are just casually surfing the internet. Keeping your devices up to date (including apps and operating systems) ensures you have the latest security fixes.
  • Don't use public Wi-Fi. In addition to an updated device, the network the device is connected to is also important. Did you have to enter a password to connect to a Wi-Fi network? If you did, that network is more secure than an open one that any device within range can connect to. Whenever possible, use a secure network, especially when banking or shopping online.
  • Consider using a VPN. VPN stands for virtual private network, and its main purpose is to provide a tunnel for encrypted internet traffic. If you are connected to the internet without using a VPN, your traffic is passed through the internet service provider's servers. The location of your device is known, and if you must connect to a public Wi-Fi network, there is a risk of snooping by other devices on the same network. Connecting to a VPN redirects your internet traffic to a remote server, encrypting the traffic, reducing the snooping risk. There are many options for VPN software today for consumers and businesses. Do your research and decide which one makes sense for your online needs.
  • Create unique passwords. Here's another familiar tip. Using the same password for many sites is not a best practice. Suppose that one of your accounts suffered a data breach and your password was exposed. If you reused this password on other accounts, it's likely that someone would be able to access those accounts as well (especially if your user name is an email address). Consider using a password manager to manage all your passwords. Not only do these tools manage all your passwords, they can also create strong passwords and can even autofill your username and password as you go to websites on different browsers.
  • Be vigilant. Be aware that there are fake websites out there waiting to collect your valuable information. Make sure you are on a legitimate site by double-checking that the website address (URL) is spelled correctly. Also make sure you see a padlock and https:// in the URL.

Remember that you are in control of your online activities. Following these security tips will give you peace of mind while online.

Monthly content for Security Matters is courtesy of the EDUCAUSE Cybersecurity Program.

July 2019: Security Matters - Keeping Tabs on Mobile Devices
With an increasing amount of sensitive data being stored on personal devices, the value and mobility of smartphones, tablets, and laptops make them appealing and easy targets. These simple tips will help you be prepared in case your mobile device is stolen or misplaced.

  • Encrypt sensitive information. Add a layer of protection to your files by using the built-in encryption tools included on your computer's operating system.
  • Secure those devices and back up data! Make sure that you can remotely lock or wipe each mobile device. That also means backing up data on each device in case you need to use the remote wipe function. Backups are advantageous on multiple levels. Not only will you be able to restore the information, but you'll be able to identify and report exactly what information is at risk.
  • Never leave your devices unattended in a public place or office. If you must leave your device in your car, place it in the trunk, out of sight, before you get to your destination, and be aware that the summer heat of a parked car could damage your device.
  • Password-protect your devices. Give yourself more time to protect your data and remotely wipe your device if it is lost or stolen by enabling passwords, PINs, fingerprint scans, or other forms of authentication. Do not choose options that allow your computer to remember your passwords.
  • Put that shredder to work! Make sure to shred documents with any personal, medical, financial, or other sensitive data before throwing them away.
  • Be smart about recycling or disposing of old computers and mobile devices. Properly destroy your computer's hard drive. Use the factory reset option on your mobile devices and erase or remove SIM and SD cards.
  • Verify app permissions. Don't forget to review an app's specifications and privacy permissions before installing it!
  • Be cautious of public Wi-Fi hot spots. Avoid financial or other sensitive transactions while connected to public Wi-Fi hot spots.
  • Keep software up to date. If the vendor releases updates for the software operating your device, install them as soon as possible. Installing them will prevent attackers from being able to take advantage of known problems or vulnerabilities.

What can you do if your laptop or mobile device is lost or stolen?
Report the loss or theft to the appropriate authorities. These parties may include representatives from law-enforcement agencies, as well as hotel or conference staff. If your device contained sensitive institutional or student information, immediately report the loss or theft to Technology and Computer Services so that we can respond quickly to the incident.

Monthly content for Security Matters is courtesy of the EDUCAUSE Cybersecurity Program.

May 2019: Social Engineering
Social engineering - manipulating people into doing what the attacker wants - is the most common way for cybercriminals to steal information and money. According to an article on Wired.com, between November 2017 and February 2019, six hundred and sixty (660) education-related institutions were targeted with a scam in which employees were tricked into purchasing gift cards and sending the codes to someone they wrongly assumed was a trusted authority.

Social engineering is at the heart of all types of phishing attacks - those conducted via email, SMS, and phone calls. Technology makes these sorts of attacks easy and very low risk for the attacker. Make sure you're on the lookout for these variants on the traditional, mass emailed phishing attack:

  • Spear phishing: This kind of attack involves often very well-crafted messages that come from what looks like a trusted "very important person" (VIP) source. These messages will ask recipients to rush and bypass normal processes. Targets are those who can conduct financial transactions on behalf of the organization (sometimes called "whaling").

  • SMiShing: Literally, phishing attacks via short message service (SMS) or text messaging. These scams attempt to trick users into supplying content or clicking on links in SMS messages on their mobile devices. Flaws in how caller ID and phone number verification work make this an increasingly popular attack that is hard to stop.

  • Vishing: Voice phishing involves calls from attackers claiming to be government agencies such as the IRS, software vendors like Microsoft, or services offering to help with benefits or credit card rates. Attackers will often appear to be calling from a local number close to yours. As with SMiShing, flaws in how caller ID and phone number verification work make this a dangerous attack vector.

No matter the medium, follow these techniques to help prevent getting tricked by these social engineering attacks:

  • Don't react to scare tactics: All of these attacks depend on scaring the recipient. Examples include notice that you are being sued; that your computer is full of viruses; or that you might miss out on a chance at a great interest rate. Don't fall for it!

  • Verify contacts independently: Financial transactions should always follow a defined set of procedures, which includes a way to verify legitimacy outside email or an inbound phone call. Legitimate companies and service providers will give you a real business address and a way for you to contact them back, which you can independently verify on a company website or support line. Don't trust people who contact you out of the blue claiming to represent your bank or an agency.

  • Know the signs: Does the message or phone call start with vague information, a generic company name like "card services," an urgent request, and/or an offer that seems impossibly good? Hang up or click that delete button!

To help you more readily identify suspicious e-mails, our mail server will automatically add a "caution" or warning footer (in a yellow box) at the bottom of any e-mail that is sent from an external source. Take time to reach out to senders via phone or a new e-mail to confirm any unusual action requested of you.

Monthly content for Security Matters is courtesy of the EDUCAUSE Cybersecurity Program.
