October 2020: Cybersecurity Overview and Basics
There has been a dramatic increase in the number of cybersecurity incidents reported since the start of the pandemic. On June 6, the University of California, San Francisco (UCSF) paid a ransom of $1.14 million to hackers to recover data from its School of Medicine that had been encrypted in a cyberattack. Similar attacks were carried out against Michigan State University and Columbia College, Chicago. In August, the University of Utah reported a payment of $457,000 to cybercriminals who held employee and student data for ransom.
Cybercriminals often take advantage of poor security practices by employees in order to conduct their activities. Keenan and Associates has provided Citrus College with a series of online training courses that can improve your security awareness. Help keep the IT resources and sensitive data at the college safe by taking one (or all) of the following courses, available on the training calendar:
Cybersecurity Overview: This introductory course provides an overview of cybercrime and cybersecurity, including the basics of cybersecurity along with the effects of cybercrime, the types of cyber threats and how users are susceptible.
Browser Security Basics: This course provides all staff members with an overview of browser security and ways to browse the web safely. Topics include: the types of browser threats, the basics of browser security and safe browsing practices.
Password Security Basics: This course provides an overview of password security and management, including the basic principles of password security, the elements of a strong password, and strategies of how to create and maintain passwords.
Email and Messaging Safety: This course provides an overview of cybercrime via email, and how to employ safe email and messaging practices to avoid and help prevent cyber threats, attempts at fraud and identity theft.
Protection Against Malware: This course provides staff members with an overview of basic protection against malware. Topics include: the types of malware, how malware works and protective strategies.
Copyright Infringement: This course covers basic knowledge about copyright laws, print and audio materials, visual and multimedia materials, and the internet and digital media.
Click this link to launch a curriculum containing all six of these courses.
July 2020: Social Engineering Scams
Cybercriminals have learned that a successful way to take advantage of a victim is through social engineering. We've seen this recently at Citrus College. Social engineering begins with research, whereby an attacker reaches out to a target to gain information and resources.
When someone you don't know contacts you and asks you open-ended questions, this may be the first step of a social-engineering attack. After the attacker reaches out to you, they will then attempt to establish trust with you and get you to provide them with the information or access that they need. Often, the attacker does this by creating a sense of urgency.
One common social-engineering scam is the gift-card scam. The attacker poses as a supervisor or manager (the impersonator). The impersonator will email the victim and begin a brief email exchange. The impersonator will tell the victim that they need to purchase one or more gift cards for other employees but that they are unavailable to do so, and will ask the victim to buy several gift cards and keep one for themselves. As the victim is worried about pleasing the impersonator, the victim goes through with the purchase, spending hundreds or thousands of dollars.
How do you avoid becoming a victim of these types of attacks? Ask yourself if the request makes sense. Check the email address of the sender. Does the sender's email address come from Citrus College? Is there a warning that the e-mail came from outside of the Citrus College e-mail system?
Whenever you receive an "urgent" email communication, the first thing you should do is contact the sender using another mode, such as phone or text message, and confirm that the email is legitimate. If something seems off to you, it probably is.
January 2020: Data Privacy
The Internet is full of data about you. Whenever you play a game, shop, browse websites, or use any of numerous apps, your activity and some of your personal information may be collected and shared.
Similarly, the business of higher education requires us to collect, process, and store the digital information of others. Whenever we handle such information, we need to think about how we want our own information treated and treat other people's data with the same care and respect.
Protect yourself by following these tips:
Know what you are sharing. Check the privacy settings on all of your social media accounts; some even include a wizard to walk you through the settings. Always be cautious about what you post publicly.
Guard your date of birth and telephone number. These are key pieces of information used for identity and account verification, and you should not share them publicly. If an online service or site asks you to share this critical information, consider whether it is important enough to warrant it.
Keep your work and personal presences separate. Administrative Procedure (AP) 3723 recognizes that authorized Citrus College officials may review or access the contents of e-mail for purposes related to college business. Use an outside service for private emails. This also helps you ensure uninterrupted access to your private email and other services if you switch employers.
Protect the information, identity, and privacy of others by following these tips:
Know what resources are available at Citrus College. Citrus College IT Security Analyst Ryan Tang can answer questions about information security best practices and the technologies available to protect online identity and personal data. The training calendar also provides online self-guided tutorials on information security and privacy.
At Citrus College, these policies can be found online in the 3000 series of board policies and administrative procedures.
Keep student and staff personal information confidential and limit access to the data.
Only use data for its intended purpose. If you need to use data for another reason, always check relevant resources and policies first for guidance.
Destroy or de-identify private information when you no longer need it.