As many as 35% of data breaches come from Higher Ed.

October 12, 2015

October is National Cyber Security Awareness Month! The goal of this national campaign is to raise awareness about steps each of us can take to stay safer and more secure online.

The focus of this cyber security month article is on preventing data breaches and avoiding the scams that often follow major data breaches. Together we’re secure!


Preventing Data Breaches

High profile data breaches continue to happen. Major breaches from the past year include the Federal Office of Personnel Management (OPM), Anthem, Sony Pictures, and a cyber attack on UCLA.

Leading causes of these and other major breaches have been:

  • Clicking on a malicious link or attachment
  • Shared passwords or passwords revealed to phishers
    • Most of the breaches the FBI investigates started with a spear phish (a sophisticated, targeted phish)
  • Exploited technical vulnerabilities, such as out of date or unpatched computers and applications

Some lessons from high profile breaches:

  • Attackers are still going after end users as the weakest link in the security chain.
  • PII (personally identifiable information) and other private information is everywhere. If it's not in the system the attackers compromised, it's probably somewhere they can get to from there.
  • It's not uncommon for the initial compromise to have happened 6-18 months before the breach was discovered. The attackers have plenty of time to find what they’re looking for.
  • The initial compromise that allows malware to be installed is typically due to common vulnerabilities -- often older vulnerabilities where solutions are known but haven’t been applied yet. Examples of this would be an out of date operating system or an old version of an application.

Big breaches can be opportunities for new scams:

  • Malicious links often appear in web search results about major breaches, especially high profile or scandalous breaches.
  • Phishing scams (email or phone) attempting to get breach victims to sign up for fake credit monitoring or other breach-related support are common. This happened with the Anthem breach.
  • In the aftermath of the Federal Office of Personnel Management (OPM) breach, imposters pretended to call from the Federal Trade Commission (FTC) offering money to OPM data breach victims. The imposter told the victims that they needed to provide their personal information right then over the phone in order to receive the payment. It was all a scam.

What you can do:

This all points to the need to constantly be alert to new schemes and scams. It's incredibly common to hear that the original source of a data breach was someone giving up their account information to a phishing attempt. Some important tips to help keep you safe:

  • Beware of unfamiliar links and attachments. Links in email, texts, tweets, posts and online advertising are often the way cybercriminals steal your information or compromise your computer. Attachments, too. If it looks suspicious, DELETE IT!
  • Don't let anyone trick you into revealing your password or other personal or private information.
  • Make your passwords long and difficult to guess. Use a combination of upper and lower case letters, numbers, and special characters.
  • Keep passwords secret. Don’t share your passwords or reveal them to others. No legitimate organization should ever ask for your password.
  • Keep up to date: Make sure your computer's operating system and applications are protected with all necessary security "patches" and updates. Turn on auto-updates for everything you can.
  • Use antivirus. Make sure your computer is running up-to-date antivirus software.
  • Don’t use an administrator-level account for your daily work. Use a regular, non-admin account for day-to-day tasks, both at work and at home. Administrator accounts should only be used when specifically needed. If someone compromises your computer while you’re logged in with an admin account, they can do much more damage than if you are using a regular, non-admin account.
  • Delete sensitive information whenever you can. Keep it off of your workstation, laptop computer, and other electronic devices if at all possible.
  • Order a copy of your credit report from each of the three major credit bureaus - Equifax, Experian, and TransUnion. Make sure it's accurate and includes only those activities you've authorized. You can get one free report from each of these services per year.
  • See Identity Theft Resources if you believe you have been the victim of identity theft.

-----

For additional information about these and other cyber security topics, visit ITS’ “How to Stay Secure” webpage at http://its.ucsc.edu/security/stay-secure.html.

For questions or assistance, contact the ITS Support Center.