Welcome to information security awareness training for SIUE.
As an employee you are the front line in protecting SIUE's infrastructure and the privacy of SIUE faculty, staff, and students. Security and privacy starts with:
Being aware of common and likely threats
Safeguarding your e-ID and password
Knowing the rules of acceptable computer use
Information security brings to mind hackers, cybercriminals who act as threat operators wanting to gain access to sensitive information for a number of purposes contrary to the need for privacy. A popular image of hackers is that of a highly sophisticated, technically savvy criminal who is an ace computer programmer and can find the most minute cracks in any computer system to exploit. Although this image is not untrue, it is also uncommon. Hackers that you encounter are more likely to be confidence men and scammers who find it much easier and resourceful to trick you out of your access. These con-men use fraudulent emails and phone scams to get you to reveal your computer credentials, which can be used to then access your computers, bank accounts, and personal information. This process, which leverages a natural inclination to trust, is a threat known as social engineering.
Social engineering accounts for the majority hacking attacks each year. Therefore, it's important that you know the common tactics used in social engineering in order to protect yourself and the systems you access. Your credentials can be used to view not just your information, but other's information as well affecting everyone you have access to.
One way someone might use social engineering to manipulate you is by pretending to be a student who lost their e-ID and need your help getting onto their account. Looking through your trash for sensitive information you may have discarded is known as dumpster diving. An unfamiliar person may tailgate through an open door into your work area without swiping an ID. You don't need to physically confront or stand up to someone who does this, but they should be pointed out to a supervisor. Shoulder surfing is someone gaining your password or PIN by simply watching your fingers typing on a keyboard or number pad. Or, someone may just attempt to steal information from your unlocked desk or device.
Urgency, fear, and bullying are common tactics and are good indicators to get suspicious. Using the proper processes and procedures might sometimes be cumbersome, but they can protect you from being bullied or tricked into bypassing the protections that secure private and sensitive information.
Here are some guidelines to help avoid social engineering cons:
First, you should handle confidential information as if it were your own personal information.
Do not give personal information over the phone or to someone who can' verify who they are.
Do not discuss confidential or important information in public areas.
Do not leave confidential information on your desk unless you are using it.
Be mindful of what you throw in the trash, maybe shred it, or put it in a secured trash bin.
Lock your desk and computer when you are away from your office, even if it's only for a minute.
And finally, note people trying to get into restricted areas without an ID as something you might need to report to an authority.
The most common threat you should be concerned with is phishing via email. Email is a part of everyday work and home communication which can be used to trick you into revealing your passwords or even downloading malicious software. After you have fallen victim to phishing, a criminal can use your ID and password to find something to steal, vandalize, or sabotage.
Phishing has gotten much more sophisticated recently and it preys on your trust, curiosity, and desire to truly help someone in trouble. Knowing who and what to trust is the key. Be suspicious of any unsolicited offers of help, requests for help, direct requests for personal information, job offers, or urgent demands for action. The intent is to cause you to act before thinking. Instead, take time to consider what is being asked and don't let a link in an email control where you go or who you call. Try to reach the website from a search engine or directory. Any email that requests a reply with personal information is a scam, particularly offers for special deals or jobs.
The crudest form of phishing can be easy to spot. The emails will have obvious spelling and grammatical errors, odd looking website URLs, or grainy looking images. At their most sophisticated, the emails will look very official and polished. You will usually be directed to a URL that looks very much like an SIUE website, with an urgent message that you need to log in to prevent something bad from happening. At this point if you click through from the email and login, the scammers have just captured your eID and password and you will have gotten a very convincing looking error screen or even no response at all. The damage comes later when the hackers sell your information or use it to see what they have access to do under your credentials.
At SIUE, Information Technology Services will always give you a way to verify that communications originating from ITS are legitimate. SIUE ITS will not alert you to an emergency technical problem with your email, a system you access, or CougarNet by simply sending you a link and having you log in to fix it. Serious issues with email and systems require interaction with an SIUE technician to fix and will involve a phone call to the Helpdesk and walkthrough instructions.
Along with phishing comes the threat of malware. Malware is short for malicious software. It's a type of virus software that is intended to damage or disable computers and computer systems and is usually spread through email attachments,Internet file downloads, and social media scam links. Of particular note is ransomware, which is an increasingly common version of malware and a problem which is hard to near impossible to fix without complying with the criminal's demands.
Different types of malware affect your computer in different ways. You might notice unusual toolbars on your browser or windows opening by themselves without your input. Malware can operate behind the scenes, recording the keys you press on your keyboard and even your web browser history. At worst, ransomware will lock away access to your files or computer through encryption with a demand that you pay the criminal to unlock it.
Fortunately, there are many steps you can take to protect yourself and prevent the spreading of malware.
The simplest way to protect yourself from these scams is to not click on any links from an email. Just see if you can arrive where the email is directing you on your own through your browser. In most cases you can hover over the link in your email to see if it's a website you recognize. Just place the mouse pointer over the link without clicking and wait for a box to pop up with the complete link spelled out. In no case should you reply to an email asking for personal information. You can be sure SIUE ITS will never ask you for personal information via email.
In the case of ransomware, the best defense is to back up your files off of your computer via a shared drive or cloud based storage. It's important to realize the nature and sensitivity of the information that you intend to backup, so it's best to discuss backup options with the ITS helpdesk or your supervisor before putting anything in the cloud or on a flash drive especially if you are concerned about irreplaceable project data, research, and intellectual property.
We understand that it can be confusing keeping up with the latest scams and trying to identify potential threats.
That's why you shouldn't hesitate to call the help desk before downloading anything if you're ever unsure about the credibility of an email or attachment. We're always here for you.
It's also important that you know the rules and policies that cover the use of computing devices on campus. As well as complying with all federal and state laws and SIUE rules and policies, you should also avoid doing any of the following:
Engaging in activity that jeopardizes the availability, performance, integrity or security of the network.
Using IT resources for personal gain or commercial purposes.
Accessing files without authorization.
Harassing, intimidating or threatening others through electronic messages.
Constructing communication that appears to be from someone else, even if it's just as a joke.
Creating or transmitting any offensive, obscene or indecent material.
Engaging in these activities can result in disciplinary action up to and including loss of network access, termination of employment, and sometimes criminal or civil liability.
The very most important thing you can do to protect yourself, SIUE faculty, staff and students is guarding your eID and password. Just as you would not be quick to hand over your wallet, car keys, or house keys to just anyone or sometimes even people you know, your eID and password are just as important. You are ultimately responsible for what happens when your eID is in use. Choosing a good password is a fundamental step in protecting what happens with your eID. When choosing a password, you need to make it as difficult as possible for a threat operator or intruder to identify, whether by educated guesses or automated attacks.
Take the following precautions to defend your eID with a strong password:
Change your password soon after being notified that it will be expiring.
Never use the same password on a different account
Never write down your password or share your password with others
If you suspect your password has been compromised, change it immediately and report the compromise to your supervisor and to the ITS help desk.
This example shows us how to create extremely secure passwords. Think of a sentence that means something to you or is easy to remember. Keep only the first letter of every word. Replace the "a" for "and" with an ampersand and use a mixture of capital and lowercase letters. This is obviously an extreme example but it gives you an idea of what a secure password might look like. Try to follow this kind of example where you can, although some systems and networks may restrict your use of special characters, spaces, or numbers. Like any security control, passwords aren't' absolutely foolproof, but the more complicated they are, the more effective they are.
You play an important role in the defense and protection of the SIUE infrastructure. By being aware you become harder to trick and less of a target. Criminals are opportunistic and prefer a path of least resistance and low risk rather than engaging with a savvy, knowledgeable employee.
You are always the first line of defense for protecting SIUE from cyber criminals. It's important to think before you click.
The ITS help desk is the main front in assisting those with information, questions or issues. Please don't hesitate to call or email with any questions you may have. We are on your side, just call 650-5500, email email@example.com, or look for us in the basement of Lovejoy and at the MUC.