A common trick used by attackers is to send an email that appears to come from someone you trust. The email urges the recipient to click on a link to verify their account, update an “expired” password, or open an important attachment. The email may look real, with company logos, links and branding, but beware – the sender name and logos prove nothing, and the message may have come from an illegitimate source.
Common features of phishing emails include:
- Too good to be true
- Sense of urgency
- Unusual Sender
Especially for business employees, it is easy to imagine how someone might be manipulated into clicking on a phishing email that uses any of these appeals.
There is more than one way to phish:
- Phishing – email
- Vishing – voice phishing: phone-call scams, often placed over VoIP (Voice over Internet Protocol) so the caller ID can be faked
- Spear Phishing – attacks customized to the recipient, such as corporate executives, often using details gathered from public sources
- SMS Phishing or Smishing – cell phone or smartphone text messages that pressure people into divulging personal information or tapping a link
Protecting against phishing
Here are a few things you should know:
- Your bank will never send you an email or call you on the phone asking you to disclose personal information such as your credit card number, banking password, or your mother’s maiden name.
- Be suspicious of unsolicited emails that appear to have a sense of urgency and warnings that your accounts will be closed or your access restricted if you don’t reply.
- Review the email carefully. While some fraudulent emails may look professional at first glance, look for spelling errors, incorrect grammar, or unusual language.
- When using @bcit.ca email, always hover over a link (don’t click) to see where it really goes. BCIT has adopted Microsoft Safe Links, so links in mail delivered to @bcit.ca are rewritten to start with https://can01.safelinks.protection.outlook.com/?url= followed by the (URL-encoded) actual destination. Read the destination after url= to judge the link, not the Safe Links prefix, which every link gets.
- If the destination that appears when you hover is different from the address shown in the link text, or from the organization the email claims to be from, that is an indicator the source is probably illegitimate. You can check the validity by using a reputable search engine to look up the address and/or company name, or by typing the organization’s known address into your browser yourself instead of clicking.
When in doubt, the best practice is to delete the email or report it to IT support.
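The two checks above (unwrapping the Safe Links prefix to find the real destination, and comparing that destination with what the link text claims) can be automated. The following is an added example for this page, not BCIT’s own tooling: it takes the display text and href of a link, strips the Safe Links wrapper if present, and reports whether the real host belongs to the trusted domain. The sample links and the placeholder domains are constructed for the example; only the Safe Links format is taken from the text above.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample links for this example (display text, href).
# The Safe Links host and the "?url=" parameter follow the format quoted
# in the text above; the other domains are placeholders, not real sites.
SAMPLE_LINKS = [
    ("https://my.bcit.ca/login",
     "https://can01.safelinks.protection.outlook.com/"
     "?url=https%3A%2F%2Fmy.bcit.ca%2Flogin&data=example"),
    ("https://my.bcit.ca/login",
     "https://can01.safelinks.protection.outlook.com/"
     "?url=https%3A%2F%2Fbcit-login.example.net%2Fverify&data=example"),
    ("https://www.bcit.ca/",
     "https://bcit.ca.example-verify.com/reset"),
]

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"


def unwrap_safelink(href):
    """Return the real destination of a Safe Links-wrapped URL.

    Safe Links rewrites outbound links as
    https://<region>.safelinks.protection.outlook.com/?url=<encoded original>&...
    If href is not a Safe Links URL it is returned unchanged.
    parse_qs already percent-decodes the value, so no extra unquote is needed
    (a second decode could mangle a legitimately encoded destination).
    """
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if host.endswith(SAFELINKS_SUFFIX):
        query = parse_qs(parts.query)
        if "url" in query:
            return query["url"][0]
    return href


def inspect_link(display_text, href, trusted_domain="bcit.ca"):
    """Classify a link the way a careful reader hovering over it would.

    Returns the unwrapped destination, its host, whether the host is inside
    trusted_domain, and a list of findings that should make the reader stop.
    """
    destination = unwrap_safelink(href)
    target_host = (urlsplit(destination).hostname or "").lower()

    # Only compare hosts when the link text itself looks like a URL.
    shown_host = ""
    if "://" in display_text:
        shown_host = (urlsplit(display_text).hostname or "").lower()

    findings = []
    if shown_host and shown_host != target_host:
        findings.append("link text and destination differ")

    # The trusted name must be the registrable domain (or a subdomain of it),
    # not merely appear somewhere inside the host name.
    trusted = target_host == trusted_domain or target_host.endswith("." + trusted_domain)
    if not trusted and trusted_domain in target_host:
        findings.append("trusted name appears inside an untrusted host")

    return {
        "destination": destination,
        "host": target_host,
        "trusted": trusted,
        "findings": findings,
    }


def triage(links=SAMPLE_LINKS):
    """Inspect every (display text, href) pair and return the results in order."""
    return [inspect_link(text, href) for text, href in links]


if __name__ == "__main__":
    for result in triage():
        verdict = "OK" if result["trusted"] and not result["findings"] else "SUSPICIOUS"
        print(f"{verdict:10} {result['host']:30} {'; '.join(result['findings'])}")
```

The third sample shows why the check uses the registrable domain: `bcit.ca.example-verify.com` contains the trusted name but is controlled by whoever owns `example-verify.com`. A production version would match against the Public Suffix List rather than a single configured domain.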
Ransomware is a form of malicious code or malware that infects a computer or network, spreads rapidly, and encrypts the data it can reach. The malware makes the data inaccessible to the user, and the criminals responsible demand payment in order to decrypt and return the files or unlock the infected computer. Paying does not guarantee that the files come back.
The 3 common ways computers are infected:
- via Phishing Emails – the individual receives an email with a malicious link or attachment
- via Malvertising – the individual visits a legitimate website that displays infected third-party advertisements
- via Exploits, including Zero Day exploits – the individual visits a legitimate but compromised website that serves code exploiting an unpatched (or, for a zero day, not yet patchable) vulnerability in the browser or a plugin, so no click or download is needed
Protecting against ransomware
What you can do to protect against an infection:
- Do not open emails from spammers or unknown sources.
- Do not click on email attachments from an unknown source.
- Avoid suspicious websites, and do not click the ads/links that often appear at the side or bottom of a page.
- Do not accept software updates that are triggered from a website or email, such as prompts to update Java or Adobe Flash; genuine updates come through the operating system’s or the vendor’s own update mechanism.
If you receive a pop-up or encounter a message that prompts you to pay a ransom:
- Immediately disconnect the device from the network/Internet and stop using it.
- Report it immediately to IT support or get assistance in removing the infection.
- Do not pay the ransom in any form.
- Change your important passwords (i.e., online banking, email) from a different (uninfected) device.
Malvertising is malicious code hidden within a legitimate website in the form of an advertisement, which either infects a computer with malware (with or without user interaction) or redirects the user to a malicious website. Attackers buy or hijack online advertisements that appear to be official, legitimate ads but carry a malicious payload such as ransomware, hence the name “malvertising”.
Malvertising could potentially perform the following malicious activities without the user clicking on the advertisement:
- Forced redirect of the browser to a malicious site
- Display unwanted advertising, malicious content, or pop-ups.
- A “drive-by-download” installation of malware or adware on the computer of a user viewing the ad.
Malvertising could potentially perform the following malicious activities when the user clicks on a malicious ad:
- Execute code that installs malware or adware on the user’s computer
- Redirect the user to a malicious website, instead of the target suggested by the ad’s content
- Redirect the user to a malicious website very similar to a real site, which is operated by the attacker
Protecting against malvertising
Here are some things you can do to protect yourself from malvertising:
- Install a pop-up/ad blocker for your browsers
- Keep all software updated, including the operating system, browsers and Java; Adobe Flash has reached end of life and should be uninstalled rather than updated
- Anti-virus/anti-malware software can protect against some malicious code executed by malvertising
- Resist clicking on ads, even if they appear to be from reputable companies
A data backup is the result of copying or archiving files and folders so that they can be restored in case of data loss or damage. Anyone who has lost files or folders knows how important it is to ensure their files are backed up. At BCIT, backing up your files is as easy as storing them on a network drive. There are many possible reasons your files may not be there when you need them:
- Hard disk failure
- Virus/worm infection (“malware”)
- Operating system failure
- Accidental deletion
- Computer theft
- Flood damage to your computer
- Any problem that requires re-imaging your computer (re-imaging involves erasing the entire hard drive contents and re-installing the operating system and standard BCIT applications)
Encryption is the process by which plaintext, or any other type of data, is converted from a readable form into a scrambled form that can only be read with the correct key, to prevent unauthorized access. Just as we lock our homes, we rely on encryption to protect data that we don’t want unauthorized parties to view or access.
Encryption is imperative for sending sensitive information, securing documents and keeping email and communications private, and, ultimately, it allows for peace of mind in the event of a compromise, theft or loss of a device.
At BCIT, encryption usage must be risk based and must take into account the sensitivity of the information, as per the Encryption Requirements below:

| Device / media | Required encryption | Supported tools |
|---|---|---|
| Windows Laptop & Desktop | Full disk encryption | Windows BitLocker |
| Apple Laptop & Desktop | Full disk encryption | Apple FileVault |
| Mobile Smart Devices | Device-level encryption | MDM or ActiveSync enforced encryption |
| Media Storage (USB keys, CDs, backup tapes, portable hard drives) | Device/media-level encryption | Microsoft BitLocker To Go, Kingston DataTraveler Vault, IronKey |
Passwords (words or strings of characters) and passphrases (sequences of words or other text) are common and important ways to access and protect digital information, on or off the Internet, through almost any type of device. Consequently, attackers attempting to access information use a variety of tools to guess or steal passwords/passphrases.
At BCIT, passwords must contain a minimum of 8 characters, and a passphrase style (several words) is recommended instead of a single-word password because it is longer and easier to remember. A password or passphrase must include:
- One upper case letter
- One lower case letter
- One number
- One special character
Follow these five ways to keep your password/passphrase safe:
- create a strong passphrase; avoid simple/common passwords
- guard it carefully (e.g. don’t share it or write it down)
- do not use BCIT passwords for systems outside of BCIT
- update your password in case of a potential threat or compromise
- use different passwords for different services
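The rules above (minimum length and the four character classes) plus the advice to avoid simple/common passwords can be enforced at the point where a password is set. The following is an added example for this page, not BCIT’s own policy check: it returns the list of rules a candidate fails, so an empty list means the candidate is acceptable. The short list of weak passwords is constructed for the example; a real deployment would check against a large breached-password list.

```python
import re

# Constructed list of weak passwords for this example only.
COMMON_PASSWORDS = {
    "password", "welcome", "qwerty", "letmein", "bcit", "changeme",
}

# Each rule is (description, predicate). Descriptions mirror the policy text.
RULES = [
    ("at least 8 characters", lambda p: len(p) >= 8),
    ("one upper case letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("one lower case letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("one number", lambda p: re.search(r"[0-9]", p) is not None),
    ("one special character", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]


def normalize(candidate):
    """Lower-case and strip trailing digits/symbols so that 'Password1!'
    is recognised as the common word 'password' with decoration added."""
    return re.sub(r"[^a-z]+$", "", candidate.lower())


def check_passphrase(candidate, username=None):
    """Return the policy rules the candidate fails; an empty list means accepted.

    Beyond the character-class rules it rejects decorated common passwords
    and candidates that contain the user name, two patterns that satisfy
    the letter of a complexity policy while being trivial to guess.
    """
    failures = [name for name, passes in RULES if not passes(candidate)]
    if normalize(candidate) in COMMON_PASSWORDS:
        failures.append("common password")
    if username and username.lower() in candidate.lower():
        failures.append("contains the user name")
    return failures


if __name__ == "__main__":
    for sample in ["Correct-Horse-Battery-7", "password", "Password1!", "Ab1!"]:
        print(repr(sample), "->", check_passphrase(sample) or "accepted")
```

Note that `Password1!` satisfies every character-class rule yet is rejected, which is the point of the "avoid simple/common passwords" advice: complexity rules alone do not stop attackers who try common words with the usual capital letter, digit and symbol added.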
A secure password vault must be used for storing and sharing passwords; never keep them in a plain document or spreadsheet. KeePass is a reliable, free, open source password manager for individuals. Schools or departments that require central management and sharing of passwords should refer to 1Password.
Multifactor authentication (MFA) is a security control that requires more than one method of authentication to verify a user’s identity at login. MFA is essential because a username and password alone can be phished, guessed or leaked; an attacker who has the password still cannot log in without the second factor. When using MFA, you will need two or more authentication factors, of different types, to log in.
We typically refer to three types of authentication factors:
- Things you know
Examples are passwords, PINs and security questions.
- Things you have
Examples are a SIM card, a security token or authenticator app, and an employee ID card.
- Things you are
Examples are fingerprint scans, voice recognition and facial recognition.