Oct 2020  Securing Your Remote Office

Monthly Security - Tips Newsletter

October is Cybersecurity Awareness Month and with the increased cybersecurity risks of working from home, we should all be thinking about how to secure our home office. After months of remote work, you have become a "work from home" pro. However, there may be some areas where you can shore up your home office cyber defenses. You may have realized that the security best practices you once followed are diminishing. Ask yourself - are you communicating with your colleagues and co-workers in a safe and secure way? Do you keep your passwords properly managed? Can you identify (and report) potential incidents or threats on your network? Answering these questions should make you realize that cybersecurity is more important than ever. For remote employees especially, there are many security risks – three in particular – that pose a threat: Email scams Many scammers send phishing emails with the intent to steal sensitive information from the recipient or the company. Especially in complicated times – like the novel coronavirus pandemic – phishers are hoping to take advantage of trusting victims. They'll often pretend they are someone within the company, like the CEO or a manager, to establish false trust. Remote workers are easy targets because they are not in the office and, therefore, hackers are hoping they won't check to see if the email is legitimate. Unsecured Wi-Fi During this time, many remote employees are using their private home network, which can increase the risk of leaked data. Third parties might be able to intercept and access sensitive emails, passwords and messages. Personal computers Many remote workers admit to using their personal devices rather than their designated work tech. According to Cisco, 46% of employees report transferring files between their work and personal computers. If employees obtain sensitive data and store it on their personal devices, that puts many organizations at risk. Another source of vulnerability is that if you, as a remote employee, are using your personal computer and are not downloading the latest updates, you are more vulnerable to cyberattacks. What can you do? While a list of everything you can do would be exhaustive, here are six suggestions that will go a long way towards securing your remote office. Not all of these can be deployed by everyone, but they are worth noting. We have ranked these (somewhat subjectively) in order of ease of implementation. 1.  Use strong passwords. Physical devices aren't your only concern. If a hacker tries to access any sensitive accounts, you want to make it as difficult as possible for them to log in. Make sure you are not only utilizing unique passwords for each account, but strong passwords as well. Using a password manager is a great precaution, as it ensures you are only using strong passwords; like those with special characters, numbers, upper and lowercase letters, etc. 2.  Multi-factor authentication. Multi-factor authentication (MFA) grants access to the device and all software after the employee provides more than one form of identification. Multi-factor authentication can prevent hackers from accessing your accounts, computer and mobile devices. The availability of MFA is becoming more and more widespread. If it is an option, we strongly recommend you take advantage of it. 3.  Invest in antivirus software. Your employer may provide a recommended application for a company-issued device, but if you use your personal laptop for work, you need to keep your system protected. 4.  Follow company policies to the letter. Your company likely has clear policies for accessing the company network outside the office. Those guidelines and rules should always be followed, but it's especially important when you're working remotely. Report any suspicious behavior to your IT department immediately and follow basic computer hygiene standards: All systems properly patched and up to date. This simply means that the latest updates for your applications have been downloaded, as these are pivotal in securing known vulnerabilities, in which malicious actors could exploit. Malware/Antivirus scans completed on a regular basis. Do not open email attachments willy-nilly. Look at any received email with a cautious eye. It is still the #1 vector for bad actors to wreak havoc.   5.  Don't allow family members to use your work devices. Remember, the computer you do your work on is for employee use only – it's not the family computer. Treat your work-issued laptop, mobile device and sensitive data as if you were sitting in a physical office location. While we understand that this is not always feasible, you should continuously associate your actions with a security-first and data-aware mentality in mind. As an added benefit you will help your family and other users to become more cyber aware and cyber secure. If the option exists to use company-issued equipment, that will always be the first choice. A second choice is a dedicated machine that no one else uses; not for games, nor movies or checking out those tantalizing Facebook posts. Lastly, a shared computer, one that is following all the computer hygiene recommendations above and is being closely monitored. 6.  Encrypt your messages. Data encryption helps protect sensitive information by translating it into a code that only people within your company can access through a secret key or password. Even if scammers intercept your data, they won't be able to interpret it properly. This goes for any messages or information you send, receive, or store on your devices. If this is a feasible option at your organization, make sure to check with your IT department for what types of encryption they may offer or you can take advantage of the many free and paid applications that are available. Encryption requires a bit more technical savvy but is not beyond your capability! Although October is Cybersecurity Awareness Month, please remember that we should all be cyber aware 365 days out of the year!

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes. Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

Sept 2020  Malware, Malicious Domains, and More: How Cybercriminals Attack SLTT Organizations

Monthly Security - Tips Newsletter

Cybercriminals continue to target U.S. State, Local, Tribal, and Territorial (SLTT) government organizations at an alarming rate. Attackers often target SLTT organizations because they know their security teams need to run complex networks, as well as deal with numerous third-party systems and services. Many SLTT cybersecurity teams are also struggling with reduced security budgets and a well-documented shortage of skilled cybersecurity and networking professionals to fill open positions. COVID-19, and the subsequent increase in remote working by government employees and online accessibility requests for government resources by citizens, has only added to their security challenges. Cybercriminals’ SLTT Playbook One of cybercriminals’ favorite attack vectors against SLTT organizations is malware. Malware is malicious software designed to perform malicious actions on a device. It can be introduced to a system in various forms such as emails or malicious websites. Various types of malware have distinct capabilities dependent on their intended purpose, such as disclosing confidential information, altering data in a system, providing remote access to a system, issuing commands to a system, or destroying files or systems.   While malware comes in many flavors, the most prolific type used against SLTT organizations is ransomware. Ransomware is a type of malware that blocks access to a system, device, or file until a ransom is paid. Ransomware does this by encrypting files on the endpoint, threatening to erase files, or blocking system access. It can be particularly harmful when ransomware attacks affect hospitals, emergency call centers, and other critical infrastructure. The 2020 Verizon Data Breach Investigations Report (DBIR) found that ransomware disproportionately affects the public sector (over 60% of malware incidents vs. 27% of malware in all sectors). Additionally, incidents observed by the Multi-State Information Sharing and Analysis Center (MS-ISAC) showed a 153% increase in SLTT ransomware attacks from January 2018 to December 2019. In 2019, there were more than 100 publicly disclosed ransomware attacks against SLTT organizations – including an attack on the City of Baltimore’s IT systems that locked out thousands of computers and disrupted nearly every city service. This attack is estimated to have cost the city as much as $18 million.Other common types of malware affecting SLTT organizations include: - Trojans are malware that appears to be a legitimate application or software that can be installed. Trojans can provide a backdoor to an attacker and subsequently full access to the device, allowing the attacker to steal banking and sensitive information, or download additional malware. Findings from the 2020 Verizon DBIR show that trojan variants were involved in over 50% of malware incidents in the public sector. - Downloaders or Droppers are malware, which in addition to their own malicious actions, allow for other, often more dangerous, malware to infiltrate the infected system. Data collected by the 2020 Verizon DBIR shows that nearly 25% of public sector incidents involved a downloader or dropper. - Spyware is malware that records keystrokes, listens in via computer microphones, accesses webcams, or takes screenshots and sends the information to a malicious actor. This type of malware may give actors access to usernames, passwords, any other sensitive information entered using the keyboard or visible on the monitor, and potentially information viewable through the webcam. Keyloggers, which mainly record keystrokes, are the most common type of spyware and ZeuS, the most famous keylogger, has been on the MS-ISAC’s Top 10 Malware list for several years. - Click Fraud is malware that generates fake automatic clicks to ad-laden websites. These ads create revenue when clicked on. The more clicks, the more revenue that is generated. Kovter, one of the more prolific versions of click fraud, has been on the MS-ISAC’s Top 10 Malware list for the past few years. Protecting Your Organization from Malware Malware most commonly finds its way into SLTT organizations through either malspam, unsolicited emails that either direct users to malicious websites or trick users into downloading or opening malware, or malvertisements, malware introduced through malicious advertisements. The common thread between these vectors and the various types of malware they can introduce to your organization’s IT systems is that they almost always involve either users or the malicious software they unintentionally download connecting to malicious web domains. To help SLTT organizations protect themselves against these common types of cyber-attacks, the Center of Internet Security (CIS) is partnering through the MS-ISAC and Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) with the U.S. Department of Homeland Security (DHS) Cybersecurity Infrastructure Security Agency (CISA) and Akamai to offer its new Malicious Domain Blocking and Reporting (MDBR) service at no cost to U.S. SLTT government members of the MS- and EI-ISACs. The service allows SLTT security teams to quickly add an additional layer of cybersecurity protection against their systems connecting to malicious web domains and to enhance their existing network defenses. For organizations not eligible to join the MS- or EI-ISAC, similar protection can be obtained through Quad9. Quad9 is a no-cost, recursive, anycast DNS platform that provides end users robust security protections, high-performance, and privacy. Quad9 was developed by the Global Cyber Alliance (GCA), an international nonprofit organization founded by a partnership of law enforcement and research organizations focused on combating systemic cyber risk in real, measurable ways (CIS is a founding organization of GCA). About Malicious Domain Blocking and Reporting (MDBR) The MDBR service is only available to members of the MS- and EI-ISAC. For those who are not eligible for membership, please see the section below on Quad9 for a similar service available to the General Public. MDBR proactively blocks network traffic from an organization to known harmful web domains, helping protect IT systems against cybersecurity threats and limit infections related to known malware, ransomware, phishing, and other cyber threats. This capability can block the vast majority of ransomware infections just by preventing the initial outreach to a ransomware delivery domain. In just the first five weeks of service, the MDBR service blocked 10 million malicious requests from more than 300 SLTT entities. Once an organization points its domain name system (DNS) requests to Akamai’s DNS server IP addresses, every DNS lookup will be compared against a list of known or suspected malicious domains. Attempts to access known malicious domains, such as those associated with malware, phishing, or ransomware, are blocked and logged. Akamai provides all logged data to the MS- and EI-ISACs’ Security Operations Center (SOC), including both successful and blocked DNS requests. The SOC uses this data to perform detailed analysis and reporting for the betterment of the SLTT community, as well as regular organization-specific reporting and intelligence services. If necessary, remediation assistance is provided for each SLTT organization that implements the service. Any U.S. SLTT government entity that is a member of the MS- or EI-ISAC can sign up for MDBR. They are able to take advantage of this additional layer of cybersecurity protection at absolutely no cost, courtesy of funding support provided by CISA. To learn more about MDBR and sign up your organization for the service, please visit our website. About Quad9 Quad9 blocks against known malicious domains, preventing your organization’s computers and IoT devices from connecting to malware or phishing sites. Whenever a Quad9 user clicks on a website link or types an address into their web browser, Quad9 checks the site against a list of domains compiled from over 18 different threat intelligence partners. Each threat intelligence partner supplies a list of malicious domains that are based on heuristics examining factors such as scanned malware discovery, network IDS past behaviors, visual object recognition, optical character recognition (OCR), structure and linkage to other sites, as well as individual reports of suspicious or malicious behavior. Based on the results, Quad9 resolves or denies the lookup attempt, preventing connections to malicious sites when there is a match. Quad9 routes your organization’s DNS queries through a secure network of servers around the globe.

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes. Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

Aug 2020  Working Remotely: How to be Safe, Secure, and Successful

Monthly Security - Tips Newsletter

Between working at the office, or school, or remotely, the principles of security can become something of a moving target. For some, this creates an uncertainty with making sure that the right policies are applied. Reducing risk on at-home networks, keeping information secure during virtual meetings and having a strong password policy are some best practices that can be implemented quickly and effectively from wherever you are working. Reducing Risk on Home Networks Home IT devices, such as unsecured off-site routers, modems, and other network devices are subject to many of the same threats as on-site business devices. They can be attacked from any device on the internet. Remote devices are also vulnerable to unauthorized access from neighbors and passersby. As we continue to work, attend school, and connect with friends and family remotely, there are steps you can take to reduce the risk and improve the security of home networks. Consider the following list to gauge the amount of risk involved and improve the security of your home network: - Are your network devices physically secured? - Have you changed the default manufacturer/administrative account password on your network devices (modem and router)? Many routers will come preconfigured with a password. The default password for most router models are easily accessible on the internet, making it extremely important to change the administrative passwords and not use the default. - Do you have a unique password and two-factor authentication (2FA) enabled on your network devices (modem and router)? - Do you have a password policy in place? Do you have a unique password and 2FA enabled on your internet service provider's web portal? - If you use a mobile application for network management, do you have a unique password and 2FA enabled? - Have you installed the latest updates for your network devices (i.e., modem, router, laptop/PC) or have you enabled auto-update with the device’s administration page? - Does your network device (router/modem) support Wi-Fi Protected Access Version 2 (WPA2) or Wi-Fi Protected Access Version 3 (WPA3)? WPA2 should be the minimum. - Have you turned off/disabled Wireless Protected Setup (WPS) and Universal Plug and Play (UPnP) on your network? If enabled, these might allow attackers to connect to your devices without permission. - Have you changed the Wi-Fi network name to something unique that doesn’t provide any identifying information? - Have you enabled firewall on your network devices? - Have you disabled remote management? Most routers offer the option to view and modify their settings over the internet. Turn this feature off to guard against unauthorized individuals accessing and changing your router’s configuration. - Have you hardened your device by removing ports, software or services that are unused or unwanted? - Do you run updated antivirus and malware protection on your device? Security during virtual meetings In order to help protect you and your organization from potential threats, here are some cybersecurity tips on how to securely configure your virtual meetings, whether they be for work or your classroom experience: Sharing of your information assets during virtual meetings - Avoid adding your meeting to any public calendars or posting it on social media - Require participants to enter an access code - Avoid reusing access codes or meeting pins - Distribute the meeting link and access code directly to the intended participants - Remind invited guests not to share the access code - Before sharing your screen, close unused windows to ensure you do not share sensitive or confidential information - Use a privacy shield or cover over your webcam when it is not in use Managing your information assets and password policy - Use your organization’s provided services and devices - Do not record the meeting unless it is necessary and be aware that others may be able to record the meeting - Disable the “Anyone Can Share” feature to prevent unauthorized screen sharing - Muting users on entry can prevent potential disruptions - Prevent users from sharing video by default; allow video sharing only when necessary - Validate the participant list against invited attendees, or have participants identify themselves as they join the meeting - Do not trust the safety of links shared in meeting chats - Schedule “Unlisted” meetings and hide specific details, such as its host, topic, and starting time - Do not allow attendees to “Join Before Host” - Set up each meeting to require all attendees to enter a password - Create a unique password comprised of upper, lower case, numbers, and special characters for each meeting - Exclude the meeting password from attendee email invitations. Provide the password to attendees via a separate email or by phone - On reoccurring meetings, always check to ensure one-time attendees are not included in subsequent meetings or meeting chat threads. - Do not list personal information, such as location, phone number, or date of birth on your Skype profile Remember, just like you protect your physical assets (shed, kayak, or bike) with a padlock, you need to lock down connectivity devices to protect information assets! A resilient cybersecurity mindset contributes towards being able to have a clear view of the objectives. For some, end points might have become a primary concern, for others, the corporate assets might have become even more susceptible in light of the increased amounts of ransomware. This dual pronged problem especially became more evident during this new world of COVID-19 with more staff working remotely. Have you identified more risk than you initially realized? More information and mitigation techniques can be found at Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA). Additional Resources CIS Password Policy Guide

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes. Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

July 2020  6 Common Elderly Scams to Watch Out For And How To Stay Safe

Monthly Security - Tips Newsletter

A scam can be initiated via the computer (email, internet, social media), text, postal mail, in person, or a phone call. No matter the origin of the scam, the characteristics are the same: - First, there is something to pique your interest – someone in trouble, big discount offers, lottery win. - Second, the individual contacting you seems trustworthy, super friendly, and seems to care about you. - Third, there’s a deadline associated with the offer – act fast, act now. There will always be scams, particularly those targeted at seniors. This month’s newsletter identifies some common scams and some tips to help you take control of the situation and stay safe and stay in control. Grandparent Scam One of the most common scams presented to seniors is the Grandparent Scam. The caller claims to be a relative, a grandson or granddaughter, and the call is urgent. Typically, the grandchild is out of town and is in trouble, needs money fast for some emergency, and doesn’t want the rest of the family to know. The caller may have bits of information, some of which could be collected from sources like social media, and prompts the senior to provide more information, making the call appear genuine. This is not a legitimate call. Hang up the phone and contact your family or the authorities. Sweepstakes Scam In this case, the scammer would send their target a check or something else of value, whether in the mail, email, text or phone call, that indicates the recipient won something. In order to claim the “prize,” the recipient may have to send a check or money order to cover taxes and fees, and may be asked for banking information to deposit the winnings, or to buy something to enter the contest. This is so the scammer can obtain private banking information. The name of the sweepstakes may seem familiar – quite often scammers will do this to make it recognizable. Legitimate contents do not ask for money or financial information up front. Do not respond to these messages with a check, money order or cash. It is always best to never provide identifying information to anyone over the phone, text, or email especially your bank account information. Home Improvement Scam Scammers target seniors by providing home improvement services in order to gain access to their home, belongings, and personal information. They will arrive at their target’s house, offer free inspections, or offer services to fix something they deem “needs work”. Scammer will pretend to be working for the local town or county to appear more legitimate. The homeowner should stay in control of the situation and not be intimidated by the person at their door. - Never let them in your home. - Be suspicious of unsolicited offers, and ask for identification. - If work does need to be done, ask friends and neighbors who they would recommend. Be sure to get references, and only used licensed contractors. - Never pay the full amount up front. Pay as the work is completed according to a contract. Telemarketer Scam Scammers will target seniors in an effort to obtain financial information by claiming to be from an important institution such as a credit card company, Microsoft, Social Security Administration, Internal Revenue Service, phone company, power company, and so on. Never feel pressured to commit to anything over the phone. - Don’t rely upon caller ID to let you know who the call is coming from. Technology today allows for calls to be masked and appear to be from a number you know or can associate with, but it is not. - Never give out personal information to an unsolicited caller. Never provide birthday, social security number (even the last 4 digits), your mother’s maiden name, pet’s name, bank account information or anything that can be used as password or identifying information. - Hang up and contact the company the caller claims to be with directly if you feel you need to talk to them. Refer to your copy of your phone bill, power bill, or the number on the back of your credit card or bank card to initiate contact. Internet Scams There are many ways scammers are using technology to take advantage of seniors. Whether it is a special offer via email, attempts to acquire your user name and password via a scheme, or skimming of information while shopping online, there are ways you can be in control and keep your information safe. If you are computer-savvy, keep these tips in mind to keep your information safe: Never click on links in emails. Don’t open attachments for special offers. - Be careful of free offers over holidays. - Watch for malicious adds and popups. - Don’t shop over public wi-fi. - Be suspicious of gift card scams –buy from trusted sources. - Know what your product costs. - Make sure the site is secure – look for the “lock” icon and “https” on your browser address bar when shopping. - Make sure all computer anti-virus, malware, and security software is up to date. - Don’t save credit card information online; check out as guest if offered on the site. Charities While there are many charities that are worthy of your donations, be sure you know who you are donating to. - Always verify the charity before making any donation by checking with your Attorney General’s office. - Know what the charity is doing with your contribution. - Avoid charities that will not answer your questions or provide written information about their programs or finances. - Talk with family, friends, or trusted sources before giving to charity. - Do not give on the spot before doing research on the charity - Never give cash or purchase gift cards for payment. If you feel you have been scammed, or are concerned that you are a victim of fraud, contact your local law enforcement immediately. Remember to keep a close eye on bank and credit card statements, and report any unusual activity. Stay informed. Remember, you are in control! Additional resources https://ag.ny.gov/sites/default/files/smart_seniors.pdf https://www.cisecurity.org/newsletter/how-to-spot-and-avoid-common-scams/ https://ag.ny.gov/sites/default/files/smart_seniors.pdf https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/elder-fraud https://www.guidestar.org/ https://www.charitynavigator.org/

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes. Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

June 2020  Virtual Conferencing Platform Security Tips

Monthly Security - Tips Newsletter

With the recent move for many to working from home, there are a lot of questions around virtual conferencing platforms. Much of the attention has focused on the security of some platforms compared to others. However, the majority of the security issues actually have a lot to do with the users' familiarity with these platforms and their proper usage. The first thing to remember is this: If you are going to download a virtual conferencing application, be certain the download is from a reputable source. Most often the company will host the download themselves or have a link to the download on their website. It is advisable not to trust a download from third-party if you were not directed there by the official website. Security concerns regarding virtual conferencing Encryption may not be adequate to secure sensitive information or to protect the privacy of individuals. - End-to-end encryption is not an easy task for real-time audio or video connections. In most use cases it takes special hardware or software. It is very important to remember that some topics should not be discussed over a virtual conference. This is especially true regarding sensitive data, personally identifiable information (PII), and regulated data such as the Health Insurance Portability and Accountability Act (HIPAA), Children’s Online Privacy Protection Rule (COPPA), Federal Tax Information (FTI). - Consider where encryption key distribution servers are located when evaluating a company’s offerings. Researchers have found that some companies' encryption key distribution servers for U.S.-based meeting sessions were located in Beijing, China. In such situations, companies may be obligated to disclose meeting encryption keys to the Chinese government. - Just because a company advertises encryption, doesn’t mean that the best version of encryption being utilized. Figure 1: Tux the Penguin Encrypted in ECB vs Pseudo-Random Encryption Source github picoctf-2019-solutions/Cryptography/aes-abc/readme.md Virtual conferencing applications are vulnerable to multiple attacks - Malicious actors are creating fake installation files for multiple meeting platforms including Zoom Meetings, MS Teams, and Google Classroom. - Some conferencing platforms have been “conference bombed.” This is when an uninvited guest gains access with the intention to disrupt or eavesdrop on the meeting. - Virtual conference meeting users have been targeted to capture potentially sensitive data disclosed during meetings. As well, recorded meetings may not be stored by their meeting host in a secure manner. Attackers have accessed a virtual conferencing meeting provider’s files stored on a provider’s computer and unsecured public cloud environments. Guidelines for Virtual Conferencing - If possible, NEVER share sensitive or regulated data during virtual conference meetings. - Become familiar with who may record your meeting. Be aware that individuals may choose to record a meeting using audio or video recording tools outside of the meeting software. - Download virtual conferencing clients directly from the manufacturer or your service provider. - Always run the newest version of the conferencing client (if required to download and install a client). - Password protect each meeting with a unique and complex password using letters, numbers and special characters. - Password protect recordings of meetings with a unique and complex password using letters, numbers and special characters. - Do not share your meeting link in public forums or on social media. In the event you must advertise your meeting publicly, remove the password embedded in the link and ask attendees to contact the organizer for the password. - Use a meeting ID rather than the personal ID associated with a virtual conferencing account. This way the meeting ID should change for each meeting. - Disable sharing for all attendees except for the meeting host. - Use the waiting room/lobby feature when it is available. This requires the organizers to admit people singly (for small meetings) or all at once (for larger meetings). If an attendee seems suspicious, the waiting room feature allows organizers to prevent them from joining the meeting. - Remove and block anyone from meeting rooms with an unrecognizable or unverifiable identity. Once removed, the person or people cannot come back in. Taking the above steps will help ensure your organization's virtual meetings will remain secure while employees connect and collaborate through these platforms.

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes. Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

May 2020  6 Steps to Securing IoT Devices and Taking Back Your Privacy

Monthly Security - Tips Newsletter

In today's world we are more connected than ever — not only to each other, but to our devices. For example, people now have the ability to open and close their garage doors and even start their cars directly from their phones. But what information do we put at risk when we do all of these amazing things? Securing Internet of Things (IoT) devices and keeping personally identifiable information (PII) safe and secure these days is of the utmost importance. IoT Information Collection When you buy the latest IoT device, you need to be aware of two things: First, IoT devices collect your information, and second, that information is always accessible. So, what exactly is information collection? Think of a common steaming service, like Netflix. Once you sign up, you'll start receiving emails from Netflix letting you know they’ve added a new TV show that you might enjoy. And the thing is, they’re usually right! That's because your viewing history and ratings have been transmitted through an algorithm to determine what else you’d be willing to watch, and thus, continue your subscription. Now imagine every device you have on your home network collecting this type of information. It's a scary thought! Keeping Your Information Secure on IoT Devices  While technology enables you to control your life from your fingertips, your information is at everyone else’s fingertips as well. Security isn’t fun or flashy, and because of this, some companies do not give it the consideration it deserves before they bring their products to market. Very often when you buy an IoT device or utilize a company’s service you have unknowingly allowed them to collect information about you. That agreement you have to sign before you can use any of their items is written by their lawyers, and unfortunately, without saying yes you can’t use that fancy new gadget. All of these companies know it, which is why hundreds of pages sit between you and your new purchase. 6 Steps to Protect Yourself and Your Devices 1. Change Default Passwords On devices that are connected to your network you should always make sure you change the default password. It doesn't matter if it's a new security camera or a new fridge. Creating new credentials is the very first step in securing your IoT devices and protecting your privacy. Research has shown that a “passphrase” is safer than a password. What does this mean? It means 1qaz!QAZ is less secure than Mydogsliketochasethechickensaroundtheyard! which is also much easier to remember. 2. Automatic Patches and Updates In today's "set it and forget it" society, many electronic devices can take care of themselves. Quite often technology has a setting that allow for automatic updates. This is an important setting to turn on when securing IoT devices. 3. Set-up Multi-factor Authentication (MFA) MFA security settings are growing in popularity. This is as simple as receiving a text or code that you need to type in while signing on to a system. Often times within the account preferences of your device, you can set up an Authentication Application. If you can’t find this option call customer service, chances are it exists somewhere. 4. Utilize a Password Manager Keep usernames and passwords unique. Most password manager applications can generate a random password for you, and will allow you to store them safely. 5. Update Default Settings Check to see which settings are turned on by default, especially if you don't know what they mean. If you are unfamiliar with FTP or UPnP, chances are you are not going to use them, or even notice that they are off. 6. Avoid Public Wi-Fi It may be convenient to connect to a public Wi-Fi, but think again! If the Wi-Fi network does not require a password, then anyone can listen in on your computer’s information. Some public Wi-Fi networks are deliberately set up in the hopes that people will use it so they can steal information or credentials. Remember that just like you lock your front door to protect the valuables inside, these days you also need to lock your IoT devices to protect your information and your privacy.

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes. Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

April 2020  What You Need to Know About COVID-19 Scams

Monthly Security - Tips Newsletter

Taking advantage of current events is a common tactic that cybercriminals use to fuel their malicious activities. With the global pandemic of COVID-19 and an overwhelming desire for the most current information, it can be difficult for users to ensure they are clicking on reliable resources. So far, the MS-ISAC has seen malicious activity come through just about every channel: email, social media, text and phone messages, and misleading or malicious websites. The range of current malicious activity attempting to exploit COVID-19 worldwide varies. A few common examples include: - Fake tests or cures. Individuals and businesses have been selling or marketing fake “cures” or “test kits” for COVID-19. These cures and test kits are unreliable, at best, and the scammers are simply taking advantage of the current pandemic to re-label products intended for other purposes. For more information on fraudulent actors and tests, check out resources from the U.S. Food and Drug Administration (FDA). - Illegitimate health organizations. Cyber criminals posing as affiliates to the World Health Organization (WHO), the Centers for Disease Control and Prevention (CDC), doctor’s offices, and other health organizations will try to get you to click on a link, visit a website, open an attachment that is infected with malware, or share sensitive information. This malicious activity might originate as a notice that you have been infected, your COVID-19 test results came back, or as a news story about what is happening around the world. - Malicious websites. Fake websites and applications that claim to share COVID-19 related information will actually install malware, steal your personal information, or cause other harm. In these instances, the websites and applications may claim to share news, testing results, or other resources. However, they are only seeking login credentials, bank account information, or a means to infect your devices with malware. - Fraudulent charities. There has been an uptick in websites seeking donations for illegitimate or non-existent charitable organizations. Fake charity and donation websites will try to take advantage of one’s good will. Instead of donating the money to a good cause, these fake charities keep it for themselves. Government Efforts to Reduce COVID-19 Malicious Activity   The Department of Justice (DOJ) is actively seeking to detect, investigate, and prosecute cyber threat actors associated with any wrongdoing related to COVID-19. In a memo to the U.S. Attorneys, Attorney General William Barr said, "The pandemic is dangerous enough without wrongdoers seeking to profit from public panic and this sort of conduct cannot be tolerated." Individually, most state law enforcement agencies and other judicial officials are also treating these malicious actions as a high priority. More information can be found at https://www.justice.gov/coronavirus. Additionally, the FDA has been taking action to protect consumers from fraudulent and deceptive actors who are taking advantage of COVID-19 by marketing tests that pose risks to patient health. If you are aware of any fraudulent test kits or other suspect medical equipment for COVID-19, you can report them to the FDA by emailing FDA-COVID-19-Fraudulent-Products@fda.hhs.gov. The FDA is now aggressively monitoring and pursuing those who place the public health at risk and are holding these malicious actors accountable. Recommendations  Exercise extreme caution in handling any email with COVID-19-related subject lines, attachments, or hyperlinks in emails, online apps, and web searches, especially unsolicited ones. Additionally, be wary of social media posts, text messages, or phone calls with similar messages. Be vigilant, as cyber actors are very likely to adapt and evolve to the nation’s situation and continue to use new methods to exploit COVID-19 worldwide. By taking the four precautions below, you can better protect yourself from these threats: - Avoid clicking on links and attachments in unsolicited or unusual emails, text messages, and social media posts. - Only utilize trusted sources, such as government websites, for accurate and fact-based information pertaining to the pandemic situation. - Federal Emergency Management Agency (FEMA) recommends only visiting trusted sources for information such as coronavirus.gov, or your state and local government’s official websites (and associated social media accounts) for instructions and information specific to your community. - NEVER give out your personal information, including banking information, Social Security Number, or other personally identifiable information over the phone or email. - Always verify a charity’s authenticity before making donations. For assistance with verification, utilize the Federal Trade Commission’s (FTC) page on Charity Scams. For more information  If you think you’re a victim of a scam or attempted fraud involving COVID-19, or you think you know of a scam or fraud, you can report it without leaving your home: - Contact the National Center for Disaster Fraud Hotline via email at disaster@leo.gov at 866-720-5721 or the FEMA Disaster Fraud Hotline at 866-720-5721 to report frauds and scams, including personal protective equipment (PPE) hoarding or price gouging; - Report scams and frauds to the Cybercrime Support Network ; and - File a complaint for criminal activity by contacting your local law enforcement agency. Additional Resources - CDC, FEMA, and White House | COVID-19 - CDC | COVID-19-Related Phone Scams and Phishing Attacks - CDC | Know the facts about coronavirus disease 2019 - CISA | Security Tip: Using Caution with Email Attachments - CISA | Risk Management for Novel Coronavirus - CISA | Information & Updates on COVID-19 - FBI | FBI Exec Discusses COVID-19-Related Schemes - FEMA | Coronavirus Rumor Control - U.S. DOJ | Coronavirus

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes. Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

March 2020  Social Media: The Pros, Cons and the Security Policy

Monthly Security - Tips Newsletter

Risks & rewards of social media   Social media is a great tool in your organization’s communications toolbox. Many Americans have accounts on at least one platform and expect to find pages for their favorite brands and communities. If used correctly, it can have many benefits: - Providing real-time information. Social media enables organizations to provide information in real-time. This is especially useful if your organization needs to communicate important information quickly. For example, if your organization experiences a time sensitive incident, such as a data breach, you can use social media to share pertinent information and provide steps your followers can take to remediate the damage. Government entities can use social media to disseminate information about programs and public meetings, changes in schedules, road work, and other information that constituents need to know about. - Answering questions. Social media allows consumers to ask organizations questions and provide feedback. This means you know what information and product features they want, what you are doing well, and where you can improve. You can change your customer service processes, add new products or change existing ones, or keep doing what you do well. Most importantly, you can be responsive to your customers, which will help grow your image and your business. - Humanizing your organization. Consumers can get to know your brand and the people behind it, and vice versa. Because the conversation is person-to-person and not bot-to-person, a company can reach customers using social media in ways that other marketing and advertising can’t. For example, you can adopt a more human voice through social media than you would through traditional advertising. Even a simple “Please PM your information so we can look into your concern” can go a long way toward keeping a current customer happy and maybe getting some new ones.  Of course, the unicorn is the post that goes viral for the right reasons. However, not everything looks rosy when it comes to organizations using social media.   Building a security-focused social media plan   Privacy and security risks associated with social media platforms only increase as the number of users and platforms grow. Cybercriminals mine social media accounts to get valuable intelligence that they can use in malicious campaigns. All organizations should develop a social media policy that takes cybersecurity and privacy into account. The first step is to develop a social media policy that includes what can be posted, who can post, and on what devices (e.g., can they use their personal device, or does it have to be a company-owned device?), and who is responsible for keeping and changing passwords. These are just some of the things that should be addressed; there are guides that will help you write a detailed plan. Below are a few tips for developing a secure social media plan in your organization: - Providing real-time information. Social media enables organizations to provide information in real-time. This is especially useful if your organization needs to communicate important information quickly. For example, if your organization experiences a time sensitive incident, such as a data breach, you can use social media to share pertinent information and provide steps your followers can take to remediate the damage. Government entities can use social media to disseminate information about programs and public meetings, changes in schedules, road work, and other information that constituents need to know about. - Answering questions. Social media allows consumers to ask organizations questions and provide feedback. This means you know what information and product features they want, what you are doing well, and where you can improve. You can change your customer service processes, add new products or change existing ones, or keep doing what you do well. Most importantly, you can be responsive to your customers, which will help grow your image and your business. - Humanizing your organization. Consumers can get to know your brand and the people behind it, and vice versa. Because the conversation is person-to-person and not bot-to-person, a company can reach customers using social media in ways that other marketing and advertising can’t. For example, you can adopt a more human voice through social media than you would through traditional advertising. Even a simple “Please PM your information so we can look into your concern” can go a long way toward keeping a current customer happy and maybe getting some new ones.   Securing our connected future  Social media has proven to be a powerful communications tool for both business and government organizations, but its powers can be used to harm as well as help. A solid social media policy and security plan that is implemented with care, will vastly improve your social media strategy and protect employees’ privacy.

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes. Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

February 2020  Cyber Threat Actors Expected to Leverage Coronavirus Outbreak

Monthly Security - Tips Newsletter

Cyber threat actors (CTA) leverage interest during public health threats and other high-profile events in order to conduct financial fraud and disseminate malware. We expect that this trend will continue with the emergence of new and recycled scams involving financial fraud and malware related to the coronavirus outbreak. Malicious actors are likely to post links to fake charities and fraudulent websites that solicit donations for relief efforts or deliver malware. The MS-ISAC observed similar scams and malware dissemination campaigns in response to previous high-profile events including Hurricane Harvey, the Boston Marathon bombing, the Royal Wedding, and the Tennessee wildfires. Its highly likely that more scams and malware will follow over the course of the response period. Internet users should exercise caution before opening related emails, clicking links, visiting websites, or making donations to coronavirus relief efforts.
Warning Signs   As of February 1, 2020, the MS-ISAC had observed the registration of names containing the phrase “coronavirus.” The majority of these new domains include a combination of the words “help,” “relief,” “victims,” and “recover.” Most of the domains appear to be currently under development. However, as a few appear malicious and the domains themselves appear suspect, these domains should be viewed with caution. More domain registrations related to the coronavirus are likely to follow in the coming days. The potential of misinformation during times of high-profile global events and public health threats is high and users should verify information before trusting or reacting to posts seen on social media. Malicious actors often use social media to post false information or links to malicious websites. The MS-ISAC observed similar tactics in the days following Hurricane Irma’s landfall and other natural disasters. It is likely that CTAs will also capitalize on the outbreak to send phishing emails with links to malicious websites advertising relevant information. It is possible these websites will contain malware or be phishing websites requesting login credentials. Other malicious spam will likely contain links to, or attachments with, embedded malware. Victims who click on links or open malicious attachments risk compromising their computer to malicious actors.   How to Avoid Being the Victim   The MS-ISAC recommends that users adhere to the following guidelines when reacting to high-profile events, including news associated with the coronavirus, and solicitations for donations: - Users should exercise extreme caution when responding to individual pleas for financial assistance such as those posted on social media, crowd funding websites, or in an email, even if it appears to originate from a trusted source. - Be cautious of emails or websites that claim to provide information, pictures, and videos. - Do not open unsolicited (spam) emails or click on the links or attachments in those emails. - Never reveal personal or financial information in an email or to an untrusted website. - Do not go to an untrusted or unfamiliar website to view the event or information regarding it. - Malicious websites often imitate a legitimate website, but the URL may use a variation in spelling or a different domain (e.g., .com vs .org).   The MS-ISAC recommends that technical administrators adhere to the following guidelines when reacting to and protecting their networks and users during high-profile events, including news associated with coronavirus: - Warn users of the threats associated with scams, phishing, and malware associated with high-profile events and train users about social engineering attempts. - Implement filters at your email gateway to filter out emails with known phishing attempt indicators and block suspicious IPs at your firewall. - Flag emails from external sources with a warning banner. - Implement DMARC to filter out spoofed emails.
For More Information FTC Warns of Ongoing Scams Using Coronavirus Bait https://www.bleepingcomputer.com/news/security/ftc-warns-of-ongoing-scams-using-coronavirus-bait/
	The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes. Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

January 2020  New Year, New You... Same W-2 Tax Scams

Monthly Security - Tips Newsletter

Tax season is in full swing, which means criminals will go to great lengths to separate you from your money, your identity, or anything of value that is within their reach. They may offer seemingly legitimate "tax services" that are actually designed to steal your identity and your tax refund. Often times, criminals will lure you in with an offer of larger write-offs or refunds. Such scams might include fake websites and tax forms that look like they belong to the Internal Revenue Service (IRS) in order to trick you into providing your personal information. Due to the rise in data breaches, you should always take steps to minimize your risk of identity theft and other online-related crimes; this is especially important this time of the year. Below are some warning signs to look for and basic precautions you can take to minimize risk and avoid becoming the next victim!
Warning Signs of an Online Tax Scam - An email or link requesting personal and/or financial information, such as your name, social security number, bank or credit card account numbers, or any additional security-related information. - Emails containing various forms of threats or consequences if no response is received, such as additional taxes or blocking access to your funds. - Emails from the IRS or federal agencies. The IRS will not contact you via email. - Emails containing exciting offers, tax refunds, incorrect spelling, grammar, or odd phrasing throughout. - Emails discussing "changes to tax laws." These email scams typically include a downloadable document (usually in PDF format) that purports to explain the new tax laws. However, unbeknownst to many, these downloads are almost always populated with malware that, once downloaded, will infect your computer. How to Avoid Being the Victim - Never Send Sensitive Information in an Email: Information sent through email can be intercepted by criminals. Make sure to consistently check your financial account statements and your credit report for any signs of unauthorized activity. - Secure Your Computer: Ensure your computer has the latest security updates installed. Check that your anti-virus and anti-spyware software are running properly and receiving automatic updates from the vendor. If you haven't already done so, install and enable a firewall. - Carefully Select the Sites You Visit: Safely searching for tax forms, advice on deductibles, tax preparers, and other similar topics requires great caution. NEVER visit a site by clicking on a link sent in an email, found on someone's blog, or in an advertisement. The websites you land on might look like legitimate sites, but can also be very well-crafted fakes. - Be Wise with Wi-Fi: Wi-Fi hotspots are intended to provide convenient access to the internet, however, this convenience can come at a cost. Public Wi-Fi is not secure and is susceptible to eavesdropping by hackers, therefore, never never use public Wi-Fi to file your taxes! - Look for Clear Signs: Common scams will tout tax rebates, offer great deals on tax preparation, or offer a free tax calculator tool. If you did not solicit the information, it's likely a scam. - Be on the Watch for Fake IRS Scams: The IRS will not contact you via email, text messaging, or your social network, nor does it advertise on websites. Additionally, if an email appears to be from your employer or bank claiming there is an issue that requires you to verify personal information, this is most likely a scam as well. Don’t respond to these types of emails; always contact the entity directly. - Always Utilize Strong Passwords: Cybercriminals have developed programs that automate the ability to guess your passwords. To best protect yourself, make your passwords difficult to guess. Passwords should have a minimum of nine characters and include uppercase and lowercase letters, numbers, and symbols. If you receive a tax-related phishing or suspicious email at work, report it according to your organization’s cybersecurity policy. If you receive a similar email on your personal account, the IRS encourages you to forward the original suspicious email (with headers or as an attachment) to its phishing@irs.gov email account, or to call the IRS at 800-908-4490. More information about tax scams is available on the IRS website and in the IRS Dirty Dozen list of tax scams.
For More Information - IRS | Taxpayer Guide to Identity Theft - IRS | Report Phishing - IRS Dirty Dozen
	The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes. Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

December 2019  10 Tips to Securely Configure Your New Devices

Monthly Security - Tips Newsletter

The holiday season is upon us, which means shopping for the latest gadget is in full swing. With the massive number of discounts that are available this year, it makes sense for you to buy that latest smart device, right? However, as impressive as the latest iPhone or gaming computer might be, ensuring you’re able to properly secure these devices is more important than ever! Any device that connects to the internet is potentially vulnerable and could become compromised. Here are several tips to keep in mind that can help you securely configure your new devices:
Secure Configuration Tips 1 Adjust Factory-Default Configurations on Hardware and Change Default Passwords Passwords are a common form of authentication and are often the only barrier between cybercriminals and your personal information. Some internet-enabled devices are configured with default passwords to simplify setup. But did you know those passwords can easily be found online? To better secure your digital devices it’s important to change the factory-set default password. Be sure to replace it with a strong and unique password or passphrase for each account. 2 Secure your Wi-Fi Network with Encryption Your home’s wireless router is the primary entrance for cybercriminals to access your connected devices. To enhance your defenses, use Wi-Fi Protected Access 3 (WPA3). WPA3 is currently the strongest form of encryption for Wi-Fi. Other methods are outdated and more vulnerable to exploitation. 3 Double Your Login Protection Enable multi-factor authentication (MFA) to ensure that only the person who has access to your account is you. If MFA is an option, enable it by using a trusted mobile device such as your smartphone, an authenticator app, or a secure token. For instance, with an iPhone you can utilize your screen lock feature with a pin or password. 4 Disable Location Services and Remote Connectivity Location services might allow anyone to see where you are at any given time. Consider disabling this feature when you are not using your device to further secure your private information. Additionally, most mobile devices are equipped with wireless technologies such as Bluetooth that can be used to connect to other devices or computers. Consider disabling these features when not in use as well!
5 Safeguard Against Eavesdropping Disconnect digital assistants, such as your Amazon Alexa, when not in use. Limit conversation near baby monitors, audio recordable toys, and digital assistants. Be sure to cover cameras on toys, laptops, and monitoring devices when they are not in use. 6 Don’t Broadcast Your Wi-Fi Network Name To prevent outsiders from easily accessing your network, avoid publicizing your Wi-Fi network name, or service set identifier (SSID). All Wi-Fi routers allow users to disable broadcasting their device’s SSID. Doing so will make it more difficult for attackers to find a network. At the very least, change your SSID to something unique. Leaving it as the manufacturer’s default could allow a potential attacker to identify the type of router and possibly exploit any known vulnerabilities. 7 Install a Network Firewall Install a firewall at the boundary of your home network to defend against external threats. A firewall can block malicious traffic from entering your home network and alert you to potentially dangerous activity. Most wireless routers come with a configurable, built-in network firewall that includes features such as access controls, web-filtering, and denial-of-service (DoS) defense, that you can tailor to fit your networking environment. Keep in mind that some firewall features, including the firewall itself, may be turned off by default. Ensuring that your firewall is on and all the settings are properly configured will strengthen the security of your network.   Please Note: Your internet service provider (ISP) may be able to help you determine whether your firewall has the most appropriate settings for your particular equipment and environment. 8 Install Firewalls on Network Devices In addition to a network firewall, consider installing a firewall on all computers connected to your network. Often referred to as host or software-based, these firewalls inspect and filter a computer’s inbound and outbound network traffic based on a predetermined policy or set of rules. Most modern Windows and Linux operating systems come with a built-in, customizable, and feature-rich firewall. Additionally, most vendors bundle their antivirus software with additional security features such as parental controls, email protection, and malicious website blocking. 9 Remove Unnecessary Services and Software & Install Antivirus Software Disable all unnecessary services to reduce the attack surface of your network and devices, including your router. Unused or unwanted services and software can create security holes on a device’s system, which could lead to an increased attack surface of your network environment. Additionally, a reputable antivirus software application is an important protective measure against known malicious threats. It can automatically detect, quarantine, and remove various types of malware, such as viruses, worms, and ransomware. Many antivirus solutions are extremely easy to install and intuitive to use, allowing for automatic virus definition updates to ensure maximum protection against the latest threats. 10 Update and Patch Regularly Manufacturers will issue updates as they discover vulnerabilities in their products. The perfect example being all of the update notifications you receive on your iPhone! Configuring your device to receive automatic updates makes this easier for many devices, such as computers, phones, tablets, and other smart devices. However, if you need to manually update your device, make sure you are only applying updates directly from the manufacturer (i.e. Apple), as third-party sites and applications are unreliable and can result in an infected device. Additional Resources: https://www.nsa.gov https://niccs.us-cert.gov/
	The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes. Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

November 2019  8 Shopping Tips for the Holiday Season

Monthly Security - Tips Newsletter

It’s that time of year again, holiday shopping has begun! Everyone is looking for those unique gifts, hot toys and cool electronics. Whether it is a hard-to-find toy for kids or the latest 4K smart TV. Black Friday sales seldom fail to pique the interests of even the most casual shoppers. Yet even after the chaos of Black Friday lies both Small Business Saturday and Cyber Monday. While it’s clear that businesses are after your dollars during the holidays, you should be aware that cybercriminals are on the lookout, too. When it comes to holiday shopping, you need to be careful that you don’t fall prey to these criminals. Here are some tips to following for your holiday shopping:
Online Shopping Tips  1 Do not use public Wi-Fi for any shopping activity. Public Wi-Fi networks can be very dangerous, especially during the holiday season. Public Wi-Fi can potentially grant hackers' access to your usernames, passwords, texts and emails. For instance, before you join a public Wi-Fi titled "Apple__Store," make sure you first look around to see if there's actually an Apple Store in your vicinity, and thus, confirm that it is a legitimate network. To help stay secure, you should always be on the lookout for the lock symbol on your webpage. 2 Look for the lock symbol on websites. When visiting a website look for the “lock” symbol before entering any personal and/or credit card information. The lock may appear in the URL bar, or elsewhere in your browser. Additionally, check that the URL for the website has “https” in the beginning. These both indicate that the site uses encryption to protect your data. 3 Know what the product should cost. If the deal is too good to be true, then it may be a scam. Check out the company on “ResellerRatings.com”. This site allows users to review online companies to share their experiences purchasing from those companies. This will give you an indication of what to expect when purchasing from them. 4 One-time use credit card numbers. Many banks are now offering a single use credit card number for online shopping. This one-time number is associated with your account and can be used in place of your credit card number. This way, if the credit card number becomes exposed, it cannot be used again. Check with your credit card company to see if they have this option available. 5 Keep your computer secure. When using your computer to do your holiday shopping, remember to keep your Anti-virus software up to date and apply all software patches. Never save usernames, passwords or credit card information in your browser and periodically clear your offline content, cookies and history. You will want to keep your computer as clean as possible for online shopping. The world of online shopping can bring lots of new products to your door step and can prove to be a lot of fun finding that special gift. Just remember to be careful so that you don’t make your data a special gift to cybercriminals.
In-Store Shopping Tips 6 Always use credit cards for purchases. Avoid using your ATM or debit card while shopping. In the event that your debit card is compromised, criminals can have direct access to the funds from your bank account. This could cause you to miss bill payments and overdraw your account. When using a credit card, you are not using funds associated with your bank account. This means you are better protected by your credit card company’s fraud protection program. If you pay off the credit card balance each month, you won’t pay interest and your banking information will be protected. 7 Don’t leave purchases in the car unattended. Criminals can be watching and will consider breaking into your car to get the merchandise you just purchased. If you must leave some items in your car, consider leaving them in the trunk or glove compartment rather than in a visible location. 8 Beware of “porch pirates.” When shopping online and receiving purchases by mail, make sure you are always tracking your packages. The US Postal Service, FedEX and UPS all have systems to track your packages, and all three utilize tracking numbers that can be used to figure out where your item is and when it should be delivered to your home. However, the only surefire way to thwart porch pirates is to not have packages delivered to your home at all. Consider having your holiday packages delivered to a family member, your workplace, or a trusted neighbor!
Remember, always trust your instincts. If an email or an attachment seem suspicious, don't let your curiosity put your computer at risk! ~ Happy Holidays and safe shopping!
	The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes. Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.