Mac Updates – Beginning March 17, 2015

The following information applies to all faculty, staff, and administrators who currently use a Mac (Apple) computer. If you are using an SJU-provided Mac, please continue reading this email in its entirety.

An ongoing priority for the Office of Information Technology (OIT) has been to ensure a safe computing environment for the campus community. This includes providing anti-virus and anti-spyware protection, enabling safe browsing while you search the internet, and patching exposed vulnerabilities that put your data and the SJU network at risk. With these goals in mind, we have taken another step forward to ensure that all Mac users on campus are receiving vital security updates and running the same version of the Mac operating system. In doing this, OIT is able to better assist you in managing the software on University computers and ensure that University information resources are not put at unnecessary risk of potential security threats.

It is a common misconception that Apple computers are not at risk of threats such as viruses and malware. This is simply not the case. In reality, no computer is completely immune from possible attack. Our job in OIT is to proactively protect against this possibility.

A year ago, OIT introduced a new product to assist in remotely managing the software that runs on a Mac. This allowed OIT to deploy software, updates, patches, and other fixes to Apple computers in a more cost-effective, distributed manner. Before this new solution was introduced, high-priority updates and patches were difficult to deploy in a timely and proactive fashion, thus putting the campus computing environment at risk.

Many of you may have already noticed a window appear indicating available updates, which lets you know when new patches or updates are available (pictured below):

[Image: available updates window]

However, since implementing this solution, OIT has found that in some cases, urgent updates are not being installed regularly on University computers. In other words, some Mac users are ignoring or avoiding these important software updates. Beginning on March 17th, OIT will adopt a more proactive approach to ensure that high-priority patches are installed within a 7-day window. If you have a high-priority update pending installation on March 17th, you will see a message appear like the one pictured below. You will have 7 days to install the update.

[Image: pending high-priority update message]

Within 72 hours of the deadline, you’ll be prompted more frequently to perform the installations. At this point, it is highly recommended that you install these updates immediately to avoid reaching the deadline for the software update. When the deadline is reached, you will be forced to log out and reboot your computer. (Within 5 minutes of the deadline, you will see the image below):

[Image: deadline warning message]

It is highly recommended that you allow the updates to install when you first receive the update message. If you choose to wait, you risk losing documents when the forced installation occurs.

Is this only for Macs? For now, yes. However, OIT is working on a similar solution to address mandatory updates and patches for Windows computers that will be available soon.

It’s important to know that in utilizing this tool, OIT cannot and will not be accessing any of the data on your University computer.

OIT appreciates your cooperation in helping us better manage our University resources.

If you have any questions, please contact the TSC.

Phishing Scam: Dropbox Share Requests Now Being Faked

According to Wikipedia, Phishing “is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.”

It has come to our attention that Dropbox share requests are now being forged. Here are two examples of the fake share requests people have been receiving:

Hi asantabarbara@siena.edu,

Your friend shared a folder with you on Dropbox

Click accept to view

Happy sharing!

_____________________________________________________________________

Hello,

John Smith shared a folder with you on Dropbox

Click accept<http://nationalcenterforscience{dot}org/cuchicagoEdu> to view

Happy sharing!

– The Dropbox Team

Please note: if you receive a Dropbox share request from an unknown e-mail, delete the share request immediately and do not click on the link.

If you receive a Dropbox share request from someone you know, do not click on the link. Instead, send a new e-mail (don’t respond by replying to the Dropbox request) to the person asking them if they sent the share request. If they did, you may click on the link. If they didn’t, delete the share request and do not click on the link.

If you have any questions, please contact the TSC at X2920 or by e-mail at techhelp@sju.edu.
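
The mismatch visible in the second sample above (a message signed "The Dropbox Team" whose "accept" link leads to an unrelated domain) can also be checked mechanically. The following is an added example, not part of the original post or of any OIT tooling; the function names are hypothetical, and it assumes `dropbox.com` is the only domain accepted for genuine Dropbox links.

```python
import re
from urllib.parse import urlsplit

# Plain-text renderings of HTML mail show a link as: anchor-text<URL>
LINK_RE = re.compile(r"([^\s<>]+)<(https?://[^>\s]+)>", re.IGNORECASE)

# Assumption for this example: the only domain accepted for each brand.
BRAND_DOMAINS = {"dropbox": ("dropbox.com",)}

def refang(url):
    """Undo common defanging ({dot}, [dot], [.]) so the URL can be parsed."""
    return re.sub(r"\{dot\}|\[dot\]|\[\.\]", ".", url, flags=re.IGNORECASE)

def link_host(url):
    """Return the lower-cased host the link really goes to.

    urlsplit().hostname ignores any user@ prefix, so
    http://dropbox.com@other.example/ resolves to other.example.
    """
    try:
        host = urlsplit(refang(url)).hostname or ""
    except ValueError:  # malformed netloc; treated as "not the brand"
        host = ""
    return host.lower().rstrip(".")

def belongs_to(host, domain):
    """True for the domain or a subdomain, not for look-alike prefixes."""
    return host == domain or host.endswith("." + domain)

def mismatched_links(body):
    """List (anchor_text, host) for links that leave the brand the mail names."""
    text = body.lower()
    brands = [b for b in BRAND_DOMAINS if b in text]
    findings = []
    for anchor, url in LINK_RE.findall(body):
        host = link_host(url)
        for brand in brands:
            if not any(belongs_to(host, d) for d in BRAND_DOMAINS[brand]):
                findings.append((anchor, host))
                break
    return findings

# Second sample message from this page (URL left defanged as published).
FORGED = """Hello,
John Smith shared a folder with you on Dropbox
Click accept<http://nationalcenterforscience{dot}org/cuchicagoEdu> to view
Happy sharing!
- The Dropbox Team"""

# Constructed for comparison; the path is a placeholder, not a real share link.
GENUINE_STYLE = """Hello,
John Smith shared a folder with you on Dropbox
Click accept<https://www.dropbox.com/placeholder> to view"""

if __name__ == "__main__":
    print(mismatched_links(FORGED))
    print(mismatched_links(GENUINE_STYLE))
```

A link that passes this check is not thereby safe; the advice above to confirm the share with the sender in a separate e-mail still applies.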

Cybercrime and Law Enforcement

The final week of National Cyber Security Awareness Month focuses on educating local law enforcement officers so they can help their communities deal with the effects of cybercrime, and on providing the general public with ways to protect themselves from becoming victims of identity theft, fraud, phishing and other forms of cybercrime.

A recent article on the website Politico states, “Cybercrime costs the global economy up to $575 billion annually, according to a new report, with the U.S. taking a $100 billion hit, the largest of any country. That total represents up to 0.8 percent of the global economy, according to the report out Monday from McAfee, now known as Intel Security, and the Center for Strategic and International Studies, a Washington think tank. For the U.S., the estimated $100 billion cost means 200,000 lost jobs and is almost half of the total loss for the G-8 group of Western countries.” (Kopan, 2014)

But the effects of cybercrime aren’t limited to financial damages incurred by companies alone. An article on CNNMoney tells us that “Every two seconds, another American becomes a victim of identity fraud. The number of identity fraud victims jumped to 13.1 million in 2013, a new report from Javelin Strategy & Research finds. That’s an increase of 500,000 from 2012 and the second highest number of victims since Javelin began conducting its annual study in 2004. Identity fraud occurs when someone’s personal information is used to access money, while identity theft is when personal information is accessed, even if it isn’t used for financial gain.” (Ellis, 2014)

So what can the average consumer do to protect themselves from becoming a victim of cybercrime? The following are some very useful tips for keeping yourself – and your data – safe:

1. Use anti-virus software: Your net-savvy friend may tell you that he doesn’t have anti-virus on his computer because it slows things down. But look at it this way, one wrong click and he may have to make the entire college project from scratch.
2. Didn’t expect, don’t click: The golden rule: Hackers infect PCs with malware by luring users to click on a link or open an attachment. Social media has helped criminals profile individuals. They can see what you’re interested in or what you [post] about and send you crafted messages, inviting you to click on something. Don’t.
3. Different site, different passwords: Keeping a common password for all online accounts is a lot like having the same key for all locks. Only difference being that it is a lot easier to get hold of the online key. Also never reuse your main email password. But most online users own accounts in over a dozen sites. So either try and use clever variations or start doing some really heavy memory-enhancement exercise.
4. If in doubt, block: Just say no to social media invitations (such as Facebook-friend or LinkedIn connection requests) from people you don’t know. It’s the cyber equivalent of inviting home the guy with an eye-patch who stares at you at the bus stop.
5. Don’t bank on public wi-fi: Most Wi-Fi hotspots do not encrypt information and once a piece of data leaves your device headed for a web destination, any ‘packet sniffer’ (a programme which can intercept data) can intercept your unencrypted data. If you choose to bank online on public Wi-Fi, that’s very sensitive data you are transferring.
6. Only shop online on secure sites: Before entering your card details, always ensure that the locked padlock or unbroken key symbol is showing in your browser. Additionally, the beginning of the online retailer’s internet address will change from “http” to “https” to indicate a connection is secure. Be wary of sites that change back to http once you’ve logged on.
7. Lock down your FB account: Remove your home address, phone number, date of birth and any other information that could be used to fake your identity. Similarly you might want to delete or edit your “likes” and “groups” – the more hackers know about you, the more convincing a phishing email they can spam you with. Change your privacy settings to “friends” from “friends to friends”.
8. Don’t store your card details on websites: Err on the side of caution when asked if you want to store your credit card details for future use. Mass data security breaches (where credit card details are stolen en masse) aren’t common, but why take the risk? The extra 90 seconds it takes to key in your details each time is a small price to pay. (TNN, 2013)

Resources
Ellis, B. (2014). Personal Finance. Retrieved from CNNMoney: http://money.cnn.com/2014/02/06/pf/identity-fraud/
Kopan, T. (2014). Cybercrime costs $575 billion a year, $100 billion to US. Retrieved from Politico: http://www.politico.com/story/2014/06/cybercrime-yearly-costs-107601.html
TNN. (2013). Work&Life. Retrieved from iDIVA: http://idiva.com/news-work-life/12-ways-to-protect-yourself-from-cyber-crime/21449

Online Security for Small to Medium-sized Businesses

While cybersecurity is an important issue for both small and big businesses alike, larger companies have a marked advantage when it comes to purchasing and implementing the systems necessary to keep their data safe. Even so, the little guys face the same critical concerns when it comes to warehousing sensitive customer information.

According to the National Small Business Association, 44 percent of small businesses say they’ve been victimized by a cybercrime of some kind at least once. And the cost of those crimes averaged nearly $9,000 each to rectify. Part of the cost is notifying customers of a data theft that might compromise their personal credit or other information. Nearly every state now requires businesses to tell customers if personal data has been lost or stolen. (Kehrer, 2014)

A recent study of cyber crime by the Ponemon Institute reflects the staggering costs inflicted upon businesses due to illegal data breaches in 2013. German and US companies had the most costly data breaches ($199 and $188 per record, respectively). These countries also experienced the highest total cost (US at $5.4 million and Germany at $4.8 million). (Ponemon Institute, 2013)

And while the cost of preventing or repairing the damage caused by cyber attacks can be expensive, the aftermath of the attacks can be devastating. Customers may be less inclined to patronize an online business knowing that their personal information has been stolen in the past.

In a recent article published on the Department of Homeland Security’s website, implementation of the following practices was suggested for businesses looking to beef up their data security:
• Use and regularly update anti-virus and anti-spyware software on all computers; automate patch deployments across your organization to protect against vulnerabilities.
• Secure your Internet connection by using a firewall, encrypting information and hiding your Wi-Fi network.
• Establish security practices and policies to protect sensitive information; educate employees about cyber threats and how to protect your organization’s data and hold them accountable to the Internet security policies and procedures.
• Require that employees use strong passwords and regularly change them.
• Invest in data loss protection software for your network and use encryption technologies to protect data in transit.
• Protect all pages on your public-facing websites, not just the checkout and sign-up pages. (Department of Homeland Security, 2014)

As the Internet of today continues to replace the brick and mortar of yesterday, businesses of all sizes continue to search for ways to utilize the global market and the unlimited sales and growth potential online commerce has to offer. Their success hinges not only on their ability to supply goods and services to their customers, but also on their ability to keep sensitive customer information secure.

Resources:

Department of Homeland Security. (2014). Cybersecurity for Small and Medium-Sized Businesses and Entrepreneurs. Retrieved from Homeland Security: http://www.dhs.gov/national-cyber-security-awareness-month-2014-week-four

Kehrer, D. (2014, July). Cyber security growing problem for small business. Retrieved from AZCentral: http://www.azcentral.com/story/money/business/abg/2014/07/27/cyber-security-growing-problem-small-business/13242313/

Ponemon Institute. (2013). 2013 Cost of Data Breach Study: Global Analysis. Retrieved from Ponemon Institute: http://www.ponemon.org/local/upload/file/2013%20Report%20GLOBAL%20CODB%20FINAL%205-2.pdf

Securing Infrastructure and the “Internet of Things.”

This year the third week of National Cyber Security Awareness Month focuses on critical infrastructure and the Internet of Things. “The Internet underlies nearly every facet of our daily lives and is the foundation for much of the critical infrastructure that keeps our nation running. The systems that support electricity, financial services, transportation, and communications are increasingly interconnected. The Internet of Things—the ability of objects and devices to transfer data—is changing the way we use technology.” (About Us, 2014)

As connectivity expands beyond computers and handheld devices to include things like household appliances, home safety systems, and even the cars we drive, the need for security – and the degree of impact should that security fail – becomes increasingly obvious…and personal. “Securing the Internet of Things represents new challenges in terms of the type, scale and complexity of the technologies and services that are required. The Internet of Things means sensitive information, such as device operation details and personal data, transitions from moving within secure networks to moving between third parties. The risks of having information travel between externally controlled appliances, customers and sensory-based technology challenges traditional, layered-protection security management.” (Peter Sondergaard – Gartner, Inc, 2014)

What Are the Challenges?

Protecting a vast infrastructure that’s constantly growing and changing to meet the needs of users who are becoming ever more dependent upon it necessarily involves a certain degree of difficulty. Navigating this type of terrain comes with its own set of challenges.

1. There’s often no consistent or official software update process or mechanism.
Malware on a Windows machine eventually gets discovered, but Marc Maiffret, CTO at BeyondTrust, says there is little or no visibility into IoT devices. “Nobody has visibility into these devices or what is the authenticity of the firmware” if there’s an update to them.

Since many of these devices run on Linux-based platforms, he suggests that their software be managed by the open systems community, which can handle vulnerability and security updates. An IP camera or an SAN storage system, for instance, should have a regular Linux update mechanism. “They should be opened up so they are truly treated as Linux OS. Allow me to SSH into it securely” and manage it like any other Linux OS, he says.

Chris LaPoint, vice president of product management at SolarWinds, says he has three home IP cameras that aren’t running up-to-date firmware. It’s unclear if they contain vulnerabilities. “Even the setup instruction for a lot of these devices, and the configuration of security controls around them, and patching… How does that get managed?”

2. Many consumer product and other nontraditional IT vendors have little or no understanding of the cyberthreats embedded in their systems.
There’s a major disconnect between many of these embedded device manufacturers and the security community. Take the satellite terminal vendor community. Ruben Santamarta, a principal security consultant at IOActive, has found hardcoded passwords, backdoors, and insecure protocols in these devices that could allow attackers to hijack and disrupt communications links to ships, airplanes, and military operations.

3. There’s often a lack of accountability for device security.
For many consumer devices, “there isn’t a clear ownership on who owns the security,” LaPoint says. “Device manufacturers say, ‘We don’t know.’ They’ve hardly thought about it.”

Some just post firmware updates on their websites, and it’s up to the consumers or users to download and update the products. “Some come with obscure instructions, and that you have to do so with a USB cable,” for example, he says. “I don’t think the manufacturers are taking ownership” of securing their devices.

4. Many devices have been improperly configured or have purpose-built features that equate to security flaws.

Many of these devices run on the same network as IT systems. “How do these devices ultimately bridge to other things on my network?” LaPoint says. “If someone sees me in my underwear” via my webcam, that’s not ideal. “But if they are able to gather personal information about me or other systems on my network… What other things can you do?” (Higgins, 2014)

Regardless of the security challenges faced on a minute-by-minute basis, one thing is certain: the Internet of Things – with its ability to provide instantaneous information to a growing number of data-hungry users – is here to stay. Protecting that data and the people who traffic it will continue to be of paramount importance in the years to come.

Resources
About Us. (2014). Retrieved from StaySafeOnline.org: http://www.staysafeonline.org/ncsam/about
Higgins, K. J. (n.d.). 4 Hurdles To Securing The Internet Of Things. Retrieved from InformationWeek: http://www.darkreading.com/informationweek-home/4-hurdles-to-securing-the-internet-of-things/d/d-id/1306978
Peter Sondergaard – Gartner, Inc. (2014). Securing the Internet of Things. Retrieved from Forbes: http://www.forbes.com/sites/gartnergroup/2014/09/25/securing-the-internet-of-things/