Information Security Hub
The Roger Williams University Information Security Hub provides resources to protect personal and university data from cybersecurity threats, including tips on password safety, phishing, and mobile security.
Information Security is everyone’s responsibility. The Roger Williams University Information Technology Department wants to make sure our community has the tools, information, and resources we need in order to combat the growing cybersecurity threats we face. At the RWU Information Security Hub website, you’ll find useful content on how to protect your personal information, assets, and University data as well as important information on the latest security issues.
Six Things You Can Do To Keep Your Online Accounts Safe
- Protect your password
  - Don't use the same password for multiple sites online.
  - Never share your password. You should be the only one who knows it.
  - Avoid including your name or common words. Your password should be difficult to guess.
- Use extra security features offered by the site, such as two-factor or two-step authentication.
- Make sure your email account(s) are secure.
- Log out of your accounts (e.g. Facebook, Gmail) when you use a computer you share with other people.
- Run anti-virus software on your computer.
- Review RWU's Cybersecurity Training Portal, which includes tools to identify and evade common cyber threats.
What is phishing?
Phishing is an attack that uses email or a messaging service to trick you into taking an action such as clicking on a malicious link, opening an infected attachment, or responding to a scam. The message is crafted to look like it came from someone or something you know.
Spear Phishing
Unlike a generic phishing message, spear phishing emails are customized for the intended recipient. Individuals are more likely to fall victim to these attacks due to their personalized nature.
Common clues that a message is a phishing attack:
- The email appears to be from an RWU source but the subject field contains [EXT] when checking university email. This signifies that an email was sent from a source external to RWU.
- The email appears to come from a legitimate organization but the "From" address is from a personal email such as @gmail.com.
- The message comes from an official email but has a "Reply to" address going to a personal email.
- There is a sense of urgency or it requires "immediate action" before something bad happens.
- Something looks too good to be true.
- Contains a generic salutation such as "Dear Customer".
- The email requests sensitive information such as credit card numbers, passwords, or other information that a legitimate sender should already know.
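The clues above can also be checked mechanically by a mail filter or a triage script. The following is an added example, not RWU's own tooling: the list of personal email domains and the keyword patterns are assumptions chosen for illustration, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; tune them for your own mail environment.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
OFFICIAL_NAME = re.compile(r"rwu|roger williams|help desk|it security", re.I)
URGENCY = re.compile(r"immediate action|urgent|will expire", re.I)
GENERIC = re.compile(r"^\s*dear (customer|user)\b", re.I | re.M)
SENSITIVE = re.compile(r"password|credit card", re.I)

def _domain(header_value):
    """Lower-cased domain of an address header, or '' when the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def phishing_clues(raw_message):
    """Return the clues from the list above that match one plain-text message."""
    msg = message_from_string(raw_message)
    display = parseaddr(msg.get("From", ""))[0]
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    official = bool(OFFICIAL_NAME.search(display))
    checks = [
        ("external [EXT] tag on an RWU-looking sender", "[EXT]" in subject and official),
        ("official name with a personal From address", official and from_dom in PERSONAL_DOMAINS),
        ("Reply-To redirects to a personal address",
         reply_dom in PERSONAL_DOMAINS and from_dom not in PERSONAL_DOMAINS),
        ("urgency", bool(URGENCY.search(subject + "\n" + body))),
        ("generic salutation", bool(GENERIC.search(body))),
        ("asks for sensitive information", bool(SENSITIVE.search(body))),
    ]
    return [name for name, hit in checks if hit]

# Constructed sample message (not a real email).
SAMPLE = """\
From: RWU Help Desk <helpdesk.notice@gmail.com>
To: student@rwu.edu
Subject: [EXT] Your email account will expire in 48 hours

Dear Customer,

Immediate action is required. Reply with your password to keep your account.
"""

if __name__ == "__main__":
    for clue in phishing_clues(SAMPLE):
        print("clue:", clue)
```

A message that matches none of the checks is not proven safe; the checks only surface the visible clues listed above.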
What should I do if I receive a suspicious email?
- Do not click on any links or download any attachments.
- Contact the company or sender through other means (e.g. by phone or through their website).
- Submit the email to MediaTech by forwarding the message to spam@rwu.edu.
What is SPAM?
SPAM is electronic junk mail. The term refers to email that is unsolicited, sent in bulk form, and unwanted.
What is phishing?
Phishing scams involve defrauding email recipients by acting as legitimate companies or organizations to obtain sensitive information (such as passwords or financial information).
What do SPAM and phishing emails look like?
Here are some examples received by RWU community members:
- Board Policy Professional Standards for All Roger Williams University Employees
- FW: Roger Williams University Communication Update
- Auto Default Password Reset
- "Elsevier: Materials Today Proceedings" Conference
- RE: ITS
- Webmail Upgrade
- Re: Account Re-Activation
- iii
- FW: Validation
- An Opportunity
- To All Faulty\Staff
- your job
- Roger Williams University 124
- Shoe Size Survey
- Property Sales Agreement
- From RWU Help Desk
- Help Desk
- IT Security-Change Your Password
- University Notice
- RE: School Calendar
- (RWU Staff Member's Name Here) has shared an important file with you
- You have received a new fax
- R.W.University HR!
- Your invoice 885754 is available for review!
- Alert#1913
- ....has shared a document on Google Docs with you
- Click here to view the bulletin sent by IT to the RWU community about this phishing email
- Roger Williams University
- Your Microsoft Email Account @rwu.edu Will Expire in 48 Hours
- Hi (YOUR NAME HERE)
Where can I get more information?
- Students: The National Cyber Security Alliance site has additional information regarding SPAM and Phishing, along with other cybersecurity topics.
- Faculty and Staff: RWU Information Security Awareness Training Portal
Sharing Data with 3rd Party Agencies
RWU is committed to protecting the personal information of the university community. In certain business practices, RWU benefits from sharing sensitive data with outside vendors. Payroll processing is one example. Although these partnerships are needed, they can lead to unauthorized data exposure. To help mitigate this risk, the University’s Written Information Security Program notes a safeguard measure (Safeguards, section 5) that evaluates a vendor’s security posture. This evaluation is summarized by a questionnaire that captures how our business partners will secure the data shared with them. A completed questionnaire is required for all 3rd party service contracts that share restricted university data.
Personalized Scams
Personalized scams are customized for the intended recipient. Attackers are able to easily obtain databases of people's names, passwords, or other details due to the vast number of websites that have already been hacked. Attackers can use this information to trick people into thinking that they have hacked into their system by crafting an email with some personal details about the victim. They then use fear and extortion to try to force the victim into paying them money. The key to remember is that in almost every situation your system was never hacked in the first place.
Clues to look for:
- Be suspicious if you receive a highly urgent email, message, or phone call. Attackers want to rush you into making a mistake.
- Payment is demanded in Bitcoin, gift cards, or other untraceable methods.
- If the email looks suspicious, search online to see if anyone has reported a similar attack.
Phone Call Attacks
Attackers use phone calls to try to trick people into doing what they want by creating situations that seem very urgent, so that victims rush into making a mistake. Common situations are: pretending to be from a government tax department saying you have unpaid taxes, or pretending to be from Microsoft tech support and telling the victim that their computer is infected.
Things to keep in mind:
- Be suspicious anytime someone calls you and creates a sense of urgency.
- If you think that the call is an attack, hang up. Call the organization directly yourself to verify if the call was legitimate.
- Never trust Caller ID. Phone numbers can be spoofed to look like they come from legitimate organizations.
- Never allow a caller to take temporary control of your computer or trick you into downloading software.
- If a call is not from someone you know, let it go to voicemail. Let the caller leave a message and review calls on your own time.
Smishing / Messaging Attacks
In a smishing or messaging attack, the attacker uses SMS, texting, or messaging to reach out to their victim to try to trick them into taking an action that they should not take. These types of attacks feel more informal than email, making it more likely that someone will fall for them.
Clues of an attack:
- Be suspicious of a message that creates a sense of urgency.
- The message sounds too good to be true.
- The message appears to come from someone you know but the wording does not seem like them.
- The message asks for sensitive information that they should already have access to.
Malware / Ransomware
Malware is software used to perform malicious actions such as spying on online activity, stealing passwords or files, or using your system to attack others. Malware can infect any device, from Mac computers and smartphones to DVRs and security cameras.
Ransomware is a special type of malware that encrypts files, making them inaccessible. Attackers then require that you pay them a ransom, usually in digital currency such as Bitcoin, before they will decrypt your files. Paying the ransom does not guarantee, though, that you will be able to recover your files. The attackers may not provide a decryption method, something could go wrong with the decryption process, or they may infect your computer with additional malware.
Steps you can take to protect yourself:
- Keep your computer and devices up-to-date and enable automatic updating whenever possible.
- Install trusted anti-virus software.
- Only download and install programs and apps from trusted online stores.
- Be suspicious of messages that create a sense of urgency or seem too good to be true.
- Regularly back up your system and files to cloud-based services or to offline backups, such as a disconnected hard drive.
Mobile devices have become an important part of daily life, both as a means to communicate with others and for other uses such as online banking. The biggest threat to your mobile device is you. It is much more likely that you will lose or forget a mobile device than it is for it to be hacked.
Tips for securing your device:
- Enable the screen lock and require a passcode or fingerprint to unlock it.
- Enable automatic updating. Devices running the most recent version of their operating system and apps are harder to hack.
- Install or enable tracking abilities so that you can track your device over the internet. This makes it possible to locate it and may allow you to remotely wipe all of your information off the device if needed.
- Only download apps from trusted sources such as the Apple App Store or Google Play Store. Apps from other sites are more likely to be infected. Delete apps that you no longer use.
When you are ready to dispose of or donate your device, you should securely wipe it, which erases all the data on the device. The easiest method is to perform a factory reset on your device. Additionally, you should remove the SIM card and physically destroy it, as it retains information about your account. If you have an employer-issued device, check with your supervisor about proper disposal procedures.
Passwords / Passphrases
Strong passwords are essential to safeguard your personal information. Once a cybercriminal has your password, they may be able to access your bank account, read your email, or worse. Traditional passwords can be complex, hard to remember, and confusing. It is now recommended to use a passphrase instead. A passphrase is a series of random words (Green-Luck-Easily) or a sentence (Time for Coffee!). Passphrases are easier to remember but harder for attackers to hack. They are strong because they use capital letters and symbols. To make them even stronger, letters can be replaced with symbols such as using the @ symbol in place of the letter 'a'.
Tips for using passphrases:
- Use a different passphrase for each device and account. Consider using a password manager program that securely stores your passphrases for you.
- Never share your passphrase with anyone. The only exception would be to share it with a trusted family member in case of an emergency.
- Do not use public computers to log in to accounts. The computer may have a virus or malware on it either by accident or on purpose.
- Use two-factor authentication whenever possible. This is where something like a passcode sent to your smartphone is needed in addition to your passphrase in order to log in to your account.
- Use a PIN, passphrase, or biometric (fingerprint) method to protect mobile devices.
- Close, delete, or disable accounts you no longer use.
Multi-Factor Authentication (MFA / 2-Factor Authentication)
RWU uses a high-security email login procedure known as 2-factor authentication in an effort to prevent password compromise and improve account security. With this procedure you will need to set up a phone number to authenticate your account. The easiest and most flexible option is to use a cell phone, which can provide authentication through a specific authenticator app, through text message, or through a voice call. Alternatively, you can set up a landline phone (office, home, or other) as a method of authentication. However, if a landline is used, you will need to be at that location when you are authenticating your account.
Contact the MediaTech help desk at https://mediatech.rwu.edu or mediatech@rwu.edu if you have any questions or need help setting up 2-factor authentication.
SOCIAL MEDIA CYBERSECURITY
Now more than ever, consumers spend increasing amounts of time on the internet. With every social media account you sign up for, every picture you post, and status you update, you are sharing information about yourself with the world. How can you be proactive and “Do Your Part. #BeCyberSmart”? Take these simple steps to connect with confidence and safely navigate the social media world.
DID YOU KNOW?
- In 2021, 4.48 billion people are now using social media worldwide. That’s an increase of more than 13% from 2020. Put another way: almost 57% of the total world population is using social networks.
- Digital consumers spend nearly 2.5 hours on social networks and social messaging every day.
SIMPLE TIPS
- If You Connect IT, Protect IT. Whether it’s your computer, smartphone, game device, or other network devices, the best defense against viruses and malware is to update to the latest security software, web browser, and operating systems. Sign up for automatic updates, if you can, and protect your devices with anti-virus software.
- Never click and tell. Limit what information you post on social media—from personal addresses to where you like to grab coffee. What many people don’t realize is that these seemingly random details are all that criminals need to know to target you, your loved ones, and your physical belongings—online and in the real world. Keep social security numbers, account numbers, and passwords private, as well as specific information about yourself, such as your full name, address, birthday, and even vacation plans. Disable location services that allow anyone to see where you are—and where you aren’t—at any given time.
- Speak up if you’re uncomfortable. If a friend posts something about you that makes you uncomfortable or you think is inappropriate, let them know. Likewise, stay open-minded if a friend approaches you because something you’ve posted makes them uncomfortable. People have different tolerances for how much the world knows about them, and it is important to respect those differences. Don’t hesitate to report any instance of cyberbullying you see.
- Report suspicious or harassing activity. Work with your social media platform to report and possibly block harassing users. Report an incident if you’ve been a victim of cybercrime. Local and national authorities are ready to help you.
- Remember, there is no ‘delete’ button on the internet. Share with care, because even if you delete a post or picture from your profile seconds after posting it, chances are someone still saw it.
- Update your privacy settings. Set the privacy and security settings to your comfort level for information sharing. Disable geotagging, which allows anyone to see where you are—and where you aren’t—at any given time.
- Connect only with people you trust. While some social networks might seem safer for connecting because of the limited personal information shared through them, keep your connections to people you know and trust.
RESOURCES
- Kemp, Simon. “Half a Billion Users Joined Social in the Last Year” Hootsuite Jul. 22, 2021. https://blog.hootsuite.com/simon-kemp-social-media/
- Yik Yak: How can students be safe while using Yik Yak?
- TikTok: 4 ways TikTok is dangerous to Personal Privacy and Security
- Instagram: What are the dangers of Instagram?