October is Cybersecurity Awareness Month (CAM)

October is dedicated to educating everyone about online safety, protecting personal and business data, and sharing resources, tools, and training so that you can become aware of and familiar with the everyday risks of digital compromise and how cyber criminals behave. There is something new each week during this month for you to learn and share with others.

To avoid cyber-attacks, a little knowledge teamed with critical thinking skills can go a long way. To protect the confidentiality, integrity, and availability of information in today’s highly networked systems, companies should require that all individuals:

  • Understand their roles and responsibilities related to the organizational mission.
  • Understand the organization’s information technology security policy, procedures, and practices.
  • Have a good understanding and at least adequate knowledge of various tools to protect all data.
  • Understand the importance of reporting a suspected phishing attack, and that it is not enough to just ignore or delete it.

Some common types of cyber threats include: 

  • Ransomware: A widespread cyber threat where hackers encrypt files on a user's device and demand a ransom for decryption.
  • DDoS: A damaging and persistent cyber-attack that disrupts the normal traffic flow of a network or server.
  • Phishing: A type of attack that makes up over 90% of all data breaches, but users and organizations are often poorly trained to identify it.
  • Attacks on Internet of Things (IoT) Devices: Hackers can take over IoT devices, such as industrial sensors, to gain access to data or make them part of a DDoS attack.
  • Man-in-the-Middle (MITM) Attack: A sophisticated cyber-attack that can negatively impact the security of individuals and organizations.
  • Password Attacks: A crucial stage of system hacking that often exploits legal means to gain unauthorized access to a system.

Cybersecurity Awareness Month tries to impress upon users the importance of cyber security and the adverse consequences of its failure. Awareness reinforces knowledge already gained, but its goal is to produce security behaviors that are automatic. Our goal is to make “thinking security” a natural reflex for everyone at ATCC.

Weekly Activities

Cyber threats can have a significant impact on organizations and individuals, including:

  • Financial losses: Cyber threats can result in financial losses for organizations, such as the cost of ransoms, stolen funds, and recovering lost data.
  • Reputational damage: Cyber threats can damage an organization's reputation and lead to a loss of customers.
  • Theft of intellectual property: Cyber threats can lead to the theft of intellectual property, such as copyrights, trademarks, and patents.
  • Disruption of operations: Cyber threats can disrupt an organization's operations.

This week we introduce a mini video series produced by KnowBe4. Each week I will have 3 videos for you to watch. Please take the time to watch these videos and look for the red flags.

All the videos from KnowBe4 can be accessed until October 31st.

Let’s find out who Mark is.

“This year, we’re focusing on the educational original drama series “The Inside Man,” produced by our partners at KnowBe4. Through episodic videos and engaging scenarios, you’ll learn how to identify and thwart even the most sophisticated cyber-attacks, fortifying our organization’s overall security posture.

In the premiere of this educational cyber-thriller, hacker-for-hire Mark, code name “Romulus,” infiltrates a major tech company by scoring a job on their IT security team. Mark’s shadowy handler tasks him with tightening security while uncovering details about a huge merger deal. Even before his first day, he’s already gathered intelligence on his new colleagues through their overshared social media. Just when you think you know which side he is on, Mark gets caught attempting corporate espionage—but will that stop him from downloading massive troves of confidential data?”

Episode 1 Episode 2 Episode 3 Think Before You Click

Interactive Mini-Game: In this game, your users will learn how to differentiate between malicious links and legitimate ones. Then, you will use what you’ve learned to help your surfer make it safely to shore while dodging common website clones.

Your employees will learn:

  • How to tell a good site from bad
  • Tricks bad actors use to fool users
Mini-Game

Materials available through October 31st, 2024.
2024 KnowBe4, Inc.

Artificial intelligence (AI) is a game changer for individuals, businesses, and cybercriminals. Phishing emails have traditionally been the easiest way to compromise corporations. AI-powered impersonation techniques are now bypassing conventional defenses such as checking for bad spelling, logos, or suspicious email addresses. Continuous monitoring, which helps to quickly analyze user behaviors and device activities to detect anomalies and potential threats, is likely to play a key role. Addressing the risks that humans pose, along with continuous verification and sophisticated threat detection, is crucial. However, technology alone is not enough. Cultivating a culture of security awareness and vigilance among all employees is far more crucial. It starts and ends with you.

There are many good reasons to use artificial intelligence: it helps you save time, it can reduce human error, it can operate in areas or situations that are too risky for humans, and it can speed up and improve decision-making. We also need to be aware of the risks of using AI systems, such as:

  • Data privacy – Data collected from AI systems can leave your business or you as an individual vulnerable to attacks from hackers or malicious actors.
  • Algorithmic bias – AI systems are designed and built by humans, who inherently carry bias that can impact predictions and outcomes, especially as it relates to race, gender, or other socio-economic factors.
  • Compliance – As artificial intelligence is used more frequently and widely around the world, there are laws and regulations to comply with in customers' jurisdictions.
  • Cyberattacks – AI systems can launch attacks and cripple organizations faster today.
  • Manipulation – Artificial intelligence can manipulate humans, which may result in social, political, economic, and security implications.

Last week we introduced Mark in the mini-series The Inside Man. Hopefully you had a chance to watch the first three episodes. This week, we continue to watch Mark as he becomes part of the company. Let’s find out what happens with Mark.


Episode 4 Episode 5 Episode 6 QR Codes: Safe Scanning Understanding URLs


This week you will learn the importance of staying safe while working at home, traveling while working, and using mobile devices. Improving your security practices is the best defense against security threats.

  1. Make sure your device is up to date on its operating system and applications.
  2. Make sure your mobile apps are not asking for access to things on your phone that are irrelevant to their function.
  3. Password protect or lock your device when it is not being used – use a lock PIN or a biometric identifier such as facial recognition or a fingerprint.
  4. Keep work-related data separate from your personal data.
  5. When using public Wi-Fi, make sure to connect to your VPN before accessing sensitive data.
  6. Use strong passwords or passphrases (remember, passwords are like cheesecake: they are not meant to be shared, even with friends).

To guard data and protect against password exploitation, multi-factor authentication (MFA) is used as an extra layer of security. If one of the factors is stolen, the thief still doesn’t have the other factor and cannot access your account. If you receive a code on your mobile device that you did not trigger, DO NOT approve it.

As we get more used to more technology today, we must not forget about IoT devices (Internet of Things). While they add something special to your home, it is important to always:

  1. Patch and update those devices
  2. Unplug smart devices in your home office while working
  3. Talk to your employer about IoT use
  4. Change the factory-set password on those IoT devices


Episode 7 Episode 8 Episode 9 Mobile Device Security


This is week 4 in our series for the month of October.  We are here to assist you in using some critical thinking and tools to achieve awareness of what lurks in our work environment and our personal lives.

Phishing is a way that cybercriminals use email to trick you into giving them private and sensitive data or taking a dangerous action. The consequences of falling for a phishing email can be catastrophic to ATCC and/or you. Protect yourself and your organization by learning to watch for these signs:

  • Mysterious Messages: Did you expect an email with attachments or links? Always check the trusted source before opening an attachment or link.
  • Urgent Demands: Phishing emails often direct you to take immediate action. Your only immediate action should be STOP, LOOK, & THINK.
  • Sneaky Links: If an email requests you to log into a site from their link within the message, always go to the trusted site (a known legitimate address) first and log in that way.

All employees should understand today’s threat landscape and see that the threats out there are more common than you might think.

  • Don’t reply to the email.
  • Don’t click on suspicious links within the message.
  • If you’re unsure whether an email is spam or a phishing attack, report the message in the top right corner (see attachment from Minnesota State) or forward to the IT department at it@alextech.edu.

This is week 4 in our series for the month of October.  It is getting intense wondering what Mark is going to do. Have you been watching the Inside Man? Check out the last 3 episodes! We are here to assist you in using some critical thinking and tools to achieve awareness of what lurks in our work environment and our personal lives.

If you have any questions, feel free to reach out to the ATCC IT team.  Thanks, and have a cyber secure October!


Episode 10 Episode 11 Episode 12 AI, Phishing, and Cybersafety Safe Web Surfing Game

Stop!-Look!-Think


Hardware security is just as important as software security. Restarting or shutting down your computer daily improves performance. Computers need rest too. Turning off your computer can help reduce the risk of hardware damage to the CPU, fan, and other moving parts. It is also a way for the computer to reset the state of your software and applications and clear out your RAM (freeing up space for your computer to perform tasks). Key reasons why hardware security matters:

  • Windows Updates: Your computer needs essential security updates all the time. A computer that fails to shut down or restart often is vulnerable to cybersecurity attacks.
  • Power Surges: A sleeping computer (not shut down) exposes all components to higher heat levels, and they can burn out faster in a power surge than those in a computer that is completely shut down.
  • Extends Hardware Life: Components in your computer generate heat while in use. Shutting down your computer at the end of your workday allows your computer to fully cool down.

Shutting down your computer is an important cybersecurity practice as it reduces the risks of security threats, hardware damage, and data loss. Cybercriminals will try to exploit vulnerabilities in devices that are always on and connected to the internet.

  • Logging off or signing out: This does not fully shut down your computer and is still using processing power.
  • Closing your laptop lid: This does not fully shut down your computer either. Don’t put the laptop into a laptop bag unless you have shut it down properly, because the laptop can overheat.
  • Close all applications you have access to before shutting down your computer: Some programs take a while to disconnect after inactivity. While you are still connected, the data you have access to is vulnerable to a cyber-attack. This is especially true if you have devices such as credit card readers attached to your computer.

This is week 5 in our series for the month of October.  Have you been watching the Inside Man?  You can check out all the episodes below each week.  The Inside Man can be accessed through October 31st. We are here to assist you in using some critical thinking and tools to achieve awareness of what lurks in our work environment and our personal lives.

ActingFunny_Joni Leuthardt

SafeToSwear_Joni Leuthardt

Preparing_Joni Leuthardt


Infographic_Cyber Security

Cybersecurity Awareness Month 2024:

Cybersecurity Awareness Month (CAM): Recipe for Cybersecurity

Pair this module with the matching multiple quiz and other resources found in our Recipe for Cybersecurity toolkit.

Happy Cybersecurity Awareness Month!


Cyber Security FAQ

Malware can be classified into several different types of malicious software that can harm data, software, or even hardware. Here are a few common examples of malware.

  • A computer virus is a type of malware that propagates by inserting a copy of itself into and becoming part of another program. It spreads from one computer to another, leaving infections as it travels.
  • A trojan is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems.
  • A Bot is derived from the word "robot" and is an automated process that interacts with other network services. Bots often automate tasks and provide information or services that would otherwise be conducted by a human being.

Do people really get infected by these things?

On average, we have 3-5 employees each week who are affected/infected by malware.

Depending on the severity of the incident, these incidents may require mandatory reporting of a data breach which could cost the college a significant amount of money. At minimum, an infection involves loss of employee time and productivity. In many cases the computer must be quarantined, rebuilt or replaced, and there may be data loss. This can also impact you personally. If you do any personal finances on your work computer, your passwords may be stolen, or identity theft may occur.

  1. Do not open any email attachments that you are not expecting.
  2. Do not click on any links within email messages unless you are sure of their legitimacy.
  3. Pay attention to the website address when searching for information online and only go to websites that you are familiar with (look at the website address below the article title & make sure it is a reputable site).
  4. When in doubt of an email or website, contact the IT Department and we will check it for you.

Spam is unsolicited email from someone trying to sell you something. Phishing is a more extreme attempt to acquire sensitive and private information, which can result in the longer-term effect of identity theft.

It should be a red flag if you receive an email from a sender you don’t know and that you aren’t expecting. Be suspicious from that moment on. If the attachment has a generic name or has a double extension (e.g., document.docx.exe), it is highly likely to be an infected attachment. If there is a link in the message and it is shortened with bit.ly in the URL, it may be going to a bad website. If you hover over the link or link button and you see several % symbols in the URL, beware. Often, unsafe messages have misspelled words or use an unusual dialect (e.g., the word “kindly” is often used).
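The red flags described above, written out as a small Python check; this is an added example, not part of the original page. The extension and generic-name lists, the three-escape threshold for "several % symbols", and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Illustrative lists (assumptions); only bit.ly, the double extension,
# the "%" symbols and the word "kindly" come from the page.
EXECUTABLE_EXTS = {"exe", "scr", "bat", "cmd", "com", "js", "vbs"}
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg", "png"}
GENERIC_STEMS = {"document", "invoice", "scan", "file", "attachment"}
SHORTENER_HOSTS = {"bit.ly"}
PERCENT_THRESHOLD = 3  # "several % symbols" read as three or more (assumption)

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")


def has_double_extension(filename):
    """True for names like document.docx.exe: a document extension hiding an executable one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS


def has_generic_name(filename):
    """True when the part before the first dot is a generic word such as 'document'."""
    return filename.lower().split(".")[0] in GENERIC_STEMS


def is_shortened(url):
    """True when the link's host is a known URL shortener."""
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host in SHORTENER_HOSTS


def red_flags(body, attachments=()):
    """Return (flag, detail) pairs for each warning sign found in a message."""
    flags = []
    for name in attachments:
        if has_double_extension(name):
            flags.append(("double-extension", name))
        if has_generic_name(name):
            flags.append(("generic-attachment-name", name))
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;")  # drop sentence punctuation stuck to the link
        if is_shortened(url):
            flags.append(("shortened-link", url))
        if len(ESCAPE_RE.findall(url)) >= PERCENT_THRESHOLD:
            flags.append(("percent-encoded-link", url))
    if re.search(r"\bkindly\b", body, re.IGNORECASE):
        flags.append(("unusual-wording", "kindly"))
    return flags


# Constructed sample message (not a real email).
SAMPLE_BODY = (
    "Kindly review the attached file before noon.\n"
    "Sign in here: http://bit.ly/EXAMPLE1\n"
    "Backup link: http://portal.example.test/login%2Ephp%3Fuser%3Dyou%26next%3D%2F\n"
)
SAMPLE_ATTACHMENTS = ["document.docx.exe", "meeting-notes.pdf"]

if __name__ == "__main__":
    for flag, detail in red_flags(SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print(f"{flag}: {detail}")
```

A match is a reason to report the message for review, not proof that it is malicious; legitimate mail can contain shortened or percent-encoded links.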

Here are some recommended tips to follow:

  • Make sure you spell all words correctly. The number one thing that hackers count on is you misspelling words. They rely on this to manipulate you or direct you to websites that may also be infected with several tools to hack you. Check the spelling in the URL (website address).
  • When “Googling” for information, pay attention to the website address and only click on the links to reputable sites. If it looks fishy, it probably is phishy. For example, if you search for Alexandria Technical & Community College, look at the website address below the site title and make sure the address is something you are familiar with, like alextech.edu, minnstate.edu, or facebook.com (and spelled correctly).
  • The first defense is common sense. If a strange website is asking to run software on your computer, close out of the website by pressing CTRL+ALT+DEL and choosing the “Task Manager” option. Find the browser (Chrome, Edge, Internet Explorer) that you have open in the “Processes” tab and choose “End Task” immediately. Contact the IT department for further information.

Yes, your computer is still at risk. Anti-virus or anti-malware applications are not 100% foolproof and the hacker relies on you to fall for their attacks to acquire your information or data. However, any anti-virus software is better than none at all.

The first thing you should do is remove the app and see if the bizarre issues stopped. If you have an anti-virus installed, run a full scan. If you decide to install an anti-virus app on your mobile device, read the reviews and know what you are installing. Hackers often disguise their malware within these types of apps.

You should NEVER use the same passwords for all your different logins (e.g., use a different password for your bank than you use for your social media and email). Using the same password allows a hacker to easily gain access to several of your accounts if they obtain one of your passwords. It is also a best practice to change passwords every 90-180 days. MinnState requires you to change your StarID password every 180 days (6 months). Never give out your password to anyone, and never log into a computer with your credentials and let someone else use it. Many companies have policies against sharing passwords, including Minnesota State (see 5.22.1 Computers and Information Technology Resources Acceptable Use).

A passphrase is considered to be easier to remember than a password. A password generally is restricted to between 4 and 16 characters, whereas a passphrase can be much longer. For some, a passphrase is less stressful to remember yet much harder for a hacker to guess. Not all environments support passphrases, because passphrases contain spaces, but most current operating systems do. A password “bLuC@r1987” is easier for a hacker to guess than “My first Blue Car was a 1987 Ford.”

Security questions will add a layer of security to your accounts. An ideal security question is something that only you know. Some users choose a security question answer that does not relate to the question. For example, “The Sound of Music” in response to “Your mother’s maiden name?” This can increase security, but you need to be careful to remember the answer. Although you may find it inconvenient to create and remember these security questions, it is very important. Having this second level of authentication is an excellent way to prevent unauthorized logins. Each time you log in from a new device, you will be asked one of the security questions.

If you enjoy having someone steal your identity, rob your bank account, hold your data for ransom, or intercept your tax returns, then clicking that “Remember Me” option is the perfect way to make a happy hacker! NEVER let a website remember your username and password. We have so many passwords today that it is hard to remember them all. Using a spreadsheet, notebook, the back of your family photo in your wallet, or a sticky note under your keyboard is a risky way to invite someone to easily acquire your private information. It’s no different than dangling your car/house keys in the middle of a crowd for anyone to grab, or keeping your car title in the glove compartment of your car. There are apps out there that help you keep track of your account information and have layers of security. One of the applications that the ATCC IT Department supports is called KeePass. For more information about using KeePass to secure your passwords, contact us.