The IT department at the North-West University (NWU) recently launched a series of online training sessions for staff and students at the university. Themes included mobile cyber security, remote working and cyber security, and phishing.
Each forty-five-minute session included a quiz at both the start and the end. We were delighted to see considerable improvement in attendees' results between the quiz before and the quiz after each session. Cyber-security experts and IT trainers (Marco Pires, Frans Roodt and Edward Jantjie) presented the training.
Attendees had the opportunity to ask questions at the end of the presentations or mail their questions to the presenter afterwards. To access the training video material, go to http://services.nwu.ac.za/information-technology/cyber-security-videos.
For November 2020, IT continues its cyber-security awareness efforts by offering an advanced phishing-awareness course compiled by Khipu, which is available to NWU staff. Staff members can find their individualised links to the training on the NWU intranet at https://intranet.nwu.ac.za/cyber-security-phishing. Topics covered in the training material include “What is a social engineering attack?”, “What to look for”, and “Cyber squatting and typo squatting”, to name only a few. The training material also includes games, which make the whole learning experience a lot more fun and interactive. We strongly encourage NWU staff to take some time during November to do the training.
Cyber security is critical because it covers everything that concerns the protection of our sensitive data. Security breaches not only affect you as an individual (by causing data and financial losses); they also have the potential to harm the university. Aside from the economic cost of a breach, it can also cause reputational damage and loss of customer and stakeholder trust. In addition to the direct impact on the NWU, the amount of work that goes into recovering whole environments and restoring what was damaged is immense. In extreme cases a breach can even endanger people physically, for example when power grids or access-control systems are compromised.
Mobile security involves measures to protect portable devices such as smartphones, laptops and tablets from threats and vulnerabilities. Mobile devices offer a vast number of communication options: Wi-Fi, Bluetooth, cellular service and near-field communication (NFC), to mention a few. Each of these provides an avenue for a potential attack. Public Wi-Fi is notoriously hazardous, so using a VPN (virtual private network) for any internet access makes sense. VPNs work by encrypting the device's traffic as it crosses the network. Another familiar risk with mobile devices is theft or loss of the device. So, when choosing a device and – more importantly – the cloud security solution, the ability to track, trace and wipe the device remotely is an essential element of mobile security, on top of the normal malware protection.
The Covid-19 lockdown earlier in 2020 initiated a change from the traditional working-at-the-office model towards working remotely. However, working remotely introduces cyber-security risks, since home network setups are often less secure. Frans Roodt went into great depth during his training session (https://youtu.be/Iph6_OGRu_0) on what to consider when setting up your home router, and on other potential weak points such as WPS, which should be disabled. As with mobile security, the use of a VPN is highly advisable when working remotely. Choosing strong passwords and not reusing the same passwords across websites, applications and network access are imperative. If you have the option to use multi-factor authentication, you are strongly advised to make use of it. Multi-factor authentication, sometimes also referred to as two-factor or dual-factor authentication or two-step verification, requires at least two distinct forms of identification. This means you use multiple different channels to prove your identity: for example, you log in with your password and must also enter a code sent to your cell phone or generated by a verified authenticator app, and it might include the use of biometrics.
Social engineering involves someone being manipulated or tricked into providing their credentials, whether knowingly or not. The human component is the weakest link: no matter how extraordinary your security measures are or how difficult it is to hack your system, if the right person gives their credentials to the wrong person the result can be catastrophic. These fraudsters are cleverly disguised or create a false sense of security and authority, giving the impression that they are reliable and trustworthy. No matter who the entity seems to be, always ask for identification and double-check facts – do not just assume they are who they say they are. Many of these attacks rely on people’s willingness to share information.
Phishing is a cyber attack notorious for using social engineering, and is one of the most widely used angles when cyber criminals attempt to gain access to your information. In this type of attack a target is contacted by email, telephone or text message by someone posing as a legitimate organisation or individual to lure victims into providing sensitive data such as passwords, banking and credit card details and personally identifiable information. On an individual level, giving credit card details in a phishing scam could lead to financial losses for someone, while on an organisational level providing a network password in a phishing attempt could compromise the security of the entire organisation’s network and data.
Shoulder surfing is another type of social engineering in which a person hovers nearby and looks over your shoulder as you log in at your desktop or an ATM, and so gains access to your account. It may be a stranger washing windows, a courier or even a colleague whom you think is trustworthy. Therefore, be cautious when logging in anywhere and ensure no one can view your credentials as you type. Your credentials are your own – never provide them over the phone or simply because someone asks you to.
Tips to stay safe while working online:
- Choose strong password phrases (e.g. ThisIsMyG@@gl3Passwrd – the longer the phrase, the more secure you are).
- Consider using multi-factor authentication (MFA) where available.
- Avoid using public Wi-Fi – any insecure Wi-Fi network is a potential risk.
- Ensure you can spot phishing emails:
  - If you are unsure about the legitimacy of an email, delete it and ask the sender to resend. It takes five minutes to resend an email and days to repair the damage from a compromise.
  - Watch out for phishing emails that look like they are from colleagues or contacts.
  - Emails containing links can be very dangerous. Copy the link, paste it into a Word document and check that it really does go to the correct and intended website.
- Check that your home router is secure with decent encryption standards, and WPS is disabled.
- Connect to the office via a VPN.
- When you work on a mobile device, ensure nobody is shoulder surfing or hovering around. When in a tight space, think about using a screen filter so only the person directly in front of the screen can see, and to the rest it seems blank.
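The tip about copying a link out of an email and checking where it really goes, together with the "typo squatting" topic from the Khipu course, can be turned into a small check that runs over an email body. The script below is an added example written for this article; it is not part of the NWU or Khipu training material. The list of trusted domains and the sample email in it are constructed for illustration only. It extracts every link from an HTML message, compares the address shown to the reader with the address the link actually points to, and flags hosts that are one or two typing errors away from a trusted domain, or that are raw IP addresses.

```python
"""Flag suspicious links in an email body (added example, constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed list of domains the reader expects university mail links to use.
TRUSTED_DOMAINS = {"nwu.ac.za", "intranet.nwu.ac.za", "services.nwu.ac.za"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def hostname(url):
    """Lower-cased host of a URL, or '' if the URL has no usable host."""
    return (urlsplit(url).hostname or "").lower()


def registrable(host):
    """Approximate registrable domain: last two labels, or three for
    second-level ccTLD registries such as ac.za / co.za."""
    parts = host.split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in {"ac", "co", "org", "gov"}:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def edit_distance(a, b):
    """Levenshtein distance; used to spot typosquats of trusted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def displayed_host(text):
    """Host named in the visible link text, if that text looks like a URL or domain."""
    if "." not in text or " " in text:
        return ""
    return hostname(text if "://" in text else "http://" + text)


def assess_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link is suspicious; an empty list means no finding."""
    reasons = []
    host = hostname(href)
    if not host:
        return ["href has no usable hostname"]
    if host.replace(".", "").isdigit():
        reasons.append("link points at a raw IP address")
    reg = registrable(host)
    trusted_reg = {registrable(t) for t in trusted}
    if reg not in trusted_reg:
        for good in trusted_reg:
            if 0 < edit_distance(reg, good) <= 2:
                reasons.append(f"host {host!r} looks like a typosquat of {good!r}")
                break
    shown = displayed_host(text)
    if shown and registrable(shown) != reg:
        reasons.append(f"displayed {shown!r} but link goes to {host!r}")
    return reasons


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Map each href in the message to its list of findings."""
    return {href: assess_link(href, text, trusted) for href, text in extract_links(html)}


# Constructed sample message; the hosts here are invented, not real phishing sites.
SAMPLE = """
<p>Policy: <a href="https://intranet.nwu.ac.za/cyber-security-phishing">intranet.nwu.ac.za</a></p>
<p>Update now: <a href="http://nwu.ac.za.login-check.example/reset">https://intranet.nwu.ac.za/reset</a></p>
<p>Billing: <a href="http://nvvu.ac.za/pay">click here</a></p>
<p>Docs: <a href="http://192.0.2.10/doc">document</a></p>
"""

if __name__ == "__main__":
    for link, findings in scan_email(SAMPLE).items():
        print("WARN" if findings else "OK  ", link, "; ".join(findings))
```

The registrable-domain helper is deliberately crude (a real deployment would use the public suffix list), and an edit distance of two will produce some false positives on short domains; the point is that the visible text of a link proves nothing about its destination, which is exactly why the tip says to inspect the actual address.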