Security Topics

Information security is an ever-evolving field. In an effort to combat security threats and disperse accurate, up-to-date information, we have compiled a list of glossary terms with which everyone needs to be familiar.

For more information on any of these topics, please get in touch with the information security team.

Phishing

If you’ve been on the internet for very long, you have probably heard the term ‘phishing.’ Phishing has always been a problem for users of the internet. One of the most well-known phishing scams, the Nigerian prince scam, first showed up around 1921, believe it or not, in the form of a fraudulent letter.

It may seem like phishing is easy to spot and ignore, but it continues to be a huge issue in the information security community. According to Infosecurity Magazine, phishing was found to be the most effective mode of hacking in 2017, with 90 to 95 percent of all successful attacks taking this form. Forbes reported that researchers found an average loss of $500 million per year due to phishing between 2013 and 2016.

Another type of phishing scheme is the business email compromise (BEC), otherwise known as spear phishing (we love our extended metaphors). This is a more targeted form of phishing (think: one sharp spear, instead of a fishing net) that goes after personnel who have access to important files like social security numbers, account routing information, or W-2 forms. As you may imagine, this form of phishing is infinitely more dangerous, especially if the hackers successfully impersonate an executive with more power. In 2016 alone, BEC scams were responsible for a combined loss of $5.3 billion, a significant jump from 2015's numbers of $3.1 billion.

In other words: We need to stay vigilant.

Here at Miami University, we have seen plenty of examples of phishing come through. Often, these kinds of emails will be sent from a non-Miami account and will contain one or more grammatical errors. Here is a checklist of steps you can take to determine whether or not the fishy email you just got is, indeed, ‘phishy’:

  • Who is the email from? If the signature indicates that the message was sent by someone at Miami, but the address in the actual “From” field is not an @miamioh.edu address, that’s suspect.
  • What does the email want me to do? If someone is asking you to provide personal details, such as Social Security numbers or bank account routing information, chances are it’s a scam. That goes double if it’s the University president requesting this data. We promise, President Crawford will never (ever) ask for your SSN via email (or otherwise, for that matter).
  • Check the grammar. Oftentimes, these emails are written poorly, riddled with typos and grammatical snafus.

If you’re still not sure, contact someone on the InfoSec team and we’ll help you out.
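The first two checklist questions can also be applied automatically to a raw message. The sketch below is an added example, not a Miami University tool: the phrase lists, the function names, the treatment of subdomains as trusted, and the three sample messages (constructed, single-part plain text) are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "miamioh.edu"  # the domain named in the checklist
# Assumed phrase lists: a claimed Miami identity, and the data the checklist names.
CLAIMS_MIAMI = re.compile(r"miami|president crawford", re.I)
ASKS_SENSITIVE = re.compile(
    r"social security|\bssn\b|routing|bank account|\bw-?2\b", re.I)

def sender_domain(msg):
    """Domain of the address in the From header, ignoring the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def is_trusted(domain):
    # Exact match or a true subdomain; "miamioh.edu.example.net" must not pass.
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)

def triage(raw):
    """Return the checklist findings for one raw message (empty list = none)."""
    msg = message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    findings = []
    claimed = CLAIMS_MIAMI.search(display + "\n" + body)
    if claimed and not is_trusted(sender_domain(msg)):
        findings.append("claims Miami identity but From is not @miamioh.edu")
    if ASKS_SENSITIVE.search(body):
        findings.append("asks for sensitive personal or financial data")
    return findings

# Constructed sample messages (example.net is a reserved documentation domain).
SPOOFED = """\
From: "President Crawford" <office.president@example.net>
Subject: Urgent request

Please reply with your SSN and bank account routing details today.
"""
LOOKALIKE = """\
From: IT Help <helpdesk@miamioh.edu.example.net>
Subject: Mailbox full

Your Miami mailbox is almost full. Reply to keep your messages.
"""
LEGIT = """\
From: Information Security <InfoSec@MiamiOH.edu>
Subject: Reminder

The VPN client instructions are in the Knowledge Base.
"""
```

A matching From domain is not proof of origin, because the header itself can be forged; the function only automates the first two questions of the checklist.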

Social engineering

Sometimes, hackers can get a little sneaky. Social engineering is when malicious actors forgo the use of complicated hacking techniques in favor of their own wits. So instead of using computing tools and technologies, they utilize psychological manipulation in order to get users (you!) to divulge personal information. Phishing is actually a form of social engineering.

Social engineering has been a wildly successful way to weasel money out of unsuspecting users. In fact, it is being used in more than two-thirds of hacking activities, according to numbers compiled by Social-Engineer.Org. And as more avenues of attack open up, humans have become the number-one target for hackers, displacing machines in the top spot.

Here are a couple of examples of social engineering to become acquainted with.

Example 1: This is how hackers hack you using social engineering

In this video, a journalist has his cell phone account hacked during a demonstration at the DEF CON hacking conference. In a little under two minutes, the woman performing the hack learns his personal email address, adds herself to his account, and changes the password. This is a stark example of just how easy it might be to trick telephone operators into giving your personal information away.

Example 2: CEO scam

This humorous video illustrates the craftiness of those malicious actors with a skit. Even though this video sets up a seemingly ridiculous and tongue-in-cheek premise of a hacker calling from his mom’s kitchen, the lesson behind it is real: Even if callers identify themselves as someone in a position of power, they could be trying to pull the wool over your eyes.

The best way to avoid the dangers of social engineering is to stay vigilant! If you experience anything suspicious (for instance, if you get an email from President Crawford asking for your bank account information), please contact InfoSec@MiamiOH.edu right away.

Ransomware

Ransomware is an important concept to understand within the information security field. This is a kind of malware that keeps users from accessing their systems by locking either the screen or files. A specialized kind of this family of malware is called ‘crypto-ransomware,’ in which the malicious program encrypts all of the user’s files, making it even more difficult to recover the data. These programs get their name from the fact that they hold data for ransom, asking for varying amounts of money in order to get the data unlocked.

Ransomware is a real threat. Research firm Cybersecurity Ventures predicted that in 2017, losses due to ransomware would skyrocket to more than $5 billion, up from $325 million in 2015. This exorbitant amount includes the costs incurred from lost productivity, lost files, and damage to reputation, among others.

To protect against ransomware, there are a few things you can do:

  1. Back up your data.
  2. Update your computer’s software.
  3. Be suspicious of links sent to you in emails or social media messages, even if they appear to come from trusted friends.

If you suspect your computer has been compromised, immediately disconnect from the wireless network in order to prevent a possible infection from spreading.

VPN

In order to access Miami University files and programs from a location off campus, you have to use what is called a ‘Virtual Private Network.’ This is essentially an added layer of protection on our proprietary data, keeping Miami information safe from anything malicious that may be lurking on outside networks.

When you sign in with your computer or mobile device, the VPN encrypts all data sent from your computer to Miami, meaning that even if a hacker were to intercept the information, it would not be easily decoded. This comes in handy when you need to do some quick work from home or access a file (such as your W-2) from another device.

For more information about VPN, visit the Knowledge Base.

To learn about how to get the VPN client for your devices, read our helpful article in the August 2017 Tech Talk newsletter.

Password strength

Your MUnet password is used to log in to services like myMiami, Canvas, BannerWeb, Miami Directory, and email. We require that you change your password once every 180 or 365 days, depending on the complexity/strength of the password you choose. Essentially, the stronger the password, the more complex it is: for example, using letters, numbers, and special characters makes it harder for potential malicious actors to guess your password.

The full policy regarding how often, why, and when you change your password can be found in the Knowledge Base.

Check out our article on password security for some password dos and don’ts to ensure you’re making the best logins possible.

Two-factor authentication

This is an important concept when it comes to password strength. Two-factor authentication puts up another wall between your private information and would-be attackers. It requires users to fulfill a second step in order to log in to their accounts. Often, the service asks for a PIN or a temporary passcode that can be retrieved via an app or text message.

For more information about two-factor authentication, including how to enable it, how to manage your two-factor settings, and other topics, please see the overview in our Knowledge Base.

What are we doing to improve information security at Miami University? Visit our Security Enhancements page to learn more about one of our Top IT Initiatives.