Secure the Swamp Online Scavenger Hunt

October 2021 marks the 18th year of Cybersecurity Awareness Month. With the increasing threat of cyberattacks to universities around the world, information security is more timely than ever. UF participates in the initiative every year to empower students, faculty, and staff to own their role in protecting themselves and the university.

This year’s campaign is centered on a “Secure the Swamp!” online scavenger hunt. Each week in October, UFIT will share tips on social media focusing on three themes: phishing, securing your remote work environment, and mobile device security. Students and employees can then test their cybersecurity knowledge by answering four questions on these topics. The hunt begins on Monday, October 25, at 8 a.m. and ends Friday, October 29, at 5 p.m. Participants will have the opportunity to win an exclusive “Secure the Swamp!” T-shirt.

Remember, the UF Information Security Office can’t protect UF by itself. It’s our shared responsibility to keep the university’s data and systems secure. Visit https://security.ufl.edu/ to participate in the scavenger hunt and find more resources. Also, follow UFIT on Twitter (@GoGatorsUFIT), Facebook (@GoGators.UFIT), Instagram (@gogators_ufit), and YouTube (/GoGatorsUFIT) for some clues!

Campus-Wide Message: Ransomware and Phishing

Vice President and CIO Elias Eldayrie emailed all UF faculty, students, and staff this morning with facts about ransomware and phishing. Eldayrie also listed some key success indicators for securing campus, like a decrease in compromised accounts and an increase in reporting of potential phishing emails, made possible by the campus’s buy-in and involvement on cybersecurity issues. The statistics Eldayrie shared are:

Unauthorized Account Usage: Since implementation of multi-factor authentication, UF has seen a 99.7% decrease in compromised accounts
Phishing: Since installation of the phish alert button into GatorMail, faculty, students, and staff have reported more than 14,500 suspicious emails, leading to fewer successful phishing attempts
IT Security Risks: Since launching the new risk assessment process in 2016, 5,200+ risk assessments have been submitted by faculty and staff prior to technology purchase, allowing for review of security gaps and risk

UFIT engages in year-round training and outreach to help UF better understand information security risks, like what to look for before clicking on links in emails–especially those with the [External Email] banner. President Fuchs also recorded a video about ransomware and phishing to support outreach efforts. View the President’s video here.

Additional resources to help our campus community securely teach, learn, research, and conduct university business are listed on https://security.ufl.edu/resources/.

UF’s Cyber Security Framework Program

UF’s Information Security Office, in partnership with the Office of Internal Audit and Office of Compliance and Ethics Program, introduced the Cyber Security Framework Program (UFCSF) on July 1. Planned and implemented in response to an audit sponsored by Florida’s Board of Governors, the Cyber Security Framework Program heightens UF’s ability to identify, protect, detect, respond, and ultimately recover from cybersecurity incidents.

The Cyber Security Framework program will provide a high-level view of the operational maturity of units across campus, which are then rolled up into a university-wide maturity rating. The information collected will be used to:

Develop a unified view of the university’s information security environment
Discover gaps in enterprise cybersecurity processes and technology
Create university-wide solutions that reduce risk and increase cybersecurity maturity

The UFCSF program is modeled on the National Institute of Standards and Technology cybersecurity framework and tailored for the university’s OneIT model. Surveys are now being sent quarterly to UF’s 16 colleges and administrative units to evaluate their current processes for protecting computing assets and data, and for assessing risk. More information on UF’s Cyber Security Framework program is online. Anyone with questions may email the UFCSF program team.

Install Patches [Updates] To Your Devices

Whether you are a faculty member, student, or staff, inevitably you’ve worked more from home in the past 16 months than ever before. If you use a personally-owned laptop or PC not managed by UF technical staff, chances are your device(s) aren’t up to date. Outdated devices allow cybercriminals to exploit bugs, so it’s important to secure them. There is an easy way to protect personally-owned devices and the data on them: patching.

A patch, also called an update or software update depending on the device manufacturer, is released to fix security vulnerabilities and other bugs. Applying updates as soon as they’re released is important, because they are often issued in response to a known vulnerability or virus. Updates not only improve the security of your device, but often add functionality or improve the usability or performance of features. All software has bugs, and manufacturers constantly identify and patch these–just as cybercriminals constantly look for bugs they can use to attack devices and steal data.

A good way to stay current with patches is to enable automatic updates. Read item #1 on https://security.ufl.edu/resources/protect-your-computer/ for simple instructions to enable automatic updates on Mac and Windows devices. Another good tip: Reboot your laptop, smartphone, PC, and other devices each week, rather than just closing the lid or logging off. Completely shutting down and restarting devices helps to install and apply updates. You can learn more tips on the Information Security Office website.

Fake Emails from “UF Faculty” Targeting Students

Students are reporting suspicious emails in their Gmail or other non-UF inboxes, claiming to be from instructors. These phishing scams enable cybercriminals posing as faculty to convince students to deposit fake checks or send gift cards. Because students often handle email on their phones–where full email addresses are obscured–it isn’t immediately apparent that the email is a phish.

Impostor emails attempt to lure students with high-paying job opportunities and often come from faculty members the student doesn’t know. Cybercriminals can find enough information online to impersonate faculty without having to hack into their UF account. The proliferation of these scams is a great reminder to always be cautious when clicking on any email, no matter who it seems to come from.

Remember:
1. Even if a phishing email doesn’t include a malicious link or attachment, it’s still just as dangerous if you respond.
2. The [External Email] tag will appear in the body of emails originating from outside the university, alerting you that it may well be malicious.

If you think an email in your Gmail or non-UF inbox is a phish, forward the message as an attachment to abuse@ufl.edu.

Cybercriminals Target UF International Community

UF’s 5,712 international students, along with our international faculty and staff population, are prime targets for criminals who want to leverage their immigration status to steal money and sensitive data.

The UF International Center (UFIC) reported several cases of phishing emails and phone calls from cybercriminals posing as representatives of the U.S. Department of Homeland Security or U.S. Immigration and Customs Enforcement. Scams include threats of deportation, visa revocation, or phony visa lottery acceptances. The fake messages are schemes to solicit money or sensitive information (e.g. Social Security numbers, credit card information, etc.).

“We cannot emphasize enough how important it is for our international students to be aware of scams and phishing attempts that can impact their legal status, identity, and financial future,” said Debra Anderson, director of International Student Support Services for UFIC.

Everyone, regardless of visa status, should think twice before automatically clicking on an email attachment. U.S. government agencies never demand immediate payment over the phone or via email. In fact, contact with U.S. agencies involved in immigration issues always starts with a letter, not a phone call or an email. If you think an email in your GatorMail is suspicious, report it with the Phish Alert Button so UF’s Information Security Office can investigate further.

Securely Disposing of UF Records and Media

The secure destruction of paper, electronic records, and media containing restricted data is required at the University of Florida. Failure to properly dispose of documents and media, such as hard drives, USBs, and CDs, that hold restricted data can cause significant risk to UF and its faculty, students, and staff.

UF’s process for disposal of records is clearly articulated to ensure compliance. Faculty and staff should know that different media types (e.g., paper, CD, files stored on encrypted hard drives, etc.) have different destruction methods. The Securely Deleting Electronic and Paper Records webpage includes a chart with a complete list of media types and disposal methods. If your department is moving or has a need to dispose of a significant volume of paper files, UF Procurement Services offers bulk-shredding services for university records as well as media that is required to be destroyed.

Anyone with questions about working with, or the process for deleting, electronic and paper records that contain restricted data may email the UF Information Security Office.

Protecting UF: Mandatory Information Security Training

In 2019, audits were conducted of the state’s 12 public universities. The report recommended that the University of Florida enhance its existing information security awareness program with mandatory annual faculty and staff training. This summer, UFIT developed a new training program to meet the Florida Board of Governors recommendation.

“Protecting UF: Information Security Training” consists of four modules: phishing awareness, restricted data, cloud and sharing tools, and general safeguards. Training takes approximately 30-40 minutes to complete and is mandatory for faculty and staff. Emails will deploy from the myTraining portal in the next few days notifying the UF community that training is available. Training must be completed by the close of the fall 2020 semester, with the annual reminder date for re-certification based upon the initial completion date. As part of the Protecting UF program, in January all enrolled students will see a “to do” reminder in ONE.UF to take the phishing awareness training.

This effort is part of a larger program to inform the UF community on how to protect teaching, learning, research, and online activities. Please visit the Information Security Office website for additional information on this training and other security topics.

Simple Changes to be More Cybersecure

Checking the age of your passwords and reviewing an email link or attachment before opening it can go a long way in protecting yourself from a cyber attack. It’s the world we now live in, so here are some reminders that could save you a lot of heartache and financial and/or identity problems:

1. Check before you click.
Never click on links or open attachments without inspecting the email first. With the enormous volume of malicious emails created and sent every day, being cautious is crucial. Always hover over the email address and look for signs of a scam.
2. Protect and update your passwords.
When was the last time you updated your passwords? Experts recommend updating them every 60 days! Not only should you update passwords, but you should use a passPHRASE. The longer your passwords are, the better.
3. Never leave your electronic devices unattended.
As tempting as it is to ask someone to watch your laptop while in Marston, don’t take this risk. Always take your portable items with you, even if it’s just “for a minute” while you are at the reference desk.

For more ways to be cyber aware, read the Psychology of Phishing story on UFIT News or visit the Information Security Office website.

Before Going Abroad: Tips for UF’s Research Community

Traveling outside of the United States can put your research data–along with your identity and reputation–at risk. Whether you’re conducting a study, lecturing, or simply vacationing abroad, UF’s Information Security Office (ISO) wants you to understand the dangers of data targeting and identity theft.

Some tips to consider:
If possible, bring a temporary laptop that has only the files you’ll use/need while abroad
Verify your mobile device’s encryption
Be sure your laptop’s antivirus software is up-to-date before you travel
Disable automatic connections to open WiFi networks
Use UF’s VPN to connect to any service where Gatorlink authentication is required

Also, to protect your data and personal information, only get online via secure WiFi networks. Recent issues to be aware of include China’s blocking of UF’s VPN. More tips are available on the ISO’s traveling abroad page.

Faculty should contact the Office of Research to ensure they are not traveling with hardware or software subject to export controls. Anyone who needs help configuring VPN or changing their laptop settings is welcome to contact the UFIT Help Desk for assistance.