Information Security Tips (August 2022) – How to handle confidential information?

Occasionally, you might need to transmit, store, edit and access different types of data for work purposes. No matter what format the data is stored in, we are obliged to ensure that proper security measures and controls are applied to UM data to avoid data leakage, especially of confidential data. Some common causes of data leakage are human error, weak passwords being cracked, stolen credentials, loss of devices, exploited software vulnerabilities, insecure network connections, etc. Disclosure of confidential data may damage the reputation of the University or have legal implications. Therefore, please refer to the tips below to protect the data:

Protect data with password and encryption, erase old data
Ensure confidential data is handled as required by the “Guidelines of Confidentiality” and the “Guidelines for Handling Confidential Information”. For example, when you take or process confidential data outside campus for official work purposes, the data must be protected with a password and encrypted with an encryption tool. In addition, erase all confidential data on the device immediately after processing it.

Transmit and share data carefully
Before sending, replying to or forwarding an email, please review the recipients’ email addresses, the email content and the attachments, and ensure they are correct. For example, do not include too much personal information or unverified content such as rumors, and exclude all unnecessary confidential data from the email history. Also, when you share data with other people in computer systems, please ensure the privileges are set correctly.

Enable 2FA and use strong password
To minimize the probability of credentials being stolen and passwords being cracked, please enable the Two-Factor Authentication (2FA) service and use a strong password to protect your UM user account. Moreover, use different passwords for different accounts, in particular those used for handling confidential data.

Protect your devices by biometric technologies
Besides using a password lock, it is also recommended to use biometric technologies, i.e. fingerprint and facial recognition, to protect your smartphone and tablet. This can minimize the probability of unauthorized people accessing your personal data, work email, online payment and bank information in case you lose or misplace the device.

Update computer systems and devices, enable anti-virus software
Ensure the operating systems, web browsers and software on your electronic devices are updated to the latest version, and patch vulnerabilities as soon as possible to prevent attackers from taking advantage of known problems or vulnerabilities. Please remember to enable the real-time protection and monitoring feature of your anti-virus software, scan the computer regularly and keep the software version up to date.

Be careful in using public WiFi networks and computers
Please always assume that public WiFi networks and computers are insecure, as attackers may capture your data on the same public network or computer you are using. Thus, avoid performing financial or other transactions that involve confidential data while using public networks and computers.

Information Security Tips (July 2022) – Tips for work from home remotely

As everyone is working from home due to the epidemic, please remember the following:

  1. Make sure your computer programs are up to date: keep updating the system and software programs of the device regularly. If an anti-malware program has been installed, it should be updated to avoid damage or infection by malware. Download the protection software here (Link) and select ESET Internet Security;
  2. Log in to SSLVPN and use the virtual desktop service provided by ICTO for using major UM administrative systems. Please refer to the detailed information (Link);
  3. Log out from all of your accounts (including SSLVPN) before you leave your computer;
  4. Protect your data to avoid a data breach;
  5. During video conferencing, do protect your privacy;
  6. DO NOT arbitrarily believe unconfirmed news. During an epidemic, related fake news is usually disseminated. Don’t let a phishing scam reel you in. Don’t arbitrarily forward unconfirmed news.

 

Information Security Tips (May 2022) – How to Use Mass Email Efficiently & Safely


In our daily work, we may need to distribute email to multiple recipients, mail groups or different organizations. What is the most efficient way to do this: sending the same message one by one, or sending it as a mass email? Of course, sending a mass email is the better choice.

Although distributing a mass email saves you from delivering the same message repeatedly, it also has drawbacks if it is not done carefully, such as unnecessary disclosure of recipient contacts to third parties or wasted email resources. The following aspects must be considered before sending a mass email:

1. Is the email justified for proper purpose?
2. Will it cause any security/privacy related issues?
3. What will happen if one of the recipients clicks ‘Reply All’?
4. Will the email confuse the recipients?

To address the above aspects, we suggest the following:

  • Make sure the email aligns with your organization’s mission and approved purpose.
  • Use blind carbon copy (Bcc) to hide the recipient list from individual recipients and protect their privacy. This also avoids duplicated mass email when any recipient clicks ‘Reply All’.
  • Give the email a clear subject heading to help recipients differentiate it from spam or phishing.
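
The Bcc tip above, as an added example in Python (not part of the original tips or any ICTO tool): recipients are kept only in the SMTP envelope list, and a check confirms that no recipient address appears in the message itself. The addresses, the batch size and the function names are assumptions made for the illustration.

```python
from email.message import EmailMessage

# Constructed sample data: all addresses use the reserved example.org domain.
SENDER = "office@example.org"
RECIPIENTS = [
    "alice@example.org",
    "bob@example.org",
    "Alice@Example.org",    # duplicate in a different case
    " carol@example.org ",  # stray whitespace from a pasted list
    "dave@example.org",
]


def build_mass_mail(sender, recipients, subject, body, batch_size=2):
    """Return [(envelope_recipients, message), ...] for a Bcc-style mailing.

    Recipients exist only in the SMTP envelope list; no To/Cc/Bcc header
    ever carries them, so they cannot see each other and 'Reply All'
    reaches only the sender.
    """
    seen, unique = set(), []
    for addr in recipients:
        cleaned = addr.strip()
        if cleaned and cleaned.lower() not in seen:
            seen.add(cleaned.lower())
            unique.append(cleaned)

    batches = []
    for start in range(0, len(unique), batch_size):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = sender          # visible addressee is the sender itself
        msg["Reply-To"] = sender
        msg["Subject"] = subject    # clear subject heading, per the last tip
        msg.set_content(body)
        batches.append((unique[start:start + batch_size], msg))
    return batches


def leaked_addresses(batches):
    """List recipient addresses that appear anywhere in a serialized message."""
    everyone = [addr for rcpts, _ in batches for addr in rcpts]
    leaks = set()
    for _, msg in batches:
        raw = msg.as_string().lower()
        leaks.update(a for a in everyone if a.lower() in raw)
    return sorted(leaks)


if __name__ == "__main__":
    mailing = build_mass_mail(SENDER, RECIPIENTS,
                              "[Office] Library opening hours update",
                              "Please see the revised opening hours.")
    for rcpts, msg in mailing:
        # Real delivery would be: smtplib.SMTP(host).send_message(
        #     msg, from_addr=SENDER, to_addrs=rcpts)
        print(len(rcpts), "envelope recipients; visible To:", msg["To"])
    print("leaked:", leaked_addresses(mailing))
```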

For more details about Sending Mass Email, please refer to “Guidelines for Sending Mass Email and Using Email Group”.


Information Security Tips (April 2022) – How to protect your computer against viruses and malware?

In our daily life, we usually pay attention to our home security, but have you ever wondered whether your home computer has been hacked? Hackers often install a Trojan horse on your computer without your knowledge and use it to steal your important data. They can also use it to remotely control your computer’s camera and microphone for peeping and eavesdropping. As cryptocurrency has become popular and valuable, hackers may use Trojan horses to control many computers belonging to other people for illegal crypto mining. Such a crypto mining attack can slow down the computer and Internet speed, increase electricity consumption and shorten the lifespan of the computer.

Crypto mining attacks are spreading all over the world. UM has also received an information security alert from the Cybersecurity Incidents Alert and Response Center (CARIC) of Macao stating that some computers of several organizations in Macao have been infected with crypto mining malware since February this year, and that there is an upward trend. To ensure information security, please refer to the following tips to protect your computer immediately:

  • Keep your computer up to date; patch or upgrade the operating system and software to fix vulnerabilities as soon as possible.
  • Enable the real-time protection and monitoring feature of antivirus software, scan the computer regularly and keep the version up to date.
  • Only download software from the official website of the vendor/publisher.
  • Don’t download any type of cracked or hacked programs.
  • Don’t click links and open attachments in suspicious email.
  • Securely maintain and manage your user account and password, i.e. enable the two-factor authentication (2FA) service and use a more complicated password.

If you find any of the signs below on your computer, it may be infected by a virus or malware:

  • Loss of performance, frequent freezing or crashing.
  • Overheating, or the battery draining faster.
  • Loss of information, files deleted or modified, or the hard drive formatted without your permission.
  • Unexpected modification of the web browser homepage, unwanted pop-ups or redirects to websites you did not intend to visit.
  • Antivirus software is closed or has stopped running.

If you suspect that your UM user account has been hacked or your computer has been infected, please contact the ICTO Help Desk immediately.


Information Security Tips (March 2022) – How to download and install software in a secure manner?

Daily online activities may put your electronic device at risk, because most threats that infect your computer system, such as viruses and malware, come from programs that you download and install from the Internet.

Here are 4 tips for downloading and installing software in a relatively safe way:

1. Only download software from the official website of the vendor/publisher
You are always recommended to download software only from the official website of the vendor or publisher, and to avoid downloading software installers from third-party websites. This is because some of those installers have been embedded with various types of ads, which may install additional malicious programs on your system.

2. Always delete any software that is downloaded to your device automatically
This often happens when you accidentally visit malicious websites on the Internet and the websites send their malicious programs directly to your device. When this happens, always delete the application that was downloaded automatically to your device without your knowledge.

3. Don’t download any type of cracked or hacked programs
A program that includes any type of crack or hack is certainly a malicious program. When you run it, it will install malicious code on your system or device. It tends to disturb your system and send malicious commands to it. It is better to stay away from cracked or hacked software.

4. Follow the installation steps carefully
When you download a software installer, even from the official website, do not just mindlessly click “next”. You have to follow the installation steps very carefully because a bad software vendor might embed malware or adware in their installer. Make sure to deselect (untick) any unnecessary options during the installation.


Information Security Tips (June 2021) – How to protect your data while travelling?

The University campus is equipped with a trusted Wi-Fi network to keep your data safe, but when you travel off campus for vacation, academic field trips, or a study session at a public venue, please take extra precautions when using public Wi-Fi, as hackers and other cybercriminals like to take advantage of public locations with less security protection to conduct cyberattacks.

Please take note of the below tips to keep your data safe when using public Wi-Fi:

    • Verify the network, configure and turn off sharing function
    • Use a virtual private network (VPN)
    • Use links with HTTPS
    • Keep the firewall enabled
    • Use antivirus software
    • Always turn off automatic connection
    • Always use two-factor authentication (2FA). In this way, even if a hacker obtains your username and password, they still cannot access your accounts.

If possible, it is better to use the network of your mobile device as a hotspot instead of using the insecure public Wi-Fi.

Information Security Tips (January, 2021) – How long have you not changed your password?

Did you know? In recent years, data breaches have occurred in different industries around the world. If you have not changed your password for a long time, it may have been compromised in various information security incidents such as phishing emails, fake websites, Trojan horse programs, vulnerabilities, password cracking, etc. Your account password may already be known to hackers, so you are advised to refer to the following security measures to ensure account security.

    • Change your password periodically. Usually, it is recommended to change your password every 180 days. If you have not changed your password for a long time, please change it immediately (Change password);
    • Use a strong password, such as “gL3ToL@uh%” (please refer to the ICTO knowledge base);
    • Lengthen the password. You can also lengthen the password instead of using a complicated password. It is recommended to use a combination of unrelated words that is more than 15 characters in total. It is not only more secure but also easier to remember and type, e.g. “PersonalOceanAlthough”;
    • Beware of information security fatigue. We believe that you already have a certain degree of awareness and alertness. However, you may sometimes unconsciously relax and unfortunately cause an information security incident. Therefore, you are recommended to make good use of the security tools below to reduce security risk.
      • Use two-factor authentication to log in to your accounts (2FA);
      • Encrypt mobile disks (BitLocker);
      • Use RMS to protect important documents (RMS).

ICTO launched the 2FA service in 2019. Besides, we have an automatic security mechanism to detect network intrusion activities. Once a suspicious intrusion activity is detected or an account is compromised, the related network connection will be terminated or the related user account will be automatically disabled to avoid further security threats.


Information Security Tips (2020 Q4) – Cyber Security during the Novel Coronavirus Pneumonia Epidemic

The year 2020 has been a tough one. With the outbreak of Novel Coronavirus Pneumonia around the world, our lives, work, and studies rely more and more on network services. As online activities become more frequent, information security is severely challenged, and the risk increases especially where personal equipment and home office environments are insufficiently protected. With the long Christmas holiday and final exams approaching, information security is easily overlooked when dealing with heavy work or study. In order to have a secure online working and learning environment, here are some safety tips for your reference:

  • Keep devices and Apps up to date. This general tip is useful even if you are just casually surfing the Internet. Keeping your devices up to date (including anti-virus tools, Apps and the operating system) ensures you have the latest security fixes;
  • When working at home, prevent other family members from accessing important information related to your work;
  • Back up data! Make sure that you have performed a data backup for each device. In case you lose your mobile device, the backup can be used not only for data restoration, but also for identifying lost data accurately, facilitating reporting and planning appropriate actions for data with security risks;
  • Beware when sending important information. When using email or communication software to send information, you must ensure that the content and recipients are correct. If you send personal data to unauthorized persons by mistake, you are more likely to violate the laws of Macao;
  • When receiving any information with a URL link or attachment (especially an online meeting URL), DO NOT open it unless you are expecting it and are absolutely certain that it is legitimate;
  • Secure your Zoom meeting. Please refer to “How to Secure Your Zoom Meeting” and “Using Zoom Effectively in Classroom”;
  • Don’t overlook low-tech solutions. Tape over the camera of your laptop or mobile device for privacy.


What is ISO 27001? Does it have any relationship with you?

ISO 27001 is an information security management system (ISMS) standard, which is based on risk management principles to establish, implement, operate, monitor, review, maintain, and improve an organization’s information security system. Its purpose is to ensure the security and reliability of information services, and to provide users with information security operation standards. In other words, in the field of information security management, information is a valuable asset. Therefore, information must meet the following three elements, generally called CIA, throughout its creation, transmission, storage, and use. These are also requirements of the Macao Cybersecurity Law, under which the University must fulfill the relevant regulations.

  • Confidentiality: To ensure information is not disclosed to any unauthorized persons
  • Integrity: To ensure there is no unauthorized tampering of information
  • Availability: To ensure authorized users can access information and resources properly and reliably

ICTO has always attached great importance to information security. In order to ensure that the University’s information management can meet international standards and best practices, since the end of last year ICTO has been actively planning to obtain ISO 27001 information security management certification in stages, and the first stage of certification is about to be carried out.

In addition, information security is everyone’s shared responsibility. Every user may need to send, handle, and access different types of information. ICTO will announce and refine the related information security reference materials, guidelines and tips in a timely manner, so that users can easily understand the related requirements and important matters of information security.


The Cybersecurity Law is now in effect. Are you ready for it?

Information technology has developed rapidly in recent years. With the development of artificial intelligence and 5G networks, some technologies that seemed impossible before have gradually entered everyone’s lives, which also shows the importance of information technology services. Especially during the anti‑epidemic period in recent months, the public’s dependence on IT services has become more obvious, and information security has become a topic of discussion. Hence, the requirements on information security will become higher.

With the Macao Cybersecurity Law now in effect, and in accordance with the relevant regulations, the University must ensure that information networks, computer systems and data are protected properly, and strengthen its alerting and response to information security incidents. ICTO will continue to safeguard the information security of our campus network, and cooperate with the Cybersecurity Incident Alert and Response Centre in order to fulfill the reporting obligations, including reporting information security incidents and providing updated Internet service information (such as the account name for connecting to the Internet service provider, IP address, domain name and other related information).

In addition, if you need to set up IT facilities or provide IT services in UM, you are obliged to ensure that the provided services are secure and reliable. Therefore, please note the following:

  • Make sure the operating system and applications are updated to the latest version to ensure maximum protection;
  • Check whether the system default settings are secure, including initial passwords, permissions and system services;
  • Enable information security measures and system logging, and perform backups of important data;
  • For outsourced IT services, you must also ensure that the provided services meet the relevant requirements of the Cybersecurity Law;
  • If you need to change the network architecture or encounter an information security incident, you must inform ICTO*.

* Note: ICTO will be responsible for implementing the above reporting obligations for UM in accordance with the Cybersecurity Law. Detailed information will be announced in due course.

Service providers are not the only ones who must pay attention to information security; it is also the responsibility of each user. Users must always maintain security awareness in order to build a secure IT environment.
