Information Security is everyone’s responsibility

Did you know? In recent years, data breaches have occurred across different industries worldwide, involving education institutions, airline companies, government departments, banking and financial institutions, e-commerce corporations, web service providers, etc. More than half of the breaches were caused by activities directly attributable to human error, including lost devices, physical loss and unintended disclosure. These breaches were arguably preventable through basic information security safeguards.

  • What can you do every day to protect data? No matter what industry you work in, you may need to transmit, process, access, and share a variety of data. There is no “one size fits all” blueprint for information security controls that all industries can follow. Yet every member has a responsibility to know the basic information security protections that safeguard data and prevent it from being mishandled.
  • Understand where, how, and to whom you are sending data: Many breaches occur because of carelessness, where we accidentally post confidential information publicly, mishandle it, or send it to the wrong party. Taking care to know how you are transmitting or posting data is critical.
  • Create complex and unique passwords: Use different passwords for different accounts, in particular those used for handling confidential data.
  • Enable two-factor authentication: Two-factor authentication can prevent unauthorized access even if your login credentials are stolen or lost.
  • Protect your devices: Besides using a password lock, it is also recommended to use biometric technologies to protect your smartphone and tablet. It is critical to keep curious minds from accessing personal information, work email, or retail/banking applications. It also helps to protect your device in case you lose or misplace it.
  • Update your computing devices: Ensure the operating system, web browser, and applications on all your electronic devices are updated to the latest version.
  • Getting ready to send data to a vendor or sign a contract? In daily work, we are obligated to ensure that the University’s confidential information is properly protected, especially if we need to use an outsourced service or a cloud service. If the service involves confidential information, you must consider the related information security technology before the project begins or the contract is signed, to ensure the data is protected properly.

Are you ready to prevent Ransomware?

Ransomware is a type of malicious software that encrypts the files on your computer and blocks access to the related information. Usually, the user is asked to pay a “ransom” or fee for the decryption key in order to decrypt and regain access to the files. Ransomware may spread to any shared networks or drives to which your devices are connected. It is expected that an increasing number of ransomware attacks will occur in the future.

How will I get infected by Ransomware?
Common media for ransomware attacks include emails with malicious attachments or links to malicious websites. It is also possible to get an infection through instant messaging or texts with malicious links. Antivirus may not detect a malicious attachment, so it is important for you to be vigilant.

How can I protect myself against Ransomware?
There are two steps to protect yourself against ransomware:

  • Preparation: Back up your information regularly. Once a ransomware infection occurs, it is often too late to recover the encrypted information. Your research project or other important information may be lost permanently. For PCs provided by ICTO, there is a basic backup function for each user to prevent the loss of files from desktop and notebook computers connected to our campus network. For more details, please refer to “PC Data Backup“. Moreover, you can consider regularly performing an extra backup of your important files to a location that you are not continuously connected to;
  • Identification: Ransomware typically arrives as phishing emails, either with links to malicious websites or with infected files attached. You might also see a ransomware attack perpetrated through a pop-up telling you that your computer is infected and asking you to click for a free scan. Another possible medium is malvertising, in which malicious advertisements are embedded in otherwise normal websites to deceive users.

4 important things to “Ensure”

  • Ensure that your information is backed up regularly and properly. Because ransomware can encrypt the files on your computer and any connected drives, potentially including connected cloud drives such as Dropbox, as mentioned above, it is important to back up your files regularly to a location that you are not continuously connected to;
  • Ensure that you are able to restore files from your backups. Users can periodically restore some of the files from the backup copies for verification;
  • Ensure that antivirus is up to date and functioning;
  • Ensure that you are keeping your system and mobile devices up to date with patches;

What should I do if I think I’m infected?

  • Report the ransomware attack to the related IT technical support immediately;
  • Isolate or shut down the infected computer. Disconnect it from the Wi-Fi network or unplug the network cable;
  • Infected systems should be removed from the network as soon as possible to prevent ransomware from attacking network or shared drives.

How to use Personal and Home Use Internet devices in a secure manner?

In the modern IT era, there are many personal and home-use Internet-enabled devices, including smartphones, smart watches, home routers, electronic game consoles, and a variety of smart home devices. While bringing convenience to life, they may also bring certain information security risks. Therefore, we would like to provide some security tips to ensure that the devices you are using are assets, rather than burdens.

  • Make sure your software is up to date. Keep updating the system and software programs of the device regularly. If an anti-malware program has been installed, it should also be updated to avoid damage or infection by malware;
  • Secure your network. The wireless network should be protected properly using WPA2 encryption and complex passwords, and the software of your home Wi-Fi router should be updated regularly;
  • Learn more about your device. Have a solid understanding of how a device works, the nature of its connection to the Internet, and the type of information it stores and transmits;
  • Understand how to keep devices up to date. Read the instructions carefully to understand all necessary safe-use methods and precautions, including changing the default password;
  • Understand what data is being collected. Some smart devices collect data. Take some time to understand what information your connected devices collect and how that information is managed and used;
  • Know how your data is stored. Smart devices send and store the collected data in the cloud. Therefore, users should be aware of where the data is stored and what security measures protect their personal data;
  • Do more research. Before adopting new smart devices, study and understand other users’ evaluations of the security and privacy of the devices and the service provider.

Are you always ready to protect important data?

As more and more data is stored on computing devices, especially popular mobile devices such as smartphones, tablets and notebook computers, their intrinsic value and portability make them likely targets of criminals. We would like to provide you with the tips below to protect your information to a certain extent in case your mobile device is stolen or lost.

  • Encrypt sensitive information. Add a layer of protection to your files by using the built-in encryption tools included on your computer’s operating system (e.g., BitLocker or FileVault).
  • Protect your mobile devices and backup data! Make sure that you have performed data backup for each device, and you can safely lock or wipe all data through remote operation whenever necessary. In addition, data backup can be used not only for data restoration, but also for identifying lost data accurately, facilitating reports and appropriate actions for data with security risks.
  • Never leave your devices unattended in a public place or office. If a device must be left in a car, do not leave it exposed; place it inside a closed compartment. In addition, please be aware that the high temperature inside a parked car may damage your device.
  • Protect your devices with password. By enabling passwords, PINs, fingerprint scans, or other forms of authentication, you can have more time to remotely wipe your device if it is stolen or lost. Also, do not enable the options that allow your computer to remember your passwords.
  • Put that shredder to work! Make sure to shred the documents with any personal, medical, financial, or other sensitive data before throwing them away.
  • Be smart about recycling or disposing of old computers and mobile devices. Destroy the data on your computer’s hard drive properly before disposing of old computers. Use the factory reset option on your mobile devices and erase or remove SIM and storage cards.
  • Verify app permissions. Don’t forget to review an app’s specifications and privacy permission before installing it!
  • Be cautious about public Wi-Fi hot spots. Avoid performing financial or other sensitive transactions while connected to public Wi-Fi hot spots.
  • Keep your software up to date. If the vendor releases updates for the software operating your device, install them as soon as possible, to prevent attackers from taking advantage of known problems or vulnerabilities.

In case your laptop or mobile device is lost or stolen, please consider reporting it to the police and keep the police report. If the lost device contained sensitive information of the University, or staff or student information, please report the loss to the University immediately, so that the related action can be taken as soon as possible.

2FA – Account Security under Your Control

If someone steals your account password, is there a way not to worry about the account being taken over? It is actually easy! Two-factor authentication (2FA) allows users to control logins to their account: without the user’s authorization, nobody can log into the account. It takes only a few minutes to complete the setup and it is easy to use, which makes it a simple and efficient measure.

  • How does it work? Once you have activated two-factor authentication on your account, whenever a login with your password comes from a device other than the one you have already permitted, an authorization check is sent to your registered smartphone. Without your approval, a password thief can never get into your account.
  • Is it difficult to set up? 2FA is widely applied and easy to use nowadays. Typically, you only need to install the 2FA app on your mobile phone and complete a simple registration process; you can then authorize account logins when necessary.
  • Can I adjust the frequency of checking? Although some accounts require an authorization each time the user logs in or performs a specific operation, in many cases 2FA provides some convenient features. For example, with the default authorization feature, the user is usually not required to authorize again when logging in from the same browser on the same computer within a preset time after the first authorization is completed. However, DO NOT enable any default authorization feature on a public computer.
  • Which accounts should I protect with 2FA? In fact, it is recommended to enable 2FA for as many accounts as possible, and to protect the following accounts first:
    • Work accounts: of course, you must also comply with the relevant data protection laws and the data protection policies, guidelines and procedures of your organization.
    • Financial accounts: Protect your money!
    • Online shopping accounts: Protect the use of your stored credit card information!
    • Social media accounts and email accounts: Protect your personal reputation in case your identity is compromised!

Are you always ready to protect your mobile devices?

Mobile phones, tablets, and notebook computers have always provided us with the convenience of working anywhere, anytime, and at the same time brought some additional security risks. These mobile devices make storage and information access easy on one hand, but are easily lost or stolen on the other hand. Do you know what to do if your device is lost or stolen? Here are some information security tips for you:

  • Secure your devices. Use a password or fingerprint to secure your device and avoid unauthorized access;
  • Turn on the “Find Me” function. If your device has a “Find Me” feature as well as remote deactivation and wipe features, make sure they are enabled to limit data loss or theft.
  • Protect your data. Perform data backups regularly and consider enabling the encryption feature of your device; (Please refer to “Data loss happens all the time. Do you have a data backup plan?“)
  • Update any software, including anti-virus protection, to make sure you are running the most secure version available. Avoid downloading and installing software from unknown sites;
  • Do not ignore the physical security measures of the devices.
    • Cover the camera of your laptop or mobile device to protect your privacy if necessary;
    • Label your devices with basic contact information in case they are lost;
    • Write it down! Record the manufacturer, model and serial numbers of your mobile devices, and the contact information for support;
    • In case your device is stolen, please consider reporting it to the police and keep the police report as well.

Beware of Phishing Trap

“Phishing” is a social engineering trick. Cybercriminals use phishing to lure the victim into a desired behavior. Social engineering is the core of all phishing attacks, especially those via email. Advances in information technology have made phishing simple: it is fast, inexpensive and low-risk to set up and operate phishing attacks, so any cybercriminal can launch them.

Before replying to any email, you must confirm the identity of the sender, and pay special attention if the email involves sensitive content such as money, personal information or account passwords. Usually, a phishing email will show one or more of the characteristics below:

1. Be aware of non-official email address domains. For example, a notice from the ICTO Help Desk is unlikely to come from the following email addresses. Please note that if an email address is shown with a display name, the display name cannot be used to verify the sender’s identity. In this case, you need to verify the sender’s actual email address shown in “< >” or “[ ]”;

  • @ — For official email, it is unlikely to come from third party email service;
  • @ — @connect.um.edu.mo is used in the student and alumni service but not an official staff email address.

2. Beware of attachments — Email attachment is the most common platform for malicious software. When you get a message with an attachment, DO NOT open it unless you are expecting it and absolutely certain that it is legitimate;

3. Urgency is one of the typical phishing characteristics: an urgent call to action makes you more likely to cooperate, e.g. an urge to perform account verification, purchase prepaid cards, transfer money, etc. If a message states that you must act immediately or you will lose access, stay calm and deal with it carefully. Cybercriminals often use intimidation and hope you will act without thinking;

4. Incorrect URL link — It will take the recipient to a fraudulent website instead of the genuine links;

5. Fake email signature — Hackers may obtain an email signature from somewhere. Even if it looks real, do not rely on the email signature to judge the authenticity of an email. However, if the sender’s email signature is unusual, you need to pay special attention;

6. Do not trust the sender’s photo — Hackers may obtain someone’s photo from somewhere, e.g. social media website;

7. Using different communication channels — For any suspicious requests, you can use different communication channels to determine the authenticity of the email sender. For example, instant messaging apps, or voice call, etc.
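The characteristics above (a sender address whose domain is not the official one, an address hidden in the display name, an urgent call to action, and link text that does not match the link target) can be turned into a simple mail-triage check. The script below is an added example and not ICTO’s own tooling; the staff domain `staff.example.edu`, the urgency phrases and the three sample messages are constructed placeholders, while `connect.um.edu.mo` is the student/alumni domain the page itself names.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation's official staff mail domain. The page only
# states that connect.um.edu.mo is a student/alumni domain, so the staff
# domain below is a labelled placeholder, not a real value.
OFFICIAL_DOMAINS = {"staff.example.edu"}
NON_STAFF_DOMAINS = {"connect.um.edu.mo"}

# Constructed urgency phrases matching characteristic 3 on the page.
URGENCY_PHRASES = ("act immediately", "lose access", "verify your account",
                   "prepaid card", "money transfer")

ADDR_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HTML_LINK = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(from_header, body_html):
    """Return the list of indicator labels that the message triggers."""
    hits = []
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # Characteristic 1: the real address is not in an official domain. A
    # student/alumni domain posing as a staff notice gets its own label.
    if domain in NON_STAFF_DOMAINS:
        hits.append("sender-domain-not-staff")
    elif domain not in OFFICIAL_DOMAINS:
        hits.append("sender-domain-not-official")

    # Characteristic 1 (display name): an address shown in the display name
    # that differs from the address actually inside "< >".
    for shown in ADDR_IN_NAME.findall(display_name):
        if shown.lower() != address.lower():
            hits.append("display-name-address-mismatch")
            break

    # Characteristic 3: urgent call to action.
    if any(p in body_html.lower() for p in URGENCY_PHRASES):
        hits.append("urgency")

    # Characteristic 4: link text shows one host but href goes elsewhere.
    for href, text in HTML_LINK.findall(body_html):
        shown = re.search(r"https?://\S+", text)
        if shown and host_of(shown.group()) != host_of(href):
            hits.append("link-target-mismatch")
            break
    return hits


# Constructed sample messages (not real mail).
LEGIT_FROM = "ICTO Help Desk <helpdesk@staff.example.edu>"
LEGIT_BODY = ('<p>Your quota report is ready: <a href="https://portal.staff.'
              'example.edu/quota">https://portal.staff.example.edu/quota</a></p>')

PHISH_FROM = '"helpdesk@staff.example.edu" <alerts@mail-relay.example.net>'
PHISH_BODY = ('<p>Your mailbox is full. You must act immediately or you will '
              'lose access. <a href="http://staff-example-edu.login-check.net/'
              'verify">https://portal.staff.example.edu/verify</a></p>')

STUDENT_FROM = "Registry <notice@connect.um.edu.mo>"
STUDENT_BODY = "<p>Reminder: the library closes early on Friday.</p>"

if __name__ == "__main__":
    for label, hdr, body in (("legit", LEGIT_FROM, LEGIT_BODY),
                             ("phish", PHISH_FROM, PHISH_BODY),
                             ("student", STUDENT_FROM, STUDENT_BODY)):
        print(label, phishing_indicators(hdr, body))
```

The check only flags indicators for a human to review; a message with no hits is not proven legitimate, which is why the page's advice to confirm through a second channel still applies.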

Data Privacy and Skills in Using Email

In today’s information age, email has become an indispensable communication tool in daily work and one of the major communication channels. Hence, email security is becoming more and more important. Although users’ awareness of external attacks such as telecommunications fraud and malware is increasing, the problems that can arise from the everyday use of email cannot be ignored. In particular, any job that involves personal data must be handled with special care. To help users use email more securely, here are some security tips:

  • Before sending an email, you must review the email content, attachments, and the recipients’ email addresses;
  • Before replying to an email, you must confirm the identity of the sender. Do not reply to emails casually. For emails that involve sensitive content such as money, personal information or account passwords, please pay special attention;
  • Before forwarding an email, you must consider whether the email content, including attachments and the reply history, is suitable for forwarding. You can also consider extracting only the necessary contents instead of forwarding the entire email. Do not arbitrarily forward unconfirmed content, so as not to spread rumors;
  • Consider carefully whether mass emailing is necessary and make good use of email system resources. For more details, please refer to the “Guidelines for Mass Email and E-mail Groups“;
  • Be careful with “Reply to all”. It may cause unnecessary disturbance; please consider carefully whether it is necessary;
  • Make good use of Bcc so that recipients cannot see each other’s email addresses, thus protecting the privacy of each recipient;
  • Pay attention to email contents and attachments. Do not send excessive content or attachments, especially personal information. If an email contains sensitive content, you must consider whether it is suitable for transmission via email at all. In addition, the use of email must comply with the policies of the University and existing local laws and regulations, as well as other laws that may need to be complied with in other jurisdictions. (Please refer to the Reference information.)
  • Do not rely on “email recall”! Email recall is a convenience feature that can only minimize the impact; it cannot guarantee that an email you sent will be recalled successfully.

In addition, users can make a habit of writing the email body before filling in the recipients’ email addresses, so as not to send unfinished emails by mistake. If you need to select an email address from your contacts, be careful when selecting it, as some email addresses may look similar.


* Reference information

  1. Office for Personal Data Protection, Macao
  2. Personal Data Protection Act, Macao
  3. Privacy Policy, UM
  4. Guidelines for Handling Confidential Information, UM
  5. Acceptable Use Policy on ICTO Computing Facilities Campus Network and Internet
  6. Guidelines for Mass Email and E-mail Groups
  7. How can I identify a phishing, fake email and websites?
  8. What you need to know about EU General Data Protection Regulation?
  9. Data Privacy in an Era of Compliance
  10. Other Information Security Tips

Data Privacy in an Era of Compliance

“Compliance” means conforming to laws, regulations, standards and other requirements.

Nowadays, the Internet is essential to everyday life. However, do you know that the Internet holds a large amount of data about you? Whenever you play a game, shop online, browse websites, or use any of numerous apps, your activity and some of your personal information may be collected and shared.

Similarly, our daily work may require us to collect, process, and store the personal information of others. Whenever we handle such information, we need to think about how we want our own information treated, and treat other people’s data with the same care and respect.

Tips for protecting your personal data:

  • Know what you are sharing. Check the privacy settings on all of your social media accounts. Some of them include a wizard to walk you through the settings. Always be cautious about what you post publicly;
  • Guard your date of birth and telephone number. These are key pieces of information used for identity and account verification, and you should not share them publicly. If an online service or site asks you to share this critical information, consider whether it is really necessary and how secure the site is;
  • Be aware of phishing emails and fake websites. Your personal information may be phished! *6

Tips for protecting the information, identity, and privacy of others:

  • Know what laws, policies and guidelines are applicable. They govern how the personal data of constituents is collected, processed, stored, and deleted; *1,2,3,4,5
  • Use the data only for its intended purpose. If you need to use data for another reason, always check the above policies and guideline first;
  • Do keep constituents’ personal information confidential and limit access to the data;
  • Destroy or de-identify private information when you no longer need it.

* Reference

  1. Office for Personal Data Protection, Macao
  2. Personal Data Protection Act, Macao
  3. Privacy Policy, UM
  4. Guidelines for Handling Confidential Information, UM
  5. What you need to know about EU General Data Protection Regulation?
  6. How can I identify a phishing, fake email and websites?

How to Protect Your Data and Devices While Traveling

Traveling today is so much easier with technology. You can stay productive, entertained, and in touch. For many, having a cell phone or other electronic device is a critical part of having a great travel experience and an integral part of daily life. Unfortunately, traveling with devices can mean increased risks for keeping your personal data private as well as the potential for device theft.

Here are some steps you can take to help secure your devices and your privacy.

  • Travel only with the data that you need. That means leaving some of your devices at home, using temporary devices, removing personal data from your devices, or moving your data to secure storage;
  • Protect your data. Perform a full backup of the data that you leave at home and consider enabling encryption feature for your device;
  • Update any software, including anti-virus protection, to make sure you are running the most secure version available;
  • Turn off Wi-Fi and Bluetooth to avoid unexpectedly automatic connections;
  • Turn on “Find My [Device Name]” tracking and/or remote wiping options in case it is lost or stolen;
  • Be well prepared. In particular, charge your devices before you go;
  • Be aware of the risk of committing an offense. Clear your devices of any content that may be considered illegal or questionable in other countries, and verify whether the location you are traveling to has restrictions on encrypted digital content;
  • Don’t overlook low-tech solutions:
    • Tape over the camera of your laptop or mobile device for privacy;
    • Be aware of people “shoulder surfing” for personal information;
    • Keep your devices on you whenever possible, or use a hotel safe;
    • Label all devices in case they get left behind!