Visibility for Protection
Information security in higher education faces increasing challenges, accelerated by the pandemic-driven need and expectation to access data and resources “anywhere, from any device, anytime.” Attackers are increasingly taking advantage of vulnerabilities on “endpoint” devices (desktops, laptops, tablets, and smartphones) to access institutional data for financial gain or sabotage. In environments where we bring our own devices and work from anywhere, information security teams often lack the visibility and monitoring capabilities necessary to ensure that endpoints (and therefore our institutional data) are properly protected.
You may have heard about a recent information security incident at UCSF. To avoid similar situations and to address the issue of endpoint security at UC Merced, the Information Security team has developed and implemented the Bobcat Desktop Endpoint Management environment. Bobcat Desktop allows OIT to deploy, update, and troubleshoot connected systems on an opt-in basis, ensuring they are configured correctly, updated automatically, and secured against attacks.
In this COVID-19 environment, the protection and management of devices connected to UC Merced systems and resources have become increasingly important. Remote work, learning, and teaching have created an environment with an increased attack surface, and Bobcat Desktop is more helpful than ever to UC Merced users. We've been expediting our efforts to get Bobcat Desktop rolled out to more endpoints.
To protect and manage endpoints regardless of where they are, we have developed a three-part solution:
1. Bobcat Desktop Endpoint Management
2. Mobile Device Management (MDM)
3. FireEye HX Endpoint Security Management
The Information Security team has been working closely with departments to deploy these endpoint tools as needed. Recently, we have successfully completed deployments to the Administrative Coordination Team (ACT) and Student Health Services. These tools are critical as part of our endpoint management effort to prevent incidents similar to the one that happened at UCSF.
The shift to remote learning, remote instruction, and remote work and the associated rise in use of personal devices to do University work has led to an increased risk to UC Merced’s information security posture. We want to remind you that the threat of social engineering, phishing and disinformation campaigns surrounding Coronavirus (COVID-19) remains high. Please be on the alert!
Across the globe, there is an increased amount of phishing and ransomware activity initiated by criminal organizations and nation-state actors. These sophisticated attempts are targeting COVID-19 researchers, health providers, and anyone who might have access to institutional resources and data assets, mostly in the form of COVID-19 exposure notification messages. These activities have also been confirmed by the FBI through public service announcements.
In general, criminals and bad actors are using the COVID-19 pandemic to raise fear and concern via phishing emails and text messages. These scams might indicate that you have been infected and/or that you were near someone who is infected with COVID-19, say that they found out about you through social tracking, and instruct you to download a form and proceed immediately to the nearest hospital.
Even before COVID-19 contact tracing programs have legitimately been rolled out in Merced, cyber criminals have been sending emails alleging that staff members have been infected. These malicious messages (ostensibly from institutions such as the World Health Organization (WHO) or the Centers for Disease Control and Prevention (CDC), University of California faculty and staff, or even medical professionals) are intended to spread disinformation and disrupt economic recovery efforts. Many instances of this type of cyber crime are also very targeted, such as the Social Services Letter circulating in Merced County indicating COVID-19 testing is mandatory for all households and failure to comply will result in a suspension of benefits.
Please be aware that the United States government and medical professionals and institutions do not do any social tracking of the COVID-19 virus. Hackers will say that they tracked you down via your phone or a charge card receipt for a location or someone that you might know. Typically, they try to keep everything as vague as possible so that you will click on the link included with the message. Keep these tips in mind:
- Please do not click on any suspicious links in messages. Read messages critically, even if they’re about COVID-19.
- Visit websites that you know and trust, such as UC Merced’s Campus COVID-19 Updates or the Centers for Disease Control and Prevention, for legitimate information.
- Do not respond to texts, emails, or calls about checks or the government stimulus package. This is another way for actors to obtain your personal information and infect your devices with malicious code.
- Ignore online offers for vaccinations and home-test kits. No such approved products exist currently.
- Hang up on robocalls.
- Visit our Phishing Email Archive (https://it.ucmerced.edu/phishing#heading-3) for regularly updated examples of phishing attempts and stay informed to stay safe!
UC Merced Information Security has noticed a large spike in phishing scams and spam emails using a subject line containing “Coronavirus” or “COVID-19” as the lure to entice our campus community to click on links, download files, and open attachments. Many of these emails impersonate legitimate institutions and authorities.
One specific threat, reported in an alert by the Health Sector Cybersecurity Coordination Center (HC3), is that cyber criminals have already begun circulating links to a “Live Coronavirus - COVID-19 map” that falsely claims to be from Johns Hopkins University and actually contains malware. This malware can steal your browser history, cookies, cryptocurrency and other credentials including email addresses, passwords and credit card numbers.
More generally, beware of emails and sites containing information about or selling products that would allegedly cure or prevent COVID-19. These are also potential sources of phishing and spam.
As always, we urge users to:
- Exercise caution when clicking on links or opening attachments, even if they look like they’re from someone you know
- Whenever possible, go to web pages by a path you know is legitimate instead of clicking on a link in a message
- If an attachment is unexpected, contact the sender by a method you know is legitimate to confirm they sent it
If you’re unsure if an email is legitimate or if you know for certain it isn’t, please report it directly to Information Security at firstname.lastname@example.org. For more information, be sure to visit our How to Spot a Phish page.
In November 2019, Americans told Pew Research Center they're feeling frustrated that companies and the government are constantly tracking them online and collecting their personal information, but they're also increasingly vulnerable to identity theft as security breaches rapidly proliferate.
According to data retrieved from Privacy Rights Clearinghouse, the number of educational institution (EDU) records exposed in reported data breaches each year from 2004 to 2017 remained steady at less than 5 million records. In 2017, this number increased to 7.6 million records. However, there was a dramatic increase in 2018 when a single data breach exposed 40 million records, bringing the total number of exposed records for the year to almost 41 million.
During the same time period, the number of reported EDU data breaches fell overall: starting from 64 reported data breaches in 2004, it climbed to a high of 107 in 2007 and then dropped to 17 in 2015 and 2018. This demonstrates that cyber criminals have steadily gotten better at accessing greater amounts of data with fewer breaches, as is most evident in the case outlined above, when the single data breach yielded 40 million records.
Armor, a cloud security company, reports that educational institutions were hard hit by ransomware in 2019. According to Armor, there were ransomware attacks against 72 school districts from the period of January 1 through December 31, which may have impacted as many as 1,039 schools in the U.S.
Analysis on attack methods for ransomware reveals that most attacks begin with phishing, spear-phishing, and social engineering. For this reason, it’s important that educational institutions train their users via awareness campaigns to help protect their networks. Awareness campaigns should include education about current and emerging cybersecurity risks and phishing emails. Training should focus on policies regarding how to maintain secure passwords and how to properly respond to suspected phishing scams.
LogMeIn, a subsidiary of LastPass Password Management company, published the results of a survey they conducted in the first half of 2018. According to LastPass, even though 91% of respondents said they understood the risks of password reuse across websites, a staggering 59% reported doing it anyway. There are several reasons for user apathy, but the main culprit seems to be fear of forgetting what their password is.
Compounding this risky user behavior, 53% of respondents said that although they were aware of the risks, they had not changed their passwords in the past 12 months or longer. This holds true even when they learn of a data breach that involved user passwords. Adding still more to their risk profile, nearly 60% engaged in these behaviors: password reuse and failure to change passwords despite a data breach.
LogMeIn explored whether there was a significant difference in how users create passwords for personal and work use. Almost half of users said they did nothing different when creating personal and work passwords and, even worse, 62% said they reuse the same password between personal and work accounts. Only about one in five users reported creating stronger passwords for work than for personal use.
As part of their 2019 National Cybersecurity Awareness Month reporting, TechRepublic highlighted the findings of a recent survey conducted by Google. Here are some of the key numbers on Americans' cybersecurity habits:
- 59% = Percentage who have incorporated a name or birthdate into their password
A further breakdown of this last percentage reveals:
- 33% = A pet's name
- 22% = Their own name
- 15% = Spouse or partner's name
- 14% = Child's name