Data security



Ransomware Alert, May 14, 2017

If you receive an unexpected email that looks unusual, or an email with an attachment you did not ask for, do not open it. Instead, delete it immediately and report it to the Technology Support Desk.

We all deal with data — lots of data. At home, that data includes credit card numbers, insurance policies, tax returns and bank statements. At MacEwan, we deal with data like students’ personal, financial and academic records, and confidential, potentially sensitive information about employees and the university’s operations.

In the wrong hands, that information could bring about devastating consequences to you personally and to the university.

There are several things you can do to lower your risk of having your data compromised.

Lock down your computer

  • Your computers at work and at home should require a user log in every time they start up or are unlocked. You should also set your computers to automatically lock after a certain period of idleness.

  • Whenever you step away from your computer at work, log out to protect it from being accessed by unauthorized users.

  • Remove any sensitive data from your work laptop or computer. In fact, don’t store any kind of sensitive information on your local hard drive. It’s best practice to use the university’s network infrastructure to store your data: it’s secure and it’s backed up daily.

  • Use a VPN (Virtual Private Network). A VPN client is a piece of software on your computer that lets you log in to the MacEwan Network using your university credentials. Your computer exchanges your credentials with the MacEwan server and creates a secure, encrypted Internet communication. You can get more information and download MacEwan VPN software on the MacEwan VPN page.

  • You can also set up your own VPN service to access your secure home network from your personal laptop while you are not at home.

Secure your devices

One of the biggest risks to data security is the loss or theft of a device (smart phone, tablet or laptop) that does not have an access password or pin. Without a password, anyone who steals or finds a device has an open door to your data.

There are some very simple precautions you can take to secure the devices you use at home and at work.

  • Install a pin or passcode on all your devices. See our tips for creating passwords

  • Attach a sticker with your contact information to the device

  • When you are not using your device, lock it up

Be careful when using public wi-fi

Free wireless is everywhere, but proceed with caution. Public wi-fi networks are also open to scammers and cybercriminals who can and do use eavesdropping software to monitor your online activity to steal login details and other information.

Never assume that a public wi-fi network is safe to use just because it has a password — this includes those at airports or hotels.

Tips to lower the risk of having your data compromised through public wi-fi:

  • Turn off your wi-fi if you’re not actively using the Internet

  • Don’t use public wi-fi to visit sites that require you to log in with a username and password (banks, social networks, webmail). Wait until you’re on a secure, private network.

  • Watch out for shoulder surfers. If your laptop is open in a public space, it’s easy for someone to see exactly what you are doing. Look around to make sure no “shoulder surfers” are watching what you type.

  • Use a VPN (see “Lock down your computer,” above)

  • Turn off sharing. Your home network might let you share files, access printers, or allow other computers to log in to your computer. Turn these things off when you’re on a public network.

  • Turn on your computer’s firewall. Most operating systems include a variation of firewall software that is designed to block outside access to your system. While they aren’t a foolproof defense, it’s worth activating them.

  • Activating a Windows firewall

  • Activating a Mac firewall

Use HTTPS and SSL Whenever Possible

Regular web site connections over HTTP exchange lots of plain text over the wireless network you're connected to, and someone with the right skills and bad intent can sniff out that traffic very easily. It's not that big of a deal when the text is some search terms you entered at Lifehacker, but it is a big deal when it's the password to your email account. Using HTTPS (for visiting web sites) or enabling SSL (when using applications that access the internet, such as an email client) encrypts the data passed back and forth between your computer and that web server and keeps it away from prying eyes.

Why Should I Care About HTTPS on Facebook (or Other Web Sites)?

Many sites—including Facebook, Gmail, and others—will do it automatically, but keep an eye on the address bar and make sure the "s" in "https" is always there when you're exchanging sensitive information. If it disappears, you should log out immediately. Other sites will default to HTTP connections, but support HTTPS if you manually type it in.

Note that if the sensitive browsing can wait—especially if it's something very sensitive like banking or credit card info—you should just wait to do that sensitive browsing at home. There's no reason to risk more than you have to.

If you access your email from a desktop client such as Outlook or Apple Mail, you'll want to make sure that your accounts are SSL encrypted in their settings. If not, people could not only theoretically read your emails, but also get your usernames, passwords, or anything else they wanted. You'll need to make sure your domain supports it, and sometimes the setup might require different settings or ports—it's not just a matter of checking the "use SSL" box—so check your email account's help page for more details. If it doesn't support SSL, make sure you quit the application when you're on a public network.

Consider Using a Virtual Private Network

Unfortunately, not all sites offer SSL encryption. Other search engines and email providers may still be vulnerable to people watching your activity, so if you use one of these sites frequently (or really just want the extra protection), you may want to try using a VPN, or virtual private network. These services let you route all your activity through a separate secure, private network, thus giving you the security of a private network even though you're on a public one.

Information on MacEwan's VPN is on Tech Support's VPN page.

Turn Wi-Fi Off When You Aren't Using It

If you want to guarantee your security and you're not actively using the internet, simply turn off your Wi-Fi. This is extremely easy in both Windows and OS X. In Windows, you can just right-click on the wireless icon in the taskbar to turn it off. On a Mac, just click the Wi-Fi icon in the menu bar and select the turn off AirPort option. Again, this isn't all that useful if you need the internet, but when you're not actively using it, it's not a bad idea to just turn it off for the time being. The longer you stay connected, the longer people have to notice you're there and start snooping around.

How to Automate Your Public Wi-Fi Security Settings

Obviously, you don't want to have to manually adjust all of these settings every single time you go back and forth between the coffee shop and your secure home network. Luckily, there are a few ways to automate the process so you automatically get extra protection when connected to a public Wi-Fi network.

On Windows

When you first connect to any given network on Windows, you'll be asked whether you're connecting to a network at your home, work, or if it's public. Each of these choices will flip the switch on a preset list of settings. The public setting, naturally, will give you the most security. You can customize what each of the presets entails by opening your Control Panel and navigating to Network and Sharing Center > Advanced Sharing Settings. From there, you can turn network discovery, file sharing, public folder sharing, media streaming, and other options on or off for the different profiles.

 

How to Identify an Unsafe Website

Phishing attacks and malicious URLs will often lead you to a malicious website. These sites trick you into providing personal information or downloading a virus that allows the hackers access to your personal files or information. Even legitimate-looking ecommerce sites can be fronts for malicious websites.

There are several things you can do to protect yourself from malicious websites. First and foremost, never click on a link in an email or text to go to any site. Always type in the address manually or use a bookmark that you know is legitimate.

Check the URL

Is the URL spelled correctly? Phishers will set up website URLs that are nearly identical to the spelling of a legitimate site URL.

The URL of any secure, legitimate site that asks you for personal information (e.g. credit card number) will begin with “https” rather than “http.” The “s” at the end of “http” stands for “secure.” These sites use an SSL (Secure Sockets Layer) connection, which encrypts your information before it’s sent to a server. If you don’t see https in the URL, don’t type in your information.

Look at the site’s design and content

Is the site poorly laid out? Is it dated?

Does it offer free stuff? Prices so cheap it doesn’t seem possible? A huge return for little investment? If it looks too good to be true, watch out – these offers might be bait. Do some research before you offer up any information.

  • If the site asks you to update/download software before you’re able to do something—watch a video, play a game—close the site.  

  • Never click on a link embedded in an email. Even if sent from someone you trust, always type the link into your browser.

  • Use your common sense. Does a website look strange to you? Is it asking for sensitive personal information? If it looks unsafe, don’t take the risk.

Look for signs of legitimacy. Does the website list contact information or some signs of a real-world presence? If doubtful, contact them by phone or email to establish their legitimacy.

Read the URL carefully. Check the properties of any links. Right-clicking a hyperlink and selecting “Properties” will reveal the true destination of the link. Does it look different from what it claimed to lead you to?

You should also always be on the lookout for the clues and telltale hints that you are on a malicious website. After all, it is by smart people noticing something wrong and reporting it that the above tools can do their job.

Things to look for in a secure website

When visiting a website that asks for sensitive information such as credit card numbers or your social security number, the first step you can take toward securing your privacy is creating a strong password.

The lock icon

Another sign to look for is the “Lock” icon that is displayed somewhere in the window of your web browser. Different browsers may position the lock in different places.

Be sure to click on the “lock” icon to verify that a website is trustworthy. Do not simply look for the icon and assume a website is secure! Your web browser will have detailed information on the website’s authenticity if you click on the icon, so be sure to read this carefully before entering any of your information on the site.
 

 

How to Protect Yourself from an Unsafe Website

Use your internet browser's security tools

Browser information

Be sure to install the most current version of your web browser. Most browsers have sophisticated filters that can identify and warn you of potential security threats. For information on browser-specific security tools, explore their security features on their official web pages.

Internet Explorer

Mozilla Firefox

Google Chrome

Anti-virus software

Make sure that the proper online protection tools are enabled for your anti-virus software.

McAfee’s SiteAdvisor

Norton’s Safe Search

Security add-ons

You may also want to consider downloading an add-on for your browser that is specially designed to identify any unsafe elements of a website.

Web of Trust

AVG Link Scanner

Take advantage of your search engine’s security features

Google has a secure version of its search engine. Simply visit https://google.com when conducting any Google search.

In your Google settings, turn on the “always use HTTPS” function through the following steps:

To disable or re-enable this feature in Gmail:

  1. Sign in to Gmail.

  2. Click the gear icon in the upper-right corner, and select Mail settings.

  3. In the General tab, set ‘Browser Connection’ to ‘Always use https’ or ‘Don’t always use https.’ If you’ve never changed the setting before, no radio buttons will be selected, even though the default is indeed ‘Always use https’.

  4. Click Save Changes.

  5. Manually change the URL to http://mail.google.com to start accessing Gmail via http.

 

Spotting a Malicious Site

A malicious site is a site that tricks you into giving away information or downloading a virus. Or it might have code that finds and exploits security holes in your computer. If the site can find a security hole, then it can download a virus to your computer and install it without any action on your part.

Even a legitimate site can become malicious if hackers trick the ad network it uses to run infected ads. Learn more about malicious ads and how to keep them off your business site.

If the hackers have done their job right, detecting a malicious site isn't easy. However, there are some telltale signs you can watch for. Let's take a look at what they are.

Encryption

One popular type of malicious site is the fake banking site. Hackers will steal the code for a bank's home page, so it looks exactly like the real thing. However, if you try to log in, the site records your login information and sends it straight to the hackers who log in to your real account and drain it.

We've said it before, but we'll say it again: Never ever click on a link in an email or text to go to your banking site. Always type in the address manually or use a bookmark that you know is legitimate.

However, to further confirm you're in the right place, check the address bar of your browser. First, make sure the domain name is right. For example, Chase bank is "www.chase.com," not "www.chase-bank.com" or "www.chase.bk."

Second, any real banking site should start a secure connection right away. That means the address will start with "https://" and your browser should show a key or colour to indicate a secure connection. Most sites, however, don't load encryption right away, so this is a less-useful test for a shopping site or informational site. That's why you should look at things like the website's presentation and content.

Presentation

Of course, not every site is going to be a high-quality clone of a real one. Hackers often put together a bunch of generic sites at once and throw them online with whatever domain names they can get their hands on.

So, you might end up at "www.amazingsuperawsomefreesoftware.com" and it looks like something from the '90s with terrible layout and bad grammar and misspellings all over the place. True, a lot of small software developers don't have a lot of money to sink into a nice website, but poor presentation should always give you pause.

Content

Outside of presentation, it's helpful to ask what the website is trying to get you to do. Does it want you to download a program, take a survey, watch a video or give it information so it can send you money or a free prize? Any of these could be an attack.

If the site is offering a specific piece of software, or a few of them, run the software names through Google to find the developer's website. A lot of hackers take free software, add in viruses and then put them up online at generic sites.

People searching for the software end up on the generic site and download the infected program thinking it's the real thing. Even some "legitimate" download sites do this using toolbars and other third-party software instead of viruses.

If you got a download that includes a toolbar and you can't get rid of it, click here for the solution.

When it comes to surveys, never take ones from sites you've found in an ad or email. They'll ask for too much information. Instead, find legitimate survey sites on a reputable site like ours.

Video scams are popular. You'll be told the video is the most shocking, heartwarming or sexiest thing you've ever seen. However, to watch it you need to download an update for your video player! Of course, that download is a virus in disguise. Click here to see an example of this scam. Only watch videos on known sites like YouTube or videos.komando.com.

Finally, a big draw for many people is free stuff, especially on Facebook. "Get a free iPad, car or trip to an exotic location!" You just need to enter every bit of personal information you have, and pay a small fee. Remember, though, if it sounds too good to be true ... you know the rest.

Avoid Malicious Sites Entirely

As we said above, some malicious sites don't try to trick you; they attack you automatically through security holes in your browser. That's why you need to make sure your computer, browser and important software are always up to date.

Adobe Flash, for example, has regular serious security problems that open up your computer to attack. Keeping it updated is critical, but your best option is to disable it from running automatically.

Still, it's better if you don't land on a malicious site at all. That's why you need to learn how to spot phishing emails and dangerous online scams.

One of the ways computers can get infected online is through malicious websites or phishing scams. This happens when a scammer links a user to a website that looks exactly like a familiar site like Microsoft or Google, but is actually the scammer's site. Users will often input their username and password on the malicious site, and the scammer will then have control of their account.

It's possible to avoid these types of scams, though, just by taking a close look at the URL, or website address. Normally we read things from left to right, but in this instance you'll want to read it right to left. This will shed some light on where the website originates, and whether or not it's actually what you think it is.

First look at the domain extension in the URL bar, which for a lot of sites is .com, .net, .edu, etc. This may be something else, like .in, which is the country code for India. If it's a country code, then there's a good chance that site or business is from that country. There are exceptions to this rule, however -- for example, Leo's netcast network TWiT is located at twit.tv, but is not located in the Pacific island nation of Tuvalu. In this case it's used as an abbreviation for "television."

Just to the left of the domain extension is the actual domain, aka the site you're visiting. If all that shows up in the URL bar is "http://microsoft.com", then you know you're on the official Microsoft website. Scammers will try to fool users by putting a familiar name like "microsoft" in their own URL, however. So you may find that the URL actually says "http://microsoft.(something else).com." It may look identical to the Microsoft website, but instead you'll be on the scammer's website. The part of the URL furthest to the left is *not* indicative of the site you're on. This is only a subdomain of a different site.
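The right-to-left reading described above, and the earlier Chase comparison, can be written as a check against the sites you actually mean to visit. This is an added example, not part of the original page; `EXPECTED_DOMAINS`, `classify` and the sample addresses are constructed for illustration. Comparing against a known list avoids guessing where the domain extension ends for suffixes with more than one part.

```python
from urllib.parse import urlsplit

# Sites the reader means to visit (hypothetical allow-list for this example).
EXPECTED_DOMAINS = ("microsoft.com", "chase.com")

def hostname_of(url):
    """Lower-cased host part of a URL, without port or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()

def classify(url, expected=EXPECTED_DOMAINS):
    """Return (verdict, domain): 'match', 'lookalike' or 'unrelated'."""
    host = hostname_of(url)
    # Read from the right: the host must BE the expected domain or end with
    # "." + domain. The dot matters: "notchase.com" ends with "chase.com"
    # as plain text but is a different domain.
    for domain in expected:
        if host == domain or host.endswith("." + domain):
            return "match", domain
    # A familiar name anywhere else in the host (a subdomain of another site,
    # or part of a different domain) is the pattern the page warns about.
    labels = host.split(".")
    for domain in expected:
        brand = domain.split(".")[0]
        if any(brand in label for label in labels):
            return "lookalike", domain
    return "unrelated", None

# Constructed sample addresses; example.com stands in for "(something else)".
SAMPLE_URLS = [
    "http://microsoft.com",
    "https://www.chase.com/login",
    "http://microsoft.example.com/signin",
    "https://www.chase-bank.com",
    "https://www.chase.bk",
    "https://notchase.com",
    "https://example.org/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict, domain = classify(url)
        print(f"{verdict:10} {url}" + (f"  (compared with {domain})" if domain else ""))
```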

It's a good idea to avoid clicking links from email, and type out the web address whenever possible. Always double check the URL bar in your browser to make sure it is the site you intend to visit. When it comes to security online, you are ultimately the last line of defense, and simply knowing how to detect scams will prevent you from becoming a victim.