Tip of the Day
If you are in public, avoid leaving digital devices unattended for any reason and be sure to encrypt data stored on any internal and external drives. If your laptop or device is lost or stolen, encryption will protect your data from prying eyes and prevent data exfiltration.
Bluetooth is a technology that has been around since 1994 and, over the past two decades, we have seen a drastic increase in its everyday use. Bluetooth technology enables electronic devices within range of each other to communicate wirelessly using a short-range radio frequency. Bluetooth is available for many devices such as mobile phones, tablets, computers, smartwatches, and fitness trackers. However, this technology does not come without security risks and is vulnerable to a variety of attack vectors such as malware, bluesnarfing, and bluejacking. An attacker can develop malware to exploit Bluetooth technology in order to gain an advantage, using a Bluetooth connection to infect other connected devices. Another attacker could bluesnarf, or illicitly access a victim’s data through a Bluetooth connection, and snoop on emails, text messages, contact lists, and calendars. This technique can also allow an attacker to browse the internet, send messages, and make calls on the victim’ device. Other attackers could bluejack—a term describing the distribution of unsolicited messages through Bluetooth to a device—to prank or harass their victims.
The NJCCIC recommends users of Bluetooth technology to protect themselves by following these tips:
Disable all Bluetooth functions when not in use.
Always install the latest updates for your device and Bluetooth software/firmware.
Your device should remain on the “hidden” setting and should not be “discoverable.”
Be cautious near open Wi-Fi hotspots if you are using Bluetooth in public. Your connection could be intercepted.
Safeguard all Bluetooth connections by requiring a secured connection. Enable authentication and encryption if it is available for your device.
Clickbait is a form of advertising, typically sensational or provocative in nature, designed to entice viewers to visit a particular website. Some examples of clickbait are headlines such as Top ten health issues, number four will shock you!, What time period do you actually belong in?, and Are you smarter than Albert Einstein? Take this IQ Test to find out! Although some forms of clickbait are legitimate, others serve a more malicious purpose. Clickbait can, and sometimes does, lead to websites hosting malicious code in the form of ransomware, viruses, or trojans. Clickbait, in the form of online quizzes and surveys, might try to convince users to disclose personal information or require permission to access a social media account. Clickbait can also lure visitors to websites designed to spoof those of legitimate companies in order to sell them counterfeit or low-quality goods. The NJCCIC strongly recommends avoiding clickbait if you wish to protect yourself and your personal information.
Technology has been integrated into many aspects of our lives. The need to be proactive and vigilant to protect against cyber threats has never been greater. However, in order to be as secure as possible, we need to practice good cyber hygiene. Using cyber security best practices, we can make sure we are protecting and maintaining our technology appropriately.
In support of National Cyber Security Awareness Month, the program and toolkit below has been developed for small business information technology staff and managers to assist with enhancing cybersecurity protection, utilizing the Center for Internet Security's National Cyber Hygiene Campaign.
Data backup is one of the most important elements of cybersecurity and information technology, but is often overlooked. Data backup means having copies of your important data saved in case your original ones are lost. If your important data is lost and no backups are available, it will undoubtedly cost you and your organization time, money, and manpower to reproduce any deleted, stolen, destroyed, or corrupted files. Potential threats to data include are but not limited to human error, network intrusion, hardware failure, software bugs, and natural disasters. The NJCCIC recommends all consumers and organizations back up any and all valuable data.
Here are some tips for data backup:
Schedule daily automatic backups.
Store multiple copies of backups offline in a secure, separate, and dry location.
Test your backups regularly to ensure that you can successfully restore your data should the need arise.
Consider integrating cloud solution to your data backup plan.
Make sure to encrypt your backups.
Be cautious of all emails you receive, even from seemingly legitimate senders, including your favorite retailers, financial institutions, friends, and family. Malicious actors often use advanced techniques to make emails appear to originate from senders you recognize.
If you receive an email from a retailer or financial institution asking you to click a link to “view a message on your account” or to access a great deal, never click on these links and instead go directly to the legitimate site.
In the case of an email from a friend, co-worker, or loved one containing an attachment or link, text or email the individual to their known address to confirm they sent you the email in question.
Pay close attention to misspellings in the subject, URLs, message text, or attachment titles.
EMV Credit cards
WHAT IS EMV 101?
Learn about how chip-enabled credit cards (also known as EMV Technology) are becoming the new standard for consumers and business owners.
WHAT TO KNOW
Credit cards themselves are not changing, they are just becoming safer. Think of your new EMV technology as password protecting your credit cards. Before, the magnetic strip contained open personal and financial information vulnerable to theft. Now, however, EMV cards are encrypted with powerful technology that secures all customer information. This ensures that only the intended merchant and customer are involved in the transaction. In New Jersey, we like to say that the customer may take 5 more seconds to checkout with EMV, but their information will be safe forever.
HOW IT WORKS
EMV cards are the global standard, with more than 3.4 billion issued across 80 countries. Embedded with a visible microchip, these safe new cards are decrypted only after the customer inserts one into a terminal and types in a secret PIN number.
This system will be applicable to both debit and credit cards and the account linked to each card will not change. For example, an EMV credit card will still not be attached to a cardholder’s checking and savings account. Although the magnetic strip on the back of the card will still be accessible, a chip-enabled terminal will require a customer to follow the new procedure for all commercial transactions. Procedures for online transactions will not be effected by these changes.
WHY IT MATTERS
Starting on October 1, 2015 by Executive Order, President Obama’s BuySecure Initiative will mandate the implementation of the more secure ATM and credit transaction system between merchants and customers. As part of the initiative, liability for unprotected transactions will be shifted to the merchant in order to boost consumer confidence, but through continued awareness, it is also designed to protect the legal and financial interests of businesses of every size.
FIND OUT MORE FROM YOUR OWN CREDIT NETWORK
Follow the links below to access the website of your own credit card provider
The "s" in "https" stands for "secure" and indicates that communication with the webpage is encrypted. Reconsider your purchase if you get to the checkout cart page and do not see “https” in the address bar. In addition, look for the lock icon in the address bar.
Lock Your Devices
An important security feature that is often overlooked is the lock function. Would you ever leave your home without locking the door(s) and/or without putting the alarm on? The same principle should be applied to desktops, laptops, mobile phones, smartwatches, and tablets which all have the ability to be locked securely. Forgetting to lock or not setting up a lock screen for your device(s) may place your data at risk to being stolen or viewed by other people accessing those device(s). A mischievous person could attempt to retrieve personal identifiable information, destroy or steal files, send malicious emails from your accounts, install a keylogger—a software that covertly tracks or logs the keys struck on your keyboard—to record any usernames and passwords, or damage your reputation. The NJCCIC recommends locking all devices, if possible, to prevent any unwanted access.
Here are some tips for locking your device(s) and keeping your personal information private:
Set up your device with a security code, password, PIN, or pattern.
If available, use a biometric method such as your fingerprint, the retina of your eye, or facial recognition.
Set a screen lock time limit so that your device locks after a period of inactivity.
If available, set the power button as a way to lock your device quickly.
Set your device to wipe all data and files after a certain amount of unsuccessful login attempts. Disclaimer: The NJCCIC is not responsible for loss of data if this option is chosen and you fail to remember your security configuration(s).
For organizations: ensure employee work devices are set to lock automatically and restrict access to the security settings.
Patch and Update
One of the leading causes of cyberattacks are caused by vulnerabilities left in unpatched and outdated operating systems (OS), hardware, and software. Organizations should review their products daily or weekly to ensure that security holes, glitches, and drivers are fixed. Other revisions include adding new features and removing outdated ones. The potential consequence of not correcting these issues could allow a cyber threat actor to exploit the vulnerabilities to their advantage. Cyber threat actors could develop code that can target those vulnerabilities, insert the code into malware, and distribute consequently to unsuspecting consumers via a website, email, or downloadable content. A consumer infected with this malware could be at risk to loss of data, identity theft, remote access, or other dangers. The NJCCIC recommends all consumers to always patch and update all OS, hardware, and software.
Here are some tips about patching and updating:
Turn on “Automatic Updates.” This setting is hassle-free and will update/patch your OS or software automatically for you.
Install updates/patches as soon as they become available. Do not ignore or 'postpone' them.
Be proactive. Research the updates/patches to understand known issues and what is being fixed.
If there has not been a patch or update for some time, then check with the company website to see if you need to do a manual installation.
For organizations: Turn off “Automatic Updates.” Use a patch management system to determine which updates/patches are critical for your organization and when they should be installed. Schedule a maintenance process so that the installation of updates/patches do not interrupt normal day-to-day business operations. Ensure that you test and validate all updates/patches before they are deployed. This is critical as they may affect other hardware or software that is currently being used.
Recommended Mailing Lists to Stay Up-to-Date:
http://www.us-cert.gov/cas/signup.html - US-CERT
http://technet.microsoft.com/en-us/security/dd252948.aspx - Microsoft Technical Security
http://lists.apple.com/mailman/listinfo/security-announce - Apple Security
http://www.linuxsecurity.com/content/section/3/170/ - Linux Security
http://seclists.org/bugtraq/ - Bugtraq General Security
http://seclists.org/ - Security Mailing List
If another individual can access the same public computer you are using, do not log into your accounts or make online transactions. Public computers may contain malicious software that can make it easy for criminals to steal your confidential information. In addition, criminals can potentially recover information that was previously deleted from the computer. Try to keep all public computer activity as anonymous and general as possible.
Account credentials remain a top target for cyber threat actors. Whether you are trying to build an online presence on social media, banking online, or shopping on e-commerce websites, chances are you log on with your email address or username and a simple, six or eight-character password. Use the following recommendations to secure your password(s).
Create a strong password. Strong passwords are comprised of sufficient length and complexity necessary to resist guessing and brute force attacks. One rule of thumb is the longer the password, the stronger the password. The inclusion of multiple character sets - uppercase and lowercase letters, numbers, and special characters (@#!$%&, etc.) will further enhance the strength of your password.
Never use any words that can be found in a dictionary, names, dates, or any information that could easily be found through your social media accounts, such as pets’ names, children’s birthdays, etc.
Avoid using the same password for multiple accounts, and change them every three to six months.
For organizations: implement an enterprise-wide password policy that establishes minimum requirements for both length (ideally 10 or more characters) and complexity, and mandatory password reset schedules.
NJCCIC Cyber Blog: Passwords, Passwords, Passwords
Secure Wi-Fi Router(s)
With the increased dangers of hackers and identify thieves, you should protect your router(s) just as you would lock the door(s) and window(s) of your home or business. Wi-Fi routers are a great asset to anyone who uses them because they do not make a mess of wires running throughout your home or business. A Wi-Fi router allows you to have free ability to sit anywhere in your home or business to access the internet. However, if you choose not protect them, you may potentially place your payment card(s), bank account information, social security number, and your usernames/passwords at risk to be stolen. If you have webcams or frequently browse the internet, a hacker could gain the ability scan, watch, and record what you do. In addition, individuals who could use your open router’s network, without your knowledge, may download or host illegal content. The NJCCIC recommends locking down your Wi-Fi router(s) if you wish to protect yourself and your personal information.
Here are some tips to secure your Wi-Fi router:
Lock down it down. Change the username/password of the default admin account of the router.
Choose a strong and complex password and encryption such as WPA or WPA2 for your network.
Change the name of the network and turn off the router’s ability to broadcast its identity.
Configure the router to only accept the devices you own on your network via MAC addresses.
Turn off guest networks.
Always update the router’s firmware.
Always update operating systems and patch software.
Use a firewall and always run up-to-date antivirus software to detect and remove potential malware on your machine.
Remove outdated operating systems, software, or applications.
Turn off the Wi-Fi router if you will not be using it or if you are away for extended periods of time.
Two-Factor Authentication (2FA)
What is Two-Factor Authentication (2FA)?
2FA is an authentication method that adds an additional layer of security that integrates either something you have (such as a physical token or an access code sent to an external device), something you are (such as your fingerprint, the retina of your eye, or other biometric authentication method), or somewhere you are (such as your known location).
Why should you enable Two-Factor Authentication?
By themselves, passwords are no longer a reliable layer of security as cyber threat actors are constantly testing billions of password combinations per second with powerful computers. In addition, as data breaches become more frequent, it can result in users’ passwords becoming compromised. Accounts that require the use of knowledge-based security questions for user verification are vulnerable as well, since social engineering and publicly posted personal information on social media sites could easily provide those answers to an attacker. The NJCCIC recommends all users enable 2FA on any account that offers it as a security option.
Here are some tips for implementing 2FA:
Determine whether your accounts offer 2FA by checking your security settings, going to twofactorauth.org, or contacting the company directly. If so, enable it immediately.
You should still create a strong password that is not easily guessable. Change your password every three to six months and do not reuse the same password for other accounts.
Some online accounts have an option to mark your 2FA device—such as a mobile phone—as a trusted authentication method, eliminating the need to use 2FA in the future or for 30 days. The NJCCIC does not recommend using this option as it can weaken security if your device is lost, stolen, or compromised.
For organizations: Deploy 2FA for your employees to greatly reduce the risk of theft of account credentials and sensitive data.
USB drives, also known as thumb or flash drives, are great tools for storing information in a relatively small and portable location. However, USB drives are an attractive tool, or target, for malicious actors and can pose a security risk to citizens, governments, and businesses. One of the most common security risks is a lost or stolen USB drive. If your data is lost and no backups are available, it will undoubtedly cost you and your organization time, money, and manpower to reproduce your files.
Beyond the risk posed by human error, criminals and other malicious hackers can use a variety of techniques to take advantage of USB drives. One technique is when is the use of malware—malicious software—to target USB drives. If a victim’s machine is infected with this malware, the USB drive become infected as well. This technique can cause a chain reaction of infections if the victim is unaware and plugs the same USB drive into other machines.
Another technique is when an insider threat has the ability to infect USB drives at the manufacturing plant. They can infect the USB drives before they are shipped and sold to victims who unknowingly install malware onto their machines. This is also achieved by leaving unattended infected USB drives lying on the ground or around an office building, waiting for a unsuspecting victim to pick it up and plug into their machine.
A third technique is when a malicious actor or insider threat uses a USB drive to physically steal confidential or sensitive data and either sell it for profit or release it to unauthorized parties.
The NJCCIC recommends users of USB drives to protect themselves by following these tips:
Utilize any available security features that your USB drive provides. Enable password and/or bio-metric protection.
Always backup any data stored on USB drives in another location. Be cautious not to infect your backup location with an infected USB drive.
Always patch and update all operating systems, hardware, and software.
Use a firewall and always run up-to-date antivirus software to detect and remove potential malware on your machine or USB drive.
Do not keep personal identifiable information (PII) and business information stored on the same USB drive.
Do not plug a personal USB drive into a work computer and a work USB drive into a personal computer.
Do not plug in or use unknown USB drives that you or someone else had found.
Disable the autorun feature on your machine. This will prevent a USB drive from launching automatically.
Always buy USB drives directly from a reputable vendor.
Most computers and monitors today have integrated webcams that can be used as a form of communication over the internet. If not, there are standalone webcams available that can be directly connected to your computer via a USB cable. Although it might be difficult for cyber threat actors to access your webcam, it does not mean it cannot be done. When surfing the internet or reading emails, you may unknowingly click on a malicious link or download a malicious file containing malware and executable code. This executable code could then activate your webcam and/or disable the webcam activation light so that you would never suspect that you are being watched. A cyber threat actor who has access to your webcam can remotely watch you or live-stream footage from your webcam on a website or elsewhere.
Here are some tips for preventing unwanted access to your webcam:
Obscure the lens of your webcam. Use a specifically designed clip, a simple post-it note, black electrical tape, or any other method to cover your webcam.
Disconnect your USB webcam when not in use.
If you never use your integrated webcam, disable it in the BIOS and in your operating system.
If your device is connected to the internet, ensure that you change the default password.
Update/patch all firmware and software.
Turn on your firewall and secure your internet router/modem with a strong password.
Always run up-to-date antivirus software to detect and remove potential malware on your machine.
Try to be aware of changes you did not initiate on your computer.
Never click on suspicious links or download suspicious files.
Assume that your webcam is always activated.