Take Control of Your Personal Info to Help Prevent Identity Theft

Identity theft has become a fact of life during the past decade. If you are reading this, it is a safe bet that your data has been breached in at least one incident. Does that mean we are all helpless? Thankfully, no. There is a lot we can do to protect ourselves from identity theft and to make recovery from cyber incidents quicker and less painful.

First, take control of your credit reports. Examine your own report at each of the "big three" bureaus. You get one free report from each credit bureau once per year. You can request them by going to AnnualCreditReport.com. Make sure there's nothing inaccurate in those reports, and file for correction if needed. Then initiate a credit freeze at each of those plus two other smaller ones. Instructions can be found at Krebs on Security. To keep an eye on your credit report all year, space out your credit bureau requests by requesting a report from a different credit bureau every four months.

Next, practice good digital hygiene. Just as you lock your front door when you leave home and your car when you park it, make sure your digital world is secured. This means:

1. Keep your operating system up to date. When OS updates are released, they fix errors in the code that could let the bad guys in.
2. Do the same for the application software you use. Web browsers, plug-ins, email clients, office software, antivirus/anti-malware, and every other type of software has flaws. When those flaws are fixed, you are in a race to install that fix before someone uses the flaw against you. The vast majority of hacks leverage vulnerabilities that have a fix already available.
3. Engage your brain. Think before you click. Think before you disclose personal information in a web form or over the phone.
4. Think before you share on social media sites. Some of those fun-to-share-with-your-friends quizzes and games ask questions that have a disturbing similarity to "security questions" that can be used to recover your account. Do you want the answers to your security questions to be published to the world?
5. Use a password manager and keep a strong, unique password for every site or service you use. That way a breach on one site won't open you up to fraud at other sites.
6. Back. It. Up. What do you do if you are hit with a ransomware attack? (Or a run-of-the-mill disk failure?) If you have a recent off-line backup, your data are safe, and you can recover without even thinking about paying a ransom.
7. Full disk encryption is your friend. If your device is stolen, it will be a lot harder for a thief to access your data, which means you can sleep at night.
8. Check all your accounts statements regularly. Paperless statements are convenient in the digital age. But it is easy to forget to check infrequently used accounts such as a health savings account. Make a recurring calendar reminder to check every account for activity that you don't recognize.
9. Manage those old-style paper statements. Don't just throw them in the trash or the recycle bin. Shred them with a cross-cut shredder. Or burn them. Or do both. Data stolen from a dumpster are just as useful as data stolen from a website.

If you've been a victim of identity theft:

• Create an Identity Theft Report by filing a complaint with the Federal Trade Commission online (or call 1-877-438-4338).
• Use the Identity Theft Report to file a police report. Make sure you keep a copy of the police report in a safe place.
• Flag your credit reports by contacting the fraud departments of any one of the three major credit bureaus: Equifax (800-685-1111); TransUnion (888-909-8872); or Experian (888-397-3742).
• Check if you have an account that has been compromised in a data breach have i been pwned?

Partially reposted from: Educause Review: March 2019: Take Control of Your Personal Info to Help Prevent Identity Theft

Where is Your Student Data Stored and How is it Being Secured?

Best Practices to Guard against Cyber Threats, Especially from Third-Party Vendors

By John Ramsey
National Student Clearinghouse Chief Information Security Officer

The National Student Clearinghouse, EDUCAUSE and the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) released today the white paper, “Cybersecurity: Why It Matters to Registrars, Enrollment Managers and Higher Education,” to kick off October as National Cybersecurity Awareness Month.

Registrars and enrollment managers play central roles in an institution’s cybersecurity posture. The choices they make each day directly affect student data security. Yet there can be a disconnect between that data’s primary custodians and the information technology (IT) department that manages the systems on which the information is stored. It is imperative that both the registrar’s office and enrollment management office are in lockstep with the IT department with respect to the institution’s cybersecurity efforts, to guard against cyber threats, especially from third-party vendors.

Also, if administrators are using third-party vendors, where is student data stored and how is it being secured? If registrars and enrollment managers do not know, it’s time to find out. This is the only way they can fulfill their responsibility as a careful steward of student data.

The most important cost to keep in mind is the long-term cost that students face after they have had their personal information stolen, which can translate into lifelong negative effects if their data is used.

The white paper is based on the Clearinghouse’s 25-year record of maintaining the confidentiality and privacy of student records and frequent cybersecurity conversations with registrars, enrollment managers and other institution officials, EDUCAUSE and REN-ISAC’s cybersecurity work over many years, and current best practices expressed in two recent major reports.

To learn about other best practices to guard against cyber threats, especially from third-party vendors, review “Cybersecurity: Why It Matters to Registrars, Enrollment Managers and Higher Education” today for guidance from the Clearinghouse, EDUCAUSE and REN-ISAC.

If administrators are using third-party vendors, where is student data stored and how is it being secured? If registrars and enrollment managers do not know, it’s time to find out.

partially reposted from: National Student Clearinghouse Blog, Oct 1, 2018

Don't Let a Phishing Scam Reel You In

Cybercriminals use phishing—a type of social engineering—to manipulate people into doing what they want. Social engineering is at the heart of all phishing attacks, especially those conducted via e-mail. Technology makes phishing easy. Setting up and operating a phishing attack is fast, inexpensive, and low risk: any cybercriminal with an e-mail address can launch one.

According to Verizon's 2017 Data Breach Investigations Report, the education sector saw a rise in social engineering–based attacks. Students, staff, and faculty all suffered losses when personal data and research were disclosed to unauthorized parties. Phishing played a part in more than 40% of these breaches. Knowing what you're up against can help you be more secure. Here are a few things you can do to guard against phishing attacks:

• Limit what you share online. The less you share about yourself, the smaller the target you are for a phishing attack. Cybercriminals use information you post online to learn how to gain your trust.
• Protect your credentials. No legitimate company or organization will ask for your username and password or other personal information via e-mail. Your school definitely won't. Still not sure if the e-mail is a phish? Contact your IT help desk. (Many institutions now offer a "phish bowl" so end users can quickly and easily report phishy messages or view the latest scams.)
• Beware of attachments. E-mail attachments are the most common vector for malicious software. When you get a message with an attachment, delete it—unless you are expecting it and are absolutely certain it is legitimate.
• Confirm identities. Phishing messages can look official. Cybercriminals steal organization and company identities, including logos and URLs that are close to the links they're trying to imitate. There's nothing to stop them from impersonating schools, financial institutions, retailers, and a wide range of other service providers.
• Trust your instincts. If you get a suspicious message that claims to be from an agency or service provider, use your browser to manually locate the organization online and contact them via their website, e-mail, or telephone number.
• Check the sender. Check the sender's e-mail address. Any correspondence from an organization should come from an organizational e-mail address. A notice from your college or university is unlikely to come from YourIThelpdesk@yahoo.com.
• Take your time. If a message states that you must act immediately or lose access, do not comply. Phishing attempts frequently threaten a loss of service unless you do something. Cybercriminals want you to react without thinking; an urgent call to action makes you more likely to cooperate.
• Don't click links in suspicious messages. If you don't trust the e-mail (or text message), don't trust the links in it either. Beware of links that are hidden by URL shorteners or text like "Click Here." They may link to a phishing site or a form designed to steal your username and password.

Partially reposted from:  https://er.educause.edu/blogs/2017/9/october-2018-dont-let-a-phishing-scam-reel-you-in