LATIS Security Training Topics

The following is a list of LATIS Security Training Topics.

Email Best Practices

Email is one of the biggest security threats for businesses and universities. Because it has been around for so long (relatively speaking), people tend to let their guard down and take email security for granted. Cybercriminals take advantage of this and use email as a way into corporate networks to spread malware and spam and to steal credentials. It costs a criminal almost nothing to send thousands or even millions of emails, knowing that someone will take the bait. Don’t fall for their scams. Follow these email best practices and always be on the lookout for suspicious emails asking you for personal information or requesting that you click on a link or open an attachment.

  • Don't share your email credentials with anyone, including your spouse and/or other family members. Sharing credentials is a violation of the University's Acceptable Use Policy (https://z.umn.edu/use).
  • Use UMN email only for UMN business. Set up a separate account with one of the many email providers out there and use that for your personal email. As a public institution, the UMN may collect and produce email as required by law. Keeping business and personal email separate will simplify things in the event that the University is asked to turn over email records.
  • Use the Gmail web client for your UMN email. The Gmail web client will alert you with phishing and spam banners when it detects potentially hazardous mail. It won’t catch everything but it does a fairly good job of filtering out phishing and spam. 
  • Don’t open attachments without scanning them first. 
  • Avoid accessing email from public Wi-Fi. If you have to read your email when you’re out in public, use the mobile internet service from your cell provider and/or VPN rather than public Wi-Fi.
  • Gmail storage is no longer unlimited. As a best practice, you should be cleaning up your email inbox periodically to free up storage space.
  • Log out of your email when you are done.

Passwords

Passwords are the first line of defense to prevent unauthorized access to your computer. Creating a strong password isn’t difficult, but many users still opt to use simple passwords, setting themselves up to be an easy target for hackers. The NordPass site lists “password” as the most common password of 2022, followed by “123456” in second place. Here are a few simple tips for creating strong passwords and keeping them safe. 

  • Follow the instructions at https://it.umn.edu/services-technologies/good-practices/choose-strong-passwords-keep-them-safe for creating a strong password.
  • Use a password manager.
  • If you are creating the password yourself, it should be 20 characters or longer. If you are using a truly random password generator, such as the one built into most password managers, 12 characters drawn from the full set of letters, digits, and symbols is sufficient. The difference is that a generator picks every character uniformly at random, while a password a person makes up from words, names, and dates is far more predictable than its length suggests.
  • Do NOT save passwords in your browser.
  • A Post-It note under your keyboard or attached to your monitor does NOT classify as a secure storage location for your password. 
  • Use your University Internet ID and password ONLY for your University account. Use unique usernames and passwords for any of your other personal accounts.
  • Don’t reuse or recycle passwords. 
  • Lock your screen any time you will be leaving your device unattended.
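
The arithmetic behind the "20 characters if you chose it, 12 if a generator did" rule, as an added Python example (not code from LATIS or from any password manager). It generates a password with the operating system's cryptographic random number generator and computes how many bits of entropy a uniformly random string of a given length carries; the 94-character alphabet and the 7776-word list size used for the passphrase comparison are assumptions for illustration.

```python
import math
import secrets
import string

# 94 printable ASCII characters (letters, digits, punctuation). Assumed alphabet;
# the page does not say which character set its "12 characters" rule assumes.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a string whose every character is chosen uniformly at random.

    This only holds for a generator's output: a password a person made up from words,
    dates and keyboard patterns has far less entropy than its length suggests."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Same calculation for a passphrase of words drawn at random from a word list
    (7776 words is the size of a standard diceware list)."""
    return word_count * math.log2(wordlist_size)


def generate_password(length: int = 12, alphabet: str = ALPHABET) -> str:
    """Generate a password with the OS cryptographic RNG via `secrets`.

    The `random` module is not a cryptographic generator and must not be used here."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_length_rule(password: str, human_chosen: bool) -> bool:
    """The page's rule: at least 20 characters if you chose it, at least 12 if a generator did."""
    return len(password) >= (20 if human_chosen else 12)


if __name__ == "__main__":
    pw = generate_password()
    print(f"{pw}  ({entropy_bits(len(pw), len(ALPHABET)):.1f} bits)")
    print(f"six diceware words: {passphrase_entropy_bits(6, 7776):.1f} bits")
```

Twelve random characters from a 94-symbol alphabet come to about 79 bits, roughly the same as a six-word random passphrase; a 20-character sentence you made up yourself is longer but typically far weaker than either, which is why the rule asks for more length from a human.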

Password Managers

Why use a password manager?

Password managers make it easy for users to create unique, complex passwords for each different site or service they use. People who don’t use a password manager often use the same password, or the same password pattern, across multiple sites, making it more likely that their accounts will be compromised. If any one of those sites is breached, attackers take the leaked username and password and try them on every other popular site (a technique called credential stuffing), so one breach hands them the user’s other accounts as well. Users who don’t use a password manager also tend to choose fairly weak passwords, making it easier for the bad guys to gain access to their accounts.

A password manager solves these issues by helping users create strong passwords for each of the various sites and services they use. Most password managers also have plugins for browser integration so logging into a website is as easy as going to the site and clicking on the prompt from your password manager.

Password managers can also help prevent you from becoming the victim of a phishing attack. A password manager only offers to fill in credentials when the address of the page you are on matches the one it has stored for that account. If you click on a link in an email that appears to be legitimate but actually leads to a malicious site, your password manager won’t prompt you to log in because the URL differs from the one you have saved. Be very careful before overriding your password manager and copying and pasting the credentials so you can log in to the site. Stop first and compare the URL on the website to the one you saved in your password manager. Malicious actors often create copycat sites with URLs very similar to those of the legitimate sites, differing by only a character or two: a digit “1” or a capital “I” in place of a lowercase “l”, for example, or “rn” in place of “m”. These differences are hard for a person to notice, but the password manager compares the address exactly and does not miss them; its silence is the warning sign.

Choosing a Password Manager

Mobile Device Security

What is mobile device security?

Mobile device security is the protection of data on portable devices as well as the networks they connect to.

Why is mobile device security important?

Mobile devices such as phones, laptops, and tablets allow us to access our data from anywhere, but that convenience comes with a cost. Mobile devices are easily lost or stolen, and any device that connects to a network can potentially provide criminals with a way "in" if adequate measures haven't been taken to secure the device.

What can I do to secure my mobile device?

Here are some basic steps that can be taken to make it harder for the bad guys to compromise your device.

  • Enable screen lock and require a password, PIN, or fingerprint sensor to unlock your mobile device
  • Enable requiring a fingerprint or PIN to unlock financial apps (e.g. your banking app, Venmo, Paypal).  Why? Without that safeguard, if your phone is stolen while unlocked (e.g. grabbed out of your hand), a criminal can transfer money to themselves.  
  • Enable automatic updates to keep your phone and/or tablet current.
  • Install antivirus software. 
  • Check app permissions periodically to ensure they are only being granted the minimum permissions necessary for the app to function correctly.
  • Disable applications and services that you don’t use.
  • Log out of applications or accounts when you are done using them.
  • Only install apps from trusted sources (e.g., Google Play or the Apple App Store).
  • Use a password manager to store passwords.
  • Don’t “root” or “jailbreak” your device. 
  • Avoid using public Wi-Fi, such as the free Wi-Fi you find at coffee shops or airports. If you have to get online when you’re out in public, connect to a VPN, such as the UMN VPN, immediately after connecting to the public Wi-Fi. Another option is to use your carrier's mobile data instead of Wi-Fi, as 5G, LTE, and 4G connections are encrypted between your device and the cell tower. Note that this protects you from other people nearby, not from a malicious website: the encryption ends at your carrier, so the same care with links and logins still applies.
  • Turn off your bluetooth and Wi-Fi when not in use.
  • Avoid using a public port, such as those found in airports, transit stations, or conference centers, to charge your phone.
  • Set up remote tracking on your device so you can track it down in the event it is stolen. 
  • Additional resources can be found at

Ransomware

What is ransomware?

Ransomware is malware that attackers use to infect a computer and hold its data hostage, typically by encrypting it, until the “ransom” is paid.

Types of ransomware

  • Crypto ransomware - The most common type of ransomware, crypto ransomware encrypts your data and makes it impossible to unlock without a decryption key.
  • Lockers - This type of ransomware locks you out of your system and displays the ransom demand on a lock screen, rendering your computer useless until the ransom is paid. 
  • Scareware - Scareware attempts to scare users into buying unnecessary software, often by claiming to have detected a virus or some other issue on your computer and requesting that the user pay to get the issue resolved. Some will flood the screen with pop-ups, forcing the user to pay to remove them.
  • Doxware or leakware - This is ransomware that infects a computer and threatens to leak personal or company data online unless a ransom is paid. 
  • RaaS (Ransomware as a Service) - In the RaaS model, ransomware authors offer access to their ransomware as a pay-for-use service, allowing criminals to purchase it as a subscription. The subscriber then uses the ransomware to infect computers and collect ransom payments, paying a portion of the ransom to the ransomware author.

Protecting against ransomware

  • Keep your computer up-to-date with the latest patches and updates.
  • Install anti-virus software and keep it updated with the latest definitions.
  • Encrypt your storage devices and store the recovery key in a safe place. Note that this does not stop ransomware, which runs under your account and sees the same decrypted files you do; it protects your data if the device is lost or stolen.
  • Maintain current backups, and keep at least one copy offline or otherwise not writable from your computer. Ransomware encrypts any connected drive or mapped share it can reach, so a backup that is always plugged in may be lost along with the original.
  • Use only known, trustworthy sites when downloading software or media.
  • Don’t open suspicious email attachments.
  • Don’t click on unsafe links. 
  • Use a VPN whenever you’re on a public Wi-Fi network.

What to do if your computer gets infected with ransomware

  • Do NOT pay the ransom.
  • Isolate the computer. Immediately disconnect it from the network and all wireless connectivity (Wi-Fi, Bluetooth).
  • Report the infection to the LATIS IT team. They will coordinate with UIS to determine the next steps to take.
  • Document the details, including any recent software installs, downloads, etc., to the best of your ability.
  • Do NOT take any action that might alter or delete any data or evidence on the infected device. 

Social Engineering

What is Social Engineering?

Social engineering is a tactic used by cybercriminals, either online or in person, to manipulate, influence, or deceive victims in order to gain control of their computer or steal personal information. The ultimate goal is usually to get their victims to give up usernames and passwords, install malware, or send money to the scammer.

The schemes they use can be pretty obvious, such as asking for a password, or seemingly harmless, like asking what kind of software you use or the name of the person that is in charge of your IT department. The scammers may try to pass themselves off as someone that would have a legitimate need for the access or information they are requesting, such as a repair person or a vendor.

Types of Social Engineering Attacks

  • Phishing Attacks
    • Phishing attacks hit an all-time high in 2022 and are the threat type most likely to cause a data breach. In fact, phishing poses such a huge threat that it has its own section.
  • Baiting Attacks
    • In a baiting attack, a criminal leaves malware-infected USB drives in a public place. Marking them “confidential” increases the odds that someone’s curiosity will get the better of them and they will plug it into their computer to see what’s on it, thereby infecting their computer with malware.
  • Physical Breach Attacks
    • A physical breach attack is one where an unauthorized person gains access to a secure area. One method is to ‘tailgate’: follow an authorized person through the door after they have swiped their key card or entered their door code. This is particularly easy to do when, for example, a number of people are going through the door to attend a meeting. 
    • Another classic example is the ‘coffee trick’ where an unauthorized person holding a cup of coffee in each hand walks towards an office door. An unsuspecting person, wanting to be helpful, opens the door for them and, voilà, they’re in! 
  • Typosquatting
    • In a typosquatting attack, the cyber criminals create malicious websites with URLs that are common misspellings of legitimate websites. For example, if a user goes to mail.goggle.com and lands on a site that looks like the legitimate one, they might not realize their typo and enter their credentials, thereby giving the hackers access to their email account. Wrong domain endings (e.g., .org instead of .com), alternative spellings (e.g., colour instead of color), and the addition or omission of a hyphen in a domain name can also cause confusion that typosquatters take advantage of to rope in unsuspecting victims.
    • Some companies are aware of this particular scam and have registered the domain names for common typos for their site so going to, for example, www.amazoon.com, will redirect you to the legitimate site for Amazon. Don’t count on that always being the case though. Check the URL of the site you’re on before entering your credentials to avoid being a victim of typosquatting. 
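
The two checks described above, as an added Python example that is not code from LATIS or from any password manager: first the exact-origin comparison a password manager makes before offering to fill in credentials (the Password Managers section), then a near-miss check that catches typosquats such as mail.goggle.com and look-alike substitutions such as paypa1.com. The trusted-site list, the confusable-character table, and the "last two labels" shortcut for the registrable domain name are assumptions for illustration; browsers and password managers use the Public Suffix List and the Unicode confusables data instead.

```python
from urllib.parse import urlsplit

# Look-alike substitutions attackers use in hostnames (constructed table; the page's
# own example is a digit 1 or a capital I standing in for a lowercase l). Hostnames
# are compared lowercased, so only lowercase keys are needed.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "5": "s", "3": "e"}

# Assumed set of sites the user has credentials for.
TRUSTED_HOSTS = {"google.com", "amazon.com", "paypal.com", "microsoft.com", "umn.edu"}


def origin(url: str) -> tuple[str, str, int]:
    """Scheme, lowercased host and effective port: the key a password manager files credentials under."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, host, port


def should_autofill(stored_url: str, current_url: str) -> bool:
    """Offer saved credentials only on an exact origin match. Path and query are ignored,
    but a different host, scheme or port (including http instead of https) means no prompt."""
    return origin(stored_url) == origin(current_url)


def registrable_name(host: str) -> str:
    """Last two labels, e.g. mail.goggle.com -> goggle.com. Approximation: real code
    consults the Public Suffix List so that names like example.co.uk are handled."""
    return ".".join(host.lower().split(".")[-2:])


def fold_confusables(name: str) -> str:
    """Replace look-alike characters with the letters they imitate, longest patterns first."""
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        name = name.replace(fake, real)
    return name


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; goggle.com is one edit away from google.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, trusted_hosts=TRUSTED_HOSTS, max_edits: int = 2):
    """Return the trusted name that `host` imitates, or None if it is genuine or unrelated.

    A real subdomain (mail.google.com) shares its registrable name with the trusted site
    and is accepted. Internationalized (xn--) homograph domains need the Unicode
    confusables table and are not handled here."""
    name = registrable_name(host)
    trusted_names = {registrable_name(t) for t in trusted_hosts}
    if name in trusted_names:
        return None
    folded = fold_confusables(name)
    for trusted in sorted(trusted_names):
        if folded == trusted or min(levenshtein(name, trusted), levenshtein(folded, trusted)) <= max_edits:
            return trusted
    return None


if __name__ == "__main__":
    print(should_autofill("https://mail.google.com/mail/", "https://mail.goggle.com/mail/"))
    for h in ("mail.goggle.com", "www.amazoon.com", "paypa1.com", "rnicrosoft.com", "mail.google.com"):
        print(h, "->", lookalike_of(h))
```

The first function is the whole reason the password manager stays silent on a copycat site: the comparison is on the exact origin, so goggle.com and google.com are simply different keys. The second function is what a mail filter or browser extension would run to explain why, and it also flags the substitutions a person is least likely to notice.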

How to Spot Social Engineering Attacks

  • Using fear as a motivator. Threatening or intimidating emails, calls, or texts are a dead giveaway that a scammer is trying to coerce you into giving them your information. The email may appear to come from an authority figure, such as the IRS, the police, or a bank, and will try to scare you into complying with their request for your personal information or money. 
  • Sense of urgency. An email, phone call, or text message that includes an urgent request for personal information is an obvious red flag that someone is trying to trick you into giving up information. A request that requires you to take immediate action or face dire consequences is designed to make you act without stopping to think first. Always check the legitimacy of ANY request before sending any personal information.
  • Requests that ask you to “verify” your information. Your bank or credit card company will never send an email or call you asking you to verify your personal information such as your password, credit or debit card number, or your Social Security Number. Such requests are obvious red flags that the sender is a scammer. 

How to Protect Against Social Engineering Attacks

  • Make sure your email spam filter is turned on. Gmail’s spam filter catches most unwanted emails but there are always some that get through. While email services don’t publish details of how their spam filters work (with good reason), it is understood that user interaction, such as flagging an email as spam, helps train the filter. The reverse is also believed to be true: opening or clicking on a spam email signals to Google that the message interests you and can lead to more of the same reaching your inbox. 
  • Keep your devices (phone, computer, etc.) up-to-date with the latest software. Most devices these days have auto-update capability so make sure that’s enabled.
  • Use multi-factor authentication (MFA) if available. With MFA, a stolen password alone is not enough to get into your account. A word of warning about MFA scams, though: if a cybercriminal gets hold of your password, they can trigger login attempt after login attempt, each of which sends an MFA push notification to your phone. The scammer is betting that you will eventually approve one just to make the notifications stop (this is sometimes called MFA fatigue or push bombing). The solution is an easy one: NEVER approve an MFA notification that you didn’t request. And if the scammer got far enough to trigger the MFA notification, that means they already have your password for that account. Change it immediately and report the incident so they can’t keep trying.
  • Be suspicious of any request that asks for your personal information. Ignore any requests for login credentials or personal information, particularly if it is an unexpected request that you didn’t initiate. A legitimate business will never email you asking for your personal information or login credentials. Flag any such email requests as spam and delete them. 
  • Check the sender. In Gmail, click the down arrow next to the “to” line to display the information about the sender, such as their email address and the reply-to address. Check closely to make sure everything matches up and that the email is from the organization that it claims to be from. 
  • Slow down. If you’re feeling a sense of urgency, slow down. Social engineers try to get you to act fast so you don’t have time to spot the red flags. 
  • Verify links before clicking. Shortened links, such as a bit.ly link, may be used to hide a malicious URL. Use a link expander such as the one in duckduckgo, to test the link without clicking it.
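
The MFA fatigue pattern described above is easy to see from the authentication server's side, where it looks like a burst of push notifications to one user followed, if the attack worked, by an approval. The following is an added Python example, not code from LATIS, UMN or any MFA vendor: it runs over a few constructed push events (one JSON object per line, in the shape an MFA provider's export might use) and reports users who received an unusual number of pushes in a short window. The event names, the four-pushes-in-five-minutes threshold and the recommended response steps are assumptions for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed push-notification events in the style of an MFA provider's export
# (one JSON object per line); these are not real logs from UMN or any vendor.
SAMPLE_LOG = """\
{"ts": "2024-03-04T08:00:01Z", "user": "alice", "event": "push_sent", "ip": "203.0.113.9"}
{"ts": "2024-03-04T08:00:04Z", "user": "alice", "event": "push_denied", "ip": "203.0.113.9"}
{"ts": "2024-03-04T08:00:20Z", "user": "alice", "event": "push_sent", "ip": "203.0.113.9"}
{"ts": "2024-03-04T08:00:25Z", "user": "alice", "event": "push_timeout", "ip": "203.0.113.9"}
{"ts": "2024-03-04T08:00:40Z", "user": "alice", "event": "push_sent", "ip": "203.0.113.9"}
{"ts": "2024-03-04T08:01:02Z", "user": "alice", "event": "push_sent", "ip": "203.0.113.9"}
{"ts": "2024-03-04T08:01:30Z", "user": "alice", "event": "push_sent", "ip": "203.0.113.9"}
{"ts": "2024-03-04T08:01:41Z", "user": "alice", "event": "push_approved", "ip": "203.0.113.9"}
{"ts": "2024-03-04T08:02:00Z", "user": "bob", "event": "push_sent", "ip": "198.51.100.7"}
{"ts": "2024-03-04T08:02:05Z", "user": "bob", "event": "push_approved", "ip": "198.51.100.7"}
"""

PUSH_THRESHOLD = 4      # pushes to one user inside the window before it counts as a burst
WINDOW_SECONDS = 300    # assumed tuning values, not from the page


def parse_events(log_text: str):
    """Yield events with the timestamp turned into an aware UTC datetime."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield rec


def detect_mfa_fatigue(log_text: str, threshold: int = PUSH_THRESHOLD, window: int = WINDOW_SECONDS) -> dict:
    """Return {user: finding} for users who received `threshold` or more pushes within
    `window` seconds. A push approved after such a burst is the fatigue attack succeeding."""
    recent = defaultdict(deque)   # user -> push_sent timestamps still inside the window
    findings = {}
    for rec in parse_events(log_text):
        user, ts = rec["user"], rec["ts"]
        pushes = recent[user]
        if rec["event"] == "push_sent":
            pushes.append(ts)
            while (ts - pushes[0]).total_seconds() > window:   # drop pushes older than the window
                pushes.popleft()
            if len(pushes) >= threshold:
                finding = findings.setdefault(
                    user, {"pushes": 0, "approved_after_burst": False, "source_ip": rec["ip"]})
                finding["pushes"] = max(finding["pushes"], len(pushes))
        elif rec["event"] == "push_approved" and user in findings:
            findings[user]["approved_after_burst"] = True
    return findings


def recommended_actions(finding: dict) -> list[str]:
    """Response steps matching the page's advice: a burst means the attacker already has the password."""
    actions = ["reset password", "block source IP " + finding["source_ip"]]
    if finding["approved_after_burst"]:
        actions += ["revoke active sessions", "re-enroll MFA device"]
    return actions


if __name__ == "__main__":
    for user, finding in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(user, finding, recommended_actions(finding))
```

In the sample, alice receives five pushes in ninety seconds and approves the last one; bob's single push and approval is a normal login. The password reset is on the list even when nobody approved anything, because the attacker could not have triggered the pushes without it.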

Phishing

What is Phishing?

Phishing attacks start with a fraudulent email, text message, or phone call that is designed to lure you into clicking on a link to a fraudulent website, opening an infected attachment, or divulging personal information. One example would be an email that appears to be from a bank informing you that there is an issue with your account and asking you to confirm your account information. The link provided in the email directs you to a fake site where your login credentials will be recorded and then used to empty your bank account.

Why is phishing such a popular method for attackers to use?

Phishing is popular among threat groups largely because a phishing attack is so easy to carry out. The widespread availability of phishing toolkits, coupled with the rise of "Ransomware as a Service", makes it simple to launch a phishing attack, even for someone with little or no IT experience. Industry surveys report that approximately 90% of the malware on computers made its way there via phishing and that roughly 42% of workers admit to having taken a dangerous action (clicking on a link, downloading a file, etc.) after receiving a phishing email. Given that roughly 15 billion phishing emails are sent out on a daily basis, even if only a small percentage of them succeed, that’s a lot of compromised machines waiting for the attacker's next move. They may, for example, use the infected computer as a platform from which to launch other attacks, or they may simply encrypt it with ransomware. Once the malware is installed, the attackers control the computer and can do whatever they want with it. Don’t fall victim to a phishing attack. Think before you open an email or click on a link.

Types of Phishing Attacks

  • Email Phishing - This is the most common type of phishing attack by far, largely due to the low cost of setting up a phishing attack as well as the chances of success. All it takes is for one recipient to click on a link or open an attachment for the attack to be successful.
  • Smishing - Smishing is a form of phishing that uses text messages, or SMS, to try to gather personal information, such as bank account information or credit card numbers. Users don’t often associate phishing scams with text messages, but it’s actually easier for attackers to “find” your phone number than your email address. Phone numbers in the U.S. are always 10 digits, whereas email addresses vary in length and can include letters, numbers, and symbols. Thus it’s easy for an attacker to send texts to every possible combination of digits in a block of numbers and wait for the responses. Since users are more likely to respond to a text message than an email, the attacker is likely to achieve their goal.   
  • Vishing - Vishing, or “voice phishing” is an attack where the criminal targets the potential victim over the phone, often posing as a person of authority, and tries to trick them into divulging personal information or sending a payment. Common tactics include posing as a person from a bank asking the victim to verify their identity, masquerading as an IRS agent and claiming the victim owes taxes, or pretending to be tech support and offering to “fix” an issue on the victim’s computer but installing malware instead. 
  • Spear Phishing - Spear phishing is a phishing attack that is targeted at a specific individual, organization, or business. Social media is a huge contributor to the rise of spear phishing, as people put the details of their entire lives online, making it easy for attackers to gather the personal information they need to make the message convincing. 
  • Business Email Compromise and whaling - In a Business Email Compromise (BEC), the attacker impersonates someone the target trusts, such as an executive or a vendor, and tries to trick an employee into transferring funds or revealing sensitive information, such as trade secrets. Whaling is the closely related variant in which the target is the senior executive. Some examples would be a spoofed email that appears to come from a high-level executive authorizing a wire transfer, or from a trusted vendor requesting immediate payment of an invoice. 
  • Angler Phishing - Angler phishing is one of the newer phishing techniques that targets social media users.  The criminals set up fake social media accounts that appear to be customer support for a large business or financial institution. These fake accounts will then be used to contact disgruntled customers who are airing their complaints on social media, sending them a link they claim will take them directly to an agent that can resolve the issue. The link of course, is bogus, and clicking on it will generally either install malware on the victim’s computer or take them to a website where they may be tricked into divulging personal information such as their bank account information or a credit card number. 
  • Search Engine Phishing - Search Engine Phishing is another relatively new type of phishing attack, though it differs from other phishing attacks as it doesn’t involve email, text, or a phone call. Instead, the criminals set up a website offering, for example, cheap/free products, amazing deals, or (fake) job offers. Search engines then index the site, ensuring it will show up in search results for the unsuspecting victims. The search results are legitimate but the website is fake. Its sole purpose is to trick victims into handing over their personal information.

Can you spot a phishing attack?

Take this quiz to see if you can tell when you’re being phished.

How to Spot a Phishing Attack

Phishing attacks often look like they’re from a company or organization you know and trust, such as a bank or credit card company, and ask you to take some sort of action. Don’t do it! Some examples of the more common phishing scams are emails where the scammers

  • claim they have noticed suspicious activity with your account
  • warn that your account will be closed if you don’t reply
  • ask you to confirm personal information or update your payment details
  • attempt to convince you to click on a link to make a payment
  • state you have won something or are eligible for a government refund
  • entice you to open an attachment, such as an invoice or shared document that you weren’t expecting

The above are all red flags that the email is very probably a phishing attempt. In all cases, DO NOT click on any links, open any attachments or shared documents, or reply to the message. If you’re not sure whether or not it’s a phishing attempt and want to verify that, for example, there isn’t an issue with your bank account, call your bank or go to their website directly rather than clicking on the link in the email. If in doubt, forward the email to [email protected], including the email headers, and UIS will look into it.
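
The "check the sender" advice in the Social Engineering section and the headers UIS asks for above come together in the raw message headers (Gmail's "Show original"). The following is an added Python example, not code from LATIS or UMN, that parses two constructed header sets with the standard library and lists the red flags a reader should notice: a display name that claims a different address than the real one, a Reply-To or Return-Path on another domain, and failed SPF/DKIM/DMARC verdicts recorded by the receiving server in the Authentication-Results header. The sample messages, the trusted domain and the scoring rule are assumptions for illustration.

```python
import email
import re
from email.utils import parseaddr

TRUSTED_DOMAIN = "umn.edu"   # assumption: the domain the recipient expects internal mail from
AUTH_FAILURES = {"fail", "softfail", "permerror", "temperror"}

# Constructed headers in the form Gmail's "Show original" displays them; not a real message.
SAMPLE_RAW = b"""\
Return-Path: <bounce@bulk-sender.example.org>
Authentication-Results: mx.umn.edu; spf=fail smtp.mailfrom=bulk-sender.example.org; dkim=none; dmarc=fail header.from=mail-relay.example.net
From: "UMN IT Service Desk <help@umn.edu>" <alerts@mail-relay.example.net>
Reply-To: recovery-desk@example-mail.net
To: someone@umn.edu
Subject: URGENT: verify your account within 24 hours
Content-Type: text/plain; charset="utf-8"

Your mailbox will be closed. Verify now: https://umn-edu-verify.example/login
"""

# A legitimate internal notice for comparison (also constructed).
CLEAN_RAW = b"""\
Return-Path: <it@umn.edu>
Authentication-Results: mx.umn.edu; spf=pass smtp.mailfrom=umn.edu; dkim=pass header.d=umn.edu; dmarc=pass header.from=umn.edu
From: "UMN IT" <it@umn.edu>
To: someone@umn.edu
Subject: Scheduled maintenance Saturday
Content-Type: text/plain; charset="utf-8"

Email will be unavailable from 06:00 to 07:00 on Saturday.
"""


def domain_of(address: str) -> str:
    """Domain part of an address header value, lowercased; '' if the header is absent."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def header_findings(raw: bytes, trusted_domain: str = TRUSTED_DOMAIN) -> list[str]:
    """Return the red flags a reader should notice in the message headers."""
    msg = email.message_from_bytes(raw)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Display name carries an address, or the trusted org's name, that the real address does not match.
    claimed = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", display_name)
    if claimed and claimed.group(1).lower() != from_domain:
        findings.append(f"display name claims {claimed.group(0)} but the address is {from_addr}")
    elif from_domain != trusted_domain and trusted_domain.split(".")[0] in display_name.lower():
        findings.append(f"display name mentions {trusted_domain} but mail comes from {from_domain}")

    # 2. Replies would go somewhere other than the apparent sender.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Bounce address on a third domain. Weak signal on its own: mailing services do this too.
    bounce_domain = domain_of(msg.get("Return-Path", ""))
    if bounce_domain and bounce_domain != from_domain:
        findings.append(f"Return-Path domain {bounce_domain} differs from From domain {from_domain}")

    # 4. The receiving server's own SPF/DKIM/DMARC verdicts, recorded in Authentication-Results.
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")):
        if result.lower() in AUTH_FAILURES:
            findings.append(f"{method} check failed ({result})")
    return findings


def is_suspicious(raw: bytes) -> bool:
    """Any authentication failure or display-name mismatch, or two weaker signals, is enough."""
    findings = header_findings(raw)
    strong = any(f.startswith("display name") or "check failed" in f for f in findings)
    return strong or len(findings) >= 2


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RAW), ("clean", CLEAN_RAW)):
        print(label, is_suspicious(raw), header_findings(raw))
```

The display-name trick is the one Gmail's collapsed view hides best: the mobile client shows "UMN IT Service Desk <help@umn.edu>" and nothing else, which is exactly why the advice is to expand the sender details. The Authentication-Results line is added by the receiving server, so a dmarc=fail there is the server telling you the message did not come from where it claims.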

How to Protect Against Phishing Attacks

  • Learn to recognize the signs of a phishing attack.
  • Be wary of emails with generic greetings such as “Dear sir” or “Dear Ma’am.” 
  • Avoid sharing personal information.
  • Never click on unknown links or attachments.
  • Mistakes in spelling or grammar are red flags that the sender may not be who they claim to be.
  • Don’t be lured by “deals” that are too good to be true.
  • Don’t jailbreak your device.
  • Monitor your financial statements to look for unfamiliar charges or suspicious activity.
  • Keep all of your devices up-to-date with the latest software.
  • Think before you click. 
  • Report suspicious messages to your email provider.

Safe Web Browsing

Browsers are one of the most common tools that people use to access resources on the web. Used for anything from checking email to catching up on the news to shopping online, browsers offer the user a form of one-stop shopping. However, this convenience comes at a cost. The cybercriminals also know that browsers are used for a variety of online activities, making them a prime target for hackers to steal your credentials, infect your computer, or deceive you into clicking on a link to a malicious website. 

Some users may think that they’re safe when browsing online because they primarily visit known, trusted sites. However, it’s easy to accidentally click on a malicious link that appears in your search results or to mistype a URL and wind up on a site other than the one you intended to visit, particularly if the page you land on is a look-alike for the one that you expected. In addition, legitimate sites can be hacked, so even if you’re on the intended, trusted site, you could wind up having your identity stolen or downloading malicious software to your computer.

While web browsing carries with it certain inherent risks, there are some things you can do to protect yourself and reduce your chances of becoming a victim of the cybercriminals. Here is a list of some of the steps you can take to safely browse the web.

  1. Keep your browser updated. Running an outdated browser that lacks the latest security fixes is asking for trouble. Automatic system updates make it easy to ensure that your browser is updated to the latest version. After updating, check the settings in your browser to see if there are any new security features you can take advantage of. 
  2. Most modern browsers will issue a warning if they detect that a website you are trying to visit is malicious. Heed the warning and close the tab. Visiting a malicious website can result in viruses or other malware being installed on your computer, even if you have taken other precautions, such as using anti-virus software and configuring your browser for high security. Don’t ignore the warning: close the tab and move on. 
  3. Don’t save passwords in your browser. Use a password manager instead, as described in the Password Managers section on this page. 
  4. Be careful of shortened URLs, or URLs with things like special characters, numbers, or hyphens in them. Cybercriminals often use these in order to disguise the URL and deceive users into clicking on a malicious link. 
  5. Be wary of any URLs posted on social media sites. Use a search engine to search for the topic of interest instead. And, as with all search engine results, check the URL carefully before clicking on it. If you know the URL of the legitimate site you are looking for, use that rather than clicking on a link from a social media site or a search engine result.  
  6. Do not click on pop-ups or dialogue boxes as doing so could potentially download malware to your computer. 
  7. Never trust free downloads. Free content, such as downloads of free videos, music, or software, often contains malware or viruses. Offers that seem too good to be true fall into the same category. 
  8. When you are finished visiting a website, log off and clear your cache and cookies. Staying logged on to a site after you are finished could potentially leave you vulnerable to session hijacking by a hacker. Play it safe and log off when you are done. 

Working Remotely

Public Wi-Fi

Risks of using Public Wi-Fi

  • Whose network are you really joining? 

Anyone can set up a wireless hotspot and assign it whatever name they want. By setting the name (Service Set Identifier) to a common or commercially used SSID, unsuspecting users connecting to the rogue hotspot will think they’re on the legitimate network provided by the store or shop they are at. If you have your device set to automatically connect to available networks, your device could be connecting to the rogue hotspot without you even being aware of it. 

  • What happens if I connect to a rogue hotspot or Access Point (AP)?

Once you have connected to their hotspot, cybercriminals can use the connection to attack your laptop or mobile device directly. They can also mount a man-in-the-middle attack (MITM), where they intercept traffic from your device, alter it, and retransmit it, masquerading as you. Any traffic that is not encrypted end to end is exposed this way: a plain http:// page, for example, or a connection where you clicked through a certificate warning. They could alter an email you are sending to a friend over such a connection and add a link to a phishing or malware site. Your friend will think the link is safe because it appears to come from you, a person they trust, so they let their guard down and click on it, infecting their device with malware. As this example shows, connecting to a rogue hotspot poses a danger not only to you but also to anyone you contact while you are on the cybercriminal’s hotspot. 

  • What public Wi-Fi networks are safe?

In short, assume that no public Wi-Fi is safe. Airports are particularly risky, as they are popular targets for hackers due to the large number of international travelers passing through who need to get online but may not have access to a domestic cellular network.

Using public Wi-Fi

While public Wi-Fi isn’t generally considered to be safe, there are some steps you can take to protect yourself when using Wi-Fi that is open to the public.

  • Verify the SSID of the network you are going to connect to, either by looking for an official poster with the SSID and password or by asking an employee. Make sure you use the exact spelling for the SSID, as hackers often set up wireless networks with names very similar to the one the business is using. For example, if the legitimate SSID is bobscoffeeshop, the hacker might set up a hotspot for bobscoffeeeshop, hoping unsuspecting customers won’t notice the extra “e” in the name and will connect to their rogue network.
  • Use a VPN anytime you’re on a public Wi-Fi network. Most public Wi-Fi networks don’t use any type of encryption, leaving you vulnerable to having your credentials stolen. Public Wi-Fi services also don’t normally require authentication, making it easier for hackers to get onto the network and plant malware or steal sensitive information.
  • Disable the automatic connection feature in your WiFi settings on your device. Set it to ask permission before connecting to a network so you don’t end up automatically connecting to a rogue network. 
  • Enable the firewall on your laptop or device.
  • Use antivirus software and keep it updated.
  • Turn off file sharing.
  • Keep your device updated with the most current patches. 
  • Avoid using public Wi-Fi for anything that involves sensitive data.
  • Don’t assume a website is secure just because it’s using https and has a lock icon. Many users have been trained to look for the https in the URL along with the lock icon to ensure the site is secure. Cybercriminals are aware of this and obtain certificates for their phishing sites, which is free and takes minutes, so the lock shows up there too. The lock only means that your connection to whichever site is in the address bar is encrypted; it says nothing about whether that site is the one you think it is. Don’t trust a site just because it is using https and has a lock icon. And, as always, don’t click on the links in your email. Instead of clicking on the link, go to the known, legitimate site directly and find the page from there.