Information Security Alerts
To meet growing technological needs and to protect against evolving cyber threats, Information Security engages with the campus community to increase cybersecurity awareness, incentivize cybersecurity, encourage the adoption of best practices, and implement a shared sense of responsibility for cybersecurity at our institution. This page will be updated as information and/or alerts--from CISA, other Federal agencies, and the public sector--are identified.
March 07, 2022
Recent world events have raised our awareness of potential cyber-attacks. We do not have all the answers, nor do we know what will happen next. But from a cybersecurity standpoint, we do know that continuing to focus on the fundamentals is key to protecting ourselves at home and at work. While the sense of urgency may have changed, the way cyber attackers target us has not. Here are the basics to focus on:
- Implement multi-factor authentication on your accounts. A password isn’t enough to keep you safe online. By implementing a second layer of identification, like a confirmation text message or email, a code from an authentication app, a fingerprint or Face ID, you’re giving your bank, email provider, or any other site you’re logging into the confidence that it really is you. Multi-factor authentication can make you 99% less likely to get hacked. So enable multi-factor authentication on your email, social media, online shopping, financial services accounts. And don’t forget your gaming and streaming entertainment services!
- Update your software. In fact, turn on automatic updates. Bad actors will exploit flaws in the system. Update the operating system on your mobile phones, tablets, and laptops. And update your applications – especially the web browsers – on all your devices too. Leverage automatic updates for all devices, applications, and operating systems. (See CISA Known Vulnerabilities Catalog)
- Think before you click. More than 90% of successful cyber-attacks start with a phishing email. A phishing scheme is when a link or webpage looks legitimate, but it’s a trick designed by bad actors to have you reveal your passwords, social security number, credit card numbers, or other sensitive information. Once they have that information, they can use it on legitimate sites. And they may try to get you to run malicious software, also known as malware. If it’s a link you don’t recognize, trust your instincts, and think before you click.
- Use strong passwords, and ideally a password manager to generate and store unique passwords. Our world is increasingly digital and increasingly interconnected. So, while we must protect ourselves, it’s going to take all of us to really protect the systems we all rely on.
What's more, there is going to be a tremendous amount of false information spread on the Internet. Do not trust or rely on information from new, unknown, or random social media accounts, such as posts on LinkedIn, Instagram, Facebook, or Twitter. Many of these accounts have been created on these sites for the sole purpose of putting out fake information (fake news). Instead, follow only well-known, trusted news sources that verify the authenticity of information before they broadcast it.
Donations to many are important and if you wish to donate to a cause in support of recent events, do your due diligence to ensure sure you are donating to a well-known, trusted charity. There will be many scams attempting to trick people into donating to fake charities run by cybercriminals.
Please continue to focus on the fundamentals you have learned from the semi-annual Cybersecurity training and you will go a long way to protecting the institution's data as well as your personal information no matter who the cyber attacker may be. Contact firstname.lastname@example.org if you have any questions.
December 15, 2021
This holiday season, it is important to remain diligent in defending against ransomware attacks by staying up to date on the best practices for malware prevention. Ransomware is a form of malicious software (“malware”) that encrypts data on a device, rendering that data, and the systems that rely on them, unusable. Cyber threat actors often demand a ransom to provide a decryption key, or may threaten to publicly disclose sensitive files and information gained during the ransomware attack (if the ransom is not paid). Throughout the COVID-19 pandemic, it is reported malicious cyber actors used various COVID-19 related scams to target businesses and agencies across the U.S.
December 10, 2021
The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. We assess it is highly probable a threat actor will attempt to exploit this vulnerability. This bulletin contains Indicators of Compromise and mitigation techniques to defend systems against the vulnerability.
November 13, 2021
The FBI says it has fixed a software misconfiguration that was abused to send fake emails falsely warning of a cyber attack. As many as 100,000 hoax emails were sent in two waves early this morning, originating from a legitimate FBI domain.
September 3, 2021
Howard University, one of the nation’s largest and most prestigious historical universities and the alma mater of Vice President Kamala Harris, canceled classes Tuesday, September 3 after a ransomware attack. Ransomware attacks have become a scourge in recent years, and universities are common targets. Hackers have managed to infect at least 19 colleges and universities in 2021.
March 18, 2021
Since March 2020, the FBI has become aware of PYSA ransomware attacks against US and foreign government entities, educational institutions, private companies, and the healthcare sector by unidentified cyber actors. PYSA typically gains unauthorized access to victim networks by compromising Remote Desktop Protocol (RDP) network credentials and/or through phishing emails.