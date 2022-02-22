With the sheer volume of personal data shared online, how can one ensure their information is protected from malicious actors?
Beyond basic cybersecurity hygiene like keeping different, unique passwords per website and not clicking on suspicious links, advice from the UW Office of the Chief of Information Security Officer (CISO) can help students confidently navigate tax season, financial aid, and other transactions involving personal information.
“It’s important to stay aware that your credentials, personally identifiable information, and your financial info — such as W-2 forms — are a target for cyber thieves,” Melissa Albin, an information security analyst for CISO cyber intelligence, said.
Attacks in cyberspace are categorized as violating one of the three aspects of the CIA Triad: confidentiality, integrity, and availability. Availability refers to being able to access information when you need it. Ransomware concerns when a user’s data is encrypted and therefore unavailable until a ransom is paid for the key — is an example of breaches that threaten availability. The Colonial Pipeline ransomware is one of the best-known recent examples.
Each piece of data online can be checked for a unique fingerprint (otherwise known as a hash, or a unique string generated by an algorithm) to validate its integrity. If the data has been altered, it will produce a different hash value. A common example in web exploitation is changing the numerical value in a bank account.
The vast majority of threats involving tax or other financial information may be characterized as sensitive information disclosure, or exploiting the user’s confidentiality.
During social engineering attacks when the malicious actor tries to make you assume they are a trusted source, the actor violates your assumptions of trust and steals confidential information such as your credit card for their personal gain.
In response to the number of malicious actors masquerading as trusted sources, CISO published a blog with tips and examples of what common phishing attempts look like.
Although enabling two-factor authentication (2FA) through Duo makes it harder for malicious actors to log into your account, it is not the silver bullet to security. Leading security experts have illustrated how malicious actors can find a way to decrypt information or receive tokens to bypass these security measures.
Regardless of how strong a software’s security may be, nothing can patch human error or the disclosure of personal information to a malicious actor masquerading as a trusted source.
“What can we do?” Albin said. “The answer is always end-user education.”
Phishing is one of the most common methods for malicious actors online to steal victims’ credentials. Most phishing emails will nudge the user to immediately click on a link or fill out a form for important financial or other information.
“[Phishing] evokes some emotional response to force you to make a decision,” Albin said.
While UW, through its partnership with Proofpoint, filters and discards most emails that have common characteristics of phishing attempts, malicious actors continue to grow more complex in their tools and methods, with at least one recent phishing attempt coming from an email with a UW domain name.
“Even if you think you recognize the sender, names and email addresses can be forged or spoofed, so stop and think before you click,” Albin said. “If the email includes a link from MyUW or Workday, for instance, open a browser and go to those websites to log in rather than clicking through.”
CISO regularly posts blogs and videos aimed at increasing end-user awareness and training, including updates on new vulnerabilities such as Log4j.
“One thing I tell my relatives is to stop and think, ‘Was I expecting this call or message?,’” Albin said. “And if the answer is no, proceed with skepticism. Assume it’s a scam until you can verify the caller or sender is who they say they are.”
Beyond being vigilant of emails, phone calls, or text messages that prompt you to log in through a faulty portal, students should update all devices regularly (Microsoft, for example, releases bug fixes every Tuesday).
Albin also recommends using a password manager (which generates unique, complex passwords for every site you visit — you only have to remember the initial password) to prevent lateral movement ifone of your passwords is discovered.
As you learn about how to stay safe online, spread awareness to your colleagues. If they receive an offer or gift card that sounds too good to be true, share CISO resources to help them discern a scam from a trusted source.
Do you have any lingering questions about cybersecurity or any other issues related to information technology? Fill out the following form with topics you would like to see us explore with industry experts.
Reach reporter Julie Emory at news@dailyuw.com. Twitter: @JulieEmory2
Like what you’re reading? Support high-quality student journalism by donating here.
(0) comments
Welcome to the discussion.
Log In
Keep it Clean. Please avoid obscene, vulgar, lewd, racist or sexually-oriented language.
PLEASE TURN OFF YOUR CAPS LOCK.
Don't Threaten. Threats of harming another person will not be tolerated.
Be Truthful. Don't knowingly lie about anyone or anything.
Be Nice. No racism, sexism or any sort of -ism that is degrading to another person.
Be Proactive. Use the 'Report' link on each comment to let us know of abusive posts.
Share with Us. We'd love to hear eyewitness accounts, the history behind an article.