A common trick used by hackers is to send an email that appears to come from someone you trust. The email urges the recipient to click on a link to verify their account, update an “expired” password, or open an important attachment. The email may look real, with company logos, links and branding, but beware – it may have come from an illegitimate source.
The 5 common features of Phishing emails are:
- Too good to be true
- Sense of urgency
- Hyperlinks
- Attachments
- Unusual Sender
In a business setting, it is easy to imagine how an employee might be manipulated into clicking on a phishing link that uses any of these appeals.
There is more than one way to phish:
- Phish – You receive an email that appears to come from Amazon asking you to renew your Prime membership. The email asks you to log in to renew it.
- Vishing – You receive a call from someone claiming to be Microsoft, saying that your computer is running slower than usual and that they need to check whether you have viruses or other errors that need resolving.
- Spear Phishing – You receive an email that appears to come from your manager about an upcoming company BBQ with games and prizes on May 20th, and it provides a link to RSVP to the event.
- SMS Phishing or Smishing – You receive a text message saying that you have received a $500 refund from Bell Mobility and need to open the link to collect the refund.
Protecting against phishing
Here are a few things you should know:
- Your bank will never send you an email or call you on the phone asking you to disclose personal information such as your credit card number, banking password, or your mother’s maiden name.
- Be suspicious of unsolicited emails that appear to have a sense of urgency and warnings that your accounts will be closed or your access restricted if you don’t reply.
- Review the email carefully. While some fraudulent emails may look professional at first glance, look for spelling errors, incorrect grammar, or unusual language.
- When using @bcit.ca email, you should always hover over the link (don’t click) to see if it starts with BCIT’s adopted Safe Link approach (https://can01.safelinks.protection.outlook.com/?url=https://actual url).
- If you are not using @bcit.ca email and you notice that the link is different from the address it claims to lead to, that is an indicator that the source is probably illegitimate. You can check the validity by using a reputable search engine to look up the address and/or company name.
- If you suspect that you received a phishing email, report it to the BCIT IT Services Help Desk at https://www.bcit.ca/it-services/getting-help/
When in doubt, the best practice is to delete the email.
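As an added illustration of the hover check above (this is not code from the original page or from BCIT), the following Python snippet unwraps a Safe Links address to show the real destination and reports whether that destination is on a bcit.ca host. The wrapper itself only shows that the link was scanned at delivery; the host inside it is what the hover check should really be judged on. The sample links are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Safe Links wrapper host used in the page's example.
SAFELINKS_HOST = "can01.safelinks.protection.outlook.com"


def unwrap_safelink(href: str) -> str:
    """Return the real destination of a link.

    A Safe Links wrapper carries the original address in its 'url' query
    parameter (percent-encoded); parse_qs decodes it. Any other link is
    returned unchanged.
    """
    parts = urlsplit(href)
    if parts.scheme == "https" and parts.netloc.lower() == SAFELINKS_HOST:
        target = parse_qs(parts.query).get("url")
        if target:
            return target[0]
    return href


def link_report(href: str) -> dict:
    """Summarise where a hovered link really goes."""
    destination = unwrap_safelink(href)
    host = urlsplit(destination).hostname or ""
    return {
        "wrapped": destination != href,
        "destination": destination,
        "host": host,
        # Exact match or a real subdomain; a host such as
        # 'bcit.ca.example.net' is correctly rejected.
        "bcit_host": host == "bcit.ca" or host.endswith(".bcit.ca"),
    }


if __name__ == "__main__":
    # Constructed sample links, not taken from real messages.
    samples = [
        "https://can01.safelinks.protection.outlook.com/?url="
        "https%3A%2F%2Fwww.bcit.ca%2Fit-services%2F&data=example&reserved=0",
        "https://can01.safelinks.protection.outlook.com/?url="
        "https%3A%2F%2Fbcit.ca.example.net%2Fverify",
        "https://www.bcit.ca/it-services/getting-help/",
    ]
    for link in samples:
        print(link_report(link))
```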
Ransomware is a form of malicious code or malware that infects a computer or network and spreads rapidly to encrypt the data. The malware makes the data inaccessible to the user and the criminals responsible will demand payment in order to decrypt and return the files or unlock the infected computer.
The 3 common ways computers are infected:
- via Phishing Emails – the individual receives an email with a malicious link or attachment
- via Malvertising – the individual visits a legitimate website that displays infected third-party advertisements
- via Zero Day exploits – the individual visits a legitimate website that contains a malicious program exploiting a vulnerability that has no fix yet
Protecting against ransomware
What you can do to protect against an infection:
- Do not open emails from spammers or unknown sources.
- Do not click on email attachments from an unknown source.
- Avoid suspicious websites altogether, such as the ads/links that often appear at the right or bottom of a website.
- Do not accept software updates that are triggered from a website or email, such as prompts to update Java or Adobe Flash.
If you receive a pop-up or encounter a message that prompts you to pay a ransom:
- Immediately disconnect the device from the network/Internet and stop using it.
- Report it immediately to IT support or get assistance in removing the infection.
- Do not pay the ransom in any form.
- Change your important passwords (i.e., online banking, email) from a different (uninfected) device.
Malvertising is a type of malicious code that is hidden within a legitimate website in the form of an advertisement, which either infects a computer with malware (with or without user interaction) or redirects users to a malicious website. Hackers use online advertisements that appear to be official, legitimate ads but are loaded with malicious intent, such as ransomware, hence the name “malvertising”.
Malvertising could potentially perform the following malicious activities without the user clicking on the advertisement:
- Forced redirect of the browser to a malicious site
- Display unwanted advertising, malicious content, or pop-ups.
- A “drive-by-download” installation of malware or adware on the computer of a user viewing the ad.
Malvertising could potentially perform the following malicious activities when the user clicks on a malicious ad:
- Execute code that installs malware or adware on the user’s computer
- Redirect the user to a malicious website, instead of the target suggested by the ad’s content
- Redirect the user to a malicious website very similar to a real site, which is operated by the attacker
Protecting against malvertising
Here are some ways you can protect yourself from malvertising:
- Install a pop-up/ad blocker on your web browsers
- Update all software, including the operating system, browsers, and Java
- Uninstall Flash if it has not been disabled already
- Turn on anti-virus software to protect against some malicious code executed by malvertising
- Resist clicking on ads, even if they appear to be from reputable companies
At BCIT, you may need to access BCIT’s network resources off campus such as:
- Departmental shared network drives
- OneDrive to share course folders
- Remote printing to BCIT printers
- Some AppsAnywhere applications with on-site licensing restriction
- BCIT staff virtual desktop.
Students and staff can use myVPN to establish a remote connection to secured BCIT systems and resources. myVPN will secure information by:
- Encrypting data transferred between BCIT and your computer
- Separating network traffic between BCIT connections and regular internet usage
Best Practices for working remotely:
- Secure remote access is necessary for students and staff to access common BCIT resources.
- Use myVPN to access BCIT resources if necessary -> link to the page of myVPN
- Protecting personal and confidential information
- Do not leave your device unattended, lock your device when not in use.
- Encrypt your device to protect sensitive information.
- Use BCIT OneDrive instead of public cloud storage for work-related documents. (link to the introduction/kb page of BCIT Onedrive)
- Secure your home network by changing the default router password and using a strong password for Wi-Fi
- Enable WPA2 encryption on your router
- Ensure that Windows Defender or another antivirus is enabled, and Windows Firewall is also enabled
A data backup is the result of copying or archiving files and folders so that they can be restored in case of data loss or damage. Anyone who has lost files or folders knows how important it is to ensure their files are backed up. At BCIT, backing up your files is as easy as storing them on a network drive. There are many possible reasons your files may not be there when you need them:
- Hard disk failure
- Virus/worm infection (“malware”)
- Operating system failure
- Accidental deletion
- Computer theft
- Flood damage to your computer
- Any problem that requires re-imaging your computer (re-imaging involves erasing the entire hard drive contents and re-installing the operating system and standard BCIT applications)
Encryption is the process by which plaintext or any other type of data is converted from a readable form into a secure, unreadable form to prevent unauthorized access. Just as we lock our homes, we rely on encryption to protect data that we do not want unauthorized parties to view or access.
Encryption is imperative for sending sensitive information, securing documents, and keeping email and communications private and, ultimately, it allows for peace of mind in the event of a compromise, theft or loss.
At BCIT encryption usage must be risk based and must take into account the sensitivity of the information as per the Encryption Requirements below:
Device | Requirements | Recommended Product |
---|---|---|
Windows Laptop & Desktop | Full disk encryption | Windows BitLocker |
Apple Laptop & Desktop | Full disk encryption | Apple FileVault |
Mobile Smart Devices | Device-level encryption | MDM or ActiveSync enforced encryption |
Media Storage (USB keys, CDs, backup tapes, portable hard drives) | Device/media-level encryption | Microsoft BitLocker to Go, Kingston DataTraveler Vault, IronKey. |
See: Steps on how to use BitLocker To Go to encrypt removable data drives
Passwords (words or strings of characters) and passphrases (sequences of words or other text) are common and important ways to access and protect digital information on or off the Internet through almost any type of device. Consequently, attackers attempting to access information use a variety of tools to guess or steal passwords/passphrases.
At BCIT, passwords contain a minimum of 8 characters, and a passphrase style is recommended instead of a single-word password. A passphrase must include:
- One upper case letter
- One lower case letter
- One number
- One special character
Follow the top five ways to keep your password/passphrase safe:
- create a strong passphrase; avoid simple/common passwords
- guard them carefully (e.g., do not share it or write it down)
- do not use BCIT passwords for systems outside of BCIT
- update passwords in case of potential threat or compromise
- use different passwords for different services
A secure password vault must be used for storing and sharing passwords. KeePass is a reliable and free open-source password manager for individuals. Schools or departments that require central management and sharing of passwords should refer to 1Password.
Multifactor authentication (MFA) is a security control that requires more than one method of authentication to verify a user’s identity at login. MFA is essential because traditional usernames and passwords can be compromised. When using MFA, you will need two or more authentication factors to log in.
We typically refer to three types of authentication factors:
- Things you know – for example, passwords, PINs, and security questions.
- Things you have – for example, a SIM card, a security token, or an employee ID.
- Things you are – for example, fingerprint scans, voice recognition, and facial recognition.
Steps on how to turn on 2-Step Verification for Gmail.
Steps on how to turn on 2-Step Verification for Facebook.
BCIT is moving to multi-factor authentication (MFA) for all faculty, staff, and contractors on the most frequently used BCIT systems in order to improve our information security and prevent potential privacy and security breaches. This move will also help us comply with our cybersecurity insurance requirements. We are implementing a tool, Duo, which will require that you do an additional step, usually only once or twice a day, when authenticating to frequently used BCIT systems and applications. Follow this link to learn more about Duo.
As of June 6, 2022, OneDrive is BCIT’s solution for file storage for BCIT staff and students. You can provide others with access to the files and folders stored in your BCIT OneDrive storage in a variety of ways, both temporary and permanent.
All sharing is done by providing the other user with a link, and it can be set up either at the onedrive.bcit.ca site or through Windows File Explorer on your BCIT-issued computer. Follow this link to learn more about how to securely transfer files with BCIT OneDrive.
Keeping yourself safe when browsing the web is necessary to protect your data and devices from malicious threats. Navigating to unknown, unsecure, and untrusted websites poses a security risk that may result in the loss of sensitive information as well as putting the network at risk of a cyber-attack. Here are some ways you can protect yourself:
- Enable “Do Not Track” in the privacy settings of your web browser
- Do not click on malicious links or advertisements when browsing
- Block or prevent download of unwanted apps or pop-ups in privacy settings
- Set tracking prevention to balanced or strict based on needs
- In Edge, enable Microsoft Defender SmartScreen, block potentially unwanted apps, and turn on site safety services.
- Enable enhanced security mode for security mitigations on all sites.
- Install an adblocker such as Adblock or uBlock.
Protecting data on Social Media
Social media is a rich source of information for friends and family, but also for malicious individuals who will try to exploit you with social engineering.
- On Facebook and other social media platforms, only add people you know.
- Restrict what information the public can view.
- Do not post or provide sensitive information such as your address and birthdate.
- Photos taken by smartphones and digital cameras may automatically attach a geotag of the exact location where the photo was taken. Disable geotagging in the camera settings and remove or edit photos that have geotags.
- When posting photos, ensure that they do not contain revealing information such as street locations and license plates.
- Use MFA whenever possible to secure accounts.
Personal information is a combination of individual identifiers such as name, birth date, Social Insurance Number, portrait, student ID, employee number, BCIT email, etc.
BCIT is regulated by the Freedom of Information and Protection of Privacy Act (FIPPA) and is required to protect personal information from unauthorized collection, use and disclosure.
- Encrypt your electronic devices so that sensitive information is protected even if the device is lost or stolen.
- Remove any unnecessary files and copies that might contain personal information from your storage.
- Use a secure channel such as BCIT OneDrive to share confidential documents.
- Never transmit sensitive information such as passwords over email unless it is secure and encrypted and the recipient is trusted.
- Whenever discussing private information, turn off or move mobile devices that may be listening such as Google Home, Alexa, and smartphones.