Friday, November 22, 2019

Shopping Tips for the Holidays

I received a great newsletter this week from the Multi-State Information Sharing and Analysis Center (MS-ISAC) titled "8 Shopping Tips for the Holidays" and it got me thinking about all of the holiday-type attacks that I've seen resulting in compromised systems or an unhappy holiday experience.

The first ever holiday attack I witnessed was a fake FedEx notification to my husband, about eight years ago, during December, at a time in which he really was awaiting several shipments to be fulfilled. Upon clicking on the link, malware was installed that rendered his computer completely unusable. He's a smart IT professional - if it happened to him, it can happen to anyone!

So here are a few tips...

1) Don't click on fake shipping links. The "FedEx" attack comes back every year. Don't fall for it! When you want to check the status of your shipment, either log on to the site from which you purchased your item, or log on to the shipping site and type or paste in the shipping number directly. Never click on a shipping link in an email! And remember, attackers don't just mimic FedEx; I've experienced this type of phishing email simulating other shipment companies too.

2) Shop from known reputable merchants. Sometimes the advertisements that you see on your social media sites are actually links to fake websites that either install malware or steal your credit card information. Instead of clicking directly on those advertisements, try googling the product, or better yet - go search for it in your favorite shopping site (like Amazon). It's best to purchase from known reputable merchants to protect yourself and your purchasing experience.

3) Don't be scammed by unrealistic prices. Remember, if it seems too good to be true, it is likely a scam. Don't fall victim to a scam while seeking great shopping deals!

4) Don't click on links received in a text message. Last week I received three different text messages, supposedly from different financial institutions indicating fraud or some other problem with my account. Since two of these belonged to financial institutions for which I don't have an account, this felt like a scam. While this isn't necessarily a holiday attack - this could definitely ruin your holiday if your smartphone becomes unusable or your account is taken over at this important time of year. Avoid clicking on links sent in a text message! Using a separate means, such as a browser or your bank app, log directly onto your account and validate whether there are any important messages. Alternatively, you can call the institution to ask about the text message.

Visit our Cybersecurity Help site and/or the Multi-State Information Sharing and Analysis Center (MS-ISAC) for more tips.

Happy shopping this holiday season!

Today's blog comes from OIT Chief Information Security Officer Debbi Blyth

Friday, October 11, 2019

CIO Theresa Talks: Hello tech leaders, do you want to work together?

After a full career in information technology ranging from engineer, product manager, management consultant, author, speaker, high tech entrepreneur, and board member, I wanted to make more of a difference. Contributions and connections bring meaning to my life.

So I asked myself, "Could a tour of service in government work for me? Should I run for office or what?"

Then opportunity knocked. I heard newly elected Governor-elect Polis on the radio asking people to apply for his Cabinet positions. So I did. Six weeks later, I was pleased to be appointed as the State of Colorado Chief Information Officer and Executive Director of the Governor’s Office of Information Technology (OIT). WOW! The perfect match, this position leverages all of my experience and delivers phenomenal opportunities to make a difference in an innovative, forward-looking environment.

OIT busted my myths. 

Prior to jumping in, I held some stereotypes of bureaucracy and slow-moving government operations. I was wrong. I found a fast-paced, full-service enterprise provider of information technology and communications services with nearly 1,000 IT and support professionals who serve more than 31,000 state employees in 17 executive branch agencies. Our work ranges from keeping systems operating, information flowing, applications running, and technology advancing, securely. We power state government and serve Colorado's counties, residents, businesses, and visitors. Our passionate purpose is customer delight.

Have you asked that question? What brings meaning to your life? Could a tour of service in government also provide you a way to leverage your talents, give back, provide meaning, and have some fun? We are looking for a visionary Chief Technology Officer, Chief Strategy Officer, and other talent. Check out the OIT job opportunities here and spread the word. Let’s find a way to work together.

Opportunity is knocking.

Today's blog comes from OIT Chief Information Officer and Executive Director, Dr. Theresa M. Szczurek

Monday, January 28, 2019

How Anonymous Are You Online? Tips for Protecting Yourself

Have you ever wondered how something you briefly look at on one website pops up as an advertisement on a completely different website? This is because each website you visit collects information about you, allowing the next site you visit to display advertisements based on the information that was collected. Usually this is done by companies to better advertise to you as well as collect data on their customers, but this can be a privacy concern or used for malicious purposes.

Some information that can be collected about you from websites can include: your IP address, how long and how often you visit particular pages, other websites that you visit, the browser you are using, and in some cases the type and version of the operating system on your device.

There are several steps you can take to prevent this information about you from being collected.
  • Use a VPN (Virtual Private Network): There are many different VPNs that you can download and use. Some are free, some are not. A VPN provides you with an encrypted tunnel to access the internet, which can increase your security and anonymity online.
  • Limit or disable cookies: Most websites use cookies to track the users that visit their sites. Cookies enable websites to find out about your browsing habits. Because cookies can store personal data, limiting or disabling them can be a good idea.
  • Use HTTPS Links: Be cautious of any site URL without HTTPS in the URL. HTTPS is more secure than HTTP.
  • A Big No to Public Wi-Fi: Wi-Fi hotspots are convenient, but when accessing your personal accounts, be cautious. Make sure you never log in to your accounts, particularly bank accounts, when using a public Wi-Fi network. Someone using the same network could intercept the data that you have provided online (e.g., your bank details, passwords, emails, etc.). If you must use a public Wi-Fi network, do so with a VPN.
  • Password Manager: Like VPN products, there are many password managers that you can download and use. Password managers store your passwords, and they also suggest good, complex passwords to use for each of your accounts. This is a great step to take to help prevent your online accounts from being compromised.
  • Look out for phishing: A very easy method that attackers use to collect your personal data is phishing. The attacker will send out emails, text messages, and sometimes even phone calls pretending to be your bank or cell phone company. The email or text will provide a link for you to click and will take you to a website requesting your personal information. Always be wary of requests for personal data and trust your instincts if something seems “phishy.” 

Today's blog comes from Chelsey Vance, OIT Risk and Compliance, Senior Risk Analyst.

Monday, October 29, 2018

When it Comes to Passwords, Complexity is Key

Every time you open a new account or are forced to change your password, you’ve probably been prompted to make sure that your password is a strong one. These days strong is not enough. A complex password is what you need.

Attackers have easy access to programs that can attempt to “brute force” guess your password. If passwords are not complex enough, this can take seconds. You have undoubtedly heard that your password should contain at least one uppercase letter and number and be at least eight characters long. That is OIT’s standard for our state workforce, but this may not be enough. Special Agent Scott Augenbaum (Ret.) of the FBI’s Cyber Crime unit devised an easy way to make sure that you have complex passwords.

A helpful practice is to use a sequence that makes sense to you for your passwords:

  • You pick one number and one special character (like *2).
  • Then you use that combination at the front and end of your password *2xxx*2.
  • You can use a sentence that describes the account you use, but only using the first letter of each word.

This way, you can create complex passwords, and all you need to remember is your number and special character and a simple phrase. Here are a couple of examples of how it would work.

For an Amazon account, you could use ‘Love to shop at Amazon’ as the phrase + your number/special character combination, so the password would be *2Lts@A*2. If someone were to see this written down, it would not make much sense.

For Bank of America, you could use ‘This is my Bank of America account’: *2TimboaA*2 or ‘Love to bank at Bank of America’: *2Ltb@boA*2

Note: some sites or apps like Bank of America will only accept certain special characters. If they do not accept your default of * for this example, make sure to note that you have used a different one for that site.
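
The scheme above as a short script (an added example, not part of the original post): it builds the password from a phrase, checks it against the standard quoted earlier, and sizes the exhaustive search a brute-force program would face. The function names, the "at" to "@" rule inferred from the Amazon example, and the guess rate are assumptions.

```python
import string

def scheme_password(phrase, wrap="*2"):
    """wrap + first letter of each word + wrap; the word 'at' becomes '@'.
    Letter case is taken from the phrase as typed."""
    letters = ["@" if w.lower() == "at" else w[0] for w in phrase.split()]
    return wrap + "".join(letters) + wrap

def meets_oit_standard(pw):
    """Standard quoted in the post: 8+ characters, an uppercase letter, a number."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))

def search_space(pw):
    """Candidates in an exhaustive search over the character classes
    that appear in pw, at pw's length."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    return alphabet ** len(pw)

def worst_case_seconds(pw, guesses_per_second=1e10):
    # guesses_per_second is an assumed rate, not a figure from the post
    return search_space(pw) / guesses_per_second

if __name__ == "__main__":
    amazon = scheme_password("Love to shop at Amazon")
    # Constructed comparison passwords, weakest first
    for pw in ("password", "Password1", amazon):
        print(f"{pw:12} standard={meets_oit_standard(pw)!s:5} "
              f"worst case ~{worst_case_seconds(pw):.3g} s")
    # A site that rejects '*' only needs a different wrapper
    print(scheme_password("Love to shop at Amazon", wrap="#2"))
```

The estimate covers blind exhaustive guessing only; it says nothing about guesses informed by a known pattern or a leaked password.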

This method will also ensure that you are not using the same password for multiple accounts. As you know, this is dangerous because if an attacker can find your one password, she or he could have access to more than one of your accounts.

If this method isn’t for you, you can also use password creating/storing apps like LastPass or 1Password. The important thing to remember these days is that strong doesn’t necessarily mean secure; complexity is the key to password security.

Today's blog comes from Chelsey Vance, OIT Risk and Compliance, Senior Risk Analyst.