Where To Keep Your Data, And Why

This week’s topic is Where to keep your data, and why. It is more an information piece geared to getting you to think than a simple tip.

The Tip

These days, many of us work on laptops and take our work with us everywhere. Even if we do not work on a laptop, we probably use a smartphone, and have a large amount of data with us at all times. Although this makes for terrific portability and convenience, to have our office with us at all times, it also opens the door to all sorts of risk to our data and privacy. To be diligent and responsible in this modern landscape, we need to ask ourselves, “what are we keeping on our laptops and why, what should we not be keeping on our laptops, how do we protect what we do store”?

The Detail

This is a complex issue and there are several variables. Broadly, we need to consider privacy and security, not just when we are working but also in the case of loss or theft.

Although most of us never really think about the distinction, we should ask ourselves, “Is this primarily a work computer that I do a little personal stuff on, or primarily a personal computer that I do a little work on?” In either case, it’s probably a good idea to have separate user accounts on the laptop for each purpose. This will prevent things like your personal bookmarks and search history, possibly passwords, and other personal details from coming up when you are doing a work presentation. Think of this in the same way as many of us have separate email addresses for personal and for work.

The biggest risk to your device (and data) is loss or theft. In such a circumstance, you are not only losing the device and the data, you are also risking a 3rd-party getting access to all your data, which could expose all sorts of personal and administrative risk and liability. There are two issues here that need different approaches. The first is actually getting access to your data again in such a circumstance, and the second is preventing a 3rd-party from being able to do anything with your data. There are several strategies for each. Another huge risk to the privacy of your data is crossing borders. The rules around the privacy of your data are more than a little fuzzy, and change on a regular basis from jurisdiction to jurisdiction. In many, if not most cases, you can be legally compelled to unlock your device (and any data on it) to border officials.

So, where should we store our data? There are several approaches, each with pros and cons to consider. We might choose to just do the easy thing and keep everything on our laptop’s hard drive. This is certainly convenient, though it is the most vulnerable to loss or theft. It is also very vulnerable to any border agency that might insist on seeing what’s on your device. We might choose to keep all our sensitive data on a USB drive. Of course these small storage devices are easy to lose, but they are also easier to keep private at customs agencies (if that’s a concern) and, assuming you are carrying them separately from your laptop, they are not a big obvious target for thieves. Regardless of whether you are using local storage or removable media, you absolutely should be using encryption. This is the only protection in the case of loss or theft. Your laptop’s login password will only slow a thief down by a few seconds. Encryption of your hard drive or USB drive is the only way to protect the privacy of your data from theft. Mac OS X and more recent versions of Windows both have encryption tools built-in, and there are several commercial tools available as well.

Of course, privacy is only one concern in the case of loss or theft. So is actually losing all your data, so regardless of where you store your data, regular backups to other storage devices (that you test occasionally) are essential!

The third option for where to store your sensitive data is the cloud. The cloud might mean a business network file-share, services like Google Drive, Dropbox, OneDrive, Amazon, and so on. Cloud storage offers many advantages, provided you have an internet connection. It is the best way to cross a border if you have data you need to be 100% sure remains secure, because none of your sensitive data will actually be on the device that you can be compelled to unlock. It is not vulnerable to theft or casual loss. Many cloud services also offer backups. Most cloud services have a team of security experts working on keeping your data safe and secure. Although cloud services may seem ideal, truth be told, most of the providers have had some security incidents in their history. Of course access to your cloud data will only be as secure as the quality of your password 😉

So, that’s a relatively brief discussion on a few topics you should consider when deciding where and how to store your data. Although I’ve just scratched the surface, I hope this week’s discussion will encourage you to give some thought to these topics, and maybe do a little more reading. At the very least, you should be backing up regularly, and give serious thought to encryption. I’ve included a few links below for more reading, and as always, google is your friend.

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.


Special Security Alert – Spear Phishing

In the last 48 hours, a huge increase in very sophisticated phishing emails is being reported by several major industry partners in the US and Canada, including finance, business and higher education. What is making these ‘Spear’ Phishing attempts so effective is that they contain very targeted and specific personal information in them, such as names and social security numbers, making them very convincing. It’s anybody’s guess where the personal information is coming from, but it’s a good bet that recent compromises at Equifax and others are leading to more and more of these sophisticated attacks.

Please have a look at the PDF Tip Sheet on spotting Spear Phishing attempts.

More information from one of our partners, Beazley Breach Solutions, follows.

March 9, 2018

New Spear Phishing Attack Using Employee SSN As Bait
The Beazley Breach Response (BBR) Services team is currently working with many policyholders who have reported within the last 48 hours that their employees have received and clicked on a new, particularly effective spear phishing email. While the first incidents were reported by credit unions, we have now seen incidents occur across industries, including higher education and utilities.

Spear phishing is a form of phishing that is targeted at the recipient and appears to come from a trusted sender. This new attack is made to look like it comes from FedEx. The phishing emails included the targeted employee’s name and Social Security number. Noteworthy here is that these phishing emails “up the game” by actually including employee personal information in the email, which may be the reason the recipients were tricked into clicking on the email’s links.

The links in the email take the email recipient to a Google Docs page, which retrieves a unicode-encoded Visual Basic (VB) script from Google and uses that as a dropper to download and install malware. Essentially, this means that in these cases there is a reasonable probability of a malware infection that could potentially impact personally identifiable information (PII).

BBR Services is working closely with the affected organizations along with legal and forensic experts to investigate and mitigate any impact and also to find a common source of the compromised information.

If you receive a suspicious email, or anything you are unsure of, please contact techsrv@nipissingu.ca, and we’ll be glad to look into it for you.


Check Before You Click

The Tip

Did you know that many viruses and other forms of compromise can now be spread just by visiting a website? This makes it more important than ever to be careful what you click on!

The Detail

Potentially harmful links can come to you from all sorts of sources including email, facebook, twitter and other social media tools, messaging apps, and more. If you use a reliable anti-virus solution, some of them may warn you, but this is not available to everyone, and not enough. Many fraudsters use URL shorteners to hide where the link will actually take you. You cannot simply avoid these tiny urls though, as they are a useful tool used for many legitimate purposes.

There are several online services which will take a link you provide (copy/paste), and either analyze it for safety, or simply expand where the shortened URL will actually take you, without taking you there. These services are quick and easy to use, and a very useful tool in your cyber security tool chest.
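What such an expander service does behind the scenes, as an added example (not code from any of those services): it asks each server for headers only and reads the redirect target, so the destination page is never loaded. The `.example` hosts, the `192.0.2.10` address and the redirect table are constructed sample data.

```python
import http.client
import ipaddress
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def head_over_network(url, timeout=5):
    """Send one HEAD request; return (status, Location header or None).

    HEAD asks for headers only, so the page body is never downloaded or run.
    """
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, head=head_over_network, max_hops=10):
    """Follow redirects one hop at a time; return (chain, warnings)."""
    chain, warnings = [url], []
    while True:
        current = urlsplit(chain[-1])
        if current.scheme not in ("http", "https") or not current.hostname:
            warnings.append("stopped at a non-web or malformed link")
            break
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break  # no further redirect: this is the final destination
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            warnings.append("redirect loop")
            break
        if len(chain) > max_hops:
            warnings.append("too many redirects")
            break
        if current.scheme == "https" and urlsplit(nxt).scheme == "http":
            warnings.append("downgrade from https to http")
        chain.append(nxt)
    final_host = urlsplit(chain[-1]).hostname or ""
    try:
        ipaddress.ip_address(final_host)
        warnings.append("destination is a bare IP address")
    except ValueError:
        pass  # a normal host name
    if any(label.startswith("xn--") for label in final_host.split(".")):
        warnings.append("destination uses a punycode name")
    return chain, warnings


# Constructed redirect table standing in for the network (offline demo).
SAMPLE_REDIRECTS = {
    "https://short.example/abc": (301, "https://tracker.example/r?id=1"),
    "https://tracker.example/r?id=1": (302, "http://192.0.2.10/login.php"),
    "http://192.0.2.10/login.php": (200, None),
}


def sample_head(url):
    """Offline stand-in for head_over_network, backed by SAMPLE_REDIRECTS."""
    return SAMPLE_REDIRECTS[url]


if __name__ == "__main__":
    chain, warnings = expand("https://short.example/abc", head=sample_head)
    for hop in chain:
        print(hop)
    for warning in warnings:
        print("warning:", warning)
```

Calling `expand(url)` without the `head` argument performs the same walk against the real network.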



Fraud Prevention Month

The Tip
This week’s tip is not so much a tip as it is a public information message. Fraud Prevention Month is an annual campaign held in March that aims to prevent Canadians from becoming victims of fraud.

The Detail

The government of Canada provides a website full of resources to help Canadians battle fraud online, door-to-door, and over the phone. Highlights include a variety of anti-fraud promotional materials, a fraud quiz, several videos, the ‘Little Black Book of Scams’ 1st and 2nd editions, and a calendar of events across the country provided by the Consumers Council of Canada.

Scammers are sneaky and sly. They can target anyone, from youngsters to retirees. They can also target businesses. No one is immune to fraud. One group of superheroes has found a way to see through the scams. Their secret is simple: knowledge is power!

Read on to find out how you can also become a fraud-fighting superhero.

The Little Black Book of Scams 2nd edition

Test your knowledge with the Fraud Quiz

Fraud Prevention Month

Calendar of Events



5 Tips to Securing Your Webcam

The Tip
January 28 was Data Privacy Day. Read this post about the importance of securing your webcam and protecting your privacy. This is a guest-post by Marc Saltzman, who has reported on the high-tech industry since 1996 as a freelance journalist, author, lecturer, consultant, and radio and TV personality. It is taken from The Government of Canada’s ‘Get Cyber Safe Blog’.

In case you missed the news, a young person discovered someone was spying on them via their webcam – while they were watching a DVD movie on their laptop in the bathtub, no less.

Can this really be true? While it’s not likely, it’s technically possible, yes.

It’s a privacy nightmare to think someone has remotely hijacked your webcam and is watching you in front of your computer without your knowledge.

The Detail

And so the following are a few precautions you can take to minimize the odds of this happening.

  • If you’re using an external webcam – that is, one that plugs into your computer’s USB port – only connect it when you need it. Yes, it can be a pain to remember to plug it in whenever you want to Skype or Facetime with someone, but at least you’ll know 100 percent you aren’t being spied on if there’s no camera connected.

  • Some external cameras have a small cover you can close over the webcam lens, so be sure you take advantage of this when you’re not using it. If your webcam doesn’t have this, you can point it to the ceiling until you need it, or place a small piece of electrical tape on the front of the webcam – but don’t place it directly over the lens or else it could damage it.

  • If your laptop or desktop has a built-in webcam, be sure to have good computer security software installed (which you should have anyway, of course). A good security suite includes antivirus, anti-spyware, a firewall and other tools to keep the bad guys from getting in. Good web browsers should also notify you if your webcam is being activated and you may be prompted to agree.

  • If you need to have your computer repaired, take it to a trustworthy source or else an ill-intentioned technician could secretly install spying software on your PC; ensure remote access programs aren’t on your laptop or desktop you didn’t install yourself. If you find something, immediately uninstall it and bring it to a trusted source.

  • Be sure your wireless network has strong security settings and a good password to prevent outsiders from accessing your Wi-Fi network without your consent. Another tip is to go to the webcam’s settings/options and enable some kind of notification when it’s being used, such as a small light that turns on near the webcam or a sound alert – if it doesn’t do it already (most will have a small light illuminate when activated).

For more of Marc Saltzman’s tips, reviews and videos, follow him on Twitter: @marc_saltzman


The Culture of Security

This week’s topic is The Culture of Security


The Tip
Our community has its own culture. We have a standardized method of communication. We have dress codes. We have expectations, rules, and a collective personality that exists in the university. All of us have a responsibility to increase our own cyber-security awareness. In fact, that’s one of the important aspects of our culture. How we position ourselves against the threats we face determines the overall health of our organization, which impacts every person in it! That’s why we need strong human firewalls, like you, who think before clicking, report unusual events, and always follow workplace policies and procedures.

The Detail

How can you contribute to our security aware culture?

  • Lead by example and work together. While we expect everyone to remain security aware on an individual basis, don’t forget that combating cybercrime requires teamwork!
  • Stay alert in all three domains: Cyber, Physical, and People. The threats we face are not isolated to just cybercriminals and phishing emails.
  • Report all security incidents. Even if you’re not sure if something should be considered “an incident,” it’s better to be safe than sorry!
  • Follow workplace policies and procedures especially as they pertain to security. Policies and procedures are never meant to be a hindrance to your work, though it may feel that way at times. Policies and procedures are how we support and protect everyone.
  • Take the culture home with you. Transfer your security aware efforts to every part of your personal life! Create an at-home security policy and have open dialogues about security with your family.


The 10 Tenets of OpSec

From Beazley Breach Response Services and Lodestone Security

Operations Security, or OpSec, is the mindset of using secure practices. Practicing OpSec helps keep us safe from ne’er-do-wells.

  1. Secure your space
    Don’t leave sensitive documents out when away from your workspace. Lock them away when you leave your desk, and if you can’t, get them out of sight.
  2. Stay aware of your surroundings
    Pay attention to tailgaters, shoulder surfers, and strangers. If you see a stranger in the office without a badge or ID, direct them to the security desk.
  3. “For your eyes only”
    If your organization classifies data as sensitive, private, or confidential, label documents and files so people can understand how they should be handled. If you discover sensitive information that’s not properly protected, report it immediately.
  4. Use stronger passwords
    Longer is stronger. Instead of easy-to-crack passwords like Password1!, use a passphrase, like ‘1 Red Elephant Balloon Maker?’, or a sentence you can easily remember. Or use a password manager to create and store secure passwords.
  5. Don’t mix business and leisure
    When you use work email for Internet play, you give the bad guys more opportunities to get in. Use work email for work, and your own email for personal matters.
  6. Secure your personal devices
    If you use your own cellphone or laptop for work (“bring your own device” or BYOD), use anti-virus software and keep your computer and applications updated. If you have a work laptop or device, use it only for work and don’t expose company assets to unnecessary risk.
  7. Don’t get “attached”
    Word documents and PDFs can hide exploits sent by a hacker. Opening the file or enabling macros can give an attacker control over your computer. If you get an unexpected or strange email attachment from someone you know, call to check whether it’s legit.
  8. Use it and lose it
    If you find a stray USB drive or removable hard drive, don’t plug it in. It’s an old hacker trick to litter the area around an office with infected USB devices. Don’t plug in a hacker’s weaponized USB, send it to IT!
  9. Beware of Wi-Fi eavesdropping
    Bad actors can easily impersonate known Wi-Fi connections using a cheap device that can kick you off a router and fool your device into happily accepting a faster connection. Don’t ignore browser warnings. Use a secure virtual private network (VPN) or tether to your own phone or hotspot. If you have to use an untrusted connection, avoid sensitive activities like online banking or logging into work webmail.
  10. Travel smart
    On a plane, train, or public transit, you’re not protected like at the office. Privacy screens help keep your work private. Lock your computer when you’re not using it, and lock up laptops and sensitive documents safely when you’re done for the day. Take sensitive documents back home if you can’t dispose of them securely.

Source: Lodestone Security, www.lodestonesecurity.com, info@lodestonesecurity.com


Mobile Device Security, Are You Doing Enough?

This week’s topic is Mobile Device Security, Are You Doing Enough?

The Tip
Most of us don’t think about it, but chances are your smart phone is more precious than your wallet or your keys, and in many cases, your actual computer. Although we all might think about it occasionally, most of us don’t do more than a 4-digit passcode and hope for the best.


The Detail

With that in mind, here are some basic but important tips that will help keep your sensitive information secure, even in the event of a theft of your phone.

Always lock your phone with a password
One of the most basic but often overlooked tips is to secure your phone with a password. Swipe patterns are ok, but finger-trails easily reveal these. A 4-digit passcode is an improvement, but using a strong passphrase is the ideal protection. Even if your phone is stolen, this basic protection will stop most thieves from getting your data. Most phones can also be set to auto-erase with too many failed login attempts, if you need additional security.

Ensure your device locks itself automatically
If you set up password protection, but leave your phone unlocked on your desk for long periods of time, you’re not secure. Most phones can readily be set up to lock automatically after a period of inactivity. Choose the shortest amount of time you are comfortable with. A couple of minutes is appropriate, even if it seems a tiny bit inconvenient.

Keep your phone up-to-date
Update your OS and apps regularly. These updates often include important security and vulnerability updates. If you’re nervous about teething problems on the bleeding edge of updates, at least get the reminders, but don’t forget to eventually update. Minor version updates are almost always security related.

Only download apps from approved sources
Apple’s App Store and The Google Play Store take security seriously and do the best they can to watch for vulnerable apps. Don’t jailbreak your devices to get access to other apps, and read user reviews before downloading new apps. There is often good information there.

Install anti-virus software
Although not as widespread as on desktop computers, viruses and other problem software still exist on mobile devices. Most major antivirus companies have apps for your mobile device.

Use discretion when downloading apps
It’s easy to get excited about the wealth of low-cost or free apps available. Most of us add apps of all sorts without too much research. Don’t download apps you don’t really need, and clean up your apps from time-to-time. Also, it’s important to see what permissions your apps are asking for. You can expect a mapping app will want to know your GPS location, but if an alarm clock wants access to your contacts database, you might want to treat that with extreme caution.

Stick to window-shopping on public WiFi
Public WiFi networks have popped up all over the place, and are very handy, but security on these networks is scarce at best, and non-existent typically. Be very careful what you do on public WiFi as the chances are pretty good that others may be watching network activity. In particular, avoid activities that convey a password or account or credit card number, unless you are absolutely sure you are using a secured connection.


Email Privacy, is it really?

This week’s topic is Email Privacy, is it really?

The Tip

There’s an old saying that email is about as secure as a postcard. Is that still true? The answer is yes and no. For most of us most of the time, it’s private enough. For some uses, we should be cautious.

The Detail

This should come as no surprise anymore, but your email isn’t private. In fact, it’s one of the least secure methods of communication you can use. Emails are stored at multiple locations: on the sender’s computer, your Internet Service Provider’s (ISP) server, and on the receiver’s computer. Deleting an email from your inbox doesn’t mean there aren’t multiple other copies still out there. Finally, due to their digital nature, they can be stored for very long periods of time, so think twice before writing something down in an email you don’t want others to see.

Much of this is mitigated for us, due to the way we use and deliver email at Nipissing via Google Apps. Gmail does encrypt data over their internal network, so if you are corresponding between Nipissing email accounts, using the Gmail client, your communication should be encrypted and remain fairly secure. This is one of the advantages in using the Gmail suite.

However, while Gmail encrypts email over their network, their encryption only protects data that is on their servers – not while it is bouncing around on other servers on the Internet, meaning that your data is still vulnerable when corresponding outside the network, unless you adopt a solution that provides client-side encryption. This is not necessary for most users, just doing day-to-day correspondence. Just like a postcard going through the postal mail, most people stumbling across it couldn’t be bothered or interested to look at it. If however you are emailing sensitive documents and data around, outside of our network, you might want to consider a few other strategies. Client-side encryption takes some setup and most users couldn’t be bothered or find it confusing. That said, it is effective and essential for some types of communication, once you jump through the initial hoops. Using services like Dropbox or Google Docs/Drive is a safer method for sharing sensitive documents than sending them as attachments.
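To see which servers handled (and so may hold a copy of) a message, and whether each handoff was encrypted, you can read the `Received` headers every mail server stamps on it. This is an added example, not part of the original tip; the message and all host names in it are constructed, and because each server writes its own line, entries from servers you do not trust are only an indication.

```python
import re
from email import message_from_string

# "with" keywords that RFC 3848 registers for a TLS-protected transfer.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Pulls "from <sender> ... by <receiver> ... with <protocol>" out of one header.
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I)

# Constructed message: three handoffs, the last one without TLS.
SAMPLE = """\
Received: from mx.partner.example (mx.partner.example [203.0.113.7])
    by inbox.recipient.example with ESMTP id c3; Mon, 5 Feb 2018 10:00:04 -0500
Received: from relay.isp.example (relay.isp.example [198.51.100.20])
    by mx.partner.example with ESMTPS id b2; Mon, 5 Feb 2018 10:00:03 -0500
Received: from laptop.sender.example ([192.0.2.44])
    by relay.isp.example with ESMTPSA id a1; Mon, 5 Feb 2018 10:00:01 -0500
From: alice@sender.example
To: bob@recipient.example
Subject: quarterly numbers

See attached.
"""


def delivery_path(raw_message):
    """Return the handoffs in delivery order, each marked TLS or not."""
    msg = message_from_string(raw_message)
    hops = []
    # Every server prepends its own line, so the oldest hop is last: reverse.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header line folding
        match = HOP.search(flat)
        if not match:
            continue  # header in a shape this example does not parse
        sender, receiver, keyword = match.groups()
        keyword = keyword.rstrip(";").upper()
        hops.append({"from": sender, "by": receiver, "with": keyword,
                     "tls": keyword in TLS_KEYWORDS})
    return hops


def plaintext_hops(hops):
    """Handoffs where the message crossed the network unencrypted."""
    return [(h["from"], h["by"]) for h in hops if not h["tls"]]


if __name__ == "__main__":
    path = delivery_path(SAMPLE)
    for hop in path:
        state = "encrypted" if hop["tls"] else "NOT encrypted"
        print(f'{hop["from"]} -> {hop["by"]}: {hop["with"]} ({state})')
    print("servers that handled a copy:", [h["by"] for h in path])
```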



Patch, Patch, Patch – You need to stay up-to-date

This week’s topic is Patch, Patch, Patch – You need to stay up-to-date

The Tip

There are going to be a lot of updates released in the weeks to come for your phone, your tablet, your computers… it is more important than ever to keep your devices fully up to date.

The Detail

If you follow much news at all, you’ve likely heard a lot about the Meltdown and Spectre security threats, which became public news around the holiday break. In a nutshell, security vulnerabilities at the base chip level, affecting Intel, AMD, ARM, and possibly other processors, have been discovered. This impacts pretty much every device with a computer in existence. Industry insiders learned of this vulnerability under nondisclosure agreements several months ago and immediately began developing engineering mitigations and updating cloud infrastructures.

In the days ahead, there will be a lot of patches released by all vendors to help protect against these very real concerns. Some have already been released, and likely applied. Many servers and cloud services have been updated. Apple and Microsoft have both released updates in the last few days to deal with this. More will follow. Some older devices may be left behind, and if you’re hanging on to that ancient iPhone or desktop running Windows XP, it may be time to retire them. Older systems that are patched can expect noticeable slowdowns in performance. Newer systems (2016+) running modern operating systems (Windows 10 or Apple High Sierra) should see considerably less of a performance impact.

If you have questions or concerns about applying an update, please contact UTS Support.


USB Flash Drive Security – It’s Important

USB drives are so pervasive in today’s world of technology, that it’s all too easy to become blasé to the many risks in using this very useful and ubiquitous technology.

Risks inherent with USB Flash Drives fall into two broad categories. 1) Virus/malware and 2) Data theft.

1) What Can a “Bad” USB Stick Do?

A malicious device can install malware such as backdoor Trojans, information stealers and much more. They can install browser hijackers that will redirect you to the hacker’s website of choice, which could host more malware, or inject adware, spyware or greyware onto your computer. While the ramifications of these threats can range from annoying to devastating, you can stay protected from these threats by keeping anti-virus software installed and up-to-date, and by using it at all times. Finally, do not plug unknown flash drives into your computer.

2) What can a “Lost” USB Stick Do?

So, you’ve taken all the steps to keep your desktop secure, your internet usage safe, your passwords robust… and then bringing some data home from work on a USB drive, you misplace the drive. If there was anything sensitive on there, the consequences could be significant. Fortunately, it is easy to protect yourself from this risk by keeping your flash drives encrypted. Although some higher end drives actually have hardware encryption built-in, there are several inexpensive software solutions for USB disc encryption. In fact, all modern versions of Windows and MacOS come with encryption tools built in.

For more information, try googling ‘USB safety’ or ‘USB security’. There is a large selection of articles out there on these topics. UTS would also be happy to talk with you about this, and will be sending more information in the weeks and months ahead.





Password Managers – You should be using one

This week’s topic is Password Managers – You should be using one

The Tip

The majority of us use not-so-strong passwords, and reuse them on different sites. After all, how are you supposed to use and remember strong and unique passwords on all the websites that you use? The answer is a password manager.

The Detail

Using a password manager is one of the top safety practices recommended by security experts. Password managers are easy to use. They store your login information for all the websites that you use, and will help you login automatically. They encrypt your password database with a master password, and that is the only one you will need to remember. They will also generate strong passwords for you, for new accounts and for updating old, weak passwords, and can be used with 2-factor authentication.

Password databases can be shared across multiple devices, and are always in sync, so you have the right information with you on your phone, or tablet, or home or work desktop computers.

Password managers solve the problem of having to remember multiple and complex passwords, removing the temptation to reuse passwords on multiple sites. They are easy to use. You do not need to sit down and spend hours getting one set up. You just start to use it, and as you visit sites and log in, they will capture your info for future use. They can also be used for storing PINs and credit card info, should you wish, as well as secure notes. The more sophisticated managers out there will also let you share some password details with a spouse’s account, or other team setting.

Password managers come in several free and commercial versions, from several reputable vendors. Spend a few minutes and read a few reviews to find the product that is right for you. Most have free versions available with commercial licensed upgrades available for more features.

Some of the popular ones include LastPass, Dashlane, 1Password, KeePass, but that is by no means an extensive list. There is a good side-by-side review here, with further information on why password managers are so important.


