Working from home on personal devices

For safe and effective account management on your personal devices while working from home, follow these top five tips: 

  1. Create a password-protected user account that you only use for work.
  2. Create a separate account for everything else, including online shopping, casual web-surfing, watching Netflix, etc. Where possible, create additional accounts for anyone else who might use your computer (e.g. family members, roommates, guests).
  3. Make sure your work account automatically locks after short periods of inactivity. This will prevent accidental use of your work account by other users.
  4. Limit yourself to one administrative account on the computer that is used to authorize updates.
  5. Use different passwords to access each account. Review these tips for creating strong passwords.

Looking for more tips on working remotely? Visit Remote Security Matters.

Cyber threats on the rise for health care and research

The Canadian Centre for Cyber Security has been monitoring an increase in targeted attacks during the COVID-19 pandemic and has published curated advice and guidelines for targeted institutions and IT professionals.

Cyber attackers monitor current affairs across the globe to find ways to exploit fear and uncertainty and increase their success rate. It is no surprise that the current global pandemic has given malicious attackers opportunities to target individuals and institutions involved in healthcare and research, in addition to the general public.

More information and the full PDF tip sheet can be downloaded from the Canadian Centre for Cyber Security website.
Baseline Security Controls. Read linked pdf

Below are some quick links to cyber security resources, which can also be found in the tip sheet.

Cyber Security Best Practices:

Additional Information

Click here for more information on the Canadian Centre for Cyber Security.

Take 5 Minutes to Improve Your Online Safety

University of Toronto’s Citizen Lab provides the community with a simple visual tool that helps internet users navigate complicated privacy and security concerns in an ever-evolving digital world.

Security Planner is an easy-to-use guide that outlines how to stay safe online. Whether you are online for personal or professional reasons, answering three simple questions will generate a personalized list of recommendations with step-by-step instructions based on your specific concerns and environment.

Try out Citizen Lab’s confidential and free Security Planner service. Simply select what applies to you and get on track to a safer online experience!

Receive personalized recommendations based on:

  • What device(s) you are using
  • Your personal security concerns
  • Areas of information security that interest you most or scenarios that are best suited to your situation

Block Known Malicious Sites from Home

The Canadian Internet Registration Authority (CIRA) has announced a new security service to protect individual Canadians from accessing malware sites. It’s called Canadian Shield and it provides three levels of protection, ‘private’, ‘protected’ and ‘family’, by filtering DNS queries. User-friendly instructions are provided to set up a full range of devices and there is no charge for the service. Learn more here.

When set to ‘protected’, the service will block HTTP and HTTPS connections to known malware and phishing sites as well as protect the privacy of DNS queries. In the case of HTTP, users receive a notification explaining why access to a site was blocked, whereas HTTPS attempts will result in an error message.

This type of DNS protection is known to be effective in blocking malicious sites, reducing the likelihood of malware infections and reducing the effectiveness of phishing attacks.

This article from the Canadian Centre for Cyber Security provides a detailed explanation.

This video from Waterloo University demonstrates where to make changes in your router.

Image shows how Canadian Shield protects users from accessing known malicious sites

Protect Your Network

Almost every home network starts with a wireless (often called Wi-Fi) network. This means securing your wireless network is a key part of protecting your home. We recommend the following steps to secure it:

  • Change the default administrator password on the device controlling your wireless network. The administrator account is what allows you to configure the settings for your wireless network.
  • Ensure that only people you trust can connect to your wireless network. Do this by enabling strong security, including requiring a password for people to connect to your wireless network. Once connected, their online activities are then encrypted.
  • Make sure the password you provide to people using your wireless network is a strong password and that it is different from the administrator password.
  • Remember you only need to enter the administrative password once for each of your devices, as they store and remember the password.

Not sure how to perform these steps? Ask your Internet service provider, check their website, check the documentation that came with your wireless access point, refer to the vendor’s website, or review the first 80 seconds of this video:

Other tips to protect your home are:

  • Know and secure other network devices in your home
  • Keep your home systems up to date
  • Use two-step verification for your online accounts
  • Back up your data

Details are also shown in the fact sheet on “Creating a Cyber Secure Home.”

Protect Your Passwords

When a site prompts you to create a password: create a strong password — the more characters it has, the stronger it is. Using a passphrase is one of the simplest ways to ensure that you have a strong password. A passphrase is nothing more than a password made up of multiple words such as “beehoneybourbon.” We recommend you also use a unique passphrase for each device or online account. This way if one passphrase is compromised, all of your other accounts and devices are still safe.

Can’t remember all your passphrases?

Use a password manager, which is a specialised program that securely stores all your passphrases in an encrypted format (and has lots of other great features too!). Finally, enable two-step verification (also called two-factor or multi-factor authentication) whenever possible. It uses your password, but also adds a second step, such as a code sent to your smartphone or an app that generates the code for you. Two-step verification is probably the most important step you can take to protect your online accounts and it’s much easier than you may think.

See more detail in this document.

Image showing steps to protect your password

Additional Security Matters articles about passwords:

Remote Security Concerns

We know that working from home is different — perhaps overwhelming — as you adjust to your new environment. One of our goals is to enable you to work as securely as possible from home. Below are some simple, effective steps to working securely. The best part is all of these steps not only help secure your work, but they will make you and your family far safer as you create a cybersecure home.

Useful Sites

The following is a list of useful cyber security sites:

| Date | Internal/External | Site |
|---|---|---|
| 2020-03-30 | Internal | U of T ITS IT Preparedness |
| 2020-03-30 | Internal | Special Advisory on COVID-19 Phishing, Mar 19, 2020 |
| 2020-03-30 | Internal | CTSI Resources for Instructors |
| 2020-03-26 | External | Canadian government guidance |
| 2020-03-26 | External | UK government training |
| 2020-03-26 | External | SANS Security Awareness blog |
| 2020-03-26 | External | General guidance (cygenta.co.uk) |

Protect Yourself Against Malware

Cyber attackers are constantly looking for new vulnerabilities in the software your devices use. When they discover vulnerabilities, they use special programs to exploit them and hack into the devices. Meanwhile, the companies that created the software are hard at work fixing these vulnerabilities by releasing updates.

Here are some tips and resources to help protect your devices against malware while working remotely:

  1. Enable automatic updates on your devices. By ensuring your computers and mobile devices install these updates promptly, you make it much harder for someone to hack you. This rule applies to almost any technology connected to a network, including not only your work devices but also Internet-connected TVs, baby monitors, security cameras, home routers, gaming consoles or even your car. If your computer is managed by your department, automatic updates may already be enabled.
  2. Install Microsoft System Center Endpoint Protection (anti-virus for Windows); it is available for no charge on University-owned or leased equipment. See microsoft.utoronto.ca for more information.
  3. If you are using a work-provided computer remotely, be sure to only download and use products and software that are approved by your department.
  4. See this tip sheet on how to protect yourself from phishing attacks.
  5. Promptly report incidents to your IT personnel. See this list of contacts for details.

See more detail in this document.

Image with attached PDF on staying safe from malware

Additional Security Matters articles about malware:

Protect Yourself Against Personalized Attacks

During this time of change and confusion, personalized cyber attacks are more common and have a greater success rate.

Here are some tips and resources to help you stay safe when working remotely:

  1. Get familiar with the different types of social engineering.
  2. Learn how to spot a phish! The best offence is a good defence!
  3. Learn about the anatomy of a phish.

If you suspect a social engineering attempt, follow this checklist:

  • Resist the rush: If someone pressures you to act quickly, it is most likely an attack.
  • Recognize the ‘bag of tricks’: If something sounds suspicious or too good to be true, it probably is.
  • Think before you click: Be cautious. One wrong move could infect your device and spread the infection to others.
  • If you are not sure, ask: Ask your manager or your administrator if what you are being asked to do is unusual; ask through your normal methods.
  • Do not respond unless you are certain: Do not provide your phone number or respond to emails. Hang up the phone if you feel threatened.
  • React quickly if you think your account or computer was compromised: Change your password and contact your local IT department.

See more detail in this document.
Image of Social Engineering Personalized Attacks

Want to learn more about malware and its effect on the U of T community?

Here are some Security Matters articles on previous incidents that involve social engineering: