Security Matters

Quercus is the University of Toronto’s (U of T) web-based platform that instructors and students use to access course content, interact with one another, explore a range of tools and more.

With the increase in virtual classrooms this year, Information Technology Services’ Academic and Collaborative Technologies (ACT) team recently released new additions to the academic toolbox. These tools are available to help faculty enhance their courses and enrich the “classroom” learning experience for students.

Tools that support goals and learning outcomes

As of August 2020, new tools now available in Quercus include Top Hat, Piazza, Labster and the OneDrive (Office 365) integration. Review the full list of new tools for faculty, including an brief synopsis of what they are and how they are used.

Quercus Support Resources hub

For more information and support on remote teaching assistance, visit the Quercus Support Resources hub.

Audio/video recordings

There are several possible reasons a lecture or class session might be recorded for teaching and learning purposes. For example, to provide learner(s) an accommodation associated with a cognitive or physical disability, as a study aid and/or due to a missed class. This process might be initiated by the instructor or by the student. Learn more about the considerations, guidelines and policies that apply to lecture recordings: https://teaching.utoronto.ca/ed-tech/audio-video/.

Quercus: Fun facts!

The fall 2020 semester at U of T has been like no other. Here is a quick look at some of the Quercus activity the University has experienced (this data captures the 30-day period from Aug. 19 to Sept. 17, 2020).

A new program — called Data Asset Inventory and Information Risk Self-Assessment (DAI-IRSA) — is launching this month to help University of Toronto (U of T) staff understand their data assets and information risks and work together to manage them.

Through a partnership between Information Security and Data Governance, DAI-IRSA supports units throughout their data governance and information risk management journey and within a common framework for identifying data assets and risks to those assets. Additionally, each unit’s contributions to this program helps the University understand the shared challenges related to data governance and information risk across the institution. “You can’t govern and protect what you don’t know you have,” explains Jeff Waldman, Manager, Institutional Data Governance, Planning and Budget.

Why is this program important to you?

The DAI-IRSA program provides a simple-to-use toolkit for units to describe their data assets and information risk, specific to their context, and lays the foundation for data governance and information risk management activities. Support is provided throughout the process in a format of the user’s choice, either through structured workshops or self-directed learning opportunities.

Attend the Oct. 28 launch event

A DAI-IRSA program launch event will be held virtually on Oct. 28 at 11 a.m., during which Information Security and Data Governance staff will host a discussion on the program overview and provide information on how to enrol. Consider attending if you are an administrative or IT manager, business officer, Information Security professional or IT professional. Register here.

To learn more about DAI-IRSA, visit uoft.me/IRSA or contact dai.irsa@utoronto.ca.

The University of Toronto’s (U of T) Information Technology Services (ITS) has educational and fun activities planned for this year’s Cyber Security Awareness Month (CSAM) campaign (throughout October) to help raise awareness in the community about cyber security best practices.

Get the most out of this year’s campaign by taking part in:

Ask Me Anything

Do you have questions about how to protect yourself or your work environment against cyber threats? Do you want clarification on any of the Information Security programs promoted during CSAM 2020? If so, please share them using this form.

Your questions will be answered by the Information Security team and shared in an article once the 2020 campaign ends.

CSAM Trivia

At the end of each week — from Oct. 9 to Oct. 30 — a new set of trivia questions will be released. The questions will focus on the materials released that week and reference links will be provided. For each correct result, the participant will be entered into a raffle to win Amazon gift cards at the end of the month! Stay tuned for weekly announcements.

 

For a full list of CSAM 2020 activities, visit the events calendar.

Students, faculty and staff are invited to meet and engage in conversation with the University of Toronto’s (U of T) Chief Information Security Officer (CISO), Isaac Straley, at a virtual Coffee with the CISO event.

Straley joined U of T in 2018 and he holds the inaugural appointment of CISO at the University. As the CISO, he is responsible for providing strategic leadership and oversight of U of T’s information security and privacy programs. He leads senior technology managers and staff on securing University systems and data assets and implementing practices that meet U of T’s policies and standards for information security. In addition, the CISO identifies, evaluates and reports information security risks to the chief information officer.

As part of this year’s Cyber Security Awareness Month (CSAM) campaign, Isaac is hosting a one-hour session for staff and faculty:

• Oct. 7 at 2 p.m. (staff/faculty session) — Event ended.
• Oct. 27 at 11 a.m. (student session) — Register here.

Attendees will join Isaac Straley for an engaging conversation — discussing his role as CISO, data privacy and security and how it relates to our higher education environment. Come prepared with topics or questions that interest you, as these sessions are open conversations between Isaac and the attendees.

As spots are very limited, those who have had the opportunity to engage with Isaac in the past are encouraged to leave a spot for those who haven’t.

Every October, Cyber Security Awareness Month (CSAM) is recognized by individuals and organizations across the globe. The University of Toronto (U of T) is no exception; Information Technology Services (ITS) hosts an annual tri-campus community CSAM campaign to raise awareness and educate staff, faculty and students about how to protect themselves and their work environments against malicious cyber threats.

With remote working, learning and teaching having become the “new normal” for 2020, this year’s CSAM campaign at U of T will be themed: “Remote Security Matters” and will focus on the programs available to help the U of T community practice online safety.

“Security always matters, but being mobile amplifies the need for innovative security practices to be put into place and communicated,” explains Isaac Straley, U of T’s Chief Information Security Officer (CISO). “This remote lifestyle requires a different approach to how we practice cyber security and is an ongoing effort that we are tackling head-on.”

The campaign will revolve around the programs and services that U of T’s Information Security team have put in place to protect our at-home and on-campus community. In addition to remote security, each week of CSAM 2020 will focus on one of these programs, including Multi-Factor Authentication (MFA), Information Risk Self-Assessment (IRSA), and a new framework for baseline security controls.

“Working and learning both look a little different this year, and we take the responsibility of addressing and educating the community about online safety very seriously,” says Luke Barber, Director of Information & Instructional Technology Services for U of T Mississauga. “We are excited to share the resources and education coming out of the Mississauga campus and through our tri-campus efforts.”

For 2020, CSAM activities at U of T will include virtual activities and events. Highlights of the campaign include:

• Oct. 7: Coffee with the CISO for staff and faculty
• Oct. 21: Get to know your Information Security team: webinar panel
• Oct. 27: Coffee with the CISO for students
• Oct. 28: DAI-IRSA launch event
• Oct. 29: Secure Together conference
• Ongoing: Weekly trivia with raffle prizes
• Ongoing: Ask Me Anything

These activities and events, in conjunction with the various resources that will be released each week, will give the U of T community an opportunity to connect with the ITS team and learn about best practices for remote cyber security.

Visit these pages throughout October for more information and to stay updated on CSAM news and activities:

• Security Matters website
• Events calendar
• CSAM 2020 Resource page
• UTM CSAM webpage
• UTSC CSAM webpage

CSAM is a tri-campus initiative so be sure to visit your local campus IT department website and social media for additional resources specific to your location.

In an increasingly digital world, cyber security issues are an inevitable (and ever-growing) part of the landscape. As a result of COVID-19’s increased effect on security breaches, this continues to be a hot topic in local, national and international news coverage. Here is a brief roundup of some of the most interesting recent news items from the past month.

Malicious Google Chrome extensions found available for download in Chrome store

Malicious applications (apps) made their way into the Google Chrome store, disguised as legitimate apps. Once installed, these apps took screenshots, read data and stole login information from users. Google has since prevented more than 100 malicious Chrome extensions.

Takeaway: Cyber attackers are constantly looking for new vulnerabilities in the software your devices use. When they discover vulnerabilities, they use special programs to exploit them and hack into the devices. Learn how to protect yourself against malware.

Tim Hortons mobile app tracks more than meets the eye

Tim Hortons is under scrutiny for not disclosing the high level of user location tracking made possible through their app. The company’s app uses technology that checks locations on mobile phones, uses GPS coordinates to infer the location of customers’ homes and workplaces and notes every time they may have visited a competitor. However, Tim Hortons does not disclose this level of information to app users.

Takeaway: Privacy practices are not always as they seem. Managing settings on your devices to disclose as little information as possible is a good start. Turn off locations services when available or only enable location settings when the application is in use.

COVID-19 lockdown inspires malware attack on fashion retailer

One day after closing all 3,000 of their stores due to the COVID-19 lockdown, fashion retailer Claire’s online presence was hacked. Payment skimmers and malicious code were added to their online stores to steal customer data and credit card information.

Takeaway: Online shopping is always a risk, even if the retailer is legitimate and the website appears to be safe. Once notified by Sansec, Claire’s confirmed that they identified and removed the unauthorized code and took additional measures to reinforce the security of their e-commerce platform.

Fake COVID-19 tracing app with ransomware targets Canadians

Shortly after Prime Minister Justin Trudeau announced the approval of a nationwide COVID-19 tracing app, hackers took advantage and launched a fake government website with a malicious app for download. Once downloaded, the app activated a program that stole the user’s data and held it for ransom.

Takeaway: Malicious websites are designed to look very convincing. Check the website URL to confirm you are on a legitimate website before downloading files or providing personal information. In this case, Communications Security Establishment researchers were able to crack the app’s code and wrote a decryption tool that rescued victims’ data.

Outdated Windows versions puts users at risk through Zoom software

A researcher discovered a vulnerability for Windows 7 (or older) users who are running the Zoom video conferencing software on their devices. To exploit the Zoom vulnerability, an attacker simply tricks the user into opening a document file.

Takeaway: Enable automatic updates on your devices. By ensuring your computers and mobile devices install these updates promptly, you make it much more difficult for hackers to succeed.

 

For more tips on staying safe online, visit the Remote Security Matters webpage.

In addition to the increasing number of COVID-19-related scams globally, the University of Toronto (U of T) continues to receive reports of common email phishing attempts crafted to look like enticing job opportunities, requests to update or migrate to a new system and more. In light of this, U of T students, staff and faculty are encouraged to continue to maintain caution when dealing with suspicious emails, texts or phone calls.

Here are two reported email phishing attempts with some common red flags highlighted. Visit the Phish Bowl for more.

By using mail.utoronto.ca email addresses and credible-appearing signatures, these phishing attempts have the potential to be detrimental to the U of T community. To protect against these types of phishing attempts, please review tips for how to spot a phish.

What can you do if you suspect a phishing attempt/attack?

• Report it using the “report message” function in your Office 365/UTMail+ inbox and to report.phishing@utoronto.ca
• When in doubt, call the sender by phone to confirm the email was really from them
• If you opened an attachment or link that was provided in a phishing email, reach out to your local IT service desk immediately