Cyber threat trends for 2020

In February, IBM released its 2020 Threat Intelligence Index to highlight the most prominent cyber security risks and trends collected from the past year. With a good understanding of this report, organizations can make well-informed decisions on the battle against cyber crime and learn more about protecting data online.

Cyber crime trends and approaches

As the use of smart devices is now a reality, cyber criminals are using internet of things (IoT) devices such as smart home hubs, connected security systems and smart thermostats to threaten both consumers and enterprises. Malware campaigns tracked by IBM in 2019 showed a shift from targeting consumer electronics to targeting enterprise-grade devices, a new trend that did not appear in 2018.

In terms of the approaches that attackers use to initiate cyber attacks, phishing was the leading method used in 2019, accounting for 31 per cent of initial attacks. At 30 per cent, scan-and-exploit was the secondary approach used by attackers to inspect target environments for vulnerabilities. The third most popular method (29 per cent) was the use of stolen credentials to access data.

Industries being targeted

The top targeted industries in 2019 included financial services, retail, transportation, media, professional services, government, education, manufacturing, energy and health care.

Key lessons for 2020

With cyber security in mind, the Information Security Team and the chief information officer at the University of Toronto continue to implement various initiatives including anti-phishing exercises, cyber security seminars and events such as Cyber Security Awareness Month and Data Privacy Day to help staff and students protect their data online.

As key takeaways from this report, organizations should consider the following action plans to better prepare for cyber threats in 2020:

  • Gain a better understanding of cyber security threat motivations and tactics;
  • Build and train in-house incident response teams;
  • Practice and test incident response plans.

Read the full report to learn more.

Tips for travelling with devices

When we consider the risks associated with travelling, it’s important to remember the risks that stem from the devices we bring with us. With March Break approaching, now is a good time to refresh your memory with best practices for travelling with your devices.

Protect your passwords

Before you depart, wipe all stored passwords from your device applications and browsers and turn off the “remember me” feature. To be extra cautious, you can also change your existing device and online account passwords to temporary passwords.

Get permission

U of T staff and faculty must ensure they have the departmental authorization to take data off-site. Always check with your departmental contact first.

Prepare for the worst

In case of loss, make sure you know how to remotely wipe your personal devices. Travel with a copy of your cellular provider’s toll-free phone number so you can quickly have service suspended or blocked.

Keep your devices close

Always keep your devices with you. Pay extra attention at airport screening and other security checkpoints and never leave your belongings unattended at events or conferences.

Be cautious

Practice the same caution you would at home. Don’t download or click links from untrusted sources and delete emails that seem suspicious.

Travel light

Don’t travel with confidential data on your phone or computer. Empty the devices you will take with you and create temporary online data stores.

Use trusted devices only

If you need to bring a portable hard drive or USB drive with you, ensure the devices are trusted and encrypted. Never use an unfamiliar or untrusted device for this purpose.

Strengthen your password

Make sure all devices and accounts are protected by strong passwords. A strong password is either short and very complex or long and easy to remember. If possible, set up multi-factor authentication.

Burner or backup

Use a “burner” device on a temporary basis when travelling. If you choose to bring your own personal devices, back up your information to a cloud service or to a secure device you leave at home.

Update, update, update!

Make sure the software on all your travel devices is up to date. Updates to your computer software and mobile device apps fix security gaps you may not be aware of.

Jan. 27, 2020 – CRA scam targets university communities

I am writing to advise you of an email scam circulating from what appears to be the Canada Revenue Agency (CRA). This current scam is targeting students, faculty and staff at universities across the country. It states that a tax credit is owing to the recipient and requests a response in order to receive the refund.

Given that we are in the midst of tax season, more of this type of activity may appear in the coming weeks and months. While the Information Security team and your local IT are working together to reduce the amount of scam emails you receive, it’s recommended that everyone remain vigilant when dealing with electronic communications.

If you are concerned that you may have shared your personal information (e.g., social insurance number (SIN) or credit card number) with a scammer, the CRA advises you contact the police. If your SIN has been stolen, you should also contact Service Canada at 1-800-206-7218. Visit their website for more information: www.canada.ca/en/employment-social-development/services/sin.html.

If you are concerned that you have shared banking information, please contact your bank.

What to do if you suspect a phishing attempt/attack…

  • If you suspect your password may have been compromised, immediately change it.
  • If you receive a phishing message and are using U of T Office 365/UTMail+, please report it using the “report message” function in your inbox. Otherwise, please report it to: report.phishing@utoronto.ca.
  • When in doubt about the legitimacy of an email, call or ask the sender in person to confirm if they sent the email.
  • If you opened an attachment that was sent in a phishing email, reach out to your local IT service desk immediately.

Thank you for your support as we work together to keep everyone safe and secure online.

Isaac Straley
Chief Information Security Officer
University of Toronto

Phishing alert – CRA scam targets university communities

The Information Security team at the University of Toronto (U of T) is warning students, staff and faculty to be wary of a current email scam circulating from what appears to be the Canada Revenue Agency (CRA).

The CRA scam is targeting students, faculty and staff at universities across the country. It states that a tax credit is owing to the recipient and requests a response in order to receive the refund.

Given that we are in the midst of tax season, more of this type of activity may appear in the coming weeks and months, warns Isaac Straley, U of T’s chief information security officer. “While the Information Security team and your local IT are working together to reduce the amount of scam emails you receive, it’s recommended that everyone remain vigilant when dealing with electronic communications,” said Straley.

If you are concerned that you may have shared your personal information (e.g., social insurance number (SIN) or credit card number) with a scammer, the CRA advises you contact the police. If your SIN has been stolen, you should also contact Service Canada at 1-800-206-7218 and/or visit the website for more information.

If you are concerned that you have shared banking information, please contact your bank.

What to do if you suspect a phishing attempt/attack…

  • If you suspect your password may have been compromised, immediately change it.
  • If you receive a phishing message and are using U of T Office 365/UTMail+, please report it using the “report message” function in your inbox. Otherwise, please report it to: report.phishing@utoronto.ca.
  • When in doubt about the legitimacy of an email, call or ask the sender in person to confirm if they sent the email.
  • If you opened an attachment that was sent in a phishing email, reach out to your local IT service desk immediately.

A look back at 2019 data privacy hot topics

Each year we celebrate Data Privacy Day on Jan. 28 to recognize how the advancement of technology impacts our privacy rights and to highlight the value of protecting our personal information. As a joint effort between the Freedom of Information and Protection of Privacy and Information Security teams, we promote privacy-related best practices, insights and updates, including this list of notable data privacy topics and news stories from the past year.

Trending topics:

General Data Protection Regulation

As of May 25, 2018, the General Data Protection Regulation (GDPR) came into effect to help align data protection protocols and increase levels of protection for European Union citizens. These rules for handling consumer data turned out to be a leading concern in 2019, as public and private sectors around the world considered the implications and new requirements and the European Commission issued more frequent and larger fines for non-compliance.

GDPR is built on seven key principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Individuals and companies are expected to follow these principles when creating a data protection practice or could face fines of up to four per cent of their annual turnover.

Ransomware on the rise

There was an increase in ransomware attacks around the world in 2019, with municipalities and health care organizations being the most commonly targeted.

Among the many cases throughout 2019, three Ontario hospitals were hit with malware called Ryuk, which collects enough data to learn how an organization operates and whether it is able to pay a ransom. Ryuk is invisible to the average user but attacks computer networks, collecting information over time. Luckily for these hospitals, the malware was discovered by a firewall before any data escaped and no money had to be paid to retrieve files.

Big news stories:

Ransom paid to retrieve LifeLabs data after breach

LifeLabs performs more than 115 million laboratory tests per year — from standard lab testing to genetic and naturopathic testing. In December 2019, LifeLabs revealed a data breach that affects millions of Canadians who use their services. Mainly impacting those living in Ontario and B.C., the potentially accessed information included health card numbers, logins, passwords, email addresses and more.

LifeLabs paid a ransom to retrieve the data, notified the privacy commissioners and government partners and is taking steps to strengthen its cyber defenses. Customers are advised to change their passwords as a step toward ensuring protection moving forward.

Politics and privacy

In late 2018, Canada’s parliament enacted Bill C-76, the Elections Modernization Act, which requires political parties to develop and publish privacy policies that help protect personal information. However, because these policies require prescribed content but not adherence to international privacy standards, many questions have been raised.

Governments urged to adapt privacy laws

In November 2019, the federal government released a statement addressing its commitment to modernize Canada’s privacy legislation. This resolution calls for:

  • a legislative framework to ensure the responsible development and use of artificial intelligence and machine learning technologies;
  • all public and private sector entities engaged in handling personal information to be subject to privacy laws;
  • enforcement powers, such as legislating order-making powers and the power to impose penalties, fines or sanctions;
  • the right of access to apply to all information held by public entities, regardless of format.


U of T CISO, Isaac Straley, discusses information security and its role within the University

In December 2018, the University of Toronto (U of T) welcomed Isaac Straley as the University’s first-ever Chief Information Security Officer (CISO). As an information security professional with 15 years of experience, he is working to bring positive change to the U of T community. We sat down with Isaac to discuss his vision for the University’s information security future.

What makes U of T a unique institution to protect?

U of T is a large, distributed, world-class, research institution. Initially, it can seem like the higher education mission doesn’t fit with typical security models. The academy is a place of openness and freedom. These things seem at odds with the goal of protection, which can require locking down, implementing strong controls, and achieving consistency. So, we must find a different way of engaging the community. We have to empower people, educate them, and develop unique skills to protect this great institution. Maintaining openness and managing risk is not a zero-sum game. We can enable and empower openness while managing the risk.

How has information security changed in recent years?

The old information security model offers that there is a state of being “secure.” It assumes that if you just do enough: spend enough money, lock enough things down, say no enough, you will find the magical state of security. But this state doesn’t exist.

The new security model is one of managed risk. To live our daily lives or do business at the University we need to make trade-offs. In this new model, we consider what people need to do and then figure out how to empower people to do it safely. To me, security done right is empowerment.

What are your goals for the University’s information security future?

We want to use security to enable the mission of the University and help everyone make informed decisions. We will offer a robust outreach and education program and assessment services that divisions, units, and individuals can use to understand their risk and solutions without needing to be cyber security experts.

Would you say information security is a collective effort?

Yes; we’re all in this together. We share a network and resources, so we need to work together. When we find consistency in the way we approach things and we’re in agreement in how we treat certain types of information we’ll be safer. We are each empowered to do our part to make the security program effective.

What are your top security tips?

  1. Use multi-factor authentication.
  2. Keep your computer up-to-date.

Those two things are always important. Most breaches happen because of a stolen password or an infected system. If we take care of our passwords and if we take care of our devices, we can prevent most breaches.

Cyber security news roundup: a recruitment crisis, botnets, spies and ransomware

In an increasingly digital world, cyber security issues are an inevitable (and ever-growing) part of the media landscape. As a result, a range of cyber security issues are a hot topic in local, national and international news coverage. Here is a brief roundup of some of the most interesting recent news items.

The return of botnet Emotet

Are you seeing an uptick in personalized spam email? Emotet, one of the internet’s most costly and destructive botnets, could be responsible. The emails sent by Emotet can be easy to fall for: they impersonate a sender that you have previously corresponded with and reply to existing email threads. Emotet spreads fast by using a massive database of stolen email passwords.

Takeaway: People can counter the threat of Emotet infections by using an antivirus program like Windows Defender or Malwarebytes and using strong passwords.

Authorities allege Ottawa man was preparing to leak highly protected information to foreign entities

In September, Canadian investigators discovered a trove of encrypted computers in the Ottawa condo of an RCMP intelligence director. Authorities allege that 47-year-old Cameron Ortis was preparing to leak highly protected information to a foreign entity or terrorist group. Ortis is currently in custody while he awaits trial.

Takeaway: The national police force is assessing and working to limit security risks among Canada’s intelligence allies. The Public Safety Minister maintains that Canada must strike a balance between privacy and the needs of law enforcement.

Fast food makes fast data – DoorDash is the latest victim of a data breach

Hackers were hungry for stolen information when food delivery service DoorDash was victimized by a data breach last May. In September DoorDash confirmed that the breach had impacted approximately 4.9 million users including customers, delivery workers and merchants.

Takeaway: Users who created DoorDash accounts before April 5, 2018 are encouraged to change their passwords. However, DoorDash confirmed that the perpetrators did not obtain enough information to make withdrawals or charges.

Are women the answer to the cyber security recruitment crisis?

The cyber security industry is in a recruitment crisis: it desperately needs more skilled workers to meet the growing industry’s demands. Many cyber security experts argue that the answer to the industry’s lack of skilled workers is in training and recruiting more women.

Takeaway: Lisa Kearney, founder of the Women CyberSecurity Society, confirms that women only make up approximately 10 per cent of the cybersecurity workforce. Lisa’s non-profit society is aimed at helping women and girls find and maintain good careers in cybersecurity.

Ransomware attacks that target private businesses and public institutions are on the rise

In October, Toronto’s Michael Garron Hospital became the third hospital to fall victim to a ransomware attack in recent months. No money or data was lost in the attack, but cyber security experts suggest that more ransomware attacks that target public and private institutions are to come.

Takeaway: Exercise caution by not clicking on emails or links from people you don’t know. The malware often infiltrates systems after a user opens a malicious email attachment.

Practise safe surfing this holiday season

Tips for protecting your personal and financial data while shopping online

The holiday season can be a stressful time for most, especially when it comes to finance. It’s no wonder we’ve adopted, with open arms, the Cyber Monday tradition of shopping for pre-holiday deals from the comfort of our living rooms.

Unfortunately, hackers anticipate the influx of online shoppers during the holiday season, which puts our personal and financial information at greater risk.

Before beginning to load up your virtual shopping cart, read through this list to ensure you are protecting your information by following these best cyber security practices:

DO YOUR RESEARCH

The general rule of thumb is to shop with reputable vendors and/or ones that you are familiar with. However, your online searches during the holiday season are likely to present you with some out-of-the-park deals that seem too good to be true. If this is the case – and if the website isn’t familiar to you – check online reviews of the website and of other customers’ purchase experiences before deciding whether to move forward with your purchase.

‘S’ IS FOR SECURE

It’s simple: Don’t input any personal or financial information unless the URL of the website begins with https. The “s” means the connection between your browser and the website is secured (encrypted), so the information you enter is not sent in the clear.

BE SKEPTICAL

We are all familiar with the spam emails in our junk folders, but it’s important to be aware that these emails can sometimes make it into our inboxes and look very legitimate. Users should be skeptical of any email that asks them to confirm personal or financial information, even if it references a specific recent purchase. To validate a suspicious email, take a look at the sender address and at the customer service phone number and email listed in the footer. Then cross-reference this information with what you find on the website of the company it claims to be affiliated with.
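As an added example (not part of the original article), a small Python checker that automates the cross-referencing above and the https check from the previous tip: it compares the sender address, the contact addresses in the footer and every link in a message against the vendor’s real domain, flags links that are not https, and returns any phone numbers so they can be checked by hand against the vendor’s website. The two sample messages and the vendor domain exampleshop.com are constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real mail): one suspicious, one consistent.
SUSPICIOUS_EMAIL = """\
From: "ExampleShop Orders" <orders@exampleshop-billing.top>
Subject: Confirm your recent order #A1234

We need you to confirm the card used for order #A1234.
Confirm here: http://exampleshop.top/confirm?o=A1234
Questions? Call 1-800-555-0100 or email support@exampleshop-billing.top
"""

CONSISTENT_EMAIL = """\
From: "ExampleShop Orders" <orders@exampleshop.com>
Subject: Your order #A1234 has shipped

Track it here: https://www.exampleshop.com/track?o=A1234
Questions? Call 1-800-555-0199 or email support@exampleshop.com
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
PHONE_RE = re.compile(r"\b\d{1,2}-\d{3}-\d{3}-\d{4}\b")


def registrable_domain(host):
    """Last-two-labels heuristic (www.example.com -> example.com).
    Assumption: fine for this demo; real code should use a public-suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_email(raw, vendor_domain):
    """Compare sender, footer contact addresses and links against the vendor's
    domain and flag non-https links. Phone numbers are returned for manual
    checking against the vendor's real website; they cannot be verified offline."""
    msg = message_from_string(raw)
    vendor = registrable_domain(vendor_domain)
    findings = []

    _, sender = parseaddr(msg.get("From", ""))
    sender_dom = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    if sender_dom != vendor:
        findings.append(f"sender domain {sender_dom!r} does not match {vendor!r}")

    if msg.is_multipart():  # keep only the plain-text parts
        body = "\n".join(p.get_payload(decode=True).decode(errors="replace")
                         for p in msg.walk() if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()

    for addr in sorted(set(EMAIL_RE.findall(body))):
        dom = registrable_domain(addr.rsplit("@", 1)[1])
        if dom != vendor:
            findings.append(f"contact address {addr} belongs to {dom!r}")

    for url in sorted(set(URL_RE.findall(body))):
        parsed = urlparse(url)
        link_dom = registrable_domain(parsed.hostname or "")
        if parsed.scheme != "https":
            findings.append(f"link {url} is not https")
        if link_dom != vendor:
            findings.append(f"link {url} points at {link_dom!r}")

    return {"findings": findings, "phones_to_verify": PHONE_RE.findall(body)}
```

Running `check_email(SUSPICIOUS_EMAIL, "exampleshop.com")` reports four mismatches (sender, footer address, a non-https link and a look-alike link domain), while the consistent message reports none.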

KNOW YOUR WIFI

While it’s always exciting to connect to an open public Wi-Fi to check your social media feed, it’s not the safest means to make an online purchase. Public Wi-Fi connections make it easier for hackers to intercept insecure transactions as they are being transmitted. Instead, play it safe by connecting to a password-protected Wi-Fi that you trust before inputting any personal information.

OPT FOR CREDIT

Once you make it to the payment page, best practice is to use a credit card instead of your debit card. Most credit card companies have some sort of protection in place to save you from fraudulent charges, and the money is not automatically drawn from your account. In either case, it is also best to check your bank statement to ensure there are no discrepancies.


Safe shopping!

CSAM 2019 recap: activities across the tri-campus community

Online privacy and data protection were front and centre for University of Toronto (U of T) staff, students and faculty during Cyber Security Awareness Month (CSAM) activities, held throughout October.

Hosted by the Information Security team, events included pop-up information booths and Coffee with the CISO sessions, held across all three U of T campuses. The overall theme was: “One Team. One Goal.”

The pop-up booths, staffed by security team members, offered the U of T community a chance to ask questions, play games and pick up security-related prizes, swag and educational resources. In total, about 400 people visited the three booths collectively.

Meanwhile, the invitation-only Coffee with the CISO provided about 60 faculty and staff members the chance to meet and start a dialogue with Isaac Straley, who joined U of T as its first-appointed CISO in December 2018.

Other events included a lightning round presentation, featuring Information Security Council working group chairs at the St. George campus, and a cyberbullying panel discussion in Mississauga.

The Security Matters website has been updated with new resources from this past month’s CSAM initiatives; check it out to learn more.

Updated Cyber Security Awareness Month resources

Security Matters has updated its resource page with this year’s University of Toronto (U of T) Cyber Security Awareness Month (CSAM) educational materials. These materials include:

  • A guide on what steps to take if you suspect you have received a phishing email.
  • An overview of U of T’s Information Security (IS) unit priorities for the next year.

U of T staff, students and faculty are encouraged to read, share and discuss these resources with their own peers in support of this year’s key IS and CSAM message: One team. One goal.