Security Matters

October is just around the corner and while temperatures may be dropping, cyber security education and awareness will be on the rise.

The start of a new school year brings with it new cyber risks and threats. The University of Toronto’s (U of T) Information Security team is tackling issues of privacy and data protection by hosting its annual Cyber Security Awareness Month (CSAM) activities across all three campuses, starting Oct. 1.

Part of this year’s focus will be on how individuals and the University must work together to keep its systems and people secure. The overall theme will be: “One Team. One Goal.”

“We’re in this together – Universities are places of open inquiry, exchange of information, and collaboration,” explains Isaac Straley, U of T’s Chief Information Security Officer (CISO), Information Security. “Information security and privacy can be a challenge in this environment, but it is not a zero sum game. We do, though, have to help each other out.”

CSAM activities will include pop-up booths at all three campuses, staffed by security team members. At the booths, students, faculty and staff will have the chance to meet University employees who help protect their privacy and data as well as pick up resources about how to practise information security in the office, classroom, academic spaces and at home.

“The increasing need to develop critical cyber security skills is an important message for the entire University audience and I’m really excited to see this initiative broaden its support to the tri-campus community,” says Luke Barber, Director of Information & Instructional Technology Services for U of T Mississauga. “I think we’ll all see benefits and learning outcomes far greater than the sum of our individual efforts in doing so!”

Zoran Piljevic, Director of Information & Instructional Technology Services at U of T Scarborough, agrees. He says regardless of whether you are at work or school, the organization’s online safety and security is a responsibility that we all share. “Our data is valuable and we need to incorporate a daily routine of vigilance when handling information,” says Piljevic. “We look forward to emphasizing resistance and resilience through our education, training and awareness efforts in October at the Scarborough campus.”

Other CSAM-related events taking place throughout the month will include contests, an Information Security Council Panel discussion and social media polls. For a full list of events, visit the Security Matters calendar.

Straley, who joined U of T as its first-appointed CISO in December 2018, will also be hosting an invitation-only “Coffee with the CISO” event at each campus.

A recognized thought leader in information security and privacy, Straley held a similar CISO role at the University of California for 13 years. His top security tips to the U of T community are: “Be thoughtful about unexpected emails, especially those with urgent demands, be careful about the apps you install on your devices, and always check privacy setting and default sharing. You do not have to be an expert or work hard to make a real difference.”

September is a busy month for everyone at the University as we gear up for the fall semester. At the University of Toronto (U of T), communication between administrative staff and the student community is at its peak, making it the perfect time for attackers to phish people under the guise of administrative and student interaction.

This year, attackers are leveraging the communications of a new school semester in a variety of ways. Currently, two of the most common scams at U of T feature:

• Urgent email account upgrade notices that threaten account termination.
• Emails containing potentially malicious attachments.

Read below for a description of these phishing scams and tips on what to do if you receive one.

1. Upgrade notice

A widely-circulated email is asking students and staff to ‘upgrade’ their U of T email accounts before termination by providing a phone number that they are asked to text. The recipient is then asked to await further instruction. Examples of this phishing email can be viewed on the Security Matters PhishBowl here: https://securitymatters.utoronto.ca/phish-university-of-toronto/.

If you have received this email, Information Security and Enterprise Architecture (ISEA) recommends you take the following actions:

• If you responded to the email and texted the phone number, you should immediately take steps to block that number. Information on how to block numbers can be found on your device’s webpage or FAQs.
• If you followed further instructions and provided your UTORid and password, please immediately change your password by clicking on the ‘reset’ link in the Password and Account Management section at https://www.utorid.utoronto.ca.

2. Attachment ‘request’

The second common phishing email appears to come from someone in the U of T community. For example, the attackers attempt to engage administrative staff members by pretending to be a current student. The email claims to provide ‘requested’ details through an attachment that they prompt the recipient to download. The attachment contains potentially malicious content that, when opened, could affect the user. Examples of this phishing email can be viewed on the Security Matters PhishBowl here: https://securitymatters.utoronto.ca/phish-re-mbpgsa-email-friday-night-live-the-rom/.

If you have received this email, ISEA recommend you take the following actions:

• If you opened an attachment that you suspect may be malicious, please run your anti-virus software. If you do not have anti-virus software or you are in a position where it cannot be run, you should contact helpdesk for further assistance at: http://help.ic.utoronto.ca.

During this busy time, ISEA would like to remind the U of T community to be vigilant and to report any communications that seem unexpected or odd. Please follow the guidelines outlined here: https://securitymatters.utoronto.ca/report/.

Recipients of phishing emails are also asked to report these messages using the “Report Message” function in Outlook, which can help reduce the number of times these emails are delivered. To report an email, follow these steps:

Select the email.

1. For Outlook on desktop, look to the top right of the menu bar for a ‘Report Message’ icon. If you are using the online version of Outlook, look for the three dots to the right of the forward email symbol.
2. Click on the arrow or dots and select the ‘Phishing’ option.
3. In the popup window, confirm you would like to report. After confirming, the email will be reported and removed from your inbox.

For more tips on how to spot phishing emails and stay safe online, visit the Security Matters resource section.

In late July, a data breach at Capital One Financial compromised the personal data of more than 106 million people, including six million Canadians. This breach is just another example of a very long list of multi-national companies who have been targeted by attackers in recent years, including Equifax in 2017, Marriott in 2018, Facebook in 2019 and the Australian National University in 2019.

How did this breach happen? Capital One runs its credit card services through Amazon Web Services (AWS) and current reports show the cause of the breach was an incorrect firewall configuration. The alleged attacker, Paige Thomson, 33, was able to break through the misconfigured firewall to reach the cloud-based AWS server where Capital One was storing its customer data. AWS had no responsibility in causing or detecting the breach — Capital One was responsible for its firewall configuration and the vulnerability that allowed the attacker unauthorized access.

This incident can serve as a lesson for the University of Toronto (U of T) community as it starts to make use of more third–party computing infrastructure and platform services:

• Use of third–party cloud storage services does not completely absolve the University from taking responsibility for IT-centric tasks, such as firewall configuration and monitoring or best practice network architecture usage.
• The University needs to be aware of the way third–party vendors describe the division of responsibility. For example, AWS, Microsoft Azure and other third–party infrastructure and platform providers make it clear in company guidelines, outlining the division of responsibility between the company and its customers.

U of T must also remain wary of how different types of services denote different levels of responsibility for customers:

• The Infrastructure-as-a-Service (IaaS) offering puts the responsibility for all software patching, upgrading, network configuration and isolation, incident detection and response and data protection on the customer.
• Platform-as-a-Service (PaaS) puts the responsibility for application patching, network configuration and isolation, incident detection and response and data protection on the customer. Also, PaaS support is less work than IaaS for the customer.
• Software-as-a-Service (SaaS) often places the responsibility for authentication and authorization to access data on the customer.

For more information and tips on protecting your data, be sure to visit our resources section.

The University of Toronto’s Information Security and Enterprise Architecture (ISEA) team is dedicated to keeping information secure for staff, students and faculty alike. The Security Matters website now features an updated Report an Incident section for members of the University community who suspect they have received a phishing email. 

The update provides practical steps to take if you are the recipient of a suspicious email from a known or unknown email contact: the email might ask you to click a link, download an attachment, enter your credentials or send money or gift cards 

If you suspect a phishing attempt, please follow the updated guidelines at https://securitymatters.utoronto.ca/report/ and email report.phishing@utoronto.ca.