[Phish] Your Email address, [redacted] Login History Created

Details:

  • From: mail-noreply@administrator.com
  • Subject: Your Email address, [redacted] Login History Created

Text:

Dear User,

You signed in Total 580 times in the last 90 days To prevent unrecognized sign-in activity, to [redacted] and security occasion.

Review your recently devices sign-in from Chrome on Windows

Extra security features will be activated and unrecognize sign-in attempt activity protection to prevent loop on sign-in actions

[Phish] -Action: Changes made in your Internet Banking Profile-

Details:

  • From: cliftonspringsbowls@commander.net.au
  • Subject: -Action: Changes made in your Internet Banking Profile-

Text:

*Action: Changes made in your Internet Banking Profile

*Date January 13 2018.

*This is to inform that your profile data was changed by you or by someone logged in using BMO DEBIT Card Number and password on 01/13/2018 from IP 91.59.84.61

*If you didn’t change your profile data please visit and complete our BMO Online security measures:
http://accbm-on.is-found.org/bmoservice-support-alertinternet/

*2017 BMO Support Center

[Phish] (Zivuq) that’s fair surprising

Details:

  • From: Eric Regnier <huoyu1217@126.com>
  • Subject: (Zivuq) that’s fair surprising

Text:

[Jybufona Qyqesow]

 

I’ve got an extremely  very good news for you,  you  will be simply  amazed) Please read it  here   https://xi9u5nm1.cialkormontrer.space/96utor11se286

 


[Phish] RE: utoronto.ca scam

Details:

  • From: finance@performancesales.com
  • Subject: RE: utoronto.ca scam

Text:

Are you running a little scam here?

I haven’t received any money from utoronto.ca

Thank you.

Rick Foye
Telephone: 784-240-0354 x 756
Estimating Fax: 745-227-4731
Main Office Fax: 771-222-6183
Email: finance@performancesales.com

Sent from my iPhone

On Thu, January 11 2017 at 02:55

Here’s the bank statement for the payment we discussed about on the phone
http://www.utoronto.ca/contracts/bofa_payment_8374.doc

Thank you!

Tips on website validation

Everyone knows about the ‘lock’ icon on a browser. You select a shortcut or type in a URL in your browser, the page content is displayed, and the lock symbol indicates that the connection between you and the service is encrypted. You can enter a password or bank account information or Amazon purchase and be confident the information is hidden from prying eyes somewhere on the Internet. That’s valuable protection to have.

There’s another feature besides encryption that indicates that you are protected. This is ‘authentication’ of the website – when a site is authenticated you can be confident that the site you’re connected to is where you want to go and not a fake or phishing site. That is valuable – you don’t want to be entering your account information into a site that is pretending to be, for example, your bank website or the university’s UTORid login site.

To provide good website authentication, services use an ‘Extended Validation’ or EV digital certificate. When you connect to such a site, you’ll notice the browser will show a green shading where the URL is – the green shading, together with the lock, is your indication that the site you are connected to is where you want to be. Why? Because the organization that runs the service and obtained the Extended Validation certificate has to go through a number of procedures to validate its identity with the Certificate Authority (CA). These procedures include providing:

  1. Names of officials, mailing addresses, telephone numbers of the business entity that runs the service.
  2. A business identifier, such as a Dun & Bradstreet number, which indicates that the business has endeavored to prove its validity.
  3. A legal letter from a business lawyer, vouching for the business.

The CA checks all this information before issuing the digital certificate for the website. So the next time you access your bank website or log in to the university service using your UTORid, look for the ‘green bar’.

It’s one more item to help you be safe on the Internet.

You might ask: why doesn’t every website use an Extended Validation certificate? Let’s step back and look at digital certificate validation a little closer. There are three categories of validation for digital certificates. They are:

  • Extended Validation (EV)
  • Organization Validation (OV)
  • Domain Validation (DV)

We’ve talked about EV. An Organization Validation certificate undergoes a less stringent validation process before being issued by the CA. A Domain Validation certificate undergoes a very basic check consisting of the CA finding the registrant of the website’s domain name and sending an email request to the specified address. A response from that address confirms that the owner ordered the certificate. Some points about these categories:

  • The higher the level of validation, the higher the cost to purchase the certificate from the CA. DV certs can be very inexpensive or free. The ‘Let’s Encrypt’ certificate, for example, is issued at no charge. There is evidence[1] to show that DV certificates are being used for malicious purposes because of the minimal cost and the very weak validation procedure. The evidence also shows that OV and EV certificates are not used with malicious sites.
  • The EV certificate is easy to identify by a user – the ‘green bar’. However, there is no visual identifier on a browser available to distinguish an OV certificate from a DV certificate. So there’s not much difference from a user perspective between an OV or DV certificate. OV certificates have value over the DV certificate from an organization’s perspective though. Each OV certificate will contain common organization information. The organization can use its IT infrastructure management capability to check site certificates – verifying that they came from the organization. That, in itself, provides a strong measure of validation at a reduced cost compared to the EV certificate.
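
The organization-side check described in the last point, as an added example (not code from the original article): it classifies a certificate as DV, OV or EV from its subject fields and compares the organization name with the one expected. The classification is a heuristic based on which subject attributes are present; the certificates are constructed samples in the format Python's `ssl.SSLSocket.getpeercert()` returns, and all function, host and organization names are hypothetical.

```python
import socket
import ssl

# Subject attributes the CA/Browser Forum EV Guidelines require in an EV
# certificate, under the names Python's ssl module (OpenSSL) reports them.
EV_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def subject_fields(cert):
    """Flatten the getpeercert() subject (a tuple of RDN tuples) into a dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def validation_level(cert):
    """Heuristic DV/OV/EV classification from the subject alone."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"   # DV certificates carry no vetted organization identity
    if EV_FIELDS <= fields.keys():
        return "EV"
    return "OV"

def audit(cert, expected_org, minimum="OV"):
    """Return a list of findings; an empty list means the certificate passes."""
    order = ["DV", "OV", "EV"]
    level = validation_level(cert)
    findings = []
    if order.index(level) < order.index(minimum):
        findings.append(f"validation level {level} is below required {minimum}")
    org = subject_fields(cert).get("organizationName")
    if org is not None and org != expected_org:
        findings.append(f"organization {org!r} is not {expected_org!r}")
    return findings

def fetch_cert(host, port=443):
    """Fetch a live, chain-verified certificate (the samples below do not use it)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates in getpeercert() format.
DV_CERT = {"subject": ((("commonName", "shop.example"),),)}
OV_CERT = {"subject": ((("countryName", "CA"),),
                       (("organizationName", "Example University"),),
                       (("commonName", "www.example.edu"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "CA"),),
                       (("serialNumber", "0000000"),),
                       (("organizationName", "Example Bank"),),
                       (("commonName", "www.bank.example"),))}
```

Run over an inventory of an organization's hostnames, `audit(fetch_cert(host), expected_org)` flags sites that were issued a DV certificate or a certificate naming a different organization.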

To conclude, here are some points for users and service providers to keep in mind when using certificates:

  1. When you’re shopping or banking online, and you’re prompted to enter sensitive information such as passwords, credit card or banking information, look for the ‘green bar’ on your browser. Not every browser shows the green indication in the same way (or at all!) – most do.
  2. If you’re a service provider, use EV certificates to protect websites that handle the most sensitive information. Use OV certificates for everything else.
  3. Use DV certificates for test or personal sites.

[1] https://casecurity.org/identity/

[Phish] prompt! Abnormal Reset Order from [redacted]@utoronto.ca

Details:

  • From: no-reply@administrator.com
  • Subject: prompt! Abnormal Reset Order from [redacted]@utoronto.ca

Text:

Email protection!

[redacted] you can confirm your email account with a single click.

[redacted]

If we do not receive a verification reply within the next 24 hours, we will assume that you are a fraudulent user and close your email account until the correct verification is restored so that you can access your email as before.

Cyber Monday: the do’s and don’ts of online shopping

To die-hard shopping fans Black Friday is a fun and challenging experience: the thrill of beating the crowds to find the best deals, and then the satisfaction of coming home with a haul of discounted gadgets, clothing, jewellery and much more.

To others, especially those who hate crowds, Black Friday is an utter nightmare!

Cyber Monday is for shopaholics who would rather stay home than brave the crowds. Cyber Monday was created just over ten years ago as the online alternative to Black Friday. With Cyber Monday, you can stay home and shop to your heart’s content.

But when shopping online, consumers must be careful because there are scammers who are looking to take advantage of unsuspecting shoppers. On Cyber Monday, protect yourself from credit card fraud and identity theft using these simple tips:

Watch Out for Fake Online Stores

Scammers have been known to create fake online stores that advertise too-good-to-be-true deals in order to draw in potential victims. To protect yourself:

  • Shop from sites you know and trust.
  • Check the domain name. Sometimes fraudsters create exact replicas of well-known sites. Is the domain name spelled correctly? Is it a slight variation of the correct URL?
  • If this store is unknown to you, search for reviews of the website. Keep an eye out for words like fraud or scam.

Monitor Your Credit Card Statement

If you do make a purchase from a new site, check your credit card statement in case there has been any suspicious activity. The sooner you report credit card fraud, the better.

Use a Secure Network

Don’t make purchases online when you are using public Wi-Fi. Your information could be tracked and logged.

Update Your Device

When you are prompted to update your device, do it. Updates contain critical security fixes that can protect you from the latest threats.

By staying vigilant and mindful as you shop online you can get your hands on those exciting deals without giving up your privacy or personal information.

Happy shopping!

Information security awareness: it’s all about outreach

Another successful Cyber Security Awareness Month has come and gone, and we had the pleasure of facilitating various outreach activities.

We ran five unique initiatives, reaching three audiences: faculty, staff and students. Our two most successful events were our cloud security course and our pop up booth.

The course, run by well-known information security expert, James Arlen, provided a valuable overview of ITS’ responsibilities when it comes to securing a cloud-based service. Nowadays, the procurement and deployment of cloud services (more descriptively known as Infrastructure as a Service, Platform as a Service, and Software as a Service) is becoming increasingly attractive given the complexities of operating and maintaining hardware, middleware and applications. While the responsibility for some of these aspects can be transferred to the cloud service provider, there are many other aspects that remain the responsibility of the business and technical contacts of the local service provider. Many of U of T’s technical staff attended this course and were grateful for the opportunity to learn more about this important subject.

Since we began this outreach program one year ago we have hosted pop up booths at locations across the tri-campus. When we run these booths, we hand out educational materials, lead games and conduct surveys. But the most important moments are when we take the time to chat with students.

When we speak with students at our booth we have the unique opportunity to connect with them one on one. It’s amazing how, when you offer students the opportunity to express themselves about info security, the flood gates open. We hear personal stories of hacked accounts, identity theft and expressions of fear about life in the digital age.

It seems that having a person physically in front of them provided students with the empathetic ear they craved. Often students can feel like they are just a number. When we make ourselves available to chat, they begin to feel like we, and the university as a whole, care about them personally. For a young person who is confused or frightened, this makes all the difference.

October is cyber security awareness month

October is Cyber Security Awareness Month, a time to promote mindfulness and safe practices around users’ activities online. October also serves as the anniversary of the University of Toronto’s information security awareness and education initiative, dubbed “Security Matters”. This time last year, our team was rolling out its first initiative, the celebration of Cyber Security Awareness Month. We created bright, attractive banners and displayed them across the tri-campus. We wrote and shared articles about info security, providing our population with useful tips and tricks on how to protect their personal information.

From there the initiative grew. We created the security matters website, set up an active social media presence, and hosted monthly info sessions at all three campuses. We created a brand with friendly mascots and created a web game, “Patch vs. the Nefarious Code” featuring those characters. We participated in outreach activities setting up pop up booths where we would chat with students about their privacy and safe password practices.

It’s been a whirlwind of a year, and we are proud to present this year’s Cyber Security Awareness Month main events: a workshop and a presentation by information security expert, James Arlen.

James Arlen is a world-renowned information security expert. He is Leviathan’s director of risk and advisory services and a contributing analyst at Securosis. He has delivered security solutions to many Fortune 500, TSE 100 and major public-sector organizations. James frequently speaks at industry conferences and his commentary can be found in various trade publications.

For only $1000 you can take James Arlen’s two-day workshop on Cloud Security for business and IT professionals. This course provides a solid foundation in cloud security and the opportunity to apply that foundation in practice. You could become certified; the course content is sufficient to take the Certificate of Cloud Security Knowledge certification test offered by the Cloud Security Alliance. Register through ODLC.

You can also join us for a special speaking engagement, “Information Security Risk – from a Business, Administrative and Technical Perspective”, with Mr. Arlen on October 26th from noon-2pm. In this talk, attendees will learn about information security risk handling and the vital role it plays in any information security program. Information security risk handling provides a process for budget managers and administrators to use for making decisions regarding reducing or accepting the risk that accompanies the operation of online services. This talk is directed at staff in administrative and business roles as well as IT professionals. This session is totally free of charge and all are welcome. Register for free.

During Cyber Security Awareness Month keep an eye out for our banners and follow us on social media to keep up with all of our activities.

To learn more visit securitymatters.utoronto.ca

Follow us: @uoftcyberaware

Like us: facebook.com/uoftcyberaware/

Welcome to the internet of things. For better or for worse…

Did you know that technology is currently in the midst of a paradigm shift? That shift is the rise of the “Internet of Things”. Just as in the 80’s there was the era of the personal computer and in the late 90’s there was the dot com boom, we are entering a new era in information technology with the Internet of Things (also known as IoT).

So, what is the Internet of Things? In the most basic sense, IoT is the idea that everyday objects can connect to the internet. This opens the door to some pretty exciting functionality: fitness bands that track calories burned, refrigerators that know when you need to get groceries…

Sounds pretty exciting, right? But with every leap forward there come various risks. In the case of IoT your security and privacy can be at risk. Unfortunately, it seems that manufacturers are building IoT devices too quickly for security agencies to ensure they are secure. The market is competitive and securing devices is expensive, so device security often falls by the wayside. This isn’t science fiction – we’ve already seen instances where IoT devices have been used to launch devastating DDoS attacks.

Also, although your data is being collected to improve your quality of life, that data is also being given away. As a consumer, you have to consider whether you are comfortable with your data being shared with the corporation that owns your device. Keep in mind that your personal information can be stolen from these devices too.

IoT devices have some very exciting capabilities and they really can improve your quality of life, but take some time to research your device’s security features to ensure you are safe and secure as you enter this new technological era. Here are a few pointers:

  • If confidentiality, integrity or availability are important characteristics of the IoT device, then you should verify that the device is maintained by the vendor. Check to see if patches are released for the device, change and record the password for the device and be prepared to log into it occasionally to check or update it. Look into the reputation of the vendor; if you’re not comfortable with it, then choose another product. Don’t always buy the least expensive option.
  • Be prepared to disconnect the device from the network if necessary – the best way to do this is to power it down – and yes, be prepared to lose the functionality of the device.
  • Put a firewall in front of the network that connects the IoT devices.

Wireless router vendors are starting to include features to detect and manage IoT devices in residential networks. Here’s an example of one:

https://us.norton.com/core