2021 Guide to staying safe online - You are the key to our cyber safety. Play your role - RMIT University
Introduction

Society’s continuing journey into an interconnected and digital world has transformed the way we work and play. We have embraced technology more than ever as the COVID-19 pandemic forced us to work, learn, study and engage socially through digital channels. The environment in which we operate has also changed, with more frequent and complex cyber threats. There are significant levels of illegal trade on the dark web, increased state-sponsored actors (hackers acting on behalf of a government) targeting critical infrastructure, international ploys to steal the intellectual property of organisations across the globe, and cyber criminals actively trying to steal identities, data and money.

RMIT University has made significant investments in technologies and introduced many tools to protect your personal wellbeing as well as the University’s data and services. Staying safe online is key to the protection of our data and services; it is a shared responsibility where we all have a significant and ongoing role to play.

This guide offers insight into the tools and good practices you can adopt to stay safe online. It will assist you to connect securely and guide you to act responsibly when using RMIT resources. Policy Pat will focus on acceptable use standards, from our Information Technology Policy, and will cover the mandatory security behaviours that must be followed by all staff and students when using the University’s technologies and services.

Please familiarise yourself with the information in this guide, adopt our cyber safety standards and stay safe. Many of the tips in this booklet equally apply to your personal digital world, which also needs to be secure. Share your learnings with your friends and family.

Thank you for playing your role in helping protect RMIT data and services. Together we can help fight cybercrime.

Tony Aramze, RMIT CISO
Contents

Learn how you can boost your cyber protection knowledge and skills through the information, advice and tips in this guide.

1 Case study: What could go wrong?
2 Passwords and authentication
3 Email security: Phishing and data loss prevention
4 Internet use: Safe connections, social media
5 Securing, sharing and storing data: OneDrive, SharePoint, Teams, Cloudstor
6 Remote working/learning/study
7 Personal devices
8 Mobile applications
9 International travel
10 Incident reporting and help
1 Case study: What could go wrong?

Sarah was an active user of Instagram. She knew that her RMIT login password needed to be one that was not used elsewhere, but she was finding it too hard to keep up with all the various passwords across her accounts. Ignoring RMIT’s advice, she used her Instagram password for her RMIT login password.

Instagram suffered a data breach where usernames and passwords were leaked. It was headline news. Sarah quickly changed the password to her Facebook site to stop random posts appearing under her name. A few weeks later, RMIT’s Cybersecurity Office was alerted that sensitive RMIT data was for sale on the dark web and found that Sarah’s account had been compromised.

The threat actors (bad guys) that hacked Instagram had taken a little more time and ran the Instagram passwords across other accounts. A Google search and a look at her Instagram posts quickly provided them with Sarah’s profile, including that she was a student at a large Australian university. The format used for RMIT email addresses was also easy to find. They tried the Instagram password on Sarah’s email account and bingo, they had access.

A single compromised password can allow other people to access your accounts if you have used the password elsewhere.

Sarah’s behaviour jeopardised the reputation of the University. The threat actors also made a ransom demand: unless the University made a significant payment within 24 hours it would lose access to critical information systems, which would jeopardise the operations of the University.

Don’t be like Sarah. Have a strong, unique password on your RMIT account and don’t use your RMIT password anywhere else. These two actions are significant measures that will protect the University’s confidential research, sensitive data and personal information. PLAY YOUR ROLE.
2 Passwords and authentication

Like your front door key, which secures your personal items, a password is your key to securing your online world. The longer the password, the stronger it is. A passphrase or sentence, rather than a single word or random mix of letters, numbers and symbols, makes it harder for hackers to access your data.

Top tips

1. Use a password manager. This is an app that helps you generate, manage and store your passwords securely. You only have to remember one password, which is used to access the password manager.

2. Turn on Multi-Factor Authentication. This will strengthen the security access to your Office 365, Google and any personal accounts or applications. This security measure requires two or more proofs of identity before access is granted to an account.

3. Decline prompts to ‘save your password’ on web pages. This feature generally saves your passwords in plain text and would allow an attacker easy access to your passwords if your computer were compromised.

4. Cover the keypad. When entering a PIN or password in public, cover the keypad.

5. Never share passwords or leave them on a sticky note. Passwords should never be shared and certainly do NOT belong on sticky notes on your PC or in your wallet.

6. Set up self-serve password reset (SSPR) for your RMIT account. Setting up self-serve password reset will make it easy for you to reset your password if you forget it or if ITS resets it due to a cyber incident. ‘Self-service password reset’ can be set up on the RMIT staff or student website.

7. Check if your username and password have been compromised in a data breach. Change your password immediately if the search reveals any compromise on your accounts. https://haveIbeenpwned.com

8. Subscribe to ‘Notify Me’. The ‘notify me’ feature can be found on the ‘haveIbeenpwned’ site. You’ll receive an alert if any of your email accounts or passwords are compromised so you can promptly change your password. It’s like having an alarm on your home. If something is happening, you can be alerted to respond.
Make your password unique to your RMIT login; that means you don’t use that password anywhere else. The first thing a cybercriminal does upon cracking a password is to see what other apps it may give them access to.

What does Policy Pat say about passwords?

■ Minimum password length is eight characters, although he recommends 13 or more for greater security.
■ Password complexity and the frequency that passwords must be changed are enforced by the RMIT identity system.
■ Accounts and passwords must not be shared.
■ Do not use your RMIT password on any other account.
■ Change your password immediately if you think it may have been breached.
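Tip 7 and the Policy Pat points above, worked through as an added Python example (not RMIT’s or haveibeenpwned’s code): it checks a password against the 8-character minimum and the recommended 13, and models how a breach lookup in the style of the Pwned Passwords range API works without the password or its full hash leaving your machine, by sending only the first five characters of the SHA-1 hash and comparing the rest locally. The breach table and counts are constructed so the block runs offline; the endpoint named in live_fetch_range is the Pwned Passwords one as documented at the time of writing and is not called by the offline checks.

```python
"""Password length check plus an offline model of a k-anonymity breach lookup.
Added example, not RMIT code; the 'breached' table and its counts are constructed."""
import hashlib
from typing import Callable, Dict, List

MIN_LENGTH = 8           # Policy Pat's minimum
RECOMMENDED_LENGTH = 13  # Policy Pat's recommendation

def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of the password into a 5-char prefix and the rest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (the shape of a range API response) into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in breach data. Only the 5-char prefix is handed
    to fetch_range; matching the remaining 35 characters happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def make_offline_range(breached: Dict[str, int]) -> Callable[[str], str]:
    """Build a stand-in for the range API from a constructed {password: count} table,
    so the example runs without network access."""
    table: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")
    return lambda prefix: "\n".join(table.get(prefix.upper(), []))

def live_fetch_range(prefix: str) -> str:
    """Real lookup (not used by the offline checks): the Pwned Passwords range
    endpoint as documented at the time of writing."""
    from urllib.request import urlopen
    with urlopen(f"https://api.pwnedpasswords.com/range/{prefix}", timeout=10) as r:
        return r.read().decode("utf-8")

def assess_password(password: str, fetch_range: Callable[[str], str]) -> List[str]:
    """Findings a user should act on before keeping this password."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than the {MIN_LENGTH}-character minimum")
    elif len(password) < RECOMMENDED_LENGTH:
        findings.append(f"shorter than the recommended {RECOMMENDED_LENGTH} characters")
    seen = breach_count(password, fetch_range)
    if seen:
        findings.append(f"appears {seen} times in known breaches: change it now")
    return findings

# Constructed breach table standing in for the real service.
SAMPLE_BREACHED = {"password": 3730471, "Summer2021!": 52}
offline_range = make_offline_range(SAMPLE_BREACHED)

if __name__ == "__main__":
    for pw in ("pass", "Summer2021!", "correct horse battery staple at RMIT"):
        print(pw, "->", assess_password(pw, offline_range) or ["no issues found"])
```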
3 Email security: Phishing

Phishing – don’t bite the bait. Phishing catches innocent people all over the globe.

■ Cybercriminals use social engineering – an assortment of malicious activities based on psychological techniques – to try to manipulate you into trusting them so you do what they want.
■ ‘Phishing’ is a technique using emails, texts, social media or telephone calls that aims to trick you into revealing valuable data such as usernames, passwords, bank account and/or credit card details.
■ Emails are a primary method for phishing attacks against RMIT staff and students. Cybercriminals have tried to trick RMIT employees by having them click on an email link to download an invoice – which can let them into our whole system! Students have received messages requesting them to open attachments. It’s important to be able to identify when you are being phished.
■ RMIT uses filter tools to weed out known phishing emails. However, no tool is perfect. We must check every email before we respond or click on attachments within them. If an email looks suspicious to you, then there’s a good chance it is. Don’t click on any links, do more in-depth checks, and if you have any doubt forward it to reportphishing@rmit.edu.au.

Beware of scams

A request to purchase multiple iTunes vouchers or Google Play cards is a common scam. Never purchase iTunes vouchers or Google Play cards from an email request sent to you without verifying the request via phone/SMS/chat to the sender.
Every email is a potential scam

It’s important to know where and what to check in every email you receive. Check for these signs of phishing:

■ Any email requesting sensitive information with a login link or attachment. Legitimate companies will not send an email requesting your tax file numbers, bank details or passwords. Be wary of updates to login information or requests to download files. Don’t disclose your login details or personal information (e.g. passport, driver licence) TO ANYONE. Never enter your username and password into a website where you have been directed by a link in a message, particularly email and SMS messages.
■ Hyperlink URLs that don’t match the organisation. Always check URLs before you click on them. Alarm bells should be ringing if the link in the text doesn’t match the URL displayed when you hover your cursor over a link. If they are different, it means you will be going to a different site, which is not what a reputable organisation would be asking you to do. When you hover over a link, it should also always begin with https://. However, phishing sites are now using https:// so be cautious and don’t base your decision on this point alone.
■ Emails that are not personalised and are requesting information or a response from you. Be wary of emails from organisations that know you but don’t refer to you by name. Hackers sometimes use generic signatures to sign off on an email and don’t include a person’s name and role.

Report all phishing and phishing simulations immediately

Forward all suspicious emails received in your RMIT mailbox to reportphishing@rmit.edu.au. If it is found to be malicious, our cyber experts will take the necessary action to contain the risk.

Practise your phishing awareness skills. Can you spot the real email from the scams (phishing)?
phishingquiz.withgoogle.com
cyber.gov.au/acsc/view-all-content/programs/stay-smart-online/scam-messages/quiz
■ The sender or organisation doesn’t have a legitimate domain name. The domain address is the part that comes after the ‘@’ symbol, e.g. @rmit.edu.au. Always check and verify the domain address of the sender’s email. Then check their email address by hovering your mouse over the ‘From’ address. The email address and sender’s name should be identical. Phishing emails often have one letter different between the two addresses, tricking us into thinking they are the same address. It’s important to look carefully. Although this is a good rule of thumb, it isn’t foolproof. Companies may use third party email providers or varied domains, which makes this check hard. If in doubt, check the domain name with a Google search to help your decision making. If it is not a listed domain, there’s a good chance it’s phishing.

When checking a domain address, the correct domain needs to appear after the https:// and before the first ‘/’. In most cases, anything after the first single ‘/’ can be disregarded and is often used by scammers to confuse you (see phishing image example). If you notice something is different, you can use this tool to help you confirm your thinking: https://isitphishing.org

■ Emails with only an attachment or a hyperlink in the body of the email. Emails where little information, if any, is included in the body of the email are a sign that something is not right. An email requiring you to click on any link could download malware on your computer or have you responding to a fake web page.
■ Emails with unsolicited attachments. Companies don’t typically send emails with attachments. Emails from reputable organisations are more likely (although not always) to direct you to download documents from their website. Be particularly wary of .exe, .scr, .zip files and Office files with macros enabled (docm, xlsm, pptm). While these are specific file types and quite common, no file type can be guaranteed as safe and any file can be malicious. If in doubt, contact the company directly with a number sourced from its website. Never use a contact number provided in the email sent to you.
■ Poor spelling/grammar. In the past, phishing could often be picked up due to poor English and grammar. Low level phishing will often still contain spelling and grammar mistakes, but targeted phishing can be very well written.
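The hover-and-compare checks above, written out as a small Python checker: the host is taken as the part between https:// and the first single ‘/’ (everything after it is ignored), the visible link text is compared with the real target, a From: display name that is itself an address is compared with the real address, and a domain one letter different from a trusted one is called out. This is an added example, not RMIT’s or the booklet’s code; the TRUSTED_DOMAINS list and every sample link and header used with it are constructed placeholders.

```python
"""Phishing link and sender checks following the booklet's rules.
Added example, not RMIT code. TRUSTED_DOMAINS and every sample link or
From: header used with it are constructed placeholders."""
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Placeholder list; an organisation would substitute its own domains.
TRUSTED_DOMAINS = ("rmit.edu.au", "rmit.edu.vn")

def link_host(url: str) -> str:
    """The part of a link between 'https://' and the first single '/'.
    Everything after that '/' is ignored, as the booklet advises.
    urlsplit().hostname also drops a decoy 'user@' prefix
    (https://rmit.edu.au@evil.example/...) and lower-cases the result."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return ""
    return parts.hostname or ""

def is_trusted_host(host: str) -> bool:
    """Trusted domain or a real subdomain of one, compared label by label, so
    'rmit.edu.au.example.net' (trusted name placed in front) does not pass."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot the 'one letter different' trick."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host: str) -> Optional[str]:
    """Trusted domain that host, or one of its parent domains, is one edit from."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for d in TRUSTED_DOMAINS:
            if candidate != d and edit_distance(candidate, d) == 1:
                return d
    return None

def domain_findings(host: str, what: str) -> List[str]:
    """Empty for a trusted host; otherwise one warning, naming any lookalike."""
    if is_trusted_host(host):
        return []
    look = lookalike_of(host)
    note = f" (one character away from {look})" if look else ""
    return [f"{what} {host} is not a trusted domain{note}"]

def displayed_host(text: str) -> str:
    """Host named in the visible link text, or '' when the text is just words."""
    t = text.strip()
    if "://" not in t:
        if not t.lower().startswith("www."):
            return ""
        t = "https://" + t
    return link_host(t)

def check_link(display_text: str, href: str) -> List[str]:
    """Visible text vs. real target, https, and the target's domain."""
    host = link_host(href)
    if not host:
        return ["link is not an http(s) URL"]
    findings = []
    if urlsplit(href.strip()).scheme != "https":
        findings.append("link does not use https://")
    shown = displayed_host(display_text)
    if shown and shown != host:
        findings.append(f"text shows {shown} but the link goes to {host}")
    return findings + domain_findings(host, "link host")

def check_sender(from_header: str) -> List[str]:
    """Display name vs. real address, then the address's domain.
    Handles the common 'Name <addr>' and bare 'addr' shapes only."""
    m = re.fullmatch(r'\s*"?(.*?)"?\s*<([^<>]+)>\s*', from_header)
    name, addr = (m.group(1), m.group(2)) if m else ("", from_header.strip())
    if "@" not in addr:
        return ["sender address is missing or malformed"]
    findings = []
    # The booklet: when the name itself looks like an address, it should be
    # identical to the real address behind it.
    if "@" in name and name.lower() != addr.lower():
        findings.append(f"display name {name} differs from real address {addr}")
    return findings + domain_findings(addr.rsplit("@", 1)[1].lower(), "sender domain")
```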
More telltales of phishing

If you receive an email that you are unsure about, these considerations will also help you decide if it’s phishing:

SENDER:
1. Were you expecting the communication?
2. Is the sender known to you (email, text message, phone call)?
3. Is the sender asking for information that is inconsistent with their role or their need to know the information?

Even if you do know the sender, be careful of spoofing! The person behind the email may not be who they claim to be. Spoofing is a type of scamming that uses the trust that you have with a person you know to attack. Email spoofing is the creation of email messages with a forged sender address. The only way to verify a spoofed email is by directly contacting the sender – but not via the ‘return’ email. It is not possible to authenticate an email by looking at the sender address. Cybercriminals in recent times have been known to spoof RMIT email addresses, so please be careful. If you are being asked to do something unusual, look for other telltale signs. If you are in doubt, please make a phone call to confirm the request.

CONSEQUENCE:
‐ Is there an undesirable impact if you don’t respond within a certain timeframe? For example, the consequence may be loss of system access or a financial penalty.

ACT:
‐ Scams often include a timeframe in which you need to urgently act or respond, and carry a sense of urgency to entice you to act. They may ask you to open an attachment, access a web link, confirm your personal details or request action relating to your bank account.

MOTIVE:
‐ Is the email playing to your emotions, such as panic or fear of consequences, rather than logic?
3 Email security: Data loss prevention

Information Protection Classification labels – protect your files and emails with a security label: Restricted, Protected, Trusted, Public.

Office 365 allows users to apply an Information Protection Classification label to files and emails. The sensitivity label protects the data. The use of Information Protection labels is recommended for students. The classifications are: Public, Trusted, Protected or Restricted. The classification you apply will depend on the sensitivity of information contained in the document or email, including any links and attachments. Look for the ‘sensitivity’ labels on your Microsoft Office 365 tool bar. More information (staff only): rmit.edu.au

TIPS

If you receive a ‘labelling recommendation’ and you are not the author of the document, contact the author prior to accepting and applying the recommendation and before you finalise the document.
3 What does Policy Pat say about email protocol?

■ All activity on RMIT systems must be traceable. Group and shared mailboxes must not be used anonymously. While it may be a group mailbox sending the email, the email must include an individual’s name as the sender to sign off the email. This helps our RMIT community to verify any request before responding.
■ Microsoft Office 365 is the only email client to be used to access RMIT email.
■ RMIT email should be used predominantly for University purposes. Minimal personal use is allowed. A personal email address should be the primary email address for personal communications.
■ Before you press send, double check your senders’ list to ensure your email is going to the right person.
■ Be careful using email auto-prompts. Using auto-prompts makes it easy to select an incorrect name from your sender list and risks sensitive information being sent to unauthorised recipients.
■ You are responsible for any activity done under your username, so lock your computer when you step away and do not share your account with anyone.
■ You must check for and report suspicious emails.
■ Before you forward an attachment or link to anyone, you must verify the link and attachment. Do not assume that either are safe.
■ Group email lists must be kept up to date. Using outdated lists may put confidential data into the wrong hands and result in regulatory fines against RMIT.

STAFF ONLY

■ As an RMIT employee, you must classify emails using the Information Protection labels available on your toolbar (Public, Trusted, Protected, Restricted).
■ Work emails or any attachment must not be sent to a personal email address.
4 Internet use: Safe connections, social media

Connect safely

Only use secure or trusted connections such as RMIT WiFi, your home network or Eduroam (educational roaming).

■ Public WiFi is generally not secure, even if you have a security code to access it.
■ Don’t use public WiFi to access any personal information or accounts as this may allow other people to gain access to it.
■ Treat the WiFi at cafes, airports, hotels, shopping centres or similar as unsafe; only use it for activities such as general browsing of sports, weather and news.

If you need to provide sensitive information online, check the URL starts with ‘https’ or has a padlock symbol in the address bar, which signifies you have a secure connection.

What does Policy Pat say about safe internet use?

■ Unlawful and unethical online behaviour or practices are not permitted on the RMIT network.
■ You must take care not to allow malicious software or security vulnerabilities into RMIT systems.
■ Do not use RMIT resources excessively for personal use or in a way that would detract from another user’s experience.

Social media

Social media platforms are frequently accessed by people with malicious intent (primarily identity theft and information gathering for the purpose of larger-scale cyber-attacks). When using social media:

■ Never use your RMIT password or email.
■ Be conscious of what you share online. Personal information, organisational structures and information visible on notice boards can be used to compromise security. Scammers use information from innocent posts to build their scams.
■ Avoid posts disclosing your location or your role within the University.

We all have a role in protecting the reputation of the University, both on and offline. Social media can favourably influence a reputation and can equally be used to inflict significant personal or organisational harm.
5 Securing, sharing and storing data: OneDrive, SharePoint, Teams, CloudStor

SharePoint

SharePoint is the University’s tool for file storage and sharing. Before using any SharePoint sites, it is important you are aware of the security implications of storing, accessing and sharing files. SharePoint help, tips and FAQs for site owners and users are available on the SharePoint RMIT Learning portal. Refer to our SharePoint owner and user tips to ensure your information remains protected and secure in SharePoint.

USB and SSD

Google Drive, USBs and flash drives should not be used to store RMIT data. USBs and flash drives are not a safe storage option as they are easily lost. A USB stick can carry a malware infection, which can infect a computer when connected. Resist the temptation of a freebie if you see one lying around or are offered one from an untrustworthy source, i.e. someone handing them out on the street.

Store and share data safely

RMIT provides staff and students with tools that enable safe storage, sharing and access to electronic files through OneDrive, SharePoint and myDesktop. These tools should be used in line with our Information Security Policy.

Cloudstor

Aarnet’s Cloudstor is also an endorsed secure storage repository for research data.

Protect and respect sensitive data

It’s important to respect data confidentiality both in a workplace and in your personal world. When your data is no longer required, it must be respectfully disposed of or stored as per legal requirements.
Site owners

■ Before you create a new site, define the purpose of the site and define who should have access.
■ Know and understand your security and access responsibilities. You must regularly review and update who has access to ensure it is only given to people who need it.
■ Understand the site’s external sharing (outside of RMIT) permissions.
■ Have two to three current site owners. This will make access requests and reviews easier to manage.

SharePoint users

■ Before you add or access files on any site, discuss with the owners the purpose of the site and understand who will have access to files stored in that location.
■ Make sure appropriate Information Classification labels (Public, Trusted, Protected or Restricted) are applied to all files before they are uploaded.
■ Remember, different areas of a SharePoint site may be accessed by different groups so it’s important to always know where you are uploading a file/folder.
■ NEVER upload sensitive information to a ‘public’ SharePoint site. Documents uploaded to a public SharePoint site are accessible to all RMIT staff and students.
Microsoft Teams

When storing files in Teams, remember that they are stored in an underlying SharePoint site. Check with the Teams group owners to ensure the site is secure.

Tips to ensure your information remains protected and secure:

■ When sharing your screen via Teams, be mindful of the information visible, including Posts or Chat or Files in your Teams window.
■ When inviting a guest (someone external to RMIT) to join a Team, be aware that you are giving them access to all files, folders and posts that other team members have access to.
■ When inviting a colleague or guest (someone external to RMIT) to present at one instance of a recurring meeting using Teams, be aware that the person can see all new chat activity from then on.
■ If you provide access to Teams files or folders for people outside the team, ensure you let your team know who has access.

What does Policy Pat say about securing, sharing and storing data?

■ Information should only be made available to those that need it for University work. When sharing any information, consider the purpose of why you are sharing it and share the minimum information required for the task. If it is anything sensitive such as personal information, research, results or assignments, make sure that you are authorised to share it.
■ See the Acceptable Use Standard for more information.
■ RMIT data should only be stored on RMIT endorsed sites or locations. Using non-RMIT endorsed storage options is a security risk and a violation of RMIT Records Policy.
6 Remote working/learning/study

Connect safely

When working remotely, generally, personal devices are less secure than those provided to you by the University.

TIPS

■ Avoid using personal computers and NEVER use personal email accounts to store and send RMIT data.
■ Always save work files to the RMIT-approved tools, such as M365, TRIM or other approved business systems.
■ Use RMIT-approved applications and network tools (e.g. Microsoft Teams instead of Zoom).
■ Secure your personal devices so any RMIT information is not accessible to others.
■ Apply the right Information Protection label before you store or send any file.
■ Use a secure WiFi network or ethernet connection.
■ Enable WPA2 security on your home WiFi router.
■ Change the default password on your router.
■ Keep your operating systems and apps up to date. If you are an RMIT staff member, regularly restart your RMIT-provided devices so the latest software with all available security controls can be deployed to you.
■ If you use a shared computer, remember to log off at the end of your session so the next user can’t access your account.
■ Lock your screen so others don’t have unauthorised visibility of your information.
■ Keep a clear workstation whenever you step away from it.
■ Don’t leave information in areas where it may be seen by unauthorised people.
■ Don’t allow confidential discussions to be overheard.
■ Shred printed documents that you no longer require.
7 Personal devices

Devices are at risk of being hacked by cyber attackers.

■ Keep the operating system and applications up to date. Most updates include security patches.
■ Keep a current antivirus software version running and follow guidelines published on the ITS website for device security.
■ Keep a screen lock enabled that uses a unique authentication method, PIN, pattern or fingerprint.
■ Set and forget automatic updates as a default feature.
■ Disable WiFi and Bluetooth auto-connect when not required so no one can use them to access the data on your device without your knowledge.
■ To prevent the transfer of malware, charge your devices directly via a power point rather than USB or computer ports. Use your own power adapter and charging cord rather than sharing these accessories.

What does Policy Pat say?

■ When using a non-ITS managed device (e.g. mobile or laptop) to access RMIT systems or data, enable a ‘find my device’ (Android) or ‘find my phone’ (Apple) capability and ensure it is useable if the device is lost or stolen.
■ Change your RMIT account password immediately if your device is lost or stolen.
■ Do not store RMIT data locally on the device memory.
8 Mobile applications

Use the Apple App Store or Google Play for all your applications. To avoid malware infecting your device, do not install apps, certificates or any other executable files from links in emails, social media, text messages or pop-up ads.

Review your privacy settings after every mobile application upgrade. An upgrade may put your settings back to default and compromise your security.

What does Policy Pat say?

■ Don’t install any software or use Software-as-a-service without ITS approval (via ITS service desk).
■ Unlicensed software must not be installed on any RMIT devices. Copies of licensed software must not be installed on your RMIT devices.
■ Security features or storage on your PC must not be removed or modified for any reason e.g. troubleshooting.
9 International travel

Stay protected when travelling

Travelling overseas makes you more vulnerable to cybercrime compared with staying at home; about 20 percent of travellers experience some form of cybercrime. Whether you are travelling for work or pleasure, add a few extra precautions into your travel plans to reduce your risk.

Before you leave

■ Update your device with the latest software. Plan to use your smartphone’s mobile hotspot as a secure internet connection rather than unsecure public WiFi.
■ If you are travelling to a destination where there may be data interception by the country’s government, it is recommended you don’t travel with devices.
■ Refer to the International travel pages for more information.

During your journey

■ Defer social media posts until you are home.
■ Take all your electronic devices, including any security tokens, onboard with you when flying. Store your security token separately from your laptop, such as in your coat pocket or personal carry-on luggage.

On the ground

■ Remember, it’s safest to connect using your data plan and international roaming.
■ Switch off Bluetooth and WiFi auto connect. Turn them on only when you need them.
■ Avoid connecting your phone using Bluetooth connectivity in rental cars. Your device may be vulnerable to hackers and personal information such as contact lists may be retained even after the connection has been terminated.

TIPS: More travel safety advice is available on the RMIT international travel pages.
10 Incident reporting and help

The RMIT Service and Support Centre is just a phone call away. When it comes to cyber safety, it’s best to act early.

All staff and students should report any suspicious online requests or incidents related to their RMIT login and email account that may lead to a data breach as soon as possible. Forward any suspicious emails (phishing) immediately to: reportphishing@rmit.edu.au

For help or to report a data or security incident, contact the RMIT ITS Service and Support Centre:
rmit.edu.au/its/ithelp
RMIT ITS Australia +61 3 9925 8888
RMIT ITS Vietnam Hotline +84 28 3776 1313

■ To book a cyber awareness team briefing, email the RMIT Information Security Office
■ Become a Cyber Ambassador
■ Join us on Yammer: RMIT Cybersecurity Awareness
■ For more information on cybersecurity

Full details are set out in the RMIT Information Technology and Security Policy and in the RMIT Acceptable Use Standard – Information Technology.
Remember, data never sleeps and the internet doesn’t forget.

Special thanks to:
Nguyen Trung Hieu - Multimedia Designer, RMIT Vietnam
Nguyen Anh Duc - Creative Service Lead, RMIT Vietnam
Steven Lam - Intern, RMIT Melbourne School of Engineering
for their invaluable contribution to this booklet.