
IT Security

Knowledge of Information Security principles, and putting them into practice, will help protect your own information and Douglas College's information. Learning these principles and practices will help you avoid putting yourself and the College at risk.

If you have any questions or topics you would like to see covered, contact the Manager of IT Security.

Please see common topics below:

Spam

Email spam is the practice of sending unsolicited bulk email, usually commercial in nature, to lists of collected email addresses. It is the Internet equivalent of the junk mail we all receive at home. If you fill out your email address at a website and receive unwanted email from them, it is not spam, because you gave them your email address. If you get unwanted email from a site where you didn't give them your email address, then it is spam.

Spammers (people that send spam) collect email addresses in several different ways:

  • Buy an email list from a company that has legitimately obtained your email address. 
  • Run a program to go through websites and collect email addresses. 
  • Run a program to go through news groups to collect email addresses. 
  • Try to guess email addresses for a company using variations of common names and initials (brute force method). An email is sent to each one. The ones that don't get an error are valid email addresses.
  • Use web browsing tricks. 

Spam emails are designed to get you to click on a link in order to try and sell you a product. Spammers often get paid by the product site based on the number of people that click on the link.

It is also a common trick for spammers to forge the "From" field in the email to make it look like it came from your email address. They do this in order to try and get past email spam filters. When the "From" email address and the "mail to" address are different, it usually indicates the "From" field is forged.

The best advice is to just delete any spam you receive. Some email programs (Outlook, etc.) have junk email options that help keep spam out of your inbox. Do not reply to spam email as it just informs the spammer that the email account is active. When spammers sell email addresses, they get paid more for accounts that have been verified as active.

Phishing

Phishing (pronounced "fishing") emails are designed to trick you into giving up your user ID, password, or other personal information.

What is spear-phishing? Spear-phishing is a fake email targeted to people in a specific company or organization for the purpose of gaining access to the organization and its information.

The fake email is usually crafted based on research about the company from sources such as Facebook, LinkedIn, and the company website. The goal of the spear-phishing attack is to trick you into clicking on a link or opening an attachment so that the attacker can steal your credentials or infect your computer, steal information from your company, and use your computer or credentials to access other systems.

The fake emails could be worded like warnings that your account has been compromised, or include an attachment that says it is an invoice from a company, or claim it is from the IT department. Frequently they try to impart a sense of urgency (e.g. claiming your credentials will expire if you don't respond quickly).

Phishing is similar to spear-phishing except it targets a wider audience rather than an individual company or organization.

How can you spot a spear-phishing attack? There are several things that I have seen:

  • Poor grammar and spelling
  • The links in the email do not go where they say
  • The email claims to be from an internal email address but is actually from an external email address
  • Attachments in .zip or executable format
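The warning signs above, together with the forged "From" field described under Spam, can be checked mechanically. The following is an added example (not part of the College's page) that scans a constructed message for them; it assumes the organisation's domain is the placeholder college.example and treats the Return-Path header as the envelope sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "college.example"  # assumed organisation domain (placeholder)

# Constructed sample: display name impersonates an internal address, envelope sender
# differs from From, link text shows an internal portal but href goes elsewhere, .zip attached.
SAMPLE_EML = """\
Return-Path: <bounce@bulksend.example.org>
From: "helpdesk@college.example" <alerts@mailer.example.net>
Subject: Your password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Verify now: <a href="http://login.mailer.example.net/x">https://portal.college.example/login</a></p>
--b1
Content-Type: application/zip; name="invoice.zip"

UEsDBA==
--b1--
"""

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phishing_indicators(raw):
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    if envelope and domain_of(envelope) != domain_of(addr):  # forged From vs envelope sender
        findings.append(f"From {addr} but envelope sender is {envelope}")
    if INTERNAL_DOMAIN in name.lower() and domain_of(addr) != INTERNAL_DOMAIN:
        findings.append(f"display name '{name}' but real address is {addr}")  # claims internal
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith((".zip", ".exe", ".scr")):
            findings.append(f"risky attachment: {fname}")
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            # visible link text is a URL whose host differs from the real href host
            for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.S):
                shown = urlparse(text.strip()).hostname
                if shown and shown != urlparse(href).hostname:
                    findings.append(f"link shows {shown} but goes to {urlparse(href).hostname}")
    return findings
```

Running `phishing_indicators(SAMPLE_EML)` reports all four signs; a plain internal message with no links or attachments reports none.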

What should you do if you receive a spear-phishing email? Do not click on any links or open any attachments. Instead, send a copy to the help desk to report the phishing attempt.

For an article on spear-phishing, click on the link below ... trust me, it's OK ;-)
http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201307_en.pdf

Phishing Example

I received the following email. Can you tell why it is a phishing attempt?

As a reminder, a phishing email attempts to trick you into clicking a link or opening an attachment in order to steal your login information or infect your computer.

[Image: phishing_example]

Answer.

[Image: phishing_example_answer]