Cybersecurity Basics

From E-Learning Faculty Modules


Contents

Module Summary

Instructors who teach online often use a range of technologies. Most use a wide suite of software programs for office work and data analytics. Online, they use email systems, learning management systems (LMSes), social networking sites, wikis, blogs, video-sharing sites, and microblogging sites. In terms of digital contents, they use third-party contents, digital repositories and libraries, and self-created self-authored multimedia. Cybersecurity, broadly speaking, involves the protection of electronic data and the systems on which such data is created, stored, and (properly) shared—the protection of personally identifiable information (PII), the protection of intellectual property, the protection of sensitive information, the promotion of secure communications (and the protection of accurate messaging), and so on. Effective online instructors walk a fine line between being careful in online spaces and going overboard with incaution or excessive fear. The good news about cybersecurity is that this multi-dimensional challenge is being worked from various angles by many, but online instructors do have to play an important role. This module describes some basic good cybersecurity practices.

Takeaways

Learners will...

  • consider what “cybersecurity” is and review some common related terms and their definitions
  • review what “cybersecurity” is in teaching and learning contexts
  • explore some constructive cybersecurity habits
  • consider the levels of responsibility between instructors and the institution of higher education
  • contemplate some practical ways to stay up-to-date on cybersecurity issues and explore some helpful online resources related to cybersecurity

Module Pretest

1. What is cybersecurity? What are some common related terms, and what do they mean?

2. What is cybersecurity in the online teaching and learning context? What are some common types of information at-risk in a cybersecurity context for online instructors? What are some types of private information that may be at risk? What are some common systems at risk?

3. For instructors and learners, what are some constructive cybersecurity habits? Why are some unconstructive cybersecurity habits? Why?

4. Between instructors and the institution of higher education, who is responsible for what in terms of cybersecurity? Why?

5. Why is it important to stay up-to-date on cybersecurity issues? What are some helpful online resources for cybersecurity?

Main Contents

A laptop with HR data is left in a car and stolen, with the private data in wrong hands and likely compromised and compromise-able.

A staff member has just found a thumb drive and decided to plug it into a computer on a network. A malicious software program on the thumb drive has auto-run and infected the system and is logging all keystrokes and sending that information elsewhere, for exploitation.

A person has received an email that sort of looks legit, with an attached file promising a funny cat video. Click. Suddenly, the computer is locked up, and a ransomware message appears. Pay up to access your files—which have now been encrypted—or lose everything on your machine (now a “brick”).

There are plenty of ways that the security of technology systems may be compromised. What are some ways to improve cybersecurity?


1. What is cybersecurity? What are some common related terms, and what do they mean?


Earlier, “cybersecurity” was lightly defined as having to do with the protection of electronic data. In practice, it involves much more. A better definition of “cybersecurity” from Tech Target reads (in part): “the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.”

What are some common terms related to cybersecurity?

AI social bot: an artificial intelligence (AI) social robot that can emulate a person on social media by Tweeting and sharing photos and intercommunicating with a person

Bot: a robot

Botnet: a network of computers compromised by malicious software and harnessed to send out spam messages and malware

Malware: malicious software

Man-in-the-middle attack: a deception in which a third-party intercepts and changes communications between two other communicators without their knowledge (and so corrupting messaging)

Phishing: the sending of emails using a false identity in order to elicit people’s private log-on identity and passwords in order to steal private information or moneys or otherwise cause harm

SPAM”: unsolicited mass-scale email messages

Spear-phishing: the targeted sending of customized emails under a false identity to compromise a specific individual

Spoofing: the deceptive taking on of another’s identity

Zero-day: a technological exploit or vulnerability in a technology-based system that has not yet been discovered by the owner of that system


2. What is cybersecurity in the online teaching and learning context? What are some common types of information at-risk in a cybersecurity context for online instructors? What are some types of private information that may be at risk? What are some common systems at risk?


In the online teaching and learning context, “cybersecurity” involves some simple habits.

Emails:

  • In terms of email, do not open emails from senders whom you do not recognize.
  • Do not click on links from in emails from people you do not recognize.
  • Do not open attached files from emails from senders whom you do not recognize.
  • Develop a sense of what spam, phishing, and spear-phishing emails look like, and do not respond to them. (Report such emails in the drop-down menu to the emails in Office 365.)
  • Verify that an email came from a particular sender before clicking on any links or opening any files.

Passwords:

  • Use robust and complex passwords.
  • Do not write passwords down.
  • Do not re-use passwords.
  • Use two-factor authentication where possible. (This is where you have the service provider auto-generate a key that will be emailed to you or sent to you as an SMS text to doubly-verify your identity.)

Websites:

  • Do not visit unknown or “iffy” websites.
  • Avoid the “dark alleys” of the Internet and Web.
  • Avoid the so-called Dark Web.
  • Make sure that the websites that you’re visiting haven’t been spoofed.

Software:

  • Use reputable software by respected companies with healthy track records and reputations.
  • Update the software regularly.
  • Do not use pirated or stolen software.
  • When downloading software, go to a reputable site (like CNET’s download.cnet.com) and vetted stores that ensure that no malware is riding on the software.

Computer System Hygiene:

  • Update all software and operating systems regularly. Do not put those updates off.
  • Update antivirus protections on a machine.
  • Use trusted software to ensure that a deletion of a file means a clean deletion (Eraser at https://eraser.heidi.ie/).
  • Clean off excess files using CCleaner (https://www.piriform.com/ccleaner/download).
  • Read the fine print.
  • Do not plug thumb drives into one’s laptop or main machine. Turn off auto-run as a matter-of-course.
  • Go with “airplane mode” for wireless connectivity unless one is connecting to a trusted network.
  • If a computer system has a lot of popup ads, clean off the malware from the machine before continuing to use it. Remember, too, that a lot of malware can be "stealth" and not give any indication of its presence. This is why hygiene measures may be helpful to delete some malware that may be residing on the machine.

Data Storage:

  • Maintain backups of all electronic data, not only on the main machine…but on a trusted cloud…and on a memory device not co-located with the main machine.
  • Be able to recreate the computer if somehow the machine is destroyed…or ransomware is introduced and everything is locked up, etc.

Social Sharing:

  • Information posted on social media and shared publicly may be used in a variety of ways, by people who may not have your best interests at heart. It is wise to be judicious about sharing. There are safer channels to use to share information with one's family and friends.

Engaging “Friendlies:

  • Don’t get used by “social engineers.” People will reach out with all sorts of requests, including strangers, who want intellectual property, research, site license codes for software, and everything else. Ignore such requests.
  • Various research sharing sites have features in which strangers can ask for copies of copyrighted research. Once you’ve signed over rights, you do not have the rights to share further. Make requestors buy their own copies…or subscribe to the right databases, etc. Such research costs a lot of money to actualize and share…and people will always want “free.”

When Traveling:

  • Bring a clean machine, with all unnecessary files left in safe storage.
  • Keep computers and memory devices with you at all times.
  • Do not use wireless at airports or cyber cafes and other locations where IDs, passwords, and log-ons may be captured. Do not log on to anything sensitive while traveling. (Anticipate travel needs by notifying banks and credit card companies and such ahead of time, so those companies can expect in-character activity from abroad.)
  • After trips abroad, change all passwords.
  • Use encryption for files at rest and files in transit.
  • Use VPNs (virtual private networks) to protect communications from end-to-end when accessing university resources.
  • Go with “airplane mode” for wireless connectivity when traveling.

All There:

Generally speaking, assuming that all activities you engage in online and on your machines are discoverable. All emails are on the servers of the service provider. All screenshots and imagery on a machine are retained on the machine. Many software programs have recovery files created for all created contents. (A basic read-through of computer forensics books will give a sense of how much is knowable.)

Not about Avoiding the Cloud Per Se:

Anything on the “cloud”—think LMS, email systems, video hosting sites, survey systems, etc.—are there for easy access by the service provider. There is no “avoiding the cloud” as some may imagine. (The “cloud” just refers to remote servers, and in most cases, most online services are delivered from the cloud.) Virtually all social media platforms and socio-technical systems are hosted on remote servers as well.

Not Taking on Fraudsters on Your Own:

It is a bad idea to engage with spammers and sketchy individuals online as a non-professional. Some such engagements have ended in further exploitation and violence. If there are discovered exploits, document clearly, let law enforcement know, and move on.

An Accurate Risk Assessment:

A “risk assessment” for online instructors will vary depending on the person, their topic of expertise, the data they handle, and the learners and colleagues with whom they interact. Those who work with sensitive materials have to undergo training on how to handle these. These include personally identifiable information (PII), financial information, and sensitive research information. In such cases, the online instructors will train into the work—with encryption (of data at rest and in transit), caution in carrying sensitive material (not on thumb drives, which can be misplaced and left lying around), healthy paranoia about others’ motives, and so on.

It is important not to be gullible. People will contact you with all sorts of proffers. If it is too good to be true, it is likely fraud. (And yet, people fall for the classic scams all the time—whether it is the so-called “Nigerian prince” come-on or some version of that…or the romance come-on or the job-recruitment come-on, or something else. Be skeptical. Be alert. Think through what you’re doing before you do it.)


3. For instructors and learners, what are some constructive cybersecurity habits? Why are some unconstructive cybersecurity habits? Why?


Some constructive cybersecurity habits, in addition to those mentioned above include the following:

  • Instructors would do well to keep up with their campus cybersecurity trainings.
  • They should read broadly about the topic and cultivate other channels of knowledge about cybersecurity beyond their workplace.
  • If they have questions, they should contact a specialist in cybersecurity. It’s totally good to be subject matter experts (SMEs) in their own areas but to lack knowledge in others.

For online learners, they would do well to follow the tips above.

  • Some online learners will justify going with pirated software because they are “poor” students. They stand to lose a lot more going with something pirated than with educational (discounted) licensure of the real thing. (Many software companies are very generous to those in education.)


4. Between instructors and the institution of higher education, who is responsible for what in terms of cybersecurity? Why?


The instructor is responsible for maintaining his / her own systems, generally speaking, by updating anti-virus protections, avoiding phishing and spear-phishing come-ons, avoiding malware infections, and so on. The instructor is responsible for notifying those in IT when they come across some elicitations.

If instructors are working on high security projects, they need to notify their project leads when they are contacted and asked to share privy information.

The institution of higher education is responsible, generally, for running clean systems and working to protect the instructors and the information they handle (which oftentimes belongs to the university).


5. Why is it important to stay up-to-date on cybersecurity issues? What are some helpful online resources for cybersecurity?

Cybersecurity is a dynamic and fast-changing issue, with so much dynamism in technologies and practices.

One fun resource is by Gary McGraw of Cigital. He hosts the Silver Bullet Podcast, in which he interviews cybersecurity professionals, who share insights about the field.

https://www.cigital.com/podcast/

Examples

How To

Please see the above for some general “how to’s”. Please also research further for the specifics on how to shore up particular systems and to protect information and identities in various contexts.

Possible Pitfalls

There are two general areas of risks in terms of taking on cybersecurity, and these are at both extremes.

If a person is too lax, he or she risks compromising their own computer systems, their institutional networks, and data (their own and others’). They risk having systems that do not work efficiently. They risk harming their own professional reputations for professional work.

There is a risk at the other extreme as well, of being so intimidated by cybersecurity threats that the person takes a “Luddite” (no tech for me) or “fortress” (“I’m not going out anywhere”) approach to the world. Some faculty will not use technologies, the Web or Internet, or social media. If fear of cyber threats results in disengagement, then that will be a large harm. There are many constructive ways to use technologies and the Web and Internet. Even as cyberspace is highly dynamic, there are many efforts to identify risks and to neutralize them. Those who would use technologies and online resources with some basic and reasonable cautions will help advance technology.

Module Post-Test

1. What is cybersecurity? What are some common related terms, and what do they mean?

2. What is cybersecurity in the online teaching and learning context? What are some common types of information at-risk in a cybersecurity context for online instructors? What are some types of private information that may be at risk? What are some common systems at risk?

3. For instructors and learners, what are some constructive cybersecurity habits? Why are some unconstructive cybersecurity habits? Why?

4. Between instructors and the institution of higher education, who is responsible for what in terms of cybersecurity? Why?

5. Why is it important to stay up-to-date on cybersecurity issues? What are some helpful online resources for cybersecurity?

References

Extra Resources

McGraw, Gary. (2017). Silver Bullet Podcast. Retrieved June 29, 2017, from https://www.cigital.com/podcast/.