May has arrived, and if you are like me, you are gearing up for summer while trying to finish up the semester. This frantic time of finals, final papers, showcases, productions, graduation, and all other manner of “showing your work” is in full swing. Good luck to everyone, whether you are taking tests, giving tests, grading tests, or something else. I know everyone is ready for a change. A change of season brings a change in many other things, including information technology and security. I have a couple of changes to pass along to the community, along with the normal warnings and reminders. Let’s get to it!
The first change I want to mention is a change coming soon, but not yet upon us. I know most everyone has seen those yellow banners on your emails that warn you if an email came from an outside email address. Love them or hate them, they are going away, probably sometime this summer. I can hear the screams of relief and thanks even in my office on Stretch Road! You’re welcome! Those banners are, IMHO, great to have to remind us to be careful with email, but they have a fatal flaw, in that a crafty attacker can embed special code into an email to erase those banners, rendering them useless.
Thankfully, Microsoft is aware of this issue and is releasing a solution soon that will allow us to eliminate the banners. The new feature still allows us to “flag” the email if it comes from outside the Berry system, but the warning will not be a part of the message. Below are two images that show how these notifications may look. The “external” tags and notices are outlined in red.
My understanding is these tags only work in Outlook on the desktop and mobile or in the Outlook web interface in a browser. If you read your email in some other mail client, these tags and notices will not be available. The Office of Information Technology is still formulating a timeline to roll out these changes, so stay tuned to my newsletters or check the website for announcements about this change. Email notifications will go out for this also.
The best way to stop phishing emails in their tracks is to learn how to spot them. You can sign up for training on our training platform, attend my phishing LunchITS training session, or request I come train your department at a time and location convenient for you. You can request access to the training platform or request customized departmental training using the link in the right-hand sidebar of this page or simply email firstname.lastname@example.org.
Speaking of training, OIT is currently investigating expanding the training platform to be able to handle the entire active community: all faculty, staff, and students. If we are able to do this, we can offer security awareness training on a regular basis to everyone. We are currently attempting to determine the best interval between training and how long individual sessions of training should be.
Training to spot phishing attempts will help you avoid all of the various scams that are popular right now. These include IRS-related and tax filing scams, scams related to stimulus payments, fake notifications of emails, shared documents, and voice mails, and yes, there are still scams related to COVID, particularly in relation to vaccines. Get the training you need to spot the phish!
If you don’t have MFA enabled on your account, it will be soon! If you want it NOW (as you should), make your request by emailing email@example.com to tell them you want MFA! The most secure way to configure it is to use the Microsoft Authenticator on your smartphone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn MFA/2FA on everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.
If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically Information Security, will be provided using these outlets. If you are not into social media, you can also subscribe to get updates via email. Just use the link available in the right-hand sidebar on the current posts page.
You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events will be posted.
Food for Thought
Permanent link to this comic: https://xkcd.com/1349/