Welcome to the start of the 2021-2022 fiscal year! You’ve probably been scrambling over the past few days to get all those “end of the year” things completed. I know I have. Just because the “new year” is starting doesn’t mean that we aren’t already in full swing with many summer initiatives, including the Governor’s Honors Program, preparing for the fall semester, hosting camps, and just getting those things that must be done outside of the two main semesters done. This being the start of July, the Independence Day holiday approaches as I write this newsletter, but by the time most of you read it, the day will have passed, so I hope you all had a fun, safe, and meaningful time celebrating.
October is here! Did you know there are 190 official and unofficial “days” in October? I know, there are only 31 actual days, but many days are workhorses, serving as “the day” for multiple celebrations, from National Pumpkin Day to World Animal Day to the International Day of Non-violence. More immediately on many of our minds here at Berry, Mountain Day is around the corner, along with long-sleeve weather. October is also the height of “pumpkin spice everything”, and…Cybersecurity Awareness Month!
Yes, it’s Cybersecurity Awareness Month! Let’s just call it CAM. It used to be called National Cyber Security Awareness Month or NCSAM, but it is observed internationally now. You can find out about our planned topics on the CAM 2020 page. There will be weekly articles as well as a month-long virtual scavenger hunt…and prizes…and candy…and learning! Head over to the CAM 2020 page to check it out after you finish reading this article. Come on, stay focused here! There will be another link at the bottom of the page.
As already mentioned, look for weekly articles on various security awareness topics posted right here each Monday of October. They, along with the security awareness posters on all the residence hall bulletin boards and in Krannert, will be essential to completing the scavenger hunt. You might be asking yourself, why burn 5-10 minutes of time each week in October tracking down scavenger hunt items? Because everyone who completes the scavenger hunt will be eligible for a drawing for the grand prize of a pair of
Monster Isport Ear Buds Monster Clarity 102 AirLinks Wireless Ear Buds
As a part of CAM, the Office of Information Technology (OIT) is strongly urging everyone to sign up for Multi-Factor Authentication (MFA) for their Berry account (and all other accounts you have, but we are particularly concerned with your Berry account). MFA brings another level of security to your account and can protect you if the password for your Berry account is exposed. The setup is easy, and you’ll be able to keep your Berry account password for an entire year, assuming it does not get exposed. Email firstname.lastname@example.org and let them know you want MFA. MFA will be required for all current students, faculty, and staff soon, so you should beat the rush and get signed up now!
In addition to encouraging everyone to sign up for MFA, OIT is also encouraging everyone to sign up for security awareness training. OIT is implementing a brand new security training platform and we want as many as possible to experience the new system. While we will continue to focus on specific training for now, we are looking to expand the system to accommodate everyone as soon as we can. More details will be provided, either in one of the CAM 2020 weekly emails or the November monthly newsletter.
There are other ways to participate in training. You can attend a one hour, Zoom-based, focused training on phishing emails or passwords and password managers, or request one-on-one training on a particular topic. Since the theme for CAM is “Do Your Part – #BeCyberSmart” we encourage you to develop your cybersecurity “smarts” in whatever way fits your schedule and goals.
If, after reading the CAM2020 page and looking over the rest of the website, you think I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the calendar where events will be posted and you can register for these events.
Go directly to the scavenger hunt page! This link will not be active until Monday, October 5th, 2020, at 8:00AM.
Hard to believe, but this entire year has been hard to believe, so why should anything change now? Lots of things to pass along to all of you in this newsletter, from mandated notifications to announcements of new and returning resources, to the upcoming Cyber-Security Awareness Month.
By far, the most important item is the reminder that downloading or distributing copyrighted material, including through peer-to-peer file sharing applications, without the permission of the copyright owner is against the law. Illegal downloading or distribution of copyrighted materials can result in your being prosecuted in criminal court and/or sued for damages in civil court. Criminal penalties for first-time offenders can be as high as five years in prison and $250,000 in fines. If sued in civil court, you may be responsible for monetary damages, attorneys’ fees, and civil penalties up to $150,000 per work distributed.
Use of Berry’s resources for unauthorized distribution of copyrighted materials is forbidden. The College prohibits illegal copyright infringement through its Acceptable Use Policy. You are required to adhere to all college policies including those that relate to copyrights and fair use. This information is posted on the Berry website at https://berry.edu/policies/ . The Memorial Library has an excellent resource: http://libguides.berry.edu/copyright
There are many legal sources available for copyrighted material such as music, movies, and TV shows. Some are free and some charge a nominal fee. We’ve all grown VERY aware of the possibilities over the last few months, at least those of us who were required to isolate ourselves or who did so voluntarily in response to the coronavirus. Please be responsible in your use of copyrighted materials.
With that out of the way here are a couple of new resources from Information Security. While we won’t get to meet and chat in Krannert for the foreseeable future, it doesn’t mean Information Security is taking a break. The cyber-criminals definitely don’t.
On this site in the next few days you will see a new item in the main menu. The Berry College “Phishbowl” will feature past and current phishing emails curated from submitted emails from Berry faculty, staff, and students. All emails have been anonymized, unless they came to a non-personal account like “Financial Aid” (one of the phishers’ favorite targets).
You’ll be able to see a variety of phishing emails, with commentary on the various indicators that betray each one as a phishing email. Eventually, you’ll be able to sort and filter emails based on type, i.e., sextortion emails versus financial fraud versus fake notifications (this capability is still “under construction”). I hope seeing these emails with their tell-tale indicators will help you be able to spot a phishing email and not get caught in the future.
Another new resource is a twist on an old resource. Last year, I held a series of lunchtime training opportunities I affectionately called “LunchITS”. Well…that’s not gonna happen this year, at least for a while, so I am launching a new opportunity for one-hour training sessions via Zoom. I hope to hold the first one mid-September, then have them regularly, every other week or so, through the end of the semester.
Topics will range from old standbys like phishing and account management to new sessions with more narrowly focused topics like how to effectively and easily use a password manager, or how to choose and safely use Internet of Things (IoT) devices like “smart” coffee pots and home automation equipment. Sessions will be repeated throughout the semester, so I hope you get the opportunity to attend one. Details will be posted on this site as general posts and to the events calendar hosted here, when it returns. Check back for more info, or if you are part of a club, office, department, or other group and want to get customized “in-person” (via Zoom, of course) training, just let me know. Check the About page for my contact information.
With this being September, as mentioned before, that means that next month is October, which is Cyber-Security Awareness Month! There will be weekly posts on the nationally chosen topics, plus, in lieu of a table in Krannert every week, there will be a weekly competition, culminating in a grand prize drawing for some exciting prizes. More details will be posted here on this site throughout September, so check back for more info.
In addition to details about the October fun, there will continue to be warnings posted about current phishing emails, breach notifications, and other information security events that could affect you, so bookmark the beautiful new front page and check back often.
Now for the usual reminders (or for those who have never been here before, some important information you should definitely read).
If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. Make your request by emailing email@example.com to tell them you want MFA!
If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember, you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar, once it makes its triumphant return.
Thanks for persevering to the end of this rather long newsletter!
Photo Credit: No Piracy billboard by Descrier (CC BY 2.0) https://flic.kr/p/faTECf
NOTICE! Further updates to this page will be announced on the Berry OIT social media platforms. We’re on Facebook (@BerryCollegeOIT), Twitter (@berryoit), and Instagram (@berrycollegeoit). Please check back here often, as tactics will change almost daily based on new events related to the virus. Updates will continue to be added to the bottom of this page and dated for easy following.
While we all should be washing our hands more frequently, using hand sanitizer, avoiding large gatherings, limiting our travel, and taking other physical precautions in response to the coronavirus, we also have to take into account information security precautions.
Criminals will use every ruse they can to try and take your money, steal your credentials or infect your computer with malware, including promising “coronavirus updates”, “miracle cures”, and other information and services. Many of these phishing emails will be believable, not just because the criminals may take care to craft them accurately, but because almost everyone has at least some small innate fear of this mostly unknown virus. There is urgency and “scariness” built right in, as the coronavirus will most likely affect all of us, at least indirectly, at some point.
Please be especially careful with any emails that attempt to manipulate you using fear of the coronavirus. Avoid and report emails that request donations, or claim to have “inside information” about the virus and the associated disease, COVID-19.
UPDATE (3/18) – also stay away from apps in the Apple Store and Google Play that are coronavirus related. The vast majority are designed to steal your data and credentials or take over your phone, or both.
If you want more information about it, your best bet is to stick to major news outlets like CNN, MSNBC and Fox News for more reader-friendly summaries, and the Centers for Disease Control and Prevention, the World Health Organization, and the Georgia Department of Public Health for more detailed and localized information.
Please also consult the college’s update page for dealing with the coronavirus.
Links to other sources of information will be posted here as the situation develops, but your first stop should be the page above.
UPDATE (3/18): Here is the NCSA resources page mentioned in the March 18th email. https://staysafeonline.org/covid-19-security-resource-library/
UPDATE (3/23): Coronavirus-themed phishing emails are arriving in campus email inboxes now. They promise everything from where to find masks and other protective gear to the fact that you don’t need a vaccine to beat the coronavirus (true, but irrelevant). Some are attempting to impersonate the World Health Organization and the Centers for Disease Control and Prevention. Don’t be fooled! Report or delete these emails, don’t follow any links, and don’t open any attachments. Rest assured the WHO and the CDC will not email you directly with updates. You can visit these sites from the links above, or if you have them bookmarked now, as some do, use your bookmarks or Google to find the sites safely.
UPDATE (3/23b): Scammers are now using the promise of government stimulus checks to try and steal your credentials and financial information. They are also attempting to impersonate the IRS to achieve the same goals, with the same lure (stimulus checks). Don’t fall for these tricks! The government will not contact you via email and ask for private financial information.
UPDATE (4/1): For those of you using Zoom for classes or other duties – Due to a bug in how Zoom handles web and file addresses in the chat feature, OIT strongly recommends that you do NOT send links to resources for classes (or work) via chat, nor should you open any links in the chat window. Please put resource links for all classes in Canvas, and treat any link in the chat window as you would a link in an email, VERY SUSPICIOUSLY! Also, please make sure you are following ALL of the recommendations from OIT about securing Zoom sessions if you are using Zoom to conduct classes. These are found in a March 19th email from firstname.lastname@example.org.
UPDATE (4/1b): Scammers have no shame. One of the newest phishing scams out there tries to convince you that they are contacting you from a hospital and that they know you have had contact with someone infected with the coronavirus. The scam attempts to have you download and open the attachment, then proceed to the nearest hospital. The attachment contains malware and will infect your computer. Even during a pandemic, don’t open attachments.
Also, scammers have registered hundreds of new domains over the past few weeks with “zoom” in them somewhere, and the websites associated with them are handing out malware to unsuspecting users who click on them. The real domain for Zoom is zoom.us. There is never any reason to go to the Zoom website to use Zoom. Download the Zoom app to your computer and do your work there. Be VERY cautious with emails that purport to be from Zoom.
Finally, a group of scammers is going “old school” to infect users. They are mailing (yep, snail-mail) USB drives to potential victims, sometimes accompanied by gift cards or other lures to get users to plug them into their computers. Don’t ever plug a USB drive of unknown origin into your computer! The USB drives sent by these scammers will install malware that will allow them access to your computer. Don’t fall for it!
Welcome to this special “mid-January” monthly edition of news from Information Security!
With the students not returning to class until the 13th of the month, this edition was delayed to roughly coincide with their arrival. Also delayed are the security awareness posters, for those who get them and post them in their offices. If you would like to have security awareness posters to put on a departmental or office bulletin board or at “the watering hole” for your area, please email email@example.com and mention you would like to receive these on a monthly basis (and how many). They will normally be distributed at the first of the month, but again, for January, 2020, they will be distributed the week of the 13th.
I’ve already sent a couple of emails to faculty and staff this year, one about the new idle workstation lock policy that went into effect on the 6th of January, and another pointing to a post here urging everyone to be particularly vigilant in the next few weeks, and beyond, as tensions with Iran continue to build. It is assumed that part of Iran’s counterattack will be conducted in the digital realm. You can read the warning by clicking here.
On the topic of returning things, there will be a LunchITS scheduled toward the end of January. The topic will be account security, including information about usernames, passwords, password managers, and multi-factor authentication. If any of that sounds unfamiliar, then this LunchITS is for you. I will send out an email when the schedule is confirmed and you can always check the event calendar right here on the InfoSec News & Alerts site for future events. February will see the return of the phishing LunchITS and a brand new LunchITS geared toward a broader overview of security awareness.
Wait, what’s a LunchITS, you ask? LunchITS, which is short for “Lunch+Information Technology Security”, are one-hour training sessions, held during the lunch hour (12:00 noon – 1:00 PM) in Krannert, where you can come, with your lunch, and learn more about information security. You can pick up lunch at Krannert, or brown bag it. Just be prepared to learn while you eat. You’ll get information to take back with you, with all of the main points of the session included on the provided literature, for those of us who can’t eat and take notes at the same time.
Also coming up in January is Data Privacy Day, celebrated on the 28th of the month, which just happens to be a Tuesday, and Information Security will have a table in Krannert from 11:30AM until 1:00PM where you can drop by and ask questions, pick up information, and grab some gratuitously bad edible items. This event will also be on the event calendar on this site and an email will go out the day before to remind you.
Finally, coming soon to a computer or phone screen near you (probably on your desk or in your hand) is the next in-house written, filmed, and produced security awareness video. The intrepid Director of Information Security will help yet another would-be victim with their security awareness. As soon as it is ready, an announcement will go out over email and on social media.
On that topic, if you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the previously mentioned events calendar.
That’s it! Welcome back to a new year, everyone, whether you just got here or have been here for two weeks this year already.
If you have been paying attention to the news, you will have seen how the US embassy in Baghdad, Iraq was attacked on December 31st, 2019 and how the US retaliated with a drone strike killing a high ranking Iranian general on the 3rd of January, 2020. While not diving into the good or bad of this, there is every reason to believe Iran will attempt some kind of counterattack, most probably in the cyber realm, rather than the physical.
Iranian cyber-weapons and cyber-warfare troops are advanced and the nation has all the motivation it needs to launch a concerted digital attack. Please be extra vigilant over the next few weeks with unexpected emails, voice mails, or phone calls. Be suspicious. If you have any doubt at all as to the validity of an email, please contact Information Security for assistance. It only takes one email to add Berry to the list of unfortunate institutions that have suffered a devastating cyber-attack.
I would ask department heads, office managers, directors, and other employees in managerial positions to request further training for their staff or faculty if they feel there may be a weak link in the operational unit. There’s no need to point out individuals…simply request training, either online or face-to-face, for the entire unit.
That’s my New Year’s warning and plea!
It’s National Cyber Security Awareness Month!
Welcome to October! While it doesn’t feel quite like fall, the calendar says we are there. That means it is once again, for the sixteenth year nationally and fifth year here at Berry, National Cyber Security Awareness Month (NCSAM)! The theme this year is “Own IT. Secure IT. Protect IT.” The “IT” is intentionally capitalized, as it stands for “information technology”.
Information Security will be covering three information security topics every week of October, each based on an aspect of the theme. Articles will post each Tuesday, which means that one is posting the same day as this newsletter. There will also be a link to an information security awareness video. These will be short, humorous videos designed to quickly present an information security topic. We’ll also be hosting a table in Krannert every Thursday of the month, handing out information, answering questions, and offering either swag or edible goodies, or both, to everyone who stops by. That includes Halloween, so be ready for some edible treats that day.
We’ll also have a box at the table where you can register once each week to win a prize. The winning name will be drawn on Halloween, after the Krannert table closes at 1PM. The winner will be notified via email and will receive a bag o’goodies.
Be on the lookout for the first NCSAM article; it will post shortly after this newsletter.
In other news, this site will now be posting information about third-party data breaches that involve Berry email addresses. For example, the textbook rental company Chegg experienced a breach that exposed information on nearly 40 million accounts. There were about 1600 accounts registered with Berry email addresses on the Chegg site. While a good portion of those are alumni accounts, current students were among the affected. Emails will continue to be sent to the community when breaches expose unencrypted passwords and/or action should be taken immediately.
Finally, you probably noticed that this site is undergoing a makeover. As we expand the scope of information we are providing and hope this draws more people to the site, we figured we should probably “de-uglify” it some. There will be more changes coming as the site is updated and more information and services are added. Keep checking back for the changes.
That’s it for this newsletter. We hope you come back to the site often during October and beyond to stay informed about information security.