September News From Information Security

September already!?!?

Hard to believe, but this entire year has been hard to believe, so why should anything change now? Lots of things to pass along to all of you in this newsletter, from mandated notifications to announcements of new and returning resources, to the upcoming Cyber-Security Awareness Month.

By far, the most important item is the reminder that downloading or distributing copyrighted material, including through peer-to-peer file sharing applications, without the permission of the copyright owner is against the law. Illegal downloading or distribution of copyrighted materials can result in your being prosecuted in criminal court and/or sued for damages in civil court. Criminal penalties for first-time offenders can be as high as five years in prison and $250,000 in fines. If sued in civil court, you may be responsible for monetary damages, attorneys’ fees, and civil penalties up to $150,000 per work distributed.

Use of Berry’s resources for unauthorized distribution of copyrighted materials is forbidden. The College prohibits illegal copyright infringement through its Acceptable Use Policy. You are required to adhere to all college policies, including those that relate to copyrights and fair use. This information is posted on the Berry website at https://berry.edu/policies/. The Memorial Library has an excellent resource: http://libguides.berry.edu/copyright

There are many legal sources available for copyrighted material such as music, movies, and TV shows. Some are free and some charge a nominal fee. We’ve all grown VERY aware of the possibilities over the last few months, at least those of us who were required to isolate ourselves or who did so voluntarily in response to the coronavirus. Please be responsible in your use of copyrighted materials.

Whew!

With that out of the way here are a couple of new resources from Information Security. While we won’t get to meet and chat in Krannert for the foreseeable future, it doesn’t mean Information Security is taking a break. The cyber-criminals definitely don’t.

On this site in the next few days you will see a new item in the main menu. The Berry College “Phishbowl” will feature past and current phishing emails curated from messages submitted by Berry faculty, staff, and students. All emails have been anonymized, unless they came to a non-personal account like “Financial Aid” (one of the phishers’ favorite targets).

You’ll be able to see a variety of phishing emails, with commentary on the indicators that betray each one as a phish. Eventually, you’ll be able to sort and filter emails by type, e.g., sextortion versus financial fraud versus fake notifications (this capability is still “under construction”). I hope seeing these emails with their tell-tale indicators will help you spot a phishing email and not get caught in the future.

Another new resource is a twist on an old resource. Last year, I held a series of lunchtime training opportunities I affectionately called “LunchITS”. Well…that’s not gonna happen this year, at least for a while, so I am launching a new opportunity for one-hour training sessions via Zoom. I hope to hold the first one mid-September, then have them regularly, every other week or so, through the end of the semester.

Topics will range from old standbys like phishing and account management to new, more narrowly focused sessions like how to effectively and easily use a password manager, or how to choose and safely use Internet of Things (IoT) devices like “smart” coffee pots and home automation equipment. Sessions will be repeated throughout the semester, so I hope you get the opportunity to attend one. Details will be posted on this site as general posts and, when it returns, to the events calendar hosted here. Check back for more info, or if you are part of a club, office, department, or other group and want customized “in-person” (via Zoom, of course) training, just let me know. Check the About page for my contact information.

As mentioned, this is September, which means next month is October, which is Cyber-Security Awareness Month! There will be weekly posts on the nationally chosen topics, plus, in lieu of a table in Krannert every week, there will be a weekly competition, culminating in a grand prize drawing for some exciting prizes. More details will be posted here on this site throughout September, so check back for more info.

In addition to details about the October fun, there will continue to be warnings posted about current phishing emails, breach notifications, and other information security events that could affect you, so bookmark the beautiful new front page and check back often.

Now for the usual reminders (or for those who have never been here before, some important information you should definitely read).

If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically from Information Security, will be provided through these outlets. Remember, you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar, once it makes its triumphant return.

Thanks for persevering to the end of this rather long newsletter!

Photo Credit: No Piracy billboard by Descrier (CC BY 2.0) https://flic.kr/p/faTECf

NCSAM Week 5 – IoT, MFA, and PhysSec

Welcome to the fifth and final week of National Cyber Security Awareness Month. I want to thank you for sticking with me through the whole month. All NCSAM articles are archived on this site, just click the NCSAM link in the top menu to find them.

Now, to our topics for this week.

First, in the “Own IT” category, let’s talk about IoT, or Internet of Things, devices. These are all those “smart” devices we connect to the network that do things automatically, remotely, or just in response to our voice. They include everything from Amazon Echos to Google Home devices, toasters to coffee pots, and TVs to refrigerators. Whenever you decide to splurge on a “smart” device, be sure to read the manual, follow the setup procedures, ensure it is up to date, and above all, change any default passwords. Well-made devices from reputable companies should have all of this documented, either in physical form packaged with the device or online. If your home router offers a separate guest network, put these gadgets on it, so that a compromised toaster cannot reach your laptop. Don’t just plug the device in, drop it on the network and forget about it. That smart toaster is really no longer a toaster; it is a computer that makes toast, with all of the issues inherent in computers. Again, follow the setup procedures, keep it up to date, and secure it from improper access by changing any default passwords.

If only these devices required multi-factor or two-factor authentication (MFA, 2FA)! They would be a lot safer! In our “Secure IT” section, let’s talk about MFA/2FA and how it can add an additional layer of security to your accounts. MFA/2FA requires you to provide, in addition to a username and password, a second piece of evidence of a different kind, called a factor, to complete the sign-in process. There are three kinds of factors:

  1. Something you know – a password, a pin, a secret code
  2. Something you have – a key, a phone, an ID card
  3. Something you are – a fingerprint, your face, your palm

MFA/2FA requires at least two factors of different kinds (a password plus a PIN is still only one kind, something you know). You can request MFA/2FA be enabled on your Berry account by contacting the Office of Information Technology via email at computing@berry.edu.

Once you have enabled and configured MFA/2FA, even if someone were to guess or steal your username and password, they would not be able to access your account without the second factor. That’s some comfort, as data breaches happen every week and phishing emails get ever harder to spot. One caveat: a phishing page can ask for your code too and pass it along to the real login page while it is still valid, so only type a code into a page you navigated to yourself, never one you reached from a link in an email.

Finally, for our “Protect IT” topic, let’s talk about physical security. Many “hackers” do nothing more than listen in on sensitive phone conversations when the caller is not aware, or “shoulder surf” by walking by someone as they type in their password. Be aware of your surroundings as you use your devices, particularly if you are accessing sensitive data like bank account or credit card numbers, medical information, or other private documents.

Physical security is not just related to information security, of course. Be careful as you move around your environment. Don’t prop open security doors or leave doors unlocked. Don’t allow anyone you don’t know to “tailgate” behind you through a secure door, like in a residence hall. If you need to go somewhere at night, find a friend or friends to go with you.

I hope this series of articles has been informative. Again, you can check out the entire collection of NCSAM articles here on this site by clicking on the “NCSAM” button in the main menu.

If you have any questions about any of this information, please either email me directly at infosec@berry.edu or, if your question is not about sensitive information and you think others might benefit from the answer, you can post your question to the Q&A page of this site. Just click on the “Q&A” in the main menu.

Check the table in Krannert on Thursday (Halloween!!) between 11:00 and 1:00 one last time for info and goodies and another chance to put your name in the pot for the prize to be awarded that afternoon.

Here is this week’s video, a (hopefully) funny clip about multi-factor authentication. You will have to log in using your email username and password to view the video on the Microsoft Stream service.

Students – here is your link

Faculty/Staff – here is your link

 

NCSAM Week 4 – BYOD, Know Your Devices, and Keep Up With Your Devices

This week’s discussion of “Own IT, Secure IT, Protect IT” is all about devices – smartphones, laptops, tablets, watches, and other “smart” things.

Students, faculty, and staff have been “bringing their own devices” (BYOD) here at the college for nearly two decades. The nature of our network requires us to modify how we use these devices compared to how we use them on our home networks, but the end goal is the same. We want to be able to connect quickly and safely to the Internet. The Office of Information Technology (OIT) has worked tirelessly over the years to make connecting to the network easy, reliable and secure. There have been times when the sheer number and diversity of devices made that hard to accomplish, but with cooperation from everyone, it is possible.

Own IT

First, make sure your device, whatever it is, is fully up to date with all software patches. This will be one of the first troubleshooting steps (after rebooting it) that OIT will ask you to complete when you are having connectivity issues. Unpatched devices can disrupt our networks or, if infected with malware, even compromise other devices. Second, make sure you lock your devices to protect the data on them. Finally, if you have any issues connecting to the wireless network, be sure to contact OIT by emailing computing@berry.edu. Please refrain from using the guest wireless network, as it does not provide the same level of security as the Berry or EZConnect networks.

Here is OIT’s web page about connecting to the wireless network. Consult it first before contacting OIT. The answer to your question may be there. On that page are links to operating system and device specific instructions.

Secure IT

Know how to secure your device. Before you dive into all the whiz-bang features on a new phone or tablet or other device, find out how to secure it. Do you need to change a default password? Do you need to run updates? Are there additional ways to secure your device, like fingerprint scanners, facial recognition, PINs, or other methods? Device security is all about layering multiple protections, so be sure to enable all the mechanisms available to you. Also, be sure to register your device, especially phones, watches, and other devices that could be lost, with a locating service. Both Apple and Google have mechanisms that could allow you to find a lost device. Here are the links to that information (the Google link asks you to log in to your Google account, so there is an additional link to an article that walks you through the process without logging in to Google):

Apple Find My

Google Find My Device

Here is the article that clearly explains the Google process

Protect IT

Speaking of lost devices, take steps to ensure you can keep up with your device. Does it need a case? Phones these days are so slim and built with such rounded corners and edges that it is easy to drop them or for them to slide out of a pocket. Find a good case that gives you a good grip and helps make sure the phone doesn’t easily slip from wherever you carry it. Popular these days are extendable stands like PopSockets, and some cases have stands or handles built in. Be sure you can keep track of your devices. Choose cases and accessories that make your phone stand out from the sea of identical phones everywhere. Colorful cases, stickers, and other identifying items tend to discourage the casual phone-grabber, as they may make it harder to get rid of the phone. They will most certainly make it easier for you to spot your phone if you leave it lying around somewhere.

Here is the link to the PopSockets site

OtterBox makes great cases, but their prices can be premium

To find something that suits your style and budget, fire up your favorite shopping site and search for “smart phone cases” or “cell phone cases”. You are sure to find something.

I hope you found this article informative. If you have any questions about any of this information, please either email me directly at infosec@berry.edu or, if your question is not about sensitive information and you think others might benefit from the answer, you can post your question to the Q&A page of this site. Just click on the “Q&A” in the top menu.

Check the table in Krannert on Thursday for info and goodies and another chance to put your name in the pot for the prize bag worth over $75 to be awarded on Halloween. Also, please take a moment to read each week’s article as they post.

Now for some fun… enjoy this one man show video about passwords and password managers, starring your Director of Information Security (who is not a paid actor…)

You will have to log in with your email credentials to view the video on Microsoft Stream:

Students – here is your link

Faculty and Staff – here is your link

Tune in for our last article next week when we talk about IoT, MFA and PhysSec! If you don’t know what those are, definitely check out the article next week.

NCSAM Week 3 – Identifying Sensitive Data, Spotting Phishing Emails, Cleaning Your Digital House

Welcome to week 3 of National Cyber Security Awareness Month!

We’re already more than halfway through October. Halloween approaches!

I know most of you students will not read this until Wednesday at the earliest. Who wants to spend Fall Break time reading about Cyber Security Awareness? Just kidding! YOU should!

This week we are discussing how to identify sensitive data (own IT), how to spot phishing emails (secure IT), and how to clean up your digital data (protect IT). This post will be a little longer than most, so bear with me. Following along with our car and/or bike maintenance theme, we have to know how to spot trouble with our car, like not ignoring those yellow lights on the dashboard, or that weird shrieking noise it makes when you start it up, or the squealing sound when you touch the brakes. With our bike, we have to be more…manual, and proactive. Always check the tires and chain before starting a ride, and inspect the brake pads to make sure they are working. If something is squealing on our bike, we should probably just stop and check it out. Sorry…I didn’t mean to fall too far down the analogy rabbit hole there.

To properly “own our IT”, we have to know – What is sensitive data? It is any data about a person, or entity, that is potentially exploitable or possibly damaging. Some sensitive data is defined by law. There are dozens of alphabet-soup laws, regulations, and standards with which we have to comply. Some of these are: PCI-DSS, HIPAA, FERPA, GLBA, GDPR, and so many more. If you don’t know what any of those are, Google is your friend, but we can discuss the impact of these laws, regulations and standards without knowing exactly what they are. For example, the college is required to comply with HIPAA to protect employee and student medical records. It must comply with FERPA to protect student information and with PCI-DSS to protect credit and debit card information. But what is this information?

A short list includes names, addresses, credit card numbers, medical diagnoses, grades, academic status, classes taken, location, and account numbers. Not all of these items are covered by all of the laws, regulations, and standards, but a subset of them is covered in almost every one. They are referred to as PII (personally identifiable information), PHI (protected health information), or by other acronyms. The penalties for not protecting this data range from monetary fines to loss of institutional accreditation to the inability to accept credit and debit cards as payment. Any of these penalties would be bad, but arguably the worst result would be the loss of the college’s good reputation.

The college offers training to faculty, staff and students whose jobs involve dealing with sensitive information. Ask your supervisor if your job involves handling sensitive information. If so, ask for training. Information Security will provide it, just email us at infosec@berry.edu.

Part of securing sensitive data, particularly usernames, passwords, and financial information, is learning to spot phishing emails and other social engineering attempts. Phishing emails are getting more sophisticated every day, and targeted phishing, sometimes called “spear-phishing”, is on the rise. Because so many companies collect and aggregate personal data, and because data breaches expose that data, scammers have more and more information with which to craft convincing, well-targeted emails, and it is getting harder and harder to tell real emails from fraudulent ones. Here is a short list of things to watch out for when evaluating an unexpected email (virtually 100% of phishing emails are unexpected in some way).

  • Misspelled words, poor grammar, odd word choices, and improper punctuation are all signs of a potential phishing email.
  • Emails promising large sums of money or informing you that you won a lottery you didn’t know existed are common ruses; everybody likes more money.
  • Urgent deadlines and threats of losing your account, access to files, late fees, or penalties are all designed to rush you into a bad decision.
  • The government (local, state, or federal) will never send you notice of impending actions via email. If that notice from the IRS about a rebate or, worse, a penalty worries you, check with the agency using a phone number or website you look up yourself, not the contact details in the email.
  • Any request for your username and password, whether by email, phone call, or any other communication channel, is always fraudulent.
  • Phishing emails frequently ask you to click on a link to do everything from “confirm your details” to download a document that has “important information” in it. Don’t follow links in suspect emails. If the phisher got lucky and is impersonating a company you have an account or do business with, go to the site directly in a new browser window (meaning, don’t click the link!), log in, and check your account. If the company has an important message for you, it will be there.

Let’s assume you clicked on a link (reminder – don’t do that). How do you know if the page in your browser that is now requesting your username and password is legitimate?

  • Check the address bar for HTTPS (the padlock). Remember that this only means the connection is encrypted; phishing sites use HTTPS too, so a padlock by itself proves nothing about who runs the page.
  • Check the whole domain in the address bar, not just the start of it. The real site is berry.edu; an address that merely contains “berry” inside a longer or slightly different name is not.
  • Does the page look familiar?
  • Are there typos on the page?
  • Do logos and images look out of place?

In the end, ask yourself these two questions about every email:

  1. Is this email or phone call asking for my password or other login information?
  2. If I clicked on the link (reminder – just don’t) did it bring me to a login page?

If the answer is YES to either question, then there is a good chance you are being phished.
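As an added example, not from the original post, here is a small Python checker that applies the indicators above to a raw email: it compares the sender’s display name with the real sender domain, looks at where replies would actually go, scans the subject and body for pressure phrases and credential requests, and, for every link, checks whether the address you see points at the same host the link really goes to, which is the same check you make by hand on a login page’s address bar. The trusted domain (`TRUSTED_DOMAINS`), the phrase lists, and the two sample messages are all constructed for this example; the lookalike test deliberately treats anything that merely contains “berry” without being berry.edu as suspect.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own domain. Anything that only *looks* like it is suspect.
TRUSTED_DOMAINS = {"berry.edu"}
# Constructed phrase lists based on the indicators in the post (deliberately short).
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended",
                   "action required", "verify your account", "late fee")
CREDENTIAL_PHRASES = ("password", "login details", "confirm your details")


class LinkExtractor(HTMLParser):
    # Collect (href, visible text) pairs from <a> tags in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels (assumption: no suffixes like co.uk)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def looks_like(host, trusted):
    """True when `host` is not `trusted` but borrows its name, e.g. berry.edu.verify.example.net."""
    return registrable(host) != trusted and trusted.split(".")[0] in host.lower()


def analyze(raw_message):
    """Return (tag, detail) findings for one raw email; an empty list means nothing fired."""
    msg = message_from_string(raw_message)
    findings = []
    # Headers: who claims to be sending, and where replies really go.
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and registrable(reply_to.rpartition("@")[2]) != registrable(sender_domain):
        findings.append(("reply-to-mismatch", reply_to))
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in display_name.lower() and registrable(sender_domain) != trusted:
            findings.append(("display-name-impersonation", sender))
        if looks_like(sender_domain, trusted):
            findings.append(("lookalike-sender-domain", sender_domain))
    # Subject and body: pressure language and requests for credentials.
    body = "\n".join(
        part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk() if part.get_content_type() in ("text/plain", "text/html"))
    lowered = (msg.get("Subject", "") + "\n" + body).lower()
    for tag, phrases in (("urgency", URGENCY_PHRASES), ("credential-request", CREDENTIAL_PHRASES)):
        hits = [p for p in phrases if p in lowered]
        if hits:
            findings.append((tag, ", ".join(hits)))
    # Links: the address you see versus the host the link really goes to.
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        target = urlparse(href).hostname or ""
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and registrable(shown.group(1)) != registrable(target):
            findings.append(("link-text-mismatch", f"{shown.group(1)} -> {target}"))
        for trusted in TRUSTED_DOMAINS:
            if looks_like(target, trusted):
                findings.append(("lookalike-link-domain", target))
    return findings


# Constructed samples: a phish that trips every check, and a benign notice that trips none.
PHISHING_SAMPLE = """\
From: "Berry Financial Aid" <aid-notice@mail-berry-edu.com>
Reply-To: collect@example.org
Subject: ACTION REQUIRED: your account will be suspended
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended within 24 hours unless you verify your account.</p>
<p>Sign in at <a href="http://berry.edu.verify-login.example.net/">https://berry.edu/login</a>
with your username and password.</p>
"""
LEGIT_SAMPLE = """\
From: "Office of Information Technology" <computing@berry.edu>
Subject: Wireless network maintenance Saturday

The Berry wireless network will be offline Saturday from 6 to 8 AM. Policies: https://berry.edu/policies/
"""
```

`analyze(PHISHING_SAMPLE)` returns seven findings, one per tag, while `analyze(LEGIT_SAMPLE)` returns an empty list. These are heuristics: a well-written spear-phish trips none of the wording tests, which is why the sender-domain and link checks, and the two questions above, carry the most weight.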

Check these resources to test your eye for spotting phishing emails and fraudulent login pages:

OpenDNS’s Phishing Quiz – This tests your ability to verify correct web addresses

Jigsaw/Google Phishing Quiz – This one is fairly difficult, but explains each phishing clue

Accellis Phishing Quiz – You have to scroll a bit, but it’s a good test

Now let’s talk about protecting your IT (and yourself) by cleaning out your digital file cabinet. Sometimes we “temporarily” store a password for an account in an unsafe way, like in a photo on a smartphone, or even in a text file or note-taking app. Other times we keep records of financial transactions, tax returns, and other sensitive data around for far too long. We keep so much stuff these days that we have no idea what we have anymore. Take time for a quarterly cleaning. Every time the season changes (which I admit is sometimes a moving target here in the South), take time to do the following:

  • Go through the photos on your phone, or sort through them on a laptop or desktop if they are stored in cloud storage service. Get rid of any of those “temporary” pictures you were going to delete anyway. This is also a good opportunity to take a look at what you have captured on your phone’s camera and delete any potentially embarrassing or even incriminating photos. Hey, we’re all human!
  • Sort through your files stored in cloud storage services like iCloud, Google, Dropbox, and others to see if there is anything you don’t need anymore. It’s best to just delete these files, as you generally pay by the gigabyte for cloud storage. If you don’t need it, why keep it, especially if it is sensitive information?

Finally, here is another funny video by Habitu8 about phishing, or, in this instance, “vishing” (phishing via a phone call); more specifically, this type of attack is called, as the title says, a CEO scam. Check it out: CEO Scam by Habitu8. You’ll want to pause the final screen with tips on how to avoid this scam, unless you are a speed reader.

Thanks for reading all of this! Check the site next week for the new NCSAM article and check the site often for breach announcements, current phishing scams, and more.

 

NCSAM Week 2 – Privacy, Safe e-Commerce, What’s Out There About Me?

Welcome to week 2 of National Cyber Security Awareness Month!

This week we will again explore all three aspects of this year’s theme – “Own IT, Secure IT, Protect IT”. Remember, the “IT” stands for “information technology”, and, just like we have to do regular maintenance on our cars or bikes, we have to do regular maintenance on our digital presence.

We talked about safe social media posting last week in relation to “owning” our IT. Let’s continue to talk about social media, but this week we’ll focus on making sure you have checked the privacy settings of all your social media accounts. There are a lot of resources to help you with this; the best ones should be on the specific sites themselves. Go to the support section of all your social media sites and look for information on default privacy settings and make sure you are comfortable with them. If not, change them to suit your comfort level. Beyond the support section of your social media sites, here are a couple of links to more privacy resources:

10 Ways to Protect Your Privacy on Social Media

How To Manage Your Social Media Privacy Settings

Realize that social media sites are continually updating their systems and therefore, some of these tips may no longer be applicable or accurate.

We buy more and more things online these days, from electronics to cars to tonight’s dinner. As part of “securing” our IT, let’s talk about staying safe while using e-commerce sites. Any time you make purchases online, be very careful to provide only as much information as is needed to complete your purchase. Unless you use a particular site almost daily, don’t allow sites to save your credit or debit card info. Data breaches happen every week, and the fewer places your financial information is stored, the better. Always make sure any page on which you submit credit or debit card info (or any sensitive or private info) is secured via HTTPS. Browsers have changed how they display this: until recently there was a green padlock in the address bar; now the padlock is gray, or missing entirely, when the page is secured, and if it is NOT secured the browser should clearly say so (exactly how varies from browser to browser). Keep in mind that HTTPS only means your card number is encrypted on the way to the site; it says nothing about whether the site itself is honest. So, finally, make sure the sites you purchase from are reputable. If you’re not sure, open another tab in your browser and look for reviews. The Internet is great for that! Click here for a resource with more details about shopping securely from the folks at the SANS (SysAdmin, Audit, Network and Security) Institute. This is an OUCH! newsletter, a free resource from SANS you can subscribe to on their site, sans.org.

Finally, to “protect” our IT, go hunting for yourself online sometime. You can do a simple Google search, or use one of the many available resources to see how much of your information is out there. One great resource is Troy Hunt’s Have I Been Pwned website. Enter your email address(es) into its search form and the site will tell you whether your information has appeared in any of hundreds of data breaches going back years. If you are really curious about exactly what is out there, you can use one of a number of people search engines like Spokeo or Pipl. Getting details requires a purchase of some kind on either site, but they can be spookily accurate and precise about who knows what about you.

Now that you have some idea what is out there, how do you get rid of it? Or fix it, if it is inaccurate? If you can pinpoint the source of inaccurate information, you can usually go directly to the site and get help remediating the issue. If not, there are other resources out there to help you with this. Here are a couple:

UnListMy.Info

Privacy Rights Clearinghouse

I hope you found this article informative. If you have any questions about any of this information, please either email me directly at infosec@berry.edu or, if your question is not about sensitive information and you think others might benefit from the answer, you can post your question to the Q&A page of this site. Just click on the “Q&A” in the top menu.

Check the table in Krannert on Thursday for info and goodies and another chance to put your name in the pot for a prize to be awarded on Halloween. Also, please take a moment to read each week’s article as they post.

Here is this week’s video, a funny clip about over-sharing on social media, which would have been more appropriate last week, but I couldn’t not share it with you:

Social Media Privacy by Habitu8, The Security Awareness Video Company

Tune in next week when we talk about data and phishing!

NCSAM Week 1 – Social Media, Passwords, Cyber Hygiene

Welcome to National Cyber Security Awareness Month, also known as NCSAM!

Every week this month we will explore topics around the theme of “Own IT, Secure IT, Protect IT”. That’s not three typos in a row, that’s “IT” as in information technology. We are surrounded by it, in our homes, at work, in stores, and just about anywhere we go. We depend on it, just like we depend on our cars or bikes. That means, just like cars and bikes, we have to take care of it with regular maintenance, and make sure to lock it so it won’t get stolen.

Each week we will briefly explore an idea around each of these aspects of owning, securing and protecting. This week, in relation to “owning” our IT, we want to remind everyone to be careful what they post on social media. Once something is posted, nothing short of an EMP or nuclear war will remove it from the Internet (not that there would be an Internet left after either of those, but you get the point). These days, employers routinely explore prospective employees’ social media posts to get a better idea of the person they are considering hiring. Own your social media by being careful about what you post and also by asking your friends not to include you in potentially derogatory posts.

In the realm of “securing” our IT, please make sure you are using strong, unique passwords for your online accounts. Strong passwords should be long: at least 12 characters, and preferably more. Don’t be so concerned with complexity, because longer passwords are generally better. Don’t use your name, your pet’s name, your phone number, or any other information that might be available online. Don’t reuse passwords between accounts, particularly passwords for financial or other sensitive accounts. If you have a lot of accounts (and honestly, who doesn’t?), consider using a password manager to help you create and “remember” all those strong, unique passwords. You can get more information on strong passwords and password managers at the table in Krannert on Thursday.

Finally, concerning “protecting” our IT, follow good cyber hygiene practices. Just like you have to clean up trash, brush your teeth, and wash your clothes (at least occasionally), you should close out online accounts you don’t use, change your passwords periodically, and delete files you no longer need. You should also always lock your computer if you are stepping away from it (if it is a laptop, better still, keep it with you!), and always use either a PIN or a biometric lock mechanism (fingerprint, face recognition) for your mobile devices, especially your phone. Your phone is the key to so many of your online accounts. Make sure it is secured!

Check the table in Krannert on Thursday for info and goodies and a chance to put your name in the pot for a prize to be awarded on Halloween. Also, please take a moment to read each future week’s article.

Here is this week’s video, an oldie, but goodie about password security. You will have to log in using your email credentials to view the video

Students: https://web.microsoftstream.com/video/2dc735da-b797-4725-a8bc-8f36dee9197a

Faculty/Staff: https://web.microsoftstream.com/video/f9c0bbb0-05ff-46ca-ad67-d6cae6a23b6e