May News from Information Security

Welcome to May!

This is a very busy time of year. As a class exits the college, many staff and faculty are concerning themselves with the new class coming in August. Others are preparing for summer projects and events. In the middle of this barely-controlled chaos, it would seem to be a bad idea to introduce something new to the community, but the Department of Information Security is undaunted.

Let’s talk about multi-factor or two-factor authentication. Multi-factor and two-factor authentication are terms for the same security measure – the requirement of more than just a username and password to access an account.

Weak and reused passwords are a common entry point for criminals to access your accounts, computers, and ultimately, even the college network. The goal of multi-factor (MFA) or two-factor (2FA) authentication is to make these weak and reused passwords useless to others.

Were you tricked into revealing your password through a phishing scam? Rest easy, your account is safe…if you are using MFA/2FA! That’s the control that multi-factor authentication—also known as two-step verification or login approval—gives to you. And, it only takes about two minutes to set up and two seconds to use. That’s a lot of power for very little effort!

  • How does it work? Once you’ve activated two-factor authentication on an account, whenever an account login with your password is submitted, an authorization check will come to your smartphone or other registered device. Without your approval or current code, a password thief can’t get into your account.
  • How do I get MFA for my accounts? MFA is available now for your college Office 365 account (email, OneDrive, applications, etc.). You just have to request it by emailing computing@berry.edu. It is available for many other accounts, for example Google, many social networks, iCloud and more. Each of these services handles the setup differently. Check out https://lockdownyourlogin.org for more information about specific sites.
  • Is it difficult to set up and use? MFA is not difficult to set up, but requires a few steps. Using it typically requires only one more step after entering your username and password. You’ll install a mobile security app on your smartphone and use that to handle the authorization checks for accounts, or you could use the text/phone call method if you can’t install a mobile app. For international travelers, some mobile apps also generate a code so that a data or cellular service connection isn’t required for this second step.
  • Can I adjust frequency of the MFA checks? This capability varies between different services, but in many cases, yes, although some accounts may require the verification for specific transactions or functions. You may want to have the extra verification every time you log in (e.g., personal website administration), or you might be comfortable requesting the verification only when an access attempt comes from a computer/device other than the one you originally permitted when you set up MFA—such as a personal email account you typically only check from one laptop and one smartphone.
  • Which accounts should I protect with MFA? Why wouldn’t you protect all of them where it’s available? But, start with those that are most critical to your identity and livelihood. Here are some suggestions:
    • Email accounts: “Forgot password” reset requests typically send instructions and links here, so protect this account to make sure you keep control of resetting your account passwords!
    • Financial accounts: Protect your money!
    • Social media accounts and website management accounts: Protect your reputation and/or brand!
    • Online shopping accounts: Protect usage of your stored credit card information!
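The offline code option mentioned above (an authenticator app that produces a code with no data or cellular connection) is the TOTP scheme of RFC 6238, built on HOTP from RFC 4226. This added Python example is not part of the original newsletter; it shows the app side (deriving the code from the shared secret and the clock) and the server side (accepting a small clock-drift window, comparing in constant time, and refusing a code that was already redeemed). The secret is the published RFC test vector, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference test secret (ASCII "12345678901234567890" in base32).
# This is a published test vector, not a real account secret.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of `step`-second intervals since the
    Unix epoch. The phone app and the server both compute this from the shared secret and
    their own clock, which is why no network connection is needed to produce the code."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, int(at_time) // step)


class TotpVerifier:
    """Minimal server-side verifier. Accepts the current step and +/- `window` neighbouring
    steps to tolerate clock drift, compares in constant time, and never accepts a code for a
    step at or before the last accepted one, so a code captured by a phisher cannot be
    replayed after the victim has already used it."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = STEP_SECONDS):
        self.secret = base64.b32decode(secret_b32.upper())
        self.window = window
        self.step = step
        self.last_accepted_counter = -1

    def verify(self, submitted: str, at_time: float) -> bool:
        if not (submitted.isascii() and submitted.isdigit()):
            return False  # compare_digest needs ASCII; a code is digits only anyway
        now_counter = int(at_time) // self.step
        for counter in range(now_counter - self.window, now_counter + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue  # that step's code was already redeemed (or is older than one that was)
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_TEST_SECRET_B32, now)       # what the app would display right now
    server = TotpVerifier(RFC_TEST_SECRET_B32)
    print("code:", code, "first use accepted:", server.verify(code, now),
          "replay accepted:", server.verify(code, now))
```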

The college will begin requiring MFA for all users in the next few months. Avoid the rush and volunteer to have MFA enabled on your account this summer. You will have access to an IT staff member or student worker to help you set it up. Just email computing@berry.edu and request MFA for your account.

Check out this video for more information about MFA!

What is Two-Factor Authentication?

Stay tuned, there are more upcoming Information Security events this summer!

April News from Information Security

The topic for April is other types of scams used to manipulate people, in addition to the typical phishing emails.

Cybercriminals use social engineering—manipulating people into doing what they want—as the most common way to steal information and money. Social engineering is at the heart of all types of phishing attacks—those conducted via email, SMS, and phone calls. Technology makes these sorts of attacks easy and very low risk for the attacker. Make sure you’re on the lookout for these variants on the traditional, mass emailed phishing attack we’ve come to know so well over the past few weeks:

  • Spear phishing: This kind of attack often involves very well-crafted messages that appear to come from a trusted VIP source, usually in a hurry, targeting those who can conduct financial transactions on behalf of your organization (sometimes called “whaling”). These attacks are planned in advance by examining the organization’s website and gathering as much information about the organization structure as possible, to find people likely able to authorize financial transactions.
  • SMiShing: Literally, phishing attacks via SMS, these scams attempt to trick users into supplying information or clicking on links in SMS messages on their mobile devices. Flaws in how caller ID and phone number verification work make this an increasingly popular attack that is hard to stop.
  • Vishing: Voice phishing, these are calls from attackers claiming to be government agencies such as the IRS, software vendors like Microsoft, or services offering to help with benefits or credit card rates. Attackers will often appear to be calling from a local number close to yours. As with SMiShing, flaws in how caller ID and phone number verification work make this a dangerous attack vector.
    • One particularly prominent version of a vishing attack involves a call, from a number that looks local, where a recorded voice will claim to be in “their employment office” on “a recorded line”. The “on a recorded line” part is a major red flag. The next question is usually some variation of “Can you hear me?”. This is the second major red flag. There is much discussion as to what happens if you simply answer “yes” to this question. Some say that the scammers will use that recorded “yes” to claim you authorized charges against your credit card, cellular phone bill, or other account. Others say it doesn’t matter and the next thing that will happen is you will be bombarded with offers for all kinds of products and services, the “yes” being an acknowledgement that it is OK for you to receive these offers. Either way, it’s best to simply hang up and, for good measure, block the number or, if your carrier and phone allow, report the call.

No matter the medium, follow these techniques to help prevent getting tricked by these social engineering attacks:

  • Don’t react to scare tactics: All of these attacks depend on scaring the recipient, such as with a lawsuit, that their computer is full of viruses, or that they might miss out on a chance at a great interest rate. Don’t fall for it!
  • Verify contacts independently: Financial transactions should always follow a defined set of procedures, which includes a way to verify legitimacy outside email or an inbound phone call. Legitimate companies and service providers will give you a real business address and a way for you to contact them back, which you can independently verify on a company website, support line, etc. Don’t trust people who contact you out of the blue claiming to represent your company. If you have any doubt about an email, go to the company website directly; don’t click on links in the email! If there is an issue with your bank or other service, there will be a way to verify that, either via internal messaging on the website or a phone number, again, NOT the number in the message! Find the number on the company website, reached by typing its address directly into your browser.
  • Know the signs: Does the message/phone call start with vague information, a generic company name like “card services,” an urgent request, and/or an offer that seems impossibly good? Hang up or click that delete button!

The content above is provided by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council.

Be on the lookout for new security awareness posters in the residence halls and other locations on campus in April. There will be a table in Krannert toward the end of the month. There will be another chance to win a prize at the table in Krannert.

March News from Information Security

March is here! Spring Break can’t be far away. This month we are focusing on protecting your rights as a consumer. We are all consumers at some point and we should take proactive steps to make sure we are making good financial decisions and setting ourselves up to be able to recover from identity theft.

This article is posted today so that you can read it before National Consumer Protection Week (March 3-9) begins. This week is dedicated to helping consumers know their rights and make well-informed decisions about their finances. Check out the FTC site linked above for more information.

Identity theft has become a fact of life during the past decade. If you are reading this, it is a safe bet that your data has been breached in at least one incident. Does that mean we are all helpless? Thankfully, no. There is a lot we can do to protect ourselves from identity theft and to make recovery from cyber incidents quicker and less painful.

First, take control of your credit reports. Examine your own report at each of the “big three” bureaus. You get one free report from each credit bureau once per year. You can request them by going to AnnualCreditReport.com. Make sure there’s nothing inaccurate in those reports, and file for correction if needed. Then initiate a credit freeze at each of those plus two other smaller ones. Instructions can be found at Krebs on Security. To keep an eye on your credit report all year, space out your credit bureau requests by requesting a report from a different credit bureau every four months.

Next, practice good digital hygiene. Just as you lock your front door when you leave home and your car when you park it, make sure your digital world is secured. This means:

  1. Keep your operating system up to date. When OS updates are released, they fix errors in the code that could let the bad guys in. Be sure to update. It takes a few minutes, but could protect you from serious financial harm.
  2. Do the same for the application software you use. Web browsers, plug-ins, email clients, office software, antivirus/antimalware, and every other type of software has flaws. When those flaws are fixed, you are in a race to install that fix before someone uses the flaw against you. The vast majority of hacks leverage vulnerabilities that have a fix already available.
  3. Engage your brain. Think before you click. Think before you disclose personal information in a web form or over the phone.
  4. Think before you share on social media sites. Some of those fun-to-share-with-your-friends quizzes and games ask questions that have a disturbing similarity to “security questions” that can be used to recover your account. Do you want the answers to your security questions to be published to the world?
  5. Use a password manager and keep a strong, unique password for every site or service you use. That way a breach on one site won’t open you up to fraud at other sites. See the article posted right here on this website about password managers.
  6. Back. It. Up. What do you do if you are hit with a ransomware attack? (Or a disk failure?) If you have a recent off-line backup, your data are safe, and you can recover without even thinking about paying a ransom. Check into cloud storage like Dropbox and OneDrive and backup options like iDrive, Acronis, and Carbonite.
  7. Full disk encryption is your friend. If your device is stolen, it will be a lot harder for a thief to access your data, which means you can sleep at night. This is available in both Windows and MacOS operating systems and almost all smartphones.
  8. Check all your accounts statements regularly. Paperless statements are convenient in the digital age. But it is easy to forget to check infrequently used accounts. Make a recurring calendar reminder to check every account for activity that you don’t recognize.
  9. Manage those old-style paper statements. Don’t just throw them in the trash or the recycle bin. Shred them with a cross-cut shredder. Or burn them. Or do both. Data stolen from a dumpster are just as useful as data stolen from a website.

If you’ve been a victim of identity theft:

  • Create an Identity Theft Report by filing a complaint with the Federal Trade Commission online (or call 1-877-438-4338).
  • Use the Identity Theft Report to file a police report. Make sure you keep a copy of the police report in a safe place.
  • Flag your credit reports by contacting the fraud departments of any one of the three major credit bureaus: Equifax (800-685-1111); TransUnion (888-909-8872); or Experian (888-397-3742).

Set aside some time in March to manage your financial accounts and take precautions like those listed above.

For more information check out the FTC video “Five Ways to Help Protect Your Identity”

The content above is provided by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council.

Be on the lookout for new security awareness posters in the residence halls and other locations on campus. There will be a table in Krannert toward the end of the month, after Spring Break. There will be two more chances to win a prize, one related to the posters and another at the table in Krannert.

Below is a list of useful resources, including some mentioned above.

February News from Information Security

It’s February already! Classes are in full swing and Spring Break can’t get here fast enough! This month we are focusing on good use and management of social networks and social media. The content below is based on information provided by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council.

Our social networks tell a story about us. You want to make sure that the story your social media tells about you is a good one. As articulated in a blog from the Digital Marketing Institute: “Sharing online allows you to craft an online persona that reflects your personal values and professional skills. Even if you only use social media occasionally, the content you create, share, or react to feeds into this public narrative. How you conduct yourself online is now just as important as your behavior offline.”

A positive online reputation is vital in today’s digital world. Like it or not, your information is out there. What you can do is help to control it and what it says about you.

Social media is so ingrained in our society that almost everyone is connected to it in some form. With every social media account you sign up for, every picture you share, and every post you make, you are sharing information about yourself with not only your friends and family but the entire digital world. How can you make sure your information and reputation stay safe online? Here are a few easy steps to get you started.

  • Keep it clean and positive. Be entirely sure about what you’re posting. Make sure to post content that you feel positively reflects you, your creativity, your values, and your skills. Rest assured that future employers will look at your social media accounts before hiring you. Questionable content can leave a bad impression; this can include pictures, videos, or even opinions that make you seem unprofessional or mean and may end up damaging your reputation. This applies not only to your site, but to your digital friends’ sites. If a friend wants to post a photo or video including you and you feel it is inappropriate, don’t be afraid to speak up and ask them not to post it. If they post it anyway, ask them to take it down. If they won’t, find better friends. Always think before you post or share negative or inappropriate content. Use the 24-hour rule before posting, allowing yourself 24 hours before posting any content that may be questionable to give yourself time to reflect on whether it is a good idea.
  • Oversharing and geotagging. Never click and tell. It can seem like everyone posts personal information on social media all the time, including where they are and where they live. As noted on the DHS.gov site: “What many people don’t realize is that these seemingly random details are all criminals need to know to target you, your loved ones, and even your physical belongings—online and in the real world. Avoid posting names, phone numbers, addresses, school and work locations, and other sensitive information (whether it’s in the text or in the photo you took). Disable geotagging, which allows anyone to see where you are—and where you aren’t—at any given time.” If you really want to post that picture of your friends at brunch, consider following the concept of #latergram and post your content at a later time than when it actually happened. It is a win-win. You get to share your experience and at the same time still maintain the privacy of your location in real time.
  • Don’t rely on privacy settings. You have a private social media account so you can post anything you want? Nope. Privacy settings make it harder to see your full account, but it’s not impossible. Also, there is always the chance that one of the people with access to your private account could screenshot and share the content. Make sure to keep your social media apps up to date and check the privacy settings frequently. Under no circumstances should you rely on privacy settings to shield inappropriate content. If there is any question that the content is inappropriate, don’t post it.
  • Make sure you’re professional. Keep it classy! Every post is a reflection of you. Your social media accounts allow you to put your best foot forward or stumble if you aren’t careful. A positive social media presence can help create both personal and professional opportunities. Promote your personal brand or what you want people to think of you. And, your high school English teacher was correct—proper spelling and grammar are always a plus.
  • Control your content. Claim your identity on social media. Set up social media accounts and keep the profiles current. You don’t have to join every platform; a few key ones will do. You can also look into apps that will cross post the content to all of your social media accounts, freeing up some of your valuable time. Use your accounts to engage professionally and personally in a positive way. Your social media accounts should tell the story of you that you want employers and others to see. Google your own name on a regular basis to make sure that the information out there is accurate. If you find incorrect information online, request that the website update it or take it down.

If you follow these few simple recommendations, you are on your way to safely building a positive online reputation. Using social media positively doesn’t mean you can’t have fun and use it to express yourself; however, you want to ensure that you’re okay with anyone seeing everything you post. Once you post something online, it’s out there forever. There’s no “delete” button on the Internet!

Take a few minutes to view this video about securing your LinkedIn account (This link is for students only. You will need to log in with your Vikings email credentials.)

If you are a faculty or staff member, please click here to view the LinkedIn video. You will also have to log in with your Office365 email credentials.

Don’t have a LinkedIn account? You should! Go get one now! LinkedIn

Have a great February and be on the lookout for the new security awareness posters in the residence halls and offices. There will be a table in Krannert again this month and we will again have goodies of both the flavorful and informational variety.

January News from Information Security

Welcome to January, a new year, and a new semester of college!

This post is the first of a monthly series that will explore topics related to information security with practical tips, current trends in spam and phishing, and updates on the state of security and privacy. The content is based on information provided by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council.

January 28 is Data Privacy Day. Data privacy for you personally means reviewing privacy settings on social media, being mindful of entering data into websites, and taking ownership of your online identity. Data privacy for you professionally extends these principles to caring for other people’s data, from collection, processing, sharing, and storing to destruction.

Please take a moment to read the information below about data privacy and how you should carefully curate your online presence and how the college strives to protect the data we collect about you.


The internet is full of data about you. Whenever you play a game, shop, browse websites, or use any of numerous apps, your activity and some of your personal information may be collected and shared.

Similarly, the business of higher education requires us to collect, process, and store the digital information of others. Whenever we handle such information, we need to think about how we want our own information treated and treat other people’s data with the same care and respect.

Protect yourself by following these tips:

  • Know what you are sharing. Check the privacy settings on all of your social media accounts; some even include a wizard to walk you through the settings. Always be cautious about what you post publicly.
  • Guard your date of birth and telephone number. These are key pieces of information used for identity and account verification, and you should not share them publicly. If an online service or site asks you to share this critical information, consider whether it is important enough to warrant it.
  • Keep your work and personal presences separate. Your employer has the right to access your email account, so you should use an outside service for private emails. This also helps you ensure uninterrupted access to your private email and other services if you switch employers.

Protect the information, identity, and privacy of others by following these tips:

  • Know what resources are available at your institution. Colleges and universities might employ individuals with some of the following titles and responsibilities: compliance officer, who can help you navigate the laws and regulations that govern how your institution handles constituents’ personal data and what safeguards need to be implemented to ensure the data stay secure; data privacy officer, who can answer questions about how your institution protects the privacy of both your data and constituents’ data; and a (chief) information security officer, who can answer questions about information security best practices and the technologies available to protect online identity and the personal data of constituents.
  • Know what policies are in place at your institution. A privacy policy governs how the institution collects, processes, stores, and deletes the personal data of constituents; a data classification policy governs how the institution organizes the data it interacts with and what rules are in place for processing it; and an information security policy articulates how the institution governs and prioritizes information security activities.
  • Keep constituents’ personal information confidential and limit access to the data.
  • Only use data for its intended purpose. If you need to use data for another reason, always check relevant resources and policies first for guidance.
  • Destroy or de-identify private information when you no longer need it.

Take a look at this short video about The Internet of Me and Privacy.

If you are curious how much data about you is out there, check out this site: Have I Been Pwned?

Have a great January and be on the lookout for the new security awareness posters in the residence halls and offices and watch for events on campus related to information security and privacy. There will be a table in Krannert this month and we will have goodies of both the flavorful and informational variety.