April News from Information Security

Welcome to April and all that it means to this community! April is the month before the end of the semester in May. April means it is getting warmer and it’s time, if you haven’t already, to cycle in a new wardrobe of clothes for the fast-moving weeks at the end of the school year. I want to apologize for the tardiness of this newsletter. I was unavoidably out of work for a week due to problems caused by the massive amount rain we received back on March 25th. I know so many of you wait with bated breath for the first day of the month just to read my newsletter, so I apologize for the delay. </sarcasm>

Continue readingApril News from Information Security”

March News from Information Security

Whew! We made it to March!

While there won’t be some of the typical shenanigans we are used to experiencing in March, like Spring Break (sorry, I had to mention it), there are plenty of things to be aware of. This newsletter may run a little longer than most, as we are “enjoying” the result of a confluence of tax season, potential economic stimulus payments, Zoom meetings, COVID vaccines, plus all the regular stuff. As Maverick from Top Gun would say, this is a “target-rich environment”, except not for potential dates, but for phishing emails.

Continue readingMarch News from Information Security”

February News from Information Security

Welcome to February, the month of Valentine’s Day, Black History Month, World Cancer Day, Abraham Lincoln’s birthday, World Day of Social Justice, and many other international, regional, and country-specific days of remembrance and celebration.

This year it is also the time when a new Virtual Scavenger Hunt is launching, sponsored by Information Security and the Office of Information Technology. If you participated in and enjoyed the Virtual Scavenger Hunt back in October for Cybersecurity Awareness Month, you will love this one. No need to wait a week for the next set of questions-this scavenger hunt can be completed in an afternoon or evening (or morning, if you prefer).

The Scavenger Hunt will kick off on Monday, February 15th, the day after Valentine’s Day, so it is appropriately named the “Post V-Day Virtual Scavenger Hunt”. The hunt will conclude at noon on Friday, February 19th with a drawing that will determine who will win the four available prizes.

Two winners will be drawn from a pool of names made up of anyone who attempts the scavenger hunt. To qualify for that drawing, you only have to attempt the hunt and submit answers to at least the first day of questions, even if those answers are wrong. For the sake of clarity, I am calling these prizes “runner-up” prizes. They will consist of a collection of college,  OIT, and Information Security branded items along with a generous amount of Valentine’s Day candy.

Two prizes I am calling “grand prizes” will be awarded to two lucky people whose names are drawn from a pool of names of those who successfully complete the scavenger hunt. To qualify, you must complete the hunt by finding all the correct answers to the questions, then complete the form at the end of the hunt. The grand prizes will consist of a package including a super cool and vaguely Berry blue Rocketbook Smart Reusable Notebook (8.5″ x 11″) with a Frixion pen and microfiber cloth, seven additional Frixion pens in various colors, and a Rocketbook Pen Station pen holder. This notebook is reusable, eco-friendly and can scan your notes directly to a cloud storage provider like Google Drive, Dropbox, Evernote, OneNote, iCloud and others with the help of an app on your Android or Apple phone. There are lots of available accessories for these notebooks including folio covers, additional pens, and even “Beacons” which will allow you to scan information on a whiteboard  using the same app. Good luck! I will send a reminder about the scavenger hunt on the 15th.

I want to revisit a topic introduced in the January newsletter, which you can read at this link. Our new training platform is ready for use, with several short security awareness courses focusing on single topics like email phishing, other social engineering tactics, data security, passwords, and safe browsing. There is also a longer general security awareness course that incorporates all of these topics, spending substantially less time on each one.

If you would like to have access to this training, just go to the InfoSec News and Alerts site, click on “Latest Posts” in the main menu, then click on the link to the form, which is on the right-hand side of the page. You can also simply click this link to access the form.

If you are depending on Zoom to attend or conduct classes or for work, be sure to check out the Zoom resources provided here for tips and information on how to effectively and safely use Zoom.

If you don’t already have it, multi-factor authentication (MFA) is coming your way. This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. You can request MFA be enabled on your account or wait until you are automatically enrolled in the next few weeks. Make your request by emailing computing@berry.edu to tell them you want MFA!

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. If you are not into social media, you can also subscribe to get updates via email.

You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events will be posted.

Food for Thought

Permanent link to this comic: https://xkcd.com/1016/

Featured Image: Photo by Jason D on Unsplash

Data Breach Notification: Nitro PDF

In September of 2020 there was a breach of the Nitro PDF service. There were 77 million records exposed, which included email addresses, names and passwords for the service.

There were 161 berry.edu or vikings.berry.edu email addresses included in the breach.

To find out if your information is included, you can go to Have I Been Pwned and enter your email address in the search form. While you are there, you can also sign up for breach notifications involving your Berry or other email addresses by clicking on “Notify Me” at the top of any page on the site.

If your information was included, be sure to change your password for the Nitro PDF service. Also, check your settings to make sure they have not been altered.

Be sure to NEVER reuse your Berry email password for any other website or service! Stay vigilant against phishing emails by learning what to look for. Check out the Phishing Quick Info page here on this site at a minimum.

As always, if you have questions about any of this, you can contact Information Security using the information on the right-hand side of any page on this site.

If you haven’t signed up for multi-factor authentication (MFA), you will soon be enrolled by the Office of Information Technology. You can still request this additional security measure so you can set it up on your timeframe, before it is required.. MFA adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and Virtual LunchITS will be posted.

Requests to Opt-In for Text Messaging from MediCat are Real

A large number of users have received emails from Berry College Health Services requesting that they opt-in to receive text messages in order to receive timely updates on our COVID19 response.

These emails are real. The sender is NoReply@medicat.com, which is why the external email banner was applied to the email. Users who want to receive SMS text messages from the Berry College Health Services office can either click the link in the email, or if you are hesitant to click on the link, you can also simply log into myapps.berry.edu, click on the “Health Center Patient Portal”, then follow the instructions in the email, which were:

    • Click on your name at the top right of the screen
    • Select “EDIT PROFILE”
    • Ensure that there is a cell phone number associated with your account and it is accurate
    • Check the box to receive  SMS text messaging
    • Click “SAVE”

If you have any questions about this or other suspicious emails, please contact Information Security by emailing infosec@berry.edu, or calling the office during normal working hours at 706-236-1750, or extension 1750.

 

Featured Image: Photo by Mia Baker on Unsplash

January News from Information Security

Welcome to 2021! Let’s hope it goes better than 2020.

Welcome back to campus. I hope everyone had a good holiday, stayed healthy, and is ready to charge through the spring semester. As you attempt to settle back in, I encourage you to take the time to reacquaint yourself with basic information security awareness.

In the fall, the college acquired a new training platform for security awareness. This content on this platform is authored by some of the foremost security experts on the planet. This group, known as the SANS (SysAdmin, Audit, Network, and Security) Institute, is the largest source for training and security certification in the world. They manage the Internet Storm Center, billed as “the Internet’s early warning system”, along with in-depth training and certification.

The new platform provides us with a rich set of training courses, supplemental materials, and course management options. Use of the platform is open to anyone in the active community of students, faculty, and staff. Courses for basic security awareness take about half an hour to complete, with some courses centered around specific topics such as FERPA, HIPAA, or PCI-DSS compliance taking up to an hour. You can request access to the platform by sending an email to infosec@berry.edu and stating you want access to the security awareness platform, or by filling out the training access form found here.

By choosing to take security awareness training, you can help the college fend off attackers, but equally as importantly, you can learn how to protect yourself, your home networks, your devices, and your various Internet accounts. It has never been more important to be aware of the tactics, techniques, and procedures attackers use to try and gain access to your devices and accounts. With COVID-19 came challenges to how we work, socialize, and live life, but along with those challenges came additional, and more potent attacks by the Internet bad guys. Not a day goes by without some phishing email landing in someone’s email inbox, or a text on a phone, or even a voice call, all attempting to separate you from your money, your accounts, and your peace of mind.

Courses on the platform include general security awareness as well as dedicated courses on phishing, account management, safe browsing, passwords and password managers, and device management. Once you are on the platform, you can choose to complete any or all of these courses.

There are also, as mentioned before, courses that target specific compliance and regulation topics. Some of you may be required to take one or more of these courses as part of your job responsibilities. If so, you will be notified via email and be given ample time to complete the training.

The last thought in relation to this topic is this-in an effort to raise the security awareness of the entire community, we are looking to make security awareness training a regular part of everyone’s routine. The frequency of training is being discussed, but it is likely to be conducted at least annually, if not biannually. This is not designed to torture you, or simply add to your workload, but to help you be vigilant, informed and conscientious in your everyday work. The SANS training starts with a module called “You Are The Shield”, emphasizing your role in being the first line of defense against attacks on the college that attempt to bypass our security technology by attacking you directly, via social engineering. We hope that by regularly providing training to you, you will be the shield.

Don’t forget, if you are not currently using multi-factor authentication (MFA), you will be sometime in the spring semester. We are continuing to roll MFA out to everyone on a schedule, but if you want MFA faster, please email computing@berry.edu and inform them you want MFA enabled on your account. You can find more information about MFA here, and you can find information on how to set up MFA in this document.

If you are depending on Zoom to conduct classes or work, be sure to check out the Zoom resources document provided here for tips and information on how to effectively and safely use Zoom.

Finally, Data Privacy Day is January 28th. Data Privacy Day is an international effort to promote the respect of privacy, safeguard data and enable trust. According to Stay Safe Online, a project of the National CyberSecurity Alliance,

Millions of people are unaware of and uninformed about how their personal information is being used, collected or shared in our digital society. Data Privacy Day aims to inspire dialogue and empower individuals and companies to take action.

What action? The first and foremost goal is to manage your privacy and security settings for all your accounts. This page, on the staysafeonline.org site shows you how to manage your settings on many popular devices, accounts, and services. Go there first to secure your accounts and devices, then share the link with your family and friends so they can do the same.

As you are securing your accounts, if you notice any settings that you feel should be different or default to safer values, let that website or service know. There is little incentive for these companies to change their practices if no one complains about them. There should be a contact form on most sites, but if not, sending to support@whatever.site will usually get your feedback to the right place. Be sure to use the correct site address, i.e. support@facebook.com for Facebook.

Also on Data Privacy Day, which is a Thursday, I will be offering a lunchtime training event via Zoom which will cover passwords and password managers. Having a strong and unique password for every account you have is the first step in securing your data and making sure it stays private. You can sign up for the class by going to the Events calendar on this site and clicking on the event on January 28th. There will be a sign up/RSVP (Going) button once you open the event.

Look for a new Virtual Scavenger Hunt in February. It will run the week leading up to Valentine’s Day. The grand prize will be…somewhat Valentine’s Day themed. More details in the February newsletter.

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me.

 

Food for Thought

Featured Image: Photo by Waldemar Brandt on Unsplash

Cartoon courtesy of XKCD.com

Permalink for cartoon https://xkcd.com/2391/

December News from Information Security

Welcome to one of the strangest Decembers we’ve ever had here at Berry. It is certainly the strangest of my 30 years here. The students are gone, but not done. Finals loom for some of them, then almost two full months of no school. What will we do in the silence?

I’m sure we all have different answers to that question, so I’ll leave it hanging rhetorically.

This newsletter will be a little different from previous ones. We’ll be focusing on a minimal number of topics, but for one in particular I will ask for a couple of extra minutes of reading time from you.

If you have perused this site much you will know that I post breach and data exposure announcements here periodically, usually when they affect a good number of the community. If you’ve been unlucky enough to be impacted by a breach, you may have received an email from me explaining what data was exposed and what you should do about it.

A recent notification came to me, announcing that 189 emails belonging to Berry community members had information exposed, specifically passwords. Most breaches affect no more than a couple dozen Berry email addresses and when I get the notices I will sort through them, compose an email and send it out to those affected. This number of emails was larger, but still manageable. Then I read further into the announcement. Those 189 emails were scattered across more than 23,000 potential websites and services. The data did not include enough information to determine which email address went with what service or website.

The bottom line is, 189 Berry community members, who could be faculty, staff, students, alumni, or even retirees, have had a password for some service exposed. You can find out if you were one of these 189 by going to the Have I Been Pwned website and putting in your Berry email address in the search form.

You may find that in addition to this massive exposure notification containing 226 million unique emails, named Cit0day, you may have had information related to your Berry email address exposed by other data breaches. I encourage you to not only check your Berry email, but your personal email accounts as well, and those of your family if you are so inclined. I also strongly encourage you to sign up for notifications from Have I Been Pwned. The link (Notify Me) is at the top of the main page there. It is free and if your email address shows up in a data breach, you’ll get an email notification directly from Have I Been Pwned giving you as much information about the breach as is available.

The important question, once you determine that you are indeed affected by a data breach is this – What do I do now?

Generally, I will suggest you change your password for the service or website that experienced the breach, check that your account information is correct, and if financial data was involved, to closely monitor your bank account and credit card accounts. In the case of the Cit0day notification, you will have no idea which of your twenty to one hundred or more accounts has been affected. What do you do then?

The “nuke the site from orbit” approach would be to reset the password on EVERY account you have. Do you even know all of your accounts? Who hasn’t signed up on a site for a specific purpose, never to return? What data might you have had to give up to create that account? Did it include a credit/debit card number or bank account number?

The real question to ask at this time, if you are affected by the Cit0day announcement is – Did I reuse the password for this account, whatever account it was? Realizing, again, that there is no way to tell what specific service or website exposed the password.

That question leads to the next – How many other accounts are now vulnerable because I reused this exposed password? The scary part is, you don’t have an answer to this question, because you don’t know what account is compromised.

Which leads to the most important question in this article – Why are you not using a password manager to create a unique password for EVERY account, service, and website you use?  Yes, it takes time to set it up.  For some, time is money, right? How much does thirty minutes cost you? The entire amount in your bank account? Unlikely. The maximum amount on your credit line? Probably not.

If you had used a password manager to create a unique password for your account on whichever site among the 23,000 possible  ones that were affected , the potential damage to you would have been limited to that one site. If you reused a password, or worse, use the same password for everything, then the damage could be much greater.

Please, if you are not using a password manager now to manage your accounts, start using one. I’ve written on the subject multiple times here in the monthly newsletter and during Cybersecurity Awareness Months, both this year and in years past (all of which are available from the main menu of this site).

Take a few minutes and visit the links below. Check out the flyer linked at the Quick Info page for some password managers. If you don’t want to follow links,  just type “best password manager” into your favorite search engine. There are password managers for all platforms (Windows, macOS, Linux, Android, iOS, web browsers), needs, and budgets.

Quick Info page on Password Managers

In-depth knowledge article on password managers on this site

Why you need a password manager flyer (PDF)

Two-sided password flyer linked in the Quick Info page above (PDF)

Good password policies flyer with a paragraph at the bottom about password managers (PDF) Don’t try to use the link at the bottom, it is broken.

Because the link in the above PDF is broken, here is a link to a great article on password managers-the good, the bad, the ugly, and the beautiful. My apologies for the pop-up ads, but the article is worth the annoyance. If you read nothing else, read this article.

Whew! That was password managers. The next and final item I want to emphasize in this newsletter is multifactor authentication (MFA). MFA is coming to all accounts at Berry – faculty, staff, and students. With some personnel issues that have come up, the rollout may be delayed a bit, but it is still coming.

Again, I have written about this multiple times over the course of maintaining this site. There is a Quick Info page on MFA for the impatient, or you can go read the instructions for setting up MFA here on the main Berry website. If you are still unclear about why we are requiring this, check out this FAQ article, also on the main Berry website.

You can still request MFA for your account by emailing computing@berry.edu.

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets.

Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me.

Food for Thought

 

Featured Image: Photo by Science in HD on Unsplash