Welcome to week 3 of Cybersecurity Awareness Month!
You can head over to the VSH start page using the link at the bottom of the article, but hang here for a little longer to read about the main topics.
Those main topics are phishing and what the Office of Information Technology (OIT) is doing to combat it, and securing Internet-connected devices in healthcare. While this second topic doesn’t seem appropriate, as Berry is a college, not a hospital, we will specifically talk about the many different healthcare devices that are available to consumers, from smart watches and athletic trackers to insulin pumps and smart asthma monitors.
Phishing And The Phish Alert Button
Before we talk about all those incredible Internet of Things (IoT) devices, let’s return to discussing phishing. If you read last week’s article, you’ll remember that there was a quick blurb at the end talking about the importance of detecting and reporting phishing emails you receive.
The first step, of course, is to detect a phishing attempt. How do you do that? What’s the secret to knowing that an email is a phishing attempt? Here’s some items to check in an email to make sure you don’t get hooked.
- Make sure the “From” address matches the purported sender. For example, if an email claims to be from Amazon, but the “From” address is from some account at a Gmail address, it’s probably a phishing attempt
- If the greeting is generic, as in “Dear Customer” or “Dear Sir/Madam”, there’s a good chance it is a phishing attempt. Legitimate emails from companies you do business with will seldom start this way. They will either have no greeting, or the greeting will address you by name. Also beware of greetings (and subjects) that refer to you by your email username. These are most likely phishing emails as well
- Poor grammar and spelling. No legitimate company will send out email with poor grammar or spelling. It would reflect poorly on them.
- Urgency is another warning sign. Emails that require “immediate attention” or warn of dire consequences if you don’t act quickly are most likely phishing attempts.
- Links and attachments are both signs that an email is a phishing attempt. Even if you are expecting an attachment from someone, it can be a good idea to simply confirm with them via phone or other method that they sent it.
- Lotteries, donations, investment opportunities, get rick quick schemes, unsolicited job opportunities and inheritances from people you don’t know are almost always too good to be true.
If you would like to see real examples of phishing emails, you can visit the Berry College Phishbowl, located here on the InfoSec News and Alerts site.
If you receive a phishing email, even if you are not 100% sure, report it. If it is not a phishing email, you’ll get a reply explaining why it is not. To help OIT combat phishing, please report these phishing attempts using the “Report Email as Phishing” button, which is available in the mail.berry.edu webmail interface and on mobile versions of Outlook, as well as the traditional Outlook client on PCs and Macs. In Outlook, it should appear in the ribbon menu as an open envelope with an orange hook. On the web and mobile, you will find the button under the “three dots” menu in the top right corner of the window when you open an email.
It’s very important to report these emails using the button and not to simply forward them to Information Security or delete them, as this allows us to take action on these emails to protect the community. OIT has invested in a system to be able to mitigate phishing emails, but its effectiveness relies on you reporting phishing attempts. So report all the ones you receive to help us protect you.
IMPORTANT OPPORTUNITY ALERT!!!
If you want to learn more about how to spot phishing emails, there is a Virtual LunchITS scheduled for October 22nd at noon. It will be held over Zoom, will last under an hour and will give you a definite edge in spotting phishing emails. I encourage you to sign up to attend. You can do that right in the event. Just click on it in the Event calendar on the InfoSec News and Alerts site and fill out an RSVP. There is no cost, but to make the Zoom meeting secure, you must request access to the LunchITS so I can send you the course resources and the meeting link and password.
Securing Internet-Connected Devices in Healthcare
Everything can be connected these days, from smart watches, like the Apple Watch, to dedicated fitness trackers like FitBits, to shoes like Under Armour’s HOVR running shoes. Healthcare devices are prime candidates for connecting to the network, as they can produce historical data that can be used to make health decisions, or can be controlled remotely with a smartphone app. Once they are connected, they are targets, just as we mentioned last week about IoT devices on your home.
How can we make sure that these devices are securely connected? Here are some tips to help you make a secure connection with your “healthy” devices.
- Choose well-known, reputable brands that won’t disappear on you after you purchase the product.
- Make sure you follow the vendor-provided instructions for connecting it to the network.
- Once it is connected to the network, make sure you update the device to the latest version of the software or firmware running on it.
- Be sure to continue to update the device, or, if it is capable, set it to auto-update when updates are available.
- Keep track of your devices, particularly those that collect data about you and your activities, like smart watches and fitness trackers.
Those of you who have consumer medical devices like insulin pumps, continuous glucose monitors, pacemakers, asthma monitors or inhalers and other devices that can potentially disrupt your health should be extra careful in following the tips above. Most of these devices have online communities and vendor supplied resources that can help you stay aware of any potential issues with your particular device. If you’re not connected to any resources like this, use your favorite search engine and see what’s out there.
One more thing before we get to the VSH clues…you will soon be receiving, or may have already received, an email informing you of when multi-factor authentication (MFA) will be enabled on your account. Don’t delete these emails or report them as phishing! They are real. The emails will provide you with resources about how to set up MFA. If you want to have MFA enabled on your account before your appointed date, email email@example.com and let them know you want MFA.