February News from Information Security

Welcome to February, the month of Valentine’s Day, Black History Month, World Cancer Day, Abraham Lincoln’s birthday, World Day of Social Justice, and many other international, regional, and country-specific days of remembrance and celebration.

This year it is also the time when a new Virtual Scavenger Hunt is launching, sponsored by Information Security and the Office of Information Technology. If you participated in and enjoyed the Virtual Scavenger Hunt back in October for Cybersecurity Awareness Month, you will love this one. No need to wait a week for the next set of questions-this scavenger hunt can be completed in an afternoon or evening (or morning, if you prefer).

The Scavenger Hunt will kick off on Monday, February 15th, the day after Valentine’s Day, so it is appropriately named the “Post V-Day Virtual Scavenger Hunt”. The hunt will conclude at noon on Friday, February 19th with a drawing that will determine who will win the four available prizes.

Two winners will be drawn from a pool of names made up of anyone who attempts the scavenger hunt. To qualify for that drawing, you only have to attempt the hunt and submit answers to at least the first day of questions, even if those answers are wrong. For the sake of clarity, I am calling these prizes “runner-up” prizes. They will consist of a collection of college,  OIT, and Information Security branded items along with a generous amount of Valentine’s Day candy.

Two prizes I am calling “grand prizes” will be awarded to two lucky people whose names are drawn from a pool of names of those who successfully complete the scavenger hunt. To qualify, you must complete the hunt by finding all the correct answers to the questions, then complete the form at the end of the hunt. The grand prizes will consist of a package including a super cool and vaguely Berry blue Rocketbook Smart Reusable Notebook (8.5″ x 11″) with a Frixion pen and microfiber cloth, seven additional Frixion pens in various colors, and a Rocketbook Pen Station pen holder. This notebook is reusable, eco-friendly and can scan your notes directly to a cloud storage provider like Google Drive, Dropbox, Evernote, OneNote, iCloud and others with the help of an app on your Android or Apple phone. There are lots of available accessories for these notebooks including folio covers, additional pens, and even “Beacons” which will allow you to scan information on a whiteboard  using the same app. Good luck! I will send a reminder about the scavenger hunt on the 15th.

I want to revisit a topic introduced in the January newsletter, which you can read at this link. Our new training platform is ready for use, with several short security awareness courses focusing on single topics like email phishing, other social engineering tactics, data security, passwords, and safe browsing. There is also a longer general security awareness course that incorporates all of these topics, spending substantially less time on each one.

If you would like to have access to this training, just go to the InfoSec News and Alerts site, click on “Latest Posts” in the main menu, then click on the link to the form, which is on the right-hand side of the page. You can also simply click this link to access the form.

If you are depending on Zoom to attend or conduct classes or for work, be sure to check out the Zoom resources provided here for tips and information on how to effectively and safely use Zoom.

If you don’t already have it, multi-factor authentication (MFA) is coming your way. This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. You can request MFA be enabled on your account or wait until you are automatically enrolled in the next few weeks. Make your request by emailing computing@berry.edu to tell them you want MFA!

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. If you are not into social media, you can also subscribe to get updates via email.

You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events will be posted.

Food for Thought

Permanent link to this comic: https://xkcd.com/1016/

Featured Image: Photo by Jason D on Unsplash

January News from Information Security

Welcome to 2021! Let’s hope it goes better than 2020.

Welcome back to campus. I hope everyone had a good holiday, stayed healthy, and is ready to charge through the spring semester. As you attempt to settle back in, I encourage you to take the time to reacquaint yourself with basic information security awareness.

In the fall, the college acquired a new training platform for security awareness. This content on this platform is authored by some of the foremost security experts on the planet. This group, known as the SANS (SysAdmin, Audit, Network, and Security) Institute, is the largest source for training and security certification in the world. They manage the Internet Storm Center, billed as “the Internet’s early warning system”, along with in-depth training and certification.

The new platform provides us with a rich set of training courses, supplemental materials, and course management options. Use of the platform is open to anyone in the active community of students, faculty, and staff. Courses for basic security awareness take about half an hour to complete, with some courses centered around specific topics such as FERPA, HIPAA, or PCI-DSS compliance taking up to an hour. You can request access to the platform by sending an email to infosec@berry.edu and stating you want access to the security awareness platform, or by filling out the training access form found here.

By choosing to take security awareness training, you can help the college fend off attackers, but equally as importantly, you can learn how to protect yourself, your home networks, your devices, and your various Internet accounts. It has never been more important to be aware of the tactics, techniques, and procedures attackers use to try and gain access to your devices and accounts. With COVID-19 came challenges to how we work, socialize, and live life, but along with those challenges came additional, and more potent attacks by the Internet bad guys. Not a day goes by without some phishing email landing in someone’s email inbox, or a text on a phone, or even a voice call, all attempting to separate you from your money, your accounts, and your peace of mind.

Courses on the platform include general security awareness as well as dedicated courses on phishing, account management, safe browsing, passwords and password managers, and device management. Once you are on the platform, you can choose to complete any or all of these courses.

There are also, as mentioned before, courses that target specific compliance and regulation topics. Some of you may be required to take one or more of these courses as part of your job responsibilities. If so, you will be notified via email and be given ample time to complete the training.

The last thought in relation to this topic is this-in an effort to raise the security awareness of the entire community, we are looking to make security awareness training a regular part of everyone’s routine. The frequency of training is being discussed, but it is likely to be conducted at least annually, if not biannually. This is not designed to torture you, or simply add to your workload, but to help you be vigilant, informed and conscientious in your everyday work. The SANS training starts with a module called “You Are The Shield”, emphasizing your role in being the first line of defense against attacks on the college that attempt to bypass our security technology by attacking you directly, via social engineering. We hope that by regularly providing training to you, you will be the shield.

Don’t forget, if you are not currently using multi-factor authentication (MFA), you will be sometime in the spring semester. We are continuing to roll MFA out to everyone on a schedule, but if you want MFA faster, please email computing@berry.edu and inform them you want MFA enabled on your account. You can find more information about MFA here, and you can find information on how to set up MFA in this document.

If you are depending on Zoom to conduct classes or work, be sure to check out the Zoom resources document provided here for tips and information on how to effectively and safely use Zoom.

Finally, Data Privacy Day is January 28th. Data Privacy Day is an international effort to promote the respect of privacy, safeguard data and enable trust. According to Stay Safe Online, a project of the National CyberSecurity Alliance,

Millions of people are unaware of and uninformed about how their personal information is being used, collected or shared in our digital society. Data Privacy Day aims to inspire dialogue and empower individuals and companies to take action.

What action? The first and foremost goal is to manage your privacy and security settings for all your accounts. This page, on the staysafeonline.org site shows you how to manage your settings on many popular devices, accounts, and services. Go there first to secure your accounts and devices, then share the link with your family and friends so they can do the same.

As you are securing your accounts, if you notice any settings that you feel should be different or default to safer values, let that website or service know. There is little incentive for these companies to change their practices if no one complains about them. There should be a contact form on most sites, but if not, sending to support@whatever.site will usually get your feedback to the right place. Be sure to use the correct site address, i.e. support@facebook.com for Facebook.

Also on Data Privacy Day, which is a Thursday, I will be offering a lunchtime training event via Zoom which will cover passwords and password managers. Having a strong and unique password for every account you have is the first step in securing your data and making sure it stays private. You can sign up for the class by going to the Events calendar on this site and clicking on the event on January 28th. There will be a sign up/RSVP (Going) button once you open the event.

Look for a new Virtual Scavenger Hunt in February. It will run the week leading up to Valentine’s Day. The grand prize will be…somewhat Valentine’s Day themed. More details in the February newsletter.

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me.

 

Food for Thought

Featured Image: Photo by Waldemar Brandt on Unsplash

Cartoon courtesy of XKCD.com

Permalink for cartoon https://xkcd.com/2391/

CAM Week 4 – Security Awareness Training and The Future of Connected Devices

Welcome to week 4 of Cybersecurity Awareness Month!

This is it! This is the last week to participate in the Virtual Scavenger Hunt (VSH)! I hope you have all successfully advanced to the fourth and final week, but if not, there are some clues later in the article to help you along. If you haven’t yet started, you still can, giving you a chance to win the Monster Isport Ear Buds Monster Clarity 102 AirLinks Wireless Ear Buds. Head over to the VSH start page (link at the bottom of the article, to not distract you from the main topics).

Security Awareness Training

An important part of equipping the Berry community to #BeCyberSmart is security awareness training. We’ve used security awareness training for specific groups here at the college for a couple of years now, but our goal is to expand our training platform to allow everyone to access the same training. One way we are working toward our goal is investing in a brand new training platform to replace the one we were using.

This new platform will eventually allow us to offer the same training to everyone, with the presentation tweaked appropriately for each part of our community – faculty, staff and students. More details will be sent as we roll out the new platform. If you are required to take security awareness training for your campus job, you’ll soon see it in your MyApps portal  at https://myapps.berry.edu. Hopefully, if we complete the expansion of the system in a few months, everyone will see it in the MyApps portal.

You also have the option to request security awareness training. Once the system is live, you’ll receive information on how to request that training. It will cover a variety of topics, including how to pick a good password (or 100 good passwords), password managers, how to spot phishing emails and other social engineering attempts, which will protect you and the college, and how to secure your accounts and devices.

The Future of Connected Devices

The future is all about connected devices. As mentioned in last week’s article, Internet of Things (IoT) devices include watches, shoes, and healthcare devices. We also have connected toasters, coffee makers, refrigerators, TVs, and doorbells. The IoT devices market is expected to reach $1.1 trillion by 2026 according to Fortune Business Insights. Who knows what we will have connected by that time?

In development right now are everything from smart contact lenses to smart roads, all of which must be connected to the Internet to work. The estimated number of devices connecting to the network by 2025 is well over 75 billion. One of the most important technologies to facilitate this is 5G networking. This new networking paradigm will enable this massive collection of devices to connect to each other and to us.

It’s an exciting time, but there is one fact that we need to understand as we connect “everything” to the network. Once a toaster is made “smart” and connected to the network, it is technically no longer a toaster. It is a computer that can also toast our bread and bagels. That means it must be securely connected to the network, kept up to date, and managed in some way. That puts a burden on everyone to #BeCyberSmart and understand the rewards and risks of connected devices.

Other Stuff

If you missed the Virtual LunchITS last week but want to learn more about how to spot phishing emails, it will be repeated in November, so check the Events calendar on this site to find out when. Like the previous LunchITS, it will be held over Zoom, will last under an hour and will give you a definite edge in spotting phishing emails. I encourage you to sign up and attend. You can do that right in the event. Just click on it in the Event calendar and fill out an RSVP. There is no cost, but to make the Zoom meeting secure, you must request access to the LunchITS so I can send you the link and the password.

Also, remember that the Office of Information Technology encourages you to sign of for Multi-Factor Authentication (MFA). This will add an additional layer of security to your Berry account. You can read about it at this page on the main Berry website. Email computing@berry.edu to request it.

OK, it’s time to throw some hints to those of you who can’t seem to make your Week 3 Virtual Scavenger Hunt answers get you to week 4.

For the first question – A common name for the answer to question one is “the mob”. Also, the DBIR is available at this URL – https://enterprise.verizon.com/resources/reports/dbir/
For the second question – The answer can be found right under the “Cut to the chase” heading.
For the third question – The answer is eight letters long.
For the fourth question – Scroll most of the way through the article to find this answer. It’s an “i” thing.
For the fifth question – The answer is precise to two digits past the decimal point. It’s also less than 6, but more than 5…

IMPORTANT: You don’t have to resubmit your answers on the week 3 form, but these clues should help you get the correct URL for week 4 of the scavenger hunt.

If you haven’t started the scavenger hunt, here is the start page. You have until 5PM on October 30th to complete the hunt. Good luck and happy hunting!

Virtual Scavenger Hunt Start Page

CAM Week 3 – Phishing and Healthcare Devices

Welcome to week 3 of Cybersecurity Awareness Month!

I hope you are all advancing in the Virtual Scavenger Hunt (VSH), but if not, there are some clues later in the article to help you along. If you haven’t yet started, you still can, giving you a chance to win the Monster Isport Ear Buds Monster Clarity 102 AirLinks Wireless Ear Buds. If you’ve been paying attention, you’ll notice that our grand prize has changed. Unfortunately, everyone else thought the Isport Ear Buds were cool, too, and we ran into a supply problem, as in, we couldn’t get a pair. Fortunately, Monster makes several great sets of ear buds and we picked a comparable pair to replace the Isports. You can click the link above to check them out on the Monster website.  You can head over to the VSH start page using the link at the bottom of the article, but hang here for a little longer to read about the main topics.

Those main topics are phishing and what the Office of Information Technology (OIT) is doing to combat it, and securing Internet-connected devices in healthcare. While this second topic doesn’t seem appropriate, as Berry is a college, not a hospital, we will specifically talk about the many different healthcare devices that are available to consumers, from smart watches and athletic trackers to insulin pumps and smart asthma monitors.

Phishing And The Phish Alert Button

Before we talk about all those incredible Internet of Things (IoT) devices, let’s return to discussing phishing. If you read last week’s article, you’ll remember that there was a quick blurb at the end talking about the importance of detecting and reporting phishing emails you receive.

The first step, of course, is to detect a phishing attempt. How do you do that? What’s the secret to knowing that an email is a phishing attempt? Here’s some items to check in an email to make sure you don’t get hooked.

    1. Make sure the “From” address matches the purported sender.  For example, if an email claims to be from Amazon, but the “From” address is from some account at a Gmail address, it’s probably a phishing attempt
    2. If the greeting is generic, as in “Dear Customer” or “Dear Sir/Madam”, there’s a good chance it is a phishing attempt. Legitimate emails from companies you do business with will seldom start this way. They will either have no greeting, or the greeting will address you by name. Also beware of greetings (and subjects) that refer to you by your email username. These are most likely phishing emails as well
    3. Poor grammar and spelling. No legitimate company will send out email with poor grammar or spelling. It would reflect poorly on them.
    4. Urgency is another warning sign. Emails that require “immediate attention” or warn of dire consequences if you don’t act quickly are most likely phishing attempts.
    5. Links and attachments are both signs that an email is a phishing attempt. Even if you are expecting an attachment from someone, it can be a good idea to simply confirm with them via phone or other method that they sent it.
    6. Lotteries, donations, investment opportunities, get rick quick schemes, unsolicited job opportunities and inheritances from people you don’t know are almost always too good to be true.

If you would like to see real examples of phishing emails, you can visit the Berry College Phishbowl, located here on the InfoSec News and Alerts site.

If you receive a phishing email, even if you are not 100% sure, report it. If it is not a phishing email, you’ll get a reply explaining why it is not. To help OIT combat phishing, please report these phishing attempts using the “Report Email as Phishing” button, which is available in the mail.berry.edu webmail interface and on mobile versions of Outlook, as well as the traditional Outlook client on PCs and Macs. In Outlook, it should appear in the ribbon menu as an open envelope with an orange hook. On the web and mobile, you will find the button under the “three dots” menu in the top right corner of the window when you open an email.

It’s very important to report these emails using the button and not to simply forward them to Information Security or delete them, as this allows us to take action on these emails to protect the community. OIT has invested in a system to be able to mitigate phishing emails, but its effectiveness relies on you reporting phishing attempts. So report all the ones you receive to help us protect you.

IMPORTANT OPPORTUNITY ALERT!!!

If you want to learn more about how to spot phishing emails, there is a Virtual LunchITS scheduled for October 22nd at noon. It will be held over Zoom, will last under an hour and will give you a definite edge in spotting phishing emails. I encourage you to sign up to attend. You can do that right in the event. Just click on it in the Event calendar on the InfoSec News and Alerts site and fill out an RSVP. There is no cost, but to make the Zoom meeting secure, you must request access to the LunchITS so I can send you the course resources and the meeting link and password.

Securing Internet-Connected Devices in Healthcare

Everything can be connected these days, from smart watches, like the Apple Watch, to dedicated fitness trackers like FitBits, to shoes like Under Armour’s HOVR running shoes. Healthcare devices are prime candidates for connecting to the network, as they can produce historical data that can be used to make health decisions, or can be controlled remotely with a smartphone app. Once they are connected, they are targets, just as we mentioned last week about IoT devices on your home.

How can we make sure that these devices are securely connected? Here are some tips to help you make a secure connection with your “healthy” devices.

    1. Choose well-known, reputable brands that won’t disappear on you after you purchase the product.
    2. Make sure you follow the vendor-provided instructions for connecting it to the network.
    3. Once it is connected to the network, make sure you update the device to the latest version of the software or firmware running on it.
    4. Be sure to continue to update the device, or, if it is capable, set it to auto-update when updates are available.
    5. Keep track of your devices, particularly those that collect data about you and your activities, like smart watches and fitness trackers.

Those of you who have consumer medical devices like insulin pumps, continuous glucose monitors, pacemakers, asthma monitors or inhalers and other devices that can potentially disrupt your health should be extra careful in following the tips above. Most of these devices have online communities and vendor supplied resources that can help you stay aware of any potential issues with your particular device. If you’re not connected to any resources like this, use your favorite search engine and see what’s out there.

One more thing before we get to the VSH clues…you will soon be receiving, or may have already received, an email informing you of when multi-factor authentication (MFA) will be enabled on your account. Don’t delete these emails or report them as phishing! They are real. The emails will provide you with resources about how to set up MFA. If you want to have MFA enabled on your account before your appointed date, email computing@berry.edu and let them know you want MFA.

OK, it’s time to throw some hints to those of you who can’t seem to make your Week 2 Virtual Scavenger Hunt answers get you to week 3.

    • For the first question – The Events calendar for the InfoSec News and Alerts Site is right on the main menu. Once you go there, choose the monthly view, if it is not the current view. You’ll see the event in question as the only single day event in October.
    • For the second question – be sure you put a leading zero on your answer to come up with a four digit month and day answer
    • For the third question – Be sure to jump into the section on ransomware to find the answer.
    • For the fourth question – The largest breaches in the Have I Been Pwned database are listed on the left side of the main page.
    • For the fifth question – Follow this link to the security awareness poster that is in the residence halls and in Krannert.

IMPORTANT: You don’t have to resubmit your answers on the week 2 form, but these clues should help you get the correct URL for week 3 of the scavenger hunt.

If you haven’t started the scavenger hunt, here is the start page. Good luck and happy hunting!

Virtual Scavenger Hunt Start Page

 

Photo Credit: Photo by Solen Feyissa on Unsplash

CAM Week1 – Passwords, Password Managers, and Protecting Connected Devices

Passwords and Password Managers & If You Connect It, Protect It

Welcome to the first week of Cybersecurity Awareness Month! Each week we will discuss two primary topics. One of those topics will be the CAM 2020 “official” weekly topic and the other will be localized for the Berry community. This week, the official topic is “If You Connect It, Protect It”, and the local topic concerns passwords and password managers.

If You Connect It, Protect It

Once we connect a device to the Internet, via a wireless network or cellular data connection, or other method, it is exposed and vulnerable. That’s a terrible way to look at it, but there are stories every day of new vulnerabilities in software and hardware that we use all the time. In 2019 there were over 22,000 vulnerabilities identified, with over 12,000 of those reported and assigned a Common Vulnerabilities and Exposure (CVE) identifier, which is used to identify and promulgate information about the vulnerability.

That 22,000 number is across hundreds of companies and products, but you know the names of some of the most affected companies. They include Microsoft, Adobe, Apple, and yes, even Google. It’s a safe bet that whatever device you connect, it will already have, or will have in the future, vulnerabilities. What to do?

When reputable companies find or are told about vulnerabilities, they create and release updates, unless the software or hardware is no longer supported. We see evidence of this all the time…Windows wants to reboot to install updates, your phone tells you it needs to reboot to install updates. Don’t ignore these warnings, especially when first connecting a device to the network. At the same time, become familiar with what these warnings look like to avoid being fooled by fake update messages in the future.

All of this to say that the most important rule of properly securing connected devices is to keep your devices updated. The first thing to do after you connect something new to the Internet is update it.  On average, newly connected devices are attacked within 5 minutes and are targeted by exploits specific to the device within 24 hours. That’s not much time to go out and get the latest update for the device. Do it quickly!

Passwords and Password Managers

We talk about passwords a lot, for good reason. With all of their inherent flaws, passwords are the de facto way we authenticate to all of our accounts. The average person now has 27 discrete accounts, while people in information technology fields or younger people may have two or three times that many. This means the average person should have at least 27 different passwords, but humans take shortcuts, even when it is dangerous to do so.

One particularly dangerous shortcut people take is to reuse passwords for multiple accounts. Aside from the need to keep them secret, this is the most important rule in properly dealing with passwords – do NOT reuse them. Make sure passwords are unique across all accounts.

Good passwords are also long, complex, and not based on easily located data, like birthdays, pet’s names, high school mascots or other public record information.

How long?

Truthfully, twelve to fifteen characters, minimum.

How complex?

Have a mix of upper and lower case letters, numbers, symbols and even spaces, if an account allows it.

Based on what?

There’s several good ways to do this. If the password must be memorable, try imagining a picture of a favorite place, a scene from a book, movie or TV show, or other vivid image that you won’t forget, or be prone to alter. Pick four or five words that describe that image, string them together, capitalize a word, or all of them, and throw in a number. For example, a memorable scene might include a cowboy trying to stay on a bucking bull in a rodeo. Words to pick from this scene could include cowboy, bull, horns, bucking and a number could be 8 (as in, the cowboy has to stay on the bull 8 seconds to get a score).

The resulting password could be “Cowboy-Bull-Horns-Bucking-8”.

What makes this a good password?

    • It is long – 27 characters
    • It is complex – upper and lower case letters, a number, and symbols

What weakens this password?

    • It is based on words which are all in the dictionary

The length and complexity wildly outweigh the weakness of being based on dictionary words. This would be a great password, but read on for why it is not.

Our awesome example password is no longer a great password because it has been exposed. It has been used as an example and therefore should NOT be used as a password. No length or complexity will ever outweigh the disadvantage of an exposed password. Keep your passwords secret and never share or reuse them.

If you prefer not to create 27+ word pictures for your accounts, your passwords, of course, don’t need to be memorable if they will be stored in a password manager and possibly generated by a password manager. They can be as long, complex, and random as you wish, as you will never have to type them in, or even know them.

Password managers like LastPass, 1Password, BitWarden, and even iCloud Keychain for you Apple-only folks, allow you to use long, complex, and unique passwords for EVERY account you have. You only have to remember one, good, strong password to lock away the rest of your passwords. Visit the sites for the managers above or run a search in your browser for “password manager” and see how many results you get.

There are so many options and in your search results you’ll also find sites that will compare some of the available managers, providing recommendations and showing how they stack up against each other. Some have unique features or are better suited for families. Some may not support all of your devices, so be sure to check that your chosen phone, tablet, or operating system is supported. Be sure to pick a recent review, as vendors continuously attempt to improve their products, pricing and supported platforms. Find one you like, try multiple ones out if you need to. Many have trial periods, others don’t cost anything to use, but may have severe limitations. You are almost guaranteed to find one that matches your needs, wants, and budget.

Virtual Scavenger Hunt

If you missed the information about the Virtual Scavenger Hunt (VSH) in the October newsletter, head over there to read about it, then read the CAM 2020 page, and then the VSH Start Page. It will tell you about the hunt, how to participate, and information about the grand prize.

Good hunting!

If you get stuck in the VSH, be sure to follow Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit) for clues. Other, potentially more important information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check the InfoSec News And Alerts Site for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like training will be posted.

 

Photo Credit: Photo by BENCE BOROS on Unsplash

October News from Information Security

October is here! Did you know there are 190 official and unofficial “days” in October? I know, there are only 31 actual days, but many days are workhorses, serving as “the day” for multiple celebrations, from National Pumpkin Day to World Animal Day to the International Day of Non-violence. More immediately on many of our minds here at Berry, Mountain Day is around the corner, along with long-sleeve weather. October is also the height of “pumpkin spice everything”, and…Cybersecurity Awareness Month!

Yes, it’s Cybersecurity Awareness Month! Let’s just call it CAM. It used to be called National Cyber Security Awareness Month or NCSAM, but it is observed internationally now. You can find out about our planned topics on the CAM 2020 page. There will be weekly articles as well as a month-long virtual scavenger hunt…and prizes…and candy…and learning! Head over to the CAM 2020 page to check it out after you finish reading this article. Come on, stay focused here! There will be another link at the bottom of the page.

As already mentioned, look for weekly articles on various security awareness topics posted right here each Monday of October. They, along with the security awareness posters on all the residence hall bulletin boards and in Krannert, will be essential to completing the scavenger hunt. You might be asking yourself, why burn 5-10 minutes of time each week in October tracking down scavenger hunt items? Because everyone who completes the scavenger hunt will be eligible for a drawing for the grand prize of a pair of Monster Isport Ear Buds Monster Clarity 102 AirLinks Wireless Ear Buds

As a part of CAM, the Office of Information Technology (OIT) is strongly urging everyone to sign up for Multi-Factor Authentication (MFA) for their Berry account (and all other accounts you have, but we are particularly concerned with your Berry account). MFA brings another level of security to your account and can protect you if the password for your Berry account is exposed. The setup is easy, and you’ll be able to keep your Berry account password for an entire year, assuming it does not get exposed. Email computing@berry.edu and let them know you want MFA. MFA will be required for all current students, faculty, and staff soon, so you should beat the rush and get signed up now!

In addition to encouraging everyone to sign up for MFA, OIT is also encouraging everyone to sign up for security awareness training. OIT is implementing a brand new security training platform and we want as many as possible to experience the new system. While we will continue to focus on specific training for now, we are looking to expand the system to accommodate everyone as soon as we can. More details will be provided, either in one of the CAM 2020 weekly emails or the November monthly newsletter.

There are other ways to participate in training. You can attend a one hour, Zoom-based, focused training on phishing emails or passwords and password managers, or request one-on-one training on a particular topic. Since the theme for CAM is “Do Your Part – #BeCyberSmart” we encourage you to develop your cybersecurity “smarts” in whatever way fits your schedule and goals.

If, after reading the CAM2020 page and looking over the rest of the website, you think I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the calendar where events will be posted and you can register for these events.

The Berry CAM2020 page

Go directly to the scavenger hunt page!   This link will not be active until Monday October 5th,  2020, at 8:00AM

Upcoming Events

 

 

 

 

Featured Image: Photo by Joanna Kosinska on Unsplash

July News from Information Security

Well, 2020 has been a trip so far, wouldn’t you agree?

“Trip” might be an understatement. It’s as if our lives are as jumbled and chaotic as this pile of puzzle pieces. Nothing seems to make sense, or have any clarity whatsoever. Between the corona-virus, murder hornets, protests (and riots), cancel culture, and for extra flavor, all during an election year, I know many of you are weary and yearn for some good news.

This post is not that…I’m sorry.

We’ve been bombarded by all kinds of phishing emails. Thanks, again, to everyone who reports these and to those who simply delete them and move on. There’s no relief in sight for these. We will continue to be sent fake personal assistant jobs, fake upgrade notifications, fake meeting notifications, fake emails about ‘favors” and “urgent requests”, fake shared document notifications, and more. Please be vigilant, informed, and conscientious in handling your email.

One particular type of phishing email that has popped up recently (again) is one where a phisher uses old emails from a compromised account to attempt to get users to click on a link leading to a “report” or “project update” or other some important document. From your perspective, you see a familiar subject line in an email, potentially coming from a valid and known address, but in the body of the message, there is a sentence about an updated report or some other document that has nothing to do with the original email. It usually has a convenient link provided to view it. Don’t click the link! If you have any thought that it might be valid, contact the sender to confirm they sent it.

The other type of phishing email that was popular for a couple of days was the fake shared document notification. The email purported to be from a colleague, but the actual From address was not a Berry address. Also, the document was shared on some other cloud storage system other than OneDrive. Documents related to college business and activities should never be put on any other cloud storage service other than OneDrive. Be very careful with shared document notifications…always verify with the purported sender.

Email is also the subject of my next warning. During the early days of the corona-virus meltdown, many companies bought up vast amounts of protective gear, especially masks, gloves, and other disposable personal protective equipment (PPE). Some of these companies are now holding large quantities of PPE in stock and realizing they need to get rid of at least a portion of it. We have already seen some spam emails offering PPE and we will probably see more. You can either simply delete these emails or you can flag them as spam using the tools in Outlook. While I don’t mind them being reported via the “Report Email as Phishing” button, many technically aren’t phishing as much as simple spam. With that said, don’t hesitate to report any that you feel are more than just unsolicited commercial emails.

How to flag an email as spam? In Outlook, with the spam email open, there is a button on the left-hand side of the menu bar that lets you block the sender. It looks like a person with the red “circle-with-a-backslash” symbol (officially the “general prohibition sign”). The first option is “Block Sender” which will block the sender and send the email to the Junk folder.

One last thing. I’ve typed “Report Email as Phishing” more times that I want to count, and all the “cool colleges” have a nifty acronym for their phishing reporting tool, so I’ve decided we should also have one. Therefore, from now on, the “Report Email as Phishing” button will be referred to as the “REaP” button (capitalization/non-capitalization is intentional), which I think is fitting, as it allows us to “reap” phishing emails from our system. Yes, I know “reaping” generally means harvesting or gathering useful or good things, not dangerous emails, but the base action is fundamentally the same. Right? I’m glad you agree. Whew, that will save me twenty characters of typing per instance moving forward!

Be on the lookout for an announcement concerning the official opening of the Berry Information Security Phishbowl, or simply, the Phishbowl. I WILL NOT be using an acronym for that, thanks to the Urban Dictionary.

Here goes the usual reminders…

If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted (someday when the corona-virus crisis has passed…).

Photo Credit: Photo by Hans-Peter Gauster on Unsplash