May News from Information Security

Wait?

It’s May already?

Where did April go?

It passed by as we were stuck at home and no, you didn’t miss the April newsletter, as it was lost in the work-from-home shuffle. There’s a hint of a light at the end of the coronavirus tunnel as some businesses are opening and some restrictions are being lifted, but that’s all I’m going to say about that…

While we may not have been as busy during this time, phishers, scammers, and other bad actors have gone into overdrive. Some sources have placed the increased fraudulent traffic as 300% higher this last quarter over the same quarter from 2019. The amount of emails attempting to leverage the coronavirus and associated fears has grown astronomically and the phishers have an edge in this environment – we’re already stressed and uncertain.

There are emails purporting to have a cure for the disease, others with great deals on PPE (who figured that acronym would ever become common?), some trying to steal CARES relief funds, and others trying to convince people they have come in contact with someone with the virus. That’s just a tiny sample. There are some new articles on this site covering social media surveys, Skype password phishing, and complaint scams. The COVID-19 article was updated multiple times with new information. If you haven’t read those yet, you should check them out after you’re done reading this.

Myriad opportunities abound to phish, scam, and deceive people who have severe cases of cabin fever, restlessness and real fears about jobs and finances. No stress point is neglected in the daily attacks from bad actors trying to compromise accounts, steal credentials, and wreak havoc in an already chaotic environment. Many people are learning new ways to work, communicate, shop, eat, and socialize. All of the “new” is irresistible to scammers and phishers. Here is what I consider the number one safety tip (with some examples) to safely navigate this new (hopefully temporary) normal.

  • Almost all email should be considered suspect at this point. Apply a much higher grade of scrutiny to any and all emails you receive.
    • Emails like the ones mentioned in the Skype phishing article will appear to come from a variety of services, all of them trying to get you to click on that link or button in the email to check your notifications. Don’t!!! Simply log in to the site or service like you normally would, and if you have notifications, they will be there.
    • Emails asking for banking information or other financial information should be VERY carefully scrutinized. Most will be fraudulent. If you or a family member need to supply banking information to receive CARES funds or are having to deal with unemployment, make sure you are going to the right resources. Numerous government sites are available, including the Health and Human Services site and the primary government site about coronavirus information. The Georgia Department of Labor site is where to get answers about the process of receiving unemployment benefits.
    • Phishers haven’t given up on old themes. We have received plenty of emails to campus inboxes purporting to be from college department heads, all the way to President Briggs, asking you for a “favor” or with an “urgent request”. Don’t fall for these! Check the From address and look for the external email banner to determine the validity of emails like this. The fact that such requests should be EXTREMELY rare should immediately render them suspect.

On a somewhat different topic, check out the new voicemail notification Quick Tip here on the site. It explains how to tell if a voicemail notification received via email is valid or not.

Here’s hoping that things will get back to normal soon, even if normal is slightly different. As always, if you ever have a question about an email or other questions about information security, please don’t hesitate to contact me at infosec@berry.edu, extension 1750 or 706-236-1750. I’m still working at home, like many others.

If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted (whenever we get to the point we can do that).

Photo Credit: Photo by Jose Antonio Gallego Vázquez on Unsplash

Data Privacy Day – Krannert Table

Come by the Information Security table in Krannert between 11:30 and 1:00 PM for information about protecting your privacy, the chance to ask questions and get answers face to face, and to pick up some delicious edible items.

January News from Information Security

Welcome to this special “mid-January” monthly edition of news from Information Security!

With the students not returning to class until the 13th of the month, this edition was delayed to roughly coincide with their arrival. Also delayed are the security awareness posters, for those who get them and post them in their offices. If you would like to have security awareness posters to put on a departmental or office bulletin board or at “the watering hole” for your area, please email infosec@berry.edu and mention you would like to receive these on a monthly basis (and how many). They will normally be distributed at the first of the month, but again, for January, 2020, they will be distributed the week of the 13th.

I’ve already sent a couple of emails to faculty and staff this year, one about the new idle workstation lock policy that went into effect on the 6th of January, and another pointing to a post here urging everyone to be particularly vigilant in the next few weeks, and beyond, as tensions with Iran continue to build. It is assumed that part of Iran’s counterattack will be conducted in the digital realm. You can read the warning by clicking here.

On the topic of returning things, there will be a LunchITS scheduled toward the end of January. The topic will be account security, including information about usernames, passwords, password managers, and multi-factor authentication. If any of that sounds unfamiliar, then this LunchITS is for you. I will send out an email when the schedule is confirmed and you can always check the event calendar right here on the InfoSec News & Alerts site for future events. February will see the return of the phishing LunchITS and a brand new LunchITS geared toward a broader overview of security awareness.

Wait, what’s a LunchITS, you ask? LunchITS, which is short for “Lunch+Information Technology Security” are one hour training sessions, held during the lunch hour (12:00 noon – 1:00 PM) in Krannert, where you can come, with your lunch, and learn more about information security. You can pick up lunch at Krannert, or brown bag it. Just be prepared to learn while you eat. You’ll get information to take back with you, with all of the main points of the session included on the provided literature, for those of us who can’t eat and take notes at the same time.

Also coming up in January is Data Privacy Day, celebrated on the 28th of the month, which just happens to be a Tuesday, and Information Security will have a table in Krannert from 11:30AM until 1:00PM where you can drop by and ask questions, pick up information, and grab some gratuitously bad edible items. This event will also be on the event calendar on this site and an email will go out the day before to remind you.

Finally, coming soon to a computer or phone screen near you (probably on your desk or in your hand) is the next in-house written, filmed, and produced security awareness video. The intrepid Director of Information Security will help yet another would-be victim with their security awareness. As soon as it is ready, an announcement will go out over email and on social media.

On that topic, if you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the previously mentioned events calendar.

That’s it! Welcome back to a new year, everyone, whether you just got here or have been here for two weeks this year already.

Photo Credit – Photo by Glen Carrie on Unsplash

Data Breach Notification: Data Enrichment Exposure

In October, a large database was left unsecured and exposed to the Internet. This database contained “enriched” data profiles, which means that someone had taken some basic information about a person, like an email address or social media profile, and then searched and cross-referenced publicly available data to gather as much information as possible about that person. Companies do this for millions of people and then sell these “enriched” profiles to ad companies to help them target potential customers. It’s one of the reasons you get SO MUCH SPAM.

There were over 600 million accounts in the exposed database. There were 2,789 berry.edu or vikings.berry.edu email addresses in those records. There were NO passwords included in this breach.

To find out if your information is included, you can go to Have I Been Pwned and enter your email address in the search form. You can also sign up for breach notifications from Have I Been Pwned by clicking on “Notify Me” at the top of any page on the site.

The information included email addresses, employers, geographic locations, job titles, names, phone numbers, and social media profiles. While none of the individual pieces of this information alone are considered damaging or sensitive, the accumulation of this data in a single profile not only helps advertisers, but it also helps scammers more accurately target people by sending focused phishing emails that seem more credible.

Stay vigilant against phishing emails by learning what to look for. Check out the Phishing Quick Info page here on this site at a minimum.

As always, if you have questions about any of this, you can contact Information Security using the information on the right-hand side of any site page.


November News from Information Security

The days keep marching on! It’s November already and holidays and finals are growing ever closer. Fall weather is finally here, just in time for winter to blow in.

I want to thank everyone who came by the table in Krannert during National Cyber Security Awareness Month in October. We had more people stop by this year than ever before and one lucky person won the big prize on Halloween. In addition to some Berry-branded drinking apparatus, they got lots of candy and a Yubico YubiKey that will help them increase the security on lots of their online accounts. There were over 60 visits to the table this year, the weekly articles were viewed over 170 times and the videos had dozens of views. I hope you had as much fun watching the last two videos as I did writing and making them.

Another piece of information I want to pass along is the implementation of automatic idle lock for campus workstations. This has been mentioned before, but to refresh your memory, this simply means that most computers on campus, if left idle for ten minutes, will lock the desktop, requiring the user to enter their credentials to gain access. Information Technology has been working hard to make sure this policy does not impact computers in classrooms, meeting rooms, and other places where there is a potential for the policy to interrupt class or meetings. The important information I want to pass along is that this policy will go into effect on January 6th, 2020, when everyone returns from the holidays. More information will be provided between now and the end of the semester.

Keep an eye on this site to see when the next Krannert table is scheduled. The front page has an “Events” link in the main menu that will show all of the upcoming events being offered by Information Security. Also listed on the events page will be any upcoming LunchITS, where we dig into a topic for the duration of the lunch hour while enjoying our lunch. There will be one in early November, but the date is not yet finalized.

You can also check back for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me.

If you notice any issues with the site, as it is undergoing an upgrade and expansion, please let me know by emailing infosec@berry.edu.

Let’s take a few moments and dig into this month’s topic. Data security.

As I hope you inferred from all of the events and activity during October, information security efforts will only be successful when all members of the campus community understand the risks and take steps to avoid them. One of the biggest risks is the exposure of confidential data.

Did you know? In 2017 the education industry (which includes K–12 and higher education institutions) had 7,837,781 records breached in 35 events. To put that into perspective, the healthcare industry had 6,058,989 records breached in 428 events, and the retail industry had 123,652,526 records breached across 33 events. (See Privacy Rights Clearinghouse Chronology of Data Breaches, 2017 data.)

More than half of the breaches in the education sector were caused by activities directly attributable to human error, including lost devices, physical loss, and unintended disclosure (see figure 1). These breaches were arguably preventable through basic information security protection safeguards.

[Figure 1: bar chart showing types of security breaches among educational institutions]

What can you do every day to protect data? Few, if any, other sectors transmit, process, access, and share as wide a range of sensitive data elements as higher education does. There is no “one size fits all” blueprint for information security controls that all institutions can follow. Yet all campus members have a responsibility to know basic information security protections to safeguard data and prevent those data from being mishandled:

  • Update your computing devices: Ensure updates to your operating system, web browser, and applications are being performed on all personal and institution-issued devices. Updates to college-owned computers are handled automatically as long as the computer is online to receive the update and is rebooted on a regular basis.
  • Use multi-factor authentication: Whether for personal use or work, multi-factor authentication (MFA) can prevent unauthorized access even if your login credentials are stolen or lost. If you would like MFA enabled for your account, please email computing@berry.edu and request it.
  • Create really strong and unique passwords: Create unique passwords for all personal and work accounts. In today’s environment, one of the best ways to create a really strong password is to use a password manager for all of your accounts. A password manager will alleviate the burden of having to memorize all the different complex passwords you’ve created by managing them all in one “vault” and locking that vault with a single master password.
  • Protect your devices: Using biometrics or six-digit passcodes on smartphones and tablets is critical to keeping curious minds from accessing personal information, work email, or retail/banking applications. It also helps protect your device if you lose or misplace it.
  • Understand where, how, and to whom you are sending data: Many breaches occur because of “oopsie moments” where we accidentally post sensitive information publicly, mishandle or send to the wrong party via publishing online, or send sensitive information in an email to the wrong person. Taking care to know how you are transmitting or posting data is critical.

Getting ready to send data to a vendor or sign a contract? With more and more services moving to the cloud, higher education institutions have an additional obligation to ensure that third parties are protecting our most sensitive information. If you or your department is looking to purchase or adopt a service or technology that uses institutional data, it is imperative that you include the Office of Information Technology (OIT) at the beginning of the project or contract process to help ensure that data are properly protected. To determine whether or not OIT should be involved in the vendor/contract process, ask yourself the following questions:

  • Does the project (and in-scope technologies) involve the handling or storage of personal data (e.g., student data, employee data, donor data, research data, or financial data)?
  • Does the project (and in-scope technologies) involve the handling or storage of personal data that is regulated by government entities or has special contractual obligations to a third party (e.g., contract sponsored for research)?
  • Is there transfer of any institutional data from an institution-owned system or device to a third-party vendor-contracted system or device?
  • Does the project involve acquiring/implementing/developing software, services, or components that your institution has not previously deployed?
  • Does the project involve providing a new data feed to an existing campus partner?
  • Does the project involve accepting card payments in any way?

If the answer to any of the above questions is “yes,” please collaborate with OIT at the beginning of the project to ensure that institutional data are properly protected. You can simply email computing@berry.edu and let the Technical Support Desk know you have a new service you want to implement. They will get the right staff in touch with you.

Have a great November!


Photo by Priscilla Du Preez on Unsplash

NCSAM Week 3 – Identifying Sensitive Data, Spotting Phishing Emails, Cleaning Your Digital House

Welcome to week 3 of National Cyber Security Awareness Month!

We’re already more than halfway through October. Halloween approaches!

I know most of you students will not read this until Wednesday at the earliest. Who wants to spend Fall Break time reading about Cyber Security Awareness? Just kidding! YOU should!

This week we are discussing how to identify sensitive data (own IT), how to spot phishing emails (secure IT), and how to clean up your digital data (protect IT). This post will be a little longer than most, so bear with me. Following along with our car and/or bike maintenance theme, we have to know how to spot trouble with our car, like not ignoring those yellow lights on the dashboard, or that weird shrieking noise it makes when you start it up, or the squealing sound when you touch the brakes. With our bike, we have to be more…manual, and proactive. Always check the tires and chain before starting a ride, and inspect our brake pads to make sure they are working. If something is squealing on our bike, we should probably just stop and check it out. Sorry…I didn’t mean to fall too far down the analogy rabbit hole there.

To properly “own our IT”, we have to know – What is sensitive data? It is any data about a person, or entity, that is potentially exploitable or possibly damaging. Some sensitive data is defined by law. There are dozens of alphabet soup laws, regulations, and standards with which we have to comply. Some of these are: PCI-DSS, HIPAA, FERPA, GLBA, GDPR, and so many more. If you don’t know what any of those are, Google is your friend, but we can discuss the impact of these laws, regulations and standards without knowing exactly what they are. For example, the college is required to comply with HIPAA to protect employee and student medical records. It must comply with FERPA to protect student information and with PCI-DSS to protect credit and debit card information. But what is this information?

A short list includes names, addresses, credit card numbers, medical diagnoses, grades, academic status, classes taken, location, and account numbers. Not all of these information items are covered by all of the laws, regulations, and standards, but a subset of them are covered in almost every one. They are referred to as PII (personally identifying information), PHI (personal health information), or other acronyms. The penalties for not protecting this data range from monetary fines to loss of institutional accreditation, to the inability to accept credit and debit cards as payment options. Any of these penalties would be bad, but arguably the worst result would be the loss of a good reputation for the college.

The college offers training to faculty, staff and students whose jobs involve dealing with sensitive information. Ask your supervisor if your job involves handling sensitive information. If so, ask for training. Information Security will provide it, just email us at infosec@berry.edu.

Part of securing sensitive data, particularly usernames, passwords, and financial information, is learning to spot phishing emails and other social engineering attempts. Phishing emails are getting more sophisticated every day, and targeted phishing, sometimes called “spear-phishing”, is now on the rise. Because of the inordinate amount of data collection and aggregation in use by many companies, and the data breaches that expose this information, more and more information is available to scammers for crafting emails that are convincing and appropriately targeted. As a result, it is getting harder and harder to tell real emails from fraudulent ones. Here is a short list of things to watch out for when evaluating an unexpected (virtually 100% of phishing emails are unexpected in some way) email.

  • Misspelled words, poor grammar, odd word choices, and improper punctuation are all signs of a potential phishing email.
  • Emails promising large sums of money or informing you that you won a lottery you didn’t know existed are common ruses – everybody likes more money.
  • Urgent deadlines, threats of loss of accounts or access to files, late fees, penalties, are all designed to force you to make a bad decision.
  • The government (local, state, or federal) will never send you notice of impending actions via email. That notice from the IRS about a rebate, or worse, a penalty, can generally be ignored.
  • Any request for your username and password, whether by email or phone call, or any other communication channel is always fraudulent.
  • Phishing emails frequently ask you to click on a link to do everything from “confirm your details” to download a document that has “important information” in it. Don’t follow links in suspect emails. If the phisher got lucky and tries to impersonate a company you have an account or do business with, go to the site directly in a new browser window (meaning, don’t click the link!), log in, and check your account. If the company has an important message for you, it will be there.

Let’s assume you clicked on a link (reminder – don’t do that). How do you know if the page in your browser that is now requesting your username and password is legitimate?

  • Check the address bar to make sure the site is secure.
  • Check the address in the address bar to make sure it is correct.
  • Does the page look familiar?
  • Are there typos on the page?
  • Do logos and images look out of place?
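
As an added illustration of the address-bar checks above (example code written for this post, not from the original; the trusted domain names are constructed placeholders), a small Python checker that applies them to a URL and reports what a careful reader should notice:

```python
from urllib.parse import urlsplit

# Constructed placeholders: the domains a user actually has accounts with.
TRUSTED_DOMAINS = {"berry.edu", "example-bank.com"}


def check_login_url(url, trusted_domains=TRUSTED_DOMAINS):
    """Apply the post's address-bar checks to a login-page URL.

    Returns a list of warnings; an empty list means the URL uses HTTPS and
    its host is a trusted domain or a subdomain of one.
    """
    warnings = []
    parts = urlsplit(url)

    # "Make sure the site is secure": the scheme must be https.
    if parts.scheme.lower() != "https":
        warnings.append("not https")

    # Text before an '@' is userinfo, not the host, so
    # 'https://berry.edu@evil.example/' really goes to evil.example.
    if parts.username is not None:
        warnings.append("userinfo before '@' hides the real host")

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        warnings.append("no hostname")
        return warnings

    # Non-ASCII or punycode (xn--) labels can render as lookalike characters.
    if not host.isascii() or any(
        label.startswith("xn--") for label in host.split(".")
    ):
        warnings.append("punycode/IDN label (possible lookalike characters)")

    # "Make sure the address is correct": the registered domain must match
    # exactly or be a subdomain. 'berry.edu.evil.example' does not qualify,
    # because the trusted name has to be at the END of the host.
    if not any(host == d or host.endswith("." + d) for d in trusted_domains):
        warnings.append(f"host {host!r} is not a trusted domain")

    return warnings


if __name__ == "__main__":
    # Constructed sample links of the kinds a phishing email might carry.
    for sample in (
        "https://login.berry.edu/",
        "http://login.berry.edu/",
        "https://berry.edu.evil.example/login",
        "https://berry.edu@evil.example/",
        "https://xn--brry-xxa.edu/",
    ):
        print(sample, "->", check_login_url(sample) or "looks OK")
```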

In the end, ask yourself these two questions with every email:

  1. Is this email or phone call asking for my password or other login information?
  2. If I clicked on the link (reminder – just don’t) did it bring me to a login page?

If the answer is YES to either question, then there is a good chance you are being phished.

Check these resources to test your eye for spotting phishing emails and fraudulent login pages:

OpenDNS’s Phishing Quiz – This tests your ability to verify correct web addresses

Jigsaw/Google Phishing Quiz – This one is fairly difficult, but explains each phishing clue

Accellis Phishing Quiz – You have to scroll a bit, but it’s a good test

Now let’s talk about protecting your IT (and yourself) by cleaning out your digital file cabinet. Sometimes we “temporarily” store a password for an account in an unsafe way, like in a photo on a smartphone, or even in a text file or note-taking app. Other times we keep information about financial transactions, tax returns, and other potentially dangerous data around for way too long. We keep so much stuff these days we have no idea what we have anymore. Take time for a quarterly cleaning. Every time the season changes (which I admit is sometimes a moving target here in the South), take time to do the following:

  • Go through the photos on your phone, or sort through them on a laptop or desktop if they are stored in a cloud storage service. Get rid of any of those “temporary” pictures you were going to delete anyway. This is also a good opportunity to take a look at what you have captured on your phone’s camera and delete any potentially embarrassing or even incriminating photos. Hey, we’re all human!
  • Sort through your files stored in cloud storage services like iCloud, Google, Dropbox, and others to see if there is anything you don’t need anymore. It’s best to just delete these files, as you generally pay by the gigabyte for cloud storage. If you don’t need it, why keep it, especially if it is sensitive information?

Finally, here is another funny video by Habitu8 about phishing, or, in this instance, “vishing”: phishing via a phone call. More specifically, this type of attack is called, as the title says, a CEO scam. Check it out – CEO Scam by Habitu8 – You’ll want to pause the final screen with tips on how to avoid this scam, unless you are a speed reader.

Thanks for reading all of this! Check the site next week for the new NCSAM article and check the site often for breach announcements, current phishing scams, and more.