October News from Information Security

October is here! Did you know there are 190 official and unofficial “days” in October? I know, there are only 31 actual days, but many days are workhorses, serving as “the day” for multiple celebrations, from National Pumpkin Day to World Animal Day to the International Day of Non-violence. More immediately on many of our minds here at Berry, Mountain Day is around the corner, along with long-sleeve weather. October is also the height of “pumpkin spice everything”, and…Cybersecurity Awareness Month!

Yes, it’s Cybersecurity Awareness Month! Let’s just call it CAM. It used to be called National Cyber Security Awareness Month or NCSAM, but it is observed internationally now. You can find out about our planned topics on the CAM 2020 page. There will be weekly articles as well as a month-long virtual scavenger hunt…and prizes…and candy…and learning! Head over to the CAM 2020 page to check it out after you finish reading this article. Come on, stay focused here! There will be another link at the bottom of the page.

As already mentioned, look for weekly articles on various security awareness topics posted right here each Monday of October. They, along with the security awareness posters on all the residence hall bulletin boards and in Krannert, will be essential to completing the scavenger hunt. You might be asking yourself, why burn 5-10 minutes of time each week in October tracking down scavenger hunt items? Because everyone who completes the scavenger hunt will be eligible for a drawing for the grand prize: a pair of Monster Isport ear buds (Monster Clarity 102 AirLinks Wireless Ear Buds).

As a part of CAM, the Office of Information Technology (OIT) is strongly urging everyone to sign up for Multi-Factor Authentication (MFA) for their Berry account (and all other accounts you have, but we are particularly concerned with your Berry account). MFA brings another level of security to your account and can protect you if the password for your Berry account is exposed. The setup is easy, and you’ll be able to keep your Berry account password for an entire year, assuming it does not get exposed. Email computing@berry.edu and let them know you want MFA. MFA will be required for all current students, faculty, and staff soon, so you should beat the rush and get signed up now!

In addition to encouraging everyone to sign up for MFA, OIT is also encouraging everyone to sign up for security awareness training. OIT is implementing a brand new security training platform and we want as many people as possible to experience the new system. While we will continue to focus on specific training for now, we are looking to expand the system to accommodate everyone as soon as we can. More details will be provided, either in one of the CAM 2020 weekly emails or in the November monthly newsletter.

There are other ways to participate in training. You can attend a one hour, Zoom-based, focused training on phishing emails or passwords and password managers, or request one-on-one training on a particular topic. Since the theme for CAM is “Do Your Part – #BeCyberSmart” we encourage you to develop your cybersecurity “smarts” in whatever way fits your schedule and goals.

If, after reading the CAM2020 page and looking over the rest of the website, you think I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically from Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the calendar, where events will be posted and you can register for these events.

The Berry CAM2020 page

Go directly to the scavenger hunt page! This link will not be active until Monday, October 5th, 2020, at 8:00 AM.


Featured Image: Photo by Joanna Kosinska on Unsplash

NCSAM Week 3 – Identifying Sensitive Data, Spotting Phishing Emails, Cleaning Your Digital House

Welcome to week 3 of National Cyber Security Awareness Month!

We’re already more than halfway through October. Halloween approaches!

I know most of you students will not read this until Wednesday at the earliest. Who wants to spend Fall Break time reading about Cyber Security Awareness? Just kidding! YOU should!

This week we are discussing how to identify sensitive data (own IT), how to spot phishing emails (secure IT), and how to clean up your digital data (protect IT). This post will be a little longer than most, so bear with me. Following along with our car and/or bike maintenance theme, we have to know how to spot trouble with our car, like not ignoring those yellow lights on the dashboard, or that weird shrieking noise it makes when you start it up, or the squealing sound when you touch the brakes. With our bike, we have to be more…manual, and proactive. Always check the tires and chain before starting a ride, and inspect our brake pads to make sure they are working. If something is squealing on our bike, we should probably just stop and check it out. Sorry…I didn’t mean to fall too far down the analogy rabbit hole there.

To properly “own our IT”, we have to know: what is sensitive data? It is any data about a person, or entity, that is potentially exploitable or possibly damaging. Some sensitive data is defined by law. There are dozens of alphabet soup laws, regulations, and standards with which we have to comply. Some of these are: PCI-DSS, HIPAA, FERPA, GLBA, GDPR, and so many more. If you don’t know what any of those are, Google is your friend, but we can discuss the impact of these laws, regulations and standards without knowing exactly what they are. For example, the college is required to comply with HIPAA to protect employee and student medical records. It must comply with FERPA to protect student information and with PCI-DSS to protect credit and debit card information. But what is this information?

A short list includes names, addresses, credit card numbers, medical diagnoses, grades, academic status, classes taken, location, and account numbers. Not all of these information items are covered by all of the laws, regulations, and standards, but a subset of them are covered in almost every one. They are referred to as PII (personally identifying information), PHI (personal health information), or other acronyms. The penalties for not protecting this data range from monetary fines, to loss of institutional accreditation, to the inability to accept credit and debit cards as payment options. Any of these penalties would be bad, but arguably the worst result would be the loss of a good reputation for the college.

The college offers training to faculty, staff and students whose jobs involve dealing with sensitive information. Ask your supervisor if your job involves handling sensitive information. If so, ask for training. Information Security will provide it, just email us at infosec@berry.edu.

Part of securing sensitive data, particularly usernames, passwords, and financial information, is learning to spot phishing emails and other social engineering attempts. Phishing emails are getting more sophisticated every day, and targeted phishing, sometimes called “spear-phishing”, is now on the rise. Because of the inordinate amount of data collection and aggregation in use by many companies, and the data breaches that expose this information, more and more information is available to scammers for crafting emails that are convincing and appropriately targeted, so it is getting harder and harder to tell real emails from fraudulent ones. Here is a short list of things to watch out for when evaluating an unexpected email (virtually 100% of phishing emails are unexpected in some way).

  • Misspelled words, poor grammar, odd word choices, and improper punctuation are all signs of a potential phishing email
  • Emails promising large sums of money or informing you that you won a lottery you didn’t know existed are common ruses – everybody likes more money.
  • Urgent deadlines, threats of loss of accounts or access to files, late fees, penalties, are all designed to force you to make a bad decision.
  • The government (local, state, or federal) will never send you notice of impending actions via email. That notice from the IRS about a rebate or, worse, a penalty can generally be ignored.
  • Any request for your username and password, whether by email or phone call, or any other communication channel is always fraudulent.
  • Phishing emails frequently ask you to click on a link to do everything from “confirm your details” to download a document that has “important information” in it. Don’t follow links in suspect emails. If the phisher got lucky and tries to impersonate a company you have an account or do business with, go to the site directly in a new browser window (meaning, don’t click the link!), log in, and check your account. If the company has an important message for you, it will be there.

Let’s assume you clicked on a link (reminder – don’t do that). How do you know if the page in your browser that is now requesting your username and password is legitimate?

  • Check the address bar to make sure the site is secure.
  • Check the address in the address bar to make sure it is correct.
  • Does the page look familiar?
  • Are there typos on the page?
  • Do logos and images look out of place?
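The first two checks above, whether the page is secured and whether the address is really the site you meant to visit, can be written down precisely. The following Python function is an added example, not from the newsletter; the expected domain berry.edu and the sample addresses it is run against are constructed for illustration.

```python
"""Added example: the two address-bar checks (is the site secured, is the
address correct) applied to a URL. Sample URLs below are constructed, not real."""
import ipaddress
from urllib.parse import urlsplit


def check_login_url(url: str, expected_domain: str) -> list[str]:
    """Return a list of problems found; an empty list means both checks passed.

    expected_domain is the registered domain you intended to log in to,
    for example "berry.edu" (assumed here for illustration).
    """
    problems = []
    parts = urlsplit(url)
    expected = expected_domain.lower()

    # Check 1: is the site secure?  A login page served over plain http fails.
    if parts.scheme.lower() != "https":
        problems.append(f"not secured: scheme is '{parts.scheme or 'none'}', expected https")

    # A username in the URL (user@host) puts the real host after the '@';
    # everything before it is decoration that can resemble the expected domain.
    if parts.username is not None:
        problems.append("URL contains '@': the real host is what follows it")

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        problems.append("no host in URL")
        return problems

    # A bare IP address in place of a hostname is not how legitimate login pages work.
    try:
        ipaddress.ip_address(host)
        problems.append(f"host is an IP address ({host}), not a domain name")
        return problems
    except ValueError:
        pass

    # Punycode labels (xn--) can render as look-alike characters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("host contains punycode (xn--) labels; check which domain it really is")

    # Check 2: is the address correct?  The expected domain must be the whole host
    # or a suffix preceded by a dot.  "berry.edu.example.net" and "berry-edu.example"
    # both contain the expected text but are registered under a different domain.
    if host == expected or host.endswith("." + expected):
        return problems
    if expected in host or expected.replace(".", "-") in host:
        problems.append(f"host '{host}' only resembles '{expected}'; the registered domain is different")
    else:
        problems.append(f"host '{host}' is not '{expected}'")
    return problems


if __name__ == "__main__":
    # Constructed sample addresses, the kind of thing a phishing quiz shows.
    samples = [
        "https://sso.berry.edu/login",
        "http://sso.berry.edu/login",
        "https://berry.edu.account-verify.example/login",
        "https://berry.edu@login.example/",
        "https://192.0.2.10/login",
    ]
    for sample in samples:
        result = check_login_url(sample, "berry.edu")
        print(sample, "->", "OK" if not result else "; ".join(result))
```

The function only reads the address; it is the programmatic form of looking at the address bar, and it says nothing about whether the page content itself is genuine.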

In the end, ask yourself these two questions with every email:

  1. Is this email or phone call asking for my password or other login information?
  2. If I clicked on the link (reminder – just don’t) did it bring me to a login page?

If the answer is YES to either question, then there is a good chance you are being phished.

Check these resources to test your eye for spotting phishing emails and fraudulent login pages:

OpenDNS’s Phishing Quiz – This tests your ability to verify correct web addresses

Jigsaw/Google Phishing Quiz – This one is fairly difficult, but explains each phishing clue

Accellis Phishing Quiz – You have to scroll a bit, but it’s a good test

Now let’s talk about protecting your IT (and yourself) by cleaning out your digital file cabinet. Sometimes we “temporarily” store a password for an account in an unsafe way, like in a photo on a smartphone, or even in a text file or note-taking app. Other times we keep information about financial transactions, tax returns, and other potentially dangerous data around for way too long. We keep so much stuff these days we have no idea what we have anymore. Take time for a quarterly cleaning. Every time the season changes (which I admit is sometimes a moving target here in the South), take time to do the following:

  • Go through the photos on your phone, or sort through them on a laptop or desktop if they are stored in a cloud storage service. Get rid of any of those “temporary” pictures you were going to delete anyway. This is also a good opportunity to take a look at what you have captured on your phone’s camera and delete any potentially embarrassing or even incriminating photos. Hey, we’re all human!
  • Sort through your files stored in cloud storage services like iCloud, Google, Dropbox, and others to see if there is anything you don’t need anymore. It’s best to just delete these files, as you generally pay by the gigabyte for cloud storage. If you don’t need it, why keep it, especially if it is sensitive information?

Finally, here is another funny video by Habitu8 about phishing, or, in this instance, “vishing”: phishing via a phone call. More specifically, this type of attack is called, as the title says, a CEO scam. Check it out – CEO Scam by Habitu8 – you’ll want to pause the final screen with tips on how to avoid this scam, unless you are a speed reader.

Thanks for reading all of this! Check the site next week for the new NCSAM article and check the site often for breach announcements, current phishing scams, and more.


NCSAM Week 2 – Privacy, Safe e-Commerce, What’s Out There About Me?

Welcome to week 2 of National Cyber Security Awareness Month!

This week we will again explore all three aspects of this year’s theme – “Own IT, Secure IT, Protect IT”. Remember, the “IT” stands for “information technology”, and, just like we have to do regular maintenance on our cars or bikes, we have to do regular maintenance on our digital presence.

We talked about safe social media posting last week in relation to “owning” our IT. Let’s continue to talk about social media, but this week we’ll focus on making sure you have checked the privacy settings of all your social media accounts. There are a lot of resources to help you with this; the best ones should be on the specific sites themselves. Go to the support section of all your social media sites and look for information on default privacy settings and make sure you are comfortable with them. If not, change them to suit your comfort level. Beyond the support section of your social media sites, here are a couple of links to more privacy resources:

10 Ways to Protect Your Privacy on Social Media

How To Manage Your Social Media Privacy Settings

Realize that social media sites are continually updating their systems and therefore, some of these tips may no longer be applicable or accurate.

We buy more and more things online these days, from electronics to cars to tonight’s dinner. As part of “securing” our IT, let’s talk about staying safe while using e-commerce sites. Any time you make purchases online, be very careful to only provide as much information as is needed to complete your purchase. Unless you use a particular site almost daily, don’t allow sites to save your credit or debit card info. Data breaches happen every week. The fewer places your financial information is stored, the better. Always make sure any page you submit credit or debit card info on (or any sensitive or private info) is secured via HTTPS. Browsers have changed how they display this now. Until recently there was a green padlock in the address bar of the browser; now the padlock is either gray or missing entirely if the page is secured. If it is NOT secured, the browser should clearly indicate this and how this is done varies from browser to browser. Finally, make sure the sites you purchase on are reputable. If you’re not sure, open another tab in your browser and look for reviews. The Internet is great for that! Click here for a resource with more details about shopping securely from the folks at the SANS (SysAdmin, Audit, Network and Security) Institute. This is an OUCH! newsletter, a free resource from SANS you can subscribe to on their site, sans.org.

Finally, to “protect” our IT, go hunting for yourself online sometime. You can do a simple Google search, or use some of the many available resources to see how much of your information is out there. One great resource is Troy Hunt’s Have I Been Pwned website. Here you can input your email address(es) into a search form and the site will tell you if your information has been a part of any of hundreds of data breaches, spanning back for years. If you are really curious about what exactly is out there, you can use one of a number of people search engines like Spokeo or Pipl. To get details requires a purchase of some kind on either site, but they can be spookily accurate and precise about who knows what about you.

Now that you have some idea what is out there, how do you get rid of it? Or fix it, if it is inaccurate? If you can pinpoint the source of inaccurate information, you can usually go directly to the site and get help remediating the issue. If not, there are other resources out there to help you with this. Here are a couple:

UnListMy.Info

Privacy Rights Clearinghouse

I hope you found this article informative. If you have any questions about any of this information, please either email me directly at infosec@berry.edu or, if your question is not about sensitive information and you think others might benefit from the answer, you can post your question to the Q&A page of this site. Just click on the “Q&A” in the top menu.

Check the table in Krannert on Thursday for info and goodies and another chance to put your name in the pot for a prize to be awarded on Halloween. Also, please take a moment to read each week’s article as they post.

Here is this week’s video, a funny clip about over-sharing on social media, which would have been more appropriate last week, but I couldn’t not share it with you:

Social Media Privacy by Habitu8, The Security Awareness Video Company

Tune in next week when we talk about data and phishing!

NCSAM Week 1 – Social Media, Passwords, Cyber Hygiene

Welcome to National Cyber Security Awareness Month, also known as NCSAM!

Every week this month we will explore topics around the theme of “Own IT, Secure IT, Protect IT”. That’s not three typos in a row, that’s “IT” as in information technology. We are surrounded by it, in our homes, at work, in stores, and just about anywhere we go. We depend on it, just like we depend on our cars or bikes. That means, just like cars and bikes, we have to take care of it with regular maintenance, and make sure to lock it so it won’t get stolen.

Each week we will briefly explore an idea around each of these aspects of owning, securing and protecting. This week, in relation to “owning” our IT, we want to remind everyone to be careful what they post on social media. Once something is posted, nothing short of an EMP or nuclear war will remove it from the Internet (not that there would be an Internet left after either of these occurrences, but you get the point). These days, employers routinely explore prospective employees’ social media posts to get a better idea of the person they are considering hiring. Own your social media by being careful about what you post and also by asking your friends to not include you in potentially derogatory posts.

In the realm of “securing” our IT, please make sure you are using strong, unique passwords for your online accounts. Strong passwords should be long, at least 12, if not more, characters. Don’t be concerned so much with complexity, because longer passwords are generally better. Don’t use your name, your pet’s name, your phone number, or any other information that might be available online. Don’t reuse passwords between accounts, particularly passwords for financial or other sensitive accounts. If you have a lot of accounts (and honestly, who doesn’t?) consider using a password manager to help you create and “remember” all those strong, unique passwords. You can get more information on strong passwords and password managers at the table in Krannert on Thursday.

Finally, concerning “protecting” our IT, follow good cyber hygiene practices. Just like you have to clean up trash, brush your teeth, and wash your clothes (at least occasionally), you should close out online accounts you don’t use, change your passwords periodically, and delete files you no longer need. You should also always lock your computer if you are stepping away from it (not recommended if it is a laptop; keep it with you!), and always use either a PIN or a biometric lock mechanism (finger scan, face recognition) for your mobile devices, especially your phone. Your phone is the key to so many of your online accounts. Make sure it is secured!

Check the table in Krannert on Thursday for info and goodies and a chance to put your name in the pot for a prize to be awarded on Halloween. Also, please take a moment to read each future week’s article.

Here is this week’s video, an oldie but goodie about password security. You will have to log in using your email credentials to view the video.

Students: https://web.microsoftstream.com/video/2dc735da-b797-4725-a8bc-8f36dee9197a

Faculty/Staff: https://web.microsoftstream.com/video/f9c0bbb0-05ff-46ca-ad67-d6cae6a23b6e

July News From Information Security

We’re zooming through summer! July is here! Look for the return of the monthly security awareness posters in August!

For now, here’s a reminder about maintaining the safety of those portable devices we now depend on – our smartphones, tablets and even laptops.

With an increasing amount of sensitive data being stored on personal devices, the value and mobility of smartphones, tablets, and laptops make them appealing and easy targets. These simple tips will help you be prepared in case your mobile device is stolen or misplaced.

  • Encrypt sensitive information. Add a layer of protection to your files by using the built-in encryption tools included on your computer’s operating system. Use BitLocker for Windows, FileVault for MacOS, and for Android and iOS devices use the encryption that is part of the system, which in some cases is enabled by default.
  • Secure those devices and backup data! Make sure that you can remotely lock or wipe each mobile device. That also means backing up data on each device in case you need to use the remote wipe function. Backups are advantageous on multiple levels. Not only will you be able to restore the information, but you’ll be able to identify and report exactly what information is at risk. (See Good Security Habits for more information).
  • Never leave your devices unattended in a public place or office. If you must leave your device in your car, place it in the trunk, out of sight, before you get to your destination, and be aware that the summer heat of a parked car could damage your device.
  • Password-protect your devices. Give yourself more time to protect your data and remotely wipe your device if it is lost or stolen by enabling passwords, PINs, fingerprint scans, or other forms of authentication. (See Choosing and Protecting Passwords.) Do not choose options that allow your computer to remember your password.
  • Put that shredder to work! While not directly related to portable devices, paper records are VERY portable! Make sure to shred documents with any personal, medical, financial, or other sensitive data before throwing them away.
  • Be smart about recycling or disposing of old computers and mobile devices. Properly destroy your computer’s hard drive. The User Support department will do this for your Berry machines, but you should do the same for your personal devices. Use the factory reset option on your mobile devices and erase or remove SIM and SD cards.
  • Verify app permissions. Don’t forget to review an app’s specifications and privacy permissions before installing it! Use some common sense. Device permissions unrelated to the purpose of the app should not be accepted.
  • Be cautious of public Wi-Fi hot spots. Avoid financial or other sensitive transactions while connected to public Wi-Fi hot spots. If you must, find a good VPN application for your device and use it.
  • Keep software up to date. If the vendor releases updates for the software operating your device, install them as soon as possible. Installing them will prevent attackers from being able to take advantage of known problems or vulnerabilities. (See Understanding Patches and Software Updates.)

What can you do if your laptop or mobile device is lost or stolen? Report the loss or theft to the appropriate authorities. These parties may include representatives from law-enforcement agencies, as well as hotel or conference staff. If your Berry device is lost or stolen and contained sensitive institutional or student information, immediately report the loss or theft to your supervisor and OIT so that they can act quickly. Even if you believe the device did not store sensitive or confidential information, report the incident as quickly as possible.

Two more items:

First, the external email banner is now active in Outlook and on Outlook Web Access. Emails received from non-Berry addresses will have the banner alerting you to this fact at the top of the message. There have been a number of questions about this service and I want to address them.

  • I am very glad that some of you are confident in your ability to discern the validity of any given email, but we have a large percentage of faculty, staff, and students who cannot. This is intended to help them when they receive an email from “President Briggs” or from “their supervisor” asking them for “a favor”.
  • There is no way to exclude certain addresses from the banner – if the email came from a non-Berry account, it will contain the banner.
  • If you need to forward the email to someone else, and don’t want the banner in the forwarded correspondence, the banner is removable in the edit window for the forwarded email.
  • Email banners like this one are common both at other higher education institutions and in the corporate space.

I understand it requires a new process for handling the vast amounts of emails we receive on a daily basis. We tested another way to alert users by inserting a tag in the subject line of the email, instead of using the banner, but the banner was the preferred method according to the test group.

Unfortunately, it only takes one phished user to compromise a large portion of our information systems. We have been lucky so far that the only phishing attempts our users have fallen for involved buying gift cards or giving up their username and password, both easily remedied.

I would be happy to discuss this further with anyone, but for now, this policy stands for our entire email user population.

Second, you are strongly encouraged to sign up for multi-factor authentication (MFA) to improve the security of your account. Check out the May Information Security Newsletter for more information.

Have a great rest-of-the summer!

March News from Information Security

March is here! Spring Break can’t be far away. This month we are focusing on protecting your rights as a consumer. We are all consumers at some point and we should take proactive steps to make sure we are making good financial decisions and setting ourselves up to be able to recover from identity theft.

This article is posted today so that you can read it before National Consumer Protection Week (March 3-9) begins. This week is dedicated to helping consumers know their rights and make well-informed decisions about their finances. Check out the FTC site linked above for more information.

Identity theft has become a fact of life during the past decade. If you are reading this, it is a safe bet that your data has been breached in at least one incident. Does that mean we are all helpless? Thankfully, no. There is a lot we can do to protect ourselves from identity theft and to make recovery from cyber incidents quicker and less painful.

First, take control of your credit reports. Examine your own report at each of the “big three” bureaus. You get one free report from each credit bureau once per year. You can request them by going to AnnualCreditReport.com. Make sure there’s nothing inaccurate in those reports, and file for correction if needed. Then initiate a credit freeze at each of those plus two other smaller ones. Instructions can be found at Krebs on Security. To keep an eye on your credit report all year, space out your credit bureau requests by requesting a report from a different credit bureau every four months.

Next, practice good digital hygiene. Just as you lock your front door when you leave home and your car when you park it, make sure your digital world is secured. This means:

  1. Keep your operating system up to date. When OS updates are released, they fix errors in the code that could let the bad guys in. Be sure to update. It takes a few minutes, but could protect you from serious financial harm.
  2. Do the same for the application software you use. Web browsers, plug-ins, email clients, office software, antivirus/antimalware, and every other type of software has flaws. When those flaws are fixed, you are in a race to install that fix before someone uses the flaw against you. The vast majority of hacks leverage vulnerabilities that have a fix already available.
  3. Engage your brain. Think before you click. Think before you disclose personal information in a web form or over the phone.
  4. Think before you share on social media sites. Some of those fun-to-share-with-your-friends quizzes and games ask questions that have a disturbing similarity to “security questions” that can be used to recover your account. Do you want the answers to your security questions to be published to the world?
  5. Use a password manager and keep a strong, unique password for every site or service you use. That way a breach on one site won’t open you up to fraud at other sites. See the article posted right here on this website about password managers.
  6. Back. It. Up. What do you do if you are hit with a ransomware attack? (Or a disk failure?) If you have a recent off-line backup, your data are safe, and you can recover without even thinking about paying a ransom. Check into cloud storage like Dropbox and OneDrive and backup options like iDrive, Acronis, and Carbonite.
  7. Full disk encryption is your friend. If your device is stolen, it will be a lot harder for a thief to access your data, which means you can sleep at night. This is available in both Windows and MacOS operating systems and almost all smartphones.
  8. Check all your accounts statements regularly. Paperless statements are convenient in the digital age. But it is easy to forget to check infrequently used accounts. Make a recurring calendar reminder to check every account for activity that you don’t recognize.
  9. Manage those old-style paper statements. Don’t just throw them in the trash or the recycle bin. Shred them with a cross-cut shredder. Or burn them. Or do both. Data stolen from a dumpster are just as useful as data stolen from a website.

If you’ve been a victim of identity theft:

  • Create an Identity Theft Report by filing a complaint with the Federal Trade Commission online (or call 1-877-438-4338).
  • Use the Identity Theft Report to file a police report. Make sure you keep a copy of the police report in a safe place.
  • Flag your credit reports by contacting the fraud departments of any one of the three major credit bureaus: Equifax (800-685-1111); TransUnion (888-909-8872); or Experian (888-397-3742).

Set aside some time in March to manage your financial accounts and take precautions like those listed above.

For more information, check out the FTC video “Five Ways to Help Protect Your Identity”.

The content above is provided by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council.

Be on the lookout for new security awareness posters in the residence halls and other locations on campus. There will be a table in Krannert toward the end of the month, after Spring Break. There will be two more chances to win a prize, one related to the posters and another at the table in Krannert.

Below is a list of useful resources, including some mentioned above.