Welcome to April and all that it means to this community! April is the month before the end of the semester in May. April means it is getting warmer and it’s time, if you haven’t already, to cycle in a new wardrobe of clothes for the fast-moving weeks at the end of the school year. I want to apologize for the tardiness of this newsletter. I was unavoidably out of work for a week due to problems caused by the massive amount rain we received back on March 25th. I know so many of you wait with bated breath for the first day of the month just to read my newsletter, so I apologize for the delay. </sarcasm>Continue reading “April News from Information Security”
Whew! We made it to March!
While there won’t be some of the typical shenanigans we are used to experiencing in March, like Spring Break (sorry, I had to mention it), there are plenty of things to be aware of. This newsletter may run a little longer than most, as we are “enjoying” the result of a confluence of tax season, potential economic stimulus payments, Zoom meetings, COVID vaccines, plus all the regular stuff. As Maverick from Top Gun would say, this is a “target-rich environment”, except not for potential dates, but for phishing emails.Continue reading “March News from Information Security”
Welcome to February, the month of Valentine’s Day, Black History Month, World Cancer Day, Abraham Lincoln’s birthday, World Day of Social Justice, and many other international, regional, and country-specific days of remembrance and celebration.
This year it is also the time when a new Virtual Scavenger Hunt is launching, sponsored by Information Security and the Office of Information Technology. If you participated in and enjoyed the Virtual Scavenger Hunt back in October for Cybersecurity Awareness Month, you will love this one. No need to wait a week for the next set of questions-this scavenger hunt can be completed in an afternoon or evening (or morning, if you prefer).
The Scavenger Hunt will kick off on Monday, February 15th, the day after Valentine’s Day, so it is appropriately named the “Post V-Day Virtual Scavenger Hunt”. The hunt will conclude at noon on Friday, February 19th with a drawing that will determine who will win the four available prizes.
Two winners will be drawn from a pool of names made up of anyone who attempts the scavenger hunt. To qualify for that drawing, you only have to attempt the hunt and submit answers to at least the first day of questions, even if those answers are wrong. For the sake of clarity, I am calling these prizes “runner-up” prizes. They will consist of a collection of college, OIT, and Information Security branded items along with a generous amount of Valentine’s Day candy.
Two prizes I am calling “grand prizes” will be awarded to two lucky people whose names are drawn from a pool of names of those who successfully complete the scavenger hunt. To qualify, you must complete the hunt by finding all the correct answers to the questions, then complete the form at the end of the hunt. The grand prizes will consist of a package including a super cool and vaguely Berry blue Rocketbook Smart Reusable Notebook (8.5″ x 11″) with a Frixion pen and microfiber cloth, seven additional Frixion pens in various colors, and a Rocketbook Pen Station pen holder. This notebook is reusable, eco-friendly and can scan your notes directly to a cloud storage provider like Google Drive, Dropbox, Evernote, OneNote, iCloud and others with the help of an app on your Android or Apple phone. There are lots of available accessories for these notebooks including folio covers, additional pens, and even “Beacons” which will allow you to scan information on a whiteboard using the same app. Good luck! I will send a reminder about the scavenger hunt on the 15th.
I want to revisit a topic introduced in the January newsletter, which you can read at this link. Our new training platform is ready for use, with several short security awareness courses focusing on single topics like email phishing, other social engineering tactics, data security, passwords, and safe browsing. There is also a longer general security awareness course that incorporates all of these topics, spending substantially less time on each one.
If you would like to have access to this training, just go to the InfoSec News and Alerts site, click on “Latest Posts” in the main menu, then click on the link to the form, which is on the right-hand side of the page. You can also simply click this link to access the form.
If you are depending on Zoom to attend or conduct classes or for work, be sure to check out the Zoom resources provided here for tips and information on how to effectively and safely use Zoom.
If you don’t already have it, multi-factor authentication (MFA) is coming your way. This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. You can request MFA be enabled on your account or wait until you are automatically enrolled in the next few weeks. Make your request by emailing email@example.com to tell them you want MFA!
If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. If you are not into social media, you can also subscribe to get updates via email.
You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events will be posted.
Food for Thought
Permanent link to this comic: https://xkcd.com/1016/
In September of 2020 there was a breach of the Nitro PDF service. There were 77 million records exposed, which included email addresses, names and passwords for the service.
There were 161 berry.edu or vikings.berry.edu email addresses included in the breach.
To find out if your information is included, you can go to Have I Been Pwned and enter your email address in the search form. While you are there, you can also sign up for breach notifications involving your Berry or other email addresses by clicking on “Notify Me” at the top of any page on the site.
If your information was included, be sure to change your password for the Nitro PDF service. Also, check your settings to make sure they have not been altered.
Be sure to NEVER reuse your Berry email password for any other website or service! Stay vigilant against phishing emails by learning what to look for. Check out the Phishing Quick Info page here on this site at a minimum.
As always, if you have questions about any of this, you can contact Information Security using the information on the right-hand side of any page on this site.
If you haven’t signed up for multi-factor authentication (MFA), you will soon be enrolled by the Office of Information Technology. You can still request this additional security measure so you can set it up on your timeframe, before it is required.. MFA adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. Make your request by emailing firstname.lastname@example.org to tell them you want MFA!
If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like
tables in Krannert and Virtual LunchITS will be posted.
Welcome to 2021! Let’s hope it goes better than 2020.
Welcome back to campus. I hope everyone had a good holiday, stayed healthy, and is ready to charge through the spring semester. As you attempt to settle back in, I encourage you to take the time to reacquaint yourself with basic information security awareness.
In the fall, the college acquired a new training platform for security awareness. This content on this platform is authored by some of the foremost security experts on the planet. This group, known as the SANS (SysAdmin, Audit, Network, and Security) Institute, is the largest source for training and security certification in the world. They manage the Internet Storm Center, billed as “the Internet’s early warning system”, along with in-depth training and certification.
The new platform provides us with a rich set of training courses, supplemental materials, and course management options. Use of the platform is open to anyone in the active community of students, faculty, and staff. Courses for basic security awareness take about half an hour to complete, with some courses centered around specific topics such as FERPA, HIPAA, or PCI-DSS compliance taking up to an hour. You can request access to the platform by sending an email to email@example.com and stating you want access to the security awareness platform, or by filling out the training access form found here.
By choosing to take security awareness training, you can help the college fend off attackers, but equally as importantly, you can learn how to protect yourself, your home networks, your devices, and your various Internet accounts. It has never been more important to be aware of the tactics, techniques, and procedures attackers use to try and gain access to your devices and accounts. With COVID-19 came challenges to how we work, socialize, and live life, but along with those challenges came additional, and more potent attacks by the Internet bad guys. Not a day goes by without some phishing email landing in someone’s email inbox, or a text on a phone, or even a voice call, all attempting to separate you from your money, your accounts, and your peace of mind.
Courses on the platform include general security awareness as well as dedicated courses on phishing, account management, safe browsing, passwords and password managers, and device management. Once you are on the platform, you can choose to complete any or all of these courses.
There are also, as mentioned before, courses that target specific compliance and regulation topics. Some of you may be required to take one or more of these courses as part of your job responsibilities. If so, you will be notified via email and be given ample time to complete the training.
The last thought in relation to this topic is this-in an effort to raise the security awareness of the entire community, we are looking to make security awareness training a regular part of everyone’s routine. The frequency of training is being discussed, but it is likely to be conducted at least annually, if not biannually. This is not designed to torture you, or simply add to your workload, but to help you be vigilant, informed and conscientious in your everyday work. The SANS training starts with a module called “You Are The Shield”, emphasizing your role in being the first line of defense against attacks on the college that attempt to bypass our security technology by attacking you directly, via social engineering. We hope that by regularly providing training to you, you will be the shield.
Don’t forget, if you are not currently using multi-factor authentication (MFA), you will be sometime in the spring semester. We are continuing to roll MFA out to everyone on a schedule, but if you want MFA faster, please email firstname.lastname@example.org and inform them you want MFA enabled on your account. You can find more information about MFA here, and you can find information on how to set up MFA in this document.
If you are depending on Zoom to conduct classes or work, be sure to check out the Zoom resources document provided here for tips and information on how to effectively and safely use Zoom.
Finally, Data Privacy Day is January 28th. Data Privacy Day is an international effort to promote the respect of privacy, safeguard data and enable trust. According to Stay Safe Online, a project of the National CyberSecurity Alliance,
Millions of people are unaware of and uninformed about how their personal information is being used, collected or shared in our digital society. Data Privacy Day aims to inspire dialogue and empower individuals and companies to take action.
What action? The first and foremost goal is to manage your privacy and security settings for all your accounts. This page, on the staysafeonline.org site shows you how to manage your settings on many popular devices, accounts, and services. Go there first to secure your accounts and devices, then share the link with your family and friends so they can do the same.
As you are securing your accounts, if you notice any settings that you feel should be different or default to safer values, let that website or service know. There is little incentive for these companies to change their practices if no one complains about them. There should be a contact form on most sites, but if not, sending to email@example.com will usually get your feedback to the right place. Be sure to use the correct site address, i.e. firstname.lastname@example.org for Facebook.
Also on Data Privacy Day, which is a Thursday, I will be offering a lunchtime training event via Zoom which will cover passwords and password managers. Having a strong and unique password for every account you have is the first step in securing your data and making sure it stays private. You can sign up for the class by going to the Events calendar on this site and clicking on the event on January 28th. There will be a sign up/RSVP (Going) button once you open the event.
Look for a new Virtual Scavenger Hunt in February. It will run the week leading up to Valentine’s Day. The grand prize will be…somewhat Valentine’s Day themed. More details in the February newsletter.
Food for Thought
Cartoon courtesy of XKCD.com
Permalink for cartoon https://xkcd.com/2391/
We did it! We made it through October and Cybersecurity Awareness Month. I want to thank everyone who read the weekly articles, checked out the posters, and participated in the Virtual Scavenger Hunt. I want to congratulate Hanna Popa for her successful completion of the hunt and her luck in winning the Monster Clarity 102 AirLinks ear buds. She was one of the eight who completed the entire hunt out of the thirty-three who attempted some part of it.
If you enjoyed the hunt, or you missed it, but heard great things about it and wished that you had participated AND would like us to hold another one, just email email@example.com and tell us. While you’re at it let us know what information security topics you would like to see addressed here in articles or quick tips or even live (via Zoom for now) training sessions.
Speaking of live training, here in November there will be another opportunity to attend (via Zoom) live one-hour-ish lunchtime training on account management, covering everything from picking good passwords to using password managers, to enabling multi-factor authentication on all your accounts, particularly your Berry account. The event will be posted to the Event Calendar this week, once a final decision is made on the exact date, so check it out and sign up.
Our primary topic for this month is multi-factor authentication or MFA. MFA is now required for all Berry accounts and the Office of Information Technology (OIT) is rolling it out in phases. You will receive, if you haven’t already, an email detailing when MFA will be enabled on your account and how to set it up. The Network Operations group is holding training on MFA setup via Zoom, so if you have issues with the setup, be sure to attend. Details should be in the email you receive.
Why are we requiring MFA? You could potentially blame it on the corona-virus or COVID-19, but our attempts to require MFA have been in the works for many months before the virus hit our community. MFA places another layer of security on your Berry account, preventing someone who guesses or steals your password from accessing your account. It does this by requiring a second piece of evidence or a second “factor” in addition to your password to prove that you are you. That factor could be a fingerprint, or a temporary six-digit code texted to you or found in an app on your smartphone. In our case, the default second factor is just an approval via an app on your smartphone.
With MFA enabled, when you log in to your account, you will be required to enter your password, then a notification will pop up on your phone asking you to “approve” or “deny” the login request. You just touch “approve” if you are attempting to log in, or “deny” if you see a request when you haven’t tried to log in to your account. Without this second factor, the approval, or if you deny the login attempt, the login fails and the incident is logged so OIT can follow up and mitigate any potential threat to your account. This protects not just your email, but any web-based service you use here at Berry, from VikingWeb to the financial aid portal to the health center portal, so it is vital MFA is enabled on your account.
We’ve mentioned Zoom twice already in this newsletter, and we’re going to circle back to it now. One of the most critical aspects of using Zoom effectively is securing your Zoom sessions from “zoombombers” and others that wish to disrupt sessions. We depend on Zoom far too much these days, so we want to offer some information about how to properly secure your Zoom sessions.
Here is a Zoom document that discusses most of the security settings for Zoom. Don’t be daunted by the fact it is twelve pages long, there are pictures and cover pages and large type galore. Here are the high points, in a simple list:
- Use the waiting room feature if your meeting is not too large. This lets you control who actually gets into the meeting, albeit manually.
- Use a passcode for all meetings and use randomly generated meeting IDs, NOT your personal meeting ID.
- Only allow registered users to attend. Be careful with this setting, but it is useful if done correctly.
- Lock your meeting. Once everyone who is supposed to attend has arrived, you can lock the meeting to prevent anyone else from joining.
- Know how to manage users during the meeting. Understand the settings to control screen sharing, mute everyone, remove participants, and configure chat and annotation to prevent abuse.
Our current environment can prove difficult to navigate at times, but making sure you know how to manage a Zoom session will go a long way to make sessions requiring Zoom effective and secure.
One last thing before we wrap up. I want to encourage you to report ALL phishing emails you receive, using the “Report Email as Phishing” button available in the email browser interface (https://mail.berry.edu), on mobile devices using the official Outlook mobile client, and on the desktop using Outlook 2016 (Click-to-run version only) or Outlook 2019 (all versions). Doing so will help OIT protect the community by mitigating dangerous phishing emails identified by you, our first line of defense against phishing.
Welcome to week 4 of Cybersecurity Awareness Month!
This is it! This is the last week to participate in the Virtual Scavenger Hunt (VSH)! I hope you have all successfully advanced to the fourth and final week, but if not, there are some clues later in the article to help you along. If you haven’t yet started, you still can, giving you a chance to win the
Monster Isport Ear Buds Monster Clarity 102 AirLinks Wireless Ear Buds. Head over to the VSH start page (link at the bottom of the article, to not distract you from the main topics).
Security Awareness Training
An important part of equipping the Berry community to #BeCyberSmart is security awareness training. We’ve used security awareness training for specific groups here at the college for a couple of years now, but our goal is to expand our training platform to allow everyone to access the same training. One way we are working toward our goal is investing in a brand new training platform to replace the one we were using.
This new platform will eventually allow us to offer the same training to everyone, with the presentation tweaked appropriately for each part of our community – faculty, staff and students. More details will be sent as we roll out the new platform. If you are required to take security awareness training for your campus job, you’ll soon see it in your MyApps portal at https://myapps.berry.edu. Hopefully, if we complete the expansion of the system in a few months, everyone will see it in the MyApps portal.
You also have the option to request security awareness training. Once the system is live, you’ll receive information on how to request that training. It will cover a variety of topics, including how to pick a good password (or 100 good passwords), password managers, how to spot phishing emails and other social engineering attempts, which will protect you and the college, and how to secure your accounts and devices.
The Future of Connected Devices
The future is all about connected devices. As mentioned in last week’s article, Internet of Things (IoT) devices include watches, shoes, and healthcare devices. We also have connected toasters, coffee makers, refrigerators, TVs, and doorbells. The IoT devices market is expected to reach $1.1 trillion by 2026 according to Fortune Business Insights. Who knows what we will have connected by that time?
In development right now are everything from smart contact lenses to smart roads, all of which must be connected to the Internet to work. The estimated number of devices connecting to the network by 2025 is well over 75 billion. One of the most important technologies to facilitate this is 5G networking. This new networking paradigm will enable this massive collection of devices to connect to each other and to us.
It’s an exciting time, but there is one fact that we need to understand as we connect “everything” to the network. Once a toaster is made “smart” and connected to the network, it is technically no longer a toaster. It is a computer that can also toast our bread and bagels. That means it must be securely connected to the network, kept up to date, and managed in some way. That puts a burden on everyone to #BeCyberSmart and understand the rewards and risks of connected devices.
If you missed the Virtual LunchITS last week but want to learn more about how to spot phishing emails, it will be repeated in November, so check the Events calendar on this site to find out when. Like the previous LunchITS, it will be held over Zoom, will last under an hour and will give you a definite edge in spotting phishing emails. I encourage you to sign up and attend. You can do that right in the event. Just click on it in the Event calendar and fill out an RSVP. There is no cost, but to make the Zoom meeting secure, you must request access to the LunchITS so I can send you the link and the password.
Also, remember that the Office of Information Technology encourages you to sign of for Multi-Factor Authentication (MFA). This will add an additional layer of security to your Berry account. You can read about it at this page on the main Berry website. Email firstname.lastname@example.org to request it.
OK, it’s time to throw some hints to those of you who can’t seem to make your Week 3 Virtual Scavenger Hunt answers get you to week 4.
For the first question – A common name for the answer to question one is “the mob”. Also, the DBIR is available at this URL – https://enterprise.verizon.com/resources/reports/dbir/
For the second question – The answer can be found right under the “Cut to the chase” heading.
For the third question – The answer is eight letters long.
For the fourth question – Scroll most of the way through the article to find this answer. It’s an “i” thing.
For the fifth question – The answer is precise to two digits past the decimal point. It’s also less than 6, but more than 5…
IMPORTANT: You don’t have to resubmit your answers on the week 3 form, but these clues should help you get the correct URL for week 4 of the scavenger hunt.
If you haven’t started the scavenger hunt, here is the start page. You have until 5PM on October 30th to complete the hunt. Good luck and happy hunting!