Welcome to April and all that it means to this community! April is the month before the end of the semester in May. April means it is getting warmer and it’s time, if you haven’t already, to cycle in a new wardrobe of clothes for the fast-moving weeks at the end of the school year. I want to apologize for the tardiness of this newsletter. I was unavoidably out of work for a week due to problems caused by the massive amount rain we received back on March 25th. I know so many of you wait with bated breath for the first day of the month just to read my newsletter, so I apologize for the delay. </sarcasm>Continue reading “April News from Information Security”
Whew! We made it to March!
While there won’t be some of the typical shenanigans we are used to experiencing in March, like Spring Break (sorry, I had to mention it), there are plenty of things to be aware of. This newsletter may run a little longer than most, as we are “enjoying” the result of a confluence of tax season, potential economic stimulus payments, Zoom meetings, COVID vaccines, plus all the regular stuff. As Maverick from Top Gun would say, this is a “target-rich environment”, except not for potential dates, but for phishing emails.Continue reading “March News from Information Security”
Welcome to 2021! Let’s hope it goes better than 2020.
Welcome back to campus. I hope everyone had a good holiday, stayed healthy, and is ready to charge through the spring semester. As you attempt to settle back in, I encourage you to take the time to reacquaint yourself with basic information security awareness.
In the fall, the college acquired a new training platform for security awareness. This content on this platform is authored by some of the foremost security experts on the planet. This group, known as the SANS (SysAdmin, Audit, Network, and Security) Institute, is the largest source for training and security certification in the world. They manage the Internet Storm Center, billed as “the Internet’s early warning system”, along with in-depth training and certification.
The new platform provides us with a rich set of training courses, supplemental materials, and course management options. Use of the platform is open to anyone in the active community of students, faculty, and staff. Courses for basic security awareness take about half an hour to complete, with some courses centered around specific topics such as FERPA, HIPAA, or PCI-DSS compliance taking up to an hour. You can request access to the platform by sending an email to firstname.lastname@example.org and stating you want access to the security awareness platform, or by filling out the training access form found here.
By choosing to take security awareness training, you can help the college fend off attackers, but equally as importantly, you can learn how to protect yourself, your home networks, your devices, and your various Internet accounts. It has never been more important to be aware of the tactics, techniques, and procedures attackers use to try and gain access to your devices and accounts. With COVID-19 came challenges to how we work, socialize, and live life, but along with those challenges came additional, and more potent attacks by the Internet bad guys. Not a day goes by without some phishing email landing in someone’s email inbox, or a text on a phone, or even a voice call, all attempting to separate you from your money, your accounts, and your peace of mind.
Courses on the platform include general security awareness as well as dedicated courses on phishing, account management, safe browsing, passwords and password managers, and device management. Once you are on the platform, you can choose to complete any or all of these courses.
There are also, as mentioned before, courses that target specific compliance and regulation topics. Some of you may be required to take one or more of these courses as part of your job responsibilities. If so, you will be notified via email and be given ample time to complete the training.
The last thought in relation to this topic is this-in an effort to raise the security awareness of the entire community, we are looking to make security awareness training a regular part of everyone’s routine. The frequency of training is being discussed, but it is likely to be conducted at least annually, if not biannually. This is not designed to torture you, or simply add to your workload, but to help you be vigilant, informed and conscientious in your everyday work. The SANS training starts with a module called “You Are The Shield”, emphasizing your role in being the first line of defense against attacks on the college that attempt to bypass our security technology by attacking you directly, via social engineering. We hope that by regularly providing training to you, you will be the shield.
Don’t forget, if you are not currently using multi-factor authentication (MFA), you will be sometime in the spring semester. We are continuing to roll MFA out to everyone on a schedule, but if you want MFA faster, please email email@example.com and inform them you want MFA enabled on your account. You can find more information about MFA here, and you can find information on how to set up MFA in this document.
If you are depending on Zoom to conduct classes or work, be sure to check out the Zoom resources document provided here for tips and information on how to effectively and safely use Zoom.
Finally, Data Privacy Day is January 28th. Data Privacy Day is an international effort to promote the respect of privacy, safeguard data and enable trust. According to Stay Safe Online, a project of the National CyberSecurity Alliance,
Millions of people are unaware of and uninformed about how their personal information is being used, collected or shared in our digital society. Data Privacy Day aims to inspire dialogue and empower individuals and companies to take action.
What action? The first and foremost goal is to manage your privacy and security settings for all your accounts. This page, on the staysafeonline.org site shows you how to manage your settings on many popular devices, accounts, and services. Go there first to secure your accounts and devices, then share the link with your family and friends so they can do the same.
As you are securing your accounts, if you notice any settings that you feel should be different or default to safer values, let that website or service know. There is little incentive for these companies to change their practices if no one complains about them. There should be a contact form on most sites, but if not, sending to firstname.lastname@example.org will usually get your feedback to the right place. Be sure to use the correct site address, i.e. email@example.com for Facebook.
Also on Data Privacy Day, which is a Thursday, I will be offering a lunchtime training event via Zoom which will cover passwords and password managers. Having a strong and unique password for every account you have is the first step in securing your data and making sure it stays private. You can sign up for the class by going to the Events calendar on this site and clicking on the event on January 28th. There will be a sign up/RSVP (Going) button once you open the event.
Look for a new Virtual Scavenger Hunt in February. It will run the week leading up to Valentine’s Day. The grand prize will be…somewhat Valentine’s Day themed. More details in the February newsletter.
Food for Thought
Cartoon courtesy of XKCD.com
Permalink for cartoon https://xkcd.com/2391/
Welcome to one of the strangest Decembers we’ve ever had here at Berry. It is certainly the strangest of my 30 years here. The students are gone, but not done. Finals loom for some of them, then almost two full months of no school. What will we do in the silence?
I’m sure we all have different answers to that question, so I’ll leave it hanging rhetorically.
This newsletter will be a little different from previous ones. We’ll be focusing on a minimal number of topics, but for one in particular I will ask for a couple of extra minutes of reading time from you.
If you have perused this site much you will know that I post breach and data exposure announcements here periodically, usually when they affect a good number of the community. If you’ve been unlucky enough to be impacted by a breach, you may have received an email from me explaining what data was exposed and what you should do about it.
A recent notification came to me, announcing that 189 emails belonging to Berry community members had information exposed, specifically passwords. Most breaches affect no more than a couple dozen Berry email addresses and when I get the notices I will sort through them, compose an email and send it out to those affected. This number of emails was larger, but still manageable. Then I read further into the announcement. Those 189 emails were scattered across more than 23,000 potential websites and services. The data did not include enough information to determine which email address went with what service or website.
The bottom line is, 189 Berry community members, who could be faculty, staff, students, alumni, or even retirees, have had a password for some service exposed. You can find out if you were one of these 189 by going to the Have I Been Pwned website and putting in your Berry email address in the search form.
You may find that in addition to this massive exposure notification containing 226 million unique emails, named Cit0day, you may have had information related to your Berry email address exposed by other data breaches. I encourage you to not only check your Berry email, but your personal email accounts as well, and those of your family if you are so inclined. I also strongly encourage you to sign up for notifications from Have I Been Pwned. The link (Notify Me) is at the top of the main page there. It is free and if your email address shows up in a data breach, you’ll get an email notification directly from Have I Been Pwned giving you as much information about the breach as is available.
The important question, once you determine that you are indeed affected by a data breach is this – What do I do now?
Generally, I will suggest you change your password for the service or website that experienced the breach, check that your account information is correct, and if financial data was involved, to closely monitor your bank account and credit card accounts. In the case of the Cit0day notification, you will have no idea which of your twenty to one hundred or more accounts has been affected. What do you do then?
The “nuke the site from orbit” approach would be to reset the password on EVERY account you have. Do you even know all of your accounts? Who hasn’t signed up on a site for a specific purpose, never to return? What data might you have had to give up to create that account? Did it include a credit/debit card number or bank account number?
The real question to ask at this time, if you are affected by the Cit0day announcement is – Did I reuse the password for this account, whatever account it was? Realizing, again, that there is no way to tell what specific service or website exposed the password.
That question leads to the next – How many other accounts are now vulnerable because I reused this exposed password? The scary part is, you don’t have an answer to this question, because you don’t know what account is compromised.
Which leads to the most important question in this article – Why are you not using a password manager to create a unique password for EVERY account, service, and website you use? Yes, it takes time to set it up. For some, time is money, right? How much does thirty minutes cost you? The entire amount in your bank account? Unlikely. The maximum amount on your credit line? Probably not.
If you had used a password manager to create a unique password for your account on whichever site among the 23,000 possible ones that were affected , the potential damage to you would have been limited to that one site. If you reused a password, or worse, use the same password for everything, then the damage could be much greater.
Please, if you are not using a password manager now to manage your accounts, start using one. I’ve written on the subject multiple times here in the monthly newsletter and during Cybersecurity Awareness Months, both this year and in years past (all of which are available from the main menu of this site).
Take a few minutes and visit the links below. Check out the flyer linked at the Quick Info page for some password managers. If you don’t want to follow links, just type “best password manager” into your favorite search engine. There are password managers for all platforms (Windows, macOS, Linux, Android, iOS, web browsers), needs, and budgets.
Good password policies flyer with a paragraph at the bottom about password managers (PDF) Don’t try to use the link at the bottom, it is broken.
Because the link in the above PDF is broken, here is a link to a great article on password managers-the good, the bad, the ugly, and the beautiful. My apologies for the pop-up ads, but the article is worth the annoyance. If you read nothing else, read this article.
Whew! That was password managers. The next and final item I want to emphasize in this newsletter is multifactor authentication (MFA). MFA is coming to all accounts at Berry – faculty, staff, and students. With some personnel issues that have come up, the rollout may be delayed a bit, but it is still coming.
Again, I have written about this multiple times over the course of maintaining this site. There is a Quick Info page on MFA for the impatient, or you can go read the instructions for setting up MFA here on the main Berry website. If you are still unclear about why we are requiring this, check out this FAQ article, also on the main Berry website.
You can still request MFA for your account by emailing firstname.lastname@example.org.
If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets.
Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me.
Food for Thought
Passwords and Password Managers & If You Connect It, Protect It
Welcome to the first week of Cybersecurity Awareness Month! Each week we will discuss two primary topics. One of those topics will be the CAM 2020 “official” weekly topic and the other will be localized for the Berry community. This week, the official topic is “If You Connect It, Protect It”, and the local topic concerns passwords and password managers.
If You Connect It, Protect It
Once we connect a device to the Internet, via a wireless network or cellular data connection, or other method, it is exposed and vulnerable. That’s a terrible way to look at it, but there are stories every day of new vulnerabilities in software and hardware that we use all the time. In 2019 there were over 22,000 vulnerabilities identified, with over 12,000 of those reported and assigned a Common Vulnerabilities and Exposure (CVE) identifier, which is used to identify and promulgate information about the vulnerability.
That 22,000 number is across hundreds of companies and products, but you know the names of some of the most affected companies. They include Microsoft, Adobe, Apple, and yes, even Google. It’s a safe bet that whatever device you connect, it will already have, or will have in the future, vulnerabilities. What to do?
When reputable companies find or are told about vulnerabilities, they create and release updates, unless the software or hardware is no longer supported. We see evidence of this all the time…Windows wants to reboot to install updates, your phone tells you it needs to reboot to install updates. Don’t ignore these warnings, especially when first connecting a device to the network. At the same time, become familiar with what these warnings look like to avoid being fooled by fake update messages in the future.
All of this to say that the most important rule of properly securing connected devices is to keep your devices updated. The first thing to do after you connect something new to the Internet is update it. On average, newly connected devices are attacked within 5 minutes and are targeted by exploits specific to the device within 24 hours. That’s not much time to go out and get the latest update for the device. Do it quickly!
Passwords and Password Managers
We talk about passwords a lot, for good reason. With all of their inherent flaws, passwords are the de facto way we authenticate to all of our accounts. The average person now has 27 discrete accounts, while people in information technology fields or younger people may have two or three times that many. This means the average person should have at least 27 different passwords, but humans take shortcuts, even when it is dangerous to do so.
One particularly dangerous shortcut people take is to reuse passwords for multiple accounts. Aside from the need to keep them secret, this is the most important rule in properly dealing with passwords – do NOT reuse them. Make sure passwords are unique across all accounts.
Good passwords are also long, complex, and not based on easily located data, like birthdays, pet’s names, high school mascots or other public record information.
Truthfully, twelve to fifteen characters, minimum.
Have a mix of upper and lower case letters, numbers, symbols and even spaces, if an account allows it.
Based on what?
There’s several good ways to do this. If the password must be memorable, try imagining a picture of a favorite place, a scene from a book, movie or TV show, or other vivid image that you won’t forget, or be prone to alter. Pick four or five words that describe that image, string them together, capitalize a word, or all of them, and throw in a number. For example, a memorable scene might include a cowboy trying to stay on a bucking bull in a rodeo. Words to pick from this scene could include cowboy, bull, horns, bucking and a number could be 8 (as in, the cowboy has to stay on the bull 8 seconds to get a score).
The resulting password could be “Cowboy-Bull-Horns-Bucking-8”.
What makes this a good password?
- It is long – 27 characters
- It is complex – upper and lower case letters, a number, and symbols
What weakens this password?
- It is based on words which are all in the dictionary
The length and complexity wildly outweigh the weakness of being based on dictionary words. This would be a great password, but read on for why it is not.
Our awesome example password is no longer a great password because it has been exposed. It has been used as an example and therefore should NOT be used as a password. No length or complexity will ever outweigh the disadvantage of an exposed password. Keep your passwords secret and never share or reuse them.
If you prefer not to create 27+ word pictures for your accounts, your passwords, of course, don’t need to be memorable if they will be stored in a password manager and possibly generated by a password manager. They can be as long, complex, and random as you wish, as you will never have to type them in, or even know them.
Password managers like LastPass, 1Password, BitWarden, and even iCloud Keychain for you Apple-only folks, allow you to use long, complex, and unique passwords for EVERY account you have. You only have to remember one, good, strong password to lock away the rest of your passwords. Visit the sites for the managers above or run a search in your browser for “password manager” and see how many results you get.
There are so many options and in your search results you’ll also find sites that will compare some of the available managers, providing recommendations and showing how they stack up against each other. Some have unique features or are better suited for families. Some may not support all of your devices, so be sure to check that your chosen phone, tablet, or operating system is supported. Be sure to pick a recent review, as vendors continuously attempt to improve their products, pricing and supported platforms. Find one you like, try multiple ones out if you need to. Many have trial periods, others don’t cost anything to use, but may have severe limitations. You are almost guaranteed to find one that matches your needs, wants, and budget.
Virtual Scavenger Hunt
If you missed the information about the Virtual Scavenger Hunt (VSH) in the October newsletter, head over there to read about it, then read the CAM 2020 page, and then the VSH Start Page. It will tell you about the hunt, how to participate, and information about the grand prize.
If you get stuck in the VSH, be sure to follow Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit) for clues. Other, potentially more important information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check the InfoSec News And Alerts Site for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like training will be posted.
October is here! Did you know there are 190 official and unofficial “days” in October? I know, there are only 31 actual days, but many days are workhorses, serving as “the day” for multiple celebrations, from National Pumpkin Day to World Animal Day to the International Day of Non-violence. More immediately on many of our minds here at Berry, Mountain Day is around the corner, along with long-sleeve weather. October is also the height of “pumpkin spice everything”, and…Cybersecurity Awareness Month!
Yes, it’s Cybersecurity Awareness Month! Let’s just call it CAM. It used to be called National Cyber Security Awareness Month or NCSAM, but it is observed internationally now. You can find out about our planned topics on the CAM 2020 page. There will be weekly articles as well as a month-long virtual scavenger hunt…and prizes…and candy…and learning! Head over to the CAM 2020 page to check it out after you finish reading this article. Come on, stay focused here! There will be another link at the bottom of the page.
As already mentioned, look for weekly articles on various security awareness topics posted right here each Monday of October. They, along with the security awareness posters on all the residence hall bulletin boards and in Krannert, will be essential to completing the scavenger hunt. You might be asking yourself, why burn 5-10 minutes of time each week in October tracking down scavenger hunt items? Because everyone who completes the scavenger hunt will be eligible for a drawing for the grand prize of a pair of
Monster Isport Ear Buds Monster Clarity 102 AirLinks Wireless Ear Buds
As a part of CAM, the Office of Information Technology (OIT) is strongly urging everyone to sign up for Multi-Factor Authentication (MFA) for their Berry account (and all other accounts you have, but we are particularly concerned with your Berry account). MFA brings another level of security to your account and can protect you if the password for your Berry account is exposed. The setup is easy, and you’ll be able to keep your Berry account password for an entire year, assuming it does not get exposed. Email email@example.com and let them know you want MFA. MFA will be required for all current students, faculty, and staff soon, so you should beat the rush and get signed up now!
In addition to encouraging everyone to sign up for MFA, OIT is also encouraging everyone to sign up for security awareness training. OIT is implementing a brand new security training platform and we want as many as possible to experience the new system. While we will continue to focus on specific training for now, we are looking to expand the system to accommodate everyone as soon as we can. More details will be provided, either in one of the CAM 2020 weekly emails or the November monthly newsletter.
There are other ways to participate in training. You can attend a one hour, Zoom-based, focused training on phishing emails or passwords and password managers, or request one-on-one training on a particular topic. Since the theme for CAM is “Do Your Part – #BeCyberSmart” we encourage you to develop your cybersecurity “smarts” in whatever way fits your schedule and goals.
If, after reading the CAM2020 page and looking over the rest of the website, you think I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the calendar where events will be posted and you can register for these events.
Go directly to the scavenger hunt page! This link will not be active until Monday October 5th, 2020, at 8:00AM
Welcome to the very late June newsletter!
A failure to plan and pre-write the June newsletter, plus a virtual conference during the first week of June, then a frenzy of activity at work, then a couple of vacation days has pushed this edition way past its normal publishing date.
But here we are, still stewing in the social distancing mire, but at least able to do more things, like eat AT restaurants instead of getting food delivered, or, gasp!, going out and picking it up curbside. I hope all of you are healthy and well and have been able to resume some sense of “old normalcy”.
As I mentioned in the last newsletter, phishers, scammers, and the like have been VERY busy trying to take advantage of this time of flux, if not outright chaos. I write this newsletter as cities around the country stagger under the effects of not just the coronavirus, but protests and riots. Both are happening, and many protests that start peacefully are stirred into riots by organized bad actors. I hope you or your loved ones have not been affected…and that’s all I’m going to say about that.
I’ve interacted with several of you about suspect emails over the last few weeks and I appreciate your caution and skepticism. Everything from fake voice mail notifications to fraudulent signature requests have arrived in our email inboxes. Companies continue to improperly care for the data they acquire from us. There are a couple of upcoming breach notifications that I need to finish and publish to the site.
With that said, I encourage everyone to go to Have I Been Pwned to see what data about you has been exposed. Notice I don’t say “IF” data has been exposed, but “what” data has been exposed. It’s easy. Go to the site, put in your email address(es), and be sure you are sitting down when you click “pwned?”. While you are there, sign up to be notified when information connected to your email addresses has been exposed. You’ll have to register each email individually.
As I mentioned in May’s newsletter, all email should be carefully examined. Actually, I said that “almost all emails should be considered suspect” and I stand by that statement. I also said that this was the number one safety tip I could offer during this time. Here are tips two and three.
Most Important Tip #2: Update your devices.
Your device, whether it is a Windows or macOS computer, or an Android or iOS device should be set to automatically update. If you have an undeniable fear of automatic updates, then at least make sure that update notifications are turned on. Then, when Windows or macOS notify you of an update, or your Android or iOS device chime to tell you an update is available, first confirm that it is a real update notification. Update notifications don’t come in your email, nor do they pop up inside your browser. These notifications come directly from the operating system of the device. Examples are shown below:
Windows 10 :
Left iOS (iPhone and iPad) and Right Android phone (Motorola, others may vary)
Most Important Tip #3: Use a strong, unique password and multi-factor authentication for every login account you have.
What do I mean by a strong password?
- At least 13 characters long, 20 is better…
- Don’t worry about complexity unless the particular site or service requires it.
- No dictionary words by themselves.
- Do not use any part of your username or real name/nickname in the password.
What?! Thirteen characters? Twenty characters? Yes. Find a password manager you like and use it to both generate and store your passwords. That means you only need to remember one long password, to open the password manager. Longer passwords are better than short, complex passwords. If you insist on making long passwords that are non-random, don’t use long dictionary words. Use multiple, unrelated words, as explained in the Good Password Guidelines Quick Info article here on this site.
Get multi-factor authentication enabled on every account you can, especially accounts for banks and other financial sites, sites which handle your medical records, other confidential and sensitive sites, and your Berry account.
Photo Credit: Photo by Max Kleinen on Unsplash