CAM Week 3 – Phishing and Healthcare Devices

Welcome to week 3 of Cybersecurity Awareness Month!

I hope you are all advancing in the Virtual Scavenger Hunt (VSH), but if not, there are some clues later in the article to help you along. If you haven’t yet started, you still can, giving you a chance to win the Monster Clarity 102 AirLinks Wireless Ear Buds (originally the Monster Isport Ear Buds). If you’ve been paying attention, you’ll notice that our grand prize has changed. Unfortunately, everyone else thought the Isport Ear Buds were cool, too, and we ran into a supply problem, as in, we couldn’t get a pair. Fortunately, Monster makes several great sets of ear buds and we picked a comparable pair to replace the Isports. You can click the link above to check them out on the Monster website. You can head over to the VSH start page using the link at the bottom of the article, but hang here for a little longer to read about the main topics.

Those main topics are phishing and what the Office of Information Technology (OIT) is doing to combat it, and securing Internet-connected devices in healthcare. While this second topic may not seem relevant, as Berry is a college, not a hospital, we will specifically talk about the many different healthcare devices that are available to consumers, from smart watches and athletic trackers to insulin pumps and smart asthma monitors.

Phishing And The Phish Alert Button

Before we talk about all those incredible Internet of Things (IoT) devices, let’s return to discussing phishing. If you read last week’s article, you’ll remember that there was a quick blurb at the end talking about the importance of detecting and reporting phishing emails you receive.

The first step, of course, is to detect a phishing attempt. How do you do that? What’s the secret to knowing that an email is a phishing attempt? Here are some items to check in an email to make sure you don’t get hooked.

    1. Make sure the “From” address matches the purported sender. For example, if an email claims to be from Amazon, but the “From” address is some account at a Gmail address, it’s probably a phishing attempt.
    2. If the greeting is generic, as in “Dear Customer” or “Dear Sir/Madam”, there’s a good chance it is a phishing attempt. Legitimate emails from companies you do business with will seldom start this way. They will either have no greeting, or the greeting will address you by name. Also beware of greetings (and subjects) that refer to you by your email username. These are most likely phishing emails as well.
    3. Poor grammar and spelling. No legitimate company will send out email with poor grammar or spelling. It would reflect poorly on them.
    4. Urgency is another warning sign. Emails that require “immediate attention” or warn of dire consequences if you don’t act quickly are most likely phishing attempts.
    5. Links and attachments are both signs that an email may be a phishing attempt. Even if you are expecting an attachment from someone, it can be a good idea to simply confirm with them via phone or another method that they sent it.
    6. Lotteries, donations, investment opportunities, get rich quick schemes, unsolicited job opportunities and inheritances from people you don’t know are almost always too good to be true.
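
As an added illustration (not code from this article or from Berry OIT), here is a small Python triage script that applies the checklist above to a raw email message and reports which items it trips; the brand-to-domain table and the two sample messages are constructed for the example, not taken from real mail.

```python
# Heuristic phishing triage for the checklist above. Added example, not an OIT tool.
import re
from email import message_from_string
from email.utils import parseaddr

# Brands commonly impersonated, with the domain a genuine message would come from.
# Constructed, illustrative table: extend it for the brands your users deal with.
BRAND_DOMAINS = {"amazon": "amazon.com", "paypal": "paypal.com",
                 "microsoft": "microsoft.com", "berry": "berry.edu"}
GENERIC_GREETINGS = ("dear customer", "dear sir/madam", "dear user", "dear member")
URGENCY = ("immediate attention", "act now", "within 24 hours", "urgent",
           "account will be suspended")
TOO_GOOD = ("lottery", "inheritance", "investment opportunity", "get rich",
            "job opportunity", "donation")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def _body_and_attachments(msg):
    """Concatenate the text/plain parts and note whether any attachment is present."""
    parts, has_attachment = [], False
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts), has_attachment


def triage(raw_message):
    """Return the sorted list of checklist items a raw RFC 822 message trips."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    _, recipient = parseaddr(msg.get("To", ""))
    recipient_user = recipient.split("@", 1)[0].lower()  # the email username
    body, has_attachment = _body_and_attachments(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    flags = []

    # 1. Display name claims a brand, but the address is not on that brand's domain.
    for brand, expected in BRAND_DOMAINS.items():
        if brand in display.lower() and not (
                sender_domain == expected or sender_domain.endswith("." + expected)):
            flags.append("sender_mismatch")
            break

    # 2. Generic greeting, or a greeting that addresses you by your email username.
    greeting = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if greeting.startswith(GENERIC_GREETINGS) or (
            recipient_user and re.search(r"\b%s\b" % re.escape(recipient_user), greeting)):
        flags.append("generic_greeting")

    # 4. Urgency in the subject or body. (Check 3, grammar and spelling, needs a human eye.)
    if any(k in text for k in URGENCY):
        flags.append("urgency")

    # 5. Links or attachments.
    if URL_RE.search(body) or has_attachment:
        flags.append("link_or_attachment")

    # 6. Lotteries, inheritances and other offers that are too good to be true.
    if any(k in text for k in TOO_GOOD):
        flags.append("too_good_to_be_true")
    return sorted(flags)


# Constructed sample messages (not real emails) for running the checks.
PHISH = """\
From: Amazon Customer Service <amazon-support-2020@gmail.com>
To: jdoe@example.edu
Subject: Immediate attention required: your account will be suspended

Dear Customer,
Verify your details within 24 hours at http://verify-account.example/login.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.edu>
To: jdoe@example.edu
Subject: Meeting notes from Tuesday

Hi John,
Here are the notes we discussed. Let me know if I missed anything.
"""
```

Calling `triage(PHISH)` reports four of the six checklist items, while `triage(LEGIT)` reports none; the script is a triage aid, not a verdict, so anything it flags still deserves the Phish Alert button.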

If you would like to see real examples of phishing emails, you can visit the Berry College Phishbowl, located here on the InfoSec News and Alerts site.

If you receive a phishing email, even if you are not 100% sure, report it. If it is not a phishing email, you’ll get a reply explaining why it is not. To help OIT combat phishing, please report these phishing attempts using the “Report Email as Phishing” button, which is available in the mail.berry.edu webmail interface and on mobile versions of Outlook, as well as the traditional Outlook client on PCs and Macs. In Outlook, it should appear in the ribbon menu as an open envelope with an orange hook. On the web and mobile, you will find the button under the “three dots” menu in the top right corner of the window when you open an email.

It’s very important to report these emails using the button and not to simply forward them to Information Security or delete them, as this allows us to take action on these emails to protect the community. OIT has invested in a system to be able to mitigate phishing emails, but its effectiveness relies on you reporting phishing attempts. So report all the ones you receive to help us protect you.

IMPORTANT OPPORTUNITY ALERT!!!

If you want to learn more about how to spot phishing emails, there is a Virtual LunchITS scheduled for October 22nd at noon. It will be held over Zoom, will last under an hour and will give you a definite edge in spotting phishing emails. I encourage you to sign up to attend. You can do that right in the event. Just click on it in the Event calendar on the InfoSec News and Alerts site and fill out an RSVP. There is no cost, but to make the Zoom meeting secure, you must request access to the LunchITS so I can send you the course resources and the meeting link and password.

Securing Internet-Connected Devices in Healthcare

Everything can be connected these days, from smart watches, like the Apple Watch, to dedicated fitness trackers like Fitbits, to shoes like Under Armour’s HOVR running shoes. Healthcare devices are prime candidates for connecting to the network, as they can produce historical data that can be used to make health decisions, or can be controlled remotely with a smartphone app. Once they are connected, they are targets, just as we mentioned last week about IoT devices in your home.

How can we make sure that these devices are securely connected? Here are some tips to help you make a secure connection with your “healthy” devices.

    1. Choose well-known, reputable brands that won’t disappear on you after you purchase the product.
    2. Make sure you follow the vendor-provided instructions for connecting it to the network.
    3. Once it is connected to the network, make sure you update the device to the latest version of the software or firmware running on it.
    4. Be sure to continue to update the device, or, if it is capable, set it to auto-update when updates are available.
    5. Keep track of your devices, particularly those that collect data about you and your activities, like smart watches and fitness trackers.

Those of you who have consumer medical devices like insulin pumps, continuous glucose monitors, pacemakers, asthma monitors or inhalers and other devices that can potentially disrupt your health should be extra careful in following the tips above. Most of these devices have online communities and vendor-supplied resources that can help you stay aware of any potential issues with your particular device. If you’re not connected to any resources like this, use your favorite search engine and see what’s out there.

One more thing before we get to the VSH clues…you will soon be receiving, or may have already received, an email informing you of when multi-factor authentication (MFA) will be enabled on your account. Don’t delete these emails or report them as phishing! They are real. The emails will provide you with resources about how to set up MFA. If you want to have MFA enabled on your account before your appointed date, email computing@berry.edu and let them know you want MFA.

OK, it’s time to throw some hints to those of you who can’t seem to make your Week 2 Virtual Scavenger Hunt answers get you to week 3.

    • For the first question – The Events calendar for the InfoSec News and Alerts Site is right on the main menu. Once you go there, choose the monthly view, if it is not the current view. You’ll see the event in question as the only single day event in October.
    • For the second question – be sure you put a leading zero on your answer to come up with a four-digit month and day answer.
    • For the third question – Be sure to jump into the section on ransomware to find the answer.
    • For the fourth question – The largest breaches in the Have I Been Pwned database are listed on the left side of the main page.
    • For the fifth question – Follow this link to the security awareness poster that is in the residence halls and in Krannert.

IMPORTANT: You don’t have to resubmit your answers on the week 2 form, but these clues should help you get the correct URL for week 3 of the scavenger hunt.

If you haven’t started the scavenger hunt, here is the start page. Good luck and happy hunting!

Virtual Scavenger Hunt Start Page


Photo Credit: Photo by Solen Feyissa on Unsplash

NCSAM Week 4 – BYOD, Know Your Devices, and Keep Up With Your Devices

This week’s discussion of “Own IT, Secure IT, Protect IT” is all about devices – smartphones, laptops, tablets, watches, and other “smart” things.

Students, faculty, and staff have been “bringing their own devices” (BYOD) here at the college for nearly two decades. The nature of our network requires us to modify how we use these devices compared to how we use them on our home networks, but the end goal is the same. We want to be able to connect quickly and safely to the Internet. The Office of Information Technology (OIT) has worked tirelessly over the years to make connecting to the network easy, reliable and secure. There have been times when the sheer number and diversity of devices made that hard to accomplish, but with cooperation from everyone, it is possible.

Own IT

First, make sure your device, whatever it is, is fully up to date with all software patches. This will be one of the first troubleshooting steps (after rebooting it) that OIT will ask you to complete when having issues with connectivity. Devices with unpatched issues can disrupt our networks or, if infected with malware, even compromise other devices. Second, make sure you lock your devices to protect the data on them. Finally, if you have any issues connecting to the wireless network, be sure to contact OIT by emailing computing@berry.edu. Please refrain from using the guest wireless network, as it does not provide the same level of security as the Berry or EZConnect networks.

Here is OIT’s web page about connecting to the wireless network. Consult it first before contacting OIT. The answer to your question may be there. On that page are links to operating system and device specific instructions.

Secure IT

Know how to secure your device. Before you dive into all the whiz-bang features on a new phone or tablet or other device, find out how to secure the device. Do you need to change a default password? Do you need to run updates? Are there additional ways to secure your device, like fingerprint scanners, facial recognition, PINs, or other methods? Device security is all about layering multiple protections, so be sure to enable all your available mechanisms. Also, be sure to register your device, especially phones and watches and other devices that could potentially be lost, with a locating service. Both Apple and Google have mechanisms that could potentially allow you to find a lost device. Here are the links to that information (the Google link asks you to log in to your Google account, so there is an additional link to an article that walks you through the process without logging in to Google):

    • Apple Find My
    • Google Find My Device
    • Here is the article that clearly explains the Google process

Protect IT

Speaking of lost devices, take steps to ensure you can keep up with your device. Does it need a case? Phones these days are so slim and built with rounded corners and edges that it is easy to drop them or for them to slide out of a pocket. Find a good case that affords you a good grip and makes sure it doesn’t easily slip from wherever you carry it. Popular these days are the extendable stands like the PopSockets, and some cases have stands or handles built into them. Be sure you can keep track of your devices. Choose cases and accessories for your phone that make them stand out from the sea of phones identical to them everywhere. Colorful cases, stickers, and other identifying items tend to discourage the casual phone-grabber, as it may make it harder for them to get rid of the phone. It will most certainly make it easier for you to spot your phone if you leave it lying around somewhere.

Here is the link to the PopSockets site

OtterBox makes great cases, but their prices can be premium

To find something that suits your style and budget, fire up your favorite shopping site and search for “smart phone cases” or “cell phone cases”. You are sure to find something.

I hope you found this article informative. If you have any questions about any of this information, please either email me directly at infosec@berry.edu or, if your question is not about sensitive information and you think others might benefit from the answer, you can post your question to the Q&A page of this site. Just click on the “Q&A” in the top menu.

Check the table in Krannert on Thursday for info and goodies and another chance to put your name in the pot for the prize bag worth over $75 to be awarded on Halloween. Also, please take a moment to read each week’s article as they post.

Now for some fun… enjoy this one-man show video about passwords and password managers, starring your Director of Information Security (who is not a paid actor…)

You will have to log in with your email credentials to view the video on Microsoft Stream:

Students – here is your link

Faculty and Staff – here is your link

Tune in for our last article next week when we talk about the IoT, MFA and PhySec! If you don’t know what those are, definitely check out the article next week.

NCSAM Week 1 – Social Media, Passwords, Cyber Hygiene

Welcome to National Cyber Security Awareness Month, also known as NCSAM!

Every week this month we will explore topics around the theme of “Own IT, Secure IT, Protect IT”. That’s not three typos in a row, that’s “IT” as in information technology. We are surrounded by it, in our homes, at work, in stores, and just about anywhere we go. We depend on it, just like we depend on our cars or bikes. That means, just like cars and bikes, we have to take care of it with regular maintenance, and make sure to lock it so it won’t get stolen.

Each week we will briefly explore an idea around each of these aspects of owning, securing and protecting. This week, in relation to “owning” our IT, we want to remind everyone to be careful what they post on social media. Once something is posted, nothing short of an EMP or nuclear war will remove it from the Internet (not that there would be an Internet left after either of these occurrences, but you get the point). These days, employers routinely explore prospective employees’ social media posts to get a better idea of the person they are considering hiring. Own your social media by being careful about what you post and also by asking your friends to not include you in potentially derogatory posts.

In the realm of “securing” our IT, please make sure you are using strong, unique passwords for your online accounts. Strong passwords should be long, at least 12 characters, if not more. Don’t be concerned so much with complexity, because longer passwords are generally better. Don’t use your name, your pet’s name, your phone number, or any other information that might be available online. Don’t reuse passwords between accounts, particularly passwords for financial or other sensitive accounts. If you have a lot of accounts (and honestly, who doesn’t?) consider using a password manager to help you create and “remember” all those strong, unique passwords. You can get more information on strong passwords and password managers at the table in Krannert on Thursday.

Finally, concerning “protecting” our IT, follow good cyber hygiene practices. Just like you have to clean up trash, brush your teeth, and wash your clothes (at least occasionally), you should close out online accounts you don’t use, change your passwords periodically, and delete files you no longer need. You should also always lock your computer if you are stepping away from it (not recommended if it is a laptop; keep it with you!), and always use either a PIN or a biometric lock mechanism (fingerprint scan, face recognition) for your mobile devices, especially your phone. Your phone is the key to so many of your online accounts. Make sure it is secured!

Check the table in Krannert on Thursday for info and goodies and a chance to put your name in the pot for a prize to be awarded on Halloween. Also, please take a moment to read each future week’s article.

Here is this week’s video, an oldie, but goodie about password security. You will have to log in using your email credentials to view the video

Students: https://web.microsoftstream.com/video/2dc735da-b797-4725-a8bc-8f36dee9197a

Faculty/Staff: https://web.microsoftstream.com/video/f9c0bbb0-05ff-46ca-ad67-d6cae6a23b6e

August News From Information Security

It’s August! Classes begin in just a few short weeks. This month’s newsletter is about staying safe online and covers a number of different topics, but first, here are some reminders and notices of things to come right here on campus.

Security awareness posters will return next week. On Tuesday, August 6th, departmental security awareness posters will be distributed. In September, both departmental and student posters will be distributed around the campus. There will be a chance to win a prize in September, so be sure to stay tuned.

The first LunchITS lunch-time training session was held on Thursday, August 1st. There will be more of these as the semester begins and all through the coming academic year. These lunch hour sessions cover various security awareness topics. The first topic was account security and it covered passwords, password managers, and multi-factor authentication. For those who couldn’t attend, it will be repeated during the fall semester, so there will be another chance to get this training.

Please consider requesting multi-factor authentication (MFA) for your Berry account and also consider using it for any other accounts you have that support it. It is easy to get MFA; just email computing@berry.edu and request it be enabled. You will also get information on how to set up and use it.

Many departments will be required to complete security awareness training related to the applicable laws, regulations, and constraints associated with their primary job responsibilities. You will be notified via email if you are required to take this training.

Please continue reading for tips on how to stay safe online.


Americans use 3,138,420 GB of internet data every minute of the day. It is safe to say that being online is now a way of life for many. Engaging in safe and secure online practices helps protect against the risks of living life on the internet.

Shopping, surfing, banking, gaming, and connecting Internet of Things devices such as toasters and refrigerators are some of the many actions performed each minute in cyberspace. These common everyday activities carry the cyber threats of social engineering to gain unauthorized access to data, identity theft, bullying, location tracking, and phishing, to name just a few. How can we decrease our risk from these cyber threats without abandoning our online activities altogether? Here are some basic online tips everyone can follow to help stay secure while online.

  • Set up alerts. Consider setting up alerts on your financial accounts. Many credit card companies and banks allow you to set up alerts on your accounts via their websites. These alerts range from sending you an email or text each time a transaction happens on your account to alerts when transactions meet or exceed a designated spending limit that you set. These alerts keep you in control of your accounts’ activities. These types of alerts are useful because they make you aware of what’s going on with your account quicker than waiting for monthly statements. When you receive an alert about a transaction that you did not authorize, you can reach out to the credit card company or bank immediately. Log into your credit card company and banking websites to set up alerts on your accounts.
  • Keep devices and apps up to date. This familiar tip is useful even if you are just casually surfing the internet. Keeping your devices up to date (including apps and operating systems) ensures you have the latest security fixes.
  • Don’t use public Wi-Fi. In addition to an updated device, the network the device is connected to is also important. Did you have to enter a password to connect to a Wi-Fi network? If you did, that network is more secure than an open one that any device within range can connect to. Whenever possible, use a secure network, especially when banking or shopping online.
  • Consider using a VPN. VPN stands for virtual private network, and its main purpose is to provide a tunnel for encrypted internet traffic. If you are connected to the internet without using a VPN, your traffic is passed through the internet service provider’s servers. The location of your device is known, and if you must connect to a public Wi-Fi network, there is a risk of snooping by other devices on the same network. Connecting to a VPN redirects your internet traffic to a remote server, encrypting the traffic, reducing the snooping risk. There are many options for VPN software today for consumers and businesses. Do your research and decide which one makes sense for your online needs.
  • Create unique passwords. Here’s another familiar tip. Using the same password for many sites is not a best practice. Suppose that one of your accounts suffered a data breach and your password was exposed. If you reused this password on other accounts, it’s likely that someone would be able to access those accounts as well (especially if your user name is an email address). Consider using a password manager to manage all your passwords. Not only do these tools manage all your passwords, they can also create strong passwords and can even autofill your username and password as you go to websites on different browsers.
  • Be vigilant. Be aware, there are fake websites out there waiting to collect your valuable information. Make sure you are on a legitimate site by double-checking the URL (the website address) to make sure it is spelled correctly. Also make sure you see a padlock and https:// in the URL.

Remember that you are in control of your online activities. Following these security tips will give you peace of mind while online.

July News From Information Security

We’re zooming through summer! July is here! Look for the return of the monthly security awareness posters in August!

For now, here’s a reminder about maintaining the safety of those portable devices we now depend on – our smartphones, tablets and even laptops.

With an increasing amount of sensitive data being stored on personal devices, the value and mobility of smartphones, tablets, and laptops make them appealing and easy targets. These simple tips will help you be prepared in case your mobile device is stolen or misplaced.

  • Encrypt sensitive information. Add a layer of protection to your files by using the built-in encryption tools included in your computer’s operating system. Use BitLocker for Windows, FileVault for macOS, and for Android and iOS devices use the encryption that is part of the system, which in some cases is enabled by default.
  • Secure those devices and back up data! Make sure that you can remotely lock or wipe each mobile device. That also means backing up data on each device in case you need to use the remote wipe function. Backups are advantageous on multiple levels. Not only will you be able to restore the information, but you’ll be able to identify and report exactly what information is at risk. (See Good Security Habits for more information.)
  • Never leave your devices unattended in a public place or office. If you must leave your device in your car, place it in the trunk, out of sight, before you get to your destination, and be aware that the summer heat of a parked car could damage your device.
  • Password-protect your devices. Give yourself more time to protect your data and remotely wipe your device if it is lost or stolen by enabling passwords, PINs, fingerprint scans, or other forms of authentication. (See Choosing and Protecting Passwords.) Do not choose options that allow your computer to remember your password.
  • Put that shredder to work! While not directly related to portable devices, paper records are VERY portable! Make sure to shred documents with any personal, medical, financial, or other sensitive data before throwing them away.
  • Be smart about recycling or disposing of old computers and mobile devices. Properly destroy your computer’s hard drive. The User Support department will do this for your Berry machines, but you should do the same for your personal devices. Use the factory reset option on your mobile devices and erase or remove SIM and SD cards.
  • Verify app permissions. Don’t forget to review an app’s specifications and privacy permissions before installing it! Use some common sense. Device permissions unrelated to the purpose of the app should not be accepted.
  • Be cautious of public Wi-Fi hot spots. Avoid financial or other sensitive transactions while connected to public Wi-Fi hot spots. If you must, find a good VPN application for your device and use it.
  • Keep software up to date. If the vendor releases updates for the software operating your device, install them as soon as possible. Installing them will prevent attackers from being able to take advantage of known problems or vulnerabilities. (See Understanding Patches and Software Updates.)

What can you do if your laptop or mobile device is lost or stolen? Report the loss or theft to the appropriate authorities. These parties may include representatives from law-enforcement agencies, as well as hotel or conference staff. If your Berry device is lost or stolen and contained sensitive institutional or student information, immediately report the loss or theft to your supervisor and OIT so that they can act quickly. Even if you believe the device did not store sensitive or confidential information, report the incident as quickly as possible.

Two more items:

First, the external email banner is now active in Outlook and on Outlook Web Access. Emails received from non-Berry addresses will have the banner alerting you to this fact at the top of the message. There have been a number of questions about this service and I want to address them.

  • I am very glad that some of you are confident in your ability to discern the validity of any given email, but we have a large percentage of faculty, staff, and students who cannot. This is intended to help them when they receive an email from “President Briggs” or from “their supervisor” asking them for “a favor”.
  • There is no way to exclude certain addresses from the banner – if the email came from a non-Berry account, it will contain the banner.
  • If you need to forward the email to someone else, and don’t want the banner in the forwarded correspondence, the banner is removable in the edit window for the forwarded email.
  • Email banners like this one are common both at other higher education institutions and in the corporate space.

I understand it requires a new process for handling the vast amounts of emails we receive on a daily basis. We tested another way to alert users by inserting a tag in the subject line of the email, instead of using the banner, but the banner was the preferred method according to the test group.

Unfortunately, it only takes one phished user to compromise a large portion of our information systems. We have been lucky so far that the only phishing attempts our users have fallen for involved buying gift cards or giving up their username and password, both easily remedied.

I would be happy to discuss this further with anyone, but for now, this policy stands for our entire email user population.

Second, you are strongly encouraged to sign up for multi-factor authentication (MFA) to improve the security of your account. Check out the May Information Security Newsletter for more information.

Have a great rest-of-the summer!