January News from Information Security

Welcome to 2021! Let’s hope it goes better than 2020.

Welcome back to campus. I hope everyone had a good holiday, stayed healthy, and is ready to charge through the spring semester. As you attempt to settle back in, I encourage you to take the time to reacquaint yourself with basic information security awareness.

In the fall, the college acquired a new training platform for security awareness. This content on this platform is authored by some of the foremost security experts on the planet. This group, known as the SANS (SysAdmin, Audit, Network, and Security) Institute, is the largest source for training and security certification in the world. They manage the Internet Storm Center, billed as “the Internet’s early warning system”, along with in-depth training and certification.

The new platform provides us with a rich set of training courses, supplemental materials, and course management options. Use of the platform is open to anyone in the active community of students, faculty, and staff. Courses for basic security awareness take about half an hour to complete, with some courses centered around specific topics such as FERPA, HIPAA, or PCI-DSS compliance taking up to an hour. You can request access to the platform by sending an email to infosec@berry.edu and stating you want access to the security awareness platform, or by filling out the training access form found here.

By choosing to take security awareness training, you can help the college fend off attackers, but equally as importantly, you can learn how to protect yourself, your home networks, your devices, and your various Internet accounts. It has never been more important to be aware of the tactics, techniques, and procedures attackers use to try and gain access to your devices and accounts. With COVID-19 came challenges to how we work, socialize, and live life, but along with those challenges came additional, and more potent attacks by the Internet bad guys. Not a day goes by without some phishing email landing in someone’s email inbox, or a text on a phone, or even a voice call, all attempting to separate you from your money, your accounts, and your peace of mind.

Courses on the platform include general security awareness as well as dedicated courses on phishing, account management, safe browsing, passwords and password managers, and device management. Once you are on the platform, you can choose to complete any or all of these courses.

There are also, as mentioned before, courses that target specific compliance and regulation topics. Some of you may be required to take one or more of these courses as part of your job responsibilities. If so, you will be notified via email and be given ample time to complete the training.

The last thought in relation to this topic is this-in an effort to raise the security awareness of the entire community, we are looking to make security awareness training a regular part of everyone’s routine. The frequency of training is being discussed, but it is likely to be conducted at least annually, if not biannually. This is not designed to torture you, or simply add to your workload, but to help you be vigilant, informed and conscientious in your everyday work. The SANS training starts with a module called “You Are The Shield”, emphasizing your role in being the first line of defense against attacks on the college that attempt to bypass our security technology by attacking you directly, via social engineering. We hope that by regularly providing training to you, you will be the shield.

Don’t forget, if you are not currently using multi-factor authentication (MFA), you will be sometime in the spring semester. We are continuing to roll MFA out to everyone on a schedule, but if you want MFA faster, please email computing@berry.edu and inform them you want MFA enabled on your account. You can find more information about MFA here, and you can find information on how to set up MFA in this document.

If you are depending on Zoom to conduct classes or work, be sure to check out the Zoom resources document provided here for tips and information on how to effectively and safely use Zoom.

Finally, Data Privacy Day is January 28th. Data Privacy Day is an international effort to promote the respect of privacy, safeguard data and enable trust. According to Stay Safe Online, a project of the National CyberSecurity Alliance,

Millions of people are unaware of and uninformed about how their personal information is being used, collected or shared in our digital society. Data Privacy Day aims to inspire dialogue and empower individuals and companies to take action.

What action? The first and foremost goal is to manage your privacy and security settings for all your accounts. This page, on the staysafeonline.org site shows you how to manage your settings on many popular devices, accounts, and services. Go there first to secure your accounts and devices, then share the link with your family and friends so they can do the same.

As you are securing your accounts, if you notice any settings that you feel should be different or default to safer values, let that website or service know. There is little incentive for these companies to change their practices if no one complains about them. There should be a contact form on most sites, but if not, sending to support@whatever.site will usually get your feedback to the right place. Be sure to use the correct site address, i.e. support@facebook.com for Facebook.

Also on Data Privacy Day, which is a Thursday, I will be offering a lunchtime training event via Zoom which will cover passwords and password managers. Having a strong and unique password for every account you have is the first step in securing your data and making sure it stays private. You can sign up for the class by going to the Events calendar on this site and clicking on the event on January 28th. There will be a sign up/RSVP (Going) button once you open the event.

Look for a new Virtual Scavenger Hunt in February. It will run the week leading up to Valentine’s Day. The grand prize will be…somewhat Valentine’s Day themed. More details in the February newsletter.

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me.

 

Food for Thought

Featured Image: Photo by Waldemar Brandt on Unsplash

Cartoon courtesy of XKCD.com

Permalink for cartoon https://xkcd.com/2391/

December News from Information Security

Welcome to one of the strangest Decembers we’ve ever had here at Berry. It is certainly the strangest of my 30 years here. The students are gone, but not done. Finals loom for some of them, then almost two full months of no school. What will we do in the silence?

I’m sure we all have different answers to that question, so I’ll leave it hanging rhetorically.

This newsletter will be a little different from previous ones. We’ll be focusing on a minimal number of topics, but for one in particular I will ask for a couple of extra minutes of reading time from you.

If you have perused this site much you will know that I post breach and data exposure announcements here periodically, usually when they affect a good number of the community. If you’ve been unlucky enough to be impacted by a breach, you may have received an email from me explaining what data was exposed and what you should do about it.

A recent notification came to me, announcing that 189 emails belonging to Berry community members had information exposed, specifically passwords. Most breaches affect no more than a couple dozen Berry email addresses and when I get the notices I will sort through them, compose an email and send it out to those affected. This number of emails was larger, but still manageable. Then I read further into the announcement. Those 189 emails were scattered across more than 23,000 potential websites and services. The data did not include enough information to determine which email address went with what service or website.

The bottom line is, 189 Berry community members, who could be faculty, staff, students, alumni, or even retirees, have had a password for some service exposed. You can find out if you were one of these 189 by going to the Have I Been Pwned website and putting in your Berry email address in the search form.

You may find that in addition to this massive exposure notification containing 226 million unique emails, named Cit0day, you may have had information related to your Berry email address exposed by other data breaches. I encourage you to not only check your Berry email, but your personal email accounts as well, and those of your family if you are so inclined. I also strongly encourage you to sign up for notifications from Have I Been Pwned. The link (Notify Me) is at the top of the main page there. It is free and if your email address shows up in a data breach, you’ll get an email notification directly from Have I Been Pwned giving you as much information about the breach as is available.

The important question, once you determine that you are indeed affected by a data breach is this – What do I do now?

Generally, I will suggest you change your password for the service or website that experienced the breach, check that your account information is correct, and if financial data was involved, to closely monitor your bank account and credit card accounts. In the case of the Cit0day notification, you will have no idea which of your twenty to one hundred or more accounts has been affected. What do you do then?

The “nuke the site from orbit” approach would be to reset the password on EVERY account you have. Do you even know all of your accounts? Who hasn’t signed up on a site for a specific purpose, never to return? What data might you have had to give up to create that account? Did it include a credit/debit card number or bank account number?

The real question to ask at this time, if you are affected by the Cit0day announcement is – Did I reuse the password for this account, whatever account it was? Realizing, again, that there is no way to tell what specific service or website exposed the password.

That question leads to the next – How many other accounts are now vulnerable because I reused this exposed password? The scary part is, you don’t have an answer to this question, because you don’t know what account is compromised.

Which leads to the most important question in this article – Why are you not using a password manager to create a unique password for EVERY account, service, and website you use?  Yes, it takes time to set it up.  For some, time is money, right? How much does thirty minutes cost you? The entire amount in your bank account? Unlikely. The maximum amount on your credit line? Probably not.

If you had used a password manager to create a unique password for your account on whichever site among the 23,000 possible  ones that were affected , the potential damage to you would have been limited to that one site. If you reused a password, or worse, use the same password for everything, then the damage could be much greater.

Please, if you are not using a password manager now to manage your accounts, start using one. I’ve written on the subject multiple times here in the monthly newsletter and during Cybersecurity Awareness Months, both this year and in years past (all of which are available from the main menu of this site).

Take a few minutes and visit the links below. Check out the flyer linked at the Quick Info page for some password managers. If you don’t want to follow links,  just type “best password manager” into your favorite search engine. There are password managers for all platforms (Windows, macOS, Linux, Android, iOS, web browsers), needs, and budgets.

Quick Info page on Password Managers

In-depth knowledge article on password managers on this site

Why you need a password manager flyer (PDF)

Two-sided password flyer linked in the Quick Info page above (PDF)

Good password policies flyer with a paragraph at the bottom about password managers (PDF) Don’t try to use the link at the bottom, it is broken.

Because the link in the above PDF is broken, here is a link to a great article on password managers-the good, the bad, the ugly, and the beautiful. My apologies for the pop-up ads, but the article is worth the annoyance. If you read nothing else, read this article.

Whew! That was password managers. The next and final item I want to emphasize in this newsletter is multifactor authentication (MFA). MFA is coming to all accounts at Berry – faculty, staff, and students. With some personnel issues that have come up, the rollout may be delayed a bit, but it is still coming.

Again, I have written about this multiple times over the course of maintaining this site. There is a Quick Info page on MFA for the impatient, or you can go read the instructions for setting up MFA here on the main Berry website. If you are still unclear about why we are requiring this, check out this FAQ article, also on the main Berry website.

You can still request MFA for your account by emailing computing@berry.edu.

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets.

Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me.

Food for Thought

 

Featured Image: Photo by Science in HD on Unsplash

November News from Information Security

We did it! We made it through October and Cybersecurity Awareness Month. I want to thank everyone who read the weekly articles, checked out the posters, and participated in the Virtual Scavenger Hunt. I want to congratulate Hanna Popa for her successful completion of the hunt and her luck in winning the Monster Clarity 102 AirLinks ear buds. She was one of the eight who completed the entire hunt out of the thirty-three who attempted some part of it.

If you enjoyed the hunt, or you missed it, but heard great things about it and wished that you had participated AND would like us to hold another one, just email infosec@berry.edu and tell us. While you’re at it let us know what information security topics you would like to see addressed here in articles or quick tips or even live (via Zoom for now) training sessions.

Speaking of live training, here in November there will be another opportunity to attend (via Zoom) live one-hour-ish lunchtime training on account management, covering everything from picking good passwords to using password managers, to enabling multi-factor authentication on all your accounts, particularly your Berry account. The event will be posted to the Event Calendar this week, once a final decision is made on the exact date, so check it out and sign up.

Our primary topic for this month is multi-factor authentication or MFA. MFA is now required for all Berry accounts and the Office of Information Technology (OIT) is rolling it out in phases. You will receive, if you haven’t already, an email detailing when MFA will be enabled on your account and how to set it up. The Network Operations group is holding training on MFA setup via Zoom, so if you have issues with the setup, be sure to attend. Details should be in the email you receive.

Why are we requiring MFA? You could potentially blame it on the corona-virus or COVID-19, but our attempts to require MFA have been in the works for many months before the virus hit our community. MFA places another layer of security on your Berry account, preventing someone who guesses or steals your password from accessing your account. It does this by requiring a second piece of evidence or a second “factor” in addition to your password to prove that you are you. That factor could be a fingerprint, or a temporary six-digit code texted to you or found in an app on your smartphone. In our case, the default second factor is just an approval via an app on your smartphone.

With MFA enabled, when you log in to your account, you will be required to enter your password, then a notification will pop up on your phone asking you to “approve” or “deny” the login request. You just touch “approve” if you are attempting to log in, or “deny” if you see a request when you haven’t tried to log in to your account. Without this second factor, the approval, or if you deny the login attempt, the login fails and the incident is logged so OIT can follow up and mitigate any potential threat to your account. This protects not just your email, but any web-based service you use here at Berry, from VikingWeb to the financial aid portal to the health center portal, so it is vital MFA is enabled on your account.

We’ve mentioned Zoom twice already in this newsletter, and we’re going to circle back to it now. One of the most critical aspects of using Zoom effectively is securing your Zoom sessions from “zoombombers” and others that wish to disrupt sessions. We depend on Zoom far too much these days, so we want to offer some information about how to properly secure your Zoom sessions.

Here is a Zoom document that discusses most of the security settings for Zoom. Don’t be daunted by the fact it is twelve pages long, there are pictures and cover pages and large type galore. Here are the high points, in a simple list:

      • Use the waiting room feature if your meeting is not too large. This lets you control who actually gets into the meeting, albeit manually.
      • Use a passcode for all meetings and use randomly generated meeting IDs, NOT your personal meeting ID.
      • Only allow registered users to attend. Be careful with this setting, but it is useful if done correctly.
      • Lock your meeting. Once everyone who is supposed to attend has arrived, you can lock the meeting to prevent anyone else from joining.
      • Know how to manage users during the meeting. Understand the settings to control screen sharing, mute everyone, remove participants, and configure chat and annotation to prevent abuse.

Our current environment can prove difficult to navigate at times, but making sure you know how to manage a Zoom session will go a long way to make sessions requiring Zoom effective and secure.

One last thing before we wrap up. I want to encourage you to report ALL phishing emails you receive, using the “Report Email as Phishing” button available in the email browser interface (https://mail.berry.edu), on mobile devices using the official Outlook mobile client, and on the desktop using Outlook 2016 (Click-to-run version only) or Outlook 2019 (all versions). Doing so will help OIT protect the community by mitigating dangerous phishing emails identified by you, our first line of defense against phishing.

I normally wrap up the newsletters with a pitch for you to sign up for MFA, and I still encourage you to do so, but if you don’t, understand you will be required to use MFA at some point in the next few weeks. If you’d like to get ahead of the curve, request MFA for your account by emailing computing@berry.edu.
If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me.

Photo Credit: Photo by Plann on Unsplash

CAM Week 3 – Phishing and Healthcare Devices

Welcome to week 3 of Cybersecurity Awareness Month!

I hope you are all advancing in the Virtual Scavenger Hunt (VSH), but if not, there are some clues later in the article to help you along. If you haven’t yet started, you still can, giving you a chance to win the Monster Isport Ear Buds Monster Clarity 102 AirLinks Wireless Ear Buds. If you’ve been paying attention, you’ll notice that our grand prize has changed. Unfortunately, everyone else thought the Isport Ear Buds were cool, too, and we ran into a supply problem, as in, we couldn’t get a pair. Fortunately, Monster makes several great sets of ear buds and we picked a comparable pair to replace the Isports. You can click the link above to check them out on the Monster website.  You can head over to the VSH start page using the link at the bottom of the article, but hang here for a little longer to read about the main topics.

Those main topics are phishing and what the Office of Information Technology (OIT) is doing to combat it, and securing Internet-connected devices in healthcare. While this second topic doesn’t seem appropriate, as Berry is a college, not a hospital, we will specifically talk about the many different healthcare devices that are available to consumers, from smart watches and athletic trackers to insulin pumps and smart asthma monitors.

Phishing And The Phish Alert Button

Before we talk about all those incredible Internet of Things (IoT) devices, let’s return to discussing phishing. If you read last week’s article, you’ll remember that there was a quick blurb at the end talking about the importance of detecting and reporting phishing emails you receive.

The first step, of course, is to detect a phishing attempt. How do you do that? What’s the secret to knowing that an email is a phishing attempt? Here’s some items to check in an email to make sure you don’t get hooked.

    1. Make sure the “From” address matches the purported sender.  For example, if an email claims to be from Amazon, but the “From” address is from some account at a Gmail address, it’s probably a phishing attempt
    2. If the greeting is generic, as in “Dear Customer” or “Dear Sir/Madam”, there’s a good chance it is a phishing attempt. Legitimate emails from companies you do business with will seldom start this way. They will either have no greeting, or the greeting will address you by name. Also beware of greetings (and subjects) that refer to you by your email username. These are most likely phishing emails as well
    3. Poor grammar and spelling. No legitimate company will send out email with poor grammar or spelling. It would reflect poorly on them.
    4. Urgency is another warning sign. Emails that require “immediate attention” or warn of dire consequences if you don’t act quickly are most likely phishing attempts.
    5. Links and attachments are both signs that an email is a phishing attempt. Even if you are expecting an attachment from someone, it can be a good idea to simply confirm with them via phone or other method that they sent it.
    6. Lotteries, donations, investment opportunities, get rick quick schemes, unsolicited job opportunities and inheritances from people you don’t know are almost always too good to be true.

If you would like to see real examples of phishing emails, you can visit the Berry College Phishbowl, located here on the InfoSec News and Alerts site.

If you receive a phishing email, even if you are not 100% sure, report it. If it is not a phishing email, you’ll get a reply explaining why it is not. To help OIT combat phishing, please report these phishing attempts using the “Report Email as Phishing” button, which is available in the mail.berry.edu webmail interface and on mobile versions of Outlook, as well as the traditional Outlook client on PCs and Macs. In Outlook, it should appear in the ribbon menu as an open envelope with an orange hook. On the web and mobile, you will find the button under the “three dots” menu in the top right corner of the window when you open an email.

It’s very important to report these emails using the button and not to simply forward them to Information Security or delete them, as this allows us to take action on these emails to protect the community. OIT has invested in a system to be able to mitigate phishing emails, but its effectiveness relies on you reporting phishing attempts. So report all the ones you receive to help us protect you.

IMPORTANT OPPORTUNITY ALERT!!!

If you want to learn more about how to spot phishing emails, there is a Virtual LunchITS scheduled for October 22nd at noon. It will be held over Zoom, will last under an hour and will give you a definite edge in spotting phishing emails. I encourage you to sign up to attend. You can do that right in the event. Just click on it in the Event calendar on the InfoSec News and Alerts site and fill out an RSVP. There is no cost, but to make the Zoom meeting secure, you must request access to the LunchITS so I can send you the course resources and the meeting link and password.

Securing Internet-Connected Devices in Healthcare

Everything can be connected these days, from smart watches, like the Apple Watch, to dedicated fitness trackers like FitBits, to shoes like Under Armour’s HOVR running shoes. Healthcare devices are prime candidates for connecting to the network, as they can produce historical data that can be used to make health decisions, or can be controlled remotely with a smartphone app. Once they are connected, they are targets, just as we mentioned last week about IoT devices on your home.

How can we make sure that these devices are securely connected? Here are some tips to help you make a secure connection with your “healthy” devices.

    1. Choose well-known, reputable brands that won’t disappear on you after you purchase the product.
    2. Make sure you follow the vendor-provided instructions for connecting it to the network.
    3. Once it is connected to the network, make sure you update the device to the latest version of the software or firmware running on it.
    4. Be sure to continue to update the device, or, if it is capable, set it to auto-update when updates are available.
    5. Keep track of your devices, particularly those that collect data about you and your activities, like smart watches and fitness trackers.

Those of you who have consumer medical devices like insulin pumps, continuous glucose monitors, pacemakers, asthma monitors or inhalers and other devices that can potentially disrupt your health should be extra careful in following the tips above. Most of these devices have online communities and vendor supplied resources that can help you stay aware of any potential issues with your particular device. If you’re not connected to any resources like this, use your favorite search engine and see what’s out there.

One more thing before we get to the VSH clues…you will soon be receiving, or may have already received, an email informing you of when multi-factor authentication (MFA) will be enabled on your account. Don’t delete these emails or report them as phishing! They are real. The emails will provide you with resources about how to set up MFA. If you want to have MFA enabled on your account before your appointed date, email computing@berry.edu and let them know you want MFA.

OK, it’s time to throw some hints to those of you who can’t seem to make your Week 2 Virtual Scavenger Hunt answers get you to week 3.

    • For the first question – The Events calendar for the InfoSec News and Alerts Site is right on the main menu. Once you go there, choose the monthly view, if it is not the current view. You’ll see the event in question as the only single day event in October.
    • For the second question – be sure you put a leading zero on your answer to come up with a four digit month and day answer
    • For the third question – Be sure to jump into the section on ransomware to find the answer.
    • For the fourth question – The largest breaches in the Have I Been Pwned database are listed on the left side of the main page.
    • For the fifth question – Follow this link to the security awareness poster that is in the residence halls and in Krannert.

IMPORTANT: You don’t have to resubmit your answers on the week 2 form, but these clues should help you get the correct URL for week 3 of the scavenger hunt.

If you haven’t started the scavenger hunt, here is the start page. Good luck and happy hunting!

Virtual Scavenger Hunt Start Page

 

Photo Credit: Photo by Solen Feyissa on Unsplash

CAM Week 2 – MFA and Securing Devices

Multi-Factor Authentication and Securing Devices at Home and Work (or School)

This week, as we did last week, we are covering two cybersecurity awareness topics. We’ll discuss securing devices at home and at work (or school) and we will cover multi-factor authentication and why you need it enabled on your account.

MFA

We’re talking about multi-factor authentication (MFA)!

We, as in the Office of Information Technology (OIT), have been talking about MFA quietly for about two years, but now we’re speaking up a little louder. You need to have MFA enabled on your account, now more than ever. Cybercriminals have increased the frequency and intensity of attacks, sending evermore sophisticated emails to try and convince you to click on a link or open an attachment.

If you click on a malicious link and enter your credentials on a fake login page, not having MFA enabled will allow the attackers to take control of your email account. This will also allow them to take control of other accounts and services you use, as your email username and password also grants you access to other resources associated with the college, like VikingWeb and Canvas. With MFA enabled, attackers won’t be able to log in to your account, even with your credentials.

It’s easy to get MFA setup. Simply email computing@berry.edu and request MFA be enabled on your account. You’ll get a response indicating it is active and you will be required to go through the setup process. There is a document available here that goes through the process or you can view a video that explains the process at this Microsoft Stream link. You’ll have to log in with your Berry email username and password to view the video.  The gist of the instructions is that you will need to install an app on your smartphone to be able to respond to MFA requests, then complete the setup process to link the app to your account.

The web page linked above also has a document explaining in more detail why we are doing this and answers some frequent questions, like “should I do this for all my accounts?”. SPOILER: You should! There is a link on this same page to the website Lock Down Your Login which has more information on how to secure your home, device and popular web accounts.

More information about MFA is coming soon. Keep an eye on your emails and the BerryOIT social media accounts on Facebook (@BerryColleOIT), Twitter (@berryoit), and Instagram (@berrycollegeoit).

Securing Devices at Home and Work

2020 saw a major disruption in the way many work, learn, and socialize online. Our homes are more connected than ever. Our businesses are more connected than ever. With more people now working and or attending class from home, these two internet-connected environments are colliding on a scale we’ve never seen before, introducing a whole new set of potential vulnerabilities that users must be conscious of. Here are some steps users can take to protect internet connected devices for both personal and professional use.

    • Make sure, as mentioned last week, your devices are all up to date.
    • If you are using a personal machine, not managed by the college, make sure you have up-to-date virus and malware protection installed.
    • Don’t bypass security features of the device…for phones and tablets, this primarily means assigning a passcode to secure them, and for laptops and desktops, this means having a password on all accounts on the systems.
    • If you are using a VPN, be sure it is up to date.
    • Don’t mix your personal files with your school or work files, and don’t make copies of sensitive college data and leave them your personal machine.
    • Following up on that, make sure that you are the only one who can access college data on your personal machine, if it is used by other household members. This may require you to create multiple accounts on the device.
    • Follow all college policies regarding use of OIT resources. If you feel any policy is hampering your ability to work or learn, bring it to the attention of OIT. Violating policy can expose you and the college to risk.

If you are still having difficulty with your Week 1 Virtual Scavenger Hunt answers and can’t get to the second week page, here are a couple more clues.

    • For question one, the types of factors are 1. Something you know 2. Something you have 3. Something you are
    • For question two, the answer is the result of 2 to the 6th power.
    • For question three, LastPass and 1Password are examples of this…
    • For question four, the first word of the example password is a four-legged animal
    • For question five, see the security awareness poster at this link or alternatively the answer is the square root of the answer for question two.

IMPORTANT: You don’t have to resubmit your answers on the week 1 form, but these clues should help you get the correct URL for week 2 of the scavenger hunt.

Finally, even though this post is not about “phishing” emails, per se, I want to remind everyone to please be very careful with unexpected emails, and report any phishing emails using the “Report Email as Phishing” button, available in the mail.berry.edu webmail interface and on mobile versions of Outlook, as well as the traditional Outlook client on PCs and Macs. It’s very important to report these emails using the button and not to simply forward them to Information Security, as this allows us to take action on these emails to protect the community.

 

Photo Credit: Photo by Brina Blum on Unsplash

October News from Information Security

October is here! Did you know there are 190 official and unofficial “days” in October? I know, there are only 31 actual days, but many days are workhorses, serving as “the day” for multiple celebrations, from National Pumpkin Day to World Animal Day to the International Day of Non-violence. More immediately on many of our minds here at Berry, Mountain Day is around the corner, along with long-sleeve weather. October is also the height of “pumpkin spice everything”, and…Cybersecurity Awareness Month!

Yes, it’s Cybersecurity Awareness Month! Let’s just call it CAM. It used to be called National Cyber Security Awareness Month or NCSAM, but it is observed internationally now. You can find out about our planned topics on the CAM 2020 page. There will be weekly articles as well as a month-long virtual scavenger hunt…and prizes…and candy…and learning! Head over to the CAM 2020 page to check it out after you finish reading this article. Come on, stay focused here! There will be another link at the bottom of the page.

As already mentioned, look for weekly articles on various security awareness topics posted right here each Monday of October. They, along with the security awareness posters on all the residence hall bulletin boards and in Krannert, will be essential to completing the scavenger hunt. You might be asking yourself, why burn 5-10 minutes of time each week in October tracking down scavenger hunt items? Because everyone who completes the scavenger hunt will be eligible for a drawing for the grand prize of a pair of Monster Isport Ear Buds Monster Clarity 102 AirLinks Wireless Ear Buds

As a part of CAM, the Office of Information Technology (OIT) is strongly urging everyone to sign up for Multi-Factor Authentication (MFA) for their Berry account (and all other accounts you have, but we are particularly concerned with your Berry account). MFA brings another level of security to your account and can protect you if the password for your Berry account is exposed. The setup is easy, and you’ll be able to keep your Berry account password for an entire year, assuming it does not get exposed. Email computing@berry.edu and let them know you want MFA. MFA will be required for all current students, faculty, and staff soon, so you should beat the rush and get signed up now!

In addition to encouraging everyone to sign up for MFA, OIT is also encouraging everyone to sign up for security awareness training. OIT is implementing a brand new security training platform and we want as many as possible to experience the new system. While we will continue to focus on specific training for now, we are looking to expand the system to accommodate everyone as soon as we can. More details will be provided, either in one of the CAM 2020 weekly emails or the November monthly newsletter.

There are other ways to participate in training. You can attend a one hour, Zoom-based, focused training on phishing emails or passwords and password managers, or request one-on-one training on a particular topic. Since the theme for CAM is “Do Your Part – #BeCyberSmart” we encourage you to develop your cybersecurity “smarts” in whatever way fits your schedule and goals.

If, after reading the CAM2020 page and looking over the rest of the website, you think I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the calendar where events will be posted and you can register for these events.

The Berry CAM2020 page

Go directly to the scavenger hunt page!   This link will not be active until Monday October 5th,  2020, at 8:00AM

Upcoming Events

 

 

 

 

Featured Image: Photo by Joanna Kosinska on Unsplash

March News from Information Security

Welcome to March and welcome to the March newsletter!

The arrival of March means all kinds of things are happening. Daylight savings time starts on the 8th, spring break follows not far behind that, we celebrate St.Paddy’s day, and spring is around the corner, but it might snow before that happens. Don’t believe me? Ask those of us who were here in 1993 about the BIG March snow…or don’t…you might make us feel old.

We’re two months removed from the holiday shopping season, but there’s ALWAYS online shopping happening, so check out this information from EDUCAUSE about protecting electronic payments.

Online sales in the United States grew to a record high of nearly 19 percent during the 2019 holiday season. At the same time, the convenience of using credit cards and other electronic payment services is compelling consumers to rapidly reduce their use of cash. The 2019 Diary of Consumer Payment Choice report shows that cash is used about 50 percent of the time for in-person transactions under $10 (for things like lunch or coffee). For larger purchases of $25 or more, cash is used only 10 percent of the time. Cybercriminals are taking advantage of the increase in electronic payments. According to the 2020 Cybersecurity Report from Check Point Research, mobile banking malware attacks increased 50 percent from 2018 to 2019. Here are some tips to help you safely use electronic payment sites.

  • Verify websites before entering important information. Clicking on a link may not take you where you expect to go. When shopping, banking, or making payments online, manually type in the website name (e.g., chase.com) instead of clicking on links in an email, social network post, or text message.
  • Look for deceptive emails and texts. Your bank or electronic payment processor won’t ask you to provide personal information or passwords via email, but scammers will. Watch this Consumer Reports video for examples.
  • Ignore phone calls from unknown and unfamiliar numbers. If you receive a phone call from someone who is urgently asking for money, there’s a good chance it’s a scam. Most of these calls can be safely ignored, but if you want to check, search for the organization’s website and find out for yourself. Don’t be rattled by threats over the phone.
  • Look for the lock icon in your browser. The lock icon in the address bar of your web browser shows that the website you’re visiting sends data in encrypted form. Never send money or pay for goods on a site without this important safeguard.
  • Public computers aren’t for private information. The computers in a hotel lobby or a public library may have a virus that records your activity, including any passwords you enter. Shop and make electronic payments only on a computer that you control.
  • Don’t use free Wi-Fi when making an electronic payment. The open nature of free Wi-Fi at cafes, airports, and other public venues makes it possible for others who are on the same Wi-Fi network to spy on your activities. If you cannot wait for another time to do your banking, use a VPN when using free Wi-Fi.
  • Consider getting a credit card just for electronic payments. If you decide to get a credit card or online account just for electronic payments, make sure the credit limit or available balance is low. This can protect you from a large loss due to online fraud.
  • Review your transactions regularly. Online banking allows you to check your account quickly and easily. Take time each day or each week to quickly review electronic payments. If you see charges you don’t recognize, notify your bank or payment application vendor (e.g., Venmo, PayPal, or Apple Pay) as soon as possible.
  • Check your credit reports to help spot fraud. Credit reporting services Experian, Equifax, and TransUnion are required to provide you with a free credit report once per year, so try to check one report every four months.

We depend more and more on electronic payments, so lets be sure to protect them.

There will be a LunchITS during March, it’s just not scheduled yet, so check back on the site to find out when it will happen. It will be on account security, covering passwords, password managers, and multi-factor authentication. If any of that sounds unfamiliar, then this one-hour training session is for you!

Security awareness posters will go out this week! Be looking for them in residence halls, Krannert, and college offices.

Check here on this site on the front page for some new data breach announcements. There are three (currently) and they should be posted by Wednesday.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted.

 

Photo credit: Photo by rupixen.com on Unsplash