August News from Information Security

Welcome to the intentionally delayed August Information Security newsletter. I wanted to release this in conjunction with everyone returning to campus. First I want to welcome all our new faculty, staff and students as we begin this most interesting journey into the fall semester. I also want to welcome all the returning faculty, staff, and students who have been in various ways preparing feverishly (uh, maybe that’s not a good metaphor) striving earnestly for the start of classes.

You all have been inundated with safety information in relation to the coronavirus, COVID-19, or whatever name you want to use (I will simply use “virus” in this newsletter) to describe the virus that has upended our lives in such a profound way. I hate to be one to pile on, but in addition to the virus itself, all kinds of bad actors are afoot attempting to fool you into clicking on malicious links, submitting sensitive information, even giving up your passwords, many of them preying on the chaos caused by the virus. Please be extremely vigilant with any unexpected emails, and treat all email, at this point, with caution.

Internet criminals have no qualms about using any leverage they can to trick you. One of the latest ploys involved criminals spoofing the Small Business Administration loan relief website to try and steal information from you. Fake websites with false information about cures for the virus and government relief programs are rampant. Be very careful surfin’ the net out there.

I have some news concerning the InfoSec News and Information site (this site you are reading this article on). For the new folks (and even for returning folks who have never visited the site before), this site has a brand new look and feel. The style has moved from looking like a website from the early 2000s to now looking at least “2017ish”. I hope you like the new format and the easier navigation.

A downside to all this progress is that the transition has left the site without an events calendar, at least temporarily. I am looking for a new one and hope to get that squared away soon. Events will necessarily look a lot different for a while, but I hope to conduct some LunchITS training sessions this semester, via Zoom, of course, and I will continue to create and share new security awareness training videos. Keep checking back to see when the new events calendar shows up.

Also coming soon to the site is a “phishbowl” where you will be able to view examples of phishing emails so you can know what to look out for and also see just how desperate some people are to try and scam you. This should debut in the next week or so and will be accessible from the main page of the site.

I will, of course, continue to post warnings about phishing emails and notices about other information security topics. It will all be accessible here on the site, so bookmark it and check it regularly.

Here are some reminders (or “new information” for some of you)…

If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and (eventually) the events calendar will return, where events like LunchITS training sessions and other opportunities can be found.

LunchITS – A Phishing Expedition

If the tsunami of phishing emails hitting the campus recently is causing you to doubt your ability to discern them, or you know you’re swamped and need a life preserver, come to Krannert 109 this Thursday, February 13th, at noon to go on a phishing expedition!

Director of Information Security Dan Boyd will go over obvious and not-so-obvious ways to spot phishing emails. He’ll discuss the current tactics, techniques, and procedures used by phishers as they continually try to trip us up. There will be examples of current phishing emails to look over, and you’ll get an introduction to a solid method to sniff out phishing emails quickly.

Bring a sack lunch or grab something in Krannert before coming down to room 109. We’ll start as close to noon as possible and wrap up before 1PM.

There is no requirement to RSVP for this training session, but it is appreciated. You can do so by simply emailing infosec@berry.edu.

January News from Information Security

Welcome to this special “mid-January” monthly edition of news from Information Security!

With the students not returning to class until the 13th of the month, this edition was delayed to roughly coincide with their arrival. Also delayed are the security awareness posters, for those who get them and post them in their offices. If you would like to have security awareness posters to put on a departmental or office bulletin board or at “the watering hole” for your area, please email infosec@berry.edu and mention you would like to receive these on a monthly basis (and how many). They will normally be distributed at the first of the month, but again, for January, 2020, they will be distributed the week of the 13th.

I’ve already sent a couple of emails to faculty and staff this year, one about the new idle workstation lock policy that went into effect on the 6th of January, and another pointing to a post here urging everyone to be particularly vigilant in the next few weeks, and beyond, as tensions with Iran continue to build. It is assumed that part of Iran’s counterattack will be conducted in the digital realm. You can read the warning by clicking here.

On the topic of returning things, there will be a LunchITS scheduled toward the end of January. The topic will be account security, including information about usernames, passwords, password managers, and multi-factor authentication. If any of that sounds unfamiliar, then this LunchITS is for you. I will send out an email when the schedule is confirmed and you can always check the event calendar right here on the InfoSec News & Alerts site for future events. February will see the return of the phishing LunchITS and a brand new LunchITS geared toward a broader overview of security awareness.

Wait, what’s a LunchITS, you ask? LunchITS, which is short for “Lunch+Information Technology Security,” are one-hour training sessions, held during the lunch hour (12:00 noon – 1:00 PM) in Krannert, where you can come, with your lunch, and learn more about information security. You can pick up lunch at Krannert, or brown bag it. Just be prepared to learn while you eat. You’ll get information to take back with you, with all of the main points of the session included on the provided literature, for those of us who can’t eat and take notes at the same time.

Also coming up in January is Data Privacy Day, celebrated on the 28th of the month, which just happens to be a Tuesday, and Information Security will have a table in Krannert from 11:30AM until 1:00PM where you can drop by and ask questions, pick up information, and grab some gratuitously bad edible items. This event will also be on the event calendar on this site and an email will go out the day before to remind you.

Finally, coming soon to a computer or phone screen near you (probably on your desk or in your hand) is the next in-house written, filmed, and produced security awareness video. The intrepid Director of Information Security will help yet another would-be victim with their security awareness. As soon as it is ready, an announcement will go out over email and on social media.

On that topic, if you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the previously mentioned events calendar.

That’s it! Welcome back to a new year, everyone, whether you just got here or have been here for two weeks this year already.


Photo Credit – Photo by Glen Carrie on Unsplash

September News from Information Security

Welcome back, students!

Faculty and staff have been preparing for your return all summer. As we start another academic year, I want to bring to everyone’s attention some of the events and communications planned and coordinated by Information Security.

Security awareness posters will return to residence halls and offices next week. The original plan was to resume these in August, but with everything going on in preparation for the new academic year, the decision was made to wait until September.

Information Security will have a table in Krannert lobby one day a month to answer questions, provide informational materials, and (hopefully) snacks. Check the “Events” tab on the InfoSec News and Alerts website at infosec.berry.edu to see the schedule.

At least once a month there will be short training sessions offered during the lunch hour. These are called LunchITS. That’s Lunch + Information Technology Security. Bring a sack lunch or grab something in Viking Court and sit in on a fast-paced one-hour training session. Topics will vary, but include account security, passwords and password managers, how to spot phishing and scam emails, and general online safety and privacy. Again, check the “Events” tab on the InfoSec News and Alerts website to see the schedule for times and locations. All are welcome at these sessions.

Faculty, staff and students are all encouraged to request multi-factor authentication (MFA) be added to their Berry account. MFA is also called two-factor or second factor authentication (2FA) and is available for everyone. If you don’t know what that is, you can check out my May 2019 article here on the InfoSec News and Alerts site, which is all about MFA. Here is the exact URL – https://infosec.berry.edu/?p=209 or you can click here to go there now. You can request MFA be enabled on your account by emailing computing@berry.edu.

Speaking of MFA…Information Security encourages everyone to be vigilant at all times when handling unexpected emails. For the record, you will never be asked for your username and password via email or over the phone, and if you are, you should refuse and contact computing@berry.edu to report the incident. Also, the Office of Information Technology (OIT) will never ask you to log in to “fix” or “prevent deactivation” of your account. Any email like this is an attempt to steal your username and password. Again, please report these emails or phone calls. Emails can be reported using the “Report Email as Phishing” button in supported mail clients.

If you fall victim to one of these emails and your account is abused to send fraudulent emails or other activities, you will be required to use MFA on your account. You will also be required to complete a short training module on how to recognize phishing emails. OIT will be happy to assist you with the initial setup of MFA.

To raise your awareness of how to spot phishing emails, you can preemptively take security awareness training. There is training available for faculty, staff and students. Faculty and staff should email computing@berry.edu to request access to the security awareness training. Students can access this training by going to myapps.berry.edu and logging in using their email username and password. Click on the KnowBe4 Home Security app and install the secure sign-in extension when prompted. Once you have completed the install, click on the app again and it will request a password. The password to use is “homecourse”.

Finally, October is right around the corner and Berry will again be participating in National Cyber Security Awareness Month (NCSAM). The theme for this year is “Own IT. Secure IT. Protect IT.” There will be an email about a different information security topic each week of October, plus giveaways each week. Visit the InfoSec table in Krannert lobby each Tuesday in October to enter the weekly drawing.

That’s all for now.

Be Vigilant, Informed, and Conscientious!

Image by Pete Linforth from Pixabay

August News From Information Security

It’s August! Classes begin in just a few short weeks. This month’s newsletter is about staying safe online and covers a number of different topics, but first, here are some reminders and notices of things to come right here on campus.

Security awareness posters will return next week. On Tuesday, August 6th, departmental security awareness posters will be distributed. In September, both departmental and student posters will be distributed around the campus. There will be a chance to win a prize in September, so be sure to stay tuned.

The first LunchITS lunch-time training session was held on Thursday, August 1st. There will be more of these as the semester begins and all through the coming academic year. These lunch hour sessions cover various security awareness topics. The first topic was account security and it covered passwords, password managers, and multi-factor authentication. For those who couldn’t attend, it will be repeated during the fall semester, so there will be another chance to get this training.

Please consider requesting multi-factor authentication (MFA) for your Berry account and also consider using it for any other accounts you have that support it. It is easy to get MFA; just email computing@berry.edu and request it be enabled. You will also get information on how to set up and use it.

Many departments will be required to complete security awareness training related to the applicable laws, regulations, and constraints associated with their primary job responsibilities. You will be notified via email if you are required to take this training.

Please continue reading for tips on how to stay safe online.

Americans use 3,138,420 GB of internet data every minute of the day. It is safe to say that being online is now a way of life for many. Engaging in safe and secure online practices helps protect against the risks of living life on the internet.

Shopping, surfing, banking, gaming, and connecting Internet of Things devices such as toasters and refrigerators are some of the many actions performed each minute in cyberspace. These common everyday activities carry the cyber threats of social engineering to gain unauthorized access to data, identity theft, bullying, location tracking, and phishing, to name just a few. How can we decrease our risk from these cyber threats without abandoning our online activities altogether? Here are some basic online tips everyone can follow to help stay secure while online.

  • Set up alerts. Consider setting up alerts on your financial accounts. Many credit card companies and banks allow you to set up alerts on your accounts via their websites. These alerts range from sending you an email or text each time a transaction happens on your account to alerts when transactions meet or exceed a designated spending limit that you set. These alerts keep you in control of your accounts’ activities. They are useful because they make you aware of what’s going on with your account sooner than waiting for monthly statements would. When you receive an alert about a transaction that you did not authorize, you can reach out to the credit card company or bank immediately. Log in to your credit card company and banking websites to set up alerts on your accounts.
  • Keep devices and apps up to date. This familiar tip is useful even if you are just casually surfing the internet. Keeping your devices up to date (including apps and operating systems) ensures you have the latest security fixes.
  • Don’t use public Wi-Fi. In addition to an updated device, the network the device is connected to is also important. Did you have to enter a password to connect to a Wi-Fi network? If you did, that network is more secure than an open one that any device within range can connect to. Whenever possible, use a secure network, especially when banking or shopping online.
  • Consider using a VPN. VPN stands for virtual private network, and its main purpose is to provide a tunnel for encrypted internet traffic. If you are connected to the internet without using a VPN, your traffic is passed through the internet service provider’s servers. The location of your device is known, and if you must connect to a public Wi-Fi network, there is a risk of snooping by other devices on the same network. Connecting to a VPN encrypts your internet traffic and redirects it to a remote server, which reduces the snooping risk. There are many options for VPN software today for consumers and businesses. Do your research and decide which one makes sense for your online needs.
  • Create unique passwords. Here’s another familiar tip. Using the same password for many sites is not a best practice. Suppose that one of your accounts suffered a data breach and your password was exposed. If you reused this password on other accounts, it’s likely that someone would be able to access those accounts as well (especially if your user name is an email address). Consider using a password manager to manage all your passwords. Not only do these tools manage all your passwords, they can also create strong passwords and can even autofill your username and password as you go to websites on different browsers.
  • Be vigilant. Be aware that there are fake websites out there waiting to collect your valuable information. Make sure you are on a legitimate site by double-checking that the website address (URL) is spelled correctly. Also make sure you see a padlock and https:// in the URL; these show that the connection is encrypted, so check them in addition to the spelling of the address, not instead of it.

Remember that you are in control of your online activities. Following these security tips will give you peace of mind while online.