January News from Information Security

Welcome to 2021! Let’s hope it goes better than 2020.

Welcome back to campus. I hope everyone had a good holiday, stayed healthy, and is ready to charge through the spring semester. As you attempt to settle back in, I encourage you to take the time to reacquaint yourself with basic information security awareness.

In the fall, the college acquired a new training platform for security awareness. The content on this platform is authored by some of the foremost security experts on the planet. This group, known as the SANS (SysAdmin, Audit, Network, and Security) Institute, is the largest source for training and security certification in the world. They manage the Internet Storm Center, billed as “the Internet’s early warning system”, along with in-depth training and certification.

The new platform provides us with a rich set of training courses, supplemental materials, and course management options. Use of the platform is open to anyone in the active community of students, faculty, and staff. Courses for basic security awareness take about half an hour to complete, with some courses centered around specific topics such as FERPA, HIPAA, or PCI-DSS compliance taking up to an hour. You can request access to the platform by sending an email to infosec@berry.edu and stating you want access to the security awareness platform, or by filling out the training access form found here.

By choosing to take security awareness training, you can help the college fend off attackers, but, equally importantly, you can learn how to protect yourself, your home networks, your devices, and your various Internet accounts. It has never been more important to be aware of the tactics, techniques, and procedures attackers use to try and gain access to your devices and accounts. With COVID-19 came challenges to how we work, socialize, and live life, but along with those challenges came additional, and more potent, attacks by the Internet bad guys. Not a day goes by without some phishing email landing in someone’s email inbox, or a text on a phone, or even a voice call, all attempting to separate you from your money, your accounts, and your peace of mind.

Courses on the platform include general security awareness as well as dedicated courses on phishing, account management, safe browsing, passwords and password managers, and device management. Once you are on the platform, you can choose to complete any or all of these courses.

There are also, as mentioned before, courses that target specific compliance and regulation topics. Some of you may be required to take one or more of these courses as part of your job responsibilities. If so, you will be notified via email and be given ample time to complete the training.

The last thought in relation to this topic is this: in an effort to raise the security awareness of the entire community, we are looking to make security awareness training a regular part of everyone’s routine. The frequency of training is being discussed, but it is likely to be conducted at least annually, if not biannually. This is not designed to torture you, or simply add to your workload, but to help you be vigilant, informed and conscientious in your everyday work. The SANS training starts with a module called “You Are The Shield”, emphasizing your role in being the first line of defense against attacks on the college that attempt to bypass our security technology by attacking you directly, via social engineering. We hope that by regularly providing training to you, you will be the shield.

Don’t forget, if you are not currently using multi-factor authentication (MFA), you will be sometime in the spring semester. We are continuing to roll MFA out to everyone on a schedule, but if you want MFA faster, please email computing@berry.edu and inform them you want MFA enabled on your account. You can find more information about MFA here, and you can find information on how to set up MFA in this document.

If you are depending on Zoom to conduct classes or work, be sure to check out the Zoom resources document provided here for tips and information on how to effectively and safely use Zoom.

Finally, Data Privacy Day is January 28th. Data Privacy Day is an international effort to promote the respect of privacy, safeguard data and enable trust. According to Stay Safe Online, a project of the National CyberSecurity Alliance,

“Millions of people are unaware of and uninformed about how their personal information is being used, collected or shared in our digital society. Data Privacy Day aims to inspire dialogue and empower individuals and companies to take action.”

What action? The first and foremost goal is to manage your privacy and security settings for all your accounts. This page, on the staysafeonline.org site, shows you how to manage your settings on many popular devices, accounts, and services. Go there first to secure your accounts and devices, then share the link with your family and friends so they can do the same.

As you are securing your accounts, if you notice any settings that you feel should be different or default to safer values, let that website or service know. There is little incentive for these companies to change their practices if no one complains about them. There should be a contact form on most sites, but if not, sending to support@whatever.site will usually get your feedback to the right place. Be sure to use the correct site address, e.g. support@facebook.com for Facebook.

Also on Data Privacy Day, which is a Thursday, I will be offering a lunchtime training event via Zoom which will cover passwords and password managers. Having a strong and unique password for every account you have is the first step in securing your data and making sure it stays private. You can sign up for the class by going to the Events calendar on this site and clicking on the event on January 28th. There will be a sign up/RSVP (Going) button once you open the event.

Look for a new Virtual Scavenger Hunt in February. It will run the week leading up to Valentine’s Day. The grand prize will be…somewhat Valentine’s Day themed. More details in the February newsletter.

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me.

Food for Thought

Featured Image: Photo by Waldemar Brandt on Unsplash

Cartoon courtesy of XKCD.com

Permalink for cartoon https://xkcd.com/2391/

November News from Information Security

We did it! We made it through October and Cybersecurity Awareness Month. I want to thank everyone who read the weekly articles, checked out the posters, and participated in the Virtual Scavenger Hunt. I want to congratulate Hanna Popa for her successful completion of the hunt and her luck in winning the Monster Clarity 102 AirLinks ear buds. She was one of the eight who completed the entire hunt out of the thirty-three who attempted some part of it.

If you enjoyed the hunt, or you missed it, but heard great things about it and wished that you had participated AND would like us to hold another one, just email infosec@berry.edu and tell us. While you’re at it, let us know what information security topics you would like to see addressed here in articles or quick tips or even live (via Zoom for now) training sessions.

Speaking of live training, here in November there will be another opportunity to attend (via Zoom) live one-hour-ish lunchtime training on account management, covering everything from picking good passwords to using password managers, to enabling multi-factor authentication on all your accounts, particularly your Berry account. The event will be posted to the Event Calendar this week, once a final decision is made on the exact date, so check it out and sign up.

Our primary topic for this month is multi-factor authentication or MFA. MFA is now required for all Berry accounts and the Office of Information Technology (OIT) is rolling it out in phases. You will receive, if you haven’t already, an email detailing when MFA will be enabled on your account and how to set it up. The Network Operations group is holding training on MFA setup via Zoom, so if you have issues with the setup, be sure to attend. Details should be in the email you receive.

Why are we requiring MFA? You could potentially blame it on the coronavirus or COVID-19, but our attempts to require MFA had been in the works for many months before the virus hit our community. MFA places another layer of security on your Berry account, preventing someone who guesses or steals your password from accessing your account. It does this by requiring a second piece of evidence or a second “factor” in addition to your password to prove that you are you. That factor could be a fingerprint, or a temporary six-digit code texted to you or found in an app on your smartphone. In our case, the default second factor is just an approval via an app on your smartphone.

With MFA enabled, when you log in to your account, you will be required to enter your password, then a notification will pop up on your phone asking you to “approve” or “deny” the login request. You just touch “approve” if you are attempting to log in, or “deny” if you see a request when you haven’t tried to log in to your account. Without this second factor, the approval, or if you deny the login attempt, the login fails and the incident is logged so OIT can follow up and mitigate any potential threat to your account. This protects not just your email, but any web-based service you use here at Berry, from VikingWeb to the financial aid portal to the health center portal, so it is vital MFA is enabled on your account.

We’ve mentioned Zoom twice already in this newsletter, and we’re going to circle back to it now. One of the most critical aspects of using Zoom effectively is securing your Zoom sessions from “zoombombers” and others that wish to disrupt sessions. We depend on Zoom far too much these days, so we want to offer some information about how to properly secure your Zoom sessions.

Here is a Zoom document that discusses most of the security settings for Zoom. Don’t be daunted by the fact it is twelve pages long; there are pictures and cover pages and large type galore. Here are the high points, in a simple list:

      • Use the waiting room feature if your meeting is not too large. This lets you control who actually gets into the meeting, albeit manually.
      • Use a passcode for all meetings and use randomly generated meeting IDs, NOT your personal meeting ID.
      • Only allow registered users to attend. Be careful with this setting, but it is useful if done correctly.
      • Lock your meeting. Once everyone who is supposed to attend has arrived, you can lock the meeting to prevent anyone else from joining.
      • Know how to manage users during the meeting. Understand the settings to control screen sharing, mute everyone, remove participants, and configure chat and annotation to prevent abuse.

Our current environment can prove difficult to navigate at times, but making sure you know how to manage a Zoom session will go a long way to make sessions requiring Zoom effective and secure.

One last thing before we wrap up. I want to encourage you to report ALL phishing emails you receive, using the “Report Email as Phishing” button available in the email browser interface (https://mail.berry.edu), on mobile devices using the official Outlook mobile client, and on the desktop using Outlook 2016 (Click-to-run version only) or Outlook 2019 (all versions). Doing so will help OIT protect the community by mitigating dangerous phishing emails identified by you, our first line of defense against phishing.

I normally wrap up the newsletters with a pitch for you to sign up for MFA, and I still encourage you to do so, but if you don’t, understand you will be required to use MFA at some point in the next few weeks. If you’d like to get ahead of the curve, request MFA for your account by emailing computing@berry.edu.

Photo Credit: Photo by Plann on Unsplash

October News from Information Security

October is here! Did you know there are 190 official and unofficial “days” in October? I know, there are only 31 actual days, but many days are workhorses, serving as “the day” for multiple celebrations, from National Pumpkin Day to World Animal Day to the International Day of Non-violence. More immediately on many of our minds here at Berry, Mountain Day is around the corner, along with long-sleeve weather. October is also the height of “pumpkin spice everything”, and…Cybersecurity Awareness Month!

Yes, it’s Cybersecurity Awareness Month! Let’s just call it CAM. It used to be called National Cyber Security Awareness Month or NCSAM, but it is observed internationally now. You can find out about our planned topics on the CAM 2020 page. There will be weekly articles as well as a month-long virtual scavenger hunt…and prizes…and candy…and learning! Head over to the CAM 2020 page to check it out after you finish reading this article. Come on, stay focused here! There will be another link at the bottom of the page.

As already mentioned, look for weekly articles on various security awareness topics posted right here each Monday of October. They, along with the security awareness posters on all the residence hall bulletin boards and in Krannert, will be essential to completing the scavenger hunt. You might be asking yourself, why burn 5-10 minutes of time each week in October tracking down scavenger hunt items? Because everyone who completes the scavenger hunt will be eligible for a drawing for the grand prize of a pair of Monster Clarity 102 AirLinks Wireless Ear Buds.

As a part of CAM, the Office of Information Technology (OIT) is strongly urging everyone to sign up for Multi-Factor Authentication (MFA) for their Berry account (and all other accounts you have, but we are particularly concerned with your Berry account). MFA brings another level of security to your account and can protect you if the password for your Berry account is exposed. The setup is easy, and you’ll be able to keep your Berry account password for an entire year, assuming it does not get exposed. Email computing@berry.edu and let them know you want MFA. MFA will be required for all current students, faculty, and staff soon, so you should beat the rush and get signed up now!

In addition to encouraging everyone to sign up for MFA, OIT is also encouraging everyone to sign up for security awareness training. OIT is implementing a brand new security training platform and we want as many as possible to experience the new system. While we will continue to focus on specific training for now, we are looking to expand the system to accommodate everyone as soon as we can. More details will be provided, either in one of the CAM 2020 weekly emails or the November monthly newsletter.

There are other ways to participate in training. You can attend a one hour, Zoom-based, focused training on phishing emails or passwords and password managers, or request one-on-one training on a particular topic. Since the theme for CAM is “Do Your Part – #BeCyberSmart” we encourage you to develop your cybersecurity “smarts” in whatever way fits your schedule and goals.

If, after reading the CAM2020 page and looking over the rest of the website, you think I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the calendar where events will be posted and you can register for these events.

The Berry CAM2020 page

Go directly to the scavenger hunt page! This link will not be active until Monday, October 5th, 2020, at 8:00 AM.

Featured Image: Photo by Joanna Kosinska on Unsplash

August News from Information Security

Welcome to the intentionally delayed August Information Security newsletter. I wanted to release this in conjunction with everyone returning to campus. First I want to welcome all our new faculty, staff and students as we begin this most interesting journey into the fall semester. I also want to welcome all the returning faculty, staff, and students who have been in various ways preparing feverishly (uh, maybe that’s not a good metaphor) striving earnestly for the start of classes.

You all have been inundated with safety information in relation to the coronavirus, COVID-19, or whatever name you want to use (I will simply use “virus” in this newsletter) to describe the virus that has upended our lives in such a profound way. I hate to be one to pile on, but in addition to the virus itself, all kinds of bad actors are afoot attempting to fool you into clicking on malicious links, submitting sensitive information, even giving up your passwords, many of them preying on the chaos caused by the virus. Please be extremely vigilant with any unexpected emails, and treat all email, at this point, with caution.

Internet criminals have no qualms about using any leverage they can to trick you. One of the latest ploys involved criminals spoofing the Small Business Administration loan relief website to try and steal information from you. Fake websites with false information about cures for the virus and government relief programs are rampant. Be very careful surfin’ the net out there.

I have some news concerning the InfoSec News and Information site (this site you are reading this article on). For the new folks (and even for returning folks who have never visited the site before), this site has a brand new look and feel. The style has moved from looking like a website from the early 2000s to now looking at least “2017ish”. I hope you like the new format and the easier navigation.

A downside to all this progress is that the transition has left the site without an events calendar, at least temporarily. I am looking for a new one and hope to get that squared away soon. Events will necessarily look a lot different for a while, but I hope to conduct some LunchITS training sessions this semester, via Zoom, of course, and I will continue to create and share new security awareness training videos. Keep checking back to see when the new events calendar shows up.

Also coming soon to the site is a “phishbowl” where you will be able to view examples of phishing emails so you can know what to look out for and also see just how desperate some people are to try and scam you. This should debut in the next week or so and will be accessible from the main page of the site.

I will, of course, continue to post warnings about phishing emails and notices about other information security topics. It will all be accessible here on the site, so bookmark it and check it regularly.

Here are some reminders (or “new information” for some of you)…

If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and (eventually) the events calendar will return, where events like LunchITS training sessions and other opportunities can be found.

LunchITS – A Phishing Expedition

If the tsunami of phishing emails hitting the campus recently is causing you to doubt your ability to discern them, or you know you’re swamped and need a life preserver, come to Krannert 109 this Thursday, February 13th, at noon to go on a phishing expedition!

Director of Information Security, Dan Boyd, will go over obvious and not-so-obvious ways to spot phishing emails. He’ll discuss the current tactics, techniques, and procedures used by phishers as they continually try to trip us up. There will be examples of current phishing emails to look over and you’ll get an introduction to a solid method to sniff out phishing emails quickly.

Bring a sack lunch or grab something in Krannert before coming down to room 109. We’ll start as close to noon as possible and wrap up before 1PM.

There is no requirement to RSVP for this training session, but it is appreciated. You can do so by simply emailing infosec@berry.edu.

January News from Information Security

Welcome to this special “mid-January” monthly edition of news from Information Security!

With the students not returning to class until the 13th of the month, this edition was delayed to roughly coincide with their arrival. Also delayed are the security awareness posters, for those who get them and post them in their offices. If you would like to have security awareness posters to put on a departmental or office bulletin board or at “the watering hole” for your area, please email infosec@berry.edu and mention you would like to receive these on a monthly basis (and how many). They will normally be distributed at the first of the month, but again, for January, 2020, they will be distributed the week of the 13th.

I’ve already sent a couple of emails to faculty and staff this year, one about the new idle workstation lock policy that went into effect on the 6th of January, and another pointing to a post here urging everyone to be particularly vigilant in the next few weeks, and beyond, as tensions with Iran continue to build. It is assumed that part of Iran’s counterattack will be conducted in the digital realm. You can read the warning by clicking here.

On the topic of returning things, there will be a LunchITS scheduled toward the end of January. The topic will be account security, including information about usernames, passwords, password managers, and multi-factor authentication. If any of that sounds unfamiliar, then this LunchITS is for you. I will send out an email when the schedule is confirmed and you can always check the event calendar right here on the InfoSec News & Alerts site for future events. February will see the return of the phishing LunchITS and a brand new LunchITS geared toward a broader overview of security awareness.

Wait, what’s a LunchITS, you ask? LunchITS, which is short for “Lunch+Information Technology Security”, are one-hour training sessions, held during the lunch hour (12:00 noon – 1:00 PM) in Krannert, where you can come, with your lunch, and learn more about information security. You can pick up lunch at Krannert, or brown bag it. Just be prepared to learn while you eat. You’ll get information to take back with you, with all of the main points of the session included on the provided literature, for those of us who can’t eat and take notes at the same time.

Also coming up in January is Data Privacy Day, celebrated on the 28th of the month, which just happens to be a Tuesday, and Information Security will have a table in Krannert from 11:30AM until 1:00PM where you can drop by and ask questions, pick up information, and grab some gratuitously bad edible items. This event will also be on the event calendar on this site and an email will go out the day before to remind you.

Finally, coming soon to a computer or phone screen near you (probably on your desk or in your hand) is the next in-house written, filmed, and produced security awareness video. The intrepid Director of Information Security will help yet another would-be victim with their security awareness. As soon as it is ready, an announcement will go out over email and on social media.

On that topic, if you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the previously mentioned events calendar.

That’s it! Welcome back to a new year, everyone, whether you just got here or have been here for two weeks this year already.

Photo Credit – Photo by Glen Carrie on Unsplash

 

 

September News from Information Security

Welcome back, students!

Faculty and staff have been preparing for your return all summer. As we start another academic year, I want to bring to everyone’s attention some of the events and communications planned and coordinated by Information Security.

Security awareness posters will return to residence halls and offices next week. The original plan was to resume these in August, but with everything going on in preparation for the new academic year, the decision was made to wait until September.

Information Security will have a table in Krannert lobby one day a month to answer questions, provide informational materials, and (hopefully) snacks. Check the “Events” tab on the InfoSec News and Alerts website at infosec.berry.edu to see the schedule.

At least once a month there will be short training sessions offered during the lunch hour. These are called LunchITS. That’s Lunch + Information Technology Security. Bring a sack lunch or grab something in Viking Court and sit in on a fast-paced one hour training session. Topics will vary, but include account security, passwords and password managers, how to spot phishing and scam emails, and general online safety and privacy. Again, check the “Events” tab on the Infosec News and Alerts website to see the schedule for times and locations. All are welcome at these sessions.

Faculty, staff and students are all encouraged to request multi-factor authentication (MFA) be added to their Berry account. MFA is also called two-factor or second factor authentication (2FA) and is available for everyone. If you don’t know what that is, you can check out my May 2019 article here on the InfoSec News and Alerts site, which is all about MFA. Here is the exact URL – https://infosec.berry.edu/?p=209 or you can click here to go there now. You can request MFA be enabled on your account by emailing computing@berry.edu.

Speaking of MFA…Information Security encourages everyone to be vigilant at all times when handling unexpected emails. For the record, you will never be asked for your username and password via email or over the phone, and if you are, you should refuse and contact computing@berry.edu to report the incident. Also, the Office of Information Technology (OIT) will never ask you to log in to “fix” or “prevent deactivation” of your account. Any email like this is an attempt to steal your username and password. Again, please report these emails or phone calls. Emails can be reported using the “Report Email as Phishing” button in supported mail clients.

If you fall victim to one of these emails and your account is abused to send fraudulent emails or other activities, you will be required to use MFA on your account. You will also be required to complete a short training module on how to recognize phishing emails. OIT will be happy to assist you with the initial setup of MFA.

To raise your awareness of how to spot phishing emails, you can preemptively take security awareness training. There is training available for faculty, staff and students. Faculty and staff should email computing@berry.edu to request access to the security awareness training. Students can access this training by going to myapps.berry.edu and logging in using their email username and password. Click on the KnowBe4 Home Security app and install the secure sign-in extension when prompted. Once you have completed the install, click on the app again and it will request a password. The password to use is “homecourse”.

Finally, October is right around the corner and Berry will again be participating in National Cyber Security Awareness Month (NCSAM). The theme for this year is “Own IT. Secure IT. Protect IT.” There will be weekly emails about different information security topics each week of October, plus giveaways each week. Visit the InfoSec table in Krannert lobby each Tuesday in October to enter the weekly drawing.

That’s all for now.

Be Vigilant, Informed, and Conscientious!

 

 

Image by Pete Linforth from Pixabay