NCSAM Week 3 – Identifying Sensitive Data, Spotting Phishing Emails, Cleaning Your Digital House

Welcome to week 3 of National Cyber Security Awareness Month!

We’re already more than halfway through October. Halloween approaches!

I know most of you students will not read this until Wednesday at the earliest. Who wants to spend Fall Break time reading about Cyber Security Awareness? Just kidding! YOU should!

This week we are discussing how to identify sensitive data (own IT), how to spot phishing emails (secure IT), and how to clean up your digital data (protect IT). This post will be a little longer than most, so bear with me. Following along with our car and/or bike maintenance theme, we have to know how to spot trouble with our car, like not ignoring those yellow lights on the dashboard,or that weird shrieking noise it makes when you start it up, or the squealing sound when you touch the brakes. With our bike, we have to be more…manual, and proactive. Always check the tires and chain before starting a ride, and inspect our brake pads to make sure they are working. If something is squealing on our bike, we should probably just stop and check it out. Sorry…I didn’t mean to fall too far down the analogy rabbit hole there.

To properly “own our IT”, we have to know – What is sensitive data? It is any data about a person, or entity, that is potentially exploitable or possibly damaging. Some sensitive data is defined by law. There are dozens of alphabet soup laws, regulations, and standards with  which we have to comply. Some of these are: PCI-DSS, HIPAA, FERPA, GLBA, GDPR, and so many more. If you don’t know what any of those are, Google is your friend, but we can discuss the impact of these laws, regulations and standards without knowing exactly what they are. For example, the college is required to comply with HIPAA to protect employee and student medical records. It must comply with FERPA to protect student information and with PCI-DSS to protect credit and debit card information. But what is this information?

A short list includes, names, addresses, credit card numbers, medical diagnoses, grades, academic status, classes taken, location, and account numbers. Not all of these information items are covered by all of the laws, regulations, and standards, but a subset of them are covered in almost every one. They are referred to as PII (personally identifying information), PHI (personal health information), or other acronyms. The penalties for not protecting this data range from monetary fines to loss of institutional accreditation, to the inability to accept credit and debit cards as payment options. Any of these penalties would be bad, but arguably the worst result would be the loss of a good reputation for the college.

The college offers training to faculty, staff and students whose jobs involve dealing with sensitive information. Ask your supervisor if your job involves handling sensitive information. If so, ask for training. Information Security will provide it, just email us at infosec@berry.edu.

Part of securing sensitive data, particularly usernames, passwords, and financial information is learning to spot phishing emails and other social engineering attempts. Phishing emails are getting more sophisticated every day and target phishing, sometimes called “spear-phishing” is now on the rise. Because of the inordinate amount of data collection and aggregation in use by many companies, and data breaches that expose this information, more and more information is available to scammers for use in crafting emails that are convincing and appropriately targeted, it is getting harder and harder to tell real emails from fraudulent ones. Here is a short list of things to watch out for when evaluating an unexpected (virtually 100% of phishing emails are unexpected in some way) email.

• Misspelled words, poor grammar, odd word choices, and improper punctuation are all signs of a potential phishing email
• Emails promising large sums of money or informing you that you won a lottery you didn’t know existed are common ruses – everybody likes more money.
• Urgent deadlines, threats of loss of accounts or access to files, late fees, penalties, are all designed to force you to make a bad decision.
• The government (local, state, or federal) will never send you notice of impending actions via email. That notice from the IRS about a rebate or worse, a penalty can generally be ignored.
• Any request for your username and password, whether by email or phone call, or any other communication channel is always fraudulent.
• Phishing emails frequently ask you to click on a link to do everything from “confirm your details” to download a document that has “important information” in it. Don’t follow links in suspect emails. If the phisher got lucky and tries to impersonate a company you have an account or do business with, go to the site directly in a new browser window (meaning, don’t click the link!), log in, and check your account. If the company has an important message for you, it will be here.

Let’s assume you clicked on a link (reminder – don’t do that). How do you know if the page in your browser that is now requesting your username and password is legitimate?

• Check the address bar to make sure the site is secure.
• Check the address in the address bar to make sure it is correct.
• Does the page look familiar?
• Are there typos on the page?
• Do logos and images look out of place?

In the end, ask yourself these two questions with every email

1. Is this email or phone call asking for my password or other login information?
2. If I clicked on the link (reminder – just don’t) did it bring me to a login page?

If the answer is YES to either question, then there is a good chance you are being phished.

Check these resources to test your eye for spotting phishing emails and fraudulent login pages:

OpenDNS’s Phishing Quiz – This tests your ability to verify correct web addresses

Jigsaw/Google Phishing Quiz – This one is fairly difficult, but explains each phishing clue

Accellis Phishing Quiz – You have to scroll a bit, but it’s a good test

Now let’s talk about protecting your IT (and yourself) by cleaning out your digital file cabinet. Sometimes we “temporarily” store a password for an account in an unsafe way, like in a photo on a smartphone, or even in a text file or note-taking app. Other times we keep information about financial transactions, tax returns, and other potentially dangerous data around for way too long. We keep so much stuff these days we have no idea what we have anymore. Take time for a quarterly cleaning. Every time the season changes (which I admit is sometimes a moving target here in the South), take time to do the following:

• Go through the photos on your phone, or sort through them on a laptop or desktop if they are stored in cloud storage service. Get rid of any of those “temporary” pictures you were going to delete anyway. This is also a good opportunity to take a look at what you have captured on your phone’s camera and delete any potentially embarrassing or even incriminating photos. Hey, we’re all human!
• Sort through your files stored in cloud storage services like iCloud, Google, Dropbox, and others to see if there is anything you don’t need anymore. It’s best to just delete these files, as you generally pay by the gigabyte for cloud storage. If you don’t need it, why keep it, especially if it is sensitive information?

Finally here is another funny video by Habitu8 about phishing, or, in this instance “vishing”, phishing via a phone call and more specifically this type of attack is called, as the title says, a CEO scam. Check it out – CEO Scam by Habitu8 – You’ll want  to pause the final screen with tips on how to avoid this scam, unless you are a speed reader.

Thanks for reading all of this! Check the site next week for the new NCSAM article and check the site often for breach announcements, current phishing scams, and more.