Welcome to all the students who have joined us at Berry since the last newsletter! I hope your fall semester has started off well, and that it continues to be good. As I usually do in this first newsletter of the academic year, I’m going to stick to the basics. I’ll introduce the Office of Information Security first, then we’ll discuss everybody’s favorite topic – passwords and multi-factor authentication. We’ll discuss the wide variety of phishing emails we are seeing here, and then I want to give you a sneak peek at the upcoming Cybersecurity Awareness Month activities, coming in October.
First, I want to say that the Office of Information Security is excited to have everyone back. If you are unfamiliar with what we do, please go check out the rest of this site. There are a number of resources you can take advantage of to grow your knowledge of information security, or as we generally call it, cybersecurity. Our primary functions are to raise the cybersecurity awareness of the community and safeguard our systems and data. We do this by educating faculty, staff, and students on cybersecurity awareness and by working with college departments to facilitate secure processes and procedures. Enough about us.
Let’s talk about passwords. All of you (for you students, probably from birth) have had to deal with passwords. Every account, web site, and app seems to require us to authenticate ourselves and prove who we are. While this can be annoying, it is a good thing. There’s LOTS of information about you “out there” on the Internet. Some of it you put out there on social media sites, and some of it is simply collected about you and then used to target you with advertising. Advertising is the life blood of the Internet, but that is a topic for another day.
Let’s talk about passwords and some tips for creating strong passwords. Strong passwords are long. Strong passwords include letters (upper and lower case), numbers, symbols, and even spaces when acceptable. The minimum password length for your Berry password is 14 characters and it cannot include part of your username. There are other recommendations for strong passwords and tips on creating them right here on this site at this Quick Info page.
One tip you won’t actually see on that page is that passwords should be unique. Every account you have should have its own password. If you have thirty accounts, you should have thirty different passwords. I would bet that many of you have more than that. Do you reuse the same password? Do you have a couple of “good” passwords that you use? Don’t do that…use a unique password for every account.
But how, you will ask, do I remember that many passwords? The simple answer is – you don’t. Use a password manager that can remember them for you. That way, the one super-duper strong password that you do know can be the master password that unlocks all of the other passwords in your password manager. To find out more about this, check out this Quick Info page.
Finally, you probably have figured out that you need more than a password to access your Berry account. You need what is called a second factor. We highly recommend using the Microsoft Authenticator on your smartphone, as this is the most secure way to do this. You can also use the same app to authenticate to any site that uses Google Authenticator. And you should, but that is also a topic for another newsletter.
We’re all old enough to remember when it was just spam we had to filter out of our email inboxes, either using filters or manually deleting them. Now, we still have spam but we also have phishing emails. These are emails that are designed to steal usernames and passwords, or trick you into visiting a malicious site or opening a malware-infected document. They come in all guises, from offers for easy remote jobs to “warnings” about expiring passwords, to fake notices of purchased goods or failed deliveries. The criminal actors behind these emails even use legitimate sites, like Google Docs, Microsoft SharePoint and OneDrive, and mass email providers to send out their lures.
Over the past few weeks, we have seen the following types of phishing emails:
- Fake notices from “HR” about salary or insurance changes. Many of these were notices about “salary reductions” or changes in coverage.
- Fake password reset warnings. Thankfully, most of them used the one phrase that is an instant tip-off that it is a phishing email – “Keep Same Password” or some variant of that. If we, meaning the Office of Information Technology, send you a password expiration notice, we will NEVER allow you to keep the same password.
- Other phishing emails would “thank” you for purchasing a product or service you did not purchase. These phishing emails are somewhat unique in that the only way to respond to them is via a phone call (not that you should ever respond to them). The goal is to get you on the phone and convince you that this purchase actually happened, then initiate some complicated refund process that ultimately steals your money.
- Another unique one we have gotten a lot lately – the “free piano” scam. This is a payment scam. There is never any piano, just a criminal trying to steal your money to deliver the nonexistent piano.
You can and should report any phishing or suspect emails you receive using the “Report Email as Phishing” button. The button isn’t actually labeled this way right now, as it is misbehaving, but it says “Phish Alert Report”. We are working on fixing the label. It will, eventually, say “Report Email as Phishing”. This button is available in the Outlook application, on the webmail interface at mail.berry.edu, and on the Android and iPhone Outlook apps. On the web and mobile apps, it is available under the “three dots” menu when viewing an email.
One more tip before we move to the next topic. Emails that come from “outside” of Berry will have a yellow banner in the message stating that fact. Use that to help you determine if an email is real or is phishing, but don’t depend entirely on that banner. Learn to spot the red flags of a phishing email. You can find those here, on this Quick Info page.
Finally, once we blaze through September (which we inevitably will), it will be October and Cybersecurity Awareness Month! Yay! We’re excited to celebrate this with everyone again this year. As in the previous two years we will have a virtual scavenger hunt that lasts the entire month. We are also planning (fingers crossed) to have an information table in Krannert where you can come and ask questions, pick up information, and grab some candy. We used to do this every October for Cybersecurity Awareness Month, but the COVID years put a stop to this. Hopefully, we’ll be back. More details in the next newsletter.
This year we will explore four primary topics, or more precisely, behaviors…one for each full week of October. Those are:
- Enabling multi-factor authentication. This is already done for your Berry account, but you should do this for all of your sensitive accounts, including banking, medical/insurance services, social media, etc. This is where the Microsoft Authenticator (and a good password manager) can help you.
- Using strong passwords and a password manager. We’ve already discussed this in this newsletter and we’ll talk more about it during Cybersecurity Awareness Month.
- Updating software. It is essential to keep software updated. Your applications can be used against you, as can your mobile device and your computers, so you should keep them updated also.
- Recognizing and reporting phishing. Many of you get the first part done, but it is imperative that you also report phishing attempts so we have an idea of what kinds of lures the phishers are using and can inform the community.
Again, students, welcome to Berry, or welcome back to Berry! We’re excited you are here and hope to inform and entertain you through this academic year.
As mentioned before, you all have MFA enabled on your Berry account, and you should use it in the most secure way via the Microsoft Authenticator app on your smartphone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn MFA/2FA on everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.
If I’m not covering a topic of cybersecurity you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically Information Security, will be provided using these outlets. If you are not into social media, you can also subscribe to get updates via email. Just use the link available in the right-hand sidebar on the current posts page.
You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the events calendar where events will be posted, like Cybersecurity Awareness Month.
Food For Thought
This one is NOT an embedded video link. It was supposed to be.
I don’t normally do this, so I hope it works…some of you may have already seen it.
Think about this – How good we would all feel if we could just do this every now and then…?
Featured Image: Photo By Matthew McConnell/Berry College