It is WAY past time for the September newsletter. My apologies for the tardiness of this post, but things have been busy. The timing of this newsletter is actually a bit fortuitous because of all the activity here in the Information Security department as we gear up for Cybersecurity Awareness Month which is... next month! Yes, October is Cybersecurity Awareness Month. More on that in a bit. What else have we been busy with? Phishing, phishing, and more phishing, plus attending to any issues that crop up with the Fall 2023 Cybersecurity Awareness training course, which, as a reminder, is mandatory for everyone to complete. More on both phishing and the training in a bit, also. September is such a great month! The semester is well underway, with classes moving along, fall sports happening all the time (and with great success), and all the other activities around campus. Those new to the campus are finding a groove and those returning are back in the routine. I hope your September has been going well.
Woo-hoo! Cybersecurity Awareness Month is almost here! Some of you will not be familiar with this annual event, so I want to provide some background. Cybersecurity Awareness Month started in 2004 as the National Cyber Security Awareness Month. You can see articles here on this site referring to this name or to the short version – NCSAM. The National Cybersecurity Alliance (NCA) along with the Cybersecurity and Infrastructure Security Agency (CISA) sponsors this month-long emphasis on cybersecurity. Berry has participated every year since 2014, with the exception of 2017. You can see all the articles presented during this month for each year under the “CAM” entry on the main menu of this site.
Each year there are four topics for the month; one for each week. The topics this year are:
- Use strong passwords and a password manager
- Turn on multifactor authentication
- Recognize and report phishing attacks
- Update your software
By learning about and following these four guidelines, you can improve the security of all your accounts, not just your Berry email account. There will be an article each full week of October, starting on October 2nd. The Virtual Scavenger Hunt is returning again this year. This search across the Internet will allow you to learn more about cybersecurity and be eligible for a drawing to win prizes each week and a grand prize at the end of the month. Information on how to join the hunt will be provided in the October newsletter. NCA has an all-new theme for Cybersecurity Awareness Month and you’ll see that in October also, both here on this site and on the weekly posters. I’m very excited to prepare all of this for another Cybersecurity Awareness Month. Come back here on October 2nd to get all the details.
Our next topic is phishing emails. They are constant, unrelenting, getting harder to spot, and more dangerous. The new phad in phishing (see what I did there?) is to use legitimate websites to launch phishing attacks, like sharing documents from Microsoft OneDrive, Google Docs/Drive, or other well-known sites. This gives the email a hint of legitimacy because we use Microsoft Office365 here on campus and lots of people have Google accounts where they can share documents. The phishing emails that come in claim that someone shared a document with you. Usually, it is someone that would be important to you – a boss, a coworker, or even the president of the college. Here are some tips to spot these new types of phishing emails. Some of these tips are fairly nuanced, a testament to the fact that it is getting harder to detect phishing emails.
- 99% of the time, the name of the sender in the From line does NOT match the person who allegedly shared a document with you. These generally should match. If the email is from “Sally Rider”, but the message says that President Briggs shared a document with you, this is probably not legitimate, especially if there is no “Sally Rider” with a Berry account.
- If the email claims a document has been shared with you and it is via Office365, check the lower right corner to see if the Berry logo is present. It should be. If a different logo is present, or no logo at all, this came from another institution or company or was simply faked.
- A lot of these phishing emails have an attachment. If someone actually shared a document with you, there is no need for an attachment, because you will access that document on the Office365 site, where it will remain, unless you download it.
- If the email states that this link works for anyone and you feel the contents are most likely sensitive, you should be suspicious.
- If you are already logged in, you should not have to log in again to access the shared document. If you got this far trusting the email and it asks you to log in to access it, you should instantly be suspicious.
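
For readers who triage reported messages, three of the tips above (sender name mismatch, an attachment on a share notice, and "works for anyone" wording) can be checked mechanically on the raw message. This is an added example, not Berry's tooling: the sample message, the wording patterns, and the title list are assumptions made for illustration. The logo and login-prompt tips are not visible in the raw message and still need a human eye.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
# Constructed sample (not a real email); names follow the newsletter's own example.
SAMPLE = """\
From: Sally Rider <sally.rider@example.com>
Subject: President Briggs shared a document with you
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

President Briggs shared a document with you.
This link works for anyone. Open the attached file to view it.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="document.bin"

placeholder
--b1--
"""

# Wording patterns and the title list are assumptions chosen for this example.
SHARE_RE = re.compile(r"^(?P<who>.+?)\s+(?:has\s+)?shared\s+(?:a|an|the)\s+\w+\s+with you", re.I | re.M)
ANYONE_RE = re.compile(r"works for anyone|anyone with (?:the|this) link", re.I)
TITLES = {"president", "dr", "prof", "professor", "dean"}

def name_tokens(name):
    return set(re.findall(r"[a-z]+", name.lower())) - TITLES

def share_notice_flags(raw):
    """Return red-flag ids for a raw message that claims a document was shared."""
    msg = message_from_string(raw, policy=policy.default)
    display_name, _addr = parseaddr(str(msg["From"]))
    part = msg.get_body(preferencelist=("plain",))
    text = f"{msg['Subject'] or ''}\n{part.get_content() if part else ''}"
    flags = []
    claimed = SHARE_RE.search(text)
    if claimed:
        # From display name should match the person said to have shared.
        if name_tokens(claimed.group("who")).isdisjoint(name_tokens(display_name)):
            flags.append("sender_name_mismatch")
        # A genuine share needs no attachment; the file stays on the site.
        if any(True for _ in msg.iter_attachments()):
            flags.append("attachment_on_share_notice")
    # "Works for anyone" links are suspicious when the content is sensitive.
    if ANYONE_RE.search(text):
        flags.append("anyone_link")
    return flags
```

A message that raises none of these flags is not thereby safe; the checks only surface the patterns listed above.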
Whew! That’s a lot of work, but we should always be striving to better our ability to spot phishing emails. The days of just looking for misspelled words, bad grammar, and other simple red flags are almost over. If you are curious what those simple red flags are, go check out the Quick Info page on Phishing, right here on this site.
Information Security will be testing the community on how well they can spot phishing emails. During the month of October (Cybersecurity Awareness Month, as mentioned already), there will be simulated phishing attacks against students, faculty, and staff. Be on the lookout for these “fake” phishing emails and report them. Everyone who reports a phishing email (real or “fake”) during October will be eligible for a drawing through which you can win a small prize. Everyone who falls for one of these “fake” phishing emails will... want to recheck the Quick Info page on Phishing and sharpen their skills.
Mandatory cybersecurity awareness training is still ongoing. The deadline to complete the training is November 10th. I encourage anyone who supervises student workers to allow them to complete the training during work hours, if time and tasks allow. I also encourage staff and faculty to complete the training as their schedules allow. The course is designed to take 20-25 minutes at most and you do not have to complete it all in one sitting. Reminders to complete the course will start going out very soon and repeat until the deadline or until the course is completed, whichever comes first. If you don’t want to be nagged with reminders, simply complete the course. If the link in your email has expired, you can always just go to https://myapps.berry.edu, log in, and click on Berry Security Awareness, or go to https://berry.litmos.com and click on the “Sign in with your Berry account” link on the left side of the page. DO NOT attempt to put in your username and password... this will not work.
One last thing before I wrap this up. If you reported a phishing email in the month of August, I will be holding the drawing for the monthly prize in the next couple of days. I’ll notify the winner via email and set up a time and place to award them their prize. Be sure to not send my email to Junk or report it as a Phish…!
All Berry students, faculty and staff have MFA enabled on their Berry account, and you should use it in the most secure way via the Microsoft Authenticator app on your smart phone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn MFA/2FA on everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.
Please continue to report those phishing emails! We are holding a drawing every month for a small prize and all you need to do to enter the drawing is to report a phishing email.
If I’m not covering a topic of cybersecurity you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically Information Security, will be provided using these outlets. If you are not into social media, you can also subscribe to get updates via email. Just use the link available in the right-hand sidebar on the website.
Check out https://support.berry.edu for more information about OIT and the services we provide. You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the events calendar where events will be posted.
Food For Thought
We’re going back to YouTube for an interesting story about copyright law and specifically why you can’t use pictures of the Eiffel Tower at night for commercial purposes. Who knew?