October News from Information Security

October is here! The weather is changing, classes are almost half-completed, Mountain Day is coming fast, and it is Cybersecurity Awareness Month! It’s that time of year to take a few minutes to examine our behaviors and awareness level, complete some training, go on a digital scavenger hunt, and maybe win some prizes! In addition to three more articles covering cybersecurity awareness topics this month, there is yet another scavenger hunt, open to students, faculty, and staff, where you will dive into topics related or adjacent to cybersecurity, solve the clues, and maybe end up with a Sony Bluetooth speaker or some other cool gizmo.

As this is week 1 of Cybersecurity Awareness Month (CAM), there are two cybersecurity awareness topics we will cover in this newsletter. Also, it is time for our fall edition of cybersecurity awareness training, so there’s information about that included below. I’ll explain one of the new features of our new cybersecurity awareness training platform, which is in addition to the new training format. I’ve also included all of the details about the scavenger hunt. Keep reading to know more!

No discussion about cybersecurity awareness is complete without discussing strong passwords and the tools needed to manage them – password managers. We all should understand by now that a strong password is long, contains a diverse set of characters (upper and lower case letters, numbers, symbols, and even spaces), and is not based on dictionary words, our pet’s name, our favorite sports team, or any other identifiable information. However, a strong password is also a little bit like that dollop of butter or mayo or other tasty spread you put on a slice of bread. The more you spread the dollop out, the thinner, more fragile, and more exposed the bread underneath it becomes. Passwords are meant to be used for only one account. Every account needs a unique password. The more you reuse a password, the greater the chance that some company will have a breach exposing that password. Once that happens, every account you have used that same password with is now vulnerable.

The common reaction to this information is, “But how can I remember so many passwords?” The answer is, “You don’t.” You use a password manager to create, store, and present all of those passwords. I use one and I use it HARD. I have 472 accounts in my password manager. It can review these passwords and tell me which ones have been exposed. It can generate long, complex passwords that are impossible to guess, yet provide me access to them to log into a site instantly. If you are curious about getting and using a password manager, check out the Quick Info page about password managers, right here on this website. If you are interested in a short course on how to use a password manager effectively, tell me in the comments. If I get enough interest, I will set up a LunchITs workshop where you can come, bring your own lunch, and learn during the noon hour.

Our other topic for this week is deepfakes. If you don’t know what this is, check out this YouTube video that does a great job explaining it, even though the video is five years old. It is nearly five minutes long, but the entire last minute is the sponsor plug, so you can just stop once that begins. Deepfakes have progressed far beyond the capabilities mentioned in the video, but the concepts are the same. It is now possible to make fake videos, nearly impossible to recognize as fake, that can have anyone saying or doing anything. If you think the video capabilities are frightening, imagine what can be done with just audio. A person’s voice can be convincingly faked by AI (artificial intelligence) using a recording of their voice less than a minute long. How do you determine what is real and what is not?

First, look for the normal red flags. Is this attempting to cause me anxiety or make me feel I must make a quick decision? Urgency is still a major factor in determining if an email or a phone call is real or not. In the case of deepfake videos, try to find other sources that may confirm or refute the deepfake video. You can also use other cues, such as “Does this speech align with other things this person has said?” Be skeptical, take a breath, and pause to think. We’ll talk more about spotting the signs of social engineering in another week this month.

We have a new cybersecurity awareness training platform and I think you will appreciate its ability to move through the material in a brisk manner. The company we have chosen is called Hoxhunt. (I don’t know the origins of the word, so please don’t ask.) Hoxhunt’s platform is designed around micro-training, so topics are presented quickly, with a minimal number of questions proffered to quiz you after the module is over. Our goal this fall is to have everyone complete the training by Friday, October 31st. As of the publication of this newsletter, the training is available and notifications will be (or have been) sent out to invite you to complete it. The system will begin to remind you to complete the training after two weeks, so jump on it and get it done as soon as you can.

The other benefit we gain from the Hoxhunt platform is integration with our security feeds. Now, whenever an employee (not a student) performs certain risky behaviors, the system will alert them to what they have done and require a micro training on that topic. These trainings are in addition to the regular twice-a-year training and specifically address the risky behavior. This integration will be enabled in the next few days (or may already be enabled, depending upon when you read this).

Finally, let’s talk about the scavenger hunt! In response to many comments, we are offering the entire scavenger hunt at one time – no more waiting until the next week to progress to the next phase. This hunt has five levels with three questions per level and works the same as in previous years. You will hunt down the answers to the questions, submit your answers, and be told how to move on to the next level. All prize drawings will be conducted on October 31st and will consist of five participation prizes and one grand prize. If you complete all five levels and submit your name to the completion page (and maybe an optional comment?), you will have a total of six entries into the drawings – one grand prize entry and five participation entries (one prize per person). Complete all five levels, but don’t submit your name on the completion page and you will only be eligible for the participation prizes. Clear? Only complete three levels and you only get three chances at participation prizes. All this makes sense? Right? Prize details are on the scavenger hunt start page, so get going!

All Berry students, faculty and staff have MFA enabled on their Berry account, and you should use it in the most secure way via the Microsoft Authenticator app on your smart phone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn on MFA/2FA everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.

Please continue to report those phishing emails! Avoid using “unsubscribe” links and report both spam and phishing via the “Report” button.

If I’m not covering a topic of cybersecurity you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so tell me how I can help and inform you.

Check out https://support.berry.edu for more information about OIT and the services we provide. You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications.

Food For Thought

There’s no food for thought this time, as I have given you a LOT of food for thought in the scavenger hunt! Get going!
