August 2016 Security Newsletter

Information Security Awareness Training

To help members of our campus community better protect both campus information as well as personal information, the University provides Information Security Awareness Training. The goal of the training is to increase awareness in our campus community of how information, whether campus related or personal, is targeted and the steps we can take to better protect ourselves, our campus, and our families.

Every employee is expected to complete the Information Security Awareness Training yearly. The training period runs during Fall and Spring semesters, so we are beginning a new round of training for the upcoming year, beginning August 16th.

The training can either be completed online via Canvas or by attending a live training session offered regularly throughout the year. The online training offers the flexibility of completing it at your own pace. To access the online training, simply log into Canvas at http://suu.instructure.com (enter your campus credentials), and look for Information Security Awareness Training in your list of courses.

The live training offers the opportunity to complete the training in one sitting. For the month of August, the live training sessions will be offered during Welcome Week. Multiple sessions are offered for your convenience. Simply attend the session that works best with your schedule.

All live sessions will be in room BU 110 (Business Building).

  • Wednesday, Aug 17th @ 3:00-4:30pm
  • Thursday, Aug 18th @ 10:30-noon
  • Thursday, Aug 18th @ 1:00-2:30pm

More sessions will be scheduled once the semester gets under way to accommodate those who are unable to attend during Welcome Week, and still want to participate in a live session. If a particular department/unit would like to schedule an individualized training, please contact Mark Walton to schedule a time.

Access to Data Center and Surrounding IT Offices

Every couple of years the IT department undergoes a security assessment conducted by outside security professionals. One of the findings of the last assessment centered around physical security of the data center and surrounding IT offices. The risk was classified as “high” by the assessment team, and the IT department felt it prudent to implement the team’s recommendation and better control access to sensitive IT areas. Anyone needing to meet with IT staff whose office is part of a sensitive location will now need to make prior arrangements to meet in another part of the building and be escorted into any restricted area. We know this will inconvenience many, and unfortunately reflects the ever increasing threat the University faces.

Lessons from Pokemon Go

Have you caught them all? The Pokemon Go craze presents an opportunity to highlight issues that arise whenever you install a new app. Upon installation, a new app will often ask for permissions to certain features of your mobile device, like your location, photos, camera, etc. You need to pay careful attention to what access you grant to your device. Case in point: an oversight with the Pokemon Go app actually granted access to all of the information available through your Google account if you used a Google account to sign in. This effectively granted the app access to your e-mail, search history, and other potentially private information which was not needed for the functionality of the game. The issue has been corrected in this case, but each of us needs to better understand how our private information could potentially be exposed simply by installing an app. I’m not saying to avoid installing any apps, just be aware of the potential cost when it comes to your privacy.

Current Scam: Money Request from Paypal.

Paypal has a feature that allows users to send a “money request.” Fraudsters are using compromised accounts and this feature not only to solicit funds directly from unsuspecting users, but also to trick individuals into clicking on malicious links included in the request. Always be cautious when it comes to links in messages, and remember that advice doesn’t just apply to e-mails. Any service that allows you to message another individual and allows for links can be abused, whether that’s Paypal, Facebook, or whatever.

Current Scam: Social Security Account Fraud.

There is a Social Security Account scam going around where you receive an official-looking email from the Social Security Administration with an invitation to create an account so you can receive your benefits or check on your estimated benefits. The link takes you to a fake website where the fraudsters hope you will enter your personal information. Remember to never click on links in these types of emails. If you want to sign up for a My Social Security Account, make sure you are going to the official site at ssa[.]gov.


June 2016 Security Newsletter

VPN

The SUU VPN is a Virtual Private Network that encrypts all communication between your computer and the campus network. There are two scenarios for using the SUU VPN when you are away from campus.

  1. A few campus services require the use of the VPN when you are not on-campus. These include Banner INB, Cascade, and Argos. In order to access these services, you must first connect to the VPN.
  2. Connecting to untrusted wi-fi networks like those found in hotels, airports, and some retail chains. The VPN provides a secure, encrypted tunnel from your computer back to campus. This protects you from individuals who may be trying to intercept your wireless traffic.

The VPN is available to any campus employee at no charge. For detailed instructions on installing the client for various devices (including Android and iOS), please see SUU Help. Once you get the AnyConnect VPN client installed, you’ll want to connect to the VPN anytime you’re traveling or trying to access protected services such as INB. Simply launch the AnyConnect client, connect to “lightning.suu.edu”, and enter your credentials. You should see a little locked icon in your system tray. When you want to disconnect, simply right-click on the icon and disconnect, or exit the AnyConnect client.

Feel free to contact me with any questions you may have concerning the use of the VPN.

93% of Phishing Attacks Now Have Ransomware Payloads

The company PhishMe recently reported that 93% of phishing attacks are ransomware. As a reminder, ransomware is malware that encrypts the data on your computer, and then holds the decryption key for ransom. By paying the ransom, you’ll supposedly be provided the ability to decrypt your files and regain access to your files, but there is no guarantee. The best protection against ransomware is to be careful of links and attachments in e-mails so as to not become infected in the first place, and to make sure you have off-line backups of your data in case you need to restore your files if you have been infected.

Scams to Watch Out For

Here are a few scams that are currently circulating:

Tech Support Scam: I’ve warned previously of the phone scam where you get a call from a “Microsoft Support Technician” claiming that your computer has been infected and he’ll help clean up your computer for a fee. A new variant on this scam is leveraging malware. Once you’re infected with the malware, it displays a lock screen stating that your version of Windows has expired, and that you need to enter a product key. Even if you enter a correct key, it displays a message that you’ve entered an invalid product key and then gives you a phone number to call support. Of course, it’s a scam, and the “technician” will try and get you to pay to have them help unlock your system.

Rio Olympics: There have been a few scams going around concerning the upcoming Summer Olympics in Rio. They range from the games being cancelled, to great package deals, to everything in between. Remember to always be skeptical of anything where you’re not absolutely sure of the source.

Walmart Mystery Shopper: This scam tries to trick you into becoming a mystery shopper for Wal-Mart. They send you a legitimate looking check in the mail to be used at Wal-Mart, but first, you have to register as a mystery shopper, where they ask for all sorts of personal information, including your social security number.


March Security Newsletter

New Help Desk Ticketing Software

The IT department will be rolling out new help desk ticketing software in the upcoming days. We want to give the campus community a heads up before the roll out so you will be aware of the change, and so when things look a little different, you’ll know why. The new system will help IT to better serve the campus community through a more efficient and streamlined ticketing system. If you have a technology request/issue, please contact the Help Desk first. This helps to ensure that the ticket is properly logged, is assigned proper resources, and is better tracked through its completion. Please note that only the ticketing software is changing; all other aspects of the Help Desk, including its phone number (x8200), will remain the same.

New Password Requirements - Update

It’s been a little over 2 weeks since we implemented our new password requirements. We’ve had about 2800 people change their passwords, most opting for a longer password in order to keep it for a longer duration. We appreciate all of the feedback that we have received. The biggest gotcha is for those people that access PeopleAdmin regularly. PeopleAdmin only allows passwords up to 20 characters. So if you changed your password and it is longer than 20 characters, you won’t be able to log into PeopleAdmin. We are aware of the problem and are working on a long-term solution. However, in the short-term, if you need access to PeopleAdmin, and still want to keep your password for 1.5 years, please choose a password that is exactly 20 characters in length.

OUCH Newsletter

The SANS Institute publishes a monthly security newsletter. This month’s newsletter is on “Malware.”

I’ll be including a link that goes to securingthehuman[.]sans[.]org. Notice the sans[.]org in the hostname. That’s the official domain of the SANS Institute so you know the link is going to the right place.

https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201603_en.pdf

The newsletter includes the following tips for protecting yourself from malware:

  • Make sure you have Anti-Virus software installed on your computer and it’s up-to-date.
  • Make sure all software on your computer is up-to-date; this includes your operating system and all applications installed on your computer.
  • Only download and install apps for your mobile device from trusted stores.
  • On your home computer: When you do common tasks such as reading e-mail or browsing the web, use a standard account, instead of an account with administrative privileges. The administrator account should only be used to install software or device drivers as needed.
  • Beware of phishing e-mails trying to get you to click on a link or open an attachment.
  • Regularly back up your files to a cloud-based service, or to an off-line backup.

New Password Requirements

As was mentioned in the last Information Security Awareness newsletter, we are implementing new password requirements for SUU accounts. The new requirements will be rolled out starting today, March 4th, through the Change Password portal app. This will be a gradual roll out as people’s existing passwords expire. There’s no need for everyone to go and change their password immediately. You can simply wait until your password would normally expire, and then when you select a new password, the new requirements will be applied.

The basics

  • As passwords expire, users must follow stricter password requirements
  • Longer passwords are more secure, resulting in a longer time between expirations
  • We expire passwords regularly because we’re protecting OTHER people’s data
  • Don’t use single words, repeating characters (wwwwwwwwwww), keyboard sequences (asdflkjh), or common phrases as your password

What are the new requirements?

  • Minimum password length: 10 characters
  • 10-15 character passwords: Expires in 6 months; 3 variants.
  • 16-19 character passwords: Expires in 1 year; 2 variants.
  • 20+ character passwords: Expires in 1.5 years, no variant requirements.

A variant is the type of character, which is either upper case, lower case, a number, or a symbol. Sometimes these are referred to as complexity types. Often a “complex” password requires at least 1 character in each of the 4 types. For us, the longer the password, the less “complex” it needs to be.

What’s the best way of choosing a password?

Pick 3 or more random words and put them together. The key word is “random.” The words you choose shouldn’t have any previous relationship to one another. So titles of books, quotes, locations, or lyrics from songs aren’t good choices. Additionally, you should avoid using personal information such as the names of family members.

For example:

  • cat-pizza-volleyball

That’s a 20-character password and you get to keep it for 1 1/2 years! But make sure you choose your own password. That’s just an example.
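To make the tiered rules above concrete, here is an added worked example (written for this page, not code from SUU IT or the Change Password portal) that evaluates a candidate password against the requirements as the newsletter states them: minimum length 10, the three length tiers with their lifetimes and variant counts, and rejection of repeated-character runs, keyboard sequences, and common single words or phrases. The threshold of four identical characters in a row, the keyboard rows checked, and the small denylist standing in for a dictionary are my assumptions; the page only gives examples of each.

```python
import re

MIN_LENGTH = 10

# Tiers from the newsletter: (min_len, max_len or None, lifetime in months, required variants).
TIERS = [
    (10, 15, 6, 3),
    (16, 19, 12, 2),
    (20, None, 18, 0),
]

# Assumed: keyboard rows used to detect sequences such as "asdflkjh" (page example);
# each row is checked forwards and backwards.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Assumed placeholder for a real dictionary / common-phrase list; a production
# checker would consult a much larger word list.
COMMON_WORDS_AND_PHRASES = {"password", "letmein", "iloveyou", "tobeornottobe"}


def count_variants(pw):
    """Number of character types present: upper, lower, digit, symbol."""
    kinds = 0
    if any(c.islower() for c in pw):
        kinds += 1
    if any(c.isupper() for c in pw):
        kinds += 1
    if any(c.isdigit() for c in pw):
        kinds += 1
    if any(not c.isalnum() for c in pw):
        kinds += 1
    return kinds


def has_repeated_run(pw, run=4):
    """True if some character appears `run` or more times consecutively (e.g. wwwwwwwwwww)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_keyboard_sequence(pw, n=4):
    """True if any n-character slice of a keyboard row (either direction) appears in the password."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - n + 1):
                if seq[i:i + n] in low:
                    return True
    return False


def evaluate(pw):
    """Return (accepted, lifetime_months, reasons) for a candidate password."""
    reasons = []
    length = len(pw)
    if length < MIN_LENGTH:
        return False, 0, ["too short: %d characters, minimum is %d" % (length, MIN_LENGTH)]

    # Pick the tier by length; the last tier is open-ended.
    months, needed = 0, 0
    for lo, hi, tier_months, tier_needed in TIERS:
        if length >= lo and (hi is None or length <= hi):
            months, needed = tier_months, tier_needed
            break

    variants = count_variants(pw)
    if variants < needed:
        reasons.append("needs %d character types for this length, has %d" % (needed, variants))
    if has_repeated_run(pw):
        reasons.append("contains a run of repeated characters")
    if has_keyboard_sequence(pw):
        reasons.append("contains a keyboard sequence")
    if pw.lower() in COMMON_WORDS_AND_PHRASES:
        reasons.append("is a common word or phrase")

    accepted = not reasons
    return accepted, (months if accepted else 0), reasons


if __name__ == "__main__":
    # Constructed sample candidates, including the newsletter's own examples.
    for candidate in ["cat-pizza-volleyball", "wwwwwwwwwww", "asdflkjh12", "Blue7Tiger!", "short"]:
        ok, months, why = evaluate(candidate)
        print("%-22s accepted=%-5s lifetime=%2d months %s" % (candidate, ok, months, "; ".join(why)))
```

Running the block prints one line per candidate: the newsletter's three-word example is accepted with an 18-month lifetime even though it only uses two character types, while the repeated-character and keyboard-sequence examples are rejected with the reason attached, which is the feedback a user would want from the portal.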

Why longer passwords?

The answer is simply that the world we find ourselves in right now, as it relates to privacy and data theft, is very different than it was even a few years ago. The tactics used by the criminal element are ever evolving and becoming very sophisticated. Additionally, computer processing capabilities continue to increase at an incredible rate. Did you know the 8 character minimum password actually has its roots back in the 1980s? The US Government did some calculations based on processing speeds at the time, and determined an 8-character password was sufficiently resistant to password-cracking attacks for sensitive systems. Many organizations thought if it’s good enough for the government, then it’s good enough for us too, and thus adopted the same requirement. That was a great recommendation for the time, but here we are some 35 years later still using the same minimum requirement. It’s time for a change.

Why do we have to regularly change our passwords?

The IT Department has been asked on occasion why we make everyone change their password every 6 months, when our bank or other service provider doesn’t require a regular change. The answer to that question comes down to whose information is being protected behind that password. For your personal accounts (banks, credit cards, email, etc.), it’s entirely your choice on how strongly you want to protect the information, because it’s YOUR information. However, when it comes to protecting University information, it’s no longer your personal information, but it’s OTHER people’s information.

Just because you don’t have to change your bank account password regularly, doesn’t mean that the bank employees aren’t changing theirs often.

We do realize that forcing password changes every 6 months can actually lead to weaker passwords, as people choose shorter passwords in order to remember them, and then just maybe increment a number at the end when they have to choose a new password. To help address this concern, the stronger your password, the longer you get to keep it. The IT Department always welcomes any feedback. If any of you have questions or concerns, just let us know. Thanks for helping us protect the information that has been entrusted to all of us.


Information Security Awareness Newsletter - February 2016

Welcome to the February 2016 edition of the Information Security Newsletter.

Updated Password Policy

In the next few weeks IT will be rolling out a new password policy. We will be raising the minimum password length from 8 to 10 characters. That’s the bad news. The good news? If you pick a really good password, then we’ll let you keep it longer than the current 6 month period. Typically the longer the password the stronger it is. So for those of you that pick a longer password, you won’t have to change it as often. I’ll send out another e-mail when we get closer to implementing the new policy, but just wanted to give everyone a heads up. The bad guys are continually upping their game; it’s time for us to do the same.

Phish

I want to thank everyone that reported the phish that many of you received on Tuesday. It was sent to 251 employees and I received reports from about 45. It had the classic red flags for a phish:

  • Unknown Sender
  • General Greeting
  • Using language to solicit a quick or emotional response
  • Link that goes to an unfamiliar address

Just a reminder to always be careful with links in e-mails. Your computer can become infected by simply visiting a web site. If you recognize it as a phish, resist the temptation to click on the link. Sometimes that’s all they need.

Ransomware

We’ve recently had a couple of cases of ransomware on campus. Ransomware is malware that encrypts all of the data on your computer and any shared network drives. The bad guys then offer to decrypt all of your data if you pay the ransom, which is usually around $500. Fortunately, the employees that were affected didn’t have any important documents on their local hard drives (which were all lost), and notified IT immediately so we could restore network files from recent backups.

They were infected by opening up an attachment in a phishing e-mail. Remember to be careful with any attachment or link in an e-mail that you weren’t expecting. If you don’t know what it is, don’t open it.

We’ve been lucky to only have a few isolated incidents. Hollywood Presbyterian Medical Center has been affected by a massive incident where nearly their entire network has been down for more than a week as they work to recover from a ransomware attack. Their ransom? $3.6M. Yes, that’s an “M” for million.

Fraudulent Tax Return

Remember the warning that I gave last month about the fraudsters filing bogus tax returns in the hopes of collecting refund money? Well, it happened to one of our own. This employee recently reported his experience to me and I wanted to share. He received a Green Dot prepaid debit card in the mail. At first glance he just thought it was a typical credit card offer, but then he looked more closely. This didn’t look like one of those fake cards, but looked real. So he did some Google searching and found out that tax fraudsters often use prepaid debit cards as a part of their scam. Sure enough, when he called the IRS, somebody had attempted to file a tax return in his name, using his social security number. Luckily, the IRS had flagged it as suspicious and hadn’t paid out the refund. He promptly placed a credit freeze with all of the credit reporting agencies. This one is scary because it could easily happen to any one of us. Watch out for suspicious cards in the mail.

OUCH Newsletter

The SANS Institute puts out a monthly security newsletter. This month’s newsletter is on “Securing Your Home Network.” Just want to pass it on as a resource for helping protect our home networks.

I’ll be including a link that goes to securingthehuman[.]sans[.]org. Notice the sans[.]org in the hostname. That’s the official domain of the SANS Institute so you know the link is going to the right place.

https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201602_en.pdf

10 Security Mistakes Nearly Everyone is Guilty Of - #9 & #10

Mistake #9: Ignoring SSL certificate warnings

When you visit a secure web site, you should see a little green padlock in your address bar. This lets you know that the site you are visiting is really who they say they are. If you ever get a pop-up that says that your browser can’t verify the site, then you need to be very cautious. There is a chance that you are actually visiting a fake site. If you run into that situation, feel free to contact me so I can help verify the site.

Mistake #10: Downloading apps from third-parties

Both Google Play and the Apple AppStore have some protections in place to help ensure that apps downloaded from their sites are safe and malware free. However, if you download apps from third-party sites, you have no such protections. The large majority of infected apps come from third-party sites and not the official stores. Be very careful if you are ever prompted to download an app from anyplace other than the official stores.

Winner of the Monthly Bookstore Drawing

January: Andrea Donovan

Our great employees are our best early warning system for phishing and other social engineering attacks. We encourage all employees to report any phishing e-mails they receive or scams they are aware of. Every month we conduct a drawing for a bookstore gift card. To enter the monthly drawing, simply forward phishing e-mails that you have received to phish@suu.edu, or send an e-mail detailing any scams to the same address. You will be entered for every e-mail you send in.