Welcome to the September 2015 edition of the Information Security Newsletter.

Information Security Awareness Training

I appreciate those who have already completed the training. For those who were unable to attend a live training session last month, see the schedule below for September training opportunities. To complete the training online, simply log into Canvas at http://suu.instructure.com (enter your campus credentials), and look for Information Security Awareness Training in your list of courses.

All live sessions will be in room LIB002 (Library).

  • Friday, Sep 18th @ 9:00-10:30am

  • Monday, Sep 28th @ 2:30-4:00pm

  • Tuesday, Sep 29th @ 9:30-11:00am

More sessions will be scheduled during the upcoming months for those who are unable to attend this month, and still want to participate in a live session. If a particular department/unit would like to schedule an individualized training, please contact Mark Walton to schedule a time.

10 Security Mistakes Nearly Everyone is Guilty Of - #1 & #2

I found a good article by Information Security Buzz titled "10 Security Mistakes Nearly Everyone's Guilty Of." It highlighted 10 common mistakes that we make when it comes to information security. I'm going to borrow their list and highlight two mistakes each month for the next few months. If you just can't wait for the full list, go to their web site and do a search (search box found towards the bottom of the page) on "10 Security Mistakes."

Mistake #1: Poor patching

Every piece of software has programming mistakes (bugs). Some of those bugs are just annoying, like when a feature doesn’t work, or it crashes the application. Others can actually be serious enough to allow the bad guys to execute their code on your computer by exploiting the bug. This is frequently how they take control of your computer. The software vendors fix those bugs by releasing patches and updates, but it’s up to us to make sure those updates get installed. The very best way to protect yourself from becoming a victim is by keeping all of your software updated by patching regularly.

You want to make sure that all of your software is up-to-date. This includes:

  1. Operating System (Windows 7, Windows 10, Mac OS X, etc.)
  2. Anti-Virus (McAfee, Symantec, AVG, etc.)
  3. Web Browser (Chrome, Firefox, IE, etc.)
  4. Browser Plugins (Adobe Reader, Oracle Java, Adobe Flash, etc.)
  5. All application software (MS Office, games, etc.)

To help you do that on your home computer, you can download PSI (Personal Software Inspector) from Secunia.com. PSI will scan your computer for the software that is installed, and then tell you which applications are out-of-date and need updating.

Mistake #2: Too trustworthy

We need to be almost paranoid about opening attachments and clicking on links in e-mails. The criminals often use phishing e-mails to try and trick us into either opening an attachment, or clicking on a link, which could lead to the compromise of our computer. Be really careful with those kinds of things in e-mails, especially for e-mails that just don’t sound right, even if they came from a “trusted” source. Remember, it’s trivial to spoof a FROM address, and people’s e-mail accounts get hacked and misused all the time. It’s not just emails any more; we need to be just as careful with links in text messages, as they can lead to the compromise of our mobile device.

Friendly Warning From One of Our Own

One of our employees shared this experience that happened to someone in their family:

“She read her final book on her Kindle and wanted to buy another one. Her credit card info was outdated and she couldn’t figure out how to change it. She decided to call customer service at Kindle and googled their phone number. She found the phone number and called. The man was very helpful and was walking her through how to load private information but she first needed to plug her device into her home computer. There he remotely took over her computer and she watched in horror as he trolled her information and files. He said he was completing a security check and was going to take an hour to load some sort of software and said if she needed to run errands, she was free to go and he would continue “working.” She left the room and called her local IT guy that helps her sometimes and he said, “UNPLUG your machine NOW!” She did and the “Kindle Customer Service Guy” called her immediately and said he lost connection and he wasn’t finished. On further examination of her computer, her local IT person, whom she can trust, discovered files and malware the Customer Service Guy had installed and her files/information he looked at. Come to find out, she called a fictitious Customer Service and not the “real company” at all. She ended up having to change all of her bank accounts, credit cards, and passwords to everything! Luckily, she didn’t lose anything and learned a lesson to be more aware of what is legitimate internet information. This could happen to anyone.”

They’re right, it could happen to anyone. When you call customer support for any company, you have to make sure you’re contacting the real company. If you do a search, there are a lot of “Sponsored Ads” that show up at the top of the search. These are companies that pay to be at the top, and usually are NOT the official company. You can easily get into trouble if you aren’t paying close attention.

Winner of the Monthly Bookstore Drawing

August: Sheila Johnson

Our great employees are our best early warning system for phishing and other social engineering attacks. We encourage all employees to report any phishing e-mails they receive or scams they are aware of. Every month we conduct a drawing for a bookstore gift card. To enter the monthly drawing, simply forward phishing e-mails that you have received to phish@suu.edu, or send an email detailing any scams to the same address. You will be entered for every email you send in.