Security Spotlight: Security Awareness Training Matters

Cybersecurity, data breach, privacy, phishing attempts – I am sure you are familiar with these words, as they have been used frequently in recent years in our campus presentations, national news reports and articles in industry magazines (just to name a few). The threats these words represent are escalating, complicated and, quite frankly, too important to dismiss.

Listed as the single most pressing issue in the Top 10 IT Issues 2019 from Educause (a non-profit association that helps higher education optimize the impact of IT), it is a University-wide challenge that we must address – together.

Our Information Security Office (ISO) has seen a steady increase in the number of phishing and social engineering attempts. Thankfully, in part due to our programming and outreach (such as cybersecurity month, wellness day presentations, email notices and training), constituents have become more aware of these types of attempts and are increasingly reporting them to the ISO and the Technology Support Center.

The ISO encourages everyone to take advantage of the security awareness training available through SANS to learn more about phishing and social engineering, and recommends that everyone regularly perform a “Malwarebytes Full Scan” to guard against malware (this program is already installed on our campus computers).

As we continue to develop our University security strategies, we ask that you remain vigilant, and never hesitate to call or email us to confirm the validity of an email or phone call. You can reach the Information Security Office at 570-941-4226 or email infosec@scranton.edu.

Free Security Resources

  • The STOP. THINK. CONNECT.™ Campaign is a national public awareness campaign aimed at increasing the understanding of cyber threats. https://www.stopthinkconnect.org/resources
  • Through StaySafeOnline, the National Cyber Security Alliance (NCSA) empowers users at home, work and school with the information they need to keep themselves, their organizations, their systems and their sensitive information safe and secure online, and encourages a culture of cybersecurity. https://staysafeonline.org/
  • Report identity theft to the Federal Trade Commission online at IdentityTheft.gov or by phone at 1-877-438-4338.
  • Get the latest information on IRS Tax Scams / Consumer Alerts. https://www.irs.gov/newsroom/tax-scams-consumer-alerts

Free Security Software Resources (for home)

  • uBlock Origin Extension (in Google Chrome Browser) is a free and open-source, cross-platform browser extension for content-filtering, including ad-blocking. https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en
  • Malwarebytes protects you against malware, ransomware, malicious websites, and other advanced online threats that have made traditional antivirus obsolete. https://www.malwarebytes.com/
  • Have I Been Pwned allows you to search across multiple data breaches to see if your email address has been compromised. https://haveibeenpwned.com/
  • K9 Web Protection is a free Internet filter and parental control software for your home Windows or Mac computer. K9 puts YOU in control of the Internet so you can protect your kids. http://www1.k9webprotection.com/
  • LastPass is a password manager that stores encrypted passwords online. https://www.lastpass.com/

Security Spotlight: “Are You Available” Gift Card Email Scam Targeting Faculty and Staff

Our Information Security Office has received several reports of email scams targeting University faculty and staff that involve the purchase of gift cards.

The email begins with a subject like “Follow up” or “Are you available?” If the recipient replies, the attacker continues to impersonate a University leader, explaining that they are in a meeting and can’t take calls. They urge the recipient to buy gift cards for them, promising to reimburse them later.

The criminal’s end goal is to have the recipient buy gift cards on the “leader’s behalf” and email pictures of the codes to them, with the promise of later reimbursement.

**If you receive such an email, DO NOT RESPOND and forward the email to infosec@scranton.edu**.

If you received a similar email and you purchased gift cards, please contact the University Police for assistance and forward the original message to infosec@scranton.edu.

Previous story related to this topic:
Office Tip: Forward an Email Message as an Attachment

Scheduling Doors for On-Campus Events

The community was a large focal point while developing a plan for building access control during emergencies, and time was well spent in reviewing each entrance and exit of every building on campus. After ensuring that our campus residence buildings were properly equipped to manage door access during an emergency on campus, we spent the better part of 2017 completing access control throughout academic and administrative buildings. The goal was to meet convenience with security.

In completing the project, we were able to create an environment that allows the Royal Card system to control over 50 doors across 22 academic and administrative buildings. We utilize this same process for after-hours and weekend events. In order to maintain control of all these doors for emergency events, it is important that any time a door is required to be unlocked, the unlocking is requested through Royal IT Support.

How do I request that a door gets unlocked for an event?

If your event on campus requires doors to be unlocked in a campus building, it is important that the doors are properly scheduled to be unlocked, by submitting a request through Royal IT Support.

From the Royal IT Support homepage, you can submit your request by selecting Request a Service > Royal Card > Royal Card Door Schedule Change Request. Please be sure to include the building, doors, date(s), start time and end time of the event. To ensure the request is completed, submit this request at least 3 days before your event is scheduled.

If you have any questions, please contact the Technology Support Center at 570-941-4357 or techsupport@scranton.edu.

Building Access During Campus Emergencies

The University’s ability to prepare for and mitigate an emergency always remains a priority. In the event of an emergency, University Police will activate the Emergency Notification System once it has been confirmed that there is any significant emergency or dangerous situation. Then we think, what next?

In October 2015, a shooting occurred at Umpqua Community College. The suspect went from one building to the next as we watched those events unfold live on CNN. The reporter asked how the suspect could continue to enter buildings when surely Umpqua was in lockdown. At a secondary school, where there is typically a single building, that would probably be easy. But we recognized that on an open college campus, that’s not always so easily done, especially with so many buildings. Back then, Facilities manually unlocked and locked all the doors. In an emergency, could we really expect staff to start manually locking doors, and how long might that take? Consequently, we recognized the importance of implementing some measures to prevent what happened at Umpqua.

So in 2017, University Police, Facilities and IT embarked on a project to be able to remotely control all doors through the Blackboard Transact system. Now with the click of a mouse, most exterior doors can be put into “Royal Card Access Only” or in an extreme situation, a total lockdown. Educating the University Community on how these systems work during an emergency is an ongoing effort.

On any evening or weekend, access to all buildings requires your Royal Card. Should something happen either on or off campus, we may decide it would be safer to control who has access to our buildings. We can now control access immediately through Blackboard Transact by requiring everyone to use their Royal Card to enter a building. We’ve decided to call this state “Royal Card Access Only”. This isn’t a lockdown. Typically, classes and all University business would continue as scheduled, unless we decide otherwise. It’s important to recognize that we could be in this controlled state for hours or even days, depending on the situation. Or, depending on the incident or threat, we could direct everyone to take shelter by staying inside. If you found yourself outdoors, you would be directed to seek shelter in the nearest building, which would be communicated through our Emergency Notification System.

Depending on the situation, we may decide we must go into a “Total Lockdown”, where all exterior doors would be locked and Royal Card access would not be available. Certainly, we’d prefer to give our community the ability to quickly enter a building; therefore, this would have to be for an extreme situation where perhaps a suspect has compromised our security system and possesses a Royal Card. The strategy is to keep those who are already in a building safe. If you were in a building and in a safe location, you would stay where you are. If you’re not in a building, you should immediately leave the area and seek safe shelter off campus, and not return until an all clear is given.

University Police continue to offer our Emergency Response/Active Shooter training. We’ve now incorporated these access control procedures into that presentation. You can also go to our webpage to learn more, or reach out to us directly by calling 570-941-7888 or stopping by in the Parking Pavilion.

Written by Donald Bergmann, Chief of Police at The University of Scranton

Phishing Attempt Warning

The University of Scranton has been experiencing a number of phishing email messages with links to Dropbox documents. The messages appear to be from “Scranton Mail” with a subject of “Login to view your file”.

The messages may appear to be from people you know. If you are not expecting a file, please do not click on the link or open attachments. If you have clicked on anything that requires a password, and believe that the email is not legitimate, it is always a good idea to reset your Scranton password.

Please report any future phishing attempt to our Network and Security Services office at infosec@scranton.edu.

For questions or concerns, contact the Technology Support Center at 570-941-4357 or techsupport@scranton.edu.

Phishing Email Sample

 

Data Privacy Day: Take Action

January 28 was the annual Data Privacy Day, a day to help raise awareness about the importance of privacy and protecting personal information. We ask that, as a University employee, you take a moment to change your Self Service password and security questions.

Resetting your information is easy:

  • Log into my.scranton.edu, go to the Home tab
  • Under Emergency and Password Information, click Select Your Password Reset Questions
  • Under Update Personal Information, click Change Pin to update your password
    (Please DO NOT use the following special characters: @$&(),<>’;=#%”! or a space.)

Wireless Network Update Notice (12/2016)

Information Resources will be performing updates to the ROYALSECURE wireless network on December 15. As a result, you will need to update any wireless devices (cell phones, tablets and laptops; all operating systems) connected to this network prior to the change. Devices that are not updated before December 15 may no longer be able to connect to the internet and could display a warning about the network being untrusted when connecting.

Desktop computers and gaming devices do not need to be updated at this time.

Please follow the directions below to update your wireless devices:

To update wireless devices while you are on campus:

To update wireless devices while being off campus:

  • Open a browser on the device you wish to update
  • Visit the Technology Support Center’s website at http://www.scranton.edu/techsupport
  • Click on the Wireless Network Setup link
  • Follow the on-screen directions

Questions? Please contact the Technology Support Center at 570-941-4357 or techsupport@scranton.edu.

Tool Highlight: Malwarebytes

Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information or gain access to private computer systems. Malware may be stealthy, intended to steal your information or spy on your computer for an extended period without your knowledge.

As part of its commitment to securing the campus computing environment and protecting University assets and data, Information Resources has licensed Malwarebytes Breach Remediation for all University owned PCs.

Please note that Malwarebytes does not prevent malware from being installed on your computer. Utilizing this tool regularly is part of a set of safe computing practices, which continues to be the most effective way to safeguard computers and data from malicious attacks.

Regularly running Malwarebytes to scan for malware is highly recommended, certainly if you notice that your computer’s performance is sluggish or you suspect that your computer’s security has been compromised.

Review the Malwarebytes instructions to run the program on your University computer.

The Malwarebytes Breach Remediation Tool is available on all faculty and staff Windows-based computers. IT Services is exploring the feasibility of extending the tool to the Macintosh platform.

Information Classification and Handling

Do you know how important your data is? Have you thought about where it is stored? What would you do if your data was lost?

Data is one of the University’s most valuable assets. Because the majority of our employees rely on this information to conduct their day-to-day operations, we must learn to properly handle and secure it.

As members of the University community, we have the responsibility to safeguard the information we process, which means that we need to familiarize ourselves with how data gets classified, stored and shared.

How Does Data Get Lost?

  • Laptops and other technologies can get stolen by unauthorized visitors
  • Computers or other technical equipment can get hacked through spear phishing emails

What is the Impact of Data Loss?

The repercussions vary but could include loss of University reputation, loss of funding for the University, fines, long-term loss of critical campus or departmental service, and identity theft.

Manage Your Data

We hope the information below will help you manage your data in the most secure way possible.

***

Restricted Data

Restricted data is the most important or sensitive type of information. This information is regulated by law, such as HIPAA, and/or governed by other federal, state or local law, or University policy.

Examples: Social security numbers, driver license numbers, passwords, bank account numbers and credit card information.

Storage: Restricted information in electronic records should be secured with strong encryption when stored outside the central University administrative database. Restricted information in all forms of physical records must either be securely locked or actively supervised in a private environment at all times.

Storage Option: RoyalDrive

Transmission: If you need to send restricted information through an email, please follow these steps:
1. Save the information in RoyalDrive and set a password for it
2. Send the intended recipient an email containing the RoyalDrive ticket
4. Call the recipient and relay the password information to them

Confidential Data

Confidential information, while not being overtly damaging to the user, can be potentially embarrassing to the University. It may contain records or information on events or activities that can be misinterpreted by people unfamiliar with those activities.

Examples: Grades, class lists, financial aid information, donor records, tuition bills, employee performance reviews, disability claims and department budget information.

Storage: Confidential information shall be stored in physical or electronic environments where access is limited to only those who need to conduct University business.

Storage Options: RoyalDrive and OneDrive for Business

Transmission: Confidential information may be transmitted over the University or external networks as required, but only to those who need to use the information.

Public Use Data

Public use information can be released without much concern for security.

Examples: Campus maps, event and class schedules, press releases and athletic scores and schedules.

Campus Resources

If you have any questions regarding data classification, handling and storage, contact the Information Security Office at 570-941-4226 or email infosec@scranton.edu.

Create Strong Passwords

Passwords are important if you want to keep your information safe.
Here are some simple ways to secure your accounts through better password practices:

  1. Create a strong password:
    Make passwords long and strong, with a mix of uppercase and lowercase letters, numbers and symbols. Change them routinely and keep them private.
  2. Passphrases: Make your password a sentence:
    A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember. For examples on how to create this – view the videos below.
  3. Unique account, unique password:
    Have a separate password for every account. Re-using passwords is risky. If someone figures out your password for one account, that person could potentially gain access to all of them.
