Think Purposefully, Act Knowledgably

A recent tweet by Microsoft (MS) referenced a long-standing free file-hosting website the company supports called DOCS.COM.  File-hosting websites are provided by online vendors (such as MS and Google) as a place where individuals may post personal electronic files and documents, often for the purpose of making them available to the general public.

The post on Twitter linked to a page on Microsoft’s website which included this information:


What is Docs.com?
Docs.com is an online showroom where you can collect and publish Word documents, Excel workbooks, PowerPoint and Office Mix presentations, OneNote notebooks, PDF files, and Sways. With Docs.com, it’s easy for you to share with others what interests you, and your content looks great on any device. 

Can I use my Office 365 account with Docs.com?
Yes. You can use your work or school account to use Docs.com, or you can choose to use a personal Microsoft account — an email address and password that you use to sign in to services like Sway, Outlook.com, Skype, OneDrive, and Xbox Live. If you prefer, you can also sign in to Docs.com with a Facebook account.


As indicated in the article, it appears that MS has recently extended permission to log into and use this website, which is intended for the storage of personal files, to the credentials used by schools using Office 365 (O365). Because we are an O365 customer, this means it is possible to use your Bellevue College (BC) login to post documents to DOCS.COM.

This is not necessarily an issue for students who wish to use DOCS.COM for personal documents to supplement the online storage and electronic document sharing capabilities provided by the college through Microsoft’s OneDrive.

However, DOCS.COM is NOT, and I want to repeat this, NOT an authorized location for the storage of any electronic college documents by BC employees, despite the fact that you can access it with college credentials.  The use of the website has not been deemed compliant with FERPA and other campus information security requirements.

It is becoming an increasingly challenging issue in higher education that college employees with access to data and information protected by law (such as FERPA and HIPAA) are copying some of that information to personal file-hosting websites (such as Dropbox, Box, DOCS.COM, etc.) without regard to whether that cloud storage resource meets the information security requirements for the data. Sadly, many people don’t even take the security of the data into consideration at all; they simply copy it anywhere that makes it more convenient to work with.

It is of utmost importance that each of us think purposefully and act knowledgably when it comes to the information or data we work with on a daily basis. Always protecting electronic information is of the highest priority.

The only authorized cloud repository of protected electronic Bellevue College data at the time of this writing is a college-provided OneDrive space or SharePoint Online file storage space (being rolled out soon!), unless a specific exception has been authorized through a Data Sharing Agreement (I’ll discuss these more at a later time).

Despite these services being sanctioned repositories, it is still critical that individual users of these authorized resources are cognizant of how they are sharing or providing access for others to the electronic files and data stored in them.

If you are not certain whether you can share electronic college information with someone, or whether you can store it somewhere, check with your supervisor.  If they are not certain, you or they can contact the Technology Service Desk for assistance, or let me know.

Safe Computing!

Credential Stealing

One of the consistently best voices addressing cyber security issues worldwide is Bruce Schneier. He is a cryptography expert and privacy advocate out of Harvard who has published many books, some of which are very technical in nature and intended for professional information security audiences. But one of his great skills is that he also writes about important and timely privacy, trust and security topics in a manner that is accessible to most lay people.

Today I am bringing your attention to a recent article he wrote for the Xconomy web site which addresses the evolving nature of computer attacks and the assumptions most people make that such attacks are merely technical or malware issues.

Turns out, the challenges in modern IT security are not so much about technology, but about people using the technology.  In fact, Schneier states that “…software vulnerabilities aren’t the most common attack vector: credential stealing is.”

The article quotes the head of the NSA’s Tailored Access Operations (TAO) group as saying “…stealing a valid credential and using it to access a network is easier, less risky, and ultimately more productive than using an existing vulnerability, even a zero-day…” (a zero-day being essentially a software-based cyber attack using previously unknown tools or methods).

Schneier urges computing professionals to adapt to this changing environment, but the key piece of information within the article for most regular technology users is that they are more and more likely to be the initial target for malicious actors, who are using everything they can–including social engineering, phishing, physical and psychological manipulation, and outright threats–to gain legitimate credentials to target systems or networks, including home networks.

Using the kinds of techniques perfected by stereotypical con men and the hacker culture, modern criminals are now hacking people more than they are hacking machines. And once they have YOUR work or personal login credentials, they have the same access to everything you have access to within those environments.

So this article is a good reminder for each of us to think twice any time a person or a machine asks for personal or college information, or for home or work technology credentials.

Safe Computing!


The full Bruce Schneier essay can be accessed at: http://www.xconomy.com/boston/2016/04/20/credential-stealing-as-attack-vector/

If you are interested and wish to see more of Bruce’s writings, his personal blog web site is: https://www.schneier.com/.

(Sometimes his writings are too technical for me, but he has a very practical, realistic and common sense approach to many security and privacy issues, so it is worth checking his site out for the more generalized stuff that can help you understand all of the issues about which he writes.)

Beware Humans with Computers!

At a recent presentation to state risk managers in Olympia, representatives of the law firm BakerHostetler, which includes a number of attorneys who specialize in resolving information security data breach issues, reported that cyber attacks using Phishing and Malware were the cause of 31% of the more than 300 data security incidents the firm handled nationwide in 2015. This is not much of a surprise given the recent increases in the number of these types of attacks.

The second highest category identified at 24% was Employee Action/Mistake, which includes failures of employees to follow organizational policies resulting in a data breach.

Interestingly, the next highest causes of data losses include other categories which also have significant ties to how authorized users interact with information technology and the data stored and manipulated with that technology. These include: Loss or Theft of a Device (17%); Vendor/Contractor Actions (14%); Internal Employee Theft (8%); and Lost or Improperly Disposed Data (6%).

These statistics show that the human component of data protection is significantly more important with regard to modern IT security issues than is the technology component.

The underlying source of ALL of these top kinds (92%) of data breaches can easily be attributed to the authorized users of the compromised data and either a deliberate disregard for organizational policies or a lack of information security awareness on their part.

Clearly, it is important for each of us to understand that we each need to constantly protect the college data we access during the course of our daily work, and to ask questions of our supervisors when we are not certain how best to do that.

The college has published a number of policies and procedures related to technology use by college employees and the protection of college data.  Here are links to a few of those current documents:

Take some time this week to update yourself on the information in these important documents and, as always:  Safe Computing!

Security Information about Office 365

Many campus users have questions as college e-mail accounts are now stored in the cloud version of Exchange (called Exchange Online) as part of our Office 365 deployment.

In addition to mitigating some of the costs incurred by the college to provide and support e-mail on campus, Exchange Online provides easier access to e-mail from off-campus, and provides additional layers of security and redundancy that have previously been cost-prohibitive for the college.

If you have any concerns about the privacy and/or security of Office 365, or would like more information, check out the Microsoft Office 365 Trust Center, or contact me with specific questions.