Tag Archives: e-mail

Related to the use and security of e-mail

Video Reminders

The links below are to a couple of very short awareness videos published by a third party that remind us of some of the basics of two information security topics: malware and phishing. Clicking on a link below will open that video in a new browser window.

The principles discussed in each of these videos apply to both the workplace and to your use of technology at home.

If you are using Internet Explorer 10 or later, once you have opened the shared OneDrive folder where the videos are stored, you can use the white pointers to move between the individual videos without having to return to this page.

The arrows look like these: a right-pointing arrowhead and a left-pointing arrowhead.

Other browsers will require you to click on each link individually.

Safe Computing!


Videos:

Don’t Let Malware Spoil the Fun! (1:50)

Phishing: What Would You Do? (1:24)

Security Information about Office 365

Many campus users have questions now that college e-mail accounts are stored in the cloud version of Exchange (called Exchange Online) as part of our Office 365 deployment.

In addition to mitigating some of the costs incurred by the college to provide and support e-mail on campus, Exchange Online provides easier access to e-mail from off campus and adds layers of security and redundancy that have previously been cost-prohibitive for the college.

If you have any concerns about the privacy and/or security of Office 365, or would like more information, check out the Microsoft Office 365 Trust Center, or contact me with specific questions.

Social Engineering

WHAT’S THAT?

Social manipulation (or “engineering”, a term coined by hackers) is a collection of proven physical and psychological techniques by which malicious persons exploit the human tendency to trust and help other people. It is one of the greatest ongoing information security threats.

Social and environmental engineering is done to gain unauthorized access to college information or to network and computing resources. Because it gives attackers a way to bypass, through users, whatever electronic security controls are in place, social engineering techniques are used every day.

Preventing intrusion into college systems by outside parties through the unwitting collaboration of students and employees is an important goal of information security, because once any access is attained, severe damage can be done.

In a service-oriented environment such as the college, this manipulation of trust creates a significant challenge for staff and requires that we be constantly on guard. User awareness of the methods used to gather information is an essential step in maintaining information security.

Campus employees should always be thoughtful about legal requirements, such as FERPA, and college policies addressing what information may and may not be released to outside parties.

PURPOSE

The initial purpose of social engineering is to obtain a user’s password. Any account that provides access to the Bellevue College computers or network can be used by a knowledgeable attacker in many malicious ways; the least damaging outcome compromises only the account whose password is known.

Subsequent purposes of social engineering are to physically obtain sensitive information or to gain access to unattended systems, thus negating the need for a computer password.

Social engineering attacks use both physical and psychological methods:

Physical methods for collecting information may include:

  • Impersonation of repairmen, IT support personnel, managers, etc., either by phone or in person.
  • Collecting and analyzing information from discarded trash (dumpster diving).
  • “Shoulder surfing”: watching employees as they type their passwords.
  • Searching a work area for passwords or other sensitive information that has been written down.
  • Using unattended computers that are already logged in.

Psychological methods for collecting information manipulate trust and emotion to acquire information or access. Some of these interactions may be in person, but more often they take place over the phone or through e-mail. Some risks include:

  • E-mail purporting to be from a campus authority, such as the Help Desk or Information Resources (IR).
  • Direct phone requests to the Help Desk for password resets for the accounts of other users.
  • Pleas or threats for information from someone impersonating an authority figure or support personnel.

When this type of social engineering is done by e-mail, it is often referred to as “phishing.”

SUGGESTED RESPONSES

Area of Risk:   Office trash; dumpsters

Malicious user Tactic: Dumpster diving

Strategy to combat: Once something is left for trash, there is no expectation of privacy.

  • Reports containing confidential or sensitive data should be shredded before disposal.
  • All computer system media (floppy disks, CD-ROM disks, tape, internal or external hard drives, USB drives, etc.) should be carefully erased and disposed of properly.

Area of Risk:  Psychological

Malicious user Tactic:  Impersonation; persuasion

Strategy to combat:  If you don’t know someone, check!

  • Challenge the authority or identity of persons unknown to you – ask them to identify themselves.
  • IT support personnel will always wear Bellevue College identification.

Area of Risk:  Network, e-mail, and internet usage

Malicious user Tactic:  Creation and insertion of malicious software on systems to acquire passwords or other sensitive information

Strategy to combat:  User initiative and awareness

  • Appropriate password use and management.
  • Campus user caution regarding e-mail from unknown senders and e-mails with attachments.

Area of Risk:  Offices

Malicious user Tactic:  Shoulder surfing; stealing sensitive documents or external hard drives; wandering through halls looking for open offices; using unattended computers that are already logged in

Strategy to combat:  User initiative and awareness

  • Don’t type passwords with anyone else present (and be courteous by not watching others type theirs).
  • Mark documents as confidential and require hard copies of those documents to be physically locked up.
  • Lock external hard drives and USB drives up at night.
  • Require all guests to be escorted.
  • Do not store or post passwords near computers.
  • Lock your computer whenever you step away, even for a “minute”.

Area of Risk:  Phone

Malicious user Tactic:  Stealing toll-free access

Strategy to combat: 

  • Protect SCAN codes the same as passwords.

Area of Risk:  Help Desk

Malicious user Tactic:  Impersonation; persuasion

Strategy to combat: 

  • Remember that the Help Desk will not ask you for your password in an e-mail or over the phone.
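The two points made above, that phishing mail often pretends to come from a campus authority such as the Help Desk and that the Help Desk will never ask for your password by e-mail, can be turned into a simple screening check a mail administrator might run. The following Python script is an added example written for this page; it is not a Bellevue College tool or part of the Help Desk’s own systems. The trusted domain, the sender addresses and the three sample messages are constructed placeholders, and the three heuristics (authority display name from a foreign domain, a request for a password, a Reply-To pointing elsewhere) are an illustration, not a complete anti-phishing filter.

```python
"""Heuristic screen for e-mails that impersonate campus support and ask for a password.

Added illustration for an awareness page; not a production mail filter.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the college's own mail domain. Placeholder value, not a real configuration.
TRUSTED_DOMAIN = "example.edu"

# Display names a phisher borrows to look like a campus authority.
AUTHORITY_NAMES = ("help desk", "helpdesk", "information resources", "it support")

# A request to send, confirm or enter a password: the Help Desk never asks for this by e-mail.
CREDENTIAL_REQUEST = re.compile(
    r"\b(send|reply with|confirm|verify|provide|enter)\b[^.\n]{0,60}\bpassword\b",
    re.IGNORECASE,
)


def _domain(address):
    """Lower-cased part after '@', or '' when there is no address."""
    return address.rpartition("@")[2].lower()


def _text_body(msg):
    """Plain-text body; joins the text/plain parts of a multipart message."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def analyze(raw_message):
    """Return the list of reasons a message looks like a social-engineering attempt.

    An empty list means none of the three checks fired; it is not proof the mail is safe.
    """
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)
    reasons = []

    # 1. Claims campus authority in the display name but is sent from another domain.
    if any(name in display.lower() for name in AUTHORITY_NAMES) and sender_domain != TRUSTED_DOMAIN:
        reasons.append(f"display name '{display}' but sender domain '{sender_domain}'")

    # 2. Asks the recipient to hand over a password.
    if CREDENTIAL_REQUEST.search(_text_body(msg)):
        reasons.append("asks the recipient to send or confirm a password")

    # 3. Replies are quietly redirected to a third party.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != sender_domain:
        reasons.append(f"Reply-To points to a different domain: {reply_to}")

    return reasons


# Constructed sample messages for the demonstration; none of these is real mail.
SAMPLES = {
    "legitimate": (
        "From: Help Desk <helpdesk@example.edu>\n"
        "Subject: Ticket 1234 closed\n"
        "\n"
        "Your ticket has been closed. Reply to this message if the problem persists.\n"
    ),
    "spoofed_helpdesk": (
        "From: Help Desk <support@mail-reset.example.net>\n"
        "Subject: Mailbox over quota\n"
        "\n"
        "Your mailbox is over quota. Reply with your password within 24 hours\n"
        "or your account will be deleted.\n"
    ),
    "redirected_reply": (
        "From: Jane Doe <jane.doe@example.edu>\n"
        "Reply-To: collect@example.org\n"
        "Subject: Account verification\n"
        "\n"
        "Please confirm your network password to keep your access.\n"
    ),
}


def screen_all(samples=SAMPLES):
    """Run analyze() over every sample and return {name: reasons}."""
    return {name: analyze(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, reasons in screen_all().items():
        print(f"{name}: {'SUSPICIOUS' if reasons else 'no flags'}")
        for reason in reasons:
            print(f"  - {reason}")
```

Run as a script it prints a verdict per sample; the legitimate Help Desk ticket notice raises no flags, while the quota warning from a foreign domain and the “confirm your password” mail with a redirected Reply-To each trip two checks. The same checks are the ones a recipient can make by eye: look at the actual sender address, not just the display name, and treat any request for a password as a reason to call the Help Desk rather than reply.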

If you have any questions about social engineering, or are uncertain if you have been a victim of social engineering, be sure to contact the Help Desk (415.564.4357).

Five Important Security Concerns for Employees

The items listed below seem to be the source of the most consistent confusion and questions, particularly with regard to individual employee responsibilities and expectations regarding information security.

All employees have expected roles in securing the valuable information available for use on campus and the technology with which we access it. In the interest of saving some time, I am including only fairly brief bullet points regarding these five areas of particular concern; if you have further questions regarding this or any other information security topic, please feel free to contact either me or the Help Desk (x4357).

Every Bellevue College employee should understand:

1- Login accounts and passwords providing access to Bellevue College IT resources should not be shared. 

In some cases, groups of individuals may share access to an e-mail account acting as a central unit contact resource for business purposes, but such shared e-mail accounts may never be used to log into computers or the college network.

Individuals should also never allow anyone else to use a computer into which they have logged in. This is not only a security risk for the network; it is an individual identity protection measure as well. If someone else is logged in as you, everything they do online appears to be your doing.

2- Bellevue College policies require that employees secure their workstations if they leave the immediate area.

This may mean logging out and shutting down the computer in some cases, but most of the time locking the screen and requiring a password to unlock it is sufficient.

3- Electronic data is subject to the same privacy restrictions as non-electronic information and data, and requires the same protections. 

Protection of sensitive electronic data collected and used at the college is the primary purpose for implementing information security measures.   

  • Caution always needs to be used to ensure that protected college data is not unintentionally disclosed through e-mail, instant messaging, the web, blogs or podcasts. The physical security of protected data saved to any storage media (tapes, disks, USB drives or hard drives), especially data stored on college laptop computers, is of the highest concern at all times.

4- All communications through the college network are logged (recorded in a database) and are publicly disclosable information.

This does not mean individual activities are monitored on a routine basis, but it does mean that Bellevue College has an obligation to produce all network records when legally required (either in response to a public records request, to civil litigation, or in a criminal investigation). In the case of ongoing investigations, this could include real-time monitoring, as directed by the HR VP.

A significant aspect of the public nature of college electronic communication is the use of e-mail.  All e-mail is potentially disclosable in response to a legal or public disclosure request. A good rule of thumb is not to put something into an e-mail that you would be uncomfortable with being subsequently published in a newspaper. 

5- All software and technology hardware used at Bellevue College must be properly licensed and processed through Computing Services (CS) for records and auditing purposes.

  • The civil and financial liability to the college and to individuals related to using improperly licensed software is significant, as much as $100,000 for each individual incident!

In the case of college-owned technology, this requirement for keeping records includes any hardware and software, whether purchased with unit funds, college funds or professional development funds.

Personally owned or purchased software and hardware may be installed on campus, but the same licensing guidelines apply. Personally owned hardware must also be tested for compatibility with the existing BC technology and network, and must be configured securely.


These points obviously do not cover all aspects of IT security on campus, but they are perhaps the five areas most misunderstood and most easily remedied by employees.  If everyone on campus understands these issues and follows the guidelines and procedures related to them, information security on campus can be significantly increased.