Is Your CISO a Little Paranoid?


I am sure the subject of this email seemed odd. Well, it is one of those “it’s funny because it’s true” moments. As an IT Security professional, I like to think I am paid to be at least a little paranoid, or I wouldn’t be doing my job.

Passwords

Every now and then I get wind of someone sharing a password out of perceived convenience. Please remember that this is not allowed per UTIA IT Security policies, including UTIA IT0110 – Acceptable Use of Information Technology Resources Security Policy (AUP) and UTIA IT0132 – Identification and Authentication Policy, as well as certain UTK and UTSA IT Security policies.

I understand people who want to be helpful and leave a password if someone needs something from your computer when you are on vacation, at a conference, or gone to lunch. However, there are ways to keep this from happening. The best way to do this is to make use of Microsoft Teams, or other Office 365 tools and UT’s Google Drive. This will allow others with a legitimate need to access necessary files when you are not around. Just make sure you give people the appropriate permissions so only those with a need to know can access the files. If you are unsure how to use Teams or Google Drive, there are plenty of training modules found on K@TE. You can also refer to UTIA IT0301P – Google Drive Procedures.

Also, some people have given administrative staff members their email password so the staff can log in and manage the email and calendar. Again, this is not allowed, and there is no need for it when Outlook allows you to assign delegates with the appropriate permissions.

While people want to be helpful, they also need to remember the practice of giving out a password may be harmful to the Institute’s files and reputation, as well as the person’s files and reputation. Keep in mind that anyone who knows your password may unintentionally do something while on your computer that will look like you did it because it is your login. What is worse, someone you may think you know may have harmful intentions and purposefully do something to your data or the Institute’s data knowing that it will come back to you because they were logged in as you. We don’t ever want to think this may happen, but it does from time to time.

I also get questions about using a shared password. This, too, is not allowed, but if you feel that there is a strong business case for it, you should do a couple of things. First, read and follow UTIA IT0302 – Information Technology Formal Exception Policy and properly request an exception. I cannot guarantee that every request will be approved, but if there is sufficient reason, the request may be approved if there is no other option. If this is the case, you must get a departmental NetID so that it is not an individual’s account.

Trust but Verify vs. Zero Trust

In my almost 20 years as an IT Security professional, I was repeatedly told by my peers to use the “Trust but Verify” security model. This supposedly meant that you have faith in someone or something, but to independently confirm whether or not you should trust them. The phrase comes from an old Russian proverb shared by an American scholar with Ronald Reagan.

When it comes to cybersecurity I never agreed with that approach because there is no trust if you have to verify! And the phrase itself is an oxymoron. However, if you do a Google search on the phrase, IT Security professionals were still using it pretty consistently through the late 2010s.

Now we hear about the “Zero Trust” security model more often. This, at its most basic definition, means “Never Trust, Always Verify.” This approach got its name in 2010 and has become the smart and preferred approach. And with everything that has happened in the last few years, you will most certainly hear more and more about zero trust.

Think of it like this: Back in the day if a stranger knocked and said they wanted to use your phone, you would let them in (trust) and ask questions once they were inside (verify). Now if someone showed up and wanted to use your phone, you would tell them that you will call the police for them and they can wait outside, while you lock the door as fast as you can (never trust, always verify)!

Without boring you any more with IT Security lingo, I bring this up for one reason. When you receive unexpected emails (particularly external ones), browser popups, etc., NEVER TRUST, ALWAYS VERIFY! It may take a little extra effort to verify, but think of the time it would take if you didn’t do your due diligence.

Current Threat Alerts

Spear Phishing

Spear phishing has been extremely widespread in the last two months. Please remember that these spear phishing emails have one purpose: to make “easy” money for the hacker. So far there have been no links or attachments, so this means no viruses and no malware. The hacker wants to make you think that your supervisor is asking you to do something for them. That “something” is going to be the purchase of gift cards whose numbers and codes you are asked to email back. Please do not reply. If you do hit “Reply,” please note that the reply-to address is no longer the address you saw on the original email.

Since this type of threat is not going away any time soon, please see Spear Phishing. I updated the document this morning and tried to include everything that has been seen so far. Print out a copy and put it somewhere you can remind yourself, if necessary!
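The tell described above, that hitting “Reply” sends the message somewhere other than the address shown in the From line, can be checked mechanically. The following is an added example, not something from this newsletter or from UTIA’s own tooling: it parses a raw message with Python’s standard `email` module, compares the domain of the From address with the domain of the Reply-To address, and also looks for the gift-card request the scam relies on. The two sample messages and every address in them are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real messages). The first mimics a
# supervisor's display name while Reply-To points at a free-mail domain;
# the second is an ordinary internal message with no Reply-To header.
SUSPECT_MESSAGE = """\
From: "Jane Supervisor" <jane.supervisor@example.edu>
Reply-To: jane.supervisor.office@freemail.example
To: staff@example.edu
Subject: Quick favor
Message-ID: <constructed-1@example.edu>

Are you available? I need you to pick up some gift cards for me today
and send me the numbers and codes.
"""

BENIGN_MESSAGE = """\
From: "Jane Supervisor" <jane.supervisor@example.edu>
To: staff@example.edu
Subject: Meeting notes
Message-ID: <constructed-2@example.edu>

Here are the notes from this morning's meeting.
"""

# Phrases that recur in the gift-card variant of this scam (hypothetical list).
GIFT_CARD_PHRASES = ("gift card", "gift cards", "itunes card", "google play card")


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_addresses(raw):
    """Extract the bare From and Reply-To addresses from a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    return from_addr, reply_to


def mentions_gift_cards(raw):
    """True if the plain-text body contains one of the gift-card phrases."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    return any(phrase in text for phrase in GIFT_CARD_PHRASES)


def check_message(raw):
    """Score a message on the two signals the newsletter describes.

    reply_to_mismatch: Reply-To is present and its domain differs from From.
    gift_card_request: the body asks for gift cards.
    suspicious: either signal fired, so the reader should verify out of band.
    """
    from_addr, reply_to = sender_addresses(raw)
    mismatch = bool(reply_to) and domain_of(reply_to) != domain_of(from_addr)
    gift = mentions_gift_cards(raw)
    return {
        "from": from_addr,
        "reply_to": reply_to,
        "reply_to_mismatch": mismatch,
        "gift_card_request": gift,
        "suspicious": mismatch or gift,
    }


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, check_message(raw))
```

The domain comparison, rather than a full-address comparison, is deliberate: a Reply-To that differs only in the local part at the same institutional domain is usually a legitimate shared mailbox, whereas a different domain is exactly the redirection the scam depends on.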

Ransomware

I saw plenty of warnings that this kind of threat would be one of the top threats of 2021. So far, to my knowledge, no one at the Institute has been hit with ransomware this year, but there are global threats that you should at least know about.

Ransomware is a type of malware that is sometimes called scareware because the hacker uses threats and intimidation to scare the victim into paying to get their data back. You will most likely know it when you see it because most often you, as the victim, will click on a link then get a popup window with a message demanding a fee be paid or your system will not work and your data will be held hostage until payment is made.

This would be very intimidating, to say the least. However, if you back up your data regularly, you won’t panic nearly as much because you will still have all of your data. Your computer can also be wiped and re-imaged so the data can be reloaded. The key to the regular backup? Make sure you store the backup somewhere completely separate from your computer. The best plan is that if your computer is in the office, store the backup at home or in a different building. Never leave your backup on removable storage plugged into your computer, because if malware is on the computer, it will likely end up on any removable storage that is attached.

Ransomware happens to be a popular threat vector a hacker will use in the healthcare sector in hopes of getting a big payout for the return of the data or from selling the data. While healthcare is the main sector being attacked in this way, it often happens to any sector involved with the government.

Remember that if you back up your data, you won’t have to buy it back. What is worse, many victims of ransomware have paid hefty ransoms only to not have the data fully returned, if at all.

If you ever suspect you have been compromised, please contact me immediately.

Thank you all for all that you do!

Sandy