As the 18th annual Cybersecurity Awareness Month (CSAM) ends, I have to tell you that October becomes more important every year. I think this year’s CSAM was particularly good with the information about phishing, basic security guidelines, and keeping cybersecurity at the forefront of your mind every day as you connect! You need to think about protecting the Institute’s data, its money, and its reputation. We owe it to our employer to do so and we owe it to each other to protect all our hard work.
Spear Phishing Is Back
Well, it has been a while since I had to bring up spear phishing, but here we go again! Yesterday evening a new spear phishing attack was launched. This time it appears to be coming from our wonderful Director and State 4-H Program Leader, Justin Crowe. (Thanks, Justin, for letting everyone know you didn’t send it!)
Here are the things to know:
- You will see that the reply-to address is not a utk.edu address.
- The message looks as if it is coming to only you, when it was really sent to lots of people using BCC:, hiding everyone’s names except for yours.
- This kind of attack is built mostly from social media and organizational websites, which show the attacker the chain of command; the hope is that you will trust a request that appears to come from a leader or supervisor.
- The content in the email is very succinct and says they need to speak with you about doing something “discreet” or otherwise secretive.
- The sender says to only reply to the message and not call, then they may give an excuse why you can’t call.
- If you do reply, you will most likely be asked to go purchase gift cards (Amazon, for example) and email them the card numbers and codes from the back of the cards, with a promise that you will be reimbursed as soon as possible.
- You will not be reimbursed!
- This is never something that anyone at the Institute would ever do because we have policies and procedures in place for this.
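The indicators in the list above can be turned into a simple triage check. The following is an added example, not the newsletter's or the Institute's own tooling: it parses a message with the standard `email` module and flags an external reply address, a display name that matches a known leader but comes from a different mailbox, and the content cues (a "discreet" task, "don't call", gift cards, urgency). The `LEADER_DIRECTORY`, the two sample messages, and the helper names are all constructed for the example; the only fact taken from the page is that Institute mail comes from utk.edu addresses.

```python
"""Heuristic triage for the gift-card spear-phishing pattern.
Added example with constructed sample messages; the directory,
trusted-domain set and helper names are assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption from the newsletter: legitimate Institute mail uses utk.edu addresses.
TRUSTED_DOMAINS = {"utk.edu"}

# Constructed directory of people likely to be impersonated:
# lowercase display name -> the mailbox their mail really comes from.
LEADER_DIRECTORY = {"pat leader": "pat.leader@utk.edu"}

# Content cues taken from the newsletter's list of things to know.
PHRASE_CUES = [
    (r"\bdiscreet\w*\b", "asks for something 'discreet'"),
    (r"\bgift\s*cards?\b", "mentions gift cards"),
    (r"\b(do not|don't|can't|cannot|unable to)\s+(call|talk)\b|\breply\s+(only|by email)\b",
     "discourages calling, insists on an email reply"),
    (r"\b(asap|right away|urgent\w*)\b", "pressures for immediate action"),
]


def domain_of(address):
    """Lowercase domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def body_text(msg):
    """Plain-text body, walking multipart messages if needed."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Return the reasons a message matches the pattern; score = number of reasons."""
    msg = message_from_string(raw_message)
    reasons = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    # Replies go to Reply-To when present, otherwise back to From.
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or msg.get("From", ""))

    if domain_of(reply_addr) not in TRUSTED_DOMAINS:
        reasons.append(f"replies go to {reply_addr}, outside {sorted(TRUSTED_DOMAINS)}")
    known = LEADER_DIRECTORY.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        reasons.append(f"display name '{from_name}' is a known leader but address is {from_addr}")

    text = body_text(msg)
    for pattern, label in PHRASE_CUES:
        if re.search(pattern, text, re.IGNORECASE):
            reasons.append(label)
    return {"score": len(reasons), "suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample: the pattern the newsletter describes.
PHISH = """\
From: Pat Leader <pat.leader.office@example.net>
Reply-To: pat.leader.office@example.net
To: you@utk.edu
Subject: Quick task
Content-Type: text/plain; charset="utf-8"

Are you available? I need you to handle something discreet for me.
I am tied up in meetings, so don't call, just reply to this email.
"""

# Constructed sample: an ordinary internal message from the same person.
LEGIT = """\
From: Pat Leader <pat.leader@utk.edu>
To: you@utk.edu
Subject: Agenda for Thursday
Content-Type: text/plain; charset="utf-8"

Attached is the agenda for Thursday's staff meeting. Call me if you have questions.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(sample))
```

The check is deliberately a tally of independent reasons rather than a single rule: an external Reply-To alone is common in legitimate mail, and "please don't call" alone is harmless, but the two together with a "discreet" request are exactly the combination the newsletter warns about. A real deployment would populate the directory from the organization's address book instead of the constructed entry here.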
If you have to be a part of a cybersecurity attack, spear phishing is the easiest attack vector with which to deal. No accounts or computers have been compromised. No Institute data has been accessed. No attachments or links are included. No Institute money is lost. This is a targeted attack and only those who fall for it are liable. It is all about the criminal getting fast and easy money…your hard-earned money!
And remember that these spear phishing attacks seem to be quite cyclical. We won’t have a report of any for months, then they start happening all across the Institute. So please continue to be aware like so very many of you have been in the past several hours.
The Principle of Least Privilege and AD Groups
We all like to think that we need to know everything or have access to everything to do a good job. The principle of least privilege is one of the most helpful concepts in IT security. This concept is about giving a user the minimum level of access needed to perform their job responsibilities. I also use the phrase “need to know” more often, with emphasis on the word often. Permissions should be assigned on a specific need to know and not on a “might need to know at some point.” This keeps data protected and in the hands of only those who need that specific information to do their jobs on a day-to-day basis.
This is a really good time of year to take a look at who has what privileges. If you know that someone’s job responsibilities have changed, make sure their accesses line up with exactly what they need to do their jobs, nothing more. Sometimes it is as simple as updating an Active Directory (AD) security group. AD groups need to be thought of as a way to collect user accounts, computer accounts, and other groups (e.g., email) into manageable units. These groups allow assignments of appropriate rights and permissions to perform specific tasks.
As people leave or transfer to other departments and/or campuses, I remove them from AD groups they no longer need. This removes users who no longer have a need to know. If you know of changes to make, please send me an email, copying the Dean, Director, Department Head, or immediate supervisor, so that I can work with you.
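One way to do the kind of review described above in bulk is to compare each person's effective group membership against what their role actually needs. The following is an added example, not the Institute's own process: it works from a constructed membership export (group to direct members, where a member may be a user or another group, as the newsletter notes AD groups can contain other groups) and a constructed role matrix, and reports which memberships are excess. It also separates excess that can be fixed by removing a direct membership from excess that is inherited through a nested group, which is the case that a quick "remove them from the group" misses. All group, role and user names are assumptions.

```python
"""Least-privilege review of AD-style group memberships, nested groups included.
Added example with a constructed export and role matrix; every name is an assumption."""
from collections import deque

# Constructed export: group -> direct members (users or other groups).
GROUP_MEMBERS = {
    "G-Extension-Staff": {"alice", "bob", "G-4H-Leaders"},
    "G-4H-Leaders": {"carol"},
    "G-Newsletter-Editors": {"G-4H-Leaders"},   # nested: every 4-H leader silently inherits this
    "G-Finance-Approvers": {"bob", "G-Finance-Admins"},  # bob kept this after transferring
    "G-Finance-Admins": {"dave"},
    "G-HR-Records": {"carol"},
}

# Constructed role matrix: role -> groups that role legitimately needs (effective, not direct).
ROLE_GROUPS = {
    "extension-agent": {"G-Extension-Staff"},
    "4h-leader": {"G-Extension-Staff", "G-4H-Leaders"},
    "finance-admin": {"G-Finance-Admins", "G-Finance-Approvers"},
}

# Constructed current roles, e.g. from HR.
USER_ROLE = {"alice": "extension-agent", "bob": "extension-agent",
             "carol": "4h-leader", "dave": "finance-admin"}


def parents_of(group_members):
    """Reverse the export: member -> set of groups that directly contain it."""
    parents = {}
    for group, members in group_members.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    return parents


def effective_groups(principal, group_members):
    """All groups a principal belongs to, directly or via nested groups (cycle-safe)."""
    parents = parents_of(group_members)
    seen, queue = set(), deque(parents.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(parents.get(group, ()))
    return seen


def review_user(user, role, group_members=GROUP_MEMBERS, role_groups=ROLE_GROUPS):
    """Compare what the user effectively has with what the role needs."""
    needed = role_groups[role]
    have = effective_groups(user, group_members)
    direct = {g for g, members in group_members.items() if user in members}
    excess = have - needed
    return {
        "excess": excess,
        "missing": needed - have,
        # Fixable by removing the user from the group directly.
        "remove_direct": excess & direct,
        # Reached only through a nested group the role still needs: the nesting itself
        # must change, so removing the user from a group is not enough.
        "inherited_excess": excess - direct,
    }


def review_all(user_role=USER_ROLE):
    """Run the review for every user in the role list."""
    return {user: review_user(user, role) for user, role in user_role.items()}


if __name__ == "__main__":
    for user, result in review_all().items():
        print(user, {k: sorted(v) for k, v in result.items()})
```

In the constructed data, bob's leftover finance approval group is a direct membership and shows up under `remove_direct`, while carol's editor access arrives only because the 4-H leaders group is nested inside the editors group, so it is reported as `inherited_excess`: nobody added carol to that group, and she drops out of it only if the nesting is changed.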
UTIA Security Awareness Training
Don’t forget that we are in the middle of our annual required security awareness training. To those who have already completed the training that was assigned on 10/08, I appreciate you very much! To those who have not completed it, the deadline, which is 12/17, is a little later this year, so you still have time. But please remember not to test Murphy’s law: any time you put something off thinking you have plenty of time to do it, you will likely have so many unexpected things happen that you run out of time! This is especially important to remember this year because NetIDs will be disabled if the training is not completed by the end of the day on 12/17. Please refer to UTIA IT0123 – Security Awareness, Training, and Education Policy for details.
And if you have an E01 responsible account your training is assigned by UTK. I made certain not to double-assign the training.
I would be remiss if I did not tell you all how thankful I am to work with such wonderful people across the state! I am so proud of everyone for being so mindful of cybersecurity. I often get emails asking about the legitimacy of the email and/or sender and I can’t help but be so pleased when you add why you think it isn’t valid. Sometimes it is as if you have quoted the training or something I have said, so I am fully aware that you are paying attention and being cautious. And I am thrilled when you ask questions! So please keep sending me your questions, thoughts, concerns, and issues. Sometimes I am not aware there is a threat going on until you all start emailing me, particularly with these targeted spear phishing attacks! So thanks for being mindful and vigilant because cybersecurity should never be an afterthought nor should it be only thought of in October!
Stay safe and thank you all for all that you do!