Recent Policy Updates and Online Scams


In an effort to keep everyone informed about IT Security policy and procedure changes, this month I would like to let you know about recent updates to two of our policies. I would also like to share some of the risks of falling for an online scam. And finally, I would like to share some information about a couple of current threats.

Policy Updates

1. UTIA IT0125 – Configuration Management Policy: This IT security policy is necessary for establishing and maintaining the confidentiality, integrity, and availability of the Institute’s data and IT assets. The policy defines baseline configurations for all Institute-owned IT assets and defines asset management and change management with regards to Institute-owned IT assets classified as moderate, high, or business critical.

  • Baseline Configuration now includes some specific examples of each of the six baseline standards.
  • Added several new sections to reflect all of the appropriate NIST security controls that are implemented.
  • Some of the old sections were combining controls, so I pulled information out to go with the correct section.
  • Updated information for all other controls.
  • Updated the Roles and Responsibilities section to include the Technical Standards Committee, which is being reinstated to ensure the Baseline Configurations are tested and implemented successfully.

2. UTIA IT01xx – System and Services Acquisition Policy: This IT security policy defines the Institute’s system and services acquisition program, and how this program is used to evaluate IT assets purchased by the Institute. This policy addresses allocation of resources, as well as the life cycle and acquisition process for IT assets. This policy applies to all Institute-owned IT assets.

  • Added “maximum of” five years for systems to be refreshed.
  • Added in the System Development Life Cycle, “The computer purchase is to be made through University-approved vendors on OIT’s hardware ordering page.”
  • Also added that an extended warranty must be acquired with the purchase of any IT asset over $1,200.

Risks from Falling for Online Scams

When you fall for an online scam, whether it is spear phishing, phishing, malware, or something else, you put the Institute’s data and reputation at risk. That’s not all: you also put yourself at risk. Here is a short list of such risks and examples of how you could end up exposed to them:

Identity theft and/or impersonation

  • Compromise of an online credit card processing system could give up your name (or department name) and cardholder data, which could allow counterfeit cards carrying the real card information to be printed and then sold or used by someone else.
  • Posting a photo of your vaccination card with your information on it on social media sites could allow someone to have your name and birthdate, which could be the start of a major case of identity theft.

Damaged business reputation

  • Allowing data to be stolen because proper controls were not in place could easily cause the Institute and the University to lose trust from stakeholders, including donors, suppliers, partners, and customers/clients.
  • Stolen data, including student records, could cause a drop in student enrollment.

Loss of revenue

  • If the Institute’s reputation is damaged, there is a very good chance there will be a loss of revenue whether it be from fewer donations, partners, clients, or students.
  • Most times when data is stolen there are monetary losses from legal costs and fines, particularly when the data is subject to regulatory compliance requirements.

Intellectual property theft or other data theft

  • Valuable research data covered by copyrights, patents, trademarks, or trade secrets could be stolen and sold.
  • Competitors around the world could recreate your work and claim it as their own.

Be sure to catch the upcoming e-newsletters, where I will continue this review of social networking risks and how to prevent them.

Current Threat

Several people have reported receiving an email regarding a purchase receipt for Norton. There are different versions of this email, but the general idea is the same in all of them. For instance, the message is addressed to nortoncustomerxx@gmail.com, and the sender is also using a Gmail account. Why would the recipient be “@gmail.com” when the email ends up in your “@utk.edu” account?

The message says that your annual plan for some version of Norton has been updated and renewed. The expiration date, however, is often two years from the date of purchase. Keep in mind that it is your “yearly” plan, but it will expire in two years! The cost seems exorbitant at over $500 (for either one or two years), when the regular price on the Norton site is $149 for one year. Finally, the phone number is almost always formatted in a really strange way, e.g., +1   –   (888)   –   (927)   –   (0793).

The aim is to catch you off guard, hoping you will call the number given. In the course of the phone conversation, the “Norton” representative will ask for your credit card number so they can “check their records” and refund your account. This message is definitely a scam.
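The tell-tale signs described above (a To: address that is not yours, a brand receipt sent from a free webmail account, a bizarrely punctuated callback number, an implausible price) can be checked mechanically. The script below is an added illustration, not part of this newsletter or any Institute tool; the two messages, the webmail-domain list and the $300 price threshold are constructed assumptions for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: common free webmail domains a real vendor would not bill from.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Digit groups glued together by runs of 3+ spaces/dashes/parentheses,
# like the "+1   -   (888)   -   ..." style in the Norton receipt scam.
ODD_PHONE = re.compile(r"\+?\d{1,3}(?:[\s\-–()]{3,}\d{3,4}){3}")
PRICE_LIMIT = 300.0  # assumption: anything above this for a one-year plan is suspect

def _domain(header_value):
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def scam_indicators(raw_message):
    """Return the heuristic indicators triggered by one plain-text email."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    hits = []
    # 1. The To: header names someone else, yet the mail landed in our mailbox.
    to_dom, delivered_dom = _domain(msg["To"]), _domain(msg["Delivered-To"])
    if to_dom and to_dom != delivered_dom:
        hits.append("recipient-mismatch")
    # 2. A "Norton" receipt sent from a free webmail account.
    if _domain(msg["From"]) in FREEMAIL and "norton" in (msg["Subject"] or "").lower():
        hits.append("freemail-sender-for-brand")
    # 3. Callback number with strange spacing and punctuation.
    if ODD_PHONE.search(body):
        hits.append("oddly-formatted-phone")
    # 4. Charged amount far above the vendor's list price.
    prices = [float(p) for p in re.findall(r"\$(\d+(?:\.\d{2})?)", body)]
    if any(p > PRICE_LIMIT for p in prices):
        hits.append("implausible-price")
    return hits

# Constructed sample modelled on the scam (not a real capture).
SCAM = """From: Norton Billing <nortonbillingdesk.88@gmail.com>
To: nortoncustomer17@gmail.com
Delivered-To: jdoe@utk.edu
Subject: Receipt: your Norton 360 yearly plan has been renewed

Thank you for your order of $549.99. Your yearly plan expires in 2 years.
For a refund call +1   -   (888)   -   (555)   -   (0100) within 24 hours.
"""
# Constructed benign receipt for comparison.
LEGIT = """From: Norton <no-reply@norton.example>
To: jdoe@utk.edu
Delivered-To: jdoe@utk.edu
Subject: Your Norton subscription receipt

Your one-year plan has been renewed for $149.00. Questions? Call 1-800-555-0199.
"""
```

Run `scam_indicators(SCAM)` to see all four indicators fire, while `scam_indicators(LEGIT)` returns an empty list.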

If you ever have any questions about a suspicious email, policies/procedures, social networking risks, or any other questions, please do not hesitate to let me know. I am here to help!

Thank you all for all that you do!

Sandy