This Week’s Cybersecurity News, 03/16/2023

Happy Friday Eve!

Today I am repeating last week’s non-threat because it is likely to begin next week. I have also included information about a current phishing attempt targeted toward students, so please pass this along. I am addressing why you are never supposed to ask for or share a password. And there are several updates you need to know about.

Current Non-Threats

  • UTK’s NetReg Classification Survey (email)
    • This was in last week’s newsletter, but it is worth repeating.
    • In a recent IT Weekly email, UTK’s Office of Information Technology (OIT) announced that starting in mid-March, you will receive emails asking you to reclassify your Institute-owned devices.
    • While these surveys will start going out in mid-March (after spring break), they will continue to be sent over the next few months until all devices have been classified.
    • Classification was put on a brief hold while the new NetReg system was being finished.
    • You will be once again required to complete a classification survey for each Institute-owned device.
    • You will be asked to identify, via checkboxes, the type of data stored, viewed, or processed on it.
    • Please take care when you complete the survey(s) to make sure you are responding for the appropriate device.
    • Also, this is very important…DO NOT INCLUDE DATA THAT IS YOUR OWN OR YOUR FAMILY’S.
      1. Part of the purpose of classifying devices is that in the event of a breach, we know who must be contacted.
      2. If the only PII stored on your devices is your own or your family’s, there is no contact that must be made nor State and Federal reporting that is required.
      3. While your own data is very important, the device is classified based on the Institute’s and University’s data that is stored on it.
      4. Including your own or your family’s data, such as personal credit cards, Social Security numbers, driver’s license numbers, etc., could cause the classification to be set at a higher level than it should and would create the need for a security plan to be written for that device when it really is not necessary based on the actual Institute’s data you are storing.
    • Once these surveys start being completed, I will begin checking the responses for Institute-owned systems and will see how those are looking.
    • If the results are questionable (i.e., an inordinate number of devices classified as “high”), I will start sending my own classification survey to find out more specific information about data being stored.
    • Then I can start scheduling meetings with those whose devices should truly be classified as “moderate” or “high” so I can help you create a system security plan for those devices.
    • Please complete the UTK classification survey within 30 days of notification, otherwise your devices will lose network access until the survey is complete.
    • Since this is an annual event, my best advice is that it is far less bothersome to classify all your devices on the same day so they are all on the same schedule.

Current Threats

  • Research Opportunities (phishing email)
    • The sender is Denise Clare <denise.clare@hotmail.co.uk>.
    • The subject is FIRST QUARTER RESEARCH.
    • The message tells you that the Office of URaCE is accepting applications for the 2023 Student Research & Professional Development Learning Institute.
    • This institute is supposedly for undergrad researchers to “sharpen your skills in preparation for graduate school, medical school, or a career” in eight weeks of networking.
    • This email is “signed” by Benjamin N Lawrance, supposedly with Office for URaCE Team.
    • This email is NOT legitimate!!!
    • I did a little research and UTC does have the Office of Undergraduate Research and Creative Endeavor (URaCE).
    • This particular event is NOT listed on their site.
    • Benjamin N. Lawrance shows he is with the “Office for URaCE Team,” but is not listed on their site or even in the UT or UTC directory.
    • Denise Clare’s address uses a domain in the United Kingdom, which would make no sense at all.
    • For verification, I contacted the Executive Director for the Office of URaCE and she confirmed this is not legitimate.
    • The Executive Director is going to reach out to the IT folks at UTC to let them know, in case students contact them.
    • If you receive this email, please forward it, along with the Internet header, using these instructions, Reporting Phishing Attempts.
    • PLEASE share this information with your students, particularly those who are not employees since they won’t know about this threat if you don’t tell them!

Ask Your CISO

  • Is there ever a time when it is okay to share my password with someone else?
    • This is easy enough to answer with one word…NO!
    • If you prefer a two-word answer…ABSOLUTELY NOT!
    • If you can’t already tell, this is a very serious issue.
    • UTIA’s IT Security policies, as well as UTSA and all the other UT campus and institute policies, make it very clear that you are to never share your password with anyone.
    • This means you are not allowed to ask anyone for their password, either.
    • Some examples of those policies include:
      1. UTIA IT0110 – Acceptable Use of Information Technology Resources Security Policy (AUP) states that users WILL NOT share access codes or passwords, and adds:
        • Never ask others for their passwords.
        • Never give anyone your password.
        • Shared accounts must be requested through the appropriate channel and only when there is a valid reason.
      2. UTIA IT0132 – Identification and Authentication Policy states, “Passwords must never be shared with anyone.”
      3. UTIA IT01xx – Media Protection Policy states, “Users must never share passwords with anyone, and anyone needing access to any IT asset at the Institute must go through the proper channels to request that access.”
      4. UT System’s IT0110 – Acceptable Use of Information Technology Resources states that users will not share access codes or passwords.
    • All Institute employees are expected to fully comply with all Institute and University policies and procedures.
    • Any employee not complying with a policy or procedure is subject to disciplinary action.
    • And if you are wondering why this is such a big deal…
      1. Someone with your password can log in as you and do things you would not do yourself.
      2. If someone else is using your password, they may not be as security-minded as you, causing the IT asset, the data, and your Personally Identifiable Information to be at risk.
      3. Someone with your password can have access to data and information that person is not approved to have, which is another violation of multiple policies.
      4. Someone with your password can log into other UTIA/UT systems, i.e., email, IRIS, Banner, Concur, SUPER, etc., from any computer, at any time without you knowing it.
      5. If someone logs in with your password, audit trails will look like it is YOU, not that person.
      6. Using another person’s credentials is viewed as fraudulent.
      7. Remember that an insider threat will often involve the use of someone else’s credentials.
    • Finally, I have a few pieces of advice.
      1. If you want to allow someone to help maintain your calendar, NEVER allow them to do so via your NetID and password, but do this the right way…set them as a delegate.
      2. If someone needs to use your computer, make sure you each have individual accounts set up as “User” and NOT “Admin,” which will keep your data separated and audit trails will be accurate in the event of a compromise.
      3. The requirement of two-factor authentication took away a lot of password sharing, so please know that asking for smartphone access AND a token is often a sign that someone is sharing their password!
      4. Remember, “Don’t ask for my password because I am not going to tell you!”
    • This applies to everyone!

Browser, OS, and Software Updates

  • Microsoft
    • Microsoft has released updates to address multiple vulnerabilities in Microsoft software.
    • Exploitation of these vulnerabilities could allow an attacker to obtain sensitive information.
    • Updates are being automatically pushed to Institute-owned computers.
    • If you have recently clicked to have your computer restart later to finish these updates, please make sure you reboot right away to ensure all available updates have been applied.
  • Firefox
    • Mozilla has released security updates to address vulnerabilities in Firefox.
    • These vulnerabilities could allow an attacker to take control of an affected system.
    • Since your browsers are being managed by UTIA ITS, you should be getting the updates automatically.
    • If you do not close your browser regularly, you may not have the latest updates.
    • In your Firefox browser, go to Settings (the three lines in the upper right-hand corner) and scroll down to Help.
    • Click on Help, then click on About Firefox.
    • A window will open to show you if your browser is up to date and what version you should have.
    • If you don’t have Firefox 111, please restart the browser to get the update.
  • Adobe
    • Adobe has released security updates to address vulnerabilities in multiple products, including Photoshop.
    • Exploitation of these vulnerabilities could allow an attacker to take control of an affected device.
    • Updates are being automatically pushed to Institute-owned computers.
    • If you have recently clicked to have your computer restart later to finish these updates, please make sure you reboot right away to ensure all available updates have been applied.

Thank you so much for all you do to protect the Institute, as well as its assets and data. I am here to help you, so please don’t hesitate to let me know if you have questions or concerns. Your questions, security-mindedness, and feedback are important to me and greatly appreciated!

Sandy

Important Note: Thank you so much for sharing these e-newsletters with family, friends, clients, students, and anyone else who may benefit from the information. I would like to stress that you should keep your students in mind, as non-employee students will not get this information without someone sharing. If anyone else has an email group for students who are not employees of your department, please let me know what that address is and I can include it. I do this as a blind copy so student names and addresses will not show up!