In 2004, the President and Congress declared October to be Cybersecurity Awareness Month and we have been celebrating this ever since. The purpose of Cybersecurity Awareness Month is to help individuals protect themselves online as threats to information technology and confidential data become more common. The Cybersecurity and Infrastructure Security Alliance (CISA) and the National Cybersecurity Alliance (NCA) lead a collaborative effort between government and industry to raise cybersecurity awareness nationally and internationally. This is particularly important with all the things that are going on around the world.

This year’s theme is “See Yourself in Cyber” and CISA says that it demonstrates that while cybersecurity may seem like a complex subject, ultimately it is about all people. This October focuses on the “people” part of cybersecurity. From CISA’s website, this information is what they hope to see shared with peers.

• For individuals and families, we encourage you to See Yourself taking action to stay safe online. That means enabling basic cyber hygiene practices: update your software, think before you click, have good strong passwords or a password keeper, and enable multi-factor authentication (meaning you need “More Than A Password!”) on all your sensitive accounts. 
• For those considering joining the cyber community, we encourage you to See Yourself joining the cyber workforce. We’ll be talking with leaders from across the country about how we can build a cybersecurity workforce that is bigger, more diverse and dedicated to solving the problems that will help keep the American people safe. 
• For our partners in industry, we encourage you to See Yourself as part of the solution. That means putting operational collaboration into practice, working together to share information in real-time, and reducing risk and build resilience from the start to protect America’s critical infrastructure and the systems that Americans rely on every day. 

Current Non-Threats

• 2022 UTIA Security Awareness Training (email from me)
  • It’s that time of year when everyone is assigned the annual security awareness training. (Please note: Those with an E01 responsible account get their training assigned by UTK.)
  • This training is required of every member of the UTIA workforce per UTIA IT0123 – Security Awareness, Training, and Education Policy.
  • Training is role-based and is assigned based on your primary job duties.
  • New employees are assigned training shortly after their hire date, so if you already completed the training earlier this year, you won’t have to take it again!
  • K@TE has been quite slow with processing the assignments, but everyone should be able to see their assignment by the end of the day.
  • Training is due by 5:00pm on Wednesday, November 30, 2022.
  • Anyone who has not completed training by the deadline will face losing access to any system, including email, that uses the assigned NetID for authentication. (see UTIA IT0123 for specifics)
  • The training should take approximately 30 minutes to complete.

Current Threats

• Multiple Quick Requests (spear phishing)
  • Currently, the subject is most often Quick Request but it does vary.
  • The sender appears to be your department head.
  • The sender’s return address is usually a gmail address.
  • The email is NOT from your department head, dean, director, or anyone else at the Institute.
  • The email is from a random cybercriminal who has done a little bit of research on websites and social media sites to determine the organizational structure of any given unit or department.
  • You are not the only recipient as the sender would lead you to believe.
  • The sender has blind-copied the rest of your department trying to see if anyone will fall for their ploy to make you feel like you are being trusted to do a very special favor.
  • The content is a quick ask for a mobile number that the sender can call.
  • If you give the sender your cell phone number, they will likely text you right away to ask you to do them a favor.
  • The favor will involve you going to a store to buy gift cards, then texting those gift card numbers and codes to them.
  • Please do not respond to these emails.
  • If you get carried away and do reply with your cell phone number, make sure you do NOT respond to any texts you get from an unknown number.
  • As long as you don’t buy the cards and give the person those card numbers, you are okay except for giving your cell phone number to someone who may sell it as a targetable number on the Dark Web.
  • The purpose of spear phishing is for the sender to make easy money.
  • At this time there has been no malware or breach involved because spear phishing does not include links or attachments.
  • The department head’s email has not been compromised, as the sender is impersonating the department head. (This is true for whomever is being impersonated.)

• Hurricane-Related Scams
  • CISA is warning all users to remain alert for malicious cyber activity targeting both victims and donors in the aftermath of the recent hurricanes.
  • Fraudulent emails are common after a major natural disaster.
  • Please do not click on links or open attachments in emails you were not expecting and especially from someone you do not know.
  • In addition to taking extra caution with this kind of email, please be wary of social media posts, texts, and door-to-door solicitations relating to disastrous events.

Thanks for all you do every day to protect the Institute and its data. And remember if you need me, please email or call me at any time. And as I encourage you always, please share information with peers, clients, students, and family.

Have a great rest of the week!

Sandy