Info (in a) Sec: Dec 2021

This edition marks the one-year anniversary of our quarterly newsletter.In our newsletters, we share a little bit about the projects we are working on, the services we provide, and things we think you’ll be interested in. Add yourself to our Newsletter list to receive future installments.

Spotlight on Log4j

So, what’s all this I have been hearing about Log4j? Log4j is a chunk of code that helps applications log their activities, kind of like a running journal. It’s free and widely used across the Internet. For example, Minecraft uses Log4j and it was one of the applications affected by this vulnerability. The vulnerability allowed attackers to gain control of the affected application by sending malicious code. That meant A TON of programs were exposed and Information Security teams across the globe were working nights, weekends, holidays, during vacations, and probably in their sleep to patch exposed systems. 

Our security team at Berkeley was no different. They worked diligently alongside many IT professionals both here on campus and with vendors to make sure our Berkeley networks and systems were patched and protected. 

What can you do to help? I’m glad you asked. Make sure your systems and apps are up to date and if you get any suspicious emails be sure to forward them to

General Updates

Telephone Call Retirement for CalNet 2-Step  

We are retiring the use of telephone calls as an option for completing the CalNet 2-Step on Jan. 12, 2022. Remind me again, why? There are several reasons, but the biggest is that telephone calls are less secure than other authentication methods. The good news is that there are many easy-to-use options available and you can register multiple devices, so be sure to register that new phone/tablet/watch, etc. that you got over the holidays. If you need help converting, we are hosting in-person drop-in hours Jan. 11, 12, and 13, 10:00 a.m. - 2:00 p.m. in the Academic Innovation Studio (AIS) -  Dwinelle Hall 117 (Level D).


No, it’s not a hip new way to abbreviate Mississippi. The MSSND stands for Minimum Security Standards for Networked Devices and it’s gotten a refresh. Cool… what does that mean for me? It means that any devices you have connected to the Berkeley network or devices that store, process, or access “institutional information” (which is like, basically everything) are required to follow these standards. So get your devices in shape by Dec. 31, 2022 (but, you know, sooner is better).

Cybersecurity Awareness Month

In case you missed it, October was Cybersecurity Awareness Month and we were super jazzed to host Nathan Wenzler for his talk, “Choose Your Own Cybersecurity Adventure: How to get started and succeed in the InfoSec field.” Even if you aren’t interested in getting a job in this field, it’s fascinating to see the different skill sets used across the industry and what future cybersecurity professionals should be learning.

Staff Updates

It is with mixed emotions that we wish Greg Snow a happy retirement! Uh, why mixed? For starters, if you've worked with Greg in his over 35 years here at Berkeley, you would know that he always has the best dad jokes. But seriously, Greg helped build many of the systems that make Cal, Cal, including the SIS Campus Solutions and the Cal1Card system. Starting as a programmer in Residential and Student Services Programs, Greg’s role grew to include large-system design and architecture AND he was known as being a highly technical, big-picture, and detail-oriented team member, and an overall wonderful person.  We will miss working with him and wish him well in retirement.

We'd also like to congratulate Karl Aquino for being promoted to a Security Analyst IV position! Karl joined the Information Security Assessments team in late 2020. Since then, he has conducted dozens of assessments for the campus. Karl also manages our risk assessment tool and continues to supervise the Student Affairs Information Security team. Kudos, Karl!


Dear ASCII, 

What’s so special about Special Purpose Accounts? 

-I don't get IT

Dear I don't get IT,

Clever name. There are lots of neat things that SPA accounts can do for you. First, let's spell out what a "SPA" is for the folks at home. SPAs are essentially a CalNet ID that can be shared with multiple individuals (e.g., "ISO" is a SPA that is owned by the Information Security Office shared with several folks across our team).

SPAs can be used to create Shared Drives to easily manage access to files in the Berkeley Google Suite. You can use them to send emails on behalf of a department or role and to create departmental calendars to share your department’s events. Oh, and unlike a personal account, the SPA (and any resources created or managed by the SPA) are owned by the department, so if a person leaves Berkeley, all that work is readily accessible by the rest of the team.

Here is a list of steps with links to detailed instructions to help get you on your way. 

  1. Create a SPA account
  2. Connect it to a bMail account
  3. Learn how to log in directly
  4. Access the SPA's email by forwarding or delegating access
  5. Create a SPA-Owned Shared Drive
  6. Move Google docs to the Shared Drive
  7. Add or remove Direct Members

Questions? Contact

What keeps us busy?

These charts may help explain. The first chart shows the number of alerts processed by our threat detection systems and the second chart shows detected compromises and vulnerabilities for this quarter.

If you get a security notice from our office be sure to follow the instructions to remedy the situation immediately. 

Q4 of 2021 Threats detected
Q4 of 2021 Compromises, vulnerabilities blocked graph