Info (in a) Sec: October 2021

Add yourself to our Newsletter list to receive future installments.

Spotlight: Cybersecurity Awareness Month!

October is Cybersecurity Awareness Month y’all! We have a ton of events going on this year and each week has a different focus (the second week being “Phight the Phish”) and well, I don’t want to brag, but we had our “Fight the Phish” campaign created way back in 2019.

Ugh, I don't have the time to learn more things. Hey, totally get it, here are three things you can do right now. You can do three things, I believe in you! 

#1: Use Duo to Push

Use the Duo App to send a Push to complete your CalNet 2-Step. A "push" is an approval request that you can send to your smartphone or tablet and it’s quicker and more secure than entering text passcodes or phone calls.

#2: Do the “Minimum”

Visit our How To Secure Devices page to secure your devices under the Minimum Security Standards. We include detailed instructions on how to set up your devices to meet campus Policy requirements. 

#3: Sign up for FREE LastPass Premium

Get your free LastPass Premium account. UC Berkeley offers faculty, staff, and students a free LastPass Premium account. This tool manages all your passwords and syncs across all your devices.

Note for the detail sticklers: Yes, #2 is a set of things, but we have clear instructions to follow. Again, I believe in you - you got this!


General ISO Updates

Telephone Call Retirement

We will be retiring the use of telephone calls as an option for completing the CalNet 2-Step in Jan. 2022. What? Why? Well, for a few reasons, but the biggest is that telephone calls are less secure than other authentication methods. The good news is that there are many easy-to-use options available and you can register multiple devices, you know, in case you accidentally drive away with your phone on the roof of your car and then back over your phone trying to find it.

Ch-Ch-Ch-Changes

If you use the Duo App to complete your CalNet 2-Step (cough, which we recommend, cough), you will see some changes starting Oct 11 for both iOS and Android platforms. Don't worry, if you enabled automatic app updates on your device, you don't have to do a thing - and if not, just manually update.

The redesigned Duo App will improve the App's accessibility and you will notice they switched the positions of the Approve / Deny buttons. So be careful if you are used to hitting the "left side" of your screen as you get used to the new layout.


Special Speaker Event:

Choose Your Own Cybersecurity Adventure: How to get started and succeed in the InfoSec field

Zoom link to webinar

It's no secret that technology is evolving faster and faster each day. This means the types of skills and the needs of organizations to protect and secure those technologies are changing just as quickly. Trying to get started in the Information Security or Cybersecurity fields can be difficult, at best, with the ever-changing curriculums and often unreasonable levels of skill being asked for by many hiring managers. For both students and educators, it can be difficult to know what the most relevant courses are, what topics should be focused on and what additional skills will help position the next generation of security practitioners for success. And this leads to the questions: What area of cybersecurity should I specialize in? How do I demonstrate skill and experience when I'm first interviewing? How do we better prepare students to be successful in their careers? Are there some skills and knowledge that are more in demand than others?

In this discussion, Nathan Wenzler, chief security strategist at Tenable, the creators of Nessus and the leaders in Risk-Based Vulnerability Management, will share what he's seen work for both educators and students over a 25-year career of mentoring new practitioners and leaders in the cybersecurity field, as well as what trends are being seen in the industry for what skills and topics both students and educators should include in their programs to remain relevant for the future.


Ask ASCII

Dear ASCII,

I’m a recent postdoc and working in a music lab and they have given me a computer to use for composing, recording, etc., but I'm not 100% sure how to secure it properly. What do I need to do? Are there guidelines or benchmarks I need to follow?

New Kid on the Bach

Dear New Kid, 

You betcha. There is actually a whole list of Standards for devices that you connect to the Berkeley Network, but don’t fret (ha), we have resources both to define the big picture Standards and to walk you through the step-by-step process of how to implement them. Plus we are always here to help answer questions by emailing us at iso@berkeley.edu.

Dear ASCII,

I’m a bit embarrassed to admit this: I got phished. It happened a few weeks ago. I got an email from what I thought was a professor in my department asking for help working on a project online. When they paid me, the check was for $500 more than what I was supposed to make, but they said I could just cash the check and then pay them back with a transfer. After I transferred the money, the check bounced at my bank. So now I owe the bank the original plus I lost the money I transferred. I know this is all my fault, but could I have done something differently?

Feeling Fooled

Dear Feeling,

Oooh noo. First of all, I’m so sorry to hear this happened to you. And please don’t feel shame or blame yourself for this; there are several successful work scams out there where a “professor” or “researcher” asks for help or offers easy employment. It’s simple, but effective because they are taking advantage of you a) for being nice and b) for wanting to work for a prestigious Berkeley faculty member. The good news is that there are things you can do now and for next time - cause I hate to say this, but there will always be more phish… :( 

  1. Check out our Recognizing and Avoiding Job Scams article.

  2. If you aren’t sure about an email, forward it to phishing@berkeley.edu or check out our Phish Tank to see if we’ve posted it.

  3. Report it to us at security.berkeley.edu. This helps us protect others from falling for these scams ^^see Phish Tank^^ and we can work with police and federal agencies to stop these attackers from attacking us in the future.

We encourage you to learn more about good cyber hygiene at:

https://security.berkeley.edu/education-awareness

-Information Security. Made Bearable

What keeps us busy?

These charts may help explain. The first chart shows the number of alerts processed by our threat detection systems and the second chart shows detected compromises and vulnerabilities. If you get a security notice from our office, be sure to follow the instructions to remedy the situation immediately.

[Chart: general alerts per month]

[Chart: compromises and vulnerabilities]