Info (in a) Sec Spring 2023

Welcome to our quarterly newsletter!

With so much happening in Information Security these days, we want to use this newsletter as a way to share a little bit about projects we are working on, services we provide, and things we think you’ll find helpful or interesting. Please feel free to forward this to your campus networks and let colleagues know they can join our newsletter list to receive future installments. ~ Allison Henry, Chief Information Security Officer, Berkeley IT

 Inside this issue...

In the Know: What’s happening in ISO & Berkeley IT

  • Join us in congratulating Jake Harwood on his promotion to Senior Information Security Manager. In this new role, Jake will have direct oversight of the Security Operations, Security Assessment, and Security Development teams. While we work to backfill the Security Operations Manager role that Jake is leaving, John Ives has graciously agreed to step in as Interim Manager. Read more about Jake and John

  • The Network Services team has rolled out a new network service requirement: all new campus subnets must be secured by either a bSecure Departmental firewall or the bSecure Shared Firewall. This requirement went into effect in March 2023. View the details on this new firewall requirement

  • Our Associate Chief Information Security Officer, Charron Andrus, was recently interviewed by the UC IT Blog. Take a moment to read up on Charron’s eclectic path to Information Security and her continued focus on diversifying the technology space.

LastPass Update & Lessons Learned

As many of you are no doubt aware, last year LastPass, our password management vendor, suffered a significant security breach. In January of this year we were made aware that attackers were able to access backup copies of all LastPass encrypted customer vaults. The Information Security Office responded with guidance and new requirements for LastPass business customers

More recently LastPass released public details about how the breach occurred and the steps they are taking to secure their systems and processes. I encourage you to read it through as there are some valuable lessons learned, especially for IT staff with privileged access to protected systems and data. The attackers initially gained access to the staffer’s home network through a vulnerability in a third-party package that had not been patched. Once on the network, the attackers were able to install a keylogger on the IT staff member’s home machine, which then captured the password to the staffer’s work LastPass vault, accessed from their home machine. These credentials were used to unlock the backup of the user’s vault which the attackers had previously downloaded.

Since many of us work from home at least part of the time, we should all ensure that home systems are patched, including routers and media devices (and that potentially untrusted devices are on isolated networks where possible). We should also ensure that any work that involves passwords or credentials is done from our work machines with appropriate security controls, like FireEye agents, installed on our devices. These agents offer protection against malicious tools like keyloggers.

In the News: Top Stories in Cyber Security

  • The city of Oakland suffers ransomware attack, bringing down IT systems and exposing sensitive information. With this striking so close to home, now would be a really good time for everyone to back up and store a copy off-line of your sensitive files.

  • Biden-Harris Administration Announces National Cybersecurity Strategy. Makes our Security team wonder how they envision safeguarding privacy and how closely that might align with Berkeley’s.

  • US Universities follow state policies to ban TikTok from campus devices and networks. While TikTok bans have not yet come to California, there are two bills concerning TikTok working their way through the state legislature (AB227 and SB74), which UC is tracking closely. Banning TikTok would be a challenging task. Overall, while it is technically possible to ban TikTok, it would require significant effort and cooperation between governments, social media companies, and other stakeholders.

  • Security scams follow Silicon Valley Bank shut down. This is a good reminder of how cyber criminals are always ready to take a situation and use it to their advantage.

Policy Updates

Required use of Email for University Business: Please remind your staff and University customers of this campus-wide message on the importance of using your email for all university business. Per the excerpt from their message, Benjamin E. Hermalin, Executive Vice Chancellor and Provost; and Jenn Stringer, Associate Vice Chancellor for IT and Chief Information Officer, conveyed the following:

What you can do now to ensure you are in compliance with policy:

  1. Use your UC Berkeley email for all university business — for both sending and receiving.

  2. Turn off any automatic forwarding you may have set up that sends your Berkeley email to a non-Berkeley account.

  3. Use your UC Berkeley email for communication in all business systems, including those that do not require CalNet authentication.

  4. List your UC Berkeley or other UC email in the campus directory, on your syllabus, etc.

Learn more about the policy requirements associated with the use of a Berkeley email address. If you have questions, please share them using this form

Updates to Departmental Information Security Contact Policy: Following formal campus review and revision, we are pleased to announce that the updated Departmental Information Security Contact Policy has been ratified effective Dec. 1, 2022. This Policy defines Department-level responsibilities for ensuring prompt and appropriate action in the event of an information security incident. The main purpose of the Policy remains unchanged: to ensure that ISO is able to contact the proper people in each Department and have them take appropriate action in the event of a security incident. The specific responsibilities for both Departments and Information Security Contacts (aka “Security Contacts”) have been updated and clarified, along with the definitions and resources associated with this Policy. A summary of all policy changes is available here

Digital Spring Cleaning

Many of us are familiar with the concept of spring cleaning. This year, consider taking some time to spring clean your digital life, too. Just like your home, your digital life can become cluttered; things pile up, get out of date, get lost, are no longer needed, or need some care.

Here are a few quick tips for refreshing, renewing, and reinvigorating your cyber life. For more info on any of these, see the full article

  1. Review Online Accounts

  2. Update and Purge Devices

  3. Lockdown Logins

  4. Tune-up Web Browsers

  5. Securely Dispose of Electronic Devices

For additional digital spring cleaning tips, SANS’ OUCH! Newsletter offers Digital Spring Cleaning in 7 Simple Steps

Success Stories from the Field

For months, our campus has seen a substantial increase in students receiving fraudulent job offers or internships. The criminals quickly take the conversation away from email, usually asking to be texted on a mobile number, or asking for a non-campus email or mobile number, making it harder for us to detect. These offers require students to deposit bogus paper checks and then use a tool like Zelle to send the criminal money. To date, students have lost more than $25,000. However, we have recently had two incidents where quick-thinking students suspected something was not quite right and were able to put a stop to it before they lost any money, and contributed that to some of our anti-phishing materials like our Phish Tank.

Grow Your Cyber Skills with Professional Development

Plus many other cybersecurity-related courses via LinkedIn Learning. As a reminder, all UC employees have free access to content on all kinds of topics for professional and personal development.

Upcoming Events

We're here to answer questions, provide information, and work with you to find effective solutions for your security needs.

Visit the Information Security website: