This week you will have received an email asking you to complete the cybersecurity survey for 2020. This annual survey lets us know what the MRU community has learned over the past year and helps us determine the direction and focus for the year ahead.
This year the survey is being administered through the Security Education Platform. This allows us to more easily analyze the data that we collect. The survey appears in your assignment list. Although it looks like an assessment, it is not. Completion is voluntary. No one sees the individual results except the IT security team and the data will be anonymized for reporting purposes.
We want to know what your cybersecurity habits are as well as what you know. The goal is to determine if the information and tips we are giving you are helping you practice cybersafe behavior or if we need to approach things differently to provide you the support that you need. As a thank you for helping make the program better, everyone who completes the survey by December 21, 2020 receives two contest entry codes into the Cybersecurity Challenge draw for a $250 Best Buy gift certificate.
With phishing attacks on the rise and everyone being vigilant sometimes legitimate communications are flagged as suspicious. This week we had a student report their e-transfer refund notification. Last month it was Cybersecurity Awareness Month notifications and the month before that it was a survey. While I am absolutely delighted that people are erring on the side of caution, I thought I would share a little tip that might make it easier to determine if a communication is official or not.
Without exception, official communications include who to contact if you have questions. There may not be a name but there will always be a department or email. Senders know that you may have questions and in true Mount Royal University fashion, we want to be able to help. If you are not sure if an email is legit, look for that contact information. Take note of it and then search the Mount Royal website or directory to find an email that either matches the one in the message or is for the department that sent the email.
Once you know you have legitimate contact information, create a new email asking for verification that the email is official. It only takes a couple of minutes and it will get you an answer faster than if the IT security team does the same thing.
Note that I am not telling you to use the links in the email to contact the sender. That is because some emails are sent using services and the URL for the links take you to that service before you are sent to the final destination rather than directly to the intended URL. This makes it difficult to determine if the links are legit or not. To be on the safe side, just create a new email to contact the sender for verification.
I am hoping that my little tip, will empower some of you and make you feel more in control of your inbox. That said, we will always be happy to have you report those emails that you just aren’t sure of. Keep up the good work!
Just when I thought it was going to be a quiet week, this showed up on my phone.
Considering how much we pay for cellular service in Canada, this is a mighty enticing message. I will admit it, I desperately wanted it to be true. I have two university students on my plan so you can just imagine what my monthly bill is. Having money returned to me by my blood sucking mobility provider is a dream. A message like that makes your whole day.
However, there is this little matter of the link…why does it have to have a link? Crud. Add to that the vagueness of the term mobility provider and you have a real life smishing attack. I have to admit though, I do love how they add the dreaded Data rates may apply in attempt to make it look official. That is rather clever of them.
I am not sure what is more annoying, the fact that I won’t be getting money back from my mobility provider or that the message interrupted my day. Okay I am going to be honest, it’s the money. That is definitely more annoying. For one brief moment I had hope.
Let’s take a closer look at how my hopes dissolved into wisps of despair. Firstly, if this was from my mobility provider, the actual name of the company would have been in the text. No organization is going to be coy about refunding you money. They are going to make sure you know who is blessing your day with a shower of funds. Second if they were issuing me a refund, they wouldn’t send me a text with a link. Unless I was closing out my account, they would just deduct the refund from my bill which is much more efficient and economical.
That said, I am an eternal optimist. I decided to check my account to see if perhaps I had overpaid and the blood suckers were indeed returning funds. I used my mobility provider’s app on my phone to check my account. My assumptions were correct, the text was fake. Nuts.
This is a gentle reminder to never click on links in text messages unless you have asked for the link to be sent to you. Instead access accounts through apps or a bookmark on your computer to verify information. No matter how tempting it is, don’t click.
Documents in Google Drive can just be shared or shared and findable. A shared document is one that you are giving a specified person or group of people access to. If you don’t have the link to the document or the document isn’t shared exclusively with you then you can’t access it. In other words you have to specifically been given permission to see the document.
A findable document is one that anyone with an @mtroyal.ca email address can search for. All they need to do is enter a term in the search field in Google Drive and Google will find all the documents that contain that term in the filename or contents. Therefore they don’t need to have the link to access the document, they can just search for it.
Currently, the option to make a document findable is buried in the settings wheel that is only accessible when you want to generate a document link that can be used by members of the Mount Royal University group.
This makes it difficult to accidentally make a document findable. However, a few years ago this option was part of a drop down that included other sharing permissions. This made it much easier to select it when you didn’t intend to. The good news is, only MRU community members can search for the document. The general public cannot. So if you accidentally made the document findable, you are somewhat protected.
Now for more good news. While there is no easy way to determine which documents have been shared. There is an easy way to determine which of your documents are findable, just type owner:me source:domain in the Google Drive search bar and press Enter on your keyboard. It will bring up all the documents that you own that are marked findable. As a document can’t be findable unless it is shared with the whole campus, this should help you track down some of your accidentally shared documents and folders as well.
You are welcome!
This week the phishing training program resumed. This gave everyone a chance to use the new PhishAlarm button to report the suspicious emails. For most of you, it worked great!. For some of you, not so much.
As the PhishAlarm button is a browser based tool (it works through your web browser), it can act up when your browser acts up. This is true for all browser based tools. When this happens it can usually be remedied by clearing your cache.
Your cache is where images and content are downloaded and stored. Your browser does this to save time loading a web page. The first time you visit it, it will load some key information into your cache. The next time you visit that page, instead of downloading it from the internet again, it goes to the cache and loads it from there. This makes the webpage load much faster. This is true whether the page is a just a boring website or a web based application.
So the next time the PhishAlarm button gives you an error message or any other web based application gives you trouble, clear your cache. It will empty all the information stored there and download it from the Internet again. This basically resets the application and it usually starts working. For details on how to clear your cache, check your browser’s help files.
There is a new phishing attack that is taking advantage of the widely acknowledged technology issues facing students, families, and educators. It is targeting educators, using infected attachments that masquerade as student assignments. The attachments contain ransomware that encrypts your files and locks you out of your devices until the ransom is paid.
In this type of attack, the hackers pose as a parent or guardian submitting a student’s assignment on their behalf. They claim that the student was unable to upload the document due to technical issues. The emails are very emotional and are designed to tug on the heart strings of the educator.
The subject lines the attackers have been using are:
• Son’s Assignment Upload
• Assignment Upload Failure for [Name]
• [Name]’s Assignment Upload Failed
Here is an example of the types of emails being used.
Often the attachment is a Word document . Once you open it, you are asked to “enable editing” and “enable content”. If you do, the ransomware is loaded onto your device.
This attack is very targeted, using contact lists available on the school’s websites to determine who to send emails to. Although the attackers are currently focusing on K through 12 schools, it is expected it will move to post secondary institutions next.
To avoid these types of attacks:
- Only accept assignments submitted through regular channels.
- Do not open an attachment unless you check the sender’s email address and know who the email is coming from.
- Verify the sender actually sent the message whenever possible.
- Do not enable content or editing on Word documents unless you are 100% certain of the sender’s identity.
- Do not enable macros on Word or Excel documents unless you have talked to the sender of the email to verify it is safe to do so.
If you are unable to contact the sender and aren’t sure of the legitimacy of an email, report is using the PhishAlarm button or by forwarding it to email@example.com.
The 2019/2020 Cybersecurity Challenge wrapped up on September 30 last month. A big congratulations to Stephanie Spencer in Continuing Education! She is the winner of the $250.00 gift certificate to Best Buy! Have fun shopping Stephanie.
The winner of the Golden Superhero Award is once again the Facilities Management team. Congratulations team for an outstanding effort! Here is the gang in their COVID glory,
A huge thank you to everyone who participated! It was the best year ever for the Challenge. That said, this year’s Challenge is shaping up to be a close race. For the first time in three year’s, the Facilities Management team is not in first place and the top four teams are running neck and neck. Who will be the winner next year? Tune in on March 31, 2021 and find out!
With the move to working from home, many of our business processes have changed. For example, documents that we used to save on the J: drive have had to be moved to the Google Drive to ensure everyone has access to them. However unlike the J: drive where everything saved on it is viewable only by your colleagues in your department, the Google Drive allows you to share a single file or a whole folder with anyone. To quote Winston Churchill
Where there is great power there is great responsibility…
It has come to our attention that many of you are struggling with this power. We have found there are many documents sitting in the Google Drive that are viewable by anyone with a Mount Royal email address that really shouldn’t be. Submitted student assignments, job offer letters and lecture recordings are just some of the documents that are viewable by the entire MRU community.
We appreciate that you are doing the best that you can with what you have. We have all been thrown into a working situation that none of us were expecting. In the middle of which, Google decided to change its file sharing dialog box. So even if you were familiar with how to share files, you have had to relearn it. Throw in Shared Drives and it is no wonder so many documents are viewable by the wrong people.
If you have read this far and are thinking, “I know how to share files, I am sure that no one has access to them who shouldn’t”, please take a moment to check the sharing permissions on your files that contain sensitive information. As I said before, Google has changed their Sharing dialog box and we have oodles of sensitive documents that are viewable by the whole campus. You may think that your documents are secured, but they may not be. Don’t assume, check.
If on the other hand you have read this far and tears of frustration are streaming down your face, I come with a message of hope. File sharing is easy once you understand a few key concepts.
The Google Drive is one massive server
When you save or create a document on the Google Drive, you are placing it on a huge server that the whole world has access to. You only see the files and folders that you have been given permission to see. By default that is all the files and folders you create. The same is true for anyone else who uses Google Drive. So when you create or save a document to the Drive, is it unviewable by anyone except you until you share it with someone else.
A document has the same sharing permissions as its folder
When you save or create a document in a folder, it takes on the sharing permissions of the folder. To help you keep track of which folders you have shared and which you haven’t, Google gives you a confirmation dialog box to remind you that the document you are creating in a folder will be shared.
It also gives you one when you move a document to a folder that is shared.
Unfortunately, it does not give you a reminder when you upload a file into a shared folder. How do you remember which folders are shared and which aren’t? It can be confusing. A neat little trick I use is color coding. I color all the shared folders red. That way I can quickly and easily see which folders are viewable by others and which are only viewable by me.
Any folder in the Shared with me section may be viewable by others
When someone shares a document with you, it appears in your Shared with me section of your Google Drive.
Any folders found here were not created by you. If they are shared with you, they likely are shared with other people as well. Before you create or add a file to one of these folders, check its sharing permissions so you know who will be able to access your document.
Documents in Shared Drives may be shared with people who are not members
When Shared Drives first came out, they were called Team Drives and only people who were members of the Team could access the documents. Google has updated this feature. Along with a new name, you can now share folders and files in the Shared Drive with people who are not Team Members. Once again, this makes it challenging to determine which folders are shared with who. Unfortunately you cannot change the color of the folder icon in Shared Drives. Instead, ask all Team Members who create folders to put SHARED in the folder title if it is shared with people outside the Team.
The fewer people that have access to a document, the more secure it will be
Only share a document with the entire Mount Royal community or everyone who has a link, if that document really needs to be accessible by all those people. There is no need to share a contact list with the whole campus when only your department needs access to it. Don’t share a recording of your lecture with the whole campus if only your students need to access it. As soon as you open up document access to a large audience, you start to loose control over its contents. Before you know it, you have people contacting you asking for more information about about a topic that they should have no knowledge of. Keep your documents secured, only share them with those who absolutely must access them.
I hope that this information has cleared up some of the confusion around safely sharing files on Google Drive. For details on how to share files, visit the Google Drive Help webpage.
Welcome to another Cybersecurity Awareness Month (CSAM)!! Although we can’t meet in person, we do have a full list of activities that you can participate in.
Cybersecurity Challenge 2020/2021
The Challenge is back with several improvements. As before, you earn contest entry codes by participating in cybersecurity activities. Each entry gets you one chance to win a $250 Best Buy gift certificate from Cisco Systems Canada. However the contest now runs from October 1, 2020 to March 31, 2021. This should prevent Challenge fatigue while still ensuring everyone has the opportunity to participate.
The teams have also been updated. They are now only 100 members in size. As all the teams are the same size, the leaderboard will display the actual number of entries rather than percentages. Lastly, the sharing of codes officially became against the rules. If you don’t participate and enter a code, you will be disqualified from the Challenge.
Virtual Treasure Hunt
To replace our Hack the Room activity, we have a virtual treasure hunt. Bluebeard has hidden a chest full of crypto currency. Solve the clues, collect contest entry codes and find the treasure. Everyone who finds the treasure is entered into a draw for a $100 Amazon gift certificate courtesy of WBM Technologies.
The Cybercrime Series
Come join us for tales of cyberhorror. The Cybercrime Series looks at cybernightmares and how to prevent them. We have two scheduled for October.
- Cybersecurity: Are our graduates ready for the new economy? – Angele McAllister
- The Cybersecurity Monster Manual: Stopping things that go “hack” in the night – Michael McDonnell
Double codes for completing training in October
To encourage you to complete your cybersecurity training, we are offering two contest entry codes for completing your training this month.
Our regular activities
Keep an eye out for our regular activities as well. Participating in them earns you contest entry codes for the Challenge. You can subscribe to the newsletter, show off your cybersecurity sticker, join us in the Cybercafe or complete your training.
Who would have thought that 2020 would have everyone who can, working and taking classes from home? In a few short weeks we had to find a workspace, navigate chaos at home and learn a whole new set of skills. In the shuffle, it is easy to have work/school seep into our home life and vice versa. While it is normal to have this happen occasionally, as a general rule you should make sure you are using your email accounts appropriately. Here are a couple of tips that will help you sort through the work/school/home mess.
Use your MRU email only for work/school purposes
While this was a good idea before the pandemic, it is even more important now. Criminals know our home networks don’t have all the security bells and whistles that are on our corporate networks. Attacks are on the rise as they look for vulnerabilities. One of those is using your MRU email for personal purposes.
The more places you use your MRU email address the greater the chances you are going to reuse passwords and expose yourself to credential stuffing. As we are notified when your MRU email address has been used for a login credential of a breached account provider, we sometimes find out more about your personal life than we would like. Save us both the risk and embarrassment. If an account is for personal use, use your personal email address for your username.
Don’t use your personal email address for work/school
Since we have begun working at home, it feels like I have responded to 55.1 requests to view Google documents. The requests have come for quick reference guides, user manuals, registration forms, you name it. Every time I have had to reply with…
This document is only viewable by those with a Mount Royal email address. Please login to your Mount Royal email to access the document.
It gets mighty tiresome. I don’t know who the requester is unless they use their Mount Royal email address. For that reason, I do not grant non MRU email addresses access to documents. Everyone on campus should be following this protocol.
As important as it is to use your work email address to access documents, it is even more important for attending Google Meetings. Don’t make your meeting host guess who you are or whether you should be attending. Make it clear you are supposed to be participating by using your Mount Royal email address.
When you must use your MRU email address
To access some accounts, you must use your Mount Royal email address as a username. In these instances it is especially important to use a unique password. It prevents criminals from gaining access to your email by using a password that they have stolen from another account provider.
By following these simple rules you will decrease your vulnerability to cyberattacks, protect your privacy and make your colleagues, instructors and students lives easier. Happy days for everyone!