Employee Follows Policy to Report Colonial Pipeline Attack

A little before 5 a.m. on May 7th, 2021, an employee at the Colonial Pipeline noticed a ransom note on their computer demanding cryptocurrency. This employee followed the company’s policies and procedures and immediately reported the situation. The Colonial Pipeline attack might be one of the largest and most impactful cyberattacks in history. It started when […]

Test Your Knowledge Competition

Bear Bucks Logo

To wrap up another successful Cybersecurity Awareness Month, we invite you to show us what you know by entering our Test Your Knowledge Competition.  Complete this activity to test what you know and receive an entry for one of several Bear Bucks awards.  Prizes Grand Prize: $500 BearBucks credit. Additonal Prizes: $250 BearBucks credits. Don’t […]

Enter Our Student Prize Competition

On October 20th, CISO Chris Shull and WashU Computer Science Major Skylar Fong cooperated to run a webinar discussing Careers in Cybersecurity. Dozens of students participated in the evening event. Chris Shull offered valuable insights about the interdisciplinary nature of cybersecurity and the qualities that he looks for in a prospective new hire. Skylar shared […]

He Held Her Hostage with His Words

Bonus Scam of the Month  On Father’s Day, 2021, Jaime Bardacke, a licensed clinical social worker in San Fransisco, received a phone call from a man who identified himself as Lt. Timothy Reid of the San Mateo County Sheriff’s Office. Initially, Bardacke was not surprised by the call. She had dealt with legal issues involving […]

Scam of the Month: DocuSign Phishing

Example of DocuSign Phish

Attackers continuously adjust their tactics to circumvent our defensive strategies, using new methods to access our systems, data, and personal information. Even as attackers develop new scams, one element seems to carry on—impersonation. Our office frequently publishes about impersonation because it forms the basis of most phishing attempts. Often, attackers impersonate a high-ranking employee in […]

Meet Your InfoSec Team: Betsy Ball, Information Security Architect

Betsy Ball InfoSec Architect Headshot

Betsy Ball is a highly experienced IT professional with more than 30 years of experience, including work in user support as well as server, network, and firewall administration. In her role at WashU, she serves as an Information Security Architect, working with the Risk Assessment team on IT infrastructure assessment and supporting the Cybersecurity Maturity […]

Verify and Report

Graphic encouraging users to verify communications.

This week, read about how the employees of FireEye and SolarWinds responded to a hack and where a timely verification would have changed the outcome. The SolarWinds hack was first spotted by someone at FireEye, a cybersecurity company. A staff member noticed that an employee signed in using their username and password but a new […]

Student Prize Competition 2021

Thank you for your interest in our student prize competition! Use the Phish Alert Button (PAB) to report phishing attempts for your chance to win! To participate, register here by November 3rd: https://wustl.az1.qualtrics.com/jfe/form/SV_7418aAb5ROape6i Additional Resources from Webinar Slide deck Event Recording Using the Phish Alert Button About the KnowBe4 Program

The Race Against Ransomware

Be suspicious infographic

Ransomware is a specific category of malware that causes harm to the computer and the computer system. The U.S. Cybersecurity and Infrastructure Security Agency defines ransomware as “an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.” The threat actors (hackers) behind […]

Cyberattacks are speeding up

Go Slow Infographic

Organizations have been a driving force behind cybersecurity awareness and training. It’s more important than ever to be up to date with cybersecurity knowledge so that attacks don’t happen on your watch.  In these special edition Cybersecurity Awareness Month articles, you’ll read about damaging attacks that happened in 2021 — and how employee actions changed […]

Cybercrime and Human Intelligence

Restricted Intelligence Video Still

To defend ourselves against cybercrime, we cannot rely on technology alone. Cybercriminals constantly try different attack strategies, attempting to confuse, surprise, and manipulate their targets. Phishing emails are the most common attack strategy, and these messages are subject to the limitless creativity of their criminal authors. As a result, even state-of-the-art technology cannot perfectly detect […]

October is Cybersecurity Awareness Month

Road to Security

Cybersecurity Awareness Month is here!  Cybersecurity Awareness Month is a global effort to help everyone stay protected whenever and however they connect. The Office of Information Security is proud to be a Cybersecurity Awareness Champion, supporting online safety throughout the year. We’re here to help every member of our community gain the knowledge and tools […]

SHRED-IT: Electronic Waste & Paper Shredding Drives

On Tuesday, October 19 and Tuesday, October 26, Operations & Facilities Management Department, the Office of Sustainability, WashU Office of Information Security, and BJC Information Security are teaming up to bring the WashU community e-waste recycling and confidential paper shredding services. All are welcome to bring accepted items to the collection drive. All confidential papers and hard drives […]

Scam of the Month—September 2021

Eavesdropping

Zero-Click Security Threat Earlier this month, the Office of Information Security published an alert about “zero-click” spyware. Typical cyberattacks require the target to interact in some way with malicious content by clicking on a link or downloading an attachment from an unknown sender. Zero-click attacks do not require this sort of engagement. According to the interim […]

Meet Your InfoSec Team: Denise Woodward, Information Security Manager

Denise Woodward is an Information Security Manager in Governance, Risk, and Compliance for our Office of Information Security. She has 27 years of experience in IT, 22 of which are in information security. She got her start in information security working on the Help Desk of A.G. Edwards & Sons and has enjoyed solving problems […]

Revised and Updated Policies 2021

The Washington University Office of Information Security (OIS) supports education, research, and clinical care by protecting systems and data for everyone at our institution. Security threats today are constantly changing as cybercriminals try new tactics to steal and hold ransom user and institutional data. To adapt to changes in the information security landscape, the OIS […]

InfoSec Alert: Critical Security Updates for Apple Devices

Apple recently released a critical software update for all Apple devices designated iOS 14.8, macOS Big Sur 11.6, and watchOS 7.6.2. Apple issued these emergency updates in response to reports that “zero-click” spyware has been discovered on their devices.  Users can update their own devices using the following steps (please note that download times may […]

Get Inside the Hacker Mindset to Create Stronger Passwords

By Harrison Stites. In the last issue of SECURED, Chris Shull, Chief Information Security Officer, wrote about the importance of passwords. Specifically, Chris emphasized using unique and long passwords for each login to prevent hackers from accessing your accounts. However, for most users, remembering long, unique passwords is not feasible. Today, we will describe the tactics […]

Safety Tips for Back to School (Poster/Graphic)

By Harrison Stites. The Office of Information Security wishes everyone a safe and productive return to the classroom. In support of your return, we want to remind you of a few simple but important security strategies that you can use to protect yourself and your data.  Back-Up Devices Back up your devices and accounts to prevent […]

Protect Yourself from Misinformation

By Harrison Stites. The internet provides a platform for anyone to share information, and legitimate news must fight through the noise of misinformation to reach readers.  Misinformation is false or misleading information created by actors with malicious intent. It is especially dangerous when readers fail to detect its illegitimacy and perpetuate it by sharing it on social […]

Scam of the Month—August 2021

SMiSh Example

The Office of Information Security has received reports of a SMiShing campaign targeting students at our institution. SMiShing occurs when cybercriminals use tactics common to phishing campaigns in text messages, attempting to communicate legitimacy to the unsuspecting victim.  The reported SMiShing attempt is posted below. The message sender is posing as someone in a position […]

Meet Your InfoSec Team: Kevin Hardcastle, WashU Associate CISO

Kevin Hardcastle, a long-time leader in information security has been instrumental in keeping WashU secure. Kevin was first drawn to IT while studying at Missouri State, where he received a bachelor’s degree in computer information systems. He has 36 years of experience in information technology, including 21 years of experience in information security. He began […]

InfoSec Alert: SMiShing Detected on Campus

The Office of Information Security has received reports of a SMiShing campaign targeting students at our institution. SMiShing occurs when cybercriminals use tactics common to phishing campaigns in text messages, attempting to communicate legitimacy to the unsuspecting victim. The reported SMiShing attempt is posted below. The message sender is posing as someone in a position […]

Workday Security

Washington University recently adopted Workday, a cloud-based software system for managing finances, human resources, and planning. The new system provides a single, integrated system for managing multiple facets of daily operations at WashU.  WashU takes the security of your data and our systems seriously. Therefore, the system that we use to manage sensitive information such […]

How to use your source-checking skills to stay safe from phishing

By Harrison Stites According to IC3, an FBI subsidiary, 241,342 Americans were victims of successful phishing attacks in 2020. The tactics used in phishing continue to evolve with the intent of getting you to divulge sensitive information or download malicious attachments. However, you already possess the skills to prevent phishing attacks and stay safe online. […]

Save, Secure, and Share with Box and OneDrive

Institutions such as Washington University have incredible data storage and transfer needs. Members of our community are continuously engaged in research, teaching, and patient care, producing large quantities of data that need secure storage as well as accessibility. Further, the COVID-19 remote-work era has demonstrated the need for file access from multiple devices, in multiple […]

Phishing 101

Email phishing has long been the method of choice for many cybercriminals who seek to exploit vulnerabilities for personal gain. These attacks are continually revised and refreshed to take advantage of current trends and new strategies used to socially engineer their victims.  Phishing works so well because it takes advantage of human emotion, convincing unsuspecting […]

Scam of the Month—July 2021

Before we get to our Scam of the Month for July, we wanted to take a minute to say thanks to one of our readers who took the time to reach out and provide some additional clues from last month’s column. Here is a link to our post from last month: https://informationsecurity.wustl.edu/scam-of-the-month-june-2021/ Our reader points out […]

Don’t Let Digital Highwaymen Spoil Your Summer Adventures

Highwayman Robbing Coach Sketch

After more than a year of remote work and learning, summer vacation is calling, and families are ready to roam! According to the American Automobile Association (AAA), more than 47.7 million Americans will travel this Independence Day (July 1-5) ( Hall 2021 ), a 40% increase in travel volume over last year. Most travelers (43.6 […]

Avoiding Workday Phishing Scams

Washington University will soon adopt Workday, a cloud-based software system for managing finances, human resources, and planning. The new system provides a single, integrated system for managing multiple facets of daily operations at WashU. Background WashU takes the security of your data and our systems seriously. Therefore, the system that we use to manage sensitive […]

Meet Your Infosec Team: Chief Information Security Officer, Chris Shull

On June 1, 2021, Chris Shull assumed the role of Chief Information Security Officer (CISO) for Washington University in St. Louis. He comes to WashU from Huron Consulting Group, which is working on several other projects at WashU. Chris has joined Joe Susai, the CISO for the School of Medicine, and Kevin Hardcastle, Associate CISO […]

Scam of the Month—June 2021

In each issue of the newsletter, we will feature, discuss, and dissect a scam that has appeared on our campus. These scams are “real” attempts to infiltrate our systems and/or gain access to sensitive and personal information of individuals in our community. By sharing these examples with our readers, we hope to enhance your awareness […]

The Office of Information Security (OIS) is Your Ally in the Cybercrime Arms Race

Educational institutions such as WashU are prime targets for cybercriminals who use ever-evolving tactics to infiltrate systems, steal data, block access, and demand ransoms under the threat that they will publish sensitive data online. Universities operating medical centers are especially vulnerable, as they manage large amounts of sensitive patient health data. According to the Ponemon Institute, […]

Social Engineering Red Flags

Phishing, the practice of sending fraudulent emails in order to induce recipients into surrendering private information and login credentials, is the single most common type of cybercrime today. According to a recent report by the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3), nearly one-third of complaints received in 2020 were about various forms […]

Updated Device Security Guidance and Best Practices

Device security is essential for protecting your privacy and data. Sound device security involves using features built into your devices, such as setting a passcode or adjusting privacy settings and protecting the physical security of the device itself. Devices are valuable and are enticing to opportunistic passersby, whether they are after the device itself or […]

SHRED IT: E-Waste Recycling and Paper Shredding Events

On Tuesday, April 20 and Tuesday, April 27, the Office of Sustainability and the Office of Information Security will be hosting e-waste recycling drives and confidential paper shredding services at the Danforth Campus and School of Medicine, respectively.  Visitor restrictions related to COVID-19 health and safety require these events to be restricted to our campus […]

Phishing Alert: Tax Scam Targeting Educational Institutions

The Internal Revenue Service (IRS) issued a warning today (Tuesday, March 30, 2021) about an ongoing impersonation scam targeting educational institutions. Faculty, students and staff with email addresses ending in .edu are primary targets for this scam. How this Scam Works This criminal scam attempts to capture personal information from recipients by prompting them to […]

Phishing Alert: Credential Phishing Detected on Campus

The Office of Information Security received a reported phishing message that contains a dangerous credential phishing scam. This malicious email states that there is a document available in OneDrive, but that the recipient will need to follow a link in the email to sign in and see it. Unsuspecting victims who type their credentials into […]

The Magical World of Password Managers

Adapted from Tara Schaufler/EDUCAUSE I admit it. I was hesitant and fearful of using a password manager. But then my employer purchased password management software and asked me to introduce it to our organization. What a conundrum! I had avoided using the software up until this time. But why? Honestly, I did not trust that […]

Security Guides for iOS/macOS Posted, WIN and Android Coming Soon

Most of us rely heavily on our computers and personal devices to do our jobs, shop for our households, navigate unfamiliar roads, communicate with others, and myriad other tasks. Today, we may take this continuous access to the Internet as a given, hopping on and off networks as we move through the world, allowing location […]

Keep Your Information Secure This Tax Season

Tax season is here again, and as always, that means internet scammers are looking for openings to take advantage of heightened online traffic. According to IRS Commissioner Chuck Rettig, “This is generally the hunting season for online thieves, but this year there’s a dangerous combination of factors at play that should make people more alert” […]

INFOSEC ALERT: Social Security Vishing on Campus

Our office received a report of a vishing (fraudulent phone call) attack targeting a WashU student. In the attack, the caller claimed that the student’s social security number had been associated with overseas drug-trafficking activity.  Another popular Vishing campaign involves impersonating support personnel from companies like Apple or Amazon. In this scam, the attackers call […]

Seminar – Securing Research Data Compliance CMMC/NIST 800-171

This free, one-day seminar will bring you up-to-speed on the new, government-mandated research data (Controlled Unclassified Information – CUI) cybersecurity requirements. The new requirements reach beyond IT cybersecurity by requiring processes, procedures, and documentation throughout any part of our organization that provides resources for the regulated Department of Defense (DoD) research. Follow this link to […]

The Importance of Risk Assessment When Reading Terms and Conditions

Adapted from Ken Ries (CISO UW-River Falls) for EDUCAUSE. Did you buy new tech for the holidays? Read the terms and conditions. As the chief information security officer for the University of Wisconsin (UW)-River Falls and UW-Stout, I have been asked to review an increasing number of web and mobile applications (from an information security […]

Device Security for the Entire Family

The holiday season is here! As we prepare our hearths and homes to celebrate the holidays with friends and family, we sense that this season will be different. According to the National Retail Federation (https://nrf.com/media-center/press-releases/nrf-expects-holiday-sales-will-grow-between-36-and-52-percent ), online sales are expected to grow by at least 30% this year, adapting to the constraints of a pandemic […]

Top Phishing Threats Last Year: Impersonation and Credential Phishing

The Office of Information Security works diligently to protect our institution from phishing threats. Ultimately, however, our shared security depends on your vigilance. You can protect yourself by avoiding engagement with phishing attempts, and you can help protect all of us by swiftly reporting these threats to our office. When you report a phishing attempt, […]

KringleCon Holiday Hack Challenge 2020

For more than a decade, SANS has offered a free Holiday Hacking Challenge. In 2018, the challenge was dubbed “KringleCon.” WUIT personnel banded together to join the challenge in 2019. Working in their spare time, they ventured deep into the mystery of KringleCon. Alas, they did not make it to the end. This year, the […]

Thank You for Participating in Cybersecurity Awareness Month 2020

The Office of Information Security extends its gratitude to the faculty, staff, and students who participated in the events and activities of Cybersecurity Awareness Month 2020! During the month of October, we hosted a slate of webinars and presentations to help our community stay informed and empowered in the digital era. This year, our program […]