The Information Security Office recently became aware of the reemergence of a malware distribution network previously taken down by law enforcement. This phishing email may look like a reply from a previous familiar email chain. This malicious phishing email uses three types of email attachments to install malware. These attachments include: Microsoft Excel spreadsheets Microsoft […]
Michael Mayer is an Information Security Analyst II working in Governance, Risk, and Compliance. This part of our office is a critical component of our information security posture. Michael cooperates with researchers and other university offices in support of safe and ethical research. He works with the Institutional Review Board to evaluate security requirements for […]
Members of the WashU community are receiving phishing emails impersonating university leadership, including Chancellor Martin and Dean Perlmutter. These messages request changes to direct deposit information due to suspicious activity. Phishing scams often impersonate people in leadership positions to encourage a heightened sense of urgency in the recipient. Additionally, information about leaders is publicly available […]
We’re on the last leg of our road trip, but our cybersecurity adventure is far from over. The WashU Office of Information Security will always be your trusty navigator and loyal travel companion on the Road to Cybersecurity. We’ll help you steer through the twists and turns of the road ahead and give you a […]
A little before 5 a.m. on May 7th, 2021, an employee at the Colonial Pipeline noticed a ransom note on their computer demanding cryptocurrency. This employee followed the company’s policies and procedures and immediately reported the situation. The Colonial Pipeline attack might be one of the largest and most impactful cyberattacks in history. It started when […]
To wrap up another successful Cybersecurity Awareness Month, we invite you to show us what you know by entering our Test Your Knowledge Competition. Complete this activity to test what you know and receive an entry for one of several Bear Bucks awards. Prizes Grand Prize: $500 BearBucks credit. Additonal Prizes: $250 BearBucks credits. Don’t […]
On October 20th, CISO Chris Shull and WashU Computer Science Major Skylar Fong cooperated to run a webinar discussing Careers in Cybersecurity. Dozens of students participated in the evening event. Chris Shull offered valuable insights about the interdisciplinary nature of cybersecurity and the qualities that he looks for in a prospective new hire. Skylar shared […]
Bonus Scam of the Month On Father’s Day, 2021, Jaime Bardacke, a licensed clinical social worker in San Fransisco, received a phone call from a man who identified himself as Lt. Timothy Reid of the San Mateo County Sheriff’s Office. Initially, Bardacke was not surprised by the call. She had dealt with legal issues involving […]
Attackers continuously adjust their tactics to circumvent our defensive strategies, using new methods to access our systems, data, and personal information. Even as attackers develop new scams, one element seems to carry on—impersonation. Our office frequently publishes about impersonation because it forms the basis of most phishing attempts. Often, attackers impersonate a high-ranking employee in […]
Betsy Ball is a highly experienced IT professional with more than 30 years of experience, including work in user support as well as server, network, and firewall administration. In her role at WashU, she serves as an Information Security Architect, working with the Risk Assessment team on IT infrastructure assessment and supporting the Cybersecurity Maturity […]
This week, read about how the employees of FireEye and SolarWinds responded to a hack and where a timely verification would have changed the outcome. The SolarWinds hack was first spotted by someone at FireEye, a cybersecurity company. A staff member noticed that an employee signed in using their username and password but a new […]
Thank you for your interest in our student prize competition! Use the Phish Alert Button (PAB) to report phishing attempts for your chance to win! To participate, register here by November 3rd: https://wustl.az1.qualtrics.com/jfe/form/SV_7418aAb5ROape6i Additional Resources from Webinar Slide deck Event Recording Using the Phish Alert Button About the KnowBe4 Program
Ransomware is a specific category of malware that causes harm to the computer and the computer system. The U.S. Cybersecurity and Infrastructure Security Agency defines ransomware as “an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.” The threat actors (hackers) behind […]
Organizations have been a driving force behind cybersecurity awareness and training. It’s more important than ever to be up to date with cybersecurity knowledge so that attacks don’t happen on your watch. In these special edition Cybersecurity Awareness Month articles, you’ll read about damaging attacks that happened in 2021 — and how employee actions changed […]
To defend ourselves against cybercrime, we cannot rely on technology alone. Cybercriminals constantly try different attack strategies, attempting to confuse, surprise, and manipulate their targets. Phishing emails are the most common attack strategy, and these messages are subject to the limitless creativity of their criminal authors. As a result, even state-of-the-art technology cannot perfectly detect […]
Cybersecurity Awareness Month is here! Cybersecurity Awareness Month is a global effort to help everyone stay protected whenever and however they connect. The Office of Information Security is proud to be a Cybersecurity Awareness Champion, supporting online safety throughout the year. We’re here to help every member of our community gain the knowledge and tools […]
On Tuesday, October 19 and Tuesday, October 26, Operations & Facilities Management Department, the Office of Sustainability, WashU Office of Information Security, and BJC Information Security are teaming up to bring the WashU community e-waste recycling and confidential paper shredding services. All are welcome to bring accepted items to the collection drive. All confidential papers and hard drives […]
Zero-Click Security Threat Earlier this month, the Office of Information Security published an alert about “zero-click” spyware. Typical cyberattacks require the target to interact in some way with malicious content by clicking on a link or downloading an attachment from an unknown sender. Zero-click attacks do not require this sort of engagement. According to the interim […]
Denise Woodward is an Information Security Manager in Governance, Risk, and Compliance for our Office of Information Security. She has 27 years of experience in IT, 22 of which are in information security. She got her start in information security working on the Help Desk of A.G. Edwards & Sons and has enjoyed solving problems […]
The Washington University Office of Information Security (OIS) supports education, research, and clinical care by protecting systems and data for everyone at our institution. Security threats today are constantly changing as cybercriminals try new tactics to steal and hold ransom user and institutional data. To adapt to changes in the information security landscape, the OIS […]
Apple recently released a critical software update for all Apple devices designated iOS 14.8, macOS Big Sur 11.6, and watchOS 7.6.2. Apple issued these emergency updates in response to reports that “zero-click” spyware has been discovered on their devices. Users can update their own devices using the following steps (please note that download times may […]
By Harrison Stites. In the last issue of SECURED, Chris Shull, Chief Information Security Officer, wrote about the importance of passwords. Specifically, Chris emphasized using unique and long passwords for each login to prevent hackers from accessing your accounts. However, for most users, remembering long, unique passwords is not feasible. Today, we will describe the tactics […]
By Harrison Stites. The Office of Information Security wishes everyone a safe and productive return to the classroom. In support of your return, we want to remind you of a few simple but important security strategies that you can use to protect yourself and your data. Back-Up Devices Back up your devices and accounts to prevent […]
By Harrison Stites. The internet provides a platform for anyone to share information, and legitimate news must fight through the noise of misinformation to reach readers. Misinformation is false or misleading information created by actors with malicious intent. It is especially dangerous when readers fail to detect its illegitimacy and perpetuate it by sharing it on social […]
The Office of Information Security has received reports of a SMiShing campaign targeting students at our institution. SMiShing occurs when cybercriminals use tactics common to phishing campaigns in text messages, attempting to communicate legitimacy to the unsuspecting victim. The reported SMiShing attempt is posted below. The message sender is posing as someone in a position […]
Kevin Hardcastle, a long-time leader in information security has been instrumental in keeping WashU secure. Kevin was first drawn to IT while studying at Missouri State, where he received a bachelor’s degree in computer information systems. He has 36 years of experience in information technology, including 21 years of experience in information security. He began […]
The Office of Information Security has received reports of a SMiShing campaign targeting students at our institution. SMiShing occurs when cybercriminals use tactics common to phishing campaigns in text messages, attempting to communicate legitimacy to the unsuspecting victim. The reported SMiShing attempt is posted below. The message sender is posing as someone in a position […]
Washington University recently adopted Workday, a cloud-based software system for managing finances, human resources, and planning. The new system provides a single, integrated system for managing multiple facets of daily operations at WashU. WashU takes the security of your data and our systems seriously. Therefore, the system that we use to manage sensitive information such […]
By Harrison Stites According to IC3, an FBI subsidiary, 241,342 Americans were victims of successful phishing attacks in 2020. The tactics used in phishing continue to evolve with the intent of getting you to divulge sensitive information or download malicious attachments. However, you already possess the skills to prevent phishing attacks and stay safe online. […]
Institutions such as Washington University have incredible data storage and transfer needs. Members of our community are continuously engaged in research, teaching, and patient care, producing large quantities of data that need secure storage as well as accessibility. Further, the COVID-19 remote-work era has demonstrated the need for file access from multiple devices, in multiple […]
Email phishing has long been the method of choice for many cybercriminals who seek to exploit vulnerabilities for personal gain. These attacks are continually revised and refreshed to take advantage of current trends and new strategies used to socially engineer their victims. Phishing works so well because it takes advantage of human emotion, convincing unsuspecting […]
Before we get to our Scam of the Month for July, we wanted to take a minute to say thanks to one of our readers who took the time to reach out and provide some additional clues from last month’s column. Here is a link to our post from last month: https://informationsecurity.wustl.edu/scam-of-the-month-june-2021/ Our reader points out […]
This month, we met with Joe Susai, WUSM CISO, to learn more about what he does at WashU and his background. Please read on for our questions and his answers. What is your role at WashU? I am responsible for all aspects of information security practice and programming for Washington University School of Medicine’s clinical, […]
After more than a year of remote work and learning, summer vacation is calling, and families are ready to roam! According to the American Automobile Association (AAA), more than 47.7 million Americans will travel this Independence Day (July 1-5) ( Hall 2021 ), a 40% increase in travel volume over last year. Most travelers (43.6 […]
Washington University will soon adopt Workday, a cloud-based software system for managing finances, human resources, and planning. The new system provides a single, integrated system for managing multiple facets of daily operations at WashU. Background WashU takes the security of your data and our systems seriously. Therefore, the system that we use to manage sensitive […]
On June 1, 2021, Chris Shull assumed the role of Chief Information Security Officer (CISO) for Washington University in St. Louis. He comes to WashU from Huron Consulting Group, which is working on several other projects at WashU. Chris has joined Joe Susai, the CISO for the School of Medicine, and Kevin Hardcastle, Associate CISO […]
In each issue of the newsletter, we will feature, discuss, and dissect a scam that has appeared on our campus. These scams are “real” attempts to infiltrate our systems and/or gain access to sensitive and personal information of individuals in our community. By sharing these examples with our readers, we hope to enhance your awareness […]
Educational institutions such as WashU are prime targets for cybercriminals who use ever-evolving tactics to infiltrate systems, steal data, block access, and demand ransoms under the threat that they will publish sensitive data online. Universities operating medical centers are especially vulnerable, as they manage large amounts of sensitive patient health data. According to the Ponemon Institute, […]
Phishing, the practice of sending fraudulent emails in order to induce recipients into surrendering private information and login credentials, is the single most common type of cybercrime today. According to a recent report by the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3), nearly one-third of complaints received in 2020 were about various forms […]
Device security is essential for protecting your privacy and data. Sound device security involves using features built into your devices, such as setting a passcode or adjusting privacy settings and protecting the physical security of the device itself. Devices are valuable and are enticing to opportunistic passersby, whether they are after the device itself or […]
On Tuesday, April 20 and Tuesday, April 27, the Office of Sustainability and the Office of Information Security will be hosting e-waste recycling drives and confidential paper shredding services at the Danforth Campus and School of Medicine, respectively. Visitor restrictions related to COVID-19 health and safety require these events to be restricted to our campus […]
The Internal Revenue Service (IRS) issued a warning today (Tuesday, March 30, 2021) about an ongoing impersonation scam targeting educational institutions. Faculty, students and staff with email addresses ending in .edu are primary targets for this scam. How this Scam Works This criminal scam attempts to capture personal information from recipients by prompting them to […]
The Office of Information Security received a reported phishing message that contains a dangerous credential phishing scam. This malicious email states that there is a document available in OneDrive, but that the recipient will need to follow a link in the email to sign in and see it. Unsuspecting victims who type their credentials into […]
Adapted from Tara Schaufler/EDUCAUSE I admit it. I was hesitant and fearful of using a password manager. But then my employer purchased password management software and asked me to introduce it to our organization. What a conundrum! I had avoided using the software up until this time. But why? Honestly, I did not trust that […]
Most of us rely heavily on our computers and personal devices to do our jobs, shop for our households, navigate unfamiliar roads, communicate with others, and myriad other tasks. Today, we may take this continuous access to the Internet as a given, hopping on and off networks as we move through the world, allowing location […]
Tax season is here again, and as always, that means internet scammers are looking for openings to take advantage of heightened online traffic. According to IRS Commissioner Chuck Rettig, “This is generally the hunting season for online thieves, but this year there’s a dangerous combination of factors at play that should make people more alert” […]
Our office received a report of a vishing (fraudulent phone call) attack targeting a WashU student. In the attack, the caller claimed that the student’s social security number had been associated with overseas drug-trafficking activity. Another popular Vishing campaign involves impersonating support personnel from companies like Apple or Amazon. In this scam, the attackers call […]
This free, one-day seminar will bring you up-to-speed on the new, government-mandated research data (Controlled Unclassified Information – CUI) cybersecurity requirements. The new requirements reach beyond IT cybersecurity by requiring processes, procedures, and documentation throughout any part of our organization that provides resources for the regulated Department of Defense (DoD) research. Follow this link to […]
Adapted from Ken Ries (CISO UW-River Falls) for EDUCAUSE. Did you buy new tech for the holidays? Read the terms and conditions. As the chief information security officer for the University of Wisconsin (UW)-River Falls and UW-Stout, I have been asked to review an increasing number of web and mobile applications (from an information security […]