Have a Happy (and Secure) Thanksgiving

Turkeys Photo

People across America are preparing to travel over the river and through the wood, visiting friends and family for Thanksgiving. The American Automobile Association predicts more than 53 million people will travel for Thanksgiving this year, an increase of 13% from 2020 and the most significant single-year increase since 2005. Many of us are eager […]

Online Holiday Shopping Scams

Black Friday Shopping Dog

Winter-holiday shopping of yesteryear kicked off with the deep discounts and early-bird specials of Black Friday, a retail frenzy on the day after Thanksgiving. Traditionally, shoppers forwent their post-feast dreams, waking early to await doorbuster sales at their favorite retailers. Today, shoppers avoid the crowd, line, and occasional brawl by shopping online. The move to […]

Last Chance for Prizes and Cybersecurity Awareness Month 2021 Recap

Bear Bucks Logo

Cybersecurity Awareness Month 2021 is in the rearview mirror! This year, we set out on the Road to Cybersecurity together. We hosted several events, sent out weekly security tips, and published a great newsletter full of original content authored by WashU’s information security staff. Competitions Our Cybersecurity Awareness Month competitions are always popular. In 2020, […]

Easy Security with WUSTL ONE and WashU’s DocuSign

DocuSign Email

Last month, we published an article about a common tactic that uses fake DocuSign emails to trick users into handing over personal information. This month, we take a closer look at the process using WashU’s enterprise (i.e., university-provided) DocuSign service. When you receive a DocuSign request from a WashU sender, you will receive an email […]

Bonus Scam of the Month: Emotet Attachment Scam

Emotet Macro Image

The Information Security Office recently became aware of the reemergence of a malware distribution network previously taken down by law enforcement. This phishing email may look like a reply from a previous familiar email chain. This malicious phishing email uses three types of email attachments to install malware. These attachments include: Microsoft Excel spreadsheets Microsoft […]

Meet Your InfoSec Team: Michael Mayer, Information Security Analyst

Michael Mayer InfoSec Analyst

Michael Mayer is an Information Security Analyst II working in Governance, Risk, and Compliance. This part of our office is a critical component of our information security posture. Michael cooperates with researchers and other university offices in support of safe and ethical research. He works with the Institutional Review Board to evaluate security requirements for […]

Scam of the Month: Direct Deposit Phishing Scam Impersonating University Leadership

Chanc Impersonation Direct Deposit Phish

Members of the WashU community are receiving phishing emails impersonating university leadership, including Chancellor Martin and Dean Perlmutter. These messages request changes to direct deposit information due to suspicious activity.  Phishing scams often impersonate people in leadership positions to encourage a heightened sense of urgency in the recipient. Additionally, information about leaders is publicly available […]

Keeping Information Security Simple – Backup, Backup, Backup

Letter from the CISO, Vol 1 Issue 5 Washington University Community: Many years ago, a respected colleague told me that for her, the ultimate security was knowing that she could get her data back if something bad happened. This was a bit of a shock to me, as I was young and inexperienced enough to […]

Know the Rules of the Road

Reporting Graphic

We’re on the last leg of our road trip, but our cybersecurity adventure is far from over. The WashU Office of Information Security will always be your trusty navigator and loyal travel companion on the Road to Cybersecurity. We’ll help you steer through the twists and turns of the road ahead and give you a […]

Employee Follows Policy to Report Colonial Pipeline Attack

A little before 5 a.m. on May 7th, 2021, an employee at the Colonial Pipeline noticed a ransom note on their computer demanding cryptocurrency. This employee followed the company’s policies and procedures and immediately reported the situation. The Colonial Pipeline attack might be one of the largest and most impactful cyberattacks in history. It started when […]

Test Your Knowledge Competition

Bear Bucks Logo

To wrap up another successful Cybersecurity Awareness Month, we invite you to show us what you know by entering our Test Your Knowledge Competition.  Complete this activity to test what you know and receive an entry for one of several Bear Bucks awards.  Prizes Grand Prize: $500 BearBucks credit. Additonal Prizes: $250 BearBucks credits. Don’t […]

Enter Our Student Prize Competition

On October 20th, CISO Chris Shull and WashU Computer Science Major Skylar Fong cooperated to run a webinar discussing Careers in Cybersecurity. Dozens of students participated in the evening event. Chris Shull offered valuable insights about the interdisciplinary nature of cybersecurity and the qualities that he looks for in a prospective new hire. Skylar shared […]

He Held Her Hostage with His Words

Bonus Scam of the Month  On Father’s Day, 2021, Jaime Bardacke, a licensed clinical social worker in San Fransisco, received a phone call from a man who identified himself as Lt. Timothy Reid of the San Mateo County Sheriff’s Office. Initially, Bardacke was not surprised by the call. She had dealt with legal issues involving […]

Scam of the Month: DocuSign Phishing

Example of DocuSign Phish

Attackers continuously adjust their tactics to circumvent our defensive strategies, using new methods to access our systems, data, and personal information. Even as attackers develop new scams, one element seems to carry on—impersonation. Our office frequently publishes about impersonation because it forms the basis of most phishing attempts. Often, attackers impersonate a high-ranking employee in […]

Meet Your InfoSec Team: Betsy Ball, Information Security Architect

Betsy Ball InfoSec Architect Headshot

Betsy Ball is a highly experienced IT professional with more than 30 years of experience, including work in user support as well as server, network, and firewall administration. In her role at WashU, she serves as an Information Security Architect, working with the Risk Assessment team on IT infrastructure assessment and supporting the Cybersecurity Maturity […]

Verify and Report

Graphic encouraging users to verify communications.

This week, read about how the employees of FireEye and SolarWinds responded to a hack and where a timely verification would have changed the outcome. The SolarWinds hack was first spotted by someone at FireEye, a cybersecurity company. A staff member noticed that an employee signed in using their username and password but a new […]

Student Prize Competition 2021

Thank you for your interest in our student prize competition! Use the Phish Alert Button (PAB) to report phishing attempts for your chance to win! To participate, register here by November 3rd: https://wustl.az1.qualtrics.com/jfe/form/SV_7418aAb5ROape6i Additional Resources from Webinar Slide deck Event Recording Using the Phish Alert Button About the KnowBe4 Program

The Race Against Ransomware

Be suspicious infographic

Ransomware is a specific category of malware that causes harm to the computer and the computer system. The U.S. Cybersecurity and Infrastructure Security Agency defines ransomware as “an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.” The threat actors (hackers) behind […]

Cyberattacks are speeding up

Go Slow Infographic

Organizations have been a driving force behind cybersecurity awareness and training. It’s more important than ever to be up to date with cybersecurity knowledge so that attacks don’t happen on your watch.  In these special edition Cybersecurity Awareness Month articles, you’ll read about damaging attacks that happened in 2021 — and how employee actions changed […]

Keeping Information Security Simple – Physical Security Comes First

Letter from the CISO, Vol 1 Issue 4 Washington University Community: Physical safety is a fundamental need of all animals, humans, computer systems, and devices. Last month I encouraged everyone to adopt a healthy dose of skepticism and paranoia regarding email, text, and social media messages to avoid becoming victims of social engineering attacks. This […]

Cybercrime and Human Intelligence

Restricted Intelligence Video Still

To defend ourselves against cybercrime, we cannot rely on technology alone. Cybercriminals constantly try different attack strategies, attempting to confuse, surprise, and manipulate their targets. Phishing emails are the most common attack strategy, and these messages are subject to the limitless creativity of their criminal authors. As a result, even state-of-the-art technology cannot perfectly detect […]

October is Cybersecurity Awareness Month

Road to Security

Cybersecurity Awareness Month is here!  Cybersecurity Awareness Month is a global effort to help everyone stay protected whenever and however they connect. The Office of Information Security is proud to be a Cybersecurity Awareness Champion, supporting online safety throughout the year. We’re here to help every member of our community gain the knowledge and tools […]

SHRED-IT: Electronic Waste & Paper Shredding Drives

On Tuesday, October 19 and Tuesday, October 26, Operations & Facilities Management Department, the Office of Sustainability, WashU Office of Information Security, and BJC Information Security are teaming up to bring the WashU community e-waste recycling and confidential paper shredding services. All are welcome to bring accepted items to the collection drive. All confidential papers and hard drives […]

Scam of the Month—September 2021

Eavesdropping

Zero-Click Security Threat Earlier this month, the Office of Information Security published an alert about “zero-click” spyware. Typical cyberattacks require the target to interact in some way with malicious content by clicking on a link or downloading an attachment from an unknown sender. Zero-click attacks do not require this sort of engagement. According to the interim […]

Meet Your InfoSec Team: Denise Woodward, Information Security Manager

Denise Woodward is an Information Security Manager in Governance, Risk, and Compliance for our Office of Information Security. She has 27 years of experience in IT, 22 of which are in information security. She got her start in information security working on the Help Desk of A.G. Edwards & Sons and has enjoyed solving problems […]

Keeping Information Security Simple – Be Skeptical and a Little Paranoid

Letter from the CISO, Vol 1 Issue 3 Washington University Community: “Keep Information Security Simple” has been my motto for nearly a decade. This month, I’d like to share an important thing that everyone can do to improve our security—slow down, just a little bit because haste makes good people fall for bad tricks. In the first […]

Get Inside the Hacker Mindset to Create Stronger Passwords

By Harrison Stites. In the last issue of SECURED, Chris Shull, Chief Information Security Officer, wrote about the importance of passwords. Specifically, Chris emphasized using unique and long passwords for each login to prevent hackers from accessing your accounts. However, for most users, remembering long, unique passwords is not feasible. Today, we will describe the tactics […]

Safety Tips for Back to School (Poster/Graphic)

By Harrison Stites. The Office of Information Security wishes everyone a safe and productive return to the classroom. In support of your return, we want to remind you of a few simple but important security strategies that you can use to protect yourself and your data.  Back-Up Devices Back up your devices and accounts to prevent […]

Protect Yourself from Misinformation

By Harrison Stites. The internet provides a platform for anyone to share information, and legitimate news must fight through the noise of misinformation to reach readers.  Misinformation is false or misleading information created by actors with malicious intent. It is especially dangerous when readers fail to detect its illegitimacy and perpetuate it by sharing it on social […]

Scam of the Month—August 2021

SMiSh Example

The Office of Information Security has received reports of a SMiShing campaign targeting students at our institution. SMiShing occurs when cybercriminals use tactics common to phishing campaigns in text messages, attempting to communicate legitimacy to the unsuspecting victim.  The reported SMiShing attempt is posted below. The message sender is posing as someone in a position […]

Meet Your InfoSec Team: Kevin Hardcastle, WashU Associate CISO

Kevin Hardcastle, a long-time leader in information security has been instrumental in keeping WashU secure. Kevin was first drawn to IT while studying at Missouri State, where he received a bachelor’s degree in computer information systems. He has 36 years of experience in information technology, including 21 years of experience in information security. He began […]

Keeping Information Security Simple – Multi-Factor Authentication

Washington University Community: Thank you for the positive feedback on June’s first issue of our new Information Security Bulletin, “Secured!” If you missed it, you can read it and other articles of interest at https://informationsecurity.wustl.edu/blog/. For almost a decade, I’ve been trying to “Keep Information Security Simple” (KISS) for my clients, employers, and friends. KISS is […]

Workday Security

Washington University recently adopted Workday, a cloud-based software system for managing finances, human resources, and planning. The new system provides a single, integrated system for managing multiple facets of daily operations at WashU.  WashU takes the security of your data and our systems seriously. Therefore, the system that we use to manage sensitive information such […]

How to use your source-checking skills to stay safe from phishing

By Harrison Stites According to IC3, an FBI subsidiary, 241,342 Americans were victims of successful phishing attacks in 2020. The tactics used in phishing continue to evolve with the intent of getting you to divulge sensitive information or download malicious attachments. However, you already possess the skills to prevent phishing attacks and stay safe online. […]

Save, Secure, and Share with Box and OneDrive

Institutions such as Washington University have incredible data storage and transfer needs. Members of our community are continuously engaged in research, teaching, and patient care, producing large quantities of data that need secure storage as well as accessibility. Further, the COVID-19 remote-work era has demonstrated the need for file access from multiple devices, in multiple […]

Phishing 101

Email phishing has long been the method of choice for many cybercriminals who seek to exploit vulnerabilities for personal gain. These attacks are continually revised and refreshed to take advantage of current trends and new strategies used to socially engineer their victims.  Phishing works so well because it takes advantage of human emotion, convincing unsuspecting […]

Scam of the Month—July 2021

Before we get to our Scam of the Month for July, we wanted to take a minute to say thanks to one of our readers who took the time to reach out and provide some additional clues from last month’s column. Here is a link to our post from last month: https://informationsecurity.wustl.edu/scam-of-the-month-june-2021/ Our reader points out […]

Don’t Let Digital Highwaymen Spoil Your Summer Adventures

Highwayman Robbing Coach Sketch

After more than a year of remote work and learning, summer vacation is calling, and families are ready to roam! According to the American Automobile Association (AAA), more than 47.7 million Americans will travel this Independence Day (July 1-5) ( Hall 2021 ), a 40% increase in travel volume over last year. Most travelers (43.6 […]

Avoiding Workday Phishing Scams

Washington University will soon adopt Workday, a cloud-based software system for managing finances, human resources, and planning. The new system provides a single, integrated system for managing multiple facets of daily operations at WashU. Background WashU takes the security of your data and our systems seriously. Therefore, the system that we use to manage sensitive […]

Meet Your Infosec Team: Chief Information Security Officer, Chris Shull

On June 1, 2021, Chris Shull assumed the role of Chief Information Security Officer (CISO) for Washington University in St. Louis. He comes to WashU from Huron Consulting Group, which is working on several other projects at WashU. Chris has joined Joe Susai, the CISO for the School of Medicine, and Kevin Hardcastle, Associate CISO […]

Scam of the Month—June 2021

In each issue of the newsletter, we will feature, discuss, and dissect a scam that has appeared on our campus. These scams are “real” attempts to infiltrate our systems and/or gain access to sensitive and personal information of individuals in our community. By sharing these examples with our readers, we hope to enhance your awareness […]

The Office of Information Security (OIS) is Your Ally in the Cybercrime Arms Race

Educational institutions such as WashU are prime targets for cybercriminals who use ever-evolving tactics to infiltrate systems, steal data, block access, and demand ransoms under the threat that they will publish sensitive data online. Universities operating medical centers are especially vulnerable, as they manage large amounts of sensitive patient health data. According to the Ponemon Institute, […]

Social Engineering Red Flags

Phishing, the practice of sending fraudulent emails in order to induce recipients into surrendering private information and login credentials, is the single most common type of cybercrime today. According to a recent report by the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3), nearly one-third of complaints received in 2020 were about various forms […]

Letter from the CISO – Everyone is in InfoSec

Washington University Community: I welcome you to this inaugural edition of our new Information Security Bulletin. My primary goal for the bulletin is to empower every member of our community to do their part in protecting us from cybersecurity attacks. A few years ago, the CISO for a health system was asked how many people […]

Updated Device Security Guidance and Best Practices

Device security is essential for protecting your privacy and data. Sound device security involves using features built into your devices, such as setting a passcode or adjusting privacy settings and protecting the physical security of the device itself. Devices are valuable and are enticing to opportunistic passersby, whether they are after the device itself or […]

The Magical World of Password Managers

Adapted from Tara Schaufler/EDUCAUSE I admit it. I was hesitant and fearful of using a password manager. But then my employer purchased password management software and asked me to introduce it to our organization. What a conundrum! I had avoided using the software up until this time. But why? Honestly, I did not trust that […]

Security Guides for iOS/macOS Posted, WIN and Android Coming Soon

Most of us rely heavily on our computers and personal devices to do our jobs, shop for our households, navigate unfamiliar roads, communicate with others, and myriad other tasks. Today, we may take this continuous access to the Internet as a given, hopping on and off networks as we move through the world, allowing location […]

Keep Your Information Secure This Tax Season

Tax season is here again, and as always, that means internet scammers are looking for openings to take advantage of heightened online traffic. According to IRS Commissioner Chuck Rettig, “This is generally the hunting season for online thieves, but this year there’s a dangerous combination of factors at play that should make people more alert” […]