Keeping Information Security Simple – Chocolate v. Kale and the Importance of Reporting Information Security Mistakes

Open Letter

Letter from the CISO, Vol 3 Issue 1 Washington University Community: Do you like chocolate more than kale? Of course! In a recent keynote presentation at the Gartner Security and Risk Management Summit, Mary Mesaglio, a Managing Vice President who leads Gartner’s Executive Leadership Dynamics team, discussed the importance of getting people to care about […]

Chance to Win $100 in Our Monthly Challenge

Trophy with five stars

The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you toward a few resources to help you protect yourself from cybercrime and understand how our office can support you. Guidance for Reporting Phishing Have you seen the Phish Alert Button? […]

Scam of the Month: Sheriff Impersonation

The Office of Information Security observes a trend in which criminals impersonate the sheriff’s office over the telephone. These scammers claim you signed for a subpoena, are an expert witness, or are a juror and never showed up for court and then demand payment. Along with a false accusation, scammers may list your personal information […]

Policies, Standards, and Guidelines

With the new design of our Policies page, visitors can conveniently locate, search, and preview our office’s policies, standards, and guidelines. Along with a contemporary design, the three terms each include a brief definition. Understanding their differences can prevent confusion and help you find the information you need to carry out your work securely. So, […]

Meet Your InfoSec Team: Hannu Turri, Cloud Security Architect

Picture of Hannu Turri against the St. Louis skyline

Hannu Turri, cloud security architect, is an integral part of the InfoSec team at WashU. Hannu comes to us from Finland, where he first served in the military and transitioned into IT, working as a CISO. After attending an AWS re:Invent event in Las Vegas, where he met his future wife a few years ago, […]

Keeping Information Security Simple – InfoSec Requires Advanced Preparation

Open Letter

Letter from the CISO, Vol 2 Issue 12 Washington University Community: Are cyber threats like pop quizzes? I was recently asked, “How are cyber threats like pop quizzes?” I’ve realized this is an interesting question, but not in the way I originally thought. Initially, I thought of reasons they were similar. They are unexpected, test […]

Chance to Win $100 in Our Monthly Challenge

Trophy with five stars

The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you toward a few resources to help you protect yourself from cybercrime and understand how our office can support you. Guidance for Reporting Phishing Have you seen the Phish Alert Button? […]

SECURED is Getting a New Look

SECURED newsletter design in the new template

Starting with our June edition, SECURED will have a new look. Information Security is a big part of the future of IT at WashU, so we are aligning our published content with the rest of the great information and news coming from WashU IT. You can learn more about WashU IT’s strategic plan on the […]

Business Associate Agreement (BAA) Explained

HIPAA Compliant

If you work with Protected Health Information (PHI), you have probably heard mention of a business associate agreement. At WashU, it is essentially a contract between WashU and a business associate concerning the handling of PHI. Who is a Business Associate? It is a person or entity outside of WashU who creates, receives, maintains, or […]

Scam of the Month: DEA Impersonation

The Drug Enforcement Administration (DEA) is warning the public of a widespread fraud scheme where scammers impersonate DEA agents to extort money or steal personally identifiable information. DEA personnel will never contact members of the public to demand payment or sensitive information. No legitimate federal law enforcement officer will request cash or gift cards from […]

Splunk and CrowdStrike Server Installation Initiative

Data Center Servers

A campus-wide initiative is underway to improve computer security by installing the Splunk Forwarder and CrowdStrike on all servers by the end of June, as InfoSec Policy requires. The Splunk Forwarder gathers real-time log data from servers into a searchable repository. This log data can help detect and troubleshoot security incidents quickly and efficiently. CrowdStrike, […]

Keeping Information Security Simple – Congratulations: You are a Risk Manager and a Systems Administrator – Know It or Not, Like It or Not

Letter from the CISO, Vol 2 Issue 11 Washington University Community: With Great Power Comes Great Responsibility As Uncle Ben in Spiderman said to the young Peter Parker, “with great power comes great responsibility.” Thinking back to the way I learned to program computers in high school by writing FORTRAN code onto paper by hand, […]

Chance to Win $100 in Our Monthly Challenge

Trophy with five stars

The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you to a couple of resources that will help you protect yourself from cybercrime and understand how our office can support you. We’d like to thank our challenge participants. We recently […]

Vulnerabilities, Threats, and Risks Explained

Threat, Asset, Vulnerability, and Risk

These three fundamental cybersecurity concepts are related but have distinct meanings. Security experts define these three concepts in a variety of ways, and the terms threat and risk are sometimes used interchangeably. This article’s definitions come from paraphrasing Computer Security: Principles and Practice by William Stallings and Lawrie Brown. Each term can be thought of […]

Scam of the Month: Phish Text “from Andrew Martin”

Hi Parker, let me know once you receive this text. Andrew D. Martin

The Office of Information Security has observed a trend in which criminals impersonate Chancellor Andrew Martin over text message. Impersonation is one of the most effective social engineering tactics used by scammers, and it can be particularly powerful when the person being impersonated is in a position of authority. If you see a message like […]

Meet Your InfoSec Team: Armin Toric, Information Security Analyst I

Headshot of Armin Toric

Armin Toric, Information Security Analyst I, is passionate about “protecting the university from cyber villains!” After attending St. Louis Community College and Ranken Technical College, Armin took advantage of CompTIA certifications and other cybersecurity boot camps. He took the initiative to obtain his Network+, Security+, and CySA+ certifications to build his skills around topics like […]

Keeping Information Security Simple – Top Ten Social Engineering Techniques

Letter from the CISO, Vol 2 Issue 10 Washington University Community: I often encourage everyone to “be vigilant, skeptical, and a little paranoid,” and I usually provide a few pointers on things to watch out for and what to do when (if) you see them. Which Half Are You In? A recent report concluded that […]

Chance to Win $100 in Our Monthly Challenge

Trophy with five stars

The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you toward a few resources to help you protect yourself from cybercrime and understand how our office can support you. Guidance for Reporting Phishing Have you seen the Phish Alert Button? […]

Job Posting Scam

A man holds Phone with LinkedIn application on the screen.

Job scams that target students are on the rise. As you may already know from reading our Scam of the Month posts, hackers can and will target you by impersonating a university employee looking to hire a student worker. Often, these scams will reach you via email or your cell phone number. When the hacker […]

Scam of the Month: Windows Defender Pop-ups

Windows Defender Security Center pop-up scam screenshot.

The Office of Information Security has observed a trend in which criminals send a fake error message on a website, saying there is a virus on your computer. These fake error messages aim to scare you into calling their “technical support hotline,” and they will likely ask you to install applications that give them remote […]

InfoSec Allies: Craig Pohl, Senior Director of Research Infrastructure Services

Many hands touching a speech bubble.

WashU researchers must persevere through myriad challenges in the quest for knowledge. Among these challenges is developing a comprehensive security plan for their data, applications, and research results. Increasingly, research sponsors require these plans as a condition of funding. Our researchers are pioneers, bringing their expertise to the frontiers of discovery, but they aren’t always […]

Secure Electronic Waste & Paper Shredding Drive on Danforth Campus

Photo of electronic waste

On Tuesday, March 28, from 8:30 am to 10:30 am, the Office of Sustainability and WashU Office of Information Security are teaming up to bring the WashU community e-waste recycling and confidential paper shredding services. Certified vendors will securely and safely recycle all confidential papers and hard drives. All are welcome to bring accepted items […]

Serving you better through ServiceNow integration

The Office of Information Security is changing how we manage emails sent to infosec@wustl.edu. Starting 2/27/2023, every email that reaches our inbox will automatically be assigned to a ticket in ServiceNow. Tickets are how the rest of WashU IT handles work and requests, and we intend to align with this standard. Apart from solidarity, the […]

Chance to Win $100 in Our Monthly Challenge

Trophy with five stars

The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you toward a few resources to help you protect yourself from cybercrime and understand how our office can support you. Guidance for Reporting Phishing Have you seen the Phish Alert Button? […]

Protect Yourself When Using Peer-to-Peer Money Exchange Apps

Assorted apps for payment .

You’ve all heard the phrases, “just Venmo me”, “do you have Zelle?”, and “can I send you Apple Cash?”. In the blink of an eye and a tap of a finger, your money can be sent to whomever you choose. However, without considering some basic protections, this convenience could come at a cost. As quickly […]

Scam of the Month: Available Cell Phone? Quick response?

The Office of Information Security observes a trend in which criminals send an email impersonating a Professor of Mathematics, hoping that victims will share their phone number and eventually purchase gift cards for them. If you see a message like the one below, please do not interact with the sender or phone number, and do […]

Meet Your InfoSec Team: Adam Coyle, Information Security Analyst I

A Team Of Workers Put Hands Together

Adam Coyle, Information Security Analyst I, believes that information security is becoming one of the most critical roles in any organization. Over the first nine years at WashU on the Deskside Support team, Adam became fascinated with information security and the strides the university takes to become more secure. His current role as a security […]

Multi-Factor Authentication

Most of the time, using an online service – checking email, shopping, and using social media – requires users to log into an account with a password. As we covered in the Password-based Authentication article, passwords are “something known,” so they can be leaked. And security breaches happen often. Recently, LastPass had its second security […]

Chance to Win $100 in Our Monthly Challenge

Trophy with five stars

The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you toward a couple of resources that will help you protect yourself from cybercrime and understand how our office can support you. Guidance for Reporting Phishing Have you seen the Phish […]

Advanced Data Protection for iCloud

With the release of iOS 16.2, Apple offers Advanced Data Protection for iCloud as an optional setting to adult US users. For those who enable the feature, iCloud will provide end-to-end encryption for Photos, Notes, iCloud Backup, and more. As a result, nobody else – not even Apple – can access your end-to-end encrypted data. […]

Scam of the Month: Invoice from PayPal LLC

The Office of Information Security observes a trend in which criminals send a convincing fraudulent PayPal invoice, hoping that victims will click a malicious link. If you see a message like the one below, please do not interact with the sender or phone number, and do not follow any special instructions. Simply report the email […]

Meet Your InfoSec Team: Madeline Quigley, Cybersecurity Awareness and Culture Specialist

Madeline Quigley, Cybersecurity Awareness and Culture Specialist, is the newest member of the Cybersecurity Awareness, Behavior, and Culture team. Madeline spent her childhood in Rhode Island and moved to St. Louis to attend Maryville University from 2018 – 2021, earning a bachelor’s degree in Cybersecurity with a minor in Creative Writing. Madeline has resided in […]

A quick dip into the world of artificial intelligence

By Chris Shull, CISO Over the past few weeks, the Artificial Intelligence (AI), called ChatGPT from OpenAI, has captured many headlines, ranging from wonder to panic. Central to the panic is the idea that knowledge workers would be put out of work and students would use ChatGPT to do their homework and take their exams. […]

InfoSec Alert: LastPass Security Breach

On December 22nd, 2022, LastPass notified their customer base of a cybersecurity incident that put customer data and passwords at risk. This incident occurred in November of 2022. Bad actors could potentially possess encrypted user data that includes “usernames, passwords, secure notes, and form-filled data,” according to LastPass. While in possession of this data, the bad […]

Chance to Win $100 in Our Monthly Challenge

Trophy with five stars

The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you toward a couple of resources that will help you protect yourself from cybercrime and understand how our office can support you. Guidance for Reporting Phishing Have you seen the Phish […]

Biometric-based Authentication

In the last two months, we covered password-based authentication and token-based authentication. When properly implemented and used, both methods can provide secure user authentication. Still, passwords and tokens each have their shortcomings: Complex—and therefore secure—passwords are hard to remember. A token can be lost. Either can be stolen. Meanwhile, biometric authentication uses personal data that […]

Securing New Devices

A recent market forecast predicted that the average volume of electronics per person in the Consumer Electronics market will increase to 2.8 pieces in 2022 (Consumer Electronics – US: Statista market forecast). With gift-giving season approaching, you or someone you know will likely receive some tech. Follow the strategies below to keep your shiny new […]

Scam of the Month: Job/Employment Offer

The Office of Information Security observes a trend in which criminals send fraudulent job requests, hoping that victims will click a malicious link. If you see a message like the one below, please do not interact with the sender or phone number, and don’t follow any special instructions. Simply report the email using the Phish Alert […]

Meet Your InfoSec Team: Richard Edwards IV, GRC Analyst II

Since Richard Edwards IV, Governance Risk and Compliance Security Analyst II, began working in IT, security has been his top interest. For one, he enjoys how information security challenges him to keep learning. He also noticed a trend: As technology becomes more incorporated into everyday life, so too do threats and vulnerabilities to our technology. […]

Keeping Information Security Simple – Your Internet Bodyguard

Letter from the CISO, Vol 2 Issue 6 Washington University Community: High School Bodyguard? When a friend’s daughter was in high school, she had written to a German exchange student who was coming to the US, writing about her kickboxing class and her job as a lifeguard at the neighborhood summer swim club. Unfortunately, when […]

Chance to Win $100 in Our Monthly Challenge

Trophy with five stars

The OIS is always looking for ways to improve your security and reward your participation in our efforts. This month, we want to point you to a couple of resources that will help you protect yourself from cybercrime and understand how our office can support you. We’d like to thank our challenge and giveaways participants. […]

Token-based Authentication

By: David Puzder Last month, we covered password-based authentication explaining how to authenticate a user based on something they know. Another means to authenticate a user’s identity is through something they possess – a token. A common instance of token-based authentication is a house key. Ideally, only the person who possesses the proper key can […]

Tips for Traveling and Shopping Safely This Holiday Season

Thanksgiving message with autumn leaves and an orange pumpkin

With Black Friday, Small Business Saturday, and Cyber Monday around the corner, it can be tempting to buy discounted items on impulse. Before getting caught up in a “while supplies last” frenzy, remember that scammers capitalize on hasty decisions involving payment information. According to the Federal Trade Commission’s Consumer Sentinel Network data, online shopping scams […]

Scam of the Month: Package Scheduled for Delivery Today

The Office of Information Security has observed a trend where criminals send fraudulent delivery notifications in hopes that victims will scan a QR code. If you see a message like the one below, please do not interact with the sender and do not follow any special instructions. Simply report the email using the Phish Alert […]

Meet Your InfoSec Team: Victor Tinsley, GRC Security Analyst

Victor Tinsley

Victor Tinsley, Governance Risk and Compliance Security Analyst I, has always been curious about how malicious actors manipulate a target environment. How do they devise new ways to exploit a system? Following his interest, he pursued a Bachelor of Science with a focus on information security. Aside from having interest in the field, Victor believes […]

Keeping Information Security Simple – You’re smart and getting smarter, but…

Letter from the CISO, Vol 2 Issue 5 Washington University Community: Everyone loves to hear how smart they are! Right? I don’t know anyone who doesn’t like hearing how they are “smart,” “bright,” “clever,” “hard-working,” “correct,” and best of all, “you’re right; I was wrong.” Today I have good news, better news, bad news, and […]

Password-based Authentication

By David Puzder Virtually every online account requires a password. Many account providers require additional authentication steps, like the Duo push alert, to increase security. As for password-based authentication, the principle is relatively straightforward: the user provides an account name or identifier (ID) plus a password, and the system compares the given password to the […]