VWCC PhishTrain Summary Report

Information security is a daily concern in today’s work environment. Bad actors and hackers continually attempt to access sensitive data and systems by impersonating “real employees” within an organization. Some of you may have received emails asking you to contact a senior staff member or purchase gift cards, and some VCCS agencies have seen emails requesting unauthorized changes to payroll direct deposit accounts.

On September 12th, the Information Security Shared Services (ISSS) team (Natalie Talbott & Brenda Bowling) launched the first of what will become ongoing phishing campaigns. The use of phishing emails to infiltrate networks and steal sensitive data is increasing at an alarming rate. The goal of our internal campaigns is to educate employees at all levels on basic ways to identify phishing emails and to raise awareness of cyber-attacks.

How the Campaign was Conducted

An email was sent from a false account (rsandel@vwcc.edu) using the sender name Bobbie Sandle. The message said that Dr. Sandel needed your assistance and asked you to click a link. There were several red flags in the email, including the misspelled sender name, the incorrect email address, and message contents that made no sense.

Expected Results

  • Some users would view this message as suspicious and not click the link because of the false account, and report it to the Help Desk as phishing.
  • Some users would trust the sender’s name and click.
  • Some users on mobile devices, where the From email address often cannot be viewed, would click without checking for suspicious information.
  • Some users would click because it looked like there was more to read.

Kudos to all who questioned the legitimacy of the email or reported it as phishing by the method above.

  • The phish email was sent to 599 users.  Note that some of you may have never seen it as our Junk Mail filter may have already caught it.
  • Quite a lot of users called or emailed the Help Desk asking for guidance and/or reporting the emails as phishing attempts.
  • 7 users clicked on the link.
  • 6 users clicked from the desktop.
  • 1 user clicked from an Android mobile device.

Guidelines for Handling Suspicious Email

  • If you receive a junk or phishing email in your Inbox, you should contact the VWCC Help Desk for verification before clicking.
  • Check the address – is it familiar to you?
  • Check the sender (From).  Do you know that person?
  • Check the content – does it make sense to you? Does it sound like something the person would write?
  • Check the grammar in the email for obvious mistakes and misspellings.
  • Hover over the link BEFORE you click – is it real?
  • If in doubt – DON’T (click, enter credentials, etc.)
  • Check the emails you send to make sure they don’t LOOK like spam.

While cyber threats and phishing attempts are becoming more sophisticated over time, please keep in mind that 95% of all cyber breaches involve human error. Not clicking on email links, and immediately deleting these emails or reporting them as phishing, will go a long way in keeping the VCCS’s data safe from these types of threats!

If you have any questions, please contact Natalie (ntalbott@vccs.edu), Brenda (bbowling@vccs.edu) or Shivaji Samanta (ssamanta@virginiawestern.edu)!

Virginia Western, VCCS & Commonwealth of Virginia Standards Compliance

Virginia Western’s computer systems are governed by VWCC guidelines, VCCS guidelines and Commonwealth of Virginia policy. These standards are revised frequently in order to adapt to changing security challenges. Information and Educational Technologies is tasked with managing VWCC compliance as a system owner.  Storage guidelines are part of an overall effort to improve information systems reliability and security in the Commonwealth of Virginia, as well as protect the privacy of the individuals we serve.

Our systems are subject to APA and VCCS audits. As a user of resources governed by this standard, your stewardship is a key element of our compliance efforts.

Raising security awareness and assessing risks are key to any successful information system security program.

What is Sensitive Data?

Sensitive data is the first name or first initial and last name in combination with and linked to any one or more of the following data elements, when the data elements are neither encrypted nor redacted.

Definitions

Encrypted means to encode the data in such a manner as to render it unreadable without an encryption key, as defined by accepted encryption standards.

Redact means to alter or truncate data such that no more than parts of the following information is accessible.

Sensitive Items

  1. Social security number
  2. Driver’s license number or state identification card number issued in lieu of a driver’s license number.
  3. Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial accounts.
  4. Other personal identifying information, such as insurance data or date of birth.
  5. Five digits of a social security number; or
  6. The last four digits of a driver’s license number, state identification card number, or account number.

Note: The term does not include information that is lawfully obtained from publicly available information or from federal, state, or local government records lawfully made available to the general public.

All agency systems, processes, and logical and physical data storage locations that contain personally identifiable information are considered sensitive, which raises their standard of compliance to that of systems containing sensitive data.

Storage of these items on COV and VWCC systems is not permitted unless it is specifically required for college business. Normal college business operations require that sensitive information be maintained in many departments. If your department is required to store sensitive information as defined in the next section, you, as the data owner, are responsible for notifying Information and Educational Technologies of the need to store sensitive information and for classifying your data storage requirements as defined in the college’s Continuation of Operations and Disaster Recovery Plans.

Sensitive data is never to be stored on portable storage devices in unencrypted form, including laptop computers, CD/DVDs, USB Keys, cell phones or PDAs. In the event that there is a business requirement to store sensitive data on a portable device, documentation of the nature of the data and justification for storing it on portable media must be submitted in writing to the College Chief Information Security Office along with documentation of processes that will be used to secure this data. Information and Educational Technologies will work with the data owner to establish storage that is in compliance with the applicable state, VCCS and college guidelines.

Secure Transmission of Sensitive Data

Sensitive data must be protected from exposure to unauthorized persons or when it is exchanged with authorized recipients outside the normal security boundaries of the VCCS network.   Authorized recipients may include other VCCS employees, consultants, cloud services providers, or other entities with approved non-disclosure and acceptable use agreements on file. 

Transmission of sensitive data using email is not allowed unless the data is included as an encrypted attachment or the email itself is sent encrypted. Note that some email servers will reject or strip off unrecognized attachments, so this method is not always reliable. Send the encryption key (password) to the recipient using an alternate communication method (cell phone) to ensure the data and the encryption key are transmitted separately.

VWCC has standard operating procedures for transmission of secure data as detailed in SOP-VWCC-007 Data Encryption available for review on request. Specific procedures for sending encrypted data are detailed in Secure transmission of information using Outlook Email (PDF).

Please contact the Help Desk if there are additional questions on the process.

ID Badges

All employees of VWCC are required to have a VWCC ID badge in their possession and must present it upon request of Campus Police, faculty, or staff. This ID badge is important for you to have as you conduct college business, such as traveling and purchasing.

New employees must have their ID badge issued within 30 days of beginning employment.

Once you have been given a completed ID Badge Form by your school office/department, please make an appointment with the Student Activities Office (540-857-6326) in the Student Life Center to have your photo taken and your badge issued. Adjunct faculty are provided semester stickers to place on their badge which indicate that the badge is current for the semester.

If your badge breaks, take the broken parts to the Student Life Center for a free replacement.

If you lose your badge, the Student Life Center will replace it for a $5.00 fee.

VW Mass Notification System

Get alerted about specific college events, emergencies and other important community news by signing up for the VW Mass Notification System. This system enables Virginia Western to provide you with critical information quickly in a variety of situations, such as campus events, registration and financial aid deadlines, severe weather, unexpected road closures, missing persons and evacuations of buildings or neighborhoods.

You will receive time-sensitive messages wherever you specify, such as your home, mobile or business phones, email address, text messages and more. You pick where, you pick how.

Click here to sign up or edit your preferences.

Please contact the Help Desk at helpdesk@virginiawestern.edu or 540-857-7354 if you have any questions/concerns.

Click here for the Inclement Weather policy and Delayed Class Schedule.

NOTE: If all you need is text alerts for school closings and emergencies, you can also sign up for our separate text gateway by texting VWCC to 888777 from your mobile device.

ISO27000 Standard

Virginia Western is one of 23 community colleges in the Commonwealth of Virginia and all information technology policies and guidelines are derived from the ISO27000 Standard.

To review all VWCC’s information technology policies and guidelines, visit IET’s site on VWConnect (on-campus or virtual desktop only).

Password Security & Tips

VWCC faculty, staff, and administrators have both VWCC and VCCS (MyVWCC) accounts to access a variety of systems. You are responsible for your VWCC and VCCS accounts and anything that happens with your account. Make sure your passwords are secure, so your accounts cannot be used for nefarious purposes.

Once you have established a secure password, keep your password secret. Do not share your password with others. Do not write down your password and keep it near the computer.

Password Tips

  • Always immediately change default passwords.
  • Do not use simple, obvious, or predictable passwords.
  • Include at least one number, preferably not at the end.
  • Use a varying combination of upper- and lowercase letters.
  • Do not use spaces.
  • Do not use names or nicknames of people, pets, places, or personal information that can easily be found out, such as your address, birthday, or hobbies.
  • Create passwords that are easy to remember but hard to guess.
  • Do not write your passwords down or post them to your computer monitor.
  • Never share your passwords with others.
  • Change your passwords regularly.

VWCC Password Requirements

VWCC passwords must be changed every 90 days. You will receive a reminder in your email, and when you log on to your computer.

Passwords:

  • Must not contain all or part of the user’s account username.
  • Must be at least 8 characters in length.
  • Must contain characters from 3 of the following 4 categories:
    • English uppercase characters (A through Z).
    • English lowercase characters (a through z).
    • Base 10 digits (0 through 9).
    • Non-alphanumeric characters (e.g. ` ~ ! @ # $ % & ^ * ( ) _ + { } [ ] - \ / ? : ,).
  • Should not be real words, family names, or place names.

VCCS (MyVWCC) Password Requirements

VCCS passwords must be changed on a regular basis. You will be notified upon login when your password has expired.

Passwords:

  • Must not contain all or part of the user’s account username.
  • Must be at least 8 characters in length but not more than 32.
  • Must contain at least one English uppercase letter (A through Z).
  • Must contain at least one English lowercase letter (a through z).
  • Must contain at least one number (0-9).
  • Must contain at least one special character (e.g. ` ~ ! @ # $ % & ^ * ( ) _ + { } [ ] - \ / ? : ,).
  • Should not contain family names or place names.
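
A small checker for the VWCC and VCCS (MyVWCC) rule sets above, added here as an example (it is not VWCC or VCCS code). It assumes that "part of the username" means any run of three or more consecutive username characters, compared case-insensitively; the "real words, family names, or place names" rules need a word list and are not checked.

```python
import string

# Rule sets transcribed from the two requirement lists above.
POLICIES = {
    "VWCC": {"min_len": 8, "max_len": None, "classes_needed": 3},
    "VCCS": {"min_len": 8, "max_len": 32, "classes_needed": 4},
}

FRAGMENT_LEN = 3  # assumption: "part of the username" = any 3+ character run


def char_classes(password):
    """Return which of the four character categories appear in the password."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        elif not ch.isalnum():
            found.add("special")
    return found


def contains_username_part(password, username):
    """Case-insensitive check for any FRAGMENT_LEN-character run of username."""
    pw, user = password.lower(), username.lower()
    if len(user) < FRAGMENT_LEN:
        return bool(user) and user in pw
    return any(user[i:i + FRAGMENT_LEN] in pw
               for i in range(len(user) - FRAGMENT_LEN + 1))


def check_password(password, username, system):
    """Return the list of violated rules; an empty list means compliant."""
    rules, problems = POLICIES[system], []
    if len(password) < rules["min_len"]:
        problems.append("too short")
    if rules["max_len"] is not None and len(password) > rules["max_len"]:
        problems.append("too long")
    if len(char_classes(password)) < rules["classes_needed"]:
        problems.append("not enough character categories")
    if contains_username_part(password, username):
        problems.append("contains part of username")
    return problems
```

A password with upper case, lower case and digits but no special character passes the VWCC rules and fails the VCCS rules, which is the practical difference between the two lists.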

Security Awareness and FERPA Education

The state of Virginia requires that all employees participate in IT security awareness training every year. Virginia Western has partnered with VCCS Information Security Shared Services (ISSS) to provide a consistent security management and reporting framework at the college.

Are you aware the majority of security breaches occur because of human error? Security awareness education arms you with habits and knowledge that will keep our students, our organization, and us safe. Learn how to recognize and respond to a phishing email, avoid downloading malicious code from the Web, keep your social media posts secure, and more.

Virginia Western is using the KnowBe4 Security Awareness Training application for all full-time and adjunct faculty, full-time staff, and administrators. The training is completed online and a certificate of completion is awarded when all videos/courses have been successfully completed. Trainings on FERPA and PCI (if applicable) are also required.

This training is required annually. You will receive an email when your training is due, and will have 30 days to complete it. That email will also contain login instructions.

Any questions? Contact Security Awareness Education Help at SAEHelp@vccs.edu.

Guidelines & Policies for Computer Use

Virginia Western Technology Use Policies

VWCC Information & Educational Technology Service Level Agreement (SLA) (PDF)

This service level agreement (SLA) provides the basis for managing the services provided and relationships between the Information & Educational Technology (IET) department and the Faculty, Staff and Students at Virginia Western Community College (VWCC). This agreement describes how user service requirements are understood and addressed and attempts to create a realistic service expectation level.

VWCC Information Technology Use Policy (PDF)

The purpose of this policy is to ensure the appropriate, responsible, and safe use of electronic communications and social media by employees. This policy establishes minimum standards for all state employees.

VWCC Information Technology Use Policy Q&A

This document contains answers to some of the most frequently asked questions regarding technology use at Virginia Western. If you do not find your answer here, contact the Help Desk directly.

Virginia State Employee Guidelines

Use of Electronic Communications and Social Media (PDF)

The purpose of this policy is to ensure the appropriate, responsible, and safe use of electronic communications and social media by employees. This policy establishes minimum standards for all state employees. Agencies may supplement this policy as necessary, as long as such supplement is consistent with this policy.

Virginia Community College System Guidelines & Standards

Information Technology Employee Acceptable Use Agreement (PDF)

As a user of the Virginia Community College System’s local and shared computer systems, I understand and agree to abide by the above acceptable use agreement terms. These terms govern my access to and use of the information technology applications, services and resources of the VCCS and the information they generate.

Information Technology Student/Patron Acceptable Use Agreement

As a user of the Virginia Community College System’s local and shared computer systems, I understand and agree to abide by the above acceptable use agreement terms. These terms govern my access to and use of the information technology applications, services and resources of the VCCS and the information they generate.

VWCC Information Security Plan (ISO27002 Standard) (PDF)

The Virginia Community College System (VCCS) provides shared information technology resources and services to faculty, staff, and college patrons, collectively “Users,” for activities supporting the VCCS mission. The purpose of this standard is to protect the integrity of VCCS Technology Resources and the Users thereof against unauthorized or improper use of those resources. The above standard describes responsible behavior expected by those given access to the technology resources and services. The System Office Information Technology Office provides practical guidelines for the application of this standard and general oversight to govern the implementation.