Office of Information Security

Dear OSU Community,

As we get deeper into 2023, I’m happy to share that UIT is making great progress on the new Identity and Governance Administration (IGA) tool!  The IGA tool is a key enabler for the OSU community to have access to the right system, and the right data at the right time.  We are targeting moving the current ONID credential process to the IGA by the end of June, and then later in the year work on other credentials—like system administration accounts and the famous “DINO” accounts.  Also we will be working with stakeholders to define “roles” to be used to provide more discrete access strategies that will simplify what is today a very convoluted process.  Think of a “role” as a type of access need—like “Advisor,” or “Data Analyst.”  So, keep an eye out for more communication about this!

About this time of year is when we see tax scams start to come out.  While cyber scams are often themed with the time of year, the threat is constant.  Please look over e-mails you receive for any signs of phishy intent.  Was this an e-mail from someone you normally do not communicate with?  Is there a sense of urgency associated with the message?  Does the e-mail address look right?  Are the banners telling you the e-mail is coming from outside OSU, or is from someone you do not communicate with often?  Please report any e-mail that looks like a phish; we prefer that you report using the Microsoft Outlook “Report a message” feature in the Outlook Client, mobile Outlook Client or Outlook Web Mail, but you can send reports to [email protected] as well.

The Beav’s are getting ready for baseball which means Spring is near!

Dear OSU Community,

Happy New Year!  2022 was a banner year for OSU; largest enrolling Freshman class, largest graduating class, and the Beavers won a bowl game!

A little bragging about this website…OSU placed first in the higher education division of the MS-ISAC (Multi-State Information Sharing and Analysis Center—learn more about them here: https://www.cisecurity.org/ms-isac) Best of the Web contest.  I have to thank the people who made this possible—Ian Walker and Elise Schey both worked as analysts within OIS and took on the task to win this contest!  Of course, it isn’t just about the contest itself; we are trying to make this site as compelling and informative as possible for you, so please let us know how we are doing and what would make this a better site for the OSU Community.

As classes start up again, please be aware that students are being targeted by scammers with employment fraud, and employees are seeing similar scams.  In general, scammers want you to provide a personal e-mail address after they make contact with either a “fabulous” job offer, or a quick request for help.  Keep a sharp lookout for key-giveaways for fraud…someone may claim to be an OSU faculty member or staff, but the e-mail address doesn’t seem right or match who they claim to be.  The external banner on e-mail will often be present, so take a second look when you see this on an e-mail: [This email originated from outside of OSU. Use caution with links and attachments.]

A big thank you to the OSU Community for reporting phishing and spam e-mails!  Over the month of December, which is normally a slow month, over 1600 phishes were reported and actioned!  Keep up the great work!  The best way to report phishing is to use the “Report a Message” button in Outlook, Outlook Web Access or the Outlook mobile app. You can learn more here about this capability and contact the Service Desk if you need assistance in setting up the service.  Of course, we are still using [email protected] as way for people to report phishing emails; the Microsoft reporting allows us to respond and act much faster.

Welcome back, Beavs!

Campus gets a wonderful infusion of energy and excitement with the return of students and faculty for Fall Term!   We are so happy everyone is back!

The OSU Community aren’t the only ones happy to see students back…cyber scammers have increased the targeting of students with employment scams.  So what do these scams look like, and how can students protect themselves?  First of all, OSU faculty will never reach out to students with an unsolicited job offer by e-mail.  Secondly, if it sounds too good to be true, it probably is.  Thirdly, NEVER give banking or contact information over e-mail to someone you do not know.  Lastly, look at the e-mail carefully…does the e-mail have an external banner at the top of it ([This email originated from outside of OSU. Use caution with links and attachments.])?  What is the e-mail address?  If you hover over the name does it actually show something like: [email protected]?  Scammers will also apply pressure to cause action: “This is a new opportunity available only for a short time,” or “You seem like a good fit for this, but you need to contact me today about this.”  If you have any concerns or questions about whether a message you receive is a scam, please send it to [email protected] and we can help you determine if the e-mail is legitimate or not.

October is Cybersecurity Awareness Month!  Look for activities that will be on campus over the month!  We are planning to have several events, including a booth in the Student Experience Plaza on October 12th (come see if you can recognize a phish and win a prize!), a Lunch and Learn about Phishing on October 14th via Zoom, a Panel Discussion on October 18th at the MU Horizon Room over the lunch hour (register for a lunch), and an Information Security Town  Hall on October 26th via Zoom.  We’ll have details posted here on our Information Security webpage!

Dear OSU Community,

Congratulations to the Class of 2022!  All the hard work and commitment have paid off!  All of us in the Office of Information Security are proud of you and what you have achieved!

I’d like to thank the entire OSU Community for their resilience and assistance in helping protect our Cyber Dam.  We saw recent phishing attacks that were quite focused, and the community helped by reporting them to us, which allowed us to take rapid action.  If you would like to learn more about how to protect against phishing attacks, see the recording of our recent “FYI Friday” where Marjorie McLagan talks about what these attacks looked like.  

You can find a direct link here.  

We have additional resources about phishing on our website!

The summer is a quiet time at OSU, but this summer we will make some improvements to our cybersecurity services.  Look for some great improvements when everyone returns next fall!

I wish everyone a safe and enjoyable summer!

Open Phishing Season

Unfortunately for the OSU Community, Phishing Season never closes!  Cyber criminals use a technique called Phishing that uses e-mail messages as the attack path.  Phishes vary widely from very crudely written ones to very sophisticated, very targeted ones that are difficult to detect.  Phishes commonly use similar characteristics:

—they tend to evoke a sense of urgency (we have a one-time special offer that expires soon; your mailbox is full and will be disconnected; you owe money and you have a short time to resolve the problem; we detected a problem in your account and need you to enter your password for us to fix it; etc.)

--they ask for sensitive information (please enter your password and user name; provide us your bank account or credit card)

--they can appear to be from legitimate sources, but likely have something about them that is just off (why is that gmail.com address in an Oregonstate.edu e-mail address?  Why is my good colleague asking me to buy gift cards?  Why did the service desk send me an e-mail asking for my user name and password?)

Cyber actors are always changing their techniques and are becoming more sophisticated in their phishing attacks.  Whenever you suspect something may be off—it likely is!  Report suspected phishes to [email protected] or through the Microsoft reporting tool (those OSU community members who use G-mail; please send to [email protected]).  These reports make a huge difference for the community. During March, OSU was protected from over 303,000 phishing e-mails by our technology, and 543 phishes were reported to Microsoft.  

Conflict in Ukraine

The world is still processing the terrible situation in the Ukraine.  Russia has very sophisticated cyber capabilities that could be used in response to sanctions or to influence world opinion.  The best action we can take to prepare for this or any other cyber threat is to ensure our operating systems and applications are as up-to-date as possible and all recommended security settings are in place.  The Office of Information Security is sharing critical update information for our systems and services; if you receive a notice from us, please take action, or ask us how to protect your system if you cannot apply up-to-date software.  For your personal devices, turn on automatic updates and be sure to apply them (and reboot your system if necessary!).

Job Scams Targeting Students

OSU’s students are continually being targeted with fake job offers.  Legitimate student work will not come in the form of an unsolicited e-mail.  Legitimate student work will not require students to buy gift cards as a part of their employment.  Be wary of promises of a check to be mailed to you, with the sender asking you to deposit the check and then make purchases.  We have seen cases that the check is fraudulent, and the student has been scammed.  If you have questions about any apparent job scam, please reach out to [email protected] or to the Oregon State University Department of Public Safety.

Happy Tax Season!

This time of year, we start thinking about our obligation to file for taxes.  Unfortunately, scammers are always thinking about the calendar, and as we put away the holiday decorations, they are starting to think about putting away their holiday schemes and move to other campaigns.  The IRS has published a webpage that contains a good amount of information about tax fraud schemes and scams.  I would encourage you to visit to learn more: https://www.irs.gov/newsroom/irs-warning-scammers-work-year-round-stay-vigilant

What is true for tax scams is also true of other cyber scams—review notifications you receive in e-mail, text, voice mail and physical mail.  If the communications seems to be asking for urgent action, or is asking for account information, passwords or unusual requests for sensitive information, pause for a moment and evaluate.  If you have concerns about the communication, do not contact any phone numbers or e-mail addresses on the suspicious communication; find a legitimate contact at the agency by searching for the agency’s official website.  As always, if you have concerns, you can contact the Office of Information Security.

Log4j And You

Welcome to 2022!  

December found the OSU IT Community dealing with something called Log4j.  What the heck is that one might say…is it a numbered component to a Beaver Dam?  Or maybe the first part of Reser Rising?  Or is it a new math function that is being taught?  Actually, it is none of those things, but it had a lot of IT people around the world working hard over the holidays.  Apache Log4j is an open source Java-based logging utility that is widely deployed in systems and software.  On December 9, 2021, a Zero Day vulnerability was released that became known as Log4Shell, which was critical to be addressed by the OSU IT community due to the risk of attack caused by Log4Shell.

The OSU IT Community really rallied around finding all locations where Log4j might be in OSU systems and services, and while we are still seeing scans looking for this vulnerability, we are confident that we have taken prudent steps to ensure risk to OSU has been mitigated.  

For home users, you may have found that your Minecraft instance was needing patching one day in mid-December…Minecraft was one of many systems that had the Log4Shell vulnerability.  The action taken to protect Minecraft is the same action home users should take.  Make sure the systems and software you use are updated regularly!  Home users can take additional steps to protect their home networks by following these recommendations from the Cybersecurity and Infrastructure Security Agency (CISA):  https://www.cisa.gov/uscert/ncas/tips/ST15-002

We’ll publish some information soon about Tax Fraud tips as we approach tax season, so stay tuned for more information.

Holiday Scams 

Fall Term is well past its prime, the Football Beavs are bowling this year and the holidays are fast approaching. With the holidays come family, celebrations, crazy sales and unfortunately, cyber scams. Cybercrime has been on the rise over time and the numbers are astonishing. 

The FBI’s Internet Crime Complaint Center reports that in 2020, non-payment or non-delivery scams cost individuals more than $265 million and $129 million more in credit card fraud. Learn how to protect yourself this holiday season with guidance from the National Cybersecurity Alliance: https://staysafeonline.org/wp-content/uploads/2020/11/Online-Holiday-Sho...

Following these simple guidelines will go a long way to keeping the holidays festive and enjoyable and not ruined by a cybercriminal. 

Passwords 

Big news on campus is that we are asking everyone to reset their passwords. Although this is inconvenient and can be disruptive to the OSU Community, changing passwords and using strong authentication methods, such as Duo, are important tools available to OSU to protect against an increasing cyber threat. Thank you everyone for helping to keep OSU cyber-safe! 

Go Beavs!

Welcome Back to the “New Normal!” 

I can’t tell you how excited we all are to see more people coming back to campus for Fall Term! The Pandemic has certainly caused disruption, concern and uncertainty; I think it also has shown that the OSU community is resilient and adaptable. 

From a cybersecurity perspective, the pandemic provided amplification for certain types of threats. For the Oregon State community, the important thing is not to live in a state of fear of these threats, but to recognize them and take steps to protect yourself and the institution from them. 

A concerning trend we see is the targeting of our students by actors claiming to be affiliated with OSU, or another institution by making job offers for non-existent positions. Common themes are that these offers are initiated by the fraudster, they ask for personal information (such as banking info) to help “facilitate payment,” and ask favors, such as buying gift cards with a promise of repayment. No legitimate job offer from OSU would involve buying gift cards!! If you are a victim of such a fraud, I would encourage you to report it to the Oregon State University Department of Public Safety, or to a law enforcement agency near you. The Office of Information Security also can provide resources to help address a fraud. 

October is Cybersecurity Awareness month! The Office of Information Security will have several programs over the month that we hope you will find valuable for your professional and personal lives. Understanding common ways cyber criminals conduct their attacks, and the very simple things you can do to make it harder for them will go a long way to allow OSU to “Defend our Cyber Dam!” 

If you have any questions or concerns, please contact the Office of Information Security. Find us at beav.es/Infosec. 

Go Beavs!