
From the desk of the Director of IT


Steve Vieira, Director of Information Technology (IT) monthly newsletter

Every month, I will be publishing this brief newsletter announcing upcoming new developments and applications for your use.  The IT team will reach out to you for your feedback and ideas on how IT is doing and the services being offered.

It will be kept short but hopefully informative, to ensure the transparency of information technology at Berkshire Community College and of the strategic and tactical steps being pursued to provide the best support possible.

In this little newsletter, I plan to update everyone on ongoing and new projects in which the IT staff is engaged. My hope is that if you have heard about something IT is doing, you heard it here first.

The IT Team is dedicated to solving all of your problems in a timely and efficient manner. Statistics show that requests are being resolved in a day or less in most cases.

Contact Us

Questions or concerns?

Email:  svieira@berkshirecc.edu
Phone: 413-236-3003

November 2021 Newsletter

Endpoint Management; What is it?

One of the primary functions of the Information Technology Department is endpoint management and endpoint security. To understand these concepts, the first thing that needs to be established is what an endpoint is.

The volume and sophistication of cyberattacks are on the rise, and information technology (IT) systems and data are under constant threat of attack. Cyberattacks have become increasingly layered, using multiple, coordinated techniques to slip into an institution’s IT systems. Endpoints are frequently the door through which attackers gain initial access. 

Jargon abounds in the technical world of IT, with obscure-but-precise language sometimes getting in the way of conceptual understanding. The term “endpoint” fits the bill. While it may make sense to a seasoned IT professional, the rest of us may need a little help. What exactly is an endpoint, why does it matter, and do you need an endpoint backup solution?

  • What is an endpoint? 

    An endpoint is any device that sends and receives communications with a network to which it is connected.  
    Endpoints can include:
    • Desktops/workstations
    • Laptops
    • Smartphones
    • Cash registers
    • Tablets
    • Servers

    It also could be data terminal equipment (such as a digital telephone handset, router, or printer) or a host computer (such as a workstation or a server).

    Yet today, endpoint is used most commonly in network security and end-user mobility circles to mean any device outside the college firewall. This could be laptops, tablets, or mobile phones on the “edge” (or periphery) of the network, where individuals connect to the BCC central network (or intranet).

    The critical issue surrounding endpoints is they represent one of the key areas of vulnerability for colleges, and can be an easy entry point for cybercriminals.  Through endpoints, attackers may execute code and exploit vulnerabilities on and with our assets. Today, the workforce is more mobile than ever, with employees connecting to internal networks from outside the campus and from endpoints anywhere in the world.

  • What is endpoint management?

    Endpoint management is the practice of authenticating and supervising the access rights of endpoint devices to a network and applying security policies that prevent any external or internal threats posed by that access. Network owners typically use endpoint security management software to:
    • Restrict access to the network to only authorized endpoint devices and their users, either on premises or over a broader network (e.g., a wide area network or the internet).
    • Apply and monitor endpoint security policies throughout the entire network with small software apps on each managed device (called agents).
    • Enable security administrators to manage these devices and processes from one central console or application.

    PCs, laptops, tablets, and smartphones accessing networks either on premises or over remote/internet connections are the most prevalent devices that require endpoint management.

    Endpoint use is increasing in the higher education world due to student, faculty and staff mobility where computer users are much less tethered to a desk, classroom or office. Traditional network-focused protocols are designed for the PC-era and the desktop. With an ever-growing amount of data outside the firewall on endpoint devices, IT needs to deal with security and communications in real time across varying locations and bandwidths. Adding to this risk are the possibly insecure apps loaded on employees’ ever-increasing number of devices, with consistent exposure to malware as a result of network usage.

    IT teams solve for the challenges of endpoints using virtual private networks (VPNs), which enable safe connection to the main, managed network. Endpoint cloud backup technologies enable real-time backup of the data on endpoints, minimizing the risk of data loss. They provide IT the tools to manage institutional data on endpoints. They can even be used to automatically detect a malware or ransomware attack, allowing an IT admin to address it immediately – before it causes further damage.

    Ironically, endpoints are quickly becoming more commonly used to compute and communicate than the local, fixed desktop machines from which they were derived. The notion of a safe and secure network and insecure endpoints is fast giving way to a more modern concept — computing across any device or network, with always-on security protecting Berkshire Community College users accessing cloud-enabled storage (like OneDrive in the Office365 Suite).  Endpoint users are encouraged to never save items to a local drive on their endpoint, in case the data becomes unrecoverable due to theft, disk corruption, endpoint failure or unintentional deletion of such material.  Saving to a cloud-enabled storage resource allows backup and recovery in the event of any of these catastrophic occurrences.

    Due to the large volume of endpoints and wide range of permission rights for users, setting each device individually is not practical. This creates the need for endpoint security management policies. Management can decide which permissions, and even what types of devices, can use the network. With endpoint security management policies, administrators can efficiently grant or deny (based on supervisor and stakeholder approval) specific rights on the network, restricting which areas, workloads, and applications the user can access. As a person's role changes, administrators and security managers can modify policies and distribute changes dynamically.

    Because protecting access to the network is increasingly important, and passwords can be hacked, endpoint security management can also entail embedding device-specific tokens (e.g., encrypted software-based IDs) onto devices to ensure the endpoints (and their users) are authentic and authorized. Once users gain access to the network, endpoint security software steps in to provide protection.

    Endpoint security and endpoint security management function best when they work together. Endpoints are work tools and network interfaces, and as such, they constantly create and exchange data. It is the function of endpoint security software to analyze and vet all changes and movement of data, scan for malware and viruses, and apply patches and updates where needed.  Endpoint security management should coordinate and prioritize updates, consolidate and communicate monitoring alerts and reports, and provide unified security services managed by IT.

    While endpoint security software does the grunt work of detecting and protecting endpoints and the network from threats, endpoint security management unifies, simplifies, and strengthens BCC's overall security posture and daily threat preparedness. Colleges that deploy endpoint security management typically realize the following benefits:
    • Faster response and mitigation of security threats
    • Rapid deployment of the latest security features and technology
    • Enhanced security communication across the campus
    • Lower costs, yet tighter security
    • Pathway to future enhancements and automation

  • Why is endpoint management so critical in 2021?

    The most pressing reason for endpoint management is that most successful attacks begin at the endpoint. In fact, according to an International Data Company study, the endpoint was the cause of 70 percent of successful attacks.  This statistic is probably no surprise since endpoints represent all the devices connecting to the BCC network. Therefore, if those devices are not well-managed, attacks can quickly morph from a brushfire to a widespread blaze.

    The definition of a secure endpoint has changed over the years and is much more complex in 2021 than it was even a few years ago.  New critical threats materialize all the time, and for most IT and security teams, it is a constant struggle to prioritize the threats that can cause the most harm. When Berkshire Community College lacks sufficient visibility into potentially infected enterprise endpoints, vulnerabilities are patched haphazardly, leaving the college more vulnerable.
     
    Attacks aimed at endpoints are hurtling toward us at an unprecedented rate. In 2021, the attackers are getting stealthier. Bad actors (hackers) may not be changing the strains of their attacks, but their tactics, techniques, and procedures are more sophisticated than ever.

  • What can be done to protect endpoints?

    Getting started with endpoint security and management is not simple, nor is it something you can do in a single day – it takes a lot of time, planning, resources, training, and practice to build a solid foundation.

    The first task for securing endpoints is assuring that only authorized devices and users can connect to the network. Typically, this entails setting up username and password authentications on approved devices so that authorized members of the network can log in and perform work.  Quick question!  Do you know the difference between the terms authentication and authorization?  Authentication is basically your username and password.  It provides access to the resource by proving that you are who you say you are.  Now, just because you are logged into a resource doesn’t mean you can use it in any way you want.  That is where authorization comes in.  It authorizes you (gives you permission) to use elements of the resource into which you logged.

    Antivirus solutions are embedded in the operating system or installed on endpoint devices both inside and outside BCC’s firewall—these typically include desktop and laptop computers and network servers but can also include things like mobile phones. Traditional endpoint antivirus solutions feature large databases of virus signatures (characteristics common to virus attack mechanisms) and definitions. They find malware by scanning files and directories and looking for patterns that match the virus signatures and definitions on file. These systems can only recognize known threats. Endpoint antivirus vendors constantly look out for new malware so that they can add it to the databases.  Since new malware is being developed all the time, endpoint antivirus software must be updated regularly.

    Most endpoint antivirus solutions include the following capabilities:
    • The ability to run scans both at scheduled intervals and manually
    • Internet safety features, including warnings when you are about to visit a site that appears malicious and blocking automatic and malicious downloads
    • Updates automatically to ensure that the endpoint is protected against the newest threats
    • The ability to identify the type of malware attacking the endpoint.
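
The signature matching described above, and why it recognizes only known threats until the database is updated, shown as an added example (not BCC's or any vendor's code). The sample bytes, family names and file names are constructed and harmless; real products use far richer signature formats.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed, harmless stand-ins for malware samples (plain text markers).
KNOWN_SAMPLE = b"HEADER::FAKE-MALWARE-FAMILY-A::payload-v1"
REPACKED_SAMPLE = b"HEADER::FAKE-MALWARE-FAMILY-A::payload-v2"  # same family, different bytes
NEW_SAMPLE = b"HEADER::FAKE-MALWARE-FAMILY-B::payload-v1"       # not in any database yet
CLEAN_FILE = b"Meeting notes for Tuesday."


class SignatureDB:
    """A toy signature database: exact-file hashes plus byte patterns."""

    def __init__(self):
        self.hashes = {}    # SHA-256 hex digest -> detection name
        self.patterns = {}  # byte sequence -> detection name

    def add_hash(self, sample, name):
        self.hashes[hashlib.sha256(sample).hexdigest()] = name

    def add_pattern(self, pattern, name):
        self.patterns[pattern] = name

    def match(self, data):
        """Return the detection name for data, or None if nothing matches."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.hashes:
            return self.hashes[digest]
        for pattern, name in self.patterns.items():
            if pattern in data:
                return name
        return None


def scan_directory(root, db):
    """Scan every file under root; return {file name: detection name}."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            name = db.match(path.read_bytes())
            if name is not None:
                findings[path.name] = name
    return findings


def build_constructed_tree(root):
    """Write the constructed sample files into root."""
    files = {
        "known.bin": KNOWN_SAMPLE,
        "repacked.bin": REPACKED_SAMPLE,
        "new.bin": NEW_SAMPLE,
        "notes.txt": CLEAN_FILE,
    }
    for name, data in files.items():
        (Path(root) / name).write_bytes(data)


def demo():
    """Scan the same files three times as the signature database grows."""
    db = SignatureDB()
    # Day 1: the vendor knows one exact file.
    db.add_hash(KNOWN_SAMPLE, "FamilyA (exact file)")
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root)
        hash_only = scan_directory(root, db)

        # Day 2: a pattern common to the whole family is added.
        db.add_pattern(b"FAKE-MALWARE-FAMILY-A", "FamilyA (pattern)")
        with_pattern = scan_directory(root, db)

        # Day 3: the vendor has analysed the new family and ships an update.
        db.add_pattern(b"FAKE-MALWARE-FAMILY-B", "FamilyB (pattern)")
        after_update = scan_directory(root, db)
    return hash_only, with_pattern, after_update


if __name__ == "__main__":
    labels = ("hash signatures only", "plus family pattern", "after database update")
    for label, result in zip(labels, demo()):
        print(f"{label}: {result}")
```

The file `new.bin` sits on disk undetected through the first two scans, which is the gap that regular signature updates close.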

  • Why Higher Education needs endpoint encryption

    Encryption is an essential component of a layered data security strategy. Every higher education institution incorporates multiple layers of protection, including firewalls, intrusion prevention, antimalware, and data loss prevention. Encryption acts as the final layer to protect data in case it falls into the wrong hands.

    There are two basic types of endpoint encryption:
    • Whole drive encryption renders a laptop, server, or other device unusable except for holders of the correct PIN.
    • File, folder, and removable media (FFRM) encryption locks only designated files or folders.

    Whole drive encryption protects the operating system and data on laptops and desktops by encrypting the entire drive except for the master boot record. This is left unencrypted so the machine can boot and locate the encryption driver to unlock the system. When a computer with an encrypted drive is lost, it's unlikely that anyone will be able to access the data on it. Whole drive encryption is automatic, so any content stored on the drive is automatically encrypted.

    There are two methods of authorizing a user on an encrypted drive:
    • With the first method, the drive boots into the operating system, and the user signs in before accessing applications or data.
    • The other method is pre-boot authentication, which requires a user to enter a PIN or password before the operating system boots. Pre-boot authentication is considered to be more secure, as the data remains encrypted until authentication is complete. Pre-boot authentication defeats exploits like Windows password crackers, which require restarting the computer.

    File, folder and removable media (FFRM) encryption encrypts selected content on local drives, network shares, or removable media devices. The encryption software deploys agents that encrypt files based on an institution's policies. File-based encryption supports both structured and unstructured data, so it can be applied to a database as well as documents and images. File-based encryption keeps the data encrypted until an authorized user opens it. 

    This is different from whole drive encryption, which decrypts all the data after the user is authenticated and the system has booted. Therefore, file-based endpoint encryption continues to protect the data even after it leaves the institution. For example, when an encrypted file is sent as an email attachment, the recipient must be authenticated to decrypt the file. Recipients who don't have the appropriate encryption/decryption software receive a link to a portal that can authenticate them and decrypt the file, or they receive a password protected zip file, where the recipient has to enter a password communicated by the sender.

    Endpoint encryption software may include a variety of management capabilities, such as:
    • A central dashboard with status reports.
    • Support for mixed encryption environments.
    • Key management capabilities, including creating, distributing, destroying, and storing keys.
    • Centralized encryption policy creation and management.
    • Automatic deployment of software agents to endpoints to enforce encryption policies.
    • Identification of any devices that lack encryption software.
    • The ability to lock endpoints that fail to automatically check in.

    Encryption is an important layer in an institution's security infrastructure. Security products such as firewalls, intrusion prevention, and role-based access control applications all help protect data within Berkshire Community College. Data encryption can protect data even after it leaves BCC. Encryption is a key defense against data theft and exposure.

Endpoint protection provides essential security for many types of endpoints, from smart phones to printers. An endpoint protection platform (EPP) is an integrated suite of endpoint protection technologies—such as antivirus, data encryption, intrusion prevention, and data loss prevention—that detects and stops a variety of threats at the endpoint. An endpoint protection platform provides a framework for data sharing between endpoint protection technologies. The IT Department is responsible for providing a non-intrusive and easily adopted endpoint management infrastructure for all students, faculty and staff.  While deploying these security elements is essential, the IT Department is aware of the need to ensure they are not disruptive and do not cause interruptions in service.  A carefully designed endpoint management structure should support the security posture of the college, minimizing risks to the students, faculty and staff in a discreet and considerate manner.

Hal’s IT Tips: The Return of Emotet and Delayed Delivery
  • What is Emotet? 

    Emotet is malware; its purpose went through multiple iterations, but its final incarnation was for turning computers into “bots”. Bots are computers that run under their control, and they rented that control out to other cyber-criminals. Law enforcement shut down their servers – and the threat was thought gone. However, it has just started to crop up again – the most common way to be infected is from email attachments, generally some form of Office file.

    The best way to think of this may be the analogy of a bad fantasy novel or movie. The villain raised an army of zombies and set them against the good people of the land. The forces of good destroyed the artifact that allowed our villain to control his horde – there was much rejoicing – roll credits. Time for the sequel, our villain has returned and is again trying to spread their zombie plague. So please be careful with emails you get, or you may be one of the victims of our villain.

    I wanted to address one other topic today. How to delay the delivery/sending of an email.

    So, you can do this with the Outlook program on your computer – but that has an issue. The email sits in your Outbox until the send time hits. Therefore, if your computer is off, Outlook isn’t running, etc. – the message won’t be sent. So probably not the best way to do this.
    Instead, I am going to discuss doing it through the web email. You don’t need to be logged into the web email when it is told to send – once it is set up you are done. So how do you do this? It is very easy, you have already seen it – but you probably overlooked it (I know I did.) What you need to do is:

    • Compose your email like normal.
    • Don’t click Send; rather, click the drop-down arrow next to it and pick Send later.
    • Select the date and time and hit the Send button.

    That is it – it should go out at that date and time.

The difference between the Internet and the Intranet: an explanation

There are significant differences between the Internet and the Intranet. What follows is a definition and description of each term.

  • The Internet

    A global network that uses different protocols to connect millions of computers worldwide. It can include different networks, such as private, public, organizational, academic, government, etc. It allows users to communicate with each other and share massive amounts of data in various formats. The Internet is available in both modes, wired and wireless. In wired mode, the data travels through fiber optic cables, whereas in wireless mode, the data travels through radio waves.

    Some of the essential applications of the Internet are listed below:

    • File sharing
    • Downloading media files and software
    • Sending and receiving emails
    • Browsing any information
    • Using social media platforms, forums, and communities
    • Voice Calls, Video Conferencing, and Chatting with friends, family members, and colleagues

  • The BCC Intranet

    Owned and used privately by the College. It is mainly used to connect all the computers and establish a private network of an organization to provide employees the ability to collaborate on projects, manage or update information, share calendars and to-do lists, etc. Organizations prefer using an Intranet to keep their data inaccessible to outsiders, keeping their sensitive data and project information secure. The Intranet includes a firewall to prevent unauthorized users from accessing the network.

    The websites created on an Intranet look and act much like any other website on the Internet. However, these websites are much more task-oriented than the promotional websites on the Internet. Like the Internet, the Intranet's websites can also provide an interface for communication in the form of chatting, image sharing, audio-video conferencing, etc. All these activities can only be used by authorized users who have permission to access the Intranet network.

    Some other essential applications of the Intranet are listed below:

    • Sharing the updates regarding the company's rules and regulations
    • Onboarding of employees and customer details
    • Submitting and sharing project details and reports

How do the Internet and Intranet work, and what is single sign-on? Please provide other questions to svieira@berkshirecc.edu

Archive

  • October 2021 Newsletter

    Director’s Intro

    Having joined the Berkshire Community College family on July 19th, I thought it time to introduce myself and publish this little monthly update.

    I am Steve Vieira, the Director of Information Technology at the college. In my career, I have held multiple IT-related roles and have a breadth of knowledge on a number of topics.

    I have enjoyed providing support for students, faculty and staff at several community colleges, large and small universities and comprehensive colleges in Canada.

    I have an “open door policy” and welcome opportunities to hear how you think the IT department might improve the use of technology on campus. In the past, many truly unique ideas have been offered that we have put into place.

    In this little newsletter, I plan to update everyone on ongoing and new projects in which the IT staff is engaged. My hope is that if you have heard about something IT is doing, you heard it here first.

    The IT Team is dedicated to solving all of your problems in a timely and efficient manner. Statistics show that requests are being resolved in a day or less in most cases.

    One item that seems to be underutilized is the Knowledge Base. This is an area where articles about commonly asked questions should be addressed, helpful enough to provide answers to issues that might not need the IT Help Desk to resolve. The IT Team would like to expand the coverage for materials specifically designed to help faculty and staff. The Student Knowledge Base has been well populated and now it is time to do the same for the professional community.

    This will also help generate an IT Service Catalog, another topic in this newsletter.

    Projects and New Tools

    • Handshake = Handshake connects you, your school, and employers together to find jobs meant for students. Handshake has opportunities for students and new college grads recruiting specifically at BCC. Handshake gives you personalized job recommendations based on the information you provide on your profile, so you can find jobs and internships that are right for you. 80% of students who fill out their profile receive a message from a recruiter and Handshake uses your job interests to recommend opportunities to you, part-time job, full-time job, or internship, in the cities you’d like to live and work in. Download the Handshake App from the App Store or Google Play, to search and apply to jobs right from your phone. You’ll also be notified when you receive a message from an employer.
    • Vector Solutions Safe Colleges = Safety means so many things in society today and having the training support for all types of situations is the key goal of Safe Colleges. Designed for students, faculty and staff, suggested training modules are provided for subjects from health-related to cybersecurity to diversity and inclusion. The course materials are simple to use, informative and provide knowledge to better understand complex topics helping with better decision-making when facing day-to-day challenges.
    • Mongoose Cadence = With mobile being the preferred device of communication today, texting has replaced email as the “immediate delivery” tool everyone uses. Texts are typically brief, direct and meant to provide a timely conversation exchange.
      Cadence provides targeted text messages that can be sent to customized or campus-wide groups. From emergency messages to reminders about important dates (for financial aid, commencement, etc.), this tool enables on-demand communications capabilities designed to increase information exchange across campus.
    • Ellucian Experience = MyBCC, the campus portal played an important role at Berkshire Community College. 

    The Need for Knowledge – Knowledge Base That Is!

    One might ask what a Knowledge Base is. At Berkshire Community College, it is one of the first sources of information that everyone should explore when having a technology problem.

    The Knowledge Base is located here.

    Every college in the country has a Knowledge Base and they are all populated with the guidelines and training materials for using the applications offered to students, faculty and staff.
    BCC is no different with the greater portion of the Knowledge Base directed to helping students.
    Berkshire Community College and Information Technology are in the process of updating this useful tool to ensure that more faculty and staff questions can be answered quickly and efficiently.
    We need your help! Have you searched for something that you expected to be explained in the Knowledge Base and didn’t find it? Is there an article in this repository that is not clear? Is there something you would like to have explained or even a training video built, that might help you? Then this is the place to tell us!

    Email Steve and send along your suggestion. The Knowledge Base is better when everyone contributes ideas to make it better. I hope you will take a moment to send us your suggestion. If we determine that it would provide needed information and steer more of the BCC community to the KB, we will publish it and give you credit.

    At Your Service! Do You Know What Services IT Offers?

    A Service Catalog lists the services that an Information Technology team provides for the community it supports. In building the Service Catalog, IT is compiling a list of all the various requests that have been resolved, including the instructions on how to help yourself in the Knowledge Base, and defining the service provided and the agreed upon time for the issue to be resolved.

    This timeline is part of a Service Level Agreement and every service offered has a key performance indicator that describes the steps to ensure your satisfaction with a problem that has been addressed.
    Constructing a Service Catalog is a dynamic process where services are added and eliminated as the technology changes. In the coming weeks, the list of services provided by IT will expand to capture everything we do. One important piece of the collection of services will be a link that details how you can get the service you are requesting.

    Sometimes, this link will lead to the Help Desk where you can open a ticket to get help. That ticket is immediately connected to someone who can help and will notify you of the fact that we have your ticket and we are working toward a solution designed specifically for you.

    Hal’s Handy Hints – Using your Phone – Forward and Transfer

    Are you leaving your desk and your phone for a while? Did you know you can forward your phone to another number while you are away? Call forwarding starts by pressing the forward button just below the screen on your phone.

    Now, just follow the phone’s screen prompts. To forward calls to another extension, just dial the extension. To forward calls to an external number, dial 9 + the number (for example 918005551212).

    When you return to your desk, simply turn call forwarding off.

    One important reminder! When you forward your calls, your voicemails usually go to the forwarded voicemail, instead of popping up in your inbox. If the phone you forward your calls to picks up too quickly – then the message will end up there. For example, if someone forwards all calls to their cell phone, but the cell phone was set up to answer after 1 ring, the voicemail will go to the cell and not your desk phone.

    Use the transfer option to transfer a call to someone else. Press the transfer button beneath the screen, type an extension, your phone will start calling the extension. You can then either press transfer again to transfer the call, or stay on the line to talk to the person you are calling and then hit transfer to transfer the call.

    As an example, transferring a call to the Help Desk (3004) would be ‘transfer’ 3004 and then (if you choose not to talk to me) ‘transfer’ again. You can also transfer calls straight to someone’s voicemail. It works the same as described above except you dial an * (asterisk) before the number. To send a call straight to the Help Desk’s Voicemail would be: ‘transfer’ *3004 ‘transfer’. For further help, please contact the IT Help Desk.

    Stop Before You Click!

    Did you think you were being offered Mrs. Laurie Keller's late dad’s 2014 Yamaha Baby Grand piano? Did you send a ransom to the bitcoin address (BTC Wallet)? Did you get a package confirmation from PayPal that you did not expect?

    All of these are examples of phishing attacks (all were sent to people at BCC). They prey on the anxiety of students who must fill out all their paperwork or miss out on something important, and of new staff members completing their paperwork as part of the hiring process and making sure they do it in a timely manner. So much paperwork, so many things to complete, all needed as soon as possible. This causes people, who get caught on a regular basis, to click before taking a moment to ensure they understand what they are clicking. A scammer’s best friend – anxiety and timelines.

    Phishing and spear phishing are attacks on personal information. Phishing goes for volume (thousands of scam-type emails are delivered hoping to catch one poor soul who clicks on the wrong link or attachment). Spear phishing is directed at a single person (someone in charge who has greater privileges and access to data than others).

    Be cyber secure. Don’t click if you receive unexpected attachments or links, even if they look real. Be cyber aware! Let the IT Help Desk help you.