SWTJC Information Security
SWTJC is committed to the security of all the information resources under our control. To that end, we incorporate best practices and are constantly monitoring the technology infrastructure to make sure it is protected from unauthorized use. You are a critical part of that protection. A common misconception about cyber-attacks is that they involve sophisticated tools and techniques, and sometimes they do. However, typically the most effective techniques involve simple mistakes. The resources on this page are intended to help you protect the privacy and security of SWTJC's information.
SWTJC is currently implementing Multi-Factor Authentication (MFA) for certain cloud services. MFA provides a secondary source of identification for access to SWTJC resources and helps prevent the misuse of those resources. Any information or updates on the progress of the roll out will be provided here.
Access to the SWTJC Information Security Standards and Policies is now available. Faculty and Staff can review the policies and controls SWTJC uses to ensure a secure infrastructure.
Resources
The Texas Risk and Authorization Management Program (TX-RAMP) was created to provide a "standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency." TX-RAMP requirements apply to state agencies, institutions of higher education, and public community colleges (Texas Government Code 2054.003 (13)). As of January 1, 2024, this requirement applies to all data regardless of classification. SWTJC complies with the statutory requirements of contracting for cloud services, Level 1 for non-confidential data or low-impact systems and Level 2 for confidential data or high impact systems.
SWTJC must only enter into contractual agreements with cloud services that are certified through TX-RAMP and must obligate the service provider to maintain TX-RAMP compliance and certification throughout the contract period. In addition, the service provider must notify SWTJC of data breaches.
SWTJC follows the convention of assigning one of three levels to data - Confidential, Sensitive or Public. The following guidelines apply to each level:
- Confidential - Information protected specifically by federal or state law, college or system rules or regulations which, if exposed, would likely result in substantial harm to the college, but for which there are no proscribed administrative, punitive or monetary penalties. Data in this category is generally not subject to release under open records laws. Examples include: social security numbers, driver license numbers, passport information or criminal investigation information.
- Sensitive - Information related directly to or proceeding from the operation and administration of the college and normally restricted to college employees, but which is releasable in accordance with the Texas Public Information Act. Examples include: IT Policies and Procedures, non-disclosure agreements, contractual data or unpublished research as well as employee appraisals or salary information.
- Public - Information which is generally available publicly or appropriately and intentionally made public by the college. Information in this category has no requirement for confidentiality.
Multi-Factor Authentication (MFA) is the process of protecting resources by adding another factor to identify the user. By combining something you know (a password) with something you have (Microsoft Authenticator on your smart phone) access to those resources are better protected. This will require that users download and install the MS Authenticator app. The app does not store any record of the access, it just confirms your identity. What this helps prevent is the use of compromised credentials, especially while using your email account.
We are currently rolling out MFA for Students, see MFA Configuration for instructions on installing and configuring MS Authenticator. If you want to wait, the first time you log into Microsoft 365 you will be presented with the QR codes to install MS Authenticator, and then be taken through the process of verifying your phone connection, again using QR codes.
Please contact the Service Desk at (830) 591-7323 if you have a current threat, they will evaluate and isolate the threat as well as contacting the appropriate staff members to assist.
Contact the Information Security Officer at (830) 591-7299 if you have a question about suspected threats or anything you think is suspicious.
Contact the Service Desk about email scams or spam email.
Current Items of Interest
TikTok
On December 7, 2022, the Governor of the State of Texas issued a Directive banning the use of TikTok and it's apps on any state owned device, that includes cell phones, tablets, desktop and laptop computers, and other Internet capable devices. SWTJC defined a policy that states we will abide by the Prohibited Technologies list. Other applications and sites affected include Tencent Holdings, WeChat and Kaspersky among others. Please see Prohibited Software and Applications for the full list.
What this means is that Faculty and Staff are banned from using this technology on college owned devices, and the college is preventing the installation of the technology on our networks.
We have also blocked access to any banned technology from our network, wired or wireless. There will be no access to a banned application on any device, college owned or personal while using SWTJC's network.
Please call the Information Security Officer at (830) 591-7299 with any concerns or questions.
Ransomware
An annual report from the Security Information Exchange says ransomware has surpassed data breach attacks as the largest category of cyber attacks on schools.
Often, these attacks target K-12 districts, but attacks are up across the board, and often, the threat actors reach out and contact parents directly looking for a pay out.
In 2023, Ransomware attacks were up 84% from 2022. The United States accounted for 60% of the global attacks, up from 43% in 2022.
The most common attack vector are phishing emails and zero-day vulnerabilities.
PayPal Invoice
PayPal has a feature which can be used to send invoices from within PayPal to anyone. This feature has been used to send fake invoices in an attempt to get the target to call the phone number provided in order to secure your account, there is no reason to call. In SWTJC's case, there would be no reason for PayPal to be sending anyone an invoice, and if you receive such an email at your personal account, verify with PayPal before calling the provided contact.
Phishing scams
There has been a significant increase in the number of phishing emails lately, and it appears that there are a good number of compromised credentials as well. SWTJC is investigating, but the most likely reason is that simple passwords are being used. We are looking at a couple of things to do to remedy the problem, primarily looking at MFA for Microsoft 365. This won't prevent compromised credentials, but it will reduce the number of what appear to be internal users abusing the system.
Also, with the use of AI to produce these phishing emails, threat actors are getting better at avoiding detection and convincing users to provide sensitive information. They still use the same techniques, requiring urgent attention, threatening the loss of access or needing you to access a Google doc for a colleague. Even though the grammar is more refined the intent is the same, and you are the last defense against an AI email phishing scheme.