Blog

How To Share Microsoft Excel Spreadsheets


Have you ever been working with an Excel document that needed to be accessed by multiple people? Often it is possible to grant access to these people, but only one person is able to edit. Here’s a simple trick to avoid that problem!

Step 1:

  • In your Microsoft Excel document, click the File tab on the upper left hand corner of the screen and select Options from the left side menu.
  • A new tab will open. Select Trust Center and then Trust Center Settings.
  • A new tab will open. Select Privacy Options on the lower left hand of the column and then under Document-specific settings make sure “Remove personal information from file properties on save.” is unchecked. Press Ok.

Step 2:

  • Under the Review tab at the top of the Excel worksheet, click on Share Workbook.

  • A new tab will open. Make sure there is a check mark next to the box that states “Allow changes by more than one user at the same time.”


And there you have it! Now you can share Microsoft Excel spreadsheets without the worry of being unable to edit content due to multiple users at the same time!

New Device? Check Your CyberSecurity

From the Desk of Thomas F. Duffy, Chair

Last month, we talked about how you can minimize your risk of identity theft and malicious cyber activity while doing your online holiday shopping. In this month’s issue, we’ll focus on another aspect of the holiday season: that new device you get or give during the holidays. Whether it’s a smartphone, laptop, desktop, tablet, or another device, check out the below tips to help you protect your new technology and secure your personal data.
  • Configure your device with security in mind. The “out-of-the-box” configurations of many devices and software are default settings often geared more toward ease-of-use and extra features rather than securing your device to protect your information. Enable security settings, paying particular attention to those that control information sharing.
  • Change the device’s password – the default passwords for many brands of devices are well known to hackers. 
  • Remember to secure your Internet of Things (IoT) devices. Internet of Things devices include smart home thermostats, home surveillance cameras, smart refrigerators, lights, and many other examples. These need to be secured just like your phones, tablets, and laptops. One way to do this is to change the default password that comes pre-configured on the device to a strong password of your own choosing. This makes it much harder for cyber criminals to compromise your household devices.
  • Turn on your firewall. Firewalls provide an essential function of protecting your computer or device from potentially malicious actors. Without a firewall, you might be exposing your personal information to any computer on the internet.
  • Lock the device. Locking your device with a strong PIN or password makes unauthorized access to your information more difficult. Passwords are more secure than PINs and should be at least 8 characters long combining upper and lower case letters, numbers, and symbols. If you have an Android device and want to use a lock screen pattern, make sure the pattern includes at least 7 points and doubles back over itself (e.g. at least 2 turns). Additionally, make sure that your device automatically locks after a brief period of inactivity, preferably between 30 seconds and two minutes. This way, if you misplace your device, you minimize the opportunity for someone to access your personal information.
  • Regularly apply updates. Manufacturers and application developers update their code to fix weaknesses and push out the updates. Enable settings to automatically apply these updates to ensure that you’re fixing the identified weaknesses in the applications.
  • Install antivirus software. Install antivirus software if it is available for your device and enable automatic updating of the antivirus software to incorporate the most recently identified threats.
  • Disable unwanted and unneeded services. Capabilities such as Bluetooth, network connections, mobile wallets, and Near Field Communications provide ease and convenience in using your smartphone. They can also provide an easy way for a nearby, unauthorized user to gain access to your data. Turn these features off when they are not needed. Also consider disabling or uninstalling other features or apps that you no longer use.
  • Be careful when downloading apps. Apps provide a lot of wonderful capabilities for your device, but they are a common way that malicious actors disseminate malware or gather information about you. Always make sure you trust the app provider and download the app from the Google Play Store, Apple’s App Store, or other trusted source, as they proactively remove known malicious apps to protect users. Be proactive and make sure that you read the privacy statement, review permissions, check the app reviews, and look online to see if any security company has identified the app as malicious.
  • Set up a non-privileged account for general web use. Privileged (such as Administrator or Root) accounts allow you to make changes in how your device operates, but a compromised administrator account provides attackers with the authority to access anything on your device. Use a non-privileged account when browsing websites and checking emails.
  • Maintain your device’s security. Remember that setting your device to be secure is great, but you have to keep those settings, as well. It may be tempting to do away with some of the security, such as a lock screen password, or allowing the settings to change when you get an app update, but that puts your device and information at risk.
By using caution and following these tips, you can help secure your new device and protect your information. Have a safe, secure, and joyous holiday season!
Citation:

Make Your Agency’s Intranet Page YOUR Home Page!

With the exception of a few agencies, when you open your internet browser you will be immediately directed to the State’s Home Page.

Recently, some agencies have been looking into the option of the internet browser defaulting to their agency’s intranet website. Department of Health happens to be one of the more recent agencies to make this conversion. When asked why they went this route, Barb Buhler explained:

“The goal of the switch is really to drive staff to the DOH Intranet and the resources that are posted there. We’ve made a concerted effort to add information staff need and have asked for (policies, fiscal forms, ACES guides, etc.) and wanted to make it as easy as possible for them to find it. Also, in spite of the fact there is a link to our Intranet in the footer of our main website, some staff commented it was hard to find. J This whole effort is just one part of a larger internal communications objective identified in our department strategic plan and our workgroup is continuing to look at expanding resources on the intranet.”

Barb later joked, “So far the response has been positive – one person commented they appreciate the easy access to our Intranet site but missed the “pretty pictures” on the state’s home page!”

While there might be a lot of other persuasive reasons to consider relinking your agency’s home page to it’s personal intranet- the point of this article is to inform you that the option exists! If you have further questions on how to go about this route, please contact your BIT Point of Contact (POC). They will be happy to assist you!

Employees of the Quarter!

Eric Swiggum

Eric Swiggum serves as a Database Administrator (DBA) focused on SQL database administration and support in the BIT Data Center DBA Team. Eric started with BIT in December 2012 as a SQL Server DBA and quickly learned the ropes in his new position. Eric came to BIT as an experienced technologist with a focus on database technology from the perspective of a business intelligence developer. Included in his background was a diverse knowledge in database technologies outside of SQL Server including IBM DB2, Oracle & Teradata. Eric also had prior experience administrating SQL Server, Informatica and enterprise scheduling software.

Over the past 20 months Eric has been converting workflow packages in SQL Server DTS* (Data Transformation Services packages) to SQL SSIS (Server Integration Services packages), working with developers as needed to get these packages converted. A majority of Eric’s efforts in this work have been focused on converting the legacy Visual Basic 6 script to Visual Basic .Net script. There were more than 450 packages to convert and this was a manual effort. A factor that increased the difficulty of this conversion was coordinating with all the different groups, developers and end-users. At times it was even difficult to find anyone in BIT that was familiar with the legacy DTS packages. Undaunted, he reached out to end users with knowledge of the processes involved to understand the business requirements of the code so that he could be sure to convert it while maintaining its functionality.

*DTS packages are a legacy facility replaced by SSIS packages and there is no automated migration available. 

The DTS to SSIS conversion is important as future versions of SQL Server will not support DTS packages. Normally this is the type of work a developer would take care of but development could not spare the resources for this project and the estimate provided by a service provider to perform the migration for BIT was nearly $200,000. Instead of costing the tax payers such a hefty fee, Eric volunteered to apply his development skills he brought to BIT and perform this work himself as time permitted, saving our citizens a tidy sum of money and allowing Development to stay focused on other client engagements.

Shawn England


Shawn England serves as a Technology Engineer III for the division of Telecommunications within the Bureau of Information and Telecommunications. Shawn began his journey with state government in September of 2009, briefly left for a couple of years to work for the Pierre School District, and was hired back at BIT in June of 2012.

Shawn’s primary focus as a Technology Engineer III consists of dealing with technology in schools, Fortinet, security, networking, servers, and wireless. About 2 years ago, Shawn proposed implementing a Border Gateway Protocol (BGP), which is a standardized exterior designed to exchange routing and reachability information which amount to autonomous systems (AS) on the Internet.

It was quite evident from the start that Shawn was willing to invest time into analyzing BIT’s current technology as well as researching telecommunications provider technology. This solution came as part of the Communications Transport RFP which included connecting more than 800 sites to the DDN. Shawn evaluated features of network infrastructure hardware which allowed BIT to consolidate the on-site infrastructure from three devices to one. This effort has allowed BIT to save one-time and ongoing costs.

In addition to heading this effort, Shawn has stepped into a leadership role in the security and network areas within the last year at BIT. Shawn is easy to work with and always willing to help, making him a perfect candidate for the employee of the quarter award.

Outside of work, Shawn enjoys playing trombone, shaving “old-school-style” with lather and a brush,

and bicycling. He can also be found building cardboard box forts with his daughter, Bentley, drinking cold brew coffee and discussing school politics.

Susan Dutt

Susan’s primary day-to-day responsibilities include development and support of several DOT applications. One of these is the Concept To Contract (C2C) app, which tracks construction projects from the cradle to the grave. If there’s a DOT construction project in progress, planned, or even completed many years ago, Susan can locate the associated information.

In the fall of 1986, Susan graduated from SDSM&T as a computer science major and became a full-time DOT application developer. This was also around the time the IBM 286 PC (with an actual hard drive) first hit the market. A hard drive was pretty high tech, so she settled with a machine with dual floppies instead.

Susan kept up with the ever changing application development landscape over the years. She started programming in Natural and COBOL, but moved to the cutting edge to develop apps using dbase and DOS commands. Some of her original systems have made the transition from dbase to Access and then to SQL.

While Susan may write or review code once in a while, her main focus over the last few years has been as an analyst and project manager. Understanding the client’s business needs, personalities, and workflows allows her to excel. Many times, she understands the application and workflows better than the people utilizing or requesting the application.

Recently, Susan has acquired the role of scrum master. The scrum master is the facilitator/coach of a team of developers that utilize the scrum development methodology for creating applications. Her most recent Scrum development project is an Environmental Tracking System for DOT. Even though resources have been pulled from the project, she still manages to keep the project pointed in a positive direction.

Susan grew up in Tolstoy, SD–go Greyhounds!–and still spends many weekends there with her mother and other family members to lend a helping hand. She also enjoys reading, cooking, gardening, crocheting, and the occasional cross stitch.

Congratulations Eric, Shawn, and Susan! BIT is happy to have you!

It’s Cyber Monday! Are You Prepared?


How do attackers target online shoppers?

  • Creating fraudulent sites and email messages – Unlike traditional shopping, where you know that a store is actually the store it claims to be, attackers can create fraudulent, malicious websites or email messages that appear to be legitimate. Attackers may also misrepresent themselves as charities, especially after natural disasters or during holiday seasons. Attackers create these malicious sites and email messages to try to convince you to supply personal and financial information.
  • Intercepting insecure transactions – If a vendor does not use encryption, an attacker may be able to intercept your information as it is transmitted. This could include intercepting your name, address, and payment card information.
  • Targeting vulnerable computers – If you do not take steps to protect your computer from viruses, malware or other malicious code, an attacker may be able to gain access to your computer and all of the information on it. It is also important for vendors to protect their computers to prevent attackers from accessing customer databases.


How can you protect yourself?

  • Do business with reputable vendors.
  •  Make sure your information is being encrypted (SSL). Make sure the URL in your browser begins with https: 
  • Be wary of emails requesting personal, credit card, or email information. 
  • Use a credit card – In contrast to using a debit card, the money is subtracted from your bank account directly, making it very hard to get back. With a credit card, you can always dispute the charge.  
  • Check your shopping app settings – Apps on mobile devices sometimes request far too many permissions. Your shopping app wants to access your calendar? We don’t think so. 
  • Check your statements – After entering your credit card information online, most shoppers falsely assume the threat ends here. Unfortunately that’s not always the case. Merchants or someone else may use your information to make additional purchases or charges. · Check privacy policies – Most privacy policies provide an explanation about merchant policies in regards to sharing your data. 

Email Phishing Is Real And Very Dangerous!


In August of 2016 29% of state government employees failed an authorized internal phishing. Nearly 30% of the set of employees tested clicked on a fake link that could have downloaded malware to their computer or compromised it in some manner. This is a serious problem!

The magnitude of this failure indicates we need to increase efforts to educate and inform employees of the significant risks associated with a simple email message. In a typical month, state government receives nearly 10 million email messages, of which over 80% are identified as spam or malicious and are automatically blocked. 8 million are blocked by technical processes! But our automated defenses are insufficient to block all nefarious messages. It is imperative that every employee with an email box be consciously aware of a message before clicking on it and any contents within or attached to the message. The phishing threat occurs within state government every day!

Yes – a simple email message can put at risk all of that confidential data entrusted to us. We must be smart with every message we receive.

Phishing is defined as sending a malicious electronic communication, e-mail, text, etc., and is recognized as the most common attack vector in cyber-crime today. A variation of phishing, spear-phishing, is a more targeted phishing attack aimed at specific organization or group of individuals. The attackers research the organization, seeking names of departments and managers, and use this information to construct emails which appear to be legitimate and authentic.

The very recent data exfiltration’s from the Democratic National Committee and presidential campaign are rumored to have been initiated with a Gmail phishing message. Once the foothold from downloaded malware or compromised credentials is achieved, hackers can ‘leap frog’ from computer to computer looking for valuable data.

Whaling, yet another form of phishing, targets high-level executives with more focused and topically-researched malicious emails. State government has experienced very specific whaling messages being delivered to senior level departmental executives within the past month. Again, the threat is at our front door.

Please, be particularly wary of unexpected emails relating to local, national, and world natural disasters. Hackers frequently use headline-causing events as the subject of their malicious emails, seeking to capitalize on people’s curiosity and empathy. They will construct messages that appear to originate from a charitable organization, but the only people they are interested in helping is themselves.

Telltale signs of a potential phishing email or message include messages from companies you don’t have accounts with, spelling or grammatical mistakes, messages from the wrong email address (e.g. info@yourbank.fakewebsite.com instead of info@yourbank.com), generic greetings (e.g. “Dear user” instead of your name), and unexpected messages with a sense of urgency designed to prompt you into responding quickly providing you no time to verify the information. “Resume” and “Unpaid Invoice” are popular attachments used in phishing campaigns.

Easy tips to protect yourself from phishing:

  • Do not follow links embedded in an unsolicited email. Instead type in the address yourself. Better yet, look up the organization’s main URL and go directly there. Be especially wary of “tiny links”. Very short URLs are commonly used by hackers to hide the actual destination site.
  •  ALWAYS hover over URLs to verify they represent the site they purport to denote. In the example below, the message claims to be from Apple asking the user if a purchase was legitimate. Of course they make it sound like the transaction should be canceled. If you hover over the link of apple.com though, you see the true link for the URL is diligentproperty.com. It is NOT apple.com. 
  • Only open email attachments you’re expecting, even if the email came from your friend. They may already be infected and this could be a malicious email sent by the malware infecting their machine. 
  • Be cautious about container files, such as .zip files, as malicious files could be packed inside. Those files are extremely dangerous and should not be opened. 
  • To verify a suspicious email and/or attachment – forward it to the BIT ReportSpam@state.sd.us mailbox, and we will safely evaluate the contents. 
  • Use antivirus software to detect and disable malicious programs, such as spyware or backdoor Trojans, which may be included in phishing emails. Your state computer is regularly updated with new definitions and features. To facilitate timely installation of these updates, do not delay when you are asked to “Restart” your computer; please do so that day. 
  • Be suspicious of unsolicited emails, text messages, and phone callers. Use discretion when providing information to unsolicited phone callers, and never provide sensitive personal or account information via email. 
  • If you want to verify a suspicious email, contact the organization directly with a known phone number. Do not call the number provided in the email. Or, have the company send you something through the US mail (which scammers won’t do). 
  • Do not send any sensitive personal information via email. Legitimate organizations will not ask users to send information this way. 

Dan Maxfield, State Disc Golf Champion!

On September 17th and 18th our fellow BIT employee Dan Maxfield participated in the 2016 State Disc Golf Championship Tournament hosted in Pierre by the Sharpe Shooters Disc Golf Club. The tournament took place at Oahe Downstream and Steamboat Park, al…

A New Hacking Trend? USB Drives


If you receive a mysterious USB drive in your mailbox- don’t open it!

In Australia, residents have been receiving unmarked USB drives in their mailboxes. Upon plugging in these drives, users see what appears to be a promotional offer from Netflix or another streaming service.

Those who proceeded with the installation found that it didn’t contain free entertainment, but rather infectious ransomware.

In more recent years, ransomware has become an ever-increasing threat. Viruses are used to steal data and use IT machines for nefarious purposes. Ransomware can give criminals an immediate payday when someone is successfully infected. Ransomware works by encrypting files stored on the machine and unlocking payment methods stored within the machine.

Moral of the story: If you receive an unmarked USB in your mailbox… Throw it away!

Citations

http://www.extremetech.com/computing/236157-australian-police-warn-of-ransomware-usb-drives-showing-up-in-mailboxes

October: National Cyber Security Month

The popularity of social networking sites continues to increase, especially among teenagers and young adults. The nature of these sites introduces security risks, so you should take certain precautions.

While the majority of people using these sites do not pose a threat, malicious people may be drawn to them due to the accessibility and amount of personal information that’s available. The more information malicious people have about you, the easier it is for them to take advantage of you. Predators may form relationships online, and then convince unsuspecting individuals to meet them in person. That could lead to a dangerous situation. The personal information can also be used to conduct a social engineering attack. Using information that you provide about your location, travel plans, hobbies, interests, and friends, a malicious person could impersonate a trusted friend or convince you that they have the authority to access other personal or financial data.

What can you do?

  • Limit the amount of personal information you post
  • Remember that the Internet is a public resource 
  • Be wary of strangers
  • Be skeptical
  • Evaluate your settings and privacy policies – Take advantage of a site’s privacy settings.
  • Be wary of third-party applications
  • Use strong passwords, and change them frequently
  • Keep software, particularly your web browser, up to date
  • Use and Maintain anti-virus software · Be cognizant of the company you keep. If you receive strange or unusual requests from ‘friends’ it is possible their account may have been compromised or cloned.

October: National Cyber Security Month

Ransomware is a category of malicious software that can literally hold computers hostage until a ransom is paid. Across the world, thousands of computers are impacted by this malware. The virus will digitally lock (encrypt) the files on a computer rendering the pictures, spreadsheets, and other documents completely inaccessible to the user.

Ransomware usually propagates via infected email attachments, website downloads, and USB drives. Following infection, the malware encrypts all files on the computers’ hard drive and any connected network drives. Those files remain encrypted and inaccessible until a ransom payment is made. Often, the malicious actor places a “self-destruct timer” to instill a sense of urgency in the victim and threatens that if ransom is not paid by a certain date, the files will be inaccessible forever. Victims that do not have adequate data backups have a decision to make: pay the ransom or lose their documents. Many times, even if the ransom is paid, the criminals do not remove the encryption and in some cases, ask for more ransom payments.

BIT has, unfortunately, had to rebuild an agency computer compromised by ransomware. Coincidentally, we have seen many email messages with malicious ransomware-infected attachments. Efforts to fight ransomware continue in information technology and law enforcement departments worldwide. Nearly a year ago the FBI and Interpol had been provided the decryption keys for files locked by a specific ransomware application This success followed the public issuance of an indictment against a Russian hacker who was a primary contributor to the development of many ransomware applications. This victory was short lived, however, as newer versions of that ransomware and closely related clones of that software, such as CryptoWall and TorrentLocker, are back in business.

So how can you help prevent a ransomware infection?

  • Don’t open or click on links in unsolicited emails, and don’t download files from untrusted sources.
  • Do not use free or found USB drives.
  • Backup, backup, backup! BIT regularly backs up data stored on network drives. However, individual files stored on a computer are not backed up by BIT. Make sure to backup your files on your home computers.