Background
Calendars that are publicly visible to the internet present risks to Berkeley Lab by providing information that could be used by cyber attackers. This article is intended to provide context on the risks of calendar sharing and recommendations to manage and secure your Google calendar.
What Do I Need To Do
Review the Risks/Impacts and consider the recommended calendar changes below. It is fine to leave your calendar open to the public, if you are aware of the risks.
Risks/Impacts
Fuel for targeted phishing campaigns: Targeted phishing attacks are designed to entice recipients into providing data to the scammer. An attacker could use publicly available calendar data like meetings, agendas, attendees and attached materials to launch attacks.
Zoom links and passwords: Nearly all meetings these days involve Zoom, and calendar events usually include Zoom conference information. These Zoom conferences are not as exclusive as they could be if your calendar details are fully readable to the internet. The meeting details of the Zoom conference room are vulnerable to unwanted or malicious attendees accessing your zoom-hosted meeting.
Exposed data: Event invitees, agenda and materials linked or attached to the meeting are exposed if your calendar is fully public. In addition, meetings in which YOU are an invitee (that is, meetings owned by others) present on your calendar will also be exposed to the internet.
Private information: If you have information on your calendar related to you travel plans, sick/vacation days, doctor's appointments, personal events, that can be exposed to an attacker/stalker.
Recommendations
Recommendation 1: Disable 'Make available to the public'
Most people do not need to have their calendars public to the internet to conduct business. Publicly available calendars should be reserved for necessary business use-cases (Example: seminar event calendars).
Recommendation 2: Consider 'Make available to Berkeley Lab (Univ of California) - See only Free/Busy'
In most cases, calendars serve as a means for determining when to schedule others to collaborate, Free/Busy visibility facilitates this need. It is safe to share calendar free/busy time with other Berkeley Lab employees.
Recommendation 3: Share calendar details with specific people only
If you wish to share more calendar details, consider sharing only with specific individuals. This allows you to share information on your calendar with greater control on who and what level of permission an individual may view or modify your calendar information.
Recommendation 4: Review calendar access permissions routinely
Take time to review your calendar share permissions now. Review calendar access permissions regularly. Limit or remove access if it no longer needed.
Recommendation 5: Create a group calendar and share it with anyone/public
If you need a calendar and its events to be shared publicly, then we recommend that you create a separate (group) calendar and share it with anyone/public and add specific event(s) to that calendar instead of your primary calendar.
Create a calendar: https://support.google.com/calendar/answer/37095
Share a calendar: https://support.google.com/calendar/answer/37082
