On this page:
- Strategies for IT Security
- Secure Passwords
- Antivirus Software
- Security Updates
- Computing Habits
Strategies for IT Security
Because no one is immune to malicious viruses and intrusion, we all need to do our part so that protection is in place for our computers and personal information. CaTS is working to ensure a safe computing environment on campus, but for this to happen, faculty, staff, and students need to understand how to secure their computers, whether they are used on campus or at home. Follow the six security strategies listed below and you'll be on your way to a safe and secure computing experience. Note: If you're using a CaTS supported computer on campus (contact the Help Desk at 937-775-4827 if you're not sure), firewalls, anti-virus software, and security updates are already done for you on that computer.
Passwords can be the weakest link in computer security. Selecting a good password is essential. Strong passwords are important because password cracking tools continue to improve and the computers used to crack passwords are more powerful than ever. Below are tips to create a strong password:
- Choose characters from each of the following groups:
- Upper case letters (A-Z)
- Lower case letters (a-z)
- Numbers and symbols
- DO NOT Use the following symbols: %, #, . , @ , ? , !
- Do not use a name or dictionary word in any language. Do not use a repetitive series like "456xyz". Don't use a common word, a friend's name, a pet's name, your nickname, etc. Co-workers, friends, and even casual acquaintances may know this information.
- Use a different password for each system. (For example Banner Admin and CAMPUS passwords)
- Never write down a password.
- Create passwords that can't be guessed from personal information such as name, address, SSN, birthdate, phone #, etc.
- Never save a password online.
- Change your passwords often.
A computer virus is a program that is infectious and can be highly complex. Viruses implant instructions in other programs or storage devices that can attack, scramble, or erase computer data. The destructiveness of computer viruses lies in their ability to replicate themselves and spread from system to system. Few computing systems seem to be immune to infection. There are two categories of viruses that are common today: macro viruses and worms. Computer viruses are never "naturally occurring." They are always man-made. Once created and released, however, their spread is not directly under human control.
CaTS now requires that all computers connected to the university network have virus scanning software installed. For university-owned systems, you can call the Help Desk at 937-775-4827 to have Microsoft's Endpoint Protection installed on your Windows or Macintosh system free of charge. For personally-owned systems, you can download antivirus software free of charge from the CaTS ConnectWright website under 'Security Software'.
The following activities are among the most common ways of getting computer viruses. Minimizing the frequency of these activities will reduce your risk of getting a computer virus.
- Freely sharing computer programs and system disks
- Downloading executable software from public-access bulletin boards
- Opening email attachments from people you don't know
Antivirus Information: Checklist for Safe Computing
Preventing viruses from infecting your computer is key to keeping your computer healthy. The following is a checklist for safe computing habits.
- Make sure your office computer and your home computer have virus detection software. There are two general functions antivirus programs perform: scanning for and removing viruses in files on disks, and monitoring the operation of your computer for virus-like activity (either known actions of specific viruses or general suspicious activity). Most antivirus packages contain routines that can perform each kind of task. Free virus detection software is available on the CaTS Antivirus Software website.
- Regularly back up your files. Viruses are one more very good reason to back up your files. Note: if you back up a file already infected with a virus, you can re-infect your system by restoring files from the backup copies. Check your backup files with virus scanning software before using them.
- Obtain software only from reputable sources. Check newly downloaded software for any signs of infection before you copy it to a hard disk. This can also help protect your computer from Trojan Horse programs.
- Open email attachments only from people you know. And even when you do that, be on the lookout for virus-infected attachments. Do not open attachments from unfamiliar individuals or attachments you were not expecting to receive.
- Quarantine infected systems. If you discover your system is infected with a virus, immediately isolate it from other systems. In other words, disconnect it from any network it is on and don't allow anyone to move files from it to another system. Once the system has been disinfected, you can copy or move files.
Spyware and adware are two of the most frustrating threats for computer users today. Spyware is software that watches your activities and collects personal data without your permission. Adware displays pop-ups and other forms of unauthorized advertising. Because these programs run in the background while you use your computer, they consume system resources and can slow down your PC significantly.
CaTS recommends that you use a combination of Lavasoft Ad-Aware and Spybot Search and Destroy on Windows computers to combat spyware and adware as well as other threats. Using these programs aggressively is the best thing you can do to keep your computer running efficiently. Visit the ConnectWright webpage to download these applications.
Windows Spyware Protection Tips
Aside from using Lavasoft Ad-Aware and Spybot Search and Destroy on Windows computers, there are other steps you can take to prevent spyware and adware.
- Update your software.
- If you are using Windows XP, one way to help prevent spyware and adware is to make sure all of your software is updated. You can visit Microsoft Update to make sure that you have Automatic Updates turned on and that you have downloaded all the latest critical and security updates.
- Use a firewall.
- While most spyware and other unwanted software come bundled with other programs or originate from unscrupulous websites, a small amount of spyware can actually be placed on your computer remotely by hackers. Installing a firewall or using the firewall that is built into Windows XP provides a helpful defense against these hackers. For more information on firewalls, go to the Firewall security strategy website.
- Surf and download more safely.
- The best defense against spyware and other unwanted software is not to download it in the first place. Here are a few helpful tips that can protect you from downloading the software you don't want:
- Only download programs from websites you trust. If you are not sure whether to trust a program you are considering downloading, contact the CaTS Help Desk at 937-775-4827.
- Read all security warnings, license agreements, and privacy statements associated with any software you download.
- Never click "agree" or "OK" to close a pop-up window. Instead, click the red "x" in the corner of the window or press the Alt + F4 buttons on your keyboard to close a window.
- Be wary of popular "free" music and movie file-sharing programs. Most of these promote illegal file sharing and you can get caught.
Security updates patch operating systems from known vulnerabilities. These updates are crucial to defending against new viruses and securing holes in the operating system from attacks. Select your operating system below to get specific information on setting automatic updates. Note: If you're using a CaTS-supported computer on campus (contact the Help Desk at 937-775-4827 if you're not sure), security updates are already installed for you on that computer.
Macintosh Update Server
Download the Macintosh Update Server Installation File. The new Macintosh update server will result in faster downloading of updates and allow CaTS to test the updates for compatibility with university applications before they are applied to campus computers.
Frequently Asked Questions
Why should I patch my computer?
Hackers are constantly looking for vulnerabilities in Microsoft, Macintosh, Linux, and other operating systems. Patches usually safeguard your computer from these vulnerabilities. Without patches or security updates, your computer could be compromised on a high-speed connection.
Do my applications need patches also?
Yes, most software vendors will supply you with the necessary patches to protect your applications. As Windows and other operating systems make it harder to compromise your computer, hackers are turning to applications that get into your machine. This is why it is so important that you regularly update your operating system and applications. Most vendors offer updates either automatically through the program or manually at the vendors website.
Setting Automatic Security Updates
Internet-based attacks cannot be prevented. Therefore, it is important to stop them at the first point of contact. Hardware and software on the perimeter of Wright State’s network are able to identify and limit the effects of an attack while supporting an open academic and research-oriented environment. CaTS acknowledges the challenges of perimeter security and seeks to recognize, control, and manage Internet traffic. A perimeter firewall seeks to control and manage Internet traffic, while a personal firewall seeks to control and manage traffic from the campus network. A personal firewall (installed locally on a computer) is used to monitor and control communication to and from your computer. Firewalls are used to prevent someone from remotely gaining access to your computer. Running firewall software is a key part of keeping your computer secure. Any computer on the Wright State network will be more secure with an enabled firewall.
All departmental computers running Windows and connected to the Wright State Active Directory Domain will have Microsoft’s native firewall turned on and preconfigured. This is managed centrally by CaTS. All other computers not joined to the domain should have the native firewall turned on to help protect the system.
If you are a student in the Wright State residence halls, a desktop firewall is required. See the links below for a few software suggestions, or see the setup directions for your specific operating system.
Setting Up a Firewall
Along with security strategies such as passwords, updates, firewalls, and spyware and virus protection, your computing habits can play a very important role when it comes to securing data. One of the best computing habits to develop is storing sensitive university data on your personal H:\ drive (also known as the users drive on the Mac). By storing files on your H:\ drive, you ensure that only you have access to these files. To read more about the many other computing habits you should be aware of to help ensure data security, check out the five areas below.
1.1 Overview of Privacy and Protected Information
Wright State University is responsible for collecting, storing, and distributing very large amounts of information. Some of this information is federally legislated as private and must be protected in accordance with laws such as the Family Education Rights and Privacy Act (FERPA) of 1974 (for student records), the Gramm-Leach-Bliley Act (GLBA) of 1999 (for personal financial information), and the Health Insurance Portability and Accountability Act (HIPAA) of 1996 for personally identifiable health information). All of us—faculty members, custodians, administrative assistants, computer support staff—have a responsibility to protect information about our students from public disclosure. It doesn't matter whether this information is on the network computer, on a printout, a computer screen, a diskette, a CD-ROM, etc. Information that is classified as “protected” cannot be disclosed or disseminated to the public (people who are not employees of the university). Much of the information about our students is considered protected.
Examples of protected information include:
- Social security number
- Home phone number
- Home address
- Health information
- Student grades
- Citizen visa code
- Veteran and disability status
- Courses taken
- Test scores
- Advising records
- Educational services received
- Disciplinary actions
1.2 General Privacy Guidelines
All employees and users of network computing resources at WSU have a role in protecting the University's information assets because their machines provide potential gateways to protected information stored on the network. Therefore, whether or not you deal directly with protected or confidential University information, you should take the following steps to reduce risk to WSU’s information assets.
- When in doubt don't give it out!
- Identify information as "PROTECTED" on the print-out pages, diskette, screen, etc.
- Use special care when posting grades (assign random numbers, do not use part of Social Security numbers).
- Do not leave paper documents containing protected information unattended; protect them from the view of passers-by or office visitors.
- Store paper documents containing protected information in locked files.
- Do not leave the keys to file drawers containing confidential information in unlocked desk drawers or other areas accessible to unauthorized personnel. Shred confidential paper documents that are no longer needed, and secure such documents until shredding occurs. If a shredding service is employed, ensure that the service provider has clearly defined procedures in the contractual agreement that protects discarded information, and that the provider is legally accountable for those procedures, with penalties in place for breach of contract.
- Make arrangements to immediately retrieve or secure protected documents that are printed on copy machines, fax machines, and printers.
- Restrict access to information and systems to people who need it to perform their jobs.
- Regularly review the list of users who have access to systems that contain protected information.
- Test internal processes to ensure data integrity and security.
2.1 Overview of Physical Security and General Guidelines
The physical security of computing resources (computers, equipment, files, etc.) is actually the first principle of good security because as long as someone can obtain physical access to your computer he/she can gain control over it. By instituting a few simple safeguards, you can greatly limit security breaches and other unauthorized access to computing resources. Here are a few helpful hints to safeguard the physical security of items that are your responsibility:
- Never allow another person to use your computer account.
- Log out when you leave your computer for long periods of time and “lock” your computer every time you step away. View the following PDFs for directions on how to lock your screen: Locking Your Computer Screen in Windows (PDF) or Locking Your Computer Screen on a Macintosh (PDF).
- Close and lock your office door every time you leave.
- Use security devices to lock down computers that are in public or otherwise unsecured spaces. Restrict the number of keys to your office.
- Know who accesses your office. It may be necessary to maintain an attendance log for high-security areas.
- Use a screensaver that requires a password to get back into your computer after the screen saver activates. View directions on Setting Up a Screen Saver Password for Your Windows Computer (PDF).
- Workstation screens should not be visible to anyone but the authorized user of secure documents.
- Keep your passwords and computer ID's a secret.
- Report suspicious-looking persons or activity to the WSU Police department.
- Express any concerns about physical security to your supervisor.
2.2 Security of Surplus Equipment
When university-owned computer systems reach the end of their usefulness in your department, you have the option to surplus that equipment through ESPM. However, this presents its own share of security risks that need to be addressed. Due to the significant risk of sensitive information leaving the university on hard drives that have not been properly erased, all computers (desktops and laptops) that are being sold through ESPM must have their hard drive removed by CaTS before sending it to ESPM. CaTS will ensure proper disposal of the drive. To arrange a removal, contact the CaTS Help Desk at 937-775-4827.
2.3 Security of Physical Media
Ensuring the confidentiality of information requires that all physical media (CDs, floppy disks, hard drives, etc) be disposed of properly. This means that, in addition to being properly erased before being discarded, hard drives must also be erased before being returned for any type of warranty work. Additionally, other media such as floppy disks, CDs, DVDs, and paper must also be carefully destroyed if they contain confidential information. Floppy disks should be destroyed by breaking the disk in half and cutting the center ring with scissors. CDs and DVDs should be broken into multiple pieces, and paper documents should be shredded. If assistance is needed in properly disposing of any physical media, contact the CaTS Help Desk at 937-775-4827.
2.4 Security of Laptop Computers
Laptops are easy targets for theft because they are so portable. They can be stolen from almost anywhere, including your office. Keeping your laptop secure, especially when traveling, is of utmost importance in order to safeguard University information. Follow the guidelines below to prevent your laptop from being stolen:
- Never leave your laptop unattended in a public place.
- During off-hours, place your laptop in your office or work area and lock the door.
- Place your laptop in a locked drawer or cabinet if you are unable to lock your office or work area.
- When traveling, lock your laptop in the trunk of your car, and watch out for potential thieves as you do this.
- Do not use your business card as a luggage tag since it discloses your place of work.
Data Theft Techniques
3.1 Social Engineering
Social engineering is a term that describes a non-technical kind of intrusion that relies on human interaction and involves tricking people to break normal security procedures. Social engineering relies on the fact the people are unaware of the value of the information they possess and are careless about protecting that information.
Social engineering can occur in many forms:
- A phone call asking for certain information such as a username and password, or other confidential information.
- Someone looking through trash to find printed documents with confidential information about students, faculty, and staff.
- A phone call from someone pretending to be an outside consultant or internal system support personnel.
- Emails asking for personal information
If you receive a phone call or visit from someone asking you for personal or confidential information, ask questions. Here are a few to ask that may help you stop a potential intruder:
- Ask for their name and correct spelling.
- Ask for identification to verify who they are.
- Ask for their phone number so you can return their call.
- Ask why they need the information.
- Ask who authorized the request and let the person know that you will need to verify this information with that authority.
Phishing is a new type of social engineering used to gather personal information about someone. Phishing refers to email messages that are sent to fool the recipient into providing personal or financial information. These messages are often disguised as an email from a financial institution, such as a credit card company, bank, or e-commerce sites such as eBay and PayPal.
The recipient will receive an "official-looking email" asking them to verify account information in order to update their account profile. The email will then ask the recipient to click on an email address or website link, which will take them to the "official" website of that company. The website then asks the recipient to enter personal information. What's not known by the recipient is that this is not a legitimate page, and by entering personal information into the website, the creators of the website have stolen the information.
If you receive a phishing email, simply delete it. Do not click the links or fill in personal information. Remember, financial institutions will never ask for your personal or account information via email. They have this information already in their records. If you have any doubts or questions about a particular email, contact the organization or company listed in the email to verify the message's authenticity.
3.3 Infected Websites
Another type of data theft technique is the use of infected websites to obtain a user's personal information. The largest number of computer infections (nearly 70%) are now coming from exploits that are embedded in websites. These websites are most often delivered through email links, where a user clicks on a link in their email program that opens a browser window. Once the website is open, a script on the site automatically installs unwanted software on the user's computer, without interaction from the user. Often times this happens in the background and the user doesn't know about the software. The end result is that the installed software tracks the user's web usage, and can collect information such as bank account and credit card numbers, addresses, and Social Security Numbers. These types of infections are similar to phishing, except that these websites do not require user interaction, whereas phishing does. To prevent this type of attack, do not click on links from unsolicited emails or from untrusted sources.
4.1 Email Usage
Email has become one of the quickest and most efficient ways to contact individuals and groups of people. However, using email presents its own set of security risks and challenges that you need to be aware of. Viruses, worms, and spyware are often spread as attachments through email. Here are a few tips to guide you down the path of using email appropriately and avoiding security pitfalls:
- Keep in mind that email is not secure; it can be forged very easily. Never put sensitive information, such as Social Security Numbers or bank account numbers into any part of your email or email attachments.
- Faculty and staff: Please note that any attachments containing ePI (electronic personal information) must be encrypted before being sent via email.
- Do not open unexpected attachments, and do not open or download attachments from unknown parties.
- Immediately delete messages from parties you don't recognize.
- Clear your email inbox of old messages on a regular basis.
- Password protect your local email folder file, such as Outlook's Personal Folder (.pst file).
- Make it a habit not to send any information via email that you wouldn't want to be disclosed to a third party.
- Be careful when forwarding email to others, as many of the emails you receive as forwards are actually hoaxes, and may contain viruses.
- When sending an encrypted message through email, never place the password to unlock the file in the same email.
Spam is an unsolicited email. It is a form of advertisement that is sent in mass quantities to email addresses. There's not much that can be done to stop spammers from creating and sending out these messages. The best that we can do is create filters that will block most spam. Spammers are constantly working to find ways around spam filters, so even if filters are turned on and set to their highest setting, some spam email can still get through. If you receive any spam messages, simply delete the email. There are a few things that you can do to minimize the amount of spam you receive:
- Modify your settings on the WSU anti-spam service. You can read more about the service, including how to set it up, by going to the CaTS Anti-spam Service webpage.
- Do not click the "unsubscribe" or "remove" link within spam messages; this simply confirms to the spammer that your email address is valid.
- Do not give your email address to a person or an online website or newsletter without knowing how it will be used. It could end up on a marketing list that is sold to spammers
Protecting Data Integrity
Encryption is the process of transforming information from clear or plain text into a non-readable format so that only the intended reader can understand or change the message content. Encryption ensures privacy. It is a way to keep prying eyes from reading confidential information that is sent across the public Internet. Certain software applications have encryption methods embedded in them for sending and receiving secure information and for the storage of information. There is also third party software available that can be used to encrypt information.
5.2 Virtual Private Network (VPN)
A virtual private network (VPN) is a secure and private connection between two points across a public network such as the Internet. A VPN allows users to access their organization's network securely from their home, hotels, or off-campus public locations.
Any student, staff, or faculty member may use the Wright State's VPN service. You must fill out a form located on the CaTS VPN webpage and follow the directions. Contact the CaTS Help Desk at 937-775-4827 for more information on WSU's VPN service.
One of the most important steps you can take to ensure that the integrity of your data is protected is to backup your files on a regular basis. Data loss can come at any time, and for a number of reasons:
- Theft of computer
- File corruption
- Hard drive failure
- Accidental deletion of a file or files
- Natural disasters
You should perform a backup of your files at least once a week, and backup critical files more often if they change. If you need assistance in backing up your files, contact the CaTS Help Desk at 937-775-4827 and they will be glad to assist you.
5.4 Mobile and Cellular Devices
Information stored on laptop computers, personal organizers (e.g., Blackberry, Palms), cellular phones, thumb drives, and other similar mobile devices are susceptible to equipment failure, damage, or theft. Information transmitted via wireless connections is not always secure - even networks using encryption are vulnerable to intruders. Here are some tips to keep your information secure on a mobile device:
- Protect and secure mobile devices from theft at all times.
- Use internal firewalls and strong authentication when transmitting information via wireless technologies.
- Use personal firewalls on laptops that will access the WSU Network from a remote location.
- Back up the data on your mobile devices on a regular basis.
- Password protect mobile devices when not in use.
- Encrypt documents containing sensitive information before they are placed on portable devices.
- Charge batteries on mobile devices as soon as the "low battery" prompt appears to avoid losing information, configurations, and settings.