Posted: June 11th, 2013 by Sam
Since the beginning of 2010, UVM Police Services has sought ETS’s help in 104 device-theft cases pertaining to UVM students, faculty, and staff. One recurring theme is that there are two simple steps that users can take to reduce the impact a stolen device has on themselves and the institution, and that these steps can only be taken before a laptop, tablet, phone, or portable storage device goes missing.
- Enroll your portable device (laptop, tablet, or phone) in a “locate-and-wipe” service (e.g., Apple’s “Find My iPhone/iPad/etc.”, the Prey Project, LoJack). These programs sport features that run the gamut from simply reporting the device’s location to wiping all data from its storage and even taking pictures using the device’s camera. In the best cases, these can help authorities recover your stolen property; at the very least a successful remote wipe can prevent the (ahem) “new owner” from having access to your UVM (or personal!) data indefinitely.
- Encrypt the device’s storage to prevent unauthorized access to the data contained within it. This is another way of keeping the new owner’s grubby mitts off your grading spreadsheets, personnel reports, family photos, saved Amazon password (which leads to your saved credit card info), etc. Besides: Section 16.1 of UVM’s Information Security Procedures states that, “Digital storage devices and media that contain Protected University Information must be encrypted…” This also applies to external hard disks containing your backups and any removable devices you use to store Protected University Information.
Note that whole-disk encryption only provides meaningful protection if the device is powered off or hibernating when it’s stolen. You can maximize this technology’s defensive value by powering off your laptop when you’ll be in transit for more than just a few minutes, or away from it in a public place.
These are powerful defenses against the ill effects of losing your device and the data on it, and people using them are measurably better off when things “grow legs”. But remember:
These technologies can only help if you start using them before your device is stolen.
If you need help with these techniques, ask your friendly local UVM technology professional or contact the Information Security Operations Team for assistance by emailing email@example.com.
Sam Hooker, for the ISO Team
Please note that not all technology staff at UVM will have experience with these services. This is meant as a list of alternatives for your investigation, and doesn’t imply that your local tech pro will be willing to support your use of a particular package. When in doubt, ask them first.
I say “successful” because the device must be connected to the Internet somehow in order to receive the “tell us where you are” and “erase your data” commands. If the thieves erase the device and reinstall fresh software, it won’t phone home looking for such instructions. But hey: At least your data is probably gone…maybe…
Laptops (and technology pros) make a distinction between “sleep” and “hibernation”. If you’re not sure how to get your hardware to hibernate, ask your pet technologist for help.
But really, consider taking it with you. I promise that stashing it in your bag for that trip to the restroom is way less of a hassle than filling out police paperwork and wracking your brain trying to remember whether or not you logged out of online banking. Leave the power cord behind if it helps you feel better.
Posted: June 4th, 2013 by Dean
Encryption protects the people whose information we collect and manage, while protecting UVM from significant liability.
Encryption encodes information in such a way that only someone who knows a secret key can read it. If you store sensitive or confidential information — what UVM calls “Protected University Information” — anywhere but on password-protected UVM servers, it must be encrypted. Laptops, smartphones, iPads, tablets, and even USB drives can be encrypted, often quite easily and conveniently. The encryption requirement applies to backups and “temporary” storage as well. For example, an external hard drive must be encrypted if it is used to transfer files containing Protected University Information from an old computer to a new one.
Need help? Contact the ISO Team at firstname.lastname@example.org.
See UVM’s Information Security Policy: http://www.uvm.edu/policies/cit/infosecurity.pdf
Posted: May 21st, 2013 by Dean
Passwords serve to protect our privacy, our financial well-being, our reputations and even our identities. Often, a password is all that stands between us and catastrophe.
Choosing a password: A good password is easy to remember, hard to guess or crack, and for UVM accounts, changed at least once a year (every 120 days for College of Medicine accounts). Here are some ideas for picking a password:
- Use the first letters of the first 8+ words to a song, poem, or passage from a book
- Use the first letters, numbers, and symbols from a phrase you make up
- Make up a nonsense phrase, even one that contains dictionary words, as long as you use 3 or 4 words and punctuation
- Use a password generator
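The four tips above, worked through in code as an added example (mine, not UVM’s or the ISO Team’s): an acrostic builder for tips 1 and 2, a word-plus-punctuation passphrase for tip 3, a `secrets`-based generator for tip 4, and a rough brute-force strength estimate for comparing the results. The sample phrase and the sixteen-word list are constructed for the demonstration.

```python
import math
import secrets
import string

# Constructed sample phrase for tips 1 and 2: a made-up line, not a famous one.
SAMPLE_PHRASE = "My 2 cats, Ike & Tina, nap on the porch every Tuesday!"

# Constructed word list for tip 3.  A real generator needs thousands of words
# (Diceware-style); sixteen are here only so the example runs stand-alone.
WORDS = ["maple", "otter", "granite", "violin", "lantern", "copper", "meadow",
         "harbor", "pepper", "summit", "willow", "comet", "anvil", "fossil",
         "tundra", "velvet"]

def acrostic_password(phrase):
    """Tips 1-2: first character of each word, keeping the digits and
    punctuation the phrase already contains so the result is not letters only."""
    out = []
    for word in phrase.split():
        out.append(word[0])
        out.extend(ch for ch in word[1:] if ch in string.punctuation)
    return "".join(out)

def nonsense_passphrase(n_words=4):
    """Tip 3: dictionary words joined by random punctuation, drawn with the
    secrets module (cryptographically strong randomness, unlike random)."""
    result = secrets.choice(WORDS)
    for _ in range(n_words - 1):
        result += secrets.choice(string.punctuation) + secrets.choice(WORDS)
    return result

def generated_password(length=16):
    """Tip 4: a generator drawing uniformly from letters, digits, punctuation."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

def brute_force_bits(password):
    """Strength against blind brute force: log2(alphabet ** length), where the
    alphabet is the union of the character classes present.  This overstates
    an acrostic built from a well-known lyric, which guessing tools already try."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, len(string.punctuation))]
    size = sum(n for test, n in classes if any(test(c) for c in password))
    return len(password) * math.log2(size) if size else 0.0
```

The acrostic of the sample phrase keeps its comma, ampersand, digit and exclamation mark, so it scores as a 15-character, four-class password.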
Different passwords everywhere: Using the same password for everything? You shouldn’t. One password means that a single key unlocks your entire kingdom. Keep your passwords different and never re-use your UVM credentials for outside accounts. Instead, come up with a password formula known only to you that helps you keep your password unique yet easy to remember.
Microsoft offers this sensible advice: “Don’t use the same password for everything. Cybercriminals steal passwords on websites that have very little security, and then they use that same password and user name in more secure environments, such as banking websites.” You’ve probably seen news reports of sites like Yahoo, LinkedIn, and Twitter being compromised and passwords stolen; it happens both to major sites and to many smaller ones we never see in the news. If we don’t use different passwords, we expose ourselves — and those whose sensitive information we have access to — to significant risk.
Securing the Human and Lifehacker are good sources for ideas about choosing and managing passwords.
Posted: May 14th, 2013 by Dean
UVM provides secure and reliable network storage for academic work, research, and business files. Saving confidential or sensitive information on desktop or laptop hard drives, or on tablets and phones, greatly increases the risks of loss and inappropriate disclosure. And information classified as critical or nonpublic (what the Information Security Policy calls “Protected University Information”) must not be stored on external services without a contract protecting the University’s interests, approved by the Information Security Officer.
The easy-to-use webfiles.uvm.edu and sharepoint.uvm.edu are the best places for most of your files. The College of Medicine provides storage for its faculty and staff. You can get to your files wherever you happen to be, and they’re backed up daily. When web-based file management doesn’t meet your needs, there are other convenient ways to use and manage your UVM network storage.
To meet security, legal, and policy requirements (such as HIPAA), other storage options are more appropriate for some types of sensitive or confidential information. Contact the Information Security Operations Team at email@example.com for advice.
Posted: May 7th, 2013 by dpientka
The Clouds are not all created equal. Be sure to research the terms of service, license agreement, usage agreement, copyright and content ownership, and everything else before signing up for a cloud service. Check to see whether the University offers a service that will meet your needs before looking into an outside service. If you intend to use the cloud for University purposes, it is especially important to check with the appropriate data steward for prior approval and to be sure the use isn’t prohibited by any University policy. Remember also that any cloud service that requires a purchase needs to be reviewed through Procurement. And the Information Security Policy applies to all cloud services: “Information classified as critical or nonpublic (confidential, departmental, or internal) must not be stored on external services without a contract protecting the University’s interests, approved by the ISO.”
For free services, remember that nothing is free – there is a reason a company is offering a cloud service. Whether for personal or business use, look carefully at what the host provider may be getting in return for its monetary investment in this infrastructure. Is the business selling advertising, selling/using/sharing your information (UVM information?) for other purposes, giving you a small portion of its feature set in the hopes that you will purchase the enhanced version? Be sure to do your research and reach out to the appropriate people if you have questions.
Data Stewards: Members of the University community who have the operational responsibility for particular collections of information such as student, employee, or alumni records (collection(s)).
Information Security Policy = http://www.uvm.edu/policies/cit/infosecurity.pdf
Information Security Procedures = http://www.uvm.edu/policies/cit/infosecurityprocedures.pdf
Procurement Policy = http://www.uvm.edu/policies/procure/procurement.pdf
Information Security Office = firstname.lastname@example.org
Posted: April 16th, 2013 by Sam
We’ve all seen URLs shortened by bit.ly and its cousins: Unwieldy juggernauts like http://www.megaconference.us/register.qxv?event=megacon%20xxviii&wonderment=true%20enough%20for%20mom&prepop=1&campaign=225817558&api_key=3e7a67b1f9c00d601dbe reduced to tidy morsels like http://blag.foo/5Vf2.
Who doesn’t enjoy that? It’s cleaner! Efficient! More user-friendly!
Information security pros, that’s who. Why? Because it’s opaque.
How did you know that clicking http://go.uvm.edu/9utlr (if that’s how you got here) was going to bring you someplace that’s safe to visit?
In our efforts to improve users’ online safety through education, we often preach “Know Where You’re Going” — in other words, find out where that link’s going to take you before clicking it. Use of these URL shorteners necessarily defeats this simple technique. Because of this, it’s hard to know whether http://blag.foo/5Vf2 points to the conference registration link you wanted or some scammer site claiming that you can log into the conference reg site with your UVM Webmail credentials. And even if the user is savvy enough to spot the fraud based upon the Address bar contents when their browser finally comes to rest (“Hey — that says megaconference.premline.ru…”), how many drive-by malware sites did they visit to get there?
It’s impossible to know from http://blag.foo/5Vf2.
Still: Cleaner! Efficient! More user-friendly!
Fortunately, the fantastic folks of ETS SAA have come up with an answer that reduces the risks somewhat: http://go.uvm.edu will happily shorten your links for you, and your users can breathe easier (especially once the information security people have made them hyperventilate over URL shorteners) because every http://go.uvm.edu URL can be traced back to a UVM NetID.
(Astute readers will, no doubt, point out that this doesn’t prevent a UVMmer from defrauding Internet users through a http://go.uvm.edu URL. And that’s a fair assessment. But information security is a game of reducing exposure to risks rather than eliminating them altogether. Sad, but true.)
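The “Know Where You’re Going” check from above, as an added example (mine, not the post’s or ETS SAA’s code): a resolver that follows a short link’s redirect chain with HEAD requests and records every hop, so you can see the final destination without a browser rendering any of the intermediate pages. The hostnames reuse the post’s made-up examples, the redirect table is constructed so the example runs offline, and `head_fetch` is the live variant you would pass in instead.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the network so the example runs offline:
# short URL -> the Location header it answers with (None = final page).
FAKE_REDIRECTS = {
    "http://blag.foo/5Vf2": "http://trk.example/c?id=7",
    "http://trk.example/c?id=7": "http://megaconference.premline.ru/login",
    "http://blag.foo/good": "http://www.megaconference.us/register.qxv?event=megacon",
    "http://blag.foo/loop": "http://blag.foo/loop",
}

def fake_fetch(url):
    """Offline fetcher: Location header for url, or None for a final page."""
    return FAKE_REDIRECTS.get(url)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # never auto-follow; each hop is recorded by expand()

def head_fetch(url):
    """Live fetcher: one HEAD request, returning the Location header or None."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        opener.open(urllib.request.Request(url, method="HEAD"), timeout=10)
        return None  # 2xx: this is the final destination
    except urllib.error.HTTPError as err:
        return err.headers.get("Location") if 300 <= err.code < 400 else None

def expand(url, fetch=fake_fetch, max_hops=10):
    """Return the chain of URLs a short link leads through.  A loop or a
    hop-limit hit is recorded as the final entry instead of a URL."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain
        nxt = urljoin(chain[-1], nxt)  # Location may be relative
        if nxt in seen:
            chain.append("<loop>")
            return chain
        seen.add(nxt)
        chain.append(nxt)
    chain.append("<too many hops>")
    return chain

def ends_on_host(chain, expected_host):
    """True only if the final destination is expected_host or a subdomain of it."""
    host = (urlparse(chain[-1]).hostname or "").lower()
    return host == expected_host or host.endswith("." + expected_host)
```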
So please feel free to Shorten the Internet! Just use http://go.uvm.edu when you do it! And if you have questions, please let us know.
Sam Hooker, for the Information Security Operations Team
Posted: October 19th, 2012 by Sam
It’s the eleventh hour. You’ve been working on a project for months. Maybe it’s a grant application. It’s all coming together: people; facilities; legal; technology. Suddenly, someone steps in and says, “Wait a minute: Have you considered information security?”
Or maybe you have a favorite online service you’d really like to use to manage some aspect of your UVM life. You already know how to use it; you’ve already arranged your workflow around it; you need a little technical help to make it work just right. Then your tech-savvy helper says, “I think we should ask the information security people about this…”
UVM’s Information Security Office and Operations Team are charged with helping all university units protect the institution’s information. It’s our job to enable all our constituents to make informed decisions about technology products, services, and techniques by helping decision makers understand real risks to UVM. We’re not here to say, “No.” We’re here to ask, “How?” and then assist you in finding answers.
On this site, we hope to share our answers to the “whys”, and we’ll probably start with the ones we’re asked most often. In many cases there will almost certainly be other answers, some of them contrary to ours. We invite you to engage us directly by sending your comments to email@example.com.
Additionally, if there is a question you would like to see answered here, please email it to firstname.lastname@example.org.
Sam Hooker, for the Information Security Operations Team