Why?security: UVM's Information Security Operations Team answers "Why?"


Why would anyone want my NetID and password?

National Cybersecurity Awareness Month is an annual opportunity for folks like us to encourage folks like you to adopt a simple, three-point approach to keeping yourself and your information safe online:

STOP. THINK. CONNECT?

Ever wonder why you get all those messages asking you to “Confirm your account now!” or “Login today or your email permissions will be revoked!” or “Verify your password or else!” or any number of other threats with a link that brings you to a site that might be a UVM-looking page (or not)?

The reason is simple: your username and password open a lock. Unlocking that lock lets the user onto the UVM network (from anywhere in the world), gives them access to your email, and may allow logins to other UVM systems with access to all the same information you have.

And if you happen to have used the same username and password on other sites, there could be money at stake (your bank? Amazon?). It could also be that they can access other information about you that can be used to set up an identity that looks, electronically, just like you, opening the door to medical fraud, financial fraud, and other cyber crimes that can haunt you just as you are about to buy a house or get your first credit card, or snag you during a background check for that job you always wanted.

Protecting something as simple as your NetID and password now can help you avoid these problems in the future.

We encourage you to STOP before entering in your password on a site that was linked in an email. STOP before reusing that same password on multiple sites. STOP before posting information about yourself that may hint at what your password is. (Fortunately, it’s easier to change your password than rename your dog.)

Then THINK about the possible implications of this action: Would anyone really close your account because you didn’t respond to one threatening email? What are the consequences of not entering your username and password?

Finally, CONNECT with the sender’s organization to find out whether the message was real or a scam. Work with your bank/retailer/organization to have more options than a simple username and password combo to access their services.

A little effort now can help you avoid future mayhem, or at least reduce the effort necessary to undo the damage when your username and password are compromised.


Darcy Pientka, for the Information Security Operations Team

Situational Awareness for Everyone

National Cybersecurity Awareness Month is an annual opportunity for folks like us to encourage folks like you to adopt a simple, three-point approach to keeping yourself and your information safe online:

STOP. THINK. CONNECT?

Paying attention to what is going on around you can go a long way toward keeping you and your data safe online.

We encourage you to STOP before automatically connecting to that open WI-FI hotspot.

Then THINK about both the name of the network you are connecting to — Is that actually the Starbucks WiFi network? — as well as the transactions you are performing over WiFi; make sure that any web transactions — especially shopping and banking — are only to secure web sites indicated by https:// in the URL instead of just http://. NEVER click through “invalid-” or “expired certificate” errors on shopping or banking or University websites.

Finally, CONNECT with caution.

In addition to the caveats above, consider using a VPN to protect your data in transit over an open WiFi network. A VPN creates an encrypted tunnel between your computer and the VPN server, thus protecting your data.

Note: sslvpn.uvm.edu is available for use by any UVM affiliate.


Lynne Meeks, for the Information Security Operations Team

Traveling Abroad without Making the News (Mobile Tech Edition)

Occasionally, a member of the community approaches the ISO Team to ask for our advice on traveling safely with mobile technology. While individual circumstances (including the nature of the mobile technologies/data in play, the nature of the trip, the particular destination) will dictate specifics, our general recommendations (below) will cover a lot of ground for a lot of folks.

  1. Unless there is a tremendously-compelling reason to do otherwise, leave your normal work machine (with your years of research data, UVM/previous employer’s email, grant proposals, intellectual property, personal finances, countercultural rantings, etc.) at home and take a loaner machine (provided by your Helpful IT Folks) containing only the materials necessary for the trip.
  2. This loaner should be wiped and get a fresh OS install to keep from leaking data belonging to the *last* person who traveled with it…and to keep the new traveler from picking up any *ahem* latent “gifts” acquired by the last user. Set all installed browsers to clear all private data on session termination, and disable (browser-based) password storage.
  3. Make liberal use of webmail.uvm.edu, webfiles.uvm.edu, and sslvpn.uvm.edu while abroad.

These suggestions apply to smartphones/tablets/Google Glass/smart watches/any other device that stores data which could be 1) a liability to the university if lost, 2) embarrassing to the user if confiscated, or 3) data the export of which is controlled under ITAR rules. (Yes, that applies to Higher Ed.)

[Edit 8 November, 2013: It’s worth considering, too, that not all travel destinations feature the robust freedoms of expression that we enjoy in the U.S., so feel free to substitute/append “…or could precipitate your detention if confiscated and found to be at variance with local law.”]

Why incur this much potential inconvenience? One reason is that humans have a tendency to (subconsciously) downplay the risks inherent in the data they tote around on a daily basis, and while “safe” might cost them an extra few hours over their two-week trip, “sorry” can manifest in more…time-consuming ways.

Incidentally: Simply having the storage encrypted doesn’t suffice in a number of travel zones, as customs officials may be invested with the authority to compel the owner to unlock/decrypt it. (And encryption is illegal in certain jurisdictions.)

Want to share your own tips/travel-tech stories? Got questions? Need to chat about your specific circumstances? Please let us know! As usual, we can be reached at iso@uvm.edu.


Cheers,

Sam Hooker, for the ISO Team

How Do *You* Spell “Shutdown”?

With so much (*ahem*) “excitement” in Washington this week, it’s little wonder opportunists would seize the moment and go on a domain-registration spree, seeking to capitalize on interest in these topics of nationwide scope. The incident handlers at the Internet Storm Center (sponsored by SANS) posted an entry to their Diary today entitled:

Obamacare related domain registration spike, Government shutdown domain registration beginning

Of course, not all of the activity referenced in that post will manifest as scams, but it’s worth keeping an eye out for variations on 0bamacare.com and federalshutdown.gov.premline.ru just the same. (I’m making those up; I haven’t seen the source data mentioned in the article, though would like to.)
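A small defender-side check for the two tricks named above (a digit-for-letter lookalike such as 0bamacare.com, and a trusted-looking ".gov" buried inside an unrelated domain such as federalshutdown.gov.premline.ru). This is an added example, not code from the blog or from the Internet Storm Center; the allow-list of "legitimate" hostnames is constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed allow-list for this example; a real deployment would use
# the organisation's own list of known-good hostnames.
LEGIT_HOSTS = {"obamacare.com", "healthcare.gov", "uvm.edu"}

# Labels that look like a TLD but are suspicious when they appear *inside*
# a hostname whose real TLD is something else (e.g. ...gov.premline.ru).
TLD_LIKE_LABELS = {"gov", "edu", "com", "org", "mil"}

# Digit-for-letter substitutions commonly used to imitate a real name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def hostname_of(url):
    """Extract a lowercase hostname; accept bare hostnames without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """Crude two-label approximation (no public-suffix list, so 'co.uk'-style
    suffixes are not handled); sufficient to show the real-TLD check."""
    return ".".join(host.split(".")[-2:])


def classify(url):
    """Return 'legitimate', 'unknown', or a 'suspicious: ...' explanation."""
    host = hostname_of(url)
    labels = host.split(".")
    reg = registrable_domain(host)
    if host in LEGIT_HOSTS or reg in LEGIT_HOSTS:
        return "legitimate"
    # 1) A TLD-looking label in the middle: federalshutdown.gov.premline.ru
    inner = [lbl for lbl in labels[:-1] if lbl in TLD_LIKE_LABELS]
    if inner:
        return "suspicious: '.%s' inside hostname but real TLD is .%s" % (inner[0], labels[-1])
    # 2) Digit-for-letter lookalike of a known-good name: 0bamacare.com
    normalized = reg.translate(HOMOGLYPHS)
    if normalized in LEGIT_HOSTS:
        return "suspicious: lookalike of %s" % normalized
    return "unknown"


if __name__ == "__main__":
    for sample in ("http://0bamacare.com/login", "federalshutdown.gov.premline.ru",
                   "https://www.uvm.edu/", "mail.google.com"):
        print(sample, "->", classify(sample))
```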

Fitting that this should happen just in time for National Cybersecurity Awareness Month, eh?


Stay safe online,

Sam Hooker, for the Information Security Operations Team

P.S.: I’d call dibs on 0bamacare.com but, predictably, it’s already been registered…

Student Employees, their Laptops, and UVM Information

Where would UVM be without student employees? University departments hire students and other temporary employees for a wide variety of important jobs, and some of those jobs involve working with sensitive or confidential information. As is true for regular faculty and staff, any work with Protected University Information (definitions of which are in the Information Security Policy and the Privacy Policy) should be done on UVM-owned equipment. Laptops should have their hard drives encrypted.

What Can Go Wrong

There is a cost that comes with providing desktop computers or encrypted laptops for use by students and other temporary employees, but use of personally owned computers to access or work with Protected University Information presents an unacceptable risk, both to the University and to individuals whose personal information could be exposed through theft or other mishaps. A theft is a personal tragedy for the owner, but it is potentially catastrophic for individuals whose personal information, present on the stolen device, is exposed and misused. Students are victims of laptop theft much more often than University departments, and their laptops are unlikely to be encrypted.

The UVM Information Security Policy requires personally owned devices to be encrypted if they’ll be used for any Protected University Information, but that still leaves several possibilities of inappropriate data exposure, including the owner making unencrypted backups, backing up to a cloud service such as Dropbox, and the likelihood the owner will decrypt the device, without securely erasing the files, when UVM employment ends or when selling it off.

Avoiding Catastrophe

For those reasons, the Information Security Operations Team asks departments to:

  • insist that employees, especially temporary employees, do UVM work only on UVM equipment;
  • insist that only UVM email be used for messages containing Protected University Information (including not forwarding UVM email to a service like Gmail, in the absence of a suitable agreement with UVM);
  • require that files and email related to UVM work be stored only on University-approved services like UVM SharePoint sites, network folders, or UVM-provided, encrypted external drives, rather than being stored in non-UVM services (e.g., Dropbox, Carbonite).

Temporary employees could be required to sign off that they’ll comply.

Should anyone use a personally owned computer, tablet, phone, external drive, or other device for any Protected University Information, it must comply with UVM requirements for encryption, access, secure erasure, and so on, as described in the Information Security Policy and its Procedures.

Let’s Talk

Do you have a way of addressing temporary employees’ secure computing needs? Please share it via the IT-Discuss or Security listservs, or by emailing the ISO Team at iso@uvm.edu. Please contact the ISO Team if you have suggestions or concerns, or if you need help setting up temporary employees to work securely.

Is it ever okay to share my password?

One’s UVM password must never be shared with anyone — not even with trusted family members, the boss, or information technology personnel. Our passwords protect our personal information and assets, and because we’re each responsible for all use of our accounts, keeping the passwords secret protects us from any liability for others’ actions. Please report any attempt to obtain your password to the ISO Team at iso@uvm.edu.

Some UVM NetID accounts are provided for departments and recognized organizations. While a carefully controlled small group of people may know the password to such an account, each person is responsible for all use of the account. The password must be changed immediately when any member of the group leaves or changes roles. Department accounts are sometimes used for managing external social media, such as Facebook and Twitter; the Social Media University Operating Procedure spells out registration and management of those accounts and passwords.

Additional Resources:

Computer, Communication, and Network Technology Acceptable Use policy [PDF]

Social Media University Operating Procedure [PDF]

“Ouch!” newsletter, May 2013, “Passwords”

Why?security blog, May 21, 2013, “Please don’t make me change my password. It’s the one I use everywhere.”

Stolen Devices and the Inconvenience of Time Travel

Since the beginning of 2010, UVM Police Services has sought ETS’s help in 104 device-theft cases pertaining to UVM students, faculty, and staff. One recurring theme is that there are two simple steps that users can take to reduce the impact a stolen device has on themselves and the institution, and that these steps can only be taken before a laptop, tablet, phone, or portable storage device goes missing.

  1. Enroll your portable device (laptop, tablet, or phone) in a “locate-and-wipe” service (e.g., Apple’s “Find My iPhone/iPad/etc.”, the Prey Project, LoJack[1]). These programs sport features that run the gamut from simply reporting the device’s location to wiping all data from its storage and even taking pictures using the device’s camera. In the best cases, these can help authorities recover your stolen property; at the very least a successful remote wipe[2] can prevent the (ahem) “new owner” from having access to your UVM (or personal!) data indefinitely.
  2. Encrypt the device’s storage to prevent unauthorized access to the data contained within it. This is another way of keeping the new owner’s grubby mitts off your grading spreadsheets, personnel reports, family photos, saved Amazon password (which leads to your saved credit card info), etc. Besides: Section 16.1 of UVM’s Information Security Procedures states that, “Digital storage devices and media that contain Protected University Information must be encrypted…” This also applies to external hard disks containing your backups and any removable devices you use to store Protected University Information.

    Note that whole-disk encryption only provides meaningful protection if the device is powered off or hibernating[3] when it’s stolen. You can maximize this technology’s defensive value by powering off your laptop when you’ll be in transit for more than just a few minutes, or away from it in a public place[4].

These are powerful defenses against the ill effects of losing your device and the data on it, and people using them are measurably better off when things “grow legs”. But remember:

These technologies can only help if you start using them before your device is stolen.

If you need help with these techniques, ask your friendly local UVM technology professional or contact the Information Security Operations Team for assistance by emailing iso@uvm.edu.

Cheers,

Sam Hooker, for the ISO Team

[1] Please note that not all technology staff at UVM will have experience with these services. This is meant as a list of alternatives for your investigation, and doesn’t imply that your local tech pro will be willing to support your use of a particular package. When in doubt, ask them first.

[2] I say “successful” because the device must be connected to the Internet somehow in order to receive the “tell us where you are” and “erase your data” commands. If the thieves erase the device and reinstall fresh software, it won’t phone home looking for such instructions. But hey: At least your data is probably gone…maybe…

[3] Laptops (and technology pros) make a distinction between “sleep” and “hibernation”. If you’re not sure how to get your hardware to hibernate, ask your pet technologist for help.

[4] But really, consider taking it with you. I promise that stashing it in your bag for that trip to the restroom is way less of a hassle than filling out police paperwork and wracking your brain trying to remember whether or not you logged out of online banking. Leave the power cord behind if it helps you feel better.

What is encryption, and why should I care?

Encryption protects the people whose information we collect and manage, while protecting UVM from significant liability.

Encryption encodes information in a way that only someone knowing a secret key can read it. If you store sensitive or confidential information — what UVM calls “Protected University Information”[1] — anywhere but on password-protected UVM servers, it must be encrypted. Laptops, smartphones, iPads, tablets, and even USB drives can be encrypted, often quite easily and conveniently. The encryption requirement applies to backups and “temporary” storage as well. For example, an external hard drive must be encrypted if it is used to transfer files containing Protected University Information from an old computer to a new one.

Need help? Contact the ISO Team at iso@uvm.edu.

[1] See UVM’s Information Security Policy: http://www.uvm.edu/policies/cit/infosecurity.pdf

Please don’t make me change my password. It’s the one I use everywhere.

Passwords serve to protect our privacy, our financial well-being, our reputations and even our identities.  Often, a password is all that stands between us and catastrophe.

Choosing a password: A good password is easy to remember, hard to guess or crack, and for UVM accounts, changed at least once a year (every 120 days for College of Medicine accounts). Here are some ideas for picking a password:

  • Use the first letters of the first 8+ words to a song, poem, or passage from a book
  • Use the first letters, numbers, and symbols from a phrase you make up
  • Make up a nonsense phrase, even one that contains dictionary words, as long as you use 3 or 4 words and punctuation
  • Use a password generator [1]

Different passwords everywhere: Using the same password for everything? You shouldn’t. One password means that a single key unlocks your entire kingdom. Keep your passwords different and never re-use your UVM credentials for outside accounts. Instead, come up with a password formula known only to you that helps you keep your password unique yet easy to remember.

Microsoft [2] offers this sensible advice: “Don’t use the same password for everything. Cybercriminals steal passwords on websites that have very little security, and then they use that same password and user name in more secure environments, such as banking websites.” You’ve probably seen news reports of sites like Yahoo, LinkedIn, and Twitter being compromised and passwords stolen; it happens both to major sites and to many smaller ones we never see in the news. If we don’t use different passwords, we expose ourselves — and those whose sensitive information we have access to — to significant risk.

Securing the Human [3] and Lifehacker [4] are good sources for ideas about choosing and managing passwords.

[1] http://preshing.com/20110811/xkcd-password-generator

[2] http://www.microsoft.com/security/online-privacy/passwords-create.aspx

[3] http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201105_en.pdf

[4] http://lifehacker.com/5830355/xkcd-password-generator-creates-high+security-easy+to+remember-passwords

I have some sensitive data. Where should I keep it?

UVM provides secure and reliable network storage for academic work, research, and business files. Saving confidential or sensitive information on desktop or laptop hard drives, or on tablets and phones, greatly increases the risks of loss and inappropriate disclosure. And information classified as critical or nonpublic (what the Information Security Policy calls “Protected University Information”) must not be stored on external services without a contract protecting the University’s interests, approved by the Information Security Officer.

The easy-to-use webfiles.uvm.edu and sharepoint.uvm.edu are the best places for most of your files. The College of Medicine provides storage for its faculty and staff. You can get to your files wherever you happen to be, and they’re backed up daily. When web-based file management doesn’t meet your needs, there are other convenient ways to use and manage your UVM network storage.

To meet security, legal, and policy requirements (such as HIPAA), other storage options are more appropriate for some types of sensitive or confidential information. Contact the Information Security Operations Team at iso@uvm.edu for advice.
