Why?security: UVM's Information Security Operations Team answers “Why?”


How Do *You* Spell “Shutdown”?

With so much (*ahem*) “excitement” in Washington this week, it’s little wonder opportunists would seize the moment and go on a domain-registration spree, seeking to capitalize on interest in these topics of nationwide scope. The incident handlers at the Internet Storm Center (sponsored by SANS) posted an entry to their Diary today entitled:

Obamacare related domain registration spike, Government shutdown domain registration beginning

Of course, not all of the activity referenced in that post will manifest as scams, but it’s worth keeping an eye out for variations on 0bamacare.com and federalshutdown.gov.premline.ru just the same. (I’m making those up; I haven’t seen the source data mentioned in the article, though would like to.)
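The kind of look-alike the post is warning about can be caught mechanically: a registration feed can be screened for names that imitate a watched term by character substitution (the “0” for “o” in 0bamacare.com) or that park a watched term as a subdomain of some unrelated registrable domain (the .gov.premline.ru pattern). The following is an added example written for this post, not code from the original article or from any UVM or Internet Storm Center tool; the watch list, the sample “feed” of domains and the “last two labels” approximation of a registrable domain are assumptions for illustration.

```python
"""Flag newly registered domains that imitate a name on a watch list.

Added example for this post; not code from the original article or any
UVM or Internet Storm Center tool. The watch list, the sample domains and
the "last two labels" approximation of a registrable domain are
assumptions for illustration.
"""

# Character swaps commonly used in look-alike registrations (assumed list).
_SWAPS = [("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
          ("rn", "m"), ("vv", "w"), ("-", "")]

# Constructed sample of "newly registered" names, standing in for a feed.
SAMPLE_FEED = [
    "0bamacare.com",
    "federalshutdown.gov.premline.ru",
    "obamacare-enrollment.com",
    "example.com",
]

WATCH = ["obamacare", "shutdown"]


def normalize(label: str) -> str:
    """Undo common substitutions so '0bamacare' compares equal to 'obamacare'."""
    s = label.lower()
    for bad, good in _SWAPS:
        s = s.replace(bad, good)
    return s


def split_host(host: str):
    """Return (subdomain part, registrable domain). Assumes the registrable
    domain is the last two labels; real code should use the Public Suffix
    List so that names like example.co.uk are handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def classify(host: str, watch=WATCH) -> str:
    """Classify one hostname against the watch list, most suspicious first."""
    sub, reg = split_host(host)
    base = reg.split(".")[0]          # e.g. '0bamacare' in '0bamacare.com'
    for term in watch:                # 1. look-alike of the watched name itself
        if base != term and normalize(base) == term:
            return "lookalike:" + term
    for term in watch:                # 2. watched name parked as a subdomain of
        if term in normalize(sub):    #    someone else's registrable domain
            return "embedded-subdomain:" + term
    for term in watch:                # 3. watched name inside a longer label
        if base != term and term in normalize(base):
            return "contains:" + term
    return "none"


def scan(feed=SAMPLE_FEED, watch=WATCH) -> dict:
    """Map each suspicious hostname in the feed to its classification."""
    return {h: c for h in feed if (c := classify(h, watch)) != "none"}


if __name__ == "__main__":
    for host, verdict in scan().items():
        print(f"{verdict:30} {host}")
```

Run against the constructed feed, the scan flags 0bamacare.com as a look-alike, federalshutdown.gov.premline.ru as a watched term embedded under an unrelated domain, and obamacare-enrollment.com as merely containing the term; example.com passes. An exact match such as obamacare.com is deliberately not flagged, since the check cannot tell a legitimate owner from a squatter, which is a question for WHOIS and the data steward rather than string matching.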

Fitting that this should happen just in time for National Cybersecurity Awareness Month, eh?


Stay safe online,

Sam Hooker, for the Information Security Operations Team

P.S.: I’d call dibs on 0bamacare.com but, predictably, it’s already been registered…

Student Employees, their Laptops, and UVM Information

Where would UVM be without student employees? University departments hire students and other temporary employees for a wide variety of important jobs, and some of those jobs involve working with sensitive or confidential information. As is true for regular faculty and staff, any work with Protected University Information (definitions of which are in the Information Security Policy and the Privacy Policy) should be done on UVM-owned equipment. Laptops should have their hard drives encrypted.

What Can Go Wrong

There is a cost to providing desktop computers or encrypted laptops for students and other temporary employees, but using personally owned computers to access or work with Protected University Information presents an unacceptable risk, both to the University and to the individuals whose personal information could be exposed through theft or other mishaps. A theft is a personal misfortune for the owner, but it is potentially catastrophic for the individuals whose personal information, present on the stolen device, is exposed and misused. Students are victims of laptop theft much more often than University departments, and their laptops are unlikely to be encrypted.

The UVM Information Security Policy requires personally owned devices to be encrypted if they will be used for any Protected University Information, but that still leaves several avenues for inappropriate data exposure: the owner making unencrypted backups, backing up to a cloud service such as Dropbox, and the likelihood that the owner will decrypt the device, without securely erasing the files, when UVM employment ends or when the device is sold.

Avoiding Catastrophe

For those reasons, the Information Security Operations Team asks departments to:

  • insist that employees, especially temporary employees, do UVM work only on UVM equipment;
  • insist that only UVM email be used for messages containing Protected University Information (including not forwarding UVM email to a service like Gmail, in the absence of a suitable agreement with UVM);
  • require that files and email related to UVM work be stored only on University-approved services like UVM SharePoint sites, network folders, or UVM-provided, encrypted external drives, rather than in non-UVM services (e.g., Dropbox, Carbonite).

Temporary employees could be required to sign off that they’ll comply.

Should anyone use a personally owned computer, tablet, phone, external drive, or other device for any Protected University Information, it must comply with UVM requirements for encryption, access, secure erasure, and so on, as described in the Information Security Policy and its Procedures.

Let’s Talk

Do you have a way of addressing temporary employees’ secure computing needs? Please share it via the IT-Discuss or Security listservs, or by emailing the ISO Team at iso@uvm.edu. Please contact the ISO Team if you have suggestions or concerns, or if you need help setting up temporary employees to work securely.

Is it ever okay to share my password?

One’s UVM password must never be shared with anyone — not even with trusted family members, the boss, or information technology personnel. Our passwords protect our personal information and assets, and because we’re each responsible for all use of our accounts, keeping the passwords secret protects us from any liability for others’ actions. Please report any attempt to obtain your password to the ISO Team at iso@uvm.edu.

Some UVM Net-ID accounts are provided for departments and recognized organizations. While a carefully controlled small group of people may know the password to such an account, each person is responsible for all use of the account. The password must be changed immediately when any member of the group leaves or changes roles. Department accounts are sometimes used for managing external social media, such as Facebook and Twitter; the Social Media University Operating Procedure spells out registration and management of those accounts and passwords.

Additional Resources:

Computer, Communication, and Network Technology Acceptable Use policy [PDF]

Social Media University Operating Procedure [PDF]

“Ouch!” newsletter, May 2013, “Passwords”

Why?security blog, May 21, 2013, “Please don’t make me change my password. It’s the one I use everywhere.”

Stolen Devices and the Inconvenience of Time Travel

Since the beginning of 2010, UVM Police Services has sought ETS’s help in 104 device-theft cases pertaining to UVM students, faculty, and staff. One recurring theme is that there are two simple steps that users can take to reduce the impact a stolen device has on themselves and the institution, and that these steps can only be taken before a laptop, tablet, phone, or portable storage device goes missing.

  1. Enroll your portable device (laptop, tablet, or phone) in a “locate-and-wipe” service (e.g., Apple’s “Find My iPhone/iPad/etc.”, the Prey Project, LoJack[1]). These programs sport features that run the gamut from simply reporting the device’s location to wiping all data from its storage and even taking pictures using the device’s camera. In the best cases, these can help authorities recover your stolen property; at the very least a successful remote wipe[2] can prevent the (ahem) “new owner” from having access to your UVM (or personal!) data indefinitely.
  2. Encrypt the device’s storage to prevent unauthorized access to the data contained within it. This is another way of keeping the new owner’s grubby mitts off your grading spreadsheets, personnel reports, family photos, saved Amazon password (which leads to your saved credit card info), etc. Besides: Section 16.1 of UVM’s Information Security Procedures states that, “Digital storage devices and media that contain Protected University Information must be encrypted…” This also applies to external hard disks containing your backups and any removable devices you use to store Protected University Information.

    Note that whole-disk encryption only provides meaningful protection if the device is powered off or hibernating[3] when it’s stolen: while the machine is merely asleep or locked, the encryption key is still held in memory, and a thief with physical access may be able to recover it. You can maximize this technology’s defensive value by powering off your laptop when you’ll be in transit for more than just a few minutes, or away from it in a public place[4].

These are powerful defenses against the ill effects of losing your device and the data on it, and people using them are measurably better-off when things “grow legs”. But remember:

These technologies can only help if you start using them before your device is stolen.

If you need help with these techniques, ask your friendly local UVM technology professional or contact the Information Security Operations Team for assistance by emailing iso@uvm.edu.


Sam Hooker, for the ISO Team

[1] Please note that not all technology staff at UVM will have experience with these services. This is meant as a list of alternatives for your investigation, and doesn’t imply that your local tech pro will be willing to support your use of a particular package. When in doubt, ask them first.

[2] I say “successful” because the device must be connected to the Internet somehow in order to receive the “tell us where you are” and “erase your data” commands. If the thieves erase the device and reinstall fresh software, it won’t phone home looking for such instructions. But hey: At least your data is probably gone…maybe…

[3] Laptops (and technology pros) make a distinction between “sleep” and “hibernation”. If you’re not sure how to get your hardware to hibernate, ask your pet technologist for help.

[4] But really, consider taking it with you. I promise that stashing it in your bag for that trip to the restroom is way less of a hassle than filling out police paperwork and wracking your brain trying to remember whether or not you logged out of online banking. Leave the power cord behind if it helps you feel better.

What is encryption, and why should I care?

Encryption protects the people whose information we collect and manage, while protecting UVM from significant liability.

Encryption encodes information so that only someone who knows the secret key can read it. If you store sensitive or confidential information — what UVM calls “Protected University Information”[1] — anywhere but on password-protected UVM servers, it must be encrypted. Laptops, smartphones, iPads, tablets, and even USB drives can be encrypted, often quite easily and conveniently. The encryption requirement applies to backups and “temporary” storage as well. For example, an external hard drive must be encrypted if it is used to transfer files containing Protected University Information from an old computer to a new one.

Need help? Contact the ISO Team at iso@uvm.edu.

[1] See UVM’s Information Security Policy: http://www.uvm.edu/policies/cit/infosecurity.pdf

Please don’t make me change my password. It’s the one I use everywhere.

Passwords serve to protect our privacy, our financial well-being, our reputations and even our identities.  Often, a password is all that stands between us and catastrophe.

Choosing a password: A good password is easy to remember, hard to guess or crack, and for UVM accounts, changed at least once a year (every 120 days for College of Medicine accounts). Here are some ideas for picking a password:

  • Use the first letters of the first 8+ words to a song, poem, or passage from a book
  • Use the first letters, numbers, and symbols from a phrase you make up
  • Make up a nonsense phrase, even one that contains dictionary words, as long as you use 3 or 4 words and punctuation
  • Use a password generator [1]
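Two of the recipes above, the random word list and the first-letters-of-a-phrase acrostic, are easy to implement, and doing so shows why generators use large word lists. The block below is an added example written for this post, not code from the original article, the linked xkcd-style generators, or any UVM tool; the 32-word list is constructed for illustration, and the 50-bit threshold in strong_enough() is an assumed budget, not a UVM requirement.

```python
"""Passphrase and acrostic password helpers.

Added example for this post; not code from the original article, the linked
generators, or any UVM tool. The 32-word list is constructed for illustration;
a real generator draws from a list of several thousand words, and
entropy_bits() shows why the list size matters.
"""
import math
import secrets

# Constructed word list: 32 words = exactly 5 bits of entropy per word.
WORDS = [
    "apple", "bridge", "candle", "dragon", "ember", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "needle", "orange", "pepper",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yellow", "zipper", "anchor", "basket", "copper", "desert", "engine", "falcon",
]


def passphrase(n_words=4, words=WORDS, sep="-"):
    """Pick n_words uniformly at random with the OS CSPRNG.
    random.choice() is not suitable here: it is seeded predictably."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words, list_size):
    """Entropy of n independent uniform picks from a list of list_size words."""
    return n_words * math.log2(list_size)


def strong_enough(n_words, list_size, minimum_bits=50):
    """Whether a passphrase scheme clears a minimum entropy budget
    (50 bits is an assumed threshold, not a UVM requirement)."""
    return entropy_bits(n_words, list_size) >= minimum_bits


def acrostic(phrase):
    """The 'first letters of a phrase you make up' recipe: keep the first
    character of each word plus any digits or punctuation inside it.
    'My 2 cats climb the fence at 6am!' -> 'M2cctfa6!'"""
    out = []
    for word in phrase.split():
        out.append(word[0])
        out.extend(ch for ch in word[1:] if not ch.isalpha())
    return "".join(out)


if __name__ == "__main__":
    print(passphrase())
    print(entropy_bits(4, len(WORDS)), "bits from this toy list")
    print(entropy_bits(4, 7776), "bits from a 7,776-word list")
    print(acrostic("My 2 cats climb the fence at 6am!"))
```

Four words from the toy list give only 20 bits, which is why the same scheme drawn from a 7,776-word list (the size of the Diceware and EFF long lists, roughly 52 bits for four words) is what real generators use. The acrostic output is only as unpredictable as the phrase behind it, so a song lyric everyone knows is a weaker source than a sentence you made up.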

Different passwords everywhere: Using the same password for everything? You shouldn’t. One password means that a single key unlocks your entire kingdom. Keep your passwords different and never re-use your UVM credentials for outside accounts. Instead, come up with a password formula known only to you that keeps each password unique yet easy to remember, or use a password manager to hold a different random password for every site.

Microsoft [2] offers this sensible advice: “Don’t use the same password for everything. Cybercriminals steal passwords on websites that have very little security, and then they use that same password and user name in more secure environments, such as banking websites.” (This replay of stolen credentials against other sites is known as credential stuffing.) You’ve probably seen news reports of sites like Yahoo, LinkedIn, and Twitter being compromised and passwords stolen; it happens both to major sites and to many smaller ones we never see in the news. If we don’t use different passwords, we expose ourselves — and those whose sensitive information we have access to — to significant risk.

Securing the Human [3] and Lifehacker [4] are good sources for ideas about choosing and managing passwords.

[1] http://preshing.com/20110811/xkcd-password-generator

[2] http://www.microsoft.com/security/online-privacy/passwords-create.aspx

[3] http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201105_en.pdf

[4] http://lifehacker.com/5830355/xkcd-password-generator-creates-high+security-easy+to+remember-passwords

I have some sensitive data. Where should I keep it?

UVM provides secure and reliable network storage for academic work, research, and business files. Saving confidential or sensitive information on desktop or laptop hard drives, or on tablets and phones, greatly increases the risks of loss and inappropriate disclosure. And information classified as critical or nonpublic (what the Information Security Policy calls “Protected University Information”) must not be stored on external services without a contract protecting the University’s interests, approved by the Information Security Officer.

The easy-to-use webfiles.uvm.edu and sharepoint.uvm.edu are the best places for most of your files. The College of Medicine provides storage for its faculty and staff. You can get to your files wherever you happen to be, and they’re backed up daily. When web-based file management doesn’t meet your needs, there are other convenient ways to use and manage your UVM network storage.

To meet security, legal, and policy requirements (such as HIPAA), other storage options are more appropriate for some types of sensitive or confidential information. Contact the Information Security Operations Team at iso@uvm.edu for advice.

“To the Cloud!” Or not?

The Clouds are not all created equal. Be sure to research the terms of service, license agreement, usage agreement, copyright and content ownership, and everything else before signing up for a cloud service. Check to see if the University offers a service that will meet the need before looking into an outside service. If you intend to use the cloud for University purposes, it is especially important to check with the appropriate data steward for prior approval and to be sure it isn’t a use prohibited by University policy. Remember also that any cloud service that requires a purchase needs to be reviewed through Procurement. And the Information Security Policy applies to every cloud service: “Information classified as critical or nonpublic (confidential, departmental, or internal) must not be stored on external services without a contract protecting the University’s interests, approved by the ISO.”

For free services, remember that nothing is free – there is a reason a company is offering a cloud service. Whether for personal or business use, look carefully at what the host provider may be getting in return for its monetary investment in this infrastructure. Is the business selling advertising, selling/using/sharing your information (UVM information?)  for other purposes, giving you a small portion of its feature set in the hopes that you will purchase the enhanced version? Be sure to do your research and reach out to the appropriate people if you have questions.

Data Stewards: Members of the University community who have the operational responsibility for particular collections of information such as student, employee, or alumni records (collection(s)).
Information Security Policy = http://www.uvm.edu/policies/cit/infosecurity.pdf
Information Security Procedures = http://www.uvm.edu/policies/cit/infosecurityprocedures.pdf
Procurement Policy = http://www.uvm.edu/policies/procure/procurement.pdf
Information Security Office = iso@uvm.edu

Using URL Shorteners

We’ve all seen URLs shortened by bit.ly and its cousins: Unwieldy juggernauts like http://www.megaconference.us/register.qxv?event=megacon%20xxviii&wonderment=true%20enough%20for%20mom&prepop=1&campaign=225817558&api_key=3e7a67b1f9c00d601dbe reduced to tidy morsels like http://blag.foo/5Vf2.

Who doesn’t enjoy that? It’s cleaner! Efficient! More user-friendly!

Information security pros, that’s who. Why? Because it’s opaque.

How did you know that clicking http://go.uvm.edu/9utlr (if that’s how you got here) was going to bring you someplace that’s safe to visit?

In our efforts to improve users’ online safety through education, we often preach “Know Where You’re Going” — in other words, find out where that link’s going to take you before clicking it. Use of these URL shorteners necessarily defeats this simple technique. Because of this, it’s hard to know whether http://blag.foo/5Vf2 points to the conference registration link you wanted or some scammer site claiming that you can log into the conference reg site with your UVM Webmail credentials. And even if the user is savvy enough to spot the fraud based upon the Address bar contents when their browser finally comes to rest (“Hey — that says megaconference.premline.ru…”), how many drive-by malware sites did they visit to get there?

It’s impossible to know from http://blag.foo/5Vf2.
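It is impossible to tell from the short link itself, but it is possible to find out before clicking: ask for the link with a HEAD request, read the Location header, and repeat, without ever loading a page body. The block below is an added example written for this post, not code from the original article or from the go.uvm.edu service. The redirect chain it walks is constructed so that the example runs offline (blag.foo, tinyurl.example, loop.example and megaconference.premline.ru are placeholders); live_fetch() does the same thing against real servers.

```python
"""Find out where a shortened link leads without rendering it.

Added example for this post; not code from the original article or the
go.uvm.edu service. FAKE_RESPONSES is a constructed redirect chain so the
example runs offline; live_fetch() performs the same check with real
HEAD requests.
"""
import urllib.error
import urllib.parse
import urllib.request

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError instead of following a 3xx,
    # which is exactly what we want: we inspect each hop ourselves.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=5):
    """HEAD one URL and return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


# Constructed responses standing in for real shortener and landing servers.
FAKE_RESPONSES = {
    "http://blag.foo/5Vf2": (301, "http://tinyurl.example/abc"),
    "http://tinyurl.example/abc": (302, "/go?u=megaconference.premline.ru"),
    "http://tinyurl.example/go?u=megaconference.premline.ru":
        (302, "http://megaconference.premline.ru/login"),
    "http://megaconference.premline.ru/login": (200, None),
    "http://loop.example/a": (302, "http://loop.example/b"),
    "http://loop.example/b": (302, "http://loop.example/a"),
}


def fake_fetch(url):
    """Offline stand-in for live_fetch()."""
    return FAKE_RESPONSES.get(url, (404, None))


def expand(url, fetch=live_fetch, max_hops=10):
    """Walk Location headers by hand. Returns (chain, reason) where reason is
    None when the chain ended on a non-redirect, or 'loop' / 'too many hops'.
    A link that bounces through many hosts is itself a warning sign."""
    chain = [url]
    while True:
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain, None
        nxt = urllib.parse.urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            return chain, "loop"
        chain.append(nxt)
        if len(chain) > max_hops:
            return chain, "too many hops"


def hosts(chain):
    """Hostnames visited along the chain, in order."""
    return [urllib.parse.urlsplit(u).hostname for u in chain]


def lands_on(chain, expected):
    """True if the final hop is expected or a subdomain of it."""
    host = hosts(chain)[-1] or ""
    return host == expected or host.endswith("." + expected)


if __name__ == "__main__":
    chain, reason = expand("http://blag.foo/5Vf2", fake_fetch)
    for hop in chain:
        print(hop)
    print("ended because:", reason or "final page reached")
    print("on megaconference.us?", lands_on(chain, "megaconference.us"))
```

Walking the constructed chain shows the short link passing through two hosts before landing on megaconference.premline.ru, which lands_on() correctly rejects when you were expecting megaconference.us. A HEAD request still tells the destination server that you exist, so for a link you truly distrust do the lookup from a throwaway machine, and remember that the final page can redirect again with JavaScript or a meta refresh that this check will not see.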

Still: Cleaner! Efficient! More user-friendly!

Fortunately, the fantastic folks of ETS SAA have come up with an answer that reduces the risks somewhat: http://go.uvm.edu will happily shorten your links for you, and your users can breathe easier (especially once the information security people have made them hyperventilate over URL shorteners) because every http://go.uvm.edu URL can be traced back to a UVM NetID.

(Astute readers will, no doubt, point out that this doesn’t prevent a UVMmer from defrauding Internet users through a http://go.uvm.edu URL. And that’s a fair assessment. But information security is a game of reducing exposure to risks rather than eliminating them altogether. Sad, but true.)

THIS JUST IN (2 October, 2013): Adding a tilde (~) to the end of your shortened URL will cause the user to make a quick stop by a small page on go.uvm.edu which explains where they’ll be taken. This nicely addresses the apparent hypocrisy inherent in this article. Try it for yourself by visiting UVM’s IT security site using these two links:

So please feel free to Shorten the Internet! Just use http://go.uvm.edu when you do it! And if you have questions, please let us know.


Sam Hooker, for the Information Security Operations Team

“Why security?”

It’s the eleventh hour. You’ve been working on a project for months. Maybe it’s a grant application. It’s all coming together: people; facilities; legal; technology. Suddenly, someone steps in and says, “Wait a minute: Have you considered information security?”

Or maybe you have a favorite online service you’d really like to use to manage some aspect of your UVM life. You already know how to use it; you’ve already arranged your workflow around it; you need a little technical help to make it work just right. Then your tech-savvy helper says, “I think we should ask the information security people about this…”

UVM’s Information Security Office and Operations Team are charged with helping all university units protect the institution’s information. It’s our job to enable all our constituents to make informed decisions about technology products, services, and techniques by helping decision makers understand real risks to UVM. We’re not here to say, “No.” We’re here to ask, “How?” and then assist you in finding answers.

On this site, we hope to share our answers to the “whys”, and we’ll probably start with the ones we’re asked most often. There will almost certainly be other answers, some of them contrary, in many cases. We invite you to engage us directly by sending your comments to iso@uvm.edu.

Additionally, if there is a question you would like to see answered here, please email it to  iso@uvm.edu.



Sam Hooker, for the Information Security Operations Team
