Technical and Security Issues
For urgent assistance with a technical or security issue, please call the IT Service Desk at 877-466-6728 or report the issue via the 亚洲无码 Service Desk.
To submit an IT request, report an issue, or view the status of submitted requests, visit the .
Product/Service Risk Assessment Request
To submit an security risk assessment request, go to .
Additional Information and Resources:
Phishing
Phishing is a method of trying to gather personal information using deceptive e-mails and websites. Here's what you need to know about Phishing:
How phishing works:
Phishing attacks typically rely on social engineering techniques applied to email or other electronic communication methods, including direct messages sent over social networks, SMS text messages and other instant messaging modes.
Phishers may use social engineering and other public sources of information, including social networks like LinkedIn, Facebook and Twitter, to gather background information about victims' personal and work history, interests and activities. Pre-phishing attack reconnaissance can uncover names, job titles and email addresses of potential victims, as well as information about colleagues and the names of key employees in organizations. This information can then be used to craft a believable email.
Targeted attacks, including those carried out by advanced persistent threat (APT) groups, typically begin with a phishing email containing a malicious link or attachment. Although many phishing emails are poorly written and clearly fake, cybercriminal groups increasingly use the same techniques professional marketers use to identify the most effective types of messages, which favor the phishing hooks that get the highest open or click-through rate and the Facebook posts that generate the most likes. Phishing campaigns are often built around major events, holidays and anniversaries, or take advantage of breaking news stories, both true and fictitious.
Typically, a victim receives a message that appears to have been sent by a known contact or organization. The attack is carried out either through a malicious file attachment that contains phishing software, or through links connecting to malicious websites. In either case, the objective is to install malware on the user's device or direct the victim to a malicious website set up to trick them into divulging personal and financial information, such as passwords, account IDs or credit card details.
Successful phishing messages, usually represented as being from a well-known company, are difficult to distinguish from authentic messages. A phishing email can include corporate logos and other identifying graphics and data collected from the company that is being misrepresented. Malicious links within phishing messages are usually also can look legitimate, because they are designed to make it appear as though they are official links to the organization or company that is being spoofed. The use of subdomains and misspelled URLs are common tricks, as is the use of other link manipulation techniques.
Malware and Trojans
Malware is a more generic term that can be used to refer to nefarious software, which has been specifically designed to disrupt or damage a computer system, while Trojans are programs that pretend to be something they're not, and include malicious additions.
Trojans are often bundled with legitimate software (downloaded via P2P or file-download sites) but keep the original software intact to avoid suspicion and allow the Trojan to spread further. Once silently installed, a Trojan can have a number of different payloads - including letting hackers install additional malicious software, which expands the access these hackers have to your machine.
Distributed Denial of Service (DDoS) attack
A Distributed Denial of Service (DDoS) attack is an attempt made to take a website or online service offline. Attackers use a variety of ways to do this, but they all are designed to overwhelm the site with traffic from multiple sources. In a DDoS attack, the traffic flooding the site can come from hundreds or thousands of sources, which makes it near-impossible to stop the attack simply by blocking a single IP address. They can be distributed by infected computers via botnets, or coordinated. Sites also struggle to differentiate between a legitimate user and attack traffic.
We are becoming increasingly reliant on technology and storing personal information online. This trend increases the opportunity for hackers to acquire sensitive information such as credentials, personal data and financial records.
Malicious viruses acquired through internet and other uses can give hackers the ability to access your computer or infiltrate online accounts and the information they find can potentially be leaked to others.
The good news is that even as hackers update their strategies, there are several sensible strategies you can use to stay safe online.
Use Caution Clicking Links and Attachments
Emails, attachments, and website links are the three things you should use the most caution while interacting with on the Internet. Many cyberattacks begin through sending out emails infected with malicious content.
Phishing is one-way hackers infect your computer. This strategy is executed by sending emails posing as a reputable company in attempts that the user believes it is an authentic email and updates their personal information on a malicious website. You can often determine if a website is a legitimate a few ways:
- Check for a different or misleading URL. If you are not sure about the source of the message, you should always hover over the hyperlinked website address to verify that it is a valid link for the site.
- Check the e-mail address of the sender. It may only be a letter off a valid email from the company they are trying to mimic, so make sure you look carefully.
- Check for spelling and grammar mistakes. Most company communications will thoroughly review their messages for mistakes, while many phishers have a poor use of English grammar. So, language errors may be a signal that the email is not coming from a reputable company.
- Check the IP address of the sender if you are suspicious. If you check the source code, the IP address can be found following the lines “Received: from.” You can then google the IP address and view information about the computer it was sent from.
Clicking unknown links is also a dangerous game. Untrustworthy sites can begin downloading files, rerouting you through other malicious websites, and scam you for information the moment you open the link. If you are skeptical whether you should open a link you believe has potential to be infectious but are going to commit to it, it is best to right-click and copy the link, then paste it in a separate browser so you can take a look at the URL. The most secure sites include a “HTTPS” to begin the URL. Especially look out for this if you are inputting sensitive information such as a credit card or social security number.
The easiest way hackers send viruses to your system is through attachments. They are especially dangerous in the workplace, school, or anywhere that many people are connected to the same network. Do not open attachments unless you are certain you know what they contain as well as who the sender is. Word documents, PDFs, and EXE’s are amongst the most dangerous files that you should be worried. If one recipient opens an attachment, there is a chance that it could spread to every computer connected to the network.
Two-Factor Authentication
Over the last few years, websites have developed more ways to strengthen security and provide their users with more opportunities to protect against cyber-attacks. One emerging strategy is called two-factor authentication. This entails a confirmation from a cell phone or some other kind of verification in addition to a password to be able to access an account.
You should check websites you frequent to see if they have a two-factor authentication process available. Sometimes, there are settings that only require this procedure if you are logging in from a different device, which is especially important. If a company gets breached by a cyberattack, the hackers most likely won’t be able to access your account if two-factor authentication is enabled unless they had some kind of personal device or personal information already.
Security questions are another preventative measure used to be able to recover your account if it was lost or stolen. However, if these answers are not unique or can be found with a little research, then they can actually work against you and give unwanted guests access to your accounts. You should avoid common questions typically offered such as “What’s your mother’s maiden name” or “What was your first pets name” because these questions can likely be found online through records or social media. Some don’t even answer the question being asked to ensure anyone that but themselves can access the account. For example, instead of putting “Turner” for your father’s middle name, you could put something random such as “Finding Nemo.”
Browser Safety
- Don’t stay signed in to your email or other online accounts. Also, lock your PC when you walk away.
- Never let your browser (e.g. Chrome, Firefox) save your password. You could also change the setting of saving password in browser. Instead, use a secure password manager like LastPass.
- On a regular basis clean your browser history, passwords, cache, and cookies.
Use a VPN
A Virtual Private Network (VPN) is an effective way to ensure that your identity is not revealed online and is a good defense to your sensitive information falling into the wrong hands. VPNs are especially useful when utilizing public networks, such as a coffee shop or library. These kinds of connections offer minimal security to its Wi-Fi guests and should be taken with the most caution while browsing. Whether you are on a public or private network, taking the precaution of using a VPN is wise. A VPN adds security by connection a public network to a private network to mask your IP address and have more peace of mind accessing private data. There are many services online that offer VPN’s to their users, and many can be found that are inexpensive or even free of charge.
The following are tips to creating good passwords, provides background on why strong passwords are important, provides an overview of 亚洲无码 Colleges and Universities' operating instructions on passwords, and answers some common questions about the instructions itself.
Table of Contents
- How do I choose a strong password?
- Why can't I share my password?
- What is a "strong password"? Why can't I just use my dog's name for a password?
- Why do I have to change my password? I just memorized my old one!
- Why is my account locked out after I mistype my password a few times?
- Why can't I memorize my password and just change a number at the end?
- What else can I do to remember all these passwords?
- Do PCI systems that process credit card purchases have different requirements?
Introduction
Passwords allow you to authenticate, or prove your identity, when you access information, services, and resources in the computing environment. Every person in the system has access to at least some sensitive, nonpublic information, such as his or her own contact information and grades. Staff and faculty also have a business need to access other people's nonpublic information. If we didn't require passwords, literally anyone could act as you or assume your identity.
Think of all the information you store on your computer and your college or university computing account. If someone else had your password, they would also have access to your electronic life including email, education records, class projects and your class registration and transcripts. A malicious individual with your password would be able to use your accounts to commit fraud, change a grade, steal, store illegal content, send spam, make threats, break into other systems and much more. If anything malicious or criminal is done with your account, evidence will place the burden on you to prove you are not the culprit.
Due to increased reliance on passwords for protecting sensitive data, Operating instruction 5.23.1.1, Password Usage & Handling was passed in April 2008. This guideline was developed by a collaborative group of IT and security staff from around the system. It was reviewed by the CIO at each institution and approved by the System CIO. This group based this guideline on current best-practices, including information from the National Institute of Standards and Technology, Microsoft (see , especially table 13) and OWASP.
This FAQ includes additional information about the operating instructions. Each question includes the relevant text of each requirement set forth in that guideline. If you have additional questions or concerns that are not addressed here, please speak with your CIO so that they may pass your question on to the Information Security Office so we may address them here.
How do I choose a strong password?
Passwords must be at least eight characters in length and contain three of the four following character types:
- Uppercase alphabetic characters (e.g. A-Z)
- Lowercase alphabetic characters (e.g. a-z)
- Digits (i.e. 0123456789)
- Special characters (i.e. ~!@#$%^&*()_+-=<>?{}|[]\;':",./)
You can visit the free by clicking on the link and typing a few example passwords. This checker should indicate "How Strong" for any password that satisfies operating instruction 5.23.1.1.
Passwords should not:
- Be restricted to a maximum length that limits the ability to use passphrases, (i.e. 8-40 characters is better than 8-10 characters).
- Be a single word that can be found in any dictionary, even if you add a number to the beginning or the end, (e.g. Password1).
- Be a word that only uses simple character substitution, (e.g. C00k13 instead of Cookie).
- Be based on any publicly available information such as user ID, family member's name, birthday, etc.
- Be based on a keyboard pattern (e.g. asdf1234) or duplicate characters (e.g. aa11BB)
Passwords should use one or more of the following techniques:
-
- Combine multiple password-creation techniques. For example, character substitution plus additional characters: C_0ok^i3.
- Be composed of multiple words. For example, My=furr3y*d0g-F1do.
- Be based on information known only to you. For example, a quote from your favorite poem or book: 0!C4pta1n,myC@ptAin
- Be based on something that makes you laugh. For example, MyM0therf0rg0t_myB1rthday!
- Be composed of punctuation and initial characters of each word of a phrase known to you. For example, "We hold these truths to be self-evident, that all men are created equal," becomes "Whtt2Bs-e,tamace,". This technique is effective with your favorite book, your own writings, etc.
- Be composed of part of, or a whole sentence. For example, "We.the,Pe0ple.0f,the.United,5tates". This technique is also effective with your favorite book, your own writings, etc.
- Be composed of a complete, proper sentence. For example, "My dog Fido is black." (Note that not all systems support a space character in the password.)
While some of these recommendations may seem extreme, the longer examples of passphrases are quite often easier to recall and easier to type than a random eight-character password. Adding length beyond the minimum also exponentially increases the strength of your selected password. Additionally, using a password safe not only prevents you from losing passwords, but they enable you to use arbitrarily long and complex passwords if you so choose, so long as you still set and remember a good passphrase to protect your "keychain" of passwords.
Why can't I share my password?
Subpart A. Password protection. Users must protect their passwords from unauthorized use and refrain from sharing passwords with others.
This requirement from the guideline is a reiteration from the requirements set forth in the Acceptable Use system procedure. As users within the 亚洲无码 Colleges and Universities, we are given access to different systems like email or Desire2Learn, but we are responsible for protecting that access to prevent abuse. If an individual shares their password with another person, they have just given that person access to data and information for which they are not authorized. Additionally, the individual that shared their password is still liable for any actions taken with their account.
What is a "strong password"? Why can't I just use my dog's name for a password?
Subpart B. Strong Passwords. Users must use a password or passphrase that is a minimum of eight characters and must include a minimum combination of two character types and should include a combination of 3 character types such as: numbers, special characters, and lower and upper case letters.
A password is a combination of letters, numbers and "special characters" that is known only to the account-holder and the system or application used by the account-holder. A strong password is one that holds a high degree of entropy. That is, there is a high degree of randomness in the value of that password. Put more simply, a strong password is one that is impossibly hard to guess. A password of "truck" holds very little entropy, whereas "CAg1DI5`b1P:UeIv;H" holds a very high degree of entropy.
We don't allow a simple word like "truck" or "fido" as a password because this would literally take seconds for a hacker to guess using widely available tools. However, we don't require a completely random password, either. Random passwords are extremely difficult to recall, which makes them a usability nightmare. For a password to be usable, then, we need both randomness and memorability. Thus, the user selects their password, but we must require a minimum length and minimum complexity. This results in a longer password with many, many more potential values, which will thwart a guessing attack. [1]
To balance the requirement for security with the requirement for usability, the guideline development group settled on what is probably the most common set of requirements: a minimum length of eight characters combined with a complexity requirement of three of the four types of characters available. These requirements are also commonly enforceable in the systems and applications around the colleges and universities.
Why do I have to change my password? I just memorized my old one!
Subpart C. Required Changes. Passwords or passphrases must be changed at least every 180 days and should be changed at least every 90 days.
Requiring password changes every six months will further reduce the risk that someone who attempts to get your password will be successful, and will prevent others who may have your password from using your account for nefarious purposes. (Or any other unauthorized purpose, for that matter!) Periodic password changes will also stop any unknown and unauthorized use of your account. Essentially, if an attacker was trying to guess your password, our minimum password requirements mean the attacker will require more than six months to successfully guess your password. By that time, your password will have changed.
We've kept that requirement to every six months, because we do realize the difficulty incurred by frequent password changes. This requirement also reduces the risk that a user's account is abused if they've previously shared their password. For example, if a professor shared their password with a student in tech support, and that student later attempted to change a grade in that professor's course, the chances that this professor's password is still valid is greatly reduced.
Why is my account locked out after I mistype my password a few times?
Subpart D. Lockout for Failed Attempts. College or university and Office of the Chancellor system administrators should establish a standard for locking a user's account if the user fails to login to the system within a specified number of attempts. The lockout may be for a designated amount of time or until the account is administratively reset.
This requirement is directed at IT departments rather than the individual. By locking out an account for a short period, (usually 30-60 minutes) a hacker trying to actively guess a password will not only be considerably slowed, but this increases the chance that IT staff can identify that individual while they're trying to attack the system. Unfortunately, this requirement is sometimes technically infeasible depending on the application or system in question. If this requirement were 100% implementable, the risk of brute-force password guessing attacks would be greatly reduced.
Why can't I memorize my password and just change a number at the end?
Subpart E. Password Administration. College or university and Office of the Chancellor system administrators should enable password history, limiting the ability to re-use passwords.
By regularly changing your password, and ensuring that each new one is not similar to previous passwords, you greatly reduce the risk that your password could be guessed or cracked. Password reuse is also prohibited to prevent users from changing their password, then changing it back to their old one.
Some users do like establishing a pattern, but avoiding a pattern does increase your security. If your passwords followed a pattern and an attacker learned your password at one point in time, they could determine your password any time. For example, if an attacker learned your password was Winter09, they would have some confidence that your next password would be Spring10. (This pattern is extremely common and should be avoided.)
What else can I do to remember all these passwords?
Use a password "safe"
A password safe is a virtual safe that you can use to securely store your usernames, passwords, and other information associated with your various online accounts. There are numerous free and commercial products available, but the most popular ones are probably and . Both have Windows versions. KeePass also has versions for UNIX, and Linux, as well as agents for iPhones, PocketPC, BlackBerry, Palm, and Android phones & PDAs. Password Safe also has a "U3" version, which lets you store your password safe encrypted on a thumb drive for portability, and there are ports that also support Mac users. Both Password Safe and KeePass are open source projects. Another option for Mac users is 1Password, which is a popular commercial package that also has an iPhone agent.
Write it down
We briefly considered, but ultimately did not include "do not write this down" because some people may need to do so for a short period in order to learn a new password every six months. If you must write your password down, it should not be kept with your laptop, under your keyboard, taped to your monitor, etc. You wouldn't put your PIN on a note on your monitor, just as you wouldn't tape a $20 dollar bill to your monitor. You also wouldn't write your PIN on your ATM card or keep your PIN in your wallet. If you lost your wallet, you lose your ATM card and your PIN, which would enable the finder or thief to withdraw funds from your accounts. Your wallet is a good place to store a written password, however. Just don't write your username with it, or even label it as a password.
Do PCI systems that process credit card purchases have different requirements?
A "PCI" system is one that stores or transmits credit card data. These systems have additional requirements. If you weren't aware of any of this, you can probably disregard this section.
Passwords for any system or network device covered by PCI-DSS must meet these following requirements:
- Minimum Length: 8 characters
- Change Frequency: Every 90 days
- Complexity: At least 3 of 4 types of characters
- Lockout: After 6 attempts, minimum 30 minute lockout
- No shared accounts
- No password reuse
- Inactivity time-out: 15 minutes
Footnotes
-
We calculate the relative strength of a password by examining its keyspace, or the total number of possible combinations. A PIN requires "4 numerals", and has a keyspace of 10,000 (or 104), meaning there are 10,000 possible combinations for a PIN. Without the requirement of an ATM card to strengthen this authentication, (and the ATM machine that will keep your card after several incorrect guesses,) this PIN could realistically be cracked in a matter of minutes.
The keyspace for the new requirements is 948, or about 6.096 x 1015, which makes cracking within 6 months infeasible. If an attacker were able to achieve a sustained rate of two million attempts per second, it would take almost a century to exhaust the keyspace.
The calculation: (948 possible passwords / 2*106 attempts per second) / 60 seconds / 60 minutes / 24 hours / 365 days ~= 96.7 years. If this attacker had 100 computers, it would still take almost a year.
While there are ways to speed this up, the reality is that many places where authentication takes place would allow far fewer attempts per second, perhaps not even 1/10th that number.