• Information Security Awareness

    Information Security is the responsibility of every member of the Worcester State University community. It affects us all in some way, even if your position at the University doesn’t require you to handle sensitive information on a daily basis. Data is one of the University’s most important assets, and its loss or theft can lead to serious financial and security consequences. In order to protect both the institution’s and our own personal information, we need to be aware of what comprises good data handling practices. Information security involves not just electronic data—it applies to any sensitive material in both electronic and paper form.

  • Hardware/Software
    Keep virus protection up to date. The University provides and installs antivirus on all College-owned computers and servers. We provide free antivirus for student machines as well.

    Keep your system up to date. Information Technologies performs regular patching of College-owned systems. Personal machines should have Windows Update set to automatic updates.

    Use spyware and spam blocking.

    Only install known products. Many free software programs contain malicious code. Do not install "free" add-ons. "Helpful" free toolbars often cause computer problems and security issues.

    Passwords/Personal Info

    Setting passwords, best practice and what to avoid:

    Have a password and do not share it with others.
    • A password serves as a means to authenticate the identity of the person using an account. Only the authorized user is meant to have access to the account, and a password helps prevent misuse by unauthorized users. Remember, the authorized user will be held responsible for misuse of the account if the password is shared.
    Make passwords hard to guess.
    • It is a safe bet a hacker knows all the tricks. Avoid using anything that is easily attainable online. Things such as your first or last name, or a combination of the two, can be easily cracked. Account names are another example of something to avoid. Silly tricks such as making your password "password" are also easily cracked.
    At minimum, use an eight-character password with a mix of upper- and lowercase letters along with a number.
    • This increases the complexity of your password making it much more difficult to crack.
    Change your password on a regular basis.
    • You would be surprised how often you may accidentally expose your password to others. Changing it regularly will cut down on the possibility of misuse by others.
    Store your password in a safe place.
    • While it's understandable that users often need to record their passwords, it really isn't a good practice to write them down. Password lists should be stored in a safe place, such as a strongly encrypted file with a good encryption key. In any case, great care must be taken to safeguard the password when it is used and to be sure to return it to a safe storage immediately after use. And so it follows…
    Don't leave passwords where others can find them.
    • Don't leave your password on a post-it on your desk or written down in any other places where someone could easily find it. Certainly do not write down, “This is the password for ….”. If you absolutely must write down your passwords, keep them in a secure, locked place. Also, don't leave your passwords where others can find them electronically. Never send them in email, post them to a site, leave them online in a file, etc.

    Email Best Practices
    Never open email, a file, or any other form of data that comes to you from an unfamiliar source.

    Never click on a link in an email. Instead, copy and paste the link into your browser, or use the hover technique: rest the mouse pointer over the link to see the address it actually points to before deciding whether to visit it.

    Be wary of emails containing links that claim to give away merchandise for free.

    Worcester State University Information Technologies will never send an email asking for your username, password or any other sensitive information. Nor will any other reputable organization.

    Here is a short video about this topic:
    Example of Phishing and Internet Security (from Cabrillo College)

    College Data

    Higher education and Data security

    In general, our institutional systems are designed on the principles of free information exchange to accommodate diverse user populations. The free exchange of information, ideas and research does, however, create unique security challenges. Compliance with various regulations, including FERPA, HIPAA and PCI DSS as well as other state and federal privacy regulations, often puts the burden of protection on all our shoulders. The following are beginning steps we, as a community, can take to share the security responsibility.

    Institutional culture

    What is at risk?
    • personally identifiable information (PII)
    • credit card
    • bank account numbers
    • health records
    • financial records of students and possibly their parents
    • registrar's office
    • financial aid
    • research databases

    What steps can you take to better secure your information?

    • Use strong passwords and change your passwords often.
      • Remember a strong password is one that is not obvious or easy to guess. A strong password should be 8 - 12 characters long and include a combination of upper and lowercase letters, numbers, and symbols such as punctuation marks and special characters.
      • Do not share your password or username with others.
      • Do not email your password to others.
      • Always change the default password when you receive a new account that requires a password and assigns a default.
      • Make it a practice to change your password every 90 days, especially when using public computers. This practice will better prevent people from knowing and utilizing your password.
      • When setting up multiple accounts, try to use unique passwords for each account.
      • Try not to write your passwords down; choose passwords that are easy to remember. If you must write them down, keep the list in a secure place. This includes saving passwords electronically.
      • Do not log others into a computer with your password, as you are responsible for your account.
    • Use the standard campus-wide anti-virus program and be aware of steps to take to minimize computer virus risks.
      • New viruses appear constantly, and daily virus definition updating decreases the risk of computers becoming infected. While IT provides anti-virus software and maintains the update schedule, you should never attempt to turn it off. If you believe it is necessary, contact the IT Helpdesk for assistance.
      • All computers joining the WSC domain are mandated to be virus protected.
    • Email and attachments - Remember, if you receive an unexpected email attachment, even if you know the sender, do not open the attachment unless you can answer "YES" to all three of the following conditions:
      • I know exactly what this file is.
      • I have scanned this file with my virus scan AND I have ensured that my virus scan was recently updated.
      • I have verified the identity of the sender and their intentions via email or phone call.
      • This includes chat rooms and associated links.
    • Do not save sensitive data to unsecured devices.
      • Laptops, memory sticks, memory cards should be encrypted whenever sensitive data is involved.
      • You can also encrypt data when sent via an email.
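    The password rules in the "Passwords/Personal Info" section and in the "Use strong passwords" list above can be expressed as a check that runs before a password is accepted. The following is an added example, not code from Worcester State University; the list of commonly guessed words is constructed for the example, and the account and personal names passed in are assumed inputs.

```python
"""Password policy check based on this page's guidance (added example, not WSU code)."""
import re
import string
from typing import List

# Constructed list of words the page calls "easily cracked"; a real deployment
# would check against a much larger breached-password list.
COMMON_WEAK = {"password", "letmein", "welcome", "qwerty", "123456"}


def check_password(password: str, account_name: str = "",
                   first_name: str = "", last_name: str = "") -> List[str]:
    """Return the policy rules the password breaks; an empty list means it passes.

    Rules follow the page: at least 8 characters, upper and lower case, a
    number, a symbol, and nothing derived from the account name, the user's
    name, or a commonly guessed word such as "password".
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")

    lowered = password.lower()
    for label, value in (("account name", account_name),
                         ("first name", first_name),
                         ("last name", last_name)):
        # Names shorter than three letters would match almost anything.
        if len(value) >= 3 and value.lower() in lowered:
            problems.append(f"contains {label}")

    # Drop digits and symbols so that "Password1!" is still recognised as "password".
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_WEAK or core in COMMON_WEAK:
        problems.append("is a commonly guessed word")
    return problems


if __name__ == "__main__":
    # Constructed candidates for a hypothetical user "jdoe" (John Doe).
    for candidate in ("Password1!", "jdoe2024", "Tr0ub4dor&3"):
        result = check_password(candidate, account_name="jdoe",
                                first_name="John", last_name="Doe")
        print(candidate, "->", result or "OK")
```

    Note that "Password1!" satisfies every character-class rule and still fails, which is the point of the page's warning about "silly tricks": complexity rules alone do not stop a guessable password.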

    Theft Protection

    Encryption of laptops, desktops, and removable media

    • As of March 30, 2010, all University-owned laptops have been encrypted. All College-owned desktop computers in key areas have been encrypted, and any future new or reimaged desktop computer will be encrypted.
    • What is Encryption? Encryption is the conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people. Decryption is the process of converting encrypted data back into its original form, so it can be understood.

    Remember YOUR WSU Network Username/Password is key. Don’t Give It Away!

    • The use of encryption/decryption is as old as the art of communication. In wartime, a cipher, often incorrectly called a code, can be employed to keep the enemy from obtaining the contents of transmissions. (Technically, a code is a means of representing a signal without the intent of keeping it secret; examples are Morse code and ASCII.) Simple ciphers include the substitution of letters for numbers, the rotation of letters in the alphabet, and the "scrambling" of voice signals by inverting the sideband frequencies. More complex ciphers work according to sophisticated computer algorithms that rearrange the data bits in digital signals. In order to easily recover the contents of an encrypted signal, the correct decryption key is required. The key is an algorithm that undoes the work of the encryption algorithm. Alternatively, a computer can be used in an attempt to break the cipher. The more complex the encryption algorithm, the more difficult it becomes to eavesdrop on the communications without access to the key.
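    To make the terms above concrete (ciphertext, key, and a decryption key that "undoes the work of the encryption algorithm"), here is an added example, not code from the page or the University, using the "rotation of letters in the alphabet" cipher the paragraph mentions. The sample message and the rotation amount are constructed; the `brute_force` helper shows why such a simple cipher offers no real protection.

```python
"""Rotation cipher and brute-force key recovery (added example, not from the page)."""
import string
from typing import List

ALPHABET = string.ascii_uppercase


def rotate(text: str, key: int) -> str:
    """Shift each letter `key` places around the alphabet; other characters pass through."""
    shifted = []
    for ch in text.upper():
        if ch in ALPHABET:
            shifted.append(ALPHABET[(ALPHABET.index(ch) + key) % len(ALPHABET)])
        else:
            shifted.append(ch)
    return "".join(shifted)


def encrypt(plaintext: str, key: int) -> str:
    """Produce the ciphertext: the page's 'form that cannot be easily understood'."""
    return rotate(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    """The decryption key undoes the encryption: rotate back by the same amount."""
    return rotate(ciphertext, -key)


def brute_force(ciphertext: str, crib: str) -> List[int]:
    """Recover the key without being told it, by trying every possibility.

    Only 25 keys exist, so a computer finds the right one instantly. That is
    the page's point: protection comes from an algorithm whose key space is
    too large to search and from the key staying secret."""
    return [k for k in range(1, len(ALPHABET)) if crib.upper() in rotate(ciphertext, -k)]


if __name__ == "__main__":
    ct = encrypt("Report lost laptops", 3)   # constructed sample message and key
    print(ct)                                # UHSRUW ORVW ODSWRSV
    print(decrypt(ct, 3))                    # REPORT LOST LAPTOPS
    print(brute_force(ct, "laptop"))         # [3]
```

    Full-disk encryption of the kind the University deploys uses a modern cipher with a key space far too large to enumerate this way, which is why the page stresses keeping the key (and the credentials that unlock it) secret rather than the algorithm.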

    Report lost or stolen items immediately.

    • The University is prepared to handle lost or stolen computer hardware, but we must be made aware. It is imperative that you contact University Police or the UTS Help Desk if your computer or laptop has been lost or stolen. When you report the issue you will be asked specific questions about the incident; please know that we are only trying to help recover the items, protect lost data, and inform as needed. We understand things happen beyond our control. The sooner we know, the faster we can protect you and the University.

    Lock offices; do not leave laptops unattended for even a short time

    • As mentioned earlier, we are all responsible for Information Security Awareness. Even if leaving your area for a short time, be sure that you lock your door when you leave your office. If you are in an open office, be sure that other members of the staff know that you are going to be away, and secure your laptop in a locked drawer of your desk whenever possible. At minimum, press the Windows+L keys to secure your Windows computer, which will require someone to log in to view the open applications/documents. Other devices should have a similar lock sequence. If this does not seem feasible, please contact the Information Technologies Help Desk so that we can discuss your situation and provide assistance.
  • ISA Tip of the Month

    What is Phishing?

    Phishing is a type of attack carried out in order to steal usernames, passwords, credit card information, Social Security Numbers, and other sensitive data by masquerading as a trustworthy entity. Phishing is most often seen on campus in the form of malicious emails pretending to be from credible sources such as the Worcester State University Help Desk or technology department or financial organizations related to the university.

    By tricking campus users into giving away their information, attackers can:

    • Steal money from victims (modify direct deposit information, drain bank accounts)
    • Perform identity theft (run up charges on credit cards, open new accounts)
    • Send spam from compromised email accounts
    • Use your credentials to access other campus systems, attack other systems, steal confidential University data, and jeopardize the mission of the campus

    The goal of most Phishing emails is to trick you into visiting a web site in order to steal your WSU credentials. Attackers will set up web sites under their control that look and feel like legitimate web sites. Often the Phishing emails will have an immediate call to action that demands you "update your account information" or "login to confirm ownership of your account". If you enter your WSU credentials into these illegitimate web sites you are actually sending your WSU username and password directly to the attackers.

    This information was adapted from the UC Berkeley "What is Phishing" webpage.
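    The "hover technique" from the Email Best Practices section and the look-alike sites described under "What is Phishing?" come down to one check: does the address a link actually points to belong to the organization the link text claims? The following is an added example, not part of the original page or of the UC Berkeley material it adapts. The trusted domain `university.example` is a placeholder, not the institution's real domain, and the email body is constructed in the style the page describes.

```python
"""Audit links in an HTML email the way the page's hover check does by hand (added example)."""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Assumed trusted domain; a placeholder, not the institution's real domain.
TRUSTED_DOMAINS = {"university.example"}

# Constructed sample message: a call to action plus a link whose visible text
# looks legitimate but whose real destination is a look-alike site.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Login to confirm ownership of your account:</p>
<p><a href="http://university.example.account-verify.test/login">https://university.example/login</a></p>
<p>Questions? Contact <a href="https://helpdesk.university.example/kb">the help desk</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude owner domain: the last two labels ('helpdesk.x.example' -> 'x.example').
    Enough for this example; real tooling consults the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def displayed_host(text: str):
    """Host named by the visible link text, if that text looks like a URL or domain."""
    if not text or " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def audit_links(html: str, trusted) -> List[Tuple[str, List[str]]]:
    """Return (href, reasons) for each link that fails the hover check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if registrable(host) not in trusted:
            reasons.append(f"destination {host} is not a trusted domain")
        shown = displayed_host(text)
        if shown and registrable(shown) != registrable(host):
            reasons.append(f"link text shows {shown} but points to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

    The first link is flagged twice: the real host is owned by `account-verify.test`, even though it begins with the trusted name, and the text shown to the reader names a different host from the one the link opens. The help desk link passes because its host is a subdomain of the trusted domain. Reading the left-hand part of a host name and trusting it is exactly the mistake the look-alike sites rely on.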