Cyber Security Information

You are here:

Home
Cyber Security Information

LIU’s CyberSecurity team protects users and resources from potential attacks.

LIU Cyber Security works with campus students, faculty and staff to identify and neutralize attacks on campus IT resources and data, educate users to cyber threats, and ensure compliance with information security laws and policies.

LIU Information security policies

Business Continuity

Two Factor Authentication

Because of constant security threats on LIU systems and services. IT is rolling out two factor authentication (TFA) for certain crucial systems in phased implementation.

Report a Security Breach / Inappropriate Misuse

Help keep your peers safe. Report suspicious email phishing attempts, lost or stolen electronics, or possibly hacked computers / hacking attempts. The speed with which the campus can respond to an incident can limit the damage and minimize the cost of recovery. Please provide as much information as possible.

Compromised LIU Accounts

If you suspect your LIU account has been compromised, follow these steps.

DUO Security

Report a Security Breach

Compromised Accounts

Introduction

E-mail Best Practices

Never open an e-mail unless you know the sender. If you do not know the sender, you can block the sender and process it as ‘junk’ depending on your e-mail client. Never click on a link in a Spam E-mail. You may be prompted to give up your login credentials, or unknowingly install viruses and spyware on your PC. This includes ‘Removal Links’ in any e-mail unless you know who the sender is.
Change the password to your e-mail account every 90 days to ensure that your account remains safe. Never e-mail anything sensitive to a Hotmail or Gmail account. These services make money by indexing all e-mail for marketing purposes. You do not want your data ending up in their advertising database. If you must e-mail sensitive information, encrypt any attachments using a program such as 7-zip. This will use your password (secure) and encrypt the attachment. You can then e-mail the encrypted attachment to the recipient and provide the password in a second e-mail, or telephone call.

How do hackers gain access to my data?

The most common way hackers intercept data is by gaining access to your computer. There are several ways evil-doers can achieve this. By mimicking a sender’s address, as in “…@liu.edu”, cybercriminals can deceive you. These messages typically contain a link or an attachment that looks innocent but includes malicious software that can record all your keystrokes, or search among files on your computer. The goal of these practices is to gain access to your passwords and confidential information. These programs can also use your email account to send similar packages to all your contacts, distributing the software to even wider circles. Other methods include accessing webmail on public computers. Without logging off properly, the next user may be able to view your account.

How can I protect my computer and email account from viruses?

Think before opening any attachment or clicking any link – even if it appears to be sent from someone you know! This means that you should be suspicious of any document or link sent to you, unless you are expecting it.
Some other practices that can help protect you and your data include:
Changing your password frequently, and changing your password to make it more difficult to guess.

Do not use a word or clue to your password in any of your social media accounts.
Think of a phrase that’s easy to remember but difficult to decipher. A password created by using the first letter of each word in the phrase is stronger.
Never use a word found in the dictionary in your password.

Be skeptical of messages that contain:

misspellings
threats that non-compliance will lead to closing your account.

Be wary of links in emails.Any word, sentence or image can be linked. What may look like a legitimate link, can be easily disguised. By resting the cursor over a link – and being careful not to click on the link – you can read the Java hint of the actual URL.

What should I do if I suspect I have received a spam or phishing message?

1. Attach the message to a new email message and forward it to Information Technology. Doing so allows IT to view metadata in the header of the email message.
a. Outlook on a PC:

Create a new message.
In the message window, on the Message tab, in the Include group, click Attach Item. Click Outlook Item.
Browse through your folder list to find the folder that contains the item that you want to attach.
Under Items, click the item, and then click OK.

b. Outlook on a Mac:

With your inbox open and the suspicious message highlighted, on the Home tab, click Attachment (paperclip icon with an arrow).
This will generate a new email message with the suspicious message attached.
You can also create a new message and drag the message to be attached from your inbox to the new message.

2. IT will immediately review the message and provide feedback on the veracity of the message. If the message is fictitious, IT will ask you to reset your password. A password change can be initiated by going to:

http://outlook.liu.edu > Options > Change Password (Options is located in the upper right-hand)

3. Remember that your password should include at least 1 capital letter, 1 lowercase letter, 1 number, 1 special character (e.g., @, #, %, ^), and no less than 8 characters in total.

What should I do if I have opened a suspicious attachment or clicked a link within a spamming or phishing message?

Contact your IT office immediately. We will reset your password and address any and all concerns to your computer equipment.
If you have any questions, suspicions or concerns, please contact your local IT office.

Password Practices

Never share your password with anyone! The Department of Information Technology will never ask you for your username and password.
Never use the same password for your e-mail account and any other account that is registered to it. For example, the password for your social networking accounts should not be the same as the e-mail address they’re registered to. If someone were to compromise your password, they can also log into your e-mail account.
Never use a dictionary word as a password. These passwords are much easier to ‘crack’ and your data will be at risk. Always set your password to be at least 10 characters, but preferably 12 or more. You should use at least one capital letter, one number (1,2) and one symbol ($,!).
For Home Banking and other financial sites, change your password every 90 days to ensure that your account is safe.
To make strong passwords, instead of using a simple dictionary word you could use a phrase or sentence for example, ‘ilikeapplepie’. It will be more difficult for a hacker to crack. In addition, you should also use the substitution method. Using the chart below, you could substitute the characters in the password ‘ilikeapplepie’ for ‘!L!ke@pP1eP13’. It will be much more difficult to crack this password.

Lower Case

Upper Case

Special

Lower Case

Upper Case

Special

A password should be something that you can remember. You should never have to write your password down as this could compromise your password. Using the phrase method, this should be easy to accomplish with a commonly used phrase or passage.

Document Best Practices

Always keep a backup! When you do, ensure that you protect your backup in the same manner that you’d protect the actual data. Remember, you no longer need the password to take a backup and read it on a different computer.
If you use a cloud-based service such as iCloud, Dropbox, Google Docs or Amazon E3, do so knowing that your information may be accessed by this vendor according to their terms of service. Please refer to their terms of service prior to storing anything sensitive such as financial documents, bank statements and account information.

Home Networking Best Practices

If someone can get access to your home network, they can conceivably download and make malicious use of your personal information. They can also use your bandwidth to engage in illegal activities. For these reasons, it is important that you follow these simple principles when setting up your home network. If you have a wireless router in your home, always place the router towards the middle of your home. That way a weaker signal will bleed through your walls to the outside of your home. Always set the password for your home router. Hackers will know the default passwords for dozens of home networking devices so you will not be secure. Always lock down your home wireless network. You should use WPA2 with a strong password (sometimes called pre-shared key) with the AES algorithm. If your home router does not support WPA2, you should use WPA.
If you must, use WEP for legacy wireless devices, but choose 128-bit WEP and use a randomly generated WEP key. WEP is less-secure than WPA2/WPA, but it will dissuade the passersby from using your Wireless Networking.

Mobile Device Security

Creating a strong password for your e-mail account is a good first step towards being secure. However, many smart phones will have the Username and Password fields populated during their configuration. This is a nice feature for ease of use, however anyone can simply pick up your phone and go through your e-mail. Many Smart Phone’s come with the capability to lock and password-protect the device when not in use. This is critical to keeping your personal information safe. A malicious individual can make use of not only your e-mail, but your recent call list and phone book.
In addition to locking the device, ensure that you install software from trusted vendors. iPhone’s make use of the App Store, which is fully vetted by Apple Computers to ensure that every program is safe and secure. If you Jailbreak your iPhone, you may add some additional capabilities but you are sacrificing a line of defense between malicious programs and your mobile device.

Malicious Programs

There are good programmers, and bad programmers in this world. While some would like to introduce new software to improve your day-to-day, others are trying to rip off your financial information so they can sell it to the highest bidder. It is important to be mindful of the latter and ensure that your computer is secure at all times. On University Machine’s we use a product called Forefront Endpoint Protection to monitor all computers for Viruses, Malware and Spyware. All three are malicious types of programs designed to harvest sensitive information, passwords and decrease productivity.
If you would like to protect your personal computer, you can download Microsoft Security Essentials for free via the link http://windows.microsoft.com/mse. Microsoft Security Essentials will scan running processes and downloaded files to ensure they contain no malicious code. It is important to update the Definitions for your virus scanner often to ensure you are protected against the newest threats that exist.

Recognizing a Phishing Attempt

For Identity Thieves, one of the most lucrative means of collecting personal information is called Phishing. It involves a malicious individual sending misleading e-mail requesting your personal information. Typically, they will require your Username and Password for some purpose such as ‘preventing your account from being disabled’, or ‘to receive your cash prize’. Phishing e-mail is simply a modern take on a very old scam. Once the user gives up their username and password, their e-mail account is harvested for Financial Information, Blackmail Material and then used to send additional phishing e-mails to their contacts.
No reputable organization will ever ask for your username and password via e-mail. If they need to reset your password, they will not need your current password to do so. Be very careful to whom you give any personal information to. Below you will see samples of actual Phishing Attempts that were received by University Personnel. Never give your username and password to anyone who asks for it via e-mail!

EMAIL IS THE NUMBER ONE WAY TO GET A VIRUS

Is the email asking you to login to my.liu.edu or outlook.liu.edu?

Please make sure you see the green lock/green link as shown in the picture below before you enter your credentials to login into
MyLIU or Outlook.

Red Flags:

Is the email scaring you into losing something?
Is the email stating something that did not happen? i.e. a friend request on social media, a TV you didn’t buy on Amazon, etc.
Is there an attachment of any kind?
Is the email sender new, in a leadership position, or not recognized?
Is the type of email normal, something new, or requesting you do something new?
Does the email message sound “too good to be true”?

Normal Actions:

Did you use the “hover” technique on links in the email BEFORE clicking them?
The “hover” technique means putting your mouse cursor over any links, waiting, and verifying the link matches the pop-up link in the email message.
Did you verify the email address isn’t spoofed (fake) by double-clicking the email sender address and verifying it matches.

Suspicious Email Actions:

Forward the message to IT to verify it’s legitimate.
Call the sender using a trusted people directory for their number, especially if they are a new email contact.
Do not follow suggested actions in an email without understanding why you would do them.

Examples of Phishing Emails

Phishing Example 1:

Subject: EMAIL QUOTA ALERT!!!
Your Mailbox Has Exceeded It Storage Limit As Set By Your Administrator, And You Will Not Be Able To Receive New Mails Until You Re-Validate It.
To Re-Validate –> Follow Link Here
System Administrator
Notice in Example 1 that this malicious individual is attempting to create an immediate need to ‘validate’ your e-mail address. This is done to cause anxiety for the reader and hopefully get them to follow its instructions before thinking about it. To reiterate, no Systems Administrator will ever ask for your Username and Password via e-mail.

Phishing Example 2:

From: lbyrneandsons@eircom.net; on behalf of; Long Island University helpdek@liu.edu Subject: Notice
Your account subscription has expired and your email account is about to be suspended, Confirm your account information to keep your email active.Click the secured below to extend your account.
secure/liu.edu
Thank you
© 2012 – Long Island University
Notice in Example 2 that the e-mail is purportedly coming from Long Island University, yet the actual e-mail address is lbyrneandsons@eircom.net. Also, the spoofed account is misspelled as helpdek@liu.edu instead of helpdesk@liu.edu. Those are both red flags, and should cause the reader to question the validity of this e-mail and simply delete it. To reiterate, no Systems Administrator will ever ask for your Username and Password via e-mail!

How to Handle Sensitive Information

What is Sensitive Personal Identifying Information (PII)

Sensitive Personal Identifying Information (PII) is defined as information that if lost, compromised, or disclosed could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
In general terms it is any information that could be used by criminals to conduct identity theft, blackmail, stalking, or other crimes against an individual. Federal and State laws, and University regulations dictate how this information must be stored, transmitted, and processed.
LIU requires that all laws and regulations are followed to ensure the protection and safety of our community. Contact Information Technology at it@liu.edu for more information about PII.
Sensitive PII include:

Social security numbers
Academic Student information
Date of birth, address, bio-demographical information
Credit card and debit card information
Passport information
Driver’s license and state ID information
Healthcare related information

Listed below are some key regulations:

Cyber security framework based on Department of Commerce National Institute of Standards and Technology (NIST)
A government-issued guideline document of standards, guidelines and practices for reducing cyber risk to critical infrastructure.
NYS Information Security Breach and Notification Act
Business in New York who own or license computerized data which includes private information must disclose any breach of the data to New York residents.
Family Educational Rights and Privacy Act (FERPA)
All student record data including financials are considered private.
Examples: Student grades, major, and other academic/financial records
Health Insurance Portability and Accountability Act (HIPAA/HITECH)
May apply to our clinic sites off campus
Gramm-Leach Bliley Act (GLBA)
Federal legislation that deals with banking industry and the exchange of information.
Example: GLBA applies to LIU since we collect financial information.
Payment Card Industry Data Security Standard (PCI-DSS)
Europay, Mastercard, Visa technical standard (EMV)
Example: Credit card transactions

Should I send confidential information via email?

Unencrypted email is not a secure method for transmitting confidential information or sensitive data over the Internet. If it is necessary to send such information, take steps to secure it by encrypting your message, taking into account the sensitivity of the data being transmitted and the level of security at the source and destination systems.
At LIU, do not send sensitive data via email unless:

It is required by your role within the university
You’ve been issued appropriate storage solution for more secure alternatives by IT for larger data size

Otherwise, do not use email to transmit sensitive information unless you are utilizing an IT approved method of securing the email.
University policy prohibits personal identifying information including but not limited to the examples below from being communicated via email:
· Social security numbers
· Academic Student information
· Date of birth, address, bio-demographical information
· Credit card and debit card information
· Passport information
· Driver’s license and state ID information
· Healthcare related information
There are secure methods to receiving/sending sensitive information containing PII data. In the event that data of this nature must be transmitted via email, please contact your local Information Technology office for more information on secure methods available.
As a precaution, the university has implemented a data loss prevention (DLP) protocol to prevent the possibility of inadvertent sensitive information from being sent out. Here are some illustrations of this new product that is turned “on”.
This screen will appear in Outlook if you attempt to send an email that is determined to contain sensitive data.

In the case the DLP mis-flagged an email as containing sensitive data in error, you can override the policy by clicking the override link. A screen like this will appear:

You must put a reason for this override in the field provided. These will be reviewed by our Information Technology security team and you will be contacted to discuss the override at a later date.
Information Technology takes security of all LIU information systems, assets and data very seriously. As is the case with any new solution, there may be unforeseen issues that arise. Please communicate with us and let us know how the process is going for you.
For more information about IT security best practices, policies, and your IT services visit it.liu.edu.

What is a Security Incident?

A security incident is attempted or actual:

Unauthorized access, use, disclosure, modification, or destruction of information
Interference with information technology operation
Violation of campus policy, laws or regulations

Examples of security incidents include:

Computer system intrusion
Unauthorized access to, or use of, systems, software, or data
Unauthorized changes to systems, software, or data
Loss or theft of equipment used to store or work with sensitive university data
- Personal devices:
  The IT Help Desk may be able to remotely wipe your device. In addition, once all data has been securely removed, contact your service provider to cancel service for your personal phone. To report lost or stolen electronic media or a computing device, please contact the Department of Public Safety (Brooklyn | Post).
- University-issued mobile phones:
  If the device was University-issued, notify the IT Office immediately. We will suspend voice services and issue a remote wipe of the device, if applicable.
- Personally identifiable, restricted, regulated, or confidential information:
  If the lost of stolen electronic media or a computing device was used to store personally identifiable, restricted, regulated, or confidential information, please notify IT immediately. We will work with you to determine the next steps, and whether the event requires notification.
Denial of service attack
Interference with the intended use of IT resources
Compromised user accounts

What should I do if I suspect a serious Security Incident?

A security incident is considered serious if the campus is impacted by one or more of the following:

potential unauthorized disclosure of sensitive information
serious legal consequences
severe disruption to critical services
active threats
is widespread
is likely to raise public interest

Sensitive information is defined as personally identifiable information that is protected by laws and regulations, as well as confidential research protected by data use agreements, such as:

Social security number
Credit card number
Driver’s license number
Student records
Protected health information (PHI)
Human subject research

If you know or suspect that the compromised system contains sensitive data, please take these steps to respond:

Do not attempt to investigate or remediate the compromise on your own
Instruct any users to stop work on the system immediately
Do not power down the machine
Remove the system from the network by unplugging the network cable or disconnecting from the wireless network
Report the incident using the instructions above

In the case of a serious incident, please be aware that continued interaction with a compromised machine can severely affect later forensic analysis.

Cloud Services

Cloud services can help the Institute to deliver instruction, collaborate, and share information and ideas. While it can be very simple to create an account with a cloud service provider and start using their service, there are some things we need to consider to ensure we are meeting our obligations to our students and each other. Before entering into an agreement with a cloud service provider, you should consider the following items:

Consider the type of data to be shared with the cloud service provider
1. Is this data protected by federal law (e.g FERPA, HIPAA)
2. Does the Institute consider this information to be sensitive
Contact LIU procurement and LIU Legal to assist with purchasing the service:
Read research agreements to verify they allow the use of cloud services
Verify the cloud service agreement provides the following guarantees:
1. LIU maintains sole ownership of our data
2. The cloud service provider must notify LIU in the event of a data breach
3. LIU has the right to reclaim our data
4. LIU has the right to review independent audit reports or to audit the cloud service provider
Verify the cloud service implements the following security measures if you are considering using the service in conjunction with sensitive LIU data:
1. Storage encryption
2. Transmission encryption
3. Password protection
4. Data backup
5. Secure data/drive disposal

Encrypted Laptops

Why Encrypt?

Encrypting your laptop and desktop computers and mobile devices is the single most important step you can take to protect your personal information, and LIU’s data, in the event that the device is lost or stolen.

The Process

As users of LIU Secured Peoplesoft Access, all users are personally, professionally, ethically, and legally responsible for their actions.It is essential to safeguard data (electronic or paper), which is used or accessed, that is confidential (protection of data required by law) and that is restricted (considered protected by either contract or best practice, including student data).

All users must adhere to requirements for device encryption, email forwarding, and cloud-based file storage and applications.

Device Encryption

To ensure proper handling of data, users are required to enable encryption on their computers – university issued laptops. The process for encryption will depend on the hardware and operating system:

Windows Only:

To allow off campus access to any PeopleSoft system modules we need to encrypt your Windows laptop which involves the following:

The reason for the access The Duration for the access, and the Authorization from your respective VP to have offsite PS access
Your PC Laptop must have a TPM (Trusted Platform Module) Chip for encryption. IT can help you find that out.
In ALL Cases we reformat the entire systems.

What CAN or CANNOT be done while using the Encrypted VPN Session:

The session gives you access to only a listed pre-approved URL’s or websites within LIU Systems.

A Citrix session needs to be started to establish a secure tunnel from your external laptop to the system in the University Network. This process my take some time to establish the initial connection.

You cannot surf or access any other websites besides the one given access to. If you do need to do that for some reason, the VPN session needs to be stopped.

The DO’s and DON’Ts of Cyber Security

DO’s

01

DO use hard-to-guess passwords or passphrases. A password should have a minimum of 10 characters using uppercase letters, lowercase letters, numbers and special characters. To make it easy for you to remember but hard for an attacker to guess, create an acronym. For example, pick a phrase that is meaningful to you, such as “My son’s birthday is 12 December, 2004.” To use that phrase as your guide, you might use Msbi12/Dec,4 for your password.

02

DO use different passwords for different accounts. If one password gets hacked, your other accounts are not compromised.

03

DO use privacy settings on social media sites to restrict access to your personal information.

04

DO pay attention to phishing traps in email and watch for signs of a scam.

05

DO destroy information properly when it is no longer needed. Place paper in designated confidential destruction bins throughout the office or use a crosscut shredder. For all electronic storage media, consult with IT.

06

DO be aware of your surroundings when printing, copying, faxing or discussing sensitive information. Pick up information from printers, copiers or faxes in a timely manner.

07

DO lock your computer and mobile phone when not in use. This protects data from unauthorized access and use.

08

DO remember that wireless is inherently insecure. Avoid using public Wi-Fi hotspots. When you must, use LIU provided virtual private network software to protect the data and the device.

09

DO familiarize yourself with your responsibilities under university policy in regards to acceptable use of IT resources. Review and follow security policies and related standards.

10

DO report all suspicious activity and cyber incidents to IT. Challenge strangers whom you may encounter in the office. Keep all areas containing sensitive information physically secured, and allow access by authorized individuals only. Part of your job is making sure university data is properly safeguarded and is not damaged, lost or stolen.

DONT’s

01

DON’T leave sensitive information lying around the office.

02

DON’T leave printouts or portable media containing private information on your desk. Lock them in a drawer to reduce the risk of unauthorized disclosure.

03

DON’T post any private or sensitive information, such as credit card numbers, passwords or other private information, on public sites, including social media sites.
DON’T send it through email unless authorized to do so.

04

DON’T open mail or attachments from an untrusted source. If you receive a suspicious email, the best thing to do is to delete the message, and report it to IT.

05

DON’T click on links from an unknown or untrusted source. Cyber attackers often use them to trick you into visiting malicious sites and downloading malware that can be used to steal data and damage networks.

06

DON’T be tricked into giving away confidential information. It’s easy for an unauthorized person to call and pretend to be an employee or business partner. DON’T respond to phone calls or emails requesting confidential data.

07

DON’T install unauthorized programs on your work computer. Malicious applications often pose as legitimate software. Contact your IT support staff to verify if an application may be installed.

08

DON’T plug in portable devices without permission from your department management. These devices may be compromised with code just waiting to launch as soon as you plug them into a computer.

09

DON’T leave devices unattended. Keep all mobile devices, such as laptops and cell phones physically secured. If a device is lost or stolen, report it immediately to IT.

10

DON’T leave wireless or Bluetooth turned on when not in use. Only do so when planning to use and only in a safe environment.

Compromised Accounts

What To Do

1. Change your MyLIU password

If you suspect your MyLIU email has been compromised or stolen, change your password immediately to limit access to the account.

Change your MyLIU password.
Set new security questions if you had previously set them in MyLIU Account Management.

If you suspect a personal account has been compromised, change the password for that account. Choose a strong password and make it unique to that account. Do not use the same password for multiple accounts; that puts all your accounts at risk if one is compromised.

2. Report it

If you suspect your MyLIU email has been compromised or stolen, report it. A compromised MyLIU email account is considered an IT security incident that should be reported.

If you suspect a personal account has been compromised, check the account documentation to find out how to report the compromise.

3. Monitor your accounts

Check your MyLiu email for suspicious activity. Make screen shots showing any settings that have been tampered with to include in your report of the incident to it@liu.edu

Check activity on your account by clicking the Details link at the bottom of your inbox (when accessing your mail from a Web browser). See Google’s Last account activity help. Click the Sign out all other web sessions button if you see suspicious activity.
Check the Trash and Sent mail folders for messages you didn’t send or delete.
In your Mail Settings, review Forwarding and Filters and delete those you don’t recognize.
In your Mail Settings, under Account, check the settings for Send mail as and Grant access to your account to be sure these have not been changed.

Learn more about monitoring and securing your Google Mail, as well as about protecting your personal information and privacy, at Google: My Account.

Check your other MyLIU services for suspicious activity.

For example, look for files in your online storage space that you did not put there.

FAQs

Internet Security

How do I set passwords on administrative and user accounts?

In today’s computing environment, passwords are still the primary method of securing access to your personal and sensitive data.

Do not share your passwords
Use different passwords for different accounts. If your password gets compromised and many accounts use the same password, all of those accounts would be at risk.
Do not write down passwords and leave them lying around. If you must write down a new password for fear of forgetting it, keep it somewhere that stays with you. Try to memorize your new password and destroy the written copy as soon as you feel you can remember it.
Change your passwords often. Changing passwords every two to three months makes it more difficult for passwords to be cracked.
Use complex passwords. Using a password that is 12 characters or more that combines upper and lower case letters along with numbers and special characters will decrease the likelihood of your password being hacked.

Are links in pop-up messages safe?

Pop-up ads are a form of online advertising on the Internet intended to attract Web traffic or capture email addresses. Clicking on links in pop-up windows often allows third-parties to download malicious software onto your computer. Windows users and most Linux users can close pop-up messages by clicking on the X in the upper right hand corner, or by pressing ALT + F4 on your keyboard. Mac OS users can press Command + Q on their keyboard to close pop-up windows. Ignore pop-up warnings offering solutions to what they say are your computer problems.

How do I turn on Windows Firewall?

Windows users should make sure they are running Windows Updates periodically to take care of exploits and make sure their Windows firewall is turned on since some viruses attempt to turn it off. To turn on your Windows firewall:
Go to the Start Menu > Control Panel > Windows Firewall and make sure it is turned on.

What should I do with suspicious email attachments?

Unexpected or suspicious email attachments should never be opened. They may execute a disguised program (malware, adware, spyware, virus, etc.) that could damage or steal your data. If in doubt, call the sender to verify. A good rule of thumb is to only open file attachments if you are expecting them and if they are relevant to the work you are doing.

How do I identify if an email message is a phishing scam?

Recognizing a Phishing Attempt

Phishing Example 1:

Phishing Example 2:

From: lbyrneandsons@eircom.net; on behalf of; Long Island University helpdesk@liu.edu Subject: Notice
Your account subscription has expired and your email account is about to be suspended, Confirm your account information to keep your email active.Click the secured below to extend your account.
secure/liu.edu
Thank you
© 2012 – Long Island University
Notice in Example 2 that the e-mail is purportedly coming from Long Island University, yet the actual e-mail address is lbyrneandsons@eircom.net. Also, the spoofed account is misspelled as helpdek@liu.edu instead of helpdesk@liu.edu. Those are both red flags, and should cause the reader to question the validity of this e-mail and simply delete it. To reiterate, no Systems Administrator will ever ask for your Username and Password via e-mail!

CyberSecurity

How do I keep my computer secure?

To help keep your computers and the data on them safe, follow these tips:

Passwords

Set a password for your computer and be sure to use it! That is, when you step away from your computer, lock it (PC) or put it to sleep (Mac) and be sure a password is required to re-access it.
Use strong passwords and a secure system for having a different password for every site/function.

Antivirus

Be sure your computer has antivirus software on it but only ONE. If you have any expired or sample antivirus software, remove it.

Firewall

A Firewall acts like a wall between your computer and outside connections, helping to protect you. Be sure your computer’s Firewall is on. You can find Firewall settings in the Control Panel (PC) or System Preferences (Mac).

Updates

Computers need to be updated regularly to keep current with any updates, for example a Microsoft security update. You can even set your computer to run the update program automatically, every week or so. You can access updates in the Control Panel (PC) or System Preferences (Mac).

Keep a Record of Device IDs

For all your computers/laptops (and mobile devices, too), record their serial numbers and Wi-Fi/MAC addresses. Store the list of numbers/addresses in a secure place separate from your device. In the case of a lost/stolen device, these numbers can be used to help recover your device.

How do I know if my computer is infected?

All malicious programs are covered under the umbrella term malware – adware, ransomware, rootkits, spyware, trojans, worms, and viruses – all are considered malware. It is important that you regularly check your computer for malware, as a malware infection puts your personal data at risk. Keep all system software up to date to reduce the risk of infection.

Symptoms of Malware

Your computer or web browser has dramatically slowed down over a period of a few days/a week
Your computer cannot connect to otherwise normally functioning wifi networks
Frequent freezing or crashing
Modified or deleted files
New programs or desktop icons that you do not recall installing/creating
Programs running without your consent
Programs closing without your consent
Changes in your security settings
Unusual emails/facebook messages being sent without your permission to a large audience
An increase in pop-up advertisements
Your default search engine has been changed without you altering it
New toolbars in the web browser
Browser links redirect to the wrong web page

What’s the Next Step?

You should run an antivirus scan immediately.

For More Info

Check out Google’s article/video on keeping your devices secure.

What precautions should I take to secure my computer and data?

Here are some tips to help protect your computer’s security and keep your data safe.

Back Up Your Work

You should always back up your computer files so you have a copy of them someplace other than on your computer. This is important in case the computer ever has a serious problem, such as a virus infection, defective hard drive, or corrupt operating system. Viruses and hard-drive failure can damage files to an unrecoverable extent.

Buy an external hard drive
Burn files to a CD or DVD

Install Antivirus and Keep Virus Definitions Up-to-Date

Viruses are malicious programs that run on a computer. They can take control by being:

Destructive: compromising computer files; allowing outsiders to access your files; replicating itself through email (using your address book) or through the network; etc.
Non-destructive: consuming computer resources making a computer slow; annoying pop-ups or error messages; etc.

Keep Your Operating System Up-to-Date

Having an up-to-date operating system reduces the likelihood of being exploited by malicious software. Windows Updates are released periodically when vulnerabilities have been discovered and updates subsequently released.
Be sure to run Windows Updates weekly or turn on Automatic Updates (in Control Panel). Apple also releases software updates. Be sure to run your Apple Software Updates.

Set Passwords on Administrative and User Accounts

In today’s computing environment, passwords are still the primary method of securing access to your personal and sensitive data.

Do not share your passwords
Use different passwords for different accounts. If your password gets compromised and many accounts use the same password, all of those accounts would be at risk.
Do not write down passwords and leave them lying around. If you must write down a new password for fear of forgetting it, keep it somewhere that stays with you. Try to memorize your new password and destroy the written copy as soon as you feel you can remember it.
Change your passwords often. Changing passwords every two to three months makes it more difficult for passwords to be cracked.
Use complex passwords. Using a password that is 12 characters or more that combines upper and lower case letters along with numbers and special characters will decrease the likelihood of your password being hacked.

Do Not Use File Sharing Programs

File sharing programs that allow you to download and distribute copyrighted music, games, movies, television programs, and other files are illegal. You put yourself at legal and financial risk by downloading and sharing copyrighted material. In recent years, authorities have cracked down on file sharing across college campus networks. Another risk is that file sharing programs often allow for the easy transfer of viruses and spyware from computer to computer because they give other people sharing the server with you access to your computer. Spyware or viruses can be packaged into the files you download and may infect your computer.
Examples of file sharing programs are: Limewire, Bearshare, Bittorrent, Kazaa, iMesh, Grokster, Xolox, Morpheus, etc.

Turn on a Firewall

Connecting to the Internet can expose your computer to the world. Firewalls are like building a moat around your castle. Intruders will have to first break through the firewall to try to exploit your vulnerabilities.
Windows has a built-in firewall that is enabled by default and can be controlled from the Control Panel. Other Windows firewall products may be purchased.

Do Not Open Unexpected or Suspicious Email Attachments

Unexpected or suspicious email attachments should never be opened. They may execute a disguised program (adware, spyware, virus, etc.) that could damage or steal data. If in doubt, call the sender to verify. A good rule of thumb is to only open file attachments if you are expecting them and if they are relevant to the work you are doing.

Do Not Click on Links in Pop-Up Messages

Clicking on links in pop-up windows often allows third-parties to download malicious software onto your computer. Windows users and most Linux users can close pop-up messages by clicking on the X in the upper right hand corner, or by pressing ALT + F4 on your keyboard. Mac OS users can press Command + Q on their keyboard to close pop-up windows. Ignore pop-up warnings offering solutions to what they say are your computer problems.

Avoid Phishing Scams and Do Not Open Mail From Unknown Senders

Phishing attempts come in the form of emails that falsely claim to be an established legitimate organization or business, like a bank or store, in an attempt to scam the user into surrendering private or financial information. If you suspect the email to be illegitimate, we recommend calling the company to verify (but, please, do not use the contact information from that email).

Run Removal Tools for Spyware

Applications such as spyware and malware are installed on your computer, typically without your knowledge, to gather and refer information about you to advertisers and other interested third parties. Without your knowledge, spyware and malware can be easily installed when you access certain websites or download certain programs.
These applications do a number of things besides gathering information about you. For example, they can do all of the following:

Make your computer slow/crash
Slow down your Internet speed
Monitor your computer activity
Hijack your computer to send out spam or viruses

It is important to periodically run spyware scans since not all spyware can be prevented. Programs that allow you to download illegal copies of movies, music, games, television programs, and other files have also been known to allow spyware through. You should be careful with all freeware programs.

What additional security measures should I take when I am traveling domestically and internationally?

Employees should make a reasonable effort to secure and protect devices that have access to University data. When traveling abroad with mobile devices such as laptops, tablets, and smartphones, additional measures are required. The number of safeguards should increase if visiting a country known to have an adversarial relationship with the United States, or countries actively involved in cyberwarfare.

When Traveling:

Consider using an iPad or a feature-limited tablet instead of a fully-loaded laptop during the length of your trip.
Carry with you only the minimum amount of data required to complete necessary tasks while traveling internationally.
If you require the use of a laptop while traveling, use one that can be completely wiped clean prior to departure and upon return.
Smartphones and tablets being used to store or access University data should have safeguards in place comparative to those used for securing a laptop.
Install only the minimum number of applications needed.
Make sure antivirus is installed on the laptop.
Enable the local firewall or install the Symantec firewall included with Symantec Endpoint Protection. Microsoft Windows and Apple OS X come with a built-in firewall.
Make sure the Operating System and installed applications are patched and up to date.
Encrypt your hard drive. Be sure to check laws in the country being visited before doing so, as some levels of encryption are illegal in certain countries.
- Windows 7 includes a free encryption option called BitLocker.
- Mac OS includes a free encryption option called FileVault.
- iPhones and iPads have encryption built-in and enabling a Passcode will enable this functionality.
- Most Android devices support encryption, but it must be enabled within the device’s settings.
Enable vendor supplied tracking software available for most major smartphones.
- iPhones and iPads offer Find My iPhone.
- Android devices offer Android Device Manager.
Always enable a pin code on all smartphones and tablets.

Follow Safe Computing Practices:

While browsing the Web, never ignore a warning message regarding a website’s SSL security certificate being invalid.
Never leave a laptop unattended at any point. Physical security is of utmost concern when traveling.
Change the password on any account accessed while overseas upon return (NetID, banking logins, etc.).
Avoid saving any University data to the local hard drive whenever possible.
Disable wireless and bluetooth when not in use.
Use complex, lengthy, and hard-to-guess passwords.
Document the MAC addresses and serial numbers of all mobile devices leaving the country.
Follow all export control laws applicable to data you have access to. Some data is not permitted to leave the country at all, even if stored securely on your device.
Always be wary of free Wi-Fi hotspots at untrusted locations. Avoid using them whenever possible and never access sensitive data while connected to one.
Assume that any device and all credentials used while abroad have been compromised. That means you must wipe the device and reset all credentials that were used while traveling upon return. This may seem excessive, but it is common for passwords to be intercepted and malware to be secretly installed on a device while visiting another country, with the primary goal of compromising the network you connect to when you return to the United States.
Do not check email or surf the Web while logged in as the local administrator. Use a standard unprivileged account instead.
Connect to the campus VPN before accessing campus resources.

Advanced Protections:

If using a Windows computer, Bitlocker should be combined with a Trusted Platform Module (TPM).
- Require a TPM pin at boot up.
Install or enable application whitelisting. This functionality is built-in for Windows 7 by means of AppLocker.
Configure the host file with the IP address of the VPN server. Be aware that this would require a manual update if the VPN IP address changes while traveling. It should be removed upon return.
Deploy laptop anti-theft and tracking software (i.e. Prey, Lojack).
Enable a BIOS password at boot up.
Configure your system in accordance with the Center for Internet Security (CIS) benchmarks to ensure that it is adequately hardened.

How do I choose a strong and secure password?

Password/Passphrase Complexity

Use passwords of 12+ characters, sequential numbers/letters and avoid dictionary words.
To help you remember your complex password, try using a sentence (aka passphrase). Passphrases are easier to remember than random character strings and longer (therefore less hackable). Many sites/applications allow you to use special characters, punctuation, and even spaces. Switch a few letters for characters and use both upper and lower case for the best passphrase, so you could have a passphrase like this (but don’t use this password!):
I ne3d a rea1ly b!g coff3e n0w!

Unique Passwords

Use a different, unique password for each program/application.

Changing Passwords

Plan to change your passwords every 3-6 months. Learn how to change your password.

Managing Passwords

Overwhelmed by the thought of needing separate passwords for all your accounts AND needing to change them regularly? Consider using a password manager.

Password Privacy

Keep your passwords private and do not share them. Know that DoIT will NEVER ask for your password through email nor over the phone, and you should never submit your password in a email/web form.
If you receive an email that is suspicious but inadvertently fill out a form or click on a link, contact Client Support and change your NetID password immediately.

How do I protect my mobile devices?

To help keep your mobile devices and the data on them safe, follow these tips:

Passcodes

Set a passcode for your device and be sure auto-lock is on so that your device locks automatically after being idle.
Avoid common device passcodes like 1111, 0000, and the all-in-a-row 2580.
In addition to locking devices and requiring a passcode, be sure encryption is enabled. For Apple devices with a passcode, encryption is automatically enabled, but for Android devices, you must enable encryption.

Apps

Update mobile browsers and apps when there are bug fixes or security updates.
Search the mobile device’s app store for antivirus options.
Always review apps before installing them. Read privacy policies for what device data the app can access.
Install a find-my-device software program, which, in the case of a lost/stolen device, allows you to view a map of where the device is (search your device’s app store for options). Campus police have been able to recover lost/stolen devices with such apps installed.

Keep a Record of Device IDs

For all your mobile devices (and computers/laptops, too), record their serial numbers and Wi-Fi/MAC addresses. Store the list of numbers/addresses in a secure place separate from your device. Again, in the case of a lost/stolen device, these numbers can be used to help recover your device.

How do I stay secure online?

To keep you safe when online, follow these tips:

Recognizing Spam & Phishing Emails

When dealing with email, it’s important to be able to recognize suspicious emails and to know what to do with them.
Some characteristics of suspicious emails (spam emails and/or those phishing for your personal information) include

Vague subjects, greetings, and/or content
Incorrect names, dates (e.g., far in the future), misspellings, mismatched names/email addresses
- For example, the message could say it is from the “IT Help Desk”, instead of “Client Support.”
Awkward wording/language/grammar, strong calls to action (e.g., Urgent!!!!), long alphabetical lists of recipients. Usually important emails are proofread a few times before sent out, so Urgent! emails with errors might be spam.
Web links that don’t match sender or are misspelled – You can hover over links to see where it will take you. If you receive an email that looks like it’s from your bank but the links go to elsewhere, don’t click on the links or attachments.

What To Do with Suspicious Emails

If you have a suspicious email, do not click on any links nor attachments in it. Instead, use your email program’s spam/junk function to mark the message as spam or for phishing in Google Mail, report phishing. “When in doubt, throw it out” (or just click the Spam button. The message will remain in our Google Mail spam folder for 30 days). If you are unsure whether an email is legitimate or not, contact Client Support.
If you accidently click on a link in a suspicious email, change your password right away and monitor your account for any suspicious activity. Also let Client Support know.

Web Smarts

Devices

When accessing the internet, be sure the device you use is secure. That is, password protect devices and be sure to sign out when using shared devices or public wifi.
For sensitive online tasks (e.g., banking, online shopping, anything with account numbers), use your own computer or mobile device and a secure network (so don’t do banking on public wifi at a coffeehouse!)
Be leary of popups. Even clicking the exit button on it can be a link to a site you wouldn’t want to go to. To avoid this, simply close your browser, run a virus scan, and contact Client Support if you think your computer may have been infected.

Browsing

Be sure the browser you use to access the Internet is up-to-date.
When visiting websites, pay attention to website URLs. In particular,

Check for any inconsistencies between the site you want to visit and the URL (e.g., if visiting LIU University sites, URLs with liu.com instead of .edu might be suspicious).
Look for https, shttp, or a locked padlock (as opposed to just http) at the beginning of URLs, especially for online banking and shopping. This indicates that the site has extra security in it.

Responsible Online Behavior

Remember that online actions have the potential to affect many. When online, be cognizant of potential effects of your behavior.
Also, never share your password, even if the requestor seems legitimate. Similarly, if you run across an offer online that seems too good to be true, it probably is. Contact Client Support with any questions about legitimacy of emails, requests, etc.

Operating System Updates

How do I keep my computer's operating system up-to-date?

Having an up-to-date operating system reduces the likelihood of being exploited by malicious software.

Windows Updates

Windows Updates are released periodically when vulnerabilities/updates have been discovered.
Once a month, Microsoft releases its latest security/software updates. You can go to Windows Update in the Start menu of your computer or visit http://update.microsoft.com/ to make sure your machine is running the latest Windows Updates. Even if you updated your computer in the last month, please run Windows Update prior to registration as there will likely be a new update to apply.
Be sure to run Windows Updates weekly or turn on Automatic Updates (in Control Panel).

Apple Updates

Apple Updates can be installed using the Mac App Store (Mountain Lion OS X 10) or by clicking the “Apple” logo in the upper left corner of your screen, and then selecting “Software Update” from the drop-down menu (Previous versions of Mac OS X).
To find out what version of Mac OS X you are currently running, simply click the “apple” logo in the upper left hand of the screen, and select “About” from the drop-down menu.

Copyright & Intellectual Property

Copyright infringement is the unauthorized copying, storing, displaying, or distributing of another’s intellectual property without the express permission of the copyright owner. In the file-sharing context (peer-to-peer or P2P shareware programs), downloading or uploading another’s work product without authority constitutes an infringement, and is prohibited by the federal Copyright Act of 1976 and Digital Millennium Copyright Act of 1998.

Penalties for copyright infringement are both civil and criminal in nature. For civil violations, individuals may be ordered to pay actual damages or statutory damages of not less than $750 and not more than $30,000 per infringement. For willful infringement, awards of up to $150,000 per incident may be granted; criminal penalties include imprisonment for up to five years and fines of $250,000 per offense. Attorney’s fees and costs may also be assessed. For more information, see www.copyright.gov, and www.copyright.gov/help/faq.

Users of University IT resources may use only legally obtained licensed data or software and must comply with all applicable licenses, copyright, trademark and other intellectual property laws. Much of what appears on the internet or is distributed via electronic communication is protected by copyright law, regardless of whether the copyright is expressly noted. Users of the University computer resources should assume that material is copyrighted unless they specifically know otherwise, and may not copy, download or distribute copyrighted material without permission. Protected material may include, among other things, music, movies, text, photographs, audio, video, graphic illustrations, and computer software.

The University continues to use appropriate technology to reduce and/or eliminate the practice of illegally sharing copyrighted materials. Known vectors used to share files are blocked from the campus. In addition, students are bound by existing University policy that specifically prohibits the use of copyrighted material without the permission of the copyright holder. Violators of the policy are subject to removal of network access and referral to the appropriate disciplinary body.

A list of legal downloading sites is available here: www.educause.edu/legalcontent. The University encourages all students and staff to take advantage of these resources.

It is the responsibility of every person who uses University IT resources to download or upload data to make sure that copyrighted work is not misappropriated, and that all necessary permissions are obtained from the copyright holder.

Desktop and Laptop Security

To ensure the continued integrity of its information technology resources, facilities and controls, the University may audit, inspect and/or monitor network or resource usage, at any time, without notice. The University may limit or terminate the network access of any user who is in violation of any University or Information Technology (IT) policies.

Examples of improper use include, but are not limited to the following:

Unauthorized access to network or electronic data in any form;
The use of another’s password or account;
The use of University data, networks or IT resources for commercial or political purposes;
The unauthorized alteration of electronic files, including any disruption or interference (hacking / spam / viral programs);
Software license or intellectual property violations;
The violation of any University policy, local, state or federal law, harassment or defamation.

Users with access to confidential, privileged or financial data protected by law or University policy must adhere to the following security requirements:

Desktop security: All computers must be secured and non-approved software removed. Only approved software may be installed. Individual users on administrative systems may not add or remove software without Information Technology involvement. USB ports will be disabled to prevent the transportation or misuse of confidential information.

Internet: Internet browsing will be limited to approved, business websites by unit Directors. Personal webmail such as Yahoo, Google, etc. is not allowed.

Passwords: Frequent password changes will be required using unique combinations of alphanumeric and character sets such as “#, !” and so forth. Staff must not share passwords.

Remote Access: Remote access will be limited to LIU-owned computers utilizing virtual Citrix software that prevents the accidental transfer of information. All remote access must be authorized for business operation continuity purposes and approved by a University Officer.

Laptop security: Laptop use is not authorized for persons with access to extremely privileged information due to the risk of loss and associated threat of security breach. When laptop usage cannot be avoided, strong data encryption must be applied.

The University may also restrict unlimited electronic access. If an imposed limitation interferes with a user’s bona fide educational or research activities, the user may direct a written request for a waiver to his or her Department Chair, who, on approval, shall forward the request to the appropriate Dean for review. The University reserves the right to limit the use of information technology resources based on institutional priorities, technical capacity and fiscal considerations.

Article 156 of the New York State Penal Code and federal law (18 USC §§ 1030, 1302, 2252, 2501) impose criminal sanctions for certain offenses involving computers, software and computer data, including unauthorized use, fraud, computer trespass, computer tampering and unauthorized access to student records. Misuse of the University’s information technology resources is subject to disciplinary and/or legal action.

Downloadable PDFs

Basic Tips & Advice
Ransomeware Facts &Tips
Tips for Parents on Raising Privacy-Savvy Kids

Bots and Botnet Facts and Tips
Privacy Tips for Using Public Computers & Wireless Networks
Fact Sheet