Security Best Practices
Use Strong Passwords
Q: What is a good way to choose a strong password?
A: These days we use electronic user accounts for almost everything, including email, work computers, online banking or shopping, and filing our tax returns. Different systems enforce different password length and complexity rules, but here are some recommendations for creating passwords that you can remember and that are hard for attackers to guess, even with password-cracking software.
- The longer it is, the better.
- Shorter passwords, even with character substitutions such as “@” for “a” or “$” for “S”, are easier to guess than longer ones.
- Choose a passphrase over a single word as your password. Even with character substitutions, a phrase is stronger than a word.
- Avoid phrases that are common sayings or song or movie titles, like “2BeOrN0+2B”, and choose something that comes from a dream, your imagination, or something only you would know. “i-LUVr@wWormz” may not be true, but no one else would think of trying that.
- Don’t use personal information such as your family’s or pet’s names or birthdays.
- Don’t use confidential information such as your Social Security Number.
- Use different passwords or phrases for different electronic accounts.
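The two password points above (length beats substitutions, and a phrase beats a single word) can be put in numbers. The following is an added example, not part of the original page or any UW tool, that estimates the work an attacker faces under two strategies: a blind brute-force search, and a dictionary attack that also tries common letter substitutions. The substitution table and the 100,000-word dictionary size are assumptions chosen for illustration.

```python
import math

# Substitutions that password-cracking rule sets try automatically
# (constructed, representative table; real tools carry many more).
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7+", "l": "1"}
SYMBOLS = 33  # printable ASCII characters that are neither letters nor digits


def brute_force_bits(password: str) -> float:
    """Work, in bits, for a blind search over every character class the password uses.
    This is the optimistic number: it assumes the attacker knows nothing about structure."""
    if not password:
        return 0.0
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += SYMBOLS
    return len(password) * math.log2(pool)


def unleet(password: str) -> str:
    """Reverse the common substitutions, which is exactly what a cracker's rule does."""
    reverse = {sub: base for base, subs in LEET.items() for sub in subs}
    return "".join(reverse.get(c, c) for c in password.lower())


def dictionary_bits(password: str, dict_size: int = 100_000) -> float:
    """Work for a dictionary attack that also tries substitutions.
    Pessimistically assumes the de-substituted string is in the wordlist (assumed size
    100,000); each letter that has a substitution at most doubles the variants, so it
    adds only one bit of work."""
    base = unleet(password)
    substitutable = sum(1 for c in base if c in LEET)
    return math.log2(dict_size) + substitutable


def effective_bits(password: str, dict_size: int = 100_000) -> float:
    """An attacker uses whichever strategy is cheaper, so strength is the minimum."""
    return min(brute_force_bits(password), dictionary_bits(password, dict_size))


def passphrase_bits(n_words: int, dict_size: int = 100_000) -> float:
    """Work to guess n words chosen independently from a wordlist: every extra word
    multiplies the search space, so length is what buys strength."""
    return n_words * math.log2(dict_size)


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "2BeOrN0+2B"]:
        print(f"{pw:12} brute force {brute_force_bits(pw):5.1f} bits, "
              f"dictionary+rules {dictionary_bits(pw):5.1f} bits")
    for n in (3, 4, 5):
        print(f"{n}-word passphrase {passphrase_bits(n):5.1f} bits")
```

Run it and the point is visible: “P@ssw0rd” looks like about 53 bits to a blind search but only about 21 bits to a dictionary attack that knows the substitutions, while a four-word passphrase from the same 100,000-word list is about 66 bits under either model.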
Avoid Phishing Attempts
Q: How can I tell if an email message contains a phishing attempt?
A: “Phishing” is the act of sending an email message disguised to look like a legitimate message sent for a benign purpose, but that actually contains links that will do harm, such as opening a web page infected with a virus that can spread to your computer, or starting a download of malware that collects information from your computer and uploads it to a server somewhere else.
Some common disguises have included:
- receipts for eBay purchases or PayPal transactions
- warnings from a bank that one’s account will be suspended unless online action is taken
- notice of email inbox limit reached
- pending requests on social media sites such as LinkedIn or Facebook
What they have in common is links that appear to help you complete what looks like an urgent request, but that will do harm if you fall for it.
Think before clicking email links!
- Is the system the message appears to be from actually linked to the address where you received it? For instance, if you signed up for PayPal using your personal Gmail account, then a message from “PayPal” to your UW email address can’t be legitimate.
- If your bank or other vendor has actually contacted you, you can complete the requested action by logging into the system from a web browser instead of clicking an email link. Think you need to take care of something in your online bank account? Open a web browser and type in your bank’s address – don’t use the email link.
- Inspect the links themselves.
- Hover your mouse over the links to see where a click will actually take you. Just because the text of a link says “Cancel order” doesn’t guarantee where the link itself goes. See illustration for example.
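The hover check above compares what a link says with where it goes. As an added example (not part of the original page or any UW tool), the script below does the same comparison over an HTML message body: it collects every link, then flags links whose destination is outside the sender’s domain, links that point at a raw IP address, and links whose visible text looks like one address while the real destination is another. The sample message is constructed for the example, and the “registered domain” helper assumes ordinary two-label domains (it does not handle suffixes like co.uk).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: no multi-part public suffixes such as co.uk)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def suspicious_links(html_body: str, sender_domain: str) -> list:
    """Return (text, href, reasons) for every link that should not be clicked without checking."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if host.replace(".", "").isdigit():
            reasons.append(f"destination is a raw IP address {host!r}")
        elif registered_domain(host) != sender_domain.lower():
            reasons.append(f"destination {host!r} is not under {sender_domain!r}")
        # Visible text that itself looks like an address must agree with the real destination.
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." in text and " " not in text and registered_domain(shown) != registered_domain(host):
            reasons.append(f"link text shows {shown!r} but the link goes to {host!r}")
        if reasons:
            findings.append((text, href, reasons))
    return findings


# Constructed sample message body for the example; not a real phishing email.
# 198.51.100.7 is from the documentation address range and ".example" is a reserved TLD.
SAMPLE_EMAIL = """
<p>Your PayPal account has been limited. Please act within 24 hours.</p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
<p><a href="http://paypal.com.account-verify.example/login">www.paypal.com</a></p>
<p><a href="http://198.51.100.7/cancel">Cancel order</a></p>
"""

if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_EMAIL, "paypal.com"):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

On the sample message the first link passes (it really is under paypal.com), the second is flagged twice (its text claims paypal.com but the host is account-verify.example, with “paypal.com” only used as a decoy prefix), and the third is flagged for going to a bare IP address. The same logic, run by a mail gateway or a mail-client add-in, is what lets a filter warn on a “Cancel order” link before anyone hovers over it.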
One helpful action you can take is to forward the suspected message to email@example.com. To do this, click More in the Respond section of your Outlook ribbon, select Forward as Attachment, enter firstname.lastname@example.org in the email field, then click Send. This will help UW’s efforts to reduce the amount of spam and phishing that makes it through the University’s spam filters.
The Office of the Chief Information Security Officer (CISO) publishes several online training courses on aspects of data and system security. View the training on “Phishing at UW” here (Flash version) (HTML5 version) (iPad version).
- Mac: Control+Shift+Eject will cause your screen to go dark and require a login to re-enter.
- PC: Use the “Windows” button + L to lock your screen and require a login to re-enter.
Hard Drive Encryption
Q: How are our computers encrypted?
A: Central Advancement requires staff computers to be encrypted. PC hard drives are encrypted with BitLocker, the Windows utility, using the computer’s TPM (Trusted Platform Module). This lets the operating system require a security key to log in if the hardware appears to have been tampered with, such as the hard drive being removed and placed in a different computer. Macs have FileVault hard drive encryption enabled within the OS X operating system.
Virus Protection, Here and at Home
Q: How can I protect my computers against viruses?
A: Please refer to our page on Virus Protection for more information.
Advancement computers are all protected by the Sophos virus scanning software. It is installed on all central UA computers, Macs and PCs, and it is configured to update its virus definitions (the files that let it recognize a virus) automatically every day.
This virus software is also free to use on your home computers, as long as you are employed by the UW. Refer to the UW “UWare” software page here to download and install it on your personal computers. It is available for Mac, PC, and Linux, and it requires a UW NetID login.
- Require a password, swipe pattern, or facial or voice recognition in order to use the device.
- Install a malware protection application on the device to scan for viruses and other threats. Lookout is available in free and pro versions for iOS and Android. Windows Phone 8 has malware protection built in, and there are no third-party vendor recommendations at this time.
Office of the CISO e-Learning
Q: Where can I go for additional tips on how to comply with computing security guidelines?
A: The Office of the Chief Information Security Officer has created some online learning modules on the following topics:
- Security and Privacy 101
- Social Media Guidelines
- Mobile Devices
- SSN Use at the UW
These online training lessons are available in Flash, HTML5 and iPad versions.