Security Recommendations for Users of Financial, Student, and Employee Data
University of Oregon
Revised: April 24, 2012
Desktops and Laptops
1. Current versions of popular operating systems are significantly more secure than earlier versions.
Therefore, users of financial, student and employee data who are running Microsoft Windows MUST run Windows 7 (and not an earlier version of Microsoft Windows such as XP or Vista).
Users of financial, student and employee data who are using Mac OS X must run the latest version of Lion (OS X 10.7) until such time as Mountain Lion (OS X 10.8) is released (expected in the Summer of 2012).
Hardware that cannot run the most recent version of Microsoft Windows or Mac OS X must be replaced.
2. Operating systems must be patched for known vulnerabilities. In particular, users should understand that as soon as vendors release new patches, hackers race to develop exploits for those vulnerabilities so that they can crack systems that haven't yet been patched. It is therefore critical that you install new patches as soon as they are available.
For systems that are actively administered, the administrator responsible for those systems shall ensure that all available patches are installed within 48 hours of their general availability.
Systems that are administered by individual users shall have automatic updates enabled, and all available patches shall be installed within 48 hours of their general availability.
When a reboot is required to complete the installation process, reboot your computer immediately after applying updates rather than waiting to do so at a later point in time.
You will NEVER be sent patches by email. Any "patches" you may receive by email are likely to actually be malware.
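For administrators who track the 48-hour requirement across several machines, the following added example (not part of the original recommendations) classifies each patch record against that window and treats an update that still needs its reboot as not yet installed. The record layout, host names, and patch names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

PATCH_WINDOW = timedelta(hours=48)  # deadline from item 2 above

# Constructed sample inventory: host and patch names are hypothetical.
# Fields: host, patch, release time, install time (None while missing),
# and whether the reboot that completes the installation is still pending.
SAMPLE = [
    ("acct-ws-01", "PATCH-A", "2012-04-10T17:00:00+00:00", "2012-04-11T09:30:00+00:00", False),
    ("acct-ws-02", "PATCH-A", "2012-04-10T17:00:00+00:00", "2012-04-13T08:00:00+00:00", False),
    ("reg-lt-07", "PATCH-A", "2012-04-10T17:00:00+00:00", "2012-04-11T10:00:00+00:00", True),
    ("hr-ws-03", "PATCH-B", "2012-04-12T17:00:00+00:00", None, False),
]


def classify(released, installed, reboot_pending, now):
    """Return COMPLIANT, LATE, PENDING or OVERDUE for one patch record."""
    deadline = datetime.fromisoformat(released) + PATCH_WINDOW
    # A patch only counts as installed once any required reboot has happened.
    done = installed is not None and not reboot_pending
    if done:
        return "COMPLIANT" if datetime.fromisoformat(installed) <= deadline else "LATE"
    # Not finished yet: still inside the window, or already past it.
    return "OVERDUE" if now > deadline else "PENDING"


def audit(records, now):
    """Classify every record; 'now' is a timezone-aware datetime."""
    return [(host, patch, classify(rel, inst, reboot, now))
            for host, patch, rel, inst, reboot in records]


if __name__ == "__main__":
    now = datetime.fromisoformat("2012-04-13T12:00:00+00:00")  # constructed audit time
    for host, patch, status in audit(SAMPLE, now):
        print(f"{host:12} {patch:8} {status}")
```

OVERDUE entries are the ones to act on first; LATE entries are already patched but show where the process missed the window.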
4. Third party "helper" applications (such as Java, Adobe Flash, and Adobe Reader) are a prime attack vector, and must be kept up-to-date.
For Windows OS, install Secunia PSI or Secunia CSI to help do this.
On the Mac, http://www.macupdate.com/ may help you monitor third party applications for available updates.
5. Malware writers are churning out new versions of malware faster than anti-virus vendors can keep up. However, many cyber criminals still rely on old malware that antivirus software can identify and block.
Per University of Oregon policy, all users of financial, student and employee data must install antivirus software. This includes keeping it up to date, enabling on-access scanning, and scheduling a recurring weekly scan. Information Services provides the McAfee antivirus product for this purpose at no charge.
6. Loss of a system with unencrypted personally identifiable information (PII) on it may result in material costs to the University.
Therefore, any user who may have PII of any sort on their system must enable full-disk, or at least home directory, encryption. For Windows OS, BitLocker is recommended. For Mac OS X, FileVault is recommended. Some may also like TrueCrypt for this purpose.
Because it will generally be impossible to access the contents of a system that's been secured using whole disk encryption without the password, be careful not to lose or forget that password. Password escrow for whole disk encryption should also be considered.
7. Enable and configure the operating system firewall. After doing so, check your system by visiting the GRC "ShieldsUP!" site at https://www.grc.com/x/ne.dll?bh0bkyd2 (when it is time to select what to check, request to check "all service ports"). For a typical administrative workstation, all such ports should show "green." Any ports that are "red" or "blue" need to be investigated and resolved with your computer support person or UO Information Systems.
Consider use of a hardware firewall to supplant the operating system firewall.
8. Require a username and password to log in to or unlock the computer. Set the computer to auto-lock the screen after 10 minutes of inactivity (or less).
- Whenever possible, systems with financial, student or employee data should use a two factor (or two channel) authentication solution to supplement passwords. This could include hardware one time password cryptographic "fobs", a smart phone-based 2nd channel solution, client certificates stored on hard tokens, or biometric solutions.
- Any passwords MUST be transmitted over an encrypted connection. If you are logging in to a web site, that login page MUST be an "https" ("secure") web page.
- Choose LONG passwords or use a passphrase consisting of several words. Your password or passphrase must be at least ten characters long, and should include a combination of upper and lower case letters, numbers, and/or special symbols.
- Do not use the same password on multiple accounts or websites.
- Never share your password with anyone. This includes your supervisor, co-workers, and IT staff. No university person will EVER ask you to disclose your password, so don't get phished!
10. Do NOT send or save passwords in e-mail, within the web browser, or in an unencrypted file on the computer.
11. You may NOT use peer to peer (P2P) file sharing applications and/or other non-essential/recreational applications on a system used for financial, student or employee data.
12. Be sure your system is backed up. Because backups may contain sensitive information, protect your backups as you protect the computer itself. (Backups should be encrypted.)
13. Physically secure your system, backup media, and other portable media (USB thumb drive, data CD/DVD, etc.) against theft. Do not leave your computer or related media unattended in places where it (or the data on those devices) could be stolen. It is not safe to leave your laptop in your car, even if it is locked in the passenger compartment or trunk. Keep your office door locked when you're not present.
Travelers need to take special care—many hotel rooms (and even hotel room safes) are not secure. Your best bet will normally be to keep your computer and other media with you wherever you go.
There may be some destinations (such as China, Russia, and other areas overseas) where it may be difficult or impossible to prevent your computer from being attacked and electronically compromised. Some nations such as China and Russia may also forbid you from using whole disk encryption. If you anticipate traveling to destinations of that sort, consult with the Information Services Security group.
14. Never insert any flash drive, CD or DVD you "find" lying around (such as in or near a parking lot) into your system. It may be intentionally infected, and planted in an effort to infect you or others.
15. Promptly report any suspicious issues or activity with your computer to your IT support staff. If you believe that your computer has been infected with a computer virus or has been compromised, inform the Information Services Security group and your Banner security officer immediately.
IS Security Group
16. Physically secure your device against theft. Do not leave device or related media unattended in places where it could be stolen (vehicle, airport lounge, etc.). Keep your office door locked when you're not present.
17. Promptly report stolen computers or any evidence of network tampering to your IT support staff and the Information Services Security group.
18. Do not use a personally-owned computer to store or access financial, student or employee data. Only use University-provided systems.
19. YOU are a critical part of keeping University of Oregon computers, networks and sensitive information safe. Do NOT let someone con you! Be skeptical and if you're in doubt, ask others for help rather than being pressured into doing something you think might be unsafe online!
Note: These recommendations should not be viewed as covering every possible scenario; they are general guidelines designed to improve your overall security, but your particular circumstances may require additional steps. If you have any additional questions or concerns, please contact your IT support staff or the Information Services Security group for assistance.
Mobile Devices (Smart Phones and Tablets)
The following steps can be used to reduce the common risks associated with accessing or storing sensitive data on a mobile device:
1. Apply operating system updates in a timely fashion. Some devices, typically older iOS devices (such as some iPads or iPhones), do not receive updates over the air and need to be routinely re-connected to your computer to download and install updates.
2. Keep any 3rd party applications up to date.
3. Install antivirus software, keep it up to date, enable on-access scanning, and schedule a recurring weekly scan, if antivirus software is available for your device. Note that such software is not available for some mobile devices, including the iPad and iPhone.
4. You may not jailbreak or root University-provided mobile devices, as this may disable built-in security mechanisms or introduce additional security risks.
5. Only install software from trusted sources, such as the vendor's app store. Avoid brand new applications that do not have an established reputation.
6. Physically secure your device against theft. Do not leave device or related media unattended in places where it could be stolen (vehicle, airport lounge, etc.). Keep your office door locked when you're not present.
7. Promptly report stolen or lost devices to your IT support staff and the Information Services Security group. In some situations it is possible to remotely disable or wipe the device to prevent unauthorized access to e-mail and sensitive data. You should separately record pertinent information about your mobile device (including your phone number, device serial number, and any other identifiers, as well as the contact number for your carrier, should you need to report it lost or stolen).
For non-managed devices:
- Configure device to require a strong pin or password to unlock device
- Configure device to auto-lock after 10 minutes
- Enable, if available, native data encryption
  - iOS 4 or later
  - Android 4.0 (ICS)
  - BlackBerry 4.0 or later
- Install or enable, if available natively, anti-theft/data protection software
For centrally managed devices:
- Require strong pin or password to unlock device
- Enforce screen lock timeout (10 minutes)
- Enable remote wipe
- Enforce remote wipe upon a specified number of failed authentication attempts
- Enforce data encryption for users accessing or storing sensitive data.
Portable Media (CD, DVD, portable hard drive, USB thumb drive)
Encrypt sensitive data being transferred or stored on portable media. Devices that have native support for strong encryption, such as the IronKey flash drive, should be used rather than devices that do not support encryption. Sensitive files being saved to CD or DVD should be encrypted before being written to those media. PGP or GNU Privacy Guard provide the strongest encryption for that purpose.
Promptly report the theft or loss of any device that is storing sensitive information. You must notify both your local IT support staff and the Information Services Security group.
Remote Banner Users
Remote Banner users must use an institutionally owned computer that is checked out to the user on loan. The department is responsible for tracking security patches and updates, and ensuring that they are applied to the computer in a timely manner. A laptop is recommended for portability -- the user is more likely to bring a laptop back to the department to have security patches and updates applied.
This computer is for use by the employee only, and MUST NOT be used by any other individuals. Note: This includes spouse or significant other, children, friends, and visiting relatives.
The computer should be for work-related use ONLY, and it MUST be password protected. There should be no personal/recreational use. Note: This includes peer to peer/distributed file sharing, games, personal/recreational web surfing, and personal/recreational messaging.
Use the Cisco VPN client to encrypt connections to and from campus.
- For INB, use the bannervpn connection entry.
- For other campus services, use the standard campus VPN.
- Connections should be via DSL/cable broadband connection only (NOT modem).
- Configure your home wireless router to use a strong wireless password and WPA2/AES encryption. WEP encryption is NEVER acceptable.
Note: modem access is not recommended due to the high bandwidth commonly required to download critical updates.
Prior to any computer being re-issued for use by other staff, critical data should be backed up, the hard disk should be securely reformatted and operating system and applications reinstalled from the original media or from a clean image. The computer should then be updated and secured prior to issuing it to another user.
Re-usable portable media (USB flash drives, portable hard drives) should be securely reformatted prior to re-use. Single use media (DVD, CD) should be securely disposed of, in accordance with the university’s confidential material disposal policy. See http://libweb.uoregon.edu/records/conf_recyc.html.