Your primary responsibility is keeping your workstation secure. Given the nature of the data within the HRS system, it's very important to have an updated machine.
The most common forms of computer attacks are executed via email, malicious websites, removable media, and social engineering. Although the computer itself is under attack, the primary target is the end user. The attacker is attempting to trick the user into performing the actions needed to execute the attack. To protect yourself and your workstation you will want to:
- Recognize malicious emails and refrain from clicking on attachments or links.
- Keep your work computer for work purposes by not clicking on advertisements or random links on a webpage.
- Be careful with removable media. If you find a lost USB drive or other removable device, do not connect it to your computer. Instead, turn it in to the Office of Cybersecurity to prevent data loss.
- Beware of social engineering. Social engineering is the clever manipulation of human willingness to trust other people. Even the best automated defenses cannot protect against this type of attack.
Your secondary responsibility is securing any personal computer devices that can impact the security of UW-System. If you utilize a personal computer for any work purposes, you need to ensure the security of that device. There are several best practices that you can utilize to secure personal devices:
- Keep your operating system and applications patched with the most recent updates. A few examples of these applications are your Internet browser, Adobe products and Java.
- Install and maintain anti-virus software.
- Ensure that a host-based firewall is enabled.
- Password protect your workstation with a strong password.
Securing Mobile Devices
The primary concern is that mobile devices can be easily lost or misplaced. Additionally, you need to be aware of protecting your mobile device against the following:
Malware and Spyware: The amount of malware reported for mobile devices is rapidly increasing.
Dialing for Dollars: An attacker sets up a premium text message system. The attacker creates malware to dial that number. The malware is installed as part of a downloadable game. The cell phone then periodically texts the number, adding charges to the owner's cellular bill.
QR Codes and Shortened URLs: Short URLs and QR codes do not indicate where the end user is being directed. The user could be sent to a site that attacks the user's device.
Phishing Websites: Phishing websites are not new. Scammers have been targeting mobile devices because it is more difficult to recognize a site as malicious on a mobile device such as a smartphone.
Drive-by Downloads: An attacker compromises a real website and installs hidden malware on it. The malware will download when a user visits the site. This type of site is difficult to detect without security software.
BEST PRACTICES FOR MOBILE
- Be sure to use a strong and unique passcode or pattern sequence. If your unlocked phone is stolen your work accounts can be accessed easily.
- Keep your device up to date. That includes both the operating system and the apps running on your device.
- Be cautious when clicking on links or QR Codes.
- Research an app before installing it.
- Only use trusted sources for purchasing and downloading apps.
- Only download applications that you need.
- Review permissions requested by applications carefully. If something doesn’t look right, don’t install the app.
- Applications sometimes contain viruses or malware that can steal important information on the phone. Even the official app stores sometimes offer malicious apps that slip through their screening process.
Connecting Remotely and Public Access
While the Internet allows us to work from nearly anywhere, it also makes it easier for attackers to listen in on our communications. You should be especially mindful of how you're accessing campus resources from an untrusted network.
- Best practice when working in these locations is to use a Virtual Private Network, or VPN. Most campuses offer a VPN service that can be downloaded on work and personal machines. Using a VPN will protect your internet traffic from being monitored by someone else using the public network.
- Do not use kiosks to access any work or personal accounts and services.
- It is easy for someone to eavesdrop on you, both physically and electronically. They can listen in on your conversations, view your screen, and watch your network traffic (if unsecured). Work in a location where others can't peer over your shoulder to easily see what you are working on.
- Avoid storing restricted or sensitive data on your devices if at all possible. If you're unsure of what you may have stored, you can use data discovery tools, like Identity Finder (available at many campuses), to scan your workstation for restricted data. Identity Finder is a Windows and MacOS X software package that helps locate restricted data and personally identifiable information on your machine.
Lost Mobile Device Stats
In 2011, Symantec conducted a Honey Stick Project, which involved tracking devices that were intentionally lost in several major cities. The test found:
- 96 percent of the lost devices were accessed by the finders
- 89 percent of the devices were accessed for personal-related apps containing personal data
- 83 percent of devices were accessed for corporate-related apps containing work-related data
- 50 percent of finders attempted to contact the owner
There is an increasing demand for mobile devices in the workplace. There are several Mobile Device Management solutions that can be utilized to protect these devices. Some features that are typical for Mobile Device Management solutions include:
- Remotely locate your device.
- Remotely wipe your device if absolutely necessary.
- Prevent the installation of some malicious applications.
Stolen Laptop Stats
Below are statistics from the University of Wisconsin Police Department regarding the reporting and recovery of stolen laptops.
| Year | Computers Stolen | Computers Recovered |
According to UW Police, "almost all of our laptops are stolen when unattended and unsecured. Those little laptop locking cables actually are a deterrent, because most thefts are opportunistic and if in an area with other people around, the last thing a thief wants to do is to attract attention. If in an isolated area, a cable may be easily compromised."