Safe Computing Practices

Phishing

• This is the number one way credentials are stolen. Pause before you click. If you receive a message that doesn't look 100% right, call or text the sender to confirm the message's legitimacy.

Social Media

• Update your privacy settings in social media. StaySafeOnline has compiled a list of many online service providers and shows you exactly how to check your privacy settings in each one. Adjust your settings so you only share what you intend to share.
• Be choosy about who you friend.
• Photos can be a privacy risk in two ways: One is the geo-tag that may be attached to the photo when it's taken. The other risk is the background of your photo. The backgrounds in your vacation photos, for example, tell the world that you are away from your home for an extended period.
• Don't reuse passwords on multiple sites, and use stronger passwords for sites with highly sensitive personal information (like banks).

Personal Identity

• Protect your Social Security Number and other information that can be used to open an account or start a company.
• Consider getting credit monitoring service, or credit lock or freeze, to protect your financial identity.
• Don't give out your social security number to anyone but the Social Security Administration, Bank, and Employer. Others who ask can find another way to identify you.
• Don't share your entire birth date on social media. Keep the year discreet, so that it is not known to the general population.

Mobile Device Security

• Set a PIN, passcode or password on your mobile device, and allow your device to erase your data after 10 failed password attempts.
• Enable Find My Device.
• Enable Encryption.
• Don't Jailbreak your device.
• Download from trusted sites only.

Follow basic computer hygiene

• Install anti-virus or other malware protection on your device.
• Download from trusted sites only.

Scammers are getting increasingly good at making their email messages look legit. It can be difficult to distinguish a real message from a dangerous fake. Here are some simple things you can do to protect yourself from phishers who are out to steal your identity, your money or your security:

• Never click on unknown email links. Even when an email appears to be legitimate, mouse over the link to verify that the URL address is one you recognize and trust.
• Pay attention to the 'Reply To' address, even in emails that seem to be from someone you know.
• Never click on links to website logins, as they may redirect to fake login pages. If you need to, manually type the company's address into your browser so you know you're logging in to a page you trust.
• Never give out personally identifiable information like user IDs, passwords, birthdates, SSNs, addresses or password recovery information.
• Be wary of untrusted email attachments, and scan all attachments before opening them.
• Never respond to offensive messages or spam.
• Beware of scare tactics informing you of account revalidation processes or quota limits. Most online services will never ask for your username and password.
• Don't fall for enticing 'Prize Winnings,' 'Purchase Order' or 'Work Opportunity' scams. You are not the 999,999th visitor.

Faculty/Staff Email Security

• ODU faculty/staff email is protected by Microsoft Advanced Threat Protection (ATP), which automatically analyzes all links and attachments for malicious content. While this provides an additional level of protection, you should still exercise caution with all email links and attachments. Learn more about what ATP means for the security of your ODU email.

QR codes (quick response codes) are those square matrix barcodes that allow us to access coupons, promotional websites, receive exclusive offers, or learn about products. Most smartphones have QR code readers installed that allow us to point our camera at the square to open the promotional website.

Why are QR codes used?

QR codes save us the hassle of typing in a web address or URL. They can be placed in magazines, on posters, packaging, menus, or on billboards, anywhere a smartphone camera can be pointed. They are easy and helpful for consumers, and they are beneficial for companies or organizations.

What is the risk of using a QR code?

Like many conveniences that are enabled by technology, QR codes can be used in malicious ways. Understanding how this technology works and how it can be used maliciously can help us avoid being a victim of fraud or cyber-attack.

• Cyber attackers can print their own QR code and tape or glue the code on top of a legitimate QR code. An unsuspecting recipient will use the code, thinking it is taking them to a legitimate site, only to be directed to a malicious site.
  • A malicious QR code can send the device to a compromised website that downloads and installs malware.
  • A malicious QR code can send the device to a fake login page, where supplied credentials are gleaned, then used to attempt unauthorized access to online services.
• Cyber attackers can pose as a legitimate cause or service and print posters with a QR code to attract well-meaning passersby. Scanning any QR code from an untrusted source is a risk.
• Over time, a domain name used by a company may become available to be purchased because it is no longer used by the company. If a company has existing QR codes or other promotions using an old domain name URL, and a malicious actor has purchased the domain, they can use the domain for malicious purposes instead of the original use. When a customer scans the old QR code, their device is taken to the new location.
• As with any program, there is the potential of a bug in the QR code reader software. Being directed to a malicious site can leverage bugs in the software on the device, to compromise the camera, sensors, or data on the device.

What can we do to protect against malicious QR Codes?

• Never scan a QR code from an untrusted source. If the code is in a questionable email or on a physical poster of uncertain origin, then it is untrusted.
• If a QR code is on a poster, check to see if there is a sticker over the original QR code.
• Use a trusted QR code reader that is automatically patched. Some readers offer security features, such as previewing the content of a website before taking the device to that site or checking for known malicious sites to warn the customer.
• If you find a potentially malicious QR code, report it to the owner of the business or to the information security office of your organization.

A QR code should not automatically be trusted just because it appears on a poster with a compelling message. Do some research before scanning the code. A little prevention can save you from becoming an unsuspecting victim.

Password guidelines

• Use a longer passphrase rather than the minimum (MIDAS passwords can have up to 24 characters).
• Change passwords occasionally, or whenever there is a security concern.
• Never share your password with others.
• Never write down your password.
• Don't reuse passwords for multiple sites (bank, school, email, social media).
• Consider using a password manager (see below).
• Never enter passwords on untrusted web pages (look for a green padlock, or other indication of encryption security, in the address field).
• Be wary of using the "save password" option.
• Use two-factor options when available.

Why does my MIDAS password have to be so complex?

Your MIDAS credentials give you access to a wide range of web services, including ­MyODU portal, email and dozens of other ODU services. This reduces the number of accounts and passwords you must remember, increases the security of your personal and private information, and makes it easier to access ODU resources.

However, because it gives you access to so many systems, the MIDAS password rules and complexity must meet a lot of requirements. ODU's password practices (MIDAS password length, complexity, and rotation frequency) all blend together to adhere to industry standards and meet the requirements for identity assurance certification.

ODU takes the security and privacy of our students' information seriously. In order to have a less complex password that is still secure, the length of the password would have to increase or the frequency of change would have to be made shorter. We strive to balance these aspects and ultimately deliver a secure yet user friendly computing environment.

ITS Acceptable Usage Policy prohibits sharing your MIDAS password with anyone else.

Password managers

The best passwords are complex and unique. And for added security, you shouldn't write them down or duplicate them. So how do you remember all of those different passwords?

One option is to use a password manager. Password managers digitally store all of your passwords in one place, and in many cases can generate random secure passwords for you. You only have to remember one master password that unlocks them all.

Here are some password managers:

• 1Password - A password manager that protects a variety of data behind one master password. Store anything from passwords to account numbers, and search easily on any device. There is an annual subscription ($2.99/month, billed annually), but the first six months are free.
• BitWarden - A cross-platform and browser-based, open-sourced, password manager that allows you to sync to all of your devices from anywhere. There are paid versions with added features available along with the free open-source version.
• DashLane - A password manager and digital wallet that can keep track of many types of secure information. The free version works on any one device, but to access passwords in multiple places, you'll have to go premium ($39.99/year).
• KeePass - A free and open-source password manager. KeePass only runs on Windows, but there is a product called KeePassX which will run on Mac OS X and Linux.

These days, browsers will offer to remember your passwords for you. However, browsers are frequently targeted for attacks. It's better to use a password manager, whose sole purpose is to encrypt and protect your data.

Wireless internet (WiFi) networks in public places may be convenient, but they're not always safe. Many public WiFi spots are not secured, leaving users at risk of exposing sensitive information and data. The information you send over an unsecured WiFi network is not encrypted. Keep that in mind when deciding what information you access in public.

(Side note: MonarchODU is encrypted. AccessODU is not.)

You should always know what network you are joining. In an Evil Twin attack, a user is tricked into joining an imposter network that mimics the authentic public access network. Once the user joins, the attacker can easily intercept sensitive information.

Tips

• First and foremost, reduce your computer's vulnerablity by ensuring that your operating system and firewall software are up-to-date before connecting to any wireless network.
• Be aware that data sent through a unsecure WiFi network is sent in the clear and can be intercepted.
• Wireless data is not limited to just the range of your computer. Hackers can increase their range by using amplified antennas to intercept the signal from greater distances.
• Be cautious about the wireless network you join. Wireless networks that require a network security key or password protect the information sent over the secured networks as the information is encrypted.
• Be careful about what information you are sending. Never send personal information such as a user ID, password, banking information or credit card numbers.
• Disable shared folders while you're using public WiFi; file and printer sharing enables computers on the same network to access resources on your laptop, leaving you vulnerable to hackers.

These general practices are your first line of defense for staying safe while you are connected to the internet.

• Avoid questionable webites.
• Use caution with free software and file-sharing applications. There are many legitimate free and open-source applications that are quite useful, but there are also a lot of shady or downright malicious titles out there. Do your research before downloading anything free.
• Increase your browser security settings to a medium or high level.
• Type in a trusted URL for a company's site into the address bar of your browser instead of clicking on links in an email or instant message.
• Avoid clicking on pop-ups, even to close them. Instead, close pop-ups from the system tray area with a right mouse click.

Spotting a fake website

A scammer recently tried to gain access to MIDAS IDs and passwords by imitating the Monarch-Key web login page. Depending on your role at ODU, you may see this page several times a day and think nothing of entering your credentials. But in this case, there were some clues that indicated this was not a legitimate ODU login page. You should always pay close attention to your online surroundings to keep from entering important personal information on fake pages.

Image

Mobile devices are convenient and almost necessary in today's connected society. But if your smartphone or tablet is ever lost or stolen, or if you share data over networks that aren't secure, your personal information could be exposed. Take the following precautions to protect yourself and your data.

Protect your device

• Set a device password. This is your first line of defense if your device falls into the wrong hands. This password should be at least 8 characters long, complex and unique. Change your password every 30 days, or whenever anyone else learns what it is.
• Enable inactivity time out. Set your device to turn itself off after no more than five minutes of inactivity.
• Enable Erase Data to automatically erase the device after ten failed passcode attempts.
• Don't leave your device unattended. Be extra careful when travelling. One in twenty mobile devices is lost or stolen.
• Do not jailbreak. Only download apps from reputable developers in your device's app store.
• Keep your OS and all apps up-to-date. When your device is no longer supported with new updates, consider upgrading. And when your device has reached the end of its life with you, make sure it is erased or wiped before reassigning, replacing or returning it.

Protect corporate data

• Do not use cloud services to backup company data. And do not store any regulated data (HIPAA, FERPA, etc) on your mobile device at all.
• Do not send work related email to personal email accounts.

Protect your connections

• Ask to join WiFi networks. Make sure your device isn't automatically connecting to open networks without your knowledge.
• Be smart about WiFi connections. Do not use untrustworthy hotspots. When using open WiFi hotspots, make sure that the data you are transferring is encrypted. Check site certificates on any web authentication page before entering your credentials.
• Turn off unused connection services. If you're not using Bluetooth, WiFi, VPN or Location Services, turn them off to prevent unauthorized connections.

Facebook, X, and Instagram are great for connecting and sharing with each other. But an increasing number of people are falling victim to online harassment, identity theft or legal action because of things they share on social media. Here are some things to keep in mind while using these sites:

Quick tips

• Never post personal or sensitive information on a social site.
• Be careful how much information you share in your profile.
• Keep in mind that when you access applications or games on a social site, you are often giving complete strangers access to you and your friend's profiles.
• Be careful clicking unsolicited links inside social sites.

Minimize your exposure to phishing attacks on social media.

• Limit interactions to users you're sure you can trust. Make sure that you've either met them in person or that you have mutual connections and their profile seems credible. Don't interact with profiles if they don't know you or are contacting you for suspicious reasons.
• Avoid clicking on links or downloading file attachments sent to you through social media, especially if the links seem suspicious or if the users seem unfamiliar. On LinkedIn, it's common to share attachments like cover letters, resumes and letters of recommendation. When in doubt, pass the link or attachment in question to an open source malware detector.
• Ensure two-factor authentication is enabled on all of your social accounts. This provides another barrier of protection should an attacker ever steal your credentials. Many social networks can now require a code be sent to your phone or via email when they detect a new browser or device attempting to access your account, so be on the lookout for any sort of suspicious activity.

If you wouldn't post it on a resume don't post it online.

Don't get fired before you get hired. Employers have Internet access too, and they scour social networking sites to learn about potential employees. Innapropriate content or behavior will immediately lower your reputation and reduce your odds of employment. Keep your page appropriate, because you never know who is looking at it.

Sensitive information is for your eyes only.

A rising number of people are exposing sensitive information on social networking sites. Many don't realize that what they post can be read by people they don't know, and that information can be used maliciously and for identity theft. Do not share information that could help somebody guess your security questions, PIN numbers, address or social security numbers.

Security is essential.

While most social networking services allow you to block strangers from accessing your profile, people you don't know could still gain access to your page. Following these practices will help prevent such intrusions.

• Always log out of online services, especially if you are using them on public access computers.
• Avoid the use of automatic login as well, as it creates multiple avenues for hackers to gain access.
• Use different passwords for every online account, and reset your password whenever you feel your account may have been compromised.
• Finally, remember that just because you deleted something from your page doesn't mean it's gone; someone could have downloaded or kept your information somewhere else.

Options for greater security vary from site to site. Facebook, for example, allows users to set up log-in notifications, to allow you to ensure that you are the only person with access to your account. Many sites (banking in particular) will also use 2-factor authentication: Users are given a personalized key that the website displays to prove you're at the actual website. If you can enable 2-factor authentication, do so.

For people managing university social media accounts

If you manage an ODU social media account, you need to be even more mindful of Internet security. Remember, you are contributing to ODU's reputation while you use the ODU name.

• Use a different strong password for each account. Change those passwords whenever a member of your team leaves the University, or any time you feel the account may have been compromised.
• Use 2-factor authentication whenever possible.
• If the social media channel allows it, have it notify you when the account is accessed from unauthorized devices.
• Do not use auto-login options.
• Log out of your accounts on all devices after each use.
• Use social media management platforms like Hootsuite that can help with management and prevent sharing of accounts.

Traveling overseas with a laptop can be risky for your equipment, your data and your privacy. Because you can't always count on networks to be secure, you should assume that your device could be compromised at any time. There are some things you can do, however, to reduce your risks while traveling:

Protect your laptop

• Take a laptop that can be re-imaged when you get back.
• Back up your hard drive before you leave.
• Make sure your laptop has all of the latest security patches, anti-virus or malware protection, and local firewall enabled.
• Keep minimal data stored on your laptop (only non-sensitive or non-critical presentation-type data that you need during your travels). Instead, use ODU servers or cloud storage to access university data (via the VPN), and use personal cloud storage for important personal data.
• If you lose your laptop, report it to itshelp@odu.edu right away.

Protect your mobile device

• Back up your device settings prior to departure.
• Restore your device to default settings upon your return. You can re-download apps or restore from your backup when you get back.
• Use a longer device passcode or password.
• Enable find-my-device, remote wipe, and encryption; allow your device to erase itself after 10 unsuccessful login attempts.

Physical security

• Always keep devices in your physical possession.
• If they are taken for any reason (by customs or border agents, for example), assume they are compromised.

WiFi security

• Don't conduct any sensitive business over public WiFi.
• Do not download apps from hotels, internet cafes or other untrusted WiFi or devices while traveling.
• Pay attention to HTTPS vs. HTTP.
• Do not enter passwords or conduct sensitive business on public devices while traveling; if you need to use public devices, use them only for browsing non-sensitive materials.

VPN set up

• Use the ODU VPN every time you go online, especially when you need to access ODU resources or services.
• Test VPN access prior to departing.

Returning to the US

• Change your MIDAS password as soon as you get back.
• Re-image your laptop before connecting to any of your trusted networks (at home or ODU) to prevent any cross-network malware infections.
• Restore your mobile devices to a pre-travel backup.

The Travel Channel has some additional tips for protecting your personal data while traveling.

For more information about protecting your research and data while overseas, read the FBI's Best Practices for Academics Traveling Abroad.

Desktop "administrative rights" (as they are called on personal devices) should really be thought of as "administrative privilege" in a managed enterprise computing environment. The capabilities that come with desktop administrative privilege are powerful - to the user, to the support team, and to any adversary.

Local administrative privileges come with the power to do almost anything on a workstation: download any application, use any program, ignore or even undo anything IT administrators do to support your devices. Many users feel handcuffed or slighted without complete control, but that is certainly not our intention. The decision about whether to allow local administrator privileges must be based on the facts of the impact to the broader community.

Why do we restrict local administrator privileges?

• Administrative privileges give the user more power than is necessary - We base our decisions about administrative privilege on the fundamental security principle of least privilege - applying the minimum resources and authorization necessary to perform job functions. Most attacks begin with either a compromised computer or compromised credentials (or both), and a compromised desktop with unlimited rights can open a pathway to our entire enterprise computing environment. We simply have notably better security when we limit desktop administrative rights to provide only the capability you need while lowering our risks to an acceptable level.
• Routine Web browsing and email phishing put Windows workstations at constant risk - A user with non-essential administrative privileges puts the desktop at a much higher risk of infection and unauthorized control, leaving the broader computing environment at risk. The first host to be compromised is rarely the final target, but it becomes a staging area for a larger attack against the institution via "lateral movement," reconnaissance, internal targeting of higher-value targets, additional credential compromise, and ultimately to devastating results.
• By limiting administrative privileges, desktops are cleaner and more stable, with a longer lifespan - In an environment where administrative privilege is limited based on business needs, there are fewer Help Desk calls, system rebuilds, severe security events, and overall inconvenience.
• An administrator can turn off firewalls, malware protection, logging, and other security features - One of the first things an attacker does on a compromised workstation is to turn off the very settings, configurations and tools meant to protect the device and the enterprise. When we limit administrative privileges, an attacker has a harder time exploiting individual computers. The greater the administrative privileges of a user, the higher the risks and more difficult the support of their device becomes.
• There is NO WAY to protect a workstation that runs routinely with administrative privileges - Microsoft's own Security Policy states that a user in the local admin group can manage the computer 100%. There is no way of controlling administrators with Group Policy. They can do what they want, full stop.
• Modern attackers, including Ransomware criminal rings, know how to exploit local administrative privileges to allow them to reside on a network, undetected, for a longer period of time. This gives them an advantage in finding the most valuable targets that can cause the most harm to individuals and to the organization.

At ODU, the ITS Desktop Support and IT Security Teams have put a lot of work into providing options for administrative workstation privileges that balance required privileges with lowered risks. (More information at https://odu.edu/facultystaff/computing/workstations/standards.)

Option 1: ODU-managed workstation
The most common, most secure, and most supportable option.

• Individual users have no administrative privileges on their computers and must contact the ITS Help Desk to make changes or install software that requires elevated privilege. ITS provides responsive support to all requests.
• To make things a little easier, users can download and install common applications on ODU-managed workstations using Company Portal (Windows) or Jamf Self Service (Mac) without ITS intervention.

Option 2: Administrative rights on ODU-managed workstations
Available with supervisor approval and justifiable business need.

• Computers are fully managed, patched and supported, with a protected operating system and access to University networked resources (file, print).
• Workstations are protected by security monitoring, detection and response (automated in some cases).
• This option removes the desktops as a barrier to being covered under the University cyber insurance plan.

Option 3: Self-Administered Workstation
User is given a local admin account to perform administrative functions on a University-owned computer.

• This option is primarily for research computing environments that have specialized requirements that cannot be supported by the university's standard computer configuration.
• Desktops are not joined to the University Active Directory Domain, meaning extra steps are required to access university file shares and printers over a VPN connection.
• Computers provide a subset of security settings, including endpoint monitoring with alerts, but we have a reduced capacity for ITS support if assistance is needed, and ITS is not able to remotely control these devices.
• You are responsible for backing up your own data and must sign an agreement taking responsibility that includes CISO's agreement.

References:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models#on-workstations

https://www.channelfutures.com/security/removing-admin-rights-key-to-stopping-microsoft-vulnerabilities

https://odu.edu/about/policiesandprocedures/computing/standards/04/03

https://odu.edu/facultystaff/computing/workstations/standards