
Security Tip of the Week Archive

Install Anti Virus Software

  1. Don't let spyware control your computer use

    Did you know that eight out of ten computers are infected with spyware? Spyware is computer software that is surreptitiously installed on your computer and takes partial control of it without your consent. This malicious software can perform many behaviors, including:

    • bombarding you with pop-up advertisements
    • changing your home page or search page settings
    • adding extra toolbars to your web browser
    • slowing down your computer
    • crashing your system
    • tracking your activities

    Lower your risk by taking the following steps:

    • Update your operating system and Web browser software, and set your browser security high enough to detect unauthorized downloads
    • Use anti-virus and anti-spyware software, as well as a two-way firewall, and update them regularly
    • Download free software only from sites you know and trust. Enticing free software downloads frequently contain other software, including spyware
    • Don't click on links in pop-ups
    • Don't click on links in spam or pop-ups that claim to offer anti-spyware software

    Visit http://onguardonline.gov/spyware.html or http://www.rochester.edu/it/security/computer/spyware.html for more information concerning spyware.


  2. Malware

    Click here for a PDF version of this tip that can be printed and used as a poster.

    Malware is short for "malicious software"; it includes viruses – programs that copy themselves without your permission – and spyware, programs installed without your consent to monitor or control your computer activity. Criminals are hard at work thinking up creative ways to get malware on your computer. They create appealing web sites, desirable downloads, and compelling stories to lure you to links that will download malware, especially on computers that don't use adequate security software. Then, they use the malware to steal personal information, send spam, and commit fraud.
    Computers may be infected with malware if they:

    • Slow down, malfunction, or display repeated error messages
    • Won't shut down or restart
    • Serve up a lot of pop-up ads, or display them when you're not surfing the web
    • Display web pages or programs you didn't intend to use, or send emails you didn't write.

    If you suspect malware is lurking on your computer:

    • Stop shopping, banking, and other online activities that involve user names, passwords, or other sensitive information. Malware on your computer could be sending your personal information to identity thieves.
    • Delete all unwanted email messages without opening them.
    • Do not click on web links sent by someone you do not know.
    • Confirm that your security software is active and current. At a minimum, your computer should have anti-virus and anti-spyware software, and a firewall.
    • Once your security software is up to date, run it to scan your computer for viruses and spyware, deleting anything the program identifies as a problem.
    • If you suspect your computer is still infected, you may want to run a second anti-virus or anti-spyware program – or call in professional help.

    Monitor your computer for unusual behavior. If you suspect your machine has been exposed to malware, take action immediately. Report problems with malware to your Internet Service Provider (ISP) so it can try to prevent similar problems and alert other subscribers, as well as to the Federal Trade Commission.


  3. Don't Click on FakeAV

    One of the most successful social engineering attacks to appear recently is FakeAV. Criminals are creating authentic-looking copies of Windows screens and notices that make users believe their machine is infected with viruses and offer an anti-virus (AV) program to help remove the infection. The screens may even entice users with recent events, such as a celebrity’s death, to lure them into clicking their link. Once the user clicks the link and installs the anti-virus program, they must pay money to make it operational and/or uninstall it. The FakeAV program will continue sending annoying messages and intrusive alerts until the user provides payment. In addition to being annoying, some of these programs even steal users’ local data and install keyloggers to steal passwords.
       
    If you observe a Windows page that states you have a virus or other computer-related issue, contact your department’s information technology staff before clicking any links. Once you click on the link, the file is installed and your computer is infected. Either way, you’ll be contacting your department’s information technology staff.


  4. Keep Your Computer Virus-Free

    Are you worried about your computer becoming infected with a virus? Don't want to spend a small fortune on antivirus software? Then today is your lucky day!

    The University provides Sophos Antivirus Software FREE to all faculty, staff, and students. This software should be installed on University computers, and any personal computers that access University resources. The software offers a broad range of protection for desktops, file servers, and email servers and gateways.

    Download Sophos desktop antivirus software for PCs and Macs.

    ** URMC users, please click here for more specific antivirus information and contact the ISD Help Desk at 275-3200 for assistance **

    Antivirus software helps prevent a virus from invading your computer. Here are some safe practices you can follow:

    • If you are unsure about an attachment, delete it, especially if it is from a source you don't recognize.
    • Don't download unknown programs from the Web. This includes freeware, screensavers, games, and any other executable program - any files with an ".exe" or ".com" extension, such as "coolgame.exe." If you do have to download from the Internet, be sure to scan each program before running it.
    • Update your antivirus software regularly. New viruses, worms, and Trojan horses are born daily, and variations of them can slip by software that is not current.
    • Configure your antivirus software to boot automatically on start-up and run at all times. This will provide you back-up protection in case you forget to scan an attachment, or decide not to scan.
    • Scan all incoming email attachments. Do this even if you recognize and trust the sender; malicious code, like Trojan horses, can slip into your system by appearing to be from a friendly source.
    • Delete chain emails and junk email. Do not forward or reply to them. These types of email are considered spam - unsolicited, intrusive messages that clog up inboxes and networks.
    • Don't automatically open attachments. Be sure your email program doesn't automatically download attachments. This will ensure that you can examine and scan attachments before they run. Refer to your email program's safety options or preferences menu for instructions.
    • Back up any important files on an external drive or disk. In case a virus finds its way to your computer, be prepared. If a virus destroys your files, you will be able to replace them with your back-up copy. You should store your backup copy in a separate location from your work files. *

    * Please see our tip of the week regarding Backing up your data


  5. Apple Users Targeted

    The growing success of Apple's Mac OS, bolstered by iPhone sales and new iPad tablet users, has caught the attention of cybercriminals who are setting their sights on Apple users.

    Recently, Apple computer owners have been subjected to a number of specialized malware attacks that insist Mac users download a malware version of the popular MacDefender antivirus application, infecting their computers as a result. Additional information about this malware can be found at:

    http://isc.sans.edu/diary.html?storyid=10813

    http://tech.fortune.cnn.com/2011/05/04/is-mac-under-a-virus-attack/

    Another recent announcement involved a new Do-It-Yourself crimeware kit aimed at the Mac OS X platform. The toolkit is being sold in low numbers on several black hat hacking forums.

    Additional information about this attack can be found by clicking here.

    What Can You Do?

    To help protect yourself from malware, you should make sure that your Sophos antivirus software is up to date.  Sophos antivirus is available free to the University of Rochester community. 

    For University departments that are not part of the Medical Center, visit here for more information about anti-virus protection, and to download your version today.

    For Medical Center departments, please reference here

    Additionally, you should disable "Open safe files after downloading" in Safari to prevent malware from automatically becoming installed.


  6. Has Your Computer Been Infected?

    You are at the center of secURity.

    Click here for a PDF version of this tip that can be printed as a poster.

    Chances are you have received an email or had a free antivirus scan pop-up on your screen. Scammers and identity thieves are exceptionally good at identifying new opportunities and one area they have been dabbling in recently is the antivirus and anti-spyware market.

    There are many criminals who are now selling, or even giving away, software that would appear to offer essential protection to those who surf the net. In reality, many of the programs do not function at all, or are designed to infect and spread the malicious codes they were supposed to protect against.

    What Should I do?

    • Never click on pop-up advertisements. Not even to close them. This may cause trouble.
    • Only open an email attachment if you are POSITIVE about the source.
    • If you land on a website and see a warning from Google about its content, pay attention and leave the website.
    • If you aren't sure if a product is legitimate, search the name on Google to verify its authenticity.
    • Only buy anti-virus and anti-spyware products from reputable companies. Remember that scam artists will often use names that make their sites or products appear to be from reputable vendors.
    • Remember your home computer needs antivirus protection just as much as your computer at the University does.
    • NOTE: The University provides FREE antivirus software to all University students and employees.

    For University departments that are not part of the Medical Center, visit here for more information about anti-virus protection, and to download your version today.

    For Medical Center departments, please reference http://intranet.urmc-sh.rochester.edu/InfoSystems/HelpResources/ApplicationTips/AntiVirus/index.asp.

    Check out this list of rogue/fake anti-virus and anti-spyware products.  

    Our archive of past "Security Tips of the Week" is available for your information.


  7. Protect Your Computer: Anti-Virus Software


    • For University areas, click here for a poster that can be printed and placed in your area.
    • For URMC areas, click here for a poster that can be printed and placed in your areas.

    The University has anti-virus software available for FREE to all faculty, students, and staff at the University.  This software, from Sophos, offers a broad range of protection for desktops, file servers, e-mail servers and gateways. 

    If you do not have Sophos Anti-Virus currently installed, please join the effort to keep the University network virus-free by installing this software now.

    For University departments and students that are not part of the Medical Center, visit here for more information about anti-virus protection, and to download your version today.

    For Medical Center departments, please reference http://intranet.urmc-sh.rochester.edu/InfoSystems/HelpResources/ApplicationTips/AntiVirus/index.asp.


  8. Protecting University Data: Anti-Virus Protection


    The University coordinated a large-volume anti-virus software purchase in 2006 to encourage widespread use of comprehensive anti-virus programs on the University's network. This software, from Sophos, offers a broad range of protection for desktops, file servers, e-mail servers and gateways. This software is available for free to all faculty, students, and staff at the University.

    If you are not currently using any anti-virus software, then please join the effort to keep the University network virus-free.

    For University departments and students that are not part of the Medical Center, visit here for more information about anti-virus protection, and to download your version today.

    For Medical Center departments, please reference http://intranet.urmc-sh.rochester.edu/InfoSystems/HelpResources/ApplicationTips/AntiVirus/index.asp.


  9. Protect Your Computer - Malware


    Click here for a printable version of this tip that can be used as a poster.

    What is Malware?

    Malware is short for "malicious software."  It includes viruses and spyware that get installed on your computer, phone, or mobile device without your consent.  These programs can cause your device to crash and can be used to monitor and control your online activity.  Criminals use malware to steal personal information, send spam, and commit fraud.

    Is My Computer Infected?

    Your computer may be infected with malware if it:

    • slows down, crashes, or displays repeated error messages
    • won't shut down or restart
    • serves up a barrage of pop-ups
    • displays web pages you didn't intend to visit, or sends emails you didn't write

    Other warning signs of malware include:

    • new and unexpected toolbars
    • new and unexpected icons in your shortcuts or on your desktop
    • a sudden or repeated change in your computer's internet home page
    • a laptop battery that drains more quickly than it should

    Keep in mind that malware can also silently infect computers. The best way to detect and prevent it is to have up-to-date anti-virus and operating system software in place before an infection happens.

    How To Avoid Malware

    • Update your operating system and Web browser software, and set your browser security high enough to detect unauthorized downloads.  Remember that support for Windows XP ends on April 8th, 2014.  Windows 7 should be installed as a replacement for Windows XP whenever possible. 
    • Use anti-virus and anti-malware software, as well as a two-way firewall, and update them regularly.  The University provides FREE anti-virus software to all faculty, students, and staff.  You can get more information about anti-virus software, and how to download it by going to http://www.rochester.edu/antivirus
    • Download free software only from sites you know and trust. Enticing free software downloads frequently contain other software, including spyware
    • Don't click on links in pop-ups
    • Don't click on links in spam or pop-ups that claim to offer anti-malware software

    Where To Go For Help

    Visit http://onguardonline.gov/malware and https://www.rochester.edu/it/security/computer/viruses_Worms_Malware.html for further information on malware.

    If you suspect your machine may be infected, and you need assistance, contact your departmental security liaison or your IT Help Desk for assistance.

    Spyware Game

    Try this fun Spyware Game to learn the clues about spyware.


  10. CryptoLocker and Sophos Anti-Virus Software

    Over the past few weeks, the University has received several inquiries about the CryptoLocker trojan.  CryptoLocker makes your computer files inaccessible until you pay a fee to restore your access.  Sophos Anti-Virus has offered protection from CryptoLocker since early September, 2013. 

    Sophos Anti-Virus is provided FREE for all University faculty, students, and staff.  If you do not have Sophos installed, it can be downloaded from http://www.rochester.edu/antivirus.

    To ensure you are protected against the CryptoLocker trojan, we urge you to check your computer to verify that you have Sophos Anti-Virus installed and up to date.  Most URMC computers are centrally managed, and should be at the most current version.  If your version of Sophos is outdated, right-click on the Sophos shield icon and select 'Update Now'.  After it finishes the update, check to see if it's now running the current version.  If Sophos won't update to the latest version, please contact the University IT Help Desk at 585-275-2000 for University areas or the ISD Help Desk at 585-275-3200 for Medical Center areas.

    If you need help checking your version, you can follow the steps below.

    How to check Sophos on a Windows computer

    • Right-click the Sophos shield icon in the system tray and select 'Open Sophos Endpoint Security and Control'.
    • Click 'View product information' in the left pane menu.
    • Expand '+Software' under 'Anti-Virus and HIPS' and verify that Sophos Anti-Virus is at least 10.3.1 (10.0.11 if using Windows 2000).

    How to check Sophos on a Mac OS X computer

    • Click the Sophos shield icon in the Apple menu bar and select 'About Sophos Anti-Virus'.
    • Verify that the version is at least 8.0.19 if running Mac OS X 10.4 or 10.5, or at least 9.0.5 if running Mac OS X 10.6, 10.7, 10.8, or 10.9.
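
    For IT staff checking many machines at once, the minimum versions above can be applied to an inventory export. This is an added example, not University or Sophos code; the inventory rows, host names and operating-system labels are constructed for illustration.

```python
# Added example: compare reported Sophos Anti-Virus versions against the
# minimums stated in this tip. Inventory rows and OS labels are constructed.

# Minimum Sophos Anti-Virus versions, as given in the tip.
WINDOWS_MIN = "10.3.1"
WINDOWS_2000_MIN = "10.0.11"
MAC_MIN = {
    "10.4": "8.0.19", "10.5": "8.0.19",
    "10.6": "9.0.5", "10.7": "9.0.5", "10.8": "9.0.5", "10.9": "9.0.5",
}


def parse_version(text):
    """Turn '10.3.1' into (10, 3, 1) so comparison is numeric, not textual."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def at_least(installed, minimum):
    """True if 'installed' is the same as or newer than 'minimum'."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    # Pad the shorter version with zeros so '10.3' equals '10.3.0'.
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def required_version(os_name, os_version):
    """Return the minimum for this OS, or None if the tip does not cover it."""
    name = os_name.strip().lower()
    if name == "windows":
        return WINDOWS_2000_MIN if os_version.strip() == "2000" else WINDOWS_MIN
    if name == "mac os x":
        # '10.8.5' is matched on its first two components, '10.8'.
        major_minor = ".".join(os_version.strip().split(".")[:2])
        return MAC_MIN.get(major_minor)
    return None


def check_host(host):
    """Classify one inventory row as 'ok', 'outdated', 'missing' or 'unknown'."""
    minimum = required_version(host["os"], host["os_version"])
    if minimum is None:
        return "unknown"
    if not host.get("sophos"):
        return "missing"
    try:
        return "ok" if at_least(host["sophos"], minimum) else "outdated"
    except ValueError:
        return "unknown"


def report(inventory):
    """Map each host name to its status."""
    return {row["host"]: check_host(row) for row in inventory}


# Constructed sample inventory (not real University hosts).
INVENTORY = [
    {"host": "lab-pc-01", "os": "Windows", "os_version": "7", "sophos": "10.3.1"},
    {"host": "lab-pc-02", "os": "Windows", "os_version": "XP", "sophos": "9.7.4"},
    {"host": "old-pc-03", "os": "Windows", "os_version": "2000", "sophos": "10.0.11"},
    {"host": "mac-04", "os": "Mac OS X", "os_version": "10.8.5", "sophos": "8.0.19"},
    {"host": "mac-05", "os": "Mac OS X", "os_version": "10.5.8", "sophos": "8.0.19"},
    {"host": "mac-06", "os": "Mac OS X", "os_version": "10.9", "sophos": ""},
]

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

    Comparing the version strings as plain text would rank "9.7.4" above "10.3.1" and report lab-pc-02 as current, which is why the versions are parsed into numbers first.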

     


  11. Password Protection - Check the Strength of Your Password


    Click here for a version of this tip that can be printed and used as a poster.

    Your online accounts, computer files, and personal information are more secure when you use strong passwords to help protect them.  Passwords are the first line of defense for all users. If someone knows your password, all other security is useless!

    A recent study shows that several of the top e-commerce websites scored low in password security.  Further information on this can be found at http://www.cbsnews.com/news/study-ranks-ecommerce-sites-by-security-and-password-policy/.

    Reminders:

    • At no time and under no circumstances should you share your password or log in using someone else's password.
    • If someone contacts you and asks you for your password on behalf of The University of Rochester, please contact your appropriate Helpdesk so we can investigate.
    • Do not use the "Remember Password" feature of applications (e.g., web browser).
    • Do not store passwords in a file on ANY computer system (including smart phones, thumb drives or any similar device) without encryption.

    Check Your Password Strength

    The strength of a password depends on the different types of characters that you use, the overall length of the password, and whether the password can be found in a dictionary.

    You can check the strength of your password by using the following secure password checker.


  12. Sophos for Macs


    Do you have Sophos Anti-Virus installed on your Mac?  If so, you should check your system to ensure it is utilizing the current Sophos Anti-Virus server and obtaining the necessary version and definition updates.

    1) From the menu bar, click the Sophos shield icon and then click ‘Open Preferences…’.


    2) When the Sophos Anti-Virus preferences open, click on AutoUpdate.


    3) Check the Address text box. If the Address text box begins with http://its-w2ks42.ur.rochester.edu, please proceed to step 4. If the address text box has another address listed, your system is all set and no further action is required.


    4) Follow the directions at http://www.rochester.edu/it/security/computer/osx-remove.php to uninstall and then install a fresh copy of Sophos.


  13. Protect Your Computer: Anti-Virus Protection


    Did you know that anti-virus software is the most important security software that you can have on your computer?

    To help ensure your safety, the University offers a premier and comprehensive anti-virus solution to all faculty, staff, and students. This software, from Sophos, has a broad range of protection for desktops, file servers, e-mail servers and gateways. This software is available for free to all faculty, students, and staff at the University and can also be placed on your home computers.

    Please view our anti-virus video to gain additional information on where to obtain anti-virus software, or go to www.rochester.edu/antivirus.

     


Keep Your Computer Updated

  1. Windows XP End of Support


    As of April 8, 2014, support and updates for Windows XP will no longer be provided by Microsoft.  End of support presents a risk to the University as there will be no more security patches supplied for Windows XP after this date, which raises the risk of infection by viruses and other malicious methods used by computer hackers on the internet. 

    If you haven't already done so, you should be upgrading your systems to a currently supported version of the Windows operating system.   For University owned systems, University IT's current recommendation is that you upgrade to Windows 7.  For home computers, you should be using either Windows 7 or Windows 8.x.

    Any questions concerning upgrading your Windows XP systems should be directed to your IT support area.

    Further information about Windows XP end of support can be found in a recent article in Rochester's local newspaper at http://www.democratandchronicle.com/story/money/business/2014/03/17/windows-xp-ends-small-businesses/6536181/.


  2. Protect Your Computer - Attack Resistant Computers


    Click here for a version of this tip that can be printed and used as a poster.

    An up-to-date, properly configured computer is the best way to keep your computer safe from viruses and attacks. Making sure all security patches are installed, making sure anti-virus software is receiving daily updates, and disabling unneeded features such as file sharing and personal web sharing are all important steps.

    You should:

       While the software is checking for updates, you should notice that the left side of the shield is flashing green. If the updates are unsuccessful, the shield will change its appearance. If you see the red X, try to run the updates again by double-clicking on the shield. If this does not work, contact the IT Center at 275-2000 (for University departments that are not part of the Medical Center) or the ISD Help Desk at 275-3200 (for Medical Center departments).

    • Only install the software packages that you need on your computer.

      Many exploits used by computer hackers target vulnerabilities in computers that are running unnecessary services. For example, applications such as the Java Runtime Environment should only be installed if another application you use requires it.  Java is a platform that is frequently targeted.  If you do need to install this software, you should keep the software current with any released patches.  

      You should contact your IT support area if you have questions concerning what software you should be installing.


Create Strong Passwords

  1. Passwords are the key to your data

    Click here for a PDF version of this tip that can be printed and used as a poster.

    Create a password that is easy to remember, but hard for anyone else to guess.

    When choosing a password:

    • Don't use passwords based on personal information that may be easily accessed or guessed.
    • Don't use words in any dictionary of any language.
    • Develop a mnemonic for remembering complex passwords.
    • Create passwords with uppercase and lowercase letters.
    • Also use a combination of letters, numbers, and special characters.
    • Use different passwords on different systems.

    Visit http://www.rochester.edu/it/security/yourself/passwords.html for more information about strong passwords, and to try the password checker to test the strength of your password.


  2. 10 Most Easily Stolen Passwords

    Click here for a PDF version of this tip that can be used as a poster.

    You are at the center of secURing your data.

    A recent study looked at 32 million exposed passwords and revealed the 10 most common. They include:

    1. 123456
    2. 12345
    3. 123456789
    4. Password
    5. iloveyou
    6. princess
    7. rockyou
    8. 1234567
    9. 12345678
    10. abc123

    Many of the stolen passwords used common slang words, adjacent keyboard keys and names presumably important to the user (such as family members).

    It is important that you choose a complex password that you can easily remember. Please avoid these common password practices. Further information about passwords can be found by clicking here.


  3. Password Protection - Comic and Quiz for Prizes!

    We thought you might enjoy the following comic to go along with this month's emphasis on choosing strong passwords to help protect yourself and your data.

     Password Comic

     

    Quiz -- Win Prizes!!

    To wrap up this month's campaign, we want to provide you with an opportunity to be entered for a random drawing to win one of three $25 gift cards to University IT Computer Sales by successfully completing our quiz.  You can get to the quiz by clicking here.


  4. Password Protection - Passwords That Work

     


    Click here for a version of this tip that can be printed and used as a poster.

    A good password has a system for creating codes that are easy to remember but hard to crack. Here are guidelines for creating effective and memorable passwords:

    • Choose a phrase that's at least five words long. It could be a book, a song title or quote. Draw your core password from that, perhaps by using the first letter of each word. For example, the first letters of the book title The Cat in the Hat Comes Back are: tcithcb. This step protects you from an attack where someone tries to crack your phrase using known words and proper names.
    • Now alter some of it. Replace some lowercase letters with capital letters, numbers or symbols. For example: Tc!tHc6 capitalizes the first and fifth letter, replaces the "i" with an exclamation point, and replaces the "b" with the number 6.
    • Customize the password for each use. Add a character or three to the core password to ensure that every pass phrase is at least seven characters long and includes a number. Generate an extra letter and number based on the name of the program you're accessing. For example: o5Tc!tHc6 could be a password for a Yahoo Web mail account, adding an "o" for the last letter of Yahoo, and a 5, for the number of letters in Yahoo.
    • Write down your hint. Now you can write down a mnemonic device that will jog your memory without being obvious to anyone else. Hide this piece of paper or keep it in your wallet. For example, you could write down "basic: cat" to recall the Dr. Seuss title.
    • Establish different levels of passwords. Use different core phrases to develop passwords for online banking, for accounts that use your credit card and for those that don't involve financial information. If you can't change your password every 90 days, do so whenever daylight-saving time starts and stops.


  5. Password Protection - Password Storing Tools


    The average user has roughly 15 password protected accounts.  With the need to keep your passwords unique and secure, this can be very complicated to manage. 

    There are numerous products available to aid with your password management, the most common of which is a password safe.  A password safe encrypts all of your usernames and passwords using one strong master password.  Although we are not endorsing any of these products specifically, some examples include: 

    Free Software Product

    One software product that is available free of charge is KeePass Password Safe. Information about KeePass can be found at: http://keepass.info/.

    Commercial Software Products

    There are several commercial software products available to assist with your password needs.  A 2011 Password Management Software Review Product Comparison can be found by clicking here.

    Portable Devices

    Portable devices can also be used to manage your password storing needs.  Some available products include:

    There are numerous other products that we did not mention here.  The important message is that you find a method that works for you, and use it to help keep your personal information safe.  Also, most password storing tools should require you to set a password.  Be sure to use a strong password when setting this up.


  6. Password Protection - The 25 Worst Passwords of 2013


    Security firm Splashdata, which every year compiles a list of the most common stolen passwords, found that "123456" moved into the number one slot in 2013.  Previously, "password" had dominated the rankings.

    Weaker passwords are more susceptible to brute-force attacks, where hackers attempt to access accounts through rapid guessing.  When encrypted passwords are stolen, weaker ones are the first to fall to increasingly sophisticated cracking software.

    You should always avoid common words and phrases.  Consider using phrases of random words,

    Here is the full list of worst passwords from 2013, according to Splashdata:

    1. 123456
    2. password
    3. 12345678
    4. qwerty
    5. abc123
    6. 123456789
    7. 111111
    8. 1234567
    9. iloveyou
    10. adobe123
    11. 123123
    12. admin
    13. 1234567890
    14. letmein
    15. photoshop
    16. 1234
    17. monkey
    18. shadow
    19. sunshine
    20. 12345
    21. password1
    22. princess
    23. azerty
    24. trustno1
    25. 000000

    For more information on how to create a good password, visit https://www.rochester.edu//it/security/yourself/passwords.html
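
    The three factors named under "Check Your Password Strength" (character types, length, and whether the password appears in a dictionary) can be applied to the lists and example passwords in this archive. This is an added example, not the University's password checker; the 8-character minimum, the three-character-type rule and the bit estimate are assumptions of this example.

```python
# Added example: rate a password on the three factors this archive names.
# Thresholds are assumptions; the word list is copied from the tips above.
import math
import string

# The 25 worst passwords of 2013 as listed in this tip, plus "rockyou" from
# the earlier "10 Most Easily Stolen Passwords" tip.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
    "sunshine", "12345", "password1", "princess", "azerty", "trustno1",
    "000000", "rockyou",
}

# Number of distinct characters each character type contributes.
POOL_SIZES = {"lower": 26, "upper": 26, "digit": 10,
              "symbol": len(string.punctuation)}


def character_classes(password):
    """Return the set of character types used in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def search_space_bits(password):
    """Upper bound on guessing effort, valid only for random characters."""
    pool = sum(POOL_SIZES[c] for c in character_classes(password))
    return len(password) * math.log2(pool) if pool else 0.0


def is_common(password):
    """True for a listed password, ignoring case and trailing decoration."""
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        return True
    # 'Princess2014!' is still 'princess' to a cracking tool's rule engine.
    stem = lowered.rstrip(string.digits + string.punctuation)
    return bool(stem) and stem in COMMON_PASSWORDS


def assess(password, min_length=8, min_classes=3):
    """Return the findings for one password; no findings means acceptable."""
    findings = []
    if is_common(password):
        findings.append("appears on a common-password list")
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if len(character_classes(password)) < min_classes:
        findings.append(f"uses fewer than {min_classes} character types")
    return {
        "bits": round(search_space_bits(password), 1),
        "findings": findings,
        "acceptable": not findings,
    }


if __name__ == "__main__":
    # Samples: list entries, a decorated list entry (constructed), and the
    # three stages of the mnemonic from "Passwords That Work".
    for sample in ["123456", "Password", "Princess2014!",
                   "tcithcb", "Tc!tHc6", "o5Tc!tHc6"]:
        print(sample, assess(sample))
```

    "Princess2014!" satisfies the length and character-type rules and still fails, because the dictionary check is made independently of the other two.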


  7. Password Protection - Valentine's Day Poster


    Sharing is caring! However, in honor of Valentine’s Day this Friday, the information security awareness team wants to remind everyone to think twice before sharing your passwords. No matter if it is with a loved one, friend, colleague or acquaintance, are you sure your password needs to be shared?

    We encourage you to download and distribute the following Valentine’s Day poster which provides fun reminders of what to share and what NOT to share.  Click here to access the poster.

    For more information on password security, please visit: https://www.rochester.edu/it/security/yourself/passwords.html

     


  8. Students Talk About Password Security


    Hear what some of our students have to say about password security at the University of Rochester. 


Log Off Public Computers

  1. Public Computer Safety

    Click here for a PDF version of this tip that can be printed and used as a poster.

    Most of us will occasionally have to use a public computer for one reason or another. Whatever your reasons, using public computers will always carry an inherent risk of exposing your personal data. Here are some things you can do to protect yourself and lessen that risk.


    1. Delete your Browsing History
    This should be the first step you take to protect your privacy when Web surfing on a public computer. When you’ve finished browsing, it’s a good idea to delete your cookies, form data, history, and temporary Internet files.
    How:

    • In Internet Explorer 7, you can do this all at once under Tools | Delete Browsing History.
    • In Mozilla Firefox, go to Tools | Options, click the Privacy tab, and select Always Clear My Private Data When I Close Firefox. This erases your browsing history, download history, saved form information, cache, and authenticated sessions. Click the Settings button and select the options to erase your cookies and saved passwords, too.

    2. Don’t save files locally
    When you’re using a computer other than your own, even if it’s a trusted friend’s machine, it’s polite to avoid saving files locally if you can help it. Many of the files you would normally save locally, such as e-mail attachments, can contain private or sensitive information. An easy way to protect this data is to carry a flash drive and save files there when necessary. It’s also a good idea to attach the flash drive to your key ring so you’ll be less likely to misplace it and create a new security problem.


    3. Don’t save passwords
    This should be obvious when using a public computer, but if the option is already turned on, you might forget about it.
    How:

    • In Internet Explorer 7, go to Tools | Internet Options | Content. In the AutoComplete panel, click the Settings button and verify that the Prompt Me To Save Passwords check box is deselected.
    • In Firefox, choose Tools | Options | Security and deselect Remember Passwords For Sites.

    4. Don’t do online banking or enter credit card information
    You should remember that ultimately, a public computer is never going to be anywhere close to completely secure, so there are some things you just shouldn’t use them for. If you really need to check your balance on the road, you’re much better off finding a branch office or ATM or using your phone.


    Public computers are not the place for online shopping. Your purchases from eBay or Amazon.com can and should wait until you can browse from a more secure location. A little added convenience isn’t worth the trouble of having your credit card hijacked.


    5. Delete temporary files
    Temporary files, often abbreviated to “temp files”, are created when you use programs other than a web browser. For instance, when you create a Word document, in addition to the actual document file you save, Word creates a temporary file to store information so memory can be freed for other purposes and to prevent data loss in the file-saving process. These files are usually supposed to be deleted automatically when the program is closed or during a system reboot, but unfortunately they often aren’t.
    How:

    Do a search on all local drives (including subfolders, hidden, and system files) for *.tmp,*.chk,~*.*
    This will bring up all files beginning with a tilde or with the extensions .tmp and .chk, which are the most common temp files. Once the search is complete, highlight all and Shift + Delete to remove them. (If you don’t hold down Shift, they’ll usually be sent to the Recycle Bin, which you would then have to empty.)


    6. Remember to log out
    Always log out of Web sites by clicking "log out" on the site. It's not enough to simply close the browser window or type in another address. Also remember to log off of a public machine when you are done using it. You are responsible for what happens while you are logged into your username.


    7. Pay attention to your surroundings and use common sense
    Finally, you need to remember to pay attention to things outside of the actual computer that could be a risk. Be aware of strangers around you (potential shoulder surfers) and remember that a public computer is just that — public. Don’t view any truly sensitive documents you couldn’t bear for others to see. Remember the security camera over your shoulder. Cover your hands from view when entering any login information to prevent any casual spying.

    Most important, remember that there is nothing you can do to make a public computer completely secure. A truly malicious owner or user could install a hardware keystroke logger that would be impossible to detect without actually opening the case and inspecting it. With that less-than-comforting thought, use common sense and use public computers only for non-sensitive tasks. The University has taken many of these risks into account when building the public machines and has made each machine as safe as possible for your use. But always keep these tips in mind when using an unfamiliar computer.

    Our archive of past "Security Tips of the Week" is available for your information.


  2. Log Out of Public Computers

    Click here for a PDF version of this tip that can be used as a poster.

    To help protect yourself, and your data, please remember to log all the way out of your accounts on public computers or kiosks when you are finished using them. You are responsible for what happens on a computer system while you are logged into that system.

    If the person before you forgot to log out, be courteous and log out for them. To log out of the Public Kiosks, follow the directions on the kiosks’ desktop.


    The University of Rochester has taken the necessary steps to make each of the public stations safe for your use. It is up to you to take other precautionary measures to stay safe when using public computers.

    • Don’t save any of your login information including usernames and passwords.
    • Be aware of potential over-the-shoulder snoops.
    • Don’t leave the computer unattended with sensitive information on the screen.
    • Don’t enter sensitive information into a public computer like your social security number or any banking information.
    • Delete browser history before leaving a public station.


Back Up Important Information

  1. How Secure is your Flash Drive?

    Click here for a PDF version of this tip that can be used as a poster.

    Flash Drives. We all use them. They are small, cheap, offer gigabytes of storage, and are easy to use. It is easy to fill one with important files, clip it to a keychain or slip it in a purse and hit the road.

    But what if you lose it while looking for change, or misplace your keys, and it is found by a hacker?

    By following 3 simple rules you can protect any important information on your flash drive from falling into the wrong hands.

    Rule 1: Most importantly, minimize the amount of sensitive information you keep on it. The ideal amount is zero.

    If you can't follow rule 1:

    Rule 2: Keep the flash drive safely in your possession or otherwise locked up in a safe place, just like any valuable object.

    Rule 3: Use a drive with built-in access control and encryption protection, and use that feature. Don't count on your ability to never lose the drive or never have it stolen.

    Encrypt your flash drive:

    Windows Users:

    Mac Users:

    • Use Disk Utility to create a password protected sparse disk image. Learn how here.
    • TrueCrypt - www.truecrypt.org


  2. Protecting University Data - Backing up Your Data


    Many people rely on computers to store important information. If this sounds like you, then be sure to back up your data in case of computer theft or malfunction.

    You should:

    • Back up information that cannot easily be replaced, such as email, address books, bookmarks, personal projects, documents, and digital photographs.
    • University work-related data should be stored on a departmental share or your personal home drive, if available. University IT and URMC-managed servers are backed up nightly. Please don't make unnecessary copies of this data: it is already backed up, and extra copies can increase storage costs and the potential for loss and the resulting liability.
    • Back up to removable media, such as an external hard drive. Store backup media in a secure location. A good place is a fireproof safe or safety deposit box, since the media is a collection of your most important information. It is a goldmine for someone looking to steal it. All University of Rochester data should be secured on University premises.
    • If sensitive or confidential data is contained within your backups, use additional protection measures.
    • Remember: Legally Restricted Information (SSN, HIPAA, FERPA, financial, PCI, personnel records) in paper form must be stored in locked or otherwise secured areas when not in active use. Legally Restricted Information in electronic form must be stored in secure designated data centers or, if authorized to be stored elsewhere, only in encrypted (or similarly protected) form. It must not be stored on desktop, laptop or other portable devices or media without encryption or similar protection. Contact Information Technology (University IT or ISD) or a Privacy Officer for advice and assistance.

    For questions about backing up your University provided computer, please contact your local IT support group, the University IT Help Desk at 275-2000 or ISD at 275-3200.

    Visit http://www.rochester.edu/it/policy/index.php to review the University's IT Policy.


Keep Personal Information Safe

  1. National Consumer Protection Week

    March 1 - 7, 2009 is the 11th Annual National Consumer Protection Week. This year's campaign is Nuts and Bolts: Tools for Today's Economy, which is intended to highlight consumer education efforts across the nation. Information can help people get the most for their money, whether they are trying to stretch their paychecks, find a quick fix for a spotty credit history, or tell the difference between a real deal and a potentially fraudulent product or service.

    Visit the National Consumer Protection Week website (http://www.consumer.gov/ncpw/) to get the information needed to make informed decisions in today’s marketplace.


  2. March 7-13 is National Consumer Protection Week 2010

    National Consumer Protection Week 2010

    The theme for this year's campaign is "Dollars and Sense"

    Visit http://consumer.gov/ncpw to get helpful information about topics such as:

    • Banking
    • Credit and Debt
    • Health
    • Identity Theft and Privacy
    • Investing
    • Money
    • Mortgages
    • Rights and Responsibilities
    • Scam Watch


  3. Four Steps to Take if Your Identity is Stolen

    Click here for a PDF version of this tip that can be used as a poster.

    If you are a victim of identity theft, take the following four steps as soon as possible, and keep a record with the details of your conversations and copies of all correspondence.


    1. Place a fraud alert on your credit reports, and review your credit reports.
    Fraud alerts can help prevent an identity thief from opening any more accounts in your name. Contact the toll-free fraud number of one of the three consumer reporting companies on www.annualcreditreport.com to place a fraud alert on your credit report. The company you call is required to contact the other two, which will place an alert on their versions of your report, too. The Fair Credit Reporting Act guarantees you access to a free credit report from each of the three nationwide reporting agencies every twelve months.

    2. Close the accounts that you know, or believe, have been tampered with or opened fraudulently.
    Call and speak with someone in the security or fraud department of each company. Follow up in writing, and include copies (NOT originals) of supporting documents. Send your letters by certified mail, return receipt requested, so you can document what the company received and when.


    Once you have resolved your identity theft dispute with the company, ask for a letter stating that the company has closed the disputed accounts and has discharged the fraudulent debts, so that you have proof if errors relating to this account reappear on your credit report.


    3. File a complaint with the Federal Trade Commission.
    This will provide important information that can help law enforcement officials across the nation track down identity thieves and stop them.


    You can file a complaint with the FTC using the online complaint form; or call the FTC's Identity Theft Hotline, toll-free: 1-877-ID-THEFT (438-4338); TTY: 1-866-653-4261; or write Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Be sure to call the Hotline to update your complaint if you have any additional information or problems.


    4. File a report with your local police or the police in the community where the identity theft took place.
    Call your local police department and tell them that you want to file a report about your identity theft. Ask them if you can file the report in person. If you cannot, ask if you can file a report over the Internet or telephone.

    Visit the FTC's Defend site for more information.


  4. Identity Protection

    Click here for a PDF version of this tip that can be used as a poster.

    Awareness is an effective weapon against identity theft.

    • Become aware by learning how information is stolen and what you can do to protect yourself.
    • Monitor your personal information to uncover problems quickly and know what to do when you suspect your identity has been stolen.
    • Your Social Security Number is a prime target for identity thieves. Only give out your Social Security Number and other personal identifying information when absolutely necessary.
    • Many places use Social Security Numbers for user identification. Ask to use an alternate number if possible.
    • Do not print your Social Security Number on personal checks.
    • Do not carry your Social Security card with you.

    Make identity thieves' jobs more difficult by arming yourself with knowledge on how to protect your identity and take action.

    Visit http://www.rochester.edu/it/security/yourself/id_theft2.html for more information about Identity Theft and Protection.


  5. Phishing is not just for email!

    Click here for a PDF version of this tip that can be printed and used as a poster.

    Cybercriminals are expanding upon the traditional email phishing campaigns to also target social networks.  Here, they can easily use social engineering attacks, such as putting up fake web applications or other means, to steal confidential data.

    Some tips to help protect yourself when using social networks include:

    1.  Use caution when you click links

    2.  Know what you've posted about yourself

    3.  Don't trust that a message is really from who it says it's from

    4.  To avoid giving away email addresses of your friends, do not allow social networking services to scan your email address book.

    5.  Type the address of your social networking site directly into your browser or use your personal bookmarks

    6.  Be selective about who you accept as a friend on a social network

    7.  Choose your social network carefully

    8.  Assume everything you put on a social networking site is permanent

    9.  Be careful about installing extras on your site

    10. Think twice before you use social networking sites at work

    11. Talk to your kids about social networking

    Further information about these tips can be found at http://www.microsoft.com/protect/parents/social/socialnet.aspx


  6. 6 Mistakes To Help Your Identity Thief

    You are at the center of secURing your data

    Six common mistakes that help identity thieves get access to your data are:

    • Exposing your social security number
    • Being careless with mail
    • Not securing sensitive information
    • Not checking your credit reports
    • Not scrutinizing bills and bank statements
    • Entering sensitive information on public computers

    Helpful tips to prevent each of these mistakes can be found by clicking here.

    As a reminder, we are providing a chance for you to win a $25 iTunes Gift Card or even an iPod Nano by participating in our Security Awareness quizzes this month.  This week's quiz is on Identity Theft, and can be accessed by clicking here.

  7. Beware of Japan Earthquake Relief Scams and Malware

    We are seeing reports of scams and malware associated with the tragedy in Japan.  Be on the alert!

    Every time there is a natural disaster involving human suffering, scammers set up fake charity sites.  We're seeing reports of scams involving charitable donations and malware disguised as video of the events in Japan.  Responding to these scams could lead to compromised accounts, identity theft and loss of money from your bank accounts.  The scammers' use of social media increases the likelihood that you'll be exposed to these scams. 

    FBI Recommendations (further information)

    • Do not respond to any unsolicited (spam) incoming e-mails, including clicking links contained within those messages.
    • Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via e-mail or social networking sites.
    • Verify the legitimacy of nonprofit organizations by utilizing various Internet-based resources that may assist in confirming the group's existence and its nonprofit status rather than following a purported link to the site.
    • Be cautious of e-mails that claim to show pictures of the disaster areas in attached files because the files may contain viruses. Only open attachments from known senders.
    • Make contributions directly to known organizations rather than relying on others to make the donation on your behalf to ensure contributions are received and used for intended purposes.
    • Do not give your personal or financial information to anyone who solicits contributions: Providing such information may compromise your identity and make you vulnerable to identity theft.

    What To Do If You Suspect You Are a Victim

    • If you are the recipient or victim of an online scam, the FBI recommends you report any suspected online scams to the Internet Crime Complaint Center at http://www.ic3.gov.
    • If you believe your password may have been compromised, contact the appropriate Help Desk by calling 275-2000 for University departments or 275-3200 for Medical Center departments.

    If You Want To Help

    The following agencies are responding to the crisis: 

    For More Information

  8. Epsilon Data Breach - How Can You Protect Yourself?

    Many of you likely received emails from Epsilon earlier this month notifying you of a data security breach.  With this particular breach, names and email addresses were taken.

    Be Very Careful

    With this type of breach, you should be on the alert for potential "phishing" schemes.  "Phishing" is a scam where internet fraudsters send spam or pop-up messages to lure personal and financial information from unsuspecting victims. 

    There have been reports of scammers taking advantage of the Epsilon data breach.  Some references include:

    BBB Warns of Phishing Email Received from Epsilon Data Breach from Better Business Bureau

    Scammers take advantage of Epsilon data breach, in Virus Bulletin 

    What Can You Do?

    OnGuardOnline.gov provides the following tips to help avoid being caught by a "phishing" scheme:

    • If you get an email or pop-up message that asks for personal or financial information, do not reply.  And don't click on the link in the message, either.
    • Area codes can mislead.
    • Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly.
    • Don't email personal or financial information.
    • Review credit card and bank account statements as soon as you receive them.
    • Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them.
    • Forward phishing emails to spam@uce.gov.
    • If you believe you've been scammed, file a complaint with the Federal Trade Commission at www.ftc.gov/complaint.

    You can also receive additional information at http://www.rochester.edu/it/security/yourself/phishing.html.


  9. Pharming

    Click here for a PDF version of this tip that can be used as a poster.

    You are the center of secURity.

    What is pharming?

    Pharming is an attack that redirects a legitimate website's traffic to a bogus website, where a user can be fooled into entering sensitive data such as a password, bank account or credit card number. Once personal information has been entered at a fraudulent website, criminals have the information they need for identity theft. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploiting a vulnerability in domain name server (DNS) software.

    Take these simple precautions to protect yourself from pharming:

    • Before clicking on a link in a browser window, place your mouse over the link and check the link's address that's displayed in the bar at the bottom left of the window.
    • Confirm that a website has a valid certificate, issued by a certificate authority such as VeriSign, that matches the site's name before you enter any personal data.
    • Only use a secure web site when submitting credit card or other sensitive information via the web browser. The beginning of a secure web site address should read “https”. The ‘s’ on the end of http signifies it is a secure site.
    • Avoid completing forms in email messages that ask for personal financial information.
    • Change the default password that came with your wireless router to your own unique, strong password.
    • Make sure your browser is up to date and security patches are applied.
    • Regularly check bank, credit card, and debit card statements to ensure all transactions are legitimate.

    If you believe that you have been a victim of pharming, notify the Internet Crime Complaint Center (IC3) by filing a complaint on the IC3's web site: www.ic3.gov.
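A defensive check for the hosts-file form of pharming described in this tip, as an added example that is not part of the original tip: it parses hosts-file text and reports every entry that pins a watched domain to an address other than loopback. The watched-domain list, the `bank.example` name and the sample hosts content are constructed assumptions.

```python
"""Audit hosts-file text for entries that override the address of watched sites."""
import ipaddress
import os
import platform
from pathlib import Path

# Assumption: domains you never expect to be overridden locally.
# "bank.example" is a placeholder under a reserved TLD.
WATCHED_DOMAINS = frozenset({"rochester.edu", "bank.example"})

# Constructed sample, using documentation-only IP ranges.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # blocked, not redirected
203.0.113.45    www.bank.example bank.example
198.51.100.7    myidentity.rochester.edu
192.0.2.10      intranet.example.org
127.0.0.1       login.bank.example
"""


def default_hosts_path():
    """Return the usual hosts-file location for this operating system."""
    if platform.system() == "Windows":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return Path(root) / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for each mapping in hosts-file text.

    Comments, blank lines and lines whose first field is not an IP address
    are skipped. One line may map several names to the same address.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            # Drop an IPv6 zone suffix such as "%lo0" before parsing.
            ip = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield lineno, ip, name.lower().rstrip(".")


def is_watched(hostname, watched=WATCHED_DOMAINS):
    """True for a watched domain or any subdomain of it, not for look-alikes."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return [(line_number, hostname, ip)] for watched names that are redirected.

    Loopback and unspecified addresses (127.0.0.1, ::1, 0.0.0.0) are ignored:
    they block a site rather than send the browser to another server.
    """
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        findings.append((lineno, name, str(ip)))
    return findings


if __name__ == "__main__":
    path = default_hosts_path()
    if path.exists():
        text, source = path.read_text(errors="replace"), str(path)
    else:
        text, source = SAMPLE_HOSTS, "constructed sample"
    results = audit_hosts(text)
    print(f"Audited {source}: {len(results)} suspicious override(s)")
    for lineno, name, ip in results:
        print(f"  line {lineno}: {name} -> {ip}")
```

This only covers the hosts-file variant; a redirect caused by a compromised or vulnerable DNS server leaves the local hosts file untouched.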


  10. Identity Protection - Zombie Survival Game

    You are at the center of secURity.

    Please try our Identity Protection "Zombie Survival Game" for a fun way to check your identity protection knowledge.  You can access the game by clicking here.


  11. Students Talk About Identity Theft

    You are at the center of secURity.

    You can find useful information about Identity Theft at http://www.rochester.edu/it/security/yourself/id_theft2.html.

    Hear what some of our students have to say about Identity Theft.


  12. Protect Your Data - Vishing: New Take on an Old Scam

    You are at the center of secURity.

    What is Vishing?

    With many people catching on to the risks of clicking links within an email, or providing personal information through digital communication (most often referred to as “phishing”), many scammers are reverting to the telephone. “Vishing” (voice phishing) is an attempt by scammers to acquire your personal information via the phone.

    Typically, the criminal will contact the victim directly or will leave a message, requesting that the victim return a call to verify an account or some similar scheme. When the victim returns the call, they are asked to provide account and identifying information under the pretense of "updating" the account.

    Vishing Video

    Watch the following video that shows a vishing scheme:  http://www.youtube.com/watch?v=jjECkBcHBbo

    Tips to Avoid Vishing

    To avoid vishing scams, remember the following tips:

    • Banks and credit card companies will never ask you to call a number and provide account information. If they are asking for your full social security number or account number, they are most likely not legitimate.
    • If the call sounds suspicious, hang up and call the institution that is requesting the information directly by referring to the number listed on the back of the card, monthly statement or from their official website.
    • Speak only to a live person when providing account information.
    • Don’t respond to text messages or automated voice messages from unknown or blocked phone numbers.
    • Report the suspicious call to the institution, which can then work with authorities to find the scammers.


  13. Better Business Bureau (BBB) Cautions Consumers to Watch Out for Scammers in Wake of the Boston Marathon Attack

    You are at the center of secURity.

    Often when there is an event involving human suffering, scammers set up fake charity sites.  We're seeing reports of scams involving charitable donations emerging in the wake of the explosions at the finish line of the Boston Marathon.

    BBB Wise Giving Alliance, which is an affiliate of the Council of Better Business Bureaus, urges donors to give thoughtfully and avoid those seeking to take advantage of the generosity of others:

    BBB Wise Giving Alliance: Ten Tips for Giving with Confidence

    1. Thoughtful Giving

    Take the time to check out the charity to avoid wasting your generosity by donating to a questionable or poorly managed effort.

    2. Help Spread the Wise Giving Word

    Remind your friends and family to be cautious about giving requests in the wake of such a tragedy and ask them to spread the word as well.

    3. State Government Registration

    About 40 of the 50 states require charities to register with a state government agency (usually a division of the State Attorney General’s office) before they solicit for charitable gifts. If the charity is not registered, that may be a significant red flag.

    4. Respecting Victims and Their Families

    Organizations raising funds should get permission from the families to use either the names of the victims and/or any photographs of them.

    5. How Will Donations Be Used?

    Watch out for vague appeals that don’t identify the intended use of funds.

    6. What if a Family Sets Up Its Own Assistance Fund?

    Some families may decide to set up their own assistance funds. Be mindful that such funds may not be set up as charities. Also, make sure that collected monies are received and administered by a third party such as a bank, CPA or lawyer.

    7. Online Cautions

    Never click on links to charities on unfamiliar websites or in texts or emails.

    8. Financial Transparency

    After funds are raised for a tragedy, it is even more important for organizations to provide an accounting of how funds were spent.

    9. Newly Created or Established Organizations

    This is a personal giving choice, but an established charity will more likely have the experience to quickly address the circumstances and have a track record that can be evaluated.

    10. Tax Deductibility

    Not all organizations collecting funds to assist this tragedy are tax exempt as charities under section 501(c)(3) of the Internal Revenue Code. Donors can support these other entities but keep this in mind if they want to take a deduction for federal income tax purposes.

    Further information about these items is located at http://www.bbb.org/us/article/bbb-warns-of-charity-scams-offers-giving-tips-in-wake-of-boston-marathon-bombing-41366

  14. National Cyber Security Awareness Month - Identity Protection

    You are at the center of secURity.

    Click here to access the National Cyber Security Awareness 2013 poster that can be printed and hung within your area.

    October marks the tenth annual National Cyber Security Awareness Month sponsored by the Department of Homeland Security.  The theme for National Cyber Security Awareness Month 2013 is "Our Shared Responsibility."

    Our Shared Responsibility means each of us must do our part.  The actions we take may differ based on our personal and professional responsibilities.  However, if each of us does our part - whether it's implementing stronger security practices in our day-to-day online activities, making sure the right tools are in place, raising awareness in the community, educating young people or training employees - together we will be more resistant and resilient, protecting ourselves, our neighbors and our country.

    At the University of Rochester, we will be focusing on keeping your identity safe throughout this month. You can help protect your identity by keeping your online accounts secure and making it difficult for someone to gain access to them.


  15. Identity Protection - Five Ways to Protect Against Identity Theft

    You are at the center of secURity.

    Click here for a PDF version of this tip that can be printed and used as a poster.

    Identity theft occurs when someone uses your name, Social Security number, credit card number, or some other piece of your personal information for financial gain. Thieves often use this information to apply for a credit card, make unauthorized purchases, gain access to your bank accounts, or obtain loans under your name.

    Five tips to help protect your identity:

    1. When you order checks, instead of your first name, have only your initials and last name put on them. If someone takes your checkbook, they will not know how you sign your checks. But your bank will know.
    2. Do not sign the back of your credit cards. Instead put "PHOTO ID REQUIRED".
    3. When writing checks to pay on your credit card accounts, DO NOT put the complete account number on the "For" line. Instead, just put the last four digits.
    4. Don't list any telephone number on your checks. You can always write it on the check at the time of the transaction. If you have a PO Box, use that instead of your home or work address.
    5. Place the contents of your wallet on a photocopy machine. Copy both sides of each license, credit card, etc. If your wallet is ever stolen, you will have a record of all the account numbers and phone numbers when you call to cancel your cards. Store in a secure place and update the copies when you change cards.

    More information about Identity Theft can be found at http://www.rochester.edu/it/security/yourself/id_theft2.html.


  16. Identity Protection - Awareness Video

    You are at the center of secURity.

    Please watch our Identity Theft awareness video to hear about the personal experiences of one of our team members who was a victim of Identity Theft.


  17. Identity Protection - Risk Calculators

    You are at the center of secURity.

     As part of National Cyber Security Awareness month, the National Cyber Security Alliance reminds you to always:

    Stop:  Before you use the Internet, take time to understand the risks and learn how to spot potential problems.

    Think:  Take a moment to be certain the path is clear ahead.  Watch for warning signs and consider how your actions online could impact your safety, or your family's.

    Connect:  Enjoy the Internet with greater confidence, knowing you've taken the right steps to safeguard yourself and your computer.

    STOP.  THINK.  CONNECT.  Protect yourself and help keep the web a safer place for everyone.

    As part of our focus on Identity Protection this month, try these fun, interactive quizzes from the StaySafeOnline.org site to see what your risk level is for identity theft. 


  18. Identity Protection - ID Theft FaceOff Game

    As part of National Cyber Security Awareness month, please remember to always

    Stop:  Before you use the Internet, take time to understand the risks and learn how to spot potential problems.

    Think:  Take a moment to be certain the path is clear ahead.  Watch for warning signs and consider how your actions online could impact your safety, or your family's.

    Connect:  Enjoy the Internet with greater confidence, knowing you've taken the right steps to safeguard yourself and your computer.

    STOP.  THINK.  CONNECT.  Protect yourself and help keep the web a safer place for everyone.

    As part of our focus on Identity Protection this month, try this fun, interactive game from OnGuardOnline.gov to see how you would handle your identity getting stolen. 


  19. Phishing Protection - Don't Fall for Phishing Schemes


    You are at the center of secURity.

    We have seen a large increase in the number of phishing emails that are being circulated. 

    Could you tell if an email message requesting personal information was legitimate? In most cases you can trust your instincts: if an email message looks suspicious, it probably is. However, there are some messages that look like the real thing but aren't.

    Even for legitimate emails from places you do business with, you should always ignore the links in the emails and go directly to the business's website.  For example, if you get an email that refers to your account at your bank or here at the University of Rochester, you should go to your browser and type in the URL that you normally use to log into your bank or the University of Rochester myidentity system (http://myidentity.rochester.edu).

    Do you know how to spot a phishing email?
    It could be a phishing email if...

    • There are misspelled words in the e-mail or it contains poor grammar.
    • The sender's name doesn't seem related to the sender email address.
    • The message is making you an offer that is too good to be true.
    • The message is asking for personally identifiable information, such as credit card numbers, account numbers, passwords, PINs or Social Security Numbers.
    • There are "threats" or alarming statements that create a sense of urgency. For example: "Your account will be locked until we hear from you" or "We have noticed activity on your account from a foreign IP address."
    • The domain name in the message isn't the one you're used to seeing. It's usually close to the real domain name but not exact. For example:
    • Beware that some phishing emails use attachments (coupons, etc.) which can house malware.
    • Shortened URLs can present danger.  Be careful to verify all web addresses.  It is safer to simply enter URLs manually into your web browser.

    How good are you at spotting phishing emails? Test your knowledge with these quizzes.


  20. Consumer Protection - Online Shopping


    You are at the center of secURity.

    Shopping on the Internet can be economical, convenient, and as safe as shopping in a store or by mail, especially if you follow the tips listed below.  Remember to not use your work PC or work email address when shopping online as stated in the University's IT Policy at www.rochester.edu/it/policy.

    • Know who you're dealing with.
      • Be sure the company has a physical address and phone number.
      • If the company is new to you, research them at the Better Business Bureau online (http://www.bbbonline.org).
      • Check the company's website for customer feedback.
    • Know exactly what you're buying.
      • Read the seller's description of the product closely, especially the fine print.
      • Determine if the company has a return policy, and how easy the process is to follow, in case the product is not what you expected.
    • Know what it will cost.
      • Factor shipping and handling — along with your needs and budget — into the total cost of the order.
    • Pay by credit or charge card, for maximum consumer protection.
      • The safest way to shop on the Internet is with a credit card. In the event something goes wrong, you are protected under the federal Fair Credit Billing Act. You have the right to dispute charges on your credit card, and you can withhold payments during a creditor investigation. When it has been determined that your credit was used without authorization, you are only responsible for the first $50 in charges.
      • Obtain one credit card that you use only for online payments to make it easier to detect wrongful credit charges.
      • For more information on credit card consumer protections, see http://www.privacyrights.org/fs/fs32-paperplastic.htm#3
      • Always read the privacy statement before you fill in the blanks.
    • Use secure web sites
      • Always verify that the site is using encryption before you submit any information — look for https in the web address and for a padlock or key on the web page.  Never enter a password, or other personal information, into a site that does not show https.
    • Don't send personal information (Social Security number, credit card number, etc.) in an email or through instant messaging.
    • If you are required to set up an account, do not use a password that you are using elsewhere.
    • Check out the terms of the deal, including refund policies and delivery dates.
    • Print and save records of your online transactions.
    • Consider using an escrow service, such as http://escrow.com.
      • This can reduce the potential risk of fraud by acting as a trusted third party that collects, holds and disburses funds according to Buyer and Seller instructions. There is generally a fee associated with using a service such as this.

    More information about safe online shopping can be found at http://www.onguardonline.gov/topics/online-shopping.aspx.


  21. Data Privacy - Check Your Privacy Settings

    You are at the center of secURity.

    Check Your Privacy Settings

    Is your online presence as locked-down as you would like? Who has access to your posts? Have any privacy settings changed without your knowledge?

    For your New Year’s resolution, consider being more secure with your online information.

    Stay Safe Online provides your one-stop shop for easy instructions for updating privacy settings wherever and however you go online. We encourage you to bookmark this helpful page:

    http://www.staysafeonline.org/data-privacy-day/check-your-privacy-settings/


  22. Data Privacy - Top Five Tips to Reduce Your Digital Footprint


    Top Five Tips

    Data Privacy Day, held annually on January 28th, encourages everyone to make protecting privacy and data a greater priority. 

    The Information Security team has put together their top five tips to help reduce your digital footprint. 

    1. Passwords - Your digital information is only as safe as your password is secure. To avoid hackers gaining access to your information, make sure your passwords are long, strong and unique. Here are some additional guidelines for password security:

      https://www.rochester.edu/it/security/yourself/passwords.html

    2. Data Classification - Be aware of data classification and how university documents should be stored. Know the difference between Legally Restricted, Confidential, Internal Use and Public. For more information, view the Data Security Classifications At A Glance document:

      http://www.rochester.edu/it/policy/assets/pdf/At%20a%20Glance%20Data%20Classifications.pdf

    3. Anti-Virus - Keep your computer or mobile device clean, secure and up to date. Use anti-virus software to help prevent hackers from stealing your information. Do not store personal information on these devices if not required. To download the University’s free anti-virus software for your work and home computer, visit:

      http://www.rochester.edu/it/security/computer/antivirus.html

    4. Social Networking - Be careful where you share information, whether it is through social media, texting, websites or in public places. Legally restricted data should never be shared through social networking or in public places. For more information, visit:

      http://www.rochester.edu/it/security/yourself/social_networking.html

    5. Phishing - Never give out your private information through email requests. Phishing attempts are on the rise and you should be cautious of links within email. Most, if not all, requests for private information through email are scams. To see some phishing examples, visit:

      http://www.rochester.edu/it/security/yourself/phishing.html


  23. Social Networking - Check Your Privacy Settings


    It seems like privacy settings on social networking sites change daily. It has never been more important to know who has access to your information and what you might be sharing online. To assist, the information security awareness team put together your one-stop shop for easy instructions for updating privacy settings.


  24. Largest Ever Phone Fraud Scam Targeting Taxpayers


    As April 15th nears, it is important to be aware that tax related phone scams are on the rise.  The Treasury Inspector General for Taxpayer Administration (TIGTA) has become aware of thousands of victims who have collectively paid over $1 million as a result of a scam, in which individuals make unsolicited calls to taxpayers fraudulently claiming to be IRS officials. 

    For more information, read the official TIGTA press release at:

    http://www.treasury.gov/tigta/press/press_tigta-2014-03.htm

    The IRS also provides some helpful links:

    IRS Report Phishing - http://www.irs.gov/uac/Report-Phishing

    IRS "Phishtank" - http://www.irs.gov/uac/Suspicious-e-Mails-and-Identity-Theft 


  25. Five Quick Summer Vacation Tips For Staying Safe


    Spring is in the air and the summer vacation season is almost upon us! The information security awareness team wants to make sure that you enjoy your vacation to the fullest by avoiding the stress of dealing with identity theft. Check out our five quick and easy tips for keeping your information safe while traveling.

    Be Cautious of Public WiFi Networks

    It is very easy for a hacker to access your information via unsecured public WiFi. When you connect to email, social networking sites or online stores, make sure you are using a secure connection (https), so that traffic is encrypted and no one else can access the information. Similarly, be sure to follow hotel guidelines to properly connect to their network (hackers might try to set up sneaky networks like “HotelWireless1”).

    Avoid Posting Your Vacation Plans Online

    Sure, it’s natural to want to share your vacation experiences. However, enjoy the moment and wait to post those photos and status updates until after you return. Otherwise, you might be an easy target for criminals who now know where you ARE NOT.

    Secure Your Mobile Devices

    Make sure your smartphones and tablets are locked with a security code/PIN to protect them if stolen. Back up important data before traveling. If possible, activate the GPS tracking option to locate the device if stolen. If your device goes missing, report it immediately to the police AND your service carrier. If the thief might have access to your banking, email and other accounts, change your passwords immediately.

    Avoid Shared Computers / Protect Your Personal Computer

    Be cautious of public computers and avoid logging in to personal accounts. Thieves may have access to information stored on the computer, or might be hacking the devices. If you are able to bring your own computer with you, make sure you have reliable, up-to-date protection installed and that your software is properly updated to avoid security holes.

    Know Whom to Call / Monitor Account Activity

    Prior to your trip, write down important contact numbers such as credit card, banking and your cellular customer service so you can quickly report lost or stolen items. When you return from your trip, use a secure network to check your online bank account for any unauthorized purchases while you were gone.

     

    The Better Business Bureau has also issued a special alert concerning new scams that are targeting upstate New York travelers after our harsh winter weather.  This alert is located at http://www.bbb.org/upstate-new-york/news-events/news-releases/2014/04/bbb-alert-travel-scams-circulating/.

    Have a wonderful and safe summer!


  26. Microsoft Phone Scammers

    University Help Desks have seen an increase in the number of calls from members of the University community who have received calls from scammers posing as Microsoft support staff.  These scammers are targeting not only individuals but also businesses.

    These scammers rely on a combination of aggressive sales tactics, lies, and half-truths.  They pose as computer support technicians and try to trick victims into believing that their computer is infected, usually by having them look at a Windows log that typically shows scores of harmless or low-level errors.

    These scams have been occurring often enough that Microsoft has developed their own information page concerning them.  For further information, tips on how to protect yourself, and what to do if you have already provided information to a support person scammer, consult http://www.microsoft.com/security/online-privacy/avoid-phone-scams.aspx.

    Further information can also be found at http://www.computerworld.com/s/article/9248122/Aggressive_persistent_Windows_tech_support_scammers_continue_to_stalk_consumers.


  27. Better Business Bureau Warns of United States Postal Service Scam


    The Better Business Bureau is assisting the United States Postal Service with spreading the word on a recent email scam using their name.  The scam involves fake email messages containing alerts about undelivered packages.  However, if you open the email and click on the included link, you will actually be downloading a virus.  These viruses generally are intended to phish for personal and banking information on your computer.

    Some Ways to Avoid Falling For this Scam

    The Better Business Bureau provides these tips to assist you:

    • Don't believe what you see
    • Be wary of unexpected emails that contain links or attachments
    • Beware of pop-ups
    • Watch for poor grammar and spelling
    • The message indicates immediate action is required, threatening consequences otherwise

    Further information about this scam can be found at http://www.bbb.org/blog/2014/06/fake-package-delivery-emails-carry-a-virus/ and information about other scams can be found at  http://www.bbb.org/council/bbb-scam-stopper/.


  28. E-ZPass Email Phishing Scam

    The New York State Thruway Authority is cautioning customers that use their E-ZPass service to beware of a recent email phishing scam.  The scam involves fake email messages trying to collect unpaid tolls from E-ZPass customers.

    These email messages are not from the New York State Thruway Authority, or any other toll agency.

    Some Ways to Avoid Falling For this Scam

    • Don't believe what you see
    • Be wary of unexpected emails that contain links or attachments
    • Beware of pop-ups
    • Watch for poor grammar and spelling
    • The message indicates immediate action is required, threatening consequences otherwise

    It is advised that you simply delete this E-ZPass phishing message if you receive it.  The New York State Thruway Authority would only contact you through the mail if it were trying to collect past due payment from you.


  29. Toner Cartridge Scam


    The University has seen an increase in the toner cartridge phone phishing scam.  With this scam, departments are contacted asking to update their shipping and copier model number information.  With this information the scammer then ships and bills you for toner.  Often, these firms will use the name of an executive in their quest to get a machine model number and to have an order shipped.

    You should not provide this information to a caller from a company that you do not know.  Your usual supplier has all the account information needed to provide what you need. 

    Ask the caller for his/her name and phone number in order to call back. This request will often result in a hang-up or a revised story from the caller. DO NOT sign and return any order forms faxed to your department by an unfamiliar company.

    Please view our Phishing Awareness Video for further tips on how to avoid being phished.


Limit Social Network Information

  1. Facebook Users Targeted by Password-Stealing Virus

    Facebook users should be on alert for any suspicious emails claiming to be from Facebook.

    A recent email spam attack targeted Facebook users. The email tells recipients that the passwords on their accounts have been reset and to click on the attachment to get their new login credentials.

    If the attachment is opened, it downloads malware that steals passwords stored on your computer.


    Remember: Only open an email attachment if you are POSITIVE about the source.


  2. Facebook Privacy Settings


    Facebook's frequent policy changes and unclear privacy settings can be confusing. Privacy Defender can help manage this confusion by automatically configuring your Facebook privacy settings. Not only is it easy to use, but it is FREE!

    To access this application, go to http://apps.facebook.com/privacydefender/. Select your desired level of privacy protection and Privacy Defender does the rest.

    Privacy Defender is made available by Reputation Defender, a leading comprehensive online reputation management and privacy company.

    Faculty and Staff please follow your department's guidelines regarding use of social networking sites.


  3. Staying Safe with Skype


    You are at the center of secURity.

    Skype is a software application which allows users to instant message, voice chat, and share files with other Skype users.

    • Never use Skype to transfer University files, including documents and data files, and never accept documents from others.
    • Skype cannot be used for University conversations that contain confidential information.
    • University IT does not condone the use of Skype.

    Services like Skype open unsuspecting users to viruses, hackers, and identity thieves. To stay safe while using Skype do the following:

    • Read Skype’s Privacy Policy to understand Skype and what you can or cannot do
    • Read Skype's Online Safety Web Page
      • Create a strong and unique password
      • Always use antivirus software
      • Keep Skype up-to-date
      • Update Skype’s privacy settings
      • Do not authorize people whom you do not know and/or do not want to talk to
      • Remember:
        • The public parts of your profile can be seen by everyone on Skype
        • Don’t put things in your profile that you wouldn't normally share with strangers
        • You don’t have to complete your profile and can modify it at any time
      • Never respond to emails that request your credit card details
      • Know how to protect yourself against:
      • If you think your account has been compromised, change your password immediately

    Visit http://www.rochester.edu/it/security/yourself/passwords.html for more information about strong passwords, and to try the password checker to test the strength of your password.


  4. Social Networking - Instant Messaging Security

    You are at the center of secURity.

    We are viewing Social Networking as the use of social software applications to establish and maintain a connection among users.  It has expanded to include many things over the past several years. 

    Instant messaging is one of the older methods of social networking, but is still widely used.  Instant messaging has many of the same security threats email does... and then some. Instant messaging can transfer viruses and other malware, and give hackers an easy way to find victims. If you regularly use instant messaging, be aware of the security risks associated with it and take steps to protect yourself.

    You should:

    • Keep your instant messaging client updated with the latest version, as updates are often released to fix security problems
    • Never open pictures, download files, or click links in messages from people you don't know
    • Be careful when creating a screen name.  Generally, you shouldn't use your real name or include any personal information.
    • Create a barrier against unwanted instant messaging by not publishing your screen name
    • Never provide sensitive personal information
    • Never transmit confidential or legally restricted data within messages
    • Only communicate with people who are on your contact or buddy lists


  5. Data Privacy - Information Lasts Forever

    You are at the center of secURity.

    Our focus continues on Data Privacy this month.


    Social and Professional Networking

    One of the important messages we want you to remember is once you post something on a social or professional networking site such as Facebook or LinkedIn, it stays there forever.  Some important points are:

    • Don't post important personal information about yourself such as social security number, address, phone number, or bank and credit card account numbers. 
    • Never post personal or protected information about someone else.  This includes information about students, faculty or staff, doctors or nurses, or patients. 
    • This is not the place to talk negatively about anyone or anything.  Remember schools, colleges, and future employers can get access to the information you post, and this will form one of their first impressions of you. 

    URMC Public Relations has put together a social media toolkit that provides some helpful guides at http://www.urmc.rochester.edu/news/social-media-toolkit/.

    You need to keep private data private, yours and also other people's.

    The Case of the Cyber Criminal (Game)

    With this game, a techie spy and his cunning crew are out to get your personal information.  Stop them cold by proving you're ready to protect yourself online.  Access the game by clicking here.


  6. Meet the Social Networking Super-villains!


    They hide within the shadows of your social networking accounts.  They thrive off of the information you provide in your tweets, comments, and posts.  Their trail of destruction follows those who post too much.  Today you meet the faces of social networking terror! 

    Visit the following link to find out how to join the University's super alliance for social media security:

    www.rochester.edu/socialnetworking


  7. Social Networking - Safety Tips

    As the popularity of social networking sites such as MySpace, Facebook, Twitter, and LinkedIn grows, so do the risks of using them. Hackers, spammers, virus writers, identity thieves, and other criminals follow the traffic.

    Protect yourself and your privacy online by being…


    …proactive:

    • Understand the privacy policy for any social networking site you plan to use.
    • Customize your privacy settings to restrict access to only certain people; the default settings for some sites may allow anyone to see your profile.
    • Limit the amount of personal information you post, especially information that would make you vulnerable, such as your address or information about your schedule or routine.
    • Be considerate when posting information, including photos, about your friends.
    • Accept ‘friends’ on a social network selectively; identity thieves create fake profiles in order to get information from you.
    • Protect your account with passwords that cannot easily be guessed.

     …aware:

    • You are personally responsible for the information that you post.  Once you post information online, you can't delete it. Only post information you are comfortable with anyone seeing. This includes information and photos in your profile and in blogs and other forums.
    • Don't trust that a message is really from who it says it's from. Hackers can break into accounts and send messages that look like they're from your friends, but aren't. If you suspect a message is fraudulent, don’t open it.
    • Don't believe everything you read online. People may post false or misleading information. Take appropriate precautions and verify the authenticity of any information before taking action. Treat links in messages on these sites as you would links in email messages.
    • Be careful about installing extras on your site. Many social networking sites allow you to download third-party applications that let you do more with your personal page. Criminals sometimes use these applications to steal your personal information.

    …responsible:

    • When at work, follow your department's guidelines regarding the use of social networking sites.  Many areas do not allow the use of social networking sites while at work.
    • Never post business related information - especially photos or anything that includes Legally Restricted Information such as Social Security Numbers (SSN) or Protected Health Information (PHI).
    • Talk to your kids about social networking. If you are a parent of a child who uses social networking sites explain what information is private, what pictures are okay to post, and how to decline requests to meet people.
    • Use and maintain anti-virus software. Antivirus software recognizes most known viruses and protects your computer against them, so you may be able to detect and remove the virus before it can do any damage.


  8. Students Talk About Social Network Safety


    Hear what some of our students have to say about social network safety.


Download Files Legally

  1. Copyright and File Sharing

    Did you know the University receives hundreds of copyright infringement notifications for students, faculty and staff? These notifications can lead to disconnection from the Internet and fines for students. Notifications pertaining to staff members are passed to their managers for the first offense, and Human Resources for subsequent offenses. Staff members have been dismissed for copyright infringement violations. Faculty members have the first notification passed to their department chair; second notifications are passed to the department chair and the Dean’s Office.

    Do not utilize University networks to download or share illegally obtained copyrighted materials. There are many alternatives to illegal file sharing. Please visit http://www.rochester.edu/its/security/yourself/file-sharing.html for more information concerning copyright and file sharing and to explore links for legal music and movies.

    When you connect to the University using VPN, for example from home, a coffee shop or a conference site, your computer is subject to the same rules and regulations as a computer located at work.

    As a reminder, we are providing a chance for you to win a $25 iTunes Gift Card or even an iPod Nano by participating in our Security Awareness quizzes this month.  This week's quiz is on Copyright and File Sharing and can be accessed by clicking here.


  2. Regulatory Compliance - Digital Millennium Copyright Act

    You are at the center of secURity.

    How many DMCA notices is the University receiving?

    For the 2010-2011 academic year, the University received 412 illegal file sharing notifications from copyright holders.  The University sent out 249 first time notifications and 84 second time notifications resulting in network disconnections.

    DMCA (Digital Millennium Copyright Act) was passed by Congress in October 1998 to provide legal protection of copyrighted material. The purpose of copyright is to protect the rights of the creators of intellectual property. Copyright holders have the sole right to copy, modify, and distribute their works. Therefore copyright helps to prevent the unauthorized use or sale of these works.

    If the University receives a complaint against you from the Recording Industry Association of America (RIAA), the Motion Picture Association of America (MPAA), or other copyright holding associations, you will be notified by email. For each complaint filed against you, there will be escalating consequences:

    • 1st complaint-
      • Employee's supervisor will be notified of the violation. 
      • Students will receive a warning from University IT and an informal letter of warning from the Dean of Students Office.
    • 2nd complaint-
      • Employee's Human Resources representative and their supervisor will be notified and appropriate actions will be taken. 
      • Students will have their NetID account suspended and will incur a $150 reconnection fee.  In addition, there will be official disciplinary action from the Dean of Students' Office (e.g. disciplinary probation and community service).

    After the second complaint, there may be other actions taken.

    Here are a few court cases that have made the news.


  3. Illegal Downloading - Digital Millennium Copyright Act

    You are at the center of secURity.


    How many DMCA notices is the University receiving?

    For the 2010-2011 academic year, the University received 490 illegal file sharing notifications from copyright holders.  The University sent out 249 first time notifications and 84 second time notifications resulting in network disconnections.

    For this portion of the 2011-2012 academic year, the University has received 206 notices from September 2011 - January 2012.  The University has sent out 114 first time notifications and 10 second time notifications resulting in network disconnections.

    What is Digital Millennium Copyright Act?

    DMCA (Digital Millennium Copyright Act) was passed by Congress in October 1998 to provide legal protection of copyrighted material. The purpose of copyright is to protect the rights of the creators of intellectual property. Copyright holders have the sole right to copy, modify, and distribute their works. Therefore copyright helps to prevent the unauthorized use or sale of these works.

    The University's Acceptable Use Policy prohibits illegal downloading of copyrighted music, movies, books, images, etc.

    If the University receives a complaint against you from the Recording Industry Association of America (RIAA), the Motion Picture Association of America (MPAA), or other copyright holding associations, you will be notified by email. For each complaint filed against you, there will be escalating consequences:

    • 1st complaint-
      • Employee's supervisor will be notified of the violation. 
      • Students will receive a warning from University IT and an informal letter of warning from the Dean of Students Office.
    • 2nd complaint-
      • Employee's Human Resources representative and their supervisor will be notified and appropriate actions will be taken. 
      • Students will have their NetID account suspended and will incur a $150 reconnection fee.  In addition, there will be official disciplinary action from the Dean of Students' Office (e.g. disciplinary probation and community service).

    After the second complaint, there may be other actions taken.

    Here Are A Few Court Cases That Have Made The News


  4. Illegal Downloading - How Can You Avoid Digital Piracy?

    You are at the center of secURity.

    Click here for a version of this tip that can be used as a poster.

    The Motion Picture Association of America, Inc. provides a web site that has helpful information to Respect Copyrights. It provides detail as to what to do if you receive a notice from the MPAA, and a listing of where you can get movies and TV shows legally.

    They realize you have many choices when it comes to purchasing and viewing your favorite movies and TV shows online. They provide the following tips to help you make the right choices:

    1.  Watch for titles that are "Too New to be True"

    Movies that have yet to be released in theaters, or which are still out in theaters, are not legally available online.  If very recent titles are being sold or traded online, they are almost invariably illegal copies.

    2.  Trust Your Eyes and Ears

    In many cases, the quality of illegal copies is inferior with poor sound and can appear blurry or shaky.

    3.  Be Cautious When Websites Make Offers that are Too Good to be True

    Be wary of "too good to be true" offers, such as those for "free" content when searching for and purchasing downloads from unfamiliar sites; they typically indicate pirated product.  Look out for terms like "Unlimited Movie Downloads," "100% legal," and "Millions of Files Shared." Offers for one-time or yearly fees with no details and no contact information should also alert you that you have entered an illegal site.  If the site avoids disclosing its location (for example, if there is no address in its contact information), this can also be a sign of an illegal website.

    You can access this website by clicking here.


  5. Illegal Downloading - Video

    You are at the center of secURity.

    Sharing or downloading copyrighted files without permission over the UR network is illegal and a violation of University policy.

    Check out our video that shows some of the effects of downloading illegal music.


Lock Your Computer

  1. Laptop Security

    Click here for a PDF version of this tip that can be printed as a poster.

    Secure laptop computers at all times. If your laptop computer is stolen, important information can be exposed, including your personal and financial information.

    1. Always keep your laptop with you - or lock it up securely before you step away.
    2. Never leave access numbers or passwords in your carrying case.
    3. Buy and use a laptop security device. Laptop lockdown cables are available at University Computer Sales and most computer or office supply stores.
    4. Laptops containing any University Confidential or Legally Restricted Data (defined in the University Information Technology Policy) must be encrypted.

    If your laptop has been lost, stolen or compromised and it contains University Confidential or Legally Restricted Data, contact Information Technology Security immediately at 273-1804 for University departments or 275-3200 for Medical Center departments.

    Click here for more information about laptop security.


  2. Lock Your Computer Screen

    You are at the center of secURity.

    Click here for a printable version of this tip that can be used as a poster.

    When leaving your computer unattended, always make sure the screen is locked and password protected. Locking the screen will prevent others from accessing your session without your permission. All your applications and work will remain open in the background while the screen is locked, so when you return and enter your password, you can pick up where you left off.

    For more information on how to set up a password for your computer to lock automatically when the screensaver turns on, see http://www.rochester.edu/its/security/computer/Physical_Security.html


  3. Protecting University Data - Lock Your Computer Screen


    Click here for a PDF version of this tip that can be used as a poster.

    Your computer screen is the way you view all of the information on your computer. It takes only a few seconds to secure your computer and discourage malicious individuals from snooping through your files. Lock your computer screen every time you leave your computer.

    Here are some ways to secure your computer.

    Windows:

    1. Hold down the Windows key (the flying window key at the bottom of the keyboard) and press the L key. This will bring up your login screen and lock your computer down.

     OR

    1. Press Ctrl+Alt+Delete.
    2. Select "Lock Computer".
    3. This will bring up your login screen and lock your computer down.

    To log back in, press Ctrl+Alt+Delete if necessary, and type in your username and password.

    You should also set your screen saver with a timeout (we recommend a maximum of 15 minutes), then click the checkbox for "On resume, password protect" or "On resume, display logon screen".

    Also, under Energy Saving Settings, you can select “Require a password on wake”.  When your computer wakes from sleep, no one can access your data without entering the correct password to unlock the computer.

     

    Mac:

    If you have Check Point Full Disk Encryption for Mac installed, you can select 'Lock workstation' under the Check Point status icon on the menu bar. 

    If you do not have Check Point installed, you can do the following:

    1. Open System Preferences.
    2. Click on the Security icon.
    3. Check Require password to wake this computer from sleep or screen saver.

    You can also enable hot corners by:

    1. Open System Preferences and choose the Desktop and Screen Saver icon.
    2. Select the Screen Saver tab.
    3. Click Hot Corners
    4. Select 'Start Screen Saver' for one of the corners and click OK
    5. Click Show All
    6. Select Security & Privacy
    7. Click the General tab
    8. Enable "Require password for sleep and screen saver" and then set to 'immediately'
    9. Close System Preferences.

    Now when you move your mouse to that corner, the screen saver will come on and the machine will lock.

    An alternative to enabling the screen saver on the Mac is to press Shift+Control+Eject. This puts the display to sleep.


  4. Information Technology Policy Updates


    Changes were recently made to two of the University's IT policies.

    Information Technology Policy

    The Information Technology Policy, which is located at http://www.rochester.edu/it/policy, was updated to clarify the Access and Use of Legally Restricted Information.  Please feel free to review the entire policy; the specific Access and Use section now reads:

    Access and Use:  Legally Restricted Information must be stored, used and disclosed to others only on a need to know basis to permit the individual faculty or staff member to perform their University functions for which the information was acquired and for which it is maintained.  Access to legally restricted information must be carefully safe-guarded.

    Protection of Legally Restricted Information from disclosure to or unauthorized access by anyone who does not have a legitimate need to access the information to comply with requirements of the law or to carry on necessary University functions is a primary responsibility of the Custodian.

    Alternatives to using Legally Restricted Information should be identified and used whenever possible.

    Disclosure of Legally Restricted Information to a third party agent or vendor is permitted only if the agent or vendor assumes a legally binding obligation to safe-guard the use and disclosure of the information.  The electronic exchange of Legally Restricted Information outside of the University of Rochester must have proper approval.  In addition,

    • the appropriate Information Security Office must be consulted to ensure appropriate security controls are employed (See contact list within the policy).
    • Corporate Purchasing must be consulted to ensure appropriate contract language is incorporated into any agreement

    Contact the Office of Counsel for appropriate contractual language.

    Policy on Acquisition and Disposal of Multifunctional Devices, Copiers and Similar Devices

    This policy had several changes made to reflect the arrangement that is now in place with a new print vendor.  The updated policy is located at http://www.rochester.edu/it/policy/assets/pdf/mdc.policy.pdf


Secure Your Mobile Device

  1. Protecting Cell phones and PDAs

    Click here for a PDF version of this tip that can be printed as a poster.

    As cell phones and PDAs become more technologically advanced, attackers are finding new ways to target victims. Most cell phones can send and receive text messages; others connect to the internet. Although these useful features are convenient, attackers can take advantage of them to:

    • Abuse your service
    • Lure you to a malicious website
    • Use your cell phone or PDA in an attack
    • Gain access to account information

    How to protect yourself:

    • Be careful about posting your cell phone number and email address
    • Do not follow links sent in email or text messages
    • Be wary of downloadable software
    • Evaluate your security settings, such as Bluetooth connections, and disable Bluetooth when you are not using it
    • Encrypt your cell phone or PDA if it contains sensitive data

    Visit http://www.us-cert.gov/cas/tips/ST06-007.html for more information about protecting your cell phone and/or PDA.


  2. Gadgets May Come Preloaded with Viruses

    Did you know some of today's hottest gadgets may be preloaded with viruses?

    Apple iPods, flash/thumb drives, digital picture frames, and TomTom navigation gear have all been guilty of harboring viruses fresh out of the package in the past. The viruses on these devices can steal passwords, open doors for hackers or make computers targets for spam attacks.

    How to protect your computer:

    • Keep your antivirus software up to date
    • Scan It! - Any time you plug a new device, like a memory card, digital picture frame, mp3 player or navigation device, into your computer, be sure to perform a virus scan on it before you run any programs associated with it
    • Disable AutoRun - AutoRun allows executable files on a drive to be run automatically when that drive is accessed. By disabling AutoRun, you can decrease the chances of infecting your computer.

    Learn how to disable AutoRun on your Windows system here.


  3. Mobile Device Safety

    You are at the center of secURity.

    Mobile devices can perform a variety of tasks: take pictures, send text messages, surf the Web, and more.  Be sure to take the same precautions on mobile devices as you would with your computer in regard to messaging and online safety.

    Click here to access the University's Mobile Computing Device Security Standards.

    Here are some tips to keep you safe on the go:

    • Do not use your mobile phone to communicate with strangers.  Never reply to text messages from people you don't know.  Only give your number to people you know and trust, and do not give out anyone else's number without their permission. 
    • Know how to block others from calling your phone.  Using caller ID, you can block all incoming calls or block individual names and numbers.
    • Make a record of your Electronic Serial Number (ESN) and/or your International Mobile Equipment Identity (IMEI) number.  You can get your IMEI number by pressing *#06# on your mobile phone's keypad.  It will display a 15 digit number - that is your IMEI number.  The IMEI number is used to identify a valid device, and can be used for stopping a stolen phone from accessing the network.
    • If your phone is lost or stolen, report it to your local police station and your network operator immediately.
    • Encrypt your mobile device if it contains PHI (Protected Health Information) or PII (Personally Identifiable Information).
    • Think about how a text message might be read or interpreted before you send it.
    • You should never take pictures or videos of anyone with your phone if you do not have their permission.
    • Do not allow others to take pictures or videos of you without your permission.  Remember - these pictures and videos can be posted to the Internet.
    • Be careful if you meet someone in real life who you only "know" through text messaging.  Even though text messaging is often the "next step" after online chatting, that does not mean that it is safer.


  4. Mobile Computing Device Standards - Training and Quiz (for Prizes!)

    Over the past month, we have been focusing on securing Mobile Computing Devices.  We have:

    Training coming soon

    This week, we have been working on a training video to show what a mobile device is, why the University is concerned about the security of mobile devices, why a mobile device standard is needed, how you can stay safe on the go, and some step by step how-to's for several mobile devices.  This video will be available soon from the Mobile Computing Device Standards website at http://www.rochester.edu/it/policy/MobileDevice.html.

    Take our quiz for a chance at prizes

    We have some great prizes available for those that successfully complete our Mobile Computing Device quiz.   If you complete our quiz correctly, you will be entered for a chance to win one of three 8G padlock-encrypted flash drives.

    Click here to take this month's quiz.


  5. Mobile Device Protection - Mobile Device Reminders and Safety Tips

    You are at the center of secURity.

    Mobile Device Reminders

    With this being a busy time of year for gift-giving and receiving, we want to remind you to take all necessary steps to secure any mobile devices that you are using, and to dispose of any old mobile devices properly. 

    • All mobile devices should maintain minimum security requirements related to physical protection, password protection, encryption, and inactivity time out protection.  Please review the University's Mobile Computing Device Security Standards website by clicking here.
    • If you are disposing of an old device, be sure to remove or wipe any residual settings, data, and applications before either disposing of it or giving it to someone else to use.
    • If a mobile device containing University of Rochester information is lost or stolen, report the loss immediately to University of Rochester Security, the University or Medical Center Chief Information Security Officer, and a Privacy Officer (if it was used to access or store Medical Center information). 

    Tips to Keep you Safe on the Go

    Mobile devices can perform a variety of tasks: take pictures, send text messages, surf the Web, and more.  Be sure to take the same precautions on mobile devices as you would with your computer in regard to messaging and online safety.

    • Do not use your mobile phone to communicate with strangers.  Never reply to text messages from people you don't know.  Only give your number to people you know and trust, and do not give out anyone else's number without their permission. 
    • Know how to block others from calling your phone.  Using caller ID, you can block all incoming calls or block individual names and numbers.
    • Make a record of your Electronic Serial Number (ESN) and/or your International Mobile Equipment Identity (IMEI) number.  On most phones, you can get your IMEI number by pressing *#06# on your mobile phone's keypad.  It will display a 15 digit number - that is your IMEI number.  The IMEI number is used to identify a valid device, and can be used for stopping a stolen phone from accessing the network.
    • If your phone is lost or stolen, report it to your local police station and your network operator immediately.  If the phone contains University data, report the loss immediately to University of Rochester Security, the University or Medical Center Chief Information Officer, and a Privacy Officer (if it was used to access or store Medical Center information).
    • Encrypt your mobile device if it contains PHI (Protected Health Information) or PII (Personally Identifiable Information).
    • Think about how a text message might be read or interpreted before you send it.
    • You should never take pictures or videos of anyone with your phone if you do not have their permission.
    • Do not allow others to take pictures or videos of you without your permission.  Remember - these pictures and videos can be posted to the Internet.
    • Be careful if you meet someone in real life who you only "know" through text messaging.  Even though text messaging is often the "next step" after online chatting, that does not mean that it is safer.


  6. Mobile Computing Device - Stay Secure on the Go

    Mobile devices are everywhere, and so is the potential for lost or stolen data.   Smart phones, laptops, iPads, and all portable devices are vulnerable.  The University’s mobile device standard requires these three security standards:

    1.    Encryption
    2.    Password protection
    3.    Inactivity timeout

    Additional recommendations include remote wipe capabilities and secure connectivity.

    Here are step-by-step instructions on how to secure your mobile device (Note: The instructions may vary slightly depending on the version and model number of your mobile device).

    Android
    Blackberry
    iPhone/iPad

    For more information, see the Mobile Computing Device Security Standards.

    http://www.rochester.edu/it/policy/MobileDevice.html


  7. Mobile Computing Device - Safety Video

    You are at the center of secURity.

    We've developed a video to show some of the things you should do to keep your mobile computing devices safe.  Please click on the link below to view the video.


  8. Mobile Computing Device Reminders and Safety Tips

    You are at the center of secURity.

    Click here for a version of this tip that can be printed and used as a poster.

    Mobile Device Reminders

    We want to remind you to take all necessary steps to secure any mobile devices that you are using, and to dispose of any old mobile devices properly. 

    • All mobile devices should maintain minimum security requirements related to physical protection, password protection, encryption, and inactivity time out protection. 
    • If you are disposing of an old device, be sure to remove or wipe any residual settings, data, and applications before either disposing of it or giving it to someone else to use.
    • If a mobile device containing University of Rochester information is lost or stolen, report the loss immediately to University of Rochester Security, the University or Medical Center Chief Information Security Officer, and a Privacy Officer (if it was used to access or store Medical Center information). 

    Tips to Keep you Safe on the Go

    Mobile devices can perform a variety of tasks: take pictures, send text messages, surf the Web, and more.  Be sure to take the same precautions on mobile devices as you would with your computer in regard to messaging and online safety.

    • Do not use your mobile phone to communicate with strangers.  Never reply to text messages from people you don't know. 
    • Only give your number to people you know and trust, and do not give out anyone else's number without their permission. 
    • Encrypt your mobile device if it contains PHI (Protected Health Information) or PII (Personally Identifiable Information).   Information about what is considered PHI or PII can be found in the Data Classification document.
    • Think about how a text message might be read or interpreted before you send it.
    • You should never take pictures or videos of anyone with your mobile device if you do not have their permission.  To all URMC workforce members, you cannot take pictures of patients, non-public areas of the Med Center, etc.  without specific written authorization from the patient.
    • Do not allow others to take pictures or videos of you without your permission.  Remember - these pictures and videos can be posted to the Internet.
    • Be careful if you meet someone in real life who you only "know" through text messaging.  Even though text messaging is often the "next step" after online chatting, that does not mean that it is safer.


  9. Mobile Computing Device - Safety Video

    Please view our video to show what a mobile device is, why the University is concerned about the security of mobile devices, why a mobile device standard is needed, and how you can stay safe on the go. 

    This video is also available from the Mobile Computing Device Standards website at http://www.rochester.edu/it/policy/MobileDevice.html.


  10. Mobile Device Safety - Did You Know?

     

    Know Your International Mobile Equipment Identity (IMEI) Number?

    Did you know there is a unique serial number that identifies each mobile phone? Press *#06# on your phone's keypad (this is not a phone number that you call), and for most models, it will display a 15 digit number. Make a record of that number; it is your International Mobile Equipment Identity (IMEI) number.

    If your phone is lost or stolen, the phone can be identified even if a new SIM card is added. Your provider can also block others from using the phone on their network, which could help protect you against expensive 1-900 phone calls and similar mischief.


  11. Laptop/Mobile Device Travel Safety

    You are at the center of secURity.

    Click here for a PDF version of this tip that can be used as a poster.

    A laptop or mobile device defines convenience, but chances are you've heard stories about stolen laptops or mobile devices on the news or from friends and colleagues. Here are some tips to help prevent your laptop or mobile device from being stolen when you are traveling.

    • Keep a careful eye on your laptop/mobile device when you are in public.
    • Password protect your screen.
    • Avoid putting your laptop/mobile device on the floor. If it is your only option, place it somewhere you are aware of it, like in between your legs.
    • Don’t keep your passwords in your laptop carrying case. This could make it easier for a thief to access your personal or business information.
    • Consider using a suitcase, briefcase or a backpack to carry your computer when traveling. Laptop cases advertise what you are carrying.
    • Don’t leave your laptop/mobile device in your car. If you have no choice, make sure that your laptop/mobile device is completely hidden.
    • Don’t leave your laptop/mobile device for “just a minute.” Take it with you if you can or at least use a cable to lock it.
    • Pay close attention in airports especially when you go through security.
    • If your laptop/mobile device has been stolen, report it immediately to the local authorities.

    All laptops/mobile devices that contain University Confidential or Legally Restricted data should be encrypted. You may also want to consider taking a loaner device when traveling to other countries.  If your laptop/mobile device that contains University Confidential or Legally Restricted data has been stolen or compromised, contact Information Technology Security immediately at (585) 273-1804 for University departments or (585) 784-6115 for Medical Center departments. 


  12. Mobile Device Security - Best Practices


    For a majority of us, our mobile devices are an integral part of our daily activities. Consequently, they typically store lots of personal information and important data. With your whole life in the palm of your hand, it is more important than ever to make sure you keep your devices safe and secure! Follow these six easy tips for mobile device security: 

    LOCK IT

    Require a PIN or password for access. Set the screen to auto lock after a short period of inactivity on the device.

    TRACK IT

    Turn on the “Find My Phone” feature or a device-tracking app. If your device is lost, you can track it or erase the data remotely:

    iPhone / Set up Find My iPhone.

    Android Phone / Android Device Manager

    Windows Phone / See Windows Phone: Find a lost phone (Windows 8) for instructions. For other versions of Windows, search the Windows Phone website.

    UPDATE IT

    Keep your software and/or firmware updated. Apps should also be updated to apply the latest security improvements.

    SHELTER IT

    Avoid using public open Wi-Fi when possible, but if the need arises, try to use a Virtual Private Network (VPN) to protect your transmitted information. Install only trusted market apps (from App Store, Windows Store, Google Play Apps).

    DOCUMENT IT

    Make a record of your Electronic Serial Number (ESN) and/or your International Mobile Equipment Identity (IMEI) number.  You can get your IMEI number by pressing *#06# on your mobile phone's keypad.  It will display a 15-digit number - that is your IMEI number.  The IMEI number is used to identify a valid device, and can be used for stopping a stolen phone from accessing the network.

    UNHOOK IT

    Turn off GPS/location services for apps where you do not need them. When not using Wi-Fi or Bluetooth, also turn them off (this prevents unauthorized access to your device through those connections).

    All University Departments should review the University's Mobile Computing Device Security Standard at http://www.rochester.edu/it/policy/MobileDevice.html

    URMC Departments should review the URMC standard at https://intranet.urmc-sh.rochester.edu/infosystems/mobile/mobile_devices.asp 

     


  13. Mobile Device Safety - Risks of Geotagging


    When taking photos on your smart phone, did you know that metadata (including latitude and longitude coordinates) could be embedded within the file? This information is often retained by default desktop image software and many online photo storage websites and can disclose the exact location of where the photo was taken. The process, called geotagging, is related to the built-in GPS chip within your smart phone (often used with many apps).

    If not turned off, this metadata is available to anyone who has access to your photos. Not only could this information reveal the exact location of your home, business or commonly visited locations, it might also tell someone when you are out of town, making your residence susceptible to burglary.

    If you wish to disable geotagging on your photos, follow the steps below. If your phone is not listed, please check with your carrier for instructions.

    How to Disable Geotagging:

    iPhones/iPads
    Settings > General > Location Services > Turn off Camera (and any other services you do not wish to store metadata)
    OR
    Settings > Privacy > Location Services > Turn off Camera (and any other services you do not wish to store metadata)

    Android/Tablets
    Select Camera App > Store Location (or select menu) > Set to OFF

    Blackberry
    Open Camera App > Options > Set Geotagging to DISABLED
    OR
    Open Camera App > Select GPS Icon > Crosshairs w/o signal bars means GPS is off

    For more information, please visit the following link:
    http://www.wikihow.com/Avoid-the-Potential-Risks-of-Geotagging
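
    To check whether a photo you are about to share still carries the location metadata described above, the following added example (not part of the original tip or any University tool) reads the GPS entries from a JPEG's Exif block and can strip the Exif block before the file is posted. The function names and the embedded sample file with its coordinates are constructed for illustration.

```python
import struct

SOI, EXIF_ID = b"\xff\xd8", b"Exif\x00\x00"
GPS_POINTER = 0x8825                      # IFD0 tag that points at the GPS directory
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4   # tags inside the GPS directory


def segments(jpeg):
    """Yield (marker, start, end) for each header segment before the image data."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG file")
    pos = 2
    # Stop at SOS (0xDA) or EOI (0xD9): metadata segments come before the scan data.
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        if length < 2:
            raise ValueError("corrupt segment length")
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length


def is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_ID


def read_ifd(tiff, offset, bo):
    """Return {tag: (count, raw 4-byte value field)} for one TIFF directory."""
    (n,) = struct.unpack_from(bo + "H", tiff, offset)
    entries = {}
    for i in range(n):
        tag, _type, count, value = struct.unpack_from(bo + "HHI4s", tiff, offset + 2 + 12 * i)
        entries[tag] = (count, value)
    return entries


def degrees(tiff, entry, bo):
    """Convert a degrees/minutes/seconds RATIONAL triplet to decimal degrees."""
    (off,) = struct.unpack(bo + "I", entry[1])
    n = struct.unpack_from(bo + "6I", tiff, off)
    d, m, s = (n[i] / n[i + 1] if n[i + 1] else 0.0 for i in range(0, 6, 2))
    return d + m / 60 + s / 3600


def gps_position(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if no geotag."""
    for marker, start, end in segments(jpeg):
        if not is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]
        bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # TIFF byte-order mark
        if bo is None:
            return None
        try:
            magic, ifd0_off = struct.unpack_from(bo + "HI", tiff, 2)
            ifd0 = read_ifd(tiff, ifd0_off, bo)
            if magic != 42 or GPS_POINTER not in ifd0:
                return None
            (gps_off,) = struct.unpack(bo + "I", ifd0[GPS_POINTER][1])
            gps = read_ifd(tiff, gps_off, bo)
            if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
                return None
            lat, lon = degrees(tiff, gps[LAT], bo), degrees(tiff, gps[LON], bo)
        except struct.error:
            return None                               # truncated or malformed Exif
        if gps[LAT_REF][1][:1] == b"S":
            lat = -lat
        if gps[LON_REF][1][:1] == b"W":
            lon = -lon
        return lat, lon
    return None


def strip_exif(jpeg):
    """Return a copy with every Exif segment removed (GPS and all other Exif tags)."""
    out, end = bytearray(jpeg[:2]), 2
    for marker, start, end in segments(jpeg):
        if not is_exif(jpeg, marker, start):
            out += jpeg[start:end]
    return bytes(out) + jpeg[end:]


def build_sample():
    """Constructed test file: valid JPEG framing and Exif, but no real image data."""
    def entry(tag, typ, count, value):
        return struct.pack("<HHI4s", tag, typ, count, value)

    def off(n):
        return struct.pack("<I", n)

    ifd0 = struct.pack("<H", 1) + entry(GPS_POINTER, 4, 1, off(26)) + off(0)
    gps = (struct.pack("<H", 4)
           + entry(LAT_REF, 2, 2, b"N\0\0\0") + entry(LAT, 5, 3, off(80))
           + entry(LON_REF, 2, 2, b"W\0\0\0") + entry(LON, 5, 3, off(104)) + off(0))
    # Constructed coordinates: 40 deg 30' 0" N, 75 deg 15' 0" W.
    data = struct.pack("<6I", 40, 1, 30, 1, 0, 1) + struct.pack("<6I", 75, 1, 15, 1, 0, 1)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + data
    app1 = EXIF_ID + tiff
    return (SOI + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02" + b"\xff\xd9")


SAMPLE = build_sample()

if __name__ == "__main__":
    print("before:", gps_position(SAMPLE))
    print("after: ", gps_position(strip_exif(SAMPLE)))
```

    Removing the whole Exif segment also drops the camera model, timestamp and orientation tags, so an image may display rotated afterwards.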


  14. Mobile Computing Device - Don't lose your smartphone!


    If You Found A Smartphone, What Would You Do?

    The Symantec Smartphone Honey Stick Project was an experiment involving 50 "lost" smartphones.  Before the smartphones were intentionally lost, a collection of simulated corporate and personal data was placed on them, along with the capability to remotely monitor what happened to them once they were found.  The intent of the project was to help businesses and individuals to understand some of the most likely threats to smartphones and their associated information.

    Here is what they found:

    • 96 percent of lost smartphones were accessed by the finders of the devices
    • 89 percent of devices were accessed for personal related apps and information
    • 83 percent of devices were accessed for corporate related apps and information
    • 70 percent of devices were accessed for both business and personal related apps and information
    • 50 percent of smartphone finders contacted the owner and provided contact information

    We suggest you watch this MSNBC video, "The 'lost' cell phone project, and the dark things it says about us," which highlights the results of the project. (Sorry for the advertisement at the beginning of it.  Be patient - it is worth the wait to see the video.)

    If I Lose My Smartphone, What Should I Do?

    If you lose your smartphone or are the victim of a stolen smartphone:

    • If a mobile device containing University of Rochester information is lost or stolen, report the loss immediately to University of Rochester Public Safety, the University or Medical Center Chief Information Security Officer, and a Privacy Officer (if it was used to access or store Medical Center information). 
    • Call your phone from another phone to see if the person who has it picks up and will return it.
    • File a police/security report on the lost/stolen phone, etc.
    • Perform a remote wipe/lock/message if your device has this capability.  Contact your appropriate IT Help Desk concerning this if you need assistance.   
    • Consider adding an ICE contact (In Case of Emergency) in preparation for any sort of emergency such as a lost phone or a situation where a first responder needs to contact a representative of yours to help in an emergency.

    Getting Your Phone Back

    Since your mobile device is locked, there is no way for someone who finds it to figure out who it belongs to.  If you provide an alternate method of contacting yourself, such as an email address written on the back of the phone or a business card or slip of paper with contact information inserted inside the case, you will have a much better chance of getting your phone back.

    Minimum Requirements For Mobile Devices

    To help protect your device, you should meet the following requirements:

    • Physical Protection - Individuals must keep mobile devices with them at all times or store them in a secure location when not in use
    • Password Protection - Access to the mobile device must be protected by the use of a password
    • Encryption - University data classified as Legally Restricted Information must not be stored on a storage card or the device (including with cached email) without proper encryption, password protection and inactivity timeout.
    • Inactivity Timeout Protection - Inactivity timeout must be set.  The recommended inactivity timeout is 15 minutes but must not exceed 60 minutes
    • Proper Disposal - Any residual settings, data, and applications on the mobile device must be removed or wiped prior to disposal or transfer to another user.  All attached storage cards that contain Legally Restricted Information must be destroyed or wiped so no data recovery is possible.

    Further requirements and recommendations for mobile devices can be found within the University of Rochester Mobile Computing Device Security Standards.


Clean and Go Green

  1. LEAP

    University Electronic Cleanup

    Sponsored by the Data Security Task Force

    Wednesday, February 29, 2012 (1:00PM – 3:00PM suggested time)

    Click here to add a reminder to your calendar.

    The Data Security Task Force encourages everyone at the University to set aside two hours on Leap Day for electronic file cleanup. Taking time out of this extra day will help make your computer and your life more efficient and secure.

    Visit the LEAP Day Promise site to learn more.

  2. Clean and Go Green - Digital Spring Cleaning

    Click here for a version of this tip that can be printed and used as a poster.


    It is that time of year when you break out the broom, vacuum, and old dust rag. However, keep in mind that spring cleaning is more than just tidying up around the house. Over the past year your work computer has been collecting digital dust in the form of countless emails, unorganized files, and a hard-drive filled nearly to its max.

    In order to help make your computer and your life more efficient and secure, follow these simple steps and clean up your digital clutter.

    http://www.rochester.edu/it/security/SpringClean

  3. Clean and Go Green - Your Facebook Friends List

    Do you know who all your friends are?

    There is a wealth of information available on your Facebook account that can be used for identity theft. Go through your friends list and ask yourself, “Do I really know this person? Would I trust them with my personal information?”

    If the answer is “no”, consider unfriending them.  You can go to https://www.facebook.com/help/172936839431357 for information on how to unfriend someone on Facebook.

    Another option is to create custom groups that allow you to use the audience selector feature on Facebook.  For instance, all of your close friends could be added to one group, while your acquaintances who you do not want to have access to more personal posts could go into another.  Visit https://www.facebook.com/help/www/124794780932930 to find out how to create lists in Facebook. 

    Since Facebook continually adds new sharing features, it is also a good idea to occasionally check your privacy settings to make sure you are only sharing what you want to share.

  4. Clean and Go Green - Device Disposal

    What is the only way to dispose of University electronic devices?  Contact your local IT support group to coordinate with University IT.  University IT offers easy and secure recycling for consumer electronics from all University departments (https://www.rochester.edu/it/recycle/).  Additionally your IT support group will ensure that the disposal of the equipment complies with the University Supply chain procedures at https://www.urmc.rochester.edu/purchasing/.  Information about electronic equipment disposal can be found at http://www.rochester.edu/it/security/data/disposal.html.

    Some important things to keep in mind:

    • This is good for any type of device or data storage
    • The recycle group comes to you to pick up your device. 
    • This is suitable for destruction of devices containing legally restricted data such as Protected Health Information (PHI).

    For personal devices, there are several places that now accept old equipment to be recycled.  Before providing your device to such a place, or passing it along to anyone else, please be sure to remove all data from the device.   For cell phones, this should include performing a factory reset.  If you are unsure of how to do this, please see your cell phone manufacturer's web site.

  5. Clean and Go Green - Record Disposal

    Click here for a version of this tip that can be used as a poster.

    The University of Rochester requires that some specific types of records (both paper and electronic) be retained for specific periods of time and in designated official repositories. Other records, documents or correspondence (those records not required to be retained or those that are in the possession of individuals or departments other than the official repository for the record) should be disposed of when they are no longer needed for active use by those who possess them.

    The University Policy on Record Retention can be found at http://www.rochester.edu/adminfinance/records.html.  The policy includes a schedule of records, the time of required retention and the designated repository.

    Information about what is classified as legally restricted or confidential data can be found at http://www.rochester.edu/it/policy/assets/pdf/At%20a%20Glance%20Data%20Classifications.pdf.

    Electronic Records

    To dispose of electronic records on your personal electronic devices, move them to the recycle bin and then empty your recycling bin.  Your personal electronic devices containing university data should be encrypted and disposed of in accordance with the Mobile Computing Device Security Standard http://www.rochester.edu/it/policy/assets/pdf/Mobile%20Computing%20Device%20Standards.pdf.

    If there are electronic records that have aged out of retention stored on servers or databases that you have access to, work with your team and local IT support group to develop a plan for purging these records.

    Paper Records

    As you dispose of any old paper records, please be sure to dispose of them properly based upon the information they contain. Please be sure to shred or otherwise render unreadable any confidential or legally restricted paper records. If they don't contain confidential or legally restricted data, then be sure to recycle!

Cloud Computing

  1. Cloud Computing - Protect University Data

    You are at the center of secURity.

    Click here for a PDF version of this tip that can be used as a poster.

    Privacy advocates have criticized the cloud computing model because the companies hosting cloud services control, and can therefore monitor at will (whether or not their customers permit it), both the communication between the host company and the end user and the user's stored data.

    To protect University data, it is imperative that no legally restricted or confidential data be placed in a cloud environment that is not sanctioned by the University.  This would include environments such as Dropbox, Gmail, Facebook, LinkedIn, etc. that are not sanctioned.

    If you have a question as to whether it is safe to use a cloud service, please contact your area Information Security Officer.

  2. Cloud Computing - Best Practices - Self Audit

    You are at the center of secURity.

    Click here for a PDF version of this tip that can be used as a poster.

    We put more and more of ourselves in the cloud every day.  Email, device settings, data synchronization between devices, and access to much of our digital selves is tied to a handful of cloud service accounts with Google, Apple, Microsoft, and others.  These accounts can easily be put at risk if they are too interconnected.

    Best Practices - Self-Audit

    There are things you can do to make yourself less vulnerable to potential hacks or compromises of cloud services, or at least limit the damage that can be done if one is exposed.  Perform a self-audit of your identity in the cloud to find and fix potential problems:

    • Do you use strong passwords, and change them regularly?
    • Do you share access to your cloud services with other people, such as family members or friends?
    • Do you use the same email address and password as your credentials for more than one service?
    • Do you use two-factor authentication? Two-factor authentication helps protect your account by asking not only for something you know (your password) but also for something you have. In many cases this would be an application on your smart phone that generates a numeric code that you type into the web site, or a text message that the site sends to your mobile phone when you log in.
    • Do you use the same credentials for iCloud and Amazon?
    • Do you use the same cloud-based email account as your password recovery contact address for more than one service?
    • Do you have multiple webmail accounts connected into a single mailbox?
    • How hard is it to guess or research your answer to your chosen security question?

    There are also some local protection items that you should consider:

    • Do you keep a local backup in addition to cloud backups?
    • Do you really need to reach back to that computer?  Only turn cloud synchronization on when you need it—and have virus scanners checking your synced folders.
    • How often do you update your malware and Web browsing protection?

    Further information about all of these items can be found at http://arstechnica.com/information-technology/2012/08/secure-your-digital-self-auditing-your-cloud-identity/

    Reminder - to protect University data, it is imperative that no legally restricted or confidential data be placed in a cloud environment that is not sanctioned by the University. This would include environments such as Dropbox, Gmail, Facebook, LinkedIn, etc. that are not sanctioned.

    If you have a question as to whether it is safe to use a cloud service, please contact your area Information Security Officer.

  3. Cloud Computing - Did You Know?

    You are at the center of secURity.

    Click here for a PDF version of this tip that can be used as a poster.

    We put more and more of ourselves in the cloud every day. Email, device settings, data synchronization between devices, and access to much of our digital selves is tied to a handful of cloud service accounts with Google, Apple, Microsoft, and others. There are both advantages and disadvantages to doing so.

    Advantages

    • The use of cloud services reduces the risks involved with physically carrying data around on removable media.
    • Users often have on-demand access to their information anywhere they can connect to the internet.
    • Cloud services can provide easier collaboration with others due to ease of accessing and transferring information.


    Disadvantages

    • Control: Cloud services often run on an external or third party provider’s system, unlike systems directly under the user’s personal or institutional control. It is important to know who is actually storing your information and how it is being protected.
    • Security: Cloud vendors often have transparent or inadequate service level agreements, which do not clarify their level of security and privacy regarding your data.
    • Reliability: Many cloud vendors are new businesses, and their future and success are uncertain. What would happen to your data if they fail or change their services? What happens if the service is temporarily down when you need to access your account?

    Reminder - to protect University data, it is imperative that no legally restricted or confidential data be placed in a cloud environment that is not sanctioned by the University. This would include environments such as Dropbox, Gmail, Facebook, LinkedIn, etc. that are not sanctioned.

    If you have a question as to whether it is safe to use a cloud service, please contact your area Information Security Officer.

Email Safety

  1. 10 Scams to Screen from Your Email

    Click here for a PDF version of this tip that can be used as a poster.

    Email users have lost money to bogus offers that arrived as spam in their inbox. Con artists are very cunning; they know how to make their claims seem legitimate. Some spam messages ask for your business, others invite you to a website with a detailed pitch.

    To help minimize your risk:

    • Protect your personal information. Only provide your credit card or other personal information when you're buying from a company you know and trust.
    • Know who you're dealing with. Don't do business with any company that won't provide its name, street address, and telephone number.
    • Never give confidential information to an unknown person over the phone, no matter what they seem to know about you. Even if the call seems legitimate, tell the caller that you will call them back via a telephone number that you can verify independently, such as a number listed in a telephone directory.
    • Take your time. Resist any urge to "act now" despite the offer and the terms. Once you turn over your money, you may never get it back.
    • Read the small print. Get all promises in writing and review them carefully before you make a payment or sign a contract.
    • Never send money for a "free" gift. Disregard any offer that asks you to pay a fee for a gift or prize. Free means free.

    Some of the more common scams include:

    1. The "Nigerian" Email Scam
    2. Phishing
    3. Work-at-Home Scams
    4. Weight Loss Claims
    5. Foreign Lotteries
    6. Cure-All products
    7. Check Overpayment Scams
    8. Pay-in-Advance Credit Offers
    9. Debt Relief
    10. Investment Schemes

    Visit http://onguardonline.gov/spam.html for more information about these scams, or http://www.rochester.edu/uit/security/data/e-mail.html for more information concerning email safety.

  2. Five Safe Email Practices

    Click here for a PDF version of this tip that can be used as a poster.

    Although many people think of email as being an "electronic letter," it's actually more like a postcard that can be read by any number of people along the route between sender and recipient. It can be easily forged and does not afford privacy. Because email is not secure, here are important tips to keep in mind when emailing:

    1. Confidential Information

    • Never put anything in an internet-based email you're not willing to share with the world.
    • Beware of emails that attempt to lure you into divulging personal information.
    • Never click links in a message that request personal or financial information.

    For more information about phishing, visit http://www.rochester.edu/it/security/yourself/phishing.html.

    2. Attachments

    Attachments require special attention since even ones coming from friends' computers could contain viruses. Following these tips can help lower the chance of infecting your computer:

    • Minimize the use of attachments as much as possible. 
    • Question unsolicited file attachments. 
    • Never open attachments from unknown sources or even from trusted senders if you weren't expecting them.
    • Question executable (.EXE) programs received via email. 

    3. Strange Messages

    • Examine your list of new messages carefully before you open them.
    • Don't reply to unsolicited "spam" mail, or other harassing or offensive email.
    • Disable the preview feature in email programs such as Outlook Express. This feature can allow you to unknowingly execute the code in an infected email. To turn off the Preview Pane in Outlook Express, go to the top menu bar > View > Reading Pane > Off.

    4. Infected Files

    If you receive an infected file from a friend, you should notify them as soon as possible. Do this if you know the person and are certain that the originating email address is accurate.  This helps the sender correct the problem within their system before passing the virus on to others.

    5. Antivirus Software

    Having up-to-date antivirus software installed on your computer is critical. This will help protect your machine and the machines of others on the internet.

    For more information about antivirus protection for your computer, visit http://www.rochester.edu/it/security/computer/antivirus.html.

  3. 11 Ways to Prevent Email Spam

    Click here for a PDF version of this tip that can be used as a poster.

    1. Use more than one email address: one for personal email and the other for mandatory fields in online forms and access areas.
    2. Never post your real email address anywhere online, especially in newsgroups, online chat rooms and online profiles.
    3. Always check the privacy policy of any website that requests personal details, such as email addresses. Do not submit your information if the website does not allow you to opt out or does not have a privacy policy.
    4. When you respond via a website form, read it thoroughly. Some websites that include an opt-out option require you to check a box to agree to be sent email (either from them or their associates). Others, however, ask you to uncheck a pre-checked box in order not to be sent email, and many consumers have gotten burned by that.
    5. Never open email and/or download attachments from anyone if you are not expecting them and always virus scan attachments first.
    6. Block future messages from unknown users, if your email client allows it.
    7. Never reply to a spam email, not even to “unsubscribe.”
    8. Keep your operating system, anti-virus, anti-spyware and firewall software up-to-date.
    9. Use any spam filters available by default from your ISP.
    10. Use anti-virus software and/or firewalls on every computer you own/use. Remember that children are easy prey to the “just click here” tactic so remind them not to click.
    11. Stay up to date with current scams and always report suspicious activity.

  4. Backscatter

    If you’ve got questions, we’ll find the answers.  Once a month, the University Security & Policy team will answer your information security questions in a new Security Tip of the Week feature called Did You Know?  Please email your questions to UnivIT_SP@ur.rochester.edu.

    Have you ever received an email informing you that a message was not delivered, but you never sent the message in the first place?

    These “bounce back messages” fall under the category of unwanted email called backscatter and are the result of your email address being forged as the sender of spam messages.

    Unfortunately, there is no way to avoid receiving these messages and no way to prevent your email address from being forged. However, by limiting where you post your email address online and giving it only to people and businesses you trust, you can reduce the risk that your address will be harvested by someone looking to use it for malicious purposes.

    For more information, see our page on forged email.

  5. Don't Get Hooked by a Phishing Expedition

    Click here for a PDF version of this tip that can be used as a poster.

    If you are ever asked to click on an email link to provide security or personal information, use extreme caution! Most of these request types are actually "phishing scams" to obtain your secure information. Lenders, brokerages, and banks would never ask for confidential information via e-mail as it is not a secure method.

    If you ever have a question as to whether a request is valid, call the business entity and ask. They can confirm appropriate information requests.

    Visit http://www.rochester.edu/it/security/yourself/phishing.html for more information about Phishing.

    As a reminder, we are providing a chance for you to win a $25 iTunes Gift Card or even an iPod Nano by participating in our Security Awareness quizzes this month.  This week's quiz is on Phishing and can be accessed by clicking here.

  6. Email Use Policy

    You are at the center of secURity.

    The University has adopted and published a new policy related to the proper use of email. 

    The Email Use Policy is intended to describe the permitted use of University email.  This is an overarching policy, and does not replace more specific policies on specific email use (such as emailing of Legally Restricted data such as PHI).

    All University faculty and visiting faculty, physicians, staff, students, contractors, volunteers, and guests who are provided email services managed by or for the University of Rochester are to follow this new policy.

    Please review this policy for information related to the proper use of email, official email addresses, email forwarding, confidentiality and security, misuse, local policies permitted, retention and disposal, and sanctions. 

    The Email Use Policy is located on the IT Policy website, and can be accessed by clicking here.

  7. Don't Pass On Chain Messages Or Send Warnings To Everyone You Know

    You are at the center of secURity.

    Click here for a PDF version of this security tip that can be used as a poster.

    Chain messages are a burden on email systems and to the vast majority of the people who receive them.  The simple response is to not pass them on.

    You may get messages from friends, warning you about a new virus, health scare, charity appeal or con trick.  These are very likely to be hoaxes or just plain wrong.

    Be very suspicious of messages that ask you to pass them to "everyone you know".  That leads to an endless chain of forwarded messages that go on long past any real or imagined threat.

    If it is really convincing, pass it to your IT Helpdesk for them to consider.

  8. Phishing Protection - Phishing Quiz - Can You Spot a Phish?

    Test your phishing knowledge by trying this online quiz to see if you can identify a phishing attempt.  The quiz is located at https://www.opendns.com/phishing-quiz/.

  9. Phishing Protection - Video

    You are at the center of secURity.

    Phishing is an internet sham where scam artists send official-looking email to people attempting to fool them into disclosing personal information. 

    Further information about Phishing can be found at http://www.rochester.edu/it/security/yourself/phishing.html

    Please also view our video to gain additional information regarding phishing.

  10. Phishing Protection - Awareness Video and Phish Tank

    You are at the center of secURity.

    The University is experiencing a dramatic increase in targeted phishing and spam attacks.  Faculty, staff, and students have been receiving emails that are created to look as if they came from University Information Technology, Information Systems Division, the IT Help Desk, or other support locations.  The emails look remarkably like valid University communications - using the University logo, department names, and official branding or formatting.  

    We have created a "Phish Tank" that provides examples of some of the phishing emails that we have seen at the University of Rochester and the Medical Center.  The Phish Tank can be viewed at http://www.rochester.edu/it/security/phishtank/.

    Further information about Phishing can be found at http://www.rochester.edu/it/security/yourself/phishing.html

    Please also view our video to gain some important tips regarding phishing.

  11. Phishing Protection - Grandma Got Phished by a Hacker

    We hope you enjoy our rendition of "Grandma Got Run Over by a Reindeer" (or "Grandma Got Phished by a Hacker") to help remind you to be careful when clicking links found within your email.

    Phishing is an email fraud method in which the sender uses legitimate-looking email in an attempt to gather personal and financial information from recipients.  Typically, the messages appear to come from well known and trustworthy sources.

    For additional tips to help avoid Phishing, you can visit https://www.rochester.edu/it/security/yourself/phishing.html.

     

  12. Phishing Protection - Phishing Bells

    Phishing is an e-mail fraud method in which the sender uses legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well known and trustworthy Web sites.

    For additional tips to help avoid Phishing, including a link to our newly created awareness video, you can visit https://www.rochester.edu/it/security/yourself/phishing.html.

    We hope you enjoy our rendition of "Phishing Bells" to help remind you to be careful when clicking links found within your email.

Miscellaneous

  1. Wireless Security

    Click here for a PDF version of this tip that can be used as a poster.

    Wireless Internet access offers convenience and mobility, but the downside is that anyone with a wireless-ready computer can use your connection. Unless you take certain precautions, neighbors, or hackers lurking nearby, could “piggyback” on your network, or even access your personal information. If an unauthorized person uses your network to commit crimes or send spam, the activity can be traced back to your account. Take the following steps to protect your computers on a wireless network:

    • Use encryption to scramble communications over the network. If you have a choice, use WiFi Protected Access (WPA) as it is stronger than Wired Equivalent Privacy (WEP).
    • Use anti-virus and anti-spyware software, as well as a firewall on both your computer(s) and router.
    • Change the identifier on your router from the default so a hacker can't use the manufacturer's default identifier to try to access your network.
    • Most wireless routers have a mechanism called identifier broadcasting. Turn it off so your router won't send a signal announcing its presence.
    • Change your router's pre-set password for administration to a passphrase or series of letters, numbers and symbols that only you know. The longer the password, the tougher it is to crack.
    • Allow only specific computers to access your wireless network using MAC address filtering.
    • Turn off your wireless network when you aren't using it.
    • Don't assume public "hot spots" are secure. You should assume other people can access any information you see or send over a public wireless network.

  2. Physical Safety

    Click here for a PDF version of this tip that can be used as a poster.

    Do you know how to contact UR Security? Who to call in the event of an emergency? Report a crime, parking lot incident, or strange occurrence?

    Look to the back of your ID badge!

    Important University Emergency Phone Numbers: This will connect you to a University Security Emergency Dispatcher

    • Dial x13 From Any University Phone
    • Dial #413 From Any AT&T or Verizon Cell Phone. Program your AT&T or Verizon cell phone to call #413 for University emergencies. It works anywhere in Monroe County.
    • Use x13 or #413 to report University emergencies - dialing 9-1-1 will not provide your exact location and may hinder assistance.

    Not Inside or Without Your Cell Phone? Pick up a Blue Light Emergency Phone:

    • Pick up a Blue Light Emergency Phone receiver to be connected to an emergency dispatcher. No dialing is required. If you are being followed, simply drop the receiver and walk toward another blue light emergency phone, repeat and keep walking – the emergency dispatcher will know your direction of travel and dispatch assistance.
    • Picture of a Blue Light Emergency Phone: http://security.rochester.edu/emerg.html
    • Using x13, #413 and the Blue Light Emergency Phones will provide emergency services, including UR Security, Rochester Police, Ambulance and Fire Department.

    Important Non-Emergency Phone Numbers:

    • Call UR Security: Dial 275-3333 for non-emergency issues.
    • Call University Operators: Dial “0” from any University phone, or dial 275-2121 or 275-2100 from any non-University external phone

    For more information, see UR Security’s http://www.security.rochester.edu/

  3. Top 10 Scams and Rip-Offs of 2009

    The Better Business Bureau has released the top 10 Scams and Rip-offs of 2009. These include:

    1. Acai Supplements and Other “Free” Trial Offers

    2. Stimulus/Government Grant Scams

    3. Robocalls

    4. Lottery/Sweepstakes Scam

    5. Job Hunter Scams

    6. Google Work from Home Scam

    7. Mortgage Foreclosure Rescue/Debt Assistance

    8. Mystery Shopping

    9. Over-Payment Scams

    10. Phishing e-mails/H1N1 spam

    Further information about each of these scams can be found by clicking here.

    Remember - consumers or small business owners victimized by a scam can contact their local Better Business Bureau or file a complaint at www.bbb.org. Always research a business with the Better Business Bureau before you sign any contracts or hand over any money.

  4. Finding more security information on Facebook

    You can get the latest news, tips, and computer store promotions from University Information Technology by becoming a fan on Facebook at http://www.facebook.com/UR.Technology.

    Our weekly security tips will continue to be posted to http://www.rochester.edu/it/security/securitytipofweek.html as well as to our Facebook page.

  5. Remote Access Using VPN

    When you are off campus and need to access email or other University restricted resources, you should use VPN (Virtual Private Network). VPN provides a secure connection between your off campus computer and University resources while using the Internet.

    Please reference the following links for additional information about how to use VPN for remote access:

    http://www.rochester.edu/it/vpn for College and University

    http://www.rochester.edu/it/vpn/medcenter for the Medical Center

  6. Enter to Win an iPod Nano - Help Us Get to 1,000 Fans

    Win an iPod Nano...

    …by becoming a “fan” of University IT on Facebook.

    Become a fan of University of Rochester – Get Technology on Facebook for valuable tips on keeping your computer safe and secure,  campus technology updates, and Computer Store promotions and specials. We're here to help you be in the know when it comes to technology at the University and staying secure online!

    If we get to 1,000 fans by October 29, 2010, we will enter everyone into a drawing for a chance to win one of the new iPod Nanos.  Join us today!

    *Faculty and Staff please follow your department's guidelines regarding use of social networking sites.

    Contest ends 12:00 Noon on October 29, 2010.

  7. Stop. Think. Connect.

    As part of National Cyber Security Awareness month, please remember to always:

    Stop:  Before you use the Internet, take time to understand the risks and learn how to spot potential problems.

    Think:  Take a moment to be certain the path is clear ahead.  Watch for warning signs and consider how your actions online could impact your safety, or your family's.

    Connect:  Enjoy the Internet with greater confidence, knowing you've taken the right steps to safeguard yourself and your computer.

    STOP.  THINK.  CONNECT.  Protect yourself and help keep the web a safer place for everyone.

    So how cyber savvy are you?  Try these interactive quizzes to see just how savvy you are:

    Online Safety

    Identity Theft

    Laptop Security

    Phishing Scams

    Email Scams

    Peer-to-peer file sharing

    Remember to become our fan on Facebook (University of Rochester - Get Technology).  If we reach 1,000 fans by October 29, 2010, we will put everyone's name in for a chance to win a new iPod Nano.

  8. 12 Scams of Christmas

    A leading security technology company is providing some helpful tips when it comes to online usage this holiday season:

    1. Charitable phishing scams.  Be wary of e-mails that appear to be from legitimate charities.  Not only will they take your money and deprive charities of needed funds, but they will also steal your credit card information and identity.
    2. Fake invoices from delivery services.  Scammers are sending out fake invoices and delivery notifications appearing to come from Federal Express, UPS, the US Postal Service or even the U.S. Customs Service saying that they were unable to deliver a package to your address.  They ask you to confirm your address and give them credit card information to pay for delivery.
    3. Social networking friend requests.  Beware of authentic looking friend requests via e-mail.  Don't click on the links within e-mail, but instead log into Facebook and other services and look for friend requests from the site itself.  Clicking on a link could install malware on your computer or trick you into revealing your password.
    4. Holiday e-cards.  These can be used to deliver malware, pop-ups, and other forms of unwanted advertising.  Some fake e-cards will look like they come from Hallmark or other legitimate companies, so pay close attention and make sure it's from someone you know.
    5. Fake "luxury" jewelry.  If you see an offer for luxury gifts from companies like Cartier, Gucci, and Tag Heuer at a price that's too good to be true, it probably isn't true.  These links could lead you to malware and take your money for merchandise that will probably never arrive (or be fake if it does).
    6. Practice safe holiday shopping.  Make sure your wireless network is secure, and be sure you're shopping on sites that are secure.  Though it isn't an ironclad guarantee, you should look for the lock icon in the lower right corner of your browser and make sure the Web page address starts with https.
    7. Christmas carol lyrics can be dangerous.  Bad guys know that people are searching for holiday related sites for music, holiday graphics, and other festive media.  During this time, they create fraudulent holiday related sites.
    8. Job search related scams.  Beware of online offers for high paying jobs or at-home money making schemes.  Some of these sites ask for money up front, which is a good way for criminals not only to steal your "set up fee" but misuse your credit card too.
    9. Auction site fraud.  There is a rise in fake auction sites during the holidays.  Make sure you're actually going to eBay or whatever site you plan to deal with if you are making purchases through an auction site.
    10. Password stealing scam.  Criminals use low-cost tools to uncover passwords, in some cases planting key logger software to record keystrokes.  Once they get your passwords, they gain access to bank accounts and credit card accounts and send spam from your e-mail accounts.
    11. E-mail banking scams.  A common type of phishing scam is sending out official looking e-mails that appear to come from your bank.  Don't click on any links but type in your bank's web address manually if you need to access your account.
    12. Files for ransom.  Hackers use malware to gain control of your computer and lock your data files.  To access your own data, you have to pay them ransom.


  9. Changes coming to IT Center and River Campus public computers

    You are at the center of secURing your data.

    Starting in January 2011, access to kiosks and public computers in the libraries and IT Center on the River Campus will require login credentials for use.  To ensure access to resources on public computers, including the ability to log in, you will first need to update your NetID.  The new login requirements are part of an effort to further protect information and will help preserve availability of computers for the University community.  The computers will log you off automatically after 15 minutes of inactivity, which will help preserve your security.  University IT reminds you, however, to always log off from public computers when finished using them, and to never share your password with anyone.

    Medical Center faculty, staff, and students will not be asked to update their NetIDs at this time.  Instead, they will be able to use their active directory accounts to access kiosks and public computers in the libraries and IT Center on the River Campus.

    Once you have updated your NetID, you will also have access to a new wireless service that will allow you to authenticate your laptop, smartphone, and other wireless devices just once.  These devices will automatically connect to the University network in the future and will not require you to log in as you move around campus.

    Please look for an official communication concerning this via email this week (the week of January 4th, 2011).

    Further information on this important security change can be found by clicking here.


  10. Public computers will soon require login

    You are at the center of secURing your data.

    Starting in January 2011, access to kiosks and public computers in the libraries and IT Center on the River Campus will require login credentials for use.  The new logon requirements are part of an effort to further protect information and will help preserve availability of computers for the University community.

    Please look for an official communication concerning this via email the week of January 4th, 2011.

    Further information on this important security change can be found by clicking here.


  11. Top 10 Scams and Rip-Offs of 2010

    The Better Business Bureau has released the top 10 Scams and Rip-offs of 2010.  Job seekers and people struggling to make money and get out of debt were common targets in this tough economy.

    In 2010, the Better Business Bureau saw an increase of approximately 30 percent in complaints about debt relief and settlement services.  Complaints about the timeshare industry, including deceptive resellers, increased by over 40 percent.  Complaints about itinerant home repair contractors and roofers also rose by roughly 40 percent.

    The top ten items include:

    1. Job Hunter Scams

    2. Debt Relief and Settlement Services

    3. Work from Home Schemes

    4. Timeshare Resellers

    5. Not So "Free" Trial Offers

    6. Itinerant Home Repair/Roofers

    7. Lottery and Sweepstakes Scams

    8. Identity Theft

    9. Advance Fee Loan Scams

    10. Over-Payment Scams

    Further information about each of these scams can be found by clicking here.

    Remember - consumers or small business owners victimized by a scam can contact their local Better Business Bureau or file a complaint at www.bbb.org. Always research a business with the Better Business Bureau before you sign any contracts or hand over any money.


  12. Test Your Security Awareness - Your Chance to Win an iTunes Gift Card or an iPod Nano

    Over the next month we will run a series of Information Technology security-based quizzes. Answer the questions correctly and you will be entered for a chance to win one of four iTunes gift cards. At the end of 4 weeks, all those that entered at least one quiz, and answered it successfully, will be entered for a chance to win an 8GB iPod Nano.

    Click here to get to this week's quiz.

    To stay up to date on what University IT has in store, become a fan of us on Facebook, and look for the Security Tip of the Week every week in the Weekly Buzz and @Rochester.


  13. Acceptable Use Policy

    You are at the center of secURity.

    The University of Rochester's Policy on Acceptable Use of Information Technology and Resources was recently updated.  This new version is intended to consolidate several separate Acceptable Use policies (Wireless, Resnet, Remote Access, and NetID) into one document that encompasses all Information Technology and Resources.

    The policy establishes specific requirements for the use of all computing and network resources at the University of Rochester.

    Please review this updated policy to understand what you can and cannot do when using University of Rochester computing resources.


  14. The Case of the Cyber Criminal

    What type of free software may include spyware?

    Do you know the answer? Test your knowledge by playing The Case of the Cyber Criminal from OnGuard Online. Here you can test your cyber smarts with any of the interactive quizzes on everything from spam and spyware to phishing and file-sharing.


  15. 12 Scams of Christmas 2011

    ‘Tis the season for consumers to spend more time online - shopping for gifts, looking for great holiday deals on new digital gadgets, e-planning family get-togethers and of course, using online or mobile banking to make sure they can afford it all. But before logging on from a PC, Mac, or mobile device, consumers should look out for the “12 Scams of Christmas,” the dozen most dangerous online scams this holiday season, provided by a leading security technology company.

    Things to look out for include:

    1. Mobile Malware
    2. Malicious Mobile Applications
    3. Phony Facebook Promotions and Contests
    4. Scareware, or Fake Antivirus software
    5. Holiday Screensavers
    6. Mac Malware
    7. Holiday Phishing Scams
    8. Online Coupon Scams
    9. Mystery Shopper Scams
    10. Hotel "Wrong Transaction" Malware Emails
    11. "It" Gift Scams
    12. "I'm away from home" Scammers

    Further information about each of these can be found by clicking here.

    How To Protect Yourself

    You can protect yourself from these cybercrimes by following these tips:

    • Only download mobile apps from official app stores, such as iTunes and the Android Market, and read user reviews before downloading them.
    • Be extra vigilant when reviewing and responding to emails.
    • Watch out for too-good-to-be-true offers on social networks (like free airline tickets). Never agree to reveal your personal information just to participate in a promotion.
    • Don’t accept requests on social networks from people you don’t know in real life. Wait to post pictures and comments about your vacation until you’ve already returned home.


  16. Protect Your Data - Seven Practices for Safer Computing

    You are at the center of secURity.

    Click here for a PDF version of this tip that can be used as a poster.

    OnGuardOnline.gov, maintained by The Federal Trade Commission (FTC), provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information. 

    See their 7 Practices For Safer Computing for detailed information about the following practices.   Use these practices to help stay safe with your personal computer use.

    1. Protect your valuable personal information
    2. Know who you are dealing with
    3. Use security software that updates automatically
    4. Learn about the security features of your operating system and Web browser
    5. Protect your passwords
    6. Back up important information
    7. Know what to do in an e-emergency


  17. 12 Scams of Christmas 2012

    The holidays are just around the corner and amid the hustle and bustle many of us will fire up our devices to go online, order gifts, and plan travel. But while we’re getting festive, the cybercriminals are getting ready to take advantage of the influx of your good cheer to spread scams and malware.

    With online holiday shopping expected to grow 12.1% in the US alone this year, to as much as $96 billion, and more people than ever using social media and mobile devices to connect, the cybercriminals have a lot of opportunities to spoil our fun. Using multiple devices provides the bad guys with more ways to access your valuable “digital assets,” such as personal information and files, especially if the devices are under-protected.

    According to a McAfee global study commissioned by MSI International last year, consumers place an average value of $37,438 on the “digital assets” they own across multiple digital devices, yet more than a third lack protection across all of those devices.

    So, as you head online this holiday season, stay on guard and stay aware. Get familiar with the “12 Scams of Christmas” to ensure a safe and happy holiday season:

    1. Social Media Scams
    2. Malicious Mobile Applications
    3. Travel Scams
    4. Holiday Spam/Phishing
    5. The new iPad, iPhone 5, and other hot holiday gift scams
    6. Skype Message Scare
    7. Bogus Gift Cards
    8. Holiday SMiShing
    9. Phony E-tailers
    10. Fake Charities
    11. Dangerous e-cards
    12. Phony classifieds

    Further information about each of these can be found by going to http://blogs.mcafee.com/consumer/12-scams-of-christmas-2012.

    How To Protect Yourself

    You can help protect yourself from these cybercrimes by following these tips:

    • Stay suspicious - be wary of any offer that sounds too good to be true, and always look for telltale signs that an email or website may not be legitimate, such as low resolution images, misspellings, poor grammar, or odd links.
    • Practice safe shopping - Stick to reputable e-commerce sites.  Look for a lock symbol and "https" at the beginning of the web address (as opposed to just "http") to see if the site uses encryption to protect your data.
    • Use strong passwords - Make sure your passwords are at least eight characters long and contain a variety of letters, numbers and characters that don't spell anything.  Avoid using the same password for your important accounts, and never share your passwords with anyone.
    • Be careful when clicking - Don't click on any links in messages from people you don't know.
    • Computer security - Make sure that your computer is kept current with patches and has updated anti-virus software.


  18. Data Privacy - BBB Names Top Ten Scams of 2012

    You are at the center of secURity.

    Our focus continues on Data Privacy this month.

    The Better Business Bureau has named the Top Ten Scams of 2012.   

    Please review the following list, and remember that it is always important to protect your private information. 

    1. Top Overpayment/Fake Check Scam:  Car Ads

    2. Top Emergency Scam:  Grandparents Scam

    3. Top Employment Scam:  Mystery Shopping

    4. Top Advance Fee/Prepayment Scam:  Nonexistent Loans

    5. Top Phishing Scam:  President Obama Will Pay Your Utility Bills

    6. Top Sweepstakes/Lottery Scam:  Jamaican Phone Lottery

    7. Top Identity Theft Scam:  Fake Facebook Tweets

    8. Top Home Improvement Scam:  Sandy "Storm Chasers"

    9. Top Sales/Rental Scam:  Real Stars, Fake Goods

    10. Scam of the Year:  Newtown Charity Scams

    Further information about each of these scams can be found by going to http://www.bbb.org/us/article/better-business-bureau-names-top-ten-scams-of-2012-39388.


  19. Security Tip Highlights

    You are at the center of secURity.

    In case you missed our weekly security tips over the past school year, we wanted to highlight some of the important messages that will help keep you and your information safe.

    Phishing

    The University is experiencing a dramatic increase in targeted phishing and spam attacks.  We created a video, which can be seen from this tip, to provide some important tips regarding phishing.

    http://www.rochester.edu/it/security/securitytipofweek_archive.html#yourself42


    Strong Passwords

    Passwords are the first line of defense for all users.  If someone knows your password, all other security is useless.  Check this tip for some reminders on creating secure passwords, and to access a tool to check your password strength.

    http://www.rochester.edu/it/security/securitytipofweek_archive.html#yourself32


    Anti-virus

    Did you know that anti-virus software is the most important security software that you can have on your computer?  Did you know that it is also provided FREE to all University faculty, staff, and students?  Check this tip for additional information on anti-virus software:

    http://www.rochester.edu/it/security/securitytipofweek_archive.html#computer18

    Keeping Your Computer up to Date

    Keeping your computer updated with the latest patches, including security patches, is important to keeping your computer protected and your information secure.  We provided the following tip that shows some ways to make your computer more attack resistant.

    http://www.rochester.edu/it/security/securitytipofweek_archive.html#computer17

    Further information

    We have been maintaining an archive of all of the security tips that we have been using.  If you would like to review any more of the tips, you can access the archive at:

    http://www.rochester.edu/it/security/securitytipofweek_archive.html


  20. Security Terms Dictionary

    You are at the center of secURity.

    Do you know the difference between "phishing", "vishing" and "smishing"?  Impress your friends with your knowledge of the following information security terms…

    Phishing

    On the Internet, "Phishing" refers to criminal activity that attempts to fraudulently obtain sensitive information via email.

    Vishing

    An attempt by scammers to acquire your personal information via the phone.

    Smishing

    A scam that uses cell phone text messages to lure consumers in.

    Pharming

    A scam where a hacker installs malicious code on a personal computer or server.  This code then redirects clicks you make on a Web site to another, fraudulent Web site without your consent or knowledge.

    Botnet

    A network of private computers infected with malicious software and controlled as a group without the owners' knowledge, e.g., to send spam.

    Malware

    A generic term for a number of different types of malicious code.

    Spam

    Unsolicited bulk messages, especially for advertising and usually delivered via email.

    Worm

    A malware program that replicates itself in order to spread to other computers.

    Drive-by Download

    Software which is downloaded without a person's knowledge or consent.  These are often a computer virus, spyware, or malware.

    Keylogger

    A program used to capture/record key strokes performed on a keyboard.  This is usually done in a manner unknown to the user.  Many times these are installed via malware to capture passwords or to bypass local security measures.

    Spyware

    Software which aids in gathering information about a person or organization without their knowledge and may send this information elsewhere without the user's consent.

    Vulnerability

    A weakness in a computer which allows an attacker to make unauthorized changes.  These include unpatched operating systems, applications, and poor configurations of both.

    If you are looking for more terms, the SANS organization, which is the leading organization in computer security training, has compiled a dictionary of security terms that you can use for reference.  It is located at:  http://www.sans.org/security-resources/glossary-of-terms/.

  21. Identity Protection - Tips for the Summer Traveler

    Many people plan to vacation this summer, and many identity thieves are gearing up to take advantage of this.

    The National Cyber Security Alliance provides some very helpful tips for both before you go as well as while you are away.  These are located on their StaySafeOnline.org web site at http://www.staysafeonline.org/blog/identity-protection-tips-for-the-summer-traveler

    Hopefully these tips will help you and your family have a fun, safe vacation.


  22. Protect Your Computer - Internet Security Risks and Their Fixes

    You are at the center of secURity.

    Click here for a PDF version of this tip that can be used as a poster.

    We all love the internet. It is easy to access and provides us with an infinite amount of information. But the internet wasn’t made with security in mind. There are a lot of things we do that open us and our private information to hackers, scammers and computer viruses. One of the best defenses is to ensure you are running an antivirus software package and keeping it updated.

    Here are 6 internet security risks and what you can do to fix them.

    Risk 1: Leaving your Wi-Fi unprotected

    Wireless internet is great to have at home, especially if you have a laptop. Leaving your wireless network open without a password is like leaving your home's doors and windows open when you're not there. It is easy for a passerby to access your network.

    FIX: Always password protect your wireless router and change the default password on your wireless router when you first set it up.

    Risk 2: Not enabling your firewall

    Firewalls plug the virtual ports in your computer that would otherwise leave it vulnerable to the plethora of malicious programs that may try to access it.

    FIX: All modern operating systems incorporate some form of built-in firewall. Activate your firewall by going into your security settings and turning it on.

    Risk 3: Opening emails from strangers

    Opening email from an unknown source is never ok. Your anti-virus software is only as good as its most recent update.

    FIX: Never open an email from a suspicious sender. If the sender looks legitimate, never download attachments or follow links asking you to change personal information or passwords unless you were expecting them. Update your anti-virus software frequently.

    Risk 4: Downloading torrent files

    Torrents are a popular method of peer to peer file sharing. Copyright infringement is not the only potential issue with torrents; illegal downloads also often come bundled with viruses or malware which can harm your computer. You could have to pay a hefty fee if caught illegally downloading copyrighted files.

    FIX: This one is easy. Don’t use torrent sites to download software, music, or movies. It could save you hundreds of thousands of dollars in the long run.

    Risk 5: Not installing system updates


    Those annoying system update pop-ups remind us there is a new software update available. Software updates keep your computer secure.

    FIX:  Just do it. Update your software frequently.

    Risk 6: Not password protecting your hardware

    We have all heard stories of someone’s laptop or smartphone being stolen. If the device isn't password protected, the thief not only gets your hardware but also has your data.  They may potentially gain access to personal information contained on the device.

    FIX: Require a password to be entered to unlock a device, to wake it up, or turn it on. It may get irritating to type your password every time your screen saver comes on but your information will be safer if your computer is ever stolen.


  23. 12 Scams of Christmas 2013

    The holidays are just around the corner and amid the hustle and bustle many of us will fire up our devices to go online, order gifts, and plan travel. But while we’re getting festive, the cybercriminals are getting ready to take advantage of the influx of your good cheer to spread scams and malware.

    Each year, McAfee has been providing us with their version of the “12 Scams of Christmas” to help ensure a safe and happy holiday season.  This year, they have identified:

    1. Not-So-Merry Mobile Apps
    2. Holiday Mobile SMS Scams
    3. Hot Holiday Gift Scams
    4. Seasonal Travel Scams
    5. Dangerous E-Seasons Greetings
    6. Deceptive Online Games
    7. Shipping Notifications Shams
    8. Bogus Gift Cards
    9. Holiday SMiShing
    10. Fake Charities
    11. Romance Scams
    12. Phony E-Tailers

    Further information about each of these can be found by going to http://www.mcafee.com/us/about/news/2013/q4/20131112-01.aspx

    How To Protect Yourself

    You can help protect yourself from these cybercrimes by following these tips:

    • Review Apps - Review mobile apps before downloading.  You should check the comments section and confirm the app's legitimacy directly with the parties that the software claims are involved.
    • Deals and Steals - If an offer seems too good to be true, it probably is.  Purchase directly from the official retailer rather than from third parties online.
    • Research before Sharing - Banks and credit card companies should never ask you for personal information via text message.  You should always validate before responding.
    • Be Cautious When Traveling - Be sure that all your software is up-to-date, and run a virus scan.

  24. BBB Names Top Ten Scams of 2013

    You are at the center of secURity.

    Our focus continues on Data Privacy this month.

    The Better Business Bureau has named the Top Ten Scams of 2013.   

    Please review the following list, and remember that it is always important to protect your private information. 

    1. Top Overpayment/Fake Check Scam:  Car Ads

    2. Top Emergency Scam:  Grandparents Scam

    3. Top Employment Scam:  Mystery Shopping

    4. Top Advance Fee/Prepayment Scam:  Nonexistent Loans

    5. Top Phishing Scam:  President Obama Will Pay Your Utility Bills

    6. Top Sweepstakes/Lottery Scam:  Jamaican Phone Lottery

    7. Top Identity Theft Scam:  Fake Facebook Tweets

    8. Top Home Improvement Scam:  Sandy "Storm Chasers"

    9. Top Sales/Rental Scam:  Real Stars, Fake Goods

    10. Scam of the Year:  Newtown Charity Scams

    Further information about each of these scams can be found by going to http://www.bbb.org/us/article/better-business-bureau-names-top-ten-scams-of-2012-39388.


  25. Data Privacy - 10 Resolutions For a Safe, Scam-Free New Year


    The Better Business Bureau is offering 10 Resolutions for a safe, scam-free 2014.

    These resolutions are intended to help you fight scammers, prevent identity theft, and save money.   

    The resolutions include:

    1. Always check a business out with the Better Business Bureau before you buy.

    2. Be skeptical of "job offers" that promise easy money.

    3. Always read the fine print - especially with "free" trial offers.

    4. Keep your computer safe.

    5. Never wire money to someone you don't know.

    6. Fight identity theft.

    7. Ask the Better Business Bureau for help.

    8. Create a budget and stick to it.

    9. Fight fake check fraud.

    10. Get everything in writing.

    Further information about each of these resolutions can be found by going to http://newjersey.bbb.org/article/bbb-offers-10-resolutions-for-a-safe-scam-free-new-year-45216.


  26. Security Awareness at the University of Rochester


    Check out our video to see what some of our students have to say about information security at the University of Rochester.


  27. Top 10 Ways to Keep Yourself Secure


    We recommend you use these tips to help keep your information and data safe online:  

    1. Install antivirus software - Install the University's FREE antivirus software, available to all students, faculty, and staff.  Download at www.rochester.edu/antivirus
    2. Keep your computer updated - Keep your computer's software up to date including your anti-spyware.  Further information is available at http://www.rochester.edu/it/security/computer/Computer%20Updates.html
    3. Create strong passwords - Create strong passwords that combine at least eight characters including letters, numbers, and symbols.  Additional information, including a password strength checker, is available at https://www.rochester.edu//it/security/yourself/passwords.html
    4. Log off public computers - When using a public area computer, be sure to completely log off when you are finished using it.
    5. Back up important information - Make backup copies of your important computer data, store them securely, and consider storing extra copies at another location.  Further information about backing up data is available at http://www.rochester.edu/it/security/data/backups.html
    6. Keep personal information safe - Never respond to emails asking you to disclose any personal information.  The University will never email you asking for your personal information including your user ID and password.
    7. Limit social network information - Protect your social networking presence, such as on Facebook, by limiting the disclosed amount of personal identifying information.  Check this page for some additional Do's and Don'ts about social networking http://www.rochester.edu/it/security/yourself/social_networking.html
    8. Download files legally - Avoid peer-to-peer (P2P) networks and remove any file-sharing clients already installed on your system.  Copyright and file-sharing information is available here http://www.rochester.edu/it/security/yourself/file-sharing.html
    9. Lock your computer - When leaving your computer unattended, physically secure it to prevent theft and lock the screen with a password to safeguard data.
    10. Secure your mobile device - Secure your mobile device with a password or PIN.  Set an inactivity timeout and encrypt.  One of our past tips, Mobile Device Security - Best Practices, can be found here http://www.rochester.edu/it/security/securitytipofweek_archive.html#secure-mobile12

    This tip can be printed and used as a poster within your area by clicking here.


Protecting University Data

  1. SSN Registration

    This is a reminder to University Faculty and Staff to continue to register Social Security Numbers (SSN).

    After the June 30, 2009 deadline, a security breach, loss or potential illegal disclosure of Social Security Numbers that have not been registered will result in financial liability for the department(s) responsible for managing the data.

    SSN Registration is an ongoing policy at the University. If changes to a current collection are made, update and register the changes. Be sure to register any new collections.

    It is University Policy that all Social Security Numbers (SSN) are registered using the SSN registration form.

    For more information on the SSN Registration and SSN Policy visit:


  2. Social Security Number and Personal Identifying Information

    In January, 2009, the University adopted a formal policy on the collection, maintenance and distribution of Social Security numbers (SSN) and Personal Identifying Information (PII). The policy specifies how to protect Social Security Number and employee Personal Identifying Information, which includes such things as employee home address and home telephone number, as well as employee SSN.

    • The policy applies to any medium – paper, microfiche, electronic, etc.
    • The first protection step is to reduce the number of places sensitive data is stored. By being thoughtful about what really needs to be retained, and then consolidating storage locations from individual offices to a departmental office or to the University’s Official Repository for that data (see new Data Retention Policy), the risk of exposure can be greatly reduced.
    • Leverage the "Clean and Go Green" initiative as a way to clear out unnecessary collections of SSN and PII.
    • As you dispose of unneeded copies of SSN and PII, you must do so in a manner that makes the data unreadable and unrecoverable.
    • If you decide that you need to retain a particular data collection containing SSN, you must register the collection with a Privacy Officer of the University. This registration is to be completed by June 30, 2009.

    Where can I get help?

    Information concerning the SSN and PII policy is located at http://www.rochester.edu/its/policy/SSN-PII/

    If you still have questions, or would like a University Privacy Officer to attend one of your staff meetings to discuss this topic, please call:

    • University-wide: 273-1804
    • Medical Center specific: 275-7059


  3. Remember to Register your Social Security Number Collections

    It has been two years since the University of Rochester's Social Security Numbers (SSNs) & Personal Identifying Information (PII) policy was approved. It is University Policy that all SSNs are to be registered with a University Information Security Officer using the SSN registration form.

    This is a reminder for all University Faculty and Staff to continue to register any new Social Security Number collections.  If changes have been made to a previously reported collection, update the registration with the changes.   

    For more information on the SSN Registration and SSN Policy, visit the policy website.

  4. Monthly Campaigns - Starting with Regulatory Compliance

    The Information Security teams are working hard to educate faculty, staff, and students about best practices to protect your information.  Over the past 18 months, we have been raising information security awareness by distributing postcards and posters, broadcasting weekly security tips, creating videos, and placing photos on the University home page.  Often, these would cover a different topic each week.

    This month, we are launching a new approach that is designed to focus on a specific topic or theme each month, allowing us to cover each topic in more detail.  There will be an online quiz at the end of most months that will make you eligible for a chance at giveaways.

    You will also start seeing our new logo:

    [Image: Security Logo]

    Monthly Theme

    This month, our theme is Regulatory Compliance

    The first topic that we will cover is Social Security Number protection.

    The University of Rochester's Social Security Numbers (SSNs) & Personal Identifying Information (PII) policy has been in place since January, 2009.  It is University Policy that all SSN collections are to be registered with a University Information Security Officer using the SSN registration form.

    This is a reminder for all University faculty and staff to continue to register any new Social Security Number collections.  If changes have been made to a previously reported collection, update the registration with the changes.    Your departmental Security Liaison should also be checking in with you about your current registrations to see if any updates are needed.

    For more information on the SSN Registration and SSN Policy, visit the policy website.

  5. Regulatory Compliance - Policy website

    You are at the center of secURity.

    Continuing our focus on Regulatory Compliance this month, please take a few minutes to review the Information Technology Policy website at:

    http://www.rochester.edu/it/policy/

    Here, you will find important information concerning privacy, data classification and access restrictions, and enforcement within the IT Policy.

    You will also find links to the Acceptable Use Policy, Credit Card Policy, Mobile Device Standard, Multifunctional Devices and Copiers Policy, Record Retention Policy, and SSN Policy. 

    Be sure to check the Policy website occasionally as this will be the area where any new Information Technology policies will be added.

  6. Data Classification - Legally Restricted Data

    Click here for a version of this tip that can be printed and used as a poster.

    Legally Restricted data is data that needs to be protected by law.  Some examples of Legally Restricted Data include:

    • Protected Health Information (PHI)
    • Social Security Numbers (SSN)
    • Credit/debit card information collected for payment of University goods or services
    • Bank account numbers
    • Personally Identifying Information (PII) - examples include an employee's social security number; home address or telephone number; personal electronic mail address; Internet identification name or password; parent's surname prior to marriage; driver's license number; NYS non-driver identification card number; and account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account

    Some places that you may find Legally Restricted data include:

    • Patient records
    • Grant documents for current, retired, or rejected grants
    • Human subjects records
    • Personal tax forms
    • Federal reporting requirements (Welfare benefits and wage garnishing)
    • I-9 forms
    • Driver's license
    • Personnel file for faculty, staff, and retired staff
    • Appointment letters
    • Performance appraisals (historical ones contain SSN)
    • Records of payroll deductions
    • Salary records
    • Student health information
    • Financial Aid records (SSN)

    To help keep this data safe, please remember to secure paper formats in locked storage.  Encrypt saved content.  Encrypt information that is moved off University systems.

    When disposing of Legally Restricted data, you must make sure that the data is no longer readable or recoverable. 

  7. Data Classification - Confidential Data

    Click here for a version of this tip that can be printed and used as a poster.

    Confidential data is information that can be sensitive or proprietary.  Some examples of Confidential Data include:

    • Large segments of the University budget
    • Unpublished intellectual property such as patent applications, inventions, manuscripts, Department academic files
    • Information the University has agreed to hold confidential under a contract
    • Personnel records
    • Department academic files
    • Student information
    • Records and communications of the Board of Trustees

    How to Keep Confidential Data Safe

    Use University computing resources when working with this data.  Transmit information using University email systems.  Save information on University equipment, preferably network storage instead of your laptop or computer at your desk. Avoid or minimize using personally owned devices to check email or work remotely. Encrypt any saved content. Encrypt content that is moved off University systems. Secure paper formats in locked storage. 

    How to Dispose of Confidential Data

    Data must no longer be readable or recoverable, whether electronic or paper. Remove from all storage locations or destroy the storage locations. Shred paper or use a document destruction service. 

    Basic Safe Data Handling

    • Never share account logins
    • Use University email systems for University business
    • Encrypt devices with passcodes and inactivity time-outs
    • Respect the privacy of others
    • When working from home, maintain personally owned equipment in good working order

    Unsure of the Data Classification?

    Try asking, "What consequences will the University incur if the data in question is exposed?"

    ...if significant legal expenses or lawsuits, the data is probably legally restricted.

    ...if embarrassment, perhaps requiring public apology, then the data is probably confidential.

    ...if regret, then the data is probably internal.

    ...if pride, then the data is probably public!

  8. Data Classification - Internal Data

    Click here for a version of this tip that can be printed and used as a poster.

    Internal data is information that is necessary for people to perform their work at the University, is properly available to others at the University, but is not appropriate to be known by the general public.

    Some places where you can find Internal Data include:

    • Health records pertaining to environmental safety
    • Radiation safety records
    • Asbestos monitoring and training
    • Security and incident reports
    • Accident and incident reports
    • Financial auditing work papers
    • Financial statements - unaudited
    • Department budgets
    • Purchase orders
    • Travel reimbursements
    • Organizational charts with names
    • Job descriptions
    • Search committee records - any staff level
    • Tenure and promotion cases
    • Affirmative action plans
    • Union agreements
    • Grievance files (not considered personnel file)
    • Sexual harassment complaints, investigations, and findings (not considered personnel file)
    • Real estate materials
    • Construction drawings
    • Alumni data
    • Gift records

    Basic Safe Data Handling

    • Never share account logins
    • Use University email systems for University business
    • Encrypt devices with passcodes and inactivity time-outs
    • Respect the privacy of others
    • When working from home, maintain personally owned equipment in good working order

    Unsure of the Data Classification?

    Try asking, "What consequences will the University incur if the data in question is exposed?"

    ...if significant legal expenses or lawsuits, the data is probably legally restricted.

    ...if embarrassment, perhaps requiring public apology, then the data is probably confidential.

    ...if regret, then the data is probably internal.

    ...if pride, then the data is probably public!

  9. SSN Registration Reminder

    The University of Rochester's Social Security Numbers (SSNs) & Personal Identifying Information (PII) policy has been in place since January, 2009.  It is University Policy that all SSN collections are to be registered with a University Information Security Officer using the SSN registration form.

    This is a reminder for all University faculty and staff to continue to register any new Social Security Number collections.  If changes have been made to a previously reported collection, please remember to update the registration with the changes.   

    If you have any questions, please check with your departmental Security Liaison, HIPAA Security Official, or Privacy Officer.

    For more information on the SSN Registration and SSN Policy, visit the policy website.

  10. Protecting University Data - Desktop Encryption

    What is it?

    Full disk encryption protects data on all areas of your computer’s internal hard disk from unauthorized access when the computer is off. Once encrypted, if your desktop or laptop should be stolen or misplaced, the computer’s data will not be accessible without proper login credentials. This protects individuals who may have sensitive information stored on your computer system, and protects the University by ensuring sensitive and confidential data are not released to unauthorized personnel.

    Any laptop or desktop that contains or has ever contained legally restricted information such as Protected Health Information (PHI), Personally Identifiable Information (PII) including SSNs, etc., or other information such as an employee’s home address, phone number, birth date or personal email address must be encrypted.

    If you have more questions, please reference:

    University departments:

    http://www.rochester.edu/it/encryption/faq.html

    Medical Center:

    http://intranet.urmc-sh.rochester.edu/InfoSystems/HelpResources/Security/FullDiskEncryption.asp

    How do I get my computer encrypted?

    Information Systems Division has already deployed Pointsec encryption via policy to all URMC computers.

    As part of a University-wide program to improve data security, University Information Technology has been deploying full disk encryption for designated departments that handle high-risk sensitive data.

    To see if your computer is already encrypted, look at your computer's system tray for the Pointsec icon.

    If your computer needs to be encrypted…

    Windows XP, 2000, 2003, Vista, Windows 7 and Macintosh users

    • University departments - call the IT Center at 275-2000.
    • Medical Center - call the ISD Help Desk at 275-3200

  11. January is Data Privacy Month

    Data Privacy Month  is intended to help raise awareness about keeping private information private. 

    It is your obligation to keep all private information you access from being shared with others.  This includes any information shared in the hallway, over lunch, or through social media.  

    Click here to access a poster that you can print and post within URMC areas.

    Click here and here to access posters that can be posted within University areas.

    StaySafeOnline.org also provides information, with an emphasis on a Data Privacy Day, to empower people to protect their privacy, control their digital footprint, and escalate the protection of privacy and data as everyone's priority.

  12. Protecting University Data - Data Classifications

    Access to information owned by the University is generally consistent with the concept of academic freedom and the open nature of the institution.  However, there are types of information for which access must be restricted and caution in handling and storing the information is necessary.

    Data Classifications

    We classify data as either Legally Restricted, Confidential, Internal University Use Only, or Public Information. 

    For information about each of these classifications, please reference Data Security Classifications At A Glance.

    Policy Website

    You can also reference the Information Technology Policy website at:

    http://www.rochester.edu/it/policy/

    Here, you will find important information concerning privacy, data classification and access restrictions, and enforcement within the IT Policy. 

    You will also find links to the Acceptable Use Policy, Confidentiality Statement, Copyright and File-Sharing, Credit Card Policy, Email Use Policy, Mobile Device Standard, Multifunctional Devices and Copiers Policy, Record Retention Policy, and SSN Policy. 

    Be sure to check the Policy website occasionally as this will be the area where any new Information Technology policies will be added.

  13. Regulatory Compliance - HIPAA

    HIPAA, the Health Insurance Portability and Accountability Act, affects everyone at the University of Rochester.  As a healthcare provider, workforce members at URMC and Affiliates have regulatory responsibility to comply with HIPAA and maintain the privacy of patients’ protected health information (PHI).  However, all UR faculty, staff, students and volunteers are patients themselves at some point, either here at URMC or elsewhere, and are therefore affected by HIPAA.  HIPAA is a good example of how the privacy of patient information intersects with IT security.  In fact, HIPAA Security regulations, with their IT focus, were enacted to ensure compliance with the HIPAA Privacy Rule.

    IT security controls are required to maintain not only the confidentiality but also the integrity and availability of PHI in the following ways:

    • Confidentiality—requires role-based access which permits users to have only the access they need to perform their job (HIPAA Privacy Rule requires adherence to a minimum necessary standard).  Strong passwords, session inactivity time outs, privacy and security training, proper user access templates, encryption of PHI whether in transit or at rest, appropriate physical security of data centers, servers, etc. are all required to maintain the confidentiality of PHI.  Users may only access PHI when they have a clinical or business need to do so.  Users who are not in compliance with HIPAA will be subject to sanctions as required by these federal regulations.
    • Integrity—physicians and others caring for patients must have confidence that the data on which they base medical decisions is accurate and cannot be manipulated, deleted or tampered with by those who could potentially cause damage to a system.  Proper controls on access provisioning and on access to systems are important to maintain the integrity of PHI.
    • Availability—in order to be sure that systems containing protected health information are available as needed, business continuity plans, back up of systems, data recovery, emergency preparedness, business impact analysis, etc. are all necessary components.

    With the launch of the eRecord system at Strong Memorial and Highland Hospitals, all users, as well as the Medical Center’s Information Systems staff, must be vigilant in their roles to maintain the confidentiality, availability and integrity of the medical information of over one million patients.

    For more information on HIPAA, see the URMC intranet site at:  http://intranet.urmc-sh.rochester.edu/policy/HIPAA/
