Information Security

Directory
Integrated Information Technology Services (IITS)
Information Security

Protecting Utica University information is the responsibility of all Utica University employees.

Information Security at Utica University is here to help departments and individuals meet or exceed the legal requirements of protecting University information in paper and electronic formats.

Email attachments, bad links, sharing personal information via email. Watch the video below for tips on protecting yourself and University information.

Data Privacy

Email is not a secure method to share files. Use the Utica University file server or Utica University’s instance of Google Drive to share files defined as private and sensitive by the Data Security and Classification Policy. https://www.utica.edu/policies/policies.cfm?id=154

The Utica University instance of Google Drive offers secure storage, but those protections can be easily circumvented if the files are shared with the wrong people. Take extra care when saving and sharing files. When sharing files and folders click the advanced button. Here you can prevent editors from changing access and adding users.

Institutional versions of Box.com are also a secure locations to store files, but personal accounts from box.com, Dropbox, Google, and Apple do not offer the same level of protection and should not be used for Utica University business. If you need assistance sharing files you can contact the Director of Information Security at jfarr@utica.edu or 315 223 2386.

Polices and procedures related to the technological environment at Utica University. Subjects covered include privacy, security and responsible use of information technology resources, and policies that affect computer networks, e-mails, online course management, computer labs, help desk, software, and hardware.

Information Technology Policies

What is Phishing?

Image of fish looking at a hook

Phishing is a type of scam where carefully crafted email messages and websites attempt to trick users into providing their personal information such as username, password, Social Security Number, Bank information or other personal information.

Successful messages often look identical to those used by banks, merchants and colleges. These messages may ask you to reply directly to the message or provide a link to a website created to steal user's information.

What is Spear Phishing?

Spear phishing targets specific user groups, such as Utica University employees, with messages designed to look like official communication from the organization you work or do business with. These messages are especially tricky, but there are still clues to help you avoid these attacks.

Characteristics of Phishing Message:

Asks you to reply with your username and password
Asks you to click on a link that asks you to provide your personal information or automatically downloads malware onto your machine.
Name and Email address don't match
Email address does not match company name

What Can I Do to Prevent Being Caught?

Don't Trust the message. Verify it.
Delete suspicious messages
Be skeptical of messages urging you to take immediate action.
Do not use a number listed in the email message or found by clicking on the link. Verify the information by contacting the sender with a known good phone number. Ex, from the back of a credit card or billing statement.
Never send your username and password via email. (Companies have this information. You do not need to verify it.)
Be skeptical of unexpected email attachments.
Not sure if this is a Phish or not. Contact the Director of Information Security at jfarr@utica.edu

What should I do If I think I May Have Been Caught?

Immediately change your password and any associated recovery questions and answers. Also change all accounts tied to the affected on as the scammer may attempt to recover passwords from other accounts vie email reset.
make sure your software and antivirus are current

Visit the recently reported email scams tab below page for examples and to see if yours made the list.

Additional Resources

10 tips for spotting a phishing email from techrepublic.
Phishing tips from the FTC.
Avoiding Social Engineering and Phishing Attacks US-CERT

Latest Reported Information Security Scams

Below: Phishing Example (scanned image from MX-2600)

Image showing warning signs in a phishing message

How you know this is a Phishing Scam:

This email contains the "password" for the attached document. Never send the password to an attachment in the same message as the attachment. Call the user or send the password via US mail.
The subject line and message do not mention Utica College or the office the attachment was supposedly sent from.
The attachment claims to be a Word Document. Our scanners produce PDF files.

Image showing warning signs in a phishing message

How you know this is a Phishing Scam:

The email was sent to hhhhhhhhhhhhhhhh@mailinator.com and only copied the user. This is not how an actual shared Google Doc would arrive. It would be addressed to the actual user.
Clicking on the link prompted the user to allow the app Google Docs permission to read, send, delete and manage your email and contacts. A Google doc does not need permission to manage your email.

Description of red flags for this phishing message

How you know this is a Phishing Scam:

The grammar is suspect
The message says don't worry how I got your name, but then goes into detail how you are part of an alleged PayPal scam.
The attachment is a .dot file. (not the normal .docx)
The message claims this file is encrypted, but provids the password for the encrypted document. (Why would you send a password to a password protected file in the same message? If someone found the email, they would simply be able to download the attachment and use the supplied password.)

Image showing warning signs in a phishing message

How you know this is a Phishing Scam:

This email did not come from an @utica.edu email address
There are strange characters in the message
If you hover over the CLICK HERE link, you will notice the link goes to a non Utica College website.
We do not have an IT team. We have IITS
All campus messages should contain contact Information.

Image showing warning signs in a phishing message

How you know this is a Phishing Scam:

The email address is from a .hu address. Most likely you are not expecting email from Hungary.
By hovering over the Review transactions link reveals a long address, which is clearly not Paypal.
The end of of the message reveals citromail.hu with some letters that make no English word.

Suspected or Confirmed Breach of Confidential or Restricted Information

The Utica University Data Breach Notification policy states that Any office or individual aware of a potential breach of security containing protected information must immediately report the potential breach of security to the the Information Security Officer, John Oevering at 315-792-3115 or jwoeveri@utica.edu.

We will need:

Name
Direct phone number
Type of Information that may have been compromised
Location of the physical or electronic information.
Description on how you were made aware of the possible or confirmed breach.

If it sounds too good to be true, it probably is. IITS would like to make the campus community aware of some of the common scams and how do protect yourself. Some of these scams, such as the check cashing, have happened recently.

Check Cashing:

Check cashing scams can come in many different ways. Be skeptical of anyone that sends you a check or money order and asks you to deposit the amount and later wire transfer any amount of money back to them or a different person or account. Never wire transfer money to a stranger. Funds from a check may be available in 1-5 days, but that does not mean the check has cleared and that there are funds to back up the check. The check you received, even if it appears to be a cashier’s check, will be counterfeit and you will be personally responsible for the money you wire to them.

Scenario 1. Good Samaritan

You meet someone down on his or her luck and needs some money. They have a check, but have no way to cash the check. They give you a check and ask you to deposit it into your account then go your bank and arrange to transfer money back to them. An online version of this will ask you to wire transfer a certain amount of the check to their account. In person, they could ask you to go to the ATM and withdraw a few hundred dollars to get them buy. They are counting on your good nature to trust them and run off with your money. The check they give you will be counterfeit and you will be out that money.

Scenario 2: Seller/buyer

You are selling an item and the buyer offers to pay you more than the price of the item, but there is a catch. The buyer may indicate that the extra amount was a mistake and ask you to wire transfer back the amount he or she overpaid. The buyer may also claim that the extra amount should be sent to a shipping company who will come and pick up the item for him or her. In either scenario, the check will turn out to be counterfeit and you will be out any money you sent via wire transfer.

Key, never wire money to strangers. If they are legitimate buyers, ask them to send another check for the exact amount and to make arrangements with the shipping company directly. There is a difference between having the funds from the check being available and the check clearing. Ask your financial institution how long it will take the check to clear and do not release the item for sale until it does.

Scenario 3: Avoid taxes and fees:

Beware of a scam involving the transfer for funds to help process contracts and other official looking documents. Once they gain the victim’s trust the scam artist will send checks or wire deposits to the victim, instruct the victim to keep a portion of the funds and send the rest to another account. The need for the middleman may be to avoid taxes or fees, or to help in a political unrest situation.

Helping someone avoid the proper channels is bad for many ethical reasons. Financially, the bank will soon find out the check or wire transfer is fraudulent and remove those funds from your account. You will then be out whatever money you sent.

Employment scams

Scenario 1:

The job posting and check cashing scam involves the posting of what appears to be a very legitimate job opportunity through a reputable web site like a school's job board, monster.com, careerbuilder.com, and so on. The postings appear to be legitimate job openings but after submitting a resume, the applicant is then asked to send checks or money orders to continue the application process.

In some cases, applicants are ‘hired' and then asked to handle a monetary transaction between the employer and a buyer or supplier as a ‘job task'. Completing the transaction involves the applicant sending money from his or her own checking account. The employer will instruct the applicant to expect a package, usually containing a check to deposit into the applicant's account. The applicant is then instructed to wire transfer the money, minus an ‘administrative fee' as their compensation to the employer.

Legitimate employer will not ask an applicant to send money or handle a monetary transaction as part of the application process or to use their personal accounts to conduct company business.

Scenario 2: Fake Jobs

Do you want to work from home? How would you like to be a Mystery shopper?

There are legitimate work from home opportunities, but job sites should not be asking you to pay a fee to work for them. Use well know job sites and never pay a fee to learn more about the opportunity or apply for a job.

Information Security Guides

Guides, Tips, and Training to keep your devices and your information as secure as possible.

Papers and electronic information with confidential information such as driver's license, Social Security Numbers, credit card numbers, academic records, employment records, health records, financial records, etc. must be properly disposed of according to the Records Retention Policy.

Paper:

All confidential documents must be shredded using a cross cut of confetti shredder. If your office does not have a shredder one is located in the Copy Center.

If the project is too large, follow the procedures in the Records Retention Policy to arrange for an outside vendor to assist with the project.

Electronic:

Sending files to the recycle bin or trash on is for for normal files, but these files are easily recoverable for a few days, months or even longer.

Procedures for Macintosh and Windows machines vary based on the programs being used. Contact the Director of Information Security for details on your specific scenarios.

Note:
IITS securely removes files from all machines before disposal. When this is not possible a written agreement is made with a disposal company to ensure the files are securely removed. Information in Banner, Engage, Orbis and other online services are controlled by a central services. Users do not need to do anything special to remove files from these services, however any files on your local computer are still the responsibility of the individual user.

Computers, flash drives, external hard drives, CD/DVD media will all eventually fail. Make sure to have important files in two protected locations.

Secure location: The Utica University file server is a secure location to store your files work files. These locations are backed up regularly, minimizing the amount of data lost in case of an emergency.

Third party providers: Not all vendors provide the same level of security. Use only University approved vendors to store information containing personal, financial, and health information.

Notes:

Users that require more than 500Mb of storage should contact IITS to determine the best secure way to backup your files.
Personal files should not be stored on Utica College equipment or services.

Traveling with your electronic equipment require diligence to protect your equipment and information, but International travel has even more threats to consider.

Open Wi-Fi connections are problematic in the Unites States and internationally. Great care must be taken to protect your identity and information when off the Utica University network. However, some countries pose greater risks to data theft and computer viruses than others.

Low Risk Countries:

Low risk countries still pose a risk.

Consider taking a loaner computer with you and leaving your work and personal devices at home.
Consider getting a phone when you get there. These phones with local sim cards are affordable options available at most major airports and larger hotels. If taking your personal device, make sure you phone will work each country that is part of your itinerary.
Enable remote management of your mobile devices. This feature will allow you to attempt to locate and wipe all information from your phone in the event of loss or theft.
Backup all devices before you leave.
Use a VPN service to access Email, Google drive and other online resources. Controls in these countries vary wildly. VPN service may work, may be intermittent or may not work at all.
Take only the information you need.
Do not use public charging stations. These stations may compromise your device. Use only chargers you bring with you.
Keep valuables close, do not leave them unattended. Even hotel safes are not secure.
When you return, change any passwords used while out of the country.

High Risk Countries:

Visit the U.S. State Department's Alerts and Warnings web page to identify "high risk" countries you plan to visit.

Traveling internationally can pose significant risks to information stored on or accessible through computers, tablets and smartphones. This risk is partially due to an increased opportunities loss or theft of the device. Other countries have increased likelihood of networks that may monitor and capture information stored on your devices or used over an Internet connection.

The U.S. government prohibits traveling with encrypted devices to countries that are considered to support terrorism, namely Cuba, Iran, North Korea, Sudan and Syria. Do not bring encrypted devices to these countries.

Additionally, encryption is controlled or restricted in many countries. Some countries ban, or severely regulate, the import, export or use of this technology as it is treated the same as munitions or weapons. Taking your laptop with encryption software to certain countries could lead to your imprisonment or cause your laptop to be confiscated. Use loaner equipment when going to these countries. (Note: This is a partial list): Burma, Belarus, China, Hungary, Iran, Israel (personal-use exemption), Morocco, Russia, Saudi Arabia, Tunisia, Ukraine.

If you visit high risk countries there is a good likelihood that your device will be penetrated. Leave it behind and all sensitive, confidential, or private data.

We strongly recommend that you leave your current devices at home or on campus and travel with a Utica University loaner machine. Your office and home computers may not be encrypted. Even encrypted machines are vulnerable. Leave your work and personal devices at home.
Take only the information you need.
Use a VPN service to access Email, Google drive and other online resources. Controls in these countries vary wildly. VPN service may work, may be intermittent or may not work at all. Arranging a backup VPN service is recommended.
Leave your personal phone behind, even if you have an international plan.
Get a phone when you get there. These phones with local sim cards are affordable options available at most major airports and larger hotels.
Do not use public charging stations. These stations may compromise your device. Use only chargers you bring with you.
Keep valuables close, do not leave them unattended. Even hotel safes are not secure.
When you return, change any passwords used while out of the country.

What Will You do if it Happens to You?

Have a plan

Have your data backed.
Arrange for your loaner device in advance
Know what phone you will be using when you get to your destination
Do a factory reset on each device upon arriving back in the United States.

Utica University offers Information Security Training sessions throughout the year. There are in person or online offerings. Check the HR Training and Events page forthe latest offerings.

HR Training and Events

IT Training

Physical Security

Keep track of your phone, table, laptop and other mobile devices. Do not leave your mobile device unattended. It does not take long for someone to grab an unattended device.

Protect your Data

Password protect your device with a strong password.

Without a password your machine is unprotected and can be compromised by anyone with access to your device. A weak password like, Fluffy, Password1, QWERTY, or 1234 will be quickly guessed, allowing access to your device. Follow the advice on our website password.utica.edu. A strong password should be at least 8 characters, with a mixture of upper and lower case letters and number. Password cracking programs are on to our tricks. Simply replacing characters, like $ for the letter s, the number 0 for a letter o, or using the number 3 for the letter E are well known and can be easily defeated. You can take a phrase such as This year I will lose 10 pounds. convert that into TyIwl10#. Strong Passphrases can be less complex, but should be at least 14 characters long. Take a song title and shorten it. Wake Me Up Before you Go Go turns into WaMeupbeyogogo. WaMeupbeyogogo is not a good password, because it is published on this webpage. Come up with your own phrase.

Update your Software and Operating System Software

Many security incidents can be prevented by making sure your software on phones, tablets, and computers, is current.

Install current versions of Antivirus and Antimalware software.

Windows, Android, and Mac machines are vulnerable to viruses and malware.
Watch out for trial versions and software that is out of date and don’t let your protection expire. There are many free and paid products available.

Use a Firewall

Firewall software can help protect your computer against someone attacking your computer remotely. Remote attackers can use your device just as if they were sitting in front of the device. This allows the attacker to message your friend, steal your information, or erase everything on your device and on the cloud.

Be Careful on Public Wi-Fi

Open Wi-Fi networks are designed for ease of use, not security. Use these networks for casual browsing, but not for logging into personal accounts or making online purchases. Consider using a virtual private network (VPN) or a personal/mobile hotspot if you need a more secure connection on the go.

Be Careful Internet Café and Hotel Guest Machines

These machines are used my many people each day and often are not adequately protected. These devices have a higher likely hood of being infected with viruses, worms, key loggers or other malware. These devices may be good for looking up the weather, but do not log into any accounts or make any purchases on them. Make sure to clear your Internet history and completely log off the computer when done.

Encrypt Sensitive Data

First, don’t store sensitive data unless you need to. If it’s not there, nobody can steal it. Encryption helps protect data in the event your device is stolen. However, if you have an easily guessed password the thief can easily unlock the protection and access your encrypted files. Do not forget your encryption password or you may lose everything you are trying to protect.

Phishing

Don’t get caught off guard. Utica University will never email you asking for your personal information. Don’t send private information via email and be careful what links you click on.

Setting up a new device

When it’s time to get rid of your device

OnGuardOnline.gov: Tips to help you stay safe and secure online.
Federal Trade Commission: FTC tips for computer security.
StaySafeOnline.org: Promoter of Data Privacy day and many other initiatives to learn the basics on how to better secure their home computer from cyber threats.
Educause Higher Education Cyber Security Resources: Links to IT Security resources that have been created by colleges and universities.
SANS newsletters and tips-of-the-day: Monthly cyber security newsletter and tips-of-the-day from SANS

Contact Us

General IITS User Services Support

Monday through Friday, 8 a.m. - 5 p.m.

(315) 792-3115

helpdesk@utica.edu