Overview

Xavier University is committed to protect the confidentiality, integrity and availability of our information. Information Security is a responsibility that we all share. Security awareness is an integral part in protecting the information assets at Xavier. Please review the following messages in an effort to help protect Xavier’s students, faculty, staff and alumni.

Social Engineering and Phishing

Social engineering is the act of attempting to manipulate an individual to perform certain actions or divulging sensitive information. It is a common technique among attackers and identity thieves to get people to divulge information that should be safeguarded by pretending to be a trusted source, such as Technical Support or a bank employee. It is successfully used because it can be easier to trick someone than to get through technological controls. Attackers have been known to “name drop” important figures in an attempt to intimidate the individual.

Common examples of social engineering include:

  • You receive a fraudulent phishing email that claims to be from your bank. The email includes a link to a phony web site that asks for your online banking ID and password.
  • Telephone phishing: You receive a phone call from a caller who claims to be from Technical Support and   suggests that there is a problem with your computer or user account. They may even ask for your               username and password.
  • The Help Desk receives a call from someone that claims to be in a position of authority and demands that they reset their password.
  • Someone tries to follow you into a building or location that they don’t have access to.

 

Phishing is the act of surreptitiously trying to obtain sensitive information such as user accounts, passwords and credit card information by pretending to be a trusted entity in an electronic communication such as an email.

Characteristics of phishing:

  • The message is designed to invoke a sense of urgency in the recipient.
  • The content often has misspellings and grammatical errors.
  • The message often claims to be from a bank, technical support, social media or other legitimate                 business.
  • The site that is linked to asks for an ID and password.
  • The message asks you to update certain personal information.
  • The message has an unusual “from” address.
  •  The URL that is listed doesn’t match the official URL of the organization.
  •  The message is not personalized.

 

DO:

  • Question unsolicited messages.
  •  Use common sense when opening emails and answering phone calls.
  •  Report suspicious phone calls or emails to the Help Desk.
  • Verify the identity of anyone before providing any information to them.
  • If in doubt about an email or phone call, contact the organization using the phone number that is                provided on the official web site, not the number in the suspicious email.
  • Shred sensitive information instead of put it in the trash.

 

DON’T:

  • Divulge any information over the phone until you have validated their identity.
  • Respond to an unsolicited email.
  • Give your password to anyone.
  • Provide sensitive information without the proper approval.
  • Open attachments or click on links from untrusted senders
  • Open emails from an unknown sender.
  • Click on suspicious links in work or personal emails.

 Xavier University’s Information Technologies division will never call or email you and ask for information such as your password.

 

If you believe that your user account has been compromised, please reset your password by clicking on the following link: https://password.xavier.edu/

Amateurs hack systems. Professionals hack people. Bruce Schneier

 

Protecting Hard Copy Information

You may come into contact with hard copy documents that are sensitive in nature. It is your responsibility to properly protect that information. If you have sensitive hard copies, please remember to:

  • Secure the documents by locking them in a cabinet or drawer when they are not in use.
  • Shred any non-public information when it is no longer needed, unless it cannot be shredded due to            record retention requirements.
  • Don’t leave them where unauthorized people could see them.
  • Obtain the proper approval before removing the information from campus.
 If you are unsure if something should be shredded or secured, it is better to err on the side of safety.
 

Your account and password

Staff, Faculty and Students are issued a network account in order to provide access to network resources such as internet connectivity, the XU portal and various other services. Your user ID and password is unique to you, and should not be shared with anyone. Remember that you can be held accountable for activity that is performed by your account. Please remember to:

  • Never share your ID and password with anyone.
  •  Don’t keep your password written down in an easily accessible place.
  •  Log off or lock your computer before leaving it unattended. (Window button + L for Windows)
  •  If you think your password has been compromised, change it here:                                                           https://password.xavier.edu/QPM/User/Identification/
Try to make your password as complex as you can while still being able to remember it. Some strong password tips include:
  •  Make the password at least 8 characters
  • Avoid dictionary words, sequential numbers and keys such as “12345” or “qwerty”.
  •  Avoid using personal information such as family names, addresses and birthdays.
  • Use unique passwords for different resources. For example, do not use your Xavier password for online    banking or your personal email account.
  • Substitute numbers and special characters for letters.
  • Consider using a passphrase.

 Don’t Click that link!

Never click on a link unless you are sure where it will take you. Attackers often send emails that make you think you will go one place, while in reality they can take you to a malicious site. Some attackers will use a URL shortener to hide the actual destination of a link.

URL shorteners provide a convenient way to shorten a long URL so it can easily be shared, but they do also introduce some risk. For example http://bit.ly/MoneN3 actually is a link to www.badhackersite.com, a fictitious site used for this example.

Always make sure you trust the sender before clicking on a link.

Laptop, Tablet and Smartphone Security

Many people utilize a laptop, tablet or smart phone to as a convenient and portable computing solution. Here are a few tips on keeping your system and the associated information safe.

  • Don’t store sensitive information locally to a mobile device.
  • Don’t perform sensitive transactions while connected to an unknown or untrusted wireless network.
  •  Immediately report a lost or stolen device to the Help Desk.
  •  Lock your device in the trunk if you must leave it in a car.
  • Don’t store your password with your device.
  • Don’t let unauthorized people use a University owned device.
  •  If using your device in a public place, don’t allow bystanders to “shoulder surf” any sensitive information that might be on your screen.
 

Transferring Sensitive Information

At times you may need to transfer information that is sensitive in nature. Normal email is not a secure way to send a file to anyone outside of the University. Instead of just sending an email, ask yourself if the information should be sent by unencrypted email. Xavier University provides a file transfer service via Accellion for large files. To request access, contact the Help Desk at x4357,

Always remember to think twice before clicking “send”.

Information Security Incidents

What constitutes an Information Security incident and what should be reported?

As part of your responsibilities at Xavier, you may have access to sensitive student, health or other university information. It is all of our responsibilities to protect sensitive information at Xavier.

  • Unauthorized use of a system or account
  • Physical theft or loss of a system, electronic or hard copy information
  • Noncompliance with university policies
  • Execution of malicious code
  • Unauthorized attempts to gain access to a system or information
  • Unauthorized system changes
  • Denial of service
  • Unauthorized theft, loss or exposure of information
If you see or hear something that could be considered an Information Security incident, you can report it by calling or emailing the Information Security Administrator. If you wish to remain anonymous, you can report the incident through Ethicspoint, a third party servcies for reporting potential ethical misconduct or breaches of laws, rules, regulations or University policies, may be accessed online or by calling a 855-481-6238 toll free.
 
 

Malware

Malware is a malicious program that causes negative events to occur on a computing device. Examples of malware include viruses, worms, Trojan horses, etc. Malware is spread through multiple means, including visiting an infected web site, email and shared portable media. Malware is more common on Windows based systems, but they have been known to affect Linux, Android and Mac operating systems.

Some signs that a device might be infected with malware include: 
  • A pop up message from Antivirus software indicates that the system is infected.
  • A system crashes
  •  The system is out of memory or acts in an unexpected manner
  •  A Windows Update(s) that repeatedly attempts to apply and fails
If you think your system is infected:

  • Stop what you are doing and call the Help Desk at x4357.
  •  Do not click on any pop ups or follow any instructional prompts. 
Tips to help keep from getting infected: 
  • Be cautious when surfing the internet.
  • Don’t share your computing device with anyone.
  • Don’t open email attachments or links from unknown senders.
  • Only run authorized software.
  • Make sure you run current Antivirus software
  • Never disable or uninstall your antivirus software. 

Social networking security

Social and professional networking has become a way of life in recent years. Web sites and apps such as Facebook, LinkedIn and Twitter have created a great way to stay connected and share your life with personal and professional contacts. While there are definite advantages to using social media, it does introduce additional risk considerations. Here are some things to keep in mind when it comes to sharing information and social media:

  • Be careful how much you share on social media. The more information you share the more risk you have for identity theft.
  • Be mindful of the amount of personal or professional information that is available. Social media is a goldmine for attackers that want to carry out a social engineering based attack.
  • Don’t allow your personally identifiable information to be available to anyone.
  •  Don’t accept a person as a friend or contact unless you know who really sent the request. Attackers have been known to set up fake accounts for real people to connect and get information on that person’s friends or contacts.
  • Remember that once you publish pictures on the internet, you will never be able to have full control of those pictures again.
  • Don’t post anything online that could negatively impact Xavier.
  • Phishing attacks are not uncommon on social media. As always, be cautious of what you click on.
  • Social media can help to blur the line between professional relationships and personal relationships.
  •  It is not uncommon for employers to check the social media presence of a prospective candidate as part of their evaluation.

Shredding

As we approach the end of the semester and fiscal year, many of us tend to work on spring cleaning. The end of the year is a great time to de-clutter and dispose of old paper files. Before discarding hard copy information:

  • Consider the sensitivity of the information. If it contains personally identifiable information, student records, patient information or other sensitive information, it needs to be shredded.
  • Don’t print sensitive information without first considering a secure way to dispose of it.
  • Identity thieves have been known to “dumpster dive”, which involves digging through trash to find sensitive information that can be used to steal someone’s identity.