Security Basics: 101

Protecting your passphrases and passwords is fundamental to protecting your online information and accounts.  This is especially true of your CalNet credentials, which provide access to a wide array of online services for students, faculty, and staff.

Learn about the risks of stolen account credentials, how credentials are commonly stolen, and what you can do to protect your account information:

• Protecting your credentials
• Free LastPass Premium account(link is external)

Phishing scams are getting increasingly more sophisticated and harder to detect, especially with the introduction of AI-assisted phishing. A successful phish can give cyber-criminals access to your personal information and accounts, as well as sensitive campus data.

Following are resources for identifying and avoiding social engineering scams, like "phishing" messages:

• The Security website Phishing Resources section, including Anti-Phishing Tips
• Phishing FAQs
• The Phish Tank - recent real-world examples of phishing messages received on campus

As a student, faculty, or staff member, you may at some point receive a security notice from the Information Security Office (ISO).  Security notifications are sent via email and are generated by security tools that search the campus network for systems compromised by hackers and computing devices with known security weaknesses.  Outside reports of security problems may also initiate notifications.

The most common security notifications tend to be related to one of the following issues:

• A known vulnerability has been detected on your device (e.g., the device is running an unsupported operating system)
• The device has been potentially compromised (e.g., the device has been infected with malware)
• Your CalNet credentials have been exposed and must be reset

What should I do?

Read the notification message carefully. Follow instructions for resetting your CalNet passphrase immediately, if required.  Follow these steps if there is any indication that the system has been compromised:

• Remove the computer from the network (e.g., turn off wifi and unplug your ethernet cable) to prevent the malware from spreading
• Contact your IT service provider to assist with removing the malware and cleaning the system

• Respond to the ISO security notification to let us know when the issue has been resolved

If there is a legitimate explanation for the issue detected, and you believe the alert is a "false-positive", please reply to the notice and let us know.

For more detailed information, visit the Respond to a Security Notice page or contact ISO by sending an email to security@berkeley.edu(link sends e-mail).

Out of date software, applications, and operating systems can have vulnerabilities, or "holes" that let attackers in.  Keeping your devices patched and up to date is one of the most important things you can do to defend against cyber attacks.

Why Patch?

New vulnerabilities in operating system and application software are discovered every day. By not applying patches and updates, you might be leaving the door open for attackers to exploit these vulnerabilities. That can lead to the exposure of your personal information (e.g., CalNet ID, credit card info, etc.) or sensitive campus data.

Vulnerabilities in web browsers, for example, can allow malicious websites to infect or compromise your device with little or no action on your part other than clicking a link.

How to Patch

Most university-owned computers can be enrolled in the campus Berkeley Desktop(link is external) service, which automatically keeps your operating system and most software up to date. 

For students and employees who personally manage their computers, or who use personal computers or mobile devices, the following is a list of security patching resources.

Information resources for keeping your computer operating system up to date:

What is "Malware"?

Malware is short for "malicious software" and describes programs designed to disrupt computer operations, gather sensitive information, or gain unauthorized access to a system. The impact of malware can range from minor system performance issues to deletion or encryption of data to full, remote control access by an attacker.

Anti-malware

Anti-malware software is designed to detect and block malicious software on individual computers and is an important layer of protection for systems connected to the Internet or to each other.  

Here are some tips for using anti-malware programs:

• Most modern computers include anti-malware software that runs and is updated automatically. 
  • On a Windows computer, select the Windows Security app and confirm it is it running.
• If you're using separate anti-malware software:
  • Ensure that the anti-malware software receives regular signature updates. These updates contain information about new viruses and are often delivered multiple times a week.
  • In order to detect malware before it is able to infect a system, enable real-time scanning. Real-time scanning will analyze files and programs as they are copied to a system in order to prevent the user from unknowingly becoming infected.

Considering how much we rely on our mobile devices, and how susceptible they are to attack, you'll want to make sure your smartphone is protected:

• Visit the "Top 10" guide for secure computing to find general tips for using mobile devices safely.
• Following are some helpful links to instructions for securing your Apple iOS device:

• Apple provides detailed iOS security configuration guides, including steps for iOS hardening, for each of the currently supported versions of the operating system:  Product security certifications, validations, and guidance for iOS(link is external)
• Google also provides detailed information concerning security settings for Android devices.(link is external)

Here are a few more important smartphone security tips to keep in mind:

• Do not modify your smartphone's security settings - jailbreaking or rooting your phone undermines the built-in security features
• Only install apps from trusted sources
• Understand app permissions before accepting them - be cautious about granting apps access to personal information, your location, etc.
• Accept updates and patches to your smartphone's software. If possible, set your phone to auto-update all apps. 
• Be smart on open Wi-Fi networks - your phone can be an easy target for cyber-criminals on a public Wi-Fi network. Wait until you're on a trusted network to do anything that should remain private.

Data Classification

Understanding the classification level for the campus data you handle is fundamental to knowing what security protections are required by university policy.  (Campus data is information relating to university activities or operations. It does not include an individual's personal information).

Data classification is determined by the potential adverse business impact to the campus due to the unauthorized exposure of sensitive information or loss of availability of data or IT resources. 

Business Impact

Considerations for evaluating adverse business impact to the campus include the following:

• Loss of critical campus operations
• Harm to individuals
• Negative financial impact
• Damage to the reputation of the campus or department
• Potential for regulatory or legal action
• Violation of campus mission, policy, or principles

Protection Levels

Protection Level indicates the impact to campus of loss of confidentiality or integrity due to unauthorized use, access, disclosure, modification, loss or deletion. The level of impact is designated by four (4) "Protection Level" classifications:

• P1 - Minimal impact
• P2 - Low impact
• P3 - Moderate impact
• P4 - High impact

Availability Levels

Availability Level indicates the impact to campus of loss of availability of data or an IT system/service. Like Protection Level, the level of impact is designated by four (4) "Availability Level" classifications:

• A1 - Minimal impact
• A2 - Low impact
• A3 - Moderate impact
• A4 - High impact

Classification Details and Examples

The full UC Berkeley Data and IT Resource Classification Standard contains the details and examples for each classification level, and is also an important reference guide for anyone responsible for campus data protection. 

Protection Profile Requirements

Data classifications align with security controls that are required for each protection level.  The "protection profile" is also determined by the type of device and its use, as well as the protection level.

These security control requirements are found in the UC Berkeley Minimum Security Standard for Electronic Information (MSSEI), an important reference guide for IT support personnel and staff who are responsible for the handling of protected campus data.

For more information

The Data and IT Resource Classification Guideline provides further guidance for interpreting the Data and IT Resource Classification Standard.

Minimum Security Standard for Electronic Information

The UC Berkeley Minimum Security Standards for Electronic Information (MSSEI) is the campus policy that determines the level of care required for protecting campus data and systems. The MSSEI is aligned with the UCB Data and IT Resource Classification Standard in that it defines required security protections for each classification level. 

IT Resource Types

The type of computing device, together with the classification (Protection and Availability Level) of the data that is processed or stored on the device, determines the set of security requirements for the system.

There are three (3) IT Resource categories:

Individual Device - Generally refers to workstations, laptops, tablets, smartphones, and other electronic devices and equipment that are under the control of a specific individual and not accessible to others.

By default, employee workstations (including laptops, tablets and smartphones) issued by the university are categorized as Individual P3 devices.

IT Infrastructure - Servers-type systems, bastion hosts, back-up and storage systems, network appliances, life safety systems, cloud infrastructure, etc.

IT Service - Software or a program that is network accessible. Examples include web, database, cloud-based, and mobile applications.

Baseline Protection Profiles

The MSSEI defines "baseline protection profiles" that determine system security requirements.  Each baseline protection profile is a minimum set of required security controls that correspond to the Protection and Availability Level classification and the IT Resource type.

MSSEI Control Requirements

The MSSEI comprises 50 requirements in 15 categories. The standards are derived from UC Policy and industry-accepted best practices for cyber defense, such as UC's Electronic Information Security Policy (IS-3)(link is external) and the CIS Critical Security Controls(link is external).  The requirements range from physical security, secure device configuration, vulnerability scanning, account monitoring and management, security training, and much, much more.

Campus units are responsible for ensuring that the security requirements for the systems and devices used for handling campus protected data within the unit meet MSSEI requirements.  This can be accomplished by the following practices:

• Develop an MSSEI system security plan that details how control requirements are implemented.
• Gather feedback and recommendations for meeting control requirements by engaging the MSSEI Assessment Service with the Information Security Office (for UC P4 systems only).
• Notify service providers (both internal campus Service Providers and Procurement when contracting with 3rd-party vendors) of the protection level assigned to the data and systems that they support, so that they clearly understand the MSSEI security requirements.

For more information

Contact the Information Security Office for assistance with the MSSEI: iso@berkeley.edu(link sends e-mail)

An important requirement in the MSSEI is "4.1 Removal of non-required protected data(link is external)" and it applies to all data classified at P2 and above that is no longer required for University business purposes. The logic here is simple: By deleting sensitive data that is no longer needed, we reduce the risk of that data being inadvertently exposed or compromised.

Requirement 4.1 specifies an annual review of stored data to identify and securely remove or destroy protected data that is no longer required for business purposes.  A more frequent review process that removes data as it is no longer needed is preferable, if possible.

Secure Deletion Tools

Dragging files to the desktop Trash, and then "emptying" the Trash, does not actually delete the data stored on the disk. The markers that point to the location of the file on the disk drive are removed, but the data is still there until it is over-written by new data.  Because of this, special care is required for decommissioning disk devices that store sensitive data, and for deleting sensitive files from a workstation or mobile device. 

Specialized secure deletion tools are needed for this purpose - the Secure Deletion Guideline provides recommendations for disk and file deletion tools. There is also a UC Institutional Information Disposal Standard(link is external) that can help.

What can I do?

UC Berkeley staff members have an obligation to delete or destroy sensitive covered data that they handle when it is no longer needed.  Following are steps for meeting this requirement:

• Identify the sensitive data that you handle by referencing the Data and IT Resource Classification Standard (see "Know what you have" above).
• Determine an appropriate retention period for removing sensitive data (e.g., immediately upon completion of task, weekly, monthly, annually) - check with your manager or supervisor if in doubt, or reach out to the campus Records Management office(link is external).
• Determine the right file deletion tool or process to use for removing the data.
• Schedule time to perform the removal process on an ongoing basis.