Security Basics: 101

The basics of campus information security boil down to three concerns: Protecting Yourself, Protecting Devices, and Protecting Data.

Protecting Yourself

Protect your personal information by following guidelines for managing passwords, learning how to avoid phishing scams, and by remembering secure computing practices at all times.

Protecting your password

Protecting your passphrases and passwords is fundamental to protecting your online information and accounts.  This is especially true of your CalNet credentials, which provide access to a wide array of online services for students, faculty, and staff.

Learn about the risks of stolen account credentials, how credentials are commonly stolen, and what you can do to protect your account information:

Protecting yourself from Phishing scams

Phishing scams are becoming increasingly sophisticated and harder to detect, especially with the introduction of AI-assisted phishing. A successful phish can give cyber-criminals a backdoor into your accounts, putting your personal information at risk, as well as sensitive campus data.

Following are resources for identifying and avoiding social engineering scams, like "phishing" messages:

Responding to security notifications

As a student, faculty, or staff member, you may at some point receive a security notice from the Information Security Office (ISO).  Security notifications are sent via email and are generated by security tools that search the campus network for systems compromised by hackers and computing devices with known security weaknesses.  Outside reports of security problems may also initiate notifications.

If you receive a security notification, it will likely be related to one of the following issues:

  • A known vulnerability has been detected on your device (e.g., the device is running an unsupported operating system)
  • The device has been potentially compromised (e.g., the device has been infected with malware)
  • Your CalNet credentials have been exposed and must be reset

What should I do?

Read the notification message carefully and follow instructions for resetting your CalNet passphrase immediately, if required.  Follow these steps if there is any indication that the system has been compromised:

  • Remove the computer from the network (e.g., turn off Wi-Fi and unplug your Ethernet cable) to prevent the malware from spreading
  • Contact your IT service provider to assist with removing the malware and cleaning the system:

                    IT Service Provider                                Phone                      Email
    Students        Student Technology Services                        510-642-HELP (4357)        sts-help@berkeley.edu
                    (https://studenttech.berkeley.edu/techresources)
    Faculty/Staff   IT Client Services (ITCS)                          (510) 664-9000, option 1   itcshelp@berkeley.edu

  • Respond to the ISO security notification to let us know the issue has been resolved

If there is a legitimate explanation for the issue detected, and you believe the alert is a false positive, please reply to the notice and let us know.

For more detailed information, visit the Respond to a Security Notice page or contact ISO by sending an email to security@berkeley.edu.

Protecting Devices

Keep desktop computers, laptops, smartphones, and tablets protected with the latest operating system (OS) and application security patches, up-to-date anti-malware programs, and by learning to use mobile devices securely.

Software Patching

Out-of-date software, applications, and operating systems can have vulnerabilities, or "holes," that let attackers in.  Keeping your devices patched and up to date is one of the most important things you can do to defend against cyber attacks.

Why Patch?

New vulnerabilities in operating system and application software are discovered every day. By not applying patches and updates, you might be leaving the door open for attackers to exploit these vulnerabilities. That can lead to the exposure of your personal information (e.g., CalNet ID, credit card info, etc.) or sensitive campus data.

Vulnerabilities in web browsers, for example, can allow malicious websites to infect or compromise your device with little or no action on your part other than clicking a link.

How to Patch

Most university-owned computers can be enrolled in the campus Berkeley Desktop service, which automatically keeps your operating system and most software up to date. 

For students and employees who manage their own computers, or who use personal computers or mobile devices, the following is a list of security patch resources.

Information resources for keeping your computer operating system up to date:

Microsoft Windows

Learn how to keep your PC current with automatic updates (includes instructions for supported versions of Windows O/S):

Windows Update: FAQ

Note:  If your PC is connected to a network where updates are managed by Group Policy, you might be unable to change settings related to Windows Update.  Contact your IT support staff for more information.

Apple MacOS

Some critical security updates for your Mac are released as automatic updates.  Your Mac checks for these updates daily, and when an automatic security update is available, it installs automatically and displays a notification.

The notification reads: "Security Update Installed. A new security update was installed on your Mac."

Make sure the following options are selected in Settings > General > Software Update:

  • Turn all options for "Automatic Updates" ON.

For manually updating your Mac software, follow these instructions:

Update the software on your Mac

Apple iOS

Learn how to update your Apple mobile device to the latest version of iOS - wirelessly or using iTunes:

Update the iOS software on your iPhone, iPad, or iPod Touch

Google Android

Information about Android O/S updates for various device manufacturers:

Check and update your Android version

Anti-Malware

What is "Malware"?

Malware is short for "malicious software" and describes programs designed to disrupt computer operations, gather sensitive information, or gain unauthorized access to a system. The impact of malware can range from minor system performance issues, to deletion or encryption of data, to full remote-control access by an attacker.

Anti-malware

Anti-malware software is designed to detect and block malicious software on individual computers and is an important layer of protection for systems connected to the Internet or to each other.  

Here are some tips for using anti-malware programs:

  • Most modern computers include anti-malware software that runs and is updated automatically. 
    • On a Windows computer, open the Windows Security app and confirm that protection is running.
  • If you're using separate anti-malware software:
    • Ensure that the anti-malware software receives regular signature updates.  These updates contain information about new viruses and are often delivered multiple times a week.
    • To detect malware before it is able to infect a system, enable real-time scanning. Real-time scanning analyzes files and programs as they are copied to a system, preventing the user from unknowingly becoming infected.
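A way to check both points on a Windows computer that uses the built-in Microsoft Defender, as an added example that is not part of the ISO page or its guidelines; it assumes the Defender PowerShell module is available and treats signatures older than three days as stale (an assumed threshold):

```powershell
# Added example (not from the ISO page): verify the anti-malware tips above on a
# Windows workstation running Microsoft Defender. Assumes the Defender PowerShell
# module (Get-MpComputerStatus, Update-MpSignature) is present, as it is on
# supported Windows builds.
$maxSignatureAgeDays = 3   # assumed threshold: updates arrive several times a week

$status   = Get-MpComputerStatus
$problems = @()

# Is the engine running, and is real-time scanning enabled?
if (-not $status.AMServiceEnabled)          { $problems += 'Defender service is not running' }
if (-not $status.AntivirusEnabled)          { $problems += 'Antivirus protection is disabled' }
if (-not $status.RealTimeProtectionEnabled) { $problems += 'Real-time scanning is OFF' }

# Are the signatures fresh? AntivirusSignatureLastUpdated is a DateTime.
$signatureAge   = (Get-Date) - $status.AntivirusSignatureLastUpdated
$signaturesOld  = $signatureAge.TotalDays -gt $maxSignatureAgeDays
if ($signaturesOld) {
    $problems += ('Signatures are {0:N1} days old (last update {1})' -f $signatureAge.TotalDays, $status.AntivirusSignatureLastUpdated)
}

if ($problems.Count -eq 0) {
    Write-Output ('OK: real-time protection on, signatures updated {0}' -f $status.AntivirusSignatureLastUpdated)
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    # Stale signatures can be refreshed on the spot. A disabled engine or disabled
    # real-time scanning is fixed in the Windows Security app, or by your IT support
    # staff if the settings are managed by Group Policy.
    if ($signaturesOld) {
        Update-MpSignature
    }
}
```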

Mobile Computing

Considering how much we rely on our mobile devices, and how susceptible they are to attack, you'll want to make sure your smartphone is protected:

  • Visit the "Top 10" guide for secure computing to find general tips for using mobile devices safely.
  • Following are some helpful links to instructions for securing your Apple iOS device:
    • Set PINs and passwords: Use a passcode with your iPhone, iPad, or iPod Touch
    • Back up and secure your data: iCloud storage and backup overview
    • Use Find My iPhone to locate a lost device and Activation Lock to prevent anyone from using the device if lost or stolen: Find My iPhone, iPad, and Mac
    • Learn how to wipe data from your old phone before you dispose of it: Erase all content and settings on your iPhone, iPad, iPod touch, or Apple Watch

Here are a few more important smartphone security tips to keep in mind:

  • Do not modify your smartphone's security settings - jailbreaking or rooting your phone undermines the built-in security features
  • Only install apps from trusted sources
  • Understand app permissions before accepting them - be cautious about granting apps access to personal information, your location, etc.
  • Accept updates and patches to your smartphone's software. If possible, set your phone to auto-update all apps. 
  • Be smart on open Wi-Fi networks - your phone can be an easy target for cyber-criminals on a public Wi-Fi network.

Protecting Data

For faculty and staff, the most basic level of information security is knowing what kind of data you handle and what security protections campus policy requires for that data.

Know what you have

Data Classification

Understanding the classification level of the campus data you handle is fundamental to knowing what security protections university policy requires.  (Campus data is information relating to university activities or operations.  It does not include an individual's personal information.)

Data classification is determined by the potential adverse business impact to the campus from the unauthorized exposure of restricted information or the loss of availability of data or IT resources.

Business Impact

Considerations for evaluating adverse business impact to the campus include the following:

  • Loss of critical campus operations
  • Harm to individuals
  • Negative financial impact
  • Damage to the reputation of the campus
  • Potential for regulatory or legal action
  • Violation of campus mission, policy, or principles

Protection Levels

The level of impact to the campus is designated by four (4) "Protection Level" classifications:

  • P1 indicates "minimal" impact and is information intended for public access, such as public directory information, public websites, course listings, and prerequisites.
  • P2 is assigned to data with a "low" adverse impact to the campus.  This level includes student records, staff and academic personnel records, licensed software, and paid electronic subscription resources.
  • P3 data has a "moderate" adverse impact to campus business and includes information such as FERPA-protected student records, staff and academic personnel records, certain types of research data, and most personally identifying information that isn't specifically classified as P2 or P4.
  • P4 pertains to information and IT resources requiring the highest level of confidentiality or integrity, including Notice-Triggering data and "Shared-Fate" data and systems (e.g., enterprise credential stores, backup data systems, and central system management consoles).  Exposure of P4 data is deemed to have a "high" adverse impact. A few examples of "notice-triggering data" include:
    • Social security number (SSN)
    • Driver's license number
    • Financial account or credit card numbers
    • Personal medical information
    • Personal health insurance information

Protection Profile Requirements

Data classifications align with security controls that are required for each protection level.  The "protection profile" is also determined by the type of device and its use, as well as the protection level.

These security control requirements are found in the UC Berkeley Minimum Security Standard for Electronic Information (MSSEI), an important reference guide for IT support personnel and staff who are responsible for the handling of protected campus data.

For more information

The full UC Berkeley Data and IT Resource Classification Standard contains the details governing the classification of campus data and is also an important reference guide for anyone responsible for campus data protection. The Data Classification Guideline provides further guidance for interpreting the Data Classification Standard.

Know what you need to do

Minimum Security Standard for Electronic Information

The UC Berkeley Minimum Security Standards for Electronic Information (MSSEI) is the campus policy that determines the level of care required for protecting classified data.  The MSSEI is aligned with the UCB Data Classification Standard for defining the various levels of protection and the corresponding security control requirements.

Device/Use Categories

The purpose or "use" of a computing device, together with the classification or "protection level" of the data that is processed or stored on the device, determines the set of security control requirements for the system.

There are three (3) Device/Use categories:

Institutional Device - Servers that store, process or transmit sensitive data (e.g., database servers, application servers, web front-end servers, backup and storage systems, etc.).

Privileged Access Device - Any device where credentials are used to provide privileged access (e.g., superuser or administrator) to an institutional device that is utilized for protected data.

Individual Device - Devices that process, store or transmit protected data that cannot be classified as either institutional or privileged access.

By default, all employee workstations (including laptops, tablets and smartphones) issued by the university are categorized, at a minimum, as Individual UC P2/P3 devices.

Baseline Data Protection Profiles

The MSSEI defines the baseline data protection profiles that determine system security control requirements.  Each baseline profile is a minimum set of required security controls that correspond to the data classification protection level, the type of device, and the purpose or use of the device.

A list of the control requirements for each profile can be found in the following PDF diagram:  Protection Profile Matrix by role

MSSEI Control Requirements

The MSSEI policy comprises 34 requirements in 17 categories.  The policy is derived from industry-accepted best practices for cyber defense, such as the SANS 20 Critical Security Controls.  The requirements cover physical security, secure device configuration, vulnerability scanning, account monitoring and management, security training, and much more.

Campus units are responsible for ensuring that the security requirements for the systems and devices used for handling campus protected data within the unit meet MSSEI requirements.  This can be accomplished by the following practices:

  • Develop an MSSEI self-assessment plan that details how control requirements are implemented.
  • Gather feedback and recommendations for meeting control requirements by engaging the MSSEI Assessment Service with the Information Security Office (for UC P4 systems only).
  • Notify service providers (both internal campus resources and 3rd-party vendors) of the protection level assigned to the data and systems that they support, so that they clearly understand the MSSEI security requirements.

For more information

The MSSEI Baseline Data Protection Profile Summary provides links to each of the control requirements, including basic information and some examples.  Separate guidelines are available for each of the control requirements, containing more detailed information and suggested recommendations.

Delete what you don't need

An important requirement in the MSSEI is "4.1 Removal of non-required protected data" and it applies to all data classified at P2 and above that is no longer required for University purposes. The logic here is simple:  By deleting sensitive data that is no longer needed, we reduce the risk of that data being inadvertently exposed or compromised.

Requirement 4.1 specifies an annual review of stored data to identify and securely remove or destroy protected data that is no longer required for business purposes.  A more frequent review process that removes data as it is no longer needed is preferable, if possible.

Secure Deletion Tools

Dragging files to the desktop Trash, and then "emptying" the Trash, does not actually delete the data stored on the disk.  Only the file system markers that point to the file's location on the disk are removed; the data itself remains there until it is overwritten by new data.  Because of this, special care is required when decommissioning disk devices that store sensitive data, and when deleting sensitive files from a workstation or mobile device.

Specialized secure deletion tools are needed for this purpose - the Secure Deletion Guideline provides recommendations for disk and file deletion tools.
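To illustrate the difference between unlinking a file and overwriting it, here is an added example (not from the ISO page or the Secure Deletion Guideline) of a file-level overwrite-then-delete function in PowerShell. It is a workstation illustration only, and the function name, its `$Passes` parameter and the one-pass default are assumptions: on SSDs, journaling file systems, and volumes with snapshots or backups, overwriting a file in place does not guarantee the old blocks are gone, which is why the guideline points to dedicated tools.

```powershell
# Added example (not from the ISO page): overwrite a file's allocated blocks with
# random bytes before removing it, so "deleting" does more than drop the pointer.
# Illustration only; follow the Secure Deletion Guideline for supported tools.
function Remove-FileSecurely {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Passes = 1          # assumed default: one random pass for modern drives
    )
    $file = Get-Item -LiteralPath $Path
    if ($file.PSIsContainer) { throw "Refusing to operate on a directory: $Path" }

    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 65536
    # Open for write WITHOUT truncating, so the existing allocation is overwritten in place.
    $stream = [System.IO.File]::Open($file.FullName, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Write, [System.IO.FileShare]::None)
    try {
        for ($pass = 1; $pass -le $Passes; $pass++) {
            $stream.Position = 0
            $remaining = $file.Length
            while ($remaining -gt 0) {
                $rng.GetBytes($buffer)
                $chunk = [int][Math]::Min([long]$buffer.Length, $remaining)
                $stream.Write($buffer, 0, $chunk)
                $remaining -= $chunk
            }
            $stream.Flush($true)   # flushToDisk: push the overwrite past the OS cache
        }
    } finally {
        $stream.Dispose()
        $rng.Dispose()
    }
    # Rename to a random name before removal so the original file name does not
    # linger in directory metadata either.
    $newName = [System.IO.Path]::GetRandomFileName()
    Rename-Item -LiteralPath $file.FullName -NewName $newName
    Remove-Item -LiteralPath (Join-Path $file.DirectoryName $newName) -Force
}

# Usage on a constructed sample file (sample data, not real records):
# Set-Content -Path "$env:TEMP\roster-export.csv" -Value "sample,sensitive,row"
# Remove-FileSecurely -Path "$env:TEMP\roster-export.csv"
```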

What can I do?

UC Berkeley staff members have an obligation to delete or destroy sensitive covered data that they handle when it is no longer needed.  Following are steps for meeting this requirement:

  • Identify the sensitive data that you handle by referencing the Data Classification Standard (see "Know what you have" above).
  • Determine an appropriate retention period for removing sensitive data (e.g., immediately upon completion of task, weekly, monthly, annually) - check with your manager or supervisor if in doubt.
  • Determine the right file deletion tool or process to use for removing the data.
  • Schedule time to perform the removal process on an ongoing basis.