Security Basics: 101

Protecting your account username and passphrase is fundamental to proper security practices.  This is especially true of your CalNet credentials, which provide access to a wide array of online services for students, faculty, and staff.

Learn about the risks of stolen account credentials, how credentials are commonly stolen, and what you can do to protect your account information:

• Protecting your credentials
• Free LastPass Premium account

Phishing scams can provide a backdoor entryway to cyber-criminals, putting your personal information at risk, as well as sensitive campus data.

Following are resources for identifying and avoiding social engineering scams, like "phishing" messages:

• The Security website Phishing Resources section, including Anti-Phishing Tips
• Phishing FAQs
• The Phish Tank - recent real-world examples of phishing messages received on campus

As a student, faculty, or staff member, you may at some point receive a security notice from the Information Security Office (ISO).  Security notifications are sent via email and are generated by network security tools that search the campus network for systems compromised by hackers and computing devices with known security weaknesses.  Outside reports of security problems may also initiate notifications.

If you receive a security notification, it will likely be related to one of the following issues:

• A known vulnerability has been detected on your device (e.g., the device is running an unsupported operating system)
• The device has been potentially compromised (e.g., the device has been infected with malware)
• Your CalNet credentials have been exposed and must be reset

What should I do?

Read the notification message carefully and follow instructions for resetting your CalNet passphrase immediately, if required.  Follow these steps if there is any indication that the system has been compromised:

• Remove the computer from the network (e.g., disable wifi access to Airbears) to prevent the malware from spreading
• Contact your IT service provider to assist with removing the malware and cleaning the system

	IT Service Provider	Phone	Email
Students	Residential Computing (http://www.rescomp.berkeley.edu)	(510) 642-4357	helpdesk@rescomp.berkeley.edu
Faculty/Staff	IT Client Services (ITCS)	(510) 664-9000, option 1	itcsshelp@berkeley.edu

• Respond to the ISO security notification to let us know the issue has been resolved

If there is a legitimate explanation for the issue detected, and you believe the alert is a "false-positive", please reply to the notice and let us know.

For more detailed information, visit the Respond to a Security Notice page or contact ISO by sending an email to security@berkeley.edu.

The computing devices we use, whether campus-issued or self-owned, are the gateway between data that needs to be protected and the Internet at large.  Keeping these devices patched is the most important defense against cyber attacks.

Why Patch?

New vulnerabilities in the operating system and application software are discovered every day.  By not applying patches, you might be leaving the door open for exploits of these vulnerabilities that can lead to the exposure of your personal information (e.g., CalNet ID, credit card info, etc.) or sensitive campus data.

Vulnerabilities in web browsers and email programs can allow malicious websites to infect or compromise your computing device with little or no action on your part other than clicking a link.

How to Patch

Some campus units subscribe to the campus-wide Berkeley Desktop standard, which automatically keeps desktop software up to date. 

For students and staff who personally manage their computers, or who use personal computers or mobile devices, the following are a list of security patch resources.

Information resources for keeping your computer operating system up to date:

Operating System	Resources
Microsoft Windows	Learn how to keep your PC current with automatic updates (includes instructions for supported versions of Windows O/S): Windows Update: FAQ Note:  If your PC is connected to a network where updates are managed by Group Policy, you might be unable to change settings related to Windows Update.  Contact your IT support staff for more information.
Apple MacOS	Some critical security updates for your Mac are released as automatic updates.  Your Mac checks for these updates daily, and when an automatic security update is available, it installs automatically and displays a notification. Make sure the following options are selected in the System Preferences for the App Store: Automatically check for updates Download newly available updates in the background Install system data files and security updates For manually updating your Mac software, follow these instructions: Update the software on your Mac
Apple iOS	Learn how to update your Apple mobile device to the latest version of iOS - wirelessly or using iTunes: Update the iOS software on your iPhone, iPad, or iPod Touch
Google Android	Information about Android O/S updates for various device manufacturers: Check and update your Android version

What is "Malware"?

Malware is short for "malicious software" and describes programs designed to disrupt computer operations, gather sensitive information, or gain unauthorized access to a system.  The impact of malware can range from minor system performance issues to deletion of data or even full, remote control access by an attacker.

Anti-malware

Anti-malware utilities are a standard and necessary layer of protection for networked systems, designed to detect and block malicious programming on individual computers.

Here are some tips for using anti-malware programs:

• Ensure that the anti-malware software receives regular signature updates.  These updates contain information about new viruses and are often delivered multiple times a week.
• In order to detect malware before they are able to infect a system, enable real-time scanning. Real-time scanning will analyze files and programs as they are copied to a system in order to prevent the user from unknowingly becoming infected.

Considering how much we rely on our mobile devices, and how susceptible they are to attack, you'll want to make sure your smartphone is protected:

• Visit the "Top 10" guide for secure computing to find general tips for using mobile devices safely.
• Following are some helpful links to instructions for securing your Apple iOS device:

Set PINs and passwords	Use a passcode with your iPhone, iPad, or iPod Touch
Backup and secure your data	iCloud storage and backup overview
Use Find My iPhone to locate a lost device and Activation Lock to prevent anyone from using the device if lost or stolen	Find My iPhone, iPad, and Mac
Learn how to wipe data from your old phone before you dispose of it	Erase all content and settings on your iPhone, iPad, iPod touch, or Apple Watch

• Apple provides detailed iOS security configuration guides, including steps for iOS hardening, for each of the currently supported versions of the operating system:  Product security certifications, validations, and guidance for iOS
• Google also provides detailed information concerning security settings for Android devices.

Here are a few more important smartphone security tips to keep in mind:

• Do not modify your smartphone's security settings - jailbreaking or rooting your phone undermines the built-in security features
• Only install apps from trusted sources
• Understand app permissions before accepting them - be cautious about granting apps access to personal information
• Accept updates and patches to your smartphone's software
• Be smart on open Wi-Fi networks - your phone can be an easy target to cyber-criminals on a public Wi-Fi network

Data Classification

Understanding the classification level for the campus data you handle is fundamental to knowing what security protections are required by university policy.  (Campus data is information relating to university activities or operations.  It does not include an individual's personal information).

Data classification is determined by the potential adverse business impact to the campus due to the unauthorized exposure of restricted information. 

Business Impact

Considerations for evaluating adverse business impact to the campus include the following:

• Loss of critical campus operations
• Negative financial impact
• Damage to the reputation of the campus
• Potential for regulatory or legal action
• Violation of campus mission, policy, or principles

Protection Levels

The level of impact to the campus is designated by four (4) "Protection Level" classifications:

• UC P1 indicates "minimal" impact and is information intended for public access, such as public directory information, public websites, course listings, and pre-requisites.
• UC P2 is assigned to data with a "low" adverse impact to the campus.  This level includes student records, staff, and academic personnel records, licensed software, and paid electronic subscription resources.
• UC P3 data has a "moderate" adverse impact to campus business and is defined by a statutory requirement to notify affected parties in the event of a breach.  Examples include:
• Social security number
• Driver's license number
• Financial account or credit card numbers
• Personal medical information
• Personal health insurance information
• UC P4 pertains to Information and IT Resources requiring the highest level of confidentiality or integrity, including Notice-Triggering data and "Shared-Fate" data and systems. e.g., enterprise credential stores, backup data systems, and central system management consoles.  This scenario would be deemed to have a "high" adverse impact.

Protection Profile Requirements

Data classifications align with campus policy "protection profile requirements", a list of security controls that are required for each protection level.  The "protection profile" is also determined by the type of device and its use, as well as the protection level.

These security control requirements are found in the UC Berkeley Minimum Security Standard for Electronic Information (MSSEI), an important reference guide for IT support personnel and staff who are responsible for the handling of protected campus data.

For more information

The UC Berkeley Data Classification Standard contains the details governing the classification of campus data and is also an important reference guide for anyone responsible for campus data protection. The Data Classification Guideline provides further guidance for interpreting the Data Classification Standard.

Minimum Security Standard for Electronic Information

The UC Berkeley Minimum Security Standards for Electronic Information (MSSEI) is the campus policy that determines the level of care required for protecting classified data.  The MSSEI is aligned with the UCB Data Classification Standard for defining the various levels of protection and the corresponding security control requirements.

Device/Use Categories

The purpose or "use" of a computing device, together with the classification or "protection level" of the data that is processed or stored on the device, determines the set of security control requirements for the system.

There are three (3) Device/Use categories:

Institutional Device - Servers that store, process or transmit sensitive data (e.g., database servers, application servers, web front-end servers, backup and storage systems, etc.).

Privileged Access Device - Any device where credentials are used to provide privileged access (e.g., superuser or administrator) to an institutional device that is utilized for protected data.

Individual Device - Devices that process, store or transmit protected data that cannot be classified as either institutional or privileged access.

By default, all employee workstations (including laptops, tablets and smartphones) issued by the university are categorized, at a minimum, as Individual UC P2/P3 devices.

Baseline Data Protection Profiles

The MSSEI defines the baseline data protection profiles that determine system security control requirements.  Each baseline profile is a minimum set of required security controls that correspond to the data classification protection level, the type of device, and the purpose or use of the device.

A list of the control requirements for each profile can be found in the following PDF diagram:  Protection Profile Matrix by role

MSSEI Control Requirements

The MSSEI policy is comprised of 34 requirements in 17 categories.  The policy is derived from industry-accepted best practices for cyber defense, such as the SANS 20 Critical Security Controls.  The requirements range from physical security, secure device configuration, vulnerability scanning, account monitoring and management, security training, and much, much more.

Campus units are responsible for ensuring that the security requirements for the systems and devices used for handling campus protected data within the unit meet MSSEI requirements.  This can be accomplished by the following practices:

• Develop an MSSEI self-assessment plan that details how control requirements are implemented.
• Gather feedback and recommendations for meeting control requirements by engaging the MSSEI Assessment Service with the Information Security Office (for UC P4 systems only).
• Notify service providers (both internal campus resources and 3rd-party vendors) of the protection level assigned to the data and systems that they support, so that they clearly understand the MSSEI security requirements.

For more information

The MSSEI Baseline Data Protection Profile Summary provides links to each of the control requirements, including basic information and some examples.  Separate guidelines are available for each of the control requirements, containing more detailed information and suggested recommendations.

The first requirement listed in MSSEI is "1.1 Removal of non-required covered data" and it applies to all UC P2/P3 and UC P4 devices (individual workstations and laptops, as well as institutional servers).  The logic here is simple:  By deleting the sensitive data that is no longer needed, we reduce the risk of that data being inadvertently exposed or compromised.

Requirement 1.1 specifies a "review of devices and storage media to identify and securely remove or destroy covered data that is no longer required for business purposes" at least once annually.  A more frequent review process that removes data as it is no longer needed is preferable, if possible.

Secure Deletion Tools

Dragging files to the desktop Trash, and then "emptying" the Trash, does not actually delete the data stored on the disk.  The markers that point to the location of the file on the disk drive are removed, but the data is still there until it is over-written by new data.  Because of this, special care is required for decommissioning disk devices that store sensitive data, and for deleting sensitive files from a workstation or mobile device. 

Specialized secure deletion tools are needed for this purpose - the Secure Deletion Guideline provides recommendations for disk and file deletion tools.

What can I do?

UC Berkeley staff members have an obligation to delete or destroy sensitive covered data that they handle when it is no longer needed.  Following are steps for meeting this requirement:

• Identify the sensitive data that you handle by referencing the Data Classification Standard (see "Know what you have" above).
• Determine an appropriate retention period for removing sensitive data (e.g., immediately upon completion of task, weekly, monthly, annually) - check with your manager or supervisor if in doubt.
• Determine the right file deletion tool or process to use for removing the data.
• Schedule time to perform the removal process on an ongoing basis.