Information Security Definitions and Information
Reporting Lost or Stolen Devices or Data
All PPS staff are responsible for the protection of student and staff information privacy. Breaches of this privacy are considered to be exposure of Personally Identifiable Information (PII) described in Administrative Directive 8.90.030-AD. Suspected compromises, such as via the loss of USB drives, computers, phones or communication of student data to non-PPS staff must be reported to OTIS immediately.
Passwords are used to provide you with access to the resources you need as well as to prove you were the one who accessed a resource or performed an action; therefore, it is essential to follow some good password creation and use habits to ensure your passwords are not easily obtained by anyone that is not you. This will help ensure that you are not mistakenly accused of performing actions that are illegal or that violate the acceptable use policies. Some of the best practices for password use and creation include:
- Never use the same password twice.
- Use a password manager.
- Create a completely new password when you change your password, do not just change a portion of your password.
- Do not use personal information, sports teams, hobbies, dates, or names to create your passwords.
- Do not write your password down.
- Do not save your password in a file stored on your computer.
- Do not store your password in your phone.
- Do use a different password for every website and/or account you use.
- Do use complex passwords that contain numbers, letters, and symbols.
- Do use passwords that are 16 characters or longer.
- Use passphrases when possible.
- Do not use password reset questions with answers that can be found by searching your social media or by knowing you as a person.
- Do use unusual answers that you will remember for password reset questions.
How to create a good password:
- Create a sentence about yourself that is general and does not contain specific proper nouns.
- Do not use spaces.
- Do use numbers and special characters.
- Example: MyChildrenOwn14PairsOfShoes&IHave5.
Notice this password has 33 characters, is complex, easy to remember, and hard to guess. Do not use this example as your password.
Email is the easiest way for intruders to steal your passwords or infect your computer with malware in order to break into a network, steal your identity, or steal your bank account information. Some of the current email best practices for limiting the likelihood that your computer, smartphone, or tablet is infected by bad email include the following:
- Never trust any links that have been provided to you in emails unless you can verify and trust the person that sent the email.
- Never click any links in emails unless you are expecting that exact email and trust the person who sent you the email.
- Never trust attachments in emails that come from someone you do not know.
- Never trust email addresses that look like they came from someone you know but which came from a new email service. (example: Dmarks@workemail.com is your boss but you received and email from Dmarks@hotmail.com).
- Do download and scan with antivirus any attachments you trust and are going to open.
The majority of malware and hacking attacks that are seen in the news and around the world succeeded because systems and software were not updated with the latest patches. It is critical to patch all software and hardware to protect yourself and your computer from malware and cybercriminals. Following the below recommendations will help ensure that you are keeping your software up to date.
- Update your operating system with the latest patches monthly. For Microsoft Windows users the month patch release is on “Patch Tuesday.”
- When you patch your operating system ensure you update your web-browsers (FireFox, Edge, and/or Chrome. Do not use Internet Explorer).
- Ensure your check for updates on your other devices monthly as well. (This includes your gaming consoles, your wifi-router, smart TVs, smartphones, and IOT devices.)
- Ensure you check for updates in the software you have installed on your computer, smartphones, and tablets. (This includes games like CandyCrush, programs from vendors such as Adobe, and pre-installed software such as Maps.)
- Update your security software definitions daily. (This includes antivirus signatures.)
Ensuring that you are using an antivirus product to protect yourself and your computer from automated attacks and attacks that use known tactics or software is critical to ensuring you, your data, and your computer are difficult to abuse. There are a lot of vendors that offer antivirus products but using the following recommendations will help you to follow some security practices:
- Only use antivirus products from well-known vendors.
- A number of antivirus products have been released in recent years that actually contain malware designed to steal your data. It is important to only use well-known and respected antivirus products.
- Update your antivirus product as soon as updates are released.
- Use the automatic updating features in your antivirus product to ensure you have the latest antivirus signatures as-well-as ensuring the antivirus product itself has been patched to prevent attackers from using it as a tool.
- Never use an antivirus product that is not widely known or that does not make it easy to determine which company and country it has originated.
- In recent years certain countries have covertly release antivirus products to smartphone app stores that contain back-doors and spyware in order to steal data.
Malware and Threat Terminology
The following table lists some common malware and threat terminology with their associated meanings to help you understand some of the security jargon that is used in the security industry and news.
This is a piece of software that was written in a programming language and must be compiled to run. This software is dependent, and unique to, the hardware and operating system architectures.
This is a piece of software that contains commands and does not have a requirement to be compiled to run. This software is not dependent upon the hardware and operating system.
Having the ability to run scripts or programs on a system in “root” or “system” level.
Changing permissions from restrictive user-level permissions to “root” or “system” level permissions. This term is usually associated with an attacker gaining advanced privileges to permit the execution of a program or script.
Remote Code Execution (RCE)
This is when a person or machine has the ability to run a script or program on a device (such as a smartphone or computer) across a network. This can be any type of network to include the internet. This term is usually associated with an attacker’s ability to run a script or program with elevated privileges.
A script or program that replicates itself to remote devices without any human interaction. A worm can be used to spread more harmful malware.
A script or program that replicates itself to remote devices by using human interaction. An example of this is a chain-letter that is emailed to some or all contacts. A virus can be used to spread more harmful malware.
This term refers to a program or script that looks innocent and that has a legitimate use but has malware hiding inside. An example would be a game that secretly allows attackers access to a device.
This term refers to a special type of malware that waits for a predetermined action to pass before it performs its malicious task. The event could be a certain date and time, user performed actions such as restarting a computer or closing a file, or system actions such as the screensaver loading.
This term refers to a program or script that encrypts the contents of the hard drive and potentially encrypts any attached storage devices as well; afterwhich, a message is displayed that informs the user(s) they will need to pay money to recover their data.
This is most commonly a software pop-up that is associated with questionable websites. It is designed to scare users into performing an action that is harmful or costly. Example that have occurred include pop-ups that stated they were an FBI warning and to call the number on the screen to pay a fine and a pop-up that stated the device was infected by malware and to pay a company to clean the malware off of the device.
This is a program or script that is designed to secretly track users’ habits and data. This is commonly associated with organizations that track users for advertising and data trending.
This is a program or script that records all of the keys pressed on a keyboard or the coordinates of finger presses on a touchscreen. This is commonly associated with stealing passwords, bank account information, and proprietary secrets.
This is a piece of software that is most commonly placed on a device by visiting a website, opening a compromised email or attachment, or having a compromised advertisement load. This software contains fully executable malware.
This is a piece of software that is most commonly placed on a device by visiting a website, opening a compromised email or attachment, or having a compromised advertisement load. This software can execute with or without human intervention, does not contain exploitable malware, and is designed to download and run malware from a remote host.
This term refers to a device that has been infected with malware that permits a remote user to issue commands that the device will perform.
This is a collection of Bot devices.
This is a person or server that is responsible for issuing commands to a botnet.
A piece of software that is programmed to secretly use a devices software to perform complex calculations in search of cryptocurrency. This malware degrades device performance by steals power, CPU cycles, and memory.
This email is distributed to a wide number of people based on analytics collected by advertising agents such as Facebook and Google. This is not phishing.
This email is sent by attackers and is designed to trick users into performing some action, (such as clicking on a link, opening an attachment, or enabling macros). Some phishing emails are designed to look like spam but they are not spam.