- Set up your device so it protects itself as much as possible by following StartSafe recommendations.
- Refuse unknown programs. A malicious program can undo all your security.
- Unfamiliar or unsolicited files from any source should be treated with caution, particularly unsolicited download offers from web sites. Sources include:
  - e-mail attachments
  - e-mail links
  - text messages
  - Peer-to-Peer sharing services (music, videos, etc.)
  - Files found on open Windows file shares
  - Files offered from Web links found in e-mail, text messages, or any other unsolicited source
- Verify the sender of messages and message content whenever financial, account, or computer changes are involved.
- Don't believe everything you see on your computer or the Internet.
  - The FROM field in an e-mail message is absolutely worthless in determining who sent the message.
  - Anyone can put up a web site that says anything or looks like any other.
  - File names are often meaningless.
- Do not make critical decisions based on unsolicited e-mail or text messages without verifying the source. In particular:
  - Providing passwords
  - Providing sensitive information like account numbers
  - Running programs on your computer
  - Reconfiguring your computer
- Don't let someone else force their way into your computer
- Be aware of computer related threats and crime.
  - Immediate threats are posted to the Computing alerts page.
  - Trending threats and issues are included with the security awareness content displayed during password changes.
- Prepare for the inevitable failure. Backup critical data regularly.
  - Recovery instructions for a security failure (infected computer, compromised account or computer)
Did you know that with one wrong mouse click you could make it possible for someone to read all your email, documents, or instant messages? That they could also view your grades, online bank accounts, or change your course schedule? That they could read or change anything on your computer? Or anything accessed from it? That they could turn on your computer's microphone to listen in on conversations or web cam to view your room? Or command your computer to attack other network users or sites? Or use your computer for a computer crime for which you may be blamed?
Did you know several such incidents have occurred on computers at JMU...from three-year-old Windows laptops to Linux servers? That they've been used to attack other computers and divulge information? Did you know all our computers are scanned constantly from around the world by people hoping to take advantage of them? Did you know that legitimate university, corporate, media, and government web sites have been hacked and subsequently used to publish fraudulent or harmful content to visitors?
Did you know that your behavior impacts your neighbors' security and their behavior yours?
The Internet, paired with today's software, provides us with astonishing capabilities for sharing and communication. However, these same capabilities also provide access and computer power to more than 600 million people around the world...some of whom may not share our behavioral expectations. Examples, such as random acts of vandalism, can be found in any local newspaper.
The threats associated with online folks' behavior are very different from similar threats in the physical world. Using the same freedom and functionality we treasure, they can communicate with our computers almost instantaneously, almost anonymously, and en masse from around the world. They don't even need to be a computer expert. It only takes one person to write a destructive program to enable many people without technical knowledge to cause problems, just as all of us use word processors and web browsers without knowing how they work or being able to write one ourselves.
While the risks associated with these threats can be decreased by limiting communications, limiting computer functionality, and increasing the complexity involved with our computing environment, they can't be eliminated. Moreover, the more we wish to maintain our current freedom in communications and computing, the more necessary it is that we individually take steps to take care of ourselves and reduce the need for outside controls and limitations.
The only person ultimately in control of a computer is the operator in front of the keyboard. That person presently has the freedom to run any software he or she wants and communicate with anyone around the world. Our computers can do almost anything we tell them to do. Unfortunately, this versatility makes them very complicated, perhaps the most complicated devices we are exposed to on a regular basis. This is true despite our most fervent wishes, occasional profanity, and manufacturers' efforts. Computers have more decision points and varying functionality than almost anything else we use. They are not cars, televisions, or radios, and efforts to make them appear to be so have sometimes backfired and caused security problems.
The goal of the R.U.N.S.A.F.E. program is to help you attain the knowledge and skills necessary to more safely operate an Internet connected computer. R.U.N.S.A.F.E. workshops are offered once per semester that describe the incidents we've seen at JMU, the threats we're exposed to, and that teach the defensive concepts and procedures described here. Onsite workshops are also available to groups. (contact IT Security Engineering to schedule one).
REFUSE to Run Unknown Programs
Our computing devices operate the way they do entirely because of the programs we run on them. When we run a program, we give control of our computer, its data, and our keystrokes to the author of the program. In fact, a computer break-in is typically just someone running a program on our computer to make it do what we don't want it to do.
A malicious individual may try to convince us to run their program which then takes control of our computer. Or they may force our computer to run their program by using software defects or unintentional access. The program may then tell our computer to email viruses to our friends. It may tell our computer to collect and reveal our passwords. It may tell our computer to disable its anti-virus and personal firewall protection. It may tell our computer to flood a web site with traffic in an attempt to disable it. Or it may tell our computer to break into someone else's computer to help hide the identity of the perpetrator.
Since programs control the computer and everything the computer does or has access to, it is very important that we not run programs written by people we don't know or trust. Almost every other security precaution depends upon our having control of our computers. If we run unknown programs, we don't.
A program can take many forms. It might be a Windows .exe file. It might be a Microsoft Word macro. It might be a script.
We may find programs in many places. They may be offered to us in email attachments. They may be on web sites. They may be on shared folders. As we'll see later, they may even be forced on us over the network or from a web site if we don't keep our computers up to date. For now, we'll concentrate on the programs over which we have a choice about running.
In our point and click world, knowing what to click and what not to click can be confusing. We are conditioned to click on everything. Here are some rules of thumb that may be helpful:
- We should pause a moment to consider the nature of the site, file, or message and how much we want to trust our computer to it before clicking:
  - when our browser asks us if we want to allow extra access. For example, to download or execute a file, plug-in, or ActiveX control.
  - when the file or icon is an email attachment or associated with a text message
  - when the file or icon is in a shared directory accessible to other people on the network. For example, a public share or Windows File Sharing directory.
  - when our word processor or spreadsheet asks us if we want to allow a macro to run.
  - when we don't know for certain where the file came from or through whose hands it passed
- We're generally safe to click in the following situations, as long as our computer software is kept up to date:
  - When the file is on our own computer. Note that an icon may point to a file actually on a shared drive or web site.
  - When we go to a site expecting to download a file or program. Beware, however, of unexpected popups or false claims of virus infection or need for software updates.
In all cases, risk is decreased if we save a file and open it with its related application rather than double-click it or choose "Open this file from its current location".
- By design or defect, a file displayed on our screen may not always appear as it should. It may look like a relatively harmless Word document (resume.doc), picture file (mydog.jpg) or sound file but may actually be a malicious executable program (resume.doc.spy.exe). By saving it to disk and opening it with the application that should go with it, we'll protect ourselves from this scenario. The couple of additional mouse clicks it takes to do this may save a lot of aggravation or worse.
- For example, if you are offered a file displayed as "resume.doc" in an email attachment or on a web site, don't double-click it or open it from its current location. Instead, save it to disk, open Word, and use Word's File->Open menu to open the file you saved. If the file doesn't open properly, or its name changes, it's almost a sure sign something is badly wrong with the file.
There have been many instances of malicious programs spread automatically or getting passed around purposely or innocently. When such a program is discovered, vendors of anti-virus software update their products to recognize the new program. Running the anti-virus product on our computers protects us from this recognized program if we fail in our efforts at refusing unknown programs. But like flu shots, anti-virus software won't protect us from new viruses. Fast moving, email based viruses can circle the globe in hours and infect a lot of computers before antivirus software can be updated. Nevertheless, installing and maintaining anti-virus software is an important part of maintaining the security of our computers. JMU has purchased licenses for Symantec anti-virus for faculty, staff, and students' home and office computers. It is fully supported by the helpdesk. Why not install it now?
Once malicious software is run on our computer, it can do anything, including disabling anti-virus software and personal firewalls. We can limit the damage malicious software can cause by operating our computers using safer accounts for day to day use. For Windows computers, this translates into using a 'standard' or 'limited' account for daily use. The run-as command can be used on the few occasions when Administrator privilege is necessary. The Windows UAC feature makes it even easier. Macintosh computers should also be set up to use a safer account. Likewise, Unix users should not use the root account for daily activities.
When we receive email, we can rarely be sure who sent it. The FROM: information is as easily falsified as the return address on a paper envelope. Virus programs running on an infected computer can easily send out email in anyone's name. Accordingly, email attachments, which may contain malicious programs, should all be treated with caution. One click is all it takes to lose complete control of our computer and everything it accesses.
- Be particularly careful of unexpected or unusual email or attachments regardless of the source, content, or attachment name.
- Treat any email attachment whose name ends in ".exe", ".com", ".bat", ".scr", ".pif", ".shs", ".js", ".hta", ".vbs", or any ending you're not familiar with as you would hazardous waste material. Find out what it is from the sender before opening it!
- Treat email attachments ending in .zip cautiously. They can hold harmless documents or more hazardous executable files.
- The appearance of an e-mail link does not tell you where it leads. Hover your mouse over the link and the destination should appear in the email client's or browser's status bar. Deciphering the real target and determining whether it is legitimate can be tricky, particularly in Microsoft Outlook Web Access. If you do click a link, check your browser's address bar to see if the domain is what you expect (e.g. "jmu.edu"). Most modern browsers highlight the domain in some way, making it harder to spoof.
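As an added worked example (not part of the original page or of the R.U.N.S.A.F.E. materials), the Python below turns the attachment rules of thumb and the link-checking advice above into two small checks: one that looks at every extension in an attachment name so that a "resume.doc.spy.exe" is flagged as a disguised executable, and one that extracts the host a link really points to and compares it against the expected domain. The hazardous endings are the ones listed above; the set of familiar document endings and the "jmu.edu" default are assumptions for illustration.

```python
import os
from urllib.parse import urlsplit

# Endings the text says to treat "as you would hazardous waste material".
HAZARDOUS_EXTENSIONS = {".exe", ".com", ".bat", ".scr", ".pif", ".shs",
                        ".js", ".hta", ".vbs"}
# Archives may wrap harmless documents or executables: handle "cautiously".
ARCHIVE_EXTENSIONS = {".zip"}
# Endings that open in a viewer rather than run as a program (assumed list).
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".txt", ".jpg", ".jpeg",
                       ".png", ".mp3", ".wav"}


def split_extensions(filename):
    """Every dotted suffix of the base name, lower-cased:
    'resume.doc.spy.exe' -> ['.doc', '.spy', '.exe']."""
    base = os.path.basename(filename).strip().lstrip(".")
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def classify_attachment(filename):
    """'document', 'archive', 'disguised' (a document-looking name with an
    executable ending, e.g. resume.doc.spy.exe) or 'hazardous' (executable,
    unfamiliar, or no extension at all: ask the sender what it is)."""
    exts = split_extensions(filename)
    if not exts:
        return "hazardous"
    final = exts[-1]
    if final in HAZARDOUS_EXTENSIONS:
        if any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
            return "disguised"
        return "hazardous"
    if final in ARCHIVE_EXTENSIONS:
        return "archive"
    if final in DOCUMENT_EXTENSIONS:
        return "document"
    return "hazardous"


def link_host(url):
    """The host the browser would actually connect to, lower-cased.
    urlsplit() sees through user-info before '@' (https://jmu.edu@example.net),
    a port, and a path that merely contains the expected name."""
    return (urlsplit(url.strip()).hostname or "").lower().rstrip(".")


def is_expected_domain(url, expected="jmu.edu"):
    """True only for the expected domain or one of its subdomains.
    A plain substring test would accept 'jmu.edu.example.net' and 'notjmu.edu'."""
    host = link_host(url)
    expected = expected.lower()
    return host == expected or host.endswith("." + expected)


def link_report(url, expected="jmu.edu"):
    """What hovering over the link, or the address bar after a click, should show."""
    parts = urlsplit(url.strip())
    return {"host": link_host(url),
            "https": parts.scheme.lower() == "https",
            "expected_domain": is_expected_domain(url, expected)}


if __name__ == "__main__":
    for name in ("resume.doc", "resume.doc.spy.exe", "photos.zip", "notes.xyz"):
        print(name, "->", classify_attachment(name))
    for url in ("https://www.jmu.edu/computing/", "http://jmu.edu.example.net/login"):
        print(url, "->", link_report(url))
```

The attachment check is deliberately pessimistic: anything it does not recognise is reported as hazardous, which is exactly the "find out what it is from the sender" rule. The domain check compares the real host, so a link whose visible text says "jmu.edu" but whose target is elsewhere is caught by passing the target, not the text.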
Portable storage devices, such as USB drives, MP3 players, and cellphones, can harbor malicious programs or become infected by them.
- Use a USB drive with a write protect switch and set it to read-only before plugging the drive into an unknown or untrusted computer. In fact, leave it in read-only mode unless you are planning to write to it.
- If your USB drive does not have a write protect switch, a partially effective workaround is to:
  - Mark all files on the drive read-only.
  - If an autorun.inf file does not exist, create an empty one and mark it read-only.
- Use caution when plugging an unknown USB drive into your computer. On Windows computers, hold down the Shift key while inserting the drive to keep programs on the drive from automatically running on your computer. Better yet, disable the autorun feature on your computer.
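The two-step workaround for drives without a write-protect switch, scripted as an added example (this is not the page's own tooling): it clears the write bits on every file under the drive's root and, if no autorun.inf exists, creates an empty one and marks it read-only. The demo runs against a constructed temporary directory standing in for the drive; to use it on a real drive you would pass the drive's mount point or drive letter instead. As the text says, this is only partially effective, since software running with enough privilege can clear the read-only attribute again.

```python
import os
import stat
import tempfile

AUTORUN_NAME = "autorun.inf"


def _make_read_only(path):
    # Drop all write bits: on Windows this sets the read-only attribute,
    # on Unix it clears user/group/other write permission.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def is_read_only(path):
    """True if the owner write bit is clear (the read-only attribute on Windows)."""
    return stat.S_IMODE(os.stat(path).st_mode) & stat.S_IWUSR == 0


def harden_removable_drive(root):
    """Apply the workaround to everything under `root` (a drive's mount point).

    1. Mark every regular file read-only.
    2. If no autorun.inf exists, create an empty one and mark it read-only,
       so there is nothing for an autorun-capable system to execute and the
       name is already taken.
    Returns counts suitable for a log line.
    """
    root = os.path.abspath(root)
    marked = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue                    # never follow links off the drive
            _make_read_only(path)
            marked += 1

    autorun = os.path.join(root, AUTORUN_NAME)
    created = False
    if not os.path.exists(autorun):
        with open(autorun, "w", encoding="ascii"):
            pass                            # empty file: nothing to run
        _make_read_only(autorun)
        created = True
    return {"files_marked": marked, "autorun_created": created}


def check_drive(root):
    """True if every file under root is read-only and a read-only autorun.inf exists."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_read_only(os.path.join(dirpath, name)):
                return False
    autorun = os.path.join(root, AUTORUN_NAME)
    return os.path.isfile(autorun) and is_read_only(autorun)


def demo():
    """Run the hardening against a constructed stand-in for a USB drive:
    a temporary directory holding one sample file."""
    drive = tempfile.mkdtemp(prefix="usb_demo_")
    with open(os.path.join(drive, "notes.txt"), "w", encoding="ascii") as f:
        f.write("constructed sample file\n")
    return drive, harden_removable_drive(drive)


if __name__ == "__main__":
    drive, result = demo()
    print(drive, result, "verified:", check_drive(drive))
```

Running the function a second time on the same tree is harmless: the files are simply marked again and the existing autorun.inf is left alone, which is why the return value reports whether the file was created rather than assuming it.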
UPDATE Our Computers Regularly
Computer programs frequently contain defects. Some of these defects can allow third parties to run programs of their choice on our computers without any action on our part. This allows the third party to take control of our computers, and all the resources and data they have access to, for their own purposes.
- Defects in client programs like browsers, email clients, and media players may allow unwanted programs to run if we click a link to a malicious web page or receive malicious email. These types of defects can cause us to lose control of our computer simply by browsing the web or starting our email client.
- Defects in server programs like web or file servers can allow someone to force unwanted programs to be run on our server. They exploit the defect by making malicious web or file requests. The exploitation might be carried out by an individual or by an automated program like a worm.
Running defective, vulnerable software on our networked computers is similar to leaving broken windows in our homes and offices for strangers to enter. Except with the Internet, people can enter these "windows" from anywhere in the world. Large scale scans from around the world are often seen within days of new vulnerabilities being announced. Machines with defective software or vulnerable configurations have been known to be compromised within hours of being attached to the network both here and elsewhere. Most software is out-of-date and full of vulnerable defects on the installation CDs and even sometimes when downloaded from vendor web sites. Scanners and automated worms may find a vulnerable server almost as soon as it is connected to the network. It is necessary to check for updates as soon as new software is installed and regularly thereafter.
All computer operators:
Defects in popular add-on programs are often discovered that are not covered by automatic update sites. If you run any of the following programs, you will be responsible for making sure you have the latest security updates from the vendor:
- Messaging and Communications Programs (Skype, Pidgin, etc.)
- Media players (RealPlayer, Winamp, etc.)
- Document viewing or presentation programs (Adobe Reader, Adobe Flash, Shockwave, etc.)
Keeping track of all your installed software and needed updates is tedious, time consuming, and error-prone. If your Windows computer is managed by JMU IT (set up by IT Desktop Services and joined to the IT domain), many of these tedious tasks are taken care of for you. Currently, IT manages over 2000 campus Windows computers.
One company that makes a product that can help with the update task and that has had favorable reviews is Secunia. They offer a web based service you can visit with a browser that will check your computer for needed updates for a few dozen of the most popular programs. If you want, they will email you reminders on a periodic basis to rescan your computer. They also offer a more comprehensive program that can be downloaded and installed on home computers that can check for updates for thousands of programs. Installing this program on JMU owned computers violates the license terms. As always when using a web service that requires downloading software, the terms and conditions and privacy policies should be examined.
Microsoft Windows Systems
Windows Desktop Operators:
- Follow StartSafe procedures to set up automatic updates.
- Make plans to upgrade or replace software which Microsoft doesn't or soon won't support with security patches. Of particular importance in this respect are:
  - Internet Explorer versions prior to 8
  - Windows XP
  - Microsoft Office versions prior to 2007
  - Macintosh OSX versions prior to Snow Leopard (10.6)
- Cygwin users must also check for defect updates in Unix programs packaged with Cygwin or installed separately. For example, OpenSSH.
Windows Server Operators:
Servers need to have more timely patches as they run software that is accessible to anyone on the Internet. Patches should be installed as they become available.
Linux and other Unix Systems
These systems often have server programs running even after a default desktop installation.
Macintosh OSX is based on Unix. Many Unix related defects also affect Macintosh OSX.
- Keep anti-virus software up to date.
- If available, check your vendor's security site monthly for critical security updates.
NULLIFY Unneeded Risks
Whether by operator mistakes, attempts at making computers easy to use, or encouraging open access, our computer's software sometimes grants more access to our computers than is needed. We can decrease risk by eliminating unneeded access to our computers.
JMU Highly Confidential data (e.g. SSN, banking account numbers, credit cards) about people other than yourself must not be stored on personally owned devices. Any unauthorized storage of JMU Highly Confidential or Protected Data is a violation of university policy. Such data must not be stored in a way that it is exposed to unauthorized access physically or electronically.
When ordering Dell laptops from the JMU purchasing pages, be sure to specify the encrypting hard drive option.
SAFEGUARD Our Identity and Password
Passwords are the combination locks used to protect our computer accounts. It goes without saying that giving out our combination or leaving the lock unlatched (i.e. walking away from a logged on computer), compromises our security. However, technology provides ways for people to obtain our combination even if we aren't careless. To thwart such misuse, we must choose complex combinations. There are three elements to a complex combination:
- It can't be obvious. That is, it can't exist in an attack dictionary.
  - Every word in an English language dictionary can be tried in minutes. Attack dictionaries also include names, common misspellings, words with numbers, and other commonly used passwords. You also don't want the password to have any personal significance to you...your dog's name for example. Using a dictionary word for a password is like using a locker number for a combination.
- It can't be short.
  - A combination lock with a two number combination wouldn't protect very well. Anything less than an eight character password is like having such a combination. It simply won't hold up for long on the network. A minimum of ten characters is recommended.
- It can't be made up of just a few kinds of characters.
  - A combination lock with only ten numbers on the dial isn't as effective as one with fifty. Using just lower case letters is like limiting a combination lock to ten numbers. On systems that support them, passwords should contain at least one of each of the following characters:
    - Uppercase letters ( A-Z )
    - Lowercase letters ( a-z )
    - Numbers ( 0-9 )
    - Punctuation marks ( !@#$%^&*()_+=- ) etc.
Different systems have different capabilities. Some will not let you use all the strength features mentioned here. When you get an account or change your password on a system, you should be given instructions on any limitations.
How, you may ask, am I ever going to remember such a complicated password?
- Pick a sentence that reminds you of the password. For example:
  - if my car makes it through 2 semesters, I'll be lucky (imcmit2s,Ibl)
  - only Bill Gates could afford this $70.00 textbook (oBGcat$7t)
  - What time is my accounting class in Showker 240? (WtimaciS2?)
- If you absolutely have to, record it in a secure location. It's probably safer to store a strong password in a place where someone would have to physically break in than to expose a weak password to 600 million people on the Internet.
Never type your password into an untrusted computer or web site. An increasing number of forged e-mail messages may try to take you to forged web sites to collect sensitive information such as account numbers and passwords.
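The three elements of a complex combination, and the sentence-based examples above, as an added Python check (this is not the page's own tool and not how any JMU system evaluates passwords). The attack dictionary here is a constructed handful of entries standing in for the millions a real one holds, and the reversed letter-for-symbol substitutions are an assumption about what such dictionaries try. Run against the page's three examples, it shows that "oBGcat$7t" satisfies the eight-character floor but falls short of the recommended ten.

```python
import re
import string

# Constructed stand-in for an attack dictionary.  Real ones hold millions
# of entries: every dictionary word, names, common misspellings, and
# previously leaked passwords.
ATTACK_DICTIONARY = {"password", "letmein", "welcome", "monkey", "football",
                     "qwerty", "summer", "dukes", "rover", "jmu"}

FLOOR_LENGTH = 8          # "anything less than an eight character password"
RECOMMENDED_LENGTH = 10   # "a minimum of ten characters is recommended"

CHARACTER_CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "punctuation": set(string.punctuation),
}

# Substitutions an attack dictionary is assumed to undo ("P@ssw0rd" -> "password").
LEET_MAP = str.maketrans("0134$@!", "oleasai")


def dictionary_forms(password):
    """The variants a dictionary attack would try for this password:
    lower-cased, with trailing digits/punctuation stripped, and with the
    common letter-for-symbol substitutions reversed."""
    base = password.lower()
    stripped = re.sub(r"[\W\d_]+$", "", base)
    return {base, stripped, base.translate(LEET_MAP), stripped.translate(LEET_MAP)}


def check_password(password):
    """List the rules the password fails; an empty list means it passes.

    The three elements: not obvious (no attack-dictionary hit), not short
    (under 8 fails outright, 8 or 9 is reported as below the recommended
    10), and not drawn from just a few kinds of characters (one of each
    class must be present).
    """
    problems = []
    if dictionary_forms(password) & ATTACK_DICTIONARY:
        problems.append("obvious: matches an attack-dictionary entry")
    if len(password) < FLOOR_LENGTH:
        problems.append("short: fewer than %d characters" % FLOOR_LENGTH)
    elif len(password) < RECOMMENDED_LENGTH:
        problems.append("short: below the recommended %d characters" % RECOMMENDED_LENGTH)
    missing = [name for name, chars in CHARACTER_CLASSES.items()
               if not any(c in chars for c in password)]
    if missing:
        problems.append("few characters: no " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    for candidate in ("imcmit2s,Ibl", "oBGcat$7t", "WtimaciS2?", "P@ssw0rd!", "rover"):
        print(repr(candidate), "->", check_password(candidate) or "acceptable")
```

The dictionary test works on normalised forms rather than the raw string, which is the point of the "words with numbers" remark above: appending a year or swapping an "a" for "@" does not move a password out of the attack dictionary, because the attacker's tooling tries those variations too.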
Use only applications that encrypt communications (e.g. SSL https web servers, SSH, IMAPS, SMTPS) when passwords are required.
Follow wireless usage and setup best practices.
Be careful not to type your password into the wrong field, for example the username field. Doing so will generally result in your clear text password being recorded in a system log.
ASSURE Sufficient Resources for Proper System Care
Do you want your organization's web server to become known as the one that makes headlines when it is used to bring down a high profile Internet site? That is used to break into your neighbor's computer? That harbors illegal or inappropriate files? That gives away any privileged information that is stored on it? That is unreliable?
A publicly accessible network resource needs special care in its initial setup. Today's development projects often encompass many architectures, products, and technologies. Depending upon the level of your involvement with each component, you or your project team may need to be aware of a wide variety of issues. For example, a safe deployment of a web based application may involve taking into account implementation and development issues in any of the following environments:
- Core operating system issues in Unix or Windows
- Web server issues in Internet Information Services or Apache
- Web development issues in server and client side scripting and components
- Issues with transaction processors or application servers like Tuxedo or MTS
- Backend database issues with Access, Oracle, or MySQL
Issues with authentication, file access controls, data authorization, encryption, and network access controls often cross OS, web server, web development, application server, and database realms.
Perhaps less well known, thanks to vendor marketing efforts and perhaps our own wishful thinking, is that a service needs ongoing monitoring and maintenance regardless of platform. Without this care, the server may not remain in operation long, it may not preserve the confidentiality and integrity of resident data and accounts, or it may be used as a base of operations for criminal activity including attacks on other computers.
- Budget planning, hiring procedures, staffing levels, and job descriptions should reflect the need for developer and administrator training and ongoing monitoring and maintenance in a complex and ever changing environment.
- Allow time for regular maintenance.
- Elevate security and ongoing maintenance to the same level of consideration as cost, ease of use, functionality, and performance.
It is impossible to provide absolute security for our computers just as it is impossible to provide absolute security for ourselves or our possessions in the physical world. Insecurity is a fact of life. There are no technical panaceas.
There are over 600 million people with Internet access and we cannot control their actions. They have world-wide, almost instantaneous and anonymous access to our computers' network ports. There are practical compromises in the design of our computers and networks that may leave them vulnerable to certain activities. Accordingly, we must temper our actions with awareness and take some precautions.
- Keep up to date with current threats and scams.
- Regularly backup critical or hard to replace data.
- Be careful about whom and what you trust. Don't believe everything you see on the web or in email messages.
- Do not ignore warning messages. In particular, those associated with:
  - Web browsers warning about site certificate mismatches
  - Web browsers warning about file downloads or potential security problems
  - SSH clients like Putty, F-Secure, and SecureCRT warning about host key mismatches
  - Repeated virus warnings
EVERYBODY Needs to Do Their Part
Your particular computer may not seem to be a desirable target of a compromise attempt, but any computer is attractive as a stepping stone or attack vehicle. Simple Windows and Macintosh desktops have been involved in security incidents. Even with switched networks, a compromised computer may be used to sniff network traffic from neighboring computers. Thus, your security is dependent upon your neighbors' security and their security on yours.
In the days of standalone computers, reckless or unauthorized use of a computer affected just one computer. With a networked computer and its access to shared network resources and common communications lines, the same actions may affect many computers, accounts, services, or people.
As long as we want to continue to have relatively open computing and communications choices, and preserve our privacy, services, and data, each one of us must do his or her part to help ensure the integrity of our network.
- Do your part - RUNSAFE
- Encourage and help your peers to do their part - RUNSAFE