• Services
• Get Help
• Accounts
• Computer Labs
• Software
• Training
• Network
• Hardware Purchases & Repair
• Information Systems Applications
• Information
• Alerts & News
• Security
• Policies & Standards
• Forms
• About Information Technology
• IT Planning
• Staff
• Organizational Chart

Beware - Information Technology Threats

After preparation, awareness and behavior affect the success of security efforts more than any other factors.

Today's Threat Environment

It should be no surprise to anyone that criminals are joining the Internet revolution and that SPAM, fraudulent messages, viruses, and system break-ins are all too common occurances.

• A typical day at JMU:
  • Tens of thousands of SPAM e-mail messages received
  • Thousands of e-mail messages received attempting to infect computers or commit fraud
  • Thousands of e-mail messages coming from outside JMU pretending to be from JMU
  • Thousands of network reconnaissance scans from outside JMU
  • Thousands of network infection attempts from outside JMU
  • Dozens of virus exposures while browsing web sites
  • Daily attempts to break into our web and ssh servers from outside JMU
  • Daily exposure of JMU computers to malicious outside web sites serving disguised malicious software
  • Daily exposure of JMU computers to malicious outside web sites attempting to exploit security defects on JMU computers

Security measures at JMU stop a lot of this activity but not all...nor will they ever stop all. Computer users outside the JMU campus are likely exposed to more activity.

 The core ways to avoid problems are the same generic methods used for most threats and are described in the StartSafe and RUNSAFE web sites:

• Perform regular software security updates
• Use a firewall
• Use a regular user account for day to day activities
• Use anti-virus software
• Avoid unnecessary risk
  • Unsolicited electronic messages
  • Software downloads and installations unrelated to a business or academic need
  • Unsolicited offers of software downloads and installations

The most common threats and exploited vulnerabilities in our environment are described more fully below.

Computer Defects

Defects breaking security are found constantly in almost all computer software - destkop, enterprise, entertainment, media players, even security software itself. Criminals use these defects to force malicious programs on vulnerable computers. Mitigating this risk requires that security updates constantly be applied to computers.

StartSafe recommendations for desktops guide you in setting computers up so they automatically update core software. Third party products that are installed later must also be updated regularly and the products vary in their automatic update capabilties. Some of these updates are installed automatically on desktops and laptops managed by IT. Other computer and product updates are the responsibility of the individual computer operator. A list of defects in software commonly found at JMU can be found here along with additional risk reduction and automatic notification options.

Malicious programs

Malicious programs direct our computers to do these we don't want them to do. They may be simple or sophisticated. Their actions may be limited to creating a nuisance, or more likely these days, turn our computers over to criminals. Criminals use constantly evolving tricks and technology to convince us to install these malicious programs ourselves or force them on us using defects in our computer software.

Constant updates, refusing to install unknown or unnecessary programs, and using a regular user account for day to day operations are the most effective preventive measures following by anti-virus and firewall software.

More information on malicious programs can be found at Viruses and Worms and Trojans and Spyware, Oh My!

Malicious e-mail and other electronic messages

Electronic messages can rarely be verified for authenticity of content or sender. Many times messages are sent from compromised computers and accounts. The core protocols used in these technologies often do little to promote security. They're designed primarily to enable easy communications - not to provide security.

The end result is that most of today's electronic messages cannot be trusted. The more important the message and actions urged by the messages, the more important that they be verified independently. Under no circumstances should unsolicited messages or web sites reached by links within unsolicited messages be used as the sole basis on which to make a decision about:

• Installing software on your computer
• Disclosing financial or other sensitive information
• Disclosing passwords (JMU will NEVER ask for your password via e-mail. Nor should anyone else.)

In fact, care must be used in making decisions about whether or not to even click links in such messages as they can lead to web sites that exploit computer software defects to automatically infect computers without further action. Thus, operators of computers used for sensitive business operations should avoid unnecessary clicking of links in unsolicited e-mail and other electronic messages.

 General information about unsolicted e-mail (SPAM) can be found here.

Malicious web sites

The number of web sites harbouring malicious programs and automatically exploiting defects in visitors' computers is growing every day. Worse, the number of legitimate web sites that are compromised in ways allowing them to be used for criminal purposes is growing.

Constant updates, refusing to install unknown or unnecessary programs, and using a regular user account for day to day operations are the most effective preventive measures following by anti-virus and firewall software.

Handling passwords

Passwords are the keys used to gain access to  your accounts and data. Strong passwords and careful use are required in today's threat environment. More on passwords.

Handling personal information

Today's Internet provides many opportunities to communicate and share. There is risk, however, in sharing too much. Review privacy policies of web sites you use. Use caution posting information you would not want publicly available.

Handling sensitive data

The cautions relating to personal information apply even more to sensitive data. And sensitive data belonging to someone else entrusted to you implies even more responsibility and the need for caution and conservative operation.

Handling portable storage

Portable storage devices include the obvious things like USB thumb drives and USB external drives but also include things like digital cameras, picture frames, cellphones, and music players. All can be used to store data. All can be used by viruses to spread to the storage device and to other computers.

Internet fraud, phishing, and identity theft

Performing crime on the internet presents less risk to criminals than performing similar crimes in person. It also leverages free, world-wide communications, near anonymity, the power and complexity of the modern computer, and near instantaneous speeds.

Identity theft is arguably easier to commit and has more long term effects in our electronic world.

General information, recommendations, and links to help resources regarding internet fraud and identity theft can be found here.

Mistakes

Everyone makes mistakes. From the computer operator to the system administrator to the developer to large corporations handling millions of sensitive electronic transactions for other people. These mistakes are well documented and the security incidents that result from them show up regularly in the news media. Most computer security incidents are caused or enabled by mistakes.

The inevitability of mistakes in an environment like today's internet ripe with constant threats creates a situation where basic, common sense security principles like least privilege, defense in depth, and eliminating unnecessary risk are necessary to have even a remote chance at being successful in security. Applied to the daily operation of a computer, this translates to conservative operation, avoidance of software and media not related and necessary for academic or business pursuits, use of regular user accounts, layered security products, and layered network and system access controls.

Common Mistakes Affecting Our Privacy, Accounts, Computers, and Data

• Trusting unknown programs (and unverified electronic messages and web sites)
• Failure to periodically patch defective software
• Failure to run and update anti-virus software
• Treating a computer that accesses sensitive information as an entertainment device
• Unnecessary installation and/or misconfiguration of P2P music sharing software
• Using the same passwords on multiple systems with different levels of sensitivity and risk factor
• Microsoft File Sharing configuration errors 
• Installing and operating Linux, Windows NT, and Windows 2000 servers without first fixing known defects
• Failure to back up critical files
• Poor password choices
• Unsafe handling of passwords
• Forgetting to log out of shared computers like those found in labs
• Trusting unknown computers that may be running malicious software that records keystrokes
• Failure to assure sufficient resources to maintain servers