Security Self-Test - Information Technology Services

THINKING AT THE EDGE
Computer Security
UC Santa Cruz's Basic Overview
Questions & Scenarios
2012
its.ucsc.edu


Navigating This Tutorial
This Computer Security Overview Training consists of 10 different self-paced modules that you can view in your web browser or download to your computer. Each module is designed to take approximately 5-15 minutes to complete and includes a certificate at the end that you can print out and have signed. Once you complete each module, you can go back to the ITS Security Awareness Training site (http://its.ucsc.edu/security/training/index.html) to view or download the next one. You can also visit this website at any time to review the information in these training modules or to take additional tutorials as they become available.


Training Modules
1. Introduction to Computer Security
2. Beware of Scams
3. Safely Using Internet & Email
4. Password Strength and Security
5. Mobile Devices and Wireless
6. Ten Other Essential Security Measures
7. Protecting PII and Other Restricted Data
8. Reporting IT Security Incidents
9. Additional Information & Resources
10. Security Self-Test: Questions & Scenarios (You are here)


10. Security Self-Test: Questions & Scenarios


Scenario #1:
Your supervisor is very busy and asks you to log into the HR Server using her user-ID and password to retrieve some reports. What should you do?
a) It's your boss, so it's okay to do this.
b) Ignore the request and hope she forgets.
c) Decline the request and remind your supervisor that it is against UC policy.
See next page for answer


Scenario #1:
Answer: C.
User IDs and passwords must not be shared. If pressured further, report the situation to management, the ITS Support Center (http://its.ucsc.edu/get-help/index.html) or the UCSC Office of the Ombuds (http://ombuds.ucsc.edu).


Scenario #2:
You receive the following email from the Help Desk:
Dear UCSC Email User,
Beginning next week, we will be deleting all inactive email accounts in order to create space for more users. You are required to send the following information in order to continue using your email account. If we do not receive this information from you by the end of the week, your email account will be closed.
*Name (first and last):
*Email Login:
*Password:
*Date of birth:
*Alternate email:
Please contact the Webmail Team with any questions. Thank you for your immediate attention.
What should you do?


Scenario #2:
Answer:
This email is a classic example of "phishing" – trying to trick you into "biting". They want your information. Don't respond to email, instant messages (IM), texts, phone calls, etc., asking you for your password. You should never disclose your password to anyone, even if they say they work for UCSC, ITS, or other campus organizations.


Scenario #3:
A friend sends an electronic Hallmark greeting card to your work email. You need to click on the attachment to see the card. What should you do?


Scenario #3:
Answer: Delete the message.
This one has four big risks:
1. Some attachments contain viruses or other malicious programs, so just in general, it's risky to put unknown or unsolicited programs or software on your computer.
2. Also, in some cases just clicking on a malicious link can infect a computer, so unless you are sure a link is safe, don't click on it.
3. Email addresses can be faked, so just because the email says it is from someone you know, you can't be certain of this without checking.
4. Finally, some websites and links look legitimate, but they're really hoaxes designed to steal your information.


Question #4:
Which workstation security safeguards are YOU responsible for following and/or protecting?
a) User ID
b) Password
c) Log-off programs
d) Lock-up office or work area (doors, windows)
e) All of the above
See next page for answer


Question #4:
Answer: E. All of the above


Scenario #5:
Real-life Scenario:
One of the staff members in ITS subscribes to a number of free IT magazines. Among the questions she was asked in order to activate her subscriptions, one magazine asked for her month of birth, a second asked for her year of birth, and a third asked for her mother's maiden name.
Q: What do you think might be going on here?
See next page for one possible answer


Scenario #5:
Possible answer:
All three newsletters probably have the same parent company or are distributed through the same service. The parent company or service can combine individual pieces of seemingly-harmless information and use or sell it for identity theft. It is even possible that there is a fourth newsletter that asks for day of birth as one of the activation questions.
Note: Often questions about personal information are optional. In addition to being suspicious about situations like the one described here, never provide personal information when it is not legitimately necessary.


Scenario #6:
Real-life Scenario:
We saw a case a while back where someone used their yahoo account at a lab on campus. She made sure her yahoo account was no longer open in the browser window before leaving the lab. Someone came in behind her and used the same browser to re-access her account. They started sending emails from it and caused all sorts of mayhem.
Q: What do you think might be going on here?


Scenario #6:
Possible answers:
The first person probably didn't log out of her account, so the new person could just go to history and access her account.
Another possibility is that she did log out, but didn't clear her web cache. (This is done through the browser menu to clear pages that the browser has saved for future use.)


Scenario #7:
Two different offices on campus are working to straighten out an error in an employee's bank account due to a direct deposit mistake. Office #1 emails the correct account and deposit information to office #2, which promptly fixes the problem. The employee confirms with the bank that everything has, indeed, been straightened out.
Q: What's wrong here?


Scenario #7:
Answer:
Account and deposit information is sensitive data that could be used for identity theft. Sending this or any kind of sensitive information by email is very risky because email is typically not private or secure. Anyone who knows how can access it anywhere along its route.
As an alternative, the two offices could have called each other or worked with their computing people to send the information a more secure way.


Scenario #8:
Real-life Scenario:
In our computing labs and departments, print billing is often tied to the user's login. People log in, they print, they (or their department) get a bill. Sometimes people call to complain about bills for printing they never did, only to find out that the bills are, indeed, correct.
Q: What do you think might be going on here?


Scenario #8:
Possible answer:
Sometimes they realize they loaned their account to a friend who couldn't remember his/her password, and the other person printed. Thus the charges. It's also possible that somebody came in behind them and used their account.
This is an issue with shared or public computers in general. If you don't log out of the computer properly when you leave, someone else can come in behind you and retrieve what you were doing, use your accounts, etc. Always log out of all accounts, quit programs, and close browser windows before you walk away.


Scenario #9:
The mouse on your computer screen starts to move around on its own and click on things on your desktop. What do you do?
a) Call your co-workers over so they can see
b) Disconnect your computer from the network
c) Unplug your mouse
d) Tell your supervisor
e) Turn your computer off
f) Run anti-virus
g) All of the above
See next page for answer


Scenario #9:
Answer: B & D.
This is definitely suspicious. Immediately report the problem to your supervisor and the ITS Support Center (itrequest.ucsc.edu, 459-4357, help@ucsc.edu or Kerr Hall room 54, M-F 8AM-5PM).
Also, since it seems possible that someone is controlling the computer remotely, it is best if you can disconnect the computer from the network (and turn off wireless if you have it) until help arrives. If possible, don't turn off the computer.


Scenario #10:
Which of the following passwords meets UCSC's password requirements?
A. @#$)*&^%
B. akHGksmLN
C. UcSc4Evr!
D. Password123


Scenario #10:
Answer: C. UcSc4Evr!
This is the only choice that meets all of the following UCSC requirements:
• At least 8 characters in length
• Contains at least 3 of the following 4 types of characters: lower case letters, upper case letters, numbers, special characters
• Not a word preceded or followed by a digit
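The three requirements above, applied to the four candidate passwords from the question, as an added example that is not part of the UCSC tutorial. The `WORDS` set is a constructed stand-in for a dictionary word list, and the third rule is read slightly more generally than stated (a run of digits before or after the word also counts).

```python
"""Check Scenario #10's candidates against the three UCSC rules quoted above.
Added example, not the tutorial's own code; WORDS is a constructed word list."""
import re
import string

MIN_LENGTH = 8
MIN_CLASSES = 3

# Constructed stand-in for a real dictionary (assumption, not UCSC's list).
WORDS = {"password", "secret", "welcome", "letmein", "santacruz", "ucsc"}


def char_classes(pw: str) -> int:
    """Count how many of the 4 character types (lower, upper, digit, special) appear."""
    return sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ))


def is_word_with_digits(pw: str) -> bool:
    """True if pw is a dictionary word preceded and/or followed only by digits."""
    m = re.fullmatch(r"(\d*)([A-Za-z]+)(\d*)", pw)
    if not m or not (m.group(1) or m.group(3)):
        return False
    return m.group(2).lower() in WORDS


def failures(pw: str) -> list[str]:
    """Return the requirements pw violates; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if char_classes(pw) < MIN_CLASSES:
        problems.append("fewer than 3 character types")
    if is_word_with_digits(pw):
        problems.append("dictionary word with digits")
    return problems


CANDIDATES = {"A": "@#$)*&^%", "B": "akHGksmLN", "C": "UcSc4Evr!", "D": "Password123"}


def passing_choices() -> list[str]:
    """Letters of the candidates that satisfy every rule."""
    return [k for k, pw in CANDIDATES.items() if not failures(pw)]


if __name__ == "__main__":
    for k, pw in CANDIDATES.items():
        print(k, pw, failures(pw) or "OK")
```

Note that D passes the length and character-type rules and is rejected only by the third rule, which is why that rule is part of the check.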


Scenario #11:
You receive an email from your bank telling you there is a problem with your account. The email provides instructions and a link so you can log in to your account and fix the problem. What should you do?


Scenario #11:
Answer:
Any unsolicited email or phone call asking you to disclose your password, financial account information, social security number, or other personal or private information is suspicious – even if it appears to be from a company you are familiar with. Always contact the sender using a method you know is legitimate to verify that the message is from them.


Scenario #12:
A while back, the IT guys got a number of complaints that one of our campus computers was sending out Viagra spam. They checked it out, and the reports were true: a hacker had installed a program on the computer that made it automatically send out tons of spam email without the computer owner's knowledge.
Q: How do you think the hacker got into the computer to set this up?


Scenario #12:
Answer:
This was actually the result of a hacked password. Using cryptic passwords that can't be easily guessed, and protecting your passwords by not sharing them or writing them down, can help to prevent this. Passwords should be at least 8 characters in length and use a mixture of upper and lower case letters, numbers, and symbols.
Even though in this case it was a hacked password, other things that could possibly lead to this are:
• Out of date patches
• No anti-virus software or out of date anti-virus software
• Clicking an unknown link or attachment
• Downloading unknown or unsolicited programs on to your computer


Phishing and Spam Quiz
SonicWALL has published a fun, informative quiz to test how well you distinguish between email schemes and legitimate email. Check it out at: http://www.sonicwall.com/phishing/

