
Essential Security Measures

Backup Important Computer Files

Why should you back up important files?


If you don't back up your data, you run the risk of losing it. Your files could disappear
due to a virus, computer crash, accidental keystroke, theft, or disaster.

Make backup copies of files or data you are not willing to lose -- and store the
copies very securely.
To back up your files:

Check with the ITS Support Center or your ITS Divisional Liaison to find out if
there are regular backups of your department's computers.

Make copies of critical and essential files on a daily basis and non-critical files on
a weekly or monthly basis.

Store backups containing sensitive or critical data securely.

Store backups away from your computer, in case of fire or theft.

Periodically test the capability to restore from the backups.

Don't forget about mobile devices! Synch or back these up regularly, too.

Don't download unknown or unsolicited files


What's the risk of downloading programs and files?
They can harbor behind-the-scenes computer viruses and spyware, or open a "back
door" giving others access to your computer without your knowledge.


To help protect your computer and data:


Only download files, apps, and plugins from trusted sources.

Don't download plugins to view pictures, videos, music and other content online
without verifying their legitimacy. These often contain malware.

Don't download unknown software or files. Be especially cautious about free
software offered online or via email.

Use filesharing software with caution.

Improperly configured filesharing software can allow others access to your
entire computer, not just to the files you intend to share.

Viruses and other malware can be transmitted by filesharing software; files
offered by others may not always be what they say they are.

Although filesharing is not in itself illegal, if you share or download
copyrighted material without permission, even unwittingly, you are breaking
both the law and UC policy and could be subject to University, criminal, and/or
civil sanctions. Please see the ITS Copyright Education web site for more
information.

Don't click on links or ads for software in email, popups, instant messages/texts,
or social networking sites such as Facebook and Twitter.

Don't open unsolicited attachments. If in doubt, contact the sender and ask if the
attachment is legitimate.

Don't use untrusted portable media, such as a stranger's flash drive. If the flash
drive is infected, it will infect your computer.

Never deactivate your computer's antivirus or other protective software. Set them
to update frequently and automatically.

Lock Your Screen


Why should you lock your screen when you're away?
This helps prevent others from viewing or using your device when you're not around. Set
up your computer and mobile devices to lock, log you out or go to screensaver after a
certain amount of inactivity.

What you should know:


UC Office of the President requires all campuses to implement certain minimum network
connectivity requirements. One of these requirements is that devices that store or
access restricted and/or essential information are required to lock or go to screensaver
(or be turned off) when left unattended for an extended period of time. A strong
password must be required to start up or resume activity.
What should you do?

The following are required for devices that store or access restricted and/or
essential information and strongly recommended for all other devices.

Shut down, lock, log off, start screensaver, or put your device to sleep before
leaving it unattended

<ctrl><alt><delete> or <Windows key><L> on a Windows PC

Apple menu or power button on a Mac

See below for mobile devices

Set your device to "lock," "sleep," "auto log-off", or go to screensaver when you're
not using it (max. 20 minutes of inactivity).

Make sure you have to enter a strong password to start up or wake-up your
computer.

Disable auto-login. You shouldn't be able to start up or wake up your computer
without entering a password. If you can, auto-login may be on.

FOR MOBILE DEVICES:

Set your device to require a strong password/PIN to start up or resume
activity, and to automatically lock when not in use--but still don't store anything
you're not willing to lose.

Some devices can be set to be erased remotely, or to erase themselves if
the password/PIN is entered incorrectly a certain number of times. Consider
turning these on to protect information in the case of theft or loss.

Physical Security
Why is physical security important?
To help prevent theft, loss, and unauthorized access


What should you do?


Lock up your computer with a cable and set an account password to login.

Secure laptop computers and mobile devices at all times: keep them with you or
lock them up securely before you step away -- even just for a second. And make
sure they are locked to or in something permanent.

Don't leave mobile devices unattended in public locations.

Be especially careful with portable electronic devices that store restricted
data (such as laptop computers, mobile phones, memory sticks,
CDs/DVDs/floppy disks). These items are extra vulnerable to theft or loss.

Some devices can be set to be erased remotely, or to erase themselves if
the password/PIN is entered incorrectly a certain number of times. Consider
turning these on to protect information in the case of theft or loss. Be sure to back
up your device regularly if you enable these features!

Don't leave sensitive information lying around, including on printers, fax
machines, or copiers.

Use a paper shredder or secure shred bin when throwing out personal or
sensitive information.

Be sure to lock up portable equipment and sensitive material before you leave
them unattended -- or take them with you.

Secure your area before leaving it unattended: take keys out of drawers, close
and lock windows, never share your access code, card or key, and don't hold secure
doors open for people you don't know.

Set up your workstation so that unauthorized people and passers-by cannot see
sensitive information on your monitor.

Securely delete all contents of computers and mobile devices, before discarding,
exchanging, selling or donating them.

In the case of theft or loss:

Report lost or stolen devices to the police. If the device contained sensitive
UCSC information or passwords, also report it to the ITS Support Center (contact
info below). Additional reporting information

Immediately change all passwords used or stored on the device.

See ITS' Mobile Devices and Wireless page for information about prevention in
case of theft or loss, and a checklist for lost or stolen mobile devices.

Turn off unnecessary services


What are services?
When talking about computers, "services" generally refer to programs that listen for and
respond to network traffic. Other services allow direct access to your computer.
Examples include:

Web servers, file servers, FTP servers, email and proxy servers

Remote access programs such as Remote Desktop

Open ports

Allowing others open access to your computer and your files (this includes guest
accounts, which should be disabled)

Why turn off unnecessary services?

Many computer break-ins are a result of people taking advantage of security
holes or problems with these programs.

The more services that are running on your computer, the more opportunities
there are for others to use them, break into or take control of your computer through
them.


How can you tell if services are necessary?


If you need assistance determining what services your computer is running or
determining whether they are appropriate, contact the ITS Support Center.
In general, services are necessary if:

There's a clear University business or educational need for them

They are generally appropriate given your role at the University

They don't allow anonymous access or guest access to your computer or files
unless there is a specific business need to do so (this is normally controlled with file
sharing settings)

Services also must NOT:

Introduce a security risk

Interfere with other University resources or the network

Create an excessive burden on campus infrastructure or resources


Services creating any of the harmful conditions above are subject to blocking or
disconnection from the campus network per ITS' Procedures for Blocking Network
Access.
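To see which services a computer is actually running, as discussed above, the output of `netstat -an` can be checked against a list of ports with a documented need. The following is an added example, not part of the original page; the sample output is constructed and the allowlist is hypothetical.

```python
import ipaddress

# Constructed sample of `netstat -an` output from a Windows workstation.
SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING
  TCP    [::]:21                [::]:0                 LISTENING
  TCP    192.0.2.10:49822       198.51.100.7:443       ESTABLISHED
"""

# Hypothetical allowlist: ports with a documented need on this machine.
APPROVED_PORTS = {135}


def listeners(netstat_text):
    """Yield (address, port) for every TCP socket in LISTENING state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            host, _, port = fields[1].rpartition(":")
            yield ipaddress.ip_address(host.strip("[]")), int(port)


def audit(netstat_text, approved=APPROVED_PORTS):
    """Return network-reachable listeners whose port is not on the allowlist."""
    findings = []
    for addr, port in listeners(netstat_text):
        if addr.is_loopback:      # reachable only from this computer itself
            continue
        if port not in approved:
            findings.append((str(addr), port))
    return sorted(findings, key=lambda item: item[1])


if __name__ == "__main__":
    for addr, port in audit(SAMPLE):
        print(f"unapproved listener on {addr} port {port}")
```

In the sample, the FTP listener on port 21 and Remote Desktop on port 3389 are reported, while the database bound to 127.0.0.1 is skipped because only the local machine can reach it.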

---

Specific requirements for recursive domain name servers (DNS):


A specific example of an unnecessary and frequently disruptive service that must be
disabled is open recursive DNS service. An open recursive DNS server is one which
allows recursive DNS queries to be issued from off campus. Attackers can use open
recursive DNS to flood a target system with DNS response traffic. This is called an
amplification attack and is a type of Distributed Denial of Service (DDoS) attack. UC
Santa Cruz DNS has been used in this type of attack.
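Whether a DNS server you administer is an open recursive server can be read from the header of its reply to a recursive query for a name it does not host, sent from an off-campus network. The following added example (not part of the original page) encodes such a query and classifies reply bytes; the function names, transaction ID and sample replies are constructed for illustration.

```python
import struct

QID = 0x1234  # constructed transaction ID shared by the query and sample replies


def build_query(name, qid=QID):
    """Encode an A/IN question with the RD (recursion desired) bit set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)


def classify(reply, qid=QID):
    """Read the DNS header of a reply and report how the server treated RD."""
    if len(reply) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", reply[:12])
    if rid != qid or not flags & 0x8000:        # ID mismatch or QR bit clear
        return "malformed"
    rcode = flags & 0x000F
    recursion_available = bool(flags & 0x0080)  # RA bit
    authoritative = bool(flags & 0x0400)        # AA bit
    if rcode == 5:
        return "refused"                        # the result you want off campus
    if recursion_available and not authoritative and rcode == 0 and ancount:
        return "open-recursive"                 # answered a name it does not host
    return "recursion-offered" if recursion_available else "no-recursion"


def sample_reply(flags, ancount):
    """Constructed reply: rewritten header, the question, optionally one A record."""
    body = build_query("www.example.org")[12:]
    if ancount:   # name pointer to offset 12, A/IN, TTL 300, 4-byte address
        body += struct.pack("!HHHIH4B", 0xC00C, 1, 1, 300, 4, 192, 0, 2, 1)
    return struct.pack("!6H", QID, flags, 1, ancount, 0, 0) + body


SAMPLES = {
    "open resolver": sample_reply(0x8180, 1),       # QR RD RA, NOERROR, answer
    "recursion refused": sample_reply(0x8105, 0),   # QR RD, REFUSED
    "authoritative only": sample_reply(0x8500, 1),  # QR AA RD, RA clear
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(f"{label}: {classify(reply)}")
```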

Computer Security Training Take-Home Messages and Resources

Take Home Messages


1) Computer security at UCSC depends on everyone being responsible for the
computing systems and data over which they have control.
2) Be wary of schemes to subtly or not-so-subtly get you to disclose sensitive or
restricted information, or your password.
3) Use cryptic passwords that can't be easily guessed. Never share your passwords,
and don't write them down.
4) Don't open email attachments or click on web links unless you know for certain that
what you are opening is safe.
5) Be careful about providing personal, sensitive or confidential information on the
internet. This includes Instant Messaging (IM), social networking sites, blogs, etc.
6) Always secure your computer before leaving it unattended, and make sure it requires
a password to start up or wake up.

7) Protect Restricted and Confidential data, and dispose of it securely.


8) Make sure your workstation has all necessary security patches and anti-virus
software, and that they are kept up to date.
9) Don't install unknown or unsolicited programs on computers.
10) Report suspected IT security incidents to your supervisor.
