
Security

June 22, 2016

Recommended Best Practices for Use of Sensitive Data With Web Applications

Developers and website administrators incur risk when they collect sensitive data, such as student data, through web forms, and when they use web-based applications to analyze and display this data.

CASIT employs and recommends the following security practices when web forms are used for sensitive data:

Training

  • CASIT strongly recommends that all users of web forms that collect sensitive data or site administrators of sites that work with such data undergo training both in basic online security awareness and in the responsible use of UO sensitive data. We will post information on training opportunities as they become available. In addition to formal training opportunities, CASIT encourages our clients to speak to us about their web forms, data, and best practices.

Risk analysis

Sensitive data authorization

  • Before assisting a client with building a form, CASIT will verify that the requestor has the authority to collect the sensitive data in question. If sensitive data is to be used ‘downstream’ of this collection, it is the requestor’s responsibility to appropriately authorize any data consumers.

Content Management Systems

  • Web forms collecting or referencing sensitive data through content management systems (CMS) are deployed on fully supported and maintained platforms (e.g. Drupal Central Hosting, BAO’s forms.uoregon.edu, WordPress) or on vendor-supplied commercial off-the-shelf software (e.g. Qualtrics).

Custom Development

  • Web applications that collect or reference sensitive data are built and maintained (or subcontracted) by qualified application teams that adhere to established best practices for the applicable development technologies and hosting platforms. Such applications are included in application life-cycle management (ALM) portfolios to ensure that security best practices are followed in all development, maintenance and governance processes (e.g. requirements, architecture, coding, testing, maintenance, change/release management, disaster recovery planning).

Web application security

  • For access, use UO-approved single-sign-on (Shibboleth) wherever possible. Web applications which analyze and display sensitive data are maintained using web security best practices. For more information about web security best practices, see owasp.org.

Hosting and system governance

  • Whatever CMS is in use, developers should use an actively and professionally supported instance of the CMS. That is, for Drupal, UO’s Drupal Central Hosting is recommended. For WordPress, Campus Press (blogs.uoregon.edu) is recommended. Both environments have active governance teams constantly reviewing security-related issues.

Database security

  • Developers use a least-privilege approach, never allowing, for example, database ports to be opened to off-campus networks. Database connection strings stored in code repositories are restricted to the smallest possible group of developers. For Windows servers, database connection strings are kept in an encrypted password tool (e.g. Thycotic), are not stored in code repositories, and are encrypted at rest on the server.
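One way to enforce the "no connection strings in the repository" rule above is a pre-commit or CI scan. The script below is an added example, not a CASIT tool; the file suffixes, the two connection-string shapes it recognises (URL with embedded credentials, and ADO.NET-style key=value strings) and the sample text are all assumptions constructed for illustration.

```python
"""Scan source files for committed database connection strings (added example)."""
import re
from pathlib import Path

# Two common shapes of a connection string: a URL with user:password@host,
# and a key=value string carrying a Password= or Pwd= field.
CONN_PATTERNS = [
    re.compile(r"\b(?:postgres(?:ql)?|mysql|mssql|mongodb|redis)://[^\s'\"@]+:[^\s'\"@]+@[^\s'\"]+", re.I),
    re.compile(r"(?:Server|Data Source)=[^;\n]+;[^\n]*?(?:Password|Pwd)=[^;\s'\"]+", re.I),
]

def redact(s):
    """Mask the password portion so the scan report does not leak it."""
    s = re.sub(r"(://[^:@\s]+:)[^@\s]+(@)", r"\1***\2", s)
    s = re.sub(r"((?:Password|Pwd)=)[^;\s'\"]+", r"\1***", s, flags=re.I)
    return s

def find_connection_strings(text):
    """Return (line_number, redacted_match) pairs for every hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pat in CONN_PATTERNS:
            for m in pat.finditer(line):
                hits.append((lineno, redact(m.group(0))))
    return hits

def scan_tree(root, suffixes=(".py", ".php", ".js", ".cs", ".config", ".env", ".ini", ".json", ".yml")):
    """Walk a checkout and map each offending file path to its hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_connection_strings(path.read_text(errors="ignore"))
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed sample of what a scan would catch (values are made up).
SAMPLE = '''DB_URL = "postgresql://app_user:Hunter2@db.example.edu:5432/grades"
conn = "Server=db01;Database=students;User Id=svc_forms;Password=S3cret!;"
safe = os.environ["DB_URL"]   # reading the secret from the environment is fine
'''

if __name__ == "__main__":
    for lineno, hit in find_connection_strings(SAMPLE):
        print(f"line {lineno}: {hit}")
```

Run `scan_tree(".")` from the repository root to check a whole checkout; a non-empty result should fail the commit or build.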

Service accounts

  • Service accounts adhere to the least-privilege principle. They should be non-person accounts, with credentials stored in a secure system.

Server security

August 19, 2015

Widespread security incidents with UO printers

Outside attacks on printers are a widespread problem on campus right now.

When UO Information Services’ security team detects a printer in CAS that they suspect is insecurely configured, CASIT is then informed and we immediately take actions to secure the printer. End-users are encouraged to report any unusual printing activity as well. Once secured, CASIT reports these printers to UO Network Services in order to block all such future threats via an edge-of-campus firewall.

CASIT is therefore examining each potentially compromised printer individually to change the security settings so that they are as strict as possible.

Please contact casit@uoregon.edu with any questions.

Thank you for your patience with this process.

October 21, 2011

FERPA Guidelines for CAS faculty and staff

The Family Educational Rights and Privacy Act (FERPA) affords students certain rights with respect to their education records. Faculty and staff should keep the following guidelines in mind when dealing with student records. Refer any questions you may have to the Office of the Registrar.

For more specific information, please refer to the University’s guidelines.

July 18, 2011

Safe computing: Tips and Tricks

Anti-virus programs are very important for computer security, but security starts with you, the user. There are many things you can do in several different areas to ensure the safety of your computer and your data.

General best practices
Email security
File and Data security
Computer security
Web and social networking security


General best practices

  • Do not give out your log in information to anyone via e-mail or the phone.
  • Do not write your passwords on sticky notes and leave them laying around.
  • Make a password for your computer—and not something like “password1”!
  • Use KeePass, which manages all your passwords so you can save them (and avoid entering them all the time) and protects them with a master password.
  • Do not leave your office with your computer open and usable. Lock your computer or log off, shut/lock the door or use a computer cable lock, which secures your machine to the desk.
  • Avoid keeping strong magnets, liquids or messy food around your computer. Magnets can alter the hard drive, causing data to be unrecoverable, and liquid spills can vary from recoverable to completely ruinous!
  • When transporting your computer from one place to another, shut it down first or ensure it is sleeping/hibernating so that the hard drive is not spinning. Jostling a computer with a spinning (active) hard drive can cause errors and data loss.
  • Ensure your computer has adequate ventilation—avoid using it in bed on your lap! Overheating can warp the connections in a hard drive and is a major cause of data loss.

Email security

  • Avoid clicking links which look like gibberish, are sent to you by unknown persons or that seem unusual for the person who sent it.
  • Be wary of attachments, as they are a popular vehicle for viruses. Look for common file extensions like .docx, .pptx, .pdf, and .jpg. Even so, be careful—some viruses masquerade as images! Avoid .exe or .com files unless you trust the sender and were expecting one of those.
  • Set your anti-virus suite to scan incoming emails and downloaded attachments.
  • Check the “full headers” of an email message to determine the true source of it (look for the Return-Path field). Be wary of emails where Return-Path and From differ.
  • Be wary of emails asking for your log in information, especially if they appear to come from some “system administrator” or “IT team” or “security team.” Make sure the email address contains the correct domain (uoregon.edu for example) and check with CASIT if you think it still sounds fishy.
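The two header checks above (Return-Path versus From, and the From address carrying the expected domain) can be automated. The script below is an added example, not a CASIT tool; it compares the domains of the two headers rather than the full addresses, and the trusted domain, the subject keyword and both sample messages are assumptions constructed for illustration.

```python
"""Warn on messages whose Return-Path and From disagree or whose sender is off-domain (added example)."""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "uoregon.edu"   # assumption: the campus domain named in the tips

def domain_of(header_value):
    """Return the lowercase domain from a header such as 'Name <user@host>', or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_headers(raw_message):
    """Return a list of warning strings for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    warnings = []
    if not from_dom:
        warnings.append("missing or unparsable From header")
    if rp_dom and from_dom and rp_dom != from_dom:
        warnings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    # A look-alike such as uoregon.edu.example.net must not pass as the campus domain.
    if from_dom and from_dom != TRUSTED_DOMAIN and not from_dom.endswith("." + TRUSTED_DOMAIN):
        warnings.append(f"From domain {from_dom} is not {TRUSTED_DOMAIN}")
    if "password" in (msg.get("Subject") or "").lower():
        warnings.append("subject mentions a password")
    return warnings

# Constructed sample: the display name claims to be campus IT, but the bounce
# address points elsewhere, the domain is a look-alike, and the subject asks for credentials.
PHISH = """Return-Path: <bounce@mail-relay.example.net>
From: "UO IT Security Team" <helpdesk@uoregon.edu.example.net>
To: someone@uoregon.edu
Subject: Your password will expire today

Please reply with your login information to keep your account.
"""

# Constructed sample of an ordinary campus message.
LEGIT = """Return-Path: <colleague@uoregon.edu>
From: Colleague <colleague@uoregon.edu>
To: someone@uoregon.edu
Subject: Meeting notes

Attached are the notes from today.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, check_headers(raw) or ["no warnings"])
```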

File and Data security

  • Make regular backups of important data to an external hard drive, to your department’s or your own server space or even to CD/DVD or a thumb drive. One copy is not enough!
  • For highly sensitive information, consider encryption. Encryption makes files unreadable by any but the authorized user. Consult CASIT for help.
  • When getting rid of an old computer/hard drive, request that it be securely wiped once you have made sure you have all of your data safely copied to your new computer/hard drive.

Computer security

  • Keep your anti-virus suite up-to-date so it can catch the latest viruses and malware.
  • Install an additional on-demand scanner for malware/greyware/spyware. Malwarebytes or Spybot Search & Destroy are both excellent choices. Keep this program up-to-date!
    • Run the “immunization” function of Spybot to ensure maximum browser security.
  • Keep your operating system (Windows or OSX) up-to-date; Microsoft and Apple both periodically release “patches” which fix flaws in the operating system. You can run updates from these locations:
    • Windows: Start > Control Panel > Windows Update
    • Mac: Apple menu > Software Update.
  • Make sure the firewall built into your OS is active.
    • Windows: Start > Control Panel > Windows Firewall
    • OSX: Apple menu > System Preferences > Security > Firewall

Web and social networking security

  • Use common sense. A trustworthy website will be well-organized, appear official and will help you find information or perform an action.
  • When deciding whether to click a link, hover your mouse over it. Check the status bar at the bottom of the program you are in, or wait for a small box to pop up over the cursor. If the address shown there differs from the link you were sent, don’t click it!
  • Avoid using excessive Facebook applications. Many applications are fronts for viruses or account hijackers.
  • Close suspicious windows and pop-up ads by using Alt-F4 rather than the X button.
  • Watch out for redirects. If you click on one link and end up on some other page, especially if it looks shady, the page may be dangerous or you may have a browser hijacker.
  • Use ad blockers, Javascript blockers and Flash blockers. Ask for help choosing Javascript or Flash blockers, since many legitimate applications and tools use these things (such as YouTube).


April 28, 2011

Installing McAfee Antivirus

McAfee is a virus protection software provided free of charge to students, faculty and staff through UO Licensing. If you need McAfee, you can get it from a DuckWare CD or from http://it.uoregon.edu/software/virusscan

Note: If you have a previous version of McAfee installed or already have virus protection software such as Norton Anti-Virus installed, you will need to uninstall it before continuing the installation.

  1. Once you have the McAfee installation file (uoavinstall.exe) saved to your system, double-click on it to run it.
    • Windows may warn you that it might be dangerous to run a program you downloaded off the Internet. You can safely proceed.
  2. After the McAfee installation window opens, click Next and wait for it to prepare the install.
  3. When prompted about unchecking update and scanning boxes, click OK.
  4. When prompted about the McAfee VirusScan Enterprise Setup, click Next.
  5. On the licensing window, select “Perpetual License” from the upper-left drop down menu, check the “I accept…” button below the license and then hit OK.
    • Windows 7 – When prompted, agree to remove Windows Defender.
  6. On the “Select Setup Type” window, ensure that “Typical” is selected and click Next.
  7. On the “Select Access Protection Level” select “Standard Protection” and click Next.
  8. On the “Ready to Install” window, click Install and wait for the installation to complete.
  9. After the installation process has finished, you will be shown two check boxes. Uncheck them both and hit Finish.
  10. You may be prompted with a warning about a network driver. Click OK to proceed through the warning.
  11. When you are prompted with the McAfee AntiSpyware Enterprise Module install window, click Next.
  12. On the licensing window, select “Perpetual License” from the upper-left drop down menu, check the “I accept…” button below the license and then hit OK.
  13. After the module installs, a completion window will appear. Hit Finish.
  14. When prompted about McAfee Update Handling, select “Managed” and wait for the McAfee Agent Setup to complete. When it does, click OK.
  15. When prompted to update your virus definitions, select “Update Now” and wait for McAfee to update.
  16. On the “Reporting Usage” window, select “Already Registered”.
  17. On the “Antivirus Installation Finished” window, save all your open files, close all other open programs and then select “Restart My Computer”.
  18. When prompted about restarting the computer, click OK.