Vulnerability Assessments, Vigilance, and Diligence
OIT routinely runs assessments on the servers that support the services used by the administrative and academic units at American University. The assessment tools look for and report on vulnerabilities and weaknesses that could pose a risk of exploitation by malicious attacks. In addition to the network assessments, we subscribe to ongoing application security assessments to monitor and report on weaknesses in our Web-based applications.
Computer Health Check
American University uses network access control (NAC) as an approach for enforcing a baseline minimum-security standard for all workstations connecting to the University network, both wired and wireless. The solution currently used is Cisco Clean Access (CCA).
Connecting Securely from your Remote Computer
OIT provides a web-based Virtual Private Network (VPN) service for protecting your connection from a remote system to university services.
Are you interested in performing your own health assessment? Microsoft offers a free PC Safety Scan for Windows-based computers.
Do you have confidential data stored on your computer or network drives? Log in to the portal to download MyIDProtector, which helps you identify credit card numbers, Social Security numbers, addresses, and other data elements that may expose you and/or the University to identity theft or to regulatory or reputational risk.
Visit Apple's OS X website to review all of the built-in security features.
Secure Data Removal
OIT strongly recommends secure data removal when you are donating your computer to an organization, transferring a computer from one employee to another, or when sensitive data has been handled, to ensure that the sensitive data has been virtually shredded (the trash or recycle bin does not completely remove the data). There are several paid and free tools to assist users with securely removing data from their computers. Our recommendations are available on the Protecting Sensitive Data page.
Creating Strong Passwords
Nowadays, we all have to juggle five, ten, maybe more passwords. Follow our recommendations for creating a strong, memorable password in three simple steps:
Think of a sentence you can remember.
Use this as the basis of your strong password. For example, if you think, "my daughter Sara is four years old," use the first letter of each word to create a nonsensical word. Using the example above, you would get "mdsifyo".
Add complexity by mixing uppercase and lowercase letters and numbers.
It is valuable to swap out letters for numbers and symbols. For instance, in the password above, consider substituting the symbol $ for the letter "s" and the number 4 for the word "four", and the number 0 (zero) for the letter "o". This might yield a password like "Md$i4y0".
Change your password every 90 days.
Every 90 days equals about five changes per year. Instead of starting from scratch, change your current password by altering a number in your password. For example, after the first 90 days, you might change the password above by changing the 0 to a number 1, resulting in the new password: "Md$i4y1".
Test your new password with Microsoft's Password Checker, which is a non-recording feature on Microsoft's website that helps determine your password's strength as you type.
Has someone forwarded you an e-mail that looks suspicious or warns you of a virus or spam that is making the rounds? Before you forward the e-mail to all of your friends, you may want to perform a quick check on Snopes, an urban legends website. It is a fantastic resource that collects information about the plethora of hoaxes floating around the Internet. Just cut and paste the subject of the e-mail into the search engine. Of course, you can always contact the IT Help Desk at 202-885-2550, firstname.lastname@example.org, or AskAmericanUHelp to help you with your concerns.
Developing Secure Code for Web Applications
Consider joining the Open Web Application Security Project (OWASP). The project is a worldwide free and open community focused on improving the security of application software. Its mission is to make application security "visible", so that people and organizations can make informed decisions about application security risks.