April 12, 2017

Network monitoring

The University of Alabama at Birmingham provides network and Internet access for faculty, staff, students, and guests.

Due to Federal requirements such as the Communications Assistance for Law Enforcement Act (CALEA), the Family Educational Rights and Privacy Act (FERPA), the Higher Education Opportunity Act (HEOA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the University employs various measures to protect the security and availability of its information resources.

Users should be aware that their uses of University computer and network resources are not private.  While the University does not routinely monitor individual usage, it does monitor the normal operation and maintenance of the University's computing and networking resources including backup, logging of activity, the monitoring of general and individual usage patterns, and other such activities that are necessary for information security and the delivery of service.  In addition, the University reserves the right to review, monitor and/or capture any content residing on, or transmitted over, its computers or network at its sole discretion without prior notification or approval.
UAB Enterprise Information Security can perform a security and/or vulnerability assessment of your system to identify vulnerabilities, which could lead to an information compromised or breach. Commercially vetted software tools are used to analyze your environment finding vulnerabilities in software and network systems. We offer mitigations consulting and assistance to address vulnerabilities before they can be exploited by unauthorized individuals. Assessments also can be performed on existing production systems to improve their security posture.

Any Internet-facing systems will be routinely scanned on a monthly basis to ensure that any changes in security posture are identified and addressed in a timely manner. Upon request of a firewall change in the UAB Border firewall, additional vulnerability assessments will be conducted to ensure compliance to UAB policies, standards, and rules.
September 22, 2016

Passphrase vs. Password

Passwords are the first line of defense against cyber-attacks.

Creating a safer password
Here are some general rules for creating a safer password:
  • Change your password frequently. People hate to hear this tip, but the fact is, most passwords will not be “cracked” or “guessed”, they will be stolen from an infected machine or a compromised website.  Changing your password often gives a shorter period of time for an attacker to use your compromised password.
  • Make passwords unique. When you change your password, consider it retired; attackers typically keep collections of old passwords that they routinely test in the hopes that someone reused them.
  • Make passwords unique. Add something to your password that customizes it and makes it different for each website or service account you use so a compromised password only works on the compromised site.
  • Create strong passwords. The longer a password is, the longer it takes an attacker to guess it; with current technology, an attacker can guess EVERY combination of an eight character password in 6 hours.  You should use passwords that use different character types including upper/lower-case, numbers and symbols.
  • Avoid obvious dictionary words. Anything related to your normal life (job, hobbies, pet names, etc.) should be excluded from your passwords.  An attacker might build a dictionary that is custom tailored to contain words related to information they gathered about you.

Creating a passphrase

One way to use these rules is by using passphrases versus a password. Here is one way to create one:
  • Start with a long phrase that you'll remember. This can be anything — such as a favorite song, poem or title. For example, we'll use a line from the UAB Alma Mater:
          Praise to thee our UAB
  • Make some memorable changes to the passphrase. In our example below, we removed the spaces, added a symbol, and replaced the word "to" with the number "2."
          praise2theeourUAB!
  • Make the password unique and memorable. Returning to our example, we'll add the first three letters of the web site where the passphrase will be used and something different like the number of letters in the name.
          apple.com = App5praise2theeourUAB!
          facebook.com = Fac8praise2theeourUAB!

Important links:
September 22, 2016

PhishMe Reporter

PhishMeReporter logoSo you’ve received a suspicious email and you think it may be a “phish” designed to steal your UAB account credentials. But how do you report this message and find out for sure?

Reporting suspicious messages used to be a multi-step process for UAB users, but now you can report a suspicious message with a single click. For those users on a Windows or Mac system who use Microsoft Outlook, UAB Information Security has partnered with PhishMe Inc. and made PhishMe Reporter available to all UAB users. PhishMe Reporter is an add-on software “plug-in” to Microsoft Outlook that allows for one-click reporting of suspicious emails.

If you are using the Microsoft Outlook client, you should use the PhishMe reporter tool to submit a phishing email.

If you cannot use PhishMe Reporter, immediately forward phish messages to abuse@uab.edu. NOTE: UAB IT may retrieve header information if needed for these messages from our mail server if they are not included in the forward.

Note: PhishMe Reporter is not intended for UAB Medicine employees (i.e. anyone with a uabmc.edu email address) as UAB Medicine IT will be rolling this out separately later this month.

Printable instructions for installing PhishMe
Installing PhishMe Reporter from Software Center
Installing PhishMe Reporter from an MSI
Installing PhishMe Reporter for Mac

Quick link to download Windows MSI
Quick link to download Mac .app
September 22, 2016

PhishMe

PhishMe LogoOne of the most effective ways for a cyber-attacker to compromise an organization’s cyber resources is to gain unauthorized access by compromising an account through phishing emails. In fact, industry experts report that 91 percent of all breaches start with phishing emails.  If such an email lands in a UAB inbox, we are just a few clicks away from having UAB’s security compromised.  This means UAB students, faculty and staff are all an integral part of our information security posture.

In an effort allow our users to become familiar and more resilient to tactics used in real phishing attacks, UAB Information Security will be working with PhishMe Inc. to send out fake phishing emails to our students, faculty and staff that imitate real attacks. These emails are designed to give you a realistic experience in a safe and controlled environment.

Please note, that we will not be receiving nor storing any passwords, there is no penalty to falling victim to one of the simulations, and victimized users will not be singled out.  However, we do ask the users who have fallen victim to the phishing email to take 30-60 seconds to review the education material that is presented after falling victim to one of the simulated attacks.
September 22, 2016

Keeper password manager

Keeper LogoKeeper is a password management application. It stores your login credentials for different websites so they are easily accessible to you while still being stored securely when not needed. Instead of having to remember all of your login credentials, you only need to remember the one master password for your Keeper Vault.

Keeper is available to UAB staff, students and faculty. It is not available to UAB Hospital staff at this time.

Register with Keeper.
To create a Keeper account and start your vault:
  • Register with Keeper here.
  • Create a master password that is not the same as your BlazerID password. When creating your Master Password, Keeper requires a 15-character password length with one special character (e.g. !@#%), one uppercase letter, one lowercase letter and at least one number. Ideas for secure passwords are available here. Note: Your browser may prompt you to save your Keeper Master Password. NEVER allow the browser to save your Keeper password.
  • To complete the registration process, you will need to enter your @uab.edu email address, and set a Master Password along with a "Security Question and Answer."  Keeper offers you the ability to choose between one of their security Q&A or you can create your own.
  • Next you must accept the terms of use and click "Create Account."
NOTE: You must use your @uab.edu email address that is listed in the UAB phonebook. That address can be either your BlazerID@uab.edu or Alias@uab.edu. You can check what your @uab.edu email address by searching your name or BlazerID in the UAB directory (available here).

Browser extensions
Install the browser extensions available for Chrome, Firefox, Safari & Internet Explorer here. These extensions allow Keeper to automatically create entries in your vault for credentials you enter into different websites. It also allows Keeper the ability to automatically enter credentials for sites for which you have saved entries. For example: If you have saved credentials for Facebook in your Keeper Vault, Keeper will offer to enter those credentials when you visit Facebook.com.

Keeper Vault
Download the Keeper Vault for your Desktop (Mac, Windows, Linux) from here

Keeper App
Download the Keeper App for your mobile devices.

  • Tutorials, Quick Start Guides, and 24/7 support & live chat are available here.
  • The UAB Keeper User Guide is available here.

UAB IT has a procedure for secure media destruction of discs, CDs, DVDs, tapes and hard drives. 

Departmental IT personnel should call AskIT or submit a ticket to AskIT requesting an appointment for secure media destruction, then fill out a UAB Secure Media Destruction Custody Form with the ticket number. AskIT staff will make an appointment for you to bring the media and the form to the AskIT help desk in Cudworth Hall (CEC 225).

  • The individual transferring the media to UAB IT's AskIT help desk is required to verify all media listed on the forms is present.
  • All media must be listed on forms and numbered.
  • Media not numbered or listed on forms will not be accepted.
  • All fields on forms must be completed.
  • Each form must accompany the related media.

Once in the possession of AskIT, the media is stored securely until it is picked up by UAB IT staff for transport to the destruction site. The media is delivered to the Waste Holding Facility to be destroyed using the metal shredder or incinerator as appropriate. UAB IT personnel are required to witness the destruction of media and record this on the form you submit. The form will be attached to the work order created with AskIT.

Related procedures:

Destruction of University Records Procedures

January 31, 2013

IT Security Newsletters

Monthly Training Newsletters

UAB IT is now providing information security training materials to inform university faculty, staff and students about computer threats.  Each month a newsletter will be released focusing on new and different cyber security threats.  Contact the UAB IT Information Security office for more specific training options that can increase the protection of your information systems.