The Top Ten IT Security Recommendations

Operating System Updates

Regularly apply the latest operating system updates

To install Windows updates, navigate to Control Panel > System and Security > Windows Update and apply all available updates

To install Mac OS X updates, select the Apple icon in the upper left-hand corner, and click "Software Update..."

UCLA Policy 401 requires that electronic devices connected to the campus network install all the latest security updates released by operating system manufacturers such as Apple, Microsoft, and the Linux distributions.

Anti-Virus and Malware

Use Anti-Virus Software.

Don't accept suspicious links or attachments.

Anti-Virus Software

UCLA policy requires that devices connecting to the campus network run up-to-date anti-virus software. To facilitate this, UCLA provides Sophos, a free anti-virus program, to UCLA students, faculty, and staff. UCLA IT Security recommends that every member of the campus community download Sophos and keep it running: Sophos for Mac OS X 10.4 and above, and Sophos for Windows XP/Vista/7.

  • The anti-virus should always be active and configured to update on a regular basis.
  • Configure your antivirus to automatically scan all downloaded files, removable media, and email attachments.
  • Only download files and plug-ins from trusted sources. Just because an add-on, application, or plugin looks legitimate does not mean that it is. Don't click on unknown links in email, texts, instant messages, social networking sites, ads, or pop-ups.
  • Contact your department's help desk or, if you are a student, the UCLA Student Technology Center, if you believe that your computer is infected with malware. Disconnect the computer from the network immediately to keep the infection from spreading or sending information to an attacker.

Passwords

The best passwords are longer, more complex, and don't use social network profile information

Overview

Passwords are one of the most important controls on access to information. Too many passwords are easy to guess by combining information known about a person (such as their street number or dog's name) with information freely available on their social media pages. In fact, many security questions rely on personal information that people freely post on Facebook or Twitter profiles!

So, what can a hacker or other malicious user do with your password?

  • He or she can log in under your name and gain access to any information that you are authorized to access.
  • Since most people use the same password for many different computers and online applications, a known password can unlock A LOT more about your digital life.
  • Whenever a person is using your username and password, they are you! This exposes you to potential legal liability, financial troubles, and social embarrassment.

How to Protect Yourself

Since a password is often the weakest link in the security chain, you can best protect yourself with the following practices:

  • Never share your password: you are the only one who needs to know it. Though it may be tempting to "back up" your password by telling it to somebody you trust, never give your password to anybody, regardless of how much you trust that person. Password sharing is a violation of the Bruin OnLine Acceptable Use Policy and may result in account termination.
  • Never write down your password, in your work area or anywhere else.
  • Change your password at least once every 3-6 months, and immediately after using it on a publicly-accessible computer.
  • Don't choose a password that is contained in your username or that appears in a dictionary in any language, spelled forward or backward. Don't use personal information (especially information that is available on social networking profiles): names of family members, places, pets, birthdays, address information, hobbies, etc.
  • The longer and more complex a password, the harder it is to guess. Passwords should be at least 8 characters and use a mix of capital and lower-case letters, numbers, and special characters (!, %, ;, ^, &, etc.). Substituting numbers or symbols for letters (for example "@" for "a") adds some variety, but password-cracking tools try these common substitutions automatically, so rely on length rather than on substitutions alone.
  • Don't choose a password that follows successive keys on the keyboard (like qwerty), and don't use sequential runs of letters or numbers (abc, 123).
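The rules in the list above, written out as a checker so you can see what each one actually rejects. This is an added example for this page, not code from UCLA or the original page: the mini-dictionary, the keyboard rows, the substitution table, and the personal-information tokens are constructed samples, and the function name check_password is an assumption. It also shows why a substitution such as "@" for "a" does not rescue a dictionary word: the checker undoes the substitution before looking the word up, exactly as cracking tools do.

```python
"""Password policy checker for the rules listed above.

Added illustration, not code from UCLA or the original page. DICTIONARY
is a constructed stand-in for a real wordlist; a deployment would use a
full dictionary (and, ideally, a breached-password list) instead.
"""
import re

# Constructed mini-dictionary standing in for a real wordlist.
DICTIONARY = {"password", "welcome", "dragon", "bruin", "ucla", "letmein", "monkey"}

# Common letter-for-symbol substitutions. Cracking tools undo these
# automatically, so "P@ssw0rd" is looked up as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Rows of a US keyboard; a run along (or back along) any row counts as a
# keyboard pattern such as "qwerty" or "1234".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

SPECIALS = set("!%;^&@#$*()-_=+[]{}<>?,./\\|`~'\"")


def _has_keyboard_run(pw, length=4):
    """True if pw contains `length` adjacent keys from one keyboard row."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - length + 1):
                if seq[i:i + length] in pw:
                    return True
    return False


def _has_sequential_run(pw, length=3):
    """True if pw contains `length` consecutive letters or digits (abc, 321)."""
    for i in range(len(pw) - length + 1):
        chunk = pw[i:i + length]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password, username, personal_info=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    pw = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in SPECIALS for c in password):
        problems.append("no special characters")

    user = username.lower()
    if user and pw and (user in pw or pw in user):
        problems.append("contains or is contained in the username")

    # Dictionary check on the raw password and on its de-substituted form,
    # forward and backward, with and without non-letters stripped.
    candidates = {pw, pw[::-1]}
    plain = pw.translate(LEET)
    candidates |= {plain, plain[::-1]}
    stripped = {re.sub(r"[^a-z]", "", c) for c in candidates}
    if (candidates | stripped) & DICTIONARY:
        problems.append("is a dictionary word (possibly with substitutions or reversed)")

    # Personal tokens (pet name, birth year, street number, ...) supplied by the caller.
    for token in personal_info:
        t = token.lower()
        if len(t) >= 3 and t in pw:
            problems.append(f"contains personal information ({token})")

    if _has_keyboard_run(pw):
        problems.append("contains a keyboard pattern (e.g. qwerty)")
    if _has_sequential_run(pw):
        problems.append("contains a sequential run (e.g. abc, 123)")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("P@ssw0rd", "qwerty123", "Rex1990!x", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, "jdoe", ("Rex", "1990")) or "ok")
```

Running the block prints one line per constructed sample: "P@ssw0rd" fails only because it normalizes to "password", "qwerty123" fails the keyboard and sequence rules as well as the character-mix rules, and "Rex1990!x" is rejected for the two personal tokens even though it satisfies every length and character-class rule.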

Email

Never share sensitive information over email.

Delete spam, don't reply.

Avoid unverified links and attachments.

Email is widely used at UCLA, and overlooking some common-sense measures can put you at risk.
  • Any phishing attempt to trick you into revealing confidential, personal, or financial information or your password, or into sending money, is a scam. Credible organizations will never ask for this by email.
  • Malware, spyware, Trojans, and other malicious software are often transmitted through email as malicious links or seemingly credible attachments. Clicking these links or opening these attachments may infect your computer.
  • Do not transmit sensitive, restricted information by email. It is not secure. This includes passwords, PINs, and files containing restricted information (such as Social Security numbers).
  • Delete spam. Do not reply to it or forward it. Replying to spammers validates that your address is legitimate and increases the chances that more spam will be sent to you in the future.
  • Always be skeptical, as it is often difficult, if not impossible, to know for certain who sent an email. If need be, verify the legitimacy of a sender in person.

Social Engineering

Verify identity before disclosing information online

Shred paper information and never share passwords

Social engineering is the manipulation of a person's trust, naivete, ignorance, and gullibility to obtain unauthorized information. A "social engineer" is always on the lookout for pieces of information that can help him or her assume someone else's identity, usually without that person's knowledge.
  • Phishing: Legitimate organizations do not email, call, or otherwise contact their customers asking sensitive questions or for personal information, such as usernames and passwords. This is known as "Phishing," an attempt to trick gullible persons into revealing confidential, personal, or financial information, obtaining a password, or sending money. When in doubt, do not respond or give your information and contact the organization directly. UCLA will never ask you for your username or password in email communications.
  • Dumpster Diving: Yes, that's right, a "harmless" gesture like throwing away a document can give a social engineer opportunities to impersonate you. Shred sensitive information and never put it in the garbage intact.
  • Scam Artists: If an unknown party shows up at your office or asks you for information in person, always be skeptical. Ask for identification, and never reveal information just because someone's attire is professional or looks like it might be affiliated with the University in an official capacity. You will never be punished for confirming somebody's identity. Report suspicious and dubious behavior to your supervisor or the UCLA police.

Secure Wi-Fi

Using eduroam encrypts your wireless connection

Those who use the Wi-Fi wireless network on campus should connect to the "eduroam" network. It uses WPA2-Enterprise (802.1X) encryption to protect your data on the wireless link and lets you log in with your UCLA credentials on the UCLA network and at any other participating institution, including the other University of California campuses. Note that WPA2 protects traffic only between your device and the access point; beyond that, rely on HTTPS or the UCLA VPN to keep your data encrypted.

UCLA VPN

The UCLA Virtual Private Network (VPN) encrypts the connection between your device and UCLA's network.

When accessing University resources (such as MyUCLA, URSA, etc.), especially from off campus or over a network you do not control, all UCLA students, faculty, and staff should connect through the UCLA VPN. A VPN, which stands for "Virtual Private Network," encrypts your traffic between your device and UCLA's VPN servers, so that an intruder on the local network (for example, on a public Wi-Fi hotspot) cannot read or tamper with it. Traffic that leaves UCLA's network for other Internet sites is protected only as far as the VPN server; beyond that point, HTTPS is still needed.


VPN client downloads (from Bruin OnLine, BOL):

  • Windows XP/Vista/7: VPN @UCLA BOL
  • Mac OS X 10.4 and above: VPN @UCLA BOL
  • Apple iOS devices: VPN @UCLA BOL
  • Android 2.1 and above: UCLA Android VPN @UCLA BOL

If you have recently upgraded to Mac OS X 10.7 ("Lion"), please be advised that the UCLA Cisco VPN is not compatible with this operating system. Please read these workaround instructions.

Physical Protection

Don't draw attention to your devices.

Shield password input in public.

Require the lock screen after sleep.

Physical protection of computers, tablets, and mobile devices is as important as their digital protection. This section looks at some best-practice physical security measures to prevent your devices from being stolen, keeping in mind that mobile devices and portable media are especially vulnerable to loss or theft.

Vigilance should always be observed in and outside of the workplace, particularly in public places such as lines, airports, restaurants, and residence hall common areas.

  • Before leaving your work area, turn off, close the lid of, or lock your computer, put away sensitive documents, and lock up cabinets and other storage spaces. Take portable devices or media with you, or lock them up.
  • Remove sensitive documents immediately from printers, fax machines, and copiers so that no one else can read them.
  • Shred documents that contain sensitive information. Don't discard them in public wastebaskets.
  • If you encounter an outsider looking for a colleague, escort that person to that individual's office.
  • Leave nothing behind when you exit a conference room. Wipe the board and pick up all work documents and drafts.
  • Don't leave portable equipment in a vehicle, even if it is locked. In addition to the possibility of theft, heat in a closed vehicle can sometimes damage computer equipment.
  • Avoid sharing a computer that you use for work. Sharing computers significantly increases the risk of loss, infection, breach of confidentiality, etc.
  • If you are not the sole user, make sure to create separate user IDs and passwords and always store your work documents in your own account.
  • If your computer will be storing University-defined PII (Personally Identifiable Information) such as ….., get in touch with UCLA IT Security's encryption team and we'll help you encrypt your device
  • Protect your computer, laptop, and/or mobile device with a complex password. Configure it to lock after a certain period of inactivity.
  • Mac: System Preferences -> Security -> Require password (immediately) after sleep or screen saver begins.
  • Windows: Start -> Control Panel -> Appearance and Personalization -> Personalization -> Change screen saver -> check "On resume, display logon screen"
  • Apple iOS: Settings -> General -> Passcode Lock -> Turn Passcode On, then "Require Passcode: Immediately"
  • Always protect your computer hardware and portable media against theft when traveling. Don't draw unnecessary attention to your baggage and digital equipment and don't leave it unattended.
  • Shield personal identification and passwords from public view when working on your computer or smartphone in a public place, and also when you use your credit or debit card at an ATM. iPhone, Android, Windows Phone 7, and other touchscreen smartphones have on-screen keyboards that may highlight each letter, number, punctuation mark, or special character as it is typed, making it easier for prying eyes to read your input. Shield your phone when typing usernames and passwords, and politely ask anybody with you to look away.

Confidentiality on the Internet

Don't share your routes to class or work.

Be suspicious of online identities.

Disclosing Information

The Internet offers a goldmine of information and gives users virtually unlimited communications options. Carefully consider the information you plan to disclose when registering for a site or providing information about yourself online.

  • Don't post personal information about yourself or others, especially information that you use as answers to password- or username-recovery security questions.
  • When making online purchases or transactions, entering personal or confidential information, or entering your password online, make sure your connection is secure by checking for the presence of:
    1. A URL that begins with https:// (Firefox users should download the EFF's "HTTPS Everywhere" Add-On)
    2. A locked padlock icon in the location bar or corner of the browser window, which confirms that the connection is encrypted.
    3. A domain name (something.com) that does not change after the secure connection has been established. Read the domain carefully: the padlock only tells you that the connection to that domain is encrypted, not that the domain is the one you intended to visit.
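The three checks above, applied to the sequence of URLs a browser passes through when a page redirects you. This is an added example for this page, not code from UCLA or the original page; the redirect chains are constructed samples using reserved .example names, and the function names check_chain and registrable_domain, along with the tiny suffix table, are assumptions. The point it adds beyond the list is that "the domain does not change" must be checked on the parsed hostname: a URL such as https://bank.example@attacker.example/ or https://www.bank.example.attacker.example/ starts with the expected name yet lands on a different site.

```python
"""Verify a redirect chain: every hop is https:// and the site does not change.

Added illustration, not code from UCLA or the original page. The public-suffix
handling is deliberately simplified (a real check would consult the Public
Suffix List); the sample chains below are constructed, not captured traffic.
"""
from urllib.parse import urlsplit

# A few two-level public suffixes so that "www.bank.co.uk" maps to "bank.co.uk".
TWO_LEVEL_SUFFIXES = {"co.uk", "ac.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the 'something.com' part of a hostname."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_chain(urls, expected_domain):
    """Return a list of problems found in a redirect chain; empty means it passed."""
    problems = []
    expected = expected_domain.lower()
    for i, url in enumerate(urls):
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"hop {i}: not https ({url})")
        # urlsplit().hostname strips any user@ prefix and port, so a URL that
        # merely *starts* with the expected name is not mistaken for it.
        host = parts.hostname or ""
        # Compare the registrable domain, never a substring: 'www.bank.example.attacker.example'
        # contains 'bank.example' but is a different site.
        if registrable_domain(host) != expected:
            problems.append(f"hop {i}: domain changed to {host}")
    return problems


if __name__ == "__main__":
    # Constructed sample chains, as a browser might follow them.
    samples = {
        "same site, all https": [
            "https://www.bank.example/login",
            "https://secure.bank.example/account",
        ],
        "downgrade to http": [
            "https://www.bank.example/login",
            "http://www.bank.example/account",
        ],
        "userinfo trick": ["https://bank.example@attacker.example/login"],
        "subdomain trick": ["https://www.bank.example.attacker.example/"],
    }
    for label, chain in samples.items():
        print(label, "->", check_chain(chain, "bank.example") or "ok")
```

Only the first chain passes; the other three are flagged with the hop number and the reason, which is the same judgement you make by eye when you compare the padlock's domain with the one you meant to visit.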

Safely Configure Your Facebook and/or Twitter

Facebook HTTPS

Facebook recently added an important security feature that lets users encrypt their connections to the website, defending against eavesdropping and session-hijacking ("sidejacking") attacks on untrusted networks:

  1. Click the "Account" drop-down

  2. Select "Account Settings"

  3. Click the "Change" link next to "Account Security"

  4. Select the checkbox that enables secure browsing (https).

Twitter HTTPS

Twitter offers a similar setting that forces encrypted (HTTPS) connections to the website, defending against the same eavesdropping and session-hijacking ("sidejacking") attacks:

  1. Select your name in the upper right-hand corner drop-down menu on the menu bar and then select "Settings."

  2. Under the account tab, scroll to "HTTPS Only" and select the "Always use HTTPS" checkbox:

Encryption

Encryption software at UCLA

If you are in custody of Personal Information*, contact your departmental IT Compliance Coordinator (ITCC) regarding the University's requirements for encryption of the information. A full list of ITCC representatives can be found at this link, listed by the administration, the College of Letters and Science, Schools, and other organizations.

*According to UCLA Policy 404, "Personal Information, as used in this Policy, means an individual's first name or first initial, and last name, in combination with any one or more of the following: (1) Social Security number, (2) driver's license number or California identification card number, (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account, (4) medical information, and (5) health insurance information."