Current Topic

There is a popular email scam that asks the recipient to buy gift cards for their supervisor, department chair, dean or other senior person. No one should ever send a request asking you to buy gift cards in this manner. A person from this college would never ask you to buy work items on your personal credit card. If you see any messages like this, please report them to infosecurity@med.uvm.edu and abuse@uvm.edu.

A typical example of one of these scams looks like this:

To: Person at LCOM
From: Dean, Chair, Director, Manager, Supervisor <somename@someplace.com>
Subject: New Request
Body: I need something done. Do you have a minute?

In these instances, please note that although the Dean's name (or the name of someone else you may be familiar with) is displayed as the sender, the address next to it is NOT an institutional email address. This is a common way scammers get your attention. They pretend to be someone in your organization, quite likely your boss or a trusted colleague, and ask you a simple question to get you to respond. Once you respond, they escalate their requests and add time pressure. All of this is calculated to make you do what they want.

If you ever have any question about the validity of an email, do not reply to it. Instead, forward it to the work email address of the person it is supposed to be from and ask if it is actually from them. Alternatively, contact the department administrator or your immediate supervisor. We would much rather take the time to answer your questions than have you fall victim to this scam.
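
For mail administrators, the mismatch described above (a senior person's name displayed next to a non-institutional address) can be checked automatically. The following is an added example, not part of the original page; it assumes institutional addresses end in uvm.edu, and the name "Dean Smith", the word lists and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: institutional mail is sent from uvm.edu or one of its subdomains.
INSTITUTIONAL_DOMAINS = ("uvm.edu",)
# Titles from the sample scam; a real deployment would list actual staff names.
PROTECTED_WORDS = {"dean", "chair", "director", "manager", "supervisor"}
# Phrases taken from the scam described above.
LURE_PHRASES = ("gift card", "do you have a minute", "i need something done")


def is_institutional(address):
    """True only for an exact domain match or a real subdomain."""
    domain = address.rpartition("@")[2].lower()
    return any(domain == d or domain.endswith("." + d)
               for d in INSTITUTIONAL_DOMAINS)


def check_message(raw):
    """Return the reasons a message looks like the impersonation scam."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    if is_institutional(address):
        # Header check only: it does not prove the address itself is genuine.
        return []
    reasons = []
    if PROTECTED_WORDS & set(re.findall(r"[a-z]+", display.lower())):
        reasons.append("senior-staff display name on a non-institutional address")
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        reasons.append("lure wording: " + ", ".join(hits))
    return reasons


# Constructed samples modelled on the example above ("Dean Smith" is made up).
SPOOFED = (
    'From: "Dean Smith" <somename@someplace.com>\n'
    "To: person@med.uvm.edu\n"
    "Subject: New Request\n\n"
    "I need something done. Do you have a minute?\n"
)
GENUINE = SPOOFED.replace("somename@someplace.com", "dean.smith@med.uvm.edu")
LOOKALIKE = SPOOFED.replace("someplace.com", "uvm.edu.someplace.com")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(label, check_message(raw))
```

The lookalike sample shows why the domain test matches on the end of the domain rather than searching for "uvm.edu" anywhere in the address.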

Ten Tips

to ensure the best security for our administrative, academic and research data

1. Beware the Phish.

Phishing scams typically arrive as an email. They look like they are from a source that you may trust, or they try to scare or intimidate you into doing something or giving away information that you would normally keep to yourself.

General guidelines to protect yourself: do not click on links in emails you weren't expecting; double-check the sender (is it someone you know and trust?); and remember that if it sounds too good to be true, it is. Delete the message without responding.

Report malicious messages to infosecurity@med.uvm.edu and abuse@uvm.edu. 


2. Password Safety.

Create passwords that are easy to remember but hard to guess. How do you do that? Try using the initial characters of a phrase you will remember.

Consider using passphrases - think of a nonsensical statement that you will remember but that wouldn't make sense to anyone else.

NEVER use your name, children's names, pets' names, etc. - those things are too easy to guess and too easy to find via social networking (Facebook, Twitter, LinkedIn, and the like).

NEVER share your password with ANYONE. 


3. Different Passwords for Different Accounts.

Recycling is good for the environment but shouldn't be applied to passwords. Don't use the same password for multiple accounts. If your credentials are compromised and you have used those same names/passwords for work, online banking, online purchases, etc., then those other accounts are now also at risk.


4. IT Support Staff wants to Help.

Really. We do. If you think your credentials have been compromised - through your actions or not - tell us. We can help you to minimize any damage. 

If you aren't sure if it's a scam, ask. We will do our best to determine the safety of the communication you received. Don't know how to accomplish a technology task safely and securely? Not sure what protections have to be in place? Ask. We will work with you to find the answers.


5. Malware is Bad.

Is your computer slow? Do you see pop ups or do you have annoying things happen that you don't think you initiated? Those are some classic signs of malware. But malware can also be very sneaky and secretive and you may not know you have it. 

What should you do? For personal computers, there are a number of free, reputable anti-malware applications out there. There are also those that you pay to license. Use them - they can be a great second line of defense for your machine. For institutionally owned computers, be sure they are enrolled in the LCOM and UVM management services to best protect them.

What's the first line of defense? You. Malware can be passed in the same way viruses can (remember those pesky viruses?): by using infected USB sticks, opening infected attachments, or visiting infected websites. Stay cautious and do your best to avoid risky behaviors.


6. Encryption is Good.

By University policy, at a minimum all University-purchased laptops need to be encrypted using BitLocker or Casper whole-disk encryption. Encryption makes the contents of your hard drive unreadable without a valid passphrase and thus protects any data that may be on that hard drive.

In order for encryption to protect information, proper usage is necessary - it should be installed, enrolled and set to encrypt. Once you pass the passphrase screen, the contents of the hard drive are readable so you must always SHUT DOWN your machine when you are done working on it so that you re-engage the encryption protection.


7. Don't Forget Physical Security.

Lock it up.
Lock it down.
Don't leave it alone.
Don't leave it in your car.
Don't lose it.
Don't let your kids/spouse/parents/babysitter/acquaintances/best friends use it.

 

8. Policy, Rules, Guidelines, Compliance, Regulation, Requirements.

Different data has different needs. You need to be aware of those security needs and fit your actions and processes to accommodate them. Minimally, all information at the University is subject to the policies of the University. Additionally, there may be local guidelines you must follow based on the rules set by your data steward. Research data may be subject to federal, state or other regulations based on data type and granting agency requirements. Student data is subject to FERPA. Check the requirements that apply to the information you work with. If you don't know, ask. It is everyone's responsibility to protect information in our keeping.


9. Updates and Patches.

Yes, you have to allow the updates to happen. Be patient. In the course of life, it's really not that long or painful. At the College of Medicine we have applications which will alert you when an update needs to happen. You can wait until the end of the business day (unless you hear differently from us) but you still have to let it happen. All those updates and patches help protect you and your data.


10. Lost or Stolen Equipment.

First, you have to tell someone. Really. You do. 

If the device has been stolen, you need to call the police. Then you need to call IT support. IT is going to have lots of questions about what the device had, or may have had, on it. Be patient - we need to know because we care. Don't forget that you have to follow policy to secure data and report the loss of data. It's not always fun but it does have to be done. The University has rules that it, too, must follow. Help us do that.