The Office of Information Security is your contact for questions about OSU's Information Security Policies and Procedures. Our mission is to raise OSU's standards and practices for secure computing.
To do this, the OIS coordinates with academic and administrative units to develop policy, benchmark and assess our level of risk, and educate and inform our community on best practices.
OSU's IT security policy is currently undergoing a scheduled review process. The policy is published to oregonstate.edu/fa/manuals/is and recent updates to the policy include:
Our Third Party Service Guide will help you determine if the information you are using is suitable for storing in or processing through a third party service and what steps need to be performed for certain types of information.
There are a variety of distributed computing offerings on the Internet that offer good value and ease of use for those without the available resources and staffing to run their own systems. Commonly referred to as "cloud" computing, services such as Infrastructure as a Service (Iaas), Platform as a Service (PaaS), Software as a Service (SaaS) and off-site storage and backup services have become an important part of the Internet. Other service offerings marketed for widespread use by individuals, such as Dropbox, Cloud Drive, and iCloud offer similar abilities.
OSU doesn't discourage the use of these tools, but it has established policy to assist in compliance with the many laws and regulations we face. This guide will help you determine if the information you are using is suitable for storing in or processing through a third party service and what steps need to be performed for certain types of information.
Note that data elements listed as Protected in Appendix A have the highest restrictions. Third Party Services should be avoided for these data elements if at all possible. Please contact the Office of Information Security for assistance.
When you send us phishing attepts that came to your oregonstate.edu email, you help us shut down the scammers who sent them. So, when a phishing attempt lands in your inbox, forward it to us (directions at /accounts-support/ois/2014-osu-phishing-derby/webform/submit-your-phish).
Not quite sure how to spot a phishing attempt or how to distinguish it from spam email? Keep reading for more information.
It's an attempt to get you to give up sensitive information.
A phishing email looks like it comes from a trustworthy organization. It tries to get you to submit information like your username, password and credit card details.
It used to be easy to spot a phishing email. You could pretty much count on bad grammar, poor spelling and too-good-to-be-true offers.
Not so, anymore.
These days, lots of phishing attempts have gotten more sophisticated. Sure, you’ll still see some that fall into that old, easy to spot style. But more and more of them look professional. Because more and more phishing scammers are getting professional, spending real money to fool you, just as a professional fisher spends money on good bait. [Read more about phishing at Wikipedia.org]
In this case, the bait is any email you receive. A simple phish will try to create anxiety, typically saying something like there is a problem with your account and asking you to reply to the email and provide your username and password so they can resolve the problem. Those are easy to spot. Trickier phishes include a link (often disguised) that will take you to a webpage where you will be asked to complete a form. The trickiest ones are crafted to look just like an official notification from OSU. They use our logo, often capture language used in previous official emails, and are "signed" by real departments or people.
You may also see phishes that pretend to be from a bank or other online business.
Remember, if an email makes you feel that you need to take action immediately, be suspicious. Also know that IT support people will never ask you for your password; instead, they'll change your password to a temporary one that you both know to fix any account issues that require it. These instances are rare and will never be resolved over email.
If an email makes you suspicious, but you're not sure it's phishing, call the sender and ask if it's legitimate. Be sure to use a number you already have or one you can look up, not the one provided in the email.
In this case, the spot is a link in the email. When you place your cursor over that link and hover without clicking, the actual link will be shown, usually at the bottom of the window. In a phish you'll find that this link really goes to a different site than is shown in the link text. Check that link carefully -- the bad guys will frequently include portions of the authentic address to try to fool those who know the hover trick. Make sure that you inspect the entire address: if the portion before the first / in the address (after the http://) doesn't end in oregonstate.edu, don't click!
You can also hover using a mobile device. Simply touch the link and hold it. A window will pop up asking what you will want to do -- at the top of that window will be the actual link.
Be especially wary of URL shortening services such as tinyurl.com and bitly.com, since hovering doesn't work on them.
Spam email, another type of unsolicited email, is typically advertising. The sender of a spam message wants to get you to visit a website where they'll receive a small compenstation for every visit. Their goal is to get as many people to visit as possible, so they flood a network with thousands of email messages, hoping a few people will click on it.
You've seen lots of them: advertisments for pharmaceutical products, bargain hotels, special deals on travel -- if you can think of it, someone has sent a spam email about it.
Spam isn't just annoying though; often the websites linked in a spam email contain malicious software like viruses and adware. It is best to avoid them altogther.
Now that you know how to detect phishing emails, and how to distinguish it from spam email, are you ready to test your skills and "Catch a Phish?"
Congratulations to the winners of our Phishing Derby!
Everyone who entered helped make OSU a safer place. We collected 1,425 entries - that's 1,425 phishing attempts that got caught by our Derby participants. You rock! From those entries, we randomly selected 8 winners.
If you click on the images below, they'll show an image of the website linked in the phishing email.
How to know this page is fake:
How to know this page is fake:
How to know this page is fake:
Our phishing derby is over, but we still want you to submit phishing attempts that come to your oregonstate.edu email.
To submit your phish email you will have to export the message from your mail client; please use the directions provided below.
Once you have created the attachment, please email it to firstname.lastname@example.org. If you have problems please contact the OSU Computer Helpdesk at 541.737.3474
Because these are images of actual emails, hovering over the URL will not work. Please base your decision on the content of the email.
Remember these things about phishing and spam emails: