Office of Information Security

The Office of Information Security is your contact for questions about OSU's Information Security Policies and Procedures. Our mission is to raise OSU's standards and practices for secure computing.

To do this, the OIS coordinates with academic and administrative units to develop policy, benchmark and assess our level of risk, and educate and inform our community on best practices.

Security Policy

OSU's IT security policy is currently undergoing a scheduled review process. The policy is published to oregonstate.edu/fa/manuals/is and recent updates to the policy include:

Our Third Party Service Guide will help you determine if the information you are using is suitable for storing in or processing through a third party service and what steps need to be performed for certain types of information.

Security Awareness

  • OSU Computer Helpdocs provides general information on protecting your computer from malware and malicious intrusions.
  • Be Aware is a student-focused site which presents effective ways to respond to security threats.

Reporting Security Issues

If you are the victim of a security-related issue such as a phishing scam or spam attack:

Security Awareness Training

The Office of Information Security provides security training for departments on campus that deal with Protected and Sensitive Information, including Personally Identifiable Information (PII). To learn more about this training, please contact Dave Nevin, Chief Information Security Officer.

Resources for IT Professionals

The Office of Information Security is here to assist you in your efforts to keep your network resources protected. We offer Risk Assessment and Forensics services as well as vulnerability scanning. To learn more about the resources available for IT Professionals, please contact Dave Nevin, Chief Information Security Officer.

Third Party Service Guide

There are a variety of distributed computing offerings on the Internet that offer good value and ease of use for those without the available resources and staffing to run their own systems. Commonly referred to as "cloud" computing, services such as Infrastructure as a Service (Iaas), Platform as a Service (PaaS), Software as a Service (SaaS) and off-site storage and backup services have become an important part of the Internet. Other service offerings marketed for widespread use by individuals, such as Dropbox, Cloud Drive, and iCloud offer similar abilities.

OSU doesn't discourage the use of these tools, but it has established policy to assist in compliance with the many laws and regulations we face. This guide will help you determine if the information you are using is suitable for storing in or processing through a third party service and what steps need to be performed for certain types of information.

How To Use This Guide

  1. First, become familiar with OSU's Information Systems - Data Classification and Stewardship Policy and with the specific data elements for Protected and Sensitive Information listed in Appendix A.
  2. Next, determine whether the information you wish to use on a Third Party Service is included in Appendix A.
    • If the information you wish to use on a Third Party Service is not included in Appendix A, and there are no contractual obligations preventing you from storing it outside of OSU-maintained systems, that information is classified as Unrestricted; there are no restrictions from storing it in any third-party service. We would encourage you to use caution when selecting a third-party service provider, and to avoid those without an established reputation for good, secure service.
    • If the information does include any of the data elements listed in Appendix A, please contact the Office of Information Security to see if a review of the service is required. In most cases, the completion of a Security Questionnaire by the vendor will be required as part of this review.

Note that data elements listed as Protected in Appendix A have the highest restrictions. Third Party Services should be avoided for these data elements if at all possible. Please contact the Office of Information Security for assistance.

What we do

Security Tools Used by the Office of Information Security

OSU’s Network contains data that, should it fall into the wrong hands, could cause harm to individuals within our community. The Office of Information Security is tasked with identifying threats to that data, such as hackers and the malicious software they use, and to assist IT units in taking steps to protect it. And, unfortunately, we’re also asked to track down the source of threats of violence against members of our community.

The Office of Information Security uses a variety of tools and multiple sources of data to perform these tasks. We are very much aware that we have the potential to impact the privacy that is an important part of our community. We feel that we’ve designed systems and processes to protect your data so that we can strike the best possible balance between protecting individual privacy and securing our data.

A part of striking that balance is our desire to be very transparent about our operations. This paper outlines the tools we use, the information collected using those tools with examples of how that information is used, and the policies and procedures surrounding the gathering of data.

Network Security Monitoring and Analysis Tool

We are in the process of implementing a network security analysis and monitoring tool. This tool is located on the outside edge of our network and receives a copy of all inbound and outbound network traffic. This traffic, in the form of data packets, contains information on which computer the data came from, to which computer it is headed, and the data being sent. Our tool strips the data portion from the packet, performs a one-way cryptographic hash function on that data, saves the key generated by this algorithm, logs the destination, source, and time, then disposes the entire packet.

Because it is one-way hash, the Office of Information Security is unable to decrypt the data portion to view the contents – so, for example, we cannot access the text or images or attachments sent in an email.  The remaining packet information (destination|source|time|hash value) is stored for analysis.

An example of how this information would be used is in our response to phishing emails. Due to our outreach efforts, people frequently send us a copy of phishing emails they receive. Using the tool, we would check to see if anyone else went to the link contained in the phishing email, and notify the individual or their IT support team to ensure that nothing bad resulted from clicking on that link.

This tool also analyzes network traffic, looking for abnormalities to help identify malicious behavior. Advanced attacks, such as those used by organized crime or nation states, frequently occur at low thresholds that defy conventional, signature based detection. We will also be able to compare hashed values of suspected malicious software against hash libraries to aid in detection. This tool is an essential part of our incident response toolkit, and helps us meet federal requirements for the protection of Controlled Unclassified Information. This tool also helps us to meet the Payment Card Industry’s Data Security Standards.

Network Security Monitoring and Analysis Tools are also used to offer protection in high-speed research networks, which frequently exceed the performance capacity of firewalls. In this role, the tool is placed in-line, where it performs a quick examination of the first few packets within a file and, if non-malicious, then allows all traffic to take place at full speed between the two systems without further interruption.

Analyzing network flows for malicious activity does have the potential for abuse. We feel that by designing the tool to store only one-way cryptographic hashes of data is the best balance of meeting the capabilities we need to detect attacks while preserving the privacy of the members of the OSU community. As with all our other tools, we’ve applied the appropriate technical safeguards, as well as implemented policies and procedures around the use of the data from this tool.

Log Collection and Aggregation

Information Services is in the process of deploying a Log Aggregation and Correlation tool. This tool will allow us to gather log data from a variety of sources and allows us to look for patterns of behavior.

During our testing of this tool, we used it to identify compromised user accounts. This was done by looking at the time and location of login. If an individual logged into an account on the Corvallis Campus at 8:00 am, and that same account was logged into from China 2 hours later, that caused an alert since there is no way for the same person to travel that far in that time period.

It would be difficult to perform the same task manually, as there are thousands of logins a day. We also believe that by automating this process we improve privacy, as we’re not looking at all records, just the ones that match a certain criterion that represents a risk to the institution.

Log data does contain information of a personal nature, such as the IP address of the computer used to visit one of the OSU websites and which web pages were visited. It contains the date and time a system was accessed and which files were downloaded. This information could be used, in certain situations, to track activities to a geographic location. We’re very cognizant that such a tool could be abused, and we have policies, procedures, and technical safeguards in place to prevent misuse of this information.

Vulnerability Scanning

Vulnerability Scanning tools scan devices on the network to see if they are running outdated software that has a known vulnerability. These tools can also identify insecurely configured devices. Hackers frequently use these types of vulnerability to gain access to systems.

The Office of Information Security has two vulnerability scanning systems. One system has been placed just outside our network, and so gives us a view of what an external hacker would see. Because of the large number of systems on our network, we only perform limited scans, looking for new vulnerabilities. The other is placed within our firewalled infrastructure and performs more intensive scans. Result of the scans are forwarded to IT units across campus so they can fix any problems found.

The operation of vulnerability scanning tools represent a minimal risk to privacy.

Firewalls and Network Segmentation

Due to the size and complexity of our network, network firewalls are only deployed where needed. We use network segmentation to divide the network into functional areas and network firewalls are placed in front of segments where confidential data is processed.

The operations of firewalls represent a minimal risk to privacy.

Network Malicious Program (Malware) Detection

Similar to the antivirus programs found on personal computers, Network Malware Detection tools scan network traffic to spot harmful programs. Network Malware Detection tools use two methods to detect harmful programs: signature based and virtualized testing. Signature based detection compares observed network traffic against a database of known malware. During virtualized testing, the tool creates a virtual model of an operating system and runs the suspected malicious file in that model to see if it is harmful.

Network Malware Detection tools capture and store complete packets, including the data component, for every item they alert on. Because the tools are not perfect, this creates a slight risk to privacy for packets which are captured in the event of a false alarm.  Fortunately, false alarms are rare. To mitigate this risk, access to Network Malware Detection tools are limited to OIS employees and alerts are reviewed before sharing any data with technical staff for resolution.

Intrusion Detection Systems

Similar to Network Malware Detection tools, Intrusion Detection Systems look for patterns of behavior in network traffic to flag threats. Intrusion Detection Tools are signature based.

The Office of Information Security is in the process of deploying Intrusion Detection Systems within network segments of high risk as an additional layer of security. Like Network Malware Detection, Intrusion Detection Systems capture the packets for traffic that generates an alert. False alarms are very rare, but possible, and so there is a slight risk to privacy if packets that are not a threat are captured. This risk is mitigated by removal of the captured packets for any event that is determined to be a false alarm.

 

OSU Phishing Derby

osu 2nd annual phishing derby has ended but you can still help us catch phish

Even though our Phishing Derby is over, we still want you to catch phish! 

When you send us phishing attepts that came to your oregonstate.edu email, you help us shut down the scammers who sent them. So, when a phishing attempt lands in your inbox, forward it to us (directions at http://is.oregonstate.edu/phishing-derby/submit). 

Not quite sure how to spot a phishing attempt or how to distinguish it from spam email? Keep reading for more information.

fish symbolSo what is phising?

It's an attempt to get you to give up sensitive information. 

A phishing email looks like it comes from a trustworthy organization. It tries to get you to submit information like your username, password and credit card details.

It used to be easy to spot a phishing email. You could pretty much count on bad grammar, poor spelling and too-good-to-be-true offers.

Not so, anymore.

These days, lots of phishing attempts have gotten more sophisticated. Sure, you’ll still see some that fall into that old, easy to spot style. But more and more of them look professional. Because more and more phishing scammers are getting professional, spending real money to fool you, just as a professional fisher spends money on good bait.  [Read more about phishing at Wikipedia.org]

email on a fish hookCheck the Bait.

In this case, the bait is any email you receive. A simple phish will try to create anxiety, typically saying something like there is a problem with your account and asking you to reply to the email and provide your username and password so they can resolve the problem. Those are easy to spot. Trickier phishes include a link (often disguised) that will take you to a webpage where you will be asked to complete a form. The trickiest ones are crafted to look just like an official notification from OSU. They use our logo, often capture language used in previous official emails, and are "signed" by real departments or people.

You may also see phishes that pretend to be from a bank or other online business.

Remember, if an email makes you feel that you need to take action immediately, be suspicious. Also know that IT support people will never ask you for your password; instead, they'll change your password to a temporary one that you both know to fix any account issues that require it. These instances are rare and will never be resolved over email.

If an email makes you suspicious, but you're not sure it's phishing, call the sender and ask if it's legitimate. Be sure to use a number you already have or one you can look up, not the one provided in the email.

Recent Developments: Did you know that phishing isn't limited to just email? You may receive a phone call using the same anxiety creating techniques. Don't give any personal information, such as social security number, credit card or bank account numbers, health insurance information, or passwords over the phone.

Examples of strong wording include:

  • IMMEDIATELY
  • NOW!
  • YOUR ACCOUNT WILL BE TERMINATED
  • ALERT

 Here are examples of phishing emails that we have received.

cursor hand hovers over a linkHover over the spot

In this case, the spot is a link in the email. When you place your cursor over that link and hover without clicking, the actual link will be shown, usually at the bottom of the window. In a phish you'll find that this link really goes to a different site than is shown in the link text. Check that link carefully -- the bad guys will frequently include portions of the authentic address to try to fool those who know the hover trick. Make sure that you inspect the entire address: if the portion before the first / in the address (after the http://) doesn't end in oregonstate.edu, don't click!

You can also hover using a mobile device. Simply touch the link and hold it. A window will pop up asking what you will want to do -- at the top of that window will be the actual link.

Be especially wary of URL shortening services such as tinyurl.com and bitly.com, since hovering doesn't work on them.

Try it out! Hover over the spot.

email symbolHow's this different from Spam?

Spam email, another type of unsolicited email, is typically advertising. The sender of a spam message wants to get you to visit a website where they'll receive a small compenstation for every visit. Their goal is to get as many people to visit as possible, so they flood a network with thousands of email messages, hoping a few people will click on it.

You've seen lots of them: advertisments for pharmaceutical products, bargain hotels, special deals on travel -- if you can think of it, someone has sent a spam email about it.

Spam isn't just annoying though; often the websites linked in a spam email contain malicious software like viruses and adware. It is best to avoid them altogther.

Now that you know how to detect phishing emails, and how to distinguish it from spam email, are you ready to test your skills and "Catch a Phish?"

Winners of the Phishing Derby - Congratulations! 

Congratulations to the winners of our Phishing Derby!

Everyone who entered helped make OSU a safer place. We collected 1,425 entries - that's 1,425 phishing attempts that got caught by our Derby participants. You rock! From those entries, we randomly selected 8 winners.

Winners of the $50 gift certificate to the Beaver Store

Harrod, H.
Johnston, K.
Larson, M.
Michels, A.
Rieth, M.
Schlonga, C.
Sumida, G.
Valenzuela, L.

Congratulations! 

 

Phishing Examples

Here are some examples of phishing emails we've recevied recently:

If you click on the images below, they'll show an image of the website linked in the phishing email.

Example 1:

Example 2:

Example 3:

Fake OSU Exchange Mail Page

How to know this page is fake:

  • The URL is incorrect the domain should be oregonstate.edu
  • This has three boxes to fill in which the acutal page has a different number
  • The title is New Item, which is incorrect

How to know this page is fake:

  • The URL is incorrect the domain should be oregonstate.edu not wix.com
  • The title and picture of the webpage is wrong on the tab

How to know this page is fake:

  • The URL is incorrect the domain should be oregonstate.edu
  • The title and picture of the webpage is wrong on the tab
  • The site is asking for Username, Email, and Password instead of Username and Password
  • The site has a different college on the page Chabot College

Submit Your Phish

welcome to O.S.U.'s 2015 phishing derby

Rules and Submission Guidelines

fish symbolRules for Phishing Derby:

Our phishing derby is over this year, but you can still help shut down scammers by sending us phishing attempts that come to your oregonstate.edu email.

  1. To participate in the contest you must be a valid Oregon State University student or employee.
  2. Submission of phishing emails must come from an official OSU email address.
  3. Only one (1) prize will be awarded per individual.
  4. An entry into this contest is counted as one (1) unique phishing attempt submission. For a definition of a phishing email please refer to http://is.oregonstate.edu/phishing-derby. Any re-submission of the same phishing attempt by the same person will be disallowed and not counted as a submission for the contest.
  5. Submitting a spam email will not be counted as an entry into the phishing derby.

Our phishing derby is over, but we still want you to submit phishing attempts that come to your oregonstate.edu email.

email on a fish hookHow to prepare your phish email for submission

To submit your phish email you will have to export the message from your mail client; please use the directions provided below. 

Once you have created the attachment, please email it to phishing@oregonstate.edu. If you have problems please contact the OSU Computer Helpdesk at 541.737.3474


Staff Directory

We're sorry but there currently are no results for your selection. Please try filtering on a different value.