Office of Information Security

The Office of Information Security is your contact for questions about OSU's Information Security Policies and Procedures. Our mission is to raise OSU's standards and practices for secure computing.

To do this, the OIS coordinates with academic and administrative units to develop policy, benchmark and assess our level of risk, and educate and inform our community on best practices.

Security Policy

OSU's IT security policy is currently undergoing a scheduled review process. The policy is published at oregonstate.edu/fa/manuals/is and recent updates to the policy include:

Our Third Party Service Guide will help you determine if the information you are using is suitable for storing in or processing through a third party service and what steps need to be performed for certain types of information.

Security Awareness

  • OSU Computer Helpdocs provides general information on protecting your computer from malware and malicious intrusions.
  • Be Aware is a student-focused site which presents effective ways to respond to security threats.

Reporting Security Issues

If you are the victim of a security-related issue such as a phishing scam or spam attack:

Security Awareness Training

The Office of Information Security provides security training for departments on campus that deal with Protected and Sensitive Information, including Personally Identifiable Information (PII). To learn more about this training, please contact Dave Nevin, Chief Information Security Officer.

Resources for IT Professionals

The Office of Information Security is here to assist you in your efforts to keep your network resources protected. We offer Risk Assessment and Forensics services as well as vulnerability scanning. To learn more about the resources available for IT Professionals, please contact Rich Giesege, Senior Security Analyst.

Contact the Office of Information Security

If you are the victim of a security-related issue such as a phishing scam or spam attack, students should contact the OSU Computer Helpdesk and employees should contact their IT support staff.

Third Party Service Guide

There are a variety of distributed computing offerings on the Internet that offer good value and ease of use for those without the available resources and staffing to run their own systems. Commonly referred to as "cloud" computing, services such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS) and off-site storage and backup services have become an important part of the Internet. Other service offerings marketed for widespread use by individuals, such as Dropbox, Cloud Drive, and iCloud offer similar abilities.

OSU doesn't discourage the use of these tools, but it has established policy to assist in compliance with the many laws and regulations we face. This guide will help you determine if the information you are using is suitable for storing in or processing through a third party service and what steps need to be performed for certain types of information.

How To Use This Guide

  1. First, become familiar with OSU's Information Systems - Data Classification and Stewardship Policy and with the specific data elements for Protected and Sensitive Information listed in Appendix A.
  2. Next, determine whether the information you wish to use on a Third Party Service is included in Appendix A.
    • If the information you wish to use on a Third Party Service is not included in Appendix A, and there are no contractual obligations preventing you from storing it outside of OSU-maintained systems, that information is classified as Unrestricted; there are no restrictions on storing it in any third-party service. We would encourage you to use caution when selecting a third-party service provider, and to avoid those without an established reputation for good, secure service.
    • If the information does include any of the data elements listed in Appendix A, please contact the Office of Information Security to see if a review of the service is required. In most cases, the completion of a Security Questionnaire by the vendor will be required as part of this review.

Note that data elements listed as Protected in Appendix A have the highest restrictions. Third Party Services should be avoided for these data elements if at all possible. Please contact the Office of Information Security for assistance.

2014 OSU Phishing Derby


For a chance at winning a prize (one of several $75 Gift Certificates) you need to submit any phishing emails you receive between now and November 6th. Each unique-to-you phishing email you submit will be counted as a separate entry for the drawing.

But before we do that, let's make sure you know how to spot phishing, and how to distinguish it from spam email. Then we'll give you a chance to play our "Catch a Phish Game" for a free entry.

So what is phishing?

Phishing is an attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. [Wikipedia.org]

Check the Bait.

In this case, the bait is any email you receive. A simple phish will try to create anxiety, typically saying something like there is a problem with your account and asking you to reply to the email and provide your username and password so they can resolve the problem. Those are easy to spot. Trickier phishes include a link (often disguised) that will take you to a webpage where you will be asked to complete a form. The trickiest ones are crafted to look just like an official notification from OSU. They use our logo, often capture language used in previous official emails, and are "signed" by real departments or people.

You may also see phishes that pretend to be from a bank or other online business. 

Remember, if an email makes you feel that you need to take action immediately, be suspicious. Also know that IT support people will never ask you for your password; instead, they'll change your password to a temporary one that you both know to fix any account issues that require it. These instances are rare and will never be resolved over email.

Recent Developments: Did you know that phishing isn't limited to just email? You may receive a phone call using the same anxiety-creating techniques. Don't give any personal information, such as social security number, credit card or bank account numbers, health insurance information, or passwords over the phone.

Examples of strong wording include:

  • IMMEDIATELY
  • NOW!
  • YOUR ACCOUNT WILL BE TERMINATED
  • ALERT

Here are examples of phishing emails that we have received.

Hover over the spot.

In this case, the spot is a link in the email. When you place your cursor over that link and hover without clicking, the actual link will be shown, usually at the bottom of the window. In a phish you'll find that this link actually goes to a different site than is shown in the link. Check that link carefully -- the bad guys will frequently include portions of the authentic address to try to fool those who know the hover trick. Make sure that you inspect the entire address: if the portion before the first / in the address (after the http://) doesn't end in oregonstate.edu, don't click!

You can also hover using a mobile device. Simply touch the link and hold it. A window will pop up asking what you want to do -- at the top of that window will be the actual link.

Be especially wary of URL shortening services such as tinyurl.com and bitly.com, since hovering only shows the shortener's address, not where the link ultimately leads.
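The hover check described above, as an added example that is not part of the OSU page: a small Python script that pulls the host out of each link (the part after http:// and before the first /) and accepts it only when it is oregonstate.edu itself or a subdomain of it, which is stricter than a plain "ends in oregonstate.edu" test and also catches the look-alike hosts the text warns about. The shortener list, the three link classes and the sample message are constructed for this demonstration.

```python
# Added example (not from the OSU page): automate the "hover over the spot" check.
# A link is accepted only when its host is oregonstate.edu or a subdomain of it;
# links through a shortener are reported separately because the real destination
# cannot be seen by hovering.
import re
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "oregonstate.edu"
# Constructed list of shortener hosts; the page names tinyurl.com and bitly.com.
SHORTENERS = {"tinyurl.com", "bitly.com", "bit.ly"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_link(url: str) -> str:
    """Return 'ok', 'shortened' or 'suspicious' for one link found in an email."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return "suspicious"
    # .hostname discards any user@ prefix and :port, so a link written as
    # http://oregonstate.edu@other.example/ resolves to other.example here.
    host = (parts.hostname or "").lower()
    if not host:
        return "suspicious"
    if host in SHORTENERS:
        return "shortened"
    # Require the dot: oregonstate.edu.other.example and myoregonstate.edu both
    # contain the real name but are not the real domain.
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "ok"
    return "suspicious"


def audit_links(body: str) -> list:
    """Find every http(s) link in a message body and classify each one."""
    links = [u.rstrip(".,;:)") for u in URL_RE.findall(body)]
    return [(u, classify_link(u)) for u in links]


# Constructed sample message body, not a real phishing email.
SAMPLE_EMAIL = (
    "Your ONID mailbox is almost full. Verify your account NOW at "
    "http://oregonstate.edu.account-verify.example/login or your account "
    "will be terminated. Questions: https://is.oregonstate.edu/ois"
)

if __name__ == "__main__":
    for link, verdict in audit_links(SAMPLE_EMAIL):
        print(f"{verdict:10s} {link}")
```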

Try out hovering over the spot

How's this different from Spam?

Spam (short for "spamming") email, another type of unsolicited email, is typically advertising. The sender of a spam message wants to get you to visit a website where they'll receive a small compensation for every visit. Their goal is to get as many people to visit as possible, so they flood a network with thousands of email messages, hoping a few people will click on them.

You've seen lots of them: advertisements for pharmaceutical products, bargain hotels, special deals on travel--if you can think of it, someone has sent a spam email about it.

Spam isn't just annoying though; often the websites linked in a spam email contain malicious software like viruses and adware. It is best to avoid them altogether.

Now that you know how to detect phishing emails, and how to distinguish them from spam email, are you ready to play "Catch a Phish?"

Phishing Examples

Here are some examples of phishing emails we've received recently:

If you click on the images below, they'll show an image of the website linked in the phishing email.

Example 1:

Example 2:

Example 3:

Fake OSU Exchange Mail Page

How to know this page is fake:

  • The URL is incorrect; the domain should be oregonstate.edu
  • This page has three boxes to fill in, while the actual page has a different number
  • The title is New Item, which is incorrect

How to know this page is fake:

  • The URL is incorrect; the domain should be oregonstate.edu, not wix.com
  • The title and picture of the webpage are wrong on the tab

How to know this page is fake:

  • The URL is incorrect; the domain should be oregonstate.edu
  • The title and picture of the webpage are wrong on the tab
  • The site is asking for Username, Email, and Password instead of Username and Password
  • The page names a different college, Chabot College

Submit Your Phish

Rules for Phishing Contest:

  1. To participate in the contest you must be a valid Oregon State University student or employee.
  2. Submission of phishing emails must come from an official OSU email address.
  3. Only one (1) prize will be awarded per individual.
  4. An entry into this contest is counted as one (1) unique phishing attempt submission. For a definition of a phishing email please refer to http://is.oregonstate.edu/ois/2014-osu-phshing-derby. Any re-submission of the same phishing attempt by the same person will be disallowed and not counted as a submission for the contest.
  5. Submitting a spam email will not be counted as an entry into the phishing derby.
  6. Submissions for this contest are only to come from the form below; any other way of submitting phishing will not be counted as an entry into this contest.

Prizes

There will be a drawing for several $75 OSU Beaver Store Gift Certificates for participants in the Phishing Derby.

How to prepare your phish email for submission

To submit your phish email you will have to export the message from your mail client; please use the directions provided at the OSU Helpdocs site to do this.

Once you have created the attachment, please drag it to your desktop or another folder and submit the attachment here. If you have problems please contact the OSU Computer Helpdesk at 541.737.3474.


Submit your phishing email

The exported phishing email from your oregonstate.edu affiliated email account.
Files must be less than 2 MB.
Allowed file types: txt rtf html pdf mbox msg eml.

Catch a Phish (Free Entry)

Enter your email address and selection from the options at the bottom of the page to earn one free entry into the OSU 2014 Phishing Derby.

Because these are images of actual emails, hovering over the URL will not work. Please base your decision on the content of the email.

Remember these things about phishing and spam emails:

  • Spam is typically trying to get you to buy things
  • Phishing tries to get you to click on a link or enter your personal information to take action
