Security and IT Policies

Reporting Security Issues

If you are the victim of a security-related issue such as a phishing scam or spam attack:

Security Training

Security Awareness Training: The Office of Information Security provides security training for departments on campus that deal with Protected Information (PI) and Personally Identifiable Information (PII). To learn more about this training, please visit the OIS website.

Be Aware: IS also developed Be Aware, a student-focused site that discusses security awareness and effective ways to respond to security threats.

Helpdocs - Protect Your Computer: General information on protecting your computer from malware and malicious actors can be found on OSU's Helpdocs website.

Security News

Heartbleed Bug

A program (OpenSSL) that manages the secure transmission of data across the Internet was discovered to have a bug. This bug, known as “heartbleed,” could allow attackers to steal the private keys used to encrypt data prior to transmission across the Internet. With the keys, the attacker would be able to decode all of the data, including passwords and personal information entered into a website.

Information Technology personnel at Oregon State University have been aware of the problem since the disclosure of the bug on Monday evening, and have been working hard to identify and patch affected systems. So far, the impact on secure systems at OSU appears to have been minimal: ONID, for example, does not use a version of OpenSSL that is vulnerable to this bug, and the main OSU secure web servers were not vulnerable either. Systems that have been found to be vulnerable are being patched, and if warranted, new encryption keys are being generated.

Although we have no evidence that any OSU sites have been compromised through this exploit, this bug existed for almost 2 years before being discovered by security researchers. We would encourage you to pay close attention to all your sensitive user accounts across the Internet and to follow the recommendations of the owners of those services. Because of the widespread impact, we recommend that you change your OSU passwords, especially if you used the same password at multiple sites.

Warning: We’re starting to see evidence of fraudulent email claiming to be from affected companies and asking that you change your password by clicking on a link in the email or replying to the email. Please do not fall prey to these.

If you run a server such as a web or email server or have a Network Attached Storage (NAS) or other device that uses OpenSSL, please follow the instructions at http://heartbleed.com to ensure that your device is secure. A running list of hardware/software vendors impacted by this bug is being maintained here: http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=720951&SearchOrder=4.

Additional information on the heartbleed bug can be found here:

http://chronicle.com/blogs/wiredcampus/the-heartbleed-bug-and-how-internet-users-can-protect-themselves/51689

http://www.washingtonpost.com/news/morning-mix/wp/2014/04/09/heartbleed-what-you-should-know/

High Risk Malware Warning

CryptoLocker is malicious software that encrypts files on your computer, on an attached USB drive, or on a network share, then displays a screen that demands that you pay a $100-300 ransom within 96 hours to get them back. There is no guaranteed way to recover the files if you do not pay the ransom. DO NOT PAY THE RANSOM.

For additional information about CryptoLocker, including a tool to help prevent this infection on your personally owned computers, please read this document on the OSU Helpdocs website:

http://oregonstate.edu/helpdocs/safety-and-security/computer-viruses-fraud/computer-viruses/cryptolocker-dangerous-ransomware

 

Contact Us

The Be Aware website, and cyber security at OSU in general, is the product of a group of Information Systems Security Professionals from across campus. Questions about cyber security sent to the following e-mail will be answered by a practicing professional in that area.

Questions or suggestions about this site, or about our promotions or contests, can also be submitted below.

Thanks!

The Be Aware Team


IT Changes

Information Services seeks to communicate with the OSU community about the changes we make to the IT systems that we manage. Our goal is to manage, maintain, and upgrade systems in a thoughtful way so that we minimize negative impact to services and customers.

Achieving this goal requires that we plan changes carefully, consult with members of the community regarding planned changes, and respond to unplanned changes systematically to ensure minimal downtime.

Change Management is the formal term for defining our policies and processes. Please read the Change Management & Incident Response Project page for additional background about this initiative.

Change Advisory Board

The Change Advisory Board (CAB) convened in December 2012 and began drafting appropriate processes for changes and incidents. As basic processes are defined, the CAB will begin performing its function as a change review body even as it continues to define and refine change processes.

Change Policies

These policies apply only to services and systems owned by OSU Information Services.

The Incident Response policy does not apply to Security Incidents, which are covered by the Information Security Manual section 502: Incident Response and Escalation.

Communicate Changes & Incidents

These forms are for Information Services staff only. If you need to report an unexpected service interruption, please contact the OSU Computer Helpdesk.

Incident (UNPLANNED OUTAGE)
  • Communicate ongoing or recent Incidents
  • World-readable on IS website, RSS, Twitter, Facebook
  • Email sent to Outages list

SIGNIFICANT or EMERGENCY
  • Submit change plan before making a change
  • Will be reviewed by CAB and your Director
  • Communication will be developed after review

STANDARD CHANGES
  • Optional form to communicate Standard changes
  • Posts to Maintenance blog only – no email is sent
  • Not a replacement for your Change Log

Communicate an Incident (Unplanned Outage)

Please avoid overly technical jargon, as your message will not only be sent to the Outages email list but will also show up at the following locations.

Communicate a Significant or Emergency Change Plan

In most cases (excepting Emergency changes), you will develop a technical plan and a communications plan for your change prior to filling out this form. Please upload this documentation when submitting this form if you are able.

After you submit this form, the Change Advisory Board (CAB) and Unit Director can help shape the communications plan before any message is received by any customer.

This form is for significant or emergency changes. For other changes, please use one of the links in the IT Changes menu box to the side or below the form.

 

Communicate a Standard Change

This optional communication will post your message to the Maintenance blog.