Cybersecurity basics
Good information security habits aren’t just for geeks — they help safeguard your personal information, protect your devices, and prevent theft.
Although the U's Information Security Office maintains controls to help protect our networks and computers from cyberthreats, we rely on you to be the first line of defense.
uNID responsibilities and two-factor authentication
University ID (uNID)
Your uNID (e.g., u1234567) uniquely identifies you and allows access to University of Utah’s network and information systems. You are responsible for all activity associated with your uNID account. Sharing your username, password, and/or assigned accounts for any reason is a violation of the U’s Information Security Policy (4-004).
If you believe your account has been compromised in any way, change your password immediately and contact your respective help desk.
Campus IT Help Desk
(801) 581-4000
helpdesk@utah.edu
University of Utah Health ITS Service Desk
(801) 587-6000
ServiceDesk@hsc.utah.edu
Duo two-factor authentication
Duo Security’s two-factor authentication (2FA) is like having an extra lock on your front door. It is a great way to prevent criminals from accessing your university accounts and personal data, including school records and financial data.
Duo 2FA is required to access university accounts and resources, such as UMail, UBox, Campus Information Services (CIS), and Canvas. You can set up and manage Duo 2FA for your University of Utah accounts through the Duo Management Portal. Duo’s mobile app works on most smartphones and tablets, and is the preferred method of authentication. You may also purchase a Duo token through the U Campus Store.
How does it work?
Duo offers five methods of authentication:
- Duo push: The Duo server “pushes” a confirmation to a smartphone/tablet app, where the login
attempt must be “approved” or “denied.”
- If you receive an unexpected Duo push notification, deny the login attempt and change your password as soon as possible to stop unauthorized attempts to access your account.
- One-time passcode: A time-based, one-time six-digit code is generated through the app on a smartphone or tablet (network connectivity is not required).
- Security token: A one-time six-digit code is generated by a hardware token.
- Security key: The Duo server asks for a plugged-in USB security key that validates the login request.
- Touch ID: Some configurations support biometric identification.
Passwords
Cybercriminals trying every possible password combination can crack a weak password in a matter of hours. The same process may take more than a lifetime if the password is longer, contains lower- and uppercase letters, and uses numbers and special characters, especially when arranged randomly.
Use passwords that cannot be easily guessed, and protect your passwords from others.
- Do not share your usernames or passwords.
- Avoid writing usernames and passwords down.
- Consider using a password manager, which securely stores your passwords across all devices.
The following passwords are weak as they can be easily guessed or deciphered.
- Eric1995
- Pa$$word
- ILikeTurtles
Strong, cryptic passwords contain a mixture of numbers, symbols, and uppercase and lowercase letters. You can create a strong and unique password by using a phrase and incorporating acronyms and shortcut codes.
Your passwords should also be:
- A minimum of eight characters.
- Difficult to guess.
- They should not include personal information, such as usernames; names of family, friends, or pets; birthdays; addresses; hobbies, etc.
- Unique for every account, especially critical accounts such as banking.
The following passwords are strong:
- 2BorNot2B_ThatIsThe?
- $ponge808_[]pant$
- $m3llyca+
You should password-protect all of your devices. Try our secure password tester to see if your passwords are strong enough.
To change your university password, log in to the CIS portal and select the “Change your Password” tile. Enter your current password at the top and a new, strong password at the bottom.
Data storage
Minimize the storage of sensitive and restricted information on your devices and regularly back up your data.
- Avoid storing sensitive information on your local workstation, laptop computer, and
other electronic devices, and delete it whenever possible.
- UBox and Microsoft OneDrive are cloud solutions approved to store sensitive and restricted data that can be used by students, faculty, and staff at no cost.
- Do not keep sensitive information or your only copy of critical data, projects, files, etc., on portable or mobile devices, such as laptops, tablets, phones, and USB flash drives, unless they are properly protected (e.g., encrypted, password protected, and securely stored) — these items are especially vulnerable to theft or loss.
- Make backup copies of files or data you are not willing to lose, and store the copies securely.
Safe browsing and email use
Protect your information when using the internet and email.
Picking the right network
- UConnect is the preferred secure Wi-Fi network on campus.
- ULink is the university’s wireless network for Internet of Things (IoT) devices, such as PlayStation, Xbox, Roku, Chromecast, smartwatches, etc.
- UGuest is an unsecured Wi-Fi network for guest use and is not recommended for regular use.
- Eduroam is a secured wireless network supported by the Utah Education and Telehealth Network (UETN) that allows students, faculty, and staff from participating institutions like the University of Utah to access the internet on campus and when visiting other participating institutions.
- The campus VPN is a secure virtual private network (VPN) to be used when accessing university resources while connected to public Wi-Fi.
Browsing online
- Only enter personal or sensitive information on trusted, secure webpages. Do not log in to websites or online applications unless the login page is secure.
- Look for https (not http) in the URL to confirm a secure connection.
- Be especially careful about what you do over Wi-Fi. Information and passwords sent via standard, unencrypted Wi-Fi (most public access wireless is unencrypted) are particularly easy for criminals to intercept.
-
Check your Wi-Fi preferences and/or settings to ensure your devices do not automatically connect to any wireless network they detect. Automatically connecting to unknown networks could put your devices and data at significant risk.
-
Use software to protect your devices and information. Students, faculty, and staff receive discounted rates for antivirus and other security software through the U’s Office of Software Licensing.
-
Be extremely careful with file-sharing software (e.g., BitTorrent). File sharing opens your devices to the risk of malicious files and attackers.
- If you share copyrighted files, you may be disconnected from the campus network, as well as face serious legal consequences.
Using email
- Use only official university email systems when conducting business by email. Per university policy, do not use private email systems for university business.
- Do not send restricted and/or sensitive data via personal email, text, or instant message. These are not generally secure
methods of communication.
- Send restricted and sensitive data via UMail by:
- Adding “PHI” to the subject for protected health information.
- Adding “[secure]” or “[encrypt]” to the subject for other sensitive information.
- Send restricted and sensitive data via UMail by:
Social media
Social media helps attackers to gather more in-depth information and better target you. What you post online can stay on the internet for a long time, so stay vigilant when using social media platforms. Always ask yourself before posting, commenting, or sharing, “Could this potentially be harmful to myself or others?” or “Would I be OK with all of my family, co-workers, bosses, etc., seeing this?”
Common mistakes
- Providing excessive personal information
- Sharing posts that let others know you are away from home (e.g., on vacation or a business trip)
- Ignoring privacy settings
- Using an easy-to-guess password
- Enabling geotagging features (which add geographical identification to messages, videos, and photos)
- Commenting on or sharing posts that ask, “What is your favorite hobby?” or “What was
your first car?”
- Questions like these are common security questions for resetting forgotten passwords
- Not using multifactor authentication
What you can do
- Be careful about what you share
- Be careful what you open, and keep an eye out for suspicious links
- Be wary of links from unsolicited/urgent messages
- Preview the page or link if your device allows it
- Report phishing via the Phish Alert Button or forward the email as an attachment to phish@utah.edu if you are unsure whether it is malicious
- Think twice before installing apps
- Only download apps from your device’s app store, not from a browser
- Do a quick search online for any security concerns with the app
- Monitor the app’s data usage in your device’s settings for any spikes
- Set your profiles and accounts to private so only your friends can see what you post
- Do not accept unknown connection/friend requests
- Use complex passwords
- Turn on multifactor authentication when available
Stalkerware
Criminals can employ technology to stalk the device’s user. Stalkerware allows a criminal or stalker to listen in on device activity, as well as control its screen, camera, microphone, and other features. Any device that connects to the internet is prone to stalkerware, however, it is more common on smartphones as they are almost always near you and contain more personal information.
Signs of stalkerware on your device:
- Features, such as Wi-Fi, cellular data, GPS, and Bluetooth, unexpectedly turning on and off
- Faster than normal battery depletion
- Higher than normal data usage (over Wi-Fi or cellular)
- The installation of unfamiliar apps
- Strange or unusual behavior from the device
To locate and remove stalkerware:
- Regularly check for unfamiliar apps in your device’s app library
- Uninstall unknown apps and apps you don’t regularly use
- Install trusted and up-to-date antivirus software
Stalkerware may be disguised as a “System” or read-only app on your device — if such an app has an uninstall button, it is likely malicious and needs removal. If the uninstall button does not work, go to your device’s accessibility settings, disable accessibility features for that app, then uninstall.
To prevent downloading stalkerware:
- Keep your device locked with a strong password only you know
- Enable automatic locking during periods of inactivity
- Do not leave your device unlocked and unattended
- Download apps only from your device’s built-in app store
- Do not restore a previously compromised device from a backup — set it up as a new device
Uninstalling stalkerware may escalate the situation with a stalker. If you are fearful of removing the stalkerware, contact the U’s Office of Equal Opportunity, Affirmative Action, and Title IX at 801-581-8365, the Office of the Dean of Students at 801-581-7066, or University Police at 801-585-COPS (2677). These university resources can transfer you to departments that can help you report the stalking and outline the best method in which to remove the stalkerware.
Antivirus software and patching
Make sure your computer is protected with antivirus software and all necessary security patches and updates, and that you know what you need to do, if anything, to keep them current.
You should shut down or restart your computer at least weekly — and whenever your programs prompt you when installing updates. This helps ensure software and security updates are properly installed.
Don’t install unknown programs
Do not install or download unknown or unsolicited programs or apps to your computer, phone, or other devices. These can harbor behind-the-scenes viruses or open a “back door,” giving others access to your devices without your knowledge.
Physical security
Physical security is the protection of personal hardware and information from actions and events that can cause damage or loss.
Lock your screen
Shut down, lock, log off, or put your devices to sleep before leaving them unattended, and make sure they require a secure password after starting or waking up. You should also set your devices to automatically lock when they’re not being used. An unattended and unlocked device is the perfect opportunity for a criminal to access your private information.
Secure your device
Keep your devices secured at all times — lock them up or carry them with you! Portable device theft is on the rise across university and college campuses; you may think it won’t happen to you until it does.
Phones and laptops are frequently stolen from cars and houses, and they can be just as vulnerable in your office, classroom, or dorm room as at coffee shops, meetings, conferences, etc. On average, your laptop has a 1 in 10 chance of being stolen on a college campus.
- Make sure your devices are locked to or in something permanent.
- If you keep your laptop and/or cellphone in your bag or backpack, do not leave it unattended.
Secure your environment
Secure your area before leaving it to prevent break-ins.
- Lock windows and doors, take keys out of drawers and doors, and never share your access code, card, or key.
- Lock up portable equipment and sensitive material.