Skip Navigation
UW Directories | Calendar | Tools
IT Connect
Connecting You to Information Technology at the UW

 

Safe and Secure Computing

IT Connect > Security

Security Basics

Software You Need

Tools for Safe and Secure Computing

Protect Yourself, Your Work, and the UW

Practicing secure computing is everyone's responsibility. One infected computer can quickly infect others. Help protect yourself and your UW colleagues from computer viruses and intruders by learning more about security.

Keep Your Operating System and Software Updated

The Internet is an unsafe place, and it's increasingly important that all computers have their operating systems fully up-to-date and be running anti-virus and anti-spyware programs (which also must be kept fully up-to-date). Attacks by viruses, Trojans, and other malware attack the known weaknesses in operating systems and software, which the updates can fix. A fully up-to-date computer is much less likely to get infected.

Most new computers are configured to automatically check for updates. When updates are available, you are prompted to OK installing them, which often requires restarting the computer. As soon as updates are available, you should install them.

Caution: Follow your computer support person's instructions whenever you add software or change the configuration of your computer.

Fight Viruses and Spyware

Important: If someone else manages or maintains your computer, check with them before installing anti-virus or anti-spyware software. They may already have done so or may prefer other software than what is recommended here.

Use anti-virus software

The UW provides Sophos anti-virus software to all current faculty, staff, and students on the Tools for Safe and Secure Computing page.

Use anti-spyware software

Use of antispyware software, as well as anti-virus software, is recommended. The Sophos software (for MS Windows workstations) provides both functions if the (optional) feature to "scan for adware and PUAs" (Potentially Unwanted Applications) has been enabled.

Microsoft offers an anti-spyware program named Windows Defender. The program SpyBot Search and Destroy is also well regarded (see Using SpyBot).

The Wikipedia page about spyware has a very good explanation of spyware and how it works.

Note: Running different anti-virus and anti-spyware programs at the same time can create conflicts. When you do an anti-spyware scan, it is a good idea to turn off your anti-virus software. Do your scan and then turn the anti-virus software back on.

Protect Your Password

Do not share your UW NetID password

Each person at the UW has his or her own personal UW NetID and password. It is against policy to share your personal UW NetID and password with someone else.

  • Do not give your UW NetID and password to anyone else, even if they are a close friend or member of your family.
  • Do not let others use your account, even if you log them in.

It is also important that you do not share your UW NetID password inadvertently:

  • Do not send passwords in email.
  • Do not write your UW NetID and password in a place where others could find them.
  • Be sure no one is watching when you enter your UW NetID and password.
  • If you enter your UW NetID and password into a Web site, be sure you exit all open Web browsers when you are finished.
  • Don't walk away from a computer (for instance in a computer lab or library) until you are certain that you have logged off.
Change your password; choose a good one

It is easy to change your UW NetID password. A good rule of thumb is to change your password once a month.

Computer hackers have developed methods for cracking simple passwords. Choose a complex password to reduce the likelihood of your password being guessed or cracked. Read more about choosing a good UW NetID and password.

Protect Your Computer From Viruses and Spyware

What is a computer virus?

If you depend on the information stored on your personal computer, you need to understand how computer viruses spread, and you should use anti-virus software to reduce the chance that a computer virus will infect your programs and files.

A computer virus is a program that makes copies of itself and infects files. Computer viruses can spread to other computers and files whenever infected files are exchanged. Often infected files come as email attachments, even from people you know. The email senders have no idea that they are passing on a file with a virus in it.

Some computer viruses can erase or change the information stored on your computer, other viruses may do little or no harm to your system. Writing and releasing any virus is prohibited by University policy, and anyone who does so will be held legally accountable for damages.

How do I protect my computer?

There are several things that you should do to protect your computer from virus infections:

  • Use a high-quality anti-virus program, and be sure to update it regularly. Use it to scan any files, programs, software, or diskettes (even new software from a commercial company) before you use them on your computer.
  • Make back-up copies of important documents or files, and store them on separate diskettes. Making backups will also protect your information against accidental file deletion, diskette failure, and other damage.
  • Whenever you use a computer in a campus lab, be sure to reboot or run "cleanup" before you start your session and log out when you end your session.
  • Do not share commerical software with anyone. It is a violation of the author's copyright to distribute such material, and it is a way to spread viruses.
  • When you get public domain (PD) software for which the author has granted permission to make copies, get it from a reliable source. (For example, an individual you do not know is not a reliable source.) Before you run PD material, use an anit-virus program to inspect for known viruses.
  • Always scan your disks and files after using them on another computer.
  • Always scan all files you download from the Internet.
  • Always scan Word or Excel file email attachments before you read them.
What if my computer gets a virus?

Not all damage to your programs and files is caused by viruses: worn out floppies, failing hard drives, user error, and poorly written programs can all cause you to lose data. If your computer is behaving strangely, or if you think your computer has a virus, use an anti-virus program to find out.

If your computer is infected with a virus, DON'T PANIC! Use an anti-virus program to remove the virus yourself, or turn your computer off and find someone who knows how to remove the virus.

If a virus is active in memory, it may prevent anti-virus programs from working correctly. To be sure no virus is active, turn off your computer and reboot from a known-clean system diskette before you begin the disinfection process.

Eliminate all copies of the virus as quickly as possible. Check all your diskettes, and warn anyone else who may have infected files or disks.

Remember, most virus infections can be prevented. With proper care, your computer can remain virus-free.

What You Need to Know About Spyware

Spyware is software that collects personal information from you without first letting you know that this is happening. This information is then transmitted to the spyware author and may include a list of the Web sites you've visited as well as your usernames and passwords(!). Spyware is often associated with "adware" -- software that displays advertisements. These unexpected advertisements may clutter your desktop and some may contain pornographic or other material that you might find inappropriate.

At present, spyware is primarily a problem for Windows computers and does not seem to be a significant problem for Macintosh computers. UW Technology knows of no antispyware programs for Macintoshes that it can recommend.

What happens if spyware gets on my computer?

The following are common symptoms of spyware:

  • Your computer may get generally "sluggish."
  • You may see an increase in advertisments on pages where you've never seen them before.
  • Your Web browser may open to pages you've never seen before, either as the "home" page or when doing searches.
  • You may find that you can't use Web pages you've used successfully before. For example, you may not be able to log in to MyUW.
How can spyware get on my computer?

Most often spyware is installed concurrently with some other software that you intentionally install. For example, if you install a "free" music or file sharing service or "free" games, it may also install spyware. Some Web pages will attempt to install spyware when you just visit the page. Sometimes, having the spyware installed may be a condition of using the software. For example, a "free" Internet service may require that you accept their adware in order to use the service. In this case, removing the spyware may prevent the desired service from working.

How can I protect myself against spyware?
  • Do NOT open the Web links found in email "spam" or other similar unsolicited messages.
  • Only install software from Web pages you trust.
  • If you do install "free" software, carefully read the fine print in the license for any reference to collecting information from your computer and sending it elsewhere. (Be ESPECIALLY wary of popular "free" music and movie file-sharing programs.)
  • When you open a Web page, if a dialog box appears unexpectedly asking you to accept a download, the safest response is to click the red "X" in the upper corner of the box to close the window (clicking "no" may not close the box).
  • Install software to detect, remove, and prevent the installation of spyware on your computer (see next section).

Follow Secure Computing Practices

The following are good security practices that will help protect you and your computer.

Do backups regularly

No matter how carefully you work to protect your computer, bad things can happen. Regularly making backups is one of your best defenses against loss caused by viruses, worms, or software and hardware failure.

  • Settle on one method for doing backups, such as using the backup utility that comes with your operating system. Other excellent utilities are also available. The point is to pick one, learn about its features, and use it in a consistent manner.
  • Do your backups on a regular schedule. How often you do backups depends on how much your files change, but once a week or once every other week is a good interval for many people.
  • Keep copies of the backups off-site. Your diligence in doing regular backups is wasted if you keep them next to your computer and you have an office fire.
  • Important Note: Backups, which are usually done to support recovery in the event of an accident, attack, or disaster, do not meet the requirements for records retention. University staff should have an additional systematic process for copying records to a secure yet readily accessible location and a schedule for eliminating records that are no longer needed.
Completely quit your browser after connection to sites that require logging in

Browsers remember your ID and password until you completely quit the browser. Simply closing the window you used to log in to the service will not clear its memory. You must close all windows of the browser program and quit the program itself.

Otherwise, after you leave your computer, someone could bring up one of the unclosed windows, go to the service, and get in without being prompted for an ID or password. The browser will thoughtfully provide the ID and password from its memory.

In a related situation, any time you have to give your UW NetID and password to get into a computer, such as in a computer lab or when using a kiosk, you should go through the complete logout and exit process before leaving the computer. DO NOT just walk away from your session.

Every Computer Needs Management

A well-managed computer is a secure computer

A well managed computer is a secure computer. Proper management includes the following:

What Is Your Role?

Your role in managing the computers you use depends on your situation:

Your Situation Your Role
Managed Workstation
Configuration, installations, and updates are done for you, usually automatically over the network. UW Technology's Nebula service is an example of a system for managing computers through the network. Many departments provide similar services.		 Do not change anything without explicit permission. Someone else is taking care of security management for you.
Supported Workstation
A support person works with you to do configuration, installs, and updates on your computer and guides you on additional steps you should take.		 Talk to your support person about what is being done for you and what steps you need to take yourself.
Do-It-Yourself
You have no assigned support person for your computer. You need to do all the steps of computer management yourself, perhaps with help from your friends.		 Much of what you need is on the Tools for Safe and Secure Computing page, including anti-virus and file transfer programs.

Four Steps of Computer Management

The following four general steps will go a long way toward making your computer secure. If your network manager or support person is not taking the following steps, you probably need to do them yourself.

Management Steps What Is Your Role?
Managed Workstation Supported Workstation Do-It-Yourself

1. Before Connecting

With any new computer, BEFORE doing any other work, take the following steps:

  • Apply operating system updates.
  • Install an anti-virus program.
  • Reset default passwords (such as the password for the administrator's account).
  • Turn off file sharing (you can turn it on later when you need it).
  • Consider running a firewall program. Do not run a firewall if your computer is network-managed or your computer support person says not to.

The Sophos anti-virus program for both Windows and Macintosh computers is available on the Tools for Safe and Secure Computing page.

 Done by your network manager. Talk to your computer support person about which steps you should do. You need to do all these steps yourself.

2. Have Protection

Establish a security routine:

  • Automate your operating system updates.
  • Automate your anti-virus updates.
  • Regularly do software updates.
  • Regularly run an antispyware program.
  • Consider running a firewall program. Do not run a firewall if your computer is network-managed or your computer support person says not to.
  • Do your work in non-administrator accounts.
 Done by your network manager. Talk to your computer support person about which steps you should do. You need to do all these steps yourself.

3. Be Prepared

Be ready for failures and infections:

  • Backup your files regularly.
  • Be prepared to rebuild:
    • Have installation CDs and software.
    • Have a plan for getting OS updates.
  • In case of infection:
    • Obtain the most recent anti-virus updates.
    • Run your anti-virus program scan, then reboot, then scan again, then reboot, etc., until fixed.
    • You may have to rebuild your system.
  • Plan for upgrading:
    • Support is fading for Windows 98 and Macintosh OS8.
 Done by your network manager. Talk to your computer support person about which steps you should do. You need to do all these steps yourself.

4. Be Skeptical

Don't be fooled into helping attackers:

  • Do not open unexpected email attachments.
  • Do not download unknown programs, such as free screensavers.
  • Do not trade lots of unknown files, such as with peer-to-peer programs like Kazaa.
  • Do not share your passwords with anyone.
  • Do not believe amazing offers and unlikely stories.
 Everyone needs to be careful and skeptical. Everyone needs to be careful and skeptical. Everyone needs to be careful and skeptical.

Comply With Rules and Laws

As part of its effort to provide quality and reliable technology services, the University of Washington is required to comply with a broad range of federal and state laws and regulations related to management of public records, use of public resources, privacy protection, copyright protection, ethics rules, and criminal behavior.

Beyond mandatory compliance requirements, the UW maintains its own high standards and commitment to the preservation and protection of privacy, intellectual property, and quality technology-related services for all students, faculty, staff, and citizens who become involved with the institution.

Everyone who enjoys the privileges and use of the UW's computer and network services is expected to help uphold UW's high security standards and to comply with all necessary state and federal statutes. The following are UW guidelines and policies as well as state and federal statutes and regulations that directly or indirectly affect the University of Washington's information systems security program.

Know the Rules

Washington Administrative Code (WAC) sections:
  • WAC 478-120 - Student code of conduct for the University of Washington
  • WAC 478-124 - General code of conduct for the University of Washington
  • WAC 478-140 - Rules and regulations for the University of Washington governing student education records
  • WAC 478-268 - Regulations for the University of Washington libraries
  • WAC 478-250 - Governance for indexing of public records
  • WAC 478-276 - Governance for access to public records
  • WAC 292-130 - Protection and management of public records
Revised Code of Washington (RCW) sections:
  • RCW 40.14 - Records management, retention, and destruction
  • RCW 42.17.020 - Public records "writing" inclusive of graphics and computer records
  • RCW 42.17.310 - Private and vital public records that are exempt from disclosure
  • RCW 5.60.060 - Communications made to a public officer in official confidence, when the public interest would suffer by disclosure
  • RCW 42.52.050 - Confidential information records improperly concealed
  • RCW 42.52.260 - Documents and indexes to be made public
  • RCW 70.02 - Uniform Health Care Information Act
  • RCW 71.05.390-420 - Mental health records
  • RCW 71.34.200 - Mental health care record of juveniles
  • RCW 70.24.105 - HIV/STD information
  • RCW 9.73 - Privacy Act
  • RCW 19.190.020 - Unsolicited Electronic Mail Act
  • RCW 9A.48.100 - Malicious mischief
  • RCW 9A.52.110, 120, 130 - Computer trespass
United States Code (U.S.C.) sections:
  • (5 U.S.C. 552a) Privacy Act - Collection, notification, disclosure, and handling requirements of personal data
  • (18 U.S.C. 2701, et seq.) Electronic Communications Privacy Act - Prohibitions for persons tampering with computers or accessing certain computerized records without authorization. The Act also prohibits providers of electronic communications services from disclosing the contents of stored communications.
  • (21 U.S.C. 1232g) Family Education Rights and Privacy Act [FERPA] - Protection, access, and disclosure of educational records and the ability to ensure their completeness and accuracy by a student or the parent of a minor student.
  • (Public Law No. 104-191 262,264: C.F.R. 160-164) Health Insurance Portability and Accountability Act [HIPPA] - Security and privacy of individually identifiable health information that is maintained or transmitted by a covered entity. HIPPA also requires these covered entities to apply many of its provisions to their business associates, researchers, employers, and others.
  • (42 U.S.C. 242m) - Prohibitions of disclosure of data collected by the National Centers for Heath Services Research and for Health Statistics that would identify an individual in any way.
  • (21 U.S.C. 1175; 42 U.S.C. 290dd-3) Drug and Alcoholism Abuse Confidentiality Statutes - Prohibition of disclosure of information collected for federally funded research and treatment of drug abuse and alcoholism.
  • (5 U.S.C. 552) Freedom of Information Act [FOIA] - Provisions for access to many types of records that are exempt from access under the Privacy Act, including many categories of personal information.
  • (39 U.S.C. 3623) Mail Privacy Statute - Prohibitions of opening mail without a search warrant or the addressee's consent.
  • (29 U.S.C. 1025, et seq.) Employee Retirement Income Security Act - Employer requirements to provide employees access to information about their accrued retirement benefits.
  • (42 U.S.C. 2000e, et seq.) Equal Employment Opportunity Act - Restrictions on the collection and use of information that would result in employment discrimination on the basis of race, sex, religion, national origin, and a variety of other characteristics.
  • (18 U.S.C. 1029) Fraud and Related Activity in Connection With Access Devices - Prohibitions and penalties associated with unauthorized possession and fraudulent use of access tokens, passwords, etc.
  • (18 U.S.C. 1030) Fraud and Related Activity in Connection With Computers - Prohibitions of unauthorized access and use of electronic systems.
  • (18 U.S.C. 1362) Communication Lines, Stations, or Systems - Prohibitions of malicious or willful destruction or intent to destroy or disrupt communications systems within the U.S.
  • (18 U.S.C. 2510, et seq.; 47 U.S.C. 605) Wiretap Statutes - Prohibitions of the use of eavesdropping technology and the interception of electronic mail, radio communications, data transmission, and telephone calls without consent.
  • (18 U.S.C. 2703) Requirements for Government Access - Rules for government agencies for obtaining disclosure of an electronic communication from a provider of such services<./li>
  • (47 U.S.C. 1001) Communications Assistance for Law Enforcement - Preserving law enforcements ability to engage in lawful electronic surveillance in the face of new technological developments.
  • (15 U.S.C. 6501 et seq. 16 C.F.R. ¤ 312) Children's Online Privacy Protection Act of 1998 - Requirements that a Web site directed at children under 13 years of age to obtain "verifiable parental consent" before collection personal information from children.
  • (H.R. 3162) "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001" [USA PATRIOT ACT] - A variety of special laws specific to countering terrorist acts including expanded investigative options for law enforcement.
  • (28 CFR Part 20, Section 20.33 and elsewhere) - Restrictions on criminal history records remaining in control of criminal justice agencies.
Other primary authorities
Additional information sources regarding policy formulation
 
About IT Connect | News Feed | News Archive | Contact IT Connect