This document is available on the Department of Chemistry and Chemical Biology web site. Any changes will be approved by the Director of Computing and the Executive Director of Administration, and a notice on the web site will direct users to the new version.
Please note: this section was originally written as a stand-alone document to be distributed to account holders on the FAS-ADMIN LAN.
The following document is intended as a guide for use of the Department of Chemistry and Chemical Biology network. The goal of this document is to make you aware of security issues surrounding your account and use of the network. Though this document is not all-encompassing, the methods and descriptions outlined below should be followed to help make the server as secure as possible. If you have any questions regarding anything you see contained in this document, please don't hesitate to call me.
Passwords
The first line of defense for our network is password protection. Just like a fort with many gates, our network is made up of many points of entry. Specifically, the thousand or so workstations that access our server from around the university are all potential entry points for intruders with malicious intent. If security is compromised at any of these locations, the security of the whole network is compromised.
Password Security:
You should never tell anyone your password!
1. DO NOT share passwords with co-workers for any reason!
2. DO NOT write your passwords down! No matter how clever the hiding place, they can be found and used without your knowledge.
Choosing a safe password:
Choosing a safe password is very important to the safety and security of the whole network. If one account is compromised, the security of the whole network is jeopardized. Therefore, it is critical that you do all you can to ensure the integrity of your password. Below, I've listed some guidelines that will help you pick a password.
Your goals in choosing a password are:
1. The password should be easy for you to remember.
2. The password should not be easily guessed by others.
A successful password adheres to the following guidelines:
1. Must contain at least four (4) distinct characters, with a minimum length of seven (7) characters and a maximum length of twelve (12).
2. Must not contain: #, @, :, ^X, ^U, ^S, ^Q (^ means the control key), the delete key, or the backspace key.
3. Must contain alphabetic and non-alphabetic characters.
4. Must not contain any three (3) consecutive characters from your name, address, or userid.
5. Must not be physically sequential keys on the keyboard (forward, backward, or diagonally).
6. Must pass a dictionary check that looks for (and rejects passwords with):
   a. Four sequential characters that comprise a word (forward or backward).
   b. Five sequential characters that comprise a substring of a word.
   c. Alphanumeric strings where substituting 0=O, 1=L, 1=I, 2=A, 3=E, 4=A, 4=H, $=S would create a word that would not pass the other checks.
7. Must not contain common data formats such as xxx-xx-xxxx.
8. Must not contain common date formats such as dd-mmm-yy, dd/mm/yy, or mmmyyyy.
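The guidelines above describe a password-acceptance filter. The Python checker below is an added illustration, not the department's own checking software; it implements each rule against a constructed miniature word list and keyboard layout, and the three-key run length and the omission of the diagonal check are assumptions, since the policy states neither.

```python
import itertools
import re
# Constructed stand-ins, not the department's real lists: a tiny dictionary and keyboard rows.
WORDS = {"flag", "pledge", "secret", "password", "allegiance", "chemistry"}
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
FORBIDDEN = set("#@:\x18\x15\x13\x11\x7f\x08")  # #, @, :, ^X, ^U, ^S, ^Q, DEL, backspace
SUBS = {"0": "o", "1": "li", "2": "a", "3": "e", "4": "ah", "$": "s"}  # dictionary-check table
FORMATS = [r"\d{3}-\d{2}-\d{4}", r"\d{2}-[a-z]{3}-\d{2}", r"\d{2}/\d{2}/\d{2}",
           r"(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\d{4}"]  # xxx-xx-xxxx, dates

def variants(pw):
    """Every spelling obtained by undoing the 0=O, 1=L, 1=I, ... substitutions."""
    return {"".join(p) for p in itertools.product(*[SUBS.get(c, c) for c in pw.lower()])}

def dictionary_hit(pw):
    """Dictionary check: a 4-char window that is a word, or a 5-char window inside a word,
    read forward or backward, on the password itself or any de-substituted variant."""
    for cand in variants(pw):
        for s in (cand, cand[::-1]):
            if any(s[i:i + 4] in WORDS for i in range(len(s) - 3)):
                return True
            if any(s[i:i + 5] in w for w in WORDS for i in range(len(s) - 4)):
                return True
    return False

def keyboard_run(pw, n=3):
    """Rule 5, simplified: n adjacent keys in one row, forward or backward.
    n=3 and the missing diagonal check are assumptions; the policy states neither."""
    p = pw.lower()
    return any(seg in row or seg[::-1] in row
               for row in KEY_ROWS for seg in (p[i:i + n] for i in range(len(p) - n + 1)))

def personal_overlap(pw, personal):
    """Rule 4: any 3 consecutive characters of the user's name, address or userid."""
    return any(f[i:i + 3] in pw.lower() for f in map(str.lower, personal) for i in range(len(f) - 2))

def check_password(pw, personal=()):
    """Return the list of rules the candidate breaks; an empty list means it is accepted."""
    rules = [
        (not 7 <= len(pw) <= 12, "length must be 7 to 12 characters"),
        (len(set(pw)) < 4, "needs at least 4 distinct characters"),
        (bool(FORBIDDEN & set(pw)), "contains a forbidden character"),
        (pw.isalpha() or not any(c.isalpha() for c in pw), "needs alphabetic and non-alphabetic characters"),
        (personal_overlap(pw, personal), "shares 3 consecutive characters with name/address/userid"),
        (keyboard_run(pw), "contains physically sequential keys"),
        (dictionary_hit(pw), "fails the dictionary check"),
        (any(re.search(f, pw.lower()) for f in FORMATS), "matches a common data or date format"),
    ]
    return [msg for broken, msg in rules if broken]
```

The two sample passwords given later in this document, IPA75TTF and 03TWM26, both come back with an empty list, while a leet-spelled dictionary word such as Pa$$w0rd1 is caught by the substitution check.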
Suggestions for Password Creation
In general, stick to items you have known (or should know!) over a period of years. Trying to remember the initial letters of your favorite song may be difficult if your favorite changes on a weekly basis! Using your current license plate number is not a good idea, since anyone who knows what car you drive could make a note of your license number and try it as a possible password. The names of your children, spouse, pet, or favorite sports team are also easily determined and could be used by someone less honest than you to try to break into your account.
The suggestions that follow use combinations of letters and numbers. You can further strengthen your password by using some upper case (capital) letters and some lower case (small) letters.
Use the initial letters from an easily remembered phrase, interspersed with numbers. For example, IPA75TTF ("I Pledge Allegiance To The Flag", with a graduation date in the middle).
Choose the initials of someone you know well (not your own) and a date associated with that individual (birthday, anniversary, etc.). Begin your password with the month (numeric), then insert the initials, and end with the day or year. For example: 03TWM26.
Combine the initials of your parents or a sibling with a wedding or other anniversary (EB920TB). (This would be a good way to remember that date, too!)
Combine the first three (or last four) digits of a telephone number with the initials of the individual associated with the number. This one is a little tricky: you don't want to use a phone number that might be published at Rutgers, so your home number is not a good choice here. The work number for one of your children or your significant other might be a possibility, however. House numbers or non-RU post office box numbers are other numbers that could be considered, keeping in mind that you don't want to use anything that might be published.
Choosing a password-generating scheme is really no more difficult, and takes no more time, than choosing a new password. In fact, once you've nailed down the scheme, choosing new passwords from time to time is a snap. Give it a try!
Social Engineering
Due to increased security measures and smarter users, hackers now attempt to gain access to systems using social engineering attacks. These attacks rely on deception to trick a user into providing access to a system. They vary in type, but often take the form of a caller who claims to work for central computer support and requests your username and password, or a web page that appears to ask for your local username and password but is actually sending it to a hacker. Users should NEVER give their password to anyone. Computer support personnel have privileges that allow them to access your information without your password. In the rare instances where support personnel require your password, they will have you enter it for them. Users should be especially cautious when allowing anyone to work on their computer or when answering questions that reveal sensitive security information.
Forgot your password?
Users who have forgotten their password should contact the Computer Support office to have their password reset. Users who are unable to log in successfully after having their password changed, or whose request makes the password administrator suspicious, are required to appear in person to receive assistance.
Diskette and Removable Media Security
Diskettes are just like small filing cabinets and are prone to theft, loss, and damage. Unlike filing cabinets, they are cheap, portable and easy to duplicate.
If you keep files on your personal hard drive (C, D or E drives, if you have them) or on a diskette, remember that they are not backed up. Disks and diskettes can be damaged in such a way that the data they contain is destroyed even if the drive or disk is still operational.
If you have data that you consider so confidential that you do not want it stored on the server, save it to diskettes or your local hard drive.
Please make sure that you have at least one backup of the files on another diskette. Diskettes are the least reliable method of data storage, and you should keep this in mind when storing files on them.
It is not necessary for you to back up files that are stored on servers, because they are backed up every workday.
Diskettes should be locked up any time you are not using them, either in a drawer or a filing cabinet. Remember to think of diskettes as the actual documents they contain. You certainly wouldn't keep confidential reports lying on your desk in plain view for weeks at a time, and you should treat disks the same way.
Local hard drives can also be damaged or stolen, so please make sure you back up your user files on these devices too. It is not necessary to back up the applications on these drives, as they can be restored.
If you have a complicated software setup or many programs, it may be wise to make a complete backup of your local drive(s) in case of emergency. If you feel that this is necessary for your machine, please ask me how this can be accomplished.
Office Security:
All University guidelines should be followed for general office security. Some highlights users should be aware of:
Do not prop open any building doors.
Keep the door to your office locked
when it is unoccupied.
Lock first floor windows, fire escape
windows, and security screens.
Do not allow strangers into the offices. If you see someone who looks suspicious, call the University police immediately.
If your computer will be unattended for more than a few minutes, log out and turn the computer off, or lock the screen.
Conclusion:
In this document, we've looked at password, diskette and office security. Each of these areas is critical to the security of the LAN.
You must remember that every LAN is only as secure as its weakest link. If you compromise the security of your password, or leave a Post-It note with your server password stuck on your monitor, you become that weak link! By following the suggestions we've made for choosing passwords and protecting your office and data, you will also be ensuring the integrity of the entire Department of Chemistry and Chemical Biology LAN.