Educate employees about common tactics that attackers use and encourage them to report unusual crashes or systems operating very slowly.
Engage proactively with your organization’s Information Security Office.
While these are all great advice, they're akin to saying "drive safely" rather than offering actionable advice like "buckle your seatbelt" or "keep at least one car-length between you and the car in front of you for every 10 miles per hour."
So, we're expanding on this list with tips on how to accomplish each item:
1. Implement multi-factor authentication.
At UC Davis, this means using Duo, which is now enabled for all individual accounts. But you shouldn't stop with protecting your UC Davis account! We highly recommend enabling MFA for all of your online accounts that support it. Here are links explaining how to do that for several popular platforms:
In particular, we strongly recommend enabling MFA for any financial accounts (banks, investment, retirement, tax preparation, etc.)
We're working toward expanding the use of Duo for additional services including computer logins—particularly for connecting to both servers and individual workstations remotely.
One critical point about Duo and or any other MFA: if you receive MFA prompts that you did not initiate, it's a likely sign that someone is trying to break into your account. Please report any unexpected Duo prompts that you receive promptly!
2. Deploy modern security tools.
LS IT deploys a variety of security tools to the networks and computers we manage. Our current antivirus/antimalware platform is Sophos, though we are exploring switching to an alternative over the next year.
For personally-owned computers, we recommend the built-in Microsoft Defender on Windows systems and the free Sophos Home for Macs.
We are also improving our network security with a planned upgrade of our network firewalls over this summer. We'll be saying more about this in some an upcoming edition of Tuesday Tips!
3. Make sure your systems are patched and protected.
But there is an important aspect of patching where we need your help: in most cases, patches are not fully applied until your computer is restarted. When you receive a prompt reminding you to restart to apply updates, please take action on it as soon as you can without interrupting your work.
On both university-owned and personal devices (including mobile phones and tablets!) the most critical aspect of patching is keeping your device's operating system up to date. For macOS, Windows, iOS, and Android operating systems, the manufacturers only provide security patches for a limited time. While updating your OS can be disruptive, running an OS that is no longer receiving updates puts your device at serious risk (and violates UC policy). We recommend that you keep your OS version current. If you're running any version older than Windows 10, macOS 10.15 Catalina, iOS 15, or Android 10, please upgrade to a supported version.
An unfortunate reality is that older devices that cannot run current OS versions are inherently insecure. It hurts to consider recycling still-functioning devices just because they no longer receive software updates, but the risks of continuing to use an unsupported device can easily outweigh the cost of replacement. UC Davis and LS IT have programs in place to securely and responsibly recycle outdated technology—just contact LS IT to arrange pick-up or drop-off of old devices, and we'll handle securely wiping them and recycling them appropriately.
4. Back up your data.
Data backup is hard and expensive to do well. And, unfortunately, it's an area where UC Davis has struggled to provide robust services. There is a UC-wide effort focused on research data to explore better storage and backup options, and LS IT is participating in that effort. But we do have some services and recommendations in the meantime:
UC Davis offers the CrashPlan cloud backup service at a cost of $100/year for up to 4 computers. Just contact LS IT to get started with CrashPlan.
For specialized backup needs such as lab servers or high-sensitivity data, please contact LS IT to consult on available options.
5. Test your emergency plans.
If you're going skydiving, you probably want some assurance that the parachute strapped to your back has been tested. In most cases, this recommendation is handled for you either at the campus level or by LS IT. But there is one area related to #4 above that is critical: Don't just assume your backups are working correctly, periodically verify them!
We had a recent heart-stopping incident where a staff member's MacBook failed and we discovered only then that—even though the laptop had CrashPlan installed—the CrashPlan client wasn't correctly configured and hadn't backed up the critical data. Luckily, we were able to pay for data recovery services to get the data back (at significant cost).
Our recommendation is to set a calendar reminder for once a quarter to check that whatever backup system you're using has correctly backed up some recently-changed files AND that you can restore those files successfully.
6. Encrypt your data.
For all Windows and Mac computers that LS IT deploys, we enable full disk encryption along with key escrow. If your university laptop is lost or stolen, you have strong assurances that someone will not be able to access your data.
For personally-owned computers, we recommend that you enable the built-in full disk encryption systems, BitLocker for Windows and FileVault 2 for Mac. Both of these systems will give you the option to back up your encryption keys, which you should absolutely do and store in a safe place. You will hopefully never need it for normal operations, but there are cases (such as if the computer fails and you need to recover the data from the disk) where your data cannot be recovered without the key!
One common "gotcha" with encryption is that people forget about protecting backup disks, external hard drives, thumb drives, and other portable media. Both Windows and macOS support encryption for portable devices.
We increasingly use cloud-based services for storing and processing data. When evaluating cloud services, make sure that the service encrypts your data both "in flight" (while the data is being transmitted between your computer and the service) and "at rest" (while the data is stored on the cloud service). This is one of the service features we verify when conducting a Vendor Risk Assessment. Campus-licensed cloud services including Box, OneDrive, Canvas, and many others provide strong data encryption in flight and at rest.
7. Educate employees about common tactics that attackers use and encourage them to report unusual crashes or systems operating very slowly.
If you've read this far, congratulations: you're actively doing #7!
Here are some additional resources:
You can check for and report suspected phishing (including SMS-based phishing, voicemail-based phishing, and any other social engineering attack) at the UC Davis Phish Bowl.
8. Engage proactively with your organization’s Information Security Office.
For any questions or concerns about cybersecurity, please don't hesitate to reach out. In general, we recommend starting with LS IT, and we can provide concierge service for any issues that need to be escalated to the campus Information Security Office.
The Computational Research Service in May will offer a couple of advanced topics workshops for Stata. Enrollment is limited to a minimum of 4 and maximum of 6 participants. These tutorials will cover intermediate to advanced topics and a more detailed description can be found at: https://www.crs.ucdavis.edu/training
Stata Programming Topics: Macros and Loops: Friday, May 13, 2022. 3-5:00pm
For Stata users with 1-2 years of experience, a tutorial on how to leverage macros and branching which can make short work of large repetitive tasks. If you find yourself using a lot of cutting and pasting to accomplish something in Stata, then this is the class for you!
Stata Programming Topics: Matrices and Python: Friday, May 20, 2022, 3-5:00pm
A tutorial for users with 1-2 years of experience on how to manipulate matrices in Stata as well as an introduction to Python integration and how it can be used to augment Stata sessions. A mixture of old and new techniques, this workshop is designed to explore key but often overlooked features in Stata.
To enroll, please email the instructor jedaniels@ucdavis.edu to reserve a place. Additional sessions may be added to reflect demand.
Open Educational Resources (OER) Discovery Workshop
Thursday, May 5, 12:00 to 12:45pm – Online (via Zoom) and in-person (Shields 205)
Open educational resources encompass many types of teaching materials, including textbooks, assessment tools, and digital media. Learn strategies for finding, revising, and using OER that align with your syllabi. Explore and evaluate resources, and receive an introduction to Creative Commons licensing. No prior knowledge or experience with OER is necessary.
Register to joinonline via Zoom or in-person (box lunch provided). Open to UC Davis instructors, teaching faculty, graduate students and staff. Questions? Contact the UC Davis Library’s AggieOpen program at aggieopen@ucdavis.edu.
Quick Updates and Reminders
Supply Chain Delays
We continue to experience the effects of global supply chain delays on monitors, printers, some computers, and other equipment. In many cases, items we order today are not shipping for up to 6 months—and sometimes longer. Even when vendors provide an estimated ship date, we are frequently seeing those dates ship by weeks or months. Please plan ahead by ordering as soon as possible, and please be patient.
Supported macOS Versions
If you are running an older version of macOS than 10.15 Catalina, you are no longer receiving security updates and are out of compliance with UC-wide policy. Please contact LS IT for assistance upgrading to a supported macOS version.
UC Davis Phish Bowl
The UC Davis Phish Bowl is a fast place to check whether a suspicious email you've received is phishing or legitimate.
Letters and Science IT
Monday - Friday 7:30AM - 6:00PM
530-752-8800 lshelp@ucdavis.edu
2235 Social Sciences & Humanities
