Secure Computing

St. Cloud State recommends using Microsoft Defender for Windows 10 and Sophos Antivirus for Mac Home Edition software to help faculty, staff and currently enrolled students protect their home computers. Microsoft Defender is built in to all Windows 10 computers, learn more below. These antivirus software options are available at no extra cost to you.

• Microsoft Comprehensive Security
• Download Sophos for Mac Home Edition

If you are using Windows 7 SCSU highly recommends moving to Windows 10 to receive current security updates. Support for Windows 7 has ended.

Be sure to update your virus definitions or schedule them to update automatically to ensure protection.

Multi-factor authentication (MFA) enhances data security by verifying a user’s identity through multiple methods such as:

• Something you know (e.g. username and password),
• Something you have (e.g. mobile phone), and/or
• Something you are (e.g. fingerprint).

St. Cloud State requires multi-factor authentication for Office 365 employee and student accounts. MFA for O365 verifies an individual’s identity through their username/password combination, and device(s) they select (e.g. their mobile phone and/or work phone).

MFA is critical for Office 365 services at SCSU to ensure only authorized users have access to restricted and confidential data, and reduce phishing attacks on our campus community.

Learn more about MFA for Office 365.

Internet Guardian is a security service implemented system-wide for all Minnesota State institutions. This service will help protect the St. Cloud State campus community from various internet threats, including phishing attempts and accidental downloads of malicious software like malware.

The service will mostly be invisible to the campus community except for those times that a user clicks on a malicious link or visits a web page identified as containing malicious software. If this happens, you will be alerted by a browser screen that informs you why your access to a site was blocked.

If you feel the site was blocked in error, the system will allow you to report the issue to the MinnState Help Desk. If you you have a legitimate need to access a blocked site, please contact Phil Thorson, Deputy CIO, and we will work with the Minnesota State System Office to provide solutions that can reach these “bad” destinations without endangering the rest of the campus network.

The service will not protect against all security threats so we are asking users to forward all suspected phishing emails to phishing@stcloudstate.edu and continue to practice safe computing habits.

MoveItSecurely, licensed through the Minnesota State System, allows you to transfer non-public/restricted data and large files securely to another person via a secure server. This service is available to faculty, staff, and students with a StarID. Recipients do not need a StarID.

As the sender, you can indicate how many days the recipient has to download the file(s) from their MoveItSecurely "in box." Files can be saved for up to 14 days.

If you have a University owned computer (including Windows or Mac computers), by default, you will not have administrator level access on your machine. The computer has been configured as part of a centrally managed service to automatically receive updates and security patches and software installed either automatically, or by ITS staff, for you. This allows us to ensure that the University network and its users are not put at risk by computers having incorrectly configured, malicious or out-of-date software installed on them.

While this is suitable for most staff in the University, we recognize there are situations that mean some staff may need the level of flexibility given by having local administrator privileges on their computer.

Request Administrator Privileges

To request administrator privileges on your computer, please submit the Computer Administrator Privileges request form.

1. Complete and submit the form to HuskyTech@stcloudstate.edu or intercampus mail to Miller Center 102. Please contact your technician or HuskyTech at (320) 308-7000 if you need assistance in completing the request form.
2. After your request is received ITS staff will consult with the requestor to:
   • Identify specific needs and potential alternate solutions.
   • Provide a brief overview of possible issues and ramifications of having computer administer privileges.

Phishing

Phishing is online criminal activity involving fraudulent email messages sent in an attempt to obtain your online account information such as credit card, banking, or logon information. Once the cybercriminals have your account information, they might use it to steal your identity, make purchases on your account, or send out more phishing emails.

Phishing attempts will often:

• impersonate bank, credit card, online services or an organizations IT department using authentic-looking logos
• request personal information or ask for verification or confirmation of information
• include a sense of urgency or threats
• Be themed around current events like holidays, tax season, or Covid-19
• have poor grammar and/or spelling mistakes
• include hyperlinks that have text labeling them as one thing, but by hovering over the link, the actual url will be different.

Scams

Scams usually arrive by email in the form of spam or fake virus or vulnerability warnings, promotions or offers that sound too good to be true.

Common scams include but are not limited to:

• "If you receive an email titled [virus hoax name], do not open it! Delete it immediately!"
• "This virus was announced today by" (reputable organization name specified here, such as Microsoft or IBM)
• multiple > > > > > signs in front of each line
• email chain letters offering you money for passing on the message
• job offers including "work part time from home" or "$300 for a few hours a week"
• Gift card or wire transfer requests
  

Ransom or Extortion emails

In these emails the cybercriminals claim they hacked into your computer and installed malware. They will include a demand for money, often Bitcoin, and threaten to release private information about you if you don’t pay in a certain amount of time.

• claim to have your personal data and files
• may say they have recorded you visiting questionable websites
• can include a password from a recent data breach to make it more believable

Reporting suspicious emails

• If you receive a spam or phishing message to your inbox, please report it using the built-in "report message" function in Outlook. For instructions, refer to the How to Report Spam and Phishing Messages knowledge base article.
• If you don’t have the "report message" option: Create a new, blank email message with the following recipient: phishing@stcloudstate.edu
  • Drag and drop the phishing message into the new message. This will save the junk or phishing message as an attachment in the new message.

Junk Email folder

• St. Cloud State email utilizes Microsoft’s Advanced Threat Protection service. This service helps protect us from malicious phishing attacks by automatically sending most spam and phishing messages to the “Junk” folder.
• We caution all users from opening, forwarding, moving, or responding to any messages in the Junk Email folder. Unless you were expecting a message or see a message that was incorrectly identified as Junk, all messages in the Junk Email folder should be considered potentially harmful and can safely be ignored.
• Email in the “Junk” folder does not need to be reported, as the service has already determined that the messages are not legitimate.  

Safe Links

• Safe Links is a feature that provides an extra layer of security on hyperlinks in email messages. When a link is clicked, the destination is first checked against know malicious websites. If the link is determined to be malicious, a page opens explaining the site is blocked.
• Reference the Office 365 ATP Safe Links and Safe Attachments FAQ knowledge base article for more information.

The downloading or distribution of copyrighted music, movie and other content from online sites that offer these items free of charge is illegal, in direct violation of the federal Digital Millennium Copyright Act, against Minnesota State and SCSU policy, and pose cybersecurity risks to you and others on SCSU networks.

Pirate websites, stream-rippers, and Peer to Peer (P2P) networks are some common methods of obtaining, distributing, or sharing of these illegally pirated materials.

Risks

Copyright Infringement

This is a serious legal violation. Most music and movies are protected under federal copyright law and cannot be freely shared. Court cases and fines may be filed against those that illegally download and share protected content.

The Digital Millennium Copyright Act, a law intended to address digital copyright issues, has very specific procedures within it that Minnesota State and St. Cloud State University must follow when notified that someone using our network is allegedly violating copyright law. 

Malicious Software

Many P2P applications and pirate websites can install adware and/or spyware on your computer. These programs can cause annoying pop-up advertisements and collect information about you and your computing habits. In addition, these programs often interfere with your computer’s operation and can make tasks such as browsing the Web frustrating.  

P2P networks are also commonly used to spread viruses. While you may think you are downloading a new song or show, you are actually downloading a virus which will infect your computer and spread to other computers on our network and the Internet.

Although anti-virus and anti-spyware program might help, viruses and spyware can be very difficult to completely remove once they get installed. The best way to avoid viruses and spyware is to not engage in activities (such as P2P file sharing) which put your computer at risk.

Resources

• Network and ResNet Acceptable Use Policy
• Copyright Infringement Policy and Sanction Notice
• Legal alternatives

Keep a clean machine

• Keep security software current: having the latest security software, web browser and operating system is the best defense against viruses, malware and other online threats.
• Automate software updates: many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option.
• Protect all devices that connect to the internet: along with computers, smartphones, gaming systems and other web-enabled devices also need protection from viruses and malware.
• Plug & scan: usbs and other external devices can be infected by viruses and malware. Use your security software to scan them.

Protect your personal information

• Lock down your login: fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking and social media.
• Make your password a sentence: a strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, "i love country music."). On many sites, you can even use spaces!
• Unique account, unique password: separate passwords for every account helps to thwart cybercriminals.
• Write it down and keep it safe: having separate passwords for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.

Connect with care

• When in doubt throw it out: links in emails, social media posts and online advertising are often how cybercriminals try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.
• Get savvy about wi-fi hotspots: limit the type of business you conduct and adjust the security settings on your device to limit who can access your machine.
• Protect your $$: when banking and shopping, check to be sure the site is security enabled. Look for web addresses with "https://" or "shttp://," which means the site takes extra measures to help secure your information. "http://" is not secure.

Be web wise

• Stay current: keep pace with new ways to stay safe online: check trusted websites for the latest information, and share with friends, family, and colleagues and encourage them to be web wise.
• Think before you act: be wary of communications that implore you to act immediately, offer something that sounds too good to be true or ask for personal information.
• Back it up: protect your valuable work, music, photos and other digital information by making an electronic copy and storing it safely.

Be a good online citizen

• Safer for me, more secure for all: what you do online has the potential to affect everyone – at home, at work and around the world. Practicing good online habits benefits the global digital community.
• Post online about others as you have them post about you: the golden rule applies online as well.
• Help the authorities fight cybercrime: report stolen finances or identities and other cybercrime to the internet crime complaint center (ic3.gov) and to your local law enforcement or state attorney general as appropriate.

Own your online presence

• Personal information is like money. Value it. Protect it: information about you, such as your purchase history or location, has value – just like money. Be thoughtful about who gets that information and how it’s collected through apps and websites.
• Be aware of what’s being shared: set the privacy and security settings on web services and devices to your comfort level for information sharing. It’s ok to limit how and with whom you share information.
• Share with care: think before posting about yourself and others online. Consider what a post reveals, who might see it and how it could be perceived now and in the future.

• the data elements for which loss of confidentiality could facilitate identity theft; or
• by law, regulation, or contract, the data requires high-level security controls, or
• the loss of confidentiality could cause significant personal or institutional harm

1. Social security numbers
2. Credit/payment card numbers and related information
3. Financial account numbers such as banking or investment account numbers
4. Security or access codes or passwords used to access highly restricted data
5. Personal health/medical information including insurance policy ID numbers and any information covered under HIPAA
6. Non-public investigation data (determined by legal counsel)
7. Credentials for IT systems that manage data elements in this classification level
8. Biometric information
9. Trade secret or intellectual property protected by a non-disclosure agreement

• by law is not public data, or
• requires limiting access to only persons with a legitimate need to know, or
• whose unauthorized disclosure will require statutory notification to affected parties (i.e., breach notification).

Includes:

1. Student records – admission applications, transcripts, exam papers, test scores, evaluations, grades, student discipline, student class schedule, student worker information, financial aid, and loan collection records
2. Student directory information that has been suppressed by the Student class lists
3. College, university, system office, or faculty trade secret or intellectual property
4. Library use information
5. Individual demographics including age, race, ethnicity, gender, citizenship, visa status, veteran or disability status, employee home address/phone, dependent information
6. Faculty/staff employment applications, personnel files, benefits information, birth date, and personal contact information
7. Donor contact information and non-public gift amounts
8. Privileged attorney-client communications
9. College, university or system office internal memos, email, reports, and financial data identified as non-public
10. Driver’s license numbers
11. Student ID numbers (if not directory data) and passwords
12. Employee performance information and other private personnel data
13. Parking lease information
14. Request for proposal vendor responses and scoring information prior to contract award
15. Credentials for systems that manage data elements in this classification level and systems classified as Low
16. Partial social security number
17. Business continuity and disaster recovery plans
18. Security information as defined by Minn. Stat. § 13.37

Institutional data must be classified as "Low" if by law it is available to the public upon request.

Includes:

1. Certain employee information name, job title, job description, work location and phone number, employee identifier, salary, gross pension, value and nature of fringe benefits, payroll time sheets, education/training and previous work experience, first and last employment dates, existence and status of complaints, terms of employment settlement disputes, final disposition of discipline, honors and awards received or as identified as public in Minn. Stat. § 13.43, subd. 2.
2. Student information (unless suppressed by the student) name, other information identified as directory information by the college/university in its published FERPA policy • Financial data on public sponsored projects
3. Course offerings
4. Invoices and purchase orders
5. Budgets
6. “Summary” or statistical data that does not identify an individual
7. Information authorized to be made available on or through a website that does not require a Minnesota State recognized authentication system (e.g., StarID)
8. Published research data
9. Campus maps
10. Job postings
11. Information in the public domain