Cyber Hygiene is a set of best practices users should follow to improve the safety and security of their devices.
For detailed information on minimum security standards for Servers, Endpoint, and Multi-Function Devices based on UH Institutional Data Category type (Public, Restricted, Sensitive, and Regulated), please visit the following page: https://www.hawaii.edu/infosec/minimum-standards/
When working with Regulated Data, please refer to the applicable Standard, Act, or Policy (e.g., CMMC, PCI DSS, HIPAA, FERPA, NIST SP800-171, etc.) for specific details on any additional controls needed.
|Anti-Malware Software and Host Based Firewalls
Install Anti-Malware software and ensure its signatures are regularly updated. Anti-Malware software is a key protective measure to detect, quarantine, and remove various types of malware.
McAfee anti-virus software is licensed by the University of Hawaiʻi (UH), Information Technology Services (ITS) site license for use by active UH faculty, staff, and students: https://www.hawaii.edu/askus/1254
In addition to installing Anti-Malware software, most modern Operating Systems include built-in firewalls, which are commonly referred to as Host Based Firewalls. Host Based Firewalls run on your device and provide an additional layer of protection from network cyber attacks.
|Regularly Update Software
|Regularly performing software updates is one of the most effective steps one can take to improve their overall cybersecurity posture. Software updates can be for operating systems, firmware, patches, and security fixes. Most software today will automatically check for new updates.
Users are strongly encouraged to use Multi-Factor Authentication (MFA) whenever possible. The use of MFA is an additional layer of protection on top of your existing username and password. With MFA, you will need a second factor, such as your smartphone, to successfully log in. This makes accessing your account by attackers more difficult as they will need both your password and second factor to be successful.
ITS supports the use of MFA. Please visit the following sites for further information on MFA and how to set it up:
|Set Strong Passwords
Compromised or Exposed Passwords: If your password has ever been compromised or exposed in a data breach, this password should NEVER be re-used anywhere else.
Strong passwords are key to protecting unauthorized access. Best practices include:
With the use of Multi-Factor Authentication:
Without Multi-Factor Authentication:
Additional best practices include:
Data resides in numerous places, whether it be desktops, laptops, and removable storage media (USBs, external hard drives, and CD/DVDs). Attention is especially necessary if this data is considered sensitive. In order to protect sensitive information, the use of encryption is a key way to safeguard this data.
The following article discusses the encryption options available: https://www.hawaii.edu/infosec/resources-tips/encryption/
When sending files, consider using the UH File Drop service: https://www.hawaii.edu/filedrop/
|Back Up Your Data
|Regularly back up your data, either on removable media or within a cloud based service like Google Drive. This includes ensuring your data is encrypted when backed up. Backing up data is critical in the event your data is corrupt, lost, stolen, or is no longer recoverable.
|Lock your Devices
Whenever you step away from your device, lock the device so that a password is needed to regain access. This prevents others from accessing your information without the need for a password.
Configure your device to also automatically lock after a period of inactivity. The recommended setting is to automatically lock the device after 10 minutes or less of inactivity.
If you are done working with your workstation for the day, consider shutting it down or at the very least log out.
|Limit the use of Administrative Accounts
Administrative accounts are privileged accounts which can perform many actions a non-privileged user account cannot. Examples of these privileged actions include installing software, disabling anti-malware software, adding and removing user accounts, and stopping/starting services.
If a non-privileged account is compromised, the amount of damage done will most likely be minimized. The recommended best practice is to use a non-privileged user account for normal day to-day activities like using the internet and email. When you need to perform actions like installing or removing software, you log in with a privileged account, and then log out when done.
Phishing is one of the most common and simplest ways attackers attempt to compromise your device and steal your sensitive information. Best practices to minimize your chances of becoming a victim:
For more details, please visit the following:
|Mobile Device Security
Mobile devices also have cyber hygiene best practices due to their portability and common every day use. In addition to the other cyber hygiene best practices:
|Internet of Things (IoT) Devices
US-CERT refers to the Internet of Things (IoT) as any “object or device that sends and receives data automatically through the Internet. This rapidly expanding set of “things” includes tags (also known as labels or chips that automatically track objects), sensors, and devices that interact with people and share information machine to machine.”
Common IoT devices include Network Attached Storage (NAS), sensors (e.g., Temperature Readers), Universal Plug and Play (UPnP), and IP devices like routers, cameras and printers.
Due to the increasing popularity of IoT devices at work and home, this section will discuss the risks, best practices, and how other Cyber Hygiene Best Practices (CHBP) work together to collectively reduce the risk exposure of these devices.
When evaluating IoT devices for a work or home environment, if the IoT device does not have these basic features, you are increasing the risk of the device being compromised.