Frequently Asked Questions

BSD Endpoint Continuous Security Assurance (BigFix)

Q: Why is BSD requiring the installation of BigFix on all desktops and laptops on the network?
A: Having visibility into devices’ security configuration is critical to protecting BSD data and computing resources. This will provide the BSD ISO with an accurate inventory of what devices are on the network and their security configuration status. Insecure devices are both a security and compliance risk to the organization.
Q: What to expect after installing BigFix?
A: The BigFix icon will appear on the System Tray (Windows) or Menu Bar (Mac OS X. The BigFix Client will run in the background and report the initial status of your system to the BigFix Server. BigFix will run in the background, consuming minimal CPU resources, periodically checking in with the server to provide ongoing updates of the system status as well as check for new tasks.
Q: What data does BigFix collect from personal computers? Why is collecting this information necessary?
A: BigFix collects user name and system configuration data such as operating system, CPU, RAM, hard drive space. No personal data or information, such as browser history or files in the hard drive, is collected. All system information retrieved by BigFix is treated as confidential by BSD IT staff. This information is necessary to verify encryption and associate the computer to the owner.
Q: Who has access to the administrator controls for BigFix system?
A: Designated BSD IT Staff has access to the administrator controls for BigFix. All access to BigFix, and actions performed within, are logged and regularly audited.
Q: What processes are in place to prevent unauthorized use of the BigFix system both from internal and external users?
A: In accordance with the University’s Acceptable Use Policy, administrator rights are limited to professional IT staff that follow industry best practices for system administration, including accessing the minimum amount of data to do their work. The BigFix system is housed in the Data Center with restricted physical access and continuous monitoring. Regular patches are applied to ensure system integrity. Administrator access logs are reviewed regularly to ensure appropriate access.
Q: Since I own and administer my computer, which is used only occasionally for BSD business, I can’t cede total control of my computer to a BSD IT administrator.
A: BigFix will not take away any rights/privileges from yours or any other local accounts. You can still install whatever you need without asking permission. It will just grant BSD admins the ability to check for encryption/antivirus software.
Q: Does BigFix prevent me from installing system software updates before they are “officially” approved by BSD IT? I routinely install system security and version updates, and do not want to be told by BigFix that I can’t install an update.
A: No – you can still install any new software or updates – it won’t prevent that.
Q: Does BigFix require an BSD IT’s administrator’s approval to install non-BSD-related software (e.g., personal finance, photography, network, printer, music, game, etc., software)?
A: No, no approval needed.

BSD 2FA (Two Factor Authentication)

Q: If someone is already enrolled in 2FA through the University, do they need to enroll under the BSD as well?
A: Yes, and this is very easy to do.  The Duo app that you use for cVPN is the same one you would use for BSD VPN. You would merely be adding a second key.
Q: Will 2FA affect all the applications I can access?
A: No. 2FA will only affect specific BSD protected sites and application.
Q: What is Duo?
A: Duo is a mobile application used by the University of Chicago Biological Sciences Division to facilitate 2FA. Using Duo, users can approve or deny log in requests, either through the app itself and via push notifications sent by the app. If a user is not connected to the Internet, he or she can also generate passcodes that can be used for log in. Duo Mobile is available for iOS devices on the App Store and for Android devices on Google Play; it is also available as an app on the Blackberry and Windows platforms.
Q: How long does 2FA last?
A: You may allow 2FA to last for 30 days by selecting the “Remember this device for 30 days” option near the bottom of the Two-Factor Authentication screen, which appears after you have logged in using your BSDAD username and password.
Choosing the “Remember this device for 30 days” option means that after authenticating via 2FA only once, you will be able to access all effected sites and services.
Q: How do I add a new device?
A: Visit https://2fa.bsd.uchicago.edu and click on Manage Devices.
Register your new phone, tablet, desk phone or token. Register your new phone, tablet, desk phone or token.
Q: What if I lose my phone?
A: See BSD 2FA – Lost or Stolen Device Procedure.
Q: I replaced my cell phone. How do I activate 2FA on my new phone?
A: See BSD 2FA – Lost or Stolen Device Procedure.
Q: Can I use multiple devices with 2FA?
A: Yes! In fact, we strongly encourage you to register multiple devices. Register your mobile phone, your landlines, and your tablet.
Q: I disabled push notifications for Duo on my phone (iOS) and want to re-allow them. How do I re-enable push notifications?
A: To re-enable or re-allow push notifications on your iPhone if you have disabled them, go into Settings and select Notification Center. From there you can re-enable the push notifications for the application.
Q: How does the 2FA text passcodes service work?
A: You may choose to have a set of 10 passcodes sent to your registered smartphone from the Manage Devices screen from the 2FA website: https://2fa.bsd.uchicago.edu. Simply find your smartphone from the list of your registered phones and click on the Text Passcodes button. A list of 10 one-time-use passcodes will be sent to your phone via text. To use one of the one-time passcodes, select Passcode at the Duo Prompt screen and click Log in to continue. It is important that you keep track of which codes you use; the passcode will be invalidated after you enter it. You can print out the list of passcodes to keep in a secure location for your use anytime you don’t have access to your regular devices.
Q: Can I use Duo without incurring any data or text message costs?
A: Yes. After selecting the Duo app on your smartphone, select the Duo key icon in the upper right-hand corner of the screen to generate a passcode. Generating passcodes does not send any kind of message or use data and you can generate passcodes even when you are not connected to a network. Using DUO to generate passcodes will not incur any data or text message costs.
Q: I’m going to be traveling and won’t have reliable cellular network access. Can I still use 2FA if I don’t have network access via my phone?
A: Yes. You can click on the key on the upper right-hand side of the screen in DUO on the iOS and Android or the Generate Passcode button on Microsoft OS devices to generate a numeric passcode that you can use even if your phone does not have any network connection. Alternatively, you can use the 2FA text passcodes feature (for more information, see question above “How does the 2FA text passcode service work?”) to generate a list of single-use passcodes that you can use if you won’t have any access to your phone at all.
Q: Do I still need to change my password regularly if I use 2FA?
A: Yes! Additionally, if you suspect your account or password has been compromised, you should report it to security immediately.
Q: What if I have other questions and issues?
A: Feel free to reach out to the Biological Sciences Division’s Information Security Office with any questions. Please send emails to security@bsd.uchicago.edu.

BSD Center for Internet Security

Q: What are CIS Security Benchmarks?
A: The CIS Security Benchmarks Division provides well-defined, unbiased, and consensus-based industry best practices to help the BSD assess and improve security. Resources include secure configuration benchmarks and automated configuration assessment tools (CIS-CAT).The CIS Security Benchmarks Division develops and distributes:
  •  Security Configuration Benchmarks – 94 Benchmarks which describe best practices for the secure configuration of target systems and are developed via extensive collaboration with the CIS volunteer consensus community.
  •  The CIS-CAT Benchmark Assessment Tool – provides systems administrators with a fast, detailed assessment of target systems’ conformance to CIS Benchmarks. The CIS-CAT Assessment Tool is available only to CIS Security Benchmarks Members. Members can download CIS-CAT from the CIS Members Website. You can try out CIS-CAT lite here.
Q: Why should we use CIS Security Benchmarks?
A: The Security Configuration Benchmarks are globally used and accepted as the de facto user-originated standard for IT security technical controls. Configuring systems in compliance with these Benchmarks has been shown to eliminate 80-95 percent of known security vulnerabilities. The BSD Information Security Office is developing system-hardening standards down to the most critical steps for your systems, with a particular focus on configuration issues that are unique to the computing environment at University of Chicago, and will use the assessment tool to validate that systems meet the established system-hardening and security configuration standards.
Q: How do I get started?
  • To register, go to http://workbench.cisecurity.org/registration/ and complete the registration form. You must have a valid BSD email address. After a simple account validation step, you will receive an email indicating that your registration has been activated, along with a temporary password.
  • Log in to https://workbench.cisecurity.org/ to download and review CIS benchmarks for your platforms. Benchmarks are available as PDF reference worksheets for system hardening.
  • Download the CIS-CAT Benchmark Assessment Tool (available on the member website) and run against a representative hardened system. This cross-platform app examines your system and produces a report comparing your settings to the published benchmarks.
  • Participate in the CIS member forums to provide feedback, make suggestions, and discuss the CIS tools with other members.

Q: How do I use the tools?

A: The following tutorials are available:
Q: Where can I find more information?
A: If you have any questions about registration or accessing the tools, you can contact the BSD Information Security Office at security@bsd.uchicago.edu.

BSD Laptop Encryption Acceleration Program

Q: What is laptop encryption, and what does it do?
A:
Laptop encryption is a technology that protects the contents of your laptop from unauthorized access by converting the contents into unreadable code that cannot be deciphered easily.
Q: Why do I need to encrypt my laptop?
A: We must protect University data on laptops’ hard drives from unauthorized access when laptops are lost or stolen. If a device is stolen or lost, the BSD and University can be subject to serious consequences, depending on the nature of the data lost with the device.
Q: I don’t have PHI; why do I need to encrypt?
A: Encryption helps protect you if you store, send, or receive any Confidential Information. Examples include, but are not limited to:
  • Social Security numbers
  • Financial information, such as credit card and bank account numbers
  • Protected Health Information as defined by HIPAA
  • Research information
  • BSD proprietary information
  • Attorney/Client Information
  • Private Personal Information
  • Student Education Records
  • Student Loan Application Information
The full description of Confidential Information can be found in the Treatment of Confidential Information Policy. If a laptop is misplaced, lost, or stolen and is not encrypted, the burden of proof is on the BSD to prove that there was no confidential data stored on the laptop. This is done through forensic investigation, which typically costs $1000-$1500 per device. The forensic investigations and costs can be avoided if the laptop is encrypted.
Q: What type of encryption software is approved for use on BSD laptops?
A: Bitlocker for Windows laptops and Apple’s FileVault 2 for Mac laptops running OS X 10.7 Lion or higher. We also approve the use of Credant DDPE, which is provided by UCMIT.
Q: How much does it cost to encrypt my laptop?
A: For any BSD-owned laptop, encryption is provided at no additional charge. We will also consider encrypting your personal laptop for no additional charge if used for work-related activities.
Q: What if my computer is already encrypted?
A: As long your laptop is encrypting using Bitlocker for Windows and Apple’s FileVault 2 you don’t have to make any changes. All you need to do is register your laptop with the BSD ISO at  https://redcap.uchicago.edu/surveys/?s=frPnX2cPHE.
Q: Why do I need to register my laptop if its already encrypted?
A: If your computer is lost of stolen, documentation of it having been encrypted can save you and the University lots of time, money, and unwanted notoriety.
Q: Can I encrypt my laptop?
A: Yes, you can  encrypt your laptop using Bitlocker for Windows laptops instructions provided by Microsoft or FileVault 2 for MAC laptops provided by Apple. It is very important to remember your password correctly, without it only the recovery key can be used to decrypt data on the laptop. To prevent data loss after you manually encrypt your laptop the BSD ISO provides encrypt key escrow services.
Q: How do I securely store my encryption key?
The BSD Information Security Office provides secure encryption key escrow service (i.e safe deposit box for your encryption key). You can opt-in for this services when you register your device at  https://redcap.uchicago.edu/surveys/?s=frPnX2cPHE. This service is provided by default when you schedule encryption by appointment or user the self-service portal for Macs.
Q: How long does it take to encrypt my hard drive?
A: It takes about 15 minutes to install the encryption software, and then between 4 and 10 hours to finish the encryption, during which time you can use your computer normally. After the initial encryption is complete, the encryption should not disturb you while you work.
Q: Will my computer run slower once it is encrypted?
A: In general, this is unnoticeable on all but very old laptops — i.e., those more than four years old.
Q: Can I use Boot Camp on my Mac after it is encrypted?
A: With Boot Camp enabled on a Macintosh running OS X, FileVault 2 will only encrypt the Mac OS Partition. A Windows partition created using Boot Camp will remain unencrypted on the disk. Therefore, BSD-owned laptops cannot run Boot Camp. OS X users needing to run Windows must use a VM environment such as VMWare Fusion.

BSD Security Assessment and Authorization (SAA)

Q: Is there a way that I can confidentially submit a system for review?
A: Contact the BSD ISO directly via security@bsd.uchicago.edu for anonymous & confidential submissions and questions.
Q: What type of systems should complete the BSD Security Assessment and Authorization process?
A: Any planned, new or existing information systems that supports the BSD academic and research activities are expected to complete the SAA process.
Q: How long will the security assessment and authorization process take?
A: The SAA process could take approximately 2-4 weeks depending on the complexity of the system and assuming information is provided in a timely fashion.
Q: Will I still be able to operate my system if it is not authorized?
A: Yes, this SAA process will not hinder any research systems from operating. The BSD ISO will work with the system owners to develop a risk reduction plan with a timeline to bring the system within the organizational risk thresholds.
Q: Will my system be HIPAA compliant after completing SAA process?
A: The SAA process utilizes the NIST Cyber Security Framework which aligns to HIPAA controls. Although, this process does not certify for HIPAA compliance.

BSD UCM Phishing Email Assessment and Prescriptive Education Initiative

Q: I received an email about training and phishing emails. What is this all about?
A: The UCM and BSD Information Security Offices have launched a Phishing Email Assessment and Prescriptive Education Initiative to raise awareness on phishing emails and increase your knowledge of spotting a phishing email. The email contains instructions on how to access training.Q: Why are the BSD and UCM Information Security Offices sending “test” phishing emails to employees?
A: Every day, more than 15 million phishing attacks are launched around the world, and 80,000 email users fall victim to these attacks. This initiative will show you first-hand how easy it is to fall for a phishing attack. The “test” phishing emails are sent to reduce the risk of cyber-attacks and the loss of sensitive information, and avoid possible regulatory fines and penalties by providing immediate training to those who click on the links within the test emails.
Q: How can I opt-out of receiving the “test” phishing emails and participating in the Phishing Email Assessment and Prescriptive Education Initiative?
A: This initiative was sanctioned and approved by a variety of leadership throughout the BSD/UCM, including: Dean Polonsky, Sharon O’Keefe, executive leadership of both the BSD and UCM, shared Cyber Security Governance committees, BSD and UCM HR, and the University and UCM Legal Offices, and will include all employees at this time. The purpose of this initiative is to raise our organization’s awareness of phishing email scams and provide training to all employees.
Q: How do I access the “Anti-Phishing Training?”
A: You can access the training either from clicking on the training link from the BSD Information Security Office’s webpage at http://security.bsd.uchicago.edu/phish/ or by going directly to https://training.knowbe4.com/auth/saml/uchospitals.edu. You will be asked to enter in their CNet or UCHAD credentials to log into the training system. (Note, if you have both a CNetID and UCHADID, you will have to use your CNet credentials to log on.)
Q: I cannot sign in with my UCHAD credentials. Why not?
A: If you have both a CNetID and UCHADID, you must log into the system with your CNet credentials.
Q: Do I have to view the training video?
A: No. This training is not mandatory, but it is recommended in order to increase your awareness of phishing emails.
Q: What if I start watching the training video and do not complete it?
A: That is okay. You can always go back to https://training.knowbe4.com/auth/saml/uchospitals.edu and finish watching the training video at your convenience. You can pick up where you last left off.
Q: I tried viewing the training video, but my browser said it blocked a pop-up from training.knowbe4.com.
A: You can click on “Allow Pop-Ups” in the message in order to allow the training video to play. Or go to “Settings” within the browser and enable pop-ups only for training.knowbe4.com.
Q: I received a suspicious-looking email that I think was sent as part of this campaign. Should I delete this email? Should I report the email to the Information Security Office?
A: You are always encouraged to report any suspicious email to the Service Desk or Information Security Office before replying or clicking on any links. It is safe to delete the email.
Q: What will happen if I opened the email, but did not click on any links?
A: Nothing. You can simply delete the email. You should not click on the link in the email.
Q: I hovered my mouse over the link in the email, and the URL looks suspicious/weird. What should I do?
A: Nothing. One of the ways to identify a real phishing email is to hover (but not click) your mouse over the link within an email to see what URL you would be directed to if you were to click on the link. You can now delete the email.
Q: What will happen if I clicked on the link in the email?
A: The link in the phishing email is harmless and nothing will happen to you or your computer. The Information Security Offices will be tracking how many employees click on the link, but not who clicked. You will be sent an email that contains instructions on how to access the training video.
Q: Will I be reported to my manager if I clicked on the link?
A: No. Managers will have no knowledge of who clicked the phishing email link.
Q: I clicked on the link and was re-directed to the BSD Information Security Office’s webpage (http://security.bsd.uchicago.edu/phish/). Now what do I do?
A: Employees are instructed to follow the link on the BSD webpage to access training: https://training.knowbe4.com/auth/saml/uchospitals.edu
Q: I received a training email from security@bsd.uchicago.edu. What is this?
A: Employees will receive an email from security@bsd.uchicago.edu when they click on the phishing link. The email will provide instructions on how to access the training video to reinforce how to identify a phishing email.
Q: I already watched the training video, so why do I need to watch another video?
A: This additional training video is used to reinforce how to spot a phishing email and is only assigned to employees who click on the “test” phishing email sent as part of this initiative.
Q: Is this training mandatory?
A: No. This training is not mandatory, but is encouraged. Managers will have no knowledge of who has/has not completed training. The Information Security Offices will only be tracking how many employees have watched the training videos to gauge the effectiveness of training.
Q: Are there examples of real Phishing emails I can look at?
A: Yes, visit https://security.uchicago.edu/phishing/latest/ to see the most recent phishing emails that have been going throughout the network.

Casper Suite

Q: What is the Casper Suite?
A: The Casper Suite is a management platform for OS X computers providing inventory and security management. The main components are a central server holding settings and software installers, and a client that resides on a desktop/notebook computer and checks into the server for settings and software titles to install. The Casper Suite allows local IT administrators to proactively manage equipment lifecycles and troubleshoot computer issues.
Q: What benefits does a client receive from the Casper Suite?
  • Flexibility: You choose when and where to install new software or run maintenance on your device through Self-service portals.
  • Compliance: Your device will be in compliance with federal laws governing requirements for research or student data on University computers.
  • Security: Departmental IT can (with your permission) manage the security of your machine so you don’t have to. You can rest assured that software patches, antivirus protection, and firewalls are well maintained.
  • Confidentiality: Your data and files will remain confidential; no personal data is scanned, indexed, or transmitted off your device. BSD ISO servers also keep full audit logs of any actions performed by technicians.
Q: How does the Casper Suite work?
A: The Casper Suite consists of a management server cluster, known as the JAMF Software Server (JSS), a small software utility known as an “agent” on enrolled Mac OS X computers, and a Mobile Device Management (MDM) profile on enrolled Mac OS X and iOS devices.
The agent on a Mac OS X client checks in with the JSS at computer start up and every 15 minutes thereafter, consuming 2KB of network traffic, 4MB Real Memory, and 0.10% CPU. In addition, computer inventory is uploaded to the JSS once a day, causing less than 200KB of network traffic, 8MB Real Memory, and 3.74% CPU. On average the inventory process takes 30 seconds to complete.
An iOS client checks in with the JSS once a day, or on request by a Casper Suite Technician.
Client/server communication is encrypted by a certificate pair configured when the agent/profile is installed.
Q: What information does the Casper Suite Collect?
A: The BSD implementation of the Casper Suite has been customized to collect only the data needed to support Mac OS X computers and iOS devices. This information includes:
  • Hardware Specifications
  • Installed Applications & Usage
  • Services Running
  • Available Software Updates
  • Local User Accounts and Login/Logout Timestamps
  • Security Status (Firewall, SSH, etc)
  • Connected Peripheral Devices
No personal information is collected, such as the contents or names of personal files (documents, email, etc) or any browsing history.
Q: How is the Casper agent installed?
A: Your IT support group can enroll your BSD-issued device remotely or by sending you an invitation by email.
Q: What changes does Casper make to a Mac?
  • Casper installs the Self Service application in the Applications folder of a Mac. Content such as maintenance tasks and security configuration settings and documentation are provided within Self Service.
  • A service account will be created on the Mac with administrative privileges to carry out tasks from the server. This account is hidden from the general user interface and no human knows the password to this account. The service account password is maintained and randomized by the Casper Suite at regular intervals. SSH will be turned on and access will be restricted to the service account.
  • For OS X 10.7 and later, a Mobile Device Management (MDM) profile will be installed. You will be asked to encrypt your device if it has not be already encrypted to ensure compliance with BSD policies.
Q: How do I uninstall Casper from my device?
A: Clients who wish to remove their device from Casper should contact their IT support group for assistance.
Q: Is my device enrolled in the Casper Suite?
A: To find out if your BSD-issued device is enrolled, look for the Self Service application,. On Mac OS X, Self Service is located in the Applications folder or on the Dock. On iOS, the Self Service app is located on the home screen. See below for examples.
Q: What is Self Service?
A: The Self Service application is similar to the Apple App Store, but it provides customized content for BSD devices. This content includes access to maintenance tasks and security configuration settings you can choose to enable by clicking on the icon. The Self Service app gives you the flexibility of choosing what to install and when to install it.
The Self Service app is managed and maintained by the your departments local IT. If you would like to see something added, please contact your local IT contact.
Q: How will software be installed on my computer?
A: Your IT support group may push software as needed/requested. BSD ISO will not distribute software unless requested to do so by the client or department IT staff.
Q: Will I still have Administrative access to my Mac?
A: There will be no automatic changes to the privileges of your user account by enrolling in Casper. Your IT support group will contact you if changes are to be made.
Q: What policies are enforced?
A: There are no policies that are automatically enforced system wide. The distribution of policies is the responsibility of individual IT support groups. If you have any questions about what policies are enforced on your BSD-issued device, please contact your IT support group. The Self Service catalog will be setup by your IT support group.
Q: What if I have other questions?
A: For more information please contact your local IT administrator or the BSD ISO at security@bsd.uchicago.edu
Cyber Security Assessment Tool
Q:  Who should be participating in this survey?
A:  This survey is optimally designed for the department’s IT Manager with support from a small group of IT staff that have been with the department for long enough to have an understanding of its IT practices.
Q:  What should be done if a question doesn’t seem to directly apply to the department?
A: Each question must be answered in order to generate results.  If it appears that the question does not apply to your department, still select the answer you think most closely describes your department for that capability and leave a note with comments about why it does not apply to your department  If it is because another department handles the activity for you, please refer to the next FAQ.
Q:  What should we do if another department is handling an activity for us?
A: Do not automatically assume that the other department is performing the task in a complete and secure manner.  Ask yourself if you have a documented Transitional Service Agreement (TSA) with the department, and what security practices you KNOW they have in place.  When in doubt, err on the low side and leave a comment in the notes column.
Q:  What if none of the ratings describe the department or if the department falls between several options?
A:  Select the rating closest to what describes the department.  When in doubt, err on the low side.  Feel free to leave a comment in the notes column about the question justification for why you selected that option.
Q:  Are the questions in the People domain rating individuals or departmental people resources as a whole?
A:  The questions in the People domain are asking if the department has the appropriate quantity of people with the appropriate skill base for completing an activity and is not meant to single individuals out.
Q:  In the Process domain of the survey, what should be selected if the activity is consistently performed and communicated, but not documented?
A:  When this is the case, err on the low side.  If no documentation of the process exists, even if the activity is being performed completely, select ad-hoc.  This will allow your department to show quick improvement once documentation has been created.

 

Hardware-Encrypted USB Flash Drives

Q:  What’s considered confidential data?
A: There are various types of confidential information. For details on what is considered confidential information please review University of Chicago policy, HR601 – Treatment of Confidential Information.
Q: What Hardware-Encrypted USB Flash Drives are permitted for use?
AThe following Hardware-Encrypted USB Flash Drives models are permitted for the storage of confidential information:
  • Apricorn Aegis – All models
  • Kingston USB Storage – DataTraveler models
  • IronKey – D300 or S1000 models
Q: If I’m in Basic Sciences department and do not have confidential information, do I need to purchase a Hardware-Encrypted USB Flash Drive?
A: No, you do not need to purchase a hardware-encrypted USB Flash Drive unless you are storing confidential information on an insecure USB Flash Drive.
Q: If I’m in a Clinical department and utilize USB Flash Drives, but do not have confidential information, do I need to purchase Hardware-Encrypted USB Flash Drives?
A: Yes, Enforcement of secure hardware-encrypted USB Flash drives for Clinical departments will begin on 3/31/2018 and  non-secure USB Flash Drives will no longer be permitted for use.
Q:  I don’t know what type of department I’m in.  Should I get a hardware-encrypted USB Flash Drive?
A: As a general rule of thumb, if you work with or might potentially receive confidential or confidential data, then please use a hardware-encrypted USB Flash Drive.  If you don’t know, please refer to your department’s IT Custodian.
Q:  If I don’t get a drive through the Secure USB Flash Drive Exchange how do I purchase one?
A:  A better way to store your data is on UChicago Box which can be used to store and access files remotely without the need for USB Flash Drives. All USB Flash Drives must be purchased through Buysite.
Q:  I have a number of USB Flash Drives.  Should I replace them all?
A:  Yes.  All your USB Flash Drives should be replaced.  Non-compliant USB Flash Drives will no longer work after 03/31/2018.
Q:  Someone gave me a non-compliant USB Flash Drive.  Will I be able to download data from that drive?
A: Yes. You will be able to download data from non-compliant USB Flash Drives.  However, you will not be able to write/upload to non-compliant USB Flash Drives after 03/31/2018.
If you have any additional questions, please reach out to your local departmental IT for support.

Incident Management

Q:  What is a security incident?
A: A security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Incidents are typically identified through the continual review and analysis of events.  The BSD ISO will determine an event is an incident if the event affects the security (i.e. Confidentiality, Integrity, and/or Availability) of an IT system.
Q:  How is a security incident identified?
A:  During the Detection and Analysis phase, a potential incident event has been observed and reported to the BSD Information Security Office. The BSD Security Analyst gathers information related to the event to make a determination whether the observed event should be classified as an incident. If enough evidence exists to classify the event as an incident, the Security Analyst will work with the appropriate IT Custodians assigned to the affected systems in order to develop a valid Containment, Eradication, and Recovery (CER) strategy.
Q:  What are the IT Custodians expectations during the Incident Response (IR) program?
A: The IT Custodian has the following responsibilities during the IR program.
1) Reporting Responsibility–As a contributor to the BSD IR process, it is expected that potential incidents are reported to the BSD ISO as soon as possible.  If unsure whether, a suspicious event meets the threshold for reporting please contact the BSD ISO for clarity.
2) Expected Support–It Custodians are an integral role within the BSD IR Workflow.  It is through the IT Custodian that Security Analyst are able to properly investigate incidents and later remediate these incidents. IT Custodians will be contacted by Security Analysts at several points throughout the IR Workflow. it is expected that the IT Custodian will contribute to the investigation by:
  • Answering information requests from the Security Analyst
  • Executing assigned tasks within the CER strategy
  • Documenting CER execution progress and lessons learned within the GRC

Logging and Threat Management

Q: Is this program right for my department?
A: The BSD ISO Logging and Threat Detection program is designed to create actionable alerts on credible threats to your department’s sensitive systems. While the threat management program is designed to detect possible avenues of attack, the Security Event and Log Management program is designed to detect and alert on suspicious behavior while they are happening.
Q: What is required of my department in order to participate?
A: In order to participate in the Logging and Threat Detection program, the technical support contact for your systems will need to make several minor configuration changes to your Windows or Linux servers. These changes will allow you server to send its log files to the BSD’s log collector. From there, BSD Security will be able to monitor your systems for illegal logins and other threats.
Q: What happens if a problem with my system is discovered?
A: The goal of the Logging and Threat Detection program is to identify risks and help your department become more secure. If an offense is triggered, our automated Security Intelligence Platform will notify us as the event is taking place. BSD ISO will then determine the severity of the offense and inform your department’s technical contact if the problem needs immediate attention.
Q: What’s the difference between this program and the “Threat Assessment” program?
A: While the BSD ISO Threat Assessment program concentrates on finding, cataloging, and remediating server weaknesses before they can be exploited, the Logging and Threat Detection program will concentrate on finding anomalies in real-time server behavior with the goal of identifying threats as they happen.
Secure Remote Access – BSD VPN
Q:  Are there any advantages to switching to BSD VPN?
A:  Yes. The main advantages are:
  • Simplicity: You use a single set of credentials to access BSD resources; and
  • Stronger Security: 2-factor authentication better protects you from the impact of password guessing and hacking. With 2FA, a bad guy needs to get your password AND steal your phone in order to gain access to information.
  • Broader Utility: The system extends VPN access to research collaborators and BSD entities that would not otherwise have remote access to university resources because they do not have CNET IDs. This simplifies vendor access as well as research collaborator access.
Q:  Is the Department of Anesthesia and Critical Care (DACC) taking part in the BSD VPN?
A:  No. A vast majority of DACC personnel no longer have BSDAD accounts as part of the UCMIT/BSD/DACC email merger and account reconciliation project, and thus will NOT be able to connect to the new BSD VPN.  Please continue using the University CVPN along with your CNET credentials.
Q: I currently use Cisco AnyConnect secure (UChicago cVPN).  Will I still be able to use that?
A:  Yes. While these changes improve the Biological Sciences Division’s security posture and bridge gaps between access to our systems, we have not disabled access to the university VPN system (cVPN). The goal for BSD VPN was to add value without compromising current workflows. In addition, the University of Chicago’s VPN (cVPN) appliance and the Biological Sciences Division¹s VPN (BSD VPN) appliance are linked in a way that you can use the same version of Cisco AnyConnect but simply point it to the new system (bsdvpn.uchicago.edu).
Q: How do I access the BSD VPN?
A: Windows users may find instructions at Secure Remote Access – BSD VPN – Connection Guide for Windows.  Mac users may find instructions at Secure Remote Access – BSD VPN – Step-by-Step Installation Guide for Macintosh.
Q: Who can use the BSD VPN?
A: BSD staff and faculty of the University are eligible to use the BSD VPN.
Q: Can I use the BSD VPN if I’m running Linux?
A: BSD ISO does not support VPN client on the Linux OS. We do, however, provide installer packages (32-bit and 64-bit) for advanced users who support themselves. Users may also, use OpenConnect as an alternative. However, this is client is unsupported and you are using it at your own risk.
Q: Does the BSD VPN work with 64 bit OSes, like Windows 7 or Windows Vista?
A: Yes.
Q: Can I use the BSD VPN with Windows 98/ME/2000 or Mac OS 10.2/10.3/10.4?
A: BSD ISO does not support the VPN for use with versions of Apple OS X older than 10.5 or versions of Windows older than Windows XP. However, the VPN may still work with those operating systems.
Q: How do I connect to the BSD VPN with an iPhone?
A: Download and install the free Cisco AnyConnect for iPhone application from iTunes. Connect to the bsdvpn.uchicago.edu server. Input your BSDAD username and password to authenticate.
UChicago Box
Q: Who is Eligible for Box in the BSD?
A: All faculty, staff and students in the BSD departments can claim an UChicagoBox account.
Q: What Kind of Sensitive Data Can I Store on UChicago Box?
A: UChicago Box can be used to store student education records (FERPA) data and patient information (HIPAA), but may not be used to store Credit Card information. Anyone storing HIPAA data must follow special guidelines set by the UCMC Data Guardian Program found on the UCMC intranet site. For more information regarding what information can be stored on Box check the Data Usage Guide.
Q: Who Should I Ask for More Information about Storing Sensitive Information on UChicago Box?
A:If you are not sure, please contact the BSD Information Security Office, who will help you get your question answered.
Q: How Can I Use Box Sync and Tagging to Appropriately Deal with Sensitive Data?
A: Please see Securing Confidential or Sensitive Files.
Q: I’d Like to Get a Group Folder for My Department. How do I do that?
A: If you would like a department or group folder, please visit the ITServices website and submit the group folder request form located at https://itservices.uchicago.edu/page/request-box-group-folder. Please include the names and contact information of the required 2 administrators for the folder.
Q: Where Should I Go If I Have Questions or Problems Using UChicago Box?
A: Extensive help is available at box.com/support. If you have specific questions about using or configuring UChicago Box in the University environment, please contact the ITS Service Desk.
Q: What apps can I use with UChicago Box?
A: The following apps are approved for use with your UChicago Box account:
  • Box Capture (iOS)
  • Box for Android
  • Box for Android Tablet
  • Box for Blackberry
  • Box for iPad
  • Box for iPhone
  • Box for Office
  • Box Edit
  • Box Sync (Be sure to review Securing Confidential or Sensitive Files)
If you’d like to recommend an app for use with UChicago Box, contact the ITS Service Desk. Please note that Restricted information may not be linked to any apps outside of the Box environment. For example, you are not permitted to link Google Docs and UChicago Box together for patient information.
Q: If I leave the University, do I get to keep my UChicago Box account?
A: You will lose their UChicago Box accounts (associated with your @uchicago.edu email address) upon leaving the University. (However, if you are an alum, in addition to being faculty or staff, you will retain your account, as outlined above).
  • It is your responsibility to move any required data to another storage space prior to leaving the University.
  • 10 days after you leave the University, your account will stop working. You and any folder collaborators will receive an email regarding the folders you own.
  • 45 days after leaving the University, your account will be deleted, along with all of its data. This includes all folders and files you’ve shared with others.
Q: I try to log into UChicagoBox and keep getting rejected. Why?
A: You may not be eligible for UChicago Box. Please see the UChicago Box Failed Login FAQ.
Q: How long do my files stay in Trash before they’re deleted permanently?
A: Files remain in Trash for 30 days. After 30 days, they are permanently deleted.
Q: Who has access to my files?
A: You control sharing via links or invitations to collaborators. UChicago system administrators have the same level of access to your UChicago Box account as they do for University email – the right to access files is only invoked when approved by legal officials. We recommend that you do not store personal files on your UChicagoBox account, similar to University email.
Q: Can I use Box Sync for Restricted information?
A: It is advisable NOT to sync folders that contain Restricted information, such as patient information or human subject research. This will reduce the copying of data and the proliferation of those data onto insecure devices.
Q: Do I have to encrypt my device if using the UChicagoBox system within the BSD?
A: Yes. The BSD generally has access to, and uses, Restricted information. All Centers, Institutes, Core and Clinical departments are required to encrypt their devices. Even some Basic Science departments have access to, or use, patient information (PHI). To ensure the data are protected in case the device is lost or stolen encryption must be used. Please see <http://security.bsd.uchicago.edu/encryption for more details on how to encrypt your device.
Vulnerability Management – Qualys
Q: How do I use the tools?
A: The QualysGuard video series gives you immediate access to a large video library of tutorials (https://community.qualys.com/docs/DOC-1323).
Q: Will the scan have a negative impact on my network?
A: Scanning should not affect your infrastructure or cause any devices to stop responding. Most vulnerability detections are non-intrusive, meaning that the scanner never exploits vulnerability if it could negatively affect the host in any way.
Q: How does the scanner find vulnerabilities?
A: The scanning engine performs scans in a very dynamic manner to optimize speed and performance. The following is a simplified description of the main steps of a scan:
  • Checking if the remote host is alive – This detection is done by sending ICMP Echo Request (ping) packets, as well as probing some well-known TCP and UDP ports.
  • Firewall detection – This test enables the scanner to gather more information about the network infrastructure and will help during the scan of TCP and UDP ports.
  • TCP / UDP Port scanning – Detect all open TCP and UDP ports to determine which services are running on this host. The number of ports is configurable, but the default scan is approximately 1900 TCP ports and 180 UDP ports.
  • OS Detection – The scanner tries to identify the operating system running on the host. This detection is based on sending specific TCP packets to open and closed ports.
  • TCP / UDP Service Discovery – The scanner tries to identify which service runs on each open port by using active discovery tests.
  • Vulnerability assessment based on the services detected – The scanner performs the actual vulnerability assessment. The scanner first tries to check the version of the service in order to detect only vulnerabilities applicable to this specific service version.
Q: The scan found vulnerabilities, how do I fix them?
A: In the scan report, a detailed description of each vulnerability will be provided as well as the steps required to resolve the vulnerability. Additionally, external links to security resources such as CVE, OWASP, and other security sites are suggested for more details. After the vulnerabilities have been fixed, rescan to confirm if the vulnerability has been addressed.