Q1. If someone is already enrolled in 2FA through the University, do they need to enroll under the BSD as well?

A1. Yes, and this is very easy to do.  The Duo app that you use for cVPN is the same one you would use for BSD VPN. You would merely be adding a second key.

Q2. Will 2FA affect all the applications I can access?

A2. No. 2FA will only affect specific BSD protected sites and application.

Q3. What is Duo?

A3. Duo is a mobile application used by the University of Chicago Biological Sciences Division to facilitate 2FA. Using Duo, users can approve or deny log in requests, either through the app itself and via push notifications sent by the app. If a user is not connected to the Internet, he or she can also generate passcodes that can be used for log in. Duo Mobile is available for iOS devices on the App Store and for Android devices on Google Play; it is also available as an app on the Blackberry and Windows platforms.

Q4. How long does 2FA last?

A4. You may allow 2FA to last for 30 days by selecting the “Remember this device for 30 days” option near the bottom of the Two-Factor Authentication screen, which appears after you have logged in using your BSDAD username and password.
Choosing the “Remember this device for 30 days” option means that after authenticating via 2FA only once, you will be able to access all effected sites and services.

Q5. How do I add a new device?

A5. Visit https://2fa.bsd.uchicago.edu and click on Manage Devices.
Register your new phone, tablet, desk phone or token. Register your new phone, tablet, desk phone or token.

Q6. What if I lose my phone?

A6. See BSD 2FA – Lost or Stolen Device Procedure.

Q7. I replaced my cell phone. How do I activate 2FA on my new phone?

A7. See BSD 2FA – Lost or Stolen Device Procedure.

Q8. Can I use multiple devices with 2FA?

A8. Yes! In fact, we strongly encourage you to register multiple devices. Register your mobile phone, your landlines, and your tablet.

Q9. I disabled push notifications for Duo on my phone (iOS) and want to re-allow them. How do I re-enable push notifications?

A9. To re-enable or re-allow push notifications on your iPhone if you have disabled them, go into Settings and select Notification Center. From there you can re-enable the push notifications for the application.

Q10. How does the 2FA text passcodes service work?

A10. You may choose to have a set of 10 passcodes sent to your registered smartphone from the Manage Devices screen from the 2FA website: https://2fa.bsd.uchicago.edu. Simply find your smartphone from the list of your registered phones and click on the Text Passcodes button. A list of 10 one-time-use passcodes will be sent to your phone via text. To use one of the one-time passcodes, select Passcode at the Duo Prompt screen and click Log in to continue. It is important that you keep track of which codes you use; the passcode will be invalidated after you enter it. You can print out the list of passcodes to keep in a secure location for your use anytime you don’t have access to your regular devices.

Q11. Can I use Duo without incurring any data or text message costs?

A11. Yes. After selecting the Duo app on your smartphone, select the Duo key icon in the upper right-hand corner of the screen to generate a passcode. Generating passcodes does not send any kind of message or use data and you can generate passcodes even when you are not connected to a network. Using DUO to generate passcodes will not incur any data or text message costs.

Q12. I’m going to be traveling and won’t have reliable cellular network access. Can I still use 2FA if I don’t have network access via my phone?

A12. Yes. You can click on the key on the upper right-hand side of the screen in DUO on the iOS and Android or the Generate Passcode button on Microsoft OS devices to generate a numeric passcode that you can use even if your phone does not have any network connection. Alternatively, you can use the 2FA text passcodes feature (for more information, see question above “How does the 2FA text passcode service work?”) to generate a list of single-use passcodes that you can use if you won’t have any access to your phone at all.

Q13. Do I still need to change my password regularly if I use 2FA?

A13. Yes! Additionally, if you suspect your account or password has been compromised, you should report it to security immediately.

Q14. What if I have other questions and issues?

A14. Feel free to reach out to the Biological Sciences Division’s Information Security Office with any questions. Please send emails to security@bsd.uchicago.edu.

Q1. Is there a way that I can confidentially submit a system for review?

A1. Contact the BSD ISO directly via security@bsd.uchicago.edu for anonymous & confidential submissions and questions.

Q2. What type of systems should complete the BSD Security Assessment and Authorization process?

A2. Any planned, new or existing information systems that supports the BSD academic and research activities are expected to complete the SAA process.

Q3. How long will the security assessment and authorization process take?

A3. The SAA process could take approximately 2-4 weeks depending on the complexity of the system and assuming information is provided in a timely fashion.

Q4. Will I still be able to operate my system if it is not authorized?

A4. Yes, this SAA process will not hinder any research systems from operating. The BSD ISO will work with the system owners to develop a risk reduction plan with a timeline to bring the system within the organizational risk thresholds.

Q5. Will my system be HIPAA compliant after completing SAA process?

A5. The SAA process utilizes the NIST Cyber Security Framework which aligns to HIPAA controls. Although, this process does not certify for HIPAA compliance.

Q: What are CIS Security Benchmarks?

A: The CIS Security Benchmarks Division provides well-defined, unbiased, and consensus-based industry best practices to help the BSD assess and improve security. Resources include secure configuration benchmarks and automated configuration assessment tools (CIS-CAT).

The CIS Security Benchmarks Division develops and distributes:

• Security Configuration Benchmarks – 94 Benchmarks which describe best practices for the secure configuration of target systems and are developed via extensive collaboration with the CIS volunteer consensus community.
• The CIS-CAT Benchmark Assessment Tool – provides systems administrators with a fast, detailed assessment of target systems’ conformance to CIS Benchmarks. The CIS-CAT Assessment Tool is available only to CIS Security Benchmarks Members. Members can download CIS-CAT from the CIS Members Website. You can try out CIS-CAT lite here.

Q: Why should we use CIS Security Benchmarks?

A: The Security Configuration Benchmarks are globally used and accepted as the de facto user-originated standard for IT security technical controls. Configuring systems in compliance with these Benchmarks has been shown to eliminate 80-95 percent of known security vulnerabilities. The BSD Information Security Office is developing system-hardening standards down to the most critical steps for your systems, with a particular focus on configuration issues that are unique to the computing environment at University of Chicago, and will use the assessment tool to validate that systems meet the established system-hardening and security configuration standards.

Q: How do I get started?

• To register, go to http://workbench.cisecurity.org/registration/ and complete the registration form. You must have a valid BSD email address. After a simple account validation step, you will receive an email indicating that your registration has been activated, along with a temporary password.
• Log in to https://workbench.cisecurity.org/ to download and review CIS benchmarks for your platforms. Benchmarks are available as PDF reference worksheets for system hardening.
• Download the CIS-CAT Benchmark Assessment Tool (available on the member website) and run against a representative hardened system. This cross-platform app examines your system and produces a report comparing your settings to the published benchmarks.
• Participate in the CIS member forums to provide feedback, make suggestions, and discuss the CIS tools with other members.

Q: How do I use the tools?

A: The following tutorials are available:

• Tutorial: CIS-CAT in Windows (GUI) (video)
• Tutorial: CIS-CAT in Linux (GUI) (video)

Q: Where can I find more information?

A: If you have any questions about registration or accessing the tools, you can contact the BSD Information Security Office at security@bsd.uchicago.edu.

Q1. I received an email about training and phishing emails. What is this all about?

A1. The UCM and BSD Information Security Offices have launched a Phishing Email Assessment and Prescriptive Education Initiative to raise awareness on phishing emails and increase your knowledge of spotting a phishing email. The email contains instructions on how to access training.

Q2. Why are the BSD and UCM Information Security Offices sending “test” phishing emails to employees?

A2. Every day, more than 15 million phishing attacks are launched around the world, and 80,000 email users fall victim to these attacks.  This initiative will show you first-hand how easy it is to fall for a phishing attack.  The “test” phishing emails are sent to reduce the risk of cyber-attacks and the loss of sensitive information, and avoid possible regulatory fines and penalties by providing immediate training to those who click on the links within the test emails.

Q3. How can I opt-out of receiving the “test” phishing emails and participating in the Phishing Email Assessment and Prescriptive Education Initiative?

A3. This initiative was sanctioned and approved by a variety of leadership throughout the BSD/UCM, including:  Dean Polonsky, Sharon O’Keefe, executive leadership of both the BSD and UCM,  shared Cyber Security Governance committees, BSD and UCM HR, and the University and UCM Legal Offices, and will include all employees at this time.  The purpose of this initiative is to raise our organization’s awareness of phishing email scams and provide training to all employees.

Q4. How do I access the “Anti-Phishing Training?”

A4. You can access the training either from clicking on the training link from  this page above at https://uchicagomedicine.securityeducation.com/ . You will be asked to enter in their CNet or UCHAD credentials to log into the training system. (Note, if you have both a CNetID and UCHADID, you will have to use your CNet credentials to log on.)

Q5. I cannot sign in with my UCHAD credentials. Why not?

A5. If you have both a CNetID and UCHADID, you must log into the system with your CNet credentials.

Q6. Do I have to view the training video?

A6. No. This training is not mandatory, but it is recommended in order to increase your awareness of phishing emails.

Q7. What if I start watching the training video and do not complete it?

A7. That is okay. You can always go back to https://uchicagomedicine.securityeducation.com and finish watching the training video at your convenience. You can pick up where you last left off.

Q8. I received a suspicious-looking email that I think was sent as part of this campaign. Should I delete this email? Should I report the email to the Information Security Office?

A8. You are always encouraged to report any suspicious email to the Service Desk or Information Security Office before replying or clicking on any links. It is safe to delete the email.

Q9. What will happen if I opened the email, but did not click on any links?

A9. Nothing. You can simply delete the email. You should not click on the link in the email.

Q10. I hovered my mouse over the link in the email, and the URL looks suspicious/weird. What should I do?

A10. Nothing. One of the ways to identify a real phishing email is to hover (but not click) your mouse over the link within an email to see what URL you would be directed to if you were to click on the link. You can now delete the email.

Q11. What will happen if I clicked on the link in the email?

A11. The link in the phishing email is harmless and nothing will happen to you or your computer. The Information Security Offices will be tracking how many employees click on the link, but not who clicked. You will be sent an email that contains instructions on how to access the training video.

Q12. Will I be reported to my manager if I clicked on the link?

A12. No. Managers will have no knowledge of who clicked the phishing email link.

Q13. I clicked on the link and was re-directed to the BSD Information Security Office’s webpage (http://security.bsd.uchicago.edu/phish/). Now what do I do?

A13. Employees are instructed to follow the link on the BSD webpage to access training: https://uchicagomedicine.securityeducation.com

Q14.I received a training email from security@bsd.uchicago.edu. What is this?

A14. Employees will receive an email from security@bsd.uchicago.edu when they click on the phishing link. The email will provide instructions on how to access the training video to reinforce how to identify a phishing email.

Q15. I already watched the training video, so why do I need to watch another video?

A15. This additional training video is used to reinforce how to spot a phishing email and is only assigned to employees who click on the “test” phishing email sent as part of this initiative.

Q16. Is this training mandatory?

A16. No. This training is not mandatory, but is encouraged. Managers will have no knowledge of who has/has not completed training. The Information Security Offices will only be tracking how many employees have watched the training videos to gauge the effectiveness of training.

Q:  What’s considered confidential data?

A: There are various types of confidential information. For details on what is considered confidential information please review University of Chicago policy, HR601 – Treatment of Confidential Information.

Q: What Hardware-Encrypted USB Flash Drives are permitted for use?

A: The following Hardware-Encrypted USB Flash Drives models are permitted for the storage of confidential information:

• Apricorn Aegis – All models

• Kingston USB Storage – DataTraveler models

• IronKey – D300 or S1000 models

Q: If I’m in Basic Sciences department and do not have confidential information, do I need to purchase a Hardware-Encrypted USB Flash Drive?

A: No, you do not need to purchase a hardware-encrypted USB Flash Drive unless you are storing confidential information on an insecure USB Flash Drive.

Q: If I’m in a Clinical department and utilize USB Flash Drives, but do not have confidential information, do I need to purchase Hardware-Encrypted USB Flash Drives?

A: Yes, Enforcement of secure hardware-encrypted USB Flash drives for Clinical departments will begin on 3/31/2018 and  non-secure USB Flash Drives will no longer be permitted for use.

Q:  I don’t know what type of department I’m in.  Should I get a hardware-encrypted USB Flash Drive?

A: As a general rule of thumb, if you work with or might potentially receive confidential or confidential data, then please use a hardware-encrypted USB Flash Drive.  If you don’t know, please refer to your department’s IT Custodian.

Q:  If I don’t get a drive through the Secure USB Flash Drive Exchange how do I purchase one?

A:  A better way to store your data is on UChicago Box which can be used to store and access files remotely without the need for USB Flash Drives. All USB Flash Drives must be purchased through Buysite.

Q:  I have a number of USB Flash Drives.  Should I replace them all?

A:  Yes.  All your USB Flash Drives should be replaced.  Non-compliant USB Flash Drives will no longer work after 03/31/2018.

Q:  Someone gave me a non-compliant USB Flash Drive.  Will I be able to download data from that drive?

A: Yes. You will be able to download data from non-compliant USB Flash Drives.  However, you will not be able to write/upload to non-compliant USB Flash Drives after 03/31/2018.

If you have any additional questions, please reach out to your local departmental IT for support.

Q1.  What is a security incident?

A1. A security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Incidents are typically identified through the continual review and analysis of events.  The BSD ISO will determine an event is an incident if the event affects the security (i.e. Confidentiality, Integrity, and/or Availability) of an IT system.

Q2.  How is a security incident identified?

A2.  During the Detection and Analysis phase, a potential incident event has been observed and reported to the BSD Information Security Office. The BSD Security Analyst gathers information related to the event to make a determination whether the observed event should be classified as an incident. If enough evidence exists to classify the event as an incident, the Security Analyst will work with the appropriate IT Custodians assigned to the affected systems in order to develop a valid Containment, Eradication, and Recovery (CER) strategy.

Q3.  What are the IT Custodians expectations during the Incident Response (IR) program?

A3.  The IT Custodian has the following responsibilities during the IR program.

1) Reporting Responsibility–As a contributor to the BSD IR process, it is expected that potential incidents are reported to the BSD ISO as soon as possible.  If unsure whether, a suspicious event meets the threshold for reporting please contact the BSD ISO for clarity.

2) Expected Support–It Custodians are an integral role within the BSD IR Workflow.  It is through the IT Custodian that Security Analyst are able to properly investigate incidents and later remediate these incidents. IT Custodians will be contacted by Security Analysts at several points throughout the IR Workflow. it is expected that the IT Custodian will contribute to the investigation by:

• Answering information requests from the Security Analyst
• Executing assigned tasks within the CER strategy
• Documenting CER execution progress and lessons learned within the GRC

Q1:  Who should be participating in this survey?

A1:  This survey is optimally designed for the department’s IT Manager with support from a small group of IT staff that have been with the department for long enough to have an understanding of its IT practices.

Q2:  What should be done if a question doesn’t seem to directly apply to the department?

A2:  Each question must be answered in order to generate results.  If it appears that the question does not apply to your department, still select the answer you think most closely describes your department for that capability and leave a note with comments about why it does not apply to your department  If it is because another department handles the activity for you, please refer to FAQ #4.

Q3:  What if none of the ratings describe the department or if the department falls between several options?

A3:  Select the rating closest to what describes the department.  When in doubt, err on the low side.  Feel free to leave a comment in the notes column about the question justification for why you selected that option.

Q4:  What should we do if another department is handling an activity for us?

A4:  Do not automatically assume that the other department is performing the task in a complete and secure manner.  Ask yourself if you have a documented Transitional Service Agreement (TSA) with the department, and what security practices you KNOW they have in place.  When in doubt, err on the low side and leave a comment in the notes column.

Q5:  Are the questions in the People domain rating individuals or departmental people resources as a whole?

A5:  The questions in the People domain are asking if the department has the appropriate quantity of people with the appropriate skill base for completing an activity and is not meant to single individuals out.

Q6:  In the Process domain of the survey, what should be selected if the activity is consistently performed and communicated, but not documented?

A6:  When this is the case, err on the low side.  If no documentation of the process exists, even if the activity is being performed completely, select ad-hoc.  This will allow your department to show quick improvement once documentation has been created.

Q1.  What is cVPN?

A1.  The University of Chicago virtual private network (cVPN) provides faculty, students, and staff with secure access to University network resources that are not available to you when you’re off-campus. The cVPN should also be used when you are working on an unknown network such as a hotel or coffee shop wireless network.

Q2. How do I access cVPN?

A2. You can access cVPN by logging in to cvpn.uchicago.edu with your CNetID and password. Your identity will be verified using two-factor authentication (2FA) in order to access the cVPN.

Q3. Where can I go for more information and installation instructions for cVPN?

A3.  More information can be found on the cVPN page here.

Q: Is this program right for my department?

A: The BSD ISO Logging and Threat Detection program is designed to create actionable alerts on credible threats to your department’s sensitive systems. While the threat management program is designed to detect possible avenues of attack, the Security Event and Log Management program is designed to detect and alert on suspicious behavior while they are happening.

Q: What is required of my department in order to participate?

A: In order to participate in the Logging and Threat Detection program, the technical support contact for your systems will need to make several minor configuration changes to your Windows or Linux servers. These changes will allow your server to send its log files to the BSD’s log collector. From there, BSD Security will be able to monitor your systems for illegal logins and other threats.

Q: What happens if a problem with my system is discovered?

A: The goal of the Logging and Threat Detection program is to identify risks and help your department become more secure. If an offense is triggered, our automated Security Intelligence Platform will notify us as the event is taking place. BSD ISO will then determine the severity of the offense and inform your department’s technical contact if the problem needs immediate attention.

Q: What’s the difference between this program and the “Threat Assessment” program?

A: While the BSD ISO Threat Assessment program concentrates on finding, cataloging, and remediating server weaknesses before they can be exploited, the Logging and Threat Detection program will concentrate on finding anomalies in real-time server behavior with the goal of identifying threats as they happen.

Q: How do I use the tools?

A: The QualysGuard video series gives you immediate access to a large video library of tutorials (https://community.qualys.com/docs/DOC-1323).

Q: Will the scan have a negative impact on my network?

A: Scanning should not affect your infrastructure or cause any devices to stop responding. Most vulnerability detections are non-intrusive, meaning that the scanner never exploits vulnerability if it could negatively affect the host in any way.

Q: How does the scanner find vulnerabilities?

A: The scanning engine performs scans in a very dynamic manner to optimize speed and performance. The following is a simplified description of the main steps of a scan:

• Checking if the remote host is alive – This detection is done by sending ICMP Echo Request (ping) packets, as well as probing some well-known TCP and UDP ports.
• Firewall detection – This test enables the scanner to gather more information about the network infrastructure and will help during the scan of TCP and UDP ports.
• TCP / UDP Port scanning – Detect all open TCP and UDP ports to determine which services are running on this host. The number of ports is configurable, but the default scan is approximately 1900 TCP ports and 180 UDP ports.
• OS Detection – The scanner tries to identify the operating system running on the host. This detection is based on sending specific TCP packets to open and closed ports.
• TCP / UDP Service Discovery – The scanner tries to identify which service runs on each open port by using active discovery tests.
• Vulnerability assessment based on the services detected – The scanner performs the actual vulnerability assessment. The scanner first tries to check the version of the service in order to detect only vulnerabilities applicable to this specific service version.

Q: The scan found vulnerabilities, how do I fix them?

A: In the scan report, a detailed description of each vulnerability will be provided as well as the steps required to resolve the vulnerability. Additionally, external links to security resources such as CVE, OWASP, and other security sites are suggested for more details. After the vulnerabilities have been fixed, rescan to confirm if the vulnerability has been addressed.

1. Who is Eligible for Box in the BSD?

All faculty, staff and students in the BSD departments can claim an UChicagoBox account.

2. What Kind of Sensitive Data Can I Store on UChicagoBox?

UChicagoBox can be used to store student education records (FERPA) data and patient information (HIPAA), but may not be used to store Credit Card information. Anyone storing HIPAA data must follow special guidelines set by the UCMC Data Guardian Program found on the UCMC intranet site.

3. Who Should I Ask for More Information about Storing Sensitive Information on UChicagoBox?

If you are not sure, please contact the BSD Information Security Office, who will help you get your question answered.

4. How Can I Use Box Sync and Tagging to Appropriately Deal with Sensitive Data?

Please see Securing Confidential or Sensitive Files.

5. I’d Like to Get a Group Folder for My Department. How do I do that?

If you would like a department or group folder, please visit the ITServices website and submit the group folder request form located at https://itservices.uchicago.edu/page/request-box-group-folder. Please include the names and contact information of the required 2 administrators for the folder.

6. Where Should I Go If I Have Questions or Problems Using UChicagoBox?

Extensive help is available at box.com/support. If you have specific questions about using or configuring UChicagoBox in the University environment, please contact the ITS Service Desk.

7. What apps can I use with UChicagoBox?

The following apps are approved for use with your UChicagoBox account:
• Box Capture (iOS)
• Box for Android
• Box for Android Tablet
• Box for Blackberry
• Box for iPad
• Box for iPhone
• Box for Office
• Box Edit
• Box Sync (Be sure to review Securing Confidential or Sensitive Files)

If you’d like to recommend an app for use with UChicagoBox, contact the ITS Service Desk. Please note that Restricted information may not be linked to any apps outside of the Box environment. For example, you are not permitted to link Google Docs and UChicago Box together for patient information.

8. If I leave the University, do I get to keep my UChicagoBox account?

You will lose their UChicagoBox accounts (associated with your @uchicago.edu email address) upon leaving the University. (However, if you are an alum, in addition to being faculty or staff, you will retain your account, as outlined above).
• It is your responsibility to move any required data to another storage space prior to leaving the University.
• 10 days after you leave the University, your account will stop working. You and any folder collaborators will receive an email regarding the folders you own.
• 45 days after leaving the University, your account will be deleted, along with all of its data. This includes all folders and files you’ve shared with others.

9. I try to log into UChicagoBox and keep getting rejected. Why?

You may not be eligible for UChicagoBox. Please see the UChicagoBox Failed Login FAQ.

10. How long do my files stay in Trash before they’re deleted permanently?

Files remain in Trash for 30 days. After 30 days, they are permanently deleted.

11. Who has access to my files?

You control sharing via links or invitations to collaborators. UChicago system administrators have the same level of access to your UChicagoBox account as they do for University email – the right to access files is only invoked when approved by legal officials. We recommend that you do not store personal files on your UChicagoBox account, similar to University email.

12. Can I use Box Sync for Restricted information?

It is advisable NOT to sync folders that contain Restricted information, such as patient information or human subject research. This will reduce the copying of data and the proliferation of those data onto insecure devices.

13. Do I have to encrypt my device if using the UChicagoBox system within the BSD?

Yes. The BSD generally has access to, and uses, Restricted information. All Centers, Institutes, Core and Clinical departments are required to encrypt their devices. Even some Basic Science departments have access to, or use, patient information (PHI). To ensure the data are protected in case the device is lost or stolen encryption must be used. Please see http://security.bsd.uchicago.edu/encryption for more details on how to encrypt your device.