Access Control
Risk
Deficient or non-existent access control to systems can lead to unauthorized access to data and information or unauthorized use of systems.
Impact
Data and information breach may result in the unauthorized disclosure of personally identifiable information, leaving the organization exposed to risks related to violations of FIPPA, PHIPA or PCI.
Controls
Access control should make use of authentication to systems that use one or more factors such as a combination of username and password to grant access to resources. Where appropriate, access to systems should require at least two-factor authentication. Two-factor authentication requires users to provide their username and password as well as one additional piece of information when authenticating to a system. The secondary piece of information may be a challenge-response to a previously configured personal question or a code from a key-fob or other one-time password (OTP) generator.
Authorization to perform actions on systems, data or information should always be granted using the principle of least privilege. The principle of least privilege ensures that users have access to the services and information that they require to do their job, and nothing more. System activity accounting, i.e. logging, is a valuable tool for monitoring access to resources. Logging successful and unsuccessful access attempts will help an administrator identify when unauthorized or inappropriate access has occurred.
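The logging point above is easiest to see on real lines. The following is an added example (not UTS code): it parses constructed sshd-style log lines, flags a source that fails authentication repeatedly within a short window, and separately flags a later successful login from that same source, which is the "inappropriate access" pattern an administrator would want surfaced. The log lines, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in syslog/sshd style (not real McMaster logs).
SAMPLE_LOG = """\
Mar 10 09:00:01 srv1 sshd[1201]: Accepted password for alice from 10.0.0.5 port 51000 ssh2
Mar 10 09:01:10 srv1 sshd[1210]: Failed password for admin from 203.0.113.7 port 40001 ssh2
Mar 10 09:01:12 srv1 sshd[1211]: Failed password for admin from 203.0.113.7 port 40002 ssh2
Mar 10 09:01:15 srv1 sshd[1212]: Failed password for invalid user root from 203.0.113.7 port 40003 ssh2
Mar 10 09:01:20 srv1 sshd[1213]: Failed password for admin from 203.0.113.7 port 40004 ssh2
Mar 10 09:01:25 srv1 sshd[1214]: Failed password for bob from 203.0.113.7 port 40005 ssh2
Mar 10 09:01:40 srv1 sshd[1215]: Accepted password for bob from 203.0.113.7 port 40006 ssh2
Mar 10 09:30:00 srv1 sshd[1300]: Failed password for carol from 10.0.0.9 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_events(text, year=2024):
    """Turn raw lines into (timestamp, result, user, src) tuples; unrelated lines are skipped.
    syslog timestamps carry no year, so one is supplied (assumed 2024 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_suspicious(events, threshold=4, window=timedelta(minutes=5)):
    """Flag a source with >= threshold failures inside `window`, and any later
    success from a source that was already flagged (a likely guessed credential)."""
    failures = defaultdict(list)  # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, result, user, src in sorted(events):
        if result == "Failed":
            window_start = ts - window
            failures[src] = [t for t in failures[src] if t >= window_start] + [ts]
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("burst", src, len(failures[src])))
        elif src in flagged:
            alerts.append(("success_after_burst", src, user))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_events(SAMPLE_LOG)):
        print(alert)
```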
Recommendations
Establish Control of Physical Access Where Applicable
- Restrict physical access to servers using appropriate door locks; swipe card access is preferred
- Physical access should be granted using the principle of least privilege and authority
- Ensure identity control is properly linked to the IAM system
Enable Access Control Of Local Electronic Resources (Direct)
*Note: Local user access attempts, successful or failed, should be logged
- Use a strong password or passphrase to protect administrator accounts
- Two factor authentication should be used where appropriate
- Disable and/or rename default administrator accounts
- Disable, rename or delete unnecessary default accounts, including but not limited to operating system accounts, remote access accounts, application management accounts, service accounts
- System BIOS and UEFI interfaces should be password protected; default passwords should be changed
- Local access should be granted using the principle of least privilege and authority
- Ensure identity control is properly linked to the IAM system
Enable Control Via Remote Modes (i.e. Port Access)
*Note: Remote user access attempts, successful or failed, should be logged
- Disable all unencrypted management interfaces (telnet, http, etc.).
- Restrict access to management interfaces using local access control list(s).
- Connections to management interfaces from outside of the McMaster University network should always be made through the Virtual Private Network (VPN)
- Two factor authentication should be used where appropriate
- Ensure identity control is properly linked to the IAM system
- Remote access should be granted using the principle of least privilege and authority
Enable Control Via Network Access
*Note: Network access attempts, successful or failed, should be logged
- Access to applications and services should be restricted to only those that require access
- Two factor authentication should be used where appropriate
- Network access should be granted using the principle of least privilege and authority
- Ensure identity control is properly linked to the IAM system
Passwords
A common means of authenticating the identity of a user before authorizing access to a resource or service, passwords provide an essential layer of defense in securing McMaster University assets from unauthorized use or access. It’s the responsibility of the password creator to ensure its strength through adequate length and complexity.
Users must create and protect their passwords to prevent data breaches and losses. The following MacID password creation requirements and information will help maximize the security of your password and assets.
Passwords must be a minimum of eight (8) characters in length.
Passwords must include character(s) from at least three of these four character sets:
- Uppercase letters A, B, C, …, Z
- Lowercase letters a, b, c, …, z
- Numerals 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
- Symbols ~ ! @ # $ % ^ & * ( ) _ + ` - = { } | ] [ \ : " ; < > ? , . /
A strong password should exclude your name or any part of it, be distinctive and memorable for you, yet challenging for others to guess. Avoid dictionary words; opt for something personally significant and unique.
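The MacID requirements above (minimum length, three of four character sets, no part of your name, no dictionary words) can be checked mechanically. This is an added example, not UTS code: the symbol class is the set listed above, and the small word list standing in for a dictionary is a constructed assumption.

```python
import re

# Constructed mini word list standing in for a real dictionary (assumption).
COMMON_WORDS = {"password", "welcome", "mcmaster", "hamilton", "football"}

CLASS_PATTERNS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "numerals": re.compile(r"[0-9]"),
    # The symbol set listed in the policy above.
    "symbols": re.compile(r"[~!@#$%^&*()_+`\-={}|\]\[\\:\";<>?,./]"),
}


def check_password(password, user_name="", min_length=8, min_classes=3):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    classes = [name for name, pat in CLASS_PATTERNS.items() if pat.search(password)]
    if len(classes) < min_classes:
        found = ", ".join(classes) or "none"
        problems.append(f"uses only {len(classes)} of 4 character sets ({found})")

    lowered = password.lower()
    # "Exclude your name or any part of it": test each word of the name separately.
    name_parts = [p for p in re.split(r"\W+", user_name.lower()) if len(p) >= 3]
    for part in name_parts:
        if part in lowered:
            problems.append(f"contains part of your name ({part!r})")
            break

    # Avoid dictionary words: strip digits/symbols and see if a common word remains.
    core = re.sub(r"[^a-z]", "", lowered)
    if core in COMMON_WORDS:
        problems.append(f"is a dictionary word with decoration ({core!r})")
    return problems


if __name__ == "__main__":
    for candidate, name in [("Tr0ub4dor&3", "Alice Smith"),
                            ("password1", "Bob"),
                            ("Smith2024!", "John Smith")]:
        print(candidate, "->", check_password(candidate, name) or "OK")
```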
Passwords should be changed:
- Once every year
- Immediately after the user has been given access to a new account, or when the password has been reset by a third party
- When there is any indication of a possible compromise. In such instances, incidents can be reported to the UTS Service Desk
Finally, passwords should never be written down or stored in a format that is human-readable. If possible, credential owners must encrypt passwords if they need to store the information, and this should only be done for backup, disaster recovery, and business continuity purposes.
Visit the Account Management page to access and manage your MacID.
Beyond Password Security: Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA), also known as two-factor authentication (2FA) or two-step verification, adds an extra layer of protection to help prevent hackers from accessing your account in case your password has been compromised (leaked, stolen or otherwise obtained).
Once activated, MFA requires that users demonstrate at least two of the following in order to log in to online resources (does not apply to campus-hosted websites):
- “something you know” (like a password)
- “something you have” (like a phone)
- “something you are” (like a fingerprint)
McMaster University provides the ability to enable MFA for MacID users.
Keep in mind that opting-in for MFA still requires users to maintain and protect their MacID password, as this will become one of the required factors in the MFA option.
Phishing
WHAT IS PHISHING?
Phishing is a type of online attack in which an attacker — using both technological and psychological tactics — sends one or more individuals an unsolicited email, social media post, or instant message designed to trick the recipient into revealing sensitive information or downloading malware.
Phishing attacks can be generic or customized, and can target both individuals and entire organizations. Attacks that target a specific individual or organization are commonly referred to as spear phishing attacks.
The main goal of a phishing attack is to get the individual to do something that compromises the security of their system and/or potentially their organization. To stop attackers from achieving this, when you receive a suspicious email:
- DO NOT open email attachments that contain malware
- DO NOT click on a link that leads to a fake website or page that installs malware
- DO NOT enter user names and passwords or other sensitive information on a fake website
- DO NOT reply to phishing emails with confidential information such as login credentials
If you do fall victim to a phishing scam, do not be embarrassed. Report any and all suspicious email messages to is-spam@mcmaster.ca.
If you have opened any suspicious emails, links or attachments please report it to the UTS Service Desk.
Training: Complete the Phishing Module
Complete the McMaster UTS Phishing Course on Avenue to Learn:
- Log into Avenue to Learn
- Navigate to the UTS Phishing Course via the link below
How to Recognize Phishing Messages
Phishing messages can range from very basic to highly sophisticated. Common “red flags” or indicators include:
- Suspicious sender or reply-to address: always treat messages from unknown or unfamiliar senders or accounts with extra caution.
- Unexpected message: messages from recognized senders that are unrelated to normal communications or job responsibilities can signal an account has been compromised or is fake.
- Suspicious attachment: messages with unexpected or unusual attachments can contain malware.
- Suspicious link: messages that encourage recipients to click and follow embedded hyperlinks may point to websites unrelated to the message and under the control of the attackers.
- Poor spelling: spelling and grammar errors may indicate a phishing attack since legitimate organizations typically avoid these mistakes in their communications.
How to Protect Against Phishing Attacks
Adopting the following best practices can minimize the chances of falling for a phishing attack:
- Filter incoming messages: ensure that your IT systems screen incoming messages to reduce spam and other unwanted content. “Anti-spoofing” controls can verify the authenticity of senders and make it difficult for attackers to hit their target.
- Install malware detection and filters: your IT systems should automatically block or quarantine messages that contain viruses, ransomware or other malicious code. Use software that prevents, detects, and removes malware and performs real-time scans.
- Keep browsers and other software up to date: malicious attachments and malware often exploit security vulnerabilities made possible by outdated browsers and other software. Ensure that your IT staff regularly update all software and operating systems if it is not possible to set up automatic updates.
- Lock down workstations: hackers can exploit computers that allow software to be installed and settings to be configured by individual users. Restrict or disable administrative rights for normal users and limit the number of computers or accounts with high-level privileges or access to sensitive information. Individuals with high-level privileges should not share accounts or use them for non-work purposes.
- Require employees to use unique, complex passwords: the reuse of stolen passwords is a major phishing threat. Stronger authentication methods, such as one-time password tokens, cryptographic credentials, or biometric traits should be required for system administrators, users that handle sensitive information, and users with remote access to corporate resources.
- Identify external messages: you can detect phishing messages more easily if all external messages are clearly labeled as coming from outside the organization with a prominent message.
- Segment networks that contain sensitive data from other networks. You can limit the impact of compromised computers and accounts by restricting their access to other networks or systems. For example, public-facing webmail servers should be isolated from intranet systems or human resources databases.
- Use threat intelligence and endpoint protection tools. Advanced tools can detect, and in some cases, prevent attackers from gaining a foothold inside your network by flagging unusual patterns of system behaviour, such as irregular login attempts and large file downloads.
- Enable encryption on documents, devices, and databases that contain sensitive information, by default, to provide an extra layer of defence against unauthorized access, use, and disclosure by attackers.
- Conduct regular phishing awareness and training. Send simulated phishing attacks to employees to test their awareness and knowledge of how to respond. Routine tests raise awareness of security issues and help identify employees who need additional training.
- Enable users to report phishing and to request help. Organizations benefit from real-time feedback from employees on phishing threats.
- Verify the sender by carefully examining the “From” address, which should be consistent with the display name and the context of the message. For example, an email message claiming to be from a bank should not have an “xbox.com” address domain (the domain is everything after the @). Some phishing attacks use a sender’s email address that is similar to, but not the same as, an organization’s official email address. An example would be “omtario.ca” instead of “ontario.ca.”
- Do not provide usernames, passwords, or other access codes in response to an email request or unsolicited popup windows. Legitimate organizations never ask for this information via email and only collect it through their official websites or applications. When in doubt, follow up with the sender by phone.
- Do not open suspicious file attachments. If you receive an unexpected attachment, contact the sender (preferably by phone) to confirm that the attachment is legitimate. If you cannot confirm its legitimacy, report the attachment to your IT department, or delete it.
- Never click on suspicious links. Hover your mouse over parts of the message without clicking on anything. If the underlying hyperlink looks strange or does not match what the link description says, do not click on it — report it. Note that images can also contain suspicious links.
- Do not respond to suspicious or unwanted messages. Attackers benefit from learning more about potential targets. For example, asking to have an email address removed from a malicious party’s mailing list confirms that email is active, potentially leading to additional attacks. Downloading missing images confirms that the message was viewed. The best practice is to flag the message as spam or delete it.
- Report suspicious messages. When you receive a suspicious message, and especially if you click on questionable links or attachments, notify your IT department immediately.
- Make it easy for all your employees to report suspected phishing messages, and to request and get help in case of a possible attack. Employees are often the last line of defence against phishing attacks. Awareness and training can and does improve security.
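Two of the checks above, labelling external messages and comparing the "From" address against the display name and against look-alike domains such as "omtario.ca", can be automated at the mail gateway or in a reporting tool. This is an added example, not UTS code; the trusted-domain list is a constructed assumption and the distance cut-off of 2 is a tuning choice.

```python
from email.utils import parseaddr

# Constructed trusted domains (assumption); a real deployment uses its own list.
TRUSTED_DOMAINS = {"mcmaster.ca", "ontario.ca"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as omtario.ca."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def assess_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, reasons) for a raw From: header value.
    verdict is one of: internal, external, suspicious, reject."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return "reject", ["no parsable address"]
    domain = address.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return "internal", []

    reasons = []
    # Look-alike check: a domain one or two edits away from a trusted one.
    for t in sorted(trusted):
        d = edit_distance(domain, t)
        if 0 < d <= max_distance:
            reasons.append(f"domain {domain!r} is a near-match for {t!r} (distance {d})")
    # Display name that claims a trusted domain while the address is elsewhere.
    for t in sorted(trusted):
        if t in display.lower():
            reasons.append(f"display name mentions {t!r} but address domain is {domain!r}")

    # Anything not trusted is at least "external", the label the page recommends.
    return ("suspicious" if reasons else "external"), reasons


if __name__ == "__main__":
    for hdr in ["UTS Service Desk <helpdesk@mcmaster.ca>",
                "Service Ontario <notice@omtario.ca>",
                "mcmaster.ca Payroll <payroll@mail-updates.example>",
                "Bank <alerts@xbox.com>"]:
        print(hdr, "->", assess_sender(hdr))
```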
IT Hygiene – Internet Use
Guidelines for Safe Social Networking
- Beware of posting too much personal information on social sites.
- Think twice before posting photos or descriptions of activities that could be considered questionable.
- Avoid posting material that could be considered pornographic.
- Postings that you consider a joke might be taken seriously by a potential employer. Avoid causing bad impressions.
- Untag material in which you were tagged if you consider it unwanted or inappropriate.
IT Hygiene – Software Updates
The Threat
Software is imperfect; very often, operating systems and other applications are released for use with flaws. These flaws are catalogued as Common Vulnerabilities and Exposures, or CVE for short. A CVE can be exploited, putting the confidentiality, integrity and/or availability of a system at risk.
The Target
Every system and all software are at some time susceptible to exploitation due to the vulnerabilities and exposures in the code.
The Control
The Mitre Corporation maintains a database of common vulnerabilities and exposures (CVE). This database is updated as new vulnerabilities and exposures are discovered in existing software. In response, software manufacturers often release “patches” to repair their software. Systems without the patches installed are vulnerable to the threat defined within the CVE document.
In the past, maintaining currency of software on servers and systems was a cumbersome task. Updates and patches had to be tested extensively to ensure that they would not negatively affect another part of the system or application, as was often the case. Today, the architecture of modern operating systems and the rigour applied to testing patches before they are released have all but eliminated the risk of interference when an update is installed. There are still occasions that a patch may interfere with other applications, although these are rare.
Be Safe
- Configure operating systems to automatically install critical updates
- Configure important applications to automatically install critical updates
- System administrators should regularly monitor the CVE list for entries that affect their systems
Resources
Microsoft Windows:
http://windows.microsoft.com/en-US/windows/help/windows-update
Traveling
IT Security Tips for McMaster Users Travelling Abroad
Last updated: February 2024
General Guidance for International Travel
- Never give out your password to anyone at any point in time during your travel.
- Watch out for spam or unsolicited SMS text messages or emails asking you to do something urgent right away or anything to do with your financial information. The Government of Canada is warning of increasing overseas fraud impacting Canadians.
- Utilize a Virtual Private Network (VPN) connection wherever possible, especially if needing to access personal or financial data at transit terminals or at your destination’s Wi-Fi hotspot.
- Always have either your work and/or personal device(s) on you or in your carry-on. If you need to store the device, ensure the battery and any storage devices (e.g. SD card, memory expansion cards) are removed prior to your departure.
- Acquire an International SIM from a reputable and trusted cell provider that’s supported in the country that you’re travelling to.
- Avoid using open Wi-Fi connection hotspots, using them as a last resort only, and turn off other unused wireless connectivity such as Bluetooth.
- Avoid storing any sensitive or personally identifiable information on your device while travelling since devices are easily lost or stolen.
- Some travel destinations may not have a stable or reliable internet connection, or there may be latency for data to travel a further distance.
- Review McMaster’s Travel Safety and Planning for additional tips and precautions to take while travelling.
Before Travel
- Review the Government of Canada Travel Advisories for any cyber security and cybercrime advisories for the country or countries you are travelling to.
- Ensure that the clocks on your PC and phone are synced correctly to the destination's time zone prior to accessing university email or any application that asks for your McMaster Microsoft account (e.g. if travelling to Vancouver, ensure that the clock is synced to Pacific Standard Time and not Eastern Standard Time prior to logging into Avenue2Learn).
- Ensure all software, applications and Windows or Apple products are all up to date.
- Have all important files and documents backed-up onto a Cloud platform, such as Microsoft OneDrive, since portable drives may get damaged, lost or stolen.
- Remove any sensitive files or documents on your phone or computer containing any logins to the websites you visit. Use a password manager, such as LastPass, Keeper, KeepassXC, etc.
- Ensure all security features that your device supports are enabled on your device (e.g. passcodes, PINs, biometrics, timeouts).
- Leave all nonessential devices at home if you’re not planning to use them all the time.
- If possible, use a computer or device that doesn’t contain a lot of personal information, files, applications and contacts to reduce the risk in case the device is compromised, lost or stolen.
- Acquire an international SIM card from reputable providers at their standalone stores (e.g. Bell, Telus) if you plan to go overseas.
- If MFA is enabled on your account, ensure the device is properly working as intended (e.g: able to receive text messages or receive codes to the authenticator app).
- Ensure your devices and data are encrypted in case your device is lost or stolen.
- For additional cyber security tips while travelling, please see the Government of Canada page "Cyber security while travelling".
During Travel
- Make sure to keep your devices and chargers in a safe place.
- Make sure to check the Wi-Fi you are connecting to and know it’s a recognized network.
- Do not store personal devices in checked baggage. Always have your devices in your carry-on or with you.
- Turn off unnecessary wireless communication services, such as location tracking and Bluetooth, where applicable and when not actively in use (e.g. for listening to music or making calls).
- Make a note of the accounts and applications you’ve used during your trip.
- For additional cyber security tips while travelling, please see the Government of Canada page "Remaining cyber safe while travelling: security recommendations".
After Travel
- Reset any account passwords and reinstall apps used on your trip.
- Clear browser history and session information.
- Make sure to re-check default sign-in methods if you had them changed.
- Check sign-in activity on your account a few days after travel to ensure no suspicious activity.
- Reset passcodes and switch devices if possible.
- Switch out the international travel SIM with the SIM provided by your Canadian service provider.
To report an information security incident, please visit: https://informationsecurity.mcmaster.ca/information-security-incidents/ for contact information.