Access Account Risk Mitigation

Routine Measures for Intrusion Detection & Prevention

Security Operations and Services (SOS), a unit of ITS, handles security issues related to Access Accounts. SOS uses a spectrum of tools to discover and prevent internal and external attacks and compromised systems on the network. Upon identification of a compromised Access Account, the Access Account is locked and the Access Account holder is contacted.

Incident Reporting Procedure

Any suspicious or questionable network activity should be reported to SOS.

The following are the current procedures Access Account holders should follow to report incidents, as outlined at http://sos.its.psu.edu/reported.html.

Threatening or Harassing e-mail: messages received that are directly and personally threatening, abusive, obscene, or vulgar. To report electronic harassment or direct threats, forward the original e-mail message received with the full header showing to security@psu.edu. Also contact your local police department.

Denial of Service Attacks: massive amounts of e-mail or other network traffic sent to systems or individuals. This is usually done to crash the system(s), but may also be done to saturate the capacity of the network(s). Send an e-mail message to security@psu.edu describing the incident. Be sure to include any log files you may have that contain the date, time, source IP address, destination IP address, port numbers involved, and the time zone setting of your machine/logs.

Hacking/Cracking: the use of a piece of code that has been manipulated to do some action that it was not designed to do and/or exploiting programmable system details. Send an e-mail message to security@psu.edu describing the incident. Be sure to include any log files you may have that contain the date, time, source IP address, destination IP address, port numbers involved, and the time zone setting of your machine/logs.

Unauthorized Access Attempts: attempts to discover possible weak points in a computer system. Such weaknesses may subsequently be exploited to take control of an account or machine. Send an e-mail message to security@psu.edu describing the incident. Be sure to include any log files you may have that contain the date, time, source IP address, destination IP address, port numbers involved, and the time zone setting of your machine/logs.

Compromised Account: use of your Penn State Access Account or departmental systems account by an unauthorized individual(s). If you believe this has occurred, immediately change your Penn State Access Account password via https://www.work.psu.edu/ and your machine password. Send an e-mail message to security@psu.edu.

Copyright Violation: use of copyrighted materials (i.e., text, photographs, images, video, audio) without permission from the copyright holder. If reporting a copyright violation, send a detailed message to security@psu.edu. Include the title of the work being illegally copied, the name of the composer or writer, when and how the violation was found including date and time zone, and the location of the alleged illegal work (URL, IP address, printed newsletter, etc.).

Worm: a program that can make copies of itself, spread through connected systems, and exploit resources which can damage/compromise computers. To report a worm, forward the information with any applicable logs to security@psu.edu.

Virus/e-mail worm: a program that infects a computer by making copies of itself to the limit of available space or by attaching itself to another program and propagating itself when that program is executed. To report receipt of a virus/e-mail worm, forward the original e-mail message received with the full header showing to virus@psu.edu. If possible, include the name of the virus as indicated by your antivirus software. Do not include the infected attachment.

Hoaxes, Phishing, and Unsolicited commercial e-mail (spam): the electronic equivalent of USPS junk mail. It is recommended that users filter and delete these e-mails.

Locking and Unlocking An Access Account

SOS will lock an Access Account for a policy violation. Some examples include:

  • Copyright infringement
  • User ID mistaken identity (e.g. family member with same initials)
  • Password violation (shared password)
  • Security concern
  • Access Account holder deceased
  • Immediate employment termination
  • Request from the University Judicial Affairs
  • Request from law enforcement

SOS staff members are able to perform the locking of an Access Account, which records the locking history in CACTUS.

The lock on the Access Account remains in effect until SOS deems it appropriate to unlock it. SOS personnel take action to unlock the Access Account (or escalate to a system administrator to resolve "orange" color cases). SOS staff can also unlock the Access Account via the Security Interface.

Once the lock is removed, the Access Account holder will need to visit a signature station to acquire a new password.

Password Reset and Expiration

Password Reset at Initial Use: ITS-managed systems strongly recommend the password for any newly activated Access Account to be changed at first use. This ensures that only the person who has been assigned the Access Account knows the password.

An Access Account holder is encouraged to choose a strong password for his/her Access Account and periodically change it for security reasons. The password should be changed immediately if an Access Account owner believes that it has been compromised (for example, if there is a possibility that another person may have viewed or acquired the password). Guidelines for creating strong passwords are available at http://its.psu.edu/password/. Users can change their respective passwords via https://www.work.psu.edu/password/.

Mandatory Annual Password Reset: ITS-managed systems also force expiration of Penn State Access Account passwords once a year. Passwords will expire exactly 365 days from the date and time of last change. In addition to the University's annual password change requirement, ITS encourages individuals to change passwords more frequently throughout the year. Users can view expiration dates via https://www.work.psu.edu/.

Password Reset by authorized staff via DIMC: If an Access Account owner forgets his/her password, he/she may request a password reset. After verifying the person's identity, an authorized ITS staff member can reset the password. The new password consists of a system-generated alphanumeric string. An authorized staff member with full privileges is able to view the password and supply the new password to the Access Account owner, while a staff member with limited privileges can only perform the reset. The Access Account owner can then visit a signature station to reset/retrieve the password.

ITS-managed systems retain a history of three passwords. This means that the last three passwords cannot be re-used. When the password is changed, the Access Account owner must create a password that is different from the last three passwords. ITS strongly encourages Access Account owners to avoid reusing old passwords. A list of best practices for strong password creation is available via http://its.psu.edu/password/.
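The two controls described above, 365-day expiration measured from the date and time of the last change and a three-password reuse history, modelled as an added example (not ITS code; class and function names are hypothetical). The history stores only salted PBKDF2 digests, never plaintext, and the current password is counted as one of the three that may not be reused.

```python
"""Added example (not part of the ITS page): password expiration and
reuse-history checks with the page's parameters. Names are hypothetical."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

EXPIRY_DAYS = 365        # "exactly 365 days from the date and time of last change"
HISTORY_DEPTH = 3        # "a history of three passwords" (current plus two prior)
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class AccountPassword:
    """Tracks the current password, its change time, and the reuse history."""

    def __init__(self, initial: str, changed_at: datetime):
        self.history: List[Tuple[bytes, bytes]] = [hash_password(initial)]  # oldest first
        self.changed_at = changed_at

    def expires_at(self) -> datetime:
        return self.changed_at + timedelta(days=EXPIRY_DAYS)

    def is_expired(self, now: datetime) -> bool:
        return now >= self.expires_at()

    def change(self, new_password: str, now: datetime) -> bool:
        """Apply a change; return False if it reuses one of the last three passwords."""
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            if matches(new_password, salt, digest):
                return False
        self.history.append(hash_password(new_password))
        self.history = self.history[-HISTORY_DEPTH:]   # keep only the last three
        self.changed_at = now
        return True
```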

Access Logging History

All system access activities are logged, and the log history has been retained since inception.

Release of Identity Information

The release and retention of student, faculty, and staff directory information is based on Policy AD11 University Policy on Confidentiality of Student Records, as outlined at http://guru.psu.edu/policies/AD11.html.

The adoption of Shibboleth requires Penn State to release its identity subjects' attributes. In the process, Penn State releases only the information that is necessary to obtain services from the service provider.

Privacy of User Information

Access Account user IDs are searchable via Penn State Directory Services. Information such as address, phone number, major, position title, etc. is included in the listing. The University may publicly share directory information unless the individual takes formal action to restrict its release. If the individual prefers not to be listed in Penn State's directory, the person must request removal of the information by placing a confidentiality hold.

To request a confidentiality hold, an employee may contact the Human Resource representative designated for his/her area in order to make the change. A student needs to request the change through the Office of the University Registrar.

Information about Penn State Directory Services is found directly at http://www.psu.edu/directory/.