Welcome to Information Security Services
Report a Security Problem
You can request your service through
Information Security Services (ISS) at Washington State University (WSU) consists of two teams: Security Operations Center (SOC) and Governance, Risk, and Compliance (GRC).
The SOC team works around the clock to protect the data resources of students, faculty, and staff, as well as protecting the confidentiality, integrity, and availability of information important to the university’s mission. These processes are completed through management and monitoring of numerous industry-best security applications and tools. This group also monitors WSU’s abuse@wsu.edu customer support email that assists with community questions regarding the safety of emails and attachments.
The GRC team assists in mitigating security risks to information technology assets at WSU, improves the security of system and network services, implements proactive risk management, and enforces crisis and security incident management. This team provides security and risk assessments, evaluating the security controls within an information system to determine whether the controls are implemented correctly, operating as intended, and producing the desired outcome. The GRC group also provides on-demand security consulting for WSU business units.
For a comprehensive list of all provided services, please view ITS’ Service Catalog.
Password Assistance
WSU Password Policy
Passwords will be required to be reset every 180 days, starting at the date of your most recent password change.
Reminder
Once you have reset your password, you will need to update your account information for wireless internet access and applications on your mobile devices.
Failure to do so may result in your account being locked out due to multiple failed attempts to connect with your account.
Change or Recover Network ID
Change Your WSU Network ID or Friend ID Password
Please go to https://account.wsu.edu and log in to begin changing your password.
- Once you have started the process, you will have 15 minutes to complete your password reset, then the session will time out.
Recover your WSU Network ID or Friend ID
Please contact Crimson Service Desk at crimsonservicedesk@wsu.edu or 509-335-4357.
Tri-Cities Account
Change Your Tri-Cities Account Password
Please visit https://tricities.wsu.edu/ctc/change-wsutc-network-password/ and fill out the form to reset your WSUTC password.
You can also reset your local WSUTC account with the following method:
- Log in to your work computer.
- Once logged in, press Ctrl/Alt/Delete and click Change a Password.
- Follow the instructions on the screen to complete the reset.
VetMed Account
Change Your VetMed Account Password
Please contact Veterinary Information Systems (VetMed IT) for assistance resetting your VetMed account (username@vetmed.wsu.edu).
Password Requirements
| Requirement | Value |
| --- | --- |
| Minimum Characters | 10 |
| Letter - Number - Special Characters (i.e., !, @, #, $, ?) | At least 1 of each |
| Case Sensitive | Yes |
| Character Change Requirement for PW Resets | 3 characters must change |
| Password Expiration | 180 Days |
| Inactivity Deactivation Threshold | 90 Days |
| Lockout Policy | 5 Consecutive Failures |
| Lockout Duration | 5 minutes |
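The composition and reset rows of the table can be checked mechanically. The following is an added example, not WSU's own code: it assumes that any ASCII punctuation counts as a special character and that "3 characters must change" is measured as edit distance between the old and new password.

```python
import string

MIN_LENGTH = 10   # "Minimum Characters" row
MIN_CHANGED = 3   # "Character Change Requirement for PW Resets" row

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def policy_violations(new, old=None):
    """Return the table rows that `new` fails; an empty list means it complies."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("fewer than 10 characters")
    if not any(c.isalpha() for c in new):
        problems.append("no letter")
    if not any(c.isdigit() for c in new):
        problems.append("no number")
    # Assumption: any ASCII punctuation counts as a special character.
    if not any(c in string.punctuation for c in new):
        problems.append("no special character")
    # Assumption: "3 characters must change" is measured as edit distance,
    # compared case-sensitively because the table says passwords are.
    if old is not None and edit_distance(old, new) < MIN_CHANGED:
        problems.append("fewer than 3 characters changed")
    return problems

if __name__ == "__main__":
    # Inputs are example strings printed on this page.
    for pw in ("Cancun", "KardashianFan", "WOO!TSwontSB", "1ibLn+Tib5e"):
        print(pw, policy_violations(pw) or "meets the composition rules")
    print(policy_violations("B04t5xB04t5?", old="B04t5xB04t5!"))
```

Composition rules say nothing about guessability, so a password that passes this check can still be a dictionary word with a digit and a symbol appended.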
Tips & Tricks
Create a strong password that you can remember.
Avoid names, places, family, pets, and dictionary words.
Passwords like KardashianFan, Cancun, George, and Fido, or passwords that use any word you could look up in a dictionary, are too easy for people to guess.
Hackers can build programs that automatically try known words, so use abbreviated phrases and multiple words or fragments of words instead. Substitute numbers and special characters for letters or entire words to break up patterns: make it easy to remember, but impossible for anyone else to guess.
Connect the first letters of a passphrase:
- 1ibLn+Tib5e = One if by land, two if by sea
Take a sentence and turn it into a password:
- WOO!TSwontSB = Woohoo! The Seahawks won the Super Bowl!
- PPupmoarT@O@tgs = Please pick up more Toasty O’s at the grocery store.
- W?ow?imp::ohth3r = Where oh where is my pear? Oh, there.
Nursery rhyme:
- HD504w,HDh4gf = Humpty Dumpty sat on a wall, Humpty Dumpty had a great fall.
Favorite line of a song or movie:
- yMw4h4yF50e!! = Your mother was a hamster and your father smelled of elderberries!
Use a Keyboard Pattern:
- #WAxcvgy7890-
Consider doubling an easier password:
- B04t5xB04t5! = Boats x Boats
Reverse any of the above.
WSU Password Policy
As described in the existing WSU Executive Policy 18, passwords will be required to be reset every 180 days, starting at the date of your most recent password change.
Phishing
Phishing is an attempt to trick you into revealing private information. Emails, texts, or phone calls can “fish” for information by trying to lure you into clicking on a malicious link or attachment, or giving passwords, credit card numbers, etc., to a malicious third party. Report suspicious emails and phishing scams to abuse@wsu.edu.
HOW TO RECOGNIZE A PHISHING ATTEMPT
- Legitimate companies do not ask for personal info via email or text.
- Messages may appear to be from organizations you do business with.
- Sense of urgency: Messages may include threatening statements to close an account if you fail to respond, often indicating that such threats will be executed “immediately.”
- Obvious grammatical errors, spelling errors, and strange word choices. Messages from legitimate companies are usually written by professional communicators who won’t make such errors.
Key:
1. Sender’s email address: Official WSU communications will always be sent from a wsu.edu address. However, be cautious: a wsu.edu sender address does not guarantee that the message is legitimate either.
2. Impersonal or awkward greeting: Most phishing emails do NOT refer to the recipient by name.
3. Spelling: Official emails should not have spelling or grammatical mistakes.
4. Ultimatum: Urgent warning attempts to scare you into responding quickly and without thought.
5. WSU will never ask for your password or other personal information via email.
6. Bogus URL: Official WSU websites will always end in wsu.edu. Website URLs are easily obscured. DO NOT click. Instead, hover over the link to verify the destination URL.
7. Security disclaimer: This does not mean the message is genuine.
8. No signature or contact info: Official WSU business will always include WSU phone, email, and web address.
HOW TO SPOT:
Sample phishing email:
Date: Thursday, March 8, 2010 01:38:48 – 0500
From: WEBMAIL SERVICEDESK <upgrades2010@yahoo.com> [1]
To: Undisclosed Recipients
Subject: UPGRADE ACCOUNT QUOTA
Attn: Staff and Student: [2]
This message from the educational webmaster is to remind you of the upgrade to your mailboxes coming soon. The webmail account team will be moving our data base and we need to confirm you are still a student.
We are deleting all of the unused accounts (wsu.edu) to create more space. If your account isn’t responding to us it will be permantently [3] deleted. We have been sending this message to all of our wsu.edu webmail account owners so it is the last notice/verification for you. [4]
Confirm your account information below:
Email Account Username: ___________ [5]
Password: ___________________________
Birthdate: ___________________________
School: ______________________________
Or visit http://wsu.webformsonline.tt/surveys/0fisa09ls [6] and complete the questions there.
Warning: This message was authorized [7] by the webmail account team and is confidential.
Do not forward!
[8]
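Several items in the Key can be checked automatically before a person ever reads the message. The following is an added example, not WSU's own tooling: the phrase lists and function names are assumptions, and the input is constructed from the sample email above with the callout numbers removed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed from the sample email on this page, callout numbers removed.
SAMPLE = """\
From: WEBMAIL SERVICEDESK <upgrades2010@yahoo.com>
To: Undisclosed Recipients
Subject: UPGRADE ACCOUNT QUOTA

If your account isn't responding to us it will be permantently deleted.
It is the last notice/verification for you.
Password: ___________
Or visit http://wsu.webformsonline.tt/surveys/0fisa09ls and complete the questions there.
"""

# Assumed phrase lists; a real filter would carry far more patterns.
URGENCY = re.compile(r"last notice|immediately|will be \w+ deleted", re.I)
ASKS_PASSWORD = re.compile(r"\bpassword\s*:", re.I)   # a form field to fill in
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def in_domain(host, domain="wsu.edu"):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def phishing_indicators(raw):
    """Return the Key items that fire; an empty list does not prove legitimacy."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    found = []
    sender = parseaddr(msg.get("From", ""))[1]
    if not in_domain(sender.rpartition("@")[2]):
        found.append("sender outside wsu.edu")
    if URGENCY.search(body):
        found.append("ultimatum")
    if ASKS_PASSWORD.search(body):
        found.append("asks for password")
    for url in URL.findall(body):
        host = urlsplit(url).hostname
        if not in_domain(host):
            found.append(f"link outside wsu.edu: {host}")
    return found

if __name__ == "__main__":
    for item in phishing_indicators(SAMPLE):
        print(item)
```

The domain check compares whole DNS labels, so a host that merely starts with `wsu.` or contains `wsu.edu` somewhere in the middle is still reported as outside the domain.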
WHAT TO DO IF YOU SUSPECT YOU’RE BEING PHISHED:
- If you think the message might be legitimate, or if you’re worried about the consequences of ignoring it, look up the organization independently and contact them directly.
- Do not click on links or call phone numbers provided in the message. They may redirect you to fake sites that mimic the real thing.
- Do not open attachments that are unexpected or from unverified sources.
- Do not send your password via email.
- Only sign in if you are 100% sure you are on the real site.
- Report suspicious emails and phishing scams to abuse@wsu.edu.
Malware
Any unprotected computer connected to the internet is likely to be infected within minutes. Malware infections put your personal data—and everyone you’re connected to—at risk.
PROTECT YOURSELF AGAINST MALWARE
- Keep your system up to date
- Use anti-virus software
- Do not install untrusted software
MALWARE SYMPTOMS:
- Change of browser homepage/start page
- Changed settings which cannot be changed back
- Ending up at a strange site when using search
- System firewall has been turned off
- Increased network activity while not active
- Excessive pop-up windows
- New icons, programs, or favorites which you did not add
- Frequent firewall alerts about unknown programs
- Bad/slow system performance
Policies, Standards, and Guidelines
WSU’s Information Security Program (ISP) is managed and operated by the university’s central Information Technology Services (ITS) department. Within ITS, the ISP has a broad role and responsibility with respect to information security and privacy across the institution. The mission of WSU’s ISP is to provide clear and flexible information security and privacy policies, procedures, standards, and risk mitigations to enable WSU to safely carry out its mission and accomplish its strategic goals.
The ISP exists to appropriately protect, maintain, and ensure legal, compliant, and appropriate use of the university’s information technology assets. Security and privacy policies work together to lay the foundation for the campus community to build and operate a high quality and trusted campus computing environment.
To complement the requirements outlined in WSU’s Business Policies and Procedures Manual (BPPM) and Executive Policy (EP) manuals, ISS created supplemental policies, standards, guidelines, procedures, and forms designed to ensure campus compliance with applicable policies, laws, and regulations.
All users and campus departments are expected to help safeguard and secure campus information and information resources by adhering to these policies and standards where applicable, or to request an exception.
Please report suspected violations to abuse@wsu.edu.
Policies/Processes
Standards
- WSU Information Security Program
- WSU Information System Audit Accountability Standard
- WSU Information Security Control Objectives
- WSU Authentication Management Standard
- WSU Account and Identity Management Standard
- WSU Tiered Administration Standard
- WSU Role Based Access Control Standard
- WSU Endpoint Security Standard
- WSU Boundary Device Standard
- WSU Cloud Acceptable Use Matrix
- WSU Information Security Compliance Template
- WSU ITS Software Inventory Standards
- WSU System Security Plan Template
Guidelines
- Security Tips For International Travel (PDF)
- Guidelines for Developing a Security Assessment Plan (PDF)
Forms
Identity Theft Prevention
WSU ITS RSS Feed
Chinese Government Hackers Reportedly Stole Trove of Sensitive U.S. Naval Data:
A new report claims that Chinese government hackers stole more than 614 gigabytes of sensitive data from a U.S. Navy contractor. The attacks occurred in January and February and were conducted by a division of the Chinese Ministry of State Security. The target was a contractor that works for the Naval Undersea Warfare Center and conducts research and development for submarines and underwater weapons systems. The stolen data is said to include secret plans to develop a new submarine-launched anti-ship missile as well as information about sensors and submarine cryptographic systems. Chinese hackers have frequently targeted U.S. military contractors and have previously succeeded in stealing information about the new F-35 stealth fighter, the advanced Patriot PAC-3 missile system, and other sensitive projects.
Entire Article: https://www.theguardian.com/world/2018/jun/08/chinese-hackers-us-navy-submarine-missile-secrets-report
WSU Analyst Remark:
The suspected Chinese state-sponsored group has focused on engineering and maritime entities with malware designed to establish presence on victim networks and exfiltrate credentials and data, likely in support of Chinese political, military, and economic interests. Given recent tensions between China and the U.S., and China’s ongoing dispute with regional and global actors over the South China Sea, it is not a surprise that Chinese espionage actors demonstrate a high interest in maritime entities.