Information Technology Services
Terms and Definitions
Confidential Information
The term confidential information applies broadly to any information whose disclosure or access carries some degree of sensitivity and therefore needs some degree of protection or access restriction. Compromise of information in this category may have a limited, moderate, or severe impact on University functions; the level of impact, and the protection required, must be determined through a risk assessment or business impact analysis.
Malware
Malicious software, or "malware", is an umbrella term for viruses, worms, spyware, Trojan horses, and other harmful computer programs designed to damage a computer system, interfere with its operation, or capture its data. Malware is commonly delivered through documents, downloads, links, and websites that appear innocent.
Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA, also called two-factor or two-step authentication) adds a second layer of protection to your accounts. With MFA you present something in addition to your username and password when logging in, such as a one-time code from an authenticator app or text message, an approval on your phone, or a hardware security key. An attacker who has only your password therefore cannot log in. Note that a one-time code can still be captured by a phishing page that relays it to the real site in real time; a hardware security key (FIDO2/WebAuthn) binds the login to the genuine site and resists this.
When it's offered by a UC service you use for work, or a service that you use for personal activities (e.g. Google, LinkedIn, etc.), enable multi-factor authentication to protect your accounts and the information accessible by those accounts.
Passwords
As part of UCOP's security program, a password standard is in place. Requiring uppercase letters, lowercase letters, numbers, and special characters makes a password harder to guess or crack. The minimum password length is 8 characters, but longer passwords are more secure: each added character multiplies the number of guesses an attacker must try.
Your password is the key to very valuable information, including your identity. Never share it. If you absolutely need to write a password down, keep it secret and store it securely.
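As an added illustration of the standard above (not UCOP's own enforcement code), the following checks a password against the four character classes and the 8-character minimum, and estimates the brute-force search space to show why length matters more than complexity. The exact set of "special characters" is not defined on this page; the example assumes ASCII punctuation.

```python
import math
import string

MIN_LENGTH = 8
SPECIALS = set(string.punctuation)  # assumption: "special characters" means ASCII punctuation

CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": len(SPECIALS)}


def character_classes(password: str) -> dict:
    """Which of the four required character classes the password contains."""
    return {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIALS for c in password),
    }


def check_policy(password: str) -> list:
    """Return a list of policy violations; an empty list means the password is compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, present in character_classes(password).items() if not present]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    return problems


def search_space_bits(password: str) -> float:
    """Upper bound on brute-force work: log2(alphabet ** length), alphabet built from the classes present.

    This is an upper bound that assumes every character was chosen at random. Dictionary
    words, names, dates and keyboard patterns are far weaker than this number suggests, so
    treat it as a comparison between candidate lengths, not as a guarantee of strength.
    """
    alphabet = sum(size for name, size in CLASS_SIZES.items() if character_classes(password)[name])
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4d!", "correcthorsebatterystaple", "Correct-Horse-Battery-Staple-9"]:
        print(f"{candidate!r:36} violations={check_policy(candidate)} bits={search_space_bits(candidate):.1f}")
```

Running it shows that an 8-character password using all four classes (about 52 bits of search space) is weaker against brute force than a 25-character all-lowercase one (about 117 bits), which is the reasoning behind "longer passwords are more secure". Enforce the minimum, but encourage length.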
Personally Identifiable Information
Personally identifiable information (PII) includes data elements such as the following, which identify an individual or give access to an individual's accounts or records:
- Social Security Number (SSN)
- Driver's license number or California State identification card number
- A user name or email address, in combination with a password or security question and answer that would permit access to an online account
- Account number (financial account), credit or debit card number in combination with a PIN, required security code, access code, or password that would permit access to an individual's financial account
- Medical information (medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional)
- Health insurance information (an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify an individual, or an individual's application and/or claims history, including any appeals records)
Phishing
The word blends "fishing" with the "ph" spelling of "phreaking", the older term for telephone-network hacking. Phishing refers to any attempt to trick people into revealing confidential, personal or financial information or passwords, or into sending money, whether the attempt is made in person, over the phone, or via email, instant message (IM), text, Facebook, Twitter, etc. Phishing works by baiting a "hook" of lies with electronic or in-person fraud. A classic example is an email that uses your bank's identity and contains a link to a phony web site, where you are asked to confirm your card or account number along with your PIN (Personal Identification Number).
Sophisticated phishing messages can look very legitimate and can appear to come from someone you know. Because there are no specific characteristics common to all phishing messages, it is best to treat any unexpected message as potentially suspicious. Always think twice before clicking on links or attachments; the visible text of a link need not match the address it actually opens, so hover over or long-press a link to see its real destination. Whenever possible, go to web pages by a path you know is legitimate (a bookmark or a typed address) instead of clicking a link in a message. If an attachment is unexpected, contact the sender by a method you know is legitimate to confirm they sent it.
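The mismatch between what a link shows and where it really goes is something mail filters and security awareness tools check for. The following is an added example (not code from this page or from UCOP) that extracts the anchors from an HTML message, flags any link whose visible text names a different domain than its href, and flags any link whose domain is not on a list of domains known for the sender. The message and the `.test` domains are constructed for the demonstration, and the two-label "registered domain" rule is a simplification; real code would consult the Public Suffix List so that names like `example.co.uk` are handled correctly.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the first link displays the bank's address but points elsewhere.
CONSTRUCTED_EMAIL = """
<p>Dear customer, your account has been limited. Please visit
<a href="http://login-example-bank.attacker.test/verify">https://www.example-bank.test/secure</a>
within 24 hours and confirm your card number and PIN.</p>
<p>Our website: <a href="https://www.example-bank.test/">www.example-bank.test</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain: str) -> str:
    """Hostname of a URL, or of bare text such as 'www.example-bank.test'."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    return (urlparse(url_or_domain).hostname or "").lower()


def registered_domain(host: str) -> str:
    """Simplification: last two labels. Replace with a Public Suffix List lookup in real code."""
    return ".".join(host.split(".")[-2:])


def suspicious_links(html: str, trusted_domains: set) -> list:
    """Return [(href, [reasons])] for links a reader should not click without checking."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        reasons = []
        looks_like_address = "." in text and " " not in text
        text_host = host_of(text) if looks_like_address else ""
        if text_host and registered_domain(text_host) != registered_domain(href_host):
            reasons.append(f"link text shows {text_host} but the link opens {href_host}")
        if registered_domain(href_host) not in trusted_domains:
            reasons.append(f"{href_host} is not a known domain for this sender")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(CONSTRUCTED_EMAIL, {"example-bank.test"}):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The first link is reported twice over (display/destination mismatch and unknown domain); the second, genuine link passes both checks. Neither check proves a message is safe, which is why the text above recommends reaching a site by a path you already know rather than through any link in an unexpected message.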
Ransomware
Ransomware is a type of malicious software (a.k.a. malware; see the definition above) that locks the victim out of their computer or files, usually by encrypting them, until a ransom is paid. The ransomware typically displays a message telling the victim that they have been locked out, along with instructions for how much to pay and how. Many current ransomware operations also copy data out before encrypting it and threaten to publish it, so an infection should be treated as a potential data breach as well as an outage.
Ransomware is often spread through stolen credentials (for example for remote desktop or VPN access), malicious links, and harmful attachments in email; however, these are not the only mechanisms. Other sources include malicious applications and files, and adware/spyware.
It is important to note that paying the ransom does not guarantee that you will get access to your computer or files back, and it does not remove the attacker's foothold: the way they got in still has to be found and closed. The FBI and law enforcement advise never paying the ransom.
For more information and how to protect yourself from ransomware, see this article.
Restricted Information
Restricted information describes any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether at rest or in transit.
Shoulder Surfing
Shoulder surfing refers to looking over someone's shoulder to obtain information. It is commonly used to capture passwords, PINs, security codes, and similar data. Shoulder surfing is particularly effective in crowded places, where it is easy to watch someone fill out a form, enter a PIN at an automated teller machine (ATM) or point-of-sale terminal, unlock their phone, or type a password at a cybercafé, library or kiosk. Public transportation is also an area of concern for shoulder surfing.
Social Engineering
Social engineering is non-technical trickery used by criminals to obtain information by manipulating and exploiting the trust, goodwill or naivety of others. The social engineer typically calls or sends an email or text pretending to be someone else, or shows up at the workplace under a false pretext. It is one of the greatest threats that organizations encounter today. Phishing (defined above) is a common example of social engineering.
Additional Information
See the SANS Glossary of Information Security Terms for an extensive list of terms not covered here.