Cyber Hygiene Best Practices

Cyber Hygiene is a set of best practices users should follow to improve the safety and security of their devices.

For detailed information on minimum security standards for Servers, Endpoint, and Multi-Function Devices based on UH Institutional Data Category type (Public, Restricted, Sensitive, and Regulated), please visit the following page: https://www.hawaii.edu/infosec/minimum-standards/

When working with Regulated Data, please refer to the applicable Standard, Act, or Policy (e.g., CMMC, PCI DSS, HIPAA, FERPA, NIST SP800-171, etc.) for specific details on any additional controls needed.

Best Practice Description References
1 Anti-Malware Software and Host Based Firewalls

Install Anti-Malware software and ensure its signatures are regularly updated. Anti-Malware software is a key protective measure to detect, quarantine, and remove various types of malware.

Trellix (formerly McAfee) antivirus software is licensed by the University of Hawaiʻi (UH), Information Technology Services (ITS) site license for use by active UH faculty, staff, and students: https://www.hawaii.edu/askus/1254

In addition to Anti-Malware software, most modern operating systems have built-in Host-Based Firewalls. These firewalls run directly on your device, offering an extra layer of defense against network-based cyberattacks. Ensure your firewall is always active and properly configured to enhance your overall security.

2 Regularly Update Software

Regular software updates are among the most effective steps to strengthen your cybersecurity. This includes updates for operating systems, firmware, patches, and security fixes. Most software now automatically checks for updates, so ensure this feature is enabled to keep your systems protected.

  • CISA.gov Security Tip Understanding Patches and Software Updates: https://www.cisa.gov/news-events/news/understanding-patches-and-software-updates
  • ITS MSS 7.3 – Perform Automated Operating System Patch Management (CIS Control 7.3)
  • ITS MSS 7.4 – Perform Automated Application Patch Management (CIS Control 7.4)
  • ITS MSS 9.1 – Ensure Use of Only Fully Supported Browsers and Email Clients (CIS Control 9.1)
3 Multi-Factor Authentication

Multi-Factor Authentication (MFA) is required for all UH users when accessing UH resources. MFA adds an extra layer of security beyond just a username and password, requiring a second factor—like your smartphone—to log in. This significantly reduces the risk of unauthorized access, as attackers would need both your password and the second factor to succeed.

ITS supports the use of MFA. Please visit the following sites for further information on MFA and how to set it up:

  • UH Login: http://www.hawaii.edu/its/uhlogin/
  • Getting setup for Multi-Factor Authentication (MFA): https://www.hawaii.edu/askus/1758
  • ITS MSS 6.3 – Require MFA for Externally-Exposed Applications (CIS Control 6.3)
  • ITS MSS 6.4 – Require MFA for Remote Network Access (CIS Control 6.4)
  • ITS MSS 6.5 – Require MFA for Administrative Access (CIS Control 6.5)
4 Set Strong Passwords

If your password has been compromised or exposed in a data breach, NEVER reuse it on any other account. Reusing compromised passwords significantly increases the risk of further security breaches.

Strong passwords are key to protecting against unauthorized access. Best practices include:

With the use of Multi-Factor Authentication:

  • Passwords must be 8-32 characters long; and
  • Passwords contain one uppercase character, one lowercase character, one number, and one special character.

Without Multi-Factor Authentication:

  • Passwords must be 14-32 characters long;
  • Passwords contain one uppercase character, one lowercase character, one number, and one special character;
  • Passwords should expire every 365 days or less. If a password is compromised or exposed, you must change it immediately;
  • Keep a password history of at least the last 10 passwords; and
  • Devices unable to meet these best practices (e.g. Multi-Function Devices, Network Devices, Legacy Systems, etc.) should have password settings at the maximum complexity allowed by the system.
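
As an added illustration (not UH or ITS code), the length, character-class, history, and expiry rules above can be expressed as a Python check. The set of accepted special characters, the use of PBKDF2 for the stored history, and all function names are assumptions.

```python
import hashlib
import hmac
import os
import string
from datetime import date

MAX_LEN = 32
MIN_LEN = {True: 8, False: 14}      # keyed by "is MFA in use?"
MAX_AGE_DAYS = 365                  # listed under "Without MFA"
HISTORY_DEPTH = 10                  # listed under "Without MFA"
SPECIALS = set(string.punctuation)  # assumption: the page does not list them


def hash_password(password, salt=None):
    """Return (salt, digest) so the history never holds clear-text passwords."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_new_password(password, mfa, history=()):
    """Return a list of rule violations; an empty list means compliant.

    history is a sequence of (salt, digest) pairs, oldest first.
    """
    problems = []
    if not MIN_LEN[mfa] <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN[mfa]}-{MAX_LEN} characters")
    required = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "special": any(c in SPECIALS for c in password),
    }
    problems += [f"missing {name} character" for name, ok in required.items() if not ok]
    if not mfa:
        # Re-hash the candidate with each stored salt and compare in constant time.
        for salt, old in list(history)[-HISTORY_DEPTH:]:
            if hmac.compare_digest(hash_password(password, salt)[1], old):
                problems.append("matches one of the last 10 passwords")
                break
    return problems


def is_expired(last_changed, mfa, today=None):
    """Without MFA, a password older than 365 days is due for change."""
    age = ((today or date.today()) - last_changed).days
    return not mfa and age > MAX_AGE_DAYS
```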

Additional best practices include:

  • Change all default passwords. These pre-configured passwords usually have administrator level privileges and are readily known on the internet.
  • Do not use the same password with multiple accounts.

Password Managers:

  • Password managers can help you generate, store, and manage long, complex passwords for each of your accounts.
  • The only way to access your password vault is by using one strong master password, which greatly reduces the amount of information you need to remember and protect.
  • The following article discusses the use of password managers: https://www.hawaii.edu/infosec/resources-tips/password-manager/
5 Use Encryption

Data is stored across various devices, including desktops, laptops, and removable storage media like USB drives, external hard drives, and CDs/DVDs. Sensitive information requires extra care. Encryption is a critical method for safeguarding this data, ensuring that the information remains secure even if accessed by unauthorized individuals.

The following article discusses the encryption options available: https://www.hawaii.edu/infosec/resources-tips/encryption/

When sending files, consider using the UH File Drop service: https://www.hawaii.edu/filedrop/

6 Back Up Your Data

Regularly back up your data to removable media or a cloud-based service like Google Drive. Ensure that your backups are encrypted to protect your information. Regular backups are essential to recover your data in case of corruption, loss, theft, or other failures.

  • CISA.gov Home Network Security Tips: https://www.cisa.gov/news-events/news/home-network-security
  • ITS MSS 11.2 – Perform Automated Backups (CIS Control 11.2)
  • ITS MSS 11.3 – Protect Recovery Data (CIS Control 11.3)
  • ITS MSS 11.4 – Establish and Maintain an Isolated Instance of Recovery Data (CIS Control 11.4)
7 Lock your Devices

Always lock your device when stepping away, requiring a password to regain access and preventing unauthorized access. Configure your device to automatically lock after 10 minutes or less of inactivity. When you’re finished working for the day, consider shutting down your workstation or, at a minimum, log out.
8 Limit the use of Administrative Accounts

Administrative accounts have elevated privileges, allowing actions that standard user accounts cannot perform, such as installing software, disabling anti-malware programs, managing user accounts, and controlling services.

If a standard (non-privileged) account is compromised, the potential damage is usually limited. The best practice is to use a non-privileged account for everyday activities like browsing the internet and checking email. When you need to perform administrative tasks, log in with an administrative account and log out immediately after completing the task.

  • ITS MSS 4.7 – Manage Default Accounts on University Assets and Software (CIS Control 4.7)
  • ITS MSS 5.2 – Restrict Administrator Privileges to Dedicated Administrator Accounts (CIS Control 5.4)
9 Recognize Phishing

Phishing is one of the most common and straightforward methods attackers use to compromise your device and steal sensitive information. Follow these best practices to reduce your risk:

  • Never open links or attachments in emails that seem suspicious or are from unknown sources.
  • Hover over links to verify they lead to legitimate sites before clicking.
  • Be cautious of poorly worded emails with misspellings, as these are common signs of phishing attempts.

For more details, please visit the following:

10 Mobile Device Security

Mobile devices require strong cyber hygiene practices due to their portability and everyday use. In addition to general best practices:

  • Set a secure PIN or password.
  • Keep your device’s operating system up to date with the latest patches.
  • Only install apps from trusted sources like the Apple App Store or Google Play.
  • Limit the amount of sensitive information stored or transmitted on your device.
  • Consider using encryption, as mobile devices are at higher risk of being lost or stolen due to their size.
11 Internet of Things (IoT) Devices

CISA.gov refers to the Internet of Things (IoT) as any “object or device that sends and receives data automatically through the Internet. This rapidly expanding set of ‘things’ includes tags (also known as labels or chips that automatically track objects), sensors, and devices that interact with people and share information machine to machine.”

Common IoT devices include Network Attached Storage (NAS), sensors like temperature readers, Universal Plug and Play (UPnP) devices, and IP-based devices such as routers, cameras, and printers.

Given the increasing prevalence of IoT devices in both work and home environments, this section will explore the associated risks, best practices, and how various Cyber Hygiene Best Practices (CHBP) can work together to reduce the risk exposure of these devices.

Risks

  • Data Exfiltration: Attackers often target IoT devices to steal sensitive data. This is especially concerning if you store UH Institutional Data at the Protected level (Restricted, Sensitive, Regulated) on these devices.
  • Botnet Involvement: A compromised IoT device can become part of a botnet, which can be used to launch further attacks.
  • Additional Malicious Activity: Compromised IoT devices are frequently used to target other computers or devices, leading to further malicious actions.

Best Practices

When considering IoT devices for work or home, keep in mind that a lack of these basic security measures significantly increases the risk of compromise:

  • Strong Passwords (CHBP #4): Always set strong, unique passwords for your IoT devices. Many devices come with default passwords that are widely known and easily exploitable.
  • Evaluate Security Settings: Enable security options that enhance protection, such as encryption (CHBP #5), activating the device firewall (CHBP #1), disabling unnecessary features, and requiring strong authentication (e.g., username and strong password) for access.
  • Keep the Device Updated (CHBP #2): Regularly update the device’s software and firmware from the manufacturer to patch vulnerabilities.
  • Connect Only When Necessary:
    • Assess whether the device truly needs to be connected to the internet. Once online, it becomes susceptible to scans for vulnerabilities, misconfigurations, and weak or default credentials.
    • If a connection is necessary, place the device behind a firewall.
    • Whenever possible, connect the device to the network only when needed to perform specific functions and disconnect it once those tasks are completed.
  • Create an Inventory: Maintain an inventory of all IoT devices to keep track of what is connected to your network.
  • Physical Security: If the device is accessible to the public, ensure that it, along with its ports and cables, is protected against tampering.

  • CISA.gov Security Tip Securing the Internet of Things: https://www.cisa.gov/news-events/news/securing-internet-things-iot
  • From Homes to the Office: Revisiting Network Security in the Age of the IoT: https://www.trendmicro.com/vinfo/au/security/news/internet-of-things/from-homes-to-the-office-revisiting-network-security-in-the-age-of-the-iot
  • ITS MSS 1.1 – Establish and Maintain Detailed University Asset Inventory (CIS Control 1.1)
  • ITS MSS 3.5 – Encrypt Institutional Data on End-User Devices (CIS Control 3.6)
  • ITS MSS 3.7 – Encrypt Institutional Data on Removable Media (CIS Control 3.9)
  • ITS MSS 3.8 – Encrypt Institutional Data in Transit (CIS Control 3.10)
  • ITS MSS 3.9 – Encrypt Institutional Data at Rest (CIS Control 3.11)
  • ITS MSS 4.1 – Establish and Maintain a Secure Configuration Process (CIS Control 4.1)
  • ITS MSS 4.4 – Implement and Manage a Firewall on Servers (CIS Control 4.4)
  • ITS MSS 4.5 – Implement and Manage a Firewall on End-User Devices (CIS Control 4.5)
  • ITS MSS 4.7 – Manage Default Accounts on University Assets and Software (CIS Control 4.7)
  • ITS MSS 4.8 – Uninstall or Disable Unnecessary Services on University Assets and Software (CIS Control 4.8)
  • ITS MSS 7.3 – Perform Automated Operating System Patch Management (CIS Control 7.3)
  • ITS MSS 7.4 – Perform Automated Application Patch Management (CIS Control 7.4)