Security is everyone's responsibility. Here are some things you can do to help keep yourself more secure.

  1. Keep your software up to date

    Installing software updates is essential to protecting your devices. Attackers tend to use exploits written for known vulnerabilities that already have a patch available. Consider turning on automatic updates for your operating system and programs, and reboot or restart programs as necessary to make sure you're running the latest version.
  2. Use strong, unique passwords

    Most places have password restrictions these days, but that doesn't mean that a password is good. What constitutes a "good" password?
    • A longer, simpler password is better than a short, hard-to-remember one. For years the opposite was the common belief, but the truth of the matter is that it's much easier for a machine to cycle through every possible combination of a short password, regardless of the characters used, than through those of a longer password or passphrase. Shoot for at least 12 characters.
    • Use a unique password for each account. It's common for attackers to check a known password against other sites.
    • Avoid using similar passwords between accounts (e.g. I<3dogs4eva on one site and I<3cats4eva on another). It's also common for attackers to try these substitutions: swapping a word, substituting a character, or adding a 1 to the end of a password.
    • Don't use personal information in your passwords. It might make a password easy to remember, but it's also easy for someone else to figure out.
    • Similarly, treat security questions as additional passwords. Never answer them truthfully.
    • Avoid weak, commonly used passwords like Password1, Temp!, or asdf123. Have I Been Pwned can help you determine whether a particular password has already appeared in a breach.

    A password manager is also an excellent idea. This software will help you keep track of all these passwords and generate new secure ones. LastPass Enterprise is a "UW CISO-approved browser-based password management tool," but there is a free version of it and of its competitors (e.g. 1Password or Dashlane). Don't like the idea of a password manager service, and want to make and manage your own password vault? You could also use KeePass to create a password vault on a cloud drive for similar basic functionality.

    Bonus: Though not a password per se, multifactor authentication is worth mentioning here. It will help keep your account secure, even if your regular password is compromised. Turn it on whenever you can!
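    As an added example (not code from the original page), the script below puts two of the rules above into working form: it compares the search space of a short "complex" password against a longer simple one, and it checks a candidate password the way Have I Been Pwned's Pwned Passwords range API does, where only the first five hex characters of the password's SHA-1 hash are sent and the server returns every matching hash suffix with its breach count. No network call is made here; the range response is a constructed sample keyed to the real SHA-1 of the word "password", and the counts, the common-password list and the `fetch_range` callable are assumptions for the example.

```python
import hashlib
import math

# Constructed stand-in for the Pwned Passwords range service: maps a 5-hex-char
# SHA-1 prefix to a response body of "SUFFIX:COUNT" lines. The first suffix is
# the real SHA-1 of "password" minus its prefix; the counts and other suffixes
# are made up for this example.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "0000000000000000000000000000000000A:2\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:17\n"
    ),
}

# A tiny constructed deny list standing in for a real "most common passwords" file.
COMMON_PASSWORDS = {"password", "password1", "temp!", "asdf123", "123456", "qwerty"}


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits of search space for a password of `length` symbols drawn from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def hibp_range_check(password: str, fetch_range) -> int:
    """Return how many times `password` appears in breach data, 0 if never.

    Only the 5-character hash prefix is handed to `fetch_range` (k-anonymity);
    the full hash never leaves this function.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_problems(password: str, fetch_range=lambda p: SAMPLE_RANGES.get(p, "")) -> list:
    """Apply the page's rules: length, common-password list, breach exposure."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    seen = hibp_range_check(password, fetch_range)
    if seen:
        problems.append(f"appears in breach data ({seen} times)")
    return problems


if __name__ == "__main__":
    # 8 chars from all 95 printable ASCII symbols vs. 12 or 16 lowercase letters
    for length, alphabet in [(8, 95), (12, 26), (16, 26)]:
        print(f"{length} chars over {alphabet} symbols: {keyspace_bits(length, alphabet):.1f} bits")
    for candidate in ["password", "I<3dogs4eva", "correct horse battery staple"]:
        print(repr(candidate), "->", password_problems(candidate) or "no problems found")
```

    The keyspace numbers make the first bullet concrete: twelve lowercase letters already beat eight characters drawn from the full printable set, and sixteen beat it comfortably. Against a real deployment, `fetch_range` would perform the HTTPS request for `https://api.pwnedpasswords.com/range/<prefix>`; the rest of the logic is unchanged.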

  3. Backup on a regular basis

    Aside from the peace of mind of knowing that your data exists in backups even if you accidentally blow it away or lose a drive, there's also a security benefit to having a copy of that data somewhere else. One of the more popular attacks right now is ransomware. Basically, your files are encrypted by an attacker's malware using a key only they have, locking you out of your own files. They then offer to give you the key for a price. In this scenario, an unencrypted backup of those files would save you some sanity, and potentially money if you feel you "have to pay." If you do decide to pay, not only would you be supporting a large criminal industry, but the chances of getting your data back are still not good.
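    A backup only helps in the ransomware scenario above if you can tell which copy is still intact. The script below is an added example, not code from the original page: it records a SHA-256 manifest of a directory, compares a later snapshot against it, and flags the pattern ransomware leaves behind (a large fraction of files changed or replaced at once). The directory layout, file contents and the 50% threshold are constructed for the example; `demo()` builds everything in a temporary directory so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map every file under `root` (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report which files appeared, vanished, or have different contents."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }


def looks_like_mass_encryption(baseline: dict, diff: dict, threshold: float = 0.5) -> bool:
    """True when at least `threshold` of the baseline files were altered or replaced.

    Normal day-to-day editing touches a few files; ransomware touches nearly all of
    them in one pass, often renaming them with a new extension as it goes.
    """
    if not baseline:
        return False
    touched = len(diff["changed"]) + len(diff["removed"])
    return touched / len(baseline) >= threshold


def demo():
    """Constructed scenario: four files backed up, then three of them hit."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        files = {
            "notes.txt": b"lecture notes",
            "thesis/ch1.md": b"# Chapter 1",
            "thesis/ch2.md": b"# Chapter 2",
            "photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg-ish bytes",
        }
        for name, data in files.items():
            p = root / name
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        baseline = build_manifest(root)  # this is what you would store with the backup

        # Simulated damage: two files overwritten and renamed with a ".locked"
        # suffix, one overwritten in place. The bytes are made up, not real output.
        junk = b"\x00\x11\x22 constructed ciphertext-looking bytes"
        for name in ["notes.txt", "thesis/ch1.md"]:
            p = root / name
            p.write_bytes(junk)
            p.rename(p.with_name(p.name + ".locked"))
        (root / "thesis/ch2.md").write_bytes(junk)

        diff = compare_manifests(baseline, build_manifest(root))
        return diff, looks_like_mass_encryption(baseline, diff)


if __name__ == "__main__":
    diff, alert = demo()
    for kind, names in diff.items():
        print(f"{kind}: {names}")
    print("mass-change alert:", alert)
```

    Keeping the manifest with the backup (and the backup itself offline or on a drive the machine cannot write to at will) means you can tell a clean restore point from a silently overwritten one before you need it.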
  4. Be suspicious

    The right mindset can help you avoid being tricked into trusting something you shouldn't. As a general rule of thumb: never give information to someone who contacts you first unless you can prove beyond a shadow of a doubt who they are. If you aren't sure, ask for a reference number and recontact them through a better-known channel.
  5. Control access to your machine

    You should know and trust anyone who has access to your machine, especially admin access. Related to this, don't give someone else access to your account, and especially don't leave your machine unattended and logged in! You are giving free rein to any passerby to be you until you come back. This extends to things like mobile devices too.
  6. Use encrypted secure connections

    Encrypting connections to and from your machine prevents prying eyes from seeing your data in transit. It's good practice to always use encrypted connections (like HTTPS and SSH) whenever available, especially on untrusted networks. You can also take this a step further and use a VPN service to tunnel all of your traffic across an encrypted connection. The UW runs a free VPN service, Husky OnNet (with some additional routing rules).
  7. Practice software hygiene

    Install software from reputable sites, and don't run anything you wouldn't bet your data on. Use an antivirus to scan files you download, and/or scan them with a service like VirusTotal. CSE also offers students, faculty, and staff free or discounted access to an array of licensed software (see CSE's Software page) in addition to what you can get from the UW's UWare site.
  8. Firewall your machine

    Using a firewall lets you control which network traffic is allowed in or out of your machine. It's a good generic layer of defence that most modern operating systems ship with installed by default, but it may not be turned on by default. In an ideal world, you wouldn't actually need a firewall because each service would be correctly configured and never have any bugs that compromised that configuration.
  9. Stay informed

    Many software projects host security pages and/or mailing lists. Some useful links are: If you're running a service, check to see if that service has a security guidelines page.
  10. Ask for help

    Lastly, don't be afraid to ask someone else if you have questions. CSE Lab staff are an excellent resource, and always willing to help. Ask your favorite security researcher or UW-IT. No one wants to see you taken advantage of because you didn't feel comfortable asking for help.