Information Security

Protect Your Devices, Your Data, and Your Penn State Account

Learn about steps you can take to protect yourself and the University from phishing attacks, viruses, spyware, ransomware, identity theft, theft of data, denial of service attacks, and other forms of cyberattack.

LEARN HOW TO:

  • Protect your personal devices from malicious software that can be used to delete or prevent you from accessing files, lock you out of your device, modify the behavior of existing software, redirect you to alternate websites, disrupt a web service, and/or gain access to your credentials, payment information, intellectual property or other sensitive information.
  • Protect your Penn State Account from unauthorized access that can be used to steal your personal and financial information, to further target other members of the Penn State community, and to access Penn State systems.
  • Protect Penn State Systems and Data. Avoid being the entry point that exposes Penn State Systems to unauthorized access and attack that could block access to University systems, steal sensitive data, disrupt learning and research activities, impact the University’s reputation, and cost it substantial sums of money.

PROTECT YOUR PERSONAL DEVICES AND DATA

1. Security Software

  • Install or enable anti-virus or internet security software on your smartphone, tablet, laptop and other internet connected personal devices to detect and protect against malicious software. Visit the Anti-Virus Software page on this website to learn more.
  • To realize the full benefit of your security software:
    • Keep it up to date by installing the latest update or release as soon as it becomes available.
    • Review the settings on your security software to confirm that you’ve enabled all of the recommended features. For example, make sure you’ve enabled automatic updates to the database your security software uses to identify threats.
    • If you receive a notification that your virus protection is out of date, don’t ignore it. Follow up to identify and address the reason.

2. Software Updates

The importance of Updates

  • As developers make improvements to operating systems and software products, they often make those improvements available to current users in the form of an update. Such updates frequently include security patches to address potential vulnerabilities, malware, and more.
  • Many threats work by exploiting known vulnerabilities for which security patches are available, so computers that don’t have all current updates applied are left susceptible to these types of threats. To help guard your computer and data, be sure to accept patches and updates from trusted sources as they become available.

How do I keep up?

  • Though it’s possible (and sometimes necessary) to manually check for updates and patches, signing up for automatic updates and notifications is an easy way to stay up to date. Be sure to take advantage of such options for:
    • Your operating system (e.g., Windows, macOS, iOS, Android and Linux)
    • Web browsers (Chrome, Firefox, Edge, Safari, Opera, etc.), and
    • Other software such as Adobe Flash and Java.
  • Another way to stay on top of updates is to take advantage of Duo Security features that notify you when you don’t have the latest update. See knowledge articles Software Update Notification – Your Computer Software is Out of Date and Duo Security Checkup for more information.

What if I can’t update?

  • If you’re unable to update your operating system or other software because you’re using an older device, consider replacing it with a newer one. Think of it this way: An automobile manufactured in 2010 cannot be retrofitted with all of the safety features available today, regardless of how well it’s maintained. Likewise, an older version of an operating system is generally not as secure as the current version, even if you’ve installed the most recent security patches available for the older version. The most recent version typically includes security enhancements not available in older versions.

Use Only Trusted Sources

  • Be sure any updates you install come from a trusted source. See Downloading, below, for more information.

3. Emailing and Texting

Take the following precautions when emailing and texting:

  • Don’t be hasty in responding to an official-sounding email that instructs you to take immediate action. Phishing attacks often create a sense of urgency by telling you there’s a problem you must address as soon as possible by clicking a link or sending your password, social security number, or other confidential information.
  • When you receive a text or email that contains a link or attachment, don’t click, open, or download it unless you know and trust the sender – and are sure the email actually came from them. If in doubt, contact them independently to confirm that the email came from them.
  • If the email appears to come from a government agency, financial institution or other official source, don’t click the link provided in the email.  Instead, do an internet search to find their official website and use the contact information found there.
  • Visit the Phishing page on this website for examples of recent phishing emails, to learn how to identify suspicious emails, and to learn what to do if you should receive one.
  • NEVER include confidential information such as your social security number, password, or financial accounts in an email or text, even if you’re responding to a request for that information. Such requests are a clear indication of phishing.

4. Browsing the Internet

Take the following precautions when browsing the internet:

  • Before you log into a website or enter confidential information such as your social security number, credit card, or bank account information, check the address (URL) of the webpage to confirm that it starts with https://.   The “s” indicates that the webpage encrypts (secures) data transmitted between your device and their server.
  • Never ignore or override warning messages from your web browser or security software that indicate that a website is unsafe.
  • Be careful what you click on.  Be alert for clues that may indicate that the site you’re visiting is not trustworthy, or that you’ve been redirected from the site you intended to visit, to a site that attempts to look like it.  If something seems fishy, check the address (URL) in the address bar of your browser to confirm that it’s what you would expect.

5. Downloading

Take the following precautions before downloading apps and content from the web:

  • Before downloading software or content from the internet, search the web for independent reviews to confirm that it has a good reputation and track record.
  • Download mobile apps from official sites such as Google Play, the App Store, iTunes, etc.
  • Download apps to your laptop or desktop directly from the software vendor’s site rather than a third party.
  • Take advantage of free software downloads Penn State offers students, faculty, and staff for a variety of trusted security, antivirus, backup, and productivity products.
  • If you’re not sure whether a software product or security patch is from a trusted source, check with the IT Service Desk.

6. Using Wi-Fi

Cybercriminals can easily take advantage of unsecured Wi-Fi connections to eavesdrop on your online activities and intercept the information you enter, including login IDs and passwords, credit card numbers, etc.

Take the following measures to protect yourself when you use Wi-Fi:

  • Make sure your home Wi-Fi network is secure.  Learn how by visiting Secure your own home Wi-Fi network.
  • Confirm that your device is not set to automatically connect to any available Wi-Fi network.
  • Only enable file sharing over Wi-Fi when you need it and only if you’re on a trusted Wi-Fi network.

If you must use free public Wi-Fi (for example, in a coffee shop, hotel, or airport):

  • Be sure you know the name of the Wi-Fi network offered by that location, so you don’t connect to a hotspot with a legitimate-sounding name that was set up by a hacker.
  • Don’t assume that free Wi-Fi is secure just because you need a password to access it.
  • Don’t visit any website that requires you to log in (e.g., social media, a bank account, or a Penn State website that requires login) or enter confidential information such as a credit card number unless you first log into a virtual private network (VPN).  See knowledge article Install and Run VPN to learn how to connect to the Penn State VPN.
    Note that some spyware can capture your password even when you connect to a website that you’ve set to log you in automatically, without typing in your ID and password!
  • If in doubt, use a cellular data connection rather than Wi-Fi.

7. Devices

  • Prevent others from accessing your device directly by setting your smartphone, tablet, laptop, or other device to lock after a certain period of inactivity, and require a password, fingerprint or other means to unlock it. Learn how to do this on your mobile device:
  • Keep your device with you. Never leave it unattended, even if it’s in a locked car or hotel room.

8. Backups

  • Back up the data on your smartphone, laptop and other devices to the cloud or to an external device on a regular basis. This is one of the most important things you can do to ensure you’re able to recover should your device be infected with malicious software such as a virus, spyware, or malware.
  • Visit the Data Backups page on the security website to learn more.

9. Firewalls

  • Consider enabling the firewall that’s built into your operating system if you haven’t already.
  • Visit the Firewall page on this website to learn more.

10. Multifactor Authentication (MFA)

Sign up for Multifactor Authentication (MFA) for your non-Penn State accounts.  Many websites, including Google and most online banking sites, offer the opportunity to enable Multifactor Authentication (MFA) for your account.  Consider taking advantage of MFA where it’s available.

11. Data Encryption

  • Do some research to find out what encryption features are built into or available for your specific operating system and/or device.
  • For other devices, use a whole disk encryption program such as BitLocker (Windows), FileVault (macOS), or GnuPG (Linux) to automatically encrypt your files when they’re not in use.

12. Bluetooth

Enable Bluetooth only when you need it. Hackers and data thieves can use Bluetooth connections to “eavesdrop” on your device and access your sensitive data.

13. Remote Access

Install or enable locator and/or remote access software on your laptop or mobile devices. This will allow you to ensure the security of your personal information in the event that your device is ever stolen or lost. Location services allow you to locate and control your mobile device remotely, and even delete sensitive data on it. Learn more about the services available for your device or operating system:

14. Disposing of Your Device

Wipe your personal device of all data before selling or disposing of it.  Search the web for tips on how to do this effectively, as deleted files can often still be recovered.

PROTECT YOUR PENN STATE ACCOUNT FROM UNAUTHORIZED ACCESS

If you’re a student, anyone who gains access to your account may redirect tuition reimbursement to their own account, gain access to information such as your social security number, credit card, or bank account numbers, and access confidential information such as grades and health records. If you’re a faculty or staff member, anyone who gains access to your account gains access to all of your information in Workday.

1. Password Strength

Using a strong password is one of the most important things you can do to help keep personal and Penn State information secure.  When you change or reset the password for your Penn State account, the Penn State Account Management Change Password page lists some basic requirements designed to help ensure that you choose a strong password.  In addition to those basic requirements, use the following guidelines to choose a password that is difficult for a person or computer program to determine:

  • Choose a phrase that’s unique and familiar just to you.
  • Go for length.  Longer passwords are more difficult to hack.
  • Don’t base your password on a common phrase (e.g., “1justDOit!”) or personal information such as the names of your pets or children, wedding anniversary, or favorite sports team.
  • Don’t base your password on a single dictionary word.
  • Combine the first part of each word in a phrase, mixing at least 15 numbers, characters, and letters.  For example, “I love to play badminton” could become “ILuv2PlayB@dm1nt()n.”

2. Intentional Password Sharing

Don’t share your password with anyone.  Penn State policy prohibits sharing the password for your Penn State account with anyone – even a parent, spouse, roommate, or friend.

Note that Penn State will never ask you for your password.

3. Inadvertent Password Sharing

Take care never to inadvertently share your password. Never write it down, disclose it in an email, or save it anywhere on your phone, laptop, or other device – unless it’s to store it in a password manager.

4. Password Uniqueness

Use a different password for each account you own. Cyberthieves often take advantage of the fact that many people use the same password for multiple websites and systems.  When that’s the case, all they need is the password to one of your accounts, and they’re able to access all of them.

5. Password Management Software

Consider using password management software.

Password management applications allow you to securely create, store, and retrieve strong device and website credentials.  Using a password manager makes it easier to have a strong, unique password for each of your devices and accounts because it eliminates the need to remember each one.

Research your options by doing a search on “best password manager”.  Review articles such as this one in Consumer Reports for recommendations.

6. Fraudulent Requests

MFA
It’s easy to get in the habit of approving the Microsoft Authenticator app, a phone call, or whatever other method of multifactor authentication you use without thinking. However, it’s critical that you don’t automatically approve any request for authentication you receive if you’re not in the process of logging in, in case the request is the result of a hacker attempting to access your account. If it is, and you approve the request, you enable the hacker to log in to your account, defeating the purpose of multifactor authentication. Numbers matching has been enabled with multifactor authentication in order to help reduce fraudulent authentications. See knowledge article I got a Request to Authenticate When I Wasn’t Trying to Log In to learn to identify fraudulent requests.
 
DUO
It’s easy to get in the habit of approving a Duo Push, a phone call, or whatever other method of two-factor authentication you use without thinking. However, it’s critical that you don’t automatically approve any request for authentication you receive if you’re not in the process of logging in, in case the request is the result of a hacker attempting to access your account. If it is, and you approve the request, you enable the hacker to log in to your account, defeating the purpose of two-factor authentication. See knowledge article I got a Request to Authenticate When I Wasn’t Trying to Log In to learn to identify fraudulent requests.

7. Authentication Method

Whenever possible, use the Microsoft Authenticator app or FIDO2 security token method of multifactor authentication because they are the most secure methods.

8. Malware Protection

Malware (malicious software) can be used to steal your user ID and password.  Protect your devices by following the recommendations in the previous section of this page, Protect your devices and data.

PROTECT PENN STATE SYSTEMS AND DATA

1. VPN

If you need to log into a Penn State resource from off-campus, use the Penn State VPN (virtual private network) to establish a secure connection to the Penn State network when any of the following apply:

  • You’re accessing a secure enclave and/or data classified as Level 3 (High) or Level 4 (Restricted) according to the Information Classification Decision Tool.
  • You need to log in to a Penn State resource using home Wi-Fi.
  • You need to log in to a Penn State resource using public Wi-Fi. Note that it’s best to avoid using public Wi-Fi altogether, but if you must, always connect to the Penn State VPN before logging in to Penn State resources.

See knowledge article Install the Virtual Private Network (VPN) on an Operating System or Device to learn how.

2. Storing Data

  • Don’t store or sync Penn State data to your personal device. Penn State policy prohibits storing Penn State data on a personal device, as your personal device may not have all of the security measures in place on a University-owned device.
  • Store files in a Penn State protected resource such as OneDrive, G Suite, or Microsoft Teams instead.
  • Establish a secure connection by logging in to the Penn State VPN before logging in to the application where the files are stored.

3. Confidential Data

  • When accessing, storing, or sharing confidential data, use the required security controls. Familiarize yourself with the level of confidentiality and data protection requirements associated with different types of data by referring to the Information Classification Decision Tool.
  • Do not use a personal device to access Level 3 or Level 4 data.  If you need to remotely access Level 3 or Level 4 data from a University-owned device, consult your supervisor and email security.psu.edu to confirm that the appropriate security controls are in place before accessing the data.

4. Your Device and Account

A security breach that affects your personal device or Penn State account may be the point of entry a cybercriminal uses to gain access to critical Penn State Systems.  Be sure to review and implement the recommendations listed in the previous sections on this page.

5. Intellectual Property

  • Take appropriate measures to protect Intellectual Property (IP). Learn what IP is, and where to find Penn State policies that govern it by visiting Protecting Intellectual Property on this website.
  • If you work on a project funded by a government or industry partner, make sure you’re aware of and honor any contractual agreements regarding sharing of project related data.
  • Don’t share IP externally unless absolutely necessary. If you do need to share it, work with your IT staff to ensure that the data remains secure.  Refer to Penn State’s Encryption Standard to learn how to securely transmit data outside of the PSU network.

6. Video Conferencing

Use Penn State approved video conferencing applications. These include Zoom, which provides a number of collaboration tools, and Microsoft Teams, which is offered to Penn State students at no cost as part of the Office 365 suite of applications.

7. Logging Out

Log out of WebAccess and close all browser windows when you’ve finished accessing Penn State resources. Cyber criminals may be able to exploit information the browser temporarily stores in cookies and other temporary files.  Logging out of WebAccess and closing all browser windows is the best way to ensure that such information is cleared.