Where to start?
This is such a big topic. Everything IT does has a security component. Everything you do on your computer has a security component. Is your laptop encrypted in case it gets stolen? Do you have backups of data in case of CryptoLocker? Is your computer secure enough to prevent hackers coming in from the outside? Is it secure enough to prevent a script you accidentally open from hacking you from the inside? Do you leave your office door open with your laptop in plain site? Do you like to click on every link in every email?
The Very Basics
Never give your password to anyone. Anyone. We don't want to know it. IT Express doesn't want to know it. Anyone who asks you for your password is either evil or doing it wrong. My password is "No".
Keep your system and software up to date. If your system doesn't have a particular security patch, then it's a target for a particular hack.
Know where your data is. Did
you just put student records in your email? Did you store your Social
Security Number on Box.com? Depending on the data type, you can't just
stick it anywhere per all sorts of university, state, and federal
policies. The thing is you
*can* stick it anywhere, but you have to know where you're breaking policies so you don't. Check out the Data Sensitivity Guide in the following link for some guidance:
Never let anyone else work on your department owned computer until you've contacted Physics IT. Especially people from 1-800 web pop-ups. My IP address is "No".
The most popular way to lose your data or bank account contents is for someone to ask you for it. This is often done via cleverly crafted emails that may look genuine but are instead out to steal your credentials or money. Before responding to an email or clicking on a link or opening an attachment, review the email for the following:
- Capitalization, punctuation, greeting, signature. Does it seem like a real email? If an email is in all lowercase, odd sentence structure, it may still be real. But the Chancellor's office is going to use proper grammar.
- Check the From: Does the name match the email address? Are both names you recognize? Do they match the signature on the bottom of the email?
- Attachments and Links: Simple: don't open attachments or click links you aren't expecting, even if they are from someone you know. Check with the sender to make sure they sent it to you. Does the name of the attachment seem valid (hint: "Open_me.doc" is not valid.)
- Not sure? Forward it to mailto:email@example.com and we'll review it for you.
How Physics IT Can Help
We're happy to review your systems, administer your systems, and/or provide guidance on any security-related issue. Our basic recommendations because these take some of the administration load off of you:
- Join the computer to Campus Active Directory. Utilizes your campus login and passphrase, allows for your own secondary admin-level account to install software and such. Allows IT to monitor patching and apply basic security policies as recommended by campus.
- Install Bigfix. Basically an inventory and software patching tool. Gives more in-depth look at the system and allows us to patch particular pieces of software (generally limited to Java, Firefox, Acrobat, etc). Campus IET will not touch your computer with Bigfix.
- Review the system in general. As Windows is the #1 target of the bad guys, we're happy to review the system's security profile and recommend changes or fixes.
- Keep an updated operating system. Not always easy to do with the speed at which the operating systems come out and the old ones are retired. Also difficult when the new systems break old(ish) software (try running IDL on the latest MacOS...).
- Use Homebrew or some package installer. This keeps things under control in terms of dependencies.
- Turn off unneeded services (SSH, VNC, etc)
- Install regular security updates
- Ask IT to implement Puppet (which will automatically install security updates)
- Keep an eye on bugs for your applications and operating systems and patch/upgrade as necessary.