Our computing and communications systems are under increasing attack from phishing and malware. We must adopt a set of practices that help to minimize the risk of degrading the confidentiality, integrity, and availability of our computing systems.
Accounts and Passwords
Your AndrewID and the associated password, and the computer accounts that it gives you access to, are for your exclusive use. That is, the AndrewID should NOT be shared with anyone else for any reason. Even if you feel there is no other way to get some aspect of your work done, we assure you that there are always ways of getting things done without sharing your AndrewID and password. Please protect your password against disclosure with utmost seriousness. Part of protecting passwords is to choose a good password that is nearly impossible to guess and then to change it periodically. Learn more.
Data is the valuable part of computing, so protecting your data against loss or unintended disclosure is the core of information security. Classifying the data is important because the classification determines how to properly protect the data and how and with whom it can be shared. Learn more (link to university data classification guidelines).
Protecting your data
You should protect your data in the following ways:
- Backup: Regular backups are a must for data protection. If you store your files on the Network Drives or Andrew Filesystem, then we automatically back up those files on a daily basis. If you store your data on your laptop’s hard disk, then you must ensure that CrashPlan Pro is configured to properly back up your data folders. Learn more.
- Storage: We recommend that you use the Network Drives to store and access your data. The Network Drives are the one place to store your data and then access it from anywhere (Windows, Mac, iOS, Android, Linux, Web, office, home, on the road, …, in short, from everywhere). Also, the Network Drives are set up to securely facilitate sharing data with colleagues. Linux users can use the Andrew Filesystem on our Linux systems. You can also store data on your laptop. We don’t recommend storing work data on portable drives, which are easy to misplace, unless you are moving files. Learn more.
- Access Control: When using the Network Drives shared folder (S: Drive) or the Andrew Filesystem, please ensure that the folder/directory and file permissions are appropriate to the data sharing needs. You can grant read-only or read-write access to particular folders/directories or files depending upon your needs. Learn more.
- Encryption: For sensitive and restricted data, it may be necessary (depending on the Data Classification) to encrypt the data to protect it from disclosure. Encryption is a process where a secret key is used to scramble the data such that someone who gets a copy of the data cannot unscramble it without the key. The key is kept secret (and separate from the data) but the encrypted data can be stored and moved in relatively low security systems and methods without compromising privacy. Learn more.
Social Engineering and Phishing
Social engineering is simply the act of tricking people in order to have them do something that they otherwise may not do. For example, someone calls you and says they are from the IT department and they need your password to perform an upgrade to your account. (By the way, IT will never ask you for your password. Never.)
Phishing is a form of social engineering where the phisher uses manipulation to get you to reveal some otherwise private information. For example, an email claims that your profile needs updating and asks for your name, address, phone, social security number, and other private information.
The most common target of social engineering or phishing is to gain access to your AndrewID and the associated password. Information about you (e.g., date of birth, address, names of family members, etc.) is also a common phishing target. There may be attempts to make you send money (e.g., “I am stuck abroad, please send me some emergency cash.”). Or the phishers may try to have you send otherwise confidential data (e.g., an email pretending to be from your boss or the Dean asking you to send personal data of employees).
While social engineering and phishing can take any form, such as phone calls, the most common is an email, because email can easily be forged or “spoofed” to come from anyone and cannot reliably be traced back to the phishers. They will often tell you about an urgent, often emergency, situation (“your mailbox is full” or “the tax agency is coming for you”) where you must act immediately to avert disaster. The most common phishing requests are:
- To send personal information
- To log in to “verify” or “enable” some system action using a login link that they provide, which steals your AndrewID and password as soon as you enter them
- To open a dangerous document, script, or program that’s sent as an attachment. Opening such attachments leads to malware being installed on your computer
Malware is software that an attacker tries to install on your computer in order to carry out further malicious activities. Malware is a general term for computer viruses, keyloggers, data thieves, spying software (using your computer microphone or camera), “botnet” agents that let the attacker remote control your system, and “rootkits” that permit persistent control of your system from elsewhere. Malware is often delivered via email (malicious attachments or malicious links), or when you visit a malicious website or a legitimate website that has been hacked. Learn more.
We have to be especially careful when going online to the web or accessing campus resources over the internet (especially from potentially insecure locations like Internet cafes, hotels, or airports). Some things you should be looking out for are:
- Web Browsing: Be sure that your web browser is configured properly (e.g., it warns you about broken secure connections, is NOT running Flash, etc.). Consider using Privacy Badger, NoScript, and ad blockers to make it difficult to track your online activities. Facebook, Google, and hundreds of other organizations are constantly tracking your web browsing in order to display relevant ads and to learn about your behavior. Consider periodically deleting all cookies (little tokens used for tracking) from your browser. Learn more.
- Virtual Private Network: When you use the Internet from a potentially insecure location (coffee shops, hotels, airports, etc.), you should use a virtual private network (VPN) to prevent attackers from intercepting or monitoring your network traffic. A VPN is a secure tunnel that connects your computer, tablet, or mobile with our campus using an encrypted connection. This prevents attackers from seeing your network activities since the tunnel uses encryption to protect your network traffic. Learn more.
- Secure Connection to Websites: We have all seen website URLs like http://it.qatar.cmu.edu. The “http” in the URL refers to the Hypertext Transfer Protocol (HTTP), which is how your browser talks to a website. HTTP uses an insecure connection between browser and website. For a secure connection, use HTTPS (e.g., https://it.qatar.cmu.edu) which 1) encrypts the communication between browser and website using the TLS (Transport Layer Security) protocol and 2) verifies that the website that you have connected to is indeed the website it claims to be. If both of these conditions are satisfied, then you see a padlock icon next to the URL in your web browser and it indicates a secure connection to the website. Learn more.
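The two checks described above for links (the connection is HTTPS, and a login link really leads to the site it claims) can be partly automated for links that arrive by email. The following is an added example, not part of the original page or any university tool; the trusted-domain list and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: login pages are only legitimate under these domains.
TRUSTED_DOMAINS = ("cmu.edu",)

def check_login_link(url, trusted=TRUSTED_DOMAINS):
    """Return the reasons not to trust a login link; an empty list means it passed."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["unparseable URL"]
    if not host:
        return ["no hostname"]
    problems = []
    if parts.scheme != "https":
        problems.append("not HTTPS")
    if parts.username is not None:
        # Everything before '@' is login data sent to the host, not the site name.
        problems.append("userinfo before '@' hides the real host " + host)
    if "xn--" in host or not host.isascii():
        problems.append("internationalized hostname may imitate a known name")
    # Match the whole domain or a dot-separated subdomain, never a bare suffix,
    # so a name that merely contains or ends in the trusted string fails.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        problems.append("host " + host + " is outside the trusted domains")
    return problems

# Constructed sample links (reserved .example names), not real indicators.
SAMPLES = [
    "https://it.qatar.cmu.edu/login",
    "http://it.qatar.cmu.edu/login",
    "https://cmu.edu.account-verify.example/login",
    "https://it.qatar.cmu.edu@login.example/verify",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_login_link(link) or "ok")
```

A link that passes still depends on the browser's certificate validation (the padlock); the function only inspects the text of the URL.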
In addition to all the normal concerns about computers and online security, mobile devices (smart phones, tablets) have particular considerations of their own.
First, and perhaps the worst, is that most mobile operating systems seldom receive updates after the initial shipment with the device. (Apple’s iOS running on iPhone and iPad is an exception and does not suffer from this.) Android devices are particularly bad at updating the operating system against security vulnerabilities. Please regularly check your device and update your operating system in order to avoid software vulnerabilities.
Second, and also very important, don’t install apps from unknown sources. (Again, this is not an issue for Apple’s iOS.) Some Android devices are shipped with app stores of questionable trustworthiness. Use the Google Play Store to install your apps on Android systems. And don’t grant more permissions than necessary (like location access, contacts access, files access, camera and microphone access) for the use of the app.
Learn more about mobile security and best practices.