Beef Up Your Physical Security

With the threat of hacking, malware, phishing, and other digital threats constantly looming, it can be easy to overlook the importance of physical security best practices. Here are a few helpful resources and tips:

  • Prevent tailgating. In the physical security world, tailgating is when an unauthorized person follows someone into a restricted space. Be aware of anyone attempting to slip in behind you when entering an area with restricted access.
  • Don’t offer piggyback rides. Like tailgating, piggybacking refers to an unauthorized person attempting to gain access to a restricted area by using social engineering techniques to convince the person with access to let them in. Confront unfamiliar faces! If you’re uncomfortable confronting them, contact campus safety.
  • Put that shredder to work! Make sure to shred documents with any personal, medical, financial, or other sensitive data before throwing away. Organizing campus-wide or smaller-scale shred days can be a fun way to motivate your community to properly dispose of paper waste.
  • Be smart about recycling or disposing of old computers and mobile devices. Make sure to properly destroy your computer’s hard drive. Use the factory reset option on your mobile devices and erase or remove SIM and SD cards.
  • Lock your devices. Protecting your mobile devices and computers with a strong password or PIN provides an additional layer of protection to your data in the event of theft. Set your devices to lock after a short period of inactivity; lock your computer whenever you walk away. If possible, take your mobile devices and/or laptop with you. Don’t leave them unattended, even for a minute!
  • Lock those doors and drawers. Stepping out of the room? Make sure you lock any drawers containing sensitive information and/or devices and lock the door behind you.
  • Encrypt sensitive information. Add an additional layer of protection to your files by using the built-in encryption tools included on your computer’s operating system (e.g., BitLocker or FileVault).
  • Back up, back up, back up! Keeping only one copy of important files, especially on a location such as your computer’s hard drive, is a disaster waiting to happen. Make sure your files will still be accessible in case they’re stolen or lost by backing them up on a regular basis to multiple secure storage solutions.
  • Don’t leave sensitive data in plain sight. Keeping sensitive documents or removable storage media on your desk, passwords taped to your monitor, or other sensitive information in visible locations puts the data at risk to be stolen by those who would do you or your institution harm. Keep it securely locked in your drawer when not in use.
  • Put the laptop in your trunk. Need to leave your laptop or other device in your car? Lock it in your trunk (before arriving at your destination). Don’t invite criminals to break your car windows by leaving it on the seat.
  • Install a remote location tracking app on your mobile device and laptop. If your smartphone, tablet, or laptop is lost or stolen, applications such as Find My iPhone/iPad/Mac or Find My Device (Android) can help you to locate your devices or remotely lock and wipe them.

Blog content provided by Educause (www.educause.edu/securityawareness).

Posted in Uncategorized

Spring Cleaning – Recycling & Donating Old Devices

As you upgrade your personal devices to the newest options, do you recycle the old equipment? Being green shouldn’t make you blue. Take steps now to remove anxiety later that forgotten sensitive files on your last laptop could become a source of embarrassment or identity theft. Trying to securely delete data at the time you decommission equipment can turn into a multi-hour chore and a source of stress, but it doesn’t need to be that way.

Make sure saved copies of your tax filings, personal photos, and other sensitive files can’t be retrieved by the next person with access to your computer’s drive by making the drive unreadable to anyone else. Dragging files to the trash or recycle bin doesn’t remove data—it just removes the retrieval path to the file and marks that storage space available for other data to occupy sometime in the future. Your pirate treasure is still buried, but the map is missing. “Secure file deletion” functions go a step further to overwrite the data in those locations with random bits immediately.

The introduction and growth of solid state drives in consumer electronics, however, makes overwriting the data in these spaces less dependable than in the standard hard drives of the past. Today’s “delete/overwrite” protection comes most reliably from full disk encryption (aka whole disk encryption), which encrypts all data on the machine—including the operating system and temporary files you weren’t even aware you created. Follow the motto of a famous infomercial to “set it [full disk encryption] and forget it [the password/key]!” Even if someone removes the drive and puts it into a different machine, the encryption remains in place.

  • Plan A: Encrypt the full disk now using built-in functionality. Create a strong passphrase or password, since this becomes the decryption key! Everything will be encrypted, including the operating system, so you will have to “unlock” the encrypted drive with your personal passphrase every time you start or boot up your computer. Save the generated recovery key somewhere secure (like a password manager or printout stored in a secure office), in case you forget your password and need to access the data on that machine. Here are instructions for some of the most common built-in encryption functions:
  • Plan B: If full disk encryption wasn’t a built-in option, find a free or fee version of full disk encryption software that works with your operating system and personal capability. Check your favorite review sites or try Slant for recommendations.
  • Failsafe: Hammer time! Remove and destroy the drive (Geek Squad offers a three-minute tutorial on hard drive disposal). Most retail stores that accept computer donations for safe recycling will remove the drive and give it to you for secure destruction—just ask them to do that. Smash it, drill it, or hold onto the drive until there’s a secure shredding event at work or in your community.

Blog content provided by Educause (www.educause.edu/securityawareness).


Keep What’s Private, Private

You exist in digital form all over the Internet. It is thus important to ensure that the digital you matches what you are intending to share. It is also critical to guard your privacy — not only to avoid embarrassment, but also to protect your identity and finances!

Following are specific steps you can take to protect your online information, identity, and privacy.

  • Use a unique password for each site. Hackers often use previously compromised information to access other sites. Choosing unique passwords keeps that risk to a minimum.
  • Use a password manager. Using an encrypted password manager to store your passwords makes it easy to access and use a unique password for each site.
  • Know what you are sharing. Check the privacy settings on all of your social media accounts; some even include a wizard to walk you through the settings. Always be cautious about what you post publicly.
  • Guard your date of birth and telephone number. These are key pieces of information used for verification, and you should not share them publicly. If an online service or site asks you to share this critical information, consider whether it is important enough to warrant it.
  • Keep your work and personal presences separate. Your employer has the right to access your e-mail account, so you should use an outside service for private e-mails. This also helps you ensure uninterrupted access to your private e-mail and other services if you switch employers.
  • There are no true secrets online. Use the postcard or billboard test: Would you be comfortable with everyone reading a message or post? If not, don’t share it.

Blog content provided by Educause (www.educause.edu/securityawareness).


Step Up to Stronger Passwords

A password is often all that stands between you and sensitive data. It’s also often all that stands between a cybercriminal and your account. Below are tips to help you create stronger passwords, manage them more easily, and take one further step to protect against account theft.

  • Always: Use a unique password for each account so one compromised password does not put all of your accounts at risk of takeover.
  • Good: A good password is 10 or more characters in length, with a combination of uppercase and lowercase letters, plus numbers and/or symbols — such as pAMPh$3let. Complex passwords can be challenging to remember for even one site, let alone using multiple passwords for multiple sites; strong passwords are also difficult to type on a smartphone keyboard (for an easy password management option, see “best” below).
  • Better: A passphrase uses a combination of words to achieve a length of 20 or more characters. That additional length makes it exponentially harder for hackers to crack, yet a passphrase is easier for you to remember and more natural to type. To create a passphrase, generate four or more random words from a dictionary, mix in uppercase letters, and add a number or symbol to make it even stronger — such as rubbishconsiderGREENSwim$3. You’ll still find it challenging to remember multiple passphrases, though, so read on.
  • Best: The strongest passwords are created by password managers — software that generates and keeps track of complex and unique passwords for all of your accounts. All you need to remember is one complex password or passphrase to access your password manager. With a password manager, you can look up passwords when you need them, copy and paste from the vault, or use functionality within the software to log you in automatically. Best practice is to add two-step verification to your password manager account. Keep reading!
  • Step it up! When you use two-step verification (a.k.a., two-factor authentication or login approval), a stolen password doesn’t result in a stolen account. Anytime your account is logged into from a new device, you receive an authorization check on your smartphone or other registered device. Without that second piece, a password thief can’t get into your account. It’s the single best way to protect your account from cybercriminals.
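As an added example (not part of the Educause post), the following Python script builds a passphrase following the “better” recipe above and puts numbers on the “good” versus “better” comparison; the 7776-entry word list size and the tiny embedded word list are assumptions. It goes a step beyond the post by showing why the words must be picked at random: each added word multiplies the attacker’s search space by the size of the word list, while a 10-character password only reaches the strength the formula promises when every character is random rather than derived from a real word.

```python
import math
import secrets

# Constructed word list, kept tiny so the example runs offline; a real
# passphrase generator would draw from thousands of words (a Diceware-style
# list has 7776 entries, which is the size assumed below).
SAMPLE_WORDS = [
    "rubbish", "consider", "green", "swim", "lantern", "pencil",
    "orbit", "velvet", "cactus", "harbor", "marble", "tunnel",
    "pepper", "wander", "silver", "quartz",
]
DICEWARE_LIST_SIZE = 7776   # assumed size of a full word list
PRINTABLE_ASCII = 95        # upper + lower + digits + symbols
SYMBOLS = "!$%&*?@#"
DIGITS = "0123456789"


def entropy_bits(choices_per_symbol, symbol_count):
    """Bits of entropy when each of symbol_count symbols is chosen uniformly
    at random from choices_per_symbol options (log2 of the search space)."""
    return symbol_count * math.log2(choices_per_symbol)


def random_password_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of a truly random complex password, e.g. 10 printable chars.
    A password derived from a dictionary word (pAMPh$3let) has far less."""
    return entropy_bits(alphabet_size, length)


def random_passphrase_bits(word_count, wordlist_size=DICEWARE_LIST_SIZE):
    """Entropy of a passphrase of word_count random dictionary words. Each
    extra word multiplies the search space by wordlist_size, which is the
    exponential growth the post refers to."""
    return entropy_bits(wordlist_size, word_count)


def words_needed(target_bits, wordlist_size=DICEWARE_LIST_SIZE):
    """Smallest number of random words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(word_count=4, wordlist=SAMPLE_WORDS):
    """Pick word_count words with a cryptographically secure RNG, uppercase
    one of them, and append a symbol and a digit, mirroring the post's
    rubbishconsiderGREENSwim$3 recipe. Returns (passphrase, chosen_words)."""
    words = [secrets.choice(wordlist) for _ in range(word_count)]
    shouted = secrets.randbelow(word_count)
    parts = [w.upper() if i == shouted else w for i, w in enumerate(words)]
    suffix = secrets.choice(SYMBOLS) + secrets.choice(DIGITS)
    return "".join(parts) + suffix, words


if __name__ == "__main__":
    print(f"random 10-char password: {random_password_bits(10):.1f} bits")
    for n in (4, 5, 6):
        print(f"{n} random words: {random_passphrase_bits(n):.1f} bits")
    print("words to match a random 10-char password:",
          words_needed(random_password_bits(10)))
    phrase, chosen = generate_passphrase(4)
    print("example passphrase:", phrase, "built from", chosen)
```

The point for a defender choosing a policy is that a 4-word random passphrase from a 7776-word list gives about 52 bits, and 5 or more words overtake a fully random 10-character password; the visible length of a phrase says nothing about its strength if the words were chosen by a person rather than a random source.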

Blog content provided by Educause (www.educause.edu/securityawareness).


Are You Practicing Safe Social Networking?

Who Else Is Online? Social media sites are not well-monitored playgrounds with protectors watching over you to ensure your safety. When you use social media, do you think about who might be using it besides your friends and connections? Following are some of the other users you may encounter.

  • Identity thieves. Cybercriminals need only a few pieces of information to gain access to your financial resources. Phone numbers, addresses, names, and other personal information can be harvested easily from social networking sites and used for identity theft. Cybercrime attacks have moved to social media, because that’s where cybercriminals get their greatest return on investment.
  • Online predators. Are your friends interested in seeing your class schedule online? Well, sex offenders or other criminals could be as well. Knowing your schedule and your whereabouts can make it very easy for someone to victimize you, whether it’s breaking in while you’re gone or attacking you while you’re out.
  • Employers. Most employers investigate applicants and current employees through social networking sites and/or search engines. What you post online could put you in a negative light to prospective or current employers, especially if your profile picture features you doing something questionable or “less than clever.” Think before you post a compromising picture or inflammatory status. (And stay out of online political and religious discussions!)

How Do I Protect My Information? Although there are no guaranteed ways to keep your online information secure, following are some tips to help keep your private information private.

  • Don’t post personal or private information online! The easiest way to keep your information private is to NOT post it. Don’t post your full birthdate, address, or phone numbers online. Don’t hesitate to ask friends to remove embarrassing or sensitive information about you from their posts, either. You can NEVER assume the information you post online is private.
  • Use privacy settings. Most social networking sites provide settings that let you restrict public access to your profile, such as allowing only your friends to view it. (Of course, this works only if you allow people you actually know to see your postings — if you have 10,000 “friends,” your privacy won’t be very well protected.)
  • Review privacy settings regularly. It’s important to review your privacy settings for each social networking site; they change over time, and you may find that you’ve unknowingly exposed information you intended to keep private.
  • Be wary of others. Many social networking sites do not have a rigorous process to verify the identity of their users. Always be cautious when dealing with unfamiliar people online. Also, you might receive a friend request from someone masquerading as a friend. Here’s a cool hint — if you use Google Chrome, right-click on the photo in a LinkedIn profile and choose Google image search. If you find that there are multiple accounts using the same image, all but one is probably spurious.
  • Search for yourself. Do you know what information is readily available about you online? Find out what other people can easily access by doing a search. Also, set up an automatic search alert to notify you when your name appears online. (You may want to set alerts for your nicknames, phone numbers, and addresses as well; you may very well be surprised at what you find.)
  • Understand the role of hashtags. Hashtags (#) are a popular way to provide clever commentary or to tag specific pictures. Many people restrict access to their Instagram accounts so that only their friends can see their pictures. However, when someone applies a hashtag to a picture that is otherwise private, anyone who searches for that hashtag can see it.

My Information Won’t Be Available Forever, Will It? Well, maybe not forever, but it will remain online for a lot longer than you think.

  • Before posting anything online, remember the maxim “what happens on the web, stays on the web.” Information on the Internet is public and available for anyone to see, and security is never perfect. With browser caching and server backups, there is a good chance that what you post will circulate on the web for years to come. So: be safe and think twice about anything you post online.
  • Share only the information you are comfortable sharing. Don’t supply information that’s not required. Remember: You have to play a role in protecting your information and staying safe online. No one will do it for you.

Blog content provided by Educause (www.educause.edu/securityawareness).


Basic Steps to Online Safety and Security

Follow these six National Cyber Security Alliance recommendations to better protect yourself online and make the Internet more secure for everyone:

  • Fortify each online account or device. Enable the strongest authentication tools available. This might include biometrics, security keys, or unique one-time codes sent to your mobile device. Usernames and passwords are not enough to protect key accounts such as e-mail, banking, and social media.
  • Keep a clean machine. Make sure all software on Internet-connected devices — including PCs, laptops, smartphones, and tablets — is updated regularly to reduce the risk of malware infection.
  • Personal information is like money. Value it. Protect it. Information about you, such as purchase history or location, has value — just like money. Be thoughtful about who receives that information and how it’s collected by apps or websites.
  • When in doubt, throw it out. Cybercriminals often use links to try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.
  • Share with care. Think before posting about yourself and others online. Consider what a post reveals, who might see it, and how it could be perceived now and in the future.
  • Own your online presence. Set the privacy and security settings on websites to your comfort level for information sharing. It’s okay to limit how and with whom you share information.

Blog content provided by Educause (www.educause.edu/securityawareness).


Think You’ve Been Hacked? Here’s How to Shake It Off!

Face it: Hackers Gonna Hack. How to know if you’ve been hacked?

  • Your friends tell you. They’ve received a spammy or phishy e-mail from your account.

  • Your phone tells you. Collection companies are calling about nonpayment. Battery and data usage are higher than normal. Charges for premium SMS numbers show up on your bill.
  • Your browser tells you. Unwanted browser toolbars, homepages, or plugins appear unexpectedly. You’re seeing lots of pop-ups or web page redirects. Your online passwords aren’t working.
  • Your software tells you. New accounts appear on your device. Antivirus messages report that the virus hasn’t been cleaned or quarantined. You see fake antivirus messages from software you don’t remember installing. Programs you did not install are running or requesting elevated privileges. Programs randomly crash.
  • Your bank tells you. You receive a message about insufficient funds due to unauthorized charges.
  • Your mail tells you. You receive a notification from a company that has recently suffered a cybersecurity breach.

Shake it off. Following are the steps you can take to recover.

  1. Change your affected passwords using an unaffected device. Not sure which passwords are affected? It’s best to change them all.
  2. Update your mobile software and apps. Make sure you keep them up-to-date.
  3. Update your antivirus software. Then run a complete scan. Follow the instructions provided to quarantine or delete any infected files.
  4. Update your browser software and plugins. Check frequently for new updates and delete any unnecessary or obsolete plugins.
  5. Is your computer still acting wonky? It might be best to start from scratch with a complete reformat of your machine so you can ensure that all affected software is fixed.
  6. Self-report to credit agencies. If you believe your personally identifiable information has been affected, you don’t want to deal with identity theft on top of being hacked.
  7. Be prepared with backups. Don’t let the next compromise ruin your day. Back up your files frequently. Consider storing at least two separate backups: one on an external drive and one in cloud storage.
  8. Stay ahead of the hackers. Check the Have I been pwned website to see if your accounts were hacked in a known attack.

Blog content provided by Educause (www.educause.edu/securityawareness).


The ISO Attends the 2017 EDUCAUSE Security Professionals Conference

Last month the Information Security Office traveled as a team to attend the EDUCAUSE Security Professionals Conference in Denver, CO. Visit the EDUCAUSE blog (link below) to read about our experience!

There’s No “I” in Team (Come to Think of It, There’s No “I” in SPC Either):

http://er.educause.edu/blogs/2017/6/theres-no-i-in-team-come-to-think-of-it-theres-no-i-in-spc-either 


Stop Calling Me! Putting an End to Annoying Robocalls

If you are like me, you too have the pleasure of receiving annoying robocalls. These unwanted phone calls or texts come at all hours of the day. They disrupt your concentration at work, wake you up when you are sleeping, or interrupt your dinner. They are indeed a nuisance, but even worse, some may also be a scam. So what can we do? For some helpful tips check out this Boston.com article “Robocalls flooding your cellphone? Here’s how to stop them”:

https://www.boston.com/news/technology/2017/05/11/robocalls-flooding-your-cellphone-heres-how-to-stop-them

Recommendations from the article include:

  1. Do not answer calls from numbers you do not recognize.
  2. List your numbers on the National Do Not Call Registry and if you still get unwanted calls, report them.
  3. Use apps to block unwanted calls (see article for recommendations).
  4. Turn the tables on telemarketers by using paid services to field the calls (see article for recommendations).
  5. Be cautious of scammers trying to get you to say the word “yes” so they can record it and use it to authorize unwanted charges.

Unfortunately, with the spread of internet phone systems making robocalling simple and inexpensive, we do not expect to see a reduction in the volume of calls anytime soon. – Tara


Let the Training Begin!

Hi all! My name is Tara Schaufler, and I’m the senior information security training and outreach specialist in the Information Security Office. I’ve been at the University for 13 years, joined the ISO staff last fall, and have been tasked with increasing security awareness across our campus.

Currently, we are offering monthly information security training sessions on a variety of topics. Visit our Events page on our website for class descriptions and dates. For example, this month we presented “Creating Strong Passwords,” where we shared password and passphrase recipes, as well as a number of tips, tricks, and tools for managing passwords. Some feedback received included: “I didn’t realize there was so much to know about creating and managing passwords!” and “Thanks for the interesting and useful information.” And after the classes, the comments kept on coming, and for that we thank you. It’s incredibly helpful to hear from our campus community. This helps us deliver training that is relevant and hopefully worthwhile! That being said, please do not hesitate to contact us. We can be reached at infosec@princeton.edu or you can email me directly at tschaufl@princeton.edu. Thanks, and I look forward to seeing you at our next training session. – Tara
