Information Technology News

Latest Posts

Security Awareness: Keep it With You

By Mark Hine on May 22, 2015
  • Keeping your device with you helps ensure control of your data.
  • ITS has loaner devices you can borrow when travelling.
  • When a device is stolen, data thieves have more time to attempt to overcome passwords.
  • Mobile device theft is more likely when travelling.
  • If your device is lost or stolen contact Campus Safety right away.
  • Always enable a password or passcode on your device.
  • Be wary of storing devices in hotels and leaving them unattended for even brief periods of time.

Your laptop, tablet and cellphone are storehouses of, and gateways to, valuable information. If your device is lost or stolen and contains any Colgate information, you need to immediately contact Campus Safety. Information can be exploited should it fall into the wrong hands. Plan ahead so you can keep your device with you when traveling. ITS has basic loaner devices that you can borrow. We know from experience that devices are also accidentally left on restaurant tables, in conference rooms and even in bathrooms. For mobile devices, including laptops, maintaining control means the device is in your possession or secured in a locked location.

Hotel rooms are not secure locations. According to Department of Justice crime reports, the most frequent crime reported in hotels is property related. While theft on airplanes appears rare, the loss of luggage is not. Keep your devices in your carry-on bag. A 2010 CNET survey notes that about 5.5 million computers were stolen in the United States over a three-year period, with only 3% recovered.

Another risk with stolen or misplaced devices is the time someone has with your device to try to unlock it. This underlines the importance of using strong passwords and passcodes, enabling lock screens and disabling auto login. Mobile devices with a four-digit passcode are at greater risk because they are smaller and easier to lose, and people typically avoid complex access controls.

Enabling location services is an essential step in protecting your devices. Many devices, particularly Apple iOS devices, provide a means to locate, lock down or erase your mobile device remotely. To learn more, visit the following:

For more information on how to protect your mobile device from theft, check out this article:
http://www.wikihow.com/Protect-a-Mobile-Phone-from-Being-Stolen

Blog Post: Secure Your Mac When You Step Away
http://blogs.colgate.edu/its/2015/04/secure-your-mac-when-you-step-away.html

Blog Post: Secure Your PC When You Step Away
http://blogs.colgate.edu/its/2015/04/secure-your-pc-when-you-step-away.html

If your device does become lost or stolen, contact Campus Safety immediately at extension 7333.

For more information, contact the ITS Help Desk at extension 7111 or email ITSHelp@colgate.edu.

Contributors: Ellen Holm, Ahmad Khazaee, Kevin Lynch and Mark Hine.


Security Awareness: Be Careful with Wi-Fi

By Mark Hine on May 22, 2015
  • Public Wi-Fi connections are vulnerable.
  • Know the name of the network you are connecting to and who controls it.
  • Turn off sharing features when connected to public Wi-Fi.
  • Use Colgate’s VPN connection for a secure connection.
  • Forget public networks when you are done using them.
  • Keep your devices up to date.
  • Enable two-factor authentication on services that support it.

 

Wi-Fi is a communal, shared resource, which means it can give experienced data thieves a path to your device. The danger of data theft is directly related to how you connect to a wireless signal. CNET.com offers some valuable advice to protect you when using a Wi-Fi connection.

Know your SSID
An SSID is a name given to a wireless connection point. You select the SSID, such as “Colgate”, when you set up a connection. In public locations, such as hotels, restaurants and cafés, it is important to check the name of the SSID so you can verify its ownership. CNET notes, “it is easy for someone who wants to intercept your data in a man-in-the-middle attack to set up a network called ‘Free WiFi’, or any other variation that includes a nearby venue name, to make you think it’s a legitimate source.”

Turn Off File Sharing
File sharing, especially when connected to a public hotspot, is a potential risk that can expose data on your device to others. Turning off Internet sharing, Print Sharing and File Sharing reduces the “hooks” into your device.

Use Colgate’s VPN
Using Colgate’s virtual private network (VPN) is one of the best ways to keep your browsing session secure. A VPN client encrypts traffic between your device and the VPN server, which means it’s much more difficult for a potential intruder to grab your data. Also, consider using only HTTPS connections.

For more information visit:
http://www.colgate.edu/offices-and-services/information-technology/network-services/accounts

Avoid Auto-Connections
Do not configure your device to connect automatically. Use settings that only allow you to connect to known networks. Sometimes you may need to connect, but it’s important to forget the network when you leave a hotspot so that your device won’t automatically connect when you’re in range.

Update Your Device and Apps
Keep your devices up to date with the latest versions on a trusted network. According to CNET, travellers have been caught off guard by requests to update software packages when connecting to public or hotel Wi-Fi networks. If accepted by the user, malware was installed on the device.

Enable two-factor authentication
It’s good practice to enable two-factor authentication on services that support it, such as Gmail, Twitter and Facebook. This way, even if someone does manage to sniff out your password when on public Wi-Fi, you have an added layer of protection. For more information, visit: http://www.cnet.com/how-to/tips-to-stay-safe-on-public-wi-fi/

For more information, contact the ITS Help Desk at extension 7111 or email ITSHelp@colgate.edu.

 

Contributors: Ellen Holm, Ahmad Khazaee, Kevin Lynch and Mark Hine.


Security Awareness: Do a Security Self-Assessment

By Mark Hine on May 22, 2015

In our summer long series on security awareness, we’ve reviewed strategies and practices that can improve and protect your digital life. Putting these ideas into practice reduces the risk of an untoward event, improves data security at Colgate and can put your mind at ease knowing you are prepared and ready for any attempts at intrusion or loss.

Think about how you use your device and where. Know where your device connects and keep it with you. Review the risks to devices and data when you travel, when you connect to someone else’s network and when you access the web and email. If your computing environment changes – question it. ITS announces changes we make ahead of time and so do most service providers, like Google.

If you manage a database or file share, it’s critical to include a review of permissions at least annually. Here’s a quick list of what to review:

  • Do you have a process for adding and taking away permissions as staff or students change their access needs?
  • Do individuals that access the information understand the level of confidentiality of the data they use?
  • Have all the individuals with access been appropriately trained to use the database?
  • Are there any roles that can be eliminated?
  • When access is granted, do individuals have the least access they need to accomplish their duties?
  • Are responsibilities separated, so that there are checks and balances against accidents?

If something does happen, know that ITS is here to offer advice and help mitigate any suspected loss or intrusion. Remember to contact Campus Safety if a device is lost or stolen.

For more information, contact the ITS Service Desk at extension 7111 or email ITSHelp@colgate.edu.

Contributors: Ellen Holm, Ahmad Khazaee, Kevin Lynch, and Mark Hine.


On Exporting Sensitive Data

By Nelson Lee on June 10, 2014

On June 5, 2014, UVA accidentally exposed the GPA, class rankings, work experience, recommendations and other sensitive data on a large group of applicants to a Listserv. Incidents like this do not leave UVA in a league of their own; last month Columbia University was found to have exposed 6,800 patient records on the Internet and Indiana University let 146,000 student records loose when it accidentally stored exported data in the wrong location earlier this year. At the heart of these breaches is the notion that our own misuse of sensitive data can pose as much or more risk to the institution as hackers. The loss of sensitive data can have an immediate and long-lasting effect on our reputation and our users’ lives. When our parents, alumni and students lose their trust in us; when they feel we cannot protect their private and personal information, they will go elsewhere. When easily avoided mistakes are made that put their financial and personal information at risk, their trust in us is lost – possibly forever. But mistakes can be avoided when dealing with sensitive data. Simple steps can be taken to mitigate or even prevent the slippage of data through our own hands. The privacy and security of our students’ data begins with each one of us.

Predominantly, companies lose sensitive information through the accidental misplacement of data. Even the risks associated with a stolen laptop can be chalked up to the misuse of spreadsheets and scanned data. If sensitive data is never exported from its primary source – if it is never stored locally on a hard drive or thumb drive – then it is better protected and less likely to be stolen. If emails and attached documents don’t contain sensitive data, sending them to the wrong person(s) holds no risk – even a breached account poses a lower risk. Yet the reality is that to get our work done, many of us export data from databases into spreadsheets and share those sheets and the data they contain through email. It is these very documents and the way we share them that tend to cause the most harm.

As we shift resources into cloud services such as Gmail or Salesforce and implement new solutions for handling “big data” such as Tableau and paperless solutions like Nolij, we begin to lower the risk posed by handling data in traditional ways. This transition does not happen overnight, and even after we complete these projects there may still be a need to create documents outside these solutions. So how do we protect our own, our students’, alumni’s and employees’ sensitive information? We can follow the simple guidelines outlined below and ask ourselves, before exporting and sharing data, these simple questions:

1. Do I really need to export this data?

Exported data is by far the easiest way to lose sensitive data. The number-one way to prevent the loss of exported data is to not export it in the first place. We tend to export data because we feel it is easier to work with. Instead of exporting the data, take the time to get to know and to learn the tools inside Banner, Nolij and Tableau, or contact ITS to help develop ways to work with data without having to export it. If you find you truly need to export data to a spreadsheet, be sure to do two things:
  • Name the document something meaningful. A meaningful name can help prevent you from sharing the wrong spreadsheet.
  • Password protect the Excel spreadsheet or create it using Google Docs instead. These methods add some control over who can actually see the data if for some reason it falls into the wrong hands.

2. Do I really need to export this type of / this much data?

We often tend to export more data than we need, “just in case”. By doing so, we set ourselves up for forgetting what data we exported. Moreover, we seldom need to export sensitive data types such as Social Security Numbers, Financial Information, Medical Information, Driver’s Licenses, Passport Numbers or Academic Standings. Instead of exporting data you don’t need, limit the amount and type of data you export to exactly what you do need. If you find you need more later, export it then, not before you need it. Remember, it is never permitted to store full Social Security Numbers alongside names outside of Banner, nor to store Credit Card Numbers and CVV values anywhere.

3. How long do I need this data?

Throughout a year, month, week or even a day, some of us export several spreadsheets’ worth of data – data which, once we’re done manipulating it, we never need again. Yet we tend to keep this data, again, “just in case”. This exported data tends to build up on our hard drives, ending up in old forgotten folders, sub-directories, shared drives or even laptops, tablets, phones or personal cloud services like Dropbox! Instead of keeping this data around, be sure to delete exported data as soon as you no longer need it. If it is something that can be recreated, delete the exported data and recreate it when you need it.

4. Who needs to see the data?

Even if you are the only one who needs to see this data, never save it to your local hard drive. Each of us has a network drive and a Google Apps account. By saving the file to one of these locations, it is less likely to be lost or stolen, especially if you use a laptop! Additionally, data stored in these locations can often be restored if it is accidentally deleted. If you do need to share the data, take a moment to think about the why, what, how and with whom.

The “why”

Be sure to ask yourself why you need to share this data – especially in its current format. Can (or should) this data be shared in a different manner like an aggregate presentation, person-to-person, or through a tool such as Tableau?

The “what”

Share only what the person(s) needs to see. Often we send entire spreadsheets of detailed data when all the other person ever needs to see is a summary. If they don’t need the detailed data, don’t send it! They can always ask for it later if they really need it.

The “how”

Typically, we tend to share data as an email attachment. This used to be the only method available, but today there are other options. By creating your spreadsheet as a Google Doc, you can share a link to the document in an email instead of the document itself. This protects you in several ways:

  • Only those with the link to the document who have been explicitly permitted to see the document can open it – even if the email with the link is sent to the wrong person(s) – and you can easily “un-share” a document if and when you need to.
  • You can make changes to the document and all those who have access to it can see the changes without you having to send updated attachments with each revision – with Google Docs, you can even collaborate in real-time.
  • Users can view the document online without having to download the document to their laptop or a thumb drive. This keeps the data in the cloud and off other peoples’ laptops and home computers.
  • You can limit who can change or update the document, as well as see a history of who changed what and when, giving you the ability to collaborate on different levels with different users on the same document.

You can also share Excel documents using Google Drive (although users can then download the spreadsheet if they so choose). When sharing the document, be sure to select the option appropriate to the level of access you wish to grant. If you decide not to use Google Drive, save the Excel document to your department’s shared folder. You can then send a link to the document’s location instead of the document itself. Your collaborators can then access the data through the VPN instead of saving it to their local hard drive or storing a copy in their email.

The “who”

Finally, it only takes one fat finger to share the data with the wrong person(s). Be sure to double and triple-check the following:

  • The names AND email addresses of the people in the To:, CC: or BCC: field. Sometimes names and emails can be very similar but totally different. There may be two Bob Smiths on campus and only bEsmith is the person who should see your data, not bsmith…
  • The names AND email addresses of the people in the sharing configuration of your Google Doc – be sure never to share the data with the world or entire campus unless that is what you absolutely need. Hint: you will rarely ever need to share with the world.
  • That your shared document has in it only exactly what you need to share and nothing more.

By going through this exercise each time you work with data, you can virtually eliminate much of the risk associated with handling sensitive information. Doing so will not only help keep the University safe, it will help our students, alumni and employees live and work in a more secure world. Practicing these tips can work for areas in your personal life as well – being careful where and how you store and share personal information about yourself with financial institutions, doctors and commercial enterprises can greatly reduce the risk of your identity being stolen. Combining the tips above with using strong passwords and knowing how to identify and deal with fraudulent emails can and will make the Internet a safer, more secure place for you and Colgate!


Be Careful with Sensitive Data

By Peter Setlak on February 28, 2014

The news is filled lately with reports of hackers breaking into companies and either defacing their website or, worse yet, stealing the passwords and credit cards or social security numbers of their customers. In fact, in the first month of this new year we were informed that nearly 110 million consumers had their information stolen from Target. Just last week, the University of Maryland lost 300,000 records to a hacker.

Hackers make news. Hacker stories sell papers (well, get re-tweeted). What we don’t hear about are the accidental data leaks that are potentially just as damaging as a hacked database. For example, Indiana University accidentally posted 146,000 records to a publicly accessible server. Many more can be seen here ranging from lost USB thumb drives to stolen laptops.

The fact is that accidents happen and regardless of the number of protections any IT department may put in place, the last bastion of security is always in the hands of the employee handling sensitive data. Here are some tips to keep in mind when dealing with sensitive data – tips that will go a long way to preventing accidental or inadvertent data loss.

1. If you do not absolutely need access to sensitive data, do not access it. Ask if there are ways to avoid seeing it at all while still having the information and access you need to do your job or research. If you can’t access it, you can’t lose it.

2. Never save sensitive data outside of the application you use to access it. For instance, do not cut and paste Social Security Numbers into a spreadsheet. If you don’t have the data, you can’t lose the data.

3. Scanned documents of sensitive data (such as passports) should not be stored outside of a protected, centralized and secure content management system. If the data is not on your local computer or laptop, it is not there to be lost or stolen.

4. When possible, avoid saving any sensitive data to plain text files, spreadsheets, or Word documents (or similar). If the files get placed in the wrong folder or posted to an open server, they will be clear of sensitive data.

5. Avoid using USB thumb drives or CDs to store files with sensitive information. If the removable media is lost or stolen, it will be clear of sensitive data.

6. Do not use personal file sharing services such as Dropbox or Box.net to store or share files with sensitive information. If sharing is accidentally turned on or the file-sharing service is hacked, your account will be clear of sensitive data.

For more information or tips on how to stay secure, check out the ITS Security page at http://colgate.edu/itsecurity


Safe Online Gaming Tips

By Peter Setlak on October 4, 2013

It’s been a long time since arcades occupied spaces in every town, since Pac Man and Space Invaders could be found in every pizza joint and bowling alley. Today, online is where it’s at. With nearly every video game now requiring some kind of Internet connection comes a larger attack surface for hackers. Kaspersky gives us some pointers for playing it safe.

http://blog.kaspersky.com/5-tips-to-safeguard-your-online-game-profile/


Did I Just Get SMiShed?

By Peter Setlak on July 1, 2013

When we think of spam and phishing, we usually think of unwanted email filling our inboxes. Did you know spammers and phishers also use text messaging and SMS? Often, these messages will purport to come from the phone company or a popular email provider such as Google, telling you that you need to reply to a message to re-activate your account or to verify that your account has not been compromised. If you reply, any number of things can happen, from you being automatically signed up for unwanted services (and charged) to you being asked to verify your identity and password, or both! One common theme seen in these messages is as follows:

User #93848: Your Gmail account has been compromised. Reply to this message with SENDNOW when you are able to verify your account.

As always, NEVER reply to these messages or click any link they may contain! With the proliferation of smartphones, some links may contain malware.

Here is a list of common US providers and their methods of contacting them about spam:

AT&T Wireless – http://www.att.com/esupport/article.jsp?sid=KB115812&cv=820#fbid=0gUs6DsD-dU

Sprint – http://support.sprint.com/support/article/Block_and_report_fraudulent_text_messages/case-gz982789-20120420-003932?question_box=MA:spam&id16=spam

T-Mobile – http://support.t-mobile.com/docs/DOC-2747

Verizon Wireless – http://support.verizonwireless.com/faqs/Features%20and%20Optional%20Services/spam_controls.html

When in doubt, you can usually find your text message online. For example, to verify if the above message was a smishing (SMS + phishing) message, I Googled the message (without the User #93848:) and here is what I found!

Have you received suspicious texts in the past? Post them here so others can see more examples of what these messages look like!