Campus Security Awareness Campaign 2018
This post is part of a larger campaign designed to support security professionals and IT communicators as they develop or enhance their security awareness plans. View all 12 monthly blog posts with ready-made content by visiting our security awareness resource page.
Given current norms and today's prevailing culture of a mobile "connect from anywhere" user population, institutions have no alternative but to extend connectivity beyond and across their network perimeter in support of campus IT operations. But providing remote access to critical information systems, servers, and applications is a perilous endeavor. So what's an institution to do in order to help end users ensure secure remote access to IT resources? Use the information below to educate your staff, students, and faculty.
Get the Word Out
Newsletter or Website Content
It is well publicized that today's attackers are ever vigilant in their attempts to uncover weak points in networks, computers, and mobile devices to establish a foothold and leverage vulnerabilities, thus resulting in the compromise of critical assets or personal information. Areas of concern that can lead to a breach include the lack of physical security controls available at remote locations, the use of unsecured networks, and the connection of infected devices to internal networks. The challenge is especially daunting when:
- Staff, faculty, and students are accustomed to using free public Wi-Fi hot spots, and some will use them to access institutional e-mails and documents.
- Some campus employees will e-mail work documents to and from their personal account, despite the numerous security problems this creates.
- Some campus employees will use free USB charging ports available at airports and other public places. These ports pose the risk of transferring viruses and malware to unsuspecting users.
Planning for Secure Remote Access
- Assume the worst will occur and plan accordingly. Laptops and other wireless devices are prone to loss or theft. External networks not controlled by an institution are especially susceptible to compromise and data interception. Finally, remote users' devices may eventually become infected with malware.
- Develop an appropriate remote access policy. It should define what's allowable in terms of remote access. Data sensitivity is another factor to be considered, as access to confidential or sensitive information should be restricted.
- Configure remote access servers to enforce policies. Consider placing remote access servers at the network perimeter, so that they serve as a single point of entry to the network and enforce the security policy before any remote access traffic is permitted into internal networks.
- Ensure personal devices are secured against common threats. Remote devices should receive the same security applications, software, and devices as those found on campus. They should employ antivirus software and data loss protection capabilities, whenever possible.
- Employ strong user authentication. Many external security threats will be mitigated through the deployment of multifactor authentication.
- Create a remote access policy. Users should take every reasonable precaution to ensure their remote access connections are secured from interception, eavesdropping, or misuse. To facilitate this, anyone remotely accessing campus resources for business, maintenance, or upgrade actions should use a virtual private network (VPN) provided by the institution. Also remind staff and faculty not to save or store sensitive or restricted institutional data on any remote host or external computing (access) device.
Additional Requirements for System Administrators and End Users
- Apply computer and mobile device security software, applications, and operating system patches and updates regularly.
- Install and use antivirus, antispyware, and VPN software on computers, laptops, and mobile devices, keeping software definitions up-to-date and running regular scans.
- Install and enable a hardware and/or software firewall.
- Configure devices so that they require authentication (e.g., password, passphrase, token, or biometric authentication), run in "least privilege" mode (e.g., user instead of admin), and time out after a 15-minute period of inactivity.
- Activate and use a "lock" feature prior to leaving the computing device unattended.
- Set the security settings to the highest level on Internet browsers and adjust downward as necessary for Internet use.
- At no time should a campus employee provide usernames or passwords to anyone, not even family members.
Note: These are Twitter-ready, meeting the 140-character length restriction.
- How to keep your Windows computer up-to-date https://support.microsoft.com/en-us/help/311047/how-to-keep-your-windows-computer-up-to-date #OnlineSafety #CyberAware
- Use a #VPN for safe & secure remote access. Learn more about the pros & cons: http://er.educause.edu/blogs/2017/5/isp-law-and-the-pros-and-cons-of-vpn-usage #OnlineSafety #CyberAware
- Strong user authentication provides better #security & #OnlineSafety for all, so #LockDownURlogin! [https://www.lockdownyourlogin.org/] #CyberAware
- Keep a clean machine! Install the latest security software; keep OS & apps updated to defend against #malware. #OnlineSafety #CyberAware
- Get savvy about #WiFi hotspots, which aren't always secure. Limit sensitive transactions or use #VPN. #OnlineSafety #CyberAware
Ask staff members to add a tip to their e-mail signature block and link to your institution's information security page.
Information Security Office
Secure your home network to ensure that your remote access connections are protected from interception, eavesdropping, or misuse! Learn more. [Link "Learn more." to your institution's information security department page or the FTC's tips for securing your wireless network.]
Embed or Share Videos
How to Protect Your Home Network [https://www.youtube.com/watch?v=mQCWU8q-xS4] (1:49 min)
Computer Security | Federal Trade Commission (3:32 min)
Share these resources with end users or use them to inform your awareness strategy:
- Find out why it's important to lock down your login using multifactor authentication.
- TechHive explains How—and Why—You Should Use a VPN Any Time You Hop on the Internet.
- This NetworkWorld article describes How to Protect Your Data When Using Public Wi-Fi.
- Learn more about wireless security from the SANS Security Laboratory: Five Wireless Threats You May Not Know [https://www.sans.edu/cyber-research/security-laboratory/article/wireless-security-1].
- See our previous Campus Security Awareness Campaign blog about secure remote access: June 2016: Tunnel Into Secure Computing with VPN.
Brought to you by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council (HEISC).