Protecting Your Personal Information & Devices
Over the last few years, the news has reported a dramatic increase in the number and scope of attacks by those who want to gain access to your personal information. Protecting you and your family, as well as the college, has become ever more complex in this increasingly interconnected digital world. However, there are some simple, common sense steps that you can take that will help protect your personal information and identity as you interact with online systems.
While the techniques involved in these attacks vary and may even seem transparent or obvious at times, the theft of your information can have results that go far beyond the simple click on a wrong link.
While we in Information Technology Services (ITS) do everything we can to protect you while you are on campus, each individual ultimately is responsible for their own protection, not only at the office, but at home as well.
Methods of Attack
We are all most familiar with phishing emails. These are emails you receive that try to trick you into providing your username, passwords or other personal information. These generally are similar in tone and often cover similar subjects. Here are some tips on how to learn to recognize them so you can protect yourself. Typical signs of a phishing email include:
- Odd or mismatched URLs in the addresses or links
- Poor spelling or grammar
- Unrealistic threats or urgency
- Request for personal information or money
- Responding to a request you didn’t make
- The message appears to come from a government agency
Spear Phishing or Whaling
Spear Phishing will appear to come from someone or some company that you know. Whaling emails will often appear to come from someone in a position of authority. Emails of this type generally will request an exchange of funds or information. They use the effect of familiarity or authority to persuade you to click on a link or provide information that is outside of normal processes. If an email from someone seems unusual, contact that person directly (not by responding to the email) to validate the request.
Facebook particularly has become a pasture for cybercriminals.
- Don’t confirm a friend request without verifying it by other means. Scammers can easily pose as a friend or a relative if privacy settings on your friend’s account are loose.
- Don’t post a profile photo that can be copied and used against you.
- Make sure your privacy is set so that people who aren’t your friends can’t view your photos or videos.
- Edit your Friends list so no one else can see it.
If you have a friend or relative who hasn’t properly secured their account, it is possible for someone to grab the account, pose as your friend or relative and start a granny scam. In a granny scam, someone poses as a friend or a relative and asks you through Facebook for money to help get them out of a predicament.
Beware of USB or external drives
It may be tempting to pick up a USB drive or an external drive you find and plug it into your computer. These are frequently handed out at conferences and found around offices or even accidentally dropped. They can even be intentionally dropped or left behind in order to infect a computer. Avoid using USB or external drives if you don’t know and trust the source. Additionally, if you do use a USB or another external drive, do not put sensitive or private information on it unless you encrypt it.
There has been an increase in phone call scamming and spamming of late. These calls take various forms:
- They pose as the IRS or another government agency and threaten to pursue legal action against you.
- They pose as Microsoft and offer to help you solve computer problems they have detected. Typically they will ask you for your user name and password and ask you to install software to let them access your computer so they can fix it.
- They may be contractors or services who suggest that you called them to request an estimate or a service and they are now following up with you.
Treat all unsolicited phone calls with skepticism and never provide any personal information.
Protecting Yourself and Your Device
If you are concerned that your personal information has been compromised in the wake of the September 7th Equifax security breach, learn more about protecting yourself after the Equifax breach.
Below are organizations which offer online information safety guidelines from a variety of different perspectives.
- USA.gov – Prevent and Report Identity Theft guide from the United States government.
- FDIC – Identity Theft prevention information from the organization whose charge is to promote public confidence in the U.S. financial system.
- Microsoft Safety and Security Center – Protect Your Privacy On the Internet guide from a trusted business source.
- Stay Safe Online – Guide on ID Theft, Fraud and Cybercrime from a non-profit organization focused on online safety.
- IRS site – The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.
- Facecrooks – If you are active on Facebook, “like” Facecrooks to receive timely reminders and information about protecting your account.
- The Information Security Guide – The Higher Education Information Security Council (HEISC) produces resources for security information on a regular basis.
- High Tea@IT Security Session – Presentation available for offices or groups by Information Technology Services
- Pomona ITS Security Blog – Subscribe to the ITS Security blog for timely examples of phishing or scams currently in our system or being experienced.
Mobile devices such as laptops, tablets, and smart phones provide easy access to computing resources. However, the small size and portability of these devices mean they can be easily lost or stolen. It is important to take steps to ensure the safety of these devices and any confidential information they may be used to access, including College records, financial accounts, and any other sensitive data.
Securing Your Devices
- Keep mobile devices with you or stored in a secured location when not in use. Do not leave mobile devices unattended in public locations.
- Mobile devices should be password protected with auto-lock enabled. Use as strong a password as possible.
- Set up encryption on your device.
- Set up tracking and data wipe features on your device. For Apple products, look in settings under “iCloud” for “Find my Mac,” “Find my iPad,” or “Find my iPhone.” On Windows or Android devices, consider installing a free or commercial application such as LoJack (Windows), GadgetTrak (Windows), AntiDroid Theft (Android), or Prey (Windows, Android).
- Ensure your device has current anti-virus software and all operating system and application updates installed. Firewalls should be enabled if possible.
- Physical locks and cables are available for laptops and may be available for some tablets.
- Wipe or securely delete data from the mobile device before disposing of it.
If Your Device is Lost or Stolen
- Immediately call Campus Safety (on campus, dial 7200; off campus dial 909-621-8170) and report what was lost or stolen and other details.
- Change all passwords on any account accessed from the device. Consider that there may be cookies in use on the device that store your password and account information.
- Change any passwords that may be stored in a file on the device. Do this even if the device is not used to access those accounts directly.
- If the device contained or was used to access confidential College data, contact Information Technology Services as soon as possible (on campus dial 18061; off campus dial 909-621-8061) or email the Service Desk.
A good way to add a further level of protection for your data is to encrypt the device that your data is stored on. This makes it very difficult for unauthorized individuals to access your data, as long as they do not have your username and password. All College-owned laptops have been encrypted for some years now.
The following operating systems have data encryption built in; all you need to do is enable it. This information is for your personal device only.
Please Note: If you choose to encrypt your data, it is of the utmost importance that you save your recovery key in a safe place. If you forget your password and lose your recovery key, it is highly unlikely that your data will be recoverable.
- Windows 7 Ultimate and Enterprise – BitLocker
- Windows 8.1 Pro and Enterprise – BitLocker
- Windows 10 Pro and Enterprise – Device Encryption
- Mac OS – FileVault
- Android – Data Encryption
- iOS – iOS Data Encryption
Note: Data Encryption settings can be found in Settings > Touch ID & Passcode or Settings > Passcode