General Security Issues

Security is an important issue - security depends on each one of us.

Basic security tips

  • make sure you never share your password with others
  • note IT staff or other support people should never have a need to see your password
  • do not use the same password on different systems (except where they fundamentally use a common authenitcation system of course)
  • aim to pick a strong password or pin (longer and more varied characters is generally better) and do not write it down
  • lock your screen when away from the device
  • password protect your confidential documents (eg MS Office and PDF files can easily be password protected)
  • before sending an email double check the addresses you are sending to are all correct and appropriate
  • if you really must email confidential information, then for regular communication with a person consider if you can setup encrypted email between you, and for occasional communication consider putting the information in to a password protected document as an attachment to the email (and then communicate the password via a different means such as over the phone if you know the person's voice)
  • when quoting emails (particularly when forwarding on) review all quoted content and remove what is no longer relevant, also review the subject line and update it to be relevant if the quoted contented is to demonstrate something other than the original subject info
  • be very suspicious of any email that asks you to follow a link and provide information or login, in particular double check any such link really does take you to the URL you expect (i.e. the site you end up at as shown in your browser address bar is correct) and that that site is using encryption if requesting login details or data (i.e. the URL begins with https and you see a padlock symbol in the address bar)
  • also see the specific information on emailing phishing
  • when using a self managed machine make sure you install and run anti-virus and malware detection software, and apply security updates in a timely fashion
  • only install applications/apps from trusted sources and only install apps you actually need on your own devices. Do not install any unauthorised programs on your work computer, even if permissions would allow it. Always be suspicious of Permission (“Allow”/“Run”/“Execute” etc) dialogs especially inside web browsers
  • make sure there is a suitable backup strategy in place for your data (be it using services that include backup such as departmental services, or be it registering your own device with a suitable backup service)
  • do not use an unprotected computer to access confidential information (eg in internet cafes, someone else’s machine etc), as any information you access and view on there can potentialy be exposed. Many internet cafe machines are already infected with viruses when you start using them and are potentially transmitting all the usernames and passwords that you type to a malicious third party
  • if using a public machine or someone elses machine make sure you log out and close any browser windows at the end, also consider changing your passwords for any services used once you are back on a trusted device
  • take the time to complete the Information Security Awareness module, look at the advice on the University's Information Security website and be aware of the Information Security Policy

Mobile device security tips

These days it can be very common for people to be accessing departmental and university services and information from a mobile device. This might simply be reading email or it may be accessing specific services and data.

Some additional tips specifically when using a mobile device or devices in public places include

  • be aware of shoulder surfing (i.e. people looking at what you type or view in order to obtain your account details or see material they should not see)
  • make use of remote access to services that can largely leave the data on the server and not on your device, e.g. use the remote access portal or web access to email
  • where possible do not copy confidential data onto removable media or mobile devices
  • consider enabling a remote tracking service and or remote wiping services for a mobile device
  • consider the pros and cons of encrypting data on a mobile device

Passwords

The first line of security against an attack is a users password. You should guard your password as though it were a pin number for a bank card or a piece of very confidential information. Never disclose your password to another user - no other user would ever need to know anothers password. In addition, never record your password in writing in a place where it could be identified as your password.

The choice of a good password is important. We have a script at the Institute which checks each new password to make sure it is not something obviously guessed by an attacker. The best password would be a random string of upper and lower case letters mixed in with numbers and punctuation marks, such as j^P1-oqs, but obviously this would be hard to remember.

Password changing frequency

There is no enforced password changing frequency at present. However, it is still good practice to change you password from time to time. If you change your password it is not advisable to simply change back to one you have used before.

Password sharing or caching

It is generally recommended that you use different passwords for different systems (e.g. one for your departmental computer account but a separate one for say your gmail account). By doing this you ensure that if one password is compromised or someone gains access via some other means (e.g. you leave yourself logged in with the screen unlocked etc) the security breach is limited to the single system that uses it. As more and more organisations converge to single sign on systems for their services the value of a single password increases, e.g. in the past you may have used separate passwords for each service provided by an organisation whereas now you may use a single password and hence if compromised access to all those services is compromised.

It is also now common place for certain applications (e.g. email clients, web browsers, messsaging systems etc) to offer to cache/store your password for the service they are used to access. It is up to the individual to consider whether to allow their password to be cached. If you are using an application to access a remote service, e.g. remote email or messaging system, and you allow the application to cache this separate password then if your account password is compromised the account can then be used to access this remote service without the need to compromise the password for it. There are of course ease of use benefits to caching and storing password and the individual needs to weigh up the risks associated with extending the network of trust associated with an account versus the possible benefits.

Physical Security

You must also be aware that our buildings contain a large number of computers. Always be careful to close and lock the doors marked to be closed, and do not let people tailgate you through key security points. Anyone who should have access to a room will have suitable card access. You must be very careful about letting anyone into a room. It is not uncommon for a thief to let their face be known in a building for a long while, then to gain access to restricted areas and to steal equipment. The same rule holds for giving people access to the buildings outside office hours or at weekends.

In addition, be careful about disclosing information about our computers to other people - computers are often stolen to order.