Security Best Practices
Security Best Practices
Enable multi-factor authentication
Multi-factor authentication (MFA) adds an additional layer of security to your account that can help protect you even if your password is obtained by a third party. Caltech uses Duo for MFA to protect email and access.caltech accounts. This service is currently required for certain groups, and available on an opt-in basis to all students, faculty, and staff. For more information, see multi-factor authentication.
Keep software up to date
Malicious software often takes advantage of security flaws in common programs and operating systems. These flaws are routinely discovered and fixed in updates. To make sure your devices stay protected, keep the programs you use and the operating systems on your devices up to date when new updates become available.
Make regular backups of your data
Whether due to a hardware failure, software bug, or security threat, data sometimes gets lost. Make sure your important data is backed up. Caltech has a site license for CrashPlan, a cloud-based backup service. For more information about backing up data see backup guidelines.
Use unique passwords for each account
It is important to use a unique password for each account. Passwords can be exposed in many ways, some of which might not even be within your control. If one of your passwords is exposed, all of your accounts using that password are at risk of compromise. A common way that Caltech accounts are compromised is through a breach at a completely unrelated service. People who had the same password on that service as the one they use at Caltech can suffer unauthorized access to their Caltech accounts as a result. Make sure to choose a different password for every one of your accounts. In particular, your access.caltech password should be unique and never used for any other account.
Choose strong passwords
Use long passwords or passphrases. Instead of a combination of letters, numbers and symbols, think of a sentence or a combination of words. This is typically both more secure and easier to remember. See password guidelines for more information.
Store passwords in a password management tool
A password manager is a great way to store passwords safely in an encrypted database. Instead of having to remember dozens of passwords for different services, you'll only need to remember one master password. This is much safer than storing passwords in a file on your computer, in your browser, or in a notebook, where they might be discovered by someone else.
Employ antivirus software
Recent versions of Windows include built-in antivirus software. It is important to note that no antivirus software can be completely effective in protecting your system from threats. Even if you are running antivirus software, you should still follow safe computing practices and routinely backup important data. See Secure your Windows computer and Secure your Mac computer for more information.
Enable your computer's software firewall
Operating systems including Windows and Mac OS come with a software firewall. Some antivirus products also include a software firewall. You should confirm that your computer is running one (but not both) of these software firewall options. Whether you are on campus, at home, or traveling, it is important that your computer is running a software firewall to protect itself from threats that can make it through hardware firewalls, or exist within networks protected by hardware firewalls, or when your computer is exposed directly to the internet and not protected by a hardware firewall. For more information, see enable software firewall.
Beware of suspicious emails, links, and downloads
Be aware when reading email and browsing the web. The sender of an email can be spoofed. If an email is suspicious, do not follow any links or download attachments. If you are unsure, hover your mouse over a link, or press-and-hold on a mobile device, to see where it points. Watch out for fake Caltech email addresses and URLs that are crafted to look legitimate, such as email@example.com or courses.caltech.edu.cvve.cf. See How to Read a URL for information on how to spot a malicious fake website based on the URL. If you receive an email you think is malicious (or if you're not sure), report it to information security.
Lock your screen when away from your desk
Make sure that your computer is not susceptible to being used by an unauthorized person while you are away from it. Use a keyboard shortcut to lock the screen manually when you step away. You should also configure your computer to lock itself automatically after a few minutes of inactivity in case you ever forget to do it manually.
Take care when handling sensitive data
All sensitive data and especially personal health information and financial information must be stored in accordance with institute policies including limiting access and encrypting data both at rest and in transit. See security policies for more information and contact Information Security with any questions or concerns about how data should be handled.
Change default settings on new devices
Many devices including network equipment, printers, instrument controllers, raspberry pi (and similar single-board education/experimental devices) arrive pre-configured with default administration credentials such as "admin/admin" that are well-known and routinely tried by attackers for remote access and compromise. Whenever possible these default credentials should be changed before placing such devices on the Caltech network. Devices with default credentials are often discovered by attackers within minutes of coming line.
Use Caltech-provided email services
Email continues to be the primary method by which scams and viruses, including ransomware, are introduced into the campus environment. IMSS does not recommend forwarding your Caltech mail offsite. Your Caltech Office 365 mailbox is protected by a variety of email security features and technologies. If you forward your email, you lose many of the benefits that our mailbox protection tools provide, since these tools won't be able to act on malicious messages that have been delivered to an offsite mailbox. IMSS also will not be able to proactively monitor access to your mailbox for anomalous activity, and in the event of a security incident involving your mail or access to your mailbox, we will have very limited ability to assist you in determining what happened.
Don't use admin accounts for routine computing
Use an unprivileged (non-admin) account for routine computing, reserving privileged account use for brief situations where elevated permissions are needed (such as for software installation). IMSS Managed Computing systems are configured this way.