Research Lab Security Expectations
Caltech's research laboratories are prime targets for cyber threats due to the high value of their data and intellectual property. A single compromised account or system can result in significant consequences including data loss, regulatory violations, and reputational harm.
To mitigate these risks, IMSS Information Security has established a set of essential security practices that represent the minimum standard for protecting Caltech systems and data, in alignment with the Caltech Network Security Policy.
Labs handling regulated data (e.g., FERPA, HIPAA, ITAR, EAR) may have additional compliance obligations. These groups must coordinate with the Institutional Review Board (IRB), the Office of Research Security, and IMSS Information Security to ensure appropriate controls are in place.
Essential Security Practices
To protect Caltech's research assets and maintain compliance with institutional policies, all labs must implement a core set of cybersecurity measures. These practices represent the baseline expectations for safeguarding systems, data, and intellectual property in today's evolving threat landscape.
System Hardening and Updates
To safeguard Caltech's research infrastructure, all devices connected to the Caltech IT Network (CITNet) must be proactively maintained and secured. This includes:
- Regular Updates: Ensure all systems are routinely patched and updated to address known vulnerabilities. Where feasible, enable automatic updates.
- Designated Responsibility: If automation is not possible, assign responsible personnel to manage and verify timely updates in accordance with the vendor's best practices.
- Secure Configuration: All systems must be hardened following vendor-recommended security configurations to reduce exposure to cyber threats.
These measures are foundational to maintaining a secure and resilient research environment.
Secure Backups
Routine backups are critical to protect against loss of research data[1], whether due to accidental deletion, hardware failure, or a cyberattack. A well-implemented process and schedule for backing up research data is essential to ensure that data remains available.
- Manual backups using an external drive: To keep backed-up research data safe, adhere to the following guidelines when using an external drive for manual backups:
- Disconnect Immediately: After completing the backup, disconnect the external drive immediately. A drive that stays connected can be encrypted or wiped by the same ransomware that compromises the workstation, which defeats the purpose of the backup.
- Avoid Internet Browsing and Email: Do not browse the internet or check emails while the external backup drive is connected to desktops or laptops.
- Automated backups: Consult with IMSS Information Security to make sure that your backups are being conducted in a way that keeps the data as safe as possible.
See Backup Guidelines for more information.
Security Awareness And Training
Cyber attackers frequently exploit human behavior through deceptive tactics such as phishing emails that impersonate trusted collaborators, vendors, or IT personnel. These social engineering attacks can compromise systems and data with a single click.
To mitigate this risk:
- Exercise Caution: Avoid installing software on Caltech systems without fully understanding the associated security implications.
- Promote Awareness: Ensure all team members are equipped to recognize and respond to common cyber threats.
- Mandatory Training: Complete the Cyber Security training available via MyLearn at access.caltech.edu to stay informed on best practices and emerging threats.
Building a culture of security awareness is essential to protecting Caltech's research and institutional integrity.
Endpoint Protection
To safeguard Caltech's research environment, all endpoints, including servers, laptops, and workstations, must be equipped with modern anti-malware solutions.
- Advanced Threat Detection (EDR and MDR): Endpoint Detection and Response (EDR), optionally delivered as a Managed Detection and Response (MDR) service, goes beyond traditional antivirus by detecting suspicious behavior, preventing ransomware, and alerting to active threats in real time.
- Caltech-Owned Devices: All Institute-owned systems are eligible for IMSS's enterprise-grade solution, CrowdStrike EDR. Work with IMSS to ensure it is deployed across all applicable devices in your lab or group.
- Personal Devices: For personally owned systems used in research, enable Microsoft Defender or a comparable solution such as Malwarebytes. Apply all security updates as soon as they are released.
Maintaining strong endpoint protection is a critical layer in Caltech's defense against cyber threats.
Account Management and Secure Authentication
To ensure the security and integrity of Caltech research systems, please adhere to the following guidelines:
- Enable SSO and MFA: Collaborate with IMSS to enable Single Sign-On (SSO) and Multi-Factor Authentication (MFA) wherever possible. IMSS can assist in implementing Duo MFA for various systems, including Windows login and remote desktop. Caltech offers SSO with native MFA.
- Use Strong, Unique Passwords: Use strong and unique passwords for every account. Change any default or built-in passwords, avoid using shared accounts or credentials, and disable guest accounts.
- Configure Inactivity Settings: Configure operating systems to log off or lock the screen after 30 minutes of inactivity and require a password on wake.
- Use Caltech-Assigned Accounts: Always use Caltech-assigned accounts on all devices used for Caltech business. These accounts are the same ones used to access "Access.Caltech.edu".
- Avoid Non-Caltech Activities: Do not use your Caltech email address and accounts for non-Caltech related activities, such as social networking.
Personal Computing & Instrument Controllers
To mitigate the risks of damage or loss of important research data, please adhere to the following guidelines:
- Use Systems for Intended Purposes: Ensure that lab or group computing resources are used solely for their designated functions. Avoid using these resources for personal activities such as web browsing, email, or other non-research tasks.
- Instrument Controllers: Utilize instrument controllers exclusively for their intended purposes. Do not use them for personal or unrelated activities, as even seemingly harmless actions like web browsing can lead to malware infections and data loss.
- Network Segmentation: Place instrument controllers in their own network segment with restricted access, ensuring that only authorized personnel have access on a need-to-know basis.
Principle of Least Privilege
To minimize risk and maintain system integrity, access to research systems and data must be granted based strictly on operational necessity.
- Minimize Access: Users should be given only the permissions required to perform their specific responsibilities - no more, no less.
- Reduce Risk: Limiting access helps contain the impact of both accidental errors and malicious activity.
- Role Discipline: Avoid assigning elevated roles or capabilities unless they are explicitly needed. Regularly review and adjust permissions to reflect current responsibilities.
Adhering to the principle of least privilege is a foundational security practice that significantly reduces the potential for compromise.
Remote Access Security
Remote access, if not properly configured, presents a significant risk to research systems and institutional data. To mitigate this threat:
- Restrict Access: Disable remote access unless it is explicitly required. If remote access is necessary, use only one secure, vetted tool such as Windows Remote Desktop or Apple Remote Desktop.
- Secure Configuration: Ensure remote access tools and operating systems are fully updated. Enforce strong passwords and enable multi-factor authentication (MFA). IMSS can assist with implementing Duo MFA for Windows RDP.
- Network Controls: Configure firewalls to block off-campus traffic and require VPN for remote connections. Limit access to Caltech's campus IP range (131.215.0.0/16) or, more restrictively, to the VPN range (131.215.248.0/22), which lies within the campus range. Remember that an IPv4-only allow-list says nothing about IPv6; if the host has a public IPv6 address, restrict that as well.
- Avoid Unsecured Tools: Do not use tools such as VNC, whose traffic is unencrypted by default, unless they are properly secured. Bind such services to localhost and reach them through an SSH tunnel so that the remote session is encrypted.
For detailed implementation guidance, refer to Caltech's Remote Access Guidelines.
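As an added example (not part of the IMSS page or its guidelines), the following Python script shows how a lab can verify that the network controls above are actually holding: it parses OpenSSH "Accepted ... from <ip>" log lines and reports every successful login whose source lies outside the range the lab chose to allow. The address ranges are the campus and VPN ranges quoted in the list above; the log lines are constructed for the example and are not real Caltech logs. It also demonstrates two points worth knowing: the VPN /22 is a subnet of the campus /16, so allowing the campus range already admits VPN users, and an IPv4-only policy never matches an IPv6 source, so such logins are flagged rather than silently accepted. This is the kind of check that becomes straightforward once logs are collected centrally (see Centralized Security Logging).

```python
"""Audit sshd logins against the remote-access source ranges.

Added example, not IMSS code. Ranges are those quoted in the Remote Access
Security section; sample log lines are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple, Union

# Source ranges quoted in the Remote Access Security section.
CAMPUS = ipaddress.ip_network("131.215.0.0/16")
VPN = ipaddress.ip_network("131.215.248.0/22")  # lies inside CAMPUS

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# OpenSSH success line: "Accepted <method> for <user> from <ip> port <port> ..."
ACCEPTED = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from "
    r"(?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class Login:
    user: str
    method: str
    source: Address


def parse_accepted(line: str) -> Optional[Login]:
    """Return a Login for an sshd 'Accepted' line, or None for any other line."""
    m = ACCEPTED.search(line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group("ip"))
    except ValueError:  # malformed address in the log line
        return None
    return Login(m.group("user"), m.group("method"), addr)


def in_policy(source: Union[str, Address], allowed: Sequence[Network]) -> bool:
    """True if the source address lies in any allowed network.

    Address families must match: an IPv6 source never satisfies an IPv4-only
    policy, which is exactly the gap an IPv4-only firewall rule would leave.
    """
    addr = ipaddress.ip_address(str(source))
    return any(addr.version == net.version and addr in net for net in allowed)


def audit(lines: Iterable[str], allowed: Sequence[Network] = (CAMPUS,)) -> Tuple[List[Login], List[Login]]:
    """Return (all successful logins, those whose source is outside the policy)."""
    accepted = [lg for lg in (parse_accepted(ln) for ln in lines) if lg is not None]
    violations = [lg for lg in accepted if not in_policy(lg.source, allowed)]
    return accepted, violations


# Constructed sample log (not real data): two in-range logins, one failed
# attempt, one off-campus success, one IPv6 success.
SAMPLE_LOG = """\
Jun 03 09:12:41 lab-ws1 sshd[2211]: Accepted publickey for alice from 131.215.12.34 port 51022 ssh2: ED25519 SHA256:AAAA
Jun 03 09:13:02 lab-ws1 sshd[2219]: Accepted publickey for bob from 131.215.249.77 port 51030 ssh2: ED25519 SHA256:BBBB
Jun 03 09:14:55 lab-ws1 sshd[2230]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Jun 03 09:15:10 lab-ws1 sshd[2233]: Accepted password for carol from 198.51.100.23 port 40100 ssh2
Jun 03 09:16:00 lab-ws1 sshd[2240]: Accepted publickey for dave from 2001:db8::10 port 40200 ssh2: ED25519 SHA256:DDDD
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    policies = {
        "campus (131.215.0.0/16)": (CAMPUS,),
        "vpn-only (131.215.248.0/22)": (VPN,),  # stricter: on-campus sources flagged too
    }
    for name, allowed in policies.items():
        _, violations = audit(lines, allowed)
        print(f"[{name}] {len(violations)} out-of-policy login(s)")
        for lg in violations:
            print(f"  {lg.user} via {lg.method} from {lg.source}")
```

Run it against a real `/var/log/auth.log` or `journalctl -u ssh` export by replacing SAMPLE_LOG; on the constructed sample, the campus policy flags carol (off-campus IPv4) and dave (IPv6), while the VPN-only policy additionally flags alice, whose workstation is on campus but not on the VPN. A login that appears here despite a firewall rule means the rule is not doing what the policy requires.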
Secrets Management And Data Encryption
Protecting sensitive credentials and research data is essential to maintaining the integrity and confidentiality of Caltech's digital environment.
- Secure Credential Storage: Store passwords, encryption keys, API tokens, and other sensitive credentials using a trusted password manager. Avoid storing credentials in unsecured formats—whether on paper or in digital files.
- Use of 1Password: Caltech provides access to the 1Password password manager at no cost to faculty and staff. This tool allows secure storage and management of unique passwords for each account, reducing the risk of credential compromise.
- Data Encryption: All sensitive data must be encrypted both at rest and in transit. This ensures that, even in the event of device loss, theft, or network interception, unauthorized access is prevented.
Implementing strong secrets management and encryption practices is a critical step in safeguarding Caltech's research and institutional assets.
Centralized Security Logging
Proactive monitoring is essential to identifying and responding to cybersecurity threats in a timely manner.
- Log Integration: IMSS strongly recommends configuring research systems to forward security log events to the Information Security team. This enables centralized visibility into potential threats and supports rapid incident response.
- Incident Investigation: Centralized logs are invaluable for forensic analysis and can significantly reduce the time to detect and resolve security incidents.
- Getting Started: To begin sending syslog data to IMSS log servers, please contact the Information Security team for configuration support.
Centralized logging is a key component of a resilient and responsive cybersecurity posture.
Securing Internet of Things (IoT) Devices
IoT devices, such as cameras, smart speakers, environmental sensors, and wearables, can introduce significant vulnerabilities if not properly secured.
- Default Security Risks: Many IoT devices ship with weak default settings, making them attractive targets for attackers seeking to access broader network resources.
- Access Controls: Restrict access to IoT devices using strong passwords and appropriate network segmentation. Ensure only authorized users can interact with these systems.
- Device Hardening: Change default administrator credentials immediately and keep device firmware and software up to date.
- Network Protection: Contact IMSS Information Security to block off-campus traffic from reaching these devices and to implement additional safeguards.
Properly managing IoT devices is essential to maintaining a secure and resilient research environment.
Footnotes
[1] US federal sponsors, some foundation and corporate sponsors, and most journals require that data be made available.