Information Security Best Practice
Information Security Best Practices (ISBP) are developed in support of District Information Security Standards including the California Community College Information Security Standard.
Working from Home
As we adjust to a new environment where many of us work remotely from home, new challenges arise. Cyber-criminals see those challenges as opportunities to be exploited. In an effort to provide cyber-security guidance to those working from home, the California Community Colleges Information Security Center prepared the following information.
Although you might already be familiar with some of the topics (like social engineering), you might not be familiar with others (like home network security). The topics below are fundamental to basic cyber-hygiene, so you should take the time to familiarize yourself with all of them.
1. Social Engineering
The first major risk to consider is social engineering attacks. This is where an attacker attempts to take advantage of an unsuspecting user in order to obtain confidential information or the means to access that information. This becomes easier for the attacker when staff members transition out of the office into their own homes.
The videos linked below will help you identify common aspects of social engineering, and the steps you need to take if you suspect you have been targeted. These materials cover email phishing attacks as well as phone calls, text messages, and social media.
- SANS Social Engineering Video (4m 28s)
- SANS Phishing Video (3m 55s)
2. Home Network Security
The second major risk is having an unsecured home network. Wireless networks are the general means of connectivity in homes, usually controlled by a router set up by an Internet Service Provider (ISP); for example, FIOS, Spectrum, Xfinity, AT&T, etc. You will have to consult your router’s documentation or contact the ISP for instructions, which will be specific to your router.
First, you should change the default administrator password used to access the router’s configuration dashboard. The new password should comply with password complexity guidelines, covered in the next section. You should also make sure that the wireless network uses WPA2 encryption, which can be configured in the router’s dashboard.
A further consideration is to set up a separate guest network. Having a separate network for guests will prevent them from potentially accessing work devices.
Additional tips are provided in the following video:
3. Passwords
The third major risk is weak passwords. According to the latest Verizon Data Breach Investigations Report, weak passwords are the primary vulnerabilities that result in data breaches. The following four general recommendations can help mitigate this risk:
- Use password managers (e.g., LastPass, 1Password, Google Password Manager)
- Implement two-factor authentication where applicable
- Do not share credentials with anyone
- Implement a cycle in which passwords are required to be reset based upon the risk factor associated with that account.
For more information regarding password recommendations, see Best Practices for Passwords and Passphrases.
4. Software Updates
The fourth major risk is outdated software, which is often open to vulnerabilities. Try to use the latest version of operating systems and applications on your desktops, laptops, and cellphones. Additionally, install software only from verified vendors and sources.
For more information about malware, please see the following.
When working remotely, users need to be careful about what devices they use (work or personal), where they use them, and what networks they connect to (coffee shops, hotels, airports, etc.), and must make sure that others, including family and friends, do not use district devices.
- SANS Working Remotely Training Video (2m 42s)
If you have any questions regarding this advisory, please feel free to email the Office of Information Security.