Road Warrior 201110 - University IT · 2017-09-01

STANFORD UNIVERSITY • INFORMATION SECURITY OFFICE

Security for the Road Warrior

Mark K. Mellis, Associate Information Security Officer
Stanford University Information Security Office
Version 1.1



We are all mobile…

§  We all travel – from home to campus or from Palo Alto to London

§  What can we do to protect our own privacy and the University’s data while we are “on the road?”


Preview

§  Risks of Mobile Computing
§  Common Controls
§  Laptops
§  Smart Phones and Tablets
§  Why Carry a Device?
§  Resources


Risks - What’s on the device?

§  Not merely documents
   •  Access credentials for networks and applications
   •  Presentations / Briefing Notes
   •  Stanford Email (including secure email)
   •  Address Book information
   •  Personal photos, movies, and email
   •  Personal health, salary, and benefits information

§  Indirect costs
   •  Regulatory Issues, Reputation Impact (think “donors”)

§  Enough to make you wish you never heard of computers should you lose it…


Risks – What could happen?

§  Loss or Theft of the Device
   •  At security inspection points
   •  In cabs and airplanes
   •  Public places, hotel rooms, and offices

§  Confiscation of the Device
   •  By the local police department, US Government, or other governments

§  Spying
   •  Reading “over the shoulder”
   •  Targeted attacks – planting keyloggers or other malware
   •  Intercepting network traffic


Common Controls

§  Be mindful of how and where you use your laptop or smart phone
   •  Don’t be conspicuous
   •  Pay attention to your surroundings, including behind you
   •  Don’t leave the device unattended

§  Limit the data that you take along
   •  If you don’t have it you can’t lose it
   •  Consider using the web interface for email, directory, and calendaring
   •  Throwing files in the trash isn’t enough, you need to wipe the free space


Common Controls - label on your device


•  A label can help honest people return your lost device, even if the battery is dead.

•  “Anonymous” labels are available – the one pictured is from stuffbak.com


Common Controls – Networks

§  Beware of free WiFi hotspots
   •  Anyone can set up a hotspot named “Starbucks”
   •  Encryption is your friend - always use https or a VPN; Stanford email is protected

§  The Stanford Public VPN can protect your network traffic from eavesdroppers
   •  Available for laptops – both Windows and Macintosh
   •  https://itservices.stanford.edu/service/vpn
   •  Provisioned for iPhones and iPads automatically as part of Stanford Mobile Device Management (MDM)


Laptops

§  Stanford Network Self-Registration (SNSR) and Stanford Network Registration Tool
   •  Automatically apply “best practices” for privacy and security – updates, patches, passwords, firewalls, anti-virus
   •  https://itservices.stanford.edu/service/selfreg

§  BigFix
   •  Helps keep your laptop secure by applying incremental patches and updates
   •  https://itservices.stanford.edu/service/bigfix

§  Stanford Whole Disk Encryption (SWDE)
   •  Protects the data on your laptop disk
   •  Required if you handle or store Restricted or Prohibited Data
   •  https://itservices.stanford.edu/service/encryption/wholedisk


Smart Phones and Tablets

§  There are a number of things we can do to protect our smart phones and tablets

§  This is an area of particular emphasis at Stanford now.


The Future is Mobile


Phones – Use a passcode

§  A four digit passcode is plenty
§  Don’t use “1-2-3-4” or “6-6-6-6”
§  Set the screen to auto-lock after a minute or two
§  Set the phone to erase itself if the wrong passcode is entered too many times – ten or more is fine


Phones - Sign up for “find my iPhone”

§  Of course you might have an Android phone – “there’s an app for that.”

§  For iOS 4.2 or newer it’s available free – the URL is on our site.


Phones - Sign up for “find my iPhone”

Allows you to:
•  Display a message or make a sound
•  Set a passcode lock remotely
•  Remote wipe
•  Display location on a map


Phones - Backups

§  If it’s an iOS device, you can use iTunes or iCloud to back it up. Other devices have other backup mechanisms.

§  If you have a good backup of your phone, and you lose it, you can do a “remote wipe” without having to worry about losing your contacts, photos, and other valuable information. It helps make “doing the right thing” easier.


Phones - Keep the software updated

§  Updates are issued frequently – as new vulnerabilities are exposed, the vendor patches them.

§  Applies to both the basic device software and applications – for iOS devices, the operating system is updated via iTunes or over the air, and applications are updated via the App Store.

§  The update story is not so nice for Androids.


Phones - Don’t “jailbreak” or “root” it

It is popular in some circles to circumvent the security controls on mobile devices in order to avoid paying for particular features or to enable capabilities that the carrier or vendor doesn’t provide. This is called “jailbreaking” or “rooting.”

§  Jailbreaking removes a layer of protection that helps keep malware from running on the device
§  Jailbreaking is usually prohibited by mobile phone company contracts
§  Jailbreaking is contrary to security “best practices” for those reasons


Phones – Mobile Device Management

§  Stanford has a new service called Mobile Device Management

§  It will set up your email and calendar, and these security and privacy “best practices” for you

§  Read about it at http://mobilemanagement.stanford.edu


Phones – What if you lose it?

§  Next to the pictures of your loved ones, the most valuable things on your mobile device are probably your SUnetID and password

§  If your device is lost or stolen, call the Help Desk at 5-HELP. They will assist in changing your SUnetID’s password. Doesn’t matter if you are in MDM or not, works even for Androids and other unsupported devices that MDM doesn’t support yet.

§  If you are enrolled in Stanford MDM, the Help Desk can lock it, wipe University data, and help you think through your options for trying to recover the device.


Why Carry a Device?

You might say “Why carry a computer with me on the trip at all? Just about every hotel and airport has a business center that I can use to read my mail.” Using a business center computer is like brushing your teeth with a toothbrush you found on the floor in the hotel bar. Who knows where that thing has been?

§  Don’t use a business center computer to read your Stanford email
§  Don’t use it for personal banking
§  Don’t even use it for Facebook!
