The current situation surrounding the COVID-19 coronavirus has members of the Colby community rapidly adapting to working, teaching and learning remotely. Here are a few important areas of emphasis with regard to information security:

  1. Make sure you trust the network you are connecting to. Computers, smartphones and tablets are vulnerable to nearby devices on the local network, or LAN. This includes both wired and wireless connections, such as WiFi networks with the same name. There is a difference between your home network, which often consists of devices you also own and trust, and a public network like a library or a cafe. If you must connect to a public or otherwise untrusted network, it is recommended that you use the Colby VPN service (https://www.colby.edu/its/virtual-private-network-vpn/) to securely encrypt your network traffic.
  2. Be especially aware of fraud. Scams and fraud increase significantly during times of crisis, and this period is proving to be no different. Just as there is ‘fake news,’ there are fake and fraudulent websites that claim to contain information on the crisis but can install malicious software, or that offer assistance while really stealing personal and financial information. Always inspect Internet search results, the websites you are visiting, and all electronic communication closely and with a healthy degree of skepticism. There have been reports of fraudulent messaging purporting to come from College officials – remember that Colby’s official communications regarding COVID-19 are posted at http://www.colby.edu/covid-19/. Verify any electronic communication (email or website) you receive against that website, or, if in doubt, contact the ITS Support Center at support@colby.edu.
  3. Keep your computer’s software up to date. Colby-issued computers are managed and should automatically download updates. Smartphones (iPhones and Android) are typically well prepared to manage software updates. Checking to ensure that your operating system, like Windows or Apple OS, and your web browsers (Safari, Explorer, Firefox, Chrome, etc) are up to date is even more important when you are working from off campus.
  4. Exercise caution on computers or devices you do not own. Working remotely can increase your mobility and the devices you use to connect to online resources. If you are on a home or public computer, especially one you do not own, be careful when accessing personal information such as email, banking or any web sites that require you to log in. If you must enter an account and password on a computer you do not trust, consider resetting the password(s) for the account(s) once you are able to access a trusted computer again.
  5. Secure your online meetings. The sharply increased use of online meetings has brought on a rise in the hijacking and disruption of these meetings. If you’re hosting an online meeting, take steps to ensure the security of your meeting. If you’re attending an online meeting, inspect invitations carefully to ensure they are from someone you know and trust, and avoid downloading or sharing files in meetings in which you do not know all attendees.

For specific examples of security steps and precautions, please review the relevant subject areas listed below.


Information security and data privacy starts with you. Stay up to date on practices, procedures and policies to limit risks and keep data and information out of the wrong hands.

Information Security and You

The menu below contains important information on keeping your data, accounts and devices safe and secure.

If you have an immediate question regarding information security or about any of the information presented below, do not hesitate to contact the ITS Support Center at support@colby.edu, 207-859-4222 (x4222 on campus), or by visiting Lovejoy 146 on the ground floor of Lovejoy.

Workstation and Computer Security

  • Require a password or fingerprint to log on to your computer or mobile device
  • Ensure there are no unnecessary accounts on the computer
  • Log off or password-lock computer when not in use
    • Set the screen saver to require a password
    • Lock the computer whenever leaving the workstation
  • Do not allow anyone else to use your computer unless they use their own account
    • If someone needs access to your computer, contact the ITS Support Center at support@colby.edu or 207-859-4222.
  • Do not leave removable media (discs, CDs, flash drives, etc.) inside or connected to your computer if not in use
  • Secure your workspace by locking doors and windows as appropriate
  • Turn your computer off at night (so it is off the network)

Account and Password Security

  • Set strong passwords by meeting the following criteria:
    • At least eight characters in length
    • One or more punctuation characters (non-letter, such as ! or &)
    • Cannot contain a dictionary word (a word that can be looked up in a dictionary)
    • Cannot contain any part of your name or account/login
  • Do not write passwords down
    • If you must write a password down, do not write the associated account
  • Never share password or account information
    • If someone else requires shared access to your computer, contact the ITS Support Center at support@colby.edu or 207-859-4222.
  • Never use a Colby account password with any non-Colby account (or non-Colby ITS managed account)
  • Use strong passwords (see the first line under Account and Password Security) on any account tied to personal, financial or otherwise sensitive information
  • Never use Colby passwords, or the passwords for such accounts, on ‘junk’ accounts, such as Hotmail or Gmail
  • Never send account or password information (in text form) through electronic text communication (e-mail or chat/instant messaging)—use the telephone or deliver passwords in person
    • “Phishing” attempts (usually e-mail and web scams) often ask for passwords, account and/or financial information (credit card or bank account numbers). Visit the ITS fraudulent e-mail page for more information on e-mail scams
  • Never have web browsers, e-mail or other programs save (or ‘remember’) accounts and passwords
    • If a web browser prompts to ‘remember me,’ choose ‘never’
    • Regularly clear browser history, temporary files, and other stored information
      • Contact ITS for assistance in configuring these options. Contact the ITS Support Center at support@colby.edu or 207-859-4222.
    • Change your password often
    • If you suspect that your password has been compromised for any reason, change it immediately and notify the ITS Support Center at support@colby.edu or 207-859-4222.Services at scshelp@colby.edu or ext. 4224
    • Remember that if someone else can use your Colby computer because they have your password, they can also access all other campus resources to which you have permission.

Internet and Software Security

  • Regularly check for and download software updates
  • Employ anti-virus software
    • Ensure that it is actively running on your system
      • College-owned computers have Cylance anti-malware software installed to automatically identify and quarantine threats observed on your computer. If you experience issues with an application or process quarantined by Cylance, please contact the ITS Support Center at support@colby.edu or 207-859-4222.
    • Real time scans of applications, memory, and file access activities are automatically performed via the Cylance agent.
  • Delete (never respond to) unsolicited e-mails or any messages from an unknown sender or source
  • Never send account or password information through e-mail or chat/instant messaging
  • Never click on a web link in an unsolicited or unknown e-mail, even if it appears to be from a legitimate source (such as a greeting card or retail company).
  • Never forward virus or other warnings to people other than support as the warning may actually be a hoax
  • Never download files (through a web browser or other means) or open e-mail attachments unless you are sure of the provider/source and the contents
  • Never connect a USB or other mass media device (CD or external hard disk) from an untrusted source; doing so can potentially introduce malware onto your system.
  • Do not click on web browser popup windows unless from a trusted source
    • Activate popup blockers within all browsers and only grant permission to trusted sites
    • Contact ITS if you constantly receive popups or any other browser behavior problems (such as a changed homepage or bookmarks). Contact the ITS Support Center at support@colby.edu or 207-859-4222.

Data Security

  • Be organized—keep track of where your data are, both on your computer and in physical form (CD/DVD, flash drive, paper copy, etc.)
  • Verify access permissions for the folders in which you store files with sensitive information to make sure other accounts on your computer cannot access those files
    • Contact ITS support with any questions about access permissions. ITS Support Center at support@colby.edu or 207-859-4222.
  • Back up all important data
    • College-owned computer owners, ensure that central backups are being made and contact ITS if you have problems or questions. Contact the ITS Support Center at support@colby.edu or 207-859-4222.
  • Password protect and/or encrypt files containing sensitive data
    • Assume that your computer will be stolen and that the thief will have access to all your files—what will they be able to access?
  • Securely delete sensitive documents
    • Use secure file deletion that overwrites the file, making it impossible to recover the contents.

Network Security

  • Use the Colby VPN (virtual private network) when sending sensitive data (via web, email) or connecting to campus servers over untrusted network connections, such as:
    • Wireless networks (including the ‘Colby Wireless’ open network)
    • Off-campus networks (home DSL/cable networks, hotels, airports, other offices)
  • Turn off the wireless network radio in your computer when not in use to avoid accidental use and/or compromise
    • Contact ITS for assistance on locating the on/off control. Contact the ITS Support Center at support@colby.edu or 207-859-4222.
  • Be wary of any wireless networks (even those with registration or WEP encryption) especially those in public places (hotels, airports, businesses)
    • Use strong encryption (WPA or WPA2) whenever possible
    • If encryption is not available, use the VPN
    • Do not use email client software (Eudora, Outlook, Entourage, etc.) over a wireless connection without first connecting to the VPN
  • Maintain awareness of wireless network connections and profiles stored in software
    • Avoid automatically connecting to open (and especially public) wireless networks
    • Do not store open/public networks in wireless profiles
    • Contact ITS support for assistance on managing wireless profiles. Contact the ITS Support Center at support@colby.edu or 207-859-4222.

Transferring Data Securely

There are an increasing number of ways to copy or transmit data among individuals and accounts. Sometimes the easiest way may not be the most secure, especially when the data includes sensitive or private information. Use the following recommended methods of transferring or sending data, especially if the data is sensitive in nature:

Transferring data between computers, mobile devices or other members of the Colby community

  • Use Filer to perform this action.
    • Filer is an on-campus only file server for access to file storage space.
      • Filer is firewalled, blocking its availability from the rest of the Internet.
    • Use this link to view access instructions for both Windows and Mac users.

Transferring data between a Colby faculty/staff/student and someone not associated with Colby

  • Use Colby’s Dropbox Service.
  • There are two distinct kinds of users that will be accessing the Dropbox system:
    • inside users, who are associated with Colby.
      • An inside user is allowed to create a drop-off that is to be delivered to anyone, whether he or she is an inside or outside user,
    • and outside users, which encompasses the rest of the Internet.
      • An outside user is only allowed to create a drop-off that is to be delivered to an inside user.
  • Colby Dropbox has a file limit of approximately 2 GB.
  • Colby Dropbox holds the information you “drop” into it for seven days before it is securely deleted.
  • Colby Dropbox encrypts the information while it is in transit and while at rest.

Data Security Tips

    • Be organized—keep track of where your data are, both on your computer and in physical form (CD/DVD, flash drive, paper copy, etc.)
      • It is poor practice to use removable devices (thumb drives, external hard drives, etc.) to transfer sensitive information. (If the device ends up lost or misplaced, Colby, by law, will need to report the event, which will cause financial and reputational loss.)
    • Verify access permissions for the folders in which you store files with sensitive information to make sure other accounts on your computer cannot access those files.
    • Back up all important data
      • College-owned computer owners, ensure that central backups are being made.
    • Password protect and/or encrypt files containing sensitive data
      • Assume that your computer will be stolen and that the thief will have access to all your files—what will they be able to access?
    • Securely delete sensitive documents
      • Use secure file deletion that overwrites the file, making it impossible to recover the contents.

Social Media Tips

Social media – Facebook, LinkedIn, Instagram, Twitter, and similar services – involves sharing personal information on the Internet and should be used with caution to avoid having your own personal data or identity stolen or misused.

  • Always remember that you cannot ‘take back’ what you post on the Internet or social media – even if you delete it later.
  • If screen names are allowed, do not choose one that gives away too much personal information.
  • Be careful who you add as a “friend,” or what groups or pages you join. The more “friends” you have or groups/pages you join, the more people have access to your information.
  • Be cautious in how much personal information you provide. Manage the site’s privacy settings; take advantage of the ‘groups’ selection. In that way you can separate close friends and family from work friends. Remember that the more information you post, the easier it may be for an attacker to use that information to steal your identity or access your data.
  • Use discretion before posting information or commenting about anything. Once information is posted online, it can potentially be viewed by anyone and may not be retracted afterwards. Keep in mind that content or communications on government-related social networking pages may be considered public records.
  • Understand what information is collected and shared. Pay attention to the policies and terms of the sites; they may be sharing your email address or other details with other companies.
  • Configure privacy settings to allow only those people you trust to have access to the information you post. Also, restrict the ability for others to post information to your page. The default settings for some sites may allow anyone to see your information or post information to your page; these settings should be changed.

Phishing and Fraudulent Email

Telling the difference between a legitimate email, message or popup and a fraudulent one is not easy. Vigilance is needed to carefully review who is sending the message, the address that the message actually came from, and what the message says or is asking for. Some common methods of identifying phishing or fraudulent email include messages that contain some of the following elements:

  • Claims to be from a company or vendor that you do not have an account with
  • Spelling or grammatical errors in the subject line or text
  • Vague references in the subject line or text, such as ‘RE: Your Account’ or ‘Dear Valued Customer’—if they know you have an account, they should know who you are
  • Requests for unnecessary or irrelevant information (such as a date of birth)
  • URL/website links within the message that are unnamed (a direct IP address, e.g. http://10.42.107.92) or that use manipulated or invalid host names (the name does not match the vendor’s or has been manipulated)
  • Requests to transfer money or purchase gift cards
  • No clear purpose at all – e.g. “do you have a minute?”
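The link indicators in the list above (a direct IP address in place of a name, or a host name that does not match the sender's real domain) can be checked mechanically. The following is an added example, not part of the original page or any Colby ITS tool; the function names, finding labels and sample links (other than the IP address URL quoted above) are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def host_is_ip(host):
    """True when the host part of a link is a raw IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def matches_domain(host, expected_domain):
    """True only for the expected domain itself or a real subdomain of it.

    A plain substring test is not enough: 'colby.edu.login.example'
    contains 'colby.edu' but belongs to a different domain.
    """
    host = host.rstrip(".").lower()
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def check_link(url, expected_domain):
    """Return a list of indicator labels (hypothetical names) for one link."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ["malformed-url"]
    if not host:
        return ["no-host"]
    if host_is_ip(host):
        return ["ip-address-host"]
    findings = []
    if not matches_domain(host, expected_domain):
        # The expected name appearing inside another domain is a stronger
        # signal than an unrelated host name.
        if expected_domain.lower() in host.lower():
            findings.append("lookalike-host")
        else:
            findings.append("host-mismatch")
    if host.lower().startswith("xn--") or ".xn--" in host.lower():
        findings.append("punycode-host")
    return findings


# Constructed sample links for a message claiming to come from colby.edu.
SAMPLE_LINKS = [
    "http://www.colby.edu/covid-19/",
    "http://10.42.107.92",
    "http://colby.edu.login.example/password",
    "https://support.example.net/reset",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", check_link(link, "colby.edu") or "no indicators")
```

An empty result only means none of these indicators fired; the other signs in the list still need a human read of the message.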

Test yourself by taking a simple online test.

If you receive a message that you believe is fraudulent and you do not know the sender, delete it. If you do know the sender and are suspicious about the message, contact the sender directly (at an address or phone number that you know) to verify the authenticity of the message – do not reply to the suspicious message.

If you think you may have accidentally responded to or fallen victim to a phishing attempt, make sure to immediately change any accounts or passwords that may have been compromised. If it is a Colby account, follow the instructions here: www.colby.edu/password. If it is a vendor (bank, credit card, online merchant) account, contact that vendor to have your information changed.

If you receive any email or other message on your computer requesting personal information (such as an account name, password, date of birth, or social security number), please review the following information before continuing any further. Always remember that Colby Information Technology Services (ITS) will NEVER request your personal information over electronic mail. Furthermore, you should always avoid sending any personal information via electronic mail.

As always, if you have questions about email fraud or computer security, contact the Colby ITS Support Center at support@colby.edu or 207-859-4222, or stop by Lovejoy 146.

Ransomware

 

Ransomware Infographic provided by Wombat Security

Traveling Internationally

International travelers should limit the amount of sensitive information that is stored on or accessible to any mobile device taken on the trip.

  • Back up your data and remove files from your device that you don’t need.
    • TIP – Consider moving your documents to a College-provided folder (Filer) that you can access remotely instead of carrying these files on your local device(s).
    • TIP – Loaner computers may be available, consult ITS Support to see if this is an option.

Traveling internationally can pose significant risks to information stored on or accessible through the computers, tablets and smartphones that we take with us. Some of the risk is associated with increased opportunities for the loss or theft of the device, due to the increased amount of direct physical handling of the equipment by individuals and simply the distraction of traveling. Additionally, our devices are put at risk because they will use networks that may be managed by entities that monitor and capture network traffic for competitive or malicious purposes.

US Customs and Border Protection – Quick Reference

Inspection of Electronic Devices

Printable Travel Guide

Pocket Guide to Protecting your Data

Preparing for a trip:

  • Identify “high risk” countries you plan to visit
    • State.gov issues current travel alerts & warnings.
  • Understand the sensitivity of the data you bring or access.
    • Customs and Border Patrol can’t search what you don’t have. Limit what you bring with you.
    • Removing unnecessary sensitive data from any device will reduce the risk of exposure to anyone who may gain access to the device.
  • Learn about software and hardware travel restrictions
    • Import/export controls differ by country – care needs to be taken when traveling to certain countries.

Considerations during a trip:

    • When traveling by air, TSA recommends that travelers carry their laptops on to their flights instead of placing them inside checked baggage.
      • A laptop, even if it is in a laptop bag, does not count as a flyer’s carry-on item. In addition to a traditional carry-on bag, flyers are also allowed to bring one extra item on to a flight with them.
    • Avoid using public workstations
      • Public workstations cannot be trusted. Anything entered into one of these systems – IDs, passwords, etc. – may be captured and used.
    • When accessing any Colby College resource, use VPN where allowed.
      • VPN access may be limited based upon where you are located, as some do not allow VPN access from their country or province.
    • Be aware of your surroundings when working on your devices.
      • Shoulder surfing is a common way in which people can learn your passwords and usernames.
    • In the event of a theft or a lost device, contact the ITS Support Center at support@colby.edu or 207-859-4222.

Upon return to campus:

  • Change any passwords you used during your travel.
    • Upon returning home and returning your loaner device, change any passwords you used while you were traveling. Perform this from your normal Colby-issued device.