Security Best Practices

Passwords

  • Never use your Central Piedmont username or password on a non-Central Piedmont website or application.
  • Do not share your password with anyone (including the IT Service Desk, your instructors, employees, supervisors, administrative assistants, etc.).
  • Never use your Central Piedmont credentials on a machine you don't trust (e.g., a rented computer, a public computer, or even at a friend's house).
  • Use long, unique passwords for every account.
  • Change your password if you think someone else might know it.
  • Supplement your password with additional security through multi-factor authentication. Central Piedmont offers multi-factor authentication with Duo.
  • Use a password manager like KeePass, 1Password, or LastPass to help you create and manage strong, unique passwords for each of your accounts.
  • Always log out when you are finished using a system or service.

Workstations

  • While your workstation will automatically lock itself after 15 minutes of inactivity, you are strongly encouraged to lock it manually whenever you leave your desk. You can lock a Windows workstation by holding down the Windows key and pressing the letter 'L.' When using the Central Piedmont Cloud, the "Disconnect" option is equivalent to locking the virtual workstation.
  • Always log off of your workstation at the end of the day. Doing so will protect you from losing unsaved work and will also make it easier for us to provide critical patches and updates to your computer.
  • Only install software required to fulfill your role at the college.
  • Only use P2P, torrenting, and other file sharing methods for legitimate purposes. Sharing copyrighted media is a violation of college policy and could put you and the college at risk.

Email

  • Do not open any email attachments or click on links in email messages from senders you do not know. Some of the linked websites can install malware on your computer without your knowledge.
  • Never provide personally identifiable information (Social Security Number, birth date, password, credit card information) to anyone through email. No legitimate entity will ask you for such information via email.
  • Email is not an encrypted format. While in transit, emails may pass through networks and devices that are outside of our control. Assume that anything you write in an email is public — do not send anything over email that is not public information.
  • Always verify the email address of a message, not just the displayed name. It is common for malicious emails to spoof a display name of someone you know.
  • If you receive a suspicious email in your Central Piedmont inbox, please report it to the IT Service Desk.

Internet

  • Use a well-known, up-to-date browser. For the fastest and most reliable access to our sites and systems, Central Piedmont recommends using Google Chrome or Mozilla Firefox.
  • Consider disabling JavaScript, Java plugins, ActiveX controls, and other media add-ons if you don't need or use them. These are increasingly used to deliver harmful content.
  • Be very careful when typing a URL into your browser. Commonly misspelled versions of some domains are often phishing sites set up to look like the real thing.
  • Consider installing browser plug-ins that force sites that support HTTPS to use it by default. We recommend HTTPS Everywhere by the Electronic Frontier Foundation.
  • Consider installing browser plug-ins to block ads and trackers. We recommend uBlock Origin and Privacy Badger for these purposes, respectively.

Mobile Devices

  • Never store sensitive information on a mobile device, as mobile devices can be easily lost or stolen.
  • Keep mobile devices with you at all times; do not leave them unattended. If that is not possible, keep them in a locked location.
  • Set your mobile device to lock after a timeout period and require a strong password or PIN to unlock the device. Doing so will prevent malicious actors from accessing your data if your phone is lost or stolen.
  • Enable remote wiping capabilities. Doing so can allow you to remotely access and disable the device should it become lost or stolen.
  • Be careful about what apps you install. If allowed access, apps can share your contacts, emails, files, and text messages with third parties.
  • Make sure you keep your mobile device updated. Obsolete devices can be susceptible to attacks, which could result in data theft or even financial loss.
  • Set Bluetooth devices to “hidden mode” and disable Bluetooth when it is not in use. This will prevent unwanted users from connecting to your device.

Telephones

  • Do not trust caller ID. If you receive a call appearing or claiming to be from your bank, the IRS, or another institution, do not provide any information. Request a name, extension, or reference number, hang up, and call them back at the number listed on a known trusted document, such as a bank statement, the back of your credit card, or an official government website. Legitimate institutions should be accommodating to these security measures. If you are met with resistance or feel pressured, you may be dealing with a scam artist.
  • Never give out your password over the phone.
  • In a large educational institution, you probably haven't met everyone. Before giving information to a caller you do not recognize, verify they are who they say they are (e.g., by calling their office number or the office of a co-worker that you do know).

Removable Storage

  • Beware of unrecognized USB sticks and CDs that you find lying around. They may have been planted for the sole purpose of infecting any machine they are inserted into.
  • Do not transport confidential or personal information on CDs, laptops, USB keys, portable hard drives, etc., unless necessary. If you do use these tools, only use them in a way that is encrypted and secure (contact ITS for advice and assistance with this).

Social Media

  • Restrict who can view your profile and information.
  • Avoid publishing your personal information (e.g. Social Security number, date of birth, address, telephone number, class/work schedule, or location).
  • Be wary of answering online surveys that people post on your wall, comments, etc. Although they appear innocent, they can provide an attacker with useful information about you. This information can then be used for things like answering your secret questions to gain access to accounts or reset passwords.
  • Remember that anyone can see what you post on the Internet. Always think about what you post and what people post about you.
  • Don’t click on suspicious links or download files in messages, chat windows, or status updates. This can infect your computer with malware and spread to your contacts.
  • Report spam, phishing, and access violations to the social network provider.

WiFi

  • Be mindful of what you access on public WiFi networks. Unless you use encrypted services such as HTTPS websites or use a VPN to "tunnel" your traffic through an encrypted connection, attackers can hijack your session and view your data.
  • Always enable personal firewalls, run up-to-date anti-virus software, and install system updates before connecting to public WiFi networks and hotspots. This can protect your system from malware and vulnerabilities.
  • Never leave a personal WiFi router open without requiring a long password. You should also avoid using WEP or WPA encryption, as these have known weaknesses. You should use at least WPA2 encryption to secure your network.
  • As an extra layer of access control, you can enable MAC address filtering on your wireless router. MAC filtering allows only the devices you specify to access your wireless network.
  • Avoid sharing your WiFi password. Most routers allow setting up a guest network with a different password.

Details

Article ID: 6865
Created: Mon 6/20/22 5:36 PM
Modified: Wed 10/26/22 9:54 AM