Cyber Security Awareness Training FAQs


By Sam Horowitz, Chief Information Security Officer

We’ve received a number of questions about the UC Office of the President’s new Cyber Security Awareness training. Here are the most common questions and my responses.

The training instructed faculty and staff not to store data in the cloud. How does this impact departments or teams using Google Drive, Box (Connect Box), or Dropbox to store and share information?

The training was developed by a third party to inform UC employees of cloud computing risks. UCSB did not have influence over the content.

UC has a contract with Google covering faculty and staff use of Google Drive, including Google Docs. UC also has a contract with the widely used Box application (Connect Box at UCSB) covering faculty and staff use. We encourage you to use both of these services to store and share information, EXCEPT Personally Identifiable Information and Personal Health Information. No such agreement exists between UC and Dropbox. Therefore, Dropbox should not be used for storing restricted or confidential information.

You can find the policy regarding click-through agreements and the cloud storage of confidential information here: http://www.policy.ucsb.edu/policies/advisory-docs/clickthrough-guide.pdf.

 

Our staff and researchers travel frequently and almost always use personal computers and mobile devices for work-related purposes while abroad. Should we instruct travelers to consult with our division IT staff prior to departure, or should a wiped loaner computer or phone be used instead?

The geopolitical and business climate with regard to Intellectual Property (IP) and Personally Identifiable Information (PII) is in flux. In the 1960s, Air France bugged its first-class cabin on overseas flights to gain competitive information that it passed on to French industrial companies. The recent breaches of Sony and the Office of Personnel Management were carried out by nation states. While we have no specific guidance at UCSB, many other universities across the country have issued explicit travel guidelines for researchers going to countries known to participate in espionage. UC Santa Cruz has published guidance at http://its.ucsc.edu/security/travel.html, and you can find an Educause article at http://er.educause.edu/articles/2015/8/designing-it-guidelines-for-global-travel.

As UCSB’s Chief Information Security Officer, I carry a clean laptop on international trips and rebuild it when I return. Researchers need to be aware of the intellectual property they carry and the economic risk if their information is compromised. Foreign researchers have been known to pirate English language papers and publish them in other languages as their own research. If they steal a paper before publication, it may have an impact on the ability to register a patent for Intellectual Property in the United States.

If you have no IP or PII data, it may be perfectly safe to take a personal laptop or mobile device abroad. Just remember that phones and tablets can be compromised too. Keep these devices on your person wherever you go and monitor those around you. Physical access to the device is the most common route to compromise.

It’s unfortunate that we live in such a state, but espionage isn't restricted to a single region or country. Many nations are targeting visiting researchers for information that may be used for political or economic gain. The safest way to mitigate this threat is to travel with a clean laptop, rebuild it when you return, and always monitor your physical environment.

 

Why do I need to take special precautions when I use public Wi-Fi?

Public Wi-Fi connections are a convenient way to access the Internet, but they often carry inherent security risks. Sharing a public connection opens your data - usernames, passwords, billing information - to a variety of untrusted strangers, hackers, or even criminals. The safest way to access untrusted Wi-Fi is to establish a Virtual Private Network (VPN). A VPN extends a private network (and its security protections) across a public connection. Upon connecting to a public Wi-Fi network, try to establish a VPN to a safe location, such as the University. This is my regular practice when I stay at hotels or visit public places like Starbucks. Unprotected networks are hotspots for criminals looking to capture unencrypted and sensitive data.

If you are a faculty or staff member, contact your IT staff to ask how you can access the campus’s free Virtual Private Network.