Faculty/Staff Survival Guide for Safe Computing

Protect Your Device with Anti-Virus

Keep all software, operating systems (mobile and PC) and apps up to date to protect against data loss from infections and malware. Stony Brook currently recommends Microsoft Defender for personal use. Microsoft Defender is free to use and is built into windows.

You must install and keep updated antivirus software if you are connecting to the Stony Brook network either physically or though the VPN.

Patching and Updates

Computers need to be updated regularly to keep current with any updates, for example a Microsoft security update. You can even set your computer to run the update program automatically, every week or so. You can access updates in the Control Panel (PC) or System Preferences (Mac).

Considerations when Working Remotely

When working remotely, be mindful of how you are connected to the internet. Are you at home, or are you in a hotel or coffee shop? Sensitive information should never traverse a network you do not trust or control, like a public wi-fi hotspot. If such a network is your only means of connectivity, ensure you are using the Stony Brook VPN before accessing any sensitive material.

Ensure the wireless network you are connecting on is encrypted with WPA2, which is the generally accepted security standard. Older networks may be encrypted with WEP encryption, which has significant security weaknesses. Most modern operating systems will warn you when connecting to a network like this.

Be mindful of shared devices, so household members are not exposed to confidential information inadvertently.

Remain cognizant of who may be around you or what is visible on your screen. Sensitive data should not be accessed while in a public place, for example.

When using a shared device to access web-based Stony Brook resources, ensure you are using your browser's private or incognito mode. Instructions on how to access this feature for each browser are linked below.

Secure Sensitive Data Before Sharing

We have provided some guidance on the Sharing Data Securely guide available on the left side menu. This includes using file protections built in to Microsoft Office, Adobe Acrobat, and more.

Passphrases

A passphrase is an easier to remember password that is longer and therefore stronger.

Password length most directly influences password strength. So a longer passphrase made of simpler components is more effective than a shorter, super complex password that is difficult to remember.

Using spaces in your passphrase add complexity while making it easier to remember and can be considered to be a special character like !@#$%^&*().

Examples:

Pizza123 - A very weak password
I ate two slices of pizza - Better
I ate 2 slices of p1zz4! - Best

You may find that creating and using passwords like this can be cumbersome or difficult, and so Information Security advocates using a password manager to securely generate and store unique passwords for each service. For Stony Brook passwords, we offer LastPass Enterprise; for personal passwords, Stony Brook staff members can sign up for a free LastPass Premium account.

Stay Two Steps Ahead with Multifactor Authentication

Turn on multi-factor authentication wherever offered to prevent unauthorized access. Some Stony Brook services, such as the VPN, use Duo for multi-factor authentication. You can request a Duo account here.

Passcodes

Set a passcode for your device and be sure auto-lock is on so that your device locks automatically after being idle (you can set this feature up under your phone's settings).

Avoid common device passcodes like 1111, 0000, and the all-in-a-row 2580.

In addition to locking devices and requiring a passcode, be sure encryption is enabled.

Apps and Software

Update mobile browsers and apps when there are bug fixes or security updates.

Review apps before installing them, and be mindful of the permissions you grant to apps. Should a photo editing app really be asking for access to your contacts?

Download apps only from trusted sources - only download apps from your device's app store or ources you are familiar with and comfortably trust. The default setting for Android devices is to prohibit the download of apps from third party sources, and Apple devices explicitly disallow third party app sources.

Phishing

Phishing is an attempt to obtain your sensitive information for malicious reasons, by the bad guys disguising themselves as a trustworthy entity through social engineering and electronic communications.

Avoid emails that have:

Vague subjects, greetings, and/or content
Incorrect names, dates (e.g., far in the future), misspellings, mismatched names/email addresses (e.g., "IT Help Desk", instead of "Customer Engagement & Support")
Awkward wording/language/grammar
Strong calls to action (e.g., Urgent!!!!), warn of a deadline that's very soon (e.g., "your account will be deactivated in 24 hours unless...)
Many recipients, especially if the list of recipients is arranged in alphabetical order
Web links that don't match sender or are misspelled - You can hover over links to see where it will take you

If these emails contain links, attachments, or request information, do not click on the links, download the attachments, or respond with your information. Immediately mark the message as spam or for phishing in Google Mail. Your personal information (passwords, usernames, etc.) will NEVER be requested via email. If you accidently click on a link in a suspicious email, change your password right away, monitor your account for any suspicious activity, and contact Customer Engagement & Support.

More information on phishing emails and determining if an email attachment is legitimate

Responsible Use of Information Technology

IT systems may be used for purposes pertaining to a staff members responsibilities and assignments. Stony Brook University takes this very seriously. Respecting others and the appropriate use of technology is essential to make the University safe and enjoyable for all.

You are accountable for any actions performed using devices attached to your NetID, whether they are performed by you or anyone else!

Stony Brook's Appropriate Use of Information Technology Policy (P109)