Learn about creating your digital MIT identity in our previous article Start your computing life at MIT.
As an MIT student, you will have access to digital resources and information that make your Kerberos account, computer, and mobile devices high-value targets for scammers and bad actors. To protect your account, devices, and information, Information Systems and Technology (IS&T) recommends that you take a number of precautions.
At a minimum, as a student you should implement the tasks for low-risk data on MIT's Information Protection website, infoprotect.mit.edu, which contains the Institute’s policies about safeguarding data and devices.
As a starting point, the steps below walk you through a number of these tasks. All of the software and services referenced here are licensed by the Institute for use by you while you are a student at MIT at no extra cost.
Beware of phishing scams
MIT community members are popular targets for email scams like phishing. Attackers try to trick recipients into doing things like purchasing gift cards for them, sharing passwords through fake login pages, or installing malware via malicious attachments. Common scams pretend to be from IS&T, department heads and deans, or other companies and services you may use (e.g., UPS). The best defense against phishing attempts is to not click on links or download attachments in any email that you weren’t expecting, even from someone you may know.
If you are ever unsure about the legitimacy of an email message or want to report phishy emails, please forward the email as an attachment to firstname.lastname@example.org. The IS&T Security team will verify its legitimacy or take steps to protect the community if it’s determined to be a scam. You can also review examples of phishy emails that others at MIT have received in the MIT Phish Bowl.
Note that IS&T will never ask you to send or reset your Kerberos password via email.
Use a password manager
It is good cybersecurity practice to create strong, unique passwords for all of your accounts, at MIT and elsewhere. Using the same password for multiple sites is never a good idea; once a password is compromised, attackers will try to access your accounts on other apps and services.
IS&T recommends that you use a password manager to generate, store, and manage original, secure passwords. IS&T offers LastPass Enterprise to MIT community members, which encrypts your passwords before storing them and makes them easily accessible to you on your computer or mobile device. The IS&T Knowledge Base (KB) has a guide on how to get started with LastPass.
Enable automatic updates
One of the most important things you can do to protect your computer and mobile devices is to enable automatic updates of their operating systems and applications. Not applying critical security patches and updates can leave your device vulnerable to attack.
Run security software
IS&T recommends that you download and install CrowdStrike, which protects your computer by looking for bad behaviors instead of just known bad files. Certain actions are logged to a central repository where they are analyzed for anomalous or suspicious activity using CrowdStrike’s machine learning algorithms. CrowdStrike is available from the IS&T software grid for Linux, Mac, and Windows clients and the KB has installation instructions.
Running Sophos Anti-Virus software is also recommended. Sophos provides traditional anti-virus capabilities and can also block access to websites that contain malicious code. It can be downloaded from the software grid and the KB has installation instructions for Linux, Mac, and Windows clients.
Encrypt your devices
Implementing whole-disk encryption will protect the information on your device in case it is lost or stolen. IS&T recommends BitLocker for Windows and FileVault for Macs. For your mobile phone, enabling encryption is as easy as setting a password.
Back up regularly
Backing up your computer regularly enables you to recover quickly from a lost, stolen, damaged, or compromised computer. IS&T offers Code42 for Enterprise, a cloud-based backup solution that will run in the background to automatically back up all your data, ensuring that new files and changes are saved.
NOTE: Cloud storage services like Dropbox and Google Drive are not substitutes for full system backups. Only true backup services like Code42 will allow you to fully recover all of the data and information on your computer in case of disaster.
The KB has instructions for obtaining and using Code42.
Use MIT’s VPN
The MIT Virtual Private Network (VPN) enables you to connect securely to Institute resources even when you are working away from campus. You can connect to MIT’s VPN anytime from anywhere using the GlobalProtect VPN client on your computer and mobile devices. The KB has installation instructions.
MIT’s VPN also gives you a safer way to use free public WiFi by encrypting your connection, ensuring that nobody nearby can eavesdrop on your activity. It also guarantees that you will use MIT’s domain name services (DNS) and not be unknowingly directed to a rogue DNS server that could send you to malicious websites. IS&T strongly recommends always using the Institute’s VPN when on public WiFi, whether or not you need to access MIT resources.
IS&T is here to help!
If you have any security-related questions or need to report a security incident while at MIT, email the IS&T Security Team at email@example.com.
Don’t hesitate to contact IS&T’s Service Desk with any computing questions 24 hours a day, 7 days a week, and be sure to follow IS&T on Twitter, Facebook, Instagram, and Snapchat to keep up with important cybersecurity news at MIT.
Learn about all of the software and cloud-based services you have access to while you’re an MIT student in our next article Get useful applications and services.