IS&T is committed to strengthening the security of MIT's infrastructure and information.
Even computers that don’t appear to have any valuable information can be attractive targets for attacks. Compromised computers and other devices can be used as a foothold allowing attackers to spread through the network. Networked devices in MIT's public IP space are constantly under attack from devices across the globe. IS&T provides a variety of security services and software to protect the MIT community.
Take steps to protect your computing and the information you handle at MIT.
- Enable automatic updates for your operating systems and software to protect against the latest security threats.
- Install Sophos Anti-Virus and CrowdStrike Falcon. Sophos protects your computer against known viruses, worms, and malware. CrowdStrike provides advanced protection against emerging threats, using machine learning to detect patterns commonly seen in attacks.
- Use a password manager such as LastPass to generate and protect strong, unique passwords.
- Back up your computers using CrashPlan. This cloud-based backup solution makes it easy to recover data from computers that have been lost, stolen, or damaged by malware.
- If you handle personally identifiable information (PII), install Spirion to help you detect and securely encrypt or delete files with sensitive information.
Be secure when working remotely
Working, teaching, and learning away from the MIT campus poses new risks to securing information. IS&T recommends that community members follow these best practices when engaging in activities remotely to help reduce the chance of the information and data you handle at MIT being compromised.
- Make sure your devices are running newer operating systems supported by the vendor (e.g., Windows 10, macOS 10.15, or newer) and that all updates have been applied.
- When exchanging high risk (i.e. sensitive or personal) information over email (e.g. birth certificates, loan applications), make sure to protect it by encrypting files before sharing.
- Make sure your home router’s firmware is up-to date, that you have changed the default password to something strong, and that you have enabled WPA2 encryption for your home WiFi network.
- Use MIT-approved and licensed enterprise video conferencing tools, such as Zoom, Microsoft Teams, and Webex, which offer protections for your security and privacy, and follow suggested best security practices.
- If accessing systems on campus from remote locations, securely configure the remote connection with encryption and multi-factor authentication.
Beware of phishing and other scams
Phishing emails and email scams continue to be an effective way for scammers to steal credentials, install malware, or extort cryptocurrency. Many of these emails are targeted to a specific department or lab, and may appear to come from someone you know or do business with.
There has been an uptick in malicious attacks to take advantage of the COVID-19 pandemic. Be wary, in particular, of phishing attacks and also of scams that try to trick you into making donations to fraudulent organizations or causes or revealing sensitive information. Protect yourself and your information by using caution when opening emails and attachments.
If an email looks suspicious, report it to email@example.com by forwarding the email as an attachment. The IS&T Security team will take steps to protect the community.
MIT's Information Protection website provides access to policies and guidance on safeguarding information at the Institute. The Awareness I: IT Security and Awareness II: IT Security courses are available in the Atlas Learning Center.
Report an IT security incident
It's important to report any IT security incident as soon as you are aware of it so the Security team can take proper steps to limit the impact and extent of loss, investigate, protect other members of the MIT community, and meet any regulatory or legal requirements.
If you believe a breach of MIT information occurred, immediately report the IT security incident by sending email to firstname.lastname@example.org. The IS&T Security team will contact you to evaluate the situation and determine the next best step. If necessary, they will assemble the Data Incident Response Team. You should not address these situations on your own, as that may corrupt forensic information needed to determine the scope of the issue and the risks to MIT.