Letter from the CISO, Vol 1 Issue 4
Washington University Community:
Physical safety is a fundamental need of all animals, humans, computer systems, and devices.
Last month I encouraged everyone to adopt a healthy dose of skepticism and paranoia regarding email, text, and social media messages to avoid becoming victims of social engineering attacks.
This month, I would like to encourage everyone to be a little more paranoid about the physical security of their devices and our work environments, which often now include our homes as well as our offices.
Keeping our devices secure requires diligence and commitment, which are hard to sustain. I find it handy to think of my laptop and cell phone with the same level of concern as I do my wallet. If I’m in a Starbucks or Kaldi’s Coffee and need to use the bathroom, I don’t leave my wallet on the table, and I wouldn’t leave my phone or laptop there, either. This general rule also applies to the car, the classroom, the office, etcetera–even if I’m pretty sure no one will take my belongings. The cost and inconvenience of dealing with their loss are undoubtedly worth avoiding. It’s a giant pain in the posterior when someone loses a device!
When driving somewhere in a car, put your devices in the trunk or other hidden location before you start, so you can avoid showing a thief where you are putting your valuables when you arrive. Whatever you do, please don’t leave them or any other valuables in your car where they can be seen. Again, I don’t leave my wallet in the passenger seat of my car when I park, so I don’t leave my devices there either.
These are just a few ideas about how to prevent your devices from being stolen, and it’s pretty easy to think of or search for other scenarios.
But what can we do to reduce the pain and trauma of a lost or stolen device?
WashU-managed devices usually have several defenses enabled, and there is an excellent list of the things you should do to secure your devices at https://informationsecurity.wustl.edu/guidance/. We have device-specific advice for the most popular devices:
- iOS/iPadOS – https://informationsecurity.wustl.edu/information-security-strategies-for-ios-ipados-devices/
- Android – https://informationsecurity.wustl.edu/information-security-strategies-for-android-devices/
- macOS – https://informationsecurity.wustl.edu/information-security-strategies-for-macos-devices/
- Windows 10 – https://informationsecurity.wustl.edu/information-security-strategies-for-windows-10-devices/
These guidelines are very good but don’t include instructions for setting up “Find My Device” services. Apple, Google, and Microsoft all provide these capabilities, and some pretty good instructions are available at:
- iOS/iPadOS – https://support.apple.com/find-my
- Android – https://www.google.com/android/find?u=0
- macOS – https://support.apple.com/en-us/HT204756
- Windows 10 – https://www.thewindowsclub.com/remote-wipe-windows-10.
If you set up these capabilities in advance, the police may be able to find and recover your device if stolen, and you can find your device when lost, whether that means you accidentally left it in a taxicab or it fell between the sofa cushions. I know a couple of people who were able to find their phones moments before going under the water in a washing machine. Phew!
Lastly, if you are unable to find your phone quickly, please be sure to report lost or stolen devices to WashU Information Security (email@example.com or wustl.service-now.com) if it is property of WashU or contains WashU information. Other lost or stolen personal devices should be reported to the police with jurisdiction for the area where it was lost or stolen.
As we work at home and other locations outside the office, our devices are often at greater risk than ever before, so I thank you again for your interest in information security and your participation in our ongoing fight against cybercrime.
-Chris Shull, CISO