IR&C Guidelines for Using Laptops

More and more employees use laptops for working offsite. Because the use of laptops poses inherent security risks, IR&C has developed the following guidelines to help laptop users stay secure.

Guidelines

1. Anyone who uses a University-issued laptop computer (or has a University-issued desktop computer at home), must use UCOP's secure VPN service: http://www.ucop.edu/irc/services/networksvcs.html#vpn.
2. Always launch the VPN connection whenever you access your UCOP e-mail or files. This ensures that your data communications are fully encrypted and secured, and that your laptop/desktop will receive all the security patches and fixes. IR&C recommends that you set the VPN to automatically launch when you log on. Contact the Technology Service Desk for assistance in setting this up.
3. Use a security cable to lock down your laptop, even when you are away from the office.
4. Do not install any software before discussing it with the IR&C Technology Service Desk. Do not install software from Internet sites you do not fully trust because you may expose your computer to viruses and malicious software.
5. Ensure that your laptop is updated with the latest security patches. Because IR&C automatically patches all Microsoft workstations monthly, you should physically plug your UCOP-owned laptop into a network connection in a UCOP building at least once a month to install the latest patches. The updates will happen faster than over VPN. Privately owned computers cannot be afforded this protection.
6. If you use a docking station, completely turn off your computer before removing it from the docking station. If you don't, the logoff script will not run properly and the laptop will be in a "confused" state, exposing it to security threats.
7. Purchase an additional power pack for traveling so you can access wired connections whenever available.
8. Disable or remove the laptop's wireless card when you are not using a public hotspot.
Internet Surfing
9. Only use public hotspots for surfing the Internet. Do not conduct private or sensitive work, such as financial transactions, over a public wireless connection.
10. If you do have to conduct transactions over a public hotspot, enter passwords only into Web sites that include an SSL key. This is a symbol that looks like a key and is located on the lower right-hand corner of your Web browser. It ensures that the Web site you are transacting with is legitimate and that data sent between you and it is encrypted with the current industry standard.

• Because they are portable and easily hidden, laptops are simply more prone to being stolen or lost.
• "Hotspot" wireless connections (sometimes called "wifi") are more and more prevalent. People use them in hotels, airports, coffee shops, and libraries. However, they are insecure; anyone can access your communications over a hotspot. Whenever you use a public hotspot, your data is unsecured and may be intercepted, unless your laptop has been encrypted.
• Computer attackers are always devising new and different ways to steal your information via public hotspots. Here are some examples of how they get you to connect to a fake wireless access point and then to log onto a bogus Web site.
  • They trick you into connecting to fake wireless access points. The attacker sets up a laptop to act as a wireless access point and gives it a legitimate-sounding name, such as Tmobile, Hilton, or Free Internet. The user then connects to what appears to be a legitimate hotspot.
  • They leverage the automatic promiscuous nature of your wireless network card to connect your laptop to their fake access point. The Windows XP and Mac OS X operating systems come with wireless cards that continually probe for wireless access points and networks they have connected to in the past. When the wireless card recognizes a legitimate SSID-the broadcast name of a wireless network-it automatically reconnects to that access point. But the attacker uses tools to pick up your wireless card probes and obtain the SSID information so that they can set up fake access points with that exact same SSID. Your laptop then may automatically establish a wireless connection to the fake access point.
  • They overpower legitimate access points. Wireless devices connect to the access point with the strongest signal strength available, even if it means abandoning a secure connection for an attacker's access point.

In all these cases, once the user connects to the attacker's fake access point, the attacker redirects the user to an authentic-looking but bogus Web page. When the user enters passwords or creates a new ID with credit card information over that page, the attacker steals the personal data.