Current revision updated by rgilbert39 on
Originally created by rgilbert39 on
Scope 

This document is intended for anyone using computing devices, accessing Georgia Tech data, or interacting with information systems, including IT and Security staff. Examples include smartphones, laptops, desktops, and remote connections to Georgia Tech systems.  

Understanding Security Responsibilities 

A common misconception is that user training, reporting security incidents, and adhering to policies equate to doing a cybersecurity specialist's job. Security is a shared responsibility. While cybersecurity professionals manage risk assessments, tool selection, incident resolution, and more, users play a crucial role in protecting themselves and others. Security specialists work to balance security and usability, but they cannot foresee every possible threat. Users are trained to be vigilant and report incidents to support overall security efforts.  

Social Engineering 

Social engineering exploits human psychology rather than technical vulnerabilities. Social engineering has many tactics. Here are a few: 

  • Dumpster Diving: Retrieving discarded information. 
  • Playing on Helpful Tendencies: Exploiting people's desire to assist. 
  • Social media: Extracting personal details from social platforms or games. 
  • Friendship: Convincing someone that they are a friend or perhaps a romantic interest. 
  • Urgency and Fear: Creating a sense of immediate threat or repercussions. 
  • Interrogation: Simply talking and steering the conversation toward the information they need. 
  • Impersonation: Pretending to be trusted entities like helpdesks or government agencies. 

Key takeaway: Always verify the source of requests for information and remain calm when approached. Report suspicious activities to appropriate authorities rather than confronting potential attackers directly.  

Bypassing Physical Controls 

Tailgating: Following someone into a secure area. 

Manipulating Trust: Convincing someone to grant access under false pretenses. 

Dumpster Diving: Retrieving discarded sensitive information. 

Key takeaways: 

  • Ensure doors close behind individuals and verify access credentials. 
  • Avoid granting access based on verbal assurances; verify identities through proper channels. 
  • Report suspicious behavior to security or the police if needed.

Phishing 

Phishing involves deceitful attempts to obtain sensitive information via electronic communication. This can occur through: 

  • Emails 
  • Texts 
  • Phone Calls 

Prevention Tips: 

  • Never trust unexpected communications, even from known contacts. 
  • Look for signs of phishing such as poor grammar, urgent requests, and unexpected links.

Connecting to Networks 

Georgia Tech Networks: While Georgia Tech employs rigorous security measures, large networks are not immune to risks. Always connect only to authorized networks and follow IT guidelines.   

Non-Georgia Tech Networks: Often lack robust security measures and should be used cautiously. Be aware of the risks associated with public or unsecured networks. 

Protection Methods: 

  • Use VPNs: Ensure they are configured to encrypt all traffic. 
  • Hotspots: Consider using personal hotspots for enhanced security.

Other Connected Devices 

In a flat network environment (one where devices are not separated by VLANs, subnetting, or other forms of segmentation for isolation purposes), devices are exposed to each other. This can pose risks because some systems, such as smart home devices, are bare operating systems with no security: 

  • Malware Distribution: Connected devices might spread malware. 
  • Security Tools: Ensure all connected devices use up-to-date security measures. 
  • Local Firewalls: Stop lateral movement inside the network.

Malware 

Malware encompasses various types of malicious software, including: 

  • Adware: Displays unwanted ads and may contain harmful components. 
  • Ransomware: Encrypts data and demands payment for access. 
  • Malware as a Service: Allows less technical individuals to deploy sophisticated malware. 

Prevention Tips: 

  • Avoid connecting unknown removable media. 
  • Keep security software updated and perform regular scans. 
  • Do not click on email, text, or web page links unless verified. 

 

Web Pages and Sites 

Malicious sites can be used to spread malware or steal information. Be cautious of: 

  • Typo-Squatting: Registering domains that closely resemble legitimate ones (twitter.com vs tw1tter.com). 
  • Cross-Site Scripting (XSS): Injecting scripts into webpages. 
  • Cross-Site Request Forgery (XSRF): Sending unauthorized commands from a user’s device. 
  • DNS Poisoning: Redirecting users to malicious sites. 

Protective Measures: 

  • Use tools to block known malicious sites. 
  • Be wary of unexpected prompts or links. 
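
As an added illustration (not part of the original document), the sketch below shows how a blocking tool can flag the typo-squatting case above: it folds commonly swapped characters to a shared form and compares the result against a list of legitimate domains. The PROTECTED list, the FOLD table, and the sample hostnames are constructed for this example, and the registrable domain is assumed to be the last two labels of the hostname.

```python
PROTECTED = ["twitter.com", "example.edu"]  # constructed allowlist

# Characters often swapped to imitate another (assumed, not exhaustive).
# Both sides are folded to one "skeleton", so 1, i and l compare equal.
FOLD = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"),
        ("3", "e"), ("5", "s")]

def skeleton(name):
    for src, dst in FOLD:
        name = name.replace(src, dst)
    return name

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return (verdict, matched_domain) for a hostname."""
    host = host.strip().lower().rstrip(".")
    for legit in PROTECTED:
        if host == legit or host.endswith("." + legit):
            return ("legitimate", legit)
    # Assumption: the registrable domain is the last two labels.
    domain = ".".join(host.split(".")[-2:])
    for legit in PROTECTED:
        if skeleton(domain) == skeleton(legit):
            return ("lookalike-substitution", legit)
    for legit in PROTECTED:
        if edit_distance(skeleton(domain), skeleton(legit)) <= 1:
            return ("lookalike-typo", legit)
    return ("unrelated", None)

if __name__ == "__main__":
    for h in ["twitter.com", "tw1tter.com", "mobile.twitter.com",
              "twiter.com", "login.tw1tter.com", "example.org"]:
        print(h, classify(h))
```

A distance threshold of 1 keeps false positives low on short names; legitimate domains that sit close to a protected one still need to be added to the allowlist.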

 

Email 

Emails are a common phishing vector and can inadvertently share sensitive information: 

  • Metadata: Documents often contain hidden data that could be sensitive. 
  • Phishing Emails: Be cautious of emails requesting urgent actions or containing suspicious links. 

Best Practices: 

  • Avoid sending sensitive information via email. 
  • Use encrypted communication methods when necessary.

Software Installation 

Software installations from untrusted sources can introduce malware and other risks. 

Best Practices: 

  • Use authorized software lists. 
  • Download software only from reputable sources and verify its integrity.

Passwords 

Best Practices: 

  • Use Multifactor Authentication: Adds an extra layer of security. 
  • Create Strong Passwords: Use a mix of characters and avoid common sequences. 
  • Manage Passwords: Use password managers and avoid sharing passwords. 

Note: Your password should remain confidential. Initial passwords should not be sent via insecure methods and must be changed immediately. Never share passwords with anyone, including IT and management.

Sensitive and Protected Information 

Sensitive information includes personal details, health data, and financial information. Be aware of how combining seemingly innocuous data can lead to data becoming personally identifiable information. 

Best Practices: 

  • Handle all sensitive information with care. 
  • Be cautious about combining data that can be used to identify individuals.  
Conclusion 

Protecting data is very important at Georgia Tech and should be equally important to users when not at work or school. To be effective, security awareness must be made into a habit, so it becomes automatic. Georgia Tech offers various learning opportunities to support this and has professionals to answer questions. This document serves only as a primer and the beginning of that journey. 
