If I’m an individual student, staff, or otherwise someone doing research that isn’t in charge of projects or infrastructure, what are important security tips for me? Is security an issue when I’m using my campus resource, or otherwise conducting research? What things should I think or worry about?
For the individual researcher, your biggest concerns are understanding your data and where it goes, and getting some basic best practices in order for yourself personally.
Understand Your Data Needs
If you are part of a larger project, hopefully the project lead and their IT staff have your project’s data security needs covered. However, here are some things to think about on very small projects which may only have one researcher and a student or two.
Are you working with sensitive or regulated data?
If so, we recommend that you don’t try to go it alone. Reach out to your campus privacy office or information security office to ensure that all of the correct controls are in place to protect data with confidentiality concerns.
Are you working with open data?
Most science is fairly open, focused primarily on integrity and availability rather than confidentiality. In that case, consider the following:
- Ensure that your back-ups are adequate, and that you test them at least once per month. Lack of adequate back-ups that are in a different building from the research project are a leading cause of big disasters for small research projects. Without good off-site backups, a fire or flood in your building or a single piece of ransomware can wipe out your entire project. Don’t just back-up data: back up any tools you need to work with the data, and your notes and documentation.
- Record the version numbers (or, if version numbers aren’t available, the repository commit IDs) of software when you use it to process your research data, to ensure that any reproducibility studies are using the same software versions, and bugs that could cause data issues are easier to find.
Do you have any ICS/SCADA systems?
Control systems are all around the science world these days: in mass spectrometers, in telescopes, in atmospheric sensors, and more. If any tool or object you have can connect to a network, communicate over a cellular modem, or send or receive data or commands in a way you can’t pin down, consider this worthy of your attention. Most of these devices are extremely insecure, at least in the default or worst-case configuration.
If you have, or might have, any of these sorts of systems, ask someone from your campus IT office or information security office to help you make a plan to secure them. Having a $50,000 piece of equipment stop working because it got hit by ransomware is not good for your project’s future, and you probably don’t have $20,000-$100,000 on hand to pay the ransom. These risks are fairly easy to avoid with conscientious planning. Your IT office can probably put these machines on a separate subnet (network segment) for you, firewalled off from most sources of harm. This won’t reduce the risk to zero, but if you can get rid of the vast majority of risk for zero dollars, why wouldn’t you?
You should also carefully read the documentation that comes with this equipment and turn off any communication protocols you don’t plan to use, and ensure that someone has responsibility for updating firmware weekly in the case that any security updates have been released.
Be prepared to accept some risk.
Very small projects–those too small to have any dedicated IT staff–are highly reliant on their parent institutions for cybersecurity. Risk acceptance is a legitimate response to cybersecurity risks that are beyond your resources to mitigate. Just be prepared to document and communicate which risks you have considered and accepted, so that if something does happen you can show program officers and other stakeholders that you had your eye on the ball all along.
If lacking adequate backups is the first big mine in the field for very small research projects, the second is individual researchers’ personal cybersecurity. A researcher getting phished and giving up their credentials, picking up ransomware, or losing an unencrypted mobile device can easily cause a major incident. These things are also easy to prevent:
Use two-factor authentication (sometimes called 2FA, multi-factor auth, or MFA) everywhere it is available, and ask your campus to make it available anywhere it isn’t yet. MFA is by far the most effective phishing prevention we have so far.
- SMS (text message) based MFA is the least secure method possible, but it’s still much better than nothing.
- FIDO (a system by which you keep a special security key on your key ring, and plug it into your computer while logging in) is probably the best. I like Yubikeys for this, but there are other good brands around, too.
- TOTP, a system where a key is stored on your smartphone and used to generate temporary passcodes, is middle-of-the-line in terms of security and arguably the most user-friendly, because most people already carry smartphones. If you’ve ever used Google Authenticator, the two-factor auth systems for Steam or Blizzard games, or Duo Auth’s option to generate a passcode on your phone, you have already used TOTP.
Use a password manager, such as KeepassXC or Lastpass, to store passwords on your devices so that you can use strong passwords and aren’t tempted to recycle passwords (no one can remember all their passwords!). This is much safer than a text file or other un-encrypted password storage.
- If you prefer to go low-tech, passwords in a notebook in a locked drawer or safe are still safer than weak or re-used passwords.
Use screen locks on all of your devices, even if you will only be away from them for a moment.
Use disk encryption on all of your devices. Every major operating system–Linux, Windows, MacOSX, iOS, and Android–has this available built-in now. Without it, someone could read the disk on your locked device simply by accessing it from a different device.
If you use systems that authenticate via X.509 certificates, SSH keys, or other private keys, be careful how you store and back up those keys. Often, researchers have fairly public back-ups of software or research data, and accidentally include keys in those back-ups. Always store private keys separately from research data and software (in their own directory) to prevent these kinds of accidents.
Keep your work and personal computer usage separate. There’s no reason not to have your personal computer on your desk next to your work computer if you need to check Facebook at the same time you are working on your research. At the very least, use a separate browser or (if in a browser such as Chrome, Chromium, or Firefox which supports it) a separate browser identity for work and personal accounts.
Use an ad blocker such as the EFF’s Privacy Badger to reduce malicious ads loaded by your machine while browsing the web.
Keep good back-ups, and test them on some regular schedule. You can’t prevent all possible sources of ransomware, but you can restore from a good back-up instead of paying the ransom if you do get infected.
If you want to learn more…
…about cybersecurity, I highly recommend hanging out in this community and/or attending the annual NSF Cybersecurity Summit, which is focused specifically on the science community’s cybersecurity needs.