The underlying digital infrastructure of institutions has become an essential national resource. One of the main issues that affects all digital residents is cybercrime. We request all IITJ users to read the following cybersecurity advisory carefully to raise awareness. All IITJ users are expected to abide by the following guidelines.

1. Always download applications/ software from trusted sources.
2. Set Operating System updates to auto-update from a trusted source.
3. All IITJ users are recommended to use antivirus software on personal computers. If you have a Windows computer, you can use the built-in Windows Defender software for antivirus. Antivirus software will help keep your computer free of malicious software such as viruses, worms, and Trojan horses. You also need to protect yourself against spyware and adware, which can gather your personal information or create an opening for more serious threats.
4. Ensure that the Antivirus clients installed on systems/devices are updated with the latest virus definitions, signatures, and patches. Perform a full antivirus scan of the entire system at regular intervals after updating its signatures.
5. Computer systems must have genuine Windows OS licenses and applications. The activation key must be recorded and kept for OS license activation in case the system is formatted due to unavoidable situations. No unwanted applications or data must be stored or installed on the system.
6. Always lock/log off from the desktop when not in use.
7. Always keep the computer firewall “ON”.
8. Keep the printer's software updated with the latest updates/patches.
9. Set up unique pass codes for shared printers.
10. Internet access to the printer should not be allowed.
11. Keep the GPS, Bluetooth, Wi-fi, NFC, and other sensors disabled on the desktops/laptops. They may be enabled only when required.
12. Do not write passwords, IP addresses, network diagrams, or other sensitive information on any unsecured material (ex, sticky/post-it notes, plain paper pinned or posted on the user's table, etc.).
13. Do not use any external mobile app-based scanner services (ex, Cam scanner, etc) for scanning internal government documents.
14. Keep a regular backup of critical data.
15. Remove/delete applications that are not in use.
16. Users shall never share hard disks or folders with anyone. However, whenever necessary, only the required folders shall be shared with the specific user for a specific period.
17. Scan the USB device with Antivirus/ Endpoint Protection before its use.

1. 8 + 4 Rule: Use complex passwords with a minimum length of 8 characters, using a combination of capital letters, small letters, numbers, and special characters.
2. Change passwords at least once in 90 days.
3. Use Multi-Factor Authentication, wherever available.
4. Do not use the same password in multiple services/websites/apps.
5. Do not save passwords in the browser or any unprotected documents.
6. Do not share system passwords or printer pass codes, or Wi-Fi passwords with any unauthorized persons.
7. Common passwords such as admin@123, Password, admi,n or which contain words such as unit name, room no, telephone, mobile, or other things which are generally known to other colleagues must be avoided.
8. Do not use dictionary words as passwords. Do not use personal information such as DOB, roll number, name, etc in your password.

1. While accessing Government applications/services, email services, or banking/payment-related services or any other important application/services, always use Private Browsing/Incognito Mode in your browser.
2. While accessing sites where a user login is required, always type the site's domain name/URL manually on the browser's address bar, rather than clicking on any link.
3. Ensure that you respect copyright laws when using academic resources and materials online.
4. Do not use a proxy or other sites to bypass campus firewall security.
5. Use the latest version of the internet browser and ensure that the browser is updated with the latest updates/patches.
6. Do not store any usernames and passwords in the internet browser.
7. Do not store any payment-related information in your internet browser.
8. Do not use any 3rd party anonymization services (3rd party VPN, Tor, Proxies, etc). Avoid using unauthorized VPN services and remote desktop tools like AnyDesk and TeamViewer.
9. Do not use any 3rd party toolbars (ex, download manager, weather toolbar, ask me toolbar bar etc.) in your internet browser.
10. Do not download any unauthorized or pirated content /software from the internet (ex, pirated movies, songs, e-books, software).
11. Do not use your official systems for installing or playing any Games.
12. Cache and History should be deleted regularly from the browsers after every usage on internet-connected systems.
13. Enable genuine ad-blockers to protect from advertising.
14. Ensure the genuineness of SSL/TLS websites while performing online transactions.
15. Please be more cautious when clicking any TLD domain ending with .xyz, .top, .pw, .ru, .tk, .biz, etc.
16. Legitimate websites do not often have hyphens or symbols in their domain names. Scammers will use these elements along with known brands to try to trick you. For example, www.google.com is not the same as www.google-search.com.
17. Sometimes you will come across a domain that is shown just as an IP address (e.g., http://101.10.1.101). You should not click this type of URL unless you are familiar with the IP address and you know exactly where the link will take you.

1. Ensure that the mobile operating system is updated with the latest available updates/patches.
2. Do not root or jailbreak your mobile device. The rooting or jailbreaking process disables many built-in security protections and could leave your device vulnerable to security threats.
3. Keep the Wi-Fi, GPS, Bluetooth, NFC, and other sensors disabled on the mobile phones. They may be enabled only when required.
4. Download Apps from the official app stores of Google (for Android) and Apple (for iOS). Do not install apps from untrusted sources unless you are sure about the source of the app.
5. Before downloading an App, check the developer & popularity of the app and read the user reviews.
6. Observe caution before downloading any apps which has a bad reputation or a small user base, etc.
7. While participating in any sensitive discussions, switch off your mobile phone or leave the mobile in a secure area outside the discussion room.
8. Do not accept any unknown request for Bluetooth pairing or file sharing.
9. Before installing an App, carefully read and understand the device permissions required by the App along with the purpose of each permission.
10. In case of any disparity between the permissions requested and the functionality provided by an app, users are advised not to install the App (Ex, A calculator app requesting GPS and Bluetooth permission).
11. Note down the unique 15-digit IMEI number of the mobile device and keep it offline. It can be useful for reporting in case of physical loss of a mobile device.
12. Use auto lock to automatically lock the phone or keypad lock, protected by a pass code/ security patterns, to restrict access to your mobile phone.
13. Use the feature of Mobile Tracking, which automatically sends messages to two preselected phone numbers of your choice, which could help if the mobile phone is lost/ stolen.
14. Take regular offline backup of your phone and external/internal memory card.
15. Before transferring the data to the Mobile from the computer, the data should be scanned with an Antivirus having the latest updates.
16. Do not open any links shared through SMS or social media, etc., where the links are preceded by exciting offers/discounts, etc., or may claim to provide details about any latest news. Such links may lead to a phishing/malware webpage/app, which could compromise your device.
17. Report lost or stolen devices immediately to the nearest Police Station and the concerned service provider.
18. Disable automatic downloads on your phone.
19. Always keep an updated antivirus security solution installed.

1. Ensure that Multi-Factor Authentication is configured on the Email Account.
2. All unwanted and unsolicited emails are known as 'junk email' or 'spam'. Never reply to such emails.
3. Do not share the email password with any unauthorized persons.
4. Do not use any unauthorized/external email services for official communication.
5. Do not click/open any link or attachment contained in emails sent by unknown senders. Ensure the authenticity of the sender before opening the attachment in the email. Check for headers of the original mail to check the authenticity.
6. Reviewing your Gmail account activity regularly will provide you with helpful information about what's going on with your account. Click the Details link next to the Last account activity line at the bottom of any Gmail page to view your account activity.
7. Be cautious while opening emails with attachments and hyperlinks in your email. Observe extra caution with documents containing macros while downloading attachments, always select the "disable macros" option, and ensure that protected mode is enabled on your office productivity applications like MS Office.
8. Be aware of current social engineering attacks and do not install any files in computer systems based on the directions over the phone/mobile, wherein the caller would be pretending to be someone very important government official, and insisting on urgency to download the files sent over email.
9. Be cautious of unsolicited contact from a seemingly known associate, family member, or law enforcement agency. Scammers will often use similar emails and assume the receiver will not look closely. Example: xxxxxx.iitj.ac.in@gmail.com/ xxxxxx.iitj.ac.in@yahoo.com instead of xxxxxx@iitj.ac.in.

1. Perform a low format of the removable media before its first usage.
2. Perform a secure wipe to delete the contents of the removable media.
3. Scan the removable media with Antivirus software before accessing.
4. Secure the files/folders on the removable media by encryption.
5. Always protect your documents with a strong password.
6. Do not plug in the removable media on any unauthorized devices.
7. Disable auto-run functionality of the removable media while plugged into the computer system.
8. Do not use a removable disk in unsecured systems.

1. Limit and control the use/exposure of personal information while accessing social media and networking sites.
2. Always check the authenticity of the person before accepting a request as a friend/contact.
3. Use multi-factor authentication to secure social media accounts.
4. Do not click on the links or files sent by any unknown contact/user.
5. Do not publish or post, or share any internal government documents or information on social media.
6. Do not publish or post, or share any unverified information through social media.
7. Do not share any official documents through messaging apps like WhatsApp, Telegram, Signal, etc.
8. Avoid sharing private information such as home address, private pictures, phone number, Aadhaar Number, or any other private or official information publicly on social media.
9. Review the social media privacy settings to ensure the level of security for personal networking profiles.
10. Avoid clicking on Ads that promise free money, prizes, or discounts.
11. Ensure location services and geo-tagging features are off and switched on, only when required.
12. Do not use the Government emblem, insignia, etc. in your posts.
13. Do not unnecessarily post addresses, telephone numbers, bank details, etc, as these could make you, your friends, and family a target.
14. Do not reveal the exact posting and nature of work if you are posted in a sensitive department.

1. Enable password authentication to enter the meeting room.
2. Enable the waiting room feature in video conferencing software.
3. Lock the meeting once all the participants have joined.
4. Turn off the screen sharing functionality and remote monitoring features.
5. Be careful about clicking on links and opening documents.
6. Be careful what you show in the background.
7. Be careful what is on your screen before using the screen-sharing function.
8. Turn off anything that gives the app too many permissions.

1. Always set automatic updates for the Operating System, Anti-Virus, and Applications as envisaged in earlier points.
2. Configure web browsers to block pop-ups, disable unnecessary plugins, and enable secure browsing features.
3. Enable hidden file & system file view to find any unusual or hidden files.
4. Type %temp% in "Windows Run" and delete all entries after opening any suspicious attachments.
5. Open Command Prompt and type netstat -na. Check out the Foreign established connection with IP addresses and their ownership.
6. Type "msconfig" in "Windows Run" and check for any unusual executables running automatically.
7. Check the Network adapter for data/packets received and sent. If the outgoing / sent is unusually high, then it is very likely that the system is compromised.
8. Always be cautious while opening attachments, even from known sources. Try to use non-native applications for opening attachments (as an example, use WordPad to open a Word document).
9. When in doubt, better to format the Internet-connected computer instead of performing some "patchwork".
10. Prohibit any remote logon to the system (RDP, SMB, RPC) for local administrators.
11. Check regularly if any unusual applications are running from %appdata%, %tmp%, %temp%, %localappdata%, %programdata% directories. For Linux,  you can view Running Processes with the top command. The top command interactive mode starts, shows the process IDs, the users, the amount of memory and CPU power each process uses, the running time, etc. To terminate an unwanted process, a kill command can be used. The syntax is: kill [process ID].

1. When connecting to a Wi-Fi network, always connect to secure networks. Avoid using unsecured public Wi-Fi networks for sensitive tasks. When connecting to the institute network from outside, use the institute VPN (Virtual Private Network) services.
2. Do not share internet access credentials with others.
3. Do not enter your IITJ password in a non-IITJ domain website (URL not ending with the pattern iitj.ac.in). Usually, CC/DIA does not ask you to log in to any interface with an IP address as a URL
4. Do not install any network switches and Wi-Fi Access points/routers without informing Digital Infrastructure and Automation (DIA).
5. For security reasons, it is completely forbidden to use a personal Wi-Fi AP in a hostel and to connect to the campus LAN.
6. Avoid connecting personal devices to unsecured networks, such as unprotected public networks.
7. Avoid submitting sensitive information when using public Wi-Fi.

1. Be vigilant of suspicious/unsolicited communications from unknown individuals. Be particularly wary of individuals who seem to be overly interested in personal/professional life, or who ask for sensitive information. The beginning signs of these interactions may be such as liking every post, commenting/complementing almost every post..
2. Any content (post, picture, blog, profile info, etc) posted on social media should not reveal any sensitive information like Rank/Department/Unit/Current Project/Uniform/Tour Plan, etc., in the backdrop.
3. Clicking/opening advertisements or any downloadable content shared by the unknown should be avoided, as it may lead to installing malware on the systems.
4. Steer away from unknown dating sites and do not trust generous offers.
5. Do not meet any unknown or little-known person in any shady or lonely places like hotel rooms, etc.
6. Do not engage in video calls from unknown numbers on social media platforms like WhatsApp, Facebook, Telegram, Signal, etc.

1. Change default credentials for the wireless admin console and network.
2. Update wireless router firmware regularly.
3. Turn off remote management functionalities like WPS and Universal Plug and Play (UPnP).
4. Enable MAC address filtering and MAC binding to keep unauthorized devices away from wireless networks.
5. Keep wireless networks down when not in use.
6. For initial setup, it is recommended to contact the DIA support team.

1. Do ensure that no sensitive information is passed over on telephone.
2. Always check the identity of the Caller before entertaining the call.
3. Do not get nervous if a caller identifies himself/herself as a superior officer, especially if you cannot identify him/her. Do take the number and call back after informing your senior officer.
4. Bring to the notice of your senior officer and the DIA team if you find any infringement of instructions on the security of telephones.
5. Do not discuss official matters over the telephone and other social media platforms with friends/family members and unauthorized persons on any telephone, i.e, official/ residence/mobile.
6. Do not disclose the whereabouts/movements of officials of your setup, Senior officers/VIPs/VVIPs to unauthorized/ unidentified callers. Do not disclose important events/dates to anyone on the telephone, in case you are not sure about the person at the receiving end.

If you suspect a cybersecurity incident or data breach, report it by sending an email to Digital Infrastructure and Automation (DIA) immediately at (cybersec@iitj.ac.in).

Remember that cybersecurity is a shared responsibility, and your actions are crucial in maintaining a secure academic environment. Stay vigilant, stay informed, and help protect your institute's digital assets and personal information.

The following resources may be referred to for more details regarding the cybersecurity-related notifications/information published by the Government of India: