Information Security - Queensborough Community College


Why Are We Here Together
Introduce Myself
• Because of the many incidents throughout the country, and at universities in particular, of identity theft and security breaches, CUNY has made a security course available online.
• Because that course was commercially developed, it was designed on a corporate and factory model.
• I was tasked to create a revised presentation which would be relevant to the college and university environment in general, and QCC in specific.
• The University wants everyone to become aware of the dangers of the problem and how to protect yourself and your computers at home and at work
• CUNY wants to make sure that QCC and all colleges are taking this seriously
• By taking the course together we can answer questions that may arise for you
• Booklet
• A little more than an hour – if anyone has to leave to make a class just do so
Play Video CCNY – Open With VLC
1
Some Recent Headlines
• Computer Containing 7,000 CUNY Students Personal
Information Stolen Weeks Ago (City College, Daily News,
9/7/10)
Laptop Lost or Stolen
• U.S. Workers on Alert After Breach of Data (New York
Times, 11/6/10) 12,000 affected; 1-yr credit reporting;
$25,000 id theft insurance
• Security Breach Leaves 45,000 at Risk of Identity Theft
(Cornell, Cornell Daily Sun, 6/24/09)
Stolen Laptop; college providing credit reporting
and id theft insurance
• University of Virginia victim of $996,000 cyber attack
(eweek.com 9/3/10)
• Saint Anselm College Alumni Mailing Exposed SSN
(9/17/10)
• Service members Face Identity Theft (New York Times,
12/7/10)
SSN Hijacked
2
Get Started on the Security Course
1. This course will help you in the office, and especially with your home computer, to keep you from becoming a victim of identity theft and cyber attacks on your computer.
• About the film you just saw about City College: YOU MAY HAVE THOUGHT THAT A PASSWORD PROTECTED COMPUTER WAS SAFE. BUT THE HARD DRIVE CAN BE REMOVED AND INSTALLED IN ANOTHER COMPUTER AND THE DATA RETRIEVED.
• Head of Office will be responsible to the students and public.
2. Go to the site: http://security.cuny.edu
3. Click on the lock. You should be directed to the site: http://www.enterprisetraining.com/cunycourse.htm
4. Enter Name, Email Address; for code, select “None”; from dropdown “Your Role at CUNY” select from among Student, CUNY Faculty Member, or CUNY Employee; from dropdown select Queensborough Comm College
5. Click on Proceed to CUNY Security Awareness Course
3
Identity Theft
• Fastest Growing Crime in America
• Avoid being a victim by adopting
safeguards while handling sensitive
personal information
Ask if anyone here has been a victim of identity theft
Skip “Understand Information” and go to “Identify the Need for
Cybersecurity” after presenting Information Security Two Pages
4
NO SLIDE
Information Security
Safeguarding information from:
1. Misuse
2. Theft
3. Loss
4. Damage
ONE OF TWO PAGES RELATING TO SLIDE
CONTINUE NEXT PAGE
5
Information Security
• Safeguard Information – Ensure:
• Confidentiality
(Transport data securely with
encryption)
• Integrity
• Availability to Authorized Users
(CUNY First passwords)
If your computer is compromised it can
compromise all linked computers
Why do we have Passwords?
6
GO TO IDENTIFY THE NEED FOR CYBER SECURITY
THERE ARE TWO CYBER SECURITY SLIDES AND A
PAGE OF COMMENTARY FOR EACH
Cyber Security
• Is the protection of data and systems
connected to the internet
• Deter – Detect – Defend Against
Information Theft Attacks
• Desktops, laptops, cell phones, wireless
gadgets, PDAs
• Proliferation due to the increased use of
the internet
7
Cyber Security
How many of you are on Facebook? It makes its money by selling
your information
• Safeguards reduce the risks and minimize
the damage that can be caused by cyber
attacks
– Precautions must be taken in using social
networking, e.g., Facebook, YouTube, and
Twitter
HOLD THE NEXT SLIDE UNTIL AFTER CYBER
SECURITY AT QCC COMMENTARY
8
Computer Security is Everyone’s Job
Your QCC desktop attached to the
campus network has:
• McAfee VirusScan Enterprise software that guards
against threats
• Internal Firewall security
• FireEye anti-spyware, a gateway appliance, to protect
computers from being taken over by external sources
• Barracuda, another gateway appliance, to remove
malware and viruses coming from external websites
• McAfee software to remove external spam
• External Firewall wraparound security for campus wired
and wireless network
• Central Office has its own security in place
9
HOLD FOR 4 SLIDES TO FINISH
Social Engineering Exploits
• Can provide an end-run around the most
extensive security barriers
• Type of attack on sensitive information
• Targets individuals not equipment
• Requires individuals to take action for its
success
• Uses trickery and deceit
• Often presents a deceitful link
• No one connected with CUNY will ever ask
for your password
Show security headlines document
10
Phishing
• A social engineering exploit
• An internet scam
• Designed to gain access to
Social Security Numbers
Credit Card Numbers
Passwords
• Often asks you to respond to email to provide updated
information
• Do not respond to such requests; do not click on any links
• Responding indicates that the email account they
located belongs to a real address and person
• Robocalls
READ EPSILON LETTER CHASE
11
Pharming
• The creation of a fraudulent website that
embodies real web pages to obtain confidential
information
-Study web address
-Legitimate secure sites should have “https” in
their web address and the icon of a lock on the
status bar
N.B. OPEN IN A NEW TAB
-If you receive a message “This Connection is
Untrusted” from your browser do not proceed
12
Spoofing
• An email that pretends to come from a trusted source or one known
to you
• An email threat that seeks to gain confidential information for
fraudulent purposes
• Seeks information for identity theft
• Often in the guise of a PRIZE or AWARD that requires your social
security number or credit card information
• Can be the result of hijacking of one’s email address book
• At QCC a dean recently had to send out this message after her
email address book was hijacked: “Someone got into my password
and sent a message entitled ‘Hello, Friend’ – please disregard.
Sorry for the inconvenience.”
SECTION AT BACK OF BOOKLET WITH EXAMPLES
13
• After “Identify Social Engineering Exploits”
go to “Strengthen Desktop Security”.
• Present Guidelines for a Strong Password
• Present Password Protect Your Screen
Saver and Demonstrate at the Desktop
14
Guidelines for a Strong Password
• Use at least seven (7) characters
• Use combination of upper case and lower case
letters, numbers, and symbols
• Try to place a symbol after the first character
• A new password should be significantly different
from your current password
• Do not use common words, your name, or other
words that people associate with you
• Hackers know that users typically start a
password with a capital letter and end with the
number 1. Do not follow this pattern.
Paula = Daedelus = 1)@eXw3
15
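The guidelines on the slide above, expressed as an automated check. This is an added example, not part of the original presentation; the sample word list, the look-alike substitution table and the 0.6 similarity cut-off for "significantly different" are assumptions.

```python
import difflib
import string

# Constructed sample list (assumption); a real check would load a full dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "college"}
# Look-alike substitutions undone before the word check (assumed table).
LOOKALIKES = str.maketrans("@013$5", "aoiess")
SIMILARITY_LIMIT = 0.6  # assumed cut-off for "significantly different"


def check_password(new, current="", personal_words=()):
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    if len(new) < 7:
        problems.append("shorter than 7 characters")
    classes = {
        "upper case letter": any(c.isupper() for c in new),
        "lower case letter": any(c.islower() for c in new),
        "number": any(c.isdigit() for c in new),
        "symbol": any(c in string.punctuation for c in new),
    }
    problems += [f"missing {name}" for name, found in classes.items() if not found]
    # The predictable shape named on the slide: leading capital, trailing 1.
    if new[:1].isupper() and new.endswith("1"):
        problems.append("starts with a capital and ends with 1")
    # Common words and words associated with the user, even when disguised
    # with look-alike characters such as @ for a or 0 for o.
    normalized = new.lower().translate(LOOKALIKES)
    for word in sorted(COMMON_WORDS | {w.lower() for w in personal_words}):
        if word in normalized:
            problems.append(f"contains the word '{word}'")
    # A new password should be significantly different from the current one.
    if current:
        ratio = difflib.SequenceMatcher(None, new.lower(), current.lower()).ratio()
        if ratio > SIMILARITY_LIMIT:
            problems.append("too similar to the current password")
    return problems


if __name__ == "__main__":
    for candidate in ("1)@eXw3", "Paula2011", "P@ssw0rd1"):
        print(candidate, check_password(candidate, personal_words=["Paula"]))
```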
Password Protect Your Screen
Saver
• If you step away from your desk while your computer is
on, your information will not be accessible to anyone
• To password protect your computer right click an empty
space on the desktop, select properties, select screen
saver, check “on resume, password protect”
• You may select and adjust the number of minutes before
screen locks
• When locked you will see message “This Computer is in
Use and has been locked”
• Control + ALT + Delete
• Enter your desktop password
GO TO DESKTOP and RIGHT CLICK PERSONALIZE
16
Password Protect Your Smart
Phone
• You can and should password protect your
smart phone, on which you can send and receive
email and surf the internet,
• and on which you have contact information
• The iPhone, Android, and BlackBerry phones
have this feature.
• If the phone is lost a third party cannot readily
access your data.
17
Downloading Software Guidelines
• Downloading copyright protected files off the internet is an infringement of the copyright owner’s exclusive rights of reproduction and/or distribution and is very dangerous to your computer
• Files which can be downloaded over peer-to-peer networks, e.g., BitTorrent, are primarily copyrighted works
• Authorized services that allow copyrighted works to be purchased online, e.g., iTunes, eliminate the risk of infringement
• Authorized services can also limit the exposure to other potential risks like viruses and spyware
• If the use is business related, a college or university software agreement may exist
• We recommend that you do not download to your college computer software that is not work related. The only software on your office computer should be supplied by QCC
• Be very careful in deciding to download software to your home computer
18
Encryption/Decryption
A type of file protection that
disguises the file contents
• File cannot be read by unauthorized users who have not been given the key used to encrypt or disguise the contents
• Sensitive material or private information includes, but is not limited to, social security numbers, driver’s license or non-driver identification card numbers, credit, debit, or other financial account numbers.
• Sensitive material should never be emailed
• Sensitive material should never be stored in “the cloud” or with other third party storage systems.
• If you have need to transmit or receive sensitive material to or from others on campus, IT will install Webdrive encryption software on your computer.
• If you have need to transmit sensitive material outside of QCC to other CUNY units, or outside of CUNY to other colleges or entities, Tumbleweed software must be used. You can open a Tumbleweed account at the CUNY portal.
• Sensitive material may not be taken between campus and home without express approval of the Vice President of Finance and Administration
• Sensitive material may only be transported between campus and home if encrypted.
• IT will supply encrypted flash drives for the approved use of faculty and administration
19
Disposing and Deleting Sensitive
Files
(Student Personal Data)
• Safe Disposal: Erase floppy disks, hard drives, flash
drives, and tapes; Shred paper documents; Break CDs
in half.
• Deleting a file does not erase the data from the
computer. It is still retrievable by others.
• Deleting a file deletes the pointer to the data and not the
data itself.
• To safeguard deleted data from others be sure to empty
your cache, and trash or recycle bin.
• When IT removes your old computer and it is readied for
disposal utilities are applied to the computer to totally
wipe out data.
Go from outline of “Implementing File Security” and discussion
of Encryption and Decryption to “Guarding Against Attacks”
20
Defend Against Email Attacks
• Most security breaches occur via email
attachments and surfing websites
• Almost everyone uses their computer for
some form of personal, professional, or
institutional email
• Email attacks can affect one computer or
all linked computers
21
Malware
Malicious Code
• Crashes program or computer
• Loss of data
• Computer can be controlled by attackers
• Unauthorized access to sensitive data
• Internet browser redirected to harmful or dangerous websites
22
Virus
• A computer program that attaches itself to your computer and replicates itself
• It may run or lurk in the background
• Will be on executable files, e.g.:
.Bat
.Com
.Exe
.Scr
.Shs
23
Trojan (as in Horse)
• Malicious program masquerading as
harmless
• Does things user does not expect
• May locate passwords
• May destroy programs or data
• Sneak in with illegal downloads of games,
utilities, software, or music
24
SPAM
• Unsolicited and Unwanted email
• Can overload mailbox or mail servers
• May contain viruses, pharming, phishing,
or spoofing
• May direct you to another site
• Due to filters applied by IT to incoming
email to QCC, only a fraction of the spam
that you are sent reaches your inbox
25
Virus Hoaxes
• Never act on emails, even from friends,
urging you to delete files or forward emails
regarding hoaxes except from QCC IT
Security.
26
Hacking
Stieg Larsson and Lisbeth Salander 35 million copies
• Illegally creating or altering hardware and
software
• Illegal hacking destroys or disrupts data
• May engage in illegal activities on your
computer and in your name
• Vital information falls into the wrong hands
27
4 SLIDES – HOLD COMMENTARY UNTIL AFTER VIRUS SCANS
Virus Protection Software
• Your office computer is protected by virus protection software and updates are applied automatically
• Computer program that identifies and removes malware from your computer
• Software Engine
• Virus Definition Files
• Download Updates
• Virus Scans check computer for malware
• Your office computer scans for viruses upon start up
• Your home computer must be continuously or regularly updated by downloads
* Free virus protection software is available to you from the CUNY Portal eMall: Symantec Antivirus Software
28
GO FROM VIRUS SCANS TO BLOCK SPYWARE
Spyware
• Intercepts or takes control of computer
• Tracks surfing and activities for commercial use
• Infected computer will be:
slow
crashes often
• See pop-ups when not on internet
• Changes internet sites without your control
• Often attached to free-to-download “cute” utilities
and applications.
29
Block Spyware
• Use Anti-Spyware Programs
• Use Pop-Up Blockers
• Adjust Security Settings for maximum
control
30
If your office computer is infected
• Call the Help Desk – x 6348
31