Transcript Slide 1

A secure environment for digital
information begins with you, and
quite possibly ends with you.
Learn how you can practice good
security principles to protect
sensitive information both at home
and work.
• We use computers in virtually every aspect of our lives.
• With the onslaught of online threats such as identity
theft and spyware, engaging in safe online behavior is
crucial.
• When the information exists in a digital or electronic
format, additional steps must be taken to ensure the
protection of the information.
• We must understand the risks, along with the steps we
can take to help protect ourselves, our information and
the information of others entrusted to us.
Personally Identifying Information (PII) is information that can be
used to identify, locate or contact someone, such as:
• Social Security Number
• Driver’s License Number
• Legal Name
• Credit Card Number
• Full Address
• Phone Number
• Medical Information
This Personally Identifying Information, when it exists in a digital or
electronic format, could be stored on your PC or pass through it:
• In a database
• In an application
• While being transmitted over a network (web, ftp, email attachment)
• In a report or document
Volunteered by you while:
• Applying for online services
• Making online purchases
• Applying for Federal Financial Aid
Traded by your servicers or vendors for:
• Research
• Other 3rd Party Vendors
• Affiliated Organizations
Can potentially cause:
• Physical or reputational harm to you and/or your family members
• Embarrassment and liability to the university or to its faculty members,
staff members, students, alumni, friends, or business partners
Or financial fraud by:
• The use of stolen identities to open credit cards and charge items in the
victim's name
• The use of stolen identities for phone or utilities fraud to obtain wireless
phones, wireless service or other utility services
• The use of stolen identities to create counterfeit checks from the victim's
bank, take out a loan or even obtain medical benefits
Identity theft figures reported by the
Federal Trade Commission in 2007:
• Over 8 million U.S. residents were victims of
identity theft.
• On average, victims spent $531 repairing the
damage and 25 hours clearing up the situation with
financial institutions.
• The total cost of identity theft in the U.S. was $49
billion.
• Information Protection through the Legal System
and UNCSA Policies
• Data Security and UNCSA’s Office of Information
Technologies
• The Role of the End-User
• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Payment Card Industry Standards (PCI)
• North Carolina Identity Theft Act
• Federal Privacy Act
• www.uncsa.edu/informationtechnologies/policylist.htm
Deter malicious intent by:
• Maintaining a campus Firewall
• Segmenting network traffic
• Updating operating systems with patches
Detect malicious activities by:
• Running baseline security scans
• Monitoring unusual network traffic
• Virus detection
• Malware detection
Defend resources by:
• Requiring secure, authenticated access to sensitive data
• Physical security of network and servers
To ensure the protection of the information from loss,
corruption, or inappropriate disclosure, you should:
• Understand the risks involved in handling information in
digital form.
• Appreciate the greatly increased vulnerability made possible
by technological conveniences that offer portability, easy
copying, and wide—potentially global—distribution.
• Practice safe computing with password management,
Internet security and dealing with malicious software.
Passwords are used for identification and authentication:
• A combination of a unique user ID and a process of
proving that you are who you claim to be.
A strong password has the following features:
• At least eight characters in length
• Includes at least three of the four character types,
lowercase, uppercase, numbers or special characters
• Not found in any dictionary
• Not based on personal information
• Known only to you
• Based on a phrase to make it easier to remember
• Used for only one account
Treat your passwords with as much care as the
information that they protect
• Don't reveal them to others
• Protect any recorded passwords
• Never provide your password over e-mail or based
on an e-mail request
• Change your passwords regularly
A compromised password can allow direct access to
information or give an attacker a foothold to break into
other, more privileged accounts.
How an attacker can get your password:
• Finding your password written on paper near your
computer
• Finding it stored on your computer in plain text
• Simply guessing it based on personal
information
• Social engineering to trick you into revealing it
• Cracking it with software
Internet activities that expose you to risk:
• Email
• Web Browsing
• Instant messaging
• File Sharing (ftp, peer-to-peer)
• Email can carry attachments which are actually
viruses
• Stay away from .bat, .com, .exe, .vbs
• UNCSA runs a virus scan on your email before you
receive it
• Consumer email systems such as Gmail, Hotmail and
others pose security risks, so they are unsafe
for sending sensitive information
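As an added example (not from the original presentation or from UNCSA's mail system), the following routine screens attachment names against the extensions the slide warns about. It handles two cases the slide does not spell out: mixed-case names and double extensions such as "Invoice.PDF.exe", which look like documents when Windows hides known file extensions. The file names in the usage section are constructed.

```python
"""Flag email attachments whose real extension is an executable type."""

# Extensions the deck tells users to stay away from; extend the set as needed.
BLOCKED_EXTENSIONS = {"bat", "com", "exe", "vbs"}


def attachment_extension(filename):
    """Return the true final extension, lowercased.

    Trailing dots and spaces are removed first because Windows drops them when
    saving, so "setup.exe." is really "setup.exe".
    """
    cleaned = filename.strip().rstrip(". ").lower()
    if "." not in cleaned:
        return ""
    return cleaned.rsplit(".", 1)[1]


def is_risky_attachment(filename, blocked=BLOCKED_EXTENSIONS):
    """True when the attachment's real extension is on the blocked list."""
    return attachment_extension(filename) in blocked


def screen_attachments(filenames, blocked=BLOCKED_EXTENSIONS):
    """Split attachment names into (allowed, flagged) lists."""
    allowed, flagged = [], []
    for name in filenames:
        (flagged if is_risky_attachment(name, blocked) else allowed).append(name)
    return allowed, flagged


if __name__ == "__main__":
    # Constructed sample attachment names.
    sample = ["photo.jpg", "Invoice.PDF.exe", "notes.txt", "run.bat", "setup.EXE."]
    ok, bad = screen_attachments(sample)
    print("allowed:", ok)
    print("flagged:", bad)
```

Because only the final extension decides the outcome, a name like "report.exe.txt" is treated as a text file; the check is a first filter in front of the virus scan the slide mentions, not a replacement for it.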
When browsing the web, you choose to connect to a server and ask
it to send files to your computer, so:
• Think before you click on a link
• Only go to trusted sites
• Read all dialog boxes carefully
• If you do not need cookies for a web site, make
sure your browser does not automatically accept
them
• Block pop-up windows
Instant messaging can be a valid tool; however, there are security
concerns:
• It requires opening a port to the Internet,
creating a route of attack
• Messages are not encrypted, so do not send confidential
information
• It can create an opportunity for phishing attacks
and viruses
File Transfer Protocol (FTP) is an application protocol used to move
large files over the network.
• Standard FTP is unencrypted, so confidential information
should not be sent via this method.
Peer-to-peer (P2P) applications allow file transfers between
computers over a network.
• P2P applications are vulnerable to malicious software and
spam.
• These applications are well known for being used to illegally
share copyrighted material.
Network file sharing via Windows and other operating
systems can allow an attacker to place viruses on, or remove data from,
remote hard drives.
Malware is a general term for any software which
can cause damage, misuse a resource or steal
information from a PC, server or network device.
The major types of malware are:
• Viruses
• Trojan Horse
• Worms
• Spyware
Viruses are sections of malicious code which are typically
hidden in other valid code, such as:
• Application software
• Macros in documents
• Boot code for a PC or server
They are usually activated by opening:
• A file
• A web page
• An email
Worms are similar to viruses, sections of malicious code
which are typically hidden in other valid code, but:
• They do not require an action to activate
• They seek other vulnerable machines to infect
• Their new instances then seek more computers
Trojan horses are sections of malicious code which are typically
hidden in other valid, often free, code like:
• Media Files
• Games
• Application Software
• File Sharing Software
Once activated, they usually allow:
• Additional access for the attacker
• File manipulation
Spyware is a category of malicious software which harvests a wide range of
information, including personal and confidential data, from a host.
You can become infected with spyware when it is bundled with other
software.
It is not a virus and does not replicate itself once on your system.
This software can gather:
• Keystrokes of the user
• Screen images
• All types of data such as usernames/passwords, credit card information
and other PII.
Spyware can also display advertising banners or multiple clickable windows of
third-party products and services, which can slow down your computer.
To summarize, malicious software can attack you at
home or at work through:
• Email links
• Email attachments
• Email with malicious scripts
• Software vulnerabilities
• Instant messaging
• Pop-up Windows
• Web pages with malicious scripts
To minimize the possibility of sensitive data loss
and to prevent infections, follow these guidelines
with:
• Antivirus Software
• Anti-Spyware Software
• Firewall Software
• Updating Patches
• File Backups
• Locking Screen Savers
Each PC should have some type of antivirus software
installed on it.
McAfee is the software of choice for UNCSA.
Information Technologies has a software library which
allows you to check out a copy of McAfee to install on
your personal machine.
It is crucial that any antivirus software is consistently
updated with the latest virus definitions, so that as
new viruses are discovered your PC will be on the
lookout for them, and that a full system scan is
scheduled weekly.
Anti-spyware software detects spyware and adware
on a PC and attempts to remove it.
Sometimes spyware can be difficult to remove and can
require a reinstallation of the operating system.
The new software of choice is Malwarebytes and
SUPERAntiSpyware, which can be downloaded at
Download.com.
A firewall can protect a PC from the Internet by
hiding it, filtering unwanted traffic, and limiting
access by others outside of the firewall.
Firewall software and network devices can monitor
and report on who is trying to gain access and what
types of communication are being blocked.
Information Technologies maintains a firewall
device at our network ‘front door’ so local firewall
software is deactivated on each PC on campus.
Updating operating system software and application
software is critical in this ever-changing
environment.
Vulnerabilities are constantly being discovered and
attackers quickly move to exploit those holes until
software vendors supply patches.
Most of the machines on campus are set to
automatically download and install updates, does
your machine at home do the same?
If you have ever lost critical information, you probably now
have a way that you periodically copy your information to
another secure environment for archiving.
Why wait? Users on campus have their ‘z – drives’, which is
server storage that is then additionally backed up and stored
in an off-site secure location.
Is your important, sensitive, nostalgic data at home being
burned to a CD, DVD, thumb drive, portable backup device, etc.?
AND is the media on which you have stored that
information treated with the same security concerns?
As part of physical security, a simple way to protect
your machine from unauthorized access is to set the
screen saver to engage within a short time period,
such as ten minutes and have it require your
password upon exiting.
You can also lock the screen manually at any time by holding
down the Windows key and pressing L.
Security of sensitive information is critical whether
at home or at work. When working on University
business at home, your pc should have the necessary
tools to ensure the confidentiality and control of
that data. To be aware of the vulnerabilities is the
first step. The next step requires you to do your part
in closing off those vulnerabilities.
So, it is up to me, and you.
Time for questions.