Information Security
2013 Roadshow
Roadshow Outline
Why We Care About Information Security
Safe Computing
• Recognize a Secure Web Site (HTTPS)
• How to Spot a Spoofed Web Site
• Recognize a Phishing Attempt
• What is Social Engineering
Privacy and Compliance
• PCI/HIPAA/FERPA
• Policy
• Privacy and Best Practice
Why We Care About Information Security
Personal Reasons:
Identity Theft
Loss of Data
Financial Loss
Poor Computer Performance
Institutional Reasons:
Protect Middlebury College
Compliance with Laws and Standards
Prevent Reputational Damage
Reduce Legal Liability for the College
As Well As the Personal Reasons Listed Above
How do I Know a Web Site is Secure?
• HTTPS in the address bar is an indicator of a secure web site.
• A web site encrypted with SSL should display a padlock icon near the address bar.
• Not all devices or browsers display these indicators the same way.
What is a Spoofed Web Site
• Just because the site looks like Middlebury does not mean it is
• Check the address or URL
• Never enter login information unless the site is secure and you have checked the URL
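As an added illustration (not part of the original slides), the following Python check applies the two rules above to an address before login information is entered: the scheme must be HTTPS, and the host shown in the address bar must really belong to middlebury.edu or miis.edu (the two domains the slides link to). The sample addresses are constructed; the decoy hosts do not refer to any real site.

```python
from urllib.parse import urlsplit

# Domains the slides point users to (go.middlebury.edu, go.miis.edu live under these).
TRUSTED_DOMAINS = ("middlebury.edu", "miis.edu")


def check_login_url(url: str, trusted=TRUSTED_DOMAINS) -> tuple[bool, str]:
    """Apply the slide's two rules before entering login information:
    the page must use HTTPS, and the host in the address bar must really
    belong to a trusted domain. Returns (ok, reason)."""
    parts = urlsplit(url.strip())
    # Rule 1: HTTPS in the address bar.
    if parts.scheme.lower() != "https":
        return False, "not HTTPS"
    # .hostname drops any 'user@' prefix and port, so a decoy such as
    # https://middlebury.edu@evil.example/ resolves to the real host evil.example.
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    # Rule 2: check the address. Non-ASCII or punycode (xn--) labels can be
    # look-alike characters a person cannot tell apart, so reject them outright.
    labels = host.split(".")
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in labels):
        return False, "host uses internationalized characters"
    # Only the exact domain or a true subdomain counts. 'middlebury.edu.evil.example'
    # and 'rniddlebury.edu' both fail here even though they look right at a glance.
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return True, f"host is under {domain}"
    return False, f"host {host!r} is not under a trusted domain"


if __name__ == "__main__":
    # Constructed sample addresses (not from the slides) exercising each rule.
    for sample in (
        "https://go.middlebury.edu/handbook",
        "http://go.middlebury.edu/handbook",
        "https://middlebury.edu.evil.example/login",
        "https://middlebury.edu@evil.example/login",
        "https://rniddlebury.edu/login",
    ):
        print(sample, "->", check_login_url(sample))
```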
How to Spot Phishing
• Forward all suspected Phishing messages to [email protected] before deleting the message.
• If you fall victim to a phishing attack RESET your password immediately and then call the Helpdesk.
What is FakeAV
• Tries to look like regular AV
• Clicking on the warning will download a virus
• Often the best bet is a hard shutdown of the system
• Know what your AV warnings look like
• Sophos anti-virus does offer some web protections which help to prevent the download activity of FakeAV.
Social Engineering
• Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims. (From Wikipedia)
Examples:
• You are in a hotel and receive a call from the front desk to confirm your credit card details.
• You receive a call at work from support services asking for your password to fix a problem on your computer.
• You are at home and get a call from the College help desk asking for your login information to reset your email account.
What Laws Protect Information Here at Middlebury
• Family Educational Rights and Privacy Act (FERPA) = Student Data
• Health Information Portability and Accountability Act (HIPAA) = Health Data
• Sarbanes-Oxley Act (SOX) = Financial Data for Businesses
• Gramm-Leach-Bliley Act (GLBA) = Financial Data for Lending Institutions
• VT Act 162 = Data Breach Notification & SSN Handling
• Payment Card Industry Standards (PCI-DSS) = Credit/Debit Card Data
What Policies Protect Information Here at Middlebury
• Privacy Policy = Confidentiality of Data
• Network Monitoring Policy = Protection of College Technology Resources
• Incident Response Policy = Response to Information Security Events
• Data Classification Policy = Defines Data Types
• Red Flags Policy = Identity Theft Protection
• PCI Policy = Payment Card Data Handling
College Policies Live Here: http://go.middlebury.edu/handbook
What are Some Best Practices
Do
• Look for HTTPS and other key address indicators when you are going to different web sites.
• Use a strong challenge question in Banner SSB
• Redaction – remove or mask (block out) personally identifiable information when sharing data
• Be suspicious of unsolicited email or phone calls.
• Lock your computer or secure information when you leave your work space.
• Use Anti-Virus on both your work and home systems
• Use secure passwords which you change often. This also applies to mobile devices.
Do Not
• DO NOT write down or share your passwords
• DO NOT store confidential data on unencrypted thumb drives or other unsecured media
  - if you need to transfer the data, encrypt the file or password protect the file and keep a master copy on the server.
• DO NOT place confidential data in email
  - email a link to where the file is stored. While file links may not be as easy as a web link to add to an email or document, they are much more secure than attaching a document. Windows Explorer can show you the path to the location of the file.
• DO NOT record sensitive data on the College web site, blog or Wiki
Discussion and Links
Please share your thoughts!
Information Security Resources:
http://go.middlebury.edu/infosec
http://go.miis.edu/infosec
Report Information Security Events To: [email protected]