Introduction to
Information Security
Office of the Vice President for Information Technology
Mr. Corbett Consolvo, IT Security Analyst
Ms. Lori McElroy, IT Security Officer
Agenda
Introduction
The State of Texas State’s Information Security program
Appropriate Use Policy
Confidential Information
Identity Finder demo
Current Threats and Protections
Best Practices
Q&A
http://security.vpit.txstate.edu
[email protected]
Information Security
What’s Information Security?
The protection of data against unauthorized access. This includes:
– How we access, process, transmit, and store information
– How we protect devices used to access information
– How we secure paper records, telephone conversations, and various types of digital media
The State of Texas State’s
Information Security Program
Comprehensive Set of Security Policies, Practices, and Services for:
– Network Access Management
– Threat Management
– Incident Management and Response
– http://security.vpit.txstate.edu/services.html
Information Security Program
Compliance
Texas State University Policies
– Appropriate Use of Information Resources (UPPS 04.01.07)
  • http://www.txstate.edu/effective/upps/upps-04-01-07.html
– Security of Texas State Information Resources (UPPS 04.01.01)
  • http://www.txstate.edu/effective/upps/upps-04-01-01.html
– Appropriate Release of Information (UPPS 01.04.00)
  • http://www.txstate.edu/effective/upps/upps-01-04-00.html
Other federal and state laws
– Texas Administrative Code, Chapter 202 (TAC 202)
– TPIA – Texas Public Information Act
– FERPA – Federal Educational Rights & Privacy Act
– HIPAA – Health Insurance Portability & Accountability Act
– GLBA – Gramm-Leach-Bliley Act
Information Security Program
Awareness
Annual Cyber Security Awareness Month – October
– October 22nd, LBJ Student Center 10am-3pm
Introductory and technical security classes
TXState security discussion lists:
[email protected]
[email protected]
File sharing risks outreach
– H.R. 4137, the Higher Education Opportunity Act
– http://security.vpit.txstate.edu/awareness/digital_copyright-p2p-filesharing.html
– University Seminar
– CSAD
– Notice to students and parents
Appropriate Use Policy
UPPS 04.01.07
Applies to all faculty, staff, and students
Acceptance when you change your password
Appropriate Use Policy
Highlights
Illegal, threatening or deliberately destructive use
Authorized use only
Email use
Circumventing security procedures
Protect your identity
Copyright infringement
Protect confidentiality
Confidential Information
Classes of Information
http://security.vpit.txstate.edu/policies/data_classification.html
Public information
• e.g., job postings, service offerings, published research, directory information, degree programs.
Sensitive information
• e.g., performance appraisals, dates of birth and email addresses, donor information.
Restricted information
• e.g., SSN, credit card info, personal health info.
Confidential Information
Release Precautions
FACT 1: Texas State is a public institution
FACT 2: Texas State is subject to the Texas Public Information Act
FACT 3: TPIA does not make all Texas State information freely available to the public
IMPORTANT NOTE: If you receive a request for information from any external party, and you aren’t certain that the information can be released, consult the Office of the University Attorney before releasing the information.
Confidential Information
Protections
What should you do about phone conversations?
What should you do with printed, scanned, copied, or faxed copies?
Where should you store media or hard copies?
What should you do before disposing of or transferring media (including cell phones)?
– http://www.tr.txstate.edu/itac/repair/hardware-disposal
What about your monitor screen?
Confidential Information
Protections
What should you do before disposing of records?
What should you do if you receive a phone call asking you to disclose information?
What should you do when you walk away from your workstation?
How should you protect your password?
Confidential Information
Discovery
Identity Finder Demonstration
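The demonstration above uses Identity Finder to locate Restricted-class data (SSNs, credit card numbers) sitting in files. The script below is an added example of the same idea in Python; it is not Identity Finder's code and not part of the slides. The regular expressions, the masking rule and the SAMPLE text are constructed for illustration; the card number in the sample is the well-known Visa test number, and the Luhn check is what keeps ordinary digit runs (phone numbers, order references) out of the findings.

```python
"""Scan text for Restricted-class data (SSNs and credit card numbers).

Added example of what a discovery tool such as Identity Finder does; this
is not Identity Finder's code and is not from the slides. The patterns,
the masking rule and SAMPLE are constructed here for illustration.
"""
import re
from typing import Dict, List

# Candidate SSN: area-group-serial (3-2-4 digits), dashes/spaces optional.
# Areas 000, 666 and 9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")
# Candidate card number: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Report only the last four digits; the scanner must not copy the secret."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_restricted(text: str) -> List[Dict[str, object]]:
    """Return one finding per SSN or Luhn-valid card number, with its line number."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append({"class": "Restricted", "type": "SSN",
                         "line": text.count("\n", 0, m.start()) + 1,
                         "value": mask(m.group(0))})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append({"class": "Restricted", "type": "credit card",
                             "line": text.count("\n", 0, m.start()) + 1,
                             "value": mask(m.group(0))})
    return findings


# Constructed sample file contents; the card number is a well-known test number.
SAMPLE = """\
Student records export (constructed sample, not real data)
Name: J. Doe, SSN 123-45-6789, DOB 1990-04-12
Card on file: 4111 1111 1111 1111
Phone: 512-245-4225, order ref 1234567890123
"""

if __name__ == "__main__":
    for f in find_restricted(SAMPLE):
        print(f"line {f['line']}: {f['type']} ({f['class']}) {f['value']}")
```

Run against SAMPLE the scanner reports the SSN on line 2 and the card on line 3 with all but the last four digits masked; the phone number is too short to be a card and the 13-digit order reference fails the Luhn test, so neither is reported.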
Information Security
Current Trends
Symantec – Last six months of 2007
“Professional” hackers are commercializing
– $ is the motivator
– They are selling our information (medical, credit card, identities)
The Web as the focal point
– Where we spend our time and divulge our information
End-users are the primary target
– Phishing, web browsers (plug ins), malware, spam, botnets
– Mobile device security (clever ploys)
Increasing privacy data breaches
– http://www.privacyrights.org/identity.htm
– https://www.ssnbreach.org/
Information Security
Current Threats and Protections
Phishing – what is it and how do I protect myself from it?
– See IT Security Awareness pages for detailed information:
  http://security.vpit.txstate.edu/awareness/phishing.html
– View a video from Microsoft on Phishing:
  http://www.microsoft.com/protect/videos/Phishing/PhishingMSHi.html
– Protections:
  • Do not submit personal information in response to an email
  • Verify the authenticity and security of web sites before entering your personal information (https, certificates)
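The second protection, verifying that a site is genuine and uses https before typing anything into it, can be turned into a quick check a help desk could run on a link that a user reports. The following Python is an added example, not from the slides or Texas State's systems: it requires https, rejects a link whose text before an "@" is not the real host, flags raw IP addresses and punycode host names, and insists that the host is the expected domain or a subdomain of it rather than merely containing the name. EXPECTED_DOMAIN and SAMPLE_LINKS are constructed for illustration; only the first sample link is a real page from the slides.

```python
"""Decide whether a link is safe to enter personal information into.

Added example, not from the slides: it turns the two phishing protections
(https, and a site that really is who it claims to be) into checks.
EXPECTED_DOMAIN and SAMPLE_LINKS are constructed for illustration.
"""
import ipaddress
from typing import List
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "txstate.edu"   # the site the email claims to come from


def check_link(url: str, expected_domain: str = EXPECTED_DOMAIN) -> List[str]:
    """Return the reasons a link should not be trusted; an empty list means it passed."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        problems.append("not https: the site cannot be verified and data is sent in the clear")
    host = (parts.hostname or "").lower()
    if not host:
        problems.append("no host name in the link")
        return problems
    if parts.username is not None:
        # Browsers treat everything before '@' as a user name, not the site.
        problems.append("text before '@' is not the site name; the real host is " + host)
    try:
        ipaddress.ip_address(host)
        problems.append("numeric IP address instead of a site name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("internationalized host name (punycode); check it is not a look-alike")
    # Genuine site: the expected domain itself or a host ending in '.' + that domain.
    # A host that merely contains the name (txstate.edu.example.net) fails here.
    if host != expected_domain and not host.endswith("." + expected_domain):
        problems.append(f"host '{host}' is not {expected_domain} or a subdomain of it")
    return problems


# Constructed sample links; 192.0.2.10 is a documentation (TEST-NET) address.
SAMPLE_LINKS = [
    "https://security.vpit.txstate.edu/awareness/phishing.html",
    "http://txstate.edu.example.net/login",
    "https://www.txstate.edu@example.net/account",
    "http://192.0.2.10/update-your-password",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link)
        for p in check_link(link) or ["no problems found"]:
            print("   -", p)
```

The check only says whether a link is worth trusting at all; it does not replace looking at the certificate the browser shows once the page loads, which is the "certificates" part of the slide's advice.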
Information Security
Current Threats and Protections
SPAM – what is it and how do I protect myself from it?
– Protections:
  • Don’t open emails or attachments from an unknown source
  • Use available filtering/blocking tools
    (http://www.tr.txstate.edu/getconnected/computerservices/e-mailsetup/spam-filter-faq.html)
  • Don’t click on any links in spam
  • Don’t forward spam on to your friends
  • Validate hoax email: www.snopes.com, www.hoax-slayer.com
Information Security
Current Threats and Protections
Spyware – what is it and how do I protect myself from it?
– View a video from Microsoft on Spyware:
  http://www.microsoft.com/protect/videos/Spyware/SpywareMSHi.html
– Protections:
  • Do not download or install untrusted or unknown programs
  • Use anti-spyware software, such as Ad-Aware (www.lavasoftusa.com) or Windows Defender
    http://www.microsoft.com/windows/products/winfamily/defender/default.mspx
  • Demo Windows Defender
Information Security
Download Security Video
EDUCAUSE Computer Security Awareness Video Contest 2006 honorable mention, Act Now – Know Your Sources, by Stephen Hockman, Christina Manikus, John Sease, & Erin Shulsinger, James Madison University
http://www.educause.edu/SecurityVideoContest2006/7103
Information Security
Best Practices
Data Backup
– Regular or automatic backups
– Protect backup media
– Protect sensitive information stored on backup media
– Critical data should be backed up frequently
– Test your recovery
Information Security
Best Practices
System, Software, & Anti-Malware Updates
– Operating system patches
– Anti-Virus and anti-spyware
– Host-based firewalls
– Application software
Automatic or regularly scheduled updates are best
– Demo McAfee
Information Security
Best Practices
User Accounts and Passwords
– Use separate user accounts
  • Administrator accounts for installing software, etc.
  • User accounts for normal usage
– Use strong passwords
  • Mix upper case, lower case, and numeric characters
  • The longer the better, but a minimum of 8 characters
  • Use passphrases
  • Avoid valid dictionary words and proper names
  • Avoid re-using passwords
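The strong-password bullets above are precise enough to be written down as a checker, which is what the Python below does as an added example (it is not from the slides and not Texas State's password system). It assumes a small constructed word list standing in for a dictionary and proper-name list, and a constructed history of previous passwords kept as salted hashes rather than plain text; SALT here is a placeholder, a real system stores a random salt per user. A multi-word passphrase passes because the dictionary rule targets a single word, optionally wrapped in digits or punctuation.

```python
"""Check a candidate password against the rules on the slide.

Added example, not from the slides or Texas State's systems. COMMON_WORDS,
SALT and the previous-password history are constructed for illustration.
"""
import hashlib
from typing import List, Set

# Constructed stand-in for a dictionary and proper-name list.
COMMON_WORDS = {"password", "welcome", "bobcat", "texas", "summer", "austin"}

# Placeholder salt; a real system uses a random salt per user.
SALT = b"example-salt"


def history_hash(password: str) -> str:
    """Hash used to remember old passwords without storing them in the clear."""
    return hashlib.sha256(SALT + password.encode("utf-8")).hexdigest()


# Constructed history of two previous passwords, kept only as hashes.
PREVIOUS: Set[str] = {history_hash("Bobcat2008"), history_hash("Summer!99")}

# Characters commonly wrapped around a word to "strengthen" it.
WRAPPERS = "0123456789!@#$%^&*()-_=+.,?"


def check_password(password: str, previous_hashes: Set[str] = PREVIOUS) -> List[str]:
    """Return the slide rules the password breaks; an empty list means it is acceptable."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_upper and has_lower and has_digit):
        failures.append("needs upper case, lower case and numeric characters")
    # "Bobcat2008" is still the word "bobcat": strip digits/punctuation from the
    # ends before looking it up. A passphrase of several words is not in the list.
    core = password.lower().strip(WRAPPERS)
    if core in COMMON_WORDS:
        failures.append("based on a dictionary word or proper name")
    if history_hash(password) in previous_hashes:
        failures.append("re-uses a previous password")
    return failures


if __name__ == "__main__":
    for candidate in ["summer", "Bobcat2008", "Tx!9bQ7m", "Correct Horse 3 Battery"]:
        print(repr(candidate), "->", check_password(candidate) or ["acceptable"])
```

"Bobcat2008" is rejected twice over: it is the word "bobcat" wearing a year, and it is in the user's history; "Correct Horse 3 Battery" satisfies every rule, including the passphrase advice.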
Information Security
Best Practices
Create strong passwords that are easy to remember
Strong password checker websites
– http://www.microsoft.com/protect/yourself/password/checker.mspx
– http://strongpasswordgenerator.com/
Use different passwords for different functions
– Banking
– Purchasing
– Email
Password management tools
– Password Safe
Information Security
Best Practices
Mobile computing and portable media
– Confidential or Personally Identifiable Information (PII) is your responsibility to protect
  • Use passwords, preferably “power on” passwords
  • Use an additional authentication factor, such as a fingerprint reader on a laptop
– Remove or “shred” all data before disposing or transferring
– Always keep the device with you when you are away from the office (e.g. do not leave it unattended in a hotel room, conference, or your vehicle)
– Laptop theft tracker: http://adeona.cs.washington.edu/
Information Security
Best Practices
Wireless network security
– Texas State University's wireless networks
  • Open network
  • Encrypted wireless network setup:
    http://www.tr.txstate.edu/getconnected/computerservices.html
– Wireless security at home
  • Change the router’s default password
  • Use strongest available encryption
  • Use MAC address restrictions
– Use public wireless networks only for risk-free activities
Information Security
Wireless Security Video
EDUCAUSE Computer Security Awareness Video Contest 2007 bronze award, When You Least Expect It, by Nolan Portillo, California State University – Bakersfield
http://www.educause.edu/SecurityVideoContest2007/713549
Information Security
Best Practices
Identity Theft and Credit Card Fraud
– http://security.vpit.txstate.edu/awareness/idtheft.html
– View a video from the Federal Trade Commission:
  http://www.ftc.gov/bcp/edu/microsites/idtheft/video/avoid-identity-theft-video.html
– Do not give out your personal information unnecessarily
– Limit use on public computers or networks
– Check your receipts for credit card numbers
– Apply for your free annual credit report from all 3 agencies
– Identity Theft IQ Test
Information Security
Identity Theft Video
EDUCAUSE Computer Security Awareness Video
Contest 2007, Out in the Open, Mark Lancaster,
Texas A&M University
http://www.researchchannel.org/securityvideo2007/
Information Security
Best Practices
MySpace and Facebook – most popular
– http://security.vpit.txstate.edu/awareness/social_networking.html
– Use caution when posting personal information
– Photos can be used by a stalker to gather information about you or your family
– Talk about social networking protections with your family and friends
– Limit access to your personal site
– Remember that pages are cached
Information Security
Best Practices – Useful Links
Use secure (https) for Gmail – DEMO
Top 20 Vulnerabilities: http://www.sans.org/top20/
Identity Theft
– http://onguardonline.gov/idtheft.html
– http://www.vpit.txstate.edu/security/items_interest/identity.html
Annual Credit Report
– https://www.annualcreditreport.com/cra/index.jsp
Best Practices
– http://security.vpit.txstate.edu/awareness/best_practices.html
Information Security
How Do I Find Out More?
Texas State Sites
– IT Security – http://www.vpit.txstate.edu/security
– Privacy Rights Notice – http://www.tr.txstate.edu/privacy-notice.html
– Identity theft – http://webapps.tr.txstate.edu/security/identity.html
– FERPA at Texas State – http://www.registrar.txstate.edu/persistentlinks/ferpa.html
Contacts
– Information Technology Security: 512-245-HACK(4225), [email protected]
– Information Technology Assistance Center (Help Desk): 512-245-ITAC(4822) or 512-245-HELP, [email protected]
Q & A