Introduction to Information Security
Office of the Vice President for Information Technology
Mr. Corbett Consolvo, IT Security Analyst
Ms. Lori McElroy, IT Security Officer

Agenda
– Introduction
– The State of Texas State's Information Security program
– Appropriate Use Policy
– Confidential Information
– Identity Finder demo
– Current Threats and Protections
– Best Practices
– Q&A
http://security.vpit.txstate.edu [email protected]

Information Security: What's Information Security?
The protection of data against unauthorized access. This includes:
– How we access, process, transmit, and store information
– How we protect devices used to access information
– How we secure paper records, telephone conversations, and various types of digital media

The State of Texas State's Information Security Program
Comprehensive set of security policies, practices, and services for:
– Network
– Access Management
– Threat Management
– Incident Management and Response
http://security.vpit.txstate.edu/services.html

Information Security Program: Compliance
Texas State University Policies
– Appropriate Use of Information Resources (UPPS 04.01.07)
  • http://www.txstate.edu/effective/upps/upps-04-01-07.html
– Security of Texas State Information Resources (UPPS 04.01.01)
  • http://www.txstate.edu/effective/upps/upps-04-01-01.html
– Appropriate Release of Information (UPPS 01.04.00)
  • http://www.txstate.edu/effective/upps/upps-01-04-00.html
Other federal and state laws
– Texas Administrative Code, Chapter 202 (TAC 202)
– TPIA – Texas Public Information Act
– FERPA – Family Educational Rights and Privacy Act
– HIPAA – Health Insurance Portability and Accountability Act
– GLBA – Gramm-Leach-Bliley Act

Information Security Program: Awareness
– Annual Cyber Security Awareness Month – October
  • October 22nd, LBJ Student Center, 10am–3pm
– Introductory and technical security classes
– TXState security discussion lists: [email protected], [email protected]
– File sharing risks outreach
  • H.R. 4137, the Higher Education Opportunity Act
  • http://security.vpit.txstate.edu/awareness/digital_copyright-p2p-filesharing.html
  • University Seminar
  • CSAD
  • Notice to students and parents

Appropriate Use Policy
– UPPS 04.01.07
– Applies to all faculty, staff, and students
– Acceptance when you change your password

Appropriate Use Policy: Highlights
– Illegal, threatening or deliberately destructive use
– Authorized use only
– Email use
– Circumventing security procedures
– Protect your identity
– Copyright infringement
– Protect confidentiality

Confidential Information: Classes of Information
http://security.vpit.txstate.edu/policies/data_classification.html
– Public information
  • e.g., job postings, service offerings, published research, directory information, degree programs
– Sensitive information
  • e.g., performance appraisals, dates of birth, email addresses, donor information
– Restricted information
  • e.g., SSN, credit card info, personal health info

Confidential Information: Release Precautions
– FACT 1: Texas State is a public institution
– FACT 2: Texas State is subject to the Texas Public Information Act
– FACT 3: TPIA does not make all Texas State information freely available to the public
IMPORTANT NOTE: If you receive a request for information from any external party, and you aren't certain that the information can be released, consult the Office of the University Attorney before releasing the information.

Confidential Information: Protections
– What should you do about phone conversations?
– What should you do with printed, scanned, copied, or faxed copies?
– Where should you store media or hard copies?
– What should you do before disposing of or transferring media (including cell phones)?
  • http://www.tr.txstate.edu/itac/repair/hardware-disposal
– What about your monitor screen?

Confidential Information: Protections (continued)
– What should you do before disposing of records?
– What should you do if you receive a phone call asking you to disclose information?
– What should you do when you walk away from your workstation?
– How should you protect your password?

Confidential Information: Discovery
– Identity Finder demonstration

Information Security: Current Trends
Symantec – last six months of 2007
– "Professional" hackers are commercializing
  • $ is the motivator
  • They are selling our information (medical, credit card, identities)
– The Web as the focal point
  • Where we spend our time and divulge our information
– End-users are the primary target
  • Phishing, web browsers (plug-ins), malware, spam, botnets
  • Mobile device security (clever ploys)
– Increasing privacy data breaches
  • http://www.privacyrights.org/identity.htm
  • https://www.ssnbreach.org/

Information Security: Current Threats and Protections
Phishing – what is it and how do I protect myself from it?
– See the IT Security Awareness pages for detailed information: http://security.vpit.txstate.edu/awareness/phishing.html
– View a video from Microsoft on phishing: http://www.microsoft.com/protect/videos/Phishing/PhishingMSHi.html
– Protections:
  • Do not submit personal information in response to an email
  • Verify the authenticity and security of web sites before entering your personal information (https, certificates)

Information Security: Current Threats and Protections
SPAM – what is it and how do I protect myself from it?
– Protections:
  • Don't open emails or attachments from an unknown source
  • Use available filtering/blocking tools (http://www.tr.txstate.edu/getconnected/computerservices/e-mailsetup/spam-filter-faq.html)
  • Don't click on any links in spam
  • Don't forward spam on to your friends
  • Validate hoax email: www.snopes.com, www.hoax-slayer.com

Information Security: Current Threats and Protections
Spyware – what is it and how do I protect myself from it?
– View a video from Microsoft on spyware: http://www.microsoft.com/protect/videos/Spyware/SpywareMSHi.html
– Protections:
  • Do not download or install untrusted or unknown programs
  • Use anti-spyware software, such as Ad-Aware (www.lavasoftusa.com) or Windows Defender (http://www.microsoft.com/windows/products/winfamily/defender/default.mspx)
  • Demo: Windows Defender

Information Security: Download Security Video
EDUCAUSE Computer Security Awareness Video Contest 2006 honorable mention, "Act Now – Know Your Sources", by Stephen Hockman, Christina Manikus, John Sease, and Erin Shulsinger, James Madison University
http://www.educause.edu/SecurityVideoContest2006/7103

Information Security Best Practices: Data Backup
– Regular or automatic backups
– Protect backup media
– Protect sensitive information stored on backup media
– Critical data should be backed up frequently
– Test your recovery

Information Security Best Practices: System, Software, and Anti-Malware Updates
– Operating system patches
– Anti-virus and anti-spyware
– Host-based firewalls
– Application software
Automatic or regularly scheduled updates are best
– Demo: McAfee

Information Security Best Practices: User Accounts and Passwords
– Use separate user accounts
  • Administrator accounts for installing software, etc.
  • User accounts for normal usage
– Use strong passwords
  • Mix upper case, lower case, and numeric characters
  • The longer the better, but a minimum of 8 characters
  • Use passphrases
  • Avoid valid dictionary words and proper names
  • Avoid re-using passwords

Information Security Best Practices: Passwords (continued)
– Create strong passwords that are easy to remember
– Strong password checker websites
  • http://www.microsoft.com/protect/yourself/password/checker.mspx
  • http://strongpasswordgenerator.com/
– Use different passwords for different functions
  • Banking
  • Purchasing
  • Email
– Password management tools
  • Password Safe

Information Security Best Practices: Mobile Computing and Portable Media
– Confidential or Personally Identifiable Information (PII) is your responsibility to protect
  • Use passwords, preferably "power on" passwords
  • Use an additional authentication factor, such as a fingerprint reader on a laptop
– Remove or "shred" all data before disposing of or transferring a device
– Always keep the device with you when you are away from the office (e.g., do not leave it unattended in a hotel room, at a conference, or in your vehicle)
– Laptop theft tracker: http://adeona.cs.washington.edu/

Information Security Best Practices: Wireless Network Security
– Texas State University's wireless networks
  • Open network
  • Encrypted wireless network setup: http://www.tr.txstate.edu/getconnected/computerservices.html
– Wireless security at home
  • Change the router's default password
  • Use the strongest available encryption
  • Use MAC address restrictions
– Use public wireless networks only for risk-free activities

Information Security: Wireless Security Video
EDUCAUSE Computer Security Awareness Video Contest 2007 bronze award, "When You Least Expect It", by Nolan Portillo, California State University – Bakersfield
http://www.educause.edu/SecurityVideoContest2007/713549

Information Security Best Practices: Identity Theft and Credit Card Fraud
– http://security.vpit.txstate.edu/awareness/idtheft.html
– View a video from the Federal Trade Commission: http://www.ftc.gov/bcp/edu/microsites/idtheft/video/avoid-identity-theft-video.html
– Do not give out your personal information unnecessarily
– Limit use on public computers or networks
– Check your receipts for credit card numbers
– Apply for your free annual credit report from all 3 agencies
– Identity Theft IQ Test

Information Security: Identity Theft Video
EDUCAUSE Computer Security Awareness Video Contest 2007, "Out in the Open", Mark Lancaster, Texas A&M University
http://www.researchchannel.org/securityvideo2007/

Information Security Best Practices: Social Networking
– MySpace and Facebook – most popular
– http://security.vpit.txstate.edu/awareness/social_networking.html
– Use caution when posting personal information
– Photos can be used by a stalker to gather information about you or your family
– Talk about social networking protections with your family and friends
– Limit access to your personal site
– Remember that pages are cached

Information Security Best Practices – Useful Links
– Use secure (https) for Gmail – DEMO
– Top 20 Vulnerabilities: http://www.sans.org/top20/
– Identity Theft
  • http://onguardonline.gov/idtheft.html
  • http://www.vpit.txstate.edu/security/items_interest/identity.html
– Annual Credit Report: https://www.annualcreditreport.com/cra/index.jsp
– Best Practices: http://security.vpit.txstate.edu/awareness/best_practices.html

Information Security: How Do I Find Out More?
Texas State Sites
– IT Security – http://www.vpit.txstate.edu/security
– Privacy Rights Notice – http://www.tr.txstate.edu/privacy-notice.html
– Identity theft – http://webapps.tr.txstate.edu/security/identity.html
– FERPA at Texas State – http://www.registrar.txstate.edu/persistentlinks/ferpa.html
Contacts
– Information Technology Security: 512-245-HACK (4225), [email protected]
– Information Technology Assistance Center (Help Desk): 512-245-ITAC (4822) or 512-245-HELP, [email protected]

Q & A
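The strong-password rules listed under Best Practices (minimum 8 characters, a mix of upper case, lower case and numeric characters or a passphrase, no dictionary words or proper names, no re-use), implemented as a policy check. This is an added example, not code from the presentation or from Texas State; the wordlist, the passphrase threshold (four or more words and twenty or more characters) and the salted-hash password history are assumptions.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a real dictionary and proper-name list (assumption).
DICTIONARY = {"password", "welcome", "summer", "bobcat", "texas", "austin", "corbett"}
MIN_LENGTH = 8


def _is_dictionary_word(candidate: str) -> bool:
    """True if the password is only a listed word or name once common
    digit/punctuation padding is stripped (e.g. 'Summer2008!' -> 'summer')."""
    core = re.sub(r"[^a-z]", "", candidate.lower())
    return core in DICTIONARY


def _looks_like_passphrase(candidate: str) -> bool:
    """Assumed passphrase rule: four or more words and at least 20 characters."""
    return len(candidate.split()) >= 4 and len(candidate) >= 20


def hash_for_history(password: str, salt: bytes) -> str:
    """Keep previously used passwords only as salted PBKDF2 hashes, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def check_password(candidate: str, history: list, salt: bytes) -> list:
    """Return the names of the deck's rules the candidate violates (empty list = accepted).

    history holds hash_for_history() values of the user's earlier passwords."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append("minimum 8 characters")
    has_mix = (re.search(r"[A-Z]", candidate) and re.search(r"[a-z]", candidate)
               and re.search(r"[0-9]", candidate))
    # A long multi-word passphrase is accepted in place of the character mix.
    if not has_mix and not _looks_like_passphrase(candidate):
        failures.append("mix upper, lower and numeric (or use a passphrase)")
    if _is_dictionary_word(candidate):
        failures.append("dictionary word or proper name")
    candidate_hash = hash_for_history(candidate, salt)
    # Constant-time comparison against each stored hash to detect re-use.
    if any(hmac.compare_digest(candidate_hash, h) for h in history):
        failures.append("re-used password")
    return failures
```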