University of California, Irvine
Computer Security: What do I really need to know NOW!
Marina Arseniev - Associate Director, Administrative Computing Services
Stephen Franklin - Director, Network and Academic Computing Services
TechnoExpo, 2006
Agenda
• Why care about security?
• How to deal with Secret Stuff?
• How do I…
  • protect my password?
  • use Email and Instant Messenger securely?
  • use the Internet securely?
  • use my laptop securely?
  • backup my computer?
  • ….
Security Depends on Everyone
IT staff uses the latest technology and techniques to maintain the highest level of security possible, but much still depends on individual users.
Every user plays a critical role in maintaining the security of UCI’s network and the systems connected to it.
Security is a real problem!
• Increasing number of attacks
• Security exploits spread in minutes and hours rather than days or weeks
• “Script Kiddies” have access to sophisticated tools
• Serious hackers have even better tools
• More legislation regarding security management practices and notifications
Why bother with security?
• Your personal information and privacy may be compromised.
• Student or employee personal information and privacy may be compromised.
• Legal responsibilities – Federal and State Laws
  • University is liable for breach of security
• Reputation and Trust
• Costliness
  • Notification of individuals whose personal information may have been compromised due to unauthorized access can (“easily”) cost the University tens (and even hundreds) of thousands of dollars
People notified in response to personal identity incidents

  Month   Institution        People notified
  April   San Diego State    178,000
  May     UC San Diego       380,000
  June    UCLA               145,000
  June    UCLA                62,000
What should be kept secure?
Obvious examples
• All portable devices, including PDAs, Laptops
• Passwords
• Research and development data
• Human resources personnel files
• Student information
• Any business information marked Confidential
Less obvious examples
• A professor’s contact list
• E-mail messages
• Personal telephone numbers
• Home address
• Birth date
• Ethnicity
• Gender
What is Personal Information?
Senate Bill 1386 (State Law)
“Personal information” = Name and any of the following:
• Social security number
• Driver’s license number or California Identification Card number.
• Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
Federal Laws on Privacy Regulation
• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Digital Millennium Copyright Act
• Federal Trade Commission - Gramm-Leach-Bliley Act on Customer Privacy
• USA Patriot Act of 2002
FERPA
• Family Educational Rights and Privacy Act
• Federal law that protects the privacy of student education records.
• Allows students to block access to their information or even existence.
• Contact the Registrar for info and procedures.
HIPAA
• Health Insurance Portability and Accountability Act
• “Individually identifiable health information” is private and must be protected in any form or media, whether electronic, paper, or oral.
• Protect demographic data (i.e. name, address, birth date, Social Security Number) related to:
  • the individual’s past, present or future physical or mental health or condition
  • the provision of health care to the individual
  • the past, present, or future payment for the provision of health care to the individual
Relevant Campus Policies
• Computing Policy and Information Systems
• 714-11 Guidelines for NACS Computer Usage
• 714-12 Office of Academic Computing Policy on Ownership and Rights of Access to Software and Data
• 714-14 Copying Computer Programs
• 714-15 Policy on Access to University Administrative Information Systems
• 714-16 Procedures for Accessing University Administrative Information Systems
• 714-17 Using University Administrative Information Systems
• 714-18 Computer and Network Use Policy
Protect your passwords
• Choose your passwords carefully.
• Don’t use known personal information.
• Don’t use the same password on different systems.
• Never share personal passwords.
• Do not write passwords down. They will be found by others.
A good password will:
• Be six to 10 characters in length.
• Have one or more capital letters (A…Z).
• Have one or more lower case letters (a…z).
• Include one or more numbers (0-9).
• Include one or more special characters (!, *, &, %, $, #, @).
• Be a short phrase (such as Up&AtM@7!).
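Added example (not from the original slides): a small Python check that applies the rules on this slide, plus the earlier “don’t use known personal information” rule via a list of personal strings the caller supplies. The rule wording and the sample candidates are constructed for illustration.

```python
# Added example (not from the original slides): apply the password rules on
# this slide, plus "don't use known personal information", to a candidate.
import string

SPECIAL = set("!*&%$#@")  # the special characters the slide lists


def password_problems(pw: str, personal=()) -> list:
    """Return the rules the candidate breaks; an empty list means it passes.
    `personal` holds strings such as a name or birth year that must not
    appear in the password (case-insensitive)."""
    problems = []
    if not 6 <= len(pw) <= 10:
        problems.append("length must be six to 10 characters")
    if not any(c in string.ascii_uppercase for c in pw):
        problems.append("needs a capital letter (A..Z)")
    if not any(c in string.ascii_lowercase for c in pw):
        problems.append("needs a lower case letter (a..z)")
    if not any(c in string.digits for c in pw):
        problems.append("needs a number (0-9)")
    if not any(c in SPECIAL for c in pw):
        problems.append("needs a special character (!, *, &, %, $, #, @)")
    low = pw.lower()
    if any(p and p.lower() in low for p in personal):
        problems.append("must not contain known personal information")
    return problems


def is_good_password(pw: str, personal=()) -> bool:
    """True when the candidate satisfies every rule."""
    return not password_problems(pw, personal)


if __name__ == "__main__":
    # Constructed candidates; the first is the slide's own sample phrase.
    for candidate in ["Up&AtM@7!", "password", "Summer2006", "Marina06!"]:
        print(candidate, password_problems(candidate, personal=["Marina"]) or "OK")
```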
Email is NOT SECURE!
• Because email passes through many computers and networks, there are many opportunities for it to be read - despite rules and policies to the contrary.
• Confidential information can easily be accidentally and/or intentionally compromised.
• Administrators and hackers can access all incoming and outgoing email messages.
• Viruses are most commonly spread through e-mail attachments.
• HTML Email is really an insecure Web Page.
Here is what you should do:
• Never send passwords, social security numbers, credit card numbers, or other access information via e-mail.
• Do not open unexpected attachments, even from coworkers or other trusted sources.
• Disable macros on questionable documents.
More of what you should do:
• Ask your Computer Support Coordinator about how to store encrypted email securely.
• When deleting sensitive email, make sure you clean “Junk” and “Trash” folders too! Simply deleting your sensitive email may not remove the file.
What about Instant Messaging?
• Everything that applies to Email vulnerabilities applies to IM.
• Never use IM to send any confidential or private information!
How do I use the Web securely?
• Use SSL Encryption (https://…)
• Check for the “encryption” key on your browser when entering sensitive information – such as a credit card number.
• Never enter secret stuff into Web forms unless instructed to do so by the IT department.
• Many self-service Web forms use email to automatically notify and disseminate information – we know email is insecure…
• Never download freeware or shareware from the Internet without express permission from the IT department.
Viruses can come from:
• E-mail, WWW, and instant messaging attachments.
• Infected files shared via removable storage (diskettes, CDs, Zip disks, and other media) or over the network.
• Software downloaded from the Internet, Pop-ups.
How do I secure my Computer or Laptop?
• Laptops or portable devices are the largest security threat!
  • Portable devices include PDA, USB Drive, Key Disk, and iPod.
  • Subject to theft or loss. Social Security Numbers? Ouch!
• Install latest patches and anti-virus software, Windows Update.
• Use a good password and change it regularly.
• Enable screen-saver password control – timer for auto-logout.
• Use VPN to access your system from outside UCI
  • Use UCI’s Virtual Private Network (VPN) <http://www.nacs.uci.edu/security/vpn.html>
How do I secure confidential information?
• Store only confidential information with immediate needs.
• Delete confidential information with no immediate need.
• Encrypt all confidential information.
  • Microsoft Windows XP and Apple’s Mac OS X provide built-in file and folder encryption. Linux/UNIX has encryption technologies.
• Use encrypted transmission of confidential information
  • HTTPS, Secure File Transfer (FTPS), SSH, VPN, PGP for email
• Arrange professionally administered and regular backups.
  • Backups must be secured too.
  • If stolen, the backup will be used to verify the existence of personal information on a computer and, per California Law 1386, used to notify individuals whose information was compromised.
If distributing Personal Information…
• Delete personal information not critical to the task when distributing full data sets.
• Provide staff access to restricted data only as needed to perform assigned duties.
• When personally identifying information is distributed to users, include notification that the data is restricted and requires security protection. Include reference to applicable policies and regulations.
• Ensure secure transmission, storage and removal of personal data.
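Added example (not from the original slides) that covers the SB 1386 definition quoted earlier together with the data-minimization advice on this slide: it classifies a record as “personal information” under that definition, keeps only the fields a task needs before the data set is distributed, and re-checks the result so the recipient can be told whether it is still restricted. Field names and sample records are assumptions constructed for illustration.

```python
# Added example (not from the original slides): classify a record against the
# SB 1386 definition quoted earlier and strip the fields a task does not need.
# Field names and sample records are constructed for illustration.
from typing import Dict, Iterable, List, Tuple

# With a name, any one of these alone makes the record "personal information".
STANDALONE_IDS = {"ssn", "drivers_license", "ca_id_card"}
# An account or card number counts only together with a code permitting access.
ACCOUNT_FIELDS = {"account_number", "credit_card", "debit_card"}
ACCESS_FIELDS = {"security_code", "access_code", "password"}

def _present(record: Dict[str, str], field: str) -> bool:
    """True when the field exists and is not blank."""
    return bool(record.get(field, "").strip())

def is_sb1386_personal_information(record: Dict[str, str]) -> bool:
    """Name plus SSN/DL/CA ID, or name plus account number plus access code."""
    if not _present(record, "name"):
        return False
    if any(_present(record, f) for f in STANDALONE_IDS):
        return True
    has_account = any(_present(record, f) for f in ACCOUNT_FIELDS)
    has_access = any(_present(record, f) for f in ACCESS_FIELDS)
    return has_account and has_access

def minimize_for_task(record: Dict[str, str], needed: Iterable[str]) -> Dict[str, str]:
    """Keep only the fields the task needs; everything else is dropped."""
    keep = set(needed)
    return {k: v for k, v in record.items() if k in keep}

def prepare_dataset(records: List[Dict[str, str]],
                    needed: Iterable[str]) -> List[Tuple[Dict[str, str], bool]]:
    """Minimize each record and flag whether it is still restricted data, so
    the recipient can be told it requires security protection."""
    needed = list(needed)
    return [(m, is_sb1386_personal_information(m))
            for m in (minimize_for_task(r, needed) for r in records)]

# Constructed sample records (not real people or numbers).
SAMPLE = [
    {"name": "A. Student", "ssn": "000-00-0000", "email": "a@example.edu"},
    {"name": "B. Staff", "credit_card": "0000000000000000", "security_code": "000"},
    {"name": "C. Faculty", "credit_card": "0000000000000000", "department": "Physics"},
]

if __name__ == "__main__":
    for slim, restricted in prepare_dataset(SAMPLE, ["name", "email", "department"]):
        print(slim, "RESTRICTED" if restricted else "minimized")
```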
Protect Paper Documents
• Don’t leave sensitive documents in clear sight in work areas. Store confidential material in locked drawers.
• Shred sensitive documents when they are no longer needed.
• Protect sensitive materials when using photocopiers, fax machines, etc. Don’t leave the originals behind when you walk away.
How do I discard my computer or media?
• Contact your IT department for proper procedures.
• Be sure to delete all information from your old computer or media when you dispose of it.
• Be aware that “erased” data often may be recovered from your computer unless you take explicit measures to remove it.
Supervisors:
Good practices:
• Conduct periodic security assessments and training at staff meetings
• Regularly review your practices and security measures.
Vital:
• Ensure that you, your staff, and those to whom you provide information are familiar with the privacy and confidentiality policy and laws applicable to activities within your unit.
• Inventory and classify the types of information handled by your staff. Inventory “personal” information.
• Make sure software (and equipment) are up to date.
What to report – who to report to
Report to your Supervisor, Computer Support Coordinator, or Helpdesk:
• If you think you have a virus.
• If someone has stolen your password or illicitly accessed your computer.
• If you forget your password or need to have a temporary account created.
Help Desk:
• (949) 824-8500 for the AdCom Services Help Desk
  • EMAIL: [email protected]
• (949) 824-2222 for NACS Help Desk
  • EMAIL: [email protected]
http://security.uci.edu/
Questions?