Boston University Computing Security Awareness What you need to know about keeping information safe and secure. IS&T | Information Security.
Download ReportTranscript Boston University Computing Security Awareness What you need to know about keeping information safe and secure. IS&T | Information Security.
Boston University Computing Security Awareness What you need to know about keeping information safe and secure. IS&T | Information Security Background Why be concerned? • Think about everything you use your computer for: banking, shopping, paying your bills, etc. • Then consider how much of your personal information is involved in those transactions: social security number, name, address, medical information, etc. • Now imagine the amount of personal information, sensitive information, Boston University collects on students, faculty, and staff. What can you do? •Three simple steps can help us ensure University information is not compromised • Confidentiality – protecting information from unauthorized disclosure • Integrity – protecting information from unauthorized modification and ensuring it is accurate and complete • Availability – ensuring information is available when needed How are we threatened? • The severity and range of threats to information security are increasing every day. The most prevalent include: • Viruses - small pieces of malicious software which “infect” • • • • your computer. Spyware - software that collects information from your computer which can be used to exploit your system. Operating System Holes - weaknesses in the operating system which may or may not be known to the manufacturer. Weak Passwords - simple passwords which can be guessed or cracked. Social Engineering – non-technical schemes used to obtain sensitive information from a user or system. Viruses • Computer viruses are designed to be destructive by destroying files or systems or creating widespread mayhem across the larger network. • As with biological viruses, the simplest way to avoid a computer virus is prevention. This means properly installed and updated anti-virus software and following a few steps. • Boston University has free anti-virus software available for download at: http://www.bu.edu/tech/help/virus/ • Don’t open email attachments you don’t recognize. Email from unknown senders frequently contains viruses. • Don’t load compact discs or any form of external memory on your work system from untrusted sources, or even from your own home computer, unless you know they’re clean of viruses. • Steer clear of “questionable” websites. Spyware • Though spyware is less obvious in its impact on your system, it has become a greater threat than viruses in recent years. • Unlike viruses, spyware does not necessarily adversely affect your computer’s performance. • It is designed to collect information about you or your system and send it to someone who can then use the information to attack your system or break into accounts you might have on other system. • Boston University has free anti-spyware software available for download at: http://www.bu.edu/tech/help/spyware/index.html • When properly installed and updated, anti-spyware software will greatly reduce the risk of vulnerability to spyware. Operating System Holes • Making a perfect piece of software is almost impossible. Sometimes, there may be holes in how software functions and these holes can be utilized in an attack on your system. • When manufacturers become aware of security holes, they will release patches to fix them. Most systems have an automated method for downloading and installing such updates. • Whether you do it manually or automatically, you need to keep your software updated with the latest patches. Weak Passwords Even if your system does not enforce strong passwords, make certain not to create weak passwords. Weak passwords are non-complex and easy to guess. Good rules for creating passwords are: •Use upper and lowercase letters •Use numbers and special characters •Have a minimum of 10 characters •Use “passphrases” which are harder to break but easy to remember, such as “My password is hard times 1000!” •Change your password at least every 180 days •Avoid birthdays and pet names examples of strong passwords: Happy Days = H4PPY**d4y5 (11 characters) Bad Rabbit = b4d@@R4BBI+ (11 characters) You break it, you buy it = Ubrke1tUbuy1t! (13 characters) Hack this = HACK*+h15! (10 characters) Social Engineering Social Engineering is the term used to describe non-technical methods used to learn sensitive information about a user or system. Some examples of social engineering include: FREE!! Websites offer a special deal in exchange for an account you create. Spyware attaches to this free offer and tracks your website use and login information. To avoid this problem, use different usernames and passwords on all your online accounts. NEVER use your work username and password for personal accounts. Phone calls: Someone posing as a representative of a company calls and asks you for personal information. Ask for the representative’s name, company and phone number. In almost every case, the caller will disconnect when asked questions or placed on hold. If someone you do business with calls you, look up their official number and call them back. E-mail requests: If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Our Environment In the University environment, there are additional steps necessary to effectively reduce security threats. We should focus on several factors to help us better determine what we can do to secure our data: What are the systems used for? Security solutions need to be appropriate to both the sensitivity of the data and its level of exposure. Sensitive data should not be transported or stored unencrypted. Who is supposed to have access to what, and why? Access to information should be given only to those people who have a business need for it. Often people are granted more access than is necessary; therefore, access should be granted only after it is confirmed as appropriate for the specific person. Potential Hazards Once we have answered for what and by whom systems are being used, we will be better able to identify when there has been a potential security incident. EXAMPLES OF SECURITY INCIDENTS: 1. 2. 3. 4. 5. 6. 7. An account password is compromised either through guessing or being cracked. There is a hacking attempt made against your system; some attempt to force entry or exploit a vulnerability. Computer files go missing. There are unexplained changes to system data or your configurations. Your system becomes infected by a virus. Your workstation/laptop is stolen. An unauthorized user attempts to access your system. Security Tips Email Attachments Only open an email attachment if you can answer YES to the following 3 questions: 1. I know exactly what the file is. 2. I have ensured that my virus scan program is fully updated AND I have used the program to scan the attachment for viruses. 3. I have verified the identity of the sender and their intentions via telephone or email. Physical Security Always log out when stepping away from your computer for ANY period of time, and always at the end of the day. Consider using a password-protected screensaver as an extra layer of security Be aware of those that have keys to the office and access to your physical workspace. Shred documents that contain sensitive information. Back up your data on a daily basis. Firewalls A firewall is a piece of software or hardware which acts as a protective barrier between your computer and potentially harmful content on the Internet. They help guard computers against hackers along with many computer viruses and worms, by only allowing necessary traffic to reach the computer. If your operating system has a built-in firewall, be sure it is enabled. B.U. Linux, Apple OS X, and Microsoft Windows XP sp2 all have their own firewalls. Visit: http://www.bu.edu/tech/help/desktop/windows/firewall/ for more information. Regulatory Compliance Federal and State Regulations Boston University must comply with certain Federal and State regulations. Here are some examples of the laws, which will be explained in further detail: Family Educational Rights and Privacy Act (FERPA) Health Insurance Portability and Accountability Act (HIPAA) Massachusetts Standards for the Protection of Personal Information (201 CMR 17.00) Federal and State Regulations Family Educational Rights and Privacy Act (FERPA) FERPA is a federal law that protects the privacy of a student’s education records. In compliance with FERPA, Boston University does not disclose personally identifiable information contained in student education records, except as authorized by law. Please visit the Registrar's website for more information: http://www.bu.edu/reg/informatio n/ferpainformation.html Health Insurance Portability and Accountability Act (HIPAA) The main goal of HIPAA is to ensure the portability of health insurance benefits particularly as individuals move from job to job. Moreover, HIPAA provides regulations for protecting the security of health information that is stored or transmitted electronically. Federal and State Regulations Massachusetts Standards for the Protection of Personal Information (201 CMR 17.00) This regulation establishes minimum standards to be met in connection with the protection of personal information (contained in both paper and electronic records) of the residents of the Commonwealth. The objectives of this regulation are: To ensure the security and confidentiality of customer information in a manner fully consistent with industry standards Protect against anticipated threats or hazards to the security or integrity of such information Protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer Under this regulation personal information is defined as a combination of First-name / last-name, or first-initial / last-name, AND Social Security Number, driver’s license number (or state-issued ID), financial account number or credit / debit card number (with or without PIN or password), and effective date. Boston University Contacts IT Help Center -can answer most personal computing support and network connectivity questions. Network Systems Engineering Group - can help with getting or repairing a network connection in an academic or administrative department. BU Security Team - can answer your computer security related questions. Unix Systems Support -for Unix support at Boston University BU Linux website- has information about using Linux at Boston University Operations group -provides file-backup service for departmental servers and individual workstations. Residential Computing Services group can assist with problems related to ResNet Computer Labs We have Active Directory support for departments interested in joining or have already joined.