GaDOE Information Security It’s Up To You! Brad Bryant, State Superintendent of Schools “We will lead the nation in improving student achievement.”


Page 1:

GaDOE Information Security

It’s Up To You!

Brad Bryant, State Superintendent of Schools

“We will lead the nation in improving student achievement.”

Page 2:

Information Security Awareness:

• Is essential in protecting our information and data

• Users of the data are the first and last line of defense

• Most data breaches are caused by legitimate users

• Not hackers, criminals, or malware

Page 3:

Information Security Awareness:

We are all responsible and play a vital role in securing the information and data we work with every day…

• Everyone, no matter your position or title

Page 4:

FERPA

• Family Educational Rights and Privacy Act

(20 U.S.C. § 1232g; 34 CFR Part 99)

• Federal law that protects the privacy of student education records

• Applies to all schools that receive funds under an applicable program of the U.S. Department of Education

Page 5:

FERPA

• Gives parents certain rights to their children’s education records

• These rights transfer to the student when he or she reaches age 18 or attends school beyond the level of high school


Page 7:

Other examples:

• Health Insurance Portability and Accountability Act (HIPAA)

• Gramm-Leach-Bliley Act (GLBA)

• ISO/IEC 17799 (International Organization for Standardization)

• Georgia Open Records Act (O.C.G.A. § 50-18-70 et seq.)

Page 8:

Certain types of information have levels of sensitivity that require specific protective measures.

Examples are:

• Electronic Protected Health Information (ePHI)

• Personally Identifiable Information (PII)

• Personnel Files

• Education Records

Page 9:

Security Awareness - the best defense against:

• User Mistakes

• Criminal Activities

• Hackers

Page 10:

Mistakes:

Mistakes and errors in judgment occur every day in business as they pertain to information security breaches. Most of the time it’s just a lack of awareness.

• Laptop in an unlocked car, in plain view - an invitation for theft

• Sensitive information left lying unsecured on a desk

• Sharing your logon credentials with a co-worker or others

• Emailing sensitive or confidential information unencrypted

Page 11:

Crime:

Criminal activity being directed at communications networks and other assets is steadily on the rise. Criminals today are in it for financial gain, not just for fun.

• Theft of laptops, paper files, portable storage, back-up tapes

• Industrial espionage, criminal trespass, and stolen trade secrets

• Cyber criminals spamming, phishing, and soliciting for information

• Criminal blackmail or bribery payments for sensitive information

• ‘Dumpster Diving’ for information

Page 12:

Hackers, Attackers, and Crackers:

The increased use of internet technology and connectivity has made cyber attacks and hacking easier for a larger number of perpetrators. The number of attackers is growing every day.

• DoS attacks, viruses, worms, Botnets, logic bombs, Trojan horses

• Web site attacks, vandalism, financial fraud, privileged access

• Database attacks, transaction theft, intellectual property theft

Page 13:

2009 Stats:

The Privacy Rights Clearing House reports more than 103 million records containing personally identifiable information (PII) have been exposed since 2005

Page 14:

2010 Stats:

Total number of records containing sensitive personal information involved in security breaches in the U.S. since January 2005 - 262,443,756

• That’s an increase of 159 million records in one year!

Page 15:

Security Breaches

Page 16:

Mar. 12, 2009

An Army database that contains personal information about nearly 1,600 soldiers was penetrated by unauthorized users. The information that may have been breached includes the service members' names, e-mail messages, phone numbers, home addresses, awards received, ranks, gender, ethnicity, and dates the soldiers deployed and returned from their deployment.

Number of records: 1,600

Page 17:

Take away…

Always use the best practice of ‘least privilege’.

• Workers should be granted the least amount of privileges required to perform assigned duties

• Review user access when duties change

• Previously held access may not be needed in the new job

Page 18:

Nov. 24, 2008

Starbucks Corp. (Seattle, WA)

A laptop containing employee private information was stolen from an unsecured vehicle. The information included names, addresses and Social Security numbers, and was unencrypted.

Number of records: 97,000

Page 19:

Take away…

Lock It Up!

• Lock laptops in docking stations

• Use cable locks to secure laptops to furniture

• Lock filing cabinets containing sensitive information

• Secure sensitive documents in a lockable safe

Page 20:

Mar. 18, 2009

Walgreens Health Initiative/KRS (Deerfield, IL)

Names, dates of birth, and Social Security numbers of roughly 28,000 state retirees were e-mailed to the Kentucky Retirement Systems, without being properly encrypted for security purposes. The e-mail contained health insurance claim numbers but no personal health information.

Number of records: 28,000

Page 21:

Take away…

• Do Not Send Sensitive Information Unencrypted!

• Text in body of email message

• Text contained in attached files

• ‘Just Don’t Do IT’ - Nike not

Page 22:

Mar. 4, 2009

A civilian employee of the department's pension fund stole tapes containing the Social Security numbers and direct-deposit information for 80,000 current and retired cops. The employee, who served as the pension fund's director of communications, has been charged with computer trespass, burglary and grand larceny. He removed the tapes from a backup data warehouse on Staten Island after disabling security cameras. Police found the missing tapes at his home before arresting him.

Number of records: 80,000

Page 23:

Take away…

The insider threat is real.

• 80% of attacks are perpetrated by insiders

• Insiders are trusted and know the landscape

• Knowledge of the organization’s weaknesses

Page 24:

March 11, 2005

A disgruntled employee posted information on her blog noting that Kaiser Permanente included private patient information on systems diagrams posted on the Web.

UPDATE (6/21/2005): The California Department of Managed Health Care fined Kaiser $200,000 for exposing the confidential health information.

Number of records: 1,400

Page 25:

Take away…

Mistakes happen!

• Use controls and procedures to check and double check

• Quality control testing and review

• Breaches can cost $$$

Page 26:

Jan. 27, 2009

Department of State, U.S. Consulate - Israel

Hundreds of files, with Social Security numbers, bank account numbers and other sensitive U.S. government information, were found in a filing cabinet purchased from the U.S. consulate in Jerusalem through a local auction.

Number of records: Unknown (thousands)

Page 27:

Take away…

Object Reuse/Disposal procedures must be followed.

• Degauss or destroy old hard drives

• Shred retired paper documents

• Fully inspect surplus equipment

Page 28:

April 14, 2005

Polo Ralph Lauren/HSBC(New York, NY)

Hacking

UPDATE - 4/10/09: U.S. Secret Service agents found Polo Ralph Lauren customers' credit card numbers in the hands of Eastern European cyber thieves who created high-quality counterfeit credit cards. Victims are from the U.S., Europe, Asia and Canada, among other places. Several Cuban nationals in Florida were arrested with more than 200,000 credit card account numbers.

Number of records: 180,000

Page 29:

Take away…

Hackers are continuously working their craft.

• Many hackers are very good at what they do

• Security and network monitoring will help

• Keep servers and desktops patched and updated

Page 30:

Security Awareness

Page 31:

Make Security a daily routine…

Simple things you do every day play a role in the big picture of security

• Follow agency’s policies & procedures

• Proper Log-in

• Strong Passwords

• E-mail policy

• Protect Information/Data

• Internet Use

• Reporting of Security Incidents

Page 32:

Log-in Procedures

Access Control is achieved through your log-in.

• User-id is unique to you and only you

• Access should be role-based, derived from business needs

• Access to sensitive information may often be recorded to provide audit logs used to identify access violations
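The least-privilege take-away on page 17 and the role-based, audited log-in model on this page, worked through in code. This is an added example, not part of the GaDOE deck; the roles, permissions, user ids and audit records are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed role model: each role carries only the permissions its duties need.
ROLE_PERMISSIONS = {
    "payroll_clerk": {"hr.read", "payroll.read", "payroll.write"},
    "data_analyst": {"hr.read", "education_records.read"},
    "help_desk": {"accounts.reset_password"},
}


@dataclass
class User:
    user_id: str            # unique to one person, never shared
    role: str
    granted: set = field(default_factory=set)  # what is actually granted


def provision(user_id: str, role: str) -> User:
    """Grant exactly what the role requires and nothing more (least privilege)."""
    return User(user_id, role, set(ROLE_PERMISSIONS[role]))


def change_duties(user: User, new_role: str) -> set:
    """Access review when duties change: move the user to the new role and
    return the previously held permissions the new job does not need, so
    they can be revoked rather than silently carried along."""
    needed = ROLE_PERMISSIONS[new_role]
    stale = user.granted - needed
    user.role = new_role
    user.granted = set(needed)
    return stale


def find_violations(users: dict, audit_log: list) -> list:
    """Replay audit records of the form 'user_id permission resource' and
    report every access not covered by that user's granted permissions
    (or made under an unknown user id)."""
    violations = []
    for line in audit_log:
        user_id, permission, resource = line.split()
        user = users.get(user_id)
        if user is None or permission not in user.granted:
            violations.append((user_id, permission, resource))
    return violations


def demo() -> list:
    """A clerk moves to an analyst job; the audit log then shows one access
    that relies on the old, now-revoked payroll privilege and one under an
    unknown id. Both surface as violations."""
    users = {"jdoe": provision("jdoe", "payroll_clerk")}
    change_duties(users["jdoe"], "data_analyst")
    # Constructed audit records: user_id permission resource
    log = [
        "jdoe education_records.read student_roster",
        "jdoe payroll.read payroll_march",        # stale privilege from old role
        "asmith accounts.reset_password jdoe",   # user id not provisioned
    ]
    return find_violations(users, log)


if __name__ == "__main__":
    for v in demo():
        print("ACCESS VIOLATION:", v)
```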

Page 33:

Passwords – State (GTA) Standard

• Passwords are unique to you

• 8 characters in length

• Lower case letters (a-z)

• Upper case letters (A-Z)

• Numeric (0-9)

• Special characters (!@#$%*&)

Try to use a pass-phrase, “Mary had a little lamb and three goats...”, with letters extracted, i.e., RaLlbdr3#: every third letter and the number, with the special character added.

Page 34:

Passwords

Avoid these pitfalls:

• Can be easily found in a dictionary

• Allowing the browser to remember your passwords

• Embedding passwords in applications

• Taping your passwords around your workstation

• Sharing your password with anyone including your boss
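A checker for the State (GTA) password standard listed on page 33, plus a test for the first pitfall above (a password that is really just a dictionary word with decoration). Added example, not from the GaDOE deck; the small word list stands in for a real dictionary file and is constructed here.

```python
import re

# The GTA standard as stated on the slide.
MIN_LENGTH = 8
SPECIALS = "!@#$%*&"

# Constructed stand-in for a dictionary; a real check would load a full
# word list (for example /usr/share/dict/words).
DICTIONARY = {"password", "welcome", "georgia", "summer", "letmein", "lamb"}


def check_gta_standard(password: str) -> list:
    """Return the list of GTA rules the password fails; an empty list passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        failures.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not any(c in SPECIALS for c in password):
        failures.append(f"no special character from {SPECIALS}")
    return failures


def is_dictionary_based(password: str) -> bool:
    """True when the password is a dictionary word once case changes and any
    digits or specials tacked onto the ends are ignored: 'Password1!' still
    fails this test even though it satisfies every rule of the standard."""
    core = password.lower().strip("0123456789" + SPECIALS)
    return core in DICTIONARY


def evaluate(password: str) -> list:
    """Combine both checks into one list of reasons to reject."""
    reasons = check_gta_standard(password)
    if is_dictionary_based(password):
        reasons.append("based on a dictionary word")
    return reasons


if __name__ == "__main__":
    for pw in ("RaLlbdr3#", "Password1!", "georgia"):
        print(pw, "->", evaluate(pw) or "meets the standard")
```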

Page 35:

Passwords

Store passwords securely:

http://passwordsafe.sourceforge.net

http://www.iliumsoft.com/site/ew/ewallet.php

Page 36:

E-mail

E-mail is a very convenient way to share information, but also has its drawbacks.

• When you click send, there is no control over where the e-mail travels

• Unencrypted e-mail may be viewed along the way to its destination

• It is not uncommon to have sensitive information contained in the body of the e-mail or as an attachment

Page 37:

E-mail

Suspicious e-mails from unknown or unfamiliar addresses

• Beware of ‘catchy’ subject lines: ‘I love You, Need Business Representatives, You have Won the Lottery’

• Don’t open attachments with suspicious file extensions: .exe, .bin, .com, .scr, .vbs, .pif

• Don’t open embedded web links found in the message

Page 38:

E-mail

HIPAA data (ePHI) and PII require higher security

• Use secure, encrypted e-mail software

• Use VPN remote access to share e-mail with GaDOE workers

• Do not forward e-mails containing ePHI to non-secure accounts, e.g., Hotmail, AOL; unless permission is given

• Avoid using individual names, medical account and medical record numbers in unencrypted e-mails

• If email encryption is NOT available, obtain consent form or agency agreement that outlines the risks of unencrypted e-mail messages

Page 39:

E-mail

Private Information should be protected from public disclosure.

Items of information that should be protected are:

• Name

• Social Security number

• Home address

• Date of birth

• Home phone number

Private information should only be used in the conduct of official state business and should never be e-mailed by unencrypted means.

Page 40:

Information and Data Security

The importance of maintaining the protection of the State’s information and data cannot be expressed strongly enough.

The three main goals and objectives of information security programs:

• Confidentiality

• Integrity

• Availability

Page 41:

Information and Data Security

Confidentiality - is achieved by ensuring that only authorized individuals collect, access, process and disseminate information and data pertaining to their job functions

Integrity - is achieved through business and technical processes that ensure authorized updates are made

Availability - is achieved by having resilient IT infrastructure and data back-ups

Page 42:

Information and Data Security

Role / Example / Basic Responsibilities

Data owner
Example: Deputy Superintendent
Basic responsibilities: Determine classification; Specify controls; Appoint custodian

Data user
Example: Internal business user; Business partner; Business client (web)
Basic responsibilities: Follow acceptable usage policies; Maintain security; Report violations

Data custodian

Page 43:

Information and Data Security

Threat: Social Engineering - the act of manipulating people into performing actions or divulging confidential information.

One of the greatest threats to the protection of our information and data is through Social Engineering.

A common example of this is someone calls you posing as ‘Help Desk’ or ‘Systems Support’ and has you provide your User ID and password to validate operational checks.

The real question is whether the person on the phone is really who they say they are – authentication. If you aren’t sure – just ask for them to come down or send you an e-mail for verification.

Page 44:

Information and Data

Threat: Social Engineering

Phishing – is a type of Social Engineering with the goal of obtaining personal information:

• Log-on credentials

• Credit Card numbers

• Financial account data

Page 45:

Information and Data Security

Threat: Social Engineering

Phishing Techniques:

• E-mail messages

• Fake web sites

• Fake site address URLs

Example: www.amazon.com becomes www.amazaon.com

Page 46:

Information and Data Security

Threat: Social Engineering

Phishing by the numbers - Gartner Reports

• Cost to businesses and consumers in 2006

• An estimated 57 million people received phishing e-mail

• 1.8 million people actually responded to e-mail requests

Page 47:

Information and Data Security

Countermeasures to Phishing attacks include:

• Be skeptical of e-mails indicating you must make changes to your accounts, or warnings stating an account will be terminated if you don’t perform some online activity

• Review the address bar to see if the domain name is correct

• When submitting any type of financial or credential data, an SSL connection should be set up, and is indicated in the address bar (https://) and a closed-padlock icon in the browser
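The two address-bar checks above (is the domain really the one you expect, and is the connection https?) and the look-alike domain from page 45 (amazon.com versus amazaon.com), written as a small link checker a help desk or mail gateway could run over links found in a message. Added example, not part of the GaDOE deck; the trusted-domain list and the agency.example domain are constructed, and the two-label domain rule is a simplification of a real public-suffix lookup.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the slide's example brand plus a placeholder agency domain.
TRUSTED_DOMAINS = {"amazon.com", "agency.example"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character inserts, deletes or substitutions
    needed to turn a into b. amazaon.com is one edit from amazon.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host name (assumption: good enough for the
    .com/.example names used here; a real tool would consult the public
    suffix list so that co.uk-style domains are handled)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assess_link(url: str) -> dict:
    """Classify a link as trusted, lookalike or unknown and list findings."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    findings = []
    if parts.scheme != "https":
        findings.append("not https")           # no padlock, credentials travel in the clear
    if domain in TRUSTED_DOMAINS:
        verdict = "trusted"
    else:
        # A trusted name typed slightly wrong, like amazaon.com ...
        near = sorted(t for t in TRUSTED_DOMAINS if 0 < levenshtein(domain, t) <= 2)
        # ... or a trusted name buried inside someone else's domain.
        embedded = sorted(t for t in TRUSTED_DOMAINS if t in host)
        if near:
            findings.append(f"looks like {near[0]}")
        if embedded:
            findings.append(f"uses {embedded[0]} inside another domain")
        verdict = "lookalike" if (near or embedded) else "unknown"
    return {"host": host, "domain": domain, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for link in ("https://www.amazon.com/", "http://www.amazaon.com/signin",
                 "https://amazon.com.secure-login.example/"):
        print(link, "->", assess_link(link))
```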

Page 48:

Phishing - countermeasures

Page 49:

Information and Data Security

Countermeasures to Phishing attacks cont.

• Call the legitimate company to find out if this is a fraudulent e-mail

• Don’t click HTML links contained within e-mail messages, type them manually instead

• Do not accept e-mail in HTML format

Page 50:

Information and Data Security

There are 3 areas of concern:

• Health

• Educational

• Administrative

Page 51:

Information and Data

Health Information

Health information and data come under the federal regulations of the Health Insurance Portability and Accountability Act (HIPAA)

Key points to remember about HIPAA:

• Electronic Protected Health Information must be protected from unauthorized disclosure

• Access to databases, applications and specific patient information must be recorded

• When transmitting ePHI, you must ensure protective administrative and technical steps are followed

Page 52:

Information and Data

Educational Information

Comes under the Family Educational Rights & Privacy Act (FERPA)

Key points to remember about FERPA:

• Privacy Set information

• Written permission for access

• Student grades and disciplinary records

• Specific identifiers associated with student names

– GTIDs

– Future ID sets

Page 53:

Information and Data

Administrative Information

Includes items such as:

• HR personnel records

• Vendor contracts

• Contract bids

• Facilities Information

Page 54:

Information and Data

Recycling and Surplus – Object Reuse

Recycling, surplus, and media sanitization of computing equipment and storage media should be performed in accordance with the Georgia Dept of Administrative Services Policy: Electronic Equipment Disposal, Sep 2005.

The burden is on the worker and the agency to ensure that all sensitive information and data is removed from computing devices and media before recycling, turn-in, or disposal.

Page 55:

Internet Use

The State Enterprise Security Policy, 3.1.3, establishes basic parameters of use for State IT assets. Your agency may have more stringent policies. Check with your Human Resource Office or Information Security Officer.

To comply with the Enterprise policy, Users shall refrain from inappropriate use of State of Georgia information technology resources at all times, including during breaks or outside of regular business hours.

Page 56:

Internet Use

Inappropriate usage includes (but is not limited to) actual or attempted usage of information technology resources for:

• Conducting private or personal for-profit activities. This includes use for private purposes such as business transactions, private advertising of products or services, and any activity meant to foster personal gain;

Page 57:

Internet Use

• Conducting unauthorized not-for-profit business activities;

• Conducting any illegal activities as defined by federal, state, and local laws or regulations;

• Creation, accessing or transmitting sexually explicit, obscene, or pornographic material;

• Creation, accessing or transmitting material that could be considered discriminatory, offensive, threatening, harassing, or intimidating;

Page 58:

Internet Use

• Creation, accessing, or participation in online gambling;

• Infringement of any copyright, trademark, patent or other intellectual property rights;

• Performing any activity that could cause the loss, corruption of or prevention of rightful access to data or the degradation of system/network performance;

• Conducting any activity or solicitation for political or religious causes;

• Unauthorized distribution of state data and information;

Page 59:

Internet Use

• Attempts to subvert the security of any state or other network or network resources;

• Use of another employee’s access for any reason unless explicitly authorized;

• Attempts to modify or remove computer equipment, software, or peripherals without proper authorization; or,

• Attempts to libel or otherwise defame any person.

Page 60:

Reporting of Security Incidents

Policy violations, security breaches, and inappropriate use should be immediately reported to your supervisor and/or Information Security Officer.

Delay in reporting may cause further damage, theft or exposure to harm.

Page 61:

Thank You – Stay Secure

Page 62:

Notes: Talking Points…

1. Social Networking ills

2. E-cards – a no no

3. Ever click on a link and nothing happens? That’s what you think anyway.

4. Windows updates

5. Encryption of your data

6. Public computers/kiosks – latent personal data – beware!

7. Remind users not to put PII on ‘S’ drive. It is PUBLIC!!

8. You need a blurb on business continuity son!!

9. Make mention of “Scareware” – programs that try to entice users into paying for AV software
