Introduction to Information Security
Office of the Vice President for Information Technology
Mr. Corbett Consolvo, IT Security Analyst
Ms. Lori McElroy, IT Security Officer
[email protected] – http://security.vpit.txstate.edu
Agenda
– Introduction
– The State of Texas State's Information Security program
– Appropriate Use Policy
– Confidential Information
– Identity Finder demo
– Current Threats and Protections
– Best Practices
– Q&A
Information Security: What's Information Security?
The protection of data against unauthorized access. This includes:
– How we access, process, transmit, and store information
– How we protect devices used to access information
– How we secure paper records, telephone conversations, and various types of digital media
The State of Texas State's Information Security Program
Comprehensive set of security policies, practices, and services for:
– Network Access Management
– Threat Management
– Incident Management and Response
– http://security.vpit.txstate.edu/services.html
Information Security Program: Compliance
Texas State University Policies
– Appropriate Use of Information Resources (UPPS 04.01.07)
• http://www.txstate.edu/effective/upps/upps-04-01-07.html
– Security of Texas State Information Resources (UPPS 04.01.01)
• http://www.txstate.edu/effective/upps/upps-04-01-01.html
– Appropriate Release of Information (UPPS 01.04.00)
• http://www.txstate.edu/effective/upps/upps-01-04-00.html
Other federal and state laws
– Texas Administrative Code, Chapter 202 (TAC 202)
– TPIA – Texas Public Information Act
– FERPA – Family Educational Rights and Privacy Act
– HIPAA – Health Insurance Portability and Accountability Act
– GLBA – Gramm-Leach-Bliley Act
Information Security Program: Awareness
Annual Cyber Security Awareness Month – October
– October 22nd, LBJ Student Center, 10am–3pm
Introductory and technical security classes
TXState security discussion lists:
– [email protected]
– [email protected]
File sharing risks outreach
– H.R. 4137, the Higher Education Opportunity Act
– http://security.vpit.txstate.edu/awareness/digital_copyright-p2p-filesharing.html
– University Seminar
– CSAD
– Notice to students and parents
Appropriate Use Policy
– UPPS 04.01.07
– Applies to all faculty, staff, and students
– Acceptance when you change your password
Appropriate Use Policy: Highlights
– Illegal, threatening or deliberately destructive use
– Authorized use only
– Email use
– Circumventing security procedures
– Protect your identity
– Copyright infringement
– Protect confidentiality
Confidential Information: Classes of Information
Public information
• e.g., job postings, service offerings, published research, directory information, degree programs.
Sensitive information
• e.g., performance appraisals, dates of birth, email addresses, donor information.
Restricted information
• e.g., SSN, credit card info, personal health info.
http://security.vpit.txstate.edu/policies/data_classification.html
Confidential Information: Release Precautions
FACT 1: Texas State is a public institution
FACT 2: Texas State is subject to the Texas Public Information Act
FACT 3: TPIA does not make all Texas State information freely available to the public
IMPORTANT NOTE: If you receive a request for information from any external party, and you aren't certain that the information can be released, consult the Office of the University Attorney before releasing the information.
Confidential Information: Protections
What should you do about phone conversations?
What should you do with printed, scanned, copied, or faxed copies?
Where should you store media or hard copies?
What should you do before disposing of or transferring media (including cell phones)?
– http://www.tr.txstate.edu/itac/repair/hardware-disposal
What about your monitor screen?
Confidential Information: Protections
What should you do before disposing of records?
What should you do if you receive a phone call asking you to disclose information?
What should you do when you walk away from your workstation?
How should you protect your password?
Confidential Information: Discovery
Identity Finder Demonstration
Information Security: Current Trends
Symantec – last six months of 2007
"Professional" hackers are commercializing
– $ is the motivator
– They are selling our information (medical, credit card, identities)
The Web as the focal point
– Where we spend our time and divulge our information
End-users are the primary target
– Phishing, web browsers (plug-ins), malware, spam, botnets
– Mobile device security (clever ploys)
Increasing privacy data breaches
– http://www.privacyrights.org/identity.htm
– https://www.ssnbreach.org/
Information Security: Current Threats and Protections
Phishing – what is it and how do I protect myself from it?
– See IT Security Awareness pages for detailed information: http://security.vpit.txstate.edu/awareness/phishing.html
– View a video from Microsoft on phishing: http://www.microsoft.com/protect/videos/Phishing/PhishingMSHi.html
– Protections:
• Do not submit personal information in response to an email
• Verify the authenticity and security of web sites before entering your personal information (https, certificates)
Information Security: Current Threats and Protections
SPAM – what is it and how do I protect myself from it?
– Protections:
• Don't open emails or attachments from an unknown source
• Use available filtering/blocking tools (http://www.tr.txstate.edu/get-connected/computerservices/e-mail-setup/spam-filter-faq.html)
• Don't click on any links in spam
• Don't forward spam on to your friends
• Validate hoax email: www.snopes.com, www.hoax-slayer.com
Information Security: Current Threats and Protections
Spyware – what is it and how do I protect myself from it?
– View a video from Microsoft on spyware: http://www.microsoft.com/protect/videos/Spyware/SpywareMSHi.html
– Protections:
• Do not download or install untrusted or unknown programs
• Use anti-spyware software, such as Ad-Aware (www.lavasoftusa.com) or Windows Defender (http://www.microsoft.com/windows/products/winfamily/defender/default.mspx)
• Demo: Windows Defender
Information Security: Download Security Video
EDUCAUSE Computer Security Awareness Video Contest 2006 honorable mention, "Act Now – Know Your Sources" by Stephen Hockman, Christina Manikus, John Sease, & Erin Shulsinger, James Madison University
http://www.educause.edu/SecurityVideoContest2006/7103
Information Security: Best Practices
Data Backup
– Regular or automatic backups
– Protect backup media
– Protect sensitive information stored on backup media
– Critical data should be backed up frequently
– Test your recovery
Information Security: Best Practices
System, Software, & Anti-Malware Updates
– Operating system patches
– Anti-virus and anti-spyware
– Host-based firewalls
– Application software
Automatic or regularly scheduled updates are best
– Demo: McAfee
Information Security: Best Practices
User Accounts and Passwords
– Use separate user accounts
• Administrator accounts for installing software, etc.
• User accounts for normal usage
– Use strong passwords
• Mix upper case, lower case, and numeric characters
• The longer the better, but a minimum of 8 characters
• Use passphrases
• Avoid valid dictionary words and proper names
• Avoid re-using passwords
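As an added example (not code from the slides or from Texas State's own tooling), the checker below turns the password rules on this slide into something a help desk or account-provisioning script could actually run: minimum length of 8, a mix of upper case, lower case and digits, rejection of a dictionary word or proper name that has merely been dressed up with digits or symbol substitutions, and rejection of a password that was used before. The word and name lists, the substitution table and the PBKDF2 parameters are constructed for illustration and are not taken from any Texas State policy; treating a multi-word passphrase as acceptable because it does not collapse to one list entry is my reading of the "Use passphrases" and "Avoid valid dictionary words" pair. Password history is kept only as salted PBKDF2 digests, so enforcing "avoid re-using passwords" never requires storing old passwords in the clear.

```python
import hashlib
import hmac
import math
import os
import re

# Constructed sample word and name lists (assumption: a real deployment would load
# a full dictionary and a names file in their place).
DICTIONARY_WORDS = {"password", "welcome", "bobcat", "texas", "summer", "football", "letmein"}
PROPER_NAMES = {"corbett", "lori", "austin", "marcos"}

MIN_LENGTH = 8  # slide: "a minimum of 8 characters"
# Common symbol/digit-for-letter substitutions, undone before the dictionary check.
LEET_MAP = str.maketrans("@$10!3", "asloie")
PBKDF2_ROUNDS = 100_000  # assumed work factor for the history digests


def _letter_forms(candidate):
    """Letter-only spellings a password may be hiding a dictionary word behind.

    'P@ssw0rd1' yields 'password' among its forms; 'Bobcat2008' yields 'bobcat'.
    """
    base = candidate.lower()
    # Drop leading/trailing digits and symbols so 'Corbett1' is seen as 'corbett'.
    trimmed = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", base)
    forms = {base, base.translate(LEET_MAP), trimmed, trimmed.translate(LEET_MAP)}
    return {re.sub(r"[^a-z]", "", form) for form in forms}


def remember_password(candidate):
    """Record a password for the reuse check as (salt, PBKDF2 digest); never store plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used(candidate, salt, digest):
    """Constant-time comparison of the candidate against one stored history entry."""
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(probe, digest)


def check_password(candidate, history=()):
    """Apply the slide's rules; return the list of failures (an empty list means acceptable).

    history: iterable of (salt, digest) pairs produced by remember_password().
    """
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_lower and has_upper and has_digit):
        failures.append("must mix upper case, lower case and numeric characters")
    # A single dictionary word or name plus digits/substitutions is still weak.
    # A multi-word passphrase does not collapse to one list entry, so it passes here.
    if _letter_forms(candidate) & (DICTIONARY_WORDS | PROPER_NAMES):
        failures.append("is a dictionary word or proper name with trivial substitutions")
    if any(was_used(candidate, salt, digest) for salt, digest in history):
        failures.append("has been used before")
    return failures


def estimated_bits(candidate):
    """Rough brute-force strength: length * log2(alphabet implied by the classes used).

    Shows why 'the longer the better': a long passphrase outscores a short complex password.
    """
    alphabet = 0
    if any(c.islower() for c in candidate):
        alphabet += 26
    if any(c.isupper() for c in candidate):
        alphabet += 26
    if any(c.isdigit() for c in candidate):
        alphabet += 10
    if any(not c.isalnum() for c in candidate):
        alphabet += 33  # printable ASCII punctuation and space
    return len(candidate) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    # Constructed sample: one previously used password, then a few candidates.
    history = [remember_password("Bobcat2008")]
    for pw in ["Bobcat2008", "P@ssw0rd1", "Corbett1", "Tx2008!", "Summer Storm over Austin 2008"]:
        verdict = check_password(pw, history) or "OK"
        print(f"{pw!r}: {verdict} ({estimated_bits(pw):.0f} bits)")
```

Running the block prints a verdict per sample: the reused and dictionary-derived passwords fail, the seven-character one fails on length, and the five-word passphrase passes with a far higher bit estimate than the nine-character "P@ssw0rd1".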
Information Security: Best Practices
Create strong passwords that are easy to remember
Strong password checker websites
– http://www.microsoft.com/protect/yourself/password/checker.mspx
– http://strongpasswordgenerator.com/
Use different passwords for different functions
– Banking
– Purchasing
– Email
Password management tools
– Password Safe
Information Security: Best Practices
Mobile computing and portable media
– Confidential or Personally Identifiable Information (PII) is your responsibility to protect
• Use passwords, preferably "power on" passwords
• Use an additional authentication factor, such as a fingerprint reader on a laptop
– Remove or "shred" all data before disposing or transferring
– Always keep the device with you when you are away from the office (e.g., do not leave it unattended in a hotel room, conference, or your vehicle)
– Laptop theft tracker: http://adeona.cs.washington.edu/
Information Security: Best Practices
Wireless network security
– Texas State University's wireless networks
• Open network
• Encrypted wireless network setup: http://www.tr.txstate.edu/get-connected/computerservices.html
– Wireless security at home
• Change the router's default password
• Use strongest available encryption
• Use MAC address restrictions
– Use public wireless networks only for risk-free activities
Information Security: Wireless Security Video
EDUCAUSE Computer Security Awareness Video Contest 2007 bronze award, "When You Least Expect It", by Nolan Portillo, California State University – Bakersfield
http://www.educause.edu/SecurityVideoContest2007/713549
Information Security: Best Practices
Identity Theft and Credit Card Fraud
– http://security.vpit.txstate.edu/awareness/idtheft.html
– View a video from the Federal Trade Commission: http://www.ftc.gov/bcp/edu/microsites/idtheft/video/avoid-identity-theft-video.html
– Do not give out your personal information unnecessarily
– Limit use on public computers or networks
– Check your receipts for credit card numbers
– Apply for your free annual credit report from all 3 agencies
– Identity Theft IQ Test
Information Security: Identity Theft Video
EDUCAUSE Computer Security Awareness Video Contest 2007, "Out in the Open", Mark Lancaster, Texas A&M University
http://www.researchchannel.org/securityvideo2007/
Information Security: Best Practices
MySpace and Facebook – most popular
– http://security.vpit.txstate.edu/awareness/social_networking.html
– Use caution when posting personal information
– Photos can be used by a stalker to gather information about you or your family
– Talk about social networking protections with your family and friends
– Limit access to your personal site
– Remember that pages are cached
Information Security: Best Practices – Useful Links
Use secure (https) for Gmail – DEMO
Top 20 Vulnerabilities
– http://www.sans.org/top20/
Identity Theft
– http://onguardonline.gov/idtheft.html
– http://www.vpit.txstate.edu/security/items_interest/identity.html
Annual Credit Report
– https://www.annualcreditreport.com/cra/index.jsp
Best Practices
– http://security.vpit.txstate.edu/awareness/best_practices.html
Information Security: How Do I Find Out More?
Texas State Sites
– IT Security – http://www.vpit.txstate.edu/security
– Privacy Rights Notice – http://www.tr.txstate.edu/privacy-notice.html
– Identity theft – http://webapps.tr.txstate.edu/security/identity.html
– FERPA at Texas State – http://www.registrar.txstate.edu/persistent-links/ferpa.html
Contacts
– Information Technology Security: 512-245-HACK (4225), [email protected]
– Information Technology Assistance Center (Help Desk): 512-245-ITAC (4822) or 512-245-HELP, [email protected]
Q & A