Protecting Sensitive Information and Keeping Your Identity Your Own Cyberethics, Cybersafety, and Cybersecurity Conference October 7, 2005 Amy Ginther, Project NEThics Coordinator Office of Information Technology


Page 1: Protecting Sensitive Information and Keeping Your Identity Your Own

Cyberethics, Cybersafety, and Cybersecurity Conference

October 7, 2005

Amy Ginther, Project NEThics Coordinator

Office of Information Technology

Page 2: Types of Data Compromise

Data loss

Data theft

Identity theft

Page 3: CIFAC Project

Computer Incident Factor Analysis and Categorization Project

Examined perceptions of the importance of 80 variables in causing computer-related incidents involving systems, data, or people

Lack of sufficient training and education identified as most frequent cause of incidents.

Analysis of best-practice recommendations for incident prevention, mitigation and management yielded this conclusion:

“Having policies in place, enforcing policies, and providing user awareness training was considered the most important factor in preventing the incidents from happening.” Rezmierski, Rothschild, Kazanis, Rivas (2005).

Page 4: Personal Identification Initiative

• Policy on the Collection, Use and Protection of ID numbers
• Limit use of social security numbers
• Promote the use of alternate identifiers: U ID (number) and Directory ID (alpha-numeric ID)
• Increase protection of SSN
• For more information, see http://www.oit.umd.edu/dataadmin/PersonalIdentification/ and http://www.oit.umd.edu/units/dataadmin/Policies/Policy_on_Collection_Use_Protection_of_ID_Numbers.pdf

Page 5: State Privacy Law

• Privacy policy: www.umd.edu/privacy

If you are asked to provide personal information on an official university web site, university policy provides that you should be notified of the following:

• The purpose for which the personal information is collected;
• Any specific consequences for refusing to provide the information;
• Your right to inspect, amend, or correct personal records, if any;
• Whether the personal information is generally available for public inspection; and
• Whether the personal information is made available or transferred to or shared with any entity.

Page 6: Potential ID Theft at Universities

• “Universities have accounted for 28% of the 50 security breaches of personal information recorded by California since 2003… …that’s more than any other group…” - San Francisco Chronicle, March 29, 2005

• And this is just California!

Page 7: Shadow Databases

• “A thief recently walked into a Berkeley office and swiped a laptop containing personal information about nearly 100,000 alumni…” - San Francisco Chronicle, March 29, 2005

Page 8: Universities with ID Theft Incidents

• UC Berkeley
• Carnegie Mellon University
• UT Austin
• George Mason University
• and several more…

Page 9: What can be done?

• Stop using shadow databases
• Limit who has access to sensitive data
• Encryption
• Ensure the computer it’s stored on is protected (both physically and electronically)

Page 10: Shadow Databases

• Shadow databases are copies of a master database (ex: a copy of the Alumni database made for a professor for research purposes)

Page 11: Shadow Databases

• Shadow databases on laptops and desktops are often unprotected.
• This leaves them vulnerable to theft, viruses, worms, bots, hackers, etc.

Page 12: Limiting Access to Sensitive Data

• Why does someone need a copy of a database?
• Why does there need to be a full SSN? Use only the last 5–6 digits. (A partial SSN paired with a name is still sensitive and needs the same protection.)
• Once the data is no longer needed – delete it!
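The three questions above amount to a release procedure: give the requester a surrogate identifier instead of the SSN, copy only the columns they asked for, and check the extract before it leaves. The following is an added example, not code from the presentation or from UMD; the master-file layout, the "U" + eight-digit UID format, and the sample rows are all constructed (the SSNs use area number 987, which has never been issued).

```python
"""Releasing an alumni extract without the full SSN.

Added example, not from the original slides. The master-file layout,
the UID format ("U" + eight digits) and the sample rows are constructed;
the SSNs use area number 987, which has never been issued.
"""
import csv
import io
import re
import secrets

# Constructed master data (the "alumni database" a professor might ask for).
MASTER_CSV = """name,ssn,grad_year,email
Jane Q. Alumna,987-65-4320,1998,jqa@example.edu
John R. Graduate,987-65-4321,2001,jrg@example.edu
Mary S. Scholar,987-65-4322,2004,mss@example.edu
"""

# Anything shaped like a full SSN: 123-45-6789 or 123456789.
SSN_SHAPE = re.compile(r"(?<!\d)\d{3}-?\d{2}-?\d{4}(?!\d)")


def load_master(text):
    return list(csv.DictReader(io.StringIO(text)))


def issue_uid(registry, ssn):
    """Return the UID for this SSN, minting a random one on first sight.

    The UID carries no information about the SSN; the registry
    (UID -> SSN) is the only link and stays with the data custodian.
    """
    for uid, known in registry.items():
        if known == ssn:
            return uid
    while True:
        uid = "U" + f"{secrets.randbelow(10**8):08d}"   # not SSN-shaped
        if uid not in registry:
            registry[uid] = ssn
            return uid


def research_extract(rows, registry, wanted_fields, ssn_last_digits=0):
    """Build the smallest extract that serves the request.

    Only the named columns are copied, the full SSN is never a column,
    and at most the last `ssn_last_digits` digits of it are included.
    """
    if "ssn" in wanted_fields:
        raise ValueError("the full SSN is not released; ask for ssn_last_digits instead")
    extract = []
    for row in rows:
        rec = {"uid": issue_uid(registry, row["ssn"])}
        rec.update({f: row[f] for f in wanted_fields})
        if ssn_last_digits:
            rec["ssn_last"] = row["ssn"].replace("-", "")[-ssn_last_digits:]
        extract.append(rec)
    return extract


def contains_full_ssn(records):
    """Release gate: refuse any extract in which an SSN-shaped value survives."""
    return any(SSN_SHAPE.search(str(v)) for rec in records for v in rec.values())


if __name__ == "__main__":
    registry = {}          # custodian-only; never ships with the extract
    rows = load_master(MASTER_CSV)
    extract = research_extract(rows, registry, ["name", "grad_year"], ssn_last_digits=4)
    assert not contains_full_ssn(extract)
    for rec in extract:
        print(rec)
```

The gate at the end is what catches a request that quietly asks for "the last nine digits": the extract then contains an SSN-shaped value and is refused, whatever the requester called the column.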

Page 13: Encryption

• Encryption converts a document into an unreadable form by running it through an algorithm (a cipher)
• You need a key to convert the encrypted version back to the original document; in practice the key is derived from a password or passphrase
• If an encrypted DB is stolen and the thief doesn’t have the key (or the passphrase it is derived from), they can’t read it
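What the slide describes, as an added example (not code from the presentation): a passphrase is stretched into a key with scrypt, and the file is encrypted with AES-GCM, which also detects tampering. This uses the third-party `cryptography` package (`pip install cryptography`); the `SDB1` file tag and the sample data are constructed for the illustration.

```python
"""Encrypting a shadow-database file under a passphrase-derived key.

Added example, not from the original slides. Requires the third-party
`cryptography` package. The SDB1 format tag and sample data are made up.
"""
import secrets

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

MAGIC = b"SDB1"            # format tag so unrelated files are rejected early
SALT_LEN, NONCE_LEN = 16, 12


def _derive_key(passphrase: str, salt: bytes) -> bytes:
    # scrypt turns a human passphrase into a 256-bit key; the cost
    # parameters make guessing passphrases offline slow for a thief.
    kdf = Scrypt(salt=salt, length=32, n=2**14, r=8, p=1)
    return kdf.derive(passphrase.encode("utf-8"))


def encrypt_bytes(plaintext: bytes, passphrase: str) -> bytes:
    """Return MAGIC || salt || nonce || ciphertext+tag."""
    salt = secrets.token_bytes(SALT_LEN)      # fresh salt: same passphrase, different key
    nonce = secrets.token_bytes(NONCE_LEN)    # fresh nonce: never reuse with one key
    key = _derive_key(passphrase, salt)
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, MAGIC)
    return MAGIC + salt + nonce + ciphertext


def decrypt_bytes(blob: bytes, passphrase: str) -> bytes:
    """Recover the plaintext, or raise ValueError on a wrong passphrase or tampering."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an encrypted shadow-database file")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:len(MAGIC) + SALT_LEN + NONCE_LEN]
    ciphertext = blob[len(MAGIC) + SALT_LEN + NONCE_LEN:]
    key = _derive_key(passphrase, salt)
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, MAGIC)
    except InvalidTag:
        raise ValueError("wrong passphrase or the file has been modified")


def encrypt_file(src: str, dst: str, passphrase: str) -> None:
    with open(src, "rb") as fh:
        blob = encrypt_bytes(fh.read(), passphrase)
    with open(dst, "wb") as fh:
        fh.write(blob)


if __name__ == "__main__":
    sample = b"name,ssn\nJane Q. Alumna,987-65-4320\n"   # constructed row
    blob = encrypt_bytes(sample, "correct horse battery staple")
    print(len(blob), "bytes on disk; plaintext visible:", sample in blob)
    print(decrypt_bytes(blob, "correct horse battery staple") == sample)
```

The passphrase is the whole defence once the laptop is gone, so the password advice later in this deck applies directly to it; the salt stops a thief from precomputing keys for common passphrases, and the authentication tag means a modified file is rejected rather than decrypted to garbage.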

Page 14: Protecting computers

• Physical security: laptop/desktop cables and locks (like a bicycle lock), STOP Tag
• Up-to-date anti-virus software (http://www.helpdesk.umd.edu)
• Up-to-date on patches (Windows Update)
• Personal firewall (XP Service Pack 2 or ZoneAlarm)

Page 15: Better Password Practices

• Use strong passwords! (ex: ‘tIaHrdPa$s2Crk’, not ‘password’)

• Store passwords safely. Do not store your passwords on your computer, keep a list of them next to your computer, or put them in your top drawer where a snooping visitor can find them.

• Use different passwords for different accounts.

• Change passwords with some regularity.

Page 16: UMD’s push to minimize SSN use

• Creation of the UID – a unique number not tied to SSNs; needed for a variety of purposes
• Move to U ID from SSN:
  • Policy approval by President
  • Inventory where SSN is used to plan conversion
  • Print U ID, NOT SSN, on ID cards
  • Remove SSN from display on information system screens and on printed reports
  • Remove SSN option from login screens
  • Continue education of all
  • Password self-service

Page 17: UMD’s push to minimize SSN use

• OIT is currently auditing every department on campus to minimize the number of computers that have sensitive data on them, and to lock down those computers that MUST have sensitive data
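An audit like this starts by finding out which machines actually hold SSNs. The scanner below is an added example, not OIT's tooling or code from the presentation: it walks a directory, matches SSN-shaped numbers, and drops the ones that fail the structural rules for issued numbers (area 000, 666 or 900+, group 00, serial 0000), which removes most phone numbers and order numbers. Only plain-text formats are read; spreadsheets and databases need their own parsers. The directory tree and file contents it scans are constructed.

```python
"""Find files that hold SSNs: the first step of a 'where is sensitive data' audit.

Added example, not from the original slides or OIT's own tooling. The
directory tree and file contents are constructed; only plain-text formats
are scanned (spreadsheets and databases need their own parsers).
"""
import os
import re
import tempfile

# 123-45-6789, 123 45 6789 or 123456789, not embedded in a longer digit run
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
TEXT_EXT = (".csv", ".txt", ".tsv", ".sql", ".log", ".dat")


def plausible_ssn(area, group, serial):
    """Structural rules for issued SSNs: area not 000/666/900+, group and serial not zero."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_ssns(text):
    """Return every plausible SSN string in the text, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]


def scan_tree(root):
    """Map each text file under root that holds plausible SSNs to its hit count."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(TEXT_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="replace")
            hits = find_ssns(text)
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = len(hits)
    return findings


# Constructed sample tree: one shadow copy of the alumni file, some noise,
# and a binary file type the scanner does not open.
SAMPLE_TREE = {
    "grants/alumni_copy.csv": "name,ssn,year\nA. Person,123-45-6789,1998\nB. Person,321 54 9876,2001\n",
    "notes/readme.txt": "call 301-405-1000; test record 000-12-3456; PO 12345678901\n",
    "bin/app.exe": "MZ 123-45-6789\n",
}


def demo_scan():
    """Write the constructed tree into a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_TREE.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, count in sorted(demo_scan().items()):
        print(f"{count:4d}  {path}")
```

Point `scan_tree` at a user's home directory or a shared drive to build the inventory; each hit is either a computer to be locked down as the next slide describes or, more often, a shadow copy that can simply be deleted.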

Page 18: UMD’s push to minimize SSN use

We will lock down these computers by:
• Encrypting the database containing sensitive info
• Keeping up to date on patches
• Running a personal firewall
• Using strong passwords
• Turning off services that aren’t needed

Page 19: The Range of Dangers

Fee fraud hoax

ShareYourExperiences.com and Word-of-Mouth.org

Work from home scam

Phishing

Pharming

Evil Twins

Page 20: Legit?

PayPal notice:
• “…and we have reasons to belive [sic] that your account was hijacked by a third party”
• “If you choose to ignore our request, you leave us no choise [sic] but to temporaly [sic] suspend your account.”

PayPal logo on the legitimate Web site (http://www.paypal.com/) always appears with the trademark

http://www.citibank.com/us/index.htm

Page 21: How to Identify Scam Messages

Fraudulent messages only offer one means of communication with the company.

Look for awkward writing, grammatical and spelling errors in messages—they abound!

Fraudulent messages begin with a general greeting; you are not identified by name.

Dangerous messages may contain attachments that load software to enable thieves to record your keystrokes

Page 22: Additional Tips to Avoid Victimization

Don’t react to the urgent or obligatory nature of the message

Don’t click on links to reach a company…they can take you to an illegitimate site. Instead, type the URL into a browser window to go to a secure (https) site.

Your legitimate service provider should require you to authenticate with an established user ID and password to log in.

Checking legitimacy of Web host
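The cues on the last two slides (generic greeting, urgency, links that do not go where they claim, executable attachments) can be checked mechanically. The following is an added example, not code from the presentation: it parses a mail message, compares each link's visible text with its real target, and flags the other cues. Spelling errors, the other cue the slides mention, need a dictionary and are not checked here. Both sample messages are constructed; the brand, addresses and URLs (example-bank.com, 198.51.100.7) are fictitious.

```python
"""Heuristics for spotting a scam message, following the cues in the slides.

Added example, not part of the original presentation. The two message
builders construct sample mail inline; the brand, addresses and URLs
(example-bank.com, 198.51.100.7) are fictitious.
"""
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear valued", "dear account holder")
URGENCY = ("suspend", "within 24 hours", "immediately", "hijacked", "verify your account", "ignore our request")
DANGEROUS_EXT = (".exe", ".scr", ".pif", ".bat", ".com", ".vbs", ".js", ".hta")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so the two can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'owner' of a host name: its last two labels (enough for this demo)."""
    return ".".join((host or "").lower().split(".")[-2:])


def assess(msg):
    """Return a list of (rule, detail) findings for an EmailMessage."""
    findings = []
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    text = re.sub(r"<[^>]+>", " ", html).lower()

    if any(g in text[:200] for g in GENERIC_GREETINGS):
        findings.append(("generic_greeting", "you are not addressed by name"))
    hits = [w for w in URGENCY if w in text]
    if hits:
        findings.append(("urgency", "pressure language: " + ", ".join(hits)))

    collector = LinkCollector()
    collector.feed(html)
    for href, shown in collector.links:
        target = urlparse(href)
        if target.hostname and IP_RE.match(target.hostname):
            findings.append(("link_ip", f"link goes to a bare IP address {target.hostname}"))
        if target.scheme != "https":
            findings.append(("not_https", f"link is not https: {href}"))
        shown_host = urlparse(shown).hostname if "://" in shown else None
        if shown_host and registrable(shown_host) != registrable(target.hostname):
            findings.append(("link_mismatch", f"text shows {shown_host} but link goes to {target.hostname}"))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(DANGEROUS_EXT):
            findings.append(("executable_attachment", f"{name} could install a keystroke logger"))
    return findings


def is_suspicious(findings, threshold=2):
    return len(findings) >= threshold


def build_sample_message():
    """Constructed lure in the 'your account was hijacked' style of the PayPal slide."""
    msg = EmailMessage()
    msg["From"] = "Example Bank Security <alerts@examp1e-bank-verify.net>"
    msg["To"] = "user@example.edu"
    msg["Subject"] = "Your account was hijacked - action required"
    msg.set_content("Dear Customer, verify your account within 24 hours or we will suspend it.")
    msg.add_alternative(
        "<p>Dear Customer,</p><p>We have reasons to belive that your account was hijacked "
        'by a third party. Please visit <a href="http://198.51.100.7/login">'
        "https://www.example-bank.com/secure</a> within 24 hours or we will suspend "
        "your account.</p>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="secure_update.exe")
    return msg


def build_benign_message():
    """Constructed legitimate notice: addressed by name, link text matches its target."""
    msg = EmailMessage()
    msg["From"] = "Example Bank <notices@example-bank.com>"
    msg["To"] = "jane@example.edu"
    msg["Subject"] = "Your monthly statement is available"
    msg.set_content("Dear Jane, your statement is ready at https://www.example-bank.com/statements")
    msg.add_alternative(
        "<p>Dear Jane,</p><p>Your statement is ready. Sign in at "
        '<a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a>.</p>',
        subtype="html")
    return msg


if __name__ == "__main__":
    for rule, detail in assess(build_sample_message()):
        print(f"{rule:22s} {detail}")
```

The link check is the mechanical form of "don't click on links to reach a company": when the text a reader sees names one host and the `href` goes to another (here a bare IP over plain http), the message fails regardless of how convincing the logo looks.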

Page 23: Steps to Take if You Become a Victim

1.  Contact your creditors and banks immediately.

2.  Begin keeping records

3.  Flag your credit file for fraud. For more information, go to http://www.consumer.gov/idtheft_old/index.html

4.  Review your credit reports

5.  Report the crime

6.  Address public record errors

Page 24: What the Compromised Agency Should Do

• Communicate with you
• Explain the nature of the compromise and the likelihood of data theft
• Advise you of steps to take (fraud alert)
• Provide a Web site for more information and other resources
• Tell you how to expect that you will be contacted with additional information
• Do not release personal information in response to contacts which you have not initiated
• Tell you the steps that have been taken to mitigate the situation and protect information

Page 25: Other Self-Protection Strategies

• Next time you have checks printed, have only your initials and last name printed on them

• Do not sign the back of your credit cards; instead, write “Photo ID Required”

• Do not put the full account number on the “for” line of your checks when paying bills, just use the last four numbers

• Do put your work phone on your checks instead of home phone

• Do photocopy the contents of your wallet

Page 26: Contact information

Amy Ginther, Project NEThics Coordinator, [email protected], x52619

Gerry Sneeringer, IT Security Director, [email protected], x52996

Project NEThics, [email protected], x58787

Thanks to: Kevin Shivers, Lead Security Analyst (former), for input to this session.