Sponsored by the UW Division of Information Technology (DoIT), Office of Campus Information Security, and Professional Technical Education. Instructors: Cliff Cunningham & Braden Bruington. Security 101: Information Security Basics for IT Staff.
Greetings & introductions: Cliff Cunningham & Braden Bruington • Technology Instructor & Consultant • DoIT security staff
Why are you here? Let’s be honest…
Goals for this course • To communicate healthy data management practices. • To demonstrate how to locate sensitive data. • To educate you on what to do in the event of a data security incident. • To encourage you to take some preemptive steps.
Agenda • Defining our scope: Why is this important? • Defining sensitive data. ---------- BREAK ---------- • How do I find sensitive data? • Handling a data security incident. ---------- BREAK ---------- • Resources & next steps
Hand-outs • Sign-up sheet (blue) • Copy of this presentation (cream) • Resources page (green) • Next steps (yellow) • Evaluation form (pink)
Who are you? • Titles? • Roles? • Operating systems? • Show of hands: who handles… • Financial information • Health information • Grades • Credit cards • Other unique information types
Agenda • Defining our scope: Why is this important? • Defining sensitive data. ---------- BREAK ---------- • How do I find sensitive data? • Handling a data security incident. ---------- BREAK ---------- • Resources & next steps
Why is this important? Did you know…? • Within the UW System, 2 out of 3 IT professionals work outside of DoIT. • How many different UW entities have their own IT staff?
Why is this important? Show me the money • 80% of the campus-wide IT budget is for specified work. • Decentralized funding = decentralized IT.
Why is this important? Thus, this course… This is a campus-wide initiative to • standardize our approach to campus-wide information security, • establish expectations, and • generate a sense of ownership: our own little “E Pluribus Unum” (“From many, one”).
Why is this important? Tip of the training iceberg (diagram: this course sits at the tip; “You are here!”; other training below the waterline: “Other…?”)
Why is this important? Tell us your stories…
Why is this important? It’s the law… Wisconsin’s Data Breach Notification Law • Statute 895.507 (2006), formerly Act 138 • Personal information acquired by an unauthorized person… • … requires notice to the affected individual(s) within 45 days • Covered data includes • SSN • Driver’s license or state ID number • Account number together with any code, password or PIN that permits access • DNA or biometric data
Why is this important? Analysis of data loss incidents: http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm
Why is this important? Fallout from data loss at OU • “If there is any financial damage… I will hold OU at fault and seek legal counsel to recover any and all loss, with punitive damages.” • “I will never donate another penny to you.” • “It was my intention to leave a sizable endowment to OU, but not any longer.” Quotes taken from the article “OU has been getting an earful about huge data theft” by Jim Phillips, Athens NEWS Senior Writer, 2006-06-12.
Why is this important? Effects of data loss on the victim • Personal credit can be destroyed • Bank accounts can be exploited • Private information can be made public • Intellectual property can be compromised • Patent opportunities can be lost
Why is this important? Effects of data loss on the university • Loss of grant money, contracts and research opportunities • The National Institutes of Health won’t grant funds until… • Loss of reputation • Lawsuits • Loss of intellectual property & patents
Why is this important? Lawsuits… • Lending Tree, May ’08 • TJ Maxx, Jan ’07 ($24 million) • Fidelity National Information Services, Aug ’07 • Davidson Companies, Apr ’08 • Hannaford Bros. Co., Mar ’08 • TSA, May ’07
Why is this important? What can you do to help? • Don’t overestimate the awareness of managers. • Don’t underestimate the value that you can add. • Use your educated eyes and ears. • Help data custodians realize that they (we?) may be in violation of certain laws or policies.
Why is this important? Recap • It’s the law. • 1/5th of data loss episodes result from human error or software misconfiguration. • Lost data causes damage to individuals. • Lost data causes damage to the university. • You are in a great position to help.
Agenda • Defining our scope: Why is this important? • What is sensitive data? ---------- BREAK ---------- • How do I find sensitive data? • What do I do with a data security incident? ---------- BREAK ---------- • Resources & next steps
What is sensitive information? Personal information • SSN • Driver’s license number • Name & address • Biometric data • Fingerprints • DNA maps • Voice patterns
What is sensitive information? Health & medical information • Physical diagnoses • Psychological diagnoses & treatment • Prescriptions
What is sensitive information? Financial information • Account numbers • Account passcodes • Debt balances • Net worth • Payroll • Expense reports
What is sensitive information? Academic information • Students: grades, transcripts, communications with faculty • Faculty/staff: intellectual property, research data
What is sensitive information? Laws • Wisconsin’s “Breach Notification” law (personal information) • FERPA (academic): Family Educational Rights and Privacy Act • HIPAA (health & medical): Health Insurance Portability and Accountability Act
What is sensitive information? FERPA: two types of information. Public information • Considered public; the student must request to have it suppressed • Includes name, address, phone; email address; dates of attendance; degrees awarded; enrollment status; major field of study (this is a partial list). Private information • Tightly restricted • Includes SSN; student ID number; race, ethnicity, nationality; gender; transcripts & grades (this is a partial list). Information provided by the Office of the Registrar, UW-Madison Student Privacy Rights and Responsibilities.
What is sensitive information? FERPA and its tentacles. Lesser-known items within FERPA’s reach • Educational records • Personal notes between faculty and students • Communications with parents/guardians • How to post grades • Letters of recommendation
What is sensitive information? For more info, see the Office of the Registrar (www.registrar.wisc.edu) • Brochures • FAQs • On-line tutorials • Onsite training • One-on-one consultation
What is sensitive information? Policies & guidelines • Campus IT policies • Appropriate Use Policies • Electronic Devices policy • Payment Card Industry Data Security Standard (PCI DSS) • A list of specific suggestions, used by OCIS
What is sensitive information? Case study… • The DoIT Store website collected data from hits. • That collected data was being analyzed by the web hosting service. • The web hosting service posted its findings.
What is sensitive information? The rest of the story… • The data being captured included campus IDs and NetIDs. • Old campus IDs used to include SSNs. • The web hosting service didn’t know that. • The web hosting service made its findings available to too many people. • The web hosting service’s findings included the captured data itself.
What is sensitive information? The analysis • All were capable, professional entities. • They didn’t know. • They didn’t anticipate.
What is sensitive information? Some red flags • Multiple parties involved • SSNs were still embedded in some University IDs • The website collected too much info • The findings were publicly available
Agenda • Defining our scope: Why is this important? • What is sensitive data? ---------- BREAK ---------- • How do I find sensitive data? • What do I do with a data security incident? ---------- BREAK ---------- • Resources & next steps
How do I find sensitive information? Before running a scan: GET INFORMED PERMISSION! These scans will produce unusual network traffic and can be mistaken for an attack by whoever is watching the network.
How do I find sensitive information? Finding sensitive information • PII = personally identifiable information • Numerous applications, called “PII finders” • They scan drives • They locate recognizable patterns (e.g. SSN and credit card number formats) • They produce reports • You don’t always know what is on your machine
How do I find sensitive information? How? Question: how might sensitive data find its way onto a piece of hardware?
How do I find sensitive information? Two PII finders • Cornell Spider: free, simple • Identity Finder: being considered by the UW DoIT security group; more costly, but more robust; a free edition is now available, so it’s worth a try • Let’s see how they work
How do I find sensitive information? Compare / contrast (live demo of the two tools)
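To make the “recognizable patterns” idea concrete, here is a small PII finder of the kind the tools above implement. This is an added example written for this page, not code from Cornell Spider, Identity Finder, or the UW presentation. It walks a directory tree, looks for SSN-shaped and credit-card-shaped numbers, throws out the ones that cannot be real (SSN area 000/666/900+, group 00, serial 0000; card numbers that fail the Luhn check), and reports only redacted values, so the report itself does not become a new copy of the sensitive data. The file names and contents in SAMPLE_FILES are constructed test data, not real identifiers.

```python
import os
import re
import tempfile
from collections import Counter

# 3-2-4 digit groups, e.g. 123-45-6789
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 16 digits, optionally separated by spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900+, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; cuts most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(digits: str) -> str:
    """Keep only the last four digits so the report is safe to circulate."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str):
    """Return a list of (kind, redacted_value) for every plausible hit in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", redact("".join(m.groups()))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(("card", redact(digits)))
    return hits


def scan_tree(root: str, max_bytes: int = 5_000_000):
    """Walk root and return {relative_path: {kind: count}} for files with hits.

    Files are read as bytes and decoded leniently so binary files don't abort the scan.
    Unreadable files are skipped; only the first max_bytes of each file is inspected.
    """
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read(max_bytes)
            except OSError:
                continue
            hits = scan_text(data.decode("utf-8", errors="ignore"))
            if hits:
                report[os.path.relpath(path, root)] = dict(Counter(k for k, _ in hits))
    return report


# Constructed sample files (hypothetical content, not real people or cards).
# 4111 1111 1111 1111 is the standard Visa test number; the other values are made up.
SAMPLE_FILES = {
    "grades.csv": "name,ssn,card\nA. Student,123-45-6789,4111 1111 1111 1111\n",
    "contact.txt": "call 608-555-0100 or 6085550100\n",        # phone numbers, no hit
    "notes.txt": "order ref 4111111111111112 (fails Luhn)\n",   # 16 digits, no hit
    "bad_ssn.txt": "000-12-3456 666-12-3456 987-65-4320\n",     # impossible SSNs, no hit
}


def demo():
    """Write the sample files to a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as f:
                f.write(body)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, counts in demo().items():
        print(path, counts)   # only grades.csv: {'ssn': 1, 'card': 1}
```

Two things carry over to the commercial tools: a pattern match alone is noisy (phone numbers, order references, and timestamps all look like digit runs), so validity checks such as the Luhn test are what make a report usable; and the report must never contain the full matched value, because a scan report full of SSNs is exactly the kind of file the case study above describes.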
How do I find sensitive information? Are you at risk? • OCIS provides access to a few scanning tools. • These tools test the security of the network & workstations. • The results will tell you whether you are “at risk”.
How do I find sensitive information? Before running a scan: GET INFORMED PERMISSION! These scans will produce unusual network traffic and can be mistaken for an attack by whoever is watching the network.
Agenda • Defining our scope: Why is this important? • What is sensitive data? ---------- BREAK ---------- • How do I find sensitive data? • What do I do with a data security incident? ---------- BREAK ---------- • Resources & next steps
What to do with an incident? Incident vs. breach. Define “incident” • It is undetermined whether data has been lost • Any number of scenarios… • Losing a laptop • Firewall down • Critical patches are out of date • Hacked, or infected with malware
What to do with an incident? Incident vs. breach. Define “breach” • We know data has been acquired by an unauthorized person
What to do with an incident? Incident vs. breach • All breaches are incidents. • Not all incidents are breaches.
What to do with an incident? Well-handled incidents will reduce… • … your exposure, • … the university’s exposure.