Security 101: Information Security Basics
Sponsored by UW Division of Information Technology, Office of Campus Information Security, and Professional Technical Education
Instructors: Cliff Cunningham & Braden Bruington
Greetings & introductions
• Cliff Cunningham - DoIT
• Braden Bruington - DoIT
• Rick Keir - OCIS (Office of Campus Information Security)
Did you know…?
• Approximately 1,200 IT professionals in UW schools
• 2/3 of them are not affiliated with DoIT
Policies & guidelines
Campus IT policies:
• Appropriate Use Policies
• Electronic Devices
• Payment Card Industry Data Security Standard (a.k.a. PCI DSS)
  • List of specific suggestions
  • Used by OCIS
Security training – winter ’08
You are here!
Security training – summer/fall ’09
• Other…?
Goals for these courses
• To continue the campus-wide conversation
• Advertise OCIS training resources
• Increase networking (social) within the IT community on UW campuses
• Share war stories: lessons learned, scars received
Agenda
• General discussion
• Defining sensitive data
---------- BREAK ----------
• How do I find sensitive data?
• Handling a data security incident
---------- BREAK ----------
• Closing remarks & next steps
Who are you?
• Titles?
• Roles?
• Operating systems?
• What kinds of data?
  • Financial information
  • Health information
  • Grades
  • Credit cards
  • Other sensitive types of information
Hand-outs
• Packet of handouts
• Sign-up sheet
Data breach, June 4
June 4, 2009, Maine Office of Information Technology (Augusta, ME)
Through a printing error, 597 people receiving unemployment benefits last week got direct-deposit information, including Social Security numbers, belonging to another person. "We received a print job and were running it, and there was an equipment malfunction." Recipients received one page with their own information and another page with information belonging to a different person.
Number affected: 597
Data breach, June 5
June 5, 2009, Virginia Commonwealth University (Richmond, VA)
A desktop computer was stolen from a secured area. The computer may have contained student names, Social Security numbers and test scores dating from October 2005 to the present. VCU discontinued use of Social Security numbers as ID numbers in January 2007. An additional 22,500 students are being notified that their names and test scores may also have been on the computer. No Social Security numbers were recorded with those names, but computer-generated student ID numbers may have been.
Number affected: 17,214
Data breach, June 6
Ohio State University Dining Services (Columbus, OH)
Student employees’ SSNs were accidentally leaked in an e-mail. An OSU employee received an e-mail with an attachment that included students' names and Social Security numbers. He unwittingly forwarded it, attachment included, to his student employees. After realizing the mistake, the hiring coordinator called the Office of Information Technology, which stopped the e-mails before all of them were sent.
Number affected: 350
Discuss
What keeps you awake at night? (Please restrict your answers to IT security-related topics.)
Analysis of data loss incidents: http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm
Who cares?
Why should we be concerned about the handling of sensitive data?
Effects of data loss
On the individual:
• Personal credit info can be destroyed
• Embarrassment
• Patents & intellectual property rights
On the university:
• Reputation
• Grants
• Patents & intellectual property rights
Fallout from data loss at OU
“If there is any financial damage… I will hold OU at fault and seek legal counsel to recover any and all loss, with punitive damages.”
“I will never donate another penny to you.”
“It was my intention to leave a sizable endowment to OU, but not any longer”
Quotes taken from the article “OU has been getting an earful about huge data theft” by Jim Phillips, Athens NEWS Sr. Writer, 2006-06-12
That is why…
• IT professionals are scattered across campus.
• Data security presents a huge financial, ethical and reputational exposure.
• We need to unify our efforts.
E pluribus unum: out of many, one.
Agenda (recap)
• General discussion
• Defining sensitive data
---------- BREAK ----------
• How do I find sensitive data?
• Handling a data security incident
---------- BREAK ----------
• Closing remarks & next steps
Classes of information
• Personal information
• Health & medical information
• Financial information
• Academic information
Personal information
• Social Security Numbers
• Driver’s License Number
• Name & Address
• Biometric data
  • Fingerprints
  • DNA maps
  • Voice patterns
Health & medical information
• Physical diagnoses
• Mental health
• Psychological diagnoses
• Treatment
• Prescriptions
Financial information
• Account numbers
• Account pass codes
• Credit card numbers
(NOTE: All financial information tends to be sensitive.)
Academic information
• Students
  • Grades
  • Transcripts
  • Communications w/ faculty
• Faculty/Staff
  • Intellectual property
  • Research data
Wisconsin state law
Wisconsin’s Data Breach Notification Law
• Statute 895.507 (2006)
• Formerly Act 138
• Any unauthorized access to personal info…
• … must notify individual(s) within 45 days
• Data includes:
  • SSN
  • Driver’s license or state ID
  • Account number, code, password, PIN
  • DNA or biometric info
Restricted vs. sensitive
• Restricted: explicitly protected under Wisconsin State Law. Must notify if lost.
• Sensitive: still needs to be guarded with great care, but notification is not required.
• All restricted data is sensitive. Not all sensitive data is restricted.
Federal law
• FERPA – academic: Family Educational Rights and Privacy Act
• HIPAA – health & medical: Health Insurance Portability and Accountability Act
Cliff’s personal anecdote
From just this past June (2009).
FERPA: two types of info
Public information (considered public*; partial list):
• Name, address, phone
• Email address
• Dates of attendance
• Degrees awarded
• Enrollment status
• Major field of study
* Students can request that this information be suppressed.
Private information (tightly restricted; partial list):
• SSN
• Student ID number
• Race, ethnicity, nationality
• Gender
• Transcripts & grades
Information provided by the Office of the Registrar, UW-Madison: Student Privacy Rights and Responsibilities
FERPA and its tentacles
Lesser-known items within FERPA’s reach:
• Educational records
• Personal notes between faculty and students
• Communications with parents/guardians
• How to post grades
• Letters of recommendation
For more info: Office of the Registrar, www.registrar.wisc.edu
• Brochures
• FAQs
• On-line tutorials
• On-site training
• One-on-one consultation
Now for something entirely different
A data security case study…
The facts
• On an unnamed Big 10 university campus
• DoIT Store website collecting data from hits
• This data was being analyzed by the web hosting service
• Web hosting service posted its findings
Any warning signs?
The rest of the story…
The data being captured included…
• Campus IDs and NetIDs
• Old campus IDs used to contain SSNs
• The web hosting service didn’t know about the SSNs
• Captured data was posted on a semi-public site
The analysis
• All were capable, professional entities
• They didn’t know
• They didn’t anticipate
• Therefore…
The moral of the story
• Don’t overestimate… other folks’ knowledge or motivation.
• Don’t underestimate… the value that you can add.
Agenda (recap)
• General discussion
• Defining sensitive data
---------- BREAK ----------
• How do I find sensitive data?
• Handling a data security incident
---------- BREAK ----------
• Closing remarks & next steps
Before running a scan!!
These scans will produce unusual net-traffic!
GET INFORMED PERMISSION!!!
Finding sensitive information?
PII = Personally identifiable information
• Numerous applications, called “PII finders”
• They scan drives
• They locate recognizable patterns
• They produce reports
• You don’t always know what is on your machine
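What a PII finder does under the hood, as an added example (not from this session and not Identity Finder’s code): a small Python scanner that looks for the SSN and payment-card patterns the session lists as restricted data, runs card candidates through the Luhn checksum to cut false positives, and reports only masked values so the report itself is not a new leak. The sample input and every value in it are constructed.

```python
import re

# Patterns for two of the restricted data types named in the session:
# Social Security numbers and payment card numbers (PANs).
# The SSN pattern rejects area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out most digit runs that only look like card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Report only the last four digits so the report is not itself sensitive."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str, source: str) -> list[dict]:
    """Return one finding per match: where it was, what kind, and a masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            digits = m.group().replace("-", "")
            findings.append({"source": source, "line": lineno, "type": "SSN", "value": mask(digits)})
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):  # 16 digits alone is not enough to count as a card
                findings.append({"source": source, "line": lineno, "type": "PAN", "value": mask(digits)})
    return findings


# Constructed sample "spreadsheet export"; every value here is made up.
SAMPLE = """\
name,campus_id,notes
A. Student,123-45-6789,old campus ID that still encodes an SSN
B. Student,666-12-3456,not a valid SSN area number
C. Student,9012345678,modern computer-generated ID
Card on file: 4111 1111 1111 1111
Tracking number: 1234 5678 9012 3456
"""
```

Running `scan_text(SAMPLE, "sample.csv")` reports the SSN on line 2 and the card on line 5 only; the invalid SSN, the ten-digit student ID and the 16-digit tracking number that fails Luhn are all skipped.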
How?
Question: How might sensitive data find its way onto a piece of hardware?
PII finder
Identity Finder
• Being considered by the UW DoIT Security group
• More costly, but more robust
• A free edition is now available, so it’s worth a try
• Let’s see how it works.
Are you at risk?
• OCIS provides access to a few scanning tools
• These tools test the security of network & workstation
• This will tell you whether you are “at risk”.