
Computer viruses you don't wish to have

Learn about information security basics, recent incidents, consequences of disclosure, response procedures, types of breaches, and security challenges at the University of Central Florida.


Presentation Transcript


  1. Computer viruses you don't wish to have
  • Ellen Degeneres virus..... Your IBM suddenly claims it's a MAC
  • Titanic virus..... Makes your whole computer go down
  • Disney virus..... Everything in the computer goes Goofy
  • Mike Tyson virus..... Quits after one byte
  • Lorena Bobbit virus..... Turns your hard disk into a 3.5-inch floppy
  • Ronald Reagan virus..... Saves your data, but forgets where it is stored
  • Dr. Jack Kevorkian virus..... Deletes your old files

  2. Protecting Sensitive Information Chris Vakhordjian Information Security Officer

  3. Agenda • What is Information Security? • What are we protecting? • Why do we need to protect it? • What are the threats? • Information Security basics • Some recent incidents • What are the consequences of disclosure? • Response procedures

  4. Information Security @ UCF Mission • The mission of Information Security is to provide a secure infrastructure that protects the confidentiality, integrity, and availability (CIA) of information resources. Vision • Have all departments consistently adhere to a shared vision for information security • Collaboratively develop security policies, standards, and procedures to help protect assets of the University • Dedication to security planning, education, and awareness

  5. What type of information must we protect?
  • Restricted Data
  – Personal Restricted Data: Employee ID / PID • Social Security Numbers (SSN) • Academic records (PeopleSoft, RDS, etc.) • Income and credit histories • Health information • Bank and credit card account numbers • Other financial and tax information
  – Non-Personal Restricted Data: Infrastructure information, server configuration, etc.
  • Unrestricted Data
  – Not protected by law or contract
  This applies regardless of whether the information is in paper or electronic form.

  6. Whose information must we protect? • Students • Employees • Applicants • Prospects • Third parties

  7. Driving Factors for On-going Security Planning Compliance with local, state, and federal laws and regulations: FERPA - Family Educational Rights and Privacy Act of 1974, as Amended • Purpose is to protect the privacy of student educational and personal records • GLBA - Gramm-Leach-Bliley Act • GLBA protects consumers’ personal financial information held by financial institutions. • HIPAA - Health Insurance Portability and Accountability Act of 1996 • Provides guidelines on how protected personal health information may be used and disclosed

  8. Driving Factors for On-going Security Planning (Cont.) • PCI DSS - Payment Card Industry (PCI) Data Security Standard (DSS), created by Visa, MasterCard, American Express and Discover Card • All merchants who process, transmit, or store credit card data are required to be compliant with PCI DSS • Florida Statutes • All state, county, and municipal records are open for personal inspection and copying by any person. Providing access to public records is a duty of each agency. However, there are general exemptions… F.S. 119.07 (4)(d)1-7 • UCF Policies (http://policies.ucf.edu) • Data Classification and Protection Policy (Policy 4-008) • Security of Mobile Computing, Data Storage, and Communication Devices (Policy 4-007) • Use of Information Technologies and Resources (Policy 4-002)

  9. Security Challenges • Commitment to open networks • “Academic freedom” • Facilitate the free exchange of ideas • Sensitive data easy to obtain • Sensitive data spread around campus • Multiple IT departments • No central management of IT • No central management of security • Budget

  10. Threats to Sensitive Information • Hacked web servers due to poorly written code, or un-patched software • Missing or stolen portable devices • Social Engineering • Phishing • Spear Phishing • Viruses, Worms, Trojans, Key loggers, etc. • Inadvertent disclosure

  11. Threats to Sensitive Information: Types of Breaches in Higher Education (chart; source: Privacy Rights Clearinghouse)

  12. In The News… 2008 Headlines!
  • University of Miami, April – 2,100,000 records
  • Oklahoma State University, May – 70,000 records
  • University of Florida, COM, May – 1,900 records
  • Stanford University, June – 72,000 records
  • University of Utah Hospitals – 2,200,000 records
  • University of Florida, June – 11,300 records
  • University of Maryland, July – 23,000 records
  • University of Texas, July – 9,100 records
  • UND Alumni Association, Oct – 84,000 records
  • University of Florida, COD, Nov – 330,000 records
  • UCF ?

  13. Information Security Basics • Software Security • E-mail • Encryption • Password Security • Physical Security

  14. Software Security • Should you install the latest “free” flashy screen saver? • Download the screensaver… • Computer is remotely controlled • How about the next coolest “free” holiday game? • Download it and … • Computer is sending your keystrokes

  15. Software Security (Cont.) Beware of “free” games, screen savers, or tempting graphics Only use/install necessary and trusted applications Run and keep up-to-date anti-virus and anti-malware software!! Only login as “Administrator” when necessary

  16. Email Security • E-mail is NOT secure • E-mail is analogous to a postcard • Encryption is the only way to prevent others from reading your email.

  17. Email Security (Cont.) • Question ALL unsolicited email. • Question ALL executable programs (exe, com, bat, scr, etc.) received via email. • Beware of Phishing • E.g., Your account information needs to be verified, please submit your username and password or the account will be terminated.
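The "question ALL executable programs" rule is easy to state and easy to get wrong in practice, because attackers disguise the file type. The following is an added example (not code from the UCF presentation) that triages an attachment by its effective extension, by double extensions such as invoice.pdf.exe, by the Unicode right-to-left override trick, and by the file's leading bytes regardless of its name. The extension list is an assumption that extends the slide's exe/com/bat/scr with other types Windows runs on double-click; the sample file names and byte strings are constructed.

```python
"""Attachment triage for the rule "question ALL executable programs received
via e-mail". Added example, not code from the UCF presentation. The extension
list is an assumption; tune it for your environment."""

# File types Windows executes directly on double-click (assumed list)
EXECUTABLE_EXTS = {
    "exe", "com", "bat", "cmd", "scr", "pif", "msi", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "ps1", "hta", "cpl", "lnk", "jar", "reg",
}
# Unicode right-to-left override: "report\u202efdp.exe" renders as "reportexe.pdf"
RTL_OVERRIDE = "\u202e"


def effective_extension(filename):
    """The suffix Windows actually uses: trailing dots and spaces are ignored,
    and only the LAST extension counts, so 'invoice.pdf.exe' is an .exe."""
    name = filename.strip().rstrip(". ").lower()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1]


def looks_executable(data):
    """Content check independent of the name: PE/DOS 'MZ', ELF, or a script shebang."""
    return data[:2] == b"MZ" or data[:4] == b"\x7fELF" or data[:2] == b"#!"


def assess_attachment(filename, data):
    """Return the list of reasons an attachment should be questioned (empty = none)."""
    reasons = []
    ext = effective_extension(filename)
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + ext)
        if filename.lower().rstrip(". ").count(".") > 1:
            reasons.append("double extension disguises the real type")
    if RTL_OVERRIDE in filename:
        reasons.append("right-to-left override character in name")
    if looks_executable(data) and ext not in EXECUTABLE_EXTS:
        reasons.append("content is an executable but the name says otherwise")
    return reasons


if __name__ == "__main__":
    # Constructed samples: a disguised .exe, a plain text file, a renamed binary
    for name, blob in [("invoice.pdf.exe", b"MZ\x90\x00"),
                       ("notes.txt", b"just text"),
                       ("photo.jpg", b"MZ\x90\x00")]:
        print(name, "->", assess_attachment(name, blob) or "ok")
```

The content check matters because mail clients that hide known extensions show invoice.pdf.exe as "invoice.pdf", and a renamed binary sails past any name-based filter; checking the first bytes catches both.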

  18. Encryption(Protecting Sensitive Information) • Is someone eavesdropping on the network? • Should email be used to send grades/rosters/etc. between work and home? • Email grades to students? Could someone capture/view this information?

  19. Encryption (Cont.) (Protecting Sensitive Information) • Common applications offer protection through encryption • E.g., Word, Excel, Adobe PDF writer, etc. • To absolutely keep data confidential • USE ENCRYPTION • NEVER send SENSITIVE information through email without ENCRYPTION • Email should NEVER be considered secure! • When submitting sensitive information on-line, always check to make sure it is SSL/TLS protected (e.g., https://....) • Note that https protects the data only while it is in transit; the copy stored on the server still needs its own protection

  20. Password Security • Key component to protecting encrypted data or access to your account is a strong password

  21. Password Security (Cont.) • Do not post or store your password near your computer • Maintain zero tolerance for password sharing • Urge users to change passwords frequently • Use non-alpha characters and capital letters • Iam@248 Ge+>Smar+ Ch@rl1e’sAngels • Do not use easy-to-guess passwords • password 123456 computer hello love • Length matters more than character substitutions: password-cracking dictionaries already contain variants such as p@ssw0rd • Constantly reinforce the importance of password security
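A password policy is only as good as the check that enforces it. The following is an added example (not code from the UCF presentation) that applies the slide's advice as code: minimum length, character classes, an entropy estimate from the character pool, and a dictionary check that first undoes common substitutions so that "P@ssw0rd" is still recognised as "password". The thresholds (8 characters, 3 of 4 classes, 40 bits) and the tiny common-password list are assumptions; a real deployment screens against a breached-password list. Note that the slide's first example, Iam@248, is only seven characters and fails the length rule.

```python
"""Password policy check for the "Password Security" slides (added example,
not code from the presentation). Thresholds and the word list are assumptions."""
import math
import string

# Constructed sample list: the slide's weak examples plus a few more.
# Production systems use a breached-password corpus instead.
COMMON_PASSWORDS = {
    "password", "123456", "computer", "hello", "love",
    "qwerty", "letmein", "welcome", "abc123", "monkey",
}

# Substitutions that cracking dictionaries undo before matching
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s",
                      "5": "s", "!": "i", "+": "t", "|": "l"})


def normalize(pw):
    """Lower-case and reverse leet substitutions: 'P@ssw0rd' -> 'password'."""
    return pw.lower().translate(LEET)


def char_classes(pw):
    """Count of the four classes present: lower, upper, digit, punctuation."""
    checks = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return sum(1 for present in checks if present)


def pool_size(pw):
    """Size of the alphabet a brute-force attacker must cover."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    return pool


def estimated_bits(pw):
    """Upper bound on brute-force strength: length * log2(pool).
    It says nothing about dictionary words, which is why normalize() exists."""
    pool = pool_size(pw)
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw, min_length=8, min_classes=3, min_bits=40):
    """Return the list of policy violations (empty = acceptable)."""
    problems = []
    if len(pw) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if char_classes(pw) < min_classes:
        problems.append("fewer than %d character classes" % min_classes)
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        problems.append("common password (substitutions do not help)")
    if estimated_bits(pw) < min_bits:
        problems.append("estimated strength below %d bits" % min_bits)
    return problems


if __name__ == "__main__":
    for candidate in ["password", "123456", "P@ssw0rd", "Iam@248", "Ge+>Smar+",
                      "Ch@rl1e'sAngels"]:
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

Current guidance (NIST SP 800-63B) favours length and breached-list screening over composition rules and forced periodic changes; the checker above is written so that those thresholds can be tightened without changing the logic.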

  22. Physical Security • Is there sensitive information on your laptop? • Laptop went missing or stolen • Drive crashed… • What do you do? • Should unprotected confidential information be on the laptop?

  23. Physical Security (Cont.) • Always store sensitive information on secure servers • Do not leave your computers unlocked when not at your desk • CTRL+ALT+DEL, then “Lock Computer” • Lock laptops when not in use • Password protect your Smartphone/PDA • Clearly label documents and files, especially if confidential

  24. Physical Security (Cont.) • Limit access to sensitive information to employees with a legitimate business reason to know • Do not leave sensitive information lying about • Avoid placing filing cabinets and other storage devices in easily accessible places; e.g. common hallways • When disposing of documents, always shred those with sensitive information, rather than just placing them in the trash or recycle bin • Properly dispose of electronic hardware • Continuously train and remind employees on how to safeguard sensitive information • Have employees sign confidentiality agreement forms (e.g., HR form) • Google “confidentiality agreement site:ucf.edu”

  25. Information Security • For more information on IT Security please contact the Information Security Office at security@mail.ucf.edu • IT Staff or the Departmental Security Coordinator (DSC) is also a resource for IT security information • www.infosec.ucf.edu/dsc • Don’t neglect the Information Security Brochure • www.infosec.ucf.edu • Information Security Video • http://cst.ucf.edu/video

  26. Some Recent Security Breaches

  27. FERPA Security Breach, Case #1 • Loss of personally identifiable information (including Names, SSN, PIDs, GPA, test scores, etc.) • Personal information of ~ 100 students stored on portable device • Flash drive • Data unencrypted • Should always encrypt data on portable devices.

  28. FERPA Security Breach, Case #2 • Disclosure of personally identifiable information (Names, PIDs, email, GPA, etc.) • Personal information downloaded into Excel • contained 5,200 + records • contained more data than necessary to meet objective (only email addresses might have sufficed) • inadvertently sent to ~1500 students via email

  29. Security Breach, Case #3 • Potential disclosure of personally identifiable information (Names, some SSN, some health information, PIDs, email, etc.) • Web server with missing application and/or OS updates, weak application code. • Over 18K records could potentially be compromised • Use a sensitive data finder on your systems and question the need for such data elements

  30. Consequences of Security Breaches • FERPA security breaches could result in the termination of UCF’s eligibility to receive funding under any applicable federal programs, including the Pell Grant and Guaranteed Student Loan Programs • Individual students or parents may take legal action against the University • UCF’s reputation being tarnished • Time and resources spent on incident response and corrective measures

  31. Why should we care? • Florida breach notification law, F.S. 817.5681 • Requires affected individuals to be notified within 45 days of discovery of a breach, subject to the measures necessary to determine its nature and scope. • Failure to notify within 45 days may mean an administrative fine of up to $500,000 • Notification may be by letter, e-mail, telephone, public notice, etc. => $$$$$

  32. What Should Departments/Individuals do? • Always question the need for requesting or storing sensitive personal information • Delete sensitive personal information if no longer needed • Archive personal information to secure, encrypted archive media • Redact sensitive personal information • Remove SSNs (use the last 4 digits if you must) • Encrypt sensitive personal information • EFS on Windows XP (per-file, per-user encryption) • FileVault on Mac OS X • BitLocker on Windows Vista (whole-volume encryption, so a lost laptop's disk is unreadable)
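Case #3 recommends running a sensitive data finder, and the list above says to redact SSNs down to the last four digits. The following is an added example (not code from the UCF presentation) that does both: it scans text for SSN-formatted numbers and card numbers, rejects SSNs that cannot be issued (area 000, 666 or 900-999, group 00, serial 0000) and card numbers that fail the Luhn check, which keeps phone numbers, order numbers and PIDs out of the results, and then rewrites SSNs as ***-**-NNNN. The sample roster is constructed: 123-45-6789 is a placeholder and 4111 1111 1111 1111 is the well-known Visa test number. The directory walker is a convenience for scanning a share or home directory.

```python
"""Sensitive-data finder and SSN redactor (added example, not from the
presentation). Regexes and validity rules are the author's own; the sample
text is constructed."""
import os
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits with optional space/hyphen separators, e.g. "4111 1111 1111 1111"
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

SAMPLE = """\
Student roster (constructed sample, not real data)
Jane Doe, SSN 123-45-6789, PID 1234567
John Roe, SSN 000-12-3456 (invalid area), PID 7654321
Card on file: 4111 1111 1111 1111  exp 12/09
Order number 4111-1111-1111-1112 is not a card (fails Luhn)
Phone 407-823-3863
"""


def ssn_issuable(area, group, serial):
    """Structural rules the SSA applies: area not 000/666/900+, group not 00,
    serial not 0000. Anything else is not a number that can exist."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; cuts most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return [(kind, value), ...] in order of appearance, validated hits only."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_issuable(*m.groups()):
            hits.append((m.start(), "ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append((m.start(), "card", m.group(0)))
    return [(kind, value) for _, kind, value in sorted(hits)]


def redact_ssns(text):
    """Keep only the last four digits. Every SSN-shaped value is redacted,
    valid or not: over-redaction is the safe direction."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(3), text)


def scan_files(root):
    """Walk a directory tree and yield (path, kind, value) for each validated hit.
    Files are read as text with undecodable bytes ignored."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    content = fh.read()
            except OSError:
                continue
            for kind, value in find_sensitive(content):
                yield path, kind, value


if __name__ == "__main__":
    for kind, value in find_sensitive(SAMPLE):
        print(kind, value)
    print(redact_ssns(SAMPLE))
```

Because the finder validates rather than pattern-matches, the invalid SSN, the Luhn-failing order number and the phone number in the sample produce no hits, which is what makes the tool usable on a real file share; a bare regex would flag every 3-2-4 digit group.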

  33. What Should Departments/Individuals do in the event of a breach? • Follow UCF Information Security Incident Response Plan • www.infosec.ucf.edu • www.infosec.ucf.edu/iso_sop_605.pdf • Notify your Department Head and the Security Incident Response Team at sirt@mail.ucf.edu or security@mail.ucf.edu

  34. Q &A • Information Security Office • www.infosec.ucf.edu • security@mail.ucf.edu • chrisv@mail.ucf.edu • 407-823-3863 • Security Incident Response Team • SIRT@mail.ucf.edu
