Personal Information Security and Malware Awareness Workshop Bard College at Simon’s Rock Information Technology Services (ITS) Summer 2012 (Please sign in on the attendance sheet so we know you’ve been here!)
What are we doing here? • Brief intro to (some of) the information protection laws that apply to Simon’s Rock • Especially the 2010 “Mass. Privacy Law”, which is the reason you have to attend this session. • Strategies for protecting the private data we work with. • Needs to be a college-wide effort. • Reduce the amount of private data we store, Restrict access to what we do store, and Encrypt any that leaves campus. • Defenses against individual attacks on our personal accounts and computers. • Unique passwords, required to wake system • Software updates • Recognizing fraudulent emails and websites
Warm Up: If Nothing Else, Remember This: • Legitimate online service providers, including ITS staff and your bank, will never, ever ask you for your password by e-mail. (Watch out for fake login links by email, too.)
What is Protected Personal Information? Depends which law is defining it! (We have to comply with lots of ‘em!) Assume financial, academic, and health data need to be protected. • FERPA — Family Educational Rights and Privacy Act • PCI — Payment Card Industry regulations • HIPAA — Health Insurance Portability and Accountability Act • MA CMR 201 17 — “Standards for the Protection of Personal Information of Residents of the Commonwealth” (aka the “Massachusetts Privacy Law”) This is the big one… • IANAL — I Am Not A Lawyer: This is a very brief overview, and I don’t really know what I’m talking about.
FERPA* • FERPA covers living students and alumni, and protects their academic records. • Also, each institution defines “student directory information” (Ours is in our Student Handbook) • Everything else is “non-directory information” • Simon’s Rock may release directory information • We may not release non-directory information without prior consent of the student, except in specific circumstances (such as a subpoena) • A student may request that even their directory information not be published *(ask Heidi and Moira if you desire more details)
FERPA (more) • In general, faculty and staff have access to personally identifiable, non-directory information about students as long as they have a legitimate educational interest in it, in other words a "need to know." • Releasing personally identifiable non-directory information to others without prior permission from the student or alumnus/a is illegal. • Directory Information @ Simon’s Rock • student’s name; • addresses (home, campus, and email); • telephone numbers (home and campus); • major or field of study; • date and place of birth; • full- or part-time status; • enrollment dates; • date of graduation (past or anticipated); • current grade level (first-year, sophomore, junior, or senior); • graduation information as published in the commencement program.
PCI*: Credit Card Transactions • Any entity which collects payments with credit cards is contractually bound to follow the Payment Card Industry (PCI) Standard to protect information related to credit-card transactions. • The PCI standard provides very specific guidelines on how to protect such information in both paper and electronic formats. • Failure to comply can result in withholding of credit card revenue to pay fines & penalties. • See https://www.pcisecuritystandards.org *I’m not sure if we have a resident expert on PCI. (I’m not it.)
PCI (more) : Credit Cards at Simon’s Rock • Kilpatrick Athletic Center • Admissions • Development and Alumni Relations • Phone-a-thons? • Business Office • Chartwells and Bookstore • Others?
HIPAA* • Protect Personal Health Information • Personal Health Information (PHI) must be protected, including information about: • Health Status • Provision of Health Care • Payment for Health Care • In general, any information about a patient’s medical record or medical payment history is protected. • HIPAA defines administrative, physical, and technical safeguards for protecting PHI • HIPAA applies to faculty, staff, and student information • (FERPA also covers student health information, since it is non-directory information) • *We pretty much depend on Health Services staff to deal with HIPAA.
MA CMR 201 17* (Mass Privacy Law) • Protects Personal Financial Information (PFI) • Mass. definition: A person’s name with their: • Social Security Number (SSN) • Driver’s License or State-issued ID Number • Financial Account Number • Credit Card Number • Information in any format: paper or digital • Protection applies to all Mass. residents: • Students, Alumni, Employees, Guest speakers, contractors,…and everybody else. *Janice is probably our best resource on this, plus there is lots of data on-line, because it is a recent law and all MA businesses have been scrambling to comply.
MA CMR 201 17 (more) • Mass. businesses must develop, implement and maintain a comprehensive Written Information Security Program (WISP) to… • Designate “one or more employees to design, implement and coordinate” the program • Put in place processes for “Inventorying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to identify those records containing personal information.” • Put in place “administrative, technical, and physical safeguards to ensure the security and confidentiality of such records”
MA CMR 201 17 (still more) • WISP requirements continued… • “Verify that third-party service providers with access to personal information have the capacity to protect such personal information” • Provide “Education and training of employees on the proper use of the computer security system and the importance of personal information security” • But, having the WISP written down is one thing, making it work to actually protect data depends on all of us.
MA CMR 201 17 (omg, more) The law has regulations about Information Security Breaches, defined as unauthorized use or acquisition of personal information that “creates a substantial risk of identity theft or fraud.” So, a breach means the release (or potential release) of either: • Unencrypted personal financial information • Unencrypted data capable of compromising personal financial information (e.g. usernames & passwords)
MA CMR 201 17 (more, more, more!) Information Security Breach If a breach or possible breach occurs in Massachusetts: Business and other organizations in MA must notify • MA Office of Consumer Affairs and Business Regulation • The Massachusetts Attorney General • The individuals whose information is at risk The notification to the State must include: • The nature and circumstances of the breach • The number of Mass residents involved • Steps that have been taken to deal with the breach The notification to involved individuals must include • Consumers’ right to obtain a police report • Instructions for requesting a credit report security freeze • BUT, should not include the nature of the breach or number of MA residents involved.
Williams Breach: October, 2009 Data loss occurred when a college-owned laptop computer was stolen from user’s car. Steps necessary to respond to this breach: • Interviewed laptop owner about information on laptop • Scanned laptop backup files for protected financial information and health data • Protected data was found (Names w/ SSN’s), so laws in 39 states and many foreign countries probably apply, depending on residency of leaked individuals • Williams obtained legal assistance and contracted for breach counseling services
Where did the Williams’ SSN’s come from? • Excel files of pre-2006 class rosters from the old Student System (SIS) • E-mail messages related to paying individuals such as guest speakers, performers, referees • Unsolicited e-mail messages that contained protected personal data.
Williams Breach: Cleanup Process • Compiled list of residential and e-mail addresses for approximately 750 potential victims • Notified potential victims by mail and by e-mail, sent all-campus e-mail notice • Responded to phone calls and e-mails • Financial costs to handle this breach included staff time, legal assistance and breach counseling services. Costs exceeded $50,000. • Note: If the laptop had been encrypted, the only loss would have been the cost of the laptop. (Hint: Do not store Simon’s Rock PPI on an unencrypted portable device!)
(Aside) Fun Fact: if your personal data is involved in a data breach, you get a Free Credit Report Security Freeze Any consumer in Massachusetts, New York, or Vermont may place a security freeze on his or her credit report by sending a request in writing, by mail, to all 3 consumer reporting agencies (EquiFax, Experian, TransUnion). There’s no fee for victims or their spouses for placing or removing a security freeze on a credit report. You can prove you’re a victim by sending a copy of a police report. All other consumers must pay a $5-$10 fee. See the Consumers Union web site for more information: www.consumersunion.org
Discussion break (pop quiz?) • You are the advisor to a first-year student. Their parent emails you and is concerned that the student is not doing well in classes, and asks if you can check with the student’s professors and let the parent know. Can you do this? What regulations might apply?
Part II: Okay, so what do we do? • How do we comply with all these laws? • We need to determine what “Protected” data we really need to have, and then figure out how to actually protect it. • (Disclaimer: This data protection is not something ITS can magically make happen!)
Data Security Guiding Principles • Reduce! • Don’t collect personal data you don’t need • Don’t store data you won’t need again • Restrict! • Keep protected data in secure locations • Paper docs in locked drawers or closets • Electronic docs stay on central servers • Password required to see your screen! • Encrypt! • Protected electronic data that leaves Simon’s Rock must be encrypted. (Also: Why is it leaving? Is it going to someone with a legitimate need for it?)
Shared Responsibility for Data Security Responsibility of Staff Departments Each department head is responsible for ensuring the appropriate protection of information within his or her area. Every employee is responsible for protecting the data they use and store, both electronic and on paper. Responsibility of Faculty Every faculty member is responsible for ensuring the confidentiality of any information they collect or use, both electronic and on paper. The Dean of Academic Affairs and Division heads should be aware of protected information handled by their divisions.
What about your office? • Goal: Minimize the potential risks from information leaks • If you don’t need it, get rid of it (use a shredder if it’s paper) • Be skeptical of requests for information • Don’t disclose protected information to just anyone!
What about your office? • Does your office handle legally-protected or confidential information? • Do you know what protected data you have? • Workgroups should audit their stored data to confirm that old confidential docs are still required. • If you’re not sure what’s protected, ask! • Photocopies of checks? • Credit card info on scrap paper until it is processed? • Does your office or department have policies and procedures for protecting confidential information?
What about your office? • Does your office send or receive confidential information via e-mail? • Encrypt them when you send (details later) • Delete them from email when you receive them • Does your office use a shredder? • Or the secure document disposal can at Business Office. • Do you lock up your files when the office is closed? • Does your computer need a password to wake from sleep? • Do you lock the screen when you are away from your desk?
Goal: Each department that handles PPI has an Information Usage Policy • An information usage policy explains • What information is confidential • How to protect confidential information • How to handle requests for information, both internal and external • When and how to dispose of confidential information • What the consequences are if the policy isn’t followed
ITS can help (somewhat) • Locate data with PPI (part of your office audit!) • We have software called Identity Finder which will search documents (Word, Excel, pdfs) and email for things that look like PPI • Often finds SS#s, Credit Card #s, Bank Account #s and passwords in clear text. • Such data should be removed from your computer: • Delete if not needed • Store only on the server if possible. • Install Full-Disk encryption on all college laptops • Truecrypt on Windows, File Vault on Macs • Requires extra password to decrypt for boot • Hard disk unreadable without decryption
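To make the “Locate data with PPI” step concrete, here is a small scanner in the spirit of what Identity Finder does: it looks for strings shaped like Social Security Numbers and payment card numbers (the Mass. law’s “name plus SSN / account number” categories from the earlier slide) and reports which documents contain them. This is an added example written for this page, not Identity Finder’s code or anything ITS ships; the sample roster text, the document names and the function names (`find_ppi`, `audit`) are all made up here.

```python
"""Toy PPI scanner: flags SSN-shaped and card-shaped strings in plain text.
Added example for the workshop notes; not Identity Finder's code."""
import re

# SSN: 3-2-4 digits with optional dashes or spaces. The lookaheads drop
# groups the SSA never issues (area 000/666/9xx, group 00, serial 0000),
# which removes many false positives such as invoice numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")
# Card number: 13 to 19 digits, optionally separated by single spaces or dashes.
CC_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_ppi(text):
    """Return (kind, matched_text) pairs for everything that looks like PPI."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", m.group()))
    for m in CC_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # only keep digit runs that pass the card checksum
            findings.append(("CARD", m.group()))
    return findings


def audit(documents):
    """Map document name -> findings; only documents with hits are returned.
    This is the 'office audit' step: anything listed here should be deleted
    or moved to the server, not left on a laptop."""
    report = {}
    for name, text in documents.items():
        hits = find_ppi(text)
        if hits:
            report[name] = hits
    return report


# Constructed sample document (not real data): an old class roster with
# payment notes, the kind of file the Williams breach turned up.
SAMPLE = """\
Class roster 2005 (constructed sample, not real data)
Jane Doe, SSN 123-45-6789, Biology
John Roe, SSN 078 05 1120, History
Guest speaker payment: card 4111 1111 1111 1111 exp 12/13
Tracking 1234 5678 9012 3456 (not a card number: fails the Luhn check)
Phone 413-528-0771, invoice 2008-1234
"""

if __name__ == "__main__":
    for name, hits in audit({"roster.txt": SAMPLE, "memo.txt": "Meeting at 3pm"}).items():
        print(name)
        for kind, value in hits:
            print("  ", kind, value)
```

Pattern matching like this is a first pass only: a tracking number or phone number can still look like an SSN, and a card number written with unusual separators will be missed, so the list is a starting point for the manual review each workgroup is asked to do, not a verdict.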
Part III: Getting Personal —Securing PCs (including home PCs) • Some elements are software based, e.g. system updates, secure password storage. • Mostly human based: Learn to recognize fake emails and bogus websites • BUT: The bad guys are getting better and better. Malware and web-based attacks get more sophisticated and more effective.
How is data lost or stolen? Via Physical Access: • Theft of computer, external drives, flash drives, CDs, smartphones • Carelessness with passwords: Written in obvious places, passwords or hints too simple, home wifi router passwords left at default value. • It just takes seconds to read saved Firefox passwords, or to install monitoring software. Via the Network: • E-mail phishing scams – users reply with passwords • Server hacks: Password files stolen and decrypted via “brute force”, then any recovered usernames/passwords are tried on other services. • Viruses / spyware used to install key-loggers or other monitoring software remotely • Includes “Drive by” web hacks. Malware code hacked into legit website infects your computer when you visit. • Wireless data sniffing
Install ALL updates to key software • Updates come out so frequently, because new exploits of bugs & security flaws are discovered all the time. • (Can you get the fixes installed before you get hacked by the new malware?) • Important Software to Update: • Windows or Mac OS • AntiVirus definitions • Java • Adobe Reader • Adobe Flash player • Firefox (and all browsers) Or: http://ninite.com : Select, install, and update software
Simple computer security • Don’t use post-its to manage your passwords • Use a program with strong encryption to store passwords • http://keepass.info • https://lastpass.com • Don’t store passwords in Firefox (no encryption) • If you must write passwords down, keep them in your wallet. • If you have your own office: keep the door locked when away • If you work in a public area, lock your screen when you leave • Windows: Press Windows-key + L to lock without logging out. • Macintosh: Apple Menu > Sleep. (Also, see next point!) • Require a password when your computer wakes from sleep • Laptop security cable: Cheap, prevents opportunistic theft.
E-mail and PPI E-mail & files sent over the Internet containing PPI must be encrypted. E-mail may pass through many servers en-route to its destination Our users often read email on small devices that are not encrypted and that can be easily lost. Most computer email clients keep local copies of e-mails that can be read by anyone with access to the system For these reasons, any un-encrypted PPI in an email counts as a potential data breach.
Received email with PPI • Some bozo un-aware parent sends you an email with an unencrypted PDF of their tax return attached. What do you do? • Get this document out of your email box! • Download the document if you need it • Delete the message, and Empty your trash. • If you need to forward it to another staff member, encrypt the file you downloaded, email the encrypted version, and delete the file.
Sending PPI (Encryption basics) • Encryption is scrambling a file using complex mathematics and a password. • Without the password, the file is random gibberish. • The password allows the file to be decrypted back to the original readable form, using similar complex math • Some encryption schemes are “weak” and can’t be used. • Choose a password, encrypt the file of PPI, and attach the encrypted version to an email • Don’t send the password via email! (Call or skype or something to get it to the recipient) • Don’t use your regular system password! • If you send many files to this recipient, you can use the same password for all of them
Encrypting Microsoft Office files • MS Office (since 2007) has strong encryption. So, password protect Word and Excel files of PPI directly in Office. • Must use the new .docx or .xlsx file formats — encryption of the older .DOC or .XLS versions is weak, and there are free websites that can decrypt these files without the password. • (Recipient must have Office 2007 or later to read such files.) • To encrypt: File menu > Info. Click “Protect…” button, then select “Encrypt with password.”
Encryption for other files (PDF, etc.) • Zip files have adequate encryption. So, put the file or files you need to send into a zip file, and then add a password. • Use a long passphrase, as zip encryption is weaker with short passwords. • Older Macs will not open password-protected zip files without additional (free) software. • The password scheme built-in to PDF files is very weak. Use password protected zip files instead
Traveling with a computer • Before you leave, think about what it would mean if your laptop were stolen or lost – are you sure you need it on your trip? • Consider a loaner with no personal data. • If you just need to check email you can use a smart phone. • Do not EVER leave a laptop in a parked car in a city – this is by far the most common way that laptops are stolen • Don’t check your laptop when flying – in general don’t let your computer out of your sight. • If using a public wireless network, use https sites to prevent data sniffing If your laptop is stolen, contact ITS immediately and change your Simon’s Rock password (consider it compromised)
Web Security We are often required to log into web sites. How can you tell if the site is legitimate? First, any site with a login must be https://, not http:// Next, check the “domain” – which of these could be Simon’s Rock sites:
https://www.simons-rockrewards.com/
https://simons-rock.edu.technical-support.com/
https://technical-support.simons-rock.edu/
The domain is the last two words between the “http://” or “https://” and the next “/”. Same format as email addresses: xyz@simons-rock.edu or xyz@aol.com. Any Simon’s Rock site will be //xyz.simons-rock.edu/ Any American Express site will be //xyz.americanexpress.com/ https://www.simons-rock.edu/go/x is legitimate because the domain is correct
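The “last two words before the next /” rule above can be written down as a check, which makes it easier to see why the look-alike addresses fail it. The following is an added example for these notes, not something from the deck or from ITS; it applies the rule to the three URLs on this slide plus the fake Williams webmail address quoted later in the workshop, and the function names (`registrable_domain`, `is_college_site`, `classify`) are ours.

```python
"""Apply the workshop's domain rule to a URL. Added example, not ITS code."""
from urllib.parse import urlsplit


def registrable_domain(url):
    """Return the 'last two words' of the host name, e.g. simons-rock.edu.
    urlsplit() isolates the host, so path text like /webmail.williams.edu/
    and anything after the first '/' cannot fool the check."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:])


def is_college_site(url, college_domain="simons-rock.edu"):
    """Both workshop rules: a login page must be https AND the domain must be ours."""
    if urlsplit(url).scheme != "https":
        return False
    return registrable_domain(url) == college_domain


# The three candidates from the slide, plus the address of the fake Williams
# webmail copy described later in the deck (checked against williams.edu).
CANDIDATES = [
    ("https://www.simons-rockrewards.com/", "simons-rock.edu"),
    ("https://simons-rock.edu.technical-support.com/", "simons-rock.edu"),
    ("https://technical-support.simons-rock.edu/", "simons-rock.edu"),
    ("https://www.simons-rock.edu/go/x", "simons-rock.edu"),
    ("http://www.jctaiwan.com/~jctaiwan/webmail.williams.edu/", "williams.edu"),
]


def classify(candidates=CANDIDATES):
    """Map each URL to (domain the rule extracts, passes the check?)."""
    return {url: (registrable_domain(url), is_college_site(url, college))
            for url, college in candidates}


if __name__ == "__main__":
    for url, (domain, ok) in classify().items():
        print("OK " if ok else "NO ", domain.ljust(28), url)
```

The two-label rule is exactly what the slide teaches and is right for .edu and .com addresses; it is too short for country-style suffixes such as .co.uk or .com.au, where the registrable part is three labels, so treat it as the quick mental check it is meant to be rather than a complete parser.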
Email Security + Phishing Phishing is the fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. • NEVER FORGET: It is easy to spoof the From: address in an email. • Does the From: address match the Reply-to: address (if not, beware) • Phishing emails often start out “your account has been used to send spam” or “we are doing maintenance on our webmail system” – then they ask that you reply with your username and password • There will never be a reason to give anyone your password by email – honestly. (Also, be careful of email links to login sites.) • Note: E-mail notifications to the community from Simon’s Rock ITS will always be from an individual listed at ITS in the campus staff directory, not from a generic name like “Help Desk”. (But, the directory is on-line, so a smart spammer could use it to find a good from address.)
Find the “phishing” clues
From: ”Bard College at Simon’s Rock" <webmaster@simons-rock.edu>
Date: February 13, 2009 11:25:45 AM EST
Subject: Webmail Subscriber
Reply-To: supportss@live.com
Attn. Webmail User, We regret to announce to you that we will be making some vital maintainance on our webmail. During this process you might have login problems in signing into your Online account, but to prevent this you have to confirm your account immediately after you receive this notification. Your simons-rock.edu Account Confirmation Name: E-mail ID: E-mail Password: Date of birth: Your account shall remain active after you have successfully confirmed your account details. Thanks Bard College at Simon’s Rock Webmail Support Team
“Phishing” clues shown in yellow
From: ”Bard College at Simon’s Rock" <webmaster@simons-rock.edu>
Date: February 13, 2009 11:25:45 AM EST
Subject: Webmail Subscriber (Missing email list “tag”, e.g. [Faculty])
Reply-To: supportss@live.com
Attn. Webmail User, We regret to announce to you that we will be making some vital maintainance on our webmail. During this process you might have login problems in signing into your Online account, but to prevent this you have to confirm your account immediately after you receive this notification. Your simons-rock.edu Account Confirmation Name: E-mail ID: E-mail Password: Date of birth: Your account shall remain active after you have successfully confirmed your account details. Thanks Bard College at Simon’s Rock Webmail Support Team
Phishing Detection: Check the links! • HTML format emails let the sender “hide” the target URL address of a link behind descriptive text, which can be set to look like a different URL. Hold the cursor over the link text to see the actual link address. (Mac Mail shown.) Note that it is simple to copy graphics from the web…
More Check the Links! • With Webmail (and Thunderbird), the actual link is shown in the “Status Bar” at the bottom of the window.
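The clues the last few slides ask you to spot by eye (From: and Reply-To: on different domains, no mailing-list tag in the subject, link text that shows one address while the link goes somewhere else, a request for your password) can be expressed as checks a mail filter or a help-desk triage script would run. This is an added example for these notes, not an ITS or Sophos tool; the two messages below are constructed for it (the phish is modelled on the 2009 webmail message shown earlier, with a made-up example.net link target), and `phishing_clues`, `LIST_TAGS` and the other names are ours.

```python
"""Flag the workshop's phishing clues in a raw e-mail. Added example, not ITS code."""
import email
import re
from email import policy
from email.utils import parseaddr

# Subject tags our mailing lists add; assumed for this example.
LIST_TAGS = ("[Faculty]", "[Staff]", "[Students]")
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of_address(header_value):
    """'"Name" <user@host>' -> 'host' (lower case, empty if no address)."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def phishing_clues(raw_message):
    """Return a list of human-readable clues; an empty list means none found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    clues = []

    # Clue 1: Reply-To points somewhere other than the From domain.
    from_dom = domain_of_address(msg.get("From", ""))
    reply_dom = domain_of_address(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        clues.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Clue 2: community mail always carries a list tag in the subject.
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(LIST_TAGS):
        clues.append("subject lacks a mailing list tag")

    # Clue 3: link text that looks like a URL but the href goes elsewhere.
    body = msg.get_content()
    for href, text in HREF_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.lower().startswith(("http://", "https://")) and shown.rstrip("/") != href.rstrip("/"):
            clues.append(f"link text {shown} hides target {href}")

    # Clue 4: nobody legitimate asks for your password by e-mail.
    if re.search(r"\bpassword\b", body, re.I):
        clues.append("message asks for a password")
    return clues


# Constructed sample modelled on the 2009 webmail phish shown in the slides.
SAMPLE_PHISH = """\
From: "Bard College at Simon's Rock" <webmaster@simons-rock.edu>
Reply-To: supportss@live.com
Subject: Webmail Subscriber
Content-Type: text/html

<p>Attn. Webmail User, we will be making some vital maintainance on our webmail.
To keep your account active, confirm your Name, E-mail ID and E-mail Password at
<a href="http://webmail-confirm.example.net/login">https://webmail.simons-rock.edu/</a></p>
"""

# Constructed sample of an ordinary community notice.
SAMPLE_LEGIT = """\
From: Jane Smith <jsmith@simons-rock.edu>
Subject: [Staff] Printer maintenance Friday
Content-Type: text/plain

The library printer will be offline Friday morning.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_clues(raw) or "no clues")
```

None of these checks is proof on its own: a real colleague may set a Reply-To, and a one-off notice may lack a tag, which is why the slides teach them as clues to weigh together rather than a single rule.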
A Phish that Worked at Simon’s Rock • The following spam went to some faculty and staff: This is not a particularly strong effort: hrdept@-t-com.me ? tech.support@admin.in.th ?! Undisclosed recipients?!? Helpdesk.4-all.org ??!! But, it did the trick! Aside: Sophos missed this. Forward it as an attachment to: is-spam@labs.sophos.com False positives to: not-spam@labs.sophos.com
Here’s the Web Site linked to in that spam: Although this page does not seem much like a Simon’s Rock website, one employee logged in to this site. The attackers used the stolen credentials to send spam via our webmail server, a few per second. Unhappily, it was the 4th of July weekend…
Another successful attack: Williams Webmail site copy • On Monday Sept. 29, 2009, a bogus email was sent with the subject line “Read Email Security Message” to many hundreds of Williams employees and students. The email had an attachment with a link to a bogus Williams webmail site. • The email itself was not particularly believable, but the fake webmail site was a perfect copy of Williams’ real site. The only way to tell it was fake was to look at the domain information, which was: http://www.jctaiwan.com/~jctaiwan/webmail.williams.edu/
Preventing Malware, Viruses, Spyware Malware, short for malicious software, is designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code covering viruses, spyware, trojan horses, worms, rogues, etc. • Spyware is like a virus specifically designed to steal information. • Worst-case Malware allows attacker to remotely control your computer: • Send spam from hosts with no direct link to actual source • Use clusters of compromised hosts for mass attacks on other web targets • Record keystrokes and web traffic to obtain user’s financial account logins, etc. • Keep up to date with OS, Browser, Java, and Adobe patches. • Keep your Sophos antivirus on, and up-to-date • Tools for home use: • Microsoft Security Essentials : Simple, lightweight AV free from Microsoft. • Malwarebytes.org : Free removal tool – MalwareBytes AntiMalware
Common ways to get Malware: • Beware of online pop-up ads pretending to be a malware scanner. • Beware of online videos that claim you need to install special software to play the video. • Email attachments – Don’t open it unless you are sure. Check with the sender. This includes e-cards, Word documents and PDFs. • Web links in email – Don’t follow it unless you know for sure where it goes. (Check the actual link address, not the “pretty” version.) • Don’t download hacked versions of expensive software — who knows what else the hacker might have added? • Don’t add random software to your system if you can live without it • E.g. WeatherBug, popup Smiley-face tools, fancy screen savers, etc. • However, some malware can get you if you merely visit an infected website. Sorry.
Rogue Security Software • Rogue security software (“Fake Anti-Virus”) is software that misleads users into paying for the fake removal of malware. • Typically you get a pop-up window while on the web alerting you that you have viruses or spyware on the computer and offering to clean it up. If you accept the offer the program installs itself, then will continuously try to get you to pay for a “professional version” – which does nothing, except maybe remove itself. • Sometimes these rogue programs will not be picked up by real anti-virus software because you agreed to install the software. • One program that does very well at removing this type of software is Malwarebytes AntiMalware (MBAM) from malwarebytes.org. A partial list of known rogue security software. Just the a’s!! Advanced Cleaner, AlfaCleaner, Alpha AntiVirus, AntiSpyCheck 2.1, AntiSpyStorm, AntiSpyware 2009, AntiSpyware Bot, AntiSpywareExpert, AntiSpywareMaster, AntiSpywareSuite, AntiSpyware Shield, Antivermins, Antivirus 2008, Antivirus 2009, Antivirus 2010, Antivirus 360, Antivirus Pro 2009, AntiVirus Gold, Antivirus Master, Antivirus XP 2008, Antivirus Pro 2010, Antivirus System PRO, Avatod Antispyware 8.0, Awola