07fa-computer-security.ppt

Published in: Technology, Education
  • Hello, and thank you. This is an overview of computer security and good computing practices. It is kind of a whirlwind overview, so the handout you have includes additional information and details about the things I will be talking about.
  • The general topics I will be covering are <Read Topics> My expectation is that much of what I cover will be familiar to you, and that’s a good thing. One goal of computer security training is to reinforce and confirm and update good computing practices that people already know about, so they remain in the front of your mind. And then hopefully through the course of this overview there will be a couple of gems or new things that you can take away, as well.
  • The definition of computer security is pretty straightforward <Read definition> This may lead you to the question: <next slide>
  • <Read slide> And the answer is: Well, not really…
  • Computing security, like any other kind of security, tends to follow the 90/10 rule: 10% of the protection is the technology, and the other 90% relies on people knowing what to do and what not to do so that the technology can do its job. Bolt lock example: This is kind of like the bolt lock on a door. The lock itself is the technology - the 10%. Making sure the lock is locked and the keys aren’t sticking out of the lock are examples of the 90%.
  • Consequences of security violations:
    • Embarrassment to the University: breach information on the front page of the Chronicle, etc.
    • Risk to the security and integrity of personal or confidential information, e.g. identity theft, data corruption or destruction, unavailability of critical information in an emergency, etc.
    • Loss of valuable business information
    • Loss of employee and public trust, embarrassment, bad publicity, media coverage, news reports
    • Costly reporting requirements in the case of a compromise of certain types of personal, financial and health information
    • Internal disciplinary action(s) up to and including termination of employment, as well as possible penalties, prosecution and the potential for sanctions / lawsuits
  • So that’s what computer security is and why it is important to know about good computing practices. Next I will quickly go through some basic good computing practices. I’d like to call your attention to the “Top 10 list of good computing practices” on the handout that I gave you. The handout is meant as a reference for you to take with you, and what I’ll be doing is highlighting some key points.
  • Restricted data is discussed on slides 27 and 28. Maybe say something here about what portable devices are? Namely laptops, flash drives/memory sticks. Portable Devices: These include laptops, CDs/floppy disks, memory sticks, PDAs, phones, etc. These items are extra vulnerable to theft and loss. If you have to use them, keep them extra secure. 1. Need info for backing up your data.
  • Passwords: Passwords are a fundamental line of defense against unauthorized access of our computers or data, so it is important to have good passwords that are hard for hackers to guess or crack, and it’s also important to protect your passwords - keep them secure. They really need to be treated like other confidential info such as SSN or other identity theft information. The handout has some general pointers for creating good, cryptic passwords. Protecting your password means never share it and try to create passwords that are easy for you to remember so you don’t have to write them down. If you DO have to write a password down, be sure you store it securely - lock it up in a place where others wouldn’t think to look.
  • Patches: Ask your computing coordinator if you aren’t sure how to do this. (It’s not your job to figure it out.) Also find out what you need to do (if anything) to keep them current. Unknown programs: These can harbor computer viruses or open a “back door” giving others access to your computer.
  • Talk about the secure solution. 3 main points:
    • We already talked a bit about not clicking on web links unless you really know where you are going. This is especially true for unsolicited web links in email.
    • Regarding attachments, only open attachments if you are positive you know what you’re opening. 3 checks: you were expecting it, it is addressed specifically to you, and the file name is what you were expecting. Checks are important because email can look like it is from a known person but really be sent by an infected machine. See handout: “Should you open that email attachment?”
    • Don’t open, reply to or forward spam or suspicious e-mails - just delete them. Some warning signs that you’re dealing with suspect email are on the handout.
  • Internet: With respect to using the Internet, it is important to keep 2 things in mind: The internet is not private. Don’t provide personal or sensitive information to internet sites, surveys or forms unless you are using a trusted, secure web page. Just opening a malicious web page can infect a poorly protected computer. Make sure you know where you’re going before clicking on a link. Instead of clicking on a link, look up the company and go there directly.
  • Lock Up; Close Up: Check windows, doors and drawers (take keys out of drawers). Lock up any sensitive materials before you leave your area. It’s OK to question people if you think they may be somewhere that they don’t belong. SAY MORE ABOUT AXIOM CARDS. Laptops: Lock up your laptop wherever you take it, including at meetings, conferences, coffee shops, etc. Make sure it is locked to something permanent. Lockdown cables are available at The Source Bookstore.
  • Get directions from Sean about how to log off a Mac. Basic theme: Secure your computer when it is unattended, and make sure a password is required to get back on or to start up. For additional protection, have your computer set to “auto-lock” if it is left unattended.
  • Show how to disconnect the network cable. Say more about what security incidents might be. Tell them to do something rather than nothing at all, even if it is just to tell a supervisor.
  • In addition to going over these general good computing practices, I want to include a few words about restricted data.
  • Restricted data is basically anything that would be considered sensitive that shouldn’t be available to the general public for one reason or another. These are a few examples. Some of the classic ones are SSN, health info, financial info, intellectual property, but most of us have a general sense of what is and isn’t sensitive or private, and you can always look it up or ask if you’re not sure. Because of its nature, restricted data needs to be specially protected. Given this, I have 3 relatively simple steps for you for protecting restricted data. <Next slide>
  • Inventory: The first step toward protecting restricted data is making sure it is stored in the fewest places necessary. PII & other restricted data can be in current or old files, including archives.
  • Disposal/re-use: You can’t just get rid of sensitive data; you have to completely destroy it so others can’t get to it. Shred it (dumpster diving) or work with your computing person to erase it completely so that hackers can’t retrieve it. This includes hard drives, CDs, zip disks, flash drives, back-up tapes, etc. If you don’t know where to start, call the ITS Helpdesk: 459-HELP
  • Protecting RD that you keep: Work with your computing coordinator to protect any restricted data that you need to keep. If there’s time, which there won’t be: Know who has access to folders before you put restricted data there! Do not leave sensitive information on printers, fax machines, or copiers. Set up your workstation so that unauthorized people and passers-by cannot see the information on your monitor. Avoid using email to send restricted data; it’s not secure.
  • And finally, reporting security incidents. A security incident is essentially any compromise of computing systems or data. Sometimes you can do everything right and something still happens, so it is important to know what to do if you suspect a security breach, such as your computer being infected or confidential information being released accidentally.
  • On the handout. If it sets off a warning in your mind, it just may be a problem. Don’t ignore it!
  • Additional resources for general computing information and for computer security information - Also on the handout.

    1. Good Computer Security Practices: Basic Security Awareness. September 10, 2007. School of Nursing. Office of Academic and Administrative Information Systems (OAAIS), EIS Security Awareness Training and Education (SATE) Program
    2. Overview
       • What is Information and Computer Security?
       • “Top 10 List” of Good Computer Security Practices
       • Protecting Restricted Data
       • Reporting Security Incidents
       • Additional Resources
    3. What is Information and Computer Security?
    4. … the protection of computing systems and the data that they store or access.
       • Computing systems: desktop computers, laptop computers, servers, Blackberries, flash drives
       • Data: confidential data, restricted data, personal information, archives, databases
    5. Isn’t this just an IT Problem? Why do I need to learn about computer security? Everyone who uses a computer needs to understand how to keep his or her computer and data secure.
    6. Good security practices follow the “90/10” rule
       • 10% of security safeguards are technical
       • 90% of security safeguards rely on us – the user – to adhere to good computing practices
    7. What are the consequences of security violations?
       • Embarrassment to yourself and/or the University
       • Having to recreate lost data
       • Identity theft
       • Data corruption or destruction
       • Loss of patient, employee, and public trust
       • Costly reporting requirements and penalties
       • Disciplinary action (up to expulsion or termination)
       • Unavailability of vital data
    8. “Top Ten List” of Good Computer Security Practices
    9. Top Ten List (1–2)
       • 1. Don’t keep restricted data on portable devices.
       • 2. Back-up your data.
         • Make backups a regular task, ideally at least once a day.
         • Backup data to removable media such as portable hard drives, CDs, DVDs, or a USB memory stick.
         • Store backup media safely and separately from the equipment. Remember, your data is valuable… don’t keep your backups in the same physical location as your computer!
    10. Data Backups
       • How effective would you be if your email, word processing documents, Excel spreadsheets and contact database were wiped out?
       • How many hours would it take to rebuild that information from scratch?
    11. 3. Use cryptic passwords that can’t be easily guessed and protect your passwords - don’t write them down and don’t share them!
    12. Top Ten List (4–5)
       • 4. Make sure your computer has anti-virus, anti-spyware and firewall protection as well as all necessary security patches.
       • 5. Don’t install unknown or unsolicited programs on your computer.
       (Cartoon caption: “I’ll just keep finding new ways to break in!”)
    13. 6. Practice safe e-mailing ~
       • Don’t open, forward, or reply to suspicious e-mails
       • Don’t open e-mail attachments or click on website addresses
       • Delete spam
       • Use UCSF’s secure e-mail system to send confidential information ~
         • Subject: Secure:_
         • ( http://its.ucsf.edu/information/applications/exchange/secure_email.jsp )
    14. You receive an e-mail with an attachment from “IT Security” stating that you need to open the attachment. What should you do?
       • a) Follow the instructions
       • b) Open the e-mail attachment
       • c) Reply and say “take me off this list”
       • d) Delete the message
       • e) Contact OAAIS Customer Support
    15. You receive an e-mail with an attachment from “IT Security” stating that you need to open the attachment. What should you do?
       • a) Follow the instructions
       • b) Open the e-mail attachment
       • c) Reply and say “take me off this list”
       • d) Delete the message
       • e) Contact OAAIS Customer Support
       Answer:
       • d) Delete the e-mail message!
       • e) Contact OAAIS Customer Support for further instructions – but do not open, reply to, or forward any suspicious e-mails!
    16. Your sister sends you an e-mail at school with a screen saver attachment. What should you do?
       • a) Download it
       • b) Forward the message
       • c) Call a tech-savvy friend to help install it
       • d) Delete the message
    17. Your sister sends you an e-mail at school with a screen saver attachment. What should you do?
       • a) Download it
       • b) Forward the message to a friend
       • c) Call a tech-savvy friend to help install it
       • d) Delete the message
       Answer: d) Delete it! Never put unknown or unsolicited programs or software on your computer. Screen savers may contain viruses.
    18. 7. Practice safe Internet use ~
       • Accessing any site on the internet could be tracked back to your name and location.
       • Accessing sites with questionable content often results in spam or release of viruses.
       • And it bears repeating… Don’t download unknown or unsolicited programs!
    19. 8. & 9. Physically secure your area and data when unattended ~
       • Secure your files and portable equipment - including memory sticks.
       • Secure laptop computers with a lockdown cable.
       • Never share your ID badge, access codes, cards, or key devices (e.g. Axiom card)
    20. 10. Lock your screen
       • For a PC ~ <ctrl> <alt> <delete> <enter> OR <Windows key> <L>
       • For a Mac ~ Configure screensaver with your password. Create a shortcut to activate screensaver.
       • Use a password to start up or wake-up your computer.
    21. Which workstation security safeguards are YOU responsible for following and/or protecting?
       • a) User ID
       • b) Password
       • c) Log-off programs
       • d) Lock up office or work area (doors, windows)
       • e) All of the above
    22. Which workstation security safeguards are YOU responsible for following and/or protecting?
       • a) User ID
       • b) Password
       • c) Log-off programs
       • d) Lock up office or work area (doors, windows)
       • e) All of the above
       Answer: ALL OF THE ABOVE!
    23. The mouse on your computer screen starts to move around on its own and click on things on your desktop. What do you do?
       • a) Show a faculty member or other students
       • b) Unplug network cable
       • c) Unplug your mouse
       • d) Report the incident to whomever supports your computer and [email_address] if it happens while you’re on campus
       • e) Turn your computer off
       • f) Run anti-virus software
       • g) All of the above
    24. The mouse on your computer screen starts to move around on its own and click on things on your desktop. What do you do?
       • This is a security incident!
       • Immediately report the problem to whomever supports your computer, and to [email_address] if the incident occurs while you are on the UCSF campus or on a UCSF system.
       • Since it is possible that someone is controlling the computer remotely, it is best if you can unplug the network cable until you can get help.
    25. What can an attacker do to your computer?
       • a) Hide programs that launch attacks
       • b) Generate large volumes of unwanted traffic, slowing down the entire system
       • c) Distribute illegal software from your computer
       • d) Access restricted information (e.g. identity theft)
       • e) Record all of your keystrokes and get your passwords
    26. What can an attacker do to your computer?
       • a) Hide programs that launch attacks
       • b) Generate large volumes of unwanted traffic, slowing down the entire system
       • c) Distribute illegal software from your computer
       • d) Access restricted information (e.g. identity theft)
       • e) Record all of your keystrokes and get your passwords
       Answer: ALL OF THE ABOVE! A compromised computer can be used for all kinds of surprising things.
    27. Protecting Restricted Data
    28. Restricted data includes, but is not limited to:
       • Name or first initial and last name
       • Health or medical information
       • Social security numbers
       • Ethnicity or gender
       • Date of birth
       • Financial information (credit card number, bank account number)
       • Proprietary data and copyrighted information
       • Student records protected by FERPA
       • Information subject to a non-disclosure agreement
    29. Managing Restricted Data
       • Know where this data is stored.
       • Destroy restricted data which is no longer needed ~
         • shred or otherwise destroy restricted data before throwing it away
         • erase/degauss information before disposing of or re-using drives
       • Protect restricted data that you keep ~
         • back-up your data regularly
    30. Reporting Security Incidents
    31. Immediately report anything unusual, suspected security incidents, or breaches to whomever supports your computer, or OAAIS if it involves a UCSF system.
       • If you need to contact OAAIS Customer Support: Dial 1-415-514-4100 (Option 1 for Medical Center, Option 2 for Campus)
       • web: http://help.ucsf.edu/ email: [email_address]
       • Loss or theft of any computing device at UCSF MUST be reported immediately to the UCSF Police Department. Dial 1-415-476-1414. Report lost or stolen laptops, blackberries, PDAs, cell phones, flash drives, etc.
    32. ADDITIONAL RESOURCES
       • OAAIS Enterprise Information Security: Security Awareness, Training, and Education; Security Policies and Guidelines. 415-514-3333, http://isecurity.ucsf.edu/, [email_address]
       • To schedule a training session contact Tiki Maxwell, SATE Manager, 415-514-1363 or 415-502-3982, [email_address]
       • Customer Support, for general questions and information: 415-514-4100 (Option 1 for Medical Center, Option 2 for Campus), web: http://help.ucsf.edu/, email: [email_address]