If you use central university data marts (e.g., ADW, Student, Bursar, HR), change your NetID password now if it does not meet the new requirements!
Managing the complexity…
Use a “pass phrase” (the first letter of each word in a phrase or a song lyric) for an easy-to-remember but secure password:
Invent your own secret password, mixing in numbers, symbols, and uppercase, like this: s3cReT pAs5w*rD (invent your own; don’t reuse the example itself)
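The pass-phrase technique above, as an added worked example (this is not code from the original slides or from CIT). It takes the first letter of each word, swaps some lowercase initials for digits and symbols, and then checks the result against a password policy. The thresholds, the substitution table and the sample phrase are assumptions for illustration; the actual NetID requirements are not stated on this page.

```python
# Added example, not from the original slides: derive a password from a
# pass phrase (first letter of each word) and check it against a policy.
# The policy thresholds and the substitution table are assumptions for
# illustration, not Cornell's actual NetID requirements.
import re
import string

MIN_LENGTH = 8      # assumed minimum length
MIN_CLASSES = 3     # assumed: at least 3 of lower/upper/digit/symbol

# Substitutions applied to lowercase initials to mix in digits and symbols.
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}


def passphrase_to_password(phrase: str, substitute: bool = True) -> str:
    """Take the first character of each word, keeping the phrase's own
    capitalisation and any leading digits or punctuation."""
    out = []
    for word in phrase.split():
        first = word[0]
        # Only lowercase initials are swapped, so capitals survive as a class.
        if substitute and first in SUBSTITUTIONS:
            first = SUBSTITUTIONS[first]
        out.append(first)
    return "".join(out)


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short: {len(pw)} < {MIN_LENGTH}")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if re.search(r"(.)\1\1", pw):
        problems.append("contains three identical characters in a row")
    return problems


if __name__ == "__main__":
    # Constructed sample phrase (the alma mater, so everyone on campus knows
    # it; a phrase personal to you is a better choice in practice).
    phrase = "Far above Cayuga's waters, with its waves of blue!"
    for sub in (False, True):
        pw = passphrase_to_password(phrase, substitute=sub)
        print(sub, pw, check_password(pw) or "passes")
```

Running it shows why the slide insists on mixing in numbers and symbols: the bare initials "FaCwwiwob" fail the class requirement, while the substituted form passes. A lyric everyone on campus knows is still a guessable base for a cracker's phrase list, so pick one personal to you.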
How to Change Passwords
Each system can be different. Ask if you’re unsure.
Use anti-virus software and keep it current
Apply Windows updates (choose the ‘Install Updates and Shut Down’ option at shutdown)
Don’t install software (unless assisted by tech staff)
Don’t open email attachments unless they are both expected and from a trusted sender
Use a 5-minute password-protected screen saver (an exception is available if you do not access confidential data)
If that’s not soon enough, press Ctrl-Alt-Del and lock the workstation; the screen is password-protected immediately
Workstation Requirements (Cont.)
Use privacy panel where appropriate
Log off if the workstation will be unattended for more than ½ hour
Be especially careful with physical security of laptops and tablets
Use extreme caution with attachments. They can contain viruses.
Don’t open attachments unless you were expecting them - even if they are from someone you know!
The ‘from:’ address can be forged (spoofed).
Verify suspicious attachments with the sender before opening (by phone or a fresh message, not by replying, since a reply goes back to the forged address)
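The two points above (a forged ‘from:’ address and an unexpected attachment), as an added worked example that is not part of the original slides: a constructed message whose From: header claims to come from cornell.edu, while the envelope sender recorded by the receiving server (Return-Path) names a different domain, and whose attachment is an executable disguised with a double extension. The message, the addresses in it and the extension list are all constructed for illustration.

```python
# Added example, not from the original slides: parse a constructed message
# with a forged From: header and show what a mail client can actually check.
# The sample message, its addresses and RISKY_EXTENSIONS are assumptions.
from email import message_from_string, policy

# Constructed sample. Return-Path and Received were written by the receiving
# server; From: is whatever the sender typed, and is not verified by anyone.
SAMPLE = """\
Return-Path: <bounce@mail-example.invalid>
Received: from mail-example.invalid (mail-example.invalid [192.0.2.10])
    by mx.example.edu with ESMTP; Tue, 5 Sep 2006 09:12:03 -0400
From: "Cornell IT Security" <security@cornell.edu>
To: user@cornell.edu
Subject: Important: update your NetID password
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached form and confirm your NetID password.
--b1
Content-Type: application/octet-stream; name="NetID_Form.pdf.exe"
Content-Disposition: attachment; filename="NetID_Form.pdf.exe"
Content-Transfer-Encoding: base64

SGVsbG8gd29ybGQ=
--b1--
"""

# Extensions Windows will execute when double-clicked (illustrative list).
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs", ".js"}


def sender_mismatch(msg):
    """Compare the displayed From: domain with the envelope sender's domain.
    A mismatch is not proof of forgery (mailing lists do this too), but it
    is the cheapest red flag a client can raise."""
    from_addr = msg["From"].addresses[0].addr_spec
    ret = msg.get("Return-Path", "").strip("<> ")
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    ret_domain = ret.rsplit("@", 1)[-1].lower() if "@" in ret else ""
    return from_domain != ret_domain, from_domain, ret_domain


def risky_attachments(msg):
    """Return attachment filenames whose *final* extension is executable,
    which catches double extensions such as form.pdf.exe."""
    risky = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            risky.append(name)
    return risky


def triage(raw: str) -> dict:
    """Summarise what can be checked before anyone opens the attachment."""
    msg = message_from_string(raw, policy=policy.default)
    mismatch, shown, actual = sender_mismatch(msg)
    return {
        "display_name": msg["From"].addresses[0].display_name,
        "from_domain": shown,
        "envelope_domain": actual,
        "sender_mismatch": mismatch,
        "risky_attachments": risky_attachments(msg),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The display name and the address after From: are both free text chosen by the sender, which is exactly why the slide says to verify with the sender out of band rather than trusting what the client shows.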
Email Attachment Example
Email Security (Cont.)
Don’t send attachments containing confidential or sensitive information (e.g. SSNs, salaries, performance dialogues). Use the Cornell Dropbox instead: http://dropbox.cornell.edu
Email Security (Cont.)
Beware of ‘phishing’ messages
phishing (fish´ing) (n.) The act of sending an email to a user while falsely claiming to be an established, legitimate enterprise, in an attempt to scam the user into surrendering private information that will be used for identity theft.
Security Incident Reporting
Submit a TechTicket to report and document security incidents
Access data on a need to know basis only!
Data Stewardship Requirements
Identify the data on your system – You are responsible for the data!
Limit creation/retention of documents containing confidential information (e.g. SSNs, credit card numbers)
If you must create such documents, store them on the server. SAS Tech can help with this.
Delete such documents when no longer needed.
Do not store confidential information on removable media (e.g. floppies, CDs, flash drives)
Securing your home computer
If you work from home, follow these guidelines:
Never store confidential data on home computers!
The good news:
CIT will be rolling out a new service, Active Directory, to help manage computers, printers, and users.
The bad news:
Computer compromises are on the rise both nationally and at Cornell...
Attacks are targeting identity theft
Not just universities
U.S. Department of Veterans Affairs Disclosed: May 2006 Number of records: 26.5 million How: A burglar stole electronic data on veterans from the home of a federal employee.
DSW Shoe Warehouse Disclosed: April 2005 Number of records: 1.4 million How: Hackers accessed a database of customers and credit card numbers.
Sobering Stats from CIT’s Security Office …
60% of Cornell computers have social security numbers on them (2006)
Cornell averaged 1 significant compromise per month in the last year
Laptops containing SSNs were stolen last year
Cornell sent 2500 notification letters due to compromises last year
All were preventable if the 12 steps had been followed…
Process for Handling Confidential data on your PC
SAS Tech runs Spider on your PC
Spider creates a log file of the files it flags
The log file is delivered to the user via the Cornell Dropbox
User verifies each file that Spider finds
User decides, for each file, whether to:
Delete the offending file(s)
Arrange with SAS Tech to store the file(s) on the server
User deletes the Spider log file
Cleanse the PC using Spider, then build on that foundation:
Change practices for storing confidential data on the PC
Be aware of your responsibility regarding data stewardship
Random Spider Audits
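The Spider workflow above (scan the PC, produce a log, have the owner review each hit), as an added worked example. This is not Spider itself and not Cornell code: it is a minimal scanner of the same kind, which walks a directory, flags lines that look like SSNs or credit card numbers (the latter confirmed with a Luhn checksum to cut false positives), and writes a log that shows only the last four digits so the log itself is not confidential. The patterns, the sample files and the log format are this example's own assumptions.

```python
# Added example, not Spider itself: a minimal confidential-data scanner in
# the spirit of the Spider workflow. Patterns, sample files and log format
# are this example's assumptions, not Spider's.
import os
import re
import tempfile

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out most random digit runs that match CARD_RE."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the log is safe to hand around."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_file(path: str) -> list:
    """Return (line_number, kind, masked_value) hits for one text file."""
    hits = []
    with open(path, encoding="utf-8", errors="ignore") as f:
        for lineno, line in enumerate(f, 1):
            for m in SSN_RE.finditer(line):
                hits.append((lineno, "SSN", mask(m.group())))
            for m in CARD_RE.finditer(line):
                digits = re.sub(r"\D", "", m.group())
                if luhn_ok(digits):
                    hits.append((lineno, "CARD", mask(m.group())))
    return hits


def scan_tree(root: str) -> dict:
    """Walk root and return {relative_path: hits} for files with any hit."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def write_log(findings: dict, log_path: str) -> None:
    """One line per hit: path:line: KIND masked-value."""
    with open(log_path, "w") as log:
        for rel, hits in sorted(findings.items()):
            for lineno, kind, masked in hits:
                log.write(f"{rel}:{lineno}: {kind} {masked}\n")


def demo() -> dict:
    """Build a constructed sample tree, scan it, write the log, return hits."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample files; the card number is a test value
        "payroll.csv": "name,ssn\nAlice,123-45-6789\nBob,987-65-4321\n",
        "orders.txt": "card 4111 1111 1111 1111 exp 12/09\n",
        "notes.txt": "phone 607-255-1234, order 1234-5678-9012\n",  # no hits
    }
    for name, text in samples.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(text)
    findings = scan_tree(root)
    write_log(findings, os.path.join(root, "spider.log"))
    return findings


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(rel, hits)
```

The phone number and the 12-digit order number in notes.txt are deliberately there to show the two false-positive controls: the SSN pattern insists on the 3-2-4 grouping, and a digit run that fails Luhn is not logged. A real scanner also needs to look inside Word, Excel and PDF files, which this text-only example does not.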
New Security Tools Demo…
Dropbox: secure electronic file delivery
Spider: tool developed by the Cornell Office of IT Security (Wyman Miles)
Identifies the presence of confidential data
Widely used by many universities today
Software that encrypts data when accessing University data from off campus