Roadshow Outline Why We Care About Information Security Safe Computing• Recognize a Secure Web Site (HTTPS)• How to Spot a Spoofed Web Site• Recognize a Phishing Attempt• What is Social Engineering Privacy and Compliance• PCI/HIPAA/FERPA• Policy• Privacy and Best Practice
Why We Care About Information SecurityPersonal Reasons:Identity TheftLoss of DataFinancial LossPoor Computer PerformanceInstitutional Reasons:Protect Middlebury College and The Monterey Institute of International StudiesCompliance with Laws and StandardsPrevent Reputational DamageReduce Legal Liability for the CollegeAs Well As the Personal Reasons Listed Above
How do I Know a Web Site is Secure?• HTTPS in the Address baris an indicator of a secureweb site.• A web site encrypted withSSL should display a near theaddress bar.• Not all devices orbrowsersdisplay thesame.
What is a Spoofed Web Site• Just because the sitelooks like MIISdoes not mean it is• Check the address or URL• Never enter login information unless the site is secure and you have checked the URL
How to Spot Phishing • Forward all suspected Phishing messages to firstname.lastname@example.org before deleting themessage.• If you fall victim to a phishing attack RESET your password immediately and then call theHelpdesk.
What is FakeAV• Tries to look like regular AV• Clicking on the warning will download a virus• Often the best bet is a hard shutdown of thesystem• Know what your AV warnings look like • Sophos anti-virus does offer some webprotections which help to prevent the downloadactivity of FakeAV.
Social Engineering• Social engineering, in the context of security, is understood to mean the art of manipulating peopleinto performing actions or divulging confidential information. While it is similar to a confidence trick orsimple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, orcomputer system access; in most cases the attacker never comes face-to-face with the victims.(From Wikipedia)Examples:• You are in a hotel and receive a call from the front desk to confirm your credit card details.• You receive a call at work from support services asking for your password to fix a problem on yourcomputer.• You are at home and get a call from the help desk asking for your login information to reset your emailaccount.
What Laws Protect Information Here at Monterey• Family Education Rights and Privacy Act (FERPA) = Student Data• Health Information Portability and Accountability Act (HIPAA) = Health Data• Sarbanes – Oxley Act (SOX) = Financial Data for Businesses• Gramm Leach Bliley Act (GLBA) = Financial Data for Lending Institutions• California Law SB 1386 / VT Act 162 = State Breach Notification laws• Payment Card Industry Standards (PCI-DSS) = Credit/Debit Card Data
What are Some Best PracticesDo• Look for HTTPS and other key addressindicators when you are going to different websites.• Use a strong challenge question in Banner SSB• Redaction – remove or mask (block out)personally identifiable information when sharingdata• Be suspicious of unsolicited email or phone calls.•Lock your computer or secure information whenyou leave your work space.•Use Anti-Virus on both your work and homesystems•Use secure passwords which you change often.This also applies to mobile devices.Do
What are Some Best PracticesDo Not• DO NOT write down or share your passwords- tools such as eWallet or 1Password workwell as secure password storage alternatives.• DO NOT store confidential data on unencryptedthumb drives or other unsecured media-if you need to transfer the data encrypt thefile or password protect the file and keep amaster copy on the server.Do Not• DO NOT place confidential data in email-email a link to where the file is stored.This may add complexity but increasessecurity. Windows Explorer can showyou the path to the location of the file.• DO NOT record sensitive data on the Collegeweb site, blog or Wiki
Discussion and LinksPlease share your thoughts!Information Security Resources:http://go.middlebury.edu/infosechttp://go.miis.edu/infosecReport Information Security Events To: email@example.com