Information Security Day for Penn State Ag Sciences


Too often faculty and staff fail to realize how important individual actions are to the security of computing systems. What each person does (or doesn't do) makes a significant difference with regard to both their individual privacy and the greater security of the institution.

To reinforce the idea that everyone must work together to ensure a secure computing environment, an Information Security Day was held within our College. This session will relate the concept behind the day and how it was held.

Information security and security awareness topics were discussed via short, "bite-sized" Adobe Connect sessions and included:

• Dangers of Social Networking
• Computer Best Practices to Prevent Malware
• How to Respond to an ‘Antivirus’ Pop-Up Ad
• Better Passwords and Pass Phrases
• Protecting Your Data

Published in: Technology, Education

  • There's a positive side to each of these negative principles:
      • Design security controls that account for human behavior. Study cognitive science and practical psychology to support your decisions. This is also critical for gaining support for security initiatives, not just design of individual controls.
      • Engage in intelligence and counter-threat operations to the best of your ability. Once an attack has started, your first line of security has already failed.
      • Use checklists to remember the simple stuff, but any real security must be designed using a risk-based approach. As a corollary, you can't implement risk-based security if you don't really understand the risks; and most people don't understand the risks. Be the expert.
      • Adopt anti-exploitation wherever possible. Vulnerability-driven security is always behind the threat.
      • React faster and better. Incident response is more important than any other single security control.
  • Usually admin and admin
  • A USB drive belonging to the Army was found for sale at a bazaar just outside of Afghanistan. According to an email from Lt. Col. Thomas Collins, the Army does not know how the flash drive was lost in the first place. 120,000 patients of Wilcox Memorial Hospital in Lihue, Hawaii are still looking for a USB drive containing sensitive information such as their names, addresses, Social Security numbers and medical record numbers. Since its disappearance, the use of USB drives has been banned in the hospital. 6,500 former and current students at the University of Kentucky are waiting for a professor’s USB drive, which contained Social Security numbers and grades, to be recovered. The university is reportedly "reevaluating" the use of these drives.
  • Encryption software, when properly installed, configured and used, can help protect sensitive information at rest and greatly limit the number of reportable data breaches requiring victim notification. Once encrypted with a strong passphrase, if your computer does get stolen, the thieves can access only the meaningless encrypted data, and not your sensitive files.
  • Information Security Day for Penn State Ag Sciences

    1. 1. Vince Verbeke
    2. 2.
        • Dangers of Social Networking: 9:00 am to 10:00 am
        • Computer Best Practices to Prevent Malware: 10:30 am to 11:30 am
        • How to Respond to an ‘Antivirus’ Pop-Up Ad: 12:00 pm to 1:00 pm
        • Better Passwords and Pass Phrases: 1:30 pm to 2:30 pm
        • Protecting Your Data: 3:00 pm to 4:00 pm
    3. 3.
        • Dangers of Social Networking: Who are your friends really?
        • Computer Best Practices to Prevent Malware: Update! Update! Update!
        • How to Respond to an ‘Antivirus’ Pop-Up Ad: Warning! Warning! Warning!
        • Better Passwords and Pass Phrases: Who would want my information?
        • Protecting Your Data: Let’s be safe out there!
    4. 4.
        • All the IT groups within the College work to make a safe computing environment
            • Install Antivirus Software
            • Network Threat Protection
            • Firewalls
        • Individual’s actions are of great importance to the security of computing systems
        • What you do (or don’t do) matters as well
        • We need your help and support
    5. 5.
        • Don't expect human behavior to change. Ever
        • You cannot survive with defense alone
        • Not all threats are equal, and all checklists are wrong
        • You cannot eliminate all vulnerabilities
        • You will be breached
        • Source:
    6. 6.
        • What threats are out there
        • How can we minimize our risk
    7. 7.
        • Twitter Phishing Attack Spreading via Direct Message (Feb 20, 2010)
        • Facebook Accounts Hacked; 1.5 Million Login IDs For Sale? (April 23, 2010)
        • Google Asking Buzz Users to Confirm Contacts (April 6, 2010)
        • Foursquare's privacy loopholes (March 25, 2010)
    8. 8.
        • Twitter Phishing Attack Spreading via Direct Message (Feb 20, 2010)
        • Facebook Accounts Hacked; 1.5 Million Login IDs For Sale? (April 23, 2010)
        • Google Asking Buzz Users to Confirm Contacts (April 6, 2010)
        • Foursquare's privacy loopholes (March 25, 2010)
    9. 9.
        • Facebook Safety Center
        • Sophos's recommendations for Facebook settings
        • Facebook Newbie | Good Practices
            • Be careful of stuff sent to you, even by people you respect (their Facebook account may have been hacked)
            • Limit or eliminate access to games and plugins
            • Think before you click
        • Let’s look at my FB page...
    10. 10.
        • The Internet is fun but also dangerous
        • People don’t know what they do and can easily be duped
        • The more cool stuff, the more risks
        • Updates should be applied religiously
        • Browsing to a site (ANY site) can infect your computer
        • Source: Safe Computing Tips For All
    11. 11.
        • You need to review and look at your various social media account settings
        • Be aware that what you post is there for everyone to see
            • bad folks to gather and sell
            • Google to cache
            • Library of Congress to archive (April 28, 2010)
        • Walk away from Social Media
    12. 12.
        • Where are the threats coming from
        • What can we do to shield ourselves
        • What to do if infected
    13. 14.
        • Malware authors attempt to evade detection by continually releasing new variants in an effort to outpace the release of new signatures by antivirus vendors
        • More than 126 million malicious samples were detected in the wild in 2nd half of 2009
        • Misc. Potentially Unwanted Software: 1st Half 09: 2,753,008; 2nd Half 09: 4,674,336; Diff: 69.8%
        • Source: Microsoft Security Intelligence Report Volume 8 (Apr 2010)
    14. 15.
        • Infection rates for more recently released operating systems are consistently lower than previous ones
        • For operating systems with service packs, each successive service pack has a lower infection rate than the one before it.
        • The infection rate for Windows XP with SP3 is less than half of that for SP2, and less than a third of that for SP1.
        • Source: Microsoft Security Intelligence Report Volume 8 (Apr 2010)
    15. 16.
        • QuickTime (and iTunes)
        • Sun Java (and remove old versions)
        • Adobe Flash Player
        • Firefox
        • Real Player
        • See How To Download Latest Updates for Enterprise Dell Computers for a list
        • YOU NEED TO FIND THE TIME!!
    16. 17.
        • Don’t click on, or attempt to close, any of the malware windows
        • SHUT DOWN
        • Contact Ag IT Support at 814-865-1229 or submit a Help Request from another machine
        • Ag IT will ...
            • Attempt to clean the infection
            • Back up the data and re-image the machine
    17. 18.
        • Computers can be infected from any website
        • THINK, THINK, THINK ... BEFORE YOU CLICK, especially in search results
        • If you receive a message from an unrecognized or unsolicited source, be wary
        • Apply Windows updates and apply your 3rd party updates
            • Subscribe to AgSci IT Tech Alerts
            • Read AgSci IT eNews
        • If infected, shut down, and contact Ag IT
    18. 19.
        • What just happened
        • What if the computer is infected
    19. 21.
        • Don't panic
        • Go to another computer and print How To Respond to an "Antivirus" Pop-Up Ad
        • Let’s review the steps
    20. 22.
        • Computers can be infected from any website
        • THINK, THINK, THINK ... BEFORE YOU CLICK
        • Apply Windows updates and apply your 3rd party updates
            • Subscribe to AgSci IT Tech Alerts
            • Read AgSci IT eNews
        • If infected, you can try these steps (or shut down, and contact Ag IT straightaway)
    21. 23.
        • What are password rules for the College
        • What are Penn State’s guidelines
        • What are good passwords
        • What are bad passwords
        • How can you protect your passwords
        • How can you remember your passwords
        • What other tech hardware uses passwords
        • Questions ... Questions .... Questions
    22. 24.
        • Use two numbers in the first eight characters.
        • Pick long passwords, at least 8 characters in length if the system allows it.
        • Don't use a common dictionary word, a name, a string of numbers, or your User ID.
        • Certain special characters may be used. Examples of permitted special characters are $ . , ! % ^ *
        • Source:
    23. 25.
        • Use a password based on a phrase
        • phrase: "It was a dark and stormy night..."
          password: iWadasn7
          method: Chose first letter from each word, followed by the age of nephew.
        • phrase: My Brother's Birthday Is april(4) Twenty Two Nineteen Sixty three(3)
          password: mbbi4tt19s3
          method: Chose first letter from most words, and substitute numbers for letters
    24. 26.
        • Anything so complicated you have to write it down
        • Anything in all upper case or lower case
        • Anything with the first or last character uppercase and the rest lower case
        • Anything you've come across as a textbook example
        • Anything containing letters of the alphabet only
    25. 27.
        • Interleave two words e.g. Penn State = PsEtNaNte
        • Interleave a word with a numeric string e.g. flash 978 = f9L7a0s8H
        • Concatenate two words, possibly with a symbol as delimiter e.g. egG^rIbBoN (read: egg^ribbon)
        • Source: Choosing Your Password (PDF)
    26. 28.
        • Embed special characters or non-alphanumeric symbols ($ . , ! % ^ *)
        • Misspell (but consistently!)
        • Unorthodox caPitaliZation
        • Use a personally significant acronym e.g. WaPSftG (We Are Penn State For The Glory)
        • Replace letters with digits or equivalent characters, and words with abbreviations e.g. $h0wprg^m or Eag!RnPH*LL
        • Don't re-use same password
    27. 29.
        • Do not let anyone else know or use your password; this is a violation of University policy
        • For optimum security, don't write your password down. Don’t post it on your computer or anywhere around your desk.
        • If the URL does not begin with "https" then you should not use your Penn State Access Account password.
        • Source:
    28. 30.
        • Both Penn State and the College require that you update passwords at least once a year
        • For security reasons, it is recommended that you change these passwords every 6 months
        • Neither Penn State nor the College will ever send you an E-mail asking for your password
    29. 31.
        • Software allows you to create a “master” password to store passwords for all your other accounts
        • Encrypts your passwords
        • Fills in and remembers online forms
        • Examples: KeePass - LastPass - RoboForm -
    30. 32.
        • Home Routers with default password
        • Multifunction devices with default passwords
        • Multifunction print, scan and fax devices have the ability to store faxes, scans & print jobs to memory, and can archive to hard disk
            • A Security Assessment of the Ricoh Aficio 450E Multifunction Device (2003)
    31. 33.
        • Password should be at least 8 characters
        • Use a pass-phrase
        • Use mixed case, embed at least 2 numbers and one special character in your passwords
        • Change your Penn State and Ag passwords every 6 months
        • Don’t share your passwords (or write down)
        • Don’t use your Penn State or Ag password for any other purpose (like Facebook)
    32. 34.
        • What if an EN computer was stolen
        • What if you misplaced a USB drive with research or sensitive information
        • What does the future hold for data safety on University machines
        • Can you check your online identity
    33. 35.
        • Report theft to local authorities
        • Change Passwords IMMEDIATELY
        • Report the theft to Ag IT
        • Report the theft to Penn State Security
        • Report the theft to Dell (if applicable)
        • Source:
    34. 36.
        • If a thief has physical access, they can gain access to the drive contents ... PERIOD
        • Reboot from a CD and reset the local Windows password on that machine
        • Reboot from a Linux CD (Ultimate Boot CD) and gain access to entire hard drive
        • Spend less than $50 on a hard drive caddy to mount your drive as an external device
    35. 37.
        • Upside - small size, easy portability, durability, and low cost make them very popular
        • Downside – they are just as easy to swipe and to conceal as well as misplace or lose
        • Many horror stories involving missing USB drives
    36. 38.
        • Record your EN computer’s Service Tag and Express Service Code (other computers record the serial number)
        • Physically secure the machine
        • Do not leave laptops unattended in public
        • Label your computer (laptops at least) with name and contact information (but not your password)
        • More: How to deal with a lost or stolen laptop
    37. 39.
        • Label the drive with “If Found” and a phone number
        • Rohos Mini Drive allows you to create a password-protected partition on USB drives
        • Demonstration
    38. 40.
        • Operate computers in ‘least privilege’ mode
            • Better system security
            • Less obtrusive in Windows 7
        • Enable full disk encryption to protect data from thieves
            • Feature is built in to Windows 7 Enterprise
    39. 41.
        • Think security all the time
        • With Windows 7 on EN machines, security will be more stringent
        • Check your online identity
    40. 42.
        • 202 total participants across all 5 sessions
            • 56 – Dangers of Social Networking
            • 56 - Best Practices to Prevent Malware
            • 31 - Respond to an 'Antivirus' Pop-Up
            • 26 - Better Passwords and Pass Phrases
            • 31 - Protecting Your Data
        • 85 unique participants
        • 34 (16%) attended single session
        • 51 (25%) attended more than one session
        • 14 attended each of the sessions
    41. 43.
        • Views of Recorded Sessions
            • 20 – Dangers of Social Networking
            • 10 - Best Practices to Prevent Malware
            • 4 - Respond to an 'Antivirus' Pop-Up
            • 11 - Better Passwords and Pass Phrases
            • 3 - Protecting Your Data
        • 48 "additional" participants
        • Overall impact: 202 + 48 = 250
    42. 44.
        • 85 unique out of 202 is 42%
        • 42% of 48 recorded watchers is 20
        • 105 total unique
        • ~ 1400 full time faculty, staff, educators, and tech service staff in College of Ag Sciences
        • Reached 7.5% of the College
        • We DID ASK these people to carry the message to co-workers
    43. 45.
        • September 21 during ITChatter
        • ITChatter Series is a monthly lunch conversation about technologies
        • ITChatter runs from 12:15 to 12:50
        • We’ll do follow-up on all 5 topics
        • Check out our Training Page
    44. 46.
        • Security and security awareness is NOT a once and done deal
        • We will continue to use eNews and Tech Alerts to keep awareness "in the face" of college faculty and staff
        • We must be vigilant and aware in our technology use each and every day
        • This message MUST be delivered .... each and every day if necessary
        • SECURITY DAY AS ONGOING SERIES
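
The password rules on slides 24, 26 and 33 above, written out as a checker. This is an added example and not part of the original deck; the function name, the constructed word list, and the readings "contains the User ID" and "any non-alphanumeric character counts as special" are assumptions.

```python
# Added example: checks a candidate password against slides 24, 26 and 33.
# SAMPLE_WORDS is a constructed stand-in for a real dictionary/name list.
SAMPLE_WORDS = {"password", "football", "sunshine", "pennstate", "baseball"}


def check_password(password, user_id="", words=SAMPLE_WORDS):
    """Return the list of rules the password breaks (empty list = passes)."""
    problems = []
    lowered = password.lower()
    letters = [c for c in password if c.isalpha()]
    upper_idx = [i for i, c in enumerate(password) if c.isupper()]

    # Slide 24: length and "two numbers in the first eight characters".
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if sum(c.isdigit() for c in password[:8]) < 2:
        problems.append("fewer than two numbers in the first eight characters")

    # Slide 24: no dictionary word, name, string of numbers, or User ID.
    if password.isdigit():
        problems.append("string of numbers")
    if lowered in words:
        problems.append("dictionary word or name")
    # Assumption: also reject passwords that merely contain the User ID.
    if user_id and user_id.lower() in lowered:
        problems.append("contains the User ID")

    # Slide 26: patterns that make a bad password.
    if password.isalpha():
        problems.append("letters of the alphabet only")
    if letters and (all(c.islower() for c in letters)
                    or all(c.isupper() for c in letters)):
        problems.append("all upper case or all lower case")
    elif len(upper_idx) == 1 and upper_idx[0] in (0, len(password) - 1):
        problems.append("only the first or last character is uppercase")

    # Slide 33: at least one special character (assumed: any non-alphanumeric).
    if all(c.isalnum() for c in password):
        problems.append("no special character")
    return problems


if __name__ == "__main__":
    # The first two are the deck's own examples; the rest are constructed.
    for pw in ("iWadasn7", "mbbi4tt19s3", "Password", "t4W9r^mbLq"):
        print(pw, "->", check_password(pw) or "passes")
```

Run against the deck's own samples from slide 25, the checker reports iWadasn7 for having one number in its first eight characters and mbbi4tt19s3 for being all lower case.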