Security Training 2008

  1. Computer Security
  2. Computer Security
     - The old…
       - Federal, State, and Local Policies
       - SAS Requirements
         - Passwords
         - Workstation Use
         - Email
         - Incident Reporting
         - Data Use
         - Home Computers
     - And the new…
       - DropBox
       - Spider
       - VPN
  3. Security Regulations
     - The Family Educational Rights and Privacy Act (FERPA) – protection of student records
     - Gramm-Leach-Bliley Act (GLBA) – protection of financial records
     - The Health Insurance Portability and Accountability Act (HIPAA) – protection of health care records
     - California’s Personal Information Privacy Bill – notification of computer security breach for California residents.
     - New York Information Security Breach and Notification Act – notification is required if there is reasonable belief that data were inappropriately acquired.
  4. Types of Confidential Data
     - Personally identifiable information
       - Social Security number
       - Driver’s license number
       - Credit card numbers or bank account numbers with associated PIN.
     - Legislatively protected data
       - FERPA (student records)
       - HIPAA (medical records)
       - GLBA (financial records)
     - Other sensitive data whose unauthorized disclosure could lead to a business, financial and/or reputation loss
       - payroll information or other benefit information
       - work history and other personnel information
       - alumni contributions
       - budget information
       - research data
       - Pricing / Vendor data
  5. Consequences of Non-compliance
     - NYS can sue for damages on behalf of the individual
     - Civil suits up to $150,000
     - Includes criminal liability for individuals who knowingly violate regulations
  6. Local Security Policies
     - University Policies:
       - Data Stewardship and Custodianship
       - Security of Information Technology Resources
       - Responsible Use of Electronic Communications
       - More coming!
  7. Passwords
     - Your password is your key to Cornell services. It safeguards your personal information and university data.
     - Keep the door locked by choosing a secure password!
  8. Password Requirements
     - Passwords must be ‘complex’
     - Passwords must be at least 8 characters in length
     - Passwords should be changed every 6 months
     - Passwords cannot be reused
  9. Co//p1eX pAs5w*rDs
     - Complex passwords contain characters from 3 of the following 4 character classes:
       - Uppercase letters (A,B,C…Z)
       - Lowercase letters (a,b,c…z)
       - Symbols (!@#$%^&*...)
       - Numbers (0,1,2…9)
  10. Additional Password Requirements
     - Don’t include dictionary words or proper nouns
     - Don’t use personal information about yourself
     - Don’t use common sequences (like ABC, 123, qwerty) or repeated characters (like AAA, 999)
     - Don’t simply put numbers on the end of a word (e.g. Hockey04)
  11. Password Requirements (Cont.)
     - Never share your password with anyone
     - If you must write it down, store it in a secure place
     - Test your password using CIT’s new password strength checker
     - * Remember it’s against University policy to share your NetID password with anyone.
  13. Other Password Requirements (Cont.)
     - PeopleSoft, FileMaker, Oracle Calendar, R25, etc. should all have passwords that are different from your Cornell email (NetID) password
  14. Cornell NetID Password (e.g. Webmail, Colts, etc.)
  15. CIT’s NetID Password Requirements
     - Applies to new or changed passwords only
     - Passwords must be at least 8 characters in length
     - Passwords must be complex
     If you use central university data marts (e.g., ADW, Student, Bursar, HR), change your NetID password now if it does not meet the new requirements!
  16. Managing the complexity…
     - Use a “pass phrase” (the first letter of each word in a phrase or a song lyric) for an easy to remember but secure password: Awas,igpac
     - Invent your own secret password, like this: s3cReT pAs5w*rD, mixing in numbers, symbols, and uppercase
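The password rules on slides 8 to 10 (minimum length, 3 of 4 character classes, no common sequences or repeated characters, no dictionary word with digits appended, no personal information) can be checked mechanically; the Python checker below is an added example, not CIT's password strength checker, and it is exercised on the slides' own samples (Awas,igpac, s3cReT pAs5w*rD, Hockey04). The sequence list, the tiny dictionary and the optional personal-information set are constructed stand-ins.

```python
import re

# Thresholds and examples come from the slides; the sequence list, the tiny
# dictionary and the personal-info set are constructed stand-ins, not Cornell's.
MIN_LENGTH = 8
MIN_CLASSES = 3
COMMON_SEQUENCES = ("abc", "123", "qwerty", "xyz", "789")
DICTIONARY = {"hockey", "password", "cornell", "secret", "welcome"}


def character_classes(pw: str) -> int:
    """Count how many of the 4 classes (upper, lower, digit, symbol) appear."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def check_password(pw: str, personal: frozenset[str] = frozenset()) -> list[str]:
    """Return the policy rules the password violates (an empty list means OK).

    'personal' is an optional set of lowercase strings the user must not use
    (name, NetID, birth year, ...), covering the 'no personal information' rule.
    """
    problems = []
    lower = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of 4 character classes")
    if any(seq in lower for seq in COMMON_SEQUENCES):
        problems.append("contains a common sequence (e.g. ABC, 123, qwerty)")
    if re.search(r"(.)\1\1", pw):
        problems.append("contains a repeated character run (e.g. AAA, 999)")
    # A bare dictionary word, optionally with digits tacked on the end (Hockey04).
    m = re.fullmatch(r"([a-z]+)\d*", lower)
    if m and m.group(1) in DICTIONARY:
        problems.append("is a dictionary word, possibly with numbers appended")
    if any(p and p in lower for p in personal):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    for candidate in ("Awas,igpac", "s3cReT pAs5w*rD", "Hockey04", "abc12345"):
        verdict = check_password(candidate) or ["OK"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```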
  17. How to Change Passwords
     - Each system can be different. Ask if you’re unsure.
  18. Workstation Requirements
     - Use anti-virus software and keep it current
     - Apply Windows updates (choose the ‘Install Updates and Shutdown’ option at Shutdown)
     - Don’t install software (unless assisted by tech staff)
     - Don’t open email attachments that are not expected and trusted
     - Use a 5 minute password protected screen saver (exception available if not accessing confidential data)
       - If that’s not soon enough, use ‘ctrl-alt-del’ to lock the screen immediately; the lock is password protected
  19. Workstation Requirements (Cont.)
     - Use a privacy panel where appropriate
     - Log off the workstation if it will be unattended for more than ½ hour
     - Be especially careful with the physical security of laptops and tablets
  20. Email Security
     - Use extreme caution with attachments. They can contain viruses.
       - Don’t open attachments unless you were expecting them - even if they are from someone you know!
       - The ‘from:’ address can be forged (spoofed).
       - Suspicious attachments should be verified with the sender before opening
  21. Email Attachment Example
  22. Email Security (Cont.)
     - Don’t send attachments containing confidential or sensitive information (e.g. SSNs, salaries, performance dialogues). Use the Dropbox instead.
  23. Email Security (Cont.)
     - Beware of ‘phishing’ messages
     phishing (fish´ing) (n.) The act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.
  24. Phishing Example
  25. Security Incident Reporting
     - Submit a TechTicket to report security incidents
     Access data on a need to know basis only!
  26. Data Stewardship Requirements
     - Identify the data on your system – You are responsible for the data!
     - Limit creation/retention of documents containing confidential information (e.g. SSNs, CC#)
     - If you must create such documents, store them on the server. SAS Tech can help with this.
     - Delete such documents when no longer needed.
     - Do not store confidential information on removable media (e.g. floppies, CDs, flash drives)
  27. Securing your home computer
     - If you work from home, follow these guidelines:
       - Never store confidential data on home computers!
  28. Security Trends
     - The good news:
       - CIT will be rolling out a new service known as ActiveDirectory to help manage computers, printers, and users.
  29. Security Trends
     - The bad news:
       - Computer compromises are on the rise both nationally and at Cornell...
       - Attacks are targeting identity theft
  30. Computer Compromises
  31. Not just universities
     - U.S. Department of Veterans Affairs. Disclosed: May 2006. Number of records: 26.5 million. How: A burglar stole electronic data on veterans from the home of a federal employee.
     - DSW Shoe Warehouse. Disclosed: April 2005. Number of records: 1.4 million. How: Hackers accessed a database of customers and credit card numbers.
  32. Sobering Stats from CIT’s Security Office…
     - 60% of Cornell computers have social security numbers on them (2006)
     - Cornell averaged 1 significant compromise per month in the last year
     - Laptops containing SSNs were stolen last year
     - Cornell sent 2500 notification letters due to compromises last year
       - All were preventable if the 12 steps had been followed…
  33. Process for Handling Confidential data on your PC
     - SAS Tech runs Spider on your PC
     - A log file is created
     - Log file distributed to user via DropBox
     - User verifies each file that Spider finds
     - User makes determination
       - Delete the offending file(s)
       - Make provisions with SAS Tech to store the file(s) on the server
     - User deletes the Spider log file
     - Awareness…Awareness…Awareness
  34. On-Going Process
     - Cleanse PC using Spider. Create Foundation
     - Change practices for storing confidential data on PC
     - Awareness of your responsibility regarding data stewardship
     - Random Spider Audits
  35. New Security Tools Demo…
     - DropBox
       - Secure electronic file delivery
     - Spider
       - Tool developed by Cornell Office of IT Security (Wyman Miles)
       - Identifies the presence of confidential data
       - Widely used by many Universities today
     - VPN
       - Software that encrypts data when accessing University data from off campus
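Slides 33 and 35 describe Spider as a tool that scans a PC and writes a log of files that appear to hold confidential data for the user to verify. The Python scanner below is an added example of that kind of check, not Cornell's Spider code: it logs the line of each probable SSN or payment card number and uses the SSA's never-issued ranges and the Luhn checksum to keep false positives down. The regexes and the sample document are constructed for this example.

```python
import re
from pathlib import Path

# Constructed, simplified stand-in for the detection a scanner like Spider does;
# not Cornell's Spider. SSNs must be dash-separated to avoid flagging every
# 9-digit number; card numbers may use spaces or dashes between digits.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str, name: str = "<text>") -> list[str]:
    """Return Spider-style log lines, '<name>:<line>: <kind>', one per hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                hits.append(f"{name}:{lineno}: possible SSN")
        for m in CARD_RE.finditer(line):
            if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
                hits.append(f"{name}:{lineno}: possible credit card number")
    return hits


def scan_file(path: Path) -> list[str]:
    """Scan one file; undecodable bytes are skipped so binaries rarely match."""
    return scan_text(path.read_text(errors="ignore"), str(path))


# Constructed sample document; the numbers are well-known test values, not real data.
SAMPLE = """Payroll export (constructed sample, test numbers only)
Employee 219-09-9999, hourly
Card on file: 4111 1111 1111 1111
Invoice 000-12-3456 and 1234 5678 9012 3456 are not real identifiers
"""
```

Line 4 of the sample shows the two filters at work: the area 000 SSN and the Luhn-invalid 16-digit number are both left out of the log.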