Roadshow2013 revised 2 - miis

Speaker notes

  • What is HTTPS and how does HTTPS/SSL protect you? What is the significance of the lock, and how can you use the lock to help yourself?
  • I am on an HTTPS site; why is that not enough? The site looks like Middlebury; how can I tell it is not? What is an address bar in the first place? What if I am on my phone? How do I check the URL in an email link?
  • What is phishing? Why do people do this stuff in the first place? What is the risk of a phishing attack or of those spoofed web sites?

    1. Information Security 2013 Roadshow

    2. Roadshow Outline
       Why We Care About Information Security
       Safe Computing
       • Recognize a Secure Web Site (HTTPS)
       • How to Spot a Spoofed Web Site
       • Recognize a Phishing Attempt
       • What is Social Engineering
       Privacy and Compliance
       • PCI/HIPAA/FERPA
       • Policy
       • Privacy and Best Practice

    3. Why We Care About Information Security
       Personal reasons:
       • Identity theft
       • Loss of data
       • Financial loss
       • Poor computer performance
       Institutional reasons:
       • Protect Middlebury College and the Monterey Institute of International Studies
       • Compliance with laws and standards
       • Prevent reputational damage
       • Reduce legal liability for the College
       • As well as the personal reasons listed above

    4. How do I Know a Web Site is Secure?
       • HTTPS in the address bar is an indicator of a secure web site.
       • A web site encrypted with SSL should display a lock icon near the address bar.
       • HTTPS and the lock tell you the connection is encrypted; they do not by themselves prove the site is the one you meant to visit, so check the address as well (next slide).
       • Not all devices or browsers display these indicators the same way.

    5. What is a Spoofed Web Site
       • Just because the site looks like MIIS does not mean it is.
       • Check the address or URL.
       • Never enter login information unless the site is secure (HTTPS) and you have checked the URL.

    6. How to Spot Phishing
       • Forward all suspected phishing messages to before deleting the message.
       • If you fall victim to a phishing attack, RESET your password immediately and then call the Helpdesk.
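The checks the two preceding slides ask for (is the link HTTPS, and is the address really a College address) and the speaker-note question of how to check the URL in an email link, worked through as an added example in Python. This is not material from the roadshow: the trusted-domain list (middlebury.edu and miis.edu), the sample message, and every function name are assumptions made for the illustration. It also covers the common spoofing tricks a user is told to look for: a College domain buried in a longer hostname, a user@host prefix that hides the real host, a bare IP address, a look-alike internationalized hostname, and link text that shows one address while the link points somewhere else.

```python
"""Flag suspicious links in an email before anyone clicks them (added example,
not part of the roadshow). TRUSTED_DOMAINS and SAMPLE_MESSAGE are constructed."""
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlparse

# Hypothetical allowlist: registrable domains the College actually uses.
TRUSTED_DOMAINS = {"middlebury.edu", "miis.edu"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")


def registrable_domain(host: str) -> str:
    """'login.miis.edu' -> 'miis.edu'. The last two labels are enough for
    .edu names; a production tool would consult the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_url(url: str) -> list[str]:
    """Reasons a link is suspicious; an empty list means it passed every check."""
    reasons = []
    parts = urlparse(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        reasons.append("not HTTPS")
    if parts.username is not None:
        # https://miis.edu@evil.example/ : the browser connects to evil.example
        reasons.append(f"user@host trick, real host is {host!r}")
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP address instead of a hostname")
    except ValueError:
        pass
    if "xn--" in host or any(ord(c) > 127 for c in host):
        reasons.append("internationalized (look-alike) hostname")
    if host and registrable_domain(host) not in TRUSTED_DOMAINS:
        # catches miis.edu.evil.example and middlebury-edu.example alike
        reasons.append(f"{host!r} is not a College domain")
    return reasons


def check_message(raw: str) -> dict[str, list[str]]:
    """Map every link target in the message to its list of problems."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        if ctype == "text/html":
            for href, inner in ANCHOR_RE.findall(body):
                problems = check_url(href)
                shown = TAG_RE.sub("", inner).strip()
                # Link text that is itself a URL must point where it says.
                if URL_RE.fullmatch(shown):
                    shown_host = urlparse(shown).hostname or ""
                    if shown_host != (urlparse(href).hostname or ""):
                        problems.append(f"text shows {shown!r} but target is {href!r}")
                report[href] = problems
        else:
            for url in URL_RE.findall(body):
                report[url] = check_url(url)
    return report


# Constructed sample: a look-alike login page hiding behind familiar link text.
SAMPLE_MESSAGE = """\
From: "MIIS Helpdesk" <helpdesk@miis.edu>
To: student@miis.edu
Subject: Password expires today
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b"

--b
Content-Type: text/plain; charset="us-ascii"

Your mailbox password expires today. Renew it at
http://miis.edu.account-verify.example/login or call 831-555-0100.

--b
Content-Type: text/html; charset="us-ascii"

<p>Renew it at <a href="https://miis.edu@198.51.100.23/login">https://go.miis.edu/password</a></p>
--b--
"""

if __name__ == "__main__":
    for link, problems in check_message(SAMPLE_MESSAGE).items():
        print(link, "->", problems or "looks fine")
```

The registrable-domain comparison is the heart of it: a hostname that merely contains "miis.edu" somewhere is not a College address, only one whose last two labels are. Run it on the sample and both links are reported with several reasons each; a plain `https://go.middlebury.edu/login` comes back clean.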
    7. What is FakeAV
       • Tries to look like regular AV.
       • Clicking on the warning will download a virus.
       • Often the best bet is a hard shutdown of the system.
       • Know what your AV warnings look like.
       • Sophos anti-virus does offer some web protections which help to prevent the download activity of FakeAV.

    8. Social Engineering
       Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims. (From Wikipedia)
       Examples:
       • You are in a hotel and receive a call from the front desk to confirm your credit card details.
       • You receive a call at work from support services asking for your password to fix a problem on your computer.
       • You are at home and get a call from the help desk asking for your login information to reset your email account.

    9. What Laws Protect Information Here at Monterey
       • Family Educational Rights and Privacy Act (FERPA) = Student data
       • Health Insurance Portability and Accountability Act (HIPAA) = Health data
       • Sarbanes-Oxley Act (SOX) = Financial data for businesses
       • Gramm-Leach-Bliley Act (GLBA) = Financial data for lending institutions
       • California SB 1386 / Vermont Act 162 = State breach notification laws
       • Payment Card Industry Data Security Standard (PCI-DSS) = Credit/debit card data

    10. What Policies Protect Information Here at Monterey
       • Privacy Policy = Confidentiality of data
       • Network Monitoring Policy = Protection of College technology resources
       • Technical Incident Response Policy = Response to information security events
       • Data Classification Policy = Defines data types (not in the handbook as of yet)
       • Red Flags Policy = Identity theft protection (not presently in the handbook)
       • PCI Policy = Payment card data handling
       Policies live here:

    11. What are Some Best Practices: Do
       • Look for HTTPS and other key address indicators when you are going to different web sites.
       • Use a strong challenge question in Banner SSB.
       • Redaction: remove or mask (block out) personally identifiable information when sharing data.
       • Be suspicious of unsolicited email or phone calls.
       • Lock your computer or secure information when you leave your work space.
       • Use anti-virus on both your work and home systems.
       • Use secure passwords which you change often. This also applies to mobile devices.

    12. What are Some Best Practices: Do Not
       • DO NOT write down or share your passwords; tools such as eWallet or 1Password work well as secure password storage alternatives.
       • DO NOT store confidential data on unencrypted thumb drives or other unsecured media; if you need to transfer the data, encrypt the file or password protect the file and keep a master copy on the server.
       • DO NOT place confidential data in email; email a link to where the file is stored. This may add complexity but increases security. Windows Explorer can show you the path to the location of the file.
       • DO NOT record sensitive data on the College web site, blog or wiki.

    13. Discussion and Links
       Please share your thoughts!
       Information Security Resources:
       Information Security Events To: