An Educational Computer Based Training Program (CBT)
UTPA Information Security Awareness Course
The University of Texas - Pan American
Information Security Office
General Information Security Training
Information Security Awareness Training Objectives
– How UTPA protects its systems, data, and research
– Acceptable use of UTPA Information Technology resources
– Recognition of different types of sensitive information
– Access control and how to ensure login credentials are secure
– Staying safe while visiting the World Wide Web
– Heighten awareness of physical security measures and illustrate the value of backing up work
– Evaluate what can be done to increase workstation security
UTPA User Acknowledgement
Please be aware that by viewing this presentation, you agree to follow UTPA’s policies and requirements regarding the use and protection of state resources.
UTPA User Acknowledgement, cont.
UTPA HOP 8.9.1 – Policy for the Use and Protection of Information Resources – http://www.utpa.edu/newhop/files/pdf/J5234461.pdf
UTPA HOP 8.9.2 – Computer and Information Technology Use Policy – http://www.utpa.edu/newhop/files/pdf/F9165952.pdf
UTPA HOP 8.9.4 – Server Management Policy – http://www.utpa.edu/newhop/files/pdf/V4519997.pdf
UTS165 – Information Resources Use and Security Policy – http://www.utsystem.edu/policy/ov/uts165.html
Section 1: Security Overview
How does UTPA protect its systems?
– Spam filter for e-mail
– Firewalls
– Intrusion detection (from outside the UTPA campus)
– 24-7 network monitoring
– Anti-virus software for servers, workstations and e-mail
Main Goals of I.T. Security
Confidentiality – the requirement that sensitive information is protected from unauthorized disclosure
Availability – automated systems are available when needed
Main Goals of I.T. Security (cont.)
Integrity – electronic information that is not corrupted
Authenticity – the ability to verify that data has not changed in transit
Non-repudiation – the origin and receipt of a message can be verified
Accountability – the actions of a person can be traced to that individual
What Can You Do to Help?
Follow the technical, personnel, administrative, and telecommunication safeguards for computer systems you use.
Follow the UTPA and UT-System information resource policies.
Report computer incidents or any incidents of suspected fraud, waste, or misuse.
Obtain a Verisign Digital Certificate by contacting the I.T. Help Desk
– Allows an email sender to use a “digital signature” to verify their identity in email as well as encrypt messages deemed “security sensitive”
Where can you find more information?
The UTPA Information Technology web page (http://www.utpa.edu/it)
Section 2: Using Resources
Using I.T. Resources
Why do we have rules?
– Knowledgeable users are the foundation of a successful security program.
– People behave best when they know their responsibilities and boundaries.
Using I.T. Resources
The UTPA general rules for the staff use of I.T. resources
– Limit personal use of the Internet, as it is primarily for business purposes
– Be careful when navigating to sites of unknown security
– Be aware that sensitive information can be intercepted on the Internet and over e-mail unless encrypted.
– No downloading of videos, music, or other software that uses large amounts of network resources and that can be subject to copyright laws
Questions to ask before opening suspicious E-mail attachments
– Is the subject line strange?
– Do I recognize the sender?
– Is it work-related?
– Does the filename and/or extension seem suspicious?
– Was I expecting an attachment in the reply?
– Does the received message ask for personal data?
If you’re still in doubt, DO NOT OPEN!
UTPA Acceptable Use Policy with regards to personal use of equipment
UTPA policy does allow for limited personal use if…
– The use is incidental and does not interfere with staff productivity or operations
– It’s not used to potentially embarrass UTPA
– It does not compromise UTPA systems or security safeguards
– It does not violate applicable laws or UTPA policies
Section 3: Internet Safety
Internet Safety
What can Internet intruders do?
– Infect machines
– Steal information
– Turn your machine into a zombie to launch attacks on other machines and networks
– Deface UTPA’s websites, bring E-mail and Internet services to a crawl, disrupt operations, and cause financial and productive chaos
– They can also learn about YOU
Internet Safety
Where do intruders come from?
– Teenage pranksters
– Hackers (both foreign and domestic)
– Disgruntled former employees
– Terrorists and/or criminals
– Foreign intelligence agents
– Spyware
Internet Safety
What to do to reduce your machine’s vulnerability
– Scan machine for viruses and other malware on a regular basis
– Avoid phishing scams in E-mail and on the Internet
• Phishing – term coined by hackers who imitate legitimate companies in e-mails to entice people to share personal information. Do not provide personal information, such as passwords, credit card numbers or any data that can be used to grant access to your information, in reply to an e-mail message.
– Use good judgment when visiting websites and opening messages from people you don’t know
Internet Safety, cont.
What to do to reduce your machine’s vulnerability
– Keep your machine up to date with any patches and critical updates that are released with regards to new and existing vulnerabilities
– Contact the UTPA Help Desk to have your computer centrally managed… all essential updates and antivirus definitions will be automatically pushed out to your machine
Section 4: Office, Personal, and Workstation Basics
Office Considerations
As you look at the entrance to your office, ask yourself:
– Is it easy for people to walk up and get access to my workstation?
– Is my paperwork hidden from view or easily accessible to anyone that walks in?
– Is the fax machine access limited only to UTPA employees and are the printouts picked up in a timely manner?
– Do we shred documents regularly?
Office Considerations
When leaving the office at the end of the day, ask yourself:
– Do I log off and shut down when leaving for the day?
– Do I regularly back up important files in case my computer crashes and isn’t recoverable?
– Is my laptop locked away or secured with a security cable to prevent theft?
– Do I lock my door when I leave the office?
– Is my screensaver set to activate after 5 or 10 minutes of inactivity?
Password Basics
One of the most effective ways to protect access to a computer system is password protection.
Unfortunately, people often create weak passwords. A name, a pet’s name, a dictionary word… all can be guessed, generally within seconds.
Take time to create a strong password.
– Strong password: consists of at least 10 characters (uppercase and lowercase letters, numbers, and any of the following special characters):
• !#%^*()-=+/;:,.`~
– Example: tolmerr12!
Never post or share your password, or store it in your workstation. Memorize it and do not have it written down where it can be compromised.
Change it frequently.
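Added example, not part of the UTPA deck: a small Python checker that applies the slide's password rule (at least 10 characters drawn from upper- and lowercase letters, digits and the listed special-character set) and screens for the guessable bases the slide warns about (names, pet names, dictionary words). Assumptions: the slide does not say all four character classes are mandatory, so the check requires at least three, which its own example tolmerr12! satisfies; WEAK_WORDS is a constructed stand-in for a real wordlist.

```python
import re

# Policy from the slide: at least 10 characters, built from upper/lowercase
# letters, digits and exactly this special-character set.
SPECIALS = set("!#%^*()-=+/;:,.`~")
MIN_LENGTH = 10

# Constructed sample blocklist standing in for the names, pet names and
# dictionary words the slide says are guessed within seconds (assumption:
# a real deployment would load a full wordlist instead).
WEAK_WORDS = {"password", "welcome", "summer", "fluffy", "maria", "bronco", "dallas"}


def classes_present(pw: str) -> dict:
    """Report which of the four allowed character classes appear in pw."""
    return {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in SPECIALS for c in pw),
    }


def base_word(pw: str) -> str:
    """Strip leading/trailing digits and symbols to expose a guessable core,
    e.g. 'Fluffy2024!' -> 'fluffy', the pattern the slide warns about."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means it passes.
    Assumption: at least three of the four classes are required (the slide
    is ambiguous; its example 'tolmerr12!' has lower, digit and special)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Anything that is not an ASCII letter/digit or a listed special is out.
    disallowed = sorted({c for c in pw
                         if not ((c.isalnum() and c.isascii()) or c in SPECIALS)})
    if disallowed:
        problems.append("characters outside the allowed set: " + "".join(disallowed))
    if sum(classes_present(pw).values()) < 3:
        problems.append("fewer than three character classes")
    core = base_word(pw)
    if core in WEAK_WORDS:
        problems.append(f"built on a guessable word: {core!r}")
    return problems
```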
Workstation Basics
Final housekeeping advice:
– Periodically clean up your workstation by deleting files you no longer need. They take up space and use network resources unnecessarily.
– Dispose of old disks and workstations by contacting the I.T. Help Desk @ x2020.
– Clear out your Internet browser cache on a regular basis.
Section 5: Access Controls
Access Controls
What do access controls do?
– Keep out unauthorized users and limit what authorized users can do.
– Help stop people with various motives from reading, copying, stealing, deleting, disclosing, or modifying sensitive information.
– Also help prevent access that is above and beyond a person’s span of authority.
Access Controls
Understanding your access responsibility is important because you play a significant role in preventing unauthorized access. So that everyone understands what it means to use State Agency computers, UTPA uses a Warning Banner that appears when you logon.
Access controls
The Warning Banner tells you that:
– State Agency computers are to be used by authorized users for authorized purposes only.
– Failure to follow this restriction can lead to disciplinary action, which can include criminal prosecution.
– You could be monitored at any time.
– You should have no expectation of privacy.
Section 6: Sensitive Data
Sensitive Data
One may think that E-mail is a secure medium in which to send sensitive data, but the reality is, it’s not. Because it’s clear text, a person monitoring the network can see the message going across and easily steal the information it contains.
Sensitive Data
Portable Devices
– Storing sensitive data on portable devices must be approved by both the Data Owner and Supervisor before an individual can place any sensitive data on a portable device… if approval is given, the device MUST BE encrypted.
What is considered sensitive data?
– Credit Card Numbers
– Social Security Numbers
– Driver’s License Numbers
– Automated Clearing House information (i.e., bank account numbers)
– Certificate/License Numbers
– Credit Reports/Histories
– Electronic Signatures
– Passwords
– PIN Numbers
FERPA and/or HIPAA protected information would also be included.
Sensitive Data
As per UTS 165:
– “Except in those instances in which an Entity is legally required to collect a social security number, an individual shall not be required to disclose his or her social security number, nor shall the individual be denied access to the services at issue if the individual refuses to disclose his or her social security number”
Sensitive Data
What can you do to make sure sensitive data is kept safe?
– Do not send it over email. If you absolutely must send sensitive data via email, it’s recommended that you obtain a Verisign Digital ID by contacting the I.T. Help Desk.
– The Digital ID allows the sender to use encryption to keep the information secure… however, the receiver must also have a Digital ID for the encryption to be successful.
• Encryption is a way of coding the information in a file or e-mail message so that if it is intercepted by a third party as it travels over a network it cannot be read. Only the persons sending and receiving the information have the key, and this makes it unreadable to anyone except the intended persons.
Sensitive Data, cont.
What can you do to make sure sensitive data is safe?
– Do not place any sensitive data on any publicly accessible medium, including web servers, FTP servers, or public shares.
– Keep your workstation secure, and shred any documents that contain sensitive data on a regular basis. Also, make sure to properly dispose of any media (CDs, floppy disks, flash drives, ZIP drives) that contains sensitive data by contacting Environmental Health and Safety.
– If you absolutely have to deal with sensitive data, please contact the Help Desk for encryption software for your workstation.
Sensitive Data
For further information:
– UT System Security Bulletin on Encrypting and Storing Sensitive Data
• http://www.utsystem.edu/ciso/SPB1.pdf
– TAC 202 – Information Security Standards
• http://info.sos.state.tx.us/pls/pub/readtac$ext.ViewTAC?tac_view=4&ti=1&pt=10&ch=202&rl=Y
– UTS 165 (UT System Information Resources Use and Security Policy)
• http://www.utsystem.edu/policy/policies/uts165.html
– UTPA HOP 4.11.1 (Privacy and Security of Personal Information)
• http://www.utpa.edu/newhop/files/pdf/Q7276862.pdf
Review Questions
Test Your Knowledge
Following are several questions to test your knowledge of the information presented.
Answer all questions correctly to receive credit for the training.
Question #1
Which of the following is TRUE?
One of the most effective ways to protect access to a computer system is password protection.
Access controls keep out unauthorized users and limit what authorized users can do.
Both of the above statements are true.
Question #2
You have an expectation of privacy when using a UTPA-owned computer.
TRUE FALSE
Question #3
What can Internet intruders do?
Steal information
Infect machines
Deface websites
All of the above
Question #4
Which of the following can be considered “sensitive data”?
Credit Card Numbers
Social Security Numbers
Passwords
All of the above
Question #5
Clear text information going across a network in an email message can be read and/or stolen by a hacker who’s monitoring the network.
TRUE FALSE
Question #6
A portable device that has been authorized to carry sensitive data does not have to be encrypted.
TRUE FALSE
Question #7
It is safe to download a file or click on a link in a message from an unknown sender.
TRUE FALSE
Question #8
It is a good idea to forward chain letters to everyone you know that has a UTPA e-mail address.
TRUE FALSE
Congratulations… you have completed your training for Information Security Awareness.
General Information Security Training
The University of Texas - Pan American
Information Security Office
The Training Post
An Educational Computer Based Training Program (CBT)