Boston University Computing Security Awareness What you need to know about keeping information safe...
Boston University
Computing Security Awareness
What you need to know about keeping information safe and secure.
IS&T | Information Security
Why be concerned?
• Think about everything you use your computer for:
banking, shopping, paying your bills, etc.
• Then consider how much of your personal information
is involved in those transactions: social security
number, name, address, medical information, etc.
• Now imagine the amount of personal and sensitive information
Boston University collects on students, faculty, and staff.
What can you do?
• Confidentiality – protecting information
from unauthorized disclosure
• Integrity – protecting information from
unauthorized modification and ensuring it
is accurate and complete
• Availability – ensuring information is
available when needed
• Three simple steps can help us ensure University information is not compromised.
How are we threatened?
• The severity and range of threats to information security are increasing every day. The most prevalent include:
• Viruses - small pieces of malicious software which “infect” your computer.
• Spyware - software that collects information from your computer which can be used to exploit your system.
• Operating System Holes - weaknesses in the operating system which may or may not be known to the manufacturer.
• Weak Passwords - simple passwords which can be guessed or cracked.
• Social Engineering – non-technical schemes used to obtain sensitive information from a user or system.
Viruses
• Computer viruses are designed to be destructive by destroying files or systems or creating widespread mayhem across the larger network.
• As with biological viruses, the simplest way to avoid a computer virus is prevention. This means properly installed and updated anti-virus software and following a few steps.
• Boston University has free anti-virus software available for download at: http://www.bu.edu/tech/help/virus/
• Don’t open email attachments you don’t recognize. Email from unknown senders frequently contains viruses.
• Don’t load compact discs or any form of external memory on your work system from untrusted sources, or even from your own home computer, unless you know they’re clean of viruses.
• Steer clear of “questionable” websites.
Spyware
• Though spyware is less obvious in its impact on your system, it has become a greater threat than viruses in recent years.
• Unlike viruses, spyware does not necessarily adversely affect your computer’s performance.
• It is designed to collect information about you or your system and send it to someone who can then use the information to attack your system or break into accounts you might have on other systems.
• Boston University has free anti-spyware software available for download at: http://www.bu.edu/tech/help/spyware/index.html
• When properly installed and updated, anti-spyware software will greatly reduce the risk of vulnerability to spyware.
Operating System Holes
• Making a perfect piece of software is almost impossible. Sometimes, there may be holes in how software functions and these holes can be utilized in an attack on your system.
• When manufacturers become aware of security holes, they will release patches to fix them. Most systems have an automated method for downloading and installing such updates.
• Whether you do it manually or automatically, you need to keep your software updated with the latest patches.
Weak Passwords
Even if your system does not enforce strong passwords, make certain not to create weak passwords. Weak passwords are non-complex and easy to guess. Good rules for creating passwords are:
• Use upper and lowercase letters
• Use numbers and special characters
• Have a minimum of 10 characters
• Use “passphrases” which are harder to break but easy to remember, such as “My password is hard times 1000!”
• Change your password at least every 180 days
• Avoid birthdays and pet names
Examples of strong passwords:
• Happy Days = H4PPY**d4y5 (11 characters)
• Bad Rabbit = b4d@@R4BBI+ (11 characters)
• You break it, you buy it = Ubrke1tUbuy1t! (13 characters)
• Hack this = HACK*+h15! (10 characters)
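The password rules above can be turned into a check that a system or a help desk script can run before a password is accepted. The following is an added example, not a Boston University tool: it encodes the length, character-class and "no birthdays or pet names" rules from the slide, and the blocked-word list is a small constructed sample standing in for a real dictionary.

```python
import re

# Rules taken from the slide; MIN_LENGTH and the character classes are the
# slide's own guidance, the blocked-word list is a constructed placeholder.
MIN_LENGTH = 10
BLOCKED_WORDS = ("fluffy", "rex", "spot", "1990")   # constructed pet names / birth years


def check_password(pw):
    """Return a list of rule violations; an empty list means every rule
    on the slide is satisfied."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    lowered = pw.lower()
    for word in BLOCKED_WORDS:
        # Case-insensitive substring match, so "Fluffy2015" is caught too.
        if word in lowered:
            problems.append(f"contains blocked word {word!r}")
    return problems


def is_strong(pw):
    """True when check_password() finds nothing to complain about."""
    return not check_password(pw)


if __name__ == "__main__":
    # The slide's own examples plus a few constructed weak candidates.
    candidates = [
        "H4PPY**d4y5", "b4d@@R4BBI+", "Ubrke1tUbuy1t!", "HACK*+h15!",
        "My password is hard times 1000!",
        "fluffy2015", "Abcdefghi1", "Ab1!",
    ]
    for candidate in candidates:
        verdict = check_password(candidate)
        print(f"{candidate!r:36} -> {'strong' if not verdict else '; '.join(verdict)}")
```

Note that the passphrase example passes because spaces count as special characters and the phrase is well over ten characters; a length rule on its own is what makes passphrases work, which is why the check does not cap length.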
Social Engineering
Social Engineering is the term used to describe non-technical methods used to learn sensitive information about a user or system. Some examples of social engineering include:
FREE!! Websites offer a special deal in exchange for an account you create. Spyware attaches to this free offer and tracks your website use and login information. To avoid this problem, use different usernames and passwords on all your online accounts. NEVER use your work username and password for personal accounts.
Phone calls: Someone posing as a representative of a company calls and asks you for personal information. Ask for the representative’s name, company and phone number. In almost every case, the caller will disconnect when asked questions or placed on hold. If someone you do business with calls you, look up their official number and call them back.
E-mail requests: If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly.
In the University environment, there are additional steps necessary to effectively reduce security threats. We should focus on several factors to help us better determine what we can do to secure our data:
What are the systems used for?
Security solutions need to be appropriate to both the
sensitivity of the data and its level of exposure. Sensitive
data should not be transported or stored unencrypted.
Who is supposed to have access to what, and why?
Access to information should be given only to those people who
have a business need for it. Often people are granted more
access than is necessary; therefore, access should be
granted only after it is confirmed as appropriate for
the specific person.
Once we have answered for what and by whom systems are being used, we will be better able to identify when there has been a potential security incident.
Potential Hazards
Examples of security incidents:
1. An account password is compromised either through guessing or being cracked.
2. There is a hacking attempt made against your system; some attempt to force entry or exploit a vulnerability.
3. Computer files go missing.
4. There are unexplained changes to system data or your configurations.
5. Your system becomes infected by a virus.
6. Your workstation/laptop is stolen.
7. An unauthorized user attempts to access your system.
Email Attachments
Only open an email attachment if you can answer YES to the following 3 questions:
1. I know exactly what the file is.
2. I have ensured that my virus scan program is fully updated AND I have used the program to scan the attachment for viruses.
3. I have verified the identity of the sender and their intentions via telephone or email.
Physical Security
• Always log out when stepping away from your computer for ANY period of time, and always at the end of the day.
• Consider using a password-protected screensaver as an extra layer of security.
• Be aware of those that have keys to the office and access to your physical workspace.
• Shred documents that contain sensitive information.
• Back up your data on a daily basis.
Firewalls
A firewall is a piece of software or hardware which acts as a protective barrier between your computer and potentially harmful content on the Internet. Firewalls help guard computers against hackers, along with many computer viruses and worms, by only allowing necessary traffic to reach the computer.
If your operating system has a built-in firewall, be sure it is enabled. B.U. Linux, Apple OS X, and Microsoft Windows XP SP2 all have their own firewalls.
Visit: http://www.bu.edu/tech/help/desktop/windows/firewall/ for more information.
Federal and State Regulations
Boston University must comply with certain Federal and State regulations. Here are some examples of the laws, which will be explained in further detail:
• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Massachusetts Standards for the Protection of Personal Information (201 CMR 17.00)
Family Educational Rights and Privacy Act (FERPA)
FERPA is a federal law that protects the privacy of a student’s education records. In compliance with FERPA, Boston University does not disclose personally identifiable information contained in student education records, except as authorized by law. Please visit the Registrar's website for more information: http://www.bu.edu/reg/information/ferpainformation.html
Health Insurance Portability and Accountability Act (HIPAA)
The main goal of HIPAA is to ensure the portability of health insurance benefits, particularly as individuals move from job to job. Moreover, HIPAA provides regulations for protecting the security of health information that is stored or transmitted electronically.
Federal and State Regulations: Massachusetts Standards for the Protection of Personal Information (201 CMR 17.00)
This regulation establishes minimum standards to be met in connection with the protection of personal information (contained in both paper and electronic records) of the residents of the Commonwealth. The objectives of this regulation are:
• To ensure the security and confidentiality of customer information in a manner fully consistent with industry standards
• Protect against anticipated threats or hazards to the security or integrity of such information
• Protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer
Under this regulation personal information is defined as a combination of:
• First-name / last-name, or first-initial / last-name, AND
• Social Security Number, driver’s license number (or state-issued ID), financial account number or credit / debit card number (with or without PIN or password), and effective date.
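The definition above is a rule (a name element AND at least one listed identifier), and the earlier point that "sensitive data should not be transported or stored unencrypted" only works if records can be sorted into those that fall under the definition and those that do not. The following added example, which is not part of the slides or any BU tool, applies the definition to a few constructed records: it recognises a Social Security Number by its shape, a card number by length plus the Luhn checksum that payment card numbers carry, and treats a driver's licence, state ID or financial account number as present whenever the field is filled. Field names are assumptions chosen for the example.

```python
import re

# SSN in the usual 3-2-4 shape, with or without dashes.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def luhn_ok(digits):
    """Luhn checksum used by credit and debit card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card(value):
    """Card numbers are 13 to 19 digits (spaces or dashes allowed) and pass Luhn."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def has_name(record):
    """First name or first initial together with a last name, per 201 CMR 17.00."""
    return bool(record.get("last_name")) and bool(
        record.get("first_name") or record.get("first_initial"))


def identifiers_present(record):
    """List which of the regulation's identifiers the record contains.
    PIN/password fields are deliberately ignored: the identifier alone qualifies."""
    found = []
    if SSN_RE.match(record.get("ssn", "")):
        found.append("ssn")
    if record.get("drivers_license") or record.get("state_id"):
        found.append("drivers_license_or_state_id")
    if record.get("account_number"):
        found.append("financial_account")
    card = record.get("card_number", "")
    if card and looks_like_card(card):
        found.append("card_number")
    return found


def is_personal_information(record):
    """True only when BOTH halves of the definition are present."""
    return has_name(record) and bool(identifiers_present(record))


def classify(records):
    """(id, falls under the regulation, identifiers found) for each record."""
    return [(r.get("id"), is_personal_information(r), identifiers_present(r)) for r in records]


# Constructed records; the SSN and the card number are test values, not real data.
SAMPLE_RECORDS = [
    {"id": 1, "first_name": "Jane", "last_name": "Doe", "ssn": "123-45-6789"},
    {"id": 2, "first_initial": "J", "last_name": "Doe", "card_number": "4111 1111 1111 1111"},
    {"id": 3, "last_name": "Doe", "ssn": "123-45-6789"},                  # identifier but no first name
    {"id": 4, "first_name": "Jane", "last_name": "Doe", "email": "jane@example.edu"},
    {"id": 5, "first_name": "Jane", "last_name": "Doe", "card_number": "4111 1111 1111 1112"},  # fails Luhn
]

if __name__ == "__main__":
    for rec_id, covered, found in classify(SAMPLE_RECORDS):
        print(f"record {rec_id}: {'PERSONAL INFORMATION' if covered else 'not covered'} {found}")
```

Records 3 and 4 show the two ways a record misses the definition (identifier without a name, name without an identifier), and record 5 shows why a checksum is worth the few lines: a sixteen-digit number that fails Luhn is far more likely a reference number than a card, so it should not trigger the encryption and handling requirements the regulation imposes.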
Boston University Contacts
• IT Help Center - can answer most personal computing support and network connectivity questions.
• Network Systems Engineering Group - can help with getting or repairing a network connection in an academic or administrative department.
• BU Security Team - can answer your computer security related questions.
• Unix Systems Support - for Unix support at Boston University.
• BU Linux website - has information about using Linux at Boston University.
• Operations group - provides file-backup service for departmental servers and individual workstations.
• Residential Computing Services group - can assist with problems related to ResNet Computer Labs.
• Active Directory support - for departments interested in joining or that have already joined.