Boston University Computing Security Awareness

What you need to know about keeping information safe and secure.

IS&T | Information Security

Background

Why be concerned?

• Think about everything you use your computer for: banking, shopping, paying your bills, etc.

• Then consider how much of your personal information is involved in those transactions: social security number, name, address, medical information, etc.

• Now imagine the amount of personal information, sensitive information, Boston University collects on students, faculty, and staff.

What can you do?

• Confidentiality – protecting information from unauthorized disclosure

• Integrity – protecting information from unauthorized modification and ensuring it is accurate and complete

• Availability – ensuring information is available when needed

• Three simple steps can help us ensure University information is not compromised

How are we threatened?

• The severity and range of threats to information security are increasing every day. The most prevalent include:

• Viruses - small pieces of malicious software which “infect” your computer.

• Spyware - software that collects information from your computer which can be used to exploit your system.

• Operating System Holes - weaknesses in the operating system which may or may not be known to the manufacturer.

• Weak Passwords - simple passwords which can be guessed or cracked.

• Social Engineering – non-technical schemes used to obtain sensitive information from a user or system.

Viruses

• Computer viruses are designed to be destructive by destroying files or systems or creating widespread mayhem across the larger network.

• As with biological viruses, the simplest way to avoid a computer virus is prevention. This means properly installed and updated anti-virus software and following a few steps.

• Boston University has free anti-virus software available for download at: http://www.bu.edu/tech/help/virus/

• Don’t open email attachments you don’t recognize. Email from unknown senders frequently contains viruses.

• Don’t load compact discs or any form of external memory on your work system from untrusted sources, or even from your own home computer, unless you know they’re clean of viruses.

• Steer clear of “questionable” websites.

Spyware

• Though spyware is less obvious in its impact on your system, it has become a greater threat than viruses in recent years.

• Unlike viruses, spyware does not necessarily adversely affect your computer’s performance.

• It is designed to collect information about you or your system and send it to someone who can then use the information to attack your system or break into accounts you might have on other systems.

• Boston University has free anti-spyware software available for download at: http://www.bu.edu/tech/help/spyware/index.html

• When properly installed and updated, anti-spyware software will greatly reduce the risk of vulnerability to spyware.

Operating System Holes

• Making a perfect piece of software is almost impossible. Sometimes, there may be holes in how software functions and these holes can be utilized in an attack on your system.

• When manufacturers become aware of security holes, they will release patches to fix them. Most systems have an automated method for downloading and installing such updates.

• Whether you do it manually or automatically, you need to keep your software updated with the latest patches.

Weak Passwords

Even if your system does not enforce strong passwords, make certain not to create weak passwords. Weak passwords are non-complex and easy to guess. Good rules for creating passwords are:

• Use upper and lowercase letters

• Use numbers and special characters

• Have a minimum of 10 characters

• Use “passphrases” which are harder to break but easy to remember, such as “My password is hard times 1000!”

• Change your password at least every 180 days

• Avoid birthdays and pet names

Examples of strong passwords:

Happy Days = H4PPY**d4y5 (11 characters)

Bad Rabbit = b4d@@R4BBI+ (11 characters)

You break it, you buy it = Ubrke1tUbuy1t! (13 characters)

Hack this = HACK*+h15! (10 characters)
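The rules above, turned into a checker that reports which of them a candidate password fails. This is an added example, not code from the BU presentation; the small denylist standing in for "avoid birthdays and pet names" is a constructed assumption.

```python
import string

# Policy from the slide: mixed case, numbers and special characters, at least 10 characters.
MIN_LENGTH = 10

# Constructed stand-in for "avoid birthdays and pet names" (assumption, not from the
# slides); a real deployment would load a much larger list of names and dates.
DENYLIST = {"password", "fluffy", "rover", "19900101"}


def password_problems(pw: str) -> list:
    """Return the names of the slide's rules that `pw` fails (empty list = passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    lowered = pw.lower()
    if any(word in lowered for word in DENYLIST):
        problems.append("contains a denylisted word (name, pet, date)")
    return problems


def is_strong(pw: str) -> bool:
    """True only when every rule above is satisfied."""
    return not password_problems(pw)


if __name__ == "__main__":
    # The slide's own examples plus a few constructed weak candidates.
    for candidate in ["H4PPY**d4y5", "b4d@@R4BBI+", "Ubrke1tUbuy1t!", "HACK*+h15!",
                      "happydays", "Password1!", "Fluffy2012"]:
        verdict = "strong" if is_strong(candidate) else ", ".join(password_problems(candidate))
        print(f"{candidate:16} -> {verdict}")
```

Note that "Password1!" satisfies all four character-class rules and the length rule yet is still rejected, which is why the denylist matters alongside complexity checks.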

Social Engineering

Social Engineering is the term used to describe non-technical methods used to learn sensitive information about a user or system. Some examples of social engineering include:

FREE!! Websites offer a special deal in exchange for an account you create. Spyware attaches to this free offer and tracks your website use and login information. To avoid this problem, use different usernames and passwords on all your online accounts. NEVER use your work username and password for personal accounts.

Phone calls: Someone posing as a representative of a company calls and asks you for personal information. Ask for the representative’s name, company and phone number. In almost every case, the caller will disconnect when asked questions or placed on hold. If someone you do business with calls you, look up their official number and call them back.

E-mail requests: If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly.

Our Environment

In the University environment, there are additional steps necessary to effectively reduce security threats. We should focus on several factors to help us better determine what we can do to secure our data:

What are the systems used for?

Security solutions need to be appropriate to both the sensitivity of the data and its level of exposure. Sensitive data should not be transported or stored unencrypted.

Who is supposed to have access to what, and why?

Access to information should be given only to those people who have a business need for it. Often people are granted more access than is necessary; therefore, access should be granted only after it is confirmed as appropriate for the specific person.

Once we have answered for what and by whom systems are being used, we will be better able to identify when there has been a potential security incident.

Potential Hazards

EXAMPLES OF SECURITY INCIDENTS:

1. An account password is compromised either through guessing or being cracked.

2. There is a hacking attempt made against your system; some attempt to force entry or exploit a vulnerability.

3. Computer files go missing.

4. There are unexplained changes to system data or your configurations.

5. Your system becomes infected by a virus.

6. Your workstation/laptop is stolen.

7. An unauthorized user attempts to access your system.

Security Tips

Email Attachments

Only open an email attachment if you can answer YES to the following 3 questions:

1. I know exactly what the file is.

2. I have ensured that my virus scan program is fully updated AND I have used the program to scan the attachment for viruses.

3. I have verified the identity of the sender and their intentions via telephone or email.

Physical Security

Always log out when stepping away from your computer for ANY period of time, and always at the end of the day.

Consider using a password-protected screensaver as an extra layer of security.

Be aware of those that have keys to the office and access to your physical workspace.

Shred documents that contain sensitive information.

Back up your data on a daily basis.

Firewalls

A firewall is a piece of software or hardware which acts as a protective barrier between your computer and potentially harmful content on the Internet. They help guard computers against hackers along with many computer viruses and worms, by only allowing necessary traffic to reach the computer.

If your operating system has a built-in firewall, be sure it is enabled. B.U. Linux, Apple OS X, and Microsoft Windows XP SP2 all have their own firewalls.

Visit: http://www.bu.edu/tech/help/desktop/windows/firewall/ for more information.

Regulatory Compliance

Federal and State Regulations

Boston University must comply with certain Federal and State regulations. Here are some examples of the laws, which will be explained in further detail:

Family Educational Rights and Privacy Act (FERPA)

Health Insurance Portability and Accountability Act (HIPAA)

Massachusetts Standards for the Protection of Personal Information (201 CMR 17.00)

Family Educational Rights and Privacy Act (FERPA)

FERPA is a federal law that protects the privacy of a student’s education records. In compliance with FERPA, Boston University does not disclose personally identifiable information contained in student education records, except as authorized by law. Please visit the Registrar's website for more information: http://www.bu.edu/reg/information/ferpainformation.html

Health Insurance Portability and Accountability Act (HIPAA)

The main goal of HIPAA is to ensure the portability of health insurance benefits, particularly as individuals move from job to job. Moreover, HIPAA provides regulations for protecting the security of health information that is stored or transmitted electronically.

Federal and State Regulations

Massachusetts Standards for the Protection of Personal Information (201 CMR 17.00)

This regulation establishes minimum standards to be met in connection with the protection of personal information (contained in both paper and electronic records) of the residents of the Commonwealth. The objectives of this regulation are:

• To ensure the security and confidentiality of customer information in a manner fully consistent with industry standards

• Protect against anticipated threats or hazards to the security or integrity of such information

• Protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer

Under this regulation personal information is defined as a combination of first name / last name, or first initial / last name, AND Social Security Number, driver’s license number (or state-issued ID), financial account number or credit / debit card number (with or without PIN or password), and effective date.
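The "name AND one sensitive element" definition above, applied to records so that the ones needing protected handling can be inventoried. This is an added example, not BU code; the field names and the sample records are constructed assumptions, not a real schema.

```python
# Name combinations that identify a person under the definition on the slide.
NAME_FIELDS = ({"first_name", "last_name"}, {"first_initial", "last_name"})

# Data elements that, paired with a name, make a record "personal information".
# Field names are assumptions for this example, not a BU or 201 CMR 17.00 schema.
SENSITIVE_FIELDS = {"ssn", "drivers_license", "state_id",
                    "financial_account", "credit_card", "debit_card"}


def is_personal_information(record: dict) -> bool:
    """True if the record holds a name combination AND at least one sensitive element."""
    present = {k for k, v in record.items() if v not in (None, "")}
    has_name = any(combo <= present for combo in NAME_FIELDS)
    return has_name and bool(present & SENSITIVE_FIELDS)


def classify_records(records):
    """Index every record so those that must be stored encrypted can be found."""
    return [(i, is_personal_information(r)) for i, r in enumerate(records)]


# Constructed sample records (fake values) exercising each branch of the rule.
SAMPLE_RECORDS = [
    {"first_name": "Ann", "last_name": "Lee", "ssn": "000-00-0000"},         # name + SSN
    {"first_name": "Ann", "last_name": "Lee", "email": "ann@example.edu"},   # name only
    {"ssn": "000-00-0000", "department": "IS&T"},                            # SSN, no name
    {"first_initial": "A", "last_name": "Lee", "credit_card": "4111 0000"},  # initial + card
]

if __name__ == "__main__":
    for index, flagged in classify_records(SAMPLE_RECORDS):
        print(f"record {index}: {'personal information' if flagged else 'not covered'}")
```

A sensitive element on its own, or a name on its own, does not meet the definition; only the combination does.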

Boston University Contacts

IT Help Center - can answer most personal computing support and network connectivity questions.

Network Systems Engineering Group - can help with getting or repairing a network connection in an academic or administrative department.

BU Security Team - can answer your computer security related questions.

Unix Systems Support - for Unix support at Boston University.

BU Linux website - has information about using Linux at Boston University.

Operations group - provides file-backup service for departmental servers and individual workstations.

Residential Computing Services group - can assist with problems related to ResNet Computer Labs.

We have Active Directory support for departments interested in joining or that have already joined.