Protecting Sensitive Information and Keeping Your Identity Your Own
Cyberethics, Cybersafety, and Cybersecurity Conference
October 7, 2005
Amy Ginther, Project NEThics Coordinator
Office of Information Technology
Types of Data Compromise
Data loss
Data theft
Identity theft
CIFAC Project
Computer Incident Factor Analysis and Categorization Project
Examined perceptions of the importance of 80 variables in causing computer-related incidents involving systems, data, or people
Lack of sufficient training and education identified as most frequent cause of incidents.
Analysis of best practice recommendations for incident prevention, mitigation and management yielded conclusion:
“Having policies in place, enforcing policies, and providing user awareness training was considered the most important factor in preventing the incidents from happening.” Rezmierski, Rothschild, Kazanis, Rivas (2005).
Personal Identification Initiative
• Policy on the Collection, Use and Protection of ID numbers
• Limit use of Social Security numbers
• Promote the use of alternate identifiers: U ID (number) and Directory ID (alpha-numeric ID)
• Increase protection of SSNs
• For more information, see http://www.oit.umd.edu/dataadmin/PersonalIdentification/ and http://www.oit.umd.edu/units/dataadmin/Policies/Policy_on_Collection_Use_Protection_of_ID_Numbers.pdf
State Privacy Law
• Privacy policy: www.umd.edu/privacy
• If you are asked to provide personal information on an official university web site, university policy provides that you should be notified of the following:
• The purpose for which the personal information is collected;
• Any specific consequences for refusing to provide the information;
• Your right to inspect, amend, or correct personal records, if any;
• Whether the personal information is generally available for public inspection; and
• Whether the personal information is made available or transferred to or shared with any entity.
Potential ID Theft at Universities
• “Universities have accounted for 28% of the 50 security breaches of personal information recorded by California since 2003… …that’s more than any other group…” - San Francisco Chronicle, March 29th 2005
• And this is just California!
Shadow Databases
• “A thief recently walked into a Berkeley office and swiped a laptop containing personal information about nearly 100,000 alumni…” - San Francisco Chronicle March 29th 2005
Universities with ID Theft Incidents
• UC, Berkeley
• Carnegie Mellon University
• UTexas, Austin
• George Mason University
• and several more…
What can be done?
• Stop using shadow databases
• Limit who has access to sensitive data
• Encryption
• Ensure the computer it’s stored on is protected (both physically and electronically)
Shadow Databases
• Shadow databases are copies of a master database (ex: a copy of the Alumni database made for a professor for research purposes)
Shadow Databases
• Shadow databases on laptops and desktops are often unprotected.
• This leaves them vulnerable to theft, viruses, worms, bots, hackers, etc.
Limiting Access to Sensitive Data
• Why does someone need a copy of a database?
• Why does there need to be a full SSN? If a partial value is truly required, keep as few digits as possible (the last four is the usual convention), and remember that even a partial SSN is still sensitive data.
• Once the data is no longer needed – delete it!
Encryption
• Encryption is a way to convert a document into an unreadable format by way of an algorithm
• You need a key (in practice derived from a password or passphrase) to convert the encrypted version back to the original document
• If an encrypted DB is stolen and the thief doesn’t have the key, they can’t read it. This only holds if the key is not stored alongside the data and the passphrase is strong enough that it cannot simply be guessed.
Protecting computers
• Physical security: laptop/desktop cables and locks (like a bicycle lock), STOP Tag
• Up-to-date anti-virus software (http://www.helpdesk.umd.edu)
• Up-to-date on patches (Windows Update)
• Personal firewall (XP Service Pack 2 or ZoneAlarm)
Better Password Practices
• Use strong passwords! (ex: ‘tIaHrdPa$s2Crk’, not ‘password’)
• Store passwords safely. Do not store your passwords on your computer, keep a list of them next to your computer, or put them in your top drawer where a snooping visitor can find them.
• Use different passwords for different accounts.
• Change passwords with some regularity, and immediately if you suspect one has been exposed.
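Worked example, added here and not part of the original presentation, that ties the Encryption slide to the password advice above: a shadow-database export is encrypted under a passphrase, a thief without the passphrase gets nothing readable, and a dictionary of common passwords recovers a weak passphrase while leaving the strong one on the slide untouched. Python's standard library has no AES, so the keystream is HMAC-SHA256 in counter mode with a separate HMAC tag (encrypt-then-MAC); for a real deployment use AES-GCM from a vetted library. The function names, file layout, sample records and guess list are all choices made for this example.

```python
"""Passphrase-protected encryption of a shadow-database export, stdlib only.

Added example, not from the original presentation. The keystream is
HMAC-SHA256 in counter mode (a stand-in for AES, which the standard
library lacks); the key-handling points it shows carry over to AES-GCM:
salted and slow key derivation, a fresh nonce per file, the tag checked
before decryption, and a wrong key failing loudly. Sample data and
passphrases are constructed.
"""
import hashlib
import hmac
import os
import struct

MAGIC = b"SDB1"          # format marker for the encrypted file
ITERATIONS = 100_000     # PBKDF2 cost: slows down every guess a thief makes
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(passphrase, salt):
    """Stretch the passphrase into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream_xor(enc_key, nonce, data):
    """XOR data with successive HMAC-SHA256(enc_key, nonce || counter) blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + struct.pack(">Q", offset // 32), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt(passphrase, plaintext):
    """Return MAGIC || salt || nonce || ciphertext || tag with fresh salt and nonce."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, MAGIC + salt + nonce + ciphertext, "sha256").digest()
    return MAGIC + salt + nonce + ciphertext + tag


def decrypt(passphrase, blob):
    """Return the plaintext, or raise ValueError on a wrong passphrase or altered data."""
    head = len(MAGIC)
    if len(blob) < head + SALT_LEN + NONCE_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not an encrypted export")
    salt = blob[head:head + SALT_LEN]
    nonce = blob[head + SALT_LEN:head + SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[head + SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], "sha256").digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("wrong passphrase or tampered data")
    return _keystream_xor(enc_key, nonce, ciphertext)


def guess_passphrase(blob, candidates):
    """What a thief does with a stolen laptop: try likely passphrases in turn."""
    for guess in candidates:
        try:
            decrypt(guess, blob)
            return guess
        except ValueError:
            continue
    return None


# Constructed sample export (already minimized to UID and last four) and a
# short stand-in for a "most common passwords" list.
SAMPLE_DB = b"uid,name,last4\n00000001,Alice Alumna,6789\n"
COMMON_GUESSES = ["123456", "password", "letmein", "qwerty", "terps", "alumni"]

if __name__ == "__main__":
    weak = encrypt("password", SAMPLE_DB)
    strong = encrypt("tIaHrdPa$s2Crk", SAMPLE_DB)
    print("weak passphrase recovered as:", guess_passphrase(weak, COMMON_GUESSES))
    print("strong passphrase recovered as:", guess_passphrase(strong, COMMON_GUESSES))
    print(decrypt("tIaHrdPa$s2Crk", strong).decode())
```

The two points a practitioner should take from running it: the tag check rejects a wrong passphrase and any byte change before a single plaintext byte is produced, and the PBKDF2 cost is the only thing standing between a stolen file and a guessed passphrase, so "password" falls on the second guess while the slide's example passphrase is not in any short list.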
UMD’s push to minimize SSN use
• Creation of the UID – a unique number not tied to SSNs; needed for a variety of purposes
• Move to U ID from SSN:
• Policy approval by President
• Inventory where SSN is used to plan conversion
• Print U ID, NOT SSN, on ID cards
• Remove SSN from display on information system screens and on printed reports
• Remove SSN option from login screens
• Continue education of all
• Password self-service
UMD’s push to minimize SSN use
• OIT is currently auditing every department on campus to minimize the number of computers that have sensitive data on them, and to lock down those computers that MUST have sensitive data
UMD’s push to minimize SSN use
We will lock down these computers by:
• Encrypting the database containing sensitive info
• Keeping them up-to-date on patches
• Running a personal firewall
• Using strong passwords
• Turning off services that aren’t needed
The Range of Dangers
Fee fraud hoax
ShareYourExperiences.com and Word-of-Mouth.org
Work from home scam
Phishing
Pharming
Evil Twins
Legit?
PayPal notice (spelling as in the message):
• “…and we have reasons to belive that your account was hijacked by a third party”
• “If you choose to ignore our request, you leave us no choise but to temporaly suspend your account.”
The PayPal logo on the legitimate Web site (http://www.paypal.com/) always appears with the trademark symbol.
http://www.citibank.com/us/index.htm
How to Identify Scam Messages
Fraudulent messages typically offer only one means of communication with the company.
Look for awkward writing, grammatical and spelling errors in messages—they abound!
Fraudulent messages begin with a general greeting; you are not identified by name.
Dangerous messages may contain attachments that load software to enable thieves to record your keystrokes.
These are tells, not proof: a careful attacker can avoid all of them, so treat any unexpected request for a password or account details as suspect regardless.
Additional Tips to Avoid Victimization
Don’t react to the urgent or obligatory nature of the message
Don’t click on links to reach a company…they can take you to an illegitimate site. Instead, type the URL into a browser window to go to a secure (https) site.
Your legitimate service provider should require you to authenticate with your established user ID and password to log in.
Checking legitimacy of Web host
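Worked example, added here and not part of the original presentation, that turns the tells from the How to Identify Scam Messages slide and the link advice above into detection logic: each message is scored for a generic greeting, the spelling errors, urgent language, links whose host is a bare IP or does not belong to the sender's domain, link text that shows one site while pointing at another, links that are not https, the absence of any other contact channel, and attachments that can run code. The rules and one-point-per-tell scoring are illustrative heuristics, both sample messages are constructed (the first echoes the PayPal notice quoted on the Legit? slide; 203.0.113.0/24 is a documentation address range and 555-01xx is a fictional phone block), and `from_domain` is assumed to have been extracted from the From header already.

```python
"""Score an e-mail for the phishing tells listed on the slides.

Added example, not from the original presentation. The rules and point
values are illustrative heuristics (a careful attacker avoids several of
them), and both sample messages are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear valued",
                     "dear paypal customer")
URGENCY_PHRASES = ("suspend", "immediately", "within 24 hours", "no choice but",
                   "no choise but", "hijacked")
MISSPELLINGS = ("belive", "choise", "temporaly", "recieve", "informations")
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".vbs", ".zip")
PHONE_RE = re.compile(r"\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}")


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name; production code would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def score_message(msg):
    """Return (score, reasons) for a dict with 'from_domain', 'body_html' and
    'attachments'. One point per tell; the reasons say which ones fired."""
    reasons = []
    text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", msg["body_html"])).strip().lower()
    if text.startswith(GENERIC_GREETINGS):
        reasons.append("generic greeting instead of your name")
    if any(w in text for w in MISSPELLINGS):
        reasons.append("spelling errors typical of scam messages")
    if any(p in text for p in URGENCY_PHRASES):
        reasons.append("urgent or threatening language")
    links = _Links()
    links.feed(msg["body_html"])
    sender = registrable_domain(msg["from_domain"])
    for href, shown in links.pairs:
        target = urlparse(href)
        host = target.hostname or ""
        if re.fullmatch(r"[\d.]+", host):
            reasons.append(f"link to a bare IP address: {href}")
        elif registrable_domain(host) != sender:
            reasons.append(f"link host {host} does not belong to sender domain {sender}")
        shown_host = urlparse(shown if "://" in shown else "//" + shown).hostname or ""
        if "." in shown_host and registrable_domain(shown_host) != registrable_domain(host):
            reasons.append(f"link text shows {shown_host} but points at {host}")
        if target.scheme != "https":
            reasons.append(f"link is not https: {href}")
    if links.pairs and not PHONE_RE.search(text):
        reasons.append("only one way to reach the company is offered (no phone number)")
    for name in msg["attachments"]:
        if name.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"attachment that can run or unpack code: {name}")
    return len(reasons), reasons


# Constructed samples: a phishing notice modelled on the one quoted on the
# slide, and a legitimate-looking message that uses none of the tells.
PHISH = {
    "from_domain": "paypal-security.example",
    "body_html": ("<p>Dear PayPal customer,</p><p>We have reasons to belive that your "
                  "account was hijacked by a third party. If you choose to ignore our "
                  "request, you leave us no choise but to temporaly suspend your account.</p>"
                  "<p><a href=\"http://203.0.113.7/pp/login\">http://www.paypal.com/cgi-bin/webscr</a></p>"),
    "attachments": ["account_form.zip"],
}
LEGIT = {
    "from_domain": "umd.edu",
    "body_html": ("<p>Dear Alice Alumna,</p><p>Your statement is ready. Sign in at "
                  "<a href=\"https://www.umd.edu/\">www.umd.edu</a> or call (301) 555-0100.</p>"),
    "attachments": [],
}

if __name__ == "__main__":
    for label, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        score, reasons = score_message(msg)
        print(label, score, *reasons, sep="\n  ")
```

The link checks are the ones worth keeping even when the wording tells are absent: the visible text of the phishing link reads as a PayPal address while the href goes to a bare IP over plain http, which is exactly why the slide says to type the address yourself rather than click. A real mail filter would also use the public suffix list instead of the last-two-labels shortcut, so that hosts under domains like co.uk are compared correctly.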
Steps to Take if You Become a Victim
1. Contact your creditors and banks immediately.
2. Begin keeping records
3. Flag your credit file for fraud. For more information, go to http://www.consumer.gov/idtheft_old/index.html
4. Review your credit reports
5. Report the crime
6. Address public record errors
What Compromised Agency Should Do
• Communicate with you
• Explain the nature of the compromise and the likelihood of data theft
• Advise you of steps to take (fraud alert)
• Provide a Web site for more information and other resources
• Tell you how to expect that you will be contacted with additional information
• Do not release personal information in response to contacts which you have not initiated
• Tell you the steps that have been taken to mitigate the situation and protect information
Other Self-Protection Strategies
• Next time you have checks printed, have only your initials and last name printed on them
• Do not sign the back of your credit cards; instead, write “Photo ID Required”
• Do not put the full account number on the “for” line of your checks when paying bills, just use the last four numbers
• Do put your work phone on your checks instead of home phone
• Do photocopy the contents of your wallet
Contact information
Amy Ginther, Project NEThics Coordinator, [email protected], x52619
Gerry Sneeringer, IT Security Director, [email protected], x52996
Project NEThics, [email protected], x58787
Thanks to: Kevin Shivers, Lead Security Analyst (former), for input to this session.