Security Awareness - memphis.edu
Transcript of Security Awareness - memphis.edu
Why is Security so Important?
• Technology can address only a fraction of security risks.
• You are a primary target, or rather, your data and access to data are a target.
• Gaining access to your personal data allows criminals to take your research or your personal information. It also allows them to impersonate you, or your computer, to gain access to other systems and data.
Security Basics
• University Policies
• Passwords
• Browsing
• Email
• Desktop and Mobile Device Security
• Data Security and Encryption
• Remote Access / VPN
• Securing The Human Training
• Reporting an incident
• Reminders
• Other Resources
University Policies
• UM1337 – Data Access
• UM1535 – Acceptable Use of IT Resources
• UM1691 – Campus Data Security
• FERPA – Federal Educational Rights and Privacy Act
  • http://www.memphis.edu/registrar/faculty/ferpa.htm
University Policies Site – http://policies.memphis.edu
Passwords
• Password Complexity
  • Hackers and toolkits anticipate patterns and context, so avoid words like “memphis” in your UofM password or “credit” on your credit card account.
  • Using personally identifiable information will also be anticipated, so avoid passwords containing words or names from your family and public record.
  • The University of Memphis enforces a standard set of complexity requirements.
• Password Change Frequency
  • Frequency can be as important as complexity. An expired password is useless to anyone who has stolen it.
  • The University of Memphis currently enforces a 6 month expiration policy.
• Password Reuse
  • Maintain different credentials per service. Hackers know it’s hard to keep up with multiple passwords. If they get one, they will use it against other services hoping to gain additional access. Never use your University of Memphis credentials with another service.
Password Management
• Password Management / Identity Vault
  • ITS will never ask you for your password.
  • Avoid writing passwords down or keeping them in a text file or document.
  • Email is not a password management system. Never email your password to anyone (including yourself).
  • A password management utility is one option for storing personal passwords. Many exist that work on desktops and mobile devices. These encrypt your passwords and many will also help you generate nicely complex passwords.
  • 1Password and LastPass are examples of password management utilities.
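The password rules on the two slides above (avoid context words such as “memphis” and personal names, meet complexity requirements, expire after six months, never reuse a password across services) can be expressed as a single policy check. This is an added illustration, not code from the University of Memphis; the slides only mention “a standard set of complexity requirements”, so the minimum length, the required character classes, the 182-day window and the context word list are assumptions chosen for the example.

```python
import hashlib
import re
from datetime import date, timedelta

# Assumed policy values: the slides only say "a standard set of complexity
# requirements" and a six-month expiration, so the numbers here are illustrative.
MIN_LENGTH = 12
MAX_AGE = timedelta(days=182)  # about six months
# Context words an attacker would try first on a UofM account (extend per service).
CONTEXT_WORDS = {"memphis", "uofm", "tigers", "password"}


def has_complexity(pw: str) -> bool:
    """Require lower, upper, digit and symbol characters (assumed rule)."""
    return all(re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))


def fingerprint(pw: str) -> str:
    """Digest used to compare against earlier passwords without storing them."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw, personal_words=(), previous_hashes=(), last_changed=None, today=None):
    """Return the list of policy problems; an empty list means the password passes.

    personal_words: names or words from the user's family or public record.
    previous_hashes: fingerprints of passwords already used here or on other services.
    last_changed / today: ISO dates ("2024-01-01") for the expiration check.
    """
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not has_complexity(pw):
        problems.append("missing a character class (lower/upper/digit/symbol)")
    for word in sorted(CONTEXT_WORDS | {w.lower() for w in personal_words}):
        if word and word in lowered:
            problems.append(f"contains guessable word '{word}'")
    if fingerprint(pw) in set(previous_hashes):
        problems.append("reuses a password from this or another service")
    if last_changed is not None:
        now = date.fromisoformat(today) if today else date.today()
        if now - date.fromisoformat(last_changed) > MAX_AGE:
            problems.append("older than the six-month expiration window")
    return problems


if __name__ == "__main__":
    # Constructed inputs for a quick run; the first one trips the context-word rule.
    print(check_password("Memphis-Tigers-2015!", personal_words=["Smith"]))
    print(check_password("Hx7#qLm2$vRt9!Wz", last_changed="2024-01-01", today="2024-05-01"))
```

A password manager that already stores digests of your other accounts' passwords could supply `previous_hashes`, which is how the "different credentials per service" rule becomes checkable in practice.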
Browsing
Safe Browsing
• Keep your browser software version up-to-date.
• Keep any browser plug-ins up-to-date; especially Adobe Flash and Java, as these are targeted frequently.
• Hover over URLs and links to see where they actually lead before clicking.
• Make use of pop-up and ad blockers.
• Be careful when downloading software from the internet.
• Social networking sites, by definition, collect, maintain, and share personal identification. Be mindful of this when interacting with these sites both on and off campus.
• If a website requests user information of any kind, make sure that website is using HTTPS.
• HTTPS is the secure web protocol. This can be seen in a web address such as https://www.google.com. This ensures that the specific web session between your browser and the https website is all transmitted in an encrypted manner.
Email
• Keep your email program up-to-date.
• Most email programs do not encrypt your messages, subjecting them to possible interception by others.
• Email messages can contain a virus or other malicious software that could infect your computer or device.
• Never click on a link sent to you in an email unless you are absolutely sure it is safe.
• Never click on or download an attachment from an email unless you are absolutely sure it is safe.
• Be wary of email from an unknown sender.
• Use the “Report Junk” option to mark spam. Review/empty your “Junk E-Mail” folder periodically.
• The University of Memphis email service (UMMail) includes special server tools to help recognize and quarantine suspicious email.
Email
• Phishing
  • A phishing email attempts to fool a user into thinking it originated from a trusted person or business. These often contain web links or attachments asking for personal information or leading to a questionable website that attempts to collect sensitive information.
  • Typically, phishing emails appear to come from:
    • A trusted source, such as the University of Memphis
    • Co-workers, friends, or family
    • A “help desk” or “service desk”
    • Financial institutions
    • Social media sites
Desktop and Mobile Device Security
• Never leave your laptop or device unattended. Thefts do happen.
• Your PC/device should be set to automatically install security updates.
• Have anti-virus and anti-spyware software installed and enabled.
• Ensure your firewall is turned on and set to block all incoming traffic, allowing only the specific services you need.
• The SafeConnect NAC (Network Access Control) requires users to log in before accessing the campus network, and also ensures your PC has the latest security updates and anti-virus protection.
• Ensure access to your mobile device is protected with a passcode.
• Consider using a remote tracking/wipe function if supported. For iOS devices, iCloud provides the “Find my iPhone” service for free. Android and other mobile operating systems also have similar functionality.
Data Security and Encryption
• Sensitive data should be encrypted whenever possible. Here are some examples:
  • Research data
  • Student data (FERPA)
  • Personally Identifiable Information
  • Financial Information
• There are a variety of disk encryption methods available:
  • Microsoft BitLocker (Windows)
  • Apple FileVault (Mac OS X)
• Keeping sensitive data on campus servers alleviates the risk of a stolen mobile device or compromised home computer.
• When disposing of old devices (desktops, laptops, flash drives, phones), ensure all sensitive data has been securely deleted.
Remote Access / VPN
• VPNs provide secure, encrypted communication between off-campus devices and on-campus resources.
• The VPN application is freely available and fully supported on Windows, Mac OS X, and iOS (iPhone, iPad) devices.
• Some of the typical campus resources accessed via the VPN are Remote Desktop, Banner INB and departmental file shares.
• Remote Desktop applications allow you to control your desktop PC from off-campus. This allows sensitive data to remain on campus.
Remote Access / VPN
The following diagram illustrates how the VPN encrypts your network traffic. Note that only specific connections to on-campus resources are protected by the VPN tunnel.
SANS Securing The Human
• New training in Summer 2015 is mandatory for all Banner Finance/Banner HR users.
• Training must be taken once a year and consists of a group of short videos followed by short quizzes.
• Certificate of completion can be printed at end of assessments.
• http://www.memphis.edu/its/security/security-awareness.php
Reporting Incidents
• Phishing/[email protected].
• Real security incidents, such as compromised credentials, a compromised system or evidence of data exposure/release, can be reported using an online form at https://www.memphis.edu/its/security/incident-report.php.
Reminders…
• ITS will never ask…
  • …for your password via email or over the phone.
  • …for you to “confirm” your account via email.
  • …for you to follow a link to clean a virus from your email mailbox.
  • …for you to update or increase your email quota.
• When in doubt, [email protected].
Other Resources
• ITS Security website – http://www.memphis.edu/its/security
• CIO blog – http://blogs.memphis.edu/cio
• Stay Safe Online – National Cyber Security Alliance – https://www.staysafeonline.org
• SANS Cyber Security Awareness – http://cyberaware.securingthehuman.org