Security Awareness Protecting Sensitive Information
Security Awareness
Protecting Sensitive Information
East Carolina University ITCS/IT Security
Objectives
• Why protecting data is important
• How data can be compromised
• Some “best practices” for keeping the data entrusted to us secure
Why Should You Care?
Universities hold massive quantities of sensitive data
Universities are traditionally seen as easy targets
We must understand the types of data that we hold, and the business processes that surround it
Sensitive Data
• Social Security Number (SSN)
• credit card number
• driver’s license number
• personally identifiable patient information
• personally identifiable student information
• proprietary research data
• confidential legal data
• proprietary data that should not be shared with the public
Compliance
The University is required to comply with Federal and State Legislations regarding the way we use and store sensitive information
• HIPAA - Health Insurance Portability and Accountability Act
• GLBA - Gramm-Leach-Bliley Act
• FERPA - Family Rights to Privacy Act
• NC Identity Theft Protection Act
NC Identity Theft Protection Act
The Identity Theft Protection Act is designed to protect individuals from identity theft by mandating that businesses and government agencies take steps to safeguard social security numbers and other personal information
Identity Theft
Approximately 10 million ID theft victims nationally per year, or 19 people per minute
Identity theft is now passing drug trafficking as the number one crime in the nation (DOJ)
In NC, identity theft reported to the FTC jumped from 1,656 cases in 2001 to 5,830 in 2005
The NC ID Theft Act and ECU
Effective: December 1, 2005
§ 132‑1.8. Social security numbers and other personal identifying information.
Unless disclosure is necessary to perform clearly defined duties and responsibilities or is required by law, the following is prohibited:
1. Collection of social security numbers
2. Failing to segregate social security numbers from the rest of the record
3. Failing to provide a Statement of Purpose when collecting a social security number
4. Use of a social security number for a purpose other than the one stated
5. Intentionally disclosing social security numbers to the public
The NC ID Theft Act and ECU
Effective: July 1, 2007
§ 132‑1.8. Social security numbers and other personal identifying information.
State and local government agencies should minimize the instances where social security numbers and personal identifying information are disseminated internally or externally.
No agency of the State, or any agent or employee, shall (unless an exception is made):
6. Print or embed social security numbers in a card required for access to services
7. Require a person to transmit their social security number over the Internet unless the connection is secured or the number is encrypted
8. Require a social security number to access an Internet Web site without other authentication
9. Print and mail social security numbers, unless required by law
How is Information Stolen?
• Phishing
• Malware
• Hacking
• Stolen/Lost Computers
• Social Engineering
Phishing
A type of Social Engineering
The practice of acquiring personal information on the internet by masquerading as a trustworthy business
Malware
Usually installed onto a computer by downloading other programs such as screensavers, games, and “free” software
Trojans – malicious programs disguised as, or embedded within, legitimate software
What Can Malware Do?
Download other malware
Crash your workstation
Capture and send sensitive information from your workstation to the hacker
Be used to perform attacks from inside our network
Social Engineering
A hacker’s favorite tool—the ability to extract information from computer users without having to touch a computer
Coercing people to give out information is known as “social engineering” and is one of the greatest security threats out there
Social Engineering
Social engineers prey on some basic human tendencies:
• The desire to be HELPFUL
• The tendency to TRUST people
• The FEAR of getting into trouble
Social Engineering
Despite all our security controls, we are wide open to an attack if an employee unwittingly gives away key information in an email, by answering questions over the phone from someone they don’t know, or by failing to ask the right questions
Hacking
Compromising a computer, server, or network by means of software exploits or operator negligence/ignorance
Lost/Stolen Computers
What could the loss of one laptop containing sensitive information cost?
Thousands, maybe millions. Why?
• Fines
• Public relations damage control
• Class action litigation
Which Way did it Go?
Licensed cab drivers in London reported that 4973 laptops, 5939 Pocket PCs, and 63135 mobile phones were left in cabs over a six-month period
What Can I Do?
Examine Your Business Processes
• WHAT: the data
• WHO: has access to the data
• WHERE: it originates, resides, and goes
• HOW: it gets where it’s going
What data, Where is it?
Search your workstation for sensitive data
• Can it be deleted?
• Can it be moved to PirateDrive?
If you MUST store sensitive information locally, ENCRYPT it
Data Security
Data should not be copied or downloaded from the university’s administrative systems to a PC, PDA, laptop, etc., unless required by your department
PirateDrive is a secure storage location that meets the requirements for storing sensitive information; it is available to individuals and departments
Data Security
Sensitive information should never be located on a web server
Use a secure server to store sensitive data
Use an encrypted database, such as SQL or Oracle, to store sensitive information
Remove the confidential part of the information from the data if this is possible (e.g., the SSN)
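The two slides above ask staff to search their workstations for sensitive data and, where possible, to remove the confidential part of a record. The following script is an added example and is not part of the original ECU presentation: it searches text for Social Security numbers and payment card numbers, drops candidates that fail the Social Security Administration's issuance rules or the Luhn check digit (so that a help-desk phone number or an invoice number is not flagged), and produces a copy in which everything but the last four digits is masked. The file names and their contents are constructed samples, not real data; only the Python standard library is used.

```python
"""Find and redact SSNs and payment card numbers in text (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Loose candidate patterns; the validators below remove false positives.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13 to 19 digits


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn" or "card"
    start: int   # offset of the match in the text
    end: int
    last4: str   # the only digits a report or a masked copy may show


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test used by all major payment card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject ranges the Social Security Administration never issues."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def find_sensitive(text: str) -> list[Finding]:
    """Return validated SSN and card-number findings, ordered by position."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding("card", m.start(), m.end(), digits[-4:]))
    for m in SSN_RE.finditer(text):
        if not ssn_plausible(*m.groups()):
            continue
        # A nine-digit run inside an already matched card number is not an SSN.
        if any(f.start < m.end() and m.start() < f.end for f in findings):
            continue
        findings.append(Finding("ssn", m.start(), m.end(), m.group(3)))
    return sorted(findings, key=lambda f: f.start)


def mask(chunk: str, keep: int = 4) -> str:
    """Replace all but the last `keep` digits with '*', preserving separators."""
    out = []
    for ch in reversed(chunk):
        if ch.isdigit() and keep > 0:
            out.append(ch)
            keep -= 1
        else:
            out.append("*" if ch.isdigit() else ch)
    return "".join(reversed(out))


def redact(text: str) -> str:
    """Copy of `text` with every finding masked to its last four digits."""
    pieces, pos = [], 0
    for f in find_sensitive(text):
        pieces.append(text[pos:f.start])
        pieces.append(mask(text[f.start:f.end]))
        pos = f.end
    pieces.append(text[pos:])
    return "".join(pieces)


def scan_documents(docs: dict[str, str]) -> dict[str, list[Finding]]:
    """Map each file name to its findings, keeping only files that have some."""
    report = {name: find_sensitive(body) for name, body in docs.items()}
    return {name: hits for name, hits in report.items() if hits}


# Constructed sample files standing in for a workstation's documents; none of
# these values are real. The phone and invoice numbers are decoys that a naive
# digit-pattern search would flag, and 987-65-4321 falls in the never-issued
# 900-999 area range, so it is treated as a dummy value rather than an SSN.
SAMPLE_DOCS = {
    "roster_2007.csv": "name,ssn\nJane Doe,123-45-6789\nJohn Roe,987-65-4321\n",
    "travel_receipt.txt": "Paid with card 4111 1111 1111 1111, ref 328-9866\n",
    "meeting_notes.txt": "Help desk: 328-9866. Invoice 1234567890123 pending.\n",
}

if __name__ == "__main__":
    for name, hits in scan_documents(SAMPLE_DOCS).items():
        kinds = ", ".join(f"{h.kind} ending {h.last4}" for h in hits)
        print(f"{name}: {kinds}")
        print("  redacted:", redact(SAMPLE_DOCS[name]).strip())
```

The report never carries the full number, only its kind, position and last four digits, so the output of the scan is itself safe to forward to whoever decides whether the file is deleted, moved to PirateDrive, or encrypted in place.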
Data Security
Be careful to whom you give sensitive information.
Do you know who they are?
Do they have a need to know?
Do they have the proper authorization?
Your PirateID and Passphrase
Never allow others to use your PirateID or other logins – this includes your supervisor!
Use a strong passphrase on all your computer systems and change them regularly
Never give your passphrase out to anyone
Passphrase Security
Use a different passphrase on your university and home workstations or programs
Avoid using the “auto complete” option to remember your passphrase
Securing Your Workstation
Log off or lock your workstation when you leave (ALT-CTRL-DEL)
Use a screensaver with a password enabled
When you go home, turn the computer off
Steer Clear of Malware
Avoid using Instant Messaging and Chat Software
Avoid using Peer to Peer file sharing software
Don’t download or install unauthorized programs
Keep your computer up to date with the latest A/V definitions and security patches
Safe Email Practices
Don’t open unscanned, unknown or unexpected email attachments
If you receive an email with a hyperlink, don’t open it from the email – open a web browser and type the link in manually
Email is not secure and should not be used to send sensitive information. If you must use email, ALWAYS encrypt sensitive data
Practice a “Clean Desk” policy
Don’t leave sensitive data unattended on your desk, fax, printers or copiers
Keep sensitive data stored in a locked desk, drawer or cabinet
Shred sensitive data for disposal
Basic Business Rules
If you don’t need it, don’t collect it
If you need it only once, don’t save it
If you don’t need to save it, dispose of it properly
If you have to save it, encrypt it or lock it up
Don’t give out information without positive confirmation
If You Suspect a Problem
Notify the ITCS Help Desk at 328-9866
If you’ve been hacked, or think you have, change the passphrase on ALL systems you have access to (and not from the hacked workstation either)
If you have received a threat, notify the ECU Campus Police
Security Awareness Mindset:
“I understand that there is the potential for some people to deliberately or accidentally steal, damage or misuse the data that is stored within my computer systems and throughout our University. Therefore, it would be prudent for me to stop that from happening.”
For More Information
Please visit the IT Security website at WWW.ECU.EDU/ITSecurity