roadshow2013-revised

advertisement
Information Security
2013 Roadshow
Roadshow Outline
 Why We Care About Information Security
 Safe Computing
•
•
•
•
Recognize a Secure Web Site (HTTPS)
How to Spot a Spoofed Web Site
Recognize a Phishing Attempt
What is Social Engineering
 Privacy and Compliance
•
•
•
PCI/HIPAA/FERPA
Policy
Privacy and Best Practice
Why We Care About Information Security
Personal Reasons:
Identity Theft
Loss of Data
Financial Loss
Poor Computer Performance
Institutional Reasons:
Protect Middlebury College
Compliance with Laws and Standards
Prevent Reputational Damage
Reduce Legal Liability for the College
As Well As the Personal Reasons Listed Above
How do I Know a Web Site is Secure?
• HTTPS in the Address bar
is an indicator of a secure
web site.
• A web site encrypted with
SSL should display a near the
address bar.
• Not all devices or
browsers
display the
same.
What is a Spoofed Web Site
• Just because the site
looks like Middlebury
does not mean it is
•
Check the address or URL
•
Never enter login information unless the site is secure and you have checked the URL
How to Spot Phishing
•
•
•
Do NOT click on links or open attachments in suspicious emails!
Forward all suspected Phishing messages to phishing@middlebury.edu before deleting the
message.
If you fall victim to a phishing attack RESET your password immediately and then call the
Helpdesk!
What Phishing Can Do
•
Infect a system with malware
•
Mislead a user into giving up
credentials
•
Compromise email with
rules and scripts
•
Stet the stage for a larger
attack
•
•
•
Do NOT click on links or open attachments in suspicious emails!
Forward all suspected Phishing messages to phishing@middlebury.edu before deleting the
message.
If you fall victim to a phishing attack RESET your password immediately and then call the
Helpdesk!
What is FakeAV
•
Tries to look like regular AV
•
Clicking on the warning will download a virus
•
Often the best bet is a hard shutdown of the
system
•
Know what your AV warnings look like
•
Sophos anti-virus does offer some web
protections which help to prevent the download
activity of FakeAV.
Social Engineering
• Social engineering, in the context of
security, is understood to mean the art of manipulating people
into performing actions or divulging confidential information. While it is similar to a confidence trick or
simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, or
computer system access; in most cases the attacker never comes face-to-face with the victims.
(From Wikipedia)
Examples:
•
You are in a hotel and receive a call from the front desk to confirm your credit card details.
•
You receive a call at work from support services asking for your password to fix a problem on your
computer.
•
You are at home and get a call from the help desk asking for your login information to reset your email
account.
What Laws Protect Information Here at Middlebury
•
Family Education Rights and Privacy Act (FERPA) = Student Data
•
Health Information Portability and Accountability Act (HIPAA) = Health Data
•
Sarbanes – Oxley Act (SOX) = Financial Data for Businesses
•
Gramm Leach Bliley Act (GLBA) = Financial Data for Lending Institutions
•
VT Act 162 = Data Breach Notification & SSN Handling
•
Payment Card Industry Standards (PCI-DSS) = Credit/Debit Card Data
What Policies Protect Information Here at Middlebury
•
Privacy Policy = Confidentiality of Data
http://go.middlebury.edu/privacy
•
Network Monitoring Policy = Protection of College Technology Resources
http://go.middlebury.edu/netmon
•
Technical Incident Response Policy = Response to Information Security Events
http://go.middlebury.edu/tirp
•
Data Classification Policy = Defines Data Types
Not in handbook as of yet
•
Red Flags Policy = Identity Theft Protection
Not presently in hand book
•
PCI Policy = Payment Card Data Handling
http://go.middlebury.edu/policy?pci
Other Policies Live Here: http://go.middlebury.edu/handbook
What are Some Best Practices
Do
•
Look for HTTPS and other key address
indicators when you are going to different web
sites.
•
Use a strong challenge question in Banner SSB
•
Redaction – remove or mask (block out)
personally identifiable information when sharing
data
•
Be suspicious of unsolicited email or phone calls.
Do
•Lock your computer or secure information when
you leave your work space.
•Use Anti-Virus on both your work and home
systems
•Use secure passwords which you change often.
This also applies to mobile devices.
What are Some Best Practices
Do Not
•
DO NOT write down or share your passwords
- tools such as eWallet or 1Password work
well as secure password storage alternatives.
•
DO NOT store confidential data on unencrypted
thumb drives or other unsecured media
-if you need to transfer the data encrypt the
file or password protect the file and keep a
master copy on the server.
Do Not
•
DO NOT place confidential data in email
-email a link to where the file is
stored. This may add complexity
but increases security. Windows
Explorer can show you the path to
the location of the file.
•
DO NOT record sensitive data on the College
web site, blog or Wiki
Discussion and Links
Please share your thoughts!
Information Security Resources:
http://go.middlebury.edu/infosec
http://go.miis.edu/infosec
Report Information Security Events To: infosec@middlebury.edu
Download