BU Security Awareness Presentation

Boston University
Computing Security Awareness
What you need to
know about keeping
information safe and
secure.
IS&T | Information Security
Background
Why be concerned?
• Think about everything you use your computer for: banking, shopping, paying your bills, etc.
• Then consider how much of your personal information is involved in those transactions: social security number, name, address, medical information, etc.
• Now imagine the amount of personal and sensitive information Boston University collects on students, faculty, and staff.
What can you do?
• Three simple steps can help us ensure University information is not compromised:
  • Confidentiality – protecting information from unauthorized disclosure
  • Integrity – protecting information from unauthorized modification and ensuring it is accurate and complete
  • Availability – ensuring information is available when needed
How are we threatened?
• The severity and range of threats to information security are increasing every day. The most prevalent include:
  • Viruses - small pieces of malicious software which “infect” your computer.
  • Spyware - software that collects information from your computer which can be used to exploit your system.
  • Operating System Holes - weaknesses in the operating system which may or may not be known to the manufacturer.
  • Weak Passwords - simple passwords which can be guessed or cracked.
  • Social Engineering – non-technical schemes used to obtain sensitive information from a user or system.
Viruses
• Computer viruses are designed to be destructive by destroying files or
systems or creating widespread mayhem across the larger network.
• As with biological viruses, the simplest way to avoid a computer virus
is prevention. This means properly installed and updated anti-virus
software and following a few steps.
• Boston University has free anti-virus software available for
download at: http://www.bu.edu/tech/help/virus/
• Don’t open email attachments you don’t recognize. Email from
unknown senders frequently contains viruses.
• Don’t load compact discs or any form of external memory on your
work system from untrusted sources, or even from your own home
computer, unless you know they’re clean of viruses.
• Steer clear of “questionable” websites.
Spyware
• Though spyware is less obvious in its impact on your system, it
has become a greater threat than viruses in recent years.
• Unlike viruses, spyware does not necessarily adversely affect
your computer’s performance.
• It is designed to collect information about you or your system and send it to someone who can then use the information to attack your system or break into accounts you might have on other systems.
• Boston University has free anti-spyware software available for
download at: http://www.bu.edu/tech/help/spyware/index.html
• When properly installed and updated, anti-spyware software
will greatly reduce the risk of vulnerability to spyware.
Operating System Holes
• Making a perfect piece of software is
almost impossible. Sometimes, there may be
holes in how software functions and these
holes can be utilized in an attack on your
system.
• When manufacturers become aware of
security holes, they will release patches to
fix them. Most systems have an automated
method for downloading and installing such
updates.
• Whether you do it manually or
automatically, you need to keep your
software updated with the latest patches.
Weak Passwords
Even if your system does not enforce strong passwords, make certain not to create weak passwords. Weak passwords are non-complex and easy to guess. Good rules for creating passwords are:
• Use upper and lowercase letters
• Use numbers and special characters
• Have a minimum of 10 characters
• Use “passphrases” which are harder to break but easy to remember, such as “My password is hard times 1000!”
• Change your password at least every 180 days
• Avoid birthdays and pet names
Examples of strong passwords:
Happy Days = H4PPY**d4y5 (11 characters)
Bad Rabbit = b4d@@R4BBI+ (11 characters)
You break it, you buy it = Ubrke1tUbuy1t! (13 characters)
Hack this = HACK*+h15! (10 characters)
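As an added example (not part of the original presentation), the following Python checker applies the password rules listed above to a candidate password and reports which rules it breaks; the small pet-name list and the date pattern used for the “avoid birthdays and pet names” rule are constructed assumptions, not a BU policy.

```python
"""Check a candidate password against the rules on the Weak Passwords slide."""
import re
import string

MIN_LENGTH = 10  # the slide's "minimum of 10 characters" rule

# Constructed stand-in for "avoid pet names"; a real deployment would use a
# far larger denylist (and usually the user's own profile data).
COMMON_PET_NAMES = {"fluffy", "buddy", "bella", "kitty", "rover"}

# Assumed birthday shapes: a 4-digit year (19xx/20xx) or MMDDYY(YY)-style runs.
BIRTHDAY_RE = re.compile(r"(19|20)\d{2}|\d{2}[/.-]?\d{2}[/.-]?\d{2,4}")


def check_password(candidate: str) -> list[str]:
    """Return the slide rules the candidate violates (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    lowered = candidate.lower()
    if any(name in lowered for name in COMMON_PET_NAMES):
        problems.append("contains a common pet name")
    if BIRTHDAY_RE.search(candidate):
        problems.append("contains a birthday-like date")
    return problems


def is_acceptable(candidate: str) -> bool:
    """True when the candidate satisfies every rule on the slide."""
    return not check_password(candidate)


if __name__ == "__main__":
    # The slide's own examples plus two constructed weak passwords.
    for pw in ("H4PPY**d4y5", "b4d@@R4BBI+", "Ubrke1tUbuy1t!", "HACK*+h15!",
               "My password is hard times 1000!", "password", "fluffy2010!"):
        verdict = check_password(pw)
        print(f"{pw!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

Length, character classes and denylists are only the first filter; the slide's advice to change passwords and never reuse the work password elsewhere still applies to a password this checker accepts.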
Social Engineering
Social Engineering is the term used to describe non-technical methods used to learn sensitive information about a user or system. Some examples of social engineering include:
FREE!! Websites offer a special deal in exchange for
an account you create. Spyware attaches to this free
offer and tracks your website use and login information.
To avoid this problem, use different usernames and
passwords on all your online accounts. NEVER use
your work username and password for personal
accounts.
Phone calls: Someone posing as a representative of a
company calls and asks you for personal information.
Ask for the representative’s name, company and phone
number. In almost every case, the caller will disconnect
when asked questions or placed on hold. If someone
you do business with calls you, look up their official
number and call them back.
E-mail requests: If you are unsure whether an
email request is legitimate, try to verify it by
contacting the company directly.
Our Environment
In the University environment, there are additional steps
necessary to effectively reduce security threats.
We should focus on several factors to help us better
determine what we can do to secure our data:
What are the systems used for?
Security solutions need to be appropriate to both the sensitivity of the data and its level of exposure. Sensitive data should not be transported or stored unencrypted.
Who is supposed to have access to what, and why?
Access to information should be given only to those people who have a business need for it. Often people are granted more access than is necessary; therefore, access should be granted only after it is confirmed as appropriate for the specific person.
Potential Hazards
Once we have answered for what and by whom systems are being
used, we will be better able to identify when there has been a
potential security incident.
EXAMPLES OF SECURITY INCIDENTS:
1. An account password is compromised either through guessing or being cracked.
2. There is a hacking attempt made against your system; some attempt to force entry or exploit a vulnerability.
3. Computer files go missing.
4. There are unexplained changes to system data or your configurations.
5. Your system becomes infected by a virus.
6. Your workstation/laptop is stolen.
7. An unauthorized user attempts to access your system.
Security Tips
Email Attachments
Only open an email attachment if
you can answer YES to the following 3
questions:
1. I know exactly what the file is.
2. I have ensured that my virus scan program
is fully updated AND I have used the
program to scan the attachment for viruses.
3. I have verified the identity of the sender and
their intentions via telephone or email.
Physical Security
• Always log out when stepping away from your computer for ANY period of time, and always at the end of the day.
• Consider using a password-protected screensaver as an extra layer of security.
• Be aware of those that have keys to the office and access to your physical workspace.
• Shred documents that contain sensitive information.
• Back up your data on a daily basis.
Firewalls
A firewall is a piece of software or hardware which acts as a protective barrier between your computer and potentially harmful content on the Internet. It helps guard computers against hackers, along with many computer viruses and worms, by only allowing necessary traffic to reach the computer.
If your operating system has a built-in firewall, be sure it is enabled. B.U. Linux, Apple OS X, and Microsoft Windows XP SP2 all have their own firewalls.
Visit http://www.bu.edu/tech/help/desktop/windows/firewall/ for more information.
Regulatory Compliance
Federal and State Regulations
Boston University must comply with certain
Federal and State regulations. Here are some
examples of the laws, which will be explained in
further detail:
Family Educational Rights and Privacy Act
(FERPA)
Health Insurance Portability and
Accountability Act (HIPAA)
Massachusetts Standards for the Protection
of Personal Information (201 CMR 17.00)
Federal and State Regulations
• Family Educational Rights and Privacy Act (FERPA)
FERPA is a federal law that protects the privacy of a student’s education records. In compliance with FERPA, Boston University does not disclose personally identifiable information contained in student education records, except as authorized by law.
Please visit the Registrar's website for more information: http://www.bu.edu/reg/information/ferpainformation.html
• Health Insurance Portability and Accountability Act (HIPAA)
The main goal of HIPAA is to ensure the portability of health insurance benefits, particularly as individuals move from job to job. Moreover, HIPAA provides regulations for protecting the security of health information that is stored or transmitted electronically.
Federal and State Regulations
Massachusetts Standards for the Protection of
Personal Information (201 CMR 17.00)
This regulation establishes minimum standards to be met in connection with the protection of personal information (contained in both paper and electronic records) of the residents of the Commonwealth. The objectives of this regulation are:
• To ensure the security and confidentiality of customer information in a manner fully consistent with industry standards
• Protect against anticipated threats or hazards to the security or integrity of such information
• Protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer
Under this regulation personal information is defined as a combination of:
• First name / last name, or first initial / last name, AND
• Social Security Number, driver’s license number (or state-issued ID), financial account number or credit / debit card number (with or without PIN or password), and effective date.
Boston University Contacts
• IT Help Center - can answer most personal computing support and network connectivity questions.
• Network Systems Engineering Group - can help with getting or repairing a network connection in an academic or administrative department.
• BU Security Team - can answer your computer security related questions.
• Unix Systems Support - for Unix support at Boston University.
• BU Linux website - has information about using Linux at Boston University.
• Operations group - provides file-backup service for departmental servers and individual workstations.
• Residential Computing Services group - can assist with problems related to ResNet Computer Labs.
• We have Active Directory support for departments interested in joining or that have already joined.