Information Technology Security at Virginia Tech
Wayne Donald, IT Security Officer
Randy Marchany, Director, IT Security Lab
Nick Pachis, IT Security

Why Discuss IT Security?
Confidential data exposures
Identity theft
Physical property theft
It does happen here!

Need more?
“It won’t happen to me!”
An “open” network environment to foster collaboration and the free exchange of information
“There is nothing on my machine anyone would want.”
Too much confidential data, too many questions
Usually a wide range of hardware and software to support, and it often moves between home, campus, and other environments
Too few security experts and weak tools; untrained personnel are often assigned to maintain system security

University Policy 7010
This policy helps ensure that all technology resources and services are as stable, secure, and trustworthy as possible, in order to protect individuals, departments, and the university. Departments and individual users must adhere to security standards, including, but not limited to:
– Updating your operating system and software
– Installing antivirus software and keeping it updated
– Installing and maintaining access controls (e.g. passwords, permissions, firewalls, etc.)
– Using strong passwords
– Maintaining adequate physical security for critical, confidential, or sensitive resources
– Ensuring adequate backups
– Limiting permissions and access to those who need them
– Contacting the appropriate personnel in case of problems

Important Policies
http://www.policies.vt.edu

Compliance With Regulations
FERPA – governs individuals' access to their own academic records, third-party access, and the appropriate security of education records
HIPAA – privacy protection for health records
G-L-B – the security and confidentiality of customers' nonpublic financial information
PCI – Payment Card Industry (PCI) Data Security Standard for credit card handling
SOX – Sarbanes-Oxley Act, dealing with financial applications
Patriot Act – gives the federal government the ability to investigate threats to national security
Copyright laws – the legal right to exclusive publication, production, sale, or distribution of literary, musical, or artistic work
– Software; publications; music and movies
Additional federal and state regulations – covering day-to-day activities from purchasing items to personnel issues to reporting structures to what is legal to access

Protect Your Data

Know your data!
What is sensitive data?
– Social Security Numbers, medical records, student grades, human research material (IRB approved), credit card numbers, etc.
What are the risks to my data?
– Information theft and fraud
– Deletion and alteration of information
– Unintentional exposure and misuse

Data Protection Solutions
Encryption – one of the safest ways to protect your data, both in transit and at rest
– GPG (command line only): http://www.gnupg.org/
– TrueCrypt: http://www.truecrypt.org/
– Commercial encryption options
SSL – make certain all sensitive data is submitted over a secure connection (https)
Store on removable media (thumb drive, CD/DVD, etc.) – if there is concern about the data being on a laptop, store it elsewhere

Know where your data is!
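As an added illustration of knowing where your data is, the following Python script (example code written for this page, not the Virginia Tech findssnccn tool or its logic) scans text for strings shaped like Social Security Numbers and credit card numbers. It uses the SSN format rules (area, group and serial values that are never issued) and the Luhn check digit to cut down false positives such as phone numbers. The sample document is constructed for the example; the card numbers in it are the well-known industry test numbers, not real accounts, and the mask() helper is an assumption about how findings should be reported.

```python
"""Scan text for strings that look like SSNs or credit card numbers.

Example code for this page (not the VT findssnccn tool).  A real scan
would walk a directory tree and apply scan_text() to each readable file.
"""
import re

# SSN shape ###-##-####, excluding area/group/serial values that are
# never issued (000, 666 and 900-999 area; 00 group; 0000 serial).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 19 digits, optionally separated by single spaces or dashes.
CC_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> list:
    """Return every SSN-shaped string in the text."""
    return [m.group(0) for m in SSN_RE.finditer(text)]


def find_ccns(text: str) -> list:
    """Return digit-only card numbers that pass Luhn; phone-like runs fail."""
    hits = []
    for m in CC_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(value: str) -> str:
    """Keep only the last four characters so a report does not re-expose data."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str) -> dict:
    """Scan one document and return findings grouped by kind."""
    return {"ssn": find_ssns(text), "ccn": find_ccns(text)}


# Constructed sample: one SSN, one phone number, one SSN with an invalid
# area, two industry test card numbers and one 16-digit run that fails Luhn.
SAMPLE = """\
Student: J. Doe  SSN 123-45-6789  phone 540-231-4357
Invalid SSN area: 000-12-3456
Payment: 4111 1111 1111 1111 exp 12/09
Alt card: 378282246310005
Not a card: 1234 5678 9012 3456
"""

if __name__ == "__main__":
    for kind, values in scan_text(SAMPLE).items():
        for v in values:
            print(f"{kind.upper()} found: {mask(v)}")
```

Running the script reports the one SSN and the two valid card numbers, masked to their last four digits, and ignores the phone number, the impossible 000 area and the digit run that fails Luhn. Pattern matching only finds data in plain text; files that are compressed, encrypted or in binary formats need to be opened by a format-aware scanner first.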
Find SSNs and CCNs – http://www.security.vt.edu/findssnccn.html – a tool written at Virginia Tech

IT Security Reviews
– Security reviews can be requested by any university department
– The purpose is to review the systems and applications within a department in order to:
  identify potential disclosure or integrity problems with hardware, applications, and critical data;
  help departments recognize their vulnerabilities and offer alternatives;
  prepare a security review report for distribution to the appropriate individuals
– The reviews help prevent data disclosures and possible manipulations that might embarrass the university, a department, or individuals

Protect Your Machine

Your First Line of Defense
The VTnet CD should be your first line of defense. It will make certain that:
– the firewall is turned on
– Windows Update is turned on if it is off
– antivirus software is installed if it isn't already
– the root certificates are installed
– etc.
– http://antivirus.vt.edu/proactive/vtnet2007.asp

Physical Security
Don't assume physical security!!
A key component is the location and accessibility of computers
– Just the position/location of the monitor and keyboard matters
– Even more critical if the machine is used with sensitive data
Keep areas locked when necessary and consider restricted access (physically and on systems)
Know who you are working with and why they would be seeking physical access
– Don't stay logged on when you leave your system
Laptops and PDAs require additional security measures, especially if those devices contain confidential data
Disable auto-logon on all computers

Wireless Security
Always use encryption when transmitting sensitive data
– Use secure web sites (https://)
– Use Webmail, Outlook/Exchange, or Eudora for email transmissions
– http://www.computing.vt.edu/email_and_calendaring/vt_mail/ssl.html gives information on secure (SSL) email
Use an encryption tool to encrypt sensitive files (or folders)
– GPG (command line only): http://www.gnupg.org/
– TrueCrypt: http://www.truecrypt.org/
– Commercial encryption options
Consider using a memory stick to store the data encrypted rather than storing it on the laptop

Protect Yourself

Password Management
DON'T SHARE YOUR PASSWORD!
If a person does something malicious while logged on as you, it will likely be blamed on you
– If I had your PID/password I could change your benefits, request your W-2, read and send your email, change grades, etc.
If you think someone knows your password – CHANGE IT!

Selecting Good Passwords
Don't use any actual word or name in ANY language
Don't use consecutive letters or numbers (abcdefg) or adjacent keys on the keyboard (qwerty)
Use the first letter of each word in a phrase: “Pay no attention to the man behind the curtain” becomes the password PnAttMBtC
– A special event: “I went to Ft. Lauderdale in 85!” becomes IwtF.Li85!, or use the last letter of each word and reverse the caps for iTOT.eN85!
Substitute digits for letters: football might become F00t8a77, or sneakers might become 5n3ak3r5
Use something personal like a child's initials and birthdate: RLS87&ds
Or a special event: SB85Vt&Tx

Using/Creating Secure Websites
Ensure that you are using a secure website (https) when transmitting any sensitive or confidential data over the web
Simply put, you don't want your personal or confidential information broadcast to the world for all to see; this is especially important on wireless networks.

Social Networking
Social networking – Facebook, MySpace, Second Life, etc.
Social networking isn't “bad”
The good things:
– Keep in touch with colleagues at a distance
– Useful in distance classes
– Find others with your interests or peers in your field
The bad things:
– Can be used to harvest personal information
– Difficult to remove information when you no longer want it displayed
– Employers are using it for references more frequently

Social Engineering
Social engineering is the practice of obtaining confidential information by manipulating legitimate users
– Example: impersonating an important user to gain physical access to a machine or data

References and Contact Information

Helpful Sites
Computing site: http://computing.vt.edu

Contact Information
4Help: http://4help.vt.edu – 231-HELP
Security web site: http://security.vt.edu
VT Computing site: http://computing.vt.edu
IT Security Office and IT Security Lab, 1300 Torgersen Hall
Wayne Donald – wdonald@vt.edu
Randy Marchany – marchany@vt.edu
Brad Tilley – rtilley@vt.edu
Nick Pachis – npachis@vt.edu
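Closing worked example for the Selecting Good Passwords slides above, added for this page and not a Virginia Tech tool: first_letters() builds a password from the first letter of each word in a phrase while keeping digits and punctuation, substitute() applies the digit-for-letter swaps the slides use (o to 0, b to 8, l to 7, e to 3, s to 5), and check_password() flags the things the slides say to avoid (dictionary words, consecutive characters, adjacent keyboard keys). The eight-character minimum and the small word list are assumptions for the example; a real check would use a full multi-language dictionary.

```python
"""Password helpers following the "Selecting Good Passwords" rules.

Example code for this page, not a Virginia Tech tool.  The minimum
length and the tiny word list below are assumptions for the example.
"""
import re

MIN_LENGTH = 8                     # assumed policy value

# Constructed stand-in for a real dictionary ("any word in ANY language").
COMMON_WORDS = {
    "password", "football", "sneakers", "curtain", "attention",
    "virginia", "hokies", "welcome", "summer", "letmein",
}

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Digit-for-letter swaps used in the slide's examples (F00t8a77, 5n3ak3r5).
SUBSTITUTIONS = str.maketrans({"o": "0", "b": "8", "l": "7", "e": "3", "s": "5"})


def first_letters(phrase: str) -> str:
    """Keep the first letter of each word plus any digits and punctuation.

    "I went to Ft. Lauderdale in 85!" -> "IwtF.Li85!"
    """
    return "".join(re.sub(r"(?<=[A-Za-z])[A-Za-z]+", "", tok)
                   for tok in phrase.split())


def substitute(word: str) -> str:
    """Apply the slide's digit substitutions to lowercase letters only."""
    return word.translate(SUBSTITUTIONS)


def has_sequence(pw: str, n: int = 4) -> bool:
    """True if pw contains n consecutive letters or digits (abcd, 4321)."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_run(pw: str, n: int = 4) -> bool:
    """True if pw contains n adjacent keys from one keyboard row (qwer)."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            if any(r[i:i + n] in s for i in range(len(r) - n + 1)):
                return True
    return False


def check_password(pw: str) -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if any(w in pw.lower() for w in COMMON_WORDS):
        problems.append("dictionary word")
    if has_sequence(pw):
        problems.append("sequential characters")
    if has_keyboard_run(pw):
        problems.append("adjacent keyboard keys")
    return problems


if __name__ == "__main__":
    for candidate in ("abcdefg", "qwerty123", "curtain99",
                      first_letters("I went to Ft. Lauderdale in 85!"),
                      substitute("Football")):
        print(f"{candidate:16} -> {check_password(candidate) or 'OK'}")
```

Run it as a script to see each candidate's verdict. Password-cracking tools apply these same first-letter and digit-substitution rules when mangling word lists, so treat the substitutions as one ingredient alongside length and an unguessable phrase, not as a replacement for them.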