FDI-2009summer-30min - Scholar

Information Technology
Security at Virginia Tech
Wayne Donald
IT Security Officer
Randy Marchany
Director, IT Security Lab
Nick Pachis
IT Security
Why Discuss IT Security?

Confidential Data Exposures
Identity Theft
Physical property Theft
It does happen here!

Need more?

“It won’t happen to me!”
An “open” network environment to foster collaboration and free exchange of information
“There is nothing on my machine anyone would want.”
Too much confidential data, too many questions
Usually a wide range of hardware/software to support – and it often moves between home, campus, and other environments
Too few security experts and weak tools – often assign untrained personnel to maintain system security
University Policy 7010

This policy will help ensure that all technology resources and services are as stable, secure and trustworthy as possible to help ensure security for individuals, departments, and the university.
Departments and individual users must adhere to security standards, including, but not limited to:
– Updating your operating system and software
– Installing antivirus software and keeping it updated
– Installing and maintaining access controls (e.g. passwords, permissions, firewalls, etc.)
– Using strong passwords
– Maintaining adequate physical security for critical, confidential/sensitive resources
– Ensuring adequate back-up
– Limiting permission and access to those that need it
– Contacting the appropriate personnel in case of problems
Important Policies

http://www.policies.vt.edu
Compliance With Regulations

FERPA - individuals’ access to their academic record, as well as third party access and the appropriate security of the education record
HIPAA - privacy protection for health records
G-L-B - the security and confidentiality of customer nonpublic financial information records
PCI - Payment Card Industry (PCI) Data Security Standard for credit card usage
SOX - Sarbanes-Oxley Act dealing with financial applications
Patriot Act – gives the federal government the ability to investigate threats to the national security
Copyright laws – legal right to exclusive publication, production, sale, or distribution of literary, musical or artistic work
– Software; Publications; Music/Movies
Additional Federal and State regulations – dealing with day-to-day activities from purchasing items to personnel issues to reporting structures to what’s legal to access
Protect Your Data
Know your data!

What is sensitive data?
– Social Security Numbers, Medical Records, Student Grades, Human Research material (IRB approved), Credit Card Numbers, etc.
What are the risks to my data?
– Information theft and fraud
– Deletion and changing of information
– Unintentional exposures and misuses
Data Protection Solutions

Encryption – One of the safest ways to protect your data both in transit and at rest
– GPG – command line only - http://www.gnupg.org/
– TrueCrypt – http://www.truecrypt.org/
– Commercial Encryption options
SSL – Make certain all sensitive data is submitted over a secure connection (https)
Store on removable media (thumbdrive, CD/DVD, etc.) – if there is concern about the data being on a laptop, store it elsewhere

Know where your data is!

Find SSNs and CCNs - http://www.security.vt.edu/findssnccn.html
– Virginia Tech written tool
IT Technology Security Reviews
– Security reviews can be requested by any university departments
– The purpose is to review systems and applications within a department to:
  – identify potential disclosure or integrity problems with hardware, applications, and critical data
  – help departments recognize their vulnerabilities and offer alternatives
  – prepare a security review report for distribution to appropriate individuals
– The reviews will help prevent data disclosures and possible manipulations that might embarrass the university, department, or individuals
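The slide points to the university's Find SSNs and CCNs tool but does not say how such a data-discovery scan works. The Python below is an added example written for this page; it is not Virginia Tech's findssnccn tool and makes no claim about how that tool is built. It goes slightly beyond the slide in one respect: besides matching the 3-2-4 SSN shape (and rejecting never-issued area/group/serial ranges) it matches 13 to 19 digit card-like runs and keeps only those that pass the Luhn checksum, which removes most phone numbers, invoice ids and other digit runs that a bare pattern match would report. Findings are masked to the last four digits so the scan report is not itself a new exposure. The regular expressions, function names and the sample roster text are all constructed for this example.

```python
"""Locate SSN-like and credit-card-like strings in text.

Added example for this slide deck; it is NOT Virginia Tech's findssnccn tool.
The sample text at the bottom is constructed and contains only test values.
"""
import re
import sys

# SSN: 3-2-4 digits with optional separators. Areas 000, 666 and 9xx,
# group 00 and serial 0000 are never issued, so they are excluded.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b"
)
# Card: 13 to 19 digits, optionally separated by single spaces or hyphens.
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: real card numbers pass; most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so a report does not leak what it found."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list[dict]:
    """Return one finding per SSN or Luhn-valid card number, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append({"line": lineno, "kind": "SSN", "masked": mask(m.group(0))})
        for m in CCN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append({"line": lineno, "kind": "CCN", "masked": mask(m.group(0))})
    return findings


def scan_file(path: str) -> list[dict]:
    """Scan one file; undecodable bytes are replaced rather than aborting the scan."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample: every number here is a test value, not real data.
SAMPLE = """\
Student roster export (constructed sample)
Alice Example, SSN 123-45-6789, grade A
Bob Example, card 4111 1111 1111 1111 on file
Carol Example, phone 540-231-6000, ref 4111-1111-1111-1112
Invoice 000-12-3456 is not a valid SSN
"""

if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for f in results:
        print(f"line {f['line']}: {f['kind']} {f['masked']}")
```

Run with a file path to scan that file, or with no arguments to scan the constructed sample, which reports only the SSN on line 2 and the Luhn-valid card on line 3: the phone number has the wrong digit grouping, the reference number fails the checksum, and the invoice id starts with an unissued area number.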
Protect Your Machine
Your First Line of Defense

The VTnet CD should be your first line of defense; it will:
– Make certain your firewall is turned on
– Turn on Windows Update if it is off
– Install Antivirus if it isn’t installed
– Install the root certificates
– Etc.
– http://antivirus.vt.edu/proactive/vtnet2007.asp
Physical Security

Don’t assume physical security!!
Key component is location and accessibility of computers
– Just the position/location of monitor and keyboard is key
– Even more critical if used with sensitive data
Keep areas locked when necessary and consider restricted access (physically and on systems)
Know who you are working with and why they would be seeking physical access
– Don’t stay logged on and leave your system
Laptops and PDAs require additional security measures – especially if those devices contain confidential data
Disable Auto-Logon on any computers
Wireless Security

Always use encryption when transmitting sensitive data
– Use secure web sites (https://)
– Use Webmail, Outlook Exchange, Eudora for email transmissions
– http://www.computing.vt.edu/email_and_calendaring/vt_mail/ssl.html gives information for secure email
Use an encryption tool to encrypt sensitive files (or folders)
– GPG – command line only - http://www.gnupg.org/
– TrueCrypt – http://www.truecrypt.org/
– Commercial Encryption options
Consider using a memory stick to store the data encrypted rather than storing it on the laptop
Protect Yourself
Password Management

DON’T SHARE YOUR PASSWORD!
– If a person does something malicious while logged on as you, it will likely be blamed on you
– If I had your PID/Password I could:
  – Change your benefits, request your W2, read and send your email, change grades, etc.
If you think someone knows your password – CHANGE IT!
Selecting Good Passwords

Don’t use any actual word or name in ANY language
Don’t use consecutive letters or numbers (abcdefg) or adjacent keys on the keyboard (qwerty)
Using the first letter: “Pay no attention to the man behind the curtain,” becomes the password – PnAttMBtC
– A special event: “I went to Ft. Lauderdale in 85!” becomes IwtF.Li85! or use the last letter and reverse caps for iTOT.eN85!
Football might become F00t8a77 or sneakers might be 5n3ak3r5
Using something common like a child’s name and birthdate: RLS87&ds
Maybe a special event: SB85Vt&Tx
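The slide gives two "don't" rules and a first-letter recipe. The Python below is an added example, not a Virginia Tech tool, that turns them into something a department could actually run: `from_phrase` applies the first-letter method (keeping digit runs and trailing punctuation, so the slide's Ft. Lauderdale phrase yields exactly IwtF.Li85!; the slide's hand-chosen capitalisation such as PnAttMBtC is left to the user), and `check_password` rejects dictionary words and straight alphabet, digit or keyboard-row runs. It is stricter than the slide in one way worth knowing: it undoes the digit-for-letter substitutions before the dictionary check, because password-cracking tools apply exactly those rules, so F00t8a77 and 5n3ak3r5 are flagged as disguised words. The word list, the keyboard rows, the substitution table and the 8-character minimum are constructed assumptions for this example; a real checker would load a full wordlist.

```python
"""Check a candidate password against the slide's "don't" rules and build a
password from a phrase by the first-letter method.

Added example, not a Virginia Tech tool. The word list, keyboard rows,
substitution table and 8-character minimum are constructed assumptions.
"""
import re
import string

# Stand-in for a dictionary (assumption): a few words the slide itself uses.
COMMON_WORDS = {"football", "sneakers", "password", "virginia", "hokie"}

# Straight runs the slide warns about: alphabet, digits, keyboard rows.
RUNS = [string.ascii_lowercase, string.digits, "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Digit-for-letter substitutions undone before the dictionary check; cracking
# tools apply the same rules. The 7 -> l mapping follows the slide's F00t8a77.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "l", "8": "b", "@": "a", "$": "s"})

MIN_LENGTH = 8  # assumption; the slide states no length


def from_phrase(phrase: str) -> str:
    """First character of each word, keeping digit runs and trailing punctuation:
    "I went to Ft. Lauderdale in 85!" -> "IwtF.Li85!" as on the slide."""
    parts = []
    for token in phrase.split():
        lead = re.match(r"\d+|[A-Za-z]", token)
        if not lead:
            continue  # token has no letter or digit to take
        trail = re.search(r"[^A-Za-z0-9]+$", token)
        parts.append(lead.group(0) + (trail.group(0) if trail else ""))
    return "".join(parts)


def contains_word(password: str, words=COMMON_WORDS, min_len: int = 4) -> bool:
    """True if a listed word appears, plainly or behind digit substitutions."""
    lowered = password.lower()
    for candidate in (lowered, lowered.translate(LEET)):
        if any(len(w) >= min_len and w in candidate for w in words):
            return True
    return False


def contains_run(password: str, length: int = 4) -> bool:
    """True if `length` characters in a row follow an alphabet, digit or
    keyboard-row sequence, forwards or backwards (abcd, 4321, qwer)."""
    lowered = password.lower()
    for i in range(len(lowered) - length + 1):
        chunk = lowered[i:i + length]
        if any(chunk in run or chunk[::-1] in run for run in RUNS):
            return True
    return False


def check_password(password: str, words=COMMON_WORDS) -> list[str]:
    """Return the list of rule violations; an empty list means it passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if contains_word(password, words):
        problems.append("contains a dictionary word (possibly disguised)")
    if contains_run(password):
        problems.append("contains consecutive letters/digits or adjacent keys")
    return problems


if __name__ == "__main__":
    candidates = ["abcdefg1", "qwerty12", "F00t8a77", "5n3ak3r5",
                  from_phrase("I went to Ft. Lauderdale in 85!")]
    for pw in candidates:
        print(pw, "->", "; ".join(check_password(pw)) or "OK")
```

Of the five candidates printed, only the phrase-derived IwtF.Li85! passes; the two leet-spelled words are reported as disguised dictionary words and the other two as runs.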
Using/Creating Secure Websites

Ensure that you are using a secure website when transmitting any sensitive or confidential data over the web
Simply put, you don’t want your personal or confidential information broadcast to the world for all to see; this is especially important on wireless.
Social Networking
Social Networking – Facebook, Myspace, Second Life, etc.
– Social Networking isn’t “bad”
The good things:
– Keep in touch with colleagues at a distance
– Useful in distance classes
– Find others with your interests or peers in your field
The bad things:
– Can be used to harvest personal information
– Difficult to remove the information when you no longer want it displayed
– Employers are using it for references more frequently
Social Engineering

Social engineering is the practice of obtaining confidential information by manipulation of legitimate users
– Impersonation of an important user to gain physical access to a machine or data.
References and Contact Information
Helpful Sites

Computing site: http://computing.vt.edu
Contact Information

4Help: http://4help.vt.edu – 231-HELP
Security web site: http://security.vt.edu
VT Computing site: http://computing.vt.edu
IT Security Office and IT Security Lab
1300 Torgersen Hall
Wayne Donald – wdonald@vt.edu
Randy Marchany – marchany@vt.edu
Brad Tilley – rtilley@vt.edu
Nick Pachis – npachis@vt.edu