Avoiding Identity Theft
Benjamin Kirchmeier
Information Technology Services

Identity Theft
Protect University Employees and Customers

Protecting UI Customers
• Take Stock
• Scale Down
• Lock It
• Destroy It
• Plan Ahead
• Source: Federal Trade Commission: Avoid ID Theft
  http://www.ftc.gov/bcp/edu/microsites/idtheft/

Take Stock
• What Sensitive Personal Information (SPI) data do you use?
• Where is SPI?
  • Electronic
  • Physical
• Who has access to SPI?
• How is SPI used?
• FERPA (Family Educational Rights and Privacy Act)

Scale Down
• Ensure a business need exists.
• SPI data should only be maintained using University sanctioned systems and procedures
• Consider a retention policy for SPI
• Securing and Destroying SPI
  • Administrative Procedures Manual: 30.12 UI Computer Use Policy
  • http://www.uihome.uidaho.edu/default.aspx?pid=97510

Lock It
• Physical Security
• Electronic Security
• Password Management
• Laptop Security
• Firewalls
• Wireless and Remote Access Networking
• Breach Detection
• Employee Training
• Security Practices of Contractors and Vendors

Physical Security
• Office security
• Access Controls/Restricted Spaces
• SPI document transfer policy

Electronic Security
• Store all SPI on the University’s filesystem
• Antivirus software must be installed
• Encrypt SPI - EncryptOnClick
• Proactively peruse valid security websites
• Disable unused services

Encrypt-On-Click
• Free!
• Military-grade encryption (256bit AES)
• No ‘backdoor’ to files in an .eoc archive
Download: http://www.2brightsparks.com/assets/software/EncryptOnClick_Setup.exe

Password Management
• Longer passwords are safer
• Ensure employees never share passwords with anyone, including ITS
• Require password-activated screen savers
• Never use your University password with another vendor
• Save your passwords in a safe location
  • KeePass E-Wallet - Not a Word or Excel file
  • Paper copy locked in safe - Not under the keyboard

Laptop Security
• Restrict use of portable devices
• Never save SPI on a laptop
• Consider cords and locks to secure laptops
• https://support.uidaho.edu/FAQ/Laptop Security/

Laptop Security – Task Manager
http://www.sans.org/top20/#s2

Service name  Display name                         Enterprise Client desktop/laptop  Standalone desktop/laptop
Alerter       Alerter                              Disabled                          Disabled
ClipSrv       ClipBook                             Disabled                          Disabled
Browser       Computer Browser                     Not Defined                       Disabled
Fax           Fax                                  Not Defined                       Disabled
MSFtpsvr      FTP Publishing                       Disabled                          Disabled
IISADMIN      IIS Admin                            Disabled                          Disabled
cisvc         Indexing Service                     Not Defined                       Disabled
Messenger     Messenger                            Disabled                          Disabled
mnmsrvc       NetMeeting® Remote Desktop Sharing   Disabled                          Disabled
RDSessMgr     Remote Desktop Help Session Manager  Not Defined                       Disabled
RemoteAccess  Routing and Remote Access            Disabled                          Disabled
SNMP          SNMP Service                         Disabled                          Disabled
SNMPTRAP      SNMP Trap Service                    Disabled                          Disabled
SSDPSrv       SSDP Discovery Service               Disabled                          Disabled
Schedule      Task Scheduler                       Not Defined                       Disabled
TlntSvr       Telnet                               Disabled                          Disabled
TermService   Terminal Services                    Not Defined                       Disabled
Upnphost      Universal Plug and Play Device Host  Not Defined                       Disabled
W3SVC         World Wide Web Publishing            Disabled                          Disabled

Laptop Security - Encryption
• No official recommendation or support from ITS
• Research products prior to using on production machines
  • TrueCrypt
    http://www.truecrypt.org/
  • PGP Whole Disk Encryption
    http://www.pgp.com/products/wholediskencryption/
  • BitLocker
    http://technet.microsoft.com/en-us/windows/aa905065.aspx
  • FileVault
    http://www.apple.com/macosx/security/

ITS Sophos Firewall
• By default, installs only for AD bound machines
• Server-based firewall exceptions
• Set to allow only file sharing access to known ITS services (Netbios)
• Remote Desktop only allowed from 129.101.0.0/16 addresses (e.g. VPN required)
• Temporary exceptions allowed for application installation; settings will reset
• Permanent exceptions should be requested through ITS Help Desk
• Custom firewall policies can be applied to a prefix group
• Windows 7 will be supported in a forthcoming release

ITS Firewalls - Managed Security Network
• Managed Security Network (MSN) - For all users who handle SPI
• Firewall Policy Summary
  • Deny access to non-ITS managed Infrastructure services, such as File sharing, Email, Database, and Directory services
  • Allow all other network communication initiated by hosts in the network
  • Allow select network communication initiated by ITS-Managed Infrastructure and Application servers
  • Allow RDP access from other MSN Networks and ITS-Managed VPN users
  • Deny all other network communication initiated from outside the network

ITS Firewalls - MSN Lite (Proposed)
• MSN Lite - For all academic and administrative user networks that do not have servers
• Firewall Policy Summary
  • Allow all network communication initiated by hosts in the network
  • Allow select network communication initiated by ITS-Managed Infrastructure and Application servers
  • Allow RDP access from UI Networks
  • Deny all other network communication initiated from outside the network

ITS Firewalls - Public
• Public - For all residence and wireless access networks.
• Firewall Policy Summary
  • Allow all network communication initiated by hosts in the network
  • Allow select network communication initiated by ITS-Managed Infrastructure and Application servers
  • Deny all network communication initiated from outside the network

Wireless and Remote Access Networking
• AirVandalGold v. AirVandal
• ITS VPN Solution
  • The 64-bit quandary
  • Native functionality in Snow Leopard
• Remote Desktop Protocol (RDP)
  • Vulnerable to Man-in-the-Middle Attacks (pre-v.6.0)

Employee Training
• FERPA Training
• Employee Separation - restrict access
• Keep employees up-to-date on new vulnerabilities
• Request sponsored accounts for TH employees
• APM 30.16: Managing Systems for Employee Turnover

3rd Party Contractor and Vendor Security
• Identify what data is sent to vendors
• Address all inconsistencies
• Require vendors to notify the University of any security incidents
• Confirm any security incident on campus with affected vendors

Destroy It
• University forms, CDs, receipts, expired credit cards
• Use Shred-it bins
• Ensure employees apply similar practices, at home and elsewhere
• Surplus old technology - remove hard disks or properly delete data

Plan Ahead
• Disconnect compromised computers immediately
• Report any security incidents immediately
• Seek advice from ITS
• Consider developing a Computer Lifecycle Plan

Plan Ahead - ITS Services
• Proofpoint Messaging Security Appliance
  • Monitoring email for credential breaches
  • BadAttachment rules
  • All University email (in or out) is scanned
• University border firewall
  • DNS restrictions (Zlob)
  • SMTP Mail (Port 25)
  • MSSQL

Identity Theft
Protect Yourself

Secure Sensitive Documents
• Safeguard your Social Security card and birth certificate
• Use these documents only when absolutely necessary
• Consider using a safe deposit box for original documents

Destroy Unused Information
• Shred junk mail, personal documents, medical records, or other data.
• Use a post office box or mail slot for secure mail delivery
• Consider using Opt Out to reduce junk mail
  • https://www.optoutprescreen.com/
  • (888) 567-8688

Identify Frauds and Scams
• Do not reply to any electronic communication asking for personal information
• Enter URLs manually
• Use known phone numbers from statements or valid phone directory
• Verify vendor’s identity

Unique Passwords
• 15+ passphrases = 400 day expiration!
• Never use UI credentials with an external account
• Leverage unique intricate passwords for each account you hold
• Password management software

Peer-to-Peer Filesharing (p2p)
• Default program settings can be insecure
• Files downloaded may include a nefarious payload or be mislabeled
• Only download software from trusted locations
• Legal and Copyright violations
https://support.uidaho.edu/p2p/

Install [Sophos] Antivirus
• Symantec licenses have expired!
• Sophos available at no cost
• Lower overhead, more frequent updates
• Keep the software current
• Support for major operating systems
• Auto updates

Uh-oh, you’ve been victimized!
• Review credit reports and place Fraud Alerts on them
• Close all accounts in question
• File a complaint with the Federal Trade Commission
• File a police report in the community where the theft took place

Fraud Alerts
• 90-day Alert (if you suspect you’re a victim)
• Extended Alert (requires Identity Theft Report)
  • Seven year lifespan
  • Eligible for two free credit reports per year
  • Removed from prescreened marketing lists (5 years)
• Businesses may still check your credit report
• Businesses must contact you or use reasonable policies and procedures to verify identity
• Mainly effective against new credit accounts

Credit Freezes
• Prevents third parties from accessing your credit report
• Useful if you have been, or believe you have been, a victim
• All existing accounts still have access
• Still eligible for your annual credit report

Credit Freezes
• Enacted in Idaho - July 1, 2008
• All consumers eligible
• No fee for victims with a police report
• $6 fee (per agency) to place or lift a freeze otherwise
• $10 PIN replacement fee
• Freeze is permanent until consumer acts

Credit Freeze Caveats
• Does not protect existing accounts
• New accounts created without a credit check are possible

Close Accounts
• Contact the Security or Fraud section of each creditor
• Follow up in writing (certified mail; return receipt)
• Include copies of supporting documents and fraudulent charges

File ID Theft Report
• Assists the Federal Trade Commission (FTC) in assessing nationwide scams
• Helps to permanently block false information from appearing on your credit report
• Ensures debts do not reappear
• Prevents companies from trying to collect fraudulent debts
• Required to file an Extended Fraud Alert
• Details the incident(s) for local police

Identity Theft Insurance
• Will not deter identity thieves
• Aids in minimizing losses
• Research benefits of any plan
• Some may require a Limited Power of Attorney
• Many only save time by acting on your behalf (applying Credit Freezes, Fraud
  Alerts, etc.)

Thank You
Questions?

Resources
• Federal Trade Commission: http://www.ftc.gov/bcp/edu/microsites/idtheft/
• University of Idaho APM 30.12: http://www.uiweb.uidaho.edu:80/policy/
• Encrypt-On-Click: http://www.2brightsparks.com/assets/software/EncryptOnClick_Setup.exe
• SANS Institute - Windows Services: http://www.sans.org/top20/#s2
• UI ITS Laptop Security: https://support.uidaho.edu/FAQ/Laptop Security/
• University of Idaho APM 30.16: http://www.uihome.uidaho.edu/default.aspx?pid=97509
• Splunk>: http://www.splunk.com/
• Proofpoint: http://www.proofpoint.com/
• Opt Out Coalition: https://www.optoutprescreen.com/
• UI ITS Peer-to-peer FAQ: https://support.uidaho.edu/p2p/
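
Added example (not part of the original slides or of any ITS tooling): a PowerShell audit that checks a Windows machine against the service table on the "Laptop Security – Task Manager" slide. The `$Role` parameter and the status labels are names chosen for this example; the service names and required settings are copied from the table, and "Not Defined" is treated as "no requirement".

```powershell
# Added example: compare local service start modes with the slide's baseline table.
param(
    # Which column of the table to check against.
    [ValidateSet('Enterprise', 'Standalone')]
    [string]$Role = 'Standalone'
)

# Services the table lists as Disabled in both columns.
$disabledEverywhere = @(
    'Alerter', 'ClipSrv', 'MSFtpsvr', 'IISADMIN', 'Messenger', 'mnmsrvc',
    'RemoteAccess', 'SNMP', 'SNMPTRAP', 'SSDPSrv', 'TlntSvr', 'Upnphost', 'W3SVC'
)
# Services that are "Not Defined" for Enterprise clients but Disabled for standalone machines.
$disabledStandaloneOnly = @(
    'Browser', 'Fax', 'cisvc', 'RDSessMgr', 'Schedule', 'TermService'
)

$required = $disabledEverywhere
if ($Role -eq 'Standalone') { $required += $disabledStandaloneOnly }

# Index installed services by name (hashtable keys are case-insensitive).
$installed = @{}
Get-CimInstance -ClassName Win32_Service | ForEach-Object { $installed[$_.Name] = $_ }

$report = foreach ($name in $required) {
    $svc = $installed[$name]
    if ($null -eq $svc) {
        $status = 'NotInstalled'   # service does not exist on this Windows version
    } elseif ($svc.StartMode -eq 'Disabled') {
        $status = 'Compliant'
    } else {
        $status = 'Deviation'      # Auto or Manual: the service can still be started
    }
    [pscustomobject]@{
        Service   = $name
        StartMode = if ($svc) { $svc.StartMode } else { '-' }
        State     = if ($svc) { $svc.State } else { '-' }
        Status    = $status
    }
}

$report | Sort-Object Status, Service | Format-Table -AutoSize
# A non-zero exit code lets a scheduled job or management tool flag the machine.
if ($report.Status -contains 'Deviation') { exit 1 }
```

The script only reads service configuration; changing a start mode remains a separate, deliberate step.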