National Cyber Security Awareness Month Presentation

National Cyber Security Awareness Month
Information Technology Services, ITS
Christopher Bohlk, Information Security Officer - Office of
the VP/CIO
Cybersecurity is everyone's responsibility
How Aware Are You?
Hackers WANT YOU!!
They want your personal information, such as credit card
numbers, Social Security numbers, and passwords to
email/banking accounts, in order to get money or steal
intellectual property.
Security Breaches
 Target Breach – 110 million records compromised, 40 million credit
card numbers, 70 million customer records at a cost of at least $148
million
 1.2 billion usernames and passwords compromised by an
organized Russian group.
 Home Depot – At least 56 million credit card numbers were
compromised.
Why Do We Care?
 Identity Theft – Potential fraudulent charges can be made against the
individuals whose information has been breached or stolen. New
accounts can also be opened or existing accounts can be taken over
by an attacker.
 Consequences to the University
 Financial Cost – to respond to a security breach, the institution has to
spend a large amount of money on credit monitoring, communication, and
internal/external resources to remediate the situation. Legal fees may
also apply.
 Loss of Reputation – if a breach occurs, the damage to a university's
reputation is high, affecting future enrollment and alumni donations, which
carry financial implications as well.
Keep a clean machine

Keep security software current: Having the latest
security software, web browser, and operating system
is the best defense against viruses, malware, and
other online threats.

Automate software updates: Many software programs
will automatically connect and update to defend against
known risks. Turn on automatic updates if that's an
available option.
http://www.staysafeonline.org/stop-think-connect/tips-and-advice

Protect all devices that connect to the Internet:
Along with computers, smart phones, gaming systems,
and other web-enabled devices also need protection
from viruses and malware.

Plug & scan: "USBs" and other external devices can
be infected by viruses and malware. Use your security
software to scan them.
REDUCE YOUR RISK
Passwords
 What are some password best practices?

Secure your accounts: Ask for protection beyond
passwords. Many account providers now offer
additional ways for you to verify who you are before you
conduct business on that site, such as a one-time code
from an authenticator app or sent to your phone.

Make passwords long and strong: Combine capital
and lowercase letters with numbers and symbols to
create a more secure password. Length matters most:
every extra character multiplies the guesses an attacker
needs, so a long passphrase beats a short password with
a few symbol substitutions.

Unique account, unique password: A separate
password for every account helps to thwart
cybercriminals, because a password stolen from one site
is otherwise tried against every other site you use
(credential stuffing).

Own your online presence: When available, set the
privacy and security settings on websites to your
comfort level for information sharing. It's ok to limit how
and with whom you share information.
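The "protection beyond passwords" that providers offer is usually a one-time code from an authenticator app, generated with TOTP (RFC 6238) on top of HOTP (RFC 4226). The following is an added example, not code from this presentation or from Pace ITS; it implements both algorithms and the server-side check, using the published RFC test secret ("12345678901234567890") so the values can be verified against the RFC tables. The base32 string is that same secret as an authenticator app would display it.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret; SECRET_B32 is the same 20 bytes in the base32 form
# that an authenticator app or enrolment QR code carries.
SECRET = b"12345678901234567890"
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(s: str) -> bytes:
    """Decode an app-style base32 secret; padding is often omitted, so restore it."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = Unix time // step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int, last_counter: int = -1,
                step: int = 30, window: int = 1):
    """Server-side check. Returns the time-step counter the code matched, or None.

    - tolerates +/- `window` steps of clock skew between the phone and the server;
    - rejects any counter <= last_counter, so a code a phisher captured cannot be
      replayed (the caller stores the returned counter per user);
    - compares in constant time so timing does not leak the expected digits."""
    counter = now // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, len(submitted)), submitted):
            return candidate
    return None


if __name__ == "__main__":
    assert secret_from_base32(SECRET_B32) == SECRET
    print("HOTP counter 0:", hotp(SECRET, 0))      # RFC 4226 test vector
    print("TOTP at t=59:", totp(SECRET, 59))       # RFC 6238 test vector
    print("code right now:", totp(SECRET, int(time.time())))
```

The replay guard is the part most home-grown verifiers forget: a code that was valid thirty seconds ago is still inside the skew window, so a phishing page that relays the victim's code in real time succeeds unless each counter is accepted only once.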
CONNECT WITH CARE
Think before you click
When in doubt, throw it out
http://stopthinkconnect.org/tips-and-advice/
Phishing Emails
Example 1: Most Common
Dear Webmail User,
Your mailbox has exceeded the allocated storage limit as set
by the administrator, you may not be able to send or receive
new mail until you upgrade your allocated quota.
To upgrade your quota, CLICK HERE to verify your email
account.
Thank you for your anticipated cooperation.
System Administrator
IT Helpdesk
Example 2
To: Bohlk, Chris
Please view the document I uploaded for you using Google
docs.
Click here
Just sign in with your email to view the document its very
important.
Thank you
Example 3
Security Alerts:
Dear Citibank Customer,
All Citibank accounts access for online use are required to confirm their personal information due to a high
volume of fraud and unauthorized access from outside US Territories.
For your protection your account is temporarily limited. An account that is temporarily limited is required to
confirm the Account Information.
To successfully confirm your information we require your Citibank® Banking Card and Personal Identification
Number (PIN) so you can access your accounts at ATMs and online. Here’s how to confirm your account
information online:
Go to Citibank Online page and complete the Card Verification form.
Agree to site Terms & Conditions and confirm your personal information.
You’ll be successfully confirmed and your Citibank® Account is verified.
You may also want to view the Disclosures and Agreement that you agreed to when you applied, which you
can do for the next 90 days at Citibank Online.
Again, thank you for choosing Citibank.
IMPORTANT: Accounts are opened on Business Days only. If you apply on a Saturday, Sunday, or Bank
Holiday or on a Business Day at a time when the processing of your application cannot be completed that
same day, your account will be opened on the following Business Day. If this occurs, your account will
receive the interest rate and annual percentage yield in effect on the date it is opened.
Other Types of Phishing Emails
 Anticipate that you may receive fake UPS, Fedex,
Amazon, or other emails trying to get you to click on
links or provide personal information. Simply delete
these emails.
 Also anticipate holiday greetings, birthday
messages, funny videos, or gossip headlines as
ways in which attackers will try to steal your
information or send you to a malicious website.
Delete all such suspicious messages.
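The three examples above share a small set of tells: a sender or Reply-To that does not match, a link whose text says one domain while the href goes to another, pressure to act now, and a request for a password, PIN or card number. The following added example (not from the presentation or from Pace ITS) turns those tells into triage rules and runs them over three constructed messages modelled on the slides; the domains webmail-upgrade.example and account-verify.example are invented for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases the slide examples rely on: pressure to act now, and a request for secrets.
URGENCY = ("exceeded", "temporarily limited", "unauthorized access", "immediately",
           "suspended", "will be closed", "within 24 hours")
CREDENTIAL_ASKS = ("password", "pin", "personal identification number", "banking card",
                   "verify your email account", "sign in with your email",
                   "confirm your personal information")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
URLISH_RE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


def domain_of(s: str) -> str:
    """Last two labels of the host in a URL or address ("www.citibank.com" -> "citibank.com").
    A production filter would consult the public-suffix list; two labels suffice for triage."""
    s = s.strip().lower()
    if "@" in s and "://" not in s:
        host = s.rsplit("@", 1)[1]
    else:
        host = urlparse(s if "://" in s else "http://" + s).hostname or ""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage(raw: str) -> dict:
    """Collect phishing indicators from one raw RFC 822 message and return a verdict."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To goes to {domain_of(reply_addr)}, not the From domain {from_dom}")
    body = "" if msg.is_multipart() else msg.get_payload()
    for href, anchor in ANCHOR_RE.findall(body):
        link_dom = domain_of(href)
        shown = TAG_RE.sub("", anchor).strip()
        if href.lower().startswith("http://"):
            findings.append(f"link is plain http: {href}")
        if URLISH_RE.match(shown) and domain_of(shown) != link_dom:
            findings.append(f"link text shows {domain_of(shown)} but points at {link_dom}")
        if link_dom != from_dom:
            findings.append(f"sender is {from_dom} but link points at {link_dom}")
    text = " ".join(TAG_RE.sub(" ", body).lower().split())
    for label, phrases in (("urgency language", URGENCY), ("asks for credentials", CREDENTIAL_ASKS)):
        for phrase in phrases:
            if re.search(r"\b" + re.escape(phrase) + r"\b", text):
                findings.append(f"{label}: '{phrase}'")
    verdict = ("no indicators" if not findings
               else "suspicious" if len(findings) == 1 else "likely phishing")
    return {"verdict": verdict, "findings": findings}


# Constructed messages modelled on the slide examples (not real mail); domains are invented.
EMAIL_QUOTA = """\
From: IT Helpdesk <helpdesk@pace.edu>
Reply-To: admin@webmail-upgrade.example
To: user@pace.edu
Subject: Mailbox quota exceeded
Content-Type: text/html

Dear Webmail User,<br>
Your mailbox has exceeded the allocated storage limit set by the administrator.
To upgrade your quota, <a href="http://webmail-upgrade.example/verify">CLICK HERE</a>
to verify your email account.
"""

EMAIL_BANK = """\
From: Citibank Security <alerts@citibank.com>
To: customer@example.com
Subject: Security Alert
Content-Type: text/html

Dear Citibank Customer,<br>
For your protection your account is temporarily limited due to unauthorized access
from outside US territories. To confirm your information we require your Banking Card
and Personal Identification Number (PIN). Go to
<a href="https://citibank.com.account-verify.example/confirm">https://www.citibank.com/online</a>
and complete the Card Verification form.
"""

EMAIL_BENIGN = """\
From: Pace ITS Help Desk <pacehelpdesk@pace.edu>
To: user@pace.edu
Subject: Policy library update
Content-Type: text/html

Hello,<br>
The IT Appropriate Use Policy was updated. You can read it in the
<a href="https://www.pace.edu/policies">policy library</a> after signing in with your Pace credentials.
"""

if __name__ == "__main__":
    for name, raw in (("quota", EMAIL_QUOTA), ("bank", EMAIL_BANK), ("benign", EMAIL_BENIGN)):
        result = triage(raw)
        print(name, result["verdict"], *result["findings"], sep="\n  ")
```

The link-text rule is the one worth internalising as a reader: the text of a link is whatever the sender typed, and only the href (shown by hovering, or in the status bar) says where a click really goes.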

Get savvy about Wi-Fi hotspots: Limit the type of
business you conduct and adjust the security settings
on your device to limit who can access your machine.

Protect your $$: When banking and shopping, check
that the site is security enabled. Look for web
addresses beginning with "https://", which means the
connection is encrypted so others on the network cannot
read what you send. "http://" is not secure. Note that
https only protects the data in transit: a phishing site
can use https just as easily, so also check that the
domain name is the one you expect.

Stay current. Keep pace with new ways to stay safe
online: Check trusted websites for the latest
information, and share with friends, family, and
colleagues and encourage them to be web wise.

Think before you act: Be wary of communications that
implore you to act immediately, offer something that
sounds too good to be true, or ask for personal
information.
Web Browsing
Visit trusted websites that are needed to conduct Pace University
business.
 What happens when visiting a malicious website?
 An attacker may be able to take full control of your computer: log every keystroke,
including your username and password and everything else you type; read all the
information you are authorized to view; impersonate you by sending messages from your
account; and access everything on your computer without your knowledge.
 Aimless surfing to non-work-related sites increases the chances that you will be
compromised.
 Although antivirus software is an important tool, it is only 60%-75% effective at
detecting malware.
Properly Handle Personally Identifiable Information (PII)
What is PII?
When there is a business process that requires the handling of PII, extreme care
should be taken to protect the information.
Examples of PII type information:
 Social security numbers
 Credit card numbers
 Bank account numbers
 Health information
Requirements for handling PII:
 Should only be accessed if there is a business need to perform one's job
function, and only through the authorized server/database
 Should never be uploaded to a publicly accessible web server
 Pace PII should not be stored in cloud services, such as Dropbox
 Data that is needed by the University should never be downloaded and stored on
workstations, personal (home) computers, USB drives, mobile devices, or laptops
 Should be kept confidential and never shared with third parties or individuals
not authorized to handle this data
 Printed documents containing PII should be locked in a cabinet in a secure
location - they must not be in plain sight or easily accessible
 Data that does not need to be maintained by the University should never be stored
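The rule that PII must not end up on workstations, USB drives or laptops is only enforceable if you can find it when it does. The following added example (not from the presentation or from Pace ITS) is a small scanner for the two PII types on the slide with a recognisable shape, Social Security numbers and payment card numbers, run over a constructed sample export; the Luhn check keeps ordinary 16-digit order or account numbers from being reported as cards, and the report masks everything but the last four digits so the scan output is not itself a PII leak.

```python
import os
import re

# SSN: area 000, 666 and 9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes; Luhn decides if it is a card.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812) that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return masked findings (line number, kind, masked value) for SSNs and card numbers."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            hits.append({"line": n, "kind": "ssn", "masked": "***-**-" + m.group()[-4:]})
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append({"line": n, "kind": "card",
                             "masked": "*" * (len(digits) - 4) + digits[-4:]})
    return hits


def scan_tree(root: str, extensions=(".txt", ".csv", ".log")) -> dict:
    """Walk a directory (e.g. a workstation's Documents folder) and scan text-like files."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample of the kind of export that should never sit on a workstation.
# The SSN is the SSA's well-known advertising number and the card is a public test number.
SAMPLE_EXPORT = """\
Student record export 2014-10-01
name: J. Doe, ssn: 219-09-9999
card on file: 4111 1111 1111 1111 exp 12/16
order number: 1234567890123456 (not a card, fails Luhn)
bogus ssn: 000-12-3456 (invalid area number)
phone: 914-773-3333
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_EXPORT):
        print(f"line {hit['line']}: {hit['kind']} {hit['masked']}")
```

Run `scan_tree` against a user's home directory to get a per-file report; the same patterns work as a check in a mail gateway or a pre-commit hook, which is how "should never be uploaded" becomes a control rather than a reminder.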
Physical Security
If an attacker gains physical access to a device, the attacker can usually read all
information on that system: an unlocked or sleeping machine can be used directly, and an
unencrypted disk can simply be removed and read elsewhere. Full-disk encryption on a
powered-off, locked device is what limits the damage of a theft.

Keep track of and secure your devices.
 Use a cable and lock system to secure your laptop to a desk to reduce the chance of theft, or
 Lock equipment in a secure location

Secure other forms of sensitive information (including paper documents) by locking them in
a cabinet or safe.

Lock the office door when you are at meetings or away from your desk to better protect
Pace’s assets.

If you leave your desk, lock your computer screen to protect your system.

Ensure that no one is watching while you type your password or that others are not
eavesdropping if you are talking about confidential information.
When traveling, be vigilant and keep track of your mobile devices and/or laptop at all
times. Ensure that they are accounted for after going through security checkpoints.
Pace Policy Library
Review the Pace University Policy Library to ensure you
are up-to-date with the latest IT Security Policies such
as the IT Appropriate Use Policy and other university
policies. Pace credentials are required to access the
policies.
http://www.pace.edu/policies
Incident Notification
If you encounter or suspect an information security
incident, immediately report this information to the ITS
Help Desk at (914) 773-3333
(pacehelpdesk@pace.edu).
The Help Desk should always be the initial point of
contact. They will ensure that the event is documented
and handed off to the appropriate party.
Our Data Is In Your Hands!
Help Us Keep It Secure!
Questions?