National Cyber Security Awareness Month
Information Technology Services, ITS
Christopher Bohlk, Information Security Officer - Office of the VP/CIO
Cybersecurity is everyone's responsibility

How Aware Are You?
Hackers WANT YOU!! They want your personal information, such as credit card numbers, social security numbers, and passwords to email and banking accounts, in order to get money or steal intellectual property.

Security Breaches
Target breach: 110 million records compromised (40 million credit card numbers and 70 million customer records), at a cost of at least $148 million.
1.2 billion usernames and passwords compromised by an organized Russian group.
Home Depot: at least 56 million credit card numbers were compromised.

Why Do We Care?
Identity Theft: potentially fraudulent charges can be made against the individuals whose information has been breached or stolen. New accounts can also be opened, or existing accounts taken over, by an attacker.

Consequences to the University
Financial Cost: in order to respond to a security breach, the institution will have to fund a large amount of money for credit monitoring, communication, and internal/external resources to remediate the situation. Potential legal fees could also apply.
Loss of Reputation: if a breach occurs, the ramifications to a university's reputation are high, affecting future enrollment and alumni donations, which all carry financial implications as well.

Keep a Clean Machine
Keep security software current: having the latest security software, web browser, and operating system is the best defense against viruses, malware, and other online threats.
Automate software updates: many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that's an available option.
Source: http://www.staysafeonline.org/stop-think-connect/tips-and-advice
Protect all devices that connect to the Internet: along with computers, smart phones, gaming systems, and other web-enabled devices also need protection from viruses and malware.
Plug & scan: "USBs" and other external devices can be infected by viruses and malware. Use your security software to scan them.

REDUCE YOUR RISK

Passwords
What are some password best practices?
Secure your accounts: ask for protection beyond passwords. Many account providers now offer additional ways for you to verify who you are before you conduct business on that site.
Make passwords long and strong: combine capital and lowercase letters with numbers and symbols to create a more secure password.
Unique account, unique password: separate passwords for every account help to thwart cybercriminals.
Own your online presence: when available, set the privacy and security settings on websites to your comfort level for information sharing. It's OK to limit how and with whom you share information.

CONNECT WITH CARE
Think before you click. When in doubt, throw it out.
http://stopthinkconnect.org/tips-and-advice/

Phishing Emails
Example 1: Most Common
Dear Webmail User,
Your mailbox has exceeded the allocated storage limit as set by the administrator, you may not be able to send or receive new mail until you upgrade your allocated quota. To upgrade your quota, CLICK HERE to verify your email account.
Thank you for your anticipated cooperation.
System Administrator
IT Helpdesk

Example 2
To: Bohlk, Chris
Please view the document I uploaded for you using Google docs. Click here
Just sign in with your email to view the document its very important.
Thank you

Example 3
Security Alerts:
Dear Citibank Customer,
All Citibank accounts access for online use are required to confirm their personal information due to a high volume of fraud and unauthorized access from outside US Territories. For your protection your account is temporarily limited. An account that is temporarily limited is required to confirm the Account Information. To successfully confirm your information we require your Citibank® Banking Card and Personal Identification Number (PIN) so you can access your accounts at ATMs and online.
Here's how to confirm your account information online:
Go to Citibank Online page and complete the Card Verification form.
Agree to site Terms & Conditions and confirm your personal information.
You'll be successfully confirmed and your Citibank® Account is verified.
You may also want to view the Disclosures and Agreement that you agreed to when you applied, which you can do for the next 90 days at Citibank Online.
Again, thank you for choosing Citibank.
IMPORTANT: Accounts are opened on Business Days only. If you apply on a Saturday, Sunday, or Bank Holiday or on a Business Day at a time when the processing of your application cannot be completed that same day, your account will be opened on the following Business Day. If this occurs, your account will receive the interest rate and annual percentage yield in effect on the date it is opened.

Other Types of Phishing Emails
Anticipate that you may receive fake UPS, FedEx, Amazon, or other emails trying to get you to click on links or provide personal information. Simply delete these emails.
Also anticipate holiday greetings, birthday messages, funny videos, or gossip headlines as ways in which attackers will try to steal your information or send you to a malicious website. Delete all such suspicious messages.

Get savvy about Wi-Fi hotspots: limit the type of business you conduct and adjust the security settings on your device to limit who can access your machine.
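The three sample emails above share the cues the deck tells readers to watch for: urgency, a bare "click here", a request for credentials or card/PIN data, a request to "verify" or "confirm" account information, and a generic greeting. The following Python is an added example (not part of the original presentation) that scores a message on those cues; the indicator patterns, thresholds and the benign control message are constructed for illustration.

```python
import re

# Indicator patterns built from the cues the deck highlights. They are a
# teaching heuristic, not a production filter: real mail filters combine
# many more signals (sender authentication, link targets, reputation).
INDICATORS = {
    "urgency": re.compile(
        r"\b(immediately|temporarily limited|may not be able to|very important|"
        r"unauthorized access)\b", re.I),
    "click_here": re.compile(r"\bclick here\b", re.I),
    "asks_for_secret": re.compile(
        r"\b(password|pin|personal identification number|banking card|"
        r"sign in with your email)\b", re.I),
    "verify_request": re.compile(
        r"\b(verify|confirm)\b.{0,40}\b(account|information)\b", re.I | re.S),
    "generic_greeting": re.compile(
        r"^\s*dear (webmail user|customer|citibank customer|user)\b", re.I | re.M),
}


def score_message(text):
    """Return the indicators that fire, their count, and a coarse verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    score = len(hits)
    verdict = "likely phishing" if score >= 3 else "suspicious" if score else "no indicators"
    return {"indicators": hits, "score": score, "verdict": verdict}


# The three phishing examples quoted in the deck, plus one constructed benign note.
EXAMPLE_1 = ("Dear Webmail User,\nYour mailbox has exceeded the allocated storage limit as set "
             "by the administrator, you may not be able to send or receive new mail until you "
             "upgrade your allocated quota. To upgrade your quota, CLICK HERE to verify your "
             "email account.\nSystem Administrator IT Helpdesk")
EXAMPLE_2 = ("Please view the document I uploaded for you using Google docs. Click here\n"
             "Just sign in with your email to view the document its very important.")
EXAMPLE_3 = ("Dear Citibank Customer,\nAll Citibank accounts access for online use are required "
             "to confirm their personal information due to a high volume of fraud and "
             "unauthorized access from outside US Territories. For your protection your account "
             "is temporarily limited. To successfully confirm your information we require your "
             "Citibank Banking Card and Personal Identification Number (PIN).")
BENIGN = ("Hi Chris,\nAttached are the notes from Tuesday's ITS meeting. Let me know if I "
          "missed anything.\nThanks, Dana")  # constructed control message, not from the deck

if __name__ == "__main__":
    for label, msg in [("ex1", EXAMPLE_1), ("ex2", EXAMPLE_2), ("ex3", EXAMPLE_3), ("benign", BENIGN)]:
        print(label, score_message(msg))
```

Each of the deck's three examples trips at least three indicators, while the benign note trips none; the point is that the same handful of cues recur across otherwise very different lures.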
Protect your $$: when banking and shopping, check to be sure the site is security enabled. Look for web addresses with "https://" or "shttp://", which means the site takes extra measures to help secure your information. "http://" is not secure.

Stay Current
Keep pace with new ways to stay safe online: check trusted websites for the latest information, and share with friends, family, and colleagues and encourage them to be web wise.
Think before you act: be wary of communications that implore you to act immediately, offer something that sounds too good to be true, or ask for personal information.

Web Browsing
Visit trusted websites that are needed to conduct Pace University business.
What happens when visiting a malicious website? An attacker may be able to take full control of your computer; log all keystrokes, including your username and password and all information you type; access all the information you are authorized to view; impersonate you by sending messages from your account; and access everything on your computer without you knowing.
Aimless surfing to non-work-related sites increases the chances that you will be compromised.
Although antivirus software is an important tool, it is only 60%-75% effective in detecting malware.

What is PII?
Properly Handle Personally Identifiable Information (PII)
When there is a business process that requires the handling of PII, extreme care should be taken to protect the information.
Examples of PII type information: Social security numbers; Credit card numbers; Bank account numbers; Health information.
Requirements for handling PII:
PII should never be uploaded to a publicly accessible web server.
Pace PII should not be stored to cloud services, such as Dropbox.
Data that is needed by the University should never be downloaded and stored on workstations, personal (home) computers, USB drives, mobile devices, or laptops.
PII should be kept confidential and never shared with third parties or individuals not authorized to handle this data.
PII should only be accessed if there is a business need to perform one's job function, through the authorized server/database.
Printed documents containing PII should be locked in a cabinet in a secure location - it must not be in plain sight or easily accessible.
Data that does not need to be maintained by the University should never be stored.

Physical Security
If an attacker gains physical access to a device, then the attacker is very easily able to gain access to all information on that system. Keep track of and secure your devices.
Use a cable and lock system to secure your laptop to a desk to reduce the chance of theft, or lock equipment in a secure location.
Secure other forms of sensitive information (including paper documents) by locking them in a cabinet or safe.
Lock the office door when you are at meetings or away from your desk to better protect Pace's assets.
If you leave your desk, lock your computer screen to protect your system.
Ensure that no one is watching while you type your password, and that others are not eavesdropping if you are talking about confidential information.
When traveling, be vigilant and keep track of your mobile devices and/or laptop at all times. Ensure that they are accounted for after going through security checkpoints.

Pace Policy Library
Review the Pace University Policy Library to ensure you are up-to-date with the latest IT Security Policies, such as the IT Appropriate Use Policy and other university policies.
Pace credentials are required to access the policies.
http://www.pace.edu/policies

Incident Notification
If you encounter or suspect an information security incident, immediately report this information to the ITS Help Desk at (914) 773-3333 (pacehelpdesk@pace.edu). The Help Desk should always be the initial point of contact. They will ensure that the event is documented and handed off to the appropriate party.

Our Data Is In Your Hands! Help Us Keep It Secure!
Questions?