Winter 2010 Information Security Workshop Slides

Personal Information Security
Williams College Office for
Information Technology (OIT)
Winter 2010
What is
Personal Information?
If Nothing Else, Remember This:
• Legitimate online service providers,
including OIT staff, will never, ever ask
you for your password over the phone or
by e-mail.
It’s the Law
• Protect Student Educational Records
– Family Education Right to Privacy Act
(FERPA), enacted in 1974
It’s the Law: Protect Student
– FERPA covers living students and former students
(in other words, alumni)
– Each educational institution defines “student directory
– Everything else is “non-directory information”
– Williams may release directory information
– Williams may not release non-directory information
without prior consent of the student, except in
specific circumstances (such as a subpoena)
– A student may request that their directory information
not be published
It’s the Law: Protect Student
• Directory Information @Williams College
Permanent and College addresses
Campus electronic mail address
Permanent and Campus telephone numbers
Date and place of birth
Country of citizenship
Major field
Extra-curricular activities
Height and weight of members of athletic teams
Dates of attendance
Degrees, honors and awards
Other schools attended.
It’s the Law: Protect Student
In general, faculty and staff have access to personally
identifiable, non-directory information about students as
long as they have a legitimate educational interest in it,
in other words a "need to know."
Releasing personally identifiable non-directory information
to others without prior permission from the student or
alumnus/a is illegal. You cannot, for instance, provide
information about grades to others, even parents, unless
the student or alumnus/a has given you prior permission
to share the data. You cannot even share course
registration information with other students.
It’s the Law
• Protect Personal Health Information
– Regulated by Health Insurance Portability and
Accountability Act (HIPAA) and other laws
– Personal Health Information (PHI) must be protected,
• Health Status
• Provision of Health Care
• Payment for Health Care
• In general, any information about a patient’s medical record
or payment history
– Defines administrative, physical, and technical
safeguards for protecting PHI
– Some states require notification in case of a breach
It’s the Law: Protect Health
• HIPAA applies to faculty and staff
• HIPAA does not apply to student health
information at Williams, but FERPA does
cover it as non-directory information, and
so do some state laws
Credit Card Transactions
• Any entity which collects payments with credit
cards is contractually bound to follow the
Payment Card Industry (PCI) Standard to
protect information related to credit-card
The PCI standard provides very specific
guidelines on how to protect such information in
both paper and electronic formats.
Failure to comply can result in withholding of
credit card revenue to pay fines & penalties.
Credit Card Transactions
• Credit Cards at Williams
– Dining Services facilities (on-site)
– WTF Box Office (on-site)
– WCMA Museum Shop (on-site)
– Alumni Donations (off-site)
– PaperCut Printing (off-site)
– Student Bus Travel (future)
– Others?
It’s the Law
• Protect Personal Financial Information
– Gramm Leach Bliley Act (GLBA)
– FTC Red Flag Rules
– Massachusetts General Law
– 38 other state identity theft laws
It’s the Law: Protect Personal
Financial Information
• What is Personal Financial Information?
– Massachusetts definition: A person’s name in
combination with their
• Social Security Number (SSN)
• Driver’s License or State-issued ID Number
• Financial Account Number
• Credit Card Number
It’s the Law: Protect Personal
Financial Information
• “Protect” means preserve
– Confidentiality
– Integrity
– Availability
• Information in any format: paper or digital
• Protection applies to all Massachusetts residents
• Students
• Employees
• Alumni
• Guest speakers, contractors…and everybody else
It’s the Law: Protect Personal
Financial Information – MA WISP
Per MA CMR 201 17.00, Massachusetts businesses must
develop, implement and maintain a comprehensive
Written Information Security Program (WISP) to…
Put in place “administrative, technical, and physical
safeguards to ensure the security and confidentiality of
such records”
Designate “one or more employees to design,
implement and coordinate” the program
“Verify that third-party service providers with access
to personal information have the capacity to protect
such personal information”
It’s the Law: Protect Personal
Financial Information – MA WISP…
 Put in place processes for “Inventorying paper,
electronic and other records, computing systems, and
storage media, including laptops and portable devices
used to store personal information, to identify those
records containing personal information.”
 Provide “Education and training of employees on the
proper use of the computer security system and the
importance of personal information security”
It’s the Law: Protect Personal
Financial Information – MA WISP…
• Information on the Internet
– E-mail & files sent over the Internet
containing personal financial information must
be encrypted
• Information on portable devices
– By March 1st, 2010, all laptops and other
portable information devices (Smart Phones,
PDA’s, USB Drives) that store personal
financial information or store information that
may give access to it must be encrypted.
What is an
Information Security Breach?
The unauthorized use or acquisition of personal
information that “creates a substantial risk of
identity theft or fraud”
In Massachusetts, a breach means the
(potential) release of either
Unencrypted personal financial information
Unencrypted data capable of compromising
personal financial information
- In other words, usernames & passwords
Information Security Breach
If a breach or possible breach occurs (at least in Massachusetts):
Business must notify
- MA Office of Consumer Affairs and Business Regulation
- The Massachusetts Attorney General
- The individual(s) whose information is at risk
The notification must include:
– The date or approximate date of the breach
– Steps that have been taken to deal with the breach
– Consumers’ right to obtain a police report
– Instructions for requesting a credit report security freeze
The notification may not include:
– The number of MA residents affected
Credit Report Security Freeze
Any consumer in Massachusetts, New York, or Vermont
may place a security freeze on his or her credit report by
sending a request in writing, by mail to all 3 consumer
reporting agencies (EquiFax, Experian, TransUnion).
There’s no fee for victims or their spouses for placing or
removing a security freeze on a credit report. You can
prove you’re a victim by sending a copy of a police
report. All other consumers must pay a $5-$10 fee.
See the Consumers Union web site for more information:
Williams Breach: October, 2009
Cause was a stolen laptop computer
(3 college laptops have been stolen in past 8 months)
• Interviewed laptop owner about information on laptop
• Scanned laptop backup files for protected financial
information and health data
• Protected data found (SSN’s), so laws in 39 states and
many foreign countries might apply, depending on
• Obtained legal assistance and contracted for breach
counseling services
Williams Breach: October, 2009
• Compiled list of residential and e-mail addresses for
approximately 750 potential victims
• Notified potential victims by mail and by e-mail
• Sent all-campus e-mail notice
• Responded to phone calls and e-mails
• Financial costs to handle a breach included staff time,
legal assistance and breach counseling services. Final
cost has exceeded $50,000.
Where did the SSN’s come
• Excel files of pre-2006 class rosters from
the old Student System (SIS)
• E-mail messages related to paying
individuals such as guest speakers,
performers, referees
• Unsolicited e-mail messages
College Confidentiality Policy
• Published January, 2010
• Find it at
(you can also search for confidentiality
policy on the Williams web
College Confidentiality Policy
Responsibility of Administrative Departments
“Each department head is responsible for ensuring the
appropriate protection of information within his or her
Responsibility of Faculty
“Each faculty member is responsible for ensuring the
confidentiality of any information s/he collects or uses,
both electronic and on paper.”
What about your office?
• Does your office handle legally-protected
or confidential information?
– What kind?
– If you’re not sure what’s confidential, ask!
• Does your office or department have a
policies and procedures for protecting
confidential information?
What about your office?
• An information usage policy explains
– What information is confidential
– How to protect confidential information
– How to handle requests for information, both
internal and external
– When and how to dispose of confidential
– What the consequences are if the policy isn’t
What about your office?
• Goal: Minimize the potential risks from
information leaks
• If you don’t need it, get rid of it
(use a shredder if it’s paper)
• Be skeptical of requests for information
• Again: If you don’t need it, get rid of it!
What about your office?
• Does your office send or receive
confidential information via e-mail?
• Does your office use a shredder?
• Do you lock up your files when the office
is closed and turn off your computers at
the end of the day?
• What if your paper files were damaged
due to fire or flood?
Methods by which data is lost or stolen
• Theft of computer, external drives, usb flash drives, CDs, smartphones
• Carelessness with passwords (written in obvious places) or passwords are
too simple
E-mail (phishing scams – replying with passwords)
Web (phishing scams, website hijack)
Viruses / spyware (from email, web sites or downloads)
Rogue software (fake antivirus)
Wireless data sniffing
Simple computer security at work
• Don’t use post-its to manage your passwords (if you need to have a
file that stores your various passwords, keep it up on the network or
use an Excel file that is locked with a password).
If you have your own office: keep your door locked when away
If you work in a public area: consider a privacy screen
Require a password when your computer wakes from sleep
Laptop security cable? Cheap, prevents opportunistic theft. OIT will
give you one for free.
Traveling with a computer
Before you leave, think about what it would mean if your laptop were stolen or
lost – are you sure you need it on your trip?
Consider checking out a Library loaner – should be no personal data on those
If you just need to check email you can use a smart phone
Do not EVER leave a laptop in a parked car in a city – this is by far the most
common way that laptops are stolen
Don’t check your laptop when flying – in general don’t let your computer out of
your sight.
If using a foreign wireless network, run the VPN client to prevent data sniffing
If your laptop is stolen, contact OIT
immediately and change your password
(consider it compromised)
OIT initiatives for 2009 - 2010
To protect against data loss due to computer or device
theft OIT is starting initiatives for:
• Full disk encryption (TrueCrypt) on laptops
• Full data backup (Atempo Livebackup or USB external drive)
• Remediation and removal of PII from college computers*
* SS#s, Credit Card #s, Bank Account #s and
passwords in clear text are some of the many
things we commonly find
We have software called Identity Finder which will
search documents (word, excel, powerpoint, pdfs)
and email for this type of information
Email Security + Phishing
• NEVER FORGET: It is easy to spoof the From: address in an email.
• Does the From: address match the Reply-to: address (if not, beware)
• Phishing emails often start out “your account has been used to send spam”
or “we are doing maintenance on our webmail system” – then they ask that
you reply with your username and password
There will never be a reason to give anyone your password by email –
Note: E-mail notifications to the community from Williams OIT will always
have a subject line beginning with: “OIT Eph Notice {mm/dd/yy}
Phishing is the fraudulent process of attempting
to acquire sensitive information such as
usernames, passwords and credit card details
by masquerading as a trustworthy entity in an
electronic communication.
Find the “phishing” clues
From: "Williams College" <[email protected]>
Date: February 13, 2009 11:25:45 AM EST
Subject: Webmail Subscriber
Reply-To: [email protected]
Attn. Webmail User,
We regret to announce to you that we will be making some vital maintainance on our
webmail. During this process you might have login problems in signing into your
Online account, but to prevent this you have to confirm your account immediately
after you receive this notification.
Your Account Confirmation
E-mail ID:
E-mail Password:
Date of birth:
Your account shall remain active after you have successfully confirmed
your account details.
Williams College
Webmail Support Team
Web Security
We are often required to log into web sites. How can you tell if the site is
Check the “domain” – which of these could be a real Williams site?
Web Security
We are often required to log into web sites. How can you tell if the site is
Check the “domain” – which of these could be a real Williams site:
The domain is the last two words between the http:// and the first /
Same format as email addresses: [email protected] or [email protected]
Any Williams site will be //
Any American Express site will be // is legitimate because the domain is correct
Website copy
• On Monday Sept. 29, a bogus email was sent with the subject line
“Read Email Security Message” to many hundreds of college
employees and students. The email had an attachment with a link
to a bogus Williams webmail site.
• The email itself was not particularly believable, but the fake webmail
site was a perfect copy of our real site. The only way to tell it was
fake was to look at the domain information
Preventing Viruses
Common ways to get viruses:
• An e-card (Hallmark greeting, etc) - Don’t follow the link unless you
are sure. If you are asked to download or install something quit your
browser or ask OIT to check it out.
• Email attachment – Don’t open it unless you are sure. Check with
the sender. This includes Word documents and PDFs.
• Web link in an email – Don’t follow it unless you know for sure
where it goes.
• General browsing and downloading of things not work-related is the
cause of nearly all infections.
Keep your Anti-virus up to date – it’s worthwhile to know what you use.
Keep your computer up to date with Windows patches.
Preventing Spyware
• What is Spyware? The simplest explanation is that it is like a virus
specifically designed to steal information.
• Follow the same rules you follow when avoiding viruses.
• Don’t download “cool” applications: Bonzi Buddy, Weather Bug,
Kazaa, Limewire, CoolWebSearch (this one is bad), Comet Cursor
• For your home computer install Windows Defender from (Vista has it built in)
Malware, short for malicious software, is software designed to infiltrate or damage a
computer system without the owner's informed consent. The expression is a general
term used by computer professionals to mean a variety of forms of hostile, intrusive,
or annoying software or program code covering viruses, spyware, trojan horses,
worms, rogues, etc.
Rogue Security Software
Rogue security software is software that misleads users into paying for the fake
removal of malware.
Typically you get a pop-up window while on the web alerting you that you have
viruses or spyware on the computer and offering to clean it up. If you accept the offer
the program installs itself, then will continuously try to get you to pay for a
“professional version” – which does nothing, except maybe remove itself.
Generally these rogue programs will not be picked up by real anti-virus software
because you agreed to install the software.
One program that does very well at removing this type of software is called
A partial list of know rogue software.
Just the a’s!!
Advanced Cleaner, AlfaCleaner, Alpha AntiVirus, AntiSpyCheck 2.1, AntiSpyStorm, AntiSpyware 2009,
AntiSpyware Bot, AntiSpywareExpert, AntiSpywareMaster, AntiSpywareSuite, AntiSpyware Shield, Antivermins,
Antivirus 2008, Antivirus 2009, Antivirus 2010, Antivirus 360, Antivirus Pro 2009, AntiVirus Gold, Antivirus
Master, Antivirus XP 2008, Antivirus Pro 2010, Antivirus System PRO, Avatod Antispyware 8.0, Awola
Security recap
1. Physical security can usually be attained by applying common sense and a
little care – treat your computer like a passport or your wallet or purse.
Avoiding viruses and spyware can usually be achieved by following a
simple rule: Your office computer is a business tool – don’t use it like a
home entertainment system.
Wireless is everywhere and incredibly convenient, but anyone can sniff
traffic (traffic generally meaning whatever you are typing). If you are doing
anything off-campus that requires a username and password, or requires
entry of confidential information run the VPN software.
Your username and password protect a lot more than just YOUR personal
info – you probably have access to many people’s personal info.
Quick Quizzes
You’re travelling without a computer and want to
see if you were paid on time. You find an
internet café, pay for access, and log in to your
online banking web site. You note that the
username/password page in the web browser on
the computer you’re using is encrypted (using
https://). Should you log in?
Quick Quizzes
Which of these web addresses (URL’s) are
legitimate Williams College addresses?
Quick Quizzes
You get an e-mail from the HR Benefits
Coordinator telling you about a new Williams
employee benefits program called
WilliamsRewards. The e-mail directs you to The web site has
the look of a typical Williams web page and
instructs you sign up for the program by logging
in with your Williams username & password.
What do you do?
How to check on links in e-mail
How to check on links in e-mail
If Nothing Else,
What should you remember?
Thanks to Dennis Devlin and Brandeis University for their assistance
WWII Posters from American Merchant Marine at War,