Personal Information Security Workshop
Williams College Office for Information Technology (OIT)
Winter 2010

What is Personal Information?

If Nothing Else, Remember This:
• Legitimate online service providers, including OIT staff, will never, ever ask you for your password over the phone or by e-mail.

It’s the Law
• Protect Student Educational Records
  – Family Educational Rights and Privacy Act (FERPA), enacted in 1974

It’s the Law: Protect Student Information
– FERPA covers living students and former students (in other words, alumni)
– Each educational institution defines “student directory information”
– Everything else is “non-directory information”
– Williams may release directory information
– Williams may not release non-directory information without prior consent of the student, except in specific circumstances (such as a subpoena)
– A student may request that their directory information not be published

It’s the Law: Protect Student Information
• Directory Information @ Williams College
  – Name
  – Permanent and College addresses
  – Campus electronic mail address
  – Permanent and Campus telephone numbers
  – Date and place of birth
  – Country of citizenship
  – Major field
  – Extra-curricular activities
  – Height and weight of members of athletic teams
  – Dates of attendance
  – Degrees, honors and awards
  – Other schools attended

It’s the Law: Protect Student Information
In general, faculty and staff have access to personally identifiable, non-directory information about students as long as they have a legitimate educational interest in it, in other words a “need to know.” Releasing personally identifiable non-directory information to others without prior permission from the student or alumnus/a is illegal. You cannot, for instance, provide information about grades to others, even parents, unless the student or alumnus/a has given you prior permission to share the data. You cannot even share course registration information with other students.
It’s the Law
• Protect Personal Health Information
  – Regulated by the Health Insurance Portability and Accountability Act (HIPAA) and other laws
  – Protected Health Information (PHI) must be protected, including
    • Health status
    • Provision of health care
    • Payment for health care
    • In general, any information about a patient’s medical record or payment history
  – HIPAA defines administrative, physical, and technical safeguards for protecting PHI
  – Some states require notification in case of a breach

It’s the Law: Protect Health Information
• HIPAA applies to faculty and staff information
• HIPAA does not apply to student health information at Williams, but FERPA does cover it as non-directory information, and so do some state laws

Credit Card Transactions
• Any entity which collects payments with credit cards is contractually bound to follow the Payment Card Industry (PCI) Data Security Standard to protect information related to credit-card transactions.
• The PCI standard provides very specific guidelines on how to protect such information in both paper and electronic formats.
• Failure to comply can result in withholding of credit card revenue to pay fines & penalties.
• See https://www.pcisecuritystandards.org

Credit Card Transactions
• Credit Cards at Williams
  – Dining Services facilities (on-site)
  – WTF Box Office (on-site)
  – WCMA Museum Shop (on-site)
  – Alumni Donations (off-site)
  – PaperCut Printing (off-site)
  – Student Bus Travel (future)
  – Others?

It’s the Law
• Protect Personal Financial Information
  – Gramm-Leach-Bliley Act (GLBA)
  – FTC Red Flag Rules
  – Massachusetts General Law
  – 38 other state identity theft laws

It’s the Law: Protect Personal Financial Information
• What is Personal Financial Information?
  – Massachusetts definition: a person’s name in combination with their
    • Social Security Number (SSN)
    • Driver’s License or State-issued ID Number
    • Financial Account Number
    • Credit Card Number

It’s the Law: Protect Personal Financial Information
• “Protect” means preserve
  – Confidentiality
  – Integrity
  – Availability
• Information in any format: paper or digital
• Protection applies to all Massachusetts residents
  • Students
  • Employees
  • Alumni
  • Guest speakers, contractors… and everybody else

It’s the Law: Protect Personal Financial Information – MA WISP
Per 201 CMR 17.00, Massachusetts businesses must develop, implement and maintain a comprehensive Written Information Security Program (WISP) to…
– Put in place “administrative, technical, and physical safeguards to ensure the security and confidentiality of such records”
– Designate “one or more employees to design, implement and coordinate” the program
– “Verify that third-party service providers with access to personal information have the capacity to protect such personal information”

It’s the Law: Protect Personal Financial Information – MA WISP…
– Put in place processes for “Inventorying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to identify those records containing personal information.”
– Provide “Education and training of employees on the proper use of the computer security system and the importance of personal information security”

It’s the Law: Protect Personal Financial Information – MA WISP…
• Information on the Internet
  – E-mail & files sent over the Internet containing personal financial information must be encrypted
• Information on portable devices
  – By March 1st, 2010, all laptops and other portable information devices (smart phones, PDAs, USB drives) that store personal financial information, or store information that may give access to it, must be encrypted.

What is an Information Security Breach?
The unauthorized use or acquisition of personal information that “creates a substantial risk of identity theft or fraud”
– In Massachusetts, a breach means the (potential) release of either
  • Unencrypted personal financial information
  • Unencrypted data capable of compromising personal financial information, in other words usernames & passwords

Information Security Breach
If a breach or possible breach occurs (at least in Massachusetts), the business must notify:
– the MA Office of Consumer Affairs and Business Regulation
– the Massachusetts Attorney General
– the individual(s) whose information is at risk
The notification must include:
– The date or approximate date of the breach
– Steps that have been taken to deal with the breach
– Consumers’ right to obtain a police report
– Instructions for requesting a credit report security freeze
The notification may not include:
– The number of MA residents affected

Credit Report Security Freeze
Any consumer in Massachusetts, New York, or Vermont may place a security freeze on his or her credit report by sending a request in writing, by mail, to all 3 consumer reporting agencies (Equifax, Experian, TransUnion). There’s no fee for victims or their spouses for placing or removing a security freeze on a credit report; you can prove you’re a victim by sending a copy of a police report. All other consumers must pay a $5-$10 fee.
See the Consumers Union web site for more information: www.consumersunion.org

Williams Breach: October, 2009
Cause was a stolen laptop computer (3 college laptops have been stolen in the past 8 months)
• Interviewed the laptop owner about information on the laptop
• Scanned laptop backup files for protected financial information and health data
• Protected data found (SSNs), so laws in 39 states and many foreign countries might apply, depending on residency
• Obtained legal assistance and contracted for breach counseling services

Williams Breach: October, 2009
• Compiled list of residential and e-mail addresses for approximately 750 potential victims
• Notified potential victims by mail and by e-mail
• Sent all-campus e-mail notice
• Responded to phone calls and e-mails
• Financial costs to handle a breach included staff time, legal assistance and breach counseling services. Final cost has exceeded $50,000.

Where did the SSNs come from?
• Excel files of pre-2006 class rosters from the old Student System (SIS)
• E-mail messages related to paying individuals such as guest speakers, performers, referees
• Unsolicited e-mail messages

College Confidentiality Policy
• Published January, 2010
• Find it at http://wiki.williams.edu/display/handbooks/Confidentiality (you can also search for “confidentiality policy” on the Williams web site)

College Confidentiality Policy
Responsibility of Administrative Departments
“Each department head is responsible for ensuring the appropriate protection of information within his or her office.”
Responsibility of Faculty
“Each faculty member is responsible for ensuring the confidentiality of any information s/he collects or uses, both electronic and on paper.”

What about your office?
• Does your office handle legally-protected or confidential information?
  – What kind?
  – If you’re not sure what’s confidential, ask!
• Does your office or department have policies and procedures for protecting confidential information?

What about your office?
• An information usage policy explains
  – What information is confidential
  – How to protect confidential information
  – How to handle requests for information, both internal and external
  – When and how to dispose of confidential information
  – What the consequences are if the policy isn’t followed

What about your office?
• Goal: Minimize the potential risks from information leaks
• If you don’t need it, get rid of it (use a shredder if it’s paper)
• Be skeptical of requests for information
• Again: If you don’t need it, get rid of it!

What about your office?
• Does your office send or receive confidential information via e-mail?
• Does your office use a shredder?
• Do you lock up your files when the office is closed and turn off your computers at the end of the day?
• What if your paper files were damaged due to fire or flood?

Methods by which data is lost or stolen
Physical:
• Theft of computer, external drives, USB flash drives, CDs, smartphones
• Carelessness with passwords (written in obvious places) or passwords that are too simple
Electronic:
• E-mail (phishing scams: replying with passwords)
• Web (phishing scams, website hijack)
• Viruses / spyware (from e-mail, web sites or downloads)
• Rogue software (fake antivirus)
• Wireless data sniffing

Simple computer security at work
• Don’t use post-its to manage your passwords (if you need to have a file that stores your various passwords, keep it up on the network or use an Excel file that is locked with a password).
• If you have your own office: keep your door locked when away
• If you work in a public area: consider a privacy screen
• Require a password when your computer wakes from sleep
• Laptop security cable? Cheap, prevents opportunistic theft. OIT will give you one for free.

Traveling with a computer
Before you leave, think about what it would mean if your laptop were stolen or lost – are you sure you need it on your trip?
• Consider checking out a Library loaner – there should be no personal data on those
• If you just need to check e-mail you can use a smart phone
• Do not EVER leave a laptop in a parked car in a city – this is by far the most common way that laptops are stolen
• Don’t check your laptop when flying – in general don’t let your computer out of your sight
• If using a foreign wireless network, run the VPN client to prevent data sniffing
• If your laptop is stolen, contact OIT immediately and change your password (consider it compromised)

OIT initiatives for 2009 - 2010
To protect against data loss due to computer or device theft OIT is starting initiatives for:
• Full disk encryption (TrueCrypt) on laptops
• Full data backup (Atempo Livebackup or USB external drive)
• Remediation and removal of PII from college computers*
* SSNs, credit card numbers, bank account numbers and passwords in clear text are some of the many things we commonly find. We have software called Identity Finder which will search documents (Word, Excel, PowerPoint, PDFs) and e-mail for this type of information.

Email Security + Phishing
• NEVER FORGET: It is easy to spoof the From: address in an e-mail.
• Does the From: address match the Reply-To: address? If not, beware. (A match proves nothing on its own, since the sender controls both headers; a mismatch is simply a cheap warning sign.)
• Phishing e-mails often start out “your account has been used to send spam” or “we are doing maintenance on our webmail system” – then they ask that you reply with your username and password
• There will never be a reason to give anyone your password by e-mail – honestly.
• Note: E-mail notifications to the community from Williams OIT will always have a subject line beginning with: “OIT Eph Notice {mm/dd/yy}”

Phishing is the fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
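The Identity Finder scan described under OIT initiatives above looks for SSNs and card numbers left in clear text. The following is an added example written for this page, not Identity Finder’s code or any OIT tool, showing the two checks such a scan needs in order to be useful rather than noisy: a pattern match for the number format, followed by a structural validity test (the SSA area/group/serial rules for SSNs, the Luhn checksum for card numbers) that throws out phone numbers, tracking numbers and placeholder records. The sample text is constructed for the example; none of the numbers in it belong to a real person or card.

```python
import re
from typing import List, Tuple

# Constructed sample text modelled on the kinds of files the deck says turned
# up in the breach review (old rosters, payment e-mails). Not real data.
SAMPLE = """\
Guest speaker payment: Jane Roe, SSN 123-45-6789, honorarium $500
Roster export (pre-2006): 045-31-0021  Smith, A.
Card on file for bus deposit: 4111 1111 1111 1111 exp 03/11
Tracking number 1234 5678 9012 3456 (not a card)
Placeholder record: 666-12-3456
Office phone 413-597-4090
"""

# One pass, two alternatives: a formatted SSN, or a 13-19 digit run that may
# be broken up by single spaces or hyphens (how card numbers are usually typed).
PII_RE = re.compile(
    r"(?P<ssn>\b\d{3}[- ]\d{2}[- ]\d{4}\b)"
    r"|(?P<card>\b(?:\d[ -]?){12,18}\d\b)"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by all major card brands; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(ssn: str) -> bool:
    """SSA structure rules: area 001-899 except 666, group 01-99, serial 0001-9999."""
    area, group, serial = (int(p) for p in re.split(r"[- ]", ssn))
    return 0 < area < 900 and area != 666 and group != 0 and serial != 0


def find_pii(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, kind, value as written) for each structurally valid hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PII_RE.finditer(line):
            if m.group("ssn"):
                if plausible_ssn(m.group("ssn")):
                    hits.append((lineno, "SSN", m.group("ssn")))
            else:
                digits = re.sub(r"[ -]", "", m.group("card"))
                if 13 <= len(digits) <= 19 and luhn_ok(digits):
                    hits.append((lineno, "CARD", m.group("card")))
    return hits


def mask(value: str) -> str:
    """Show only the last four digits, so the scan report is not itself a leak."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    for lineno, kind, value in find_pii(SAMPLE):
        print(f"line {lineno}: {kind} {mask(value)}")
```

Run against the sample, the scan reports the two rosters/payment SSNs and the card number and stays silent on the tracking number (fails Luhn), the 666- placeholder (invalid area) and the phone number (wrong shape). A real scan would also need to open Word, Excel, PDF and mailbox files and extract their text before applying these checks, which is the part a product such as Identity Finder adds; the matching logic itself is what is shown here.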
Find the “phishing” clues
From: "Williams College" <webmaster@williams.edu>
Date: February 13, 2009 11:25:45 AM EST
Subject: Webmail Subscriber
Reply-To: supportss@live.com

Attn. Webmail User,
We regret to announce to you that we will be making some vital maintainance on our webmail. During this process you might have login problems in signing into your Online account, but to prevent this you have to confirm your account immediately after you receive this notification.
Your williams.edu Account Confirmation
Name:
E-mail ID:
E-mail Password:
Date of birth:
Your account shall remain active after you have successfully confirmed your account details.
Thanks
Williams College Webmail Support Team

Web Security
We are often required to log into web sites. How can you tell if the site is legitimate?
Check the “domain” – which of these could be a real Williams site?
http://www.williamsrewards.com/
http://williams.edu.technical-supports.com/
http://technical-supports.williams.edu/
The domain is the last two dot-separated parts of the host name, that is, of the part between the http:// and the first / (this holds for .com, .edu and .org names; country suffixes such as .co.uk take one more part).
Same format as e-mail addresses: xyz@williams.edu or xyz@aol.com
Any Williams site will be //xyz.williams.edu/
Any American Express site will be //xyz.americanexpress.com/
http://www.williams.edu/go/x is legitimate because the domain is correct
Of the three addresses above, only http://technical-supports.williams.edu/ could be a Williams site; the domains of the other two are williamsrewards.com and technical-supports.com.

Website copy
• On Monday Sept. 29, a bogus e-mail was sent with the subject line “Read Email Security Message” to many hundreds of college employees and students. The e-mail had an attachment with a link to a bogus Williams webmail site.
• The e-mail itself was not particularly believable, but the fake webmail site was a perfect copy of our real site.
• The only way to tell it was fake was to look at the domain information: http://www.jctaiwan.com/~jctaiwan/webmail.williams.edu/ – the domain here is jctaiwan.com; “webmail.williams.edu” is only a directory name in the path after the first /.

Preventing Viruses
Common ways to get viruses:
• An e-card (Hallmark greeting, etc.) – Don’t follow the link unless you are sure. If you are asked to download or install something, quit your browser or ask OIT to check it out.
• E-mail attachment – Don’t open it unless you are sure. Check with the sender. This includes Word documents and PDFs.
• Web link in an e-mail – Don’t follow it unless you know for sure where it goes.
• General browsing and downloading of things not work-related is the cause of nearly all infections.
AT HOME: Keep your anti-virus up to date – it’s worthwhile to know what you use. Keep your computer up to date with Windows patches.

Preventing Spyware
• What is spyware? The simplest explanation is that it is like a virus specifically designed to steal information.
• Follow the same rules you follow when avoiding viruses.
• Don’t download “cool” applications: Bonzi Buddy, WeatherBug, Kazaa, LimeWire, CoolWebSearch (this one is bad), Comet Cursor
• For your home computer install Windows Defender from www.microsoft.com (Vista has it built in)

Malware, short for malicious software, is software designed to infiltrate or damage a computer system without the owner’s informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code covering viruses, spyware, trojan horses, worms, rogues, etc.

Rogue Security Software
• Rogue security software is software that misleads users into paying for the fake removal of malware.
• Typically you get a pop-up window while on the web alerting you that you have viruses or spyware on the computer and offering to clean it up.
• If you accept the offer the program installs itself, then will continuously try to get you to pay for a “professional version” – which does nothing, except maybe remove itself.
• Generally these rogue programs will not be picked up by real anti-virus software because you agreed to install the software.
• One program that does very well at removing this type of software is called Malwarebytes.
A partial list of known rogue software. Just the A’s!!
Advanced Cleaner, AlfaCleaner, Alpha AntiVirus, AntiSpyCheck 2.1, AntiSpyStorm, AntiSpyware 2009, AntiSpyware Bot, AntiSpywareExpert, AntiSpywareMaster, AntiSpywareSuite, AntiSpyware Shield, Antivermins, Antivirus 2008, Antivirus 2009, Antivirus 2010, Antivirus 360, Antivirus Pro 2009, AntiVirus Gold, Antivirus Master, Antivirus XP 2008, Antivirus Pro 2010, Antivirus System PRO, Avatod Antispyware 8.0, Awola

Security recap
1. Physical security can usually be attained by applying common sense and a little care – treat your computer like a passport or your wallet or purse.
2. Avoiding viruses and spyware can usually be achieved by following a simple rule: Your office computer is a business tool – don’t use it like a home entertainment system.
3. Wireless is everywhere and incredibly convenient, but anyone can sniff traffic (traffic generally meaning whatever you are typing). If you are doing anything off-campus that requires a username and password, or requires entry of confidential information, run the VPN software.
4. Your username and password protect a lot more than just YOUR personal info – you probably have access to many people’s personal info.

Quick Quizzes
You’re travelling without a computer and want to see if you were paid on time. You find an internet café, pay for access, and log in to your online banking web site. You note that the username/password page in the web browser on the computer you’re using is encrypted (using https://). Should you log in? (Keep in mind that https:// protects only the connection between that browser and the bank; it does nothing about spyware or a keylogger already installed on a shared computer you don’t control.)
Quick Quizzes
Which of these web addresses (URLs) are legitimate Williams College addresses?
http://williamscollege.techno.com/index.html
http://collegeinfo.williams.edu/about.html
http://system1.rewards.williams.edu.x.com/
https://webmail.williams.edu/
https://webmail.williams.collegebound.net/

Quick Quizzes
You get an e-mail from the HR Benefits Coordinator telling you about a new Williams employee benefits program called WilliamsRewards. The e-mail directs you to www.williamsrewards.com. The web site has the look of a typical Williams web page and instructs you to sign up for the program by logging in with your Williams username & password. What do you do?

How to check on links in e-mail (Outlook)

How to check on links in e-mail (WebMail)

If Nothing Else, What should you remember?

Questions?

Thanks to Dennis Devlin and Brandeis University for their assistance
WWII Posters from American Merchant Marine at War, www.usmm.org
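The domain rule from the Web Security slides (including the copied webmail site), the From:/Reply-To: test from the Email Security slide, and the URL list in the Quick Quizzes all come down to the same question: which domain am I really dealing with? The following is an added example for this page, not code from OIT or from the deck, that applies those checks with a real URL parser and a real header parser instead of reading the address by eye. It assumes the institution’s domain is williams.edu and the slides’ “last two parts” rule (plain .edu/.com/.org suffixes; a two-part country suffix such as .co.uk would need one more label). The two URLs using example.com and the two e-mail messages are constructed for the example; the message headers mirror the sample phish shown on the “Find the phishing clues” slide.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "williams.edu"  # the institution's domain, as on the slides


def registrable_domain(host: str) -> str:
    """The 'domain' in the slides' sense: the last two dot-separated labels.
    Assumption for this example: plain .edu/.com/.org suffixes only."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_belongs_to(host: str, domain: str) -> bool:
    """True only for the domain itself or a genuine subdomain (ends with '.domain').
    'williams.edu.technical-supports.com' and 'evilwilliams.edu' both fail."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def url_is_trusted(url: str, domain: str = TRUSTED_DOMAIN) -> bool:
    """Apply the slides' rule to the parsed host name, so a user@host trick, a
    port, or 'williams.edu' appearing in the path cannot fool the check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return host_belongs_to(parts.hostname, domain)


def reply_to_mismatch(raw_message: str) -> Optional[Tuple[str, str]]:
    """Return (from_domain, reply_to_domain) when they differ, else None.
    A match proves nothing (the sender sets both headers); a mismatch is the
    cheap warning sign the Email Security slide describes."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if "@" not in from_addr or "@" not in reply_addr:
        return None  # no Reply-To header, or an unparsable address
    from_dom = registrable_domain(from_addr.rpartition("@")[2])
    reply_dom = registrable_domain(reply_addr.rpartition("@")[2])
    return None if from_dom == reply_dom else (from_dom, reply_dom)


def classify(urls: Iterable[str]) -> Dict[str, bool]:
    return {u: url_is_trusted(u) for u in urls}


# URLs from the Web Security slides and the Quick Quizzes, plus two constructed
# trick URLs (userinfo before the host; extra labels and a port) that are easy
# to misread by eye but that the parser handles.
URLS = [
    "http://www.williamsrewards.com/",
    "http://williams.edu.technical-supports.com/",
    "http://technical-supports.williams.edu/",
    "http://www.williams.edu/go/x",
    "http://www.jctaiwan.com/~jctaiwan/webmail.williams.edu/",
    "http://williamscollege.techno.com/index.html",
    "http://collegeinfo.williams.edu/about.html",
    "http://system1.rewards.williams.edu.x.com/",
    "https://webmail.williams.edu/",
    "https://webmail.williams.collegebound.net/",
    "http://williams.edu@example.com/",                # constructed: userinfo trick
    "https://webmail.williams.edu.example.com:8080/",  # constructed: extra labels + port
]

# Constructed headers mirroring the sample phish on the 'Find the phishing
# clues' slide, and a constructed legitimate OIT notice for comparison.
PHISH = """\
From: "Williams College" <webmaster@williams.edu>
Reply-To: supportss@live.com
Subject: Webmail Subscriber

Attn. Webmail User, confirm your E-mail Password ...
"""

LEGIT = """\
From: Williams OIT <oit@williams.edu>
Subject: OIT Eph Notice 02/13/09 scheduled webmail maintenance

No password is requested in this notice.
"""

if __name__ == "__main__":
    for url, ok in classify(URLS).items():
        print(("TRUSTED   " if ok else "UNTRUSTED ") + url)
    print("phish Reply-To mismatch:", reply_to_mismatch(PHISH))
    print("legit Reply-To mismatch:", reply_to_mismatch(LEGIT))
```

Of the quiz addresses, only collegeinfo.williams.edu and webmail.williams.edu pass; williams.edu.x.com and williams.collegebound.net fail because williams.edu is not the final two labels, exactly as the slides’ rule says. The check is deliberately about the host name only: it does not look at the page, the certificate, or look-alike characters in the domain, and it does not attempt to decide who registered a name. For the sample phish, the mismatch between williams.edu in From: and live.com in Reply-To: is reported; the constructed OIT notice, which has no Reply-To:, reports nothing.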