Security Training Session - The University of North Carolina at

UNC Pembroke
Security Education
Melanie Jacobs
Division of Information
Technology
Introduction/Purpose
This course provides users with guidelines on safe computing
practices and on evolving practices and standards.
Roles and responsibilities of
users of technology and data
It is everyone’s responsibility to safeguard data and use technology
in the appropriate manner.
Everyone is responsible and must know their responsibilities and do
their part to protect the security of confidential information.
Regulations and Statutes
FERPA
North Carolina Identity Theft Act
Red Flag Rules
PCI (Payment Card Industry Data Security
Standard)
Gramm-Leach-Bliley
HIPAA
North Carolina Identity Theft
Privacy Laws and Standards protecting PII
• North Carolina Identity Theft Act – restricts the collection and use
of Social Security numbers and other personally identifying
information.
• Identifying information covers a wide range of data, including SSNs, bank
account numbers, driver’s license numbers, biometric data (fingerprints),
passwords, and a parent’s legal surname prior to marriage (often used as a form of
authentication).
• Individuals must be notified of security breaches when there is a reasonable
likelihood that their “identifying information” was compromised.
• The Privacy Act – a U.S. federal law requiring protection of
individual privacy by government agencies.
Red Flag Rule
Are you complying with the Red Flags Rule?
The Red Flags Rule requires many businesses and
organizations to implement a written Identity Theft
Prevention Program designed to detect the warning
signs or “red flags” of identity theft in their day-to-day
operations.
Identification of Red Flags
"Red Flag" means a pattern, practice, alert or specific
activity that indicates the possible existence of Identity
Theft.
Identification of Red Flags
In order to identify relevant Red Flags, the University considers the
types of Covered Accounts it offers or maintains, the methods it
provides to open its Covered Accounts, the methods it provides to
access its Covered Accounts, and its previous experiences with
Identity Theft.
Red Flags may be detected while implementing existing account
opening and servicing procedures such as: individual identification,
caller authentication, third party authorization, and address changes.
Identification of Red Flags
The University identifies the following Red Flags categories:
• Notifications and Warnings from Consumer Reporting Agencies
• Suspicious Documents
• Suspicious Personal Identifying Information
• Suspicious Covered Account Activity
• Alerts from Others
http://www.uncp.edu/doit/policies/policy_ch01.html
PCI – Payment Card Industry Data
Security Standard
PCI compliance required by state contract
UNCP Network is not compliant
Never store credit or debit card data
electronically
Never save data on computer or shared drive
Never collect data online
Never send data in email
Contact DoIT to use uPay
Classification and protection of
data
UNCP policy on data classification
http://www.uncp.edu/doit/policies/policy0207.html
Electronic Data
University Electronic Data – Data in any electronic form collected,
processed, stored or distributed by the university or its employees.
Applies to data stored in information systems, and includes
administrative and academic data as well as documents such as
Web sites and email, regardless of the electronic media on which
the data is stored.
Policies
The university shall develop specific safeguards for all protected and
sensitive data. The university shall make information about data in
these classifications, and the relevant safeguards, available to all
faculty, staff, students, temporary employees, vendors, contractors,
etc., as necessary.
The university may develop additional policies to further manage or
secure subsets of University Data. In the case of conflicts between
this and such additional policies, the most restrictive policy shall
apply.
Scope
•This policy applies to all data, whether collected, processed or
stored in electronic or other forms (hereinafter “University Data”). It
applies to all documents, media, records, reports, files, messages,
etc.
•This policy does not apply to creative works, including software,
art, music, etc., that are addressed by UNCP’s Copyright Policy
(UNCP Faculty Handbook, http://www.uncp.edu/aa/handbook)
unless said creative work includes or contains University Data. In
the latter case, this policy shall apply to the University Data included
or contained within the creative work, but not the remaining portions
of the creative work.
•This policy does apply to data collected, used, processed or stored
by UNCP under a grant or contractual agreement unless said grant
or agreement assigns ownership of the data to an entity other than
UNCP.
•This policy does not apply to data owned by a separate entity that
the university has purchased or leased the right to use.
Responsibilities
The Chancellor and his or her designees shall be responsible for the
implementation of this policy.
The vice chancellors and other members of the Executive Staff are
responsible for the procedures and processes within their respective
division or area to comply with this policy’s security directives
concerning University Data.
Each member of the campus community, including faculty, staff,
students, temporary workers, contractors, etc., has the responsibility
to report to his or her supervisor or to DoIT any attempt to gain
unauthorized access to protected or sensitive data.
Classification of Data
Protected Data – University Data to which access is limited by
federal or state law or regulation, or by university policy.
Sensitive Data – University Data which is not addressed by federal
or state law or regulation, or by other university policy, but which
should nevertheless have limited access due to its nature.
Public Data – University Data that is not classified as protected data
or sensitive data. Public data is available under state public records
laws. See, e.g., N.C.G.S. Sec. 132-1, et seq.
Data Management Roles and
Responsibilities
Chief Data Steward
The Associate Vice Chancellor for Information Resources and Chief
Information Officer shall serve as the Chief Data Steward (hereinafter “CDS”)
of UNCP. The CDS is ultimately responsible for the management of and
access to University Electronic Data, including definition and standards for
encoding of said data. The CDS is responsible for establishing guidelines for
the appointment and responsibilities of Data Stewards and Data Managers.
The CDS shall oversee the management of and access to University Electronic Data
and shall develop procedures necessary to complete this task.
The CDS shall approve standards for coding and entry of data in shared environments
and shall resolve any conflicts about these standards.
The CDS may audit the access authorized and actually granted to Data Users as well
as the accuracy and integrity of University Electronic Data as necessary.
Data Stewards
University employees who have delegated authority from the CDS for
the management of a particular set of University Electronic Data.
A Data Steward shall maintain knowledge of the University
Electronic Data assigned to his or her purview, and the manner in
which it is used, including any federal or state legislation governing
the use of this data.
A Data Steward shall be responsible for the accuracy and integrity of
the University Electronic Data assigned to him or her, and shall
develop procedures to ensure that data is entered correctly.
Data Stewards shall collectively develop standards for the coding
and entry of data in shared environments.
A Data Steward shall review the access granted to University
Electronic Data under his or her purview and make adjustments as
needed. Such a review must occur at least annually.
Data Managers
University employees who have delegated authority from a Data
Steward for the management of the University Electronic Data or a
portion of the data under the purview of the Data Steward. Data
managers shall not delegate these duties or responsibilities.
•Data Managers shall fulfill any of the duties and responsibilities
delegated by a Data Steward. This delegation shall not release the
Data Steward from these responsibilities.
Data Users
•Individuals who need and use University Electronic Data as part of
their assigned duties or in fulfillment of assigned roles or functions
within the university community.
•Data users shall observe all applicable federal legislation and
university policy when accessing Electronic Data.
•Data users shall review and follow any documents relating to information
management and security, including procedures and best practices, as
they are made available.
Office of Institutional Effectiveness
DATA REQUEST & REPORTING:
CONFIDENTIALITY/SECURITY
CONSIDERATIONS
Office of Institutional
Effectiveness
The Office of Institutional Effectiveness at
UNCP serves as the central office for
maintenance of data regarding students,
faculty, and staff as well as institutional
programs, services, facilities, and operations.
Most of this data is maintained in the Banner
database and is input by a variety of
people/offices across campus. IE is
responsible for reporting on this data to the
system office.
Data requests
Anyone can request data from IE by completing a
request form at:
http://www.uncp.edu/ie/forms/request/
IE staff will evaluate the request and follow up with
questions if necessary. Some general
considerations are:
• Who? (Who is the requester?)
• What? (What type of data is being requested? E.g.,
student, faculty, staff, facilities, etc.)
• Why? (For what purpose will the data be used?)
• Where? (Where will the data be stored, presented,
published, etc.?)
• When? (In most circumstances, data requests will be
filled within 10 working days.)
In deciding what data can be released & to whom,
IE is guided by
The Association of Institutional Research
(AIR) Code of Ethics (www.airweb.org)
University, state, & federal policies & laws,
e.g.
• Family Educational Rights and Privacy Act
(FERPA)
• Open record laws
Consultations with others, e.g.,
• University Counsel
• Institutional Review Board (IRB)
• DoIT
In general, data can most often be released if
it is in aggregate form; that is, in summary
categories describing groups rather than
individuals.
For individual student data, in keeping with
FERPA, directory information (e.g., name,
address, phone number, e-mail address,
major, dates of attendance, degree received)
is generally releasable to any requester. (See
http://www.uncp.edu/registrar/bulletin/FERPA.htm for
other directory information items. Students may “opt out”
of having their directory information available by
completing a form in the registrar’s office.)
Non-directory information may be
released to faculty and staff IF they have
a legitimate educational interest (i.e.,
they need the information to carry out
their official duties or implement policies
at UNCP).
Non-directory information will NOT be sent
via e-mail (unless encrypted), portable
storage devices, or in print format. In some
instances, it may be saved to a shared
folder on a UNCP server with restricted
access.
UNCP is a public agency, and therefore subject to
federal and state open record laws. This means
that many of UNCP’s records and documents are to
be made available for inspection by any interested
member of the public. Examples include
• Meeting minutes
• Financial reports
• Student & employee directory information
• Employee salary
• Course information such as course schedules and grade
distributions
There are some specific exceptions to the open
record laws, including
• Individual student records as defined in FERPA
• Documents containing personally identifying information such as
social security numbers.
Publicly available data:
www.uncp.edu/ie
Before requesting
data, check IE’s
website for publicly
available
information about
UNCP’s faculty,
staff, and students.
Assessment
College Portrait
Common Data Set
Data Resources
FactBook
Strategic Planning
When in doubt about whether data can be released by virtue
of open record laws, IE consults with University Counsel.
Some data which is not addressed by federal or state law or
regulation, or by other university policy, is nonetheless
considered “sensitive” due to its potential use in identity theft.
IE follows the guidelines of our IT department when
determining if this data can be released.
Individuals requesting non-aggregated student or employee
data for the purposes of research are referred to the university
IRB.
FERPA
Federal Family Educational Rights
and Privacy Act
of 1974
Never use a Social Security number to identify a person, because:
Social Security Number + Date of Birth = CREDIT CARD APPROVAL!
A Banner Student Number is the best student identifier; however,
there are nine identifiers that are classified as Directory Information
at UNC Pembroke and that are releasable to parties other than the
student.
They are:
•Student’s Name
•Address
•Telephone listing
•Email address
•Major field of study
•Recognized school activities, i.e. sports, societies
•Previous institution(s) attended
•Degrees and awards received
•Dates of attendance / enrollment status
FERPA
Federal Family Educational Rights and Privacy Act of 1974
In short, once a student becomes 18 or enrolls in a post-secondary
institution, they have the right to inspect their records and request
amendments, where warranted.
Additionally, with this ownership comes the right to say to whom these
records can be released, e.g., parents.
This means that GRADES, GRADE POINT AVERAGES, and ACADEMIC
PROGRESS cannot be discussed without completing a
FERPA Consent Form, available at the Office of the Registrar.
Questions?
http://www.uncp.edu/registrar/bulletin/FERPA.htm
or Call:
521-6298
Or stop by:
The Registrar’s Office, first floor, Lumbee Hall
Safe Computing Practices
Safeguards to follow for maintaining a
secure data environment
Security is a process, not a product. Therefore, the
objective behind implementing good computing
practices is that good computing habits will develop.
Why are passwords important?
Most computer systems rely on passwords for
authentication. If someone knows your user ID and can
obtain or guess your password…they’re in.
Consequences: A compromised password can result in
fraud; theft or destruction of valuable information; public
disclosure of private information and/or serious legal
liability.
How an attacker can get your
password
Password cracking software
Using “sniffer” software to read passwords from plain
text email or other network traffic
Social engineering (tricking you into divulging your
password)
Passwords stored on your computer in a plain text
(unencrypted) file
Simple guessing of a password based on personal
information
Finding a written down password on your desk, in a
drawer or in the trash
Strong Password
Contains at least 8-12 characters
Contains characters from at least 3 of the following 4
classes:
• Upper case letters
• Lower case letters
• Numerals
• Non-alphanumeric characters
Does not contain words in a dictionary and is not a name
Does not contain any part of the account name
Is not based on personal information
Known only to the user
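The rules on this slide can be turned into an automated check. The following is an added example, not part of the original training material or any UNCP system; the word list, name list and the sample account name `mjacobs` are constructed stand-ins for a real dictionary and directory.

```python
import re

# Constructed stand-ins for a real dictionary and name list (assumption: a
# production check would load a full word list and the campus directory).
DICTIONARY_WORDS = {"password", "welcome", "summer", "pembroke", "braves"}
COMMON_NAMES = {"melanie", "jacobs", "john", "mary"}

MIN_LENGTH = 8        # slide: "at least 8-12 characters"
REQUIRED_CLASSES = 3  # slide: "at least 3 of the following 4 classes"

CLASS_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(password):
    """Names of the character classes present in the password."""
    return {name for name, pat in CLASS_PATTERNS.items() if pat.search(password)}


def contains_account_part(password, account_name, min_part=3):
    """True if any run of min_part or more characters of the account name
    (or of one of its dot/underscore-separated pieces) appears in the
    password, compared case-insensitively."""
    pw = password.lower()
    acct = account_name.lower()
    pieces = [p for p in re.split(r"[^a-z0-9]+", acct) if p]
    for piece in pieces + [acct]:
        for start in range(len(piece) - min_part + 1):
            if piece[start:start + min_part] in pw:
                return True
    return False


def check_password(password, account_name, personal_info=()):
    """Return the list of slide rules the password violates.
    An empty list means the password passes every check."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < REQUIRED_CLASSES:
        problems.append(f"uses only {len(classes)} of 4 character classes")
    lowered = password.lower()
    for word in sorted(DICTIONARY_WORDS | COMMON_NAMES):
        if word in lowered:
            problems.append(f"contains dictionary word or name '{word}'")
            break
    if contains_account_part(password, account_name):
        problems.append("contains part of the account name")
    for item in personal_info:  # e.g. home town, birth year supplied by the caller
        if item and item.lower() in lowered:
            problems.append("based on personal information")
            break
    return problems


if __name__ == "__main__":
    for pw in ("Summer2012!", "Tr0ub4dor&3", "mjacobs1"):
        result = check_password(pw, "mjacobs", personal_info=("Pembroke", "1990"))
        print(pw, "->", result or "OK")
```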
Strong Passwords continued…
Do not use names, people, or places that are identifiable
to you
Never share your password with others
Don’t write it down, post it near your computer or include
it in a data file.
Don’t store passwords in an unencrypted file or send in
an unencrypted email
Don’t store passwords in web applications or software
Use a unique password for each
sensitive account
Hackers know that many people use the same password for different
services. If they manage to crack a password for one user account,
it will often give them access to other services for the same user.
Tip
Unique, strong passwords can be difficult to come up with and
remember. But you don’t need a strong password for all of your
accounts. The strength of your password should be based on the
sensitivity of the data that you are trying to protect.
• Create strong passwords for your most sensitive accounts, such as your
corporate network account and personal financial accounts.
• For non-critical accounts you can use a password that is easier to remember.
Change your passwords
regularly
If someone steals your password you probably will not know it until it
has been used, and perhaps not even then. Changing your password
regularly limits the damage, since the attacker will no longer be able to
use the compromised password.
How often you change your password depends on the sensitivity of the
information you are trying to protect. You should change passwords:
• At least every 90 days for a normal network account
• Every 30 days for highly-sensitive accounts
• Don’t reuse passwords, or significant portions of passwords
• Don’t change a password by incrementing a digit at the end or by
using an easily guessed pattern.
• Pick an entirely new password each time you change it.
Privileged Accounts
For accounts with special privileges (system administrators,
managers, or anyone with high levels of access to applications
systems) protection of passwords is especially important.
Passwords for privileged accounts should be changed more
frequently than every 30 days (or as specified by company policy), and
extra care should be given to the creation of strong passwords.
Temporary Passwords
Temporary passwords are assigned for one-time use to a new user, or
users who have forgotten their password or have been locked out of
the system.
Communicate the password securely. That means give the
password directly to the user, not passed along through a third
party, sent via clear text email or written on a post-it note stuck to
the user’s monitor.
Change the password immediately. Since the temporary password is
known to the system administrator who gave it to you, it must be
changed immediately after you log on.
Password re-set security
questions
BraveWeb provides a reset function for the users who have forgotten
their password. The system asks you to answer a question that you
filled in when you created your account. The questions and answers
are usually based on personal information.
Your answer to the reset question should not be easily guessable. If it
is, someone could reset your password and gain access to your
account.
Passwords are your
responsibility
Passwords are your responsibility and the
only tool that you have to gain access to information.
Give your password away or fail to protect it and you are
responsible for what others do with it.
Web Browsing
The problem with web browsing is this:
Network security systems are good at stopping inbound attacks.
But when you browse the Web, you make an outbound connection to
an external web server and ask it to send files to your computer.
Technical security systems can help keep web browsing safe – but a
lot depends on your security awareness and the actions you
take.
Web browsing do’s and don’ts
Read all dialogue boxes – If a dialogue box pops up asking you to
say yes/No or OK/Cancel to a question, read the message and think
about what you would be agreeing to before you click.
Think before you click on a link – The actual destination of a link
may not be what it seems. Hold your mouse over the link before you
click. The actual destination (URL) should appear in the lower left
window of the browser. Does the destination make sense in the
context of where you are trying to go? If not, don’t click it.
Go only to trusted sites – Use common sense. Particularly when
using your business computer, don’t invite trouble by going to web
sites that are out of the mainstream; stick to websites directly related
to your work.
Block Pop-ups
Pop-up windows on web pages are not just annoying-they are
commonly used to download malicious software or direct you to a
malicious web site.
Set your browser to block pop-ups. (You can allow pop-ups for a
specific site if needed.)
• Internet Explorer: Go to Tools > Internet Options > Content.
Check the box labeled Turn on Pop-up Blocker.
• Firefox: Go to Tools > Options > Content. Check the box labeled
Block pop-up windows.
Email
Viruses are commonly spread by harmful email attachments. Other
types of viruses can infect your computer if you simply open or
preview an email.
Email Attachments
• Unsafe File types. Never open any email attachment with any of the
following file types: .bat, .com, .exe, .vbs
• Unknown file types. Never open any email attachment with a file
type extension that you do not recognize or are not expecting.
• Microsoft Office documents. These can contain viruses as well as
malicious code. Never open an attached .doc, .xls or other Office
document without first scanning it for viruses (our anti-virus
software is set up to do this automatically).
Email (continued)
Think before you click.
• If you receive an email that is obviously spam, don’t give in to
curiosity – DELETE IT!
• If you receive an email containing an attachment that you weren’t
expecting, be suspicious. Call the sender and find out if it is in fact a
legitimate email. Or call the helpdesk for guidance if you are not
sure.
• Don’t trust links in email. The link may not go where it appears to
go. Hold the cursor over the link for a few seconds without clicking.
Your email program should display the actual destination of the link.
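The hover-and-compare check described on the web browsing slide and again here can be automated for an HTML email body: extract every link, compare the text the reader sees with the host the link really goes to, and flag destinations outside the domains you trust. This is an added example, not code from the original training or from UNCP; the sample message is constructed, and `braveweb-login.example.net` is a placeholder in the reserved example.net domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'www.example.com/path' text is accepted too."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def registrable(host):
    """Crude registrable-domain reduction ('www.uncp.edu' -> 'uncp.edu').
    Assumption: a real tool would consult the public-suffix list instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_url(text):
    """True when the visible link text itself reads like a web address."""
    return re.fullmatch(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", text.lower()) is not None


def suspicious_links(html_body, trusted_domains=()):
    """Return [(href, visible_text, [reasons])] for links that deserve a
    second look before clicking."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        lowered = href.lower()
        if lowered.startswith("mailto:"):
            continue  # address links have no web destination to compare
        if lowered.startswith(("javascript:", "data:")):
            findings.append((href, text, ["link target is a script/data URL, not a web page"]))
            continue
        reasons = []
        dest = host_of(href)
        if looks_like_url(text) and registrable(host_of(text)) != registrable(dest):
            reasons.append(f"text shows {host_of(text)} but the link goes to {dest}")
        if dest and trusted_domains and registrable(dest) not in trusted_domains:
            reasons.append(f"destination {dest} is outside the trusted domains")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample message body (not a real email).
SAMPLE_EMAIL = """
<p>Your BraveWeb password expires today. Go to
<a href="http://braveweb-login.example.net/reset">www.uncp.edu/braveweb</a>
now to keep access.</p>
<p>Questions? See <a href="http://www.uncp.edu/registrar/bulletin/FERPA.htm">the
FERPA page</a> or call the helpdesk.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, trusted_domains=("uncp.edu",)):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   -", reason)
```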
Email (continued)
Active scripts
Scripts are small programs that are used to create interactive content in
a web page or in html email.
Email programs let you choose whether or not to allow scripts to run. If
you allow scripts, they can run as soon as you open or preview an
email.
It is dangerous to allow scripts to run in email, because hackers put
them in spam email to download malicious programs or for other
illegitimate purposes.
Email / Internet Scams
Aside from normal spam, be wary of messages or sites that are “too
good to be true”
Things to look for:
• Messages asking for a username/password or credit card
information
• Messages claiming your computer is infected with a virus
• PayPal, eBay, online auctions
• Advance fee – most notably from the Nigerian Central Bank; a
new variant preys on post-9/11 patriotism
Look at http://www.scambusters.org and
http://www.lookstoogoodtobetrue.com/
Email / Internet cont…
Treat all e-mail and Instant Messaging attachments as suspicious
Do not open email from an unknown source
If you get an unexpected attachment from a familiar sender, call the
sender to verify the authenticity of the message
Never forward chain letters
Any protected or sensitive data should not be sent via email,
because email is not encrypted and the data can be easily read.
Email may be subject to North Carolina public records laws. The governor has
mandated a 10 year retention policy (currently this policy is under
review by UNC General Administration).
Third Party Webmail
Third party webmail is an email system other than the official UNCP
email. Examples are Yahoo, Gmail, and Hotmail. Third party email
systems are neither secure nor sanctioned by the University.
Avoid using third party email for University business.
Instant Messaging
• Instant Messaging services do not encrypt messages, so they are
not secure.
• Avoid sending protected and sensitive data via Instant Messaging
DoIT is working on secure Instant Messaging services as part of the
communication server.
Peer-to-Peer File Sharing
Peer-to-peer file sharing systems include
• BitTorrent
• Limewire
• KaZaa
• iMesh
• Gnutella
P2P file sharing converts the user’s desktop into a server, which is a
violation of UNCP’s Appropriate Use Policy. P2P software is often
used to share copyrighted material and is a means of spreading
malware.
Avoid using Peer-to-peer software
What DoIT is doing for you…..
Password-protected screen savers
Windows patches
Windows firewall
McAfee Anti-virus
Clean access for residential and wireless systems
Perimeter firewall and internal virtual LANs
Rogue wireless access point detection
FTP over SSL from off campus via FileZilla and NetDrive
Safeguards for you
Reception computers should not be left unattended
Log off your workstation if you step away
Place monitors in such a way that only you can see the screen
Log out of websites that require authentication as well as close the
browser
Lock your office if possible when you leave the room
Lock down hardware
Secure your office when you are away
Label & protect your storage media
Safeguards…(continued)
Store disks, cassettes, and optical storage media securely
Safeguard hard copies
Do not store your password on your computer or anywhere except in
your memory
Do not share your password with anyone including DoIT staff.
Do not allow anyone else to use your network account nor should
you use someone else’s account
Do not allow someone that you do not know to use your workstation.
Confirm that any visitors in your work area are there for business
Safeguards - backups
There are many different ways to back up data:
• CD and DVD burners
• Zip drives
• Tape drives
• External hard drives
Make backing up your data a habit
Safeguards – Software Updates
Remember to run all security updates and patches
These are meant to protect your computer against attack
Never disable security updates
The most common are Microsoft products:
• Microsoft Windows updates:
http://windowsupdate.microsoft.com
• Microsoft Office (Outlook, Word, Excel, PowerPoint,
Access):
http://office.microsoft.com/officeupdate
Remote Access
•Never store protected or sensitive university data off campus. If you
must take protected or sensitive data off campus encrypt it.
•Password protect mobile storage devices such as flash drives
**The Governor has mandated that all University-owned mobile devices be
encrypted
•Never allow a third party to access University resources or provide
equipment for personal use.
•Keep your computer’s updates and anti-virus software current
Remote Access ….(continued)
•Disable file sharing on any device you use for remote access.
•Disable Bluetooth if you are not using it.
•Verify wireless networking for remote access is secure.
•Only use the VPN when accessing the University enterprise. If you are
not using it then log out.
Malicious Software
What is malicious software?
Malicious software (also called malware, hostile code) is a catch-all
term for any software designed to:
• Cause damage to,
• Steal information from, or
• Otherwise misuse
a single workstation, a server or a network.
There are many types of malware, and malware programs “in the wild” are often a
combination of two or more types.
Some of the major types are:
Viruses
•A fragment of computer code that attaches itself to other code,
including:
•Application software.
•Code used to boot the computer, or
•Macro instructions placed in documents.
•Usually requires some user action to initiate it, such as opening a file
•May run simply by opening an infected web page or html email
•May download a “payload” (another malware file)
Types
•File infecting virus
•Macro Virus
•Script Virus
Virus Protection
You should always have virus protection and
updated virus definitions
Never disable virus protection
Viruses can be transmitted through files
downloaded from the Internet, removable media,
insecure shared computers
Worms
• Similar to a virus, but spreads without any user action.
• Typically scans the Internet looking for other computers that have
vulnerabilities it can attack. Copies itself to vulnerable computers.
• May download a payload (other malware)
• Uses the newly-infected computer to attack other computers
Trojan Horse
Malware that is hidden within another seemingly innocent program or
file. The Trojan is installed without your knowledge when you install the
host file.
Trojans are often hidden in “free-ware” programs, such as:
•Games
•Music or video files
•Cell phone ringers
•File-sharing programs
•Or programs pretending to be anti-spyware tools.
Once installed, the Trojan may:
•Manipulate files on your computer – create, delete, rename, or
transfer files to or from your computer.
•Open a “back door” – a connection from your computer to the
outside, giving an attacker ongoing access.
Spyware
Spyware is a class of malware that collects personal information from
your computer and transmits it to someone. Types of spyware
include:
• Adware – an application program that displays advertising banners
while the program is running. These programs often collect
information about you and pass it on to third parties. They also can
slow down your computer’s performance.
• System monitor – a program that copies information from your
computer and sends it to an attacker. These include:
• Programs that copy screen images, and
• “Keyloggers” that capture your keystrokes.
System monitors can be used to gather information like user IDs,
passwords, credit card numbers and social security numbers.
Why is this important?
Malicious software is a serious problem for businesses. Some of the
effects that malicious software can have are:
• Slow system performance by using up capacity, possibly shutting
down a network
• Capture and transmit confidential information, such as credit card
numbers, user names and passwords, or sensitive information about
your business
• Change data
• Erase files
• Change software configurations
• Give the attacker a connection to your computer for further attacks
How malicious code spreads
Email links – Phishing emails can contain links to malicious web
sites that download malware to your computer.
Email attachments – Viruses can be executed by opening an
attachment. Dangerous attachment types include:
• .exe
• .hta
• .scr
• .reg
• .vbs
• .bat
• .pif
• CDs or flash drives – Malware can be spread from infected storage
media.
• Software vulnerabilities – a locally developed web application
might be vulnerable to malware attacks. Commercial software that
does not have security patches may also be vulnerable.
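The attachment rules from the Email slide and the extension list above can be combined into one triage routine that blocks the listed executable types (including a harmless-looking inner extension in front of the real one, such as `invoice.pdf.exe`), sends Office documents for a scan first, and treats any unrecognised extension as unknown. This is an added example, not code from the original training or from UNCP's mail system; the allow-list and the sample attachment names are constructed.

```python
from pathlib import PurePosixPath

# Extensions the slides say never to open (combined from both attachment lists).
BLOCKED_EXTENSIONS = {".bat", ".com", ".exe", ".vbs", ".hta", ".scr", ".reg", ".pif"}
# Office documents: allowed only after a virus scan.
SCAN_FIRST_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
# Constructed allow-list of types a recipient normally expects (assumption:
# a real deployment would tune this list to its own mail flow).
KNOWN_SAFE_EXTENSIONS = {".pdf", ".txt", ".csv", ".jpg", ".png"}


def classify_attachment(filename):
    """Return (action, reason) where action is 'block', 'scan' or 'allow'."""
    # Lower-case and strip so 'Report.PDF .exe' is handled like 'report.pdf.exe'
    suffixes = [s.strip() for s in PurePosixPath(filename.strip().lower()).suffixes]
    if not suffixes:
        return "block", "no file extension (unknown type)"
    ext = suffixes[-1]
    if ext in BLOCKED_EXTENSIONS:
        # 'invoice.pdf.exe' style: a safe-looking inner extension in front of the real one
        if len(suffixes) > 1 and suffixes[-2] in KNOWN_SAFE_EXTENSIONS | SCAN_FIRST_EXTENSIONS:
            return "block", f"executable type {ext} disguised behind {suffixes[-2]}"
        return "block", f"executable type {ext}"
    if ext in SCAN_FIRST_EXTENSIONS:
        return "scan", f"Office document {ext}: scan for viruses before opening"
    if ext in KNOWN_SAFE_EXTENSIONS:
        return "allow", f"recognised type {ext}"
    return "block", f"unrecognised type {ext}"


def triage(attachment_names):
    """Classify every attachment name; returns {name: (action, reason)}."""
    return {name: classify_attachment(name) for name in attachment_names}


# Constructed sample attachment names for a demonstration run.
SAMPLE_ATTACHMENTS = ["agenda.txt", "budget.xls", "Invoice.PDF.exe",
                      "setup.BAT", "README", "photo.jpg"]

if __name__ == "__main__":
    for name, (action, reason) in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{action:5s} {name:20s} {reason}")
```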
How malicious code spreads
….(continued)
Pop-up windows – A phony system message or pop-up ad may
trick you into clicking a link that downloads malicious software.
Instant Messaging (IM) – Links and files can be sent through
Instant Messaging. These can install viruses or trojans.
Software and files – Important-looking software or files can contain
trojans.
Email containing malicious scripts – Viruses can affect your
computer simply by viewing or previewing an email, if your email
settings permit the execution of scripts in HTML emails.
Web pages with malicious scripts – If you have active scripting
enabled on your browser, a web page can download malicious
software simply by connecting to the URL.
Guidelines for preventing
infections
Patches – Keep security patches up-to-date (ex: Microsoft updates).
Most viruses work by exploiting known software flaws and can be
prevented by applying the latest patches.
Use an anti-virus program – And keep it up-to-date. Keep the virus
definition updated daily, and perform a complete system scan
weekly.
Use anti-spyware program – These programs also need to be
updated and scanned regularly to detect the latest spyware threats.
Back up your files – Back up your files regularly and store them on
the University network to ensure they are safe.
The only method for reliably clearing an infected machine is to
wipe the hard drive. You must assume that all of your data on
the hard drive will be lost if your computer is infected with a
virus. This is why it’s important to make backing up your data a
habit.
Guidelines for preventing
infection….(continued)
Downloads – Scan software from public sources (such as shareware) before you download and execute it.
Pop-ups – Enable pop-up blocking in Firefox or Internet Explorer.
• Think before you click. A window that might look like an important system
message could be a fake that will download malicious software if you click on it.
• Read all messages and understand what you are agreeing to before you click OK.
• Do not trust the buttons in pop-up ads. The entire window could be a malicious
link.
• To close the pop-up, RIGHT-click on it to display a command menu, then select
Close.
Guidelines for preventing infection (continued)
Email – Don't trust an email just because it comes from someone
you know. Worms spread by emailing themselves to everyone in the
address book of an infected computer, so they are very likely to
arrive from a known sender.
Executable files – Never open an executable file received in email.
Don't download email that is obviously spam. Even if your network is
protected by spam filtering software that catches most spam, some
will get through.
Email attachments – Don't open an email attachment unless you
were expecting it and you are sure you know what it is.
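The following Python script is an added example, not part of the UNCP training material, showing how the attachment rules above (never open executables; be suspicious of unexpected attachments) can be checked mechanically. It classifies attachment file names by extension and catches two common disguises: a double extension such as invoice.pdf.exe (often padded with spaces so the real extension scrolls out of view) and a Unicode right-to-left override character that makes an .exe display as a .pdf. The extension lists and the sample file names are assumptions constructed for this example; a real mail gateway keeps far longer lists and also inspects file content rather than trusting the name.

```python
from __future__ import annotations

import unicodedata

# Added example, not from the UNCP training material. The extension lists are
# assumptions for illustration; a real mail gateway keeps far longer lists and
# inspects file content rather than trusting the name.

# Extensions Windows runs as code when the file is double-clicked.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe", ".js",
    ".jse", ".wsf", ".wsh", ".ps1", ".msi", ".hta", ".lnk", ".jar", ".cpl",
}
# Office formats that can carry macros: not executable by themselves, but risky.
MACRO_CAPABLE = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
# Archives: the contents are unknown until extracted, so they get a warning.
ARCHIVES = {".zip", ".7z", ".rar", ".iso", ".img"}
# Decoy extensions attackers place before the real one ("report.pdf.exe").
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_attachment(filename: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'warn' or 'allow'."""
    # A right-to-left override (U+202E) makes "notes\u202efdp.exe" render as
    # "notesexe.pdf"; any bidirectional override in a file name is a disguise.
    if any(unicodedata.bidirectional(ch) in ("RLO", "LRO", "RLE", "LRE") for ch in filename):
        return "block", "bidirectional override character hides the real extension"
    # Strip padding spaces: "photo.jpg          .scr" pushes the .scr off-screen.
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2 or parts[-1] == "":
        return "warn", "no usable extension; type cannot be told from the name"
    ext = "." + parts[-1]
    if ext in EXECUTABLE_EXTENSIONS:
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
            return "block", f"double extension: looks like .{parts[-2]} but runs as {ext}"
        return "block", f"executable attachment ({ext})"
    if ext in MACRO_CAPABLE:
        return "warn", f"macro-enabled Office document ({ext})"
    if ext in ARCHIVES:
        return "warn", f"archive ({ext}); contents must be checked after extraction"
    return "allow", f"not an executable type ({ext})"


def triage(attachments: list[str]) -> dict[str, list[str]]:
    """Group one message's attachment names by verdict."""
    result: dict[str, list[str]] = {"block": [], "warn": [], "allow": []}
    for name in attachments:
        verdict, _ = classify_attachment(name)
        result[verdict].append(name)
    return result


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real message.
    sample = [
        "agenda.docx",
        "invoice.pdf.exe",
        "photo.jpg                                    .scr",
        "notes\u202efdp.exe",
        "budget.xlsm",
        "Setup.MSI",
        "archive.zip",
        "README",
    ]
    for name in sample:
        verdict, reason = classify_attachment(name)
        print(f"{verdict:5}  {name!r}: {reason}")
```

Run it directly to see a verdict for each constructed name. The check belongs at the mail gateway or in the mail client, and a name-based rule is only the first filter: the gateway should also look at the file's actual content type, since an executable can be renamed to anything.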
Range of Disciplinary Sanctions
Persons in violation of this policy are subject to a full range of
sanctions, including, but not limited to, disciplinary action or dismissal
from The University of North Carolina at Pembroke. Any sanctions
against employees will be imposed through procedures consistent with
any applicable state regulations. Some violations may constitute
criminal or civil offenses, as defined by local, state and federal laws,
and the University may prosecute any such violations to the full extent
of the law.
What is Authentication?
Authentication is a means to control access to
information resources by verifying the identity of a user
logging into an account, or onto a computer or network.
Knowledge of the password is assumed to guarantee
that the user is authentic. The problem is that passwords
can often be guessed, stolen, accidentally revealed, or
forgotten. The information in this section can help you
mitigate the risks associated with password
authentication.
Unauthorized Access
Can be accomplished over any connection to a computer
or network using most services (Telnet, HTTP/Web, FTP,
email, etc.).
The attacker must somehow compromise authentication (password,
PIN, token, smart card) to gain access.
Once access is gained, malicious activity can occur.
Encryption
Protects data in transit and data stored on disk.
Encryption is the process of transforming readable data (plaintext)
into unreadable ciphertext using a key; decryption reverses it with
the matching key. Without the correct key the data cannot be read.
Common uses of encryption include the following technologies:
Virtual Private Networking (VPN) – Used to secure data
transfer across the Internet
Secure Sockets Layer (SSL; its modern successor is TLS) – Used to
secure client-to-server web-based transactions
S/MIME – Used to secure e-mail messages
Wired Equivalent Privacy (WEP) protocol – Historically used to
secure wireless transactions. WEP is cryptographically broken and
should not be relied on; use WPA2 or WPA3 instead.
Helps defend against the following attacks:
Data sniffing (eavesdropping) and, when combined with
authentication of the endpoints, spoofing
Wireless attacks
Accountability
Computing accounts are created for each individual
allowing access through authentication.
Since computing accounts uniquely identify each user,
you are responsible for any activity generated by your
account.
Accountability
Disable any file sharing capabilities that you may have
enabled with a file sharing program (e.g., Limewire or
BitTorrent) to help prevent unintended access to your
computing files & to ensure your computer isn’t offering
copyrighted material.
Comply with UNCP rules and System policies, and all
relevant laws (local, state, and federal), license
agreements (e.g., copyright), & contracts.
Accountability
Use computing resources only for their intended
purposes or incidental personal use.
Act responsibly and ethically, and respect the rights of
other users in online forums.
Protect confidential information stored under your account, or
that your account has access to.
Inappropriate Use
Computing accounts and other computing resources are
to be used according to the university-related activities
for which they are assigned. However, it is possible to
misuse your account and/or other computing resources.
Examples of Inappropriate Use
Allowing someone to use your account or using someone
else's account.
Using your account or computing resources for unauthorized
commercial purposes or personal gain.
Assuming the identity of someone else without his/her
permission.
Using your account or computing resources for illegal
activities.
Failure to fulfill these responsibilities can lead to:
The restriction or denial of access to computing
resources or computing privileges
Other disciplinary action by the University
Law enforcement involvement
Confidentiality
Confidentiality is the guarantee that information is
disclosed only to those who are authorized to know it.
In some instances, federal funds can be withheld from
the entire university if breaches of confidential
information are identified as a problem. Therefore, it is
imperative that you know what information to protect and
how to protect it.
Confidentiality
Various types of information, such as student records
and patient health information, are defined as
confidential. As an employee of UNCP, you may have
access to confidential information, and you are obligated
to protect the privacy of that information.
All university employees are responsible for becoming
familiar with Federal and State laws, policies, and rules
regarding confidential information in order to ensure that
confidential information is appropriately protected and
not disclosed to unauthorized persons.
Policies are found at http://www.uncp.edu/doit/policies/
Social Engineering
What is social engineering?
• Social engineering is manipulating behavior
through psychology.
• A set of psychological tactics used by hackers to
gain access to restricted information.
• In more simple terms: conning someone into
giving out confidential information.
Searching for an easy way in
Vulnerabilities are weaknesses in security that
an attacker uses to gain access to a computer
system or to confidential information.
• People – actions or inactions of users
• Processes – lack of defined policies, or failure
to follow them
• Technology – insufficient or improperly
configured technical systems.
People are the weakest link in security
Strategies of social engineering
The objective is to gain your trust.
Here are some examples the attacker might
employ.
• Friendliness/persuasion
• Impersonation
• Confusion/intimidation
Facebook and Twitter are some examples of where
social engineering can take place.
Minimize the risks to your wireless network
Restrict access - Only allow authorized users to access
your network. Each piece of hardware connected to a
network has a MAC (media access control) address. You
can restrict or allow access to your network by filtering
MAC addresses. Note that MAC addresses are sent in the clear
and can be copied by an attacker, so MAC filtering only deters
casual access; the real control is encrypted, authenticated
Wi-Fi (WPA2 or WPA3 with a strong passphrase).
Wireless (continued)
Install a firewall - While it is a good security
practice to install a firewall on your network, you
should also install a firewall directly on your
wireless devices (a host-based firewall).
Attackers who can directly tap into your wireless
network may be able to circumvent your network
firewall—a host-based firewall will add a layer of
protection to the data on your computer.
Mobile Computing
Mobile computing devices have become very common
92% of business travelers use a laptop on the road
63% carry mobile phones used for business
21% carry PDAs
Approximately 30% of mobile devices carry “mission
critical” or highly confidential business information
Among those who use a PDA for business, 25%
have lost one.
Mobile Computing Security Risk
Easily lost or stolen because of their size.
Wireless capabilities pose a risk of unauthorized
connection to your device, or snooping of information
broadcast over a wireless network.
Users often download risky content, such as games or
ring tones, that can contain viruses and spyware.
Computers outside the campus network are not
protected by the network firewall and other security
systems.
Consequences of a security breach involving a mobile device
• Disclosure of confidential information, through someone accessing
files on your laptop, PDA or phone, or an intruder intercepting
messages sent over the Internet or a wireless network.
• Loss of important information, when a mobile device is lost, stolen,
or damaged and you did not save backup copies of the information.
• Malware infection, which can be transmitted to the campus
network.
Business travel security tips
Store data on a network server
• Sensitive information should always be stored on a
network server, not on the computer’s hard drive where it
can be easily stolen or damaged.
This is especially true of mobile computing devices.
Business travel security tips
Backup your data before you leave
If you have data on a mobile device that isn’t stored
anywhere else, make sure you save a backup copy to
the network, a flash drive, or a disk before you leave.
Check your laptop for sensitive data
Always check your device to make sure you know
what data it contains.
Security Incidents
A security incident is an event, either accidental or
deliberate, which results in unauthorized access, loss,
disclosure, modification, disruption, or destruction of
computing information resources. If you think that a
security incident may have occurred, report it
immediately to the DoIT staff (Help Desk).
Refer to our website for additional security information
http://www.uncp.edu/doit/security
State Required Changes
Strong passwords with 90-day expiration
Password-protected screen saver
Accounts inactive for 30 days must be disabled
Separate accounts for administrative privileges with a 30-day
expiration
Laptop and mobile device encryption
The state has an Internet security policy and the
entire UNC system is held to this policy
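As an added example (not code from the UNCP deck or from the state policy), the Python script below audits a list of account records against the day limits listed above: 90-day password expiration, 30-day expiration for separate administrative accounts, and disabling of accounts inactive for 30 days. The Account record layout, the password-strength rules (the slide does not define "strong") and the sample records are assumptions made for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Added example, not part of the UNCP training deck. Day limits come from the
# "State Required Changes" slide; the Account layout, the strength rules and the
# sample records are assumptions made for this example.

PASSWORD_MAX_AGE_DAYS = 90        # ordinary accounts
ADMIN_PASSWORD_MAX_AGE_DAYS = 30  # separate administrative accounts
INACTIVITY_DISABLE_DAYS = 30      # disable after this many days without a login

# Assumed definition of "strong": the slide does not give one.
MIN_PASSWORD_LENGTH = 12
COMMON_PASSWORDS = {"password", "welcome1", "changeme", "letmein", "qwerty123"}


@dataclass
class Account:
    username: str
    is_admin: bool
    created: date
    password_set: date
    last_login: date | None = None   # None: never logged in since creation
    enabled: bool = True


def password_is_strong(password: str, username: str) -> bool:
    """Length, three of four character classes, no username, not a common password."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    if username.lower() in password.lower():
        return False
    if password.lower() in COMMON_PASSWORDS:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, password)) for c in classes) >= 3


def audit_accounts(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Return {username: [findings]} for enabled accounts that breach a rule."""
    findings: dict[str, list[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing left to enforce
        issues = []
        limit = ADMIN_PASSWORD_MAX_AGE_DAYS if acct.is_admin else PASSWORD_MAX_AGE_DAYS
        pw_age = (today - acct.password_set).days
        if pw_age > limit:
            issues.append(f"password is {pw_age} days old (limit {limit}); force a change")
        # An account that has never logged in is idle since it was created.
        idle = (today - (acct.last_login or acct.created)).days
        if idle > INACTIVITY_DISABLE_DAYS:
            issues.append(f"no login for {idle} days (limit {INACTIVITY_DISABLE_DAYS}); disable")
        if issues:
            findings[acct.username] = issues
    return findings


SAMPLE_TODAY = date(2024, 3, 1)


def sample_accounts() -> list[Account]:
    """Constructed sample records, not real UNCP accounts."""
    return [
        Account("jsmith", False, date(2023, 1, 10), date(2023, 11, 1), date(2024, 2, 28)),
        Account("jsmith-adm", True, date(2023, 1, 10), date(2024, 1, 15), date(2024, 2, 27)),
        Account("guest", False, date(2023, 9, 1), date(2023, 9, 1), None),
        Account("old-user", False, date(2022, 5, 1), date(2022, 5, 1), date(2022, 6, 1), enabled=False),
    ]


if __name__ == "__main__":
    for user, issues in audit_accounts(sample_accounts(), SAMPLE_TODAY).items():
        for issue in issues:
            print(f"{user}: {issue}")
    print("Correct-Horse-42 strong:", password_is_strong("Correct-Horse-42", "jsmith"))
```

The audit deliberately skips accounts that are already disabled and treats a never-used account as idle from its creation date, so a forgotten guest or service account is flagged on the same 30-day rule as a departed user. In a real deployment the records would be pulled from the directory service and the findings fed to the account-disable workflow rather than printed.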