Information Security 2013 Roadshow

Roadshow Outline
Why We Care About Information Security
Safe Computing
• Recognize a Secure Web Site (HTTPS)
• How to Spot a Spoofed Web Site
• Recognize a Phishing Attempt
• What is Social Engineering
Privacy and Compliance
• PCI/HIPAA/FERPA
• Policy
• Privacy and Best Practice

Why We Care About Information Security
Personal Reasons:
• Identity Theft
• Loss of Data
• Financial Loss
• Poor Computer Performance
Institutional Reasons:
• Protect Middlebury College
• Compliance with Laws and Standards
• Prevent Reputational Damage
• Reduce Legal Liability for the College
• As Well As the Personal Reasons Listed Above

How Do I Know a Web Site is Secure?
• HTTPS in the address bar is an indicator of a secure web site. It means the connection to the site is encrypted and the server presented a certificate for that hostname; it does not by itself mean the site is the one you think it is, because a spoofed site can use HTTPS too.
• A web site encrypted with SSL should display a padlock icon near the address bar.
• Not all devices or browsers display the indicator the same way.

What is a Spoofed Web Site
• Just because the site looks like Middlebury does not mean it is.
• Check the address or URL: the hostname (the part between https:// and the next /) must be middlebury.edu or end in .middlebury.edu. Look-alikes such as middlebury.edu.example.com or middlebury-edu.com are not the College.
• Never enter login information unless the site is secure and you have checked the URL.

How to Spot Phishing
• Do NOT click on links or open attachments in suspicious emails!
• Forward all suspected phishing messages to phishing@middlebury.edu before deleting the message.
• If you fall victim to a phishing attack, RESET your password immediately and then call the Helpdesk!

What Phishing Can Do
• Infect a system with malware
• Mislead a user into giving up credentials
• Compromise email with rules and scripts
• Set the stage for a larger attack
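The two checks the slides describe for a login page (HTTPS in the address bar, and a hostname that really belongs to the College) written out as a small URL checker. This is an added example, not code from the Roadshow slides or from Middlebury; the rule that only middlebury.edu and its subdomains are trusted, and the sample URLs, are assumptions for illustration.

```python
"""Check whether a login URL actually belongs to the expected site.

Added example, not part of the Roadshow slides. It applies the two rules the
slides give: the page must be served over HTTPS, and the hostname shown in the
address bar must be the College's own domain. The trusted domain below is an
assumption for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit

TRUSTED_DOMAIN = "middlebury.edu"  # assumed: the only domain logins are accepted on


def check_login_url(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only when every check passes."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")  # hostname excludes port and userinfo

    if parts.scheme.lower() != "https":
        return False, f"not HTTPS (scheme is {parts.scheme or 'missing'!r})"
    if not host:
        return False, "no hostname in URL"
    # https://middlebury.edu@evil.com/ has hostname evil.com; the trusted name is
    # only the userinfo part. A login URL should never carry userinfo at all.
    if parts.username is not None:
        return False, "URL contains a username before the hostname"
    # Internationalized hostnames (raw non-ASCII or punycode 'xn--' labels) can
    # contain look-alike characters; flag them rather than trying to compare.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, f"hostname {host!r} uses non-ASCII or punycode labels"
    # Exact match or a real subdomain: 'go.middlebury.edu' passes;
    # 'middlebury.edu.evil.com', 'middlebury-edu.com', 'notmiddlebury.edu' do not.
    if host != trusted_domain and not host.endswith("." + trusted_domain):
        return False, f"hostname {host!r} is not {trusted_domain} or a subdomain of it"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, the rest typical spoofing patterns.
    for sample in [
        "https://go.middlebury.edu/infosec",
        "http://go.middlebury.edu/infosec",
        "https://middlebury.edu.login-verify.com/",
        "https://middlebury-edu.com/login",
        "https://middlebury.edu@evil.com/",
        "https://xn--mddlebury-q4a.edu/",
    ]:
        ok, reason = check_login_url(sample)
        print(f"{'OK  ' if ok else 'WARN'} {sample}  ({reason})")
```

The check only looks at the URL string; it says nothing about whether the certificate is valid, which is what the browser's padlock tells you. Use both.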
What is FakeAV
• Tries to look like regular anti-virus software.
• Clicking on the warning downloads the malware.
• Often the best response is a hard shutdown of the system rather than interacting with the pop-up.
• Know what your real AV warnings look like.
• Sophos Anti-Virus offers web protection that helps block the downloads FakeAV attempts.

Social Engineering
• Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims. (From Wikipedia)
Examples:
• You are in a hotel and receive a call from the front desk to confirm your credit card details.
• You receive a call at work from support services asking for your password to fix a problem on your computer.
• You are at home and get a call from the help desk asking for your login information to reset your email account.
What Laws Protect Information Here at Middlebury
• Family Educational Rights and Privacy Act (FERPA) = Student Data
• Health Insurance Portability and Accountability Act (HIPAA) = Health Data
• Sarbanes-Oxley Act (SOX) = Financial Data for Businesses
• Gramm-Leach-Bliley Act (GLBA) = Financial Data for Lending Institutions
• VT Act 162 = Data Breach Notification & SSN Handling
• Payment Card Industry Data Security Standard (PCI DSS) = Credit/Debit Card Data

What Policies Protect Information Here at Middlebury
• Privacy Policy = Confidentiality of Data http://go.middlebury.edu/privacy
• Network Monitoring Policy = Protection of College Technology Resources http://go.middlebury.edu/netmon
• Technical Incident Response Policy = Response to Information Security Events http://go.middlebury.edu/tirp
• Data Classification Policy = Defines Data Types (not in the handbook as of yet)
• Red Flags Policy = Identity Theft Protection (not presently in the handbook)
• PCI Policy = Payment Card Data Handling http://go.middlebury.edu/policy?pci
Other Policies Live Here: http://go.middlebury.edu/handbook

What are Some Best Practices
Do
• Look for HTTPS and other key address indicators when you are going to different web sites.
• Use a strong challenge question in Banner SSB.
• Redaction: remove or mask (block out) personally identifiable information when sharing data.
• Be suspicious of unsolicited email or phone calls.
Do
• Lock your computer or secure information when you leave your work space.
• Use anti-virus on both your work and home systems.
• Use secure passwords which you change often. This also applies to mobile devices.

What are Some Best Practices
Do Not
• DO NOT write down or share your passwords. Tools such as eWallet or 1Password work well as secure password storage alternatives.
• DO NOT store confidential data on unencrypted thumb drives or other unsecured media. If you need to transfer the data, encrypt the file or password protect the file, and keep a master copy on the server.
Do Not
• DO NOT place confidential data in email. Email a link to where the file is stored instead. This may add complexity but increases security. Windows Explorer can show you the path to the location of the file.
• DO NOT record sensitive data on the College web site, blog or wiki.

Discussion and Links
Please share your thoughts!
Information Security Resources:
http://go.middlebury.edu/infosec
http://go.miis.edu/infosec
Report Information Security Events To: infosec@middlebury.edu
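The redaction best practice above ("remove or mask personally identifiable information when sharing data") carried out in code for two of the data types the compliance slides name, Social Security numbers (VT Act 162) and payment card numbers (PCI DSS). This is an added example, not code from the Roadshow slides or from Middlebury; the input record is constructed, and the masking rules (keep the last four digits, treat a digit run as a card number only if it passes the Luhn check) are assumptions for illustration.

```python
"""Mask SSNs and payment card numbers in text before it is shared.

Added example, not part of the Roadshow slides. Assumptions for illustration:
SSNs are written ddd-dd-dddd; card numbers are 13 to 19 digits, optionally
separated by spaces or dashes, and must pass the Luhn checksum; the last four
digits are kept so the record stays recognizable to its owner.
"""
from __future__ import annotations

import re

# SSN: reject the area/group/serial values that are never issued (000, 666, 9xx; 00; 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13-19 digits with optional single space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers. Filtering candidates with it
    keeps phone numbers, order IDs and similar digit runs from being masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_ssn(m) -> str:
    return "XXX-XX-" + m.group(0)[-4:]


def _mask_card(m) -> str:
    raw = m.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        return raw              # not a card number; leave it untouched
    masked = "*" * (len(digits) - 4) + digits[-4:]
    # Put the original separators back so the layout of the record is unchanged.
    out, j = [], 0
    for ch in raw:
        if ch in " -":
            out.append(ch)
        else:
            out.append(masked[j])
            j += 1
    return "".join(out)


def redact(text: str) -> str:
    """Return text with SSNs and Luhn-valid card numbers masked."""
    text = SSN_RE.sub(_mask_ssn, text)
    return CARD_RE.sub(_mask_card, text)


# Constructed sample record: one SSN, one real (test) card number, one phone
# number, one 16-digit order ID that fails Luhn and must survive unchanged.
SAMPLE = ("Refund for Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111, "
          "phone 802-443-5000, order 1234 5678 9012 3456")

if __name__ == "__main__":
    print(redact(SAMPLE))
```

Masking rather than deleting keeps the record usable (the last four digits still let the owner recognize it) while the full value never leaves the system of record, which is also what the "email a link, not the file" rule above is aiming at.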