A False Sense of Security - PowerPoint PPT Presentation

Slides: 26
Provided by: stephenp76

Transcript and Presenter's Notes

Title: A False Sense of Security


1
A False Sense of Security
2
US Veterans Administration
  • In May 2006, personal data, including Social
    Security numbers of 26.5 million U.S. veterans,
    was stolen from a Veterans Affairs employee after
    he took the information home without
    authorization.

Source: The Chronicle of Higher Education, May 6, 2005
3
University of Connecticut
  • Last July (2005), a hacker breached a server at
    the University of Connecticut that stored the
    personal information of 72,000 students, faculty
    and staff.

Source: The Chronicle of Higher Education, May 6, 2005
4
University of California at Berkeley
  • A person walked into an office on the campus and
    stole an employee's laptop. The computer
    contained the names and Social Security numbers
    of 98,000 graduate students and other people.

Source: The Chronicle of Higher Education, May 6, 2005
5
Closer to Home
  • A clerical oversight in trying to back up
    student information was discovered at Ole Miss in
    the Spring of 2005 that made about 700 student
    names and Social Security numbers from August
    2003 accessible to Internet search engines such
    as Google.

6
Significant security incidents
Source: www.privacyrights.org, August 23, 2006
7
Security Awareness
  • Description
  • Security awareness is the knowledge of potential
    threats and the ability to anticipate what types
    of security issues and incidents faculty, staff,
    and students may face in their day-to-day
    functions. Technology alone cannot provide
    adequate information security. Awareness and
    personal responsibility are critical to the
    success of any information security program.
  • Krizi Trivisani, Chief Security Officer, The
    George Washington University

8
Why Protect this Data?
  • Identity Theft
  • Financial - Gramm-Leach-Bliley
  • Personal Information
  • Health related - HIPAA
  • Any other personal information
  • Grades - FERPA

9
What are the Threats?
  • Inadvertent
  • Malicious
  • Current Blocked External Hosts

10
Inadvertent
  • Viruses
  • Spyware
  • Security Holes in the Operating System
  • Unsecured User accounts
  • Improper storage and transmission of data
  • Paper Documents
  • Electronic Documents
  • Hardware Failure

11
Malicious Attacks
  • Trojans
  • Worms
  • Denial of Service Attacks
  • Network Port Scans for available services
  • Brute Force password hacking
  • Social Engineering
  • Phishing Attempts are increasing
  • RootKits

12
Phishing Examples
13
More Phishing

14
General Tips on Phishing
  • NEVER CLICK ON A LINK IN Email
  • Phishing sites typically ask for your Credit Card
    or other confidential information directly from
    the link.
  • Never respond to requests for personal
    information via e-mail.
  • Only visit Web sites by typing the URL into your
    address bar or using your favorites.
  • Check to make sure the Web site is using
    encryption.
  • Routinely review your credit card and bank
    statements.
  • Report suspected abuses to the proper
    authorities.

15
How Does IT Protect the Data
16
How do we Protect the Data?
  • Ownership of Data
  • If you have access and you don't need it, let IT
    know
  • If you don't need a local copy of data from the
    system, don't make it.
  • Destroy local copies when they are no longer
    needed
  • Install Desktop Firewall Software on ANY PC
    containing sensitive data.

17
How do we Protect the Data?
  • Physical Security
  • Laptops
  • Backups
  • Portable storage

18
How do we Protect the Data?
  • Transmission or Transportation of Data
  • Email
  • File sharing
  • Portable storage

19
How do we Protect the Data?
  • Keep the tools Sharp
  • Anti Virus Software and updates
  • Anti Spyware Software and updates
  • Windows Updates
  • Desktop Firewall Software (Symantec Client 3 or
    ZoneAlarm)
  • Strong Passwords
  • Set them
  • Use them
  • Change them often

20
How do we Protect the Data?
  • Disable any user accounts not necessary (Guest)
  • Deactivate peer-to-peer file sharing when not in
    use or when not necessary for job function
  • DO NOT RUN Server Software if not absolutely
    necessary
  • FTP Server
  • WEB Server
  • SMTP (E-Mail) Server
  • IRC Server
  • Run personal Firewalls (Symantec Client 3 or
    ZoneAlarm)
  • Shutdown PC when not in use
  • Wipe hard drives before salvaging

21
Security Checklist
  • Assign a data security custodian
  • Keep operating system patches up to date (daily)
  • Install antivirus software and configure daily
    updates
  • Install and configure anti-Spyware software
  • Enable personal desktop firewall
  • Secure PC user accounts and processes

22
Security Checklist
  • Utilize good passwords and change them at least
    every 90 days
  • NEVER use email to transmit Confidential data
  • Exercise Extreme Caution Using Peer-to-Peer File
    Sharing
  • Be very cautious with email attachments
  • Perform regular scheduled backups
  • Avoid Programs containing Spyware
  • Shutdown your computer when not in use

23
Resources
  • Ole Miss Security Web Site
  • http://itsecurity.olemiss.edu
  • Ole Miss Policy Directory
  • http://www.olemiss.edu/policies
  • How Secure Are You?
  • http://www.staysafeonline.info/e-quiz.html

24
Resources
  • David Drewrey
  • davidd_at_olemiss.edu
  • Phone 662.915-5210
  • Complaints
  • complaint_at_olemiss.edu
  • Remember, the Hacker only has to be right once...

25
Questions