Defensive Computing #2: Information Security For . Banks, Faculty and Staff

Transcript of Defensive Computing #2: Information Security For . Banks, Faculty and Staff.

Page 1: Title slide

Defensive Computing #2. Information Security For . Banks, Faculty and Staff

Page 2: Why do we need to practice Defensive Computing?

“In 2005, over 130 major intrusions exposed more than 55 million Americans to the growing variety of fraud as personal data like Social Security and credit card numbers were left unprotected, according to USA Today.”

“The Treasury Department says that cyber crime has now outgrown illegal drug sales in annual proceeds, netting an estimated $105 billion in 2009.”

Page 3: Common Security Problems of Educational Institutes

• Constant attacks by Viruses, Worms, Keyloggers and Bots.
• Hacking Software, Wireless Transmission Intercepts.
• Email Scams (a.k.a. “Phishing”) targeting sensitive info.
• Social Engineering Attempts (persons posing as staff).
• Criminal and Illegal acts (Copyright Violations, Child Porn).
• Computer Users who fail to protect passwords.
• Employees who fail to Protect Sensitive Information.
• Possible victims who fail to report security issues.

Page 4: Viruses, Worms, Keyloggers and Computer Bot Networks

• Viruses are programs that are spread by infected email attachments, media (such as floppy disks, thumb drives, CDs), and software internet downloads (a.k.a. malware or spyware).

• Worms can infect other computers by using the infected machine's email address book and sending themselves to those listed.

• Keyloggers are often a payload of Viruses and Worms but can be installed manually on unsecured computers. They record keystrokes and can report user passwords back to the hacker. Be cautious of keyloggers when using non-. computers (e.g. kiosks, computers at hotels, department stores, conferences).

• Bots are very sinister and allow hackers to remotely survey compromised computers for sensitive information. Bots even allow hackers to remotely turn off infected computers, which could result in widespread system outages.

• To protect your computer, use an anti-virus program and update it as needed. Also install the latest software patches. Contact your network manager to find out if all of the software running on your . computer is up to date with the latest patches. To ensure compatibility and security, contact your network manager before installing or downloading any software.

Page 5: Hacking Software and Wireless Transmission Intercepts

• Hacking Software can be used by hackers to access a network and record passwords by simply installing it on a machine that is connected to the network.

• Hacking software can also be used to intercept Wireless Transmissions during credit card or debit card transactions. The information is then used to access your bank accounts or to create fraudulent credit cards in your name.

• When shopping you may want to use a credit card instead of a debit card, so that if the information is intercepted or the card is stolen it cannot be used to access your bank account.

Page 6: Email Scams (a.k.a. “Phishing”)

• Emails sent to computer users are sometimes disguised as coming from a bank or financial institution in order to trick you into giving up sensitive information such as bank account numbers.

• They also ask for credit card numbers, date of birth, SSNs, and other information that will help them create an identity in your name. With this they will rob you of your money or commit crimes using a fraudulent ID based on your information.

• Another risk is that any link in the email may take you to a website that automatically installs a virus or a bot onto your computer. This will allow a hacker to monitor your activity on the computer in much the same way “cookies” allow retailers and internet sites to monitor your web browsing activity.

Page 7: Social Engineering

• Social engineers are not always hackers: a person conducting a Social Engineering Attempt is trying to gain access to targeted information by pretending to be someone they are not.

• They may do this by calling you on the phone, by visiting you in person, or even by staging events that make it appear that they are legitimate personnel responding to a crisis.

• Examples may be a person pretending to be a law enforcement agent, emergency services personnel, tech support staff, or even a family member or relative of their target: anything to win your trust and gain access to sensitive information.

• Sometimes they may simply do a “walk through”, in which they walk through an area and see what files or passwords they can find left out on office desks. Areas that may be especially targeted are reception areas, front desks, offices, or server/switch closets that are unlocked or easily accessible.

Page 8: Protect Your Password

• Your password is your first line of defense!
• Never use common words that might be found in the dictionary. Hackers can easily crack these passwords with specialized software, giving them full access to your computer.
• Use a minimum of eight characters including lower case and upper case letters, and a combination of numbers and symbols.
• An easy way for you to remember your password is to create one based on a phrase or the title of a favorite book or song.
• An example would be “Yellow Rose of .” (i.e. Y3!!0W*Tz).
• Pass phrases provide additional security (i.e. I L!ke th4 s0ng Y3!!0W*Tz).
• Never write down your password if possible; if you do, then at least do not leave it in the open, such as stuck to the side of your computer monitor!
• Change your password often!
• Do not give your password to anyone, not even the Helpdesk!
• Never use your EUID or password for non-. systems.
• Avoid the “save my password / remember my password” option.
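A small checker for the rules on this slide, added here as an example and not part of the original training deck. The word list is a constructed stand-in for the dictionary a cracking tool would load; the de-leet step shows why a single dictionary word disguised with digit swaps (P4$$w0rd) is still weak even though it satisfies every complexity rule, while the slide's own examples pass.

```python
import string

# Constructed stand-in for the word list a password-cracking tool would load
COMMON_WORDS = {"password", "yellow", "rose", "sunflower", "welcome", "letmein", "monkey"}

# Digit/symbol-for-letter swaps that cracking software tries automatically;
# '!' -> 'l' is the swap used in the slide's own example
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "l",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def _deleet(pw):
    """Undo the common swaps and keep letters only, e.g. 'P4$$w0rd' -> 'password'."""
    return "".join(ch for ch in pw.lower().translate(LEET) if ch.isalpha())


def check_password(pw):
    """Return the names of the slide's rules that pw fails (empty list = passes)."""
    failures = []
    if len(pw) < 8:
        failures.append("too_short")
    if not any(c.islower() for c in pw):
        failures.append("no_lowercase")
    if not any(c.isupper() for c in pw):
        failures.append("no_uppercase")
    if not any(c.isdigit() for c in pw):
        failures.append("no_digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no_symbol")
    # A dictionary word, plain or disguised with swaps, is still one guess for a cracker
    if pw.lower() in COMMON_WORDS or _deleet(pw) in COMMON_WORDS:
        failures.append("dictionary_word")
    return failures


if __name__ == "__main__":
    for candidate in ["Y3!!0W*Tz", "I L!ke th4 s0ng Y3!!0W*Tz", "P4$$w0rd", "sunflower"]:
        print(repr(candidate), check_password(candidate) or "OK")
```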

Page 9: Be Informed and Responsible about Sensitive Information

• Sensitive information may include SSN#, EUID, EMPLID, passwords, credit or debit card numbers, student directory information (address, phone numbers, student ID, email address, date and place of birth, major field of study, classification, participation in officially recognized activities and sports, dates of attendance, weight and height of members of athletic teams, enrollment status, degrees and awards received, most recent previous school attended, and photographs).

• In general, social security numbers are no longer needed to uniquely identify faculty, staff or Banks. The new EMPLID (Employee ID) is now the designated University ID Number. Replace social security numbers with the EMPLID in your databases and spreadsheets and delete any records that are no longer needed containing social security numbers.
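One way to carry out the replacement step above on an exported spreadsheet, added as an example (not a tool from the original deck). The CSV and the SSN-to-EMPLID lookup are constructed (000-area SSNs are never issued), and the lookup stands in for whatever the institution's HR or student system provides; rows whose SSN has no EMPLID are set aside so someone decides whether the record is still needed, rather than being left in the cleaned sheet.

```python
import csv
import io
import re

# Constructed sample sheet; 000-area SSNs are never issued, so these are fakes
SAMPLE_CSV = """Name,SSN,Major
Ada Example,000-12-3456,Physics
Ben Sample,000123457,History
Cy Placeholder,000-12-3458,Music
"""
# Constructed SSN -> EMPLID lookup (in practice, a query to the HR/student system)
SSN_TO_EMPLID = {"000123456": "10000001", "000123457": "10000002"}

# A cell that is exactly an SSN: ###-##-#### or nine bare digits
SSN_RE = re.compile(r"^\s*(\d{3})-?(\d{2})-?(\d{4})\s*$")


def find_ssn_cells(csv_text):
    """List (row_index, column) for every cell that looks like an SSN,
    so sheets that still hold SSNs can be located before they are cleaned."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(i, col) for i, row in enumerate(rows)
            for col, val in row.items() if val and SSN_RE.match(val)]


def replace_ssn_with_emplid(csv_text, ssn_to_emplid):
    """Swap SSN cells for the EMPLID and rename the SSN column. Rows whose SSN
    has no EMPLID are returned separately and untouched, for a delete-or-keep
    decision instead of being silently carried into the cleaned sheet."""
    cleaned, needs_review = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        new_row, unresolved = {}, False
        for col, val in row.items():
            m = SSN_RE.match(val or "")
            if not m:
                new_row[col] = val
                continue
            emplid = ssn_to_emplid.get("".join(m.groups()))  # normalise to 9 digits
            if emplid is None:
                unresolved = True
                break
            new_row["EMPLID" if col.strip().upper() == "SSN" else col] = emplid
        (needs_review if unresolved else cleaned).append(row if unresolved else new_row)
    return cleaned, needs_review


if __name__ == "__main__":
    print(find_ssn_cells(SAMPLE_CSV))
    done, review = replace_ssn_with_emplid(SAMPLE_CSV, SSN_TO_EMPLID)
    print(done)
    print(review)
```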

Page 10: Protect Sensitive Information

• Avoid sharing information with unauthorized or untrained staff.
• Avoid non-work related disclosure of sensitive or confidential information. This includes student and employee information.
• Never store sensitive or confidential information on your office computer or laptop. Instead, store it on a secured network drive. However, if you must store sensitive or confidential information on your computer for official business purposes, encrypt it. For instructions on how to store information on your network drive or to learn how to encrypt data, contact your network manager.
• Never send sensitive or confidential information by email or instant messenger. These methods of transfer can be intercepted and are not secure.
• Always secure sensitive documents. Never leave them in the open (e.g. on desks).

Page 11: Physical Security

• Always shut down or log off of any system when not in use.
• Protect your computer from power surges with surge protectors.
• Use password-protected screensavers.
• Make sure no one is looking over your shoulder when you enter your password.
• Lock your doors when you leave your office.
• Never lend your key to anyone.
• Know who has access to your work area and computer.
• Properly dispose of (shred, etc.) all documents that contain sensitive information when they are no longer needed (social security numbers, grades, financial and medical information, etc.).
• Never leave sensitive information (employee or student information, passwords, etc.) in plain view.
• Never leave valuables unattended (laptops, PDAs, books, etc.).
• Store backup copies of important files in a safe location.
• If one is in place, know the disaster recovery plan for your work group.

Page 12: Report Security Incidents

• Often when a suspected security incident occurs, a person may be scared to report it because they think it is their fault.

• Regardless of fault, the longer the incident goes unreported, the more difficult it is to determine who may have stolen the information, or whether the information was actually stolen at all.

• Often forensic analysis of the computer finds that the computer was compromised but the sensitive information stored on it was not accessed. This is because the intruder may not have known it was there, or the information was not the intended target of the compromise.

• Another reason a person may be reluctant to report a suspected security incident is that they have themselves stored inappropriate or embarrassing material on their computer.

Page 13: Understand Appropriate Computer Use Policy

• Use of . computing resources is subject to review and disclosure in accordance with the . Public Information Act.

• You have no reasonable expectation of privacy in regard to any communication or information stored on a . computer system.

• Use of . computing resources constitutes your consent to security monitoring and testing and administrative review.

• Use of . computing resources must be limited to justifiable computing support of . activities in accordance with . Policy 3.10: “Computer Use Policy” and . Policy 3.6.

Page 14: Computer Use Policy 3.10 Responsibilities of . Faculty and Staff:

• A user shall use the University computer resources responsibly.
• A user is responsible for any usage of his/her computer account.
• A user must report any misuse of computer resources or violations of this Policy to their department head or to the Office of the Associate Vice President for Computing and Chief Technology Officer.

• A user must comply with all reasonable requests and instructions from the computer system operator/administrator.

• When communicating with others via the University computer system, a user's communications should reflect high ethical standards, mutual respect and civility.

• Users are responsible for obtaining and adhering to relevant network acceptable use policies.

Page 15: Computer Use Policy 3.10 Misuse of Computing Resources Includes:

• Criminal and illegal acts.
• Failure to comply with laws, policies, procedures, license agreements, and contracts.
• Abuse of computer resources.
• Use of . computer resources for personal financial gain.
• Failure to protect a password / account from unauthorized use.
• Permitting someone to use another's computer account, or using someone else's computer account.
• Unauthorized duplication and distribution of commercial software and other copyrighted digital materials.
• Attempting to circumvent, assisting someone else to circumvent, or requesting that someone else circumvent any security measure or administrative access control.
• Use of the University computer system in a manner that violates other University policies such as racial, ethnic, religious, sexual or other forms of harassment.
• Use of the University's computer system for the transmission of commercial or personal advertisements, solicitations, promotions, or employees’ transmission of political material that is prohibited by . Ethics Policy 1.2.9.

Page 16: Other Considerations Concerning ID Theft Prevention

• Use a credit card instead of a debit card.
• Instead of signing your card, write “Check ID”.
• Keep a list of your cards and contact numbers.
• Carry one card, preferably with a low credit limit.
• Do not leave any credit receipts in the open.
• Review your monthly bank and credit reports.
• If you are a victim, have your credit and bank cards reissued.
• Periodically check your credit report for unusual activity.

Page 17: Example of Network Compromise