Management and Storage of Sensitive Information

UH Information Security Team (InfoSec)

Who Are We?

• UH Information Security Team

– Jodi Ito - Information Security Officer

– Deanna Pasternak & Taylor Summers Information Security Specialists

INFOSEC@HAWAII.EDU

2

What Do We Do?

• Support the system-wide information security program– Provide oversight of IT security issues and concerns– Ensure compliance with policies– Perform security audits and risk assessments– Initiate and monitor the protection of sensitive

information– Review and revise Security Policies– Implement mandatory Information Security Training– Support the automatic monitoring of network and

technology resources

3

National Cyber Security Awareness Month (NCSAM) History

• Started in 2004

• Sponsored by the National Cyber Security Division (NCSD) within the Department of Homeland Security and the National Cyber Security Alliance (NCSA)

4

Cyber Security Awareness Month

• The National Cyber Security Alliance (NCSA) Initiated Cyber Security Month To:– Raise awareness about cyber security

and online safety precautions– Protect our national digital

infrastructure– Help prevent fraud and identity theft

5

Examples of Cyber Attacks

• Flame – Kaspersky dubbed it the most powerful computer virus in history. Primary target was Iran. Has the ability to steal audio, screen capture, transmit visual data, data behind input boxes (passwords), scan local Bluetooth devices.

• Stuxnet – A computer worm that destroyed centrifuges at the heart of Iran’s nuclear program.

• Slammer/Sapphire – Worm infected 200,000+ Microsoft SQL servers world wide with a denial of service attack. Infecting 75,000 in the first 10 minutes. Disrupting Internet services and some business processes. January 24, 2003

6

Yet Another Variant

7http://mashable.com/2012/08/09/gauss-virus/

STOP | THINK | CONNECT

8

Be Cyber Smart

• In conjunction with the STOP.THINK.CONNECT campaign

• InfoSec brings you

R U Cyber S.M.A.R.T.

9

UH Awareness Campaign for Cyber Security Month

• What’s in it for the UH community?– Prevent future breaches– Safeguard sensitive information– Educate the UH community on safe

personal computing practices

Be Cyber S.M.A.R.T

10

R U - S.M.A.R.T.

• Identified five topics for the five weeks in October– Secure Information Destruction– Management and Storage of Sensitive

Information – Avoid Identity Theft– Responsible Computing Practices– Think Before You Click

11

What Will We Cover?• Laws related to sensitive information

• Storage of sensitive information– Where to keep it– Where not to keep it

• Management of sensitive information– How to safely transfer to others– Encryption– Sensitive information best practices– Posting sensitive information online

12

Secure Information Destruction Review

• Keep paper locked up until you shred it

• Shred sensitive information on paper, DVD’s

• Physically destroy media• Securely delete both internal and

external hard drivesSlides available at http://www.hawaii.edu/infosec/ncsam.html. Rebroadcastavailable soon

13

Document Retention

• University of Hawai‘i – A8.450 Records Management Policy

• www.hawaii.edu/svpa/apm/recmgmt/a8450.pdf

One Objective: To eliminate the maintenance of unnecessary copies of records

• Personal records retention• www.shredit.com

14

UH is sponsoring another eWaste Disposal Days in October

Check the website for days and times

15

What is Sensitive Information?

• Information is considered sensitive if it can be used to cause an adverse effect on the organization or individual if disclosed to unauthorized individuals

• Some examples are:– Social Security Numbers, Student records, Health information, Drivers

license numbers, credit card numbers, dates of birth, job applicant records, etc.

• State, Federal and Regulatory requirements provide standards for protecting sensitive information

• UH Policy E2.214 has a detailed description of Sensitive information http://www.hawaii.edu/apis/ep/e2/e2214.pdf

16

Know What to Protect

• A partial list of data considered sensitive as outlined in UH Policy E2.214

• Student records (FERPA)• Health information (HIPAA)• Personal financial information • Social Security Numbers• Dates of birth• Access codes, passwords and PINs • Answers to "security questions" • Confidential salary information

17

Many Laws - Similar Requirements

FERPA, HIPAA, PCI-DSS, HRS-487, ITAR

Protect the Confidentiality, Integrity, and Availability of Sensitive Information

•Safeguards include– Access controls to limit access to persons with a need

to know– Encrypt data at rest & in transit– Auditing/Logging access & modifications– Develop Policies and Procedures – Conduct Training

•ITAR restrictions on the export of research data 18

19

Where is Data Stored?

20

Protect Sensitive Information

• The best way is to:– Be aware– Know what to protect– Know how to protect it– Know how it is being used

21

Be Aware

• Know where your information is stored

• Know what others are using your information for – privacy rights

• Know the laws protecting information

22

Your Privacy Rights

• There are several Federal and State laws that require businesses to provide their clients with an annual notice on what personal information is collected and how it is used

• Notices are also posted on websites and require you to acknowledge you agree before you are given access to their product

23

Read the Privacy Statement

24

The Allegations Against Google Are:

• Those litigants claim Google violated its previous policies that promised information provided by a user for one service would not be used by another service without the consumer's consent.

• The company is accused not only of combining the information but also of not providing an easy and efficient way for consumers to opt out.

• It allegedly violated the American Federal Wiretap Act (for willfully intercepting communications and aggregating personal information for financial benefit), breached the Stored Electronic Communications Act (for the way it accessed consumer communications stored on its systems), violated the Computer Fraud Abuse Act, and transgressed other statutes and state laws.

• http://www.vancouversun.com/technology/Google+legal+troubles+underscore+vulnerability+privacy+rights/7348685/story.html#ixzz28epyJdFT

25

Read Before You Click

Before you click Accept Terms of Agreement•Read what you are agreeing to•They may be sharing your information

26http://news.cnet.com/8301-1023_3-57524073-93/facebook-wants-like-button-to-be-exempt-from-child-privacy-laws/

How to Protect Information

• Know where it is stored• Safeguard it with physical security• Encrypt it• Use programs to store passwords

securely• Use password protection• Redact it• Delete it – securely wipe it

27

Scan Your Computer• Identity Finder – Windows and Macs

– Download at www.hawaii.edu/software– How to use: www.hawaii.edu/askus/1297

• Find SSN – Linux, Solaris and Legacy OS– www.hawaii.edu/askus/1323

• Scan for vulnerabilities– Scan a single machine:

http://openvas.hawaii.edu/cgi-bin/myopenvas– Batch scan:

http://openvas.hawaii.edu/batchopenvas/index.php

28

Register Any Servers Containing Sensitive Information

• All public file, web, and ftp servers must be registered & scanned for sensitive, personal information and vulnerabilities.– http://www.hawaii.edu/its/server/registration/

• The UH Personal Information System survey is designed to identify ALL personal information systems in the University of Hawaii as required by Hawaii State Law.– http://www.hawaii.edu/its/information/survey/

29

What Does An Encrypted File Look Like?

30

Encryption

• Encrypting a Windows file, folder, and entire disk– http://www.hawaii.edu/askus/1285

• Encrypted disk images and full disk encryption for a Mac– http://www.hawaii.edu/askus/676

31

DO NOT LOSE YOUR ENCRYPTION KEY

• When using encryption be careful to safeguard your encryption key. If lost ITS may not even be able to help you recover your data.

32

Ways To Securely Transfer Sensitive Information

33

Secure File Transfer

• www.hawaii.edu/filedrop– Secure file transfer up to 800MB– Can share with people not part of UH

community– Secure URL is available for five days

• Security ends at transmission, you will still need to secure information on your computer.

34

Secure Shell (SSH)

• What is SSH?– Secure channel that encrypts

information such as passwords over the internet

• Do not use telnet– Passwords are sent in the clear making

them vulnerable to cyber crime

35

Secure Socket Layer (SSL)

• What is SSL?– A protocol that establishes an

encrypted link between a web server and a browser ensuring all data passed between the web server and browsers remain private

• In other words:– “keeps your data safe”

36

How do I Know the Link is Secure?

Why is it important?•The S or the padlock means:

– That you have a secure (encrypted) link with this web site – That this web site is a valid and legitimate organization or an

accountable legal entity

Look for the httpS:// (the S means it is encrypted)

And/Or a padlock

37

Do Not Use The Following To Transfer Sensitive Information

• Unencrypted Email• Third party cloud applications such as

Dropbox• Google Drive• Unsecured USB drives or other

external devices

38

Where Should Sensitive Info Be Stored?

• Encrypted folders, partitions, or drives

• Secured servers• Encrypted external drives• Secure applications• Locked file cabinets

39

Where Not To Store Sensitive Information

• Your email• Unsecured paper files• Your hard drive unencrypted• Social networking sites

40

Know How it is Being Used

• Who has your information and how are they using it?– The Bank– Credit Card Companies– The University– Social Media– Health Care– Malicious Information Gathering

41

PenaltyMinimum 10 years in jail, $250,000 fine or BOTH

42

35,000 e-mail addresses, thousands of user names, and

other information compromised.

http://www.vancouversun.com/technology/Googles+legal+troubles+underscore+vulnerability+privacy+rights/7348685/story.html43

So What?

• Following policies and laws to protect sensitive information will not only protect the consumer, but it protects you from possible disciplinary action as stated in the University of Hawai‘i General Confidentiality Notice UH Form 92

44

Securing Your Password

• Password keepers– http://keepass.info/

• Do not store on your monitor or under keyboard• Use something easy to remember but hard to

guess• Follow password generation guidelines

– CAPITALS– lowercase– Numb3r5– $ymbols

45

46

The Cloud

• The Cloud is not secure• Do not store information in the

cloud unless it is encrypted

47

Keep Sensitive Information Secure From Social Engineers

• Verify callers

• Do not respond to email scams, phishing, or suspicious phone calls requesting confidential UH information or your own personal information.– Remember ITS will NEVER ask for your

password over email.

48

Don’t Fall For This

More on Phishing on Week 5 49

50

Back-Up?

• Regularly backing up your data is critical in case of a computer problem

BUT– Store your backup in a safe place– Preferably in a different location than the

host data– And secure it - lock it up, encrypt it– Regularly verify the backup can be restored

51

52

Key Points to Remember

• Handle sensitive information responsibly

• Protect sensitive information in paper form, electronic data at rest and in transit

• Follow policy – if in doubt ask• Bad things can happen if you do not

Think Before You Click

53

How Do I Get iTunes?• To be eligible for the weekly $15 iTunes cards drawing you must:

– Attend or watch a rebroadcast of this presentation– Have a Facebook Account– Like our page at www.facebook.com/uhinfosec– Answer the Security Question of the Week for October correctly (will be

posted after this session ends)– You will then be added to the drawing for an iTunes card

• I will contact you directly if you are the winner for delivery

• To be entered to win the $25 gift card at the end of October, you must sign up for a session at www.hawaii.edu/training

(no Facebook account required)

54

More PrizesRegister or sign in on-line (www.hawaii.edu/training)

to be eligible for a drawing each week for a UH Manoa Bookstore donated prize. Prizes will be mailed to outer island winners.

55

For More Information

• Visit the Cyber Security Month (NSCAM) website

– Link to all presentations (posted soon)– Link to FTC materials– Posters– Cyber security brochure– Think. Stop. Connect. brochures

56

http://www.hawaii.edu/infosec/ncsam.html

57

http://www.hawaii.edu/infosec

58

Email us at: infosec@hawaii.edu

Visit us at: www.hawaii.edu/infosec

Like us on Facebook: www.facebook.com/uhinfosec

Follow us on Twitter:www.twitter.com/ITSecurityUH

59