Security Awareness - memphis.edu

Security Awareness ITS Security Training Spring 2016


Why is Security so Important?
• Technology can address only a fraction of security risks.
• You are a primary target, or rather, your data and access to data are a target.
• Gaining access to your personal data allows criminals to take your research or your personal information. It also allows them to impersonate you, or your computer, to gain access to other systems and data.

Security Basics
• University Policies
• Passwords
• Browsing
• Email
• Desktop and Mobile Device Security
• Data Security and Encryption
• Remote Access / VPN
• Securing The Human Training
• Reporting an incident
• Reminders
• Other Resources

University Policies
• UM1337 – Data Access
• UM1535 – Acceptable Use of IT Resources
• UM1691 – Campus Data Security
• FERPA – Federal Educational Rights and Privacy Act
  • http://www.memphis.edu/registrar/faculty/ferpa.htm

University Policies Site – http://policies.memphis.edu

Passwords
• Password Complexity
  • Hackers and toolkits anticipate patterns and context, so avoid words like "memphis" in your UofM password or "credit" on your credit card account.
  • Using personally identifiable information will also be anticipated, so avoid passwords containing words or names from your family and public record.
  • The University of Memphis enforces a standard set of complexity requirements.
• Password Change Frequency
  • Frequency can be as important as complexity. An expired password is useless to anyone who has stolen it.
  • The University of Memphis currently enforces a 6 month expiration policy.
• Password Reuse
  • Maintain different credentials per service. Hackers know it's hard to keep up with multiple passwords. If they get one, they will use it against other services hoping to gain additional access. Never use your University of Memphis credentials with another service.

Password Management
• Password Management / Identity Vault
  • ITS will never ask you for your password.
  • Avoid writing passwords down or keeping them in a text file or document.
  • Email is not a password management system. Never email your password to anyone (including yourself).
  • A password management utility is one option for storing personal passwords. Many exist that work on desktops and mobile devices. These encrypt your passwords and many will also help you generate nicely complex passwords.
  • 1Password and LastPass are examples of password management utilities.

Browsing
Safe Browsing
• Keep your browser software version up-to-date.
• Keep any browser plug-ins up-to-date; especially Adobe Flash and Java, as these are targeted frequently.
• Hover over URLs and links to see where they really lead before you click.
• Make use of pop-up and ad blockers.
• Be careful when downloading software from the internet.
• Social networking sites, by definition, collect, maintain, and share personal identification. Be mindful of this when interacting with these sites both on and off campus.
• If a website requests user information of any kind, make sure that website is using HTTPS.
  • HTTPS is the secure web protocol. This can be seen in a web address such as https://www.google.com. This ensures that the specific web session between your browser and the https website is all transmitted in an encrypted manner.

Safe Browsing – Confirming a secure connection (https) with Internet Explorer

Safe Browsing – Confirming a secure connection (https) with Firefox

Email
• Keep your email program up-to-date.
• Most email programs do not encrypt your messages, subjecting them to possible interception by others.
• Email messages can contain a virus or other malicious software that could infect your computer or device.
• Never click on a link sent to you in an email unless you are absolutely sure it is safe.
• Never click on or download an attachment from an email unless you are absolutely sure it is safe.
• Be wary of email from an unknown sender.
• Use the "Report Junk" option to mark spam. Review/empty your "Junk E-Mail" folder periodically.
• The University of Memphis email service (UMMail) includes special server tools to help recognize and quarantine suspicious email.

Email
Be wary of SPAM email. Here is an example of SPAM:

Email
• Phishing
  • A phishing email attempts to fool a user into thinking it originated from a trusted person or business. These often contain web links or attachments asking for personal information or leading to a questionable website that attempts to collect sensitive information.
  • Typically, phishing emails appear to come from:
    • A trusted source, such as the University of Memphis
    • Co-workers, friends, or family
    • A "help desk" or "service desk"
    • Financial institutions
    • Social media sites

Email
Examples of phishing emails:

Desktop and Mobile Device Security
• Never leave your laptop or device unattended. Thefts do happen.
• Your PC/device should be set to automatically install security updates.
• Have anti-virus and anti-spyware software installed and enabled.
• Ensure your firewall is turned on and set to block all incoming traffic, allowing only the specific services you need.
• The SafeConnect NAC (Network Access Control) requires users to log in before accessing the campus network, and also ensures your PC has the latest security updates and anti-virus protection.
• Ensure access to your mobile device is protected with a passcode.
• Consider using a remote tracking/wipe function if supported. For iOS devices, iCloud provides the "Find my iPhone" service for free. Android and other mobile operating systems also have similar functionality.

Data Security and Encryption
• Sensitive data should be encrypted whenever possible. Here are some examples:
  • Research data
  • Student data (FERPA)
  • Personally Identifiable Information
  • Financial Information
• There are a variety of disk encryption methods available:
  • Microsoft BitLocker (Windows)
  • Apple FileVault (Mac OS X)
• Keeping sensitive data on campus servers alleviates the risk of a stolen mobile device or compromised home computer.
• When disposing of old devices (desktops, laptops, flash drives, phones), ensure all sensitive data has been securely deleted.

Remote Access / VPN
• VPNs provide secure, encrypted communication between off-campus devices and on-campus resources.
• The VPN application is freely available and fully supported on Windows, Mac OS X, and iOS (iPhone, iPad) devices.
• Some of the typical campus resources accessed via the VPN are Remote Desktop, Banner INB and departmental file shares.
• Remote Desktop applications allow you to control your desktop PC from off-campus. This allows sensitive data to remain on campus.

Remote Access / VPN
The following diagram illustrates how the VPN encrypts your network traffic. Note that only specific connections to on-campus resources are protected by the VPN tunnel.

SANS Securing The Human
• New training in Summer 2015 is mandatory for all Banner Finance / Banner HR users.
• Training must be taken once a year and consists of a group of short videos followed by short quizzes.
• Certificate of completion can be printed at end of assessments.
• http://www.memphis.edu/its/security/security-awareness.php

Reporting Incidents
• Phishing/[email protected].
• Real security incidents, such as compromised credentials, compromised system or evidence of data exposure/release, can be reported using an online form at https://www.memphis.edu/its/security/incident-report.php.

Reminders…
• ITS will never ask…
  • …for your password via email or over the phone.
  • …for you to "confirm" your account via email.
  • …for you to follow a link to clean a virus from your email mailbox.
  • …for you to update or increase your email quota.
• When in doubt, [email protected].
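As an added example that is not part of the ITS deck, the following Python script applies three of the rules above to an email body: the "hover over URLs and links" advice (does the domain shown as link text match where the link really goes?), the HTTPS rule (is a login link unencrypted?), and the Reminders list (does the message use a lure ITS says it will never use?). The lure list and the two sample messages are constructed for illustration, and example.net stands in for a lookalike domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure phrases drawn from the deck's "ITS will never ask..." reminders (constructed list).
LURE_PHRASES = ("confirm your account", "clean a virus from your mailbox",
                "increase your email quota", "for your password")
# Constructed sample messages, not real mail; example.net stands in for a lookalike domain.
PHISH_SAMPLE = ('<p>Your mailbox is full. To increase your email quota, log in at '
                '<a href="http://umail-login.example.net/">www.memphis.edu</a></p>')
LEGIT_SAMPLE = ('<p>ITS Security site: '
                '<a href="https://www.memphis.edu/its/security/">www.memphis.edu</a></p>')

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags; the visible text is what a user sees."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Lower-cased hostname of a URL or of a bare domain such as www.memphis.edu."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def check_email(html_body):
    """Return warning strings for an HTML email body; an empty list means nothing was flagged."""
    warnings = []
    text = re.sub(r"<[^>]+>", " ", html_body).lower()   # the plain text the recipient reads
    for phrase in LURE_PHRASES:
        if phrase in text:
            warnings.append(f"lure phrase: '{phrase}'")
    collector = _LinkCollector()
    collector.feed(html_body)
    for href, shown in collector.links:
        # The "hover over links" check: does text that looks like a URL match the real target?
        shown_host = _host(shown) if re.match(r"^(https?://)?[\w.-]+\.[a-z]+$", shown) else ""
        if shown_host and shown_host != _host(href):
            warnings.append(f"link text shows {shown_host} but points to {_host(href)}")
        if urlparse(href).scheme == "http":   # the deck's HTTPS rule for any page asking for data
            warnings.append(f"unencrypted link: {href}")
    return warnings
```

Running check_email over PHISH_SAMPLE produces three warnings (lure phrase, mismatched link target, unencrypted link), while LEGIT_SAMPLE produces none.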

Other Resources
• ITS Security website – http://www.memphis.edu/its/security
• CIO blog – http://blogs.memphis.edu/cio
• StaySafeOnline – National Cyber Security Alliance – https://www.staysafeonline.org
• SANS Cyber Security Awareness – http://cyberaware.securingthehuman.org

Open Discussion

THANK YOU!

ITS Security
http://www.memphis.edu/its/security/