Avoiding Identity Theft
Benjamin Kirchmeier, Information Technology Services
Protect University Employees and Customers
Identity Theft
Protecting UI Customers
•Take Stock
•Scale Down
•Lock It
•Destroy It
•Plan Ahead
•Source: Federal Trade Commission: Avoid ID Theft
•http://www.ftc.gov/bcp/edu/microsites/idtheft/
Take Stock
•What Sensitive Personal Information (SPI) data do you use?
•Where is SPI? Electronic and physical copies
•Who has access to SPI?
•How is SPI used?
• FERPA (Family Educational Rights and Privacy Act)
Scale Down
•Ensure a business need exists.
•SPI data should only be maintained using University sanctioned systems and procedures
•Consider a retention policy for SPI
•Securing and Destroying SPI
•Administrative Procedures Manual: 30.12 UI Computer Use Policy
•http://www.uihome.uidaho.edu/default.aspx?pid=97510
Lock It
• Physical Security
• Electronic Security
• Password Management
• Laptop Security
• Firewalls
• Wireless and Remote Access Networking
• Breach Detection
• Employee Training
• Security Practices of Contractors and Vendors
Physical Security
•Office security
•Access Controls/Restricted Spaces
•SPI document transfer policy
Electronic Security
•Store all SPI on the University's filesystem
•Antivirus software must be installed
•Encrypt SPI - EncryptOnClick
•Proactively peruse valid security websites
•Disable unused services
Encrypt-On-Click
•Free!
•Military-grade encryption (256-bit AES)
•No ‘backdoor’ to files in an .eoc archive
•Download: http://www.2brightsparks.com/assets/software/EncryptOnClick_Setup.exe
Password Management
• Longer passwords are safer
• Ensure employees never share passwords with anyone, including ITS
• Require password-activated screen savers
• Never use your University password with another vendor
• Save your passwords in a safe location
• KeePass E-Wallet - Not a Word or Excel file
• Paper copy locked in safe - Not under the keyboard
Laptop Security
•Restrict use of portable devices
•Never save SPI on a laptop
•Consider cords and locks to secure laptops
•https://support.uidaho.edu/FAQ/Laptop Security/
Laptop Security - Task Manager
Service name   Display name                          Enterprise client   Standalone
                                                     desktop/laptop      desktop/laptop
Alerter        Alerter                               Disabled            Disabled
ClipSrv        ClipBook                              Disabled            Disabled
Browser        Computer Browser                      Not Defined         Disabled
Fax            Fax                                   Not Defined         Disabled
MSFtpsvr       FTP Publishing                        Disabled            Disabled
IISADMIN       IIS Admin                             Disabled            Disabled
cisvc          Indexing Service                      Not Defined         Disabled
Messenger      Messenger                             Disabled            Disabled
mnmsrvc        NetMeeting® Remote Desktop Sharing    Disabled            Disabled
RDSessMgr      Remote Desktop Help Session Manager   Not Defined         Disabled
RemoteAccess   Routing and Remote Access             Disabled            Disabled
SNMP           SNMP Service                          Disabled            Disabled
SNMPTRAP       SNMP Trap Service                     Disabled            Disabled
SSDPSrv        SSDP Discovery Service                Disabled            Disabled
Schedule       Task Scheduler                        Not Defined         Disabled
TlntSvr        Telnet                                Disabled            Disabled
TermService    Terminal Services                     Not Defined         Disabled
Upnphost       Universal Plug and Play Device Host   Not Defined         Disabled
W3SVC          World Wide Web Publishing             Disabled            Disabled
Source: http://www.sans.org/top20/#s2
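An added example, not from the presentation or from ITS: a read-only PowerShell audit that checks the services in the table above against either baseline (Standalone: all Disabled; Enterprise: only the rows the table marks Disabled). It assumes Get-CimInstance is available (PowerShell 3.0 or later) and an elevated prompt.

```powershell
# Added example, not part of the original presentation: audit the listed
# services against the slide's baselines. Read-only; changes nothing.
# Assumes Get-CimInstance (PowerShell 3.0+); on older hosts use Get-WmiObject.

# Service names exactly as listed on the slide (SANS-derived list).
$AllServices = 'Alerter','ClipSrv','Browser','Fax','MSFtpsvr','IISADMIN','cisvc',
               'Messenger','mnmsrvc','RDSessMgr','RemoteAccess','SNMP','SNMPTRAP',
               'SSDPSrv','Schedule','TlntSvr','TermService','Upnphost','W3SVC'
# Rows the table leaves "Not Defined" for the Enterprise Client profile.
$EnterpriseNotDefined = 'Browser','Fax','cisvc','RDSessMgr','Schedule','TermService','Upnphost'

function Test-ServiceBaseline {
    param([ValidateSet('Standalone','Enterprise')][string]$Baseline = 'Standalone')
    # Standalone: every listed service must be Disabled.
    # Enterprise: only the services the table marks Disabled are checked.
    $expected = if ($Baseline -eq 'Enterprise') {
        $AllServices | Where-Object { $EnterpriseNotDefined -notcontains $_ }
    } else { $AllServices }
    foreach ($name in $expected) {
        # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if ($svc) { $mode = $svc.StartMode; $state = $svc.State }
        else      { $mode = 'NotInstalled'; $state = '-' }   # absent service (e.g. no IIS) is compliant
        [pscustomobject]@{
            Service   = $name
            Expected  = 'Disabled'
            Actual    = $mode
            State     = $state
            Compliant = ($mode -eq 'Disabled' -or $mode -eq 'NotInstalled')
        }
    }
}

$results = Test-ServiceBaseline -Baseline Standalone
$results | Format-Table -AutoSize
$drift = @($results | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning ("{0} service(s) deviate from the standalone baseline:" -f $drift.Count)
    $drift | ForEach-Object { Write-Warning ("  {0}: startup {1}, state {2}" -f $_.Service, $_.Actual, $_.State) }
} else { Write-Host 'All listed services are disabled or not installed.' }
```

Run with `-Baseline Enterprise` on an AD-joined machine to check only the rows the table defines for that profile.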
Laptop Security - Encryption
• No official recommendation or support from ITS
• Research products prior to using on production machines
• TrueCrypt: http://www.truecrypt.org/
• PGP Whole Disk Encryption: http://www.pgp.com/products/wholediskencryption/
• BitLocker: http://technet.microsoft.com/en-us/windows/aa905065.aspx
• FileVault: http://www.apple.com/macosx/security/
ITS Sophos Firewall
• By default, installs only for AD-bound machines
• Server-based firewall exceptions
• Set to allow file-sharing access (NetBIOS) only to known ITS services
• Remote Desktop only allowed from 129.101.0.0/16 addresses (i.e., VPN required from elsewhere)
• Temporary exceptions allowed for application installation; settings will reset
• Permanent exceptions should be requested through ITS Help Desk
• Custom firewall policies can be applied to a prefix group
• Windows 7 will be supported in a forthcoming release
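An added example, not from the presentation and not the Sophos client firewall ITS deploys: the two exceptions described above (RDP only from 129.101.0.0/16, file sharing only to known ITS services) expressed as Windows Firewall rules with the NetSecurity cmdlets (Windows 8 / Server 2012 or later). The ITS file-server addresses are placeholders that must be replaced before running.

```powershell
# Added example, not part of the original presentation: Windows Firewall
# equivalent of the Sophos exceptions on the slide. Run elevated.
# <ITS-FILE-SERVER-1>/<ITS-FILE-SERVER-2> are placeholders for the addresses
# of the known ITS file-sharing services; replace them before running.

$CampusPrefix   = '129.101.0.0/16'                                   # from the slide
$ItsFileServers = @('<ITS-FILE-SERVER-1>', '<ITS-FILE-SERVER-2>')    # placeholders

# 1. The stock "Remote Desktop" rules allow any remote address; disable them
#    and allow TCP 3389 only from the campus prefix (VPN clients land there).
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP from campus/VPN only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $CampusPrefix -Action Allow `
    -Profile Domain,Private | Out-Null

# 2. File sharing (NetBIOS 137-139, SMB 445) only from the known ITS services.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'File sharing from ITS services only (TCP)' -Direction Inbound `
    -Protocol TCP -LocalPort 139,445 -RemoteAddress $ItsFileServers -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'File sharing from ITS services only (UDP)' -Direction Inbound `
    -Protocol UDP -LocalPort 137,138 -RemoteAddress $ItsFileServers -Action Allow | Out-Null

# 3. Verify: every enabled inbound allow rule touching RDP or SMB and its remote scope.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -match '^(3389|139|445)$' } |
    ForEach-Object {
        [pscustomobject]@{ Rule   = $_.DisplayName
                           Remote = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',') }
    } | Format-Table -AutoSize
```

The final listing should show no RDP or SMB allow rule whose Remote column reads "Any"; if one appears, it is an exception added outside this policy and should go through the ITS Help Desk as the slide describes.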
ITS Firewalls - Managed Security Network
• Managed Security Network (MSN) - For all users who handle SPI
• Firewall Policy Summary
• Deny access to non-ITS managed Infrastructure services, such as File sharing, Email, Database, and Directory services
• Allow all other network communication initiated by hosts in the network
• Allows select network communication initiated by ITS-Managed Infrastructure and Application servers
• Allows RDP access from other MSN Networks and ITS-Managed VPN users
• Deny all other network communication initiated from outside the network
ITS Firewalls - MSN Lite (Proposed)
• MSN Lite - For all academic and administrative user networks that do not have servers
• Firewall Policy Summary
• Allow all network communication initiated by hosts in the network
• Allow select network communication initiated by ITS-Managed Infrastructure and Application servers
• Allow RDP access from UI Networks
• Deny all other network communication initiated from outside the network
ITS Firewalls - Public
• Public - For all residence and wireless access networks
• Firewall Policy Summary
• Allow all network communication initiated by hosts in the network
• Allows select network communication initiated by ITS-Managed Infrastructure and Application servers
• Deny all network communication initiated from outside the network
Wireless and Remote Access Networking
•AirVandalGold v. AirVandal
• ITS VPN Solution
•The 64-bit quandary
•Native functionality in Snow Leopard
•Remote Desktop Protocol (RDP)
•Vulnerable to man-in-the-middle attacks (versions before 6.0)
Employee Training
• FERPA Training
• Employee Separation - restrict access
• Keep employees up-to-date on new vulnerabilities
• Request sponsored accounts for TH employees
• APM 30.16: Managing Systems for Employee Turnover
3rd Party Contractor and Vendor Security
•Identify what data is sent to vendors
•Address all inconsistencies
•Require that vendors notify the University of any security incidents
•Confirm any security incident on campus with affected vendors
Destroy It
•University forms, CDs, receipts, expired credit cards
•Use Shred-it bins
•Ensure employees apply similar practices, at home and elsewhere
•Surplus old technology -- remove hard disks or properly delete data
Plan Ahead
•Disconnect compromised computers immediately
•Report any security incidents immediately
•Seek advice from ITS
•Consider developing a Computer Lifecycle Plan
Plan Ahead - ITS Services
• Proofpoint Messaging Security Appliance
• Monitoring email for credential breaches
• BadAttachment rules
• All University email (in or out) is scanned
• University border firewall
• DNS restrictions (Zlob)
• SMTP Mail (Port 25)
• MSSQL
Protect Yourself
Identity Theft
Secure Sensitive Documents
•Safeguard your Social Security card and birth certificate
•Use these documents only when absolutely necessary
•Consider using a safe deposit box for original documents
Destroy Unused Information
•Shred junk mail, personal documents, medical records, or other data
•Use a post office box or mail slot for secure mail delivery
•Consider using Opt Out to reduce junk mail
•https://www.optoutprescreen.com/
• (888) 567-8688
Identify Frauds and Scams
•Do not reply to any electronic communication asking for personal information
•Enter URLs manually
•Use known phone numbers from statements or valid phone directory
•Verify vendor’s identity
Unique Passwords
•15+ character passphrases = 400-day expiration!
•Never use UI credentials with an external account
•Use a unique, complex password for each account you hold
•Password management software
Peer-to-Peer Filesharing (p2p)
•Default program settings can be insecure
•Files downloaded may include a nefarious payload or be mislabeled
•Only download software from trusted locations
•Legal and copyright violations
•https://support.uidaho.edu/p2p/
Install [Sophos] Antivirus
•Symantec licenses have expired!
•Sophos available at no cost
•Lower overhead, more frequent updates
•Keep the software current
•Support for major operating systems
•Auto updates
Uh-oh, you've been victimized!
•Review credit reports and place Fraud Alerts on them
•Close all accounts in question
•File a complaint with the Federal Trade Commission
•File a police report in the community the theft took place
Fraud Alerts
• 90-day Alert (if you suspect you're a victim)
• Extended Alert (requires Identity Theft Report)
• Seven year lifespan
• Eligible for two free credit reports per year
• Removed from prescreened marketing lists (5 years)
• Businesses may still check your credit report
• Businesses must contact you or use reasonable policies and procedures to verify identity
• Mainly effective against new credit accounts
Credit Freezes
•Prevents third parties from accessing your credit report
•Useful if you have been, or believe yourself to be, a victim
•All existing accounts still have access
•Still eligible for your annual credit report
Credit Freezes
•Enacted in Idaho - July 1, 2008
•All consumers eligible
•No fee for victims with a police report
•$6 fee (per agency) to place or lift a freeze otherwise
•$10 PIN replacement fee
•Freeze is permanent until consumer acts
Credit Freeze Caveats
•Does not protect existing accounts
•New accounts created without a credit check are possible
Close Accounts
•Contact the Security or Fraud section of each creditor
•Follow up in writing (certified mail; return receipt)
•Include copies of supporting documents and fraudulent charges
File ID Theft Report
• Assists the Federal Trade Commission (FTC) in assessing nationwide scams
• Helps to permanently block false information from appearing on your credit report
• Ensures debts do not reappear
• Prevents companies from trying to collect fraudulent debts
• Required to file an Extended Fraud Alert
• Details the incident(s) for local police
Identity Theft Insurance
•Will not deter identity thieves
•Aids in minimizing losses
•Research benefits of any plan
•Some may require a Limited Power of Attorney
•Many only save time by acting on your behalf (applying Credit Freezes, Fraud Alerts, etc.)
Thank You
Questions?
Resources
• Federal Trade Commission: http://www.ftc.gov/bcp/edu/microsites/idtheft/
• University of Idaho APM 30.12: http://www.uiweb.uidaho.edu:80/policy/
• Encrypt-On-Click: http://www.2brightsparks.com/assets/software/EncryptOnClick_Setup.exe
• SANS Institute - Windows Services: http://www.sans.org/top20/#s2
• UI ITS Laptop Security: https://support.uidaho.edu/FAQ/Laptop Security/
• University of Idaho APM 30.16: http://www.uihome.uidaho.edu/default.aspx?pid=97509
• Splunk: http://www.splunk.com/
• Proofpoint: http://www.proofpoint.com/
• Opt Out Coalition: https://www.optoutprescreen.com/
• UI ITS Peer-to-peer FAQ: https://support.uidaho.edu/p2p/