Post on 15-Jan-2016
TechnoExpo, 2006 1
University of California, Irvine
Computer Security: What do I really need to know NOW!
Marina Arseniev - Associate Director, Administrative Computing Services
Stephen Franklin - Director, Network and Academic Computing Services

Agenda
• Why care about security?
• How to deal with Secret Stuff?
• How do I…
  • protect my password?
  • use Email and Instant Messenger securely?
  • use the Internet securely?
  • use my laptop securely?
  • back up my computer?
  • ….

Security Depends on Everyone
• IT staff uses the latest technology and techniques to maintain the highest level of security possible, but much still depends on individual users.
• Every user plays a critical role in maintaining the security of UCI’s network and the systems connected to it.

Security is a real problem!
• Increasing number of attacks
• Security exploits spread in minutes and hours rather than days or weeks
• “Script Kiddies” have access to sophisticated tools
• Serious hackers have even better tools
• More legislation regarding security management practices and notifications

Why bother with security?
• Your personal information and privacy may be compromised.
• Student or employee personal information and privacy may be compromised.
• Legal responsibilities – Federal and State Laws
  • University is liable for breach of security
• Reputation and Trust
• Costliness
  • Notification of individuals whose personal information may have been compromised due to unauthorized access can (“easily”) cost the University tens (and even hundreds) of thousands of dollars

People notified in response to personal identity incidents

People notified   Month   Institution
178,000           April   San Diego State
380,000           May     UC San Diego
145,000           June    UCLA
62,000            June    UCLA

What should be kept secure?
• All portable devices, including PDAs, Laptops
Obvious examples
• Passwords
• Research and development data
• Human resources personnel files
• Student information
• Any business information marked Confidential
Less obvious examples
• A professor’s contact list
• E-mail messages
• Personal telephone numbers
• Home address
• Birth date
• Ethnicity
• Gender

What is Personal Information?
Senate Bill 1386 (State Law)
“Personal information” = Name and any of the following:
• Social security number
• Driver's license number or California Identification Card number.
• Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Federal Laws on Privacy Regulation
• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Digital Millennium Copyright Act
• Federal Trade Commission - Gramm-Leach-Bliley Act on Customer Privacy
• USA Patriot Act of 2002

FERPA
Family Educational Rights and Privacy Act
• Federal law that protects the privacy of student education records.
• Allows students to block access to their information or even existence.
• Contact the Registrar for info and procedures.

HIPAA
Health Insurance Portability and Accountability Act
• “Individually identifiable health information” is private and must be protected in any form or media, whether electronic, paper, or oral.
• Protect demographic data (i.e., name, address, birth date, Social Security Number) related to:
  • the individual’s past, present or future physical or mental health or condition
  • the provision of health care to the individual
  • the past, present, or future payment for the provision of health care to the individual

Relevant Campus Policies
Computing Policy and Information Systems
• 714-11 Guidelines for NACS Computer Usage
• 714-12 Office of Academic Computing Policy on Ownership and Rights of Access to Software and Data
• 714-14 Copying Computer Programs
• 714-15 Policy on Access to University Administrative Information Systems
• 714-16 Procedures for Accessing University Administrative Information Systems
• 714-17 Using University Administrative Information Systems
• 714-18 Computer and Network Use Policy

Protect your passwords
• Choose your passwords carefully.
• Don’t use known personal information.
• Don’t use the same password on different systems.
• Never share personal passwords.
• Do not write passwords down.
  • They will be found by others.

A good password will:
• Be six to 10 characters in length.
• Have one or more capital letters (A…Z).
• Have one or more lower case letters (a…z).
• Include one or more numbers (0-9).
• Include one or more special characters (!, *, &, %, $, #, @).
• Be a short phrase (such as Up&AtM@7!).

Email is NOT SECURE!
• Because email passes through many computers and networks, there are many opportunities for it to be read - despite rules and policies to the contrary.
• Confidential information can easily be accidentally and/or intentionally compromised
• Administrators and hackers can access all incoming and outgoing e-mail messages.
• Viruses are most commonly spread through e-mail attachments.
• HTML Email is really an insecure Web Page.

Here is what you should do:
• Never send passwords, social security numbers, credit card numbers, or other access information via e-mail.
• Do not open unexpected attachments, even from coworkers or other trusted sources.
• Disable macros on questionable documents.

More of what you should do:
• Ask your Computer Support Coordinator about how to store encrypted email securely.
• When deleting sensitive email, make sure you clean your “Junk” and “Trash” folders too! Simply deleting your sensitive email may not remove the file.

What about Instant Messaging?
• Everything that applies to Email vulnerabilities applies to IM.
• Never use IM to send any confidential or private information!

How do I use the Web securely?
• Use SSL Encryption (https://…)
• Check for the “encryption” key on your browser when entering sensitive information – such as a credit card number.
• Never enter secret stuff into Web forms unless instructed to do so by the IT department.
  • Many self-service Web forms use email to automatically notify and disseminate information – we know email is insecure…
• Never download freeware or shareware from the Internet without express permission from the IT department.

Viruses can come from:
• E-mail, WWW, and instant messaging attachments.
• Infected files shared via removable storage (diskettes, CDs, Zip disks, and other media) or over the network.
• Software downloaded from the Internet, Pop-ups.

How do I secure my Computer or Laptop?
• Laptops and portable devices are the largest security threat!
  • Portable devices include PDA, USB Drive, Key Disk, and iPod.
  • Subject to theft or loss. Social Security Numbers? Ouch!
• Install latest patches and anti-virus software, Windows Update.
• Use a good password and change it regularly.
• Enable screen-saver password control – timer for auto-logout.
• Use VPN to access your system from outside UCI
  • Use UCI’s Virtual Private Network (VPN) <http://www.nacs.uci.edu/security/vpn.html>

How do I secure confidential information?
• Store only confidential information for which there is an immediate need.
• Delete confidential information with no immediate need.
• Encrypt all confidential information
  • Microsoft Windows XP and Apple's Mac OS X provide built-in file and folder encryption. Linux/UNIX has encryption technologies.
• Use encrypted transmission of confidential information
  • HTTPS, Secure File Transfer FTPS, SSH, VPN, PGP for email
• Arrange professionally administered and regular backups.
  • Backups must be secured too.
  • If stolen, the backup will be used to verify the existence of personal information on a computer and, per California Law 1386, used to notify individuals whose information was compromised.

If distributing Personal Information…
• Delete personal information not critical to the task when distributing full data sets.
• Provide staff access to restricted data only as needed to perform assigned duties.
• When personally identifying information is distributed to users, include notification that the data is restricted and requires security protection. Include reference to applicable policies and regulations.
• Ensure secure transmission, storage and removal of personal data.

Protect Paper Documents
• Don't leave sensitive documents in clear sight in work areas.
• Store confidential material in locked drawers.
• Shred sensitive documents when they are no longer needed.
• Protect sensitive materials when using photocopiers, fax machines, etc.
• Don't leave the originals behind when you walk away.

How do I discard my computer or media?
• Contact your IT department for proper procedures.
• Be sure to delete all information from your old computer or media when you dispose of it.
• Be aware that "erased" data often may be recovered from your computer unless you take explicit measures to remove it.

Supervisors:
Good practices:
• Conduct periodic security assessments and training at staff meetings
• Regularly review your practices and security measures.
Vital:
• Ensure that you, your staff, and those to whom you provide information are familiar with the privacy and confidentiality policy and laws applicable to activities within your unit.
• Inventory and classify the types of information handled by your staff. Inventory “personal” information.
• Make sure software (and equipment) are up to date.

What to report – who to report to
Report to your Supervisor, Computer Support Coordinator, or Helpdesk:
• If you think you have a virus.
• If someone has stolen your password or illicitly accessed your computer.
• If you forget your password or need to have a temporary account created.
Help Desk:
• (949) 824-8500 for the AdCom Services Help Desk
  • EMAIL: [email protected]
• (949) 824-2222 for NACS Help Desk
  • EMAIL: [email protected]
http://security.uci.edu/
Questions?