Computer Security: What do I really need to know NOW!
University of California, Irvine
TechnoExpo, 2006
Marina Arseniev - Associate Director, Administrative Computing Services
Stephen Franklin - Director, Network and Academic Computing Services

Post on 15-Jan-2016



Agenda
• Why care about security?
• How to deal with Secret Stuff?
• How do I…
  • protect my password?
  • use Email and Instant Messenger securely?
  • use the Internet securely?
  • use my laptop securely?
  • back up my computer?
  • …


Security Depends on Everyone
• IT staff uses the latest technology and techniques to maintain the highest level of security possible, but much still depends on individual users.
• Every user plays a critical role in maintaining the security of UCI’s network and the systems connected to it.


Security is a real problem!
• Increasing number of attacks
• Security exploits spread in minutes and hours rather than days or weeks
• “Script Kiddies” have access to sophisticated tools
• Serious hackers have even better tools
• More legislation regarding security management practices and notifications


Why bother with security?
• Your personal information and privacy may be compromised.
• Student or employee personal information and privacy may be compromised.
• Legal responsibilities – Federal and State Laws
  • University is liable for breach of security
• Reputation and Trust
• Costliness
  • Notification of individuals whose personal information may have been compromised due to unauthorized access can (“easily”) cost the University tens (and even hundreds) of thousands of dollars


People notified in response to personal identity incidents
178,000   April   San Diego State
380,000   May     UC San Diego
145,000   June    UCLA
 62,000   June    UCLA


What should be kept secure?
• All portable devices, including PDAs, Laptops
Obvious examples:
• Passwords
• Research and development data
• Human resources personnel files
• Student information
• Any business information marked Confidential
Less obvious examples:
• A professor’s contact list
• E-mail messages
• Personal telephone numbers
• Home address
• Birth date
• Ethnicity
• Gender


What is Personal Information? Senate Bill 1386 (State Law)
“Personal information” = Name and any of the following:
• Social security number
• Driver's license number or California Identification Card number.
• Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.


Federal Laws on Privacy Regulation
• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Digital Millennium Copyright Act
• Federal Trade Commission - Gramm-Leach-Bliley Act on Customer Privacy
• USA Patriot Act of 2002


FERPA
Family Educational Rights and Privacy Act
• Federal law that protects the privacy of student education records.
• Allows students to block access to their information or even existence.
• Contact the Registrar for info and procedures.


HIPAA
Health Insurance Portability and Accountability Act
• “Individually identifiable health information” is private and must be protected in any form or media, whether electronic, paper, or oral.
• Protect demographic data (i.e., name, address, birth date, Social Security Number) related to:
  • the individual’s past, present or future physical or mental health or condition
  • the provision of health care to the individual
  • the past, present, or future payment for the provision of health care to the individual


Relevant Campus Policies
Computing Policy and Information Systems
• 714-11 Guidelines for NACS Computer Usage
• 714-12 Office of Academic Computing Policy on Ownership and Rights of Access to Software and Data
• 714-14 Copying Computer Programs
• 714-15 Policy on Access to University Administrative Information Systems
• 714-16 Procedures for Accessing University Administrative Information Systems
• 714-17 Using University Administrative Information Systems
• 714-18 Computer and Network Use Policy


Protect your passwords
• Choose your passwords carefully.
• Don’t use known personal information.
• Don’t use the same password on different systems.
• Never share personal passwords.
• Do not write passwords down.
  • They will be found by others.


A good password will:
• Be six to 10 characters in length.
• Have one or more capital letters (A…Z).
• Have one or more lower case letters (a…z).
• Include one or more numbers (0-9).
• Include one or more special characters (!, *, &, %, $, #, @).
• Be a short phrase (such as Up&AtM@7!).


Email is NOT SECURE!
• Because email passes through many computers and networks, there are many opportunities for it to be read - despite rules and policies to the contrary.
• Confidential information can easily be accidentally and/or intentionally compromised.
• Administrators and hackers can access all incoming and outgoing e-mail messages.
• Viruses are most commonly spread through e-mail attachments.
• HTML Email is really an insecure Web Page.


Here is what you should do:
• Never send passwords, social security numbers, credit card numbers, or other access information via e-mail.
• Do not open unexpected attachments, even from coworkers or other trusted sources.
• Disable macros on questionable documents.


More of what you should do:
• Ask your Computer Support Coordinator about how to store encrypted email securely.
• When deleting sensitive email, make sure you clean your “Junk” and “Trash” folders too! Simply deleting your sensitive email may not remove the file.


What about Instant Messaging?
• Everything that applies to Email vulnerabilities applies to IM.
• Never use IM to send any confidential or private information!


How do I use the Web securely?
• Use SSL Encryption (https://…)
• Check for the “encryption” key on your browser when entering sensitive information – such as a credit card number.
• Never enter secret stuff into Web forms unless instructed to do so by the IT department.
• Many self-service Web forms use email to automatically notify and disseminate information – we know email is insecure…
• Never download freeware or shareware from the Internet without express permission from the IT department.


Viruses can come from:
• E-mail, WWW, and instant messaging attachments.
• Infected files shared via removable storage (diskettes, CDs, Zip disks, and other media) or over the network.
• Software downloaded from the Internet, Pop-ups.


How do I secure my Computer or Laptop?
• Laptops and portable devices are the largest security threat!
  • Portable devices include PDA, USB Drive, Key Disk, and iPod.
  • Subject to theft or loss. Social Security Numbers? Ouch!
• Install latest patches and anti-virus software, Windows Update.
• Use a good password and change it regularly.
• Enable screen-saver password control – timer for auto-logout.
• Use VPN to access your system from outside UCI
  • Use UCI’s Virtual Private Network (VPN) <http://www.nacs.uci.edu/security/vpn.html>


How do I secure confidential information?
• Store only confidential information for which there is an immediate need.
• Delete confidential information with no immediate need.
• Encrypt all confidential information
  • Microsoft Windows XP and Apple's Mac OS X provide built-in file and folder encryption. Linux/UNIX has encryption technologies.
• Use encrypted transmission of confidential information
  • HTTPS, Secure File Transfer FTPS, SSH, VPN, PGP for email
• Arrange professionally administered and regular backups.
  • Backups must be secured too.
  • If stolen, the backup will be used to verify the existence of personal information on a computer and, per California Law 1386, used to notify individuals whose information was compromised.


If distributing Personal Information…
• Delete personal information not critical to the task when distributing full data sets.
• Provide staff access to restricted data only as needed to perform assigned duties.
• When personally identifying information is distributed to users, include notification that the data is restricted and requires security protection. Include reference to applicable policies and regulations.
• Ensure secure transmission, storage and removal of personal data.


Protect Paper Documents
• Don't leave sensitive documents in clear sight in work areas.
• Store confidential material in locked drawers.
• Shred sensitive documents when they are no longer needed.
• Protect sensitive materials when using photocopiers, fax machines, etc.
• Don't leave the originals behind when you walk away.


How do I discard my computer or media?
• Contact your IT department for proper procedures.
• Be sure to delete all information from your old computer or media when you dispose of it.
• Be aware that "erased" data often may be recovered from your computer unless you take explicit measures to remove it.


Supervisors:
Good practices:
• Conduct periodic security assessments and training at staff meetings.
• Regularly review your practices and security measures.
Vital:
• Ensure that you, your staff, and those to whom you provide information are familiar with the privacy and confidentiality policy and laws applicable to activities within your unit.
• Inventory and classify the types of information handled by your staff. Inventory “personal” information.
• Make sure software (and equipment) are up to date.


What to report – who to report to
Report to your Supervisor, Computer Support Coordinator, or Helpdesk:
• If you think you have a virus.
• If someone has stolen your password or illicitly accessed your computer.
• If you forget your password or need to have a temporary account created.
Help Desk:
• (949) 824-8500 for the AdCom Services Help Desk
  • EMAIL: [email protected]
• (949) 824-2222 for NACS Help Desk
  • EMAIL: [email protected]


http://security.uci.edu/

Questions?
