Security Awareness Day:

How it can Work for You!

Susan McKibben, University of Akron and

Jay Flanagan, Emory University

22

The University of Akron

• Full-Time Employees– Faculty – 803– Staff/Contract Professionals - 1498

• Part-Time Employees– Faculty – 963– Staff/Contract Professionals – 410– Graduate Assistants – 1,163

A Preview ...

Security Training - Background

• No security training

• Security committee– Members from various departments– Interim security policies– HR – Policy training– Software Training -“Best Practices”

We had an idea!

• Security Videos

• Poster Campaign

• Security Awareness Day

Team Members

• Security Administrator

• Software Training Manager

• Web Graphics Designer

• Web Developer

• Senior Multi-media Producer (2)

Who is Emory University?

• Emory University is recognized internationally as an inquiry-driven, ethically engaged, and diverse community whose members work collaboratively for positive transformation in the world through courageous leadership in teaching, research, scholarship, health care, and social action. The University consists of an outstanding liberal arts college, highly ranked professional schools, and one of the largest and more comprehensive healthcare systems in the Southeast. Emory is enriched by the legacy and energy of Atlanta, whose downtown is located 15 minutes away. There are 12,134 students enrolled at Emory, about half pursuing undergraduate degrees in the liberal arts, nursing, or business and the rest enrolled in graduate and professional programs. A palpable sense of community and social connection exists on campus; and because of Emory’s size, students are nurtured in a way not possible at larger institutions.

• Emory has a long tradition of emphasizing fine teaching. It is the most ethnically and religiously diverse university of the top 20 national research universities and is the only one that remains religiously chartered. Emory was founded by the Methodist Church in 1836 at Oxford, Georgia, where Oxford College of Emory still operates.

The Emory Environment

• A very distributed environment– Multiple schools and departments that manage

their own IT– Extensive research ongoing in many schools and

departments – Multiple email servers (Over 40)– Multiple web and application servers

Why is Security Awareness Important?

• Understand the threats• Know what to do in the event an incident

occurs• How to protect yourself• Perimeter protection is good, but….• Desktop security tools are the final layer of

protection against threats

What has Emory Done?

• Brochures• Newspaper Articles / Ads• Email• Web Page• Conference• Posters• Presentations

Security Brochures

• Strategically placed across campus

• Part of new student packets– Student orientation sessions

• HR orientation

• Conferences

• Presentations

Newspaper Articles / Ads• AAIT Services Newspaper for staff and students• Security articles in Emory Report (Staff / Faculty

Newspaper)• Emory Wheel (Student Newspaper) Ads

– Virus Protection– Vulnerabilities

• Emory Wheel Articles– Peer-to-Peer file sharing– Network Registration on Resnet

Email

• New students– Welcoming email discussing security considerations

• Alert lists– New vulnerability and virus information sent out to the

Emory community

• Learnlink Conference– Students have the opportunity to send in security

questions

Welcome Email to New Students• Welcome to Emory! • Practicing safe computing is the responsibility of everyone who uses Emory’s shared resources, like

email and Internet connectivity. This means making sure the basics are covered, like securing all Emory accounts with strong passwords, keeping antivirus software and system patches up to date, immediately deleting unsolicited email attachments without opening them and backing-up important data frequently.

• Before you start classes, it’s essential that you know about Emory’s computing security guidelines, policies, standards and recommended practices. You’ll find this information at: http://it.emory.edu/security_policies

• Passwords are the keys to your computer. They help protect your information and Emory’s shared computing systems from attacks like viruses and hackers. If your password is in the dictionary, password-cracking software can guess it in seconds! Learn how to create strong passwords: http://www.it.emory.edu/showdoc.cfm?docid=2601. To change your password: https://password.service.emory.edu

• For tips on using antivirus software, installing Microsoft security patches or system updates and more, go to ITD’s “Basic PC Security” Web page: http://www.it.emory.edu/showdoc.cfm?docid=4588

• Join the “IT Security Q&A” conference on LearnLink, where you can post and get answers to your computing security questions: IT_Security_Q&A@learnlink.emory.edu

• Make computing security a priority! The security and availability of Emory’s shared computing systems depends on everyone working together to keep our resources safe.

• – The ITD Security Team• P.S. Don’t forget to bookmark the ITD Information Security homepage: http://security.it.emory.edu

Alert List Emails• Please send out this information on a new MAC Worm that has been found in the wild.

Definitions for this new worm should be available for Norton’s MAC client anti-virus software. Be sure you have definitions dated 2/16/06 or later for your client. For more information, please go to the following URL:

• OSX.Leap.A• Discovered on: February 16, 2006 • Last Updated on: February 18, 2006 01:15:52 PM• OSX.Leap.A is a worm that targets installs of Macintosh OS X and spreads via iChat

Instant Messenger program. Note: It infects files on the Macintosh OS X version 10.4. The worm will execute on Intel Macs, but cannot spread to other systems from these machines.

• Also Known As: OSX/Leap-A [Sophos], CME-4, OSX/Leap [McAfee], Leap.A [F-Secure]• Type: Worm• Systems Affected: Macintosh OS X

Learnlink Security Conference

Learnlink Security Conference

Web Page• http://security.it.emory.edu• What’s available

– Information on Phishing– Security How-To’s– Security News– Security Vulnerabilities and Viruses– Operating System Baselines– Vulnerability Scanning Self Service– Security Policy Information– Security Statistics– Links to other important Security sites

Security Mini-Conference• The Security Mini-Conference is held annually in the spring of each year

– Send out mailers– Web Page– Email– Require registration

• Different Themes each year– This year was identity theft and privacy– Speakers that speak to the themed issues

• For faculty, staff and students– This year included our Healthcare side

• Food provided– Continental Breakfast– Lunch

Security Awareness Day: ThemeUniversity of Akron

• Zack Geekis – the security analyst who transforms into ...

• “Super Zippy” – our hero

• Villains:– Password Patty– Phil the Phisher– Laptop Wizard

Cyber Security Awareness Day

“A daylong series of seminars and activities that will raise your cyber security awareness and help you become safer in the cyber world”

Cyber Security Awareness Day

• October 26, 2005• Vendor Fair in Student Union

– Door Prizes– Vendors– Departments– Handouts

• Presentations• Video Premiere

Presentations

FERPA and HIPAA (Legal) Viruses and Spyware (McAfee)

LoJack Software (Absolute Software)

The Amazing Truth About Wireless Security (Secure State)

Trustworthless Computing (ITS)

Protecting Yourself in the e-world (Chase)

Wireless Security (Cisco) Identity Theft (OIG)

Voice over IP Security (World Synergy)

Intrusion (FBI)

Buttons

Obstacles

• Limited Time

• Security Committee – Approval Process

• Rights to Zippy– Limited to on-campus use– No posters with Super Zippy Image

In Process

• Security Awareness Training– Web-based

• New Vice President of Information Technology– Open position for Security Administrator

Valuable Resources

• FTC Consumer Information Web site– http://ftc.gov/bcp/menu-internet.htm

• Vendors– Provided give-aways– Speakers– Coordinated with our on-campus computer store

Valuable Resources

• FBI– Speakers

• Chase Education Finance– Speakers

• U.S. Department of Education– Inspector General’s Office– Speakers

• University Legal Counsel– Speakers

Security Posters• Put up around campus during back to school• Themed

– Viruses– Vulnerabilities– Peer-to-Peer file sharing

• Security Incidents• Events

– Security Mini-Conference– Security Presentations

University of Akron Cyber Security Awareness Day: Posters

• The following posters were put up to promote the University of Akron’s Cyber Security Awareness Day– October 26, 2005– Put up around campus– Gathered interest in the event

Security Presentations• Done regularly

– IT Briefing• New security tools being deployed• Security architecture

– School and Department Presentations• Business School• Medical School• Student Orientations in the fall

– Tech Talks• Vendor products

– F5 Firepass SSL VPN

– Vendor Presentations• SpiDynamics

– Web application vulnerabilities

Videos

• Attachment Disorder

• The Trash Man

• Password Patty

Security Videos

• Premiered at Cyber Security Awareness Day

• Located within the University Portal for faculty, staff, and students

• Played on Zip-TV (residence halls and dorms)

Password Patty Video

Summary• Many different ways to get out

the message about security awareness

• Awareness should be fun

• Get everyone involved

Contact Information• Sue McKibben, University of Akron

– Email• smf@uakron.edu

– Phone• (330) 972-6391

• Jay Flanagan, Emory University– Email

• jflanag@emory.edu

• SecurityTeam-L@listserv.emory.edu

– Phone• (404) 727-4962

Questions?

Questions?

Questions?