Security Awareness Protecting Sensitive Information


Upload: ezra

Post on 23-Feb-2016



Page 1: Security Awareness Protecting Sensitive Information

Security Awareness Protecting Sensitive Information

“Good but he that filches from me my good name, robs me of that which not enriches him, and makes me poor indeed.” - Shakespeare, Othello, act iii. Sc. 3.

Page 2

Security Awareness mindset:

“I understand that there is the potential for some people to deliberately or accidentally steal, damage or misuse the data that is stored within my computer systems and throughout our University. Therefore, it would be prudent for me to stop that from happening.”

SEC Y

Page 3

We handle sensitive or confidential data in all types of formats

• Social Security number (SSN)

• credit card number

• driver's license number

• personally identifiable patient information

• personally identifiable student information

• personnel information

• proprietary research data

• confidential legal data

• proprietary data that should not be shared with the public

Page 4

Regulations, Regulations and Regulations !!!!

• Gramm-Leach-Bliley Act (GLBA)

• Family Rights to Privacy Act (FERPA)

• North Carolina Identity Theft Protection Act

• Health Insurance Portability and Accountability Act (HIPAA)

And More !!

Page 5

• A laptop belonging to Fidelity Investments, one of the largest mutual fund companies in the world, was stolen recently

• The laptop contained financial information on almost 200,000 current and former Hewlett Packard employees…..

Page 6

• The Department of Veterans Affairs (VA) recently learned that an employee, a data analyst, took home data from the VA, which he was not authorized to do.

• Over 26 MILLION veterans had their personal information stolen, including Social Security numbers and disability ratings, when the employee’s home was burglarized.

• The VA is now implementing procedures to dismiss the employee.

Page 7

And At Universities….

University of Colorado officials announced that 49,000 current and former students may have had their privacy compromised after the university found hackers had tapped into a database in the registrar's office. The data contained names, Social Security numbers, addresses and phone numbers.

“You feel violated. For the people whose data we are here to protect, you just feel awful.” - Barbara Todd, CU-Boulder registrar.

Page 8

How do Hackers get what they want?

Page 9

Phishing

Fraudulent emails created by criminals to look like messages and websites from established businesses, financial institutions, or government agencies in order to gain personal information from unsuspecting users—YOU

Page 10

Dear Laredo National Bank customer,

CONGRATULATIONS!

You have been chosen by the Laredo National Bank online department to take part in our quick and easy 5 question survey.

In return we will credit $25 to your account - Just for your time! Helping us better understand how our customers feel benefits everyone.

With the information collected we can decide to direct a number of changes to improve the results and expand our online service. We kindly ask you to spare two minutes of your time in taking part with this unique offer!

SERVICE: Laredo National Bank $25 Reward Survey

EXPIRATION: June - 30 - 2006

Confirm Now your $25 Reward Survey with Laredo National Bank.

https://secure.lnb-online.com/cgi-bin/

The information you provide us is all non-sensitive and anonymous No part of it is handed down to any third party groups. It will be stored in our secure database for maximum of 3 days while we process the results of this nationwide survey.

Please do not reply to this message. For any inquiries, contact Customer Service. Document Reference: (97051203). Copyright 1996 - 2006 Laredo National Bank

Copyright 1998 - 2006, Laredo National Bank. All Rights Reserved

Page 11

Social Engineering

• A hacker’s favorite tool—the ability to extract information from computer users without having to touch a computer

• Coercing people to give out information is known as “social engineering” and is one of the greatest security threats out there

Page 12

• Social engineers prey on some basic human tendencies….

– The desire to be HELPFUL

– The tendency to TRUST people

– The FEAR of getting into trouble

Page 13

THE PHONY CALL

Hacker:

“Hello! I’m Karen from XYZ Corp. We are conducting a survey of ABC financial database software users to determine their level of satisfaction”

Office Worker:

“I’m sorry, we don’t use ABC database software, we use MNO database, sorry I can’t help you”

YOU JUST DID!

Page 14

What can Malware do?

A Virus installed on your computer may:

• Download other malware

• Crash your workstation

• Capture and send sensitive information from your workstation to the hacker

• Be used to perform attacks from inside our network

Page 15

What Can I Do?

Page 16

• Do not copy or download data from the university’s administrative systems to a PC, PDA, laptop, etc., unless required by your department

• If you are required to store sensitive data, store it on Piratedrive

Page 17

• Search your workstation for sensitive data and either delete or move it to Piratedrive

• Use encryption if you must store sensitive data locally

• Keep your computer updated with the latest patches and antivirus definitions

Page 18

• Use strong passphrases on all your computer systems and change them regularly

• Never give your passphrase out to anyone

• Don’t use the same passphrase on your university and home workstations or programs

Page 19

• Don’t store sensitive information on a web server

• Use a secure server to store sensitive data

• Use an encrypted database, such as SQL or Oracle, to store sensitive information

• Remove the confidential part of the information from the data if this is possible (e.g., SSN)
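
Added example (not part of the original slides): one way to act on the advice to search for sensitive data and to remove the confidential part of a record, by finding SSNs and card numbers in text and masking all but the last four digits. The patterns, function names and sample record are assumptions made for this illustration.

```python
import re

# Candidate patterns: SSN written as AAA-GG-SSSS, and 13-19 digit card
# numbers with optional single spaces or hyphens between digits.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def ssn_plausible(area, group, serial):
    """Reject values that are never issued as SSNs (cuts false positives)."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, matched_text) for each validated hit: SSNs, then cards."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)
            if ssn_plausible(*m.groups())]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(("card", m.group()))
    return hits


def redact(text):
    """Mask every validated hit, keeping only the last four digits."""
    for _, value in find_sensitive(text):
        text = text.replace(value, "[REDACTED-" + value[-4:] + "]")
    return text


# Constructed sample record; none of these values belong to a real person.
SAMPLE = ("Student: J. Doe, SSN 123-45-6789, card 4111 1111 1111 1111, "
          "phone 252-555-0100, order 1234 5678 9012 3456, ref 000-12-3456")

if __name__ == "__main__":
    print(find_sensitive(SAMPLE))
    print(redact(SAMPLE))
```

The phone number, the order number that fails the Luhn check and the `000` reference are left alone, which is the point of validating candidates instead of flagging every digit run.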

Page 20

• Never allow others to use your PirateID or other logins – this includes your supervisor!

• When you are not at your workstation, log out or lock it using CTRL-ALT-DEL

• Don’t use the “auto complete” option to remember your passphrases

Page 21

• Avoid using Instant Messaging and Chat Software

• Avoid using Peer to Peer file sharing software

• Don’t download or install unauthorized programs

Page 22

• Don’t leave unattended sensitive data on your desk, FAX, printers or copiers

• Keep sensitive data stored in a locked desk, drawer or cabinet

• Shred sensitive data for disposal

• Email is not secure and should not be used to send sensitive information. If you must use email, ALWAYS encrypt sensitive data.

Page 23

• Don’t open unscanned, unknown or unexpected email attachments

• Download an attachment and check it with A/V prior to opening it

• If you receive an email with a hyperlink, don’t open it in the email – open a web browser and type the link in manually

Page 24

• Use a screensaver with the password enabled

• When you go home, turn off the computer

Page 25

• Despite all our security controls, we are wide open to an attack if an employee unwittingly gives away key information in an email, by answering questions over the phone with someone they don't know or failing to ask the right questions

Page 26

If you suspect a problem

Notify the ITCS Help Desk at 328-9866

If you’ve been hacked, or think you have, change the passphrase to ALL systems you have access to (and not from the hacked workstation either)

If you have received a threat, notify the ECU Campus Police

Page 27

For more information

Please visit the ITCS website at WWW.ECU.EDU/ITCS and click on “Computer Safety and Security”