Information Security2013 Roadshow

Roadshow Outline

Why We Care About Information Security

Safe Computing• Recognize a Secure Web Site (HTTPS)• How to Spot a Spoofed Web Site• Recognize a Phishing Attempt• What is Social Engineering

Privacy and Compliance• PCI/HIPAA/FERPA• Policy• Privacy and Best Practice

Why We Care About Information Security

Personal Reasons:Identity TheftLoss of DataFinancial LossPoor Computer Performance

Institutional Reasons:Protect Middlebury CollegeCompliance with Laws and StandardsPrevent Reputational DamageReduce Legal Liability for the CollegeAs Well As the Personal Reasons Listed Above

How do I Know a Web Site is Secure?

• HTTPS in the Address bar

is an indicator of a secure

web site.

• A web site encrypted with

SSL should display a near the address bar.

• Not all devices orbrowsers display the same.

What is a Spoofed Web Site

• Just because the site looks like Middlebury does not mean it is

• Check the address or URL

• Never enter login information unless the site is secure and you have checked the URL

How to Spot Phishing

    

• Do NOT click on links or open attachments in suspicious emails!• Forward all suspected Phishing messages to

phishing@middlebury.edu before deleting the message.• If you fall victim to a phishing attack RESET your password

immediately and then call the Helpdesk!

What Phishing Can Do

• Do NOT click on links or open attachments in suspicious emails!• Forward all suspected Phishing messages to

phishing@middlebury.edu before deleting the message.• If you fall victim to a phishing attack RESET your password

immediately and then call the Helpdesk!

• Infect a system with malware

• Mislead a user into giving up credentials

• Compromise email with rules and scripts

• Stet the stage for a larger attack

What is FakeAV

• Tries to look like regular AV

• Clicking on the warning will download a virus

• Often the best bet is a hard shutdown of the system

• Know what your AV warnings look like 

• Sophos anti-virus does offer some web protections which help to prevent the download activity of FakeAV.

Social Engineering

• Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims.

(From Wikipedia)

Examples:

• You are in a hotel and receive a call from the front desk to confirm your credit card details.

• You receive a call at work from support services asking for your password to fix a problem on your computer.

• You are at home and get a call from the help desk asking for your login information to reset your email account.

What Laws Protect Information Here at Middlebury

• Family Education Rights and Privacy Act (FERPA) = Student Data

• Health Information Portability and Accountability Act (HIPAA) = Health Data

• Sarbanes – Oxley Act (SOX) = Financial Data for Businesses

• Gramm Leach Bliley Act (GLBA) = Financial Data for Lending Institutions

• VT Act 162 = Data Breach Notification & SSN Handling

• Payment Card Industry Standards (PCI-DSS) = Credit/Debit Card Data

What Policies Protect Information Here at Middlebury

• Privacy Policy = Confidentiality of Datahttp://go.middlebury.edu/privacy

• Network Monitoring Policy = Protection of College Technology Resourceshttp://go.middlebury.edu/netmon

• Technical Incident Response Policy = Response to Information Security Eventshttp://go.middlebury.edu/tirp

• Data Classification Policy = Defines Data TypesNot in handbook as of yet

• Red Flags Policy = Identity Theft ProtectionNot presently in hand book

• PCI Policy = Payment Card Data Handlinghttp://go.middlebury.edu/policy?pci

Other Policies Live Here: http://go.middlebury.edu/handbook

What are Some Best Practices

Do• Look for HTTPS and other key address indicators when you are going to different web sites.

• Use a strong challenge question in Banner SSB

• Redaction – remove or mask (block out) personally identifiable information when sharing data

• Be suspicious of unsolicited email or phone calls.

•Lock your computer or secure information when you leave your work space.

•Use Anti-Virus on both your work and home systems

•Use secure passwords which you change often. This also applies to mobile devices.

Do

What are Some Best Practices

Do Not• DO NOT write down or share your passwords

- tools such as eWallet or 1Password work well as secure password storage alternatives.

• DO NOT store confidential data on unencrypted thumb drives or other unsecured media

-if you need to transfer the data encrypt the file or password protect the file and keep a master copy on the server.

Do Not• DO NOT place confidential data in

email-email a link to where the file

is stored. This may add complexity but increases security. Windows Explorer can show you the path to the location of the file.

• DO NOT record sensitive data on the College web site, blog or Wiki

Discussion and Links

Please share your thoughts!Information Security Resources:

http://go.middlebury.edu/infosechttp://go.miis.edu/infosec

Report Information Security Events To: infosec@middlebury.edu