Professional Documents
Culture Documents
DoIT / NonDoIT
Campus IT Policies
Appropriate
200-level
- System Admin (others?)
- Security 201: Windows (SEP 21)
- Security 202: OS X (AUG 11)
- Firewall Security
- Other?
lessons

AGENDA
1.
2.
3.
4.
5.
- Financial information
- Health information
- Grades
- Credit cards
- Other sensitive types of information
HAND-OUTS
- Packet of handouts
- Sign-up sheet
June 4, 2009, Maine Office of Information Technology (Augusta, ME): Through a printing error, 597 people receiving unemployment benefits last week got direct-deposit information including Social Security numbers belonging to another person. "We received a print job and were running it, and there was an equipment malfunction." Recipients received one page with their own information and another page with information belonging to a different person. Number affected: 597
June 5, 2009, Virginia Commonwealth University (Richmond, VA): A desktop computer was stolen from a secured area. The computer may have contained student names, Social Security numbers and test scores dating from October 2005 to the present. VCU discontinued use of Social Security numbers as ID numbers in January 2007. An additional 22,500 students are being notified that their names and test scores may have also been on the computer. No Social Security numbers were recorded with those names, but computer-generated student ID numbers may have been. Number affected: 17,214
Ohio State University Dining Services (Columbus, OH): Student employees' SSNs were accidentally leaked in an e-mail. An OSU employee received an e-mail with an attachment that included students' names and Social Security numbers. He unwittingly forwarded it, with the attachment, to his student employees. After realizing the mistake, the hiring coordinator called the Office of Information Technology, which stopped the e-mails before all of them were sent. Number affected: 350
DISCUSS
[Chart: data breach statistics from http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm]
WHO CARES?
Why should we be concerned about the handling of sensitive data?
On the individual
- Personal credit info can be destroyed
- Embarrassment
- Patents & intellectual property rights
On the university
- Reputation
- Grants
- Patents
"If there is any financial damage I will hold OU at fault and seek legal counsel to recover any and all loss, with punitive damages."
Quotes taken from the article "OU has been getting an earful about huge data theft" by Jim Phillips, Athens NEWS Sr Writer, 2006-06-12
THAT IS WHY
IT professionals are scattered on campus. Data security presents a huge financial, ethical and reputational exposure. We need to unify our efforts.
E pluribus unum: Out of many, one.
CLASSES OF INFORMATION
- Personal information
- Health & medical information
- Financial information
- Academic information

PERSONAL INFORMATION
- Social Security Numbers
- Driver's License Number
- Name & Address
- Biometric data
Prescriptions

FINANCIAL INFORMATION

ACADEMIC INFORMATION
- Students
- Faculty/Staff
895.507 (2006), formerly Act 138: any unauthorized access to personal info.
Data includes:
- SSN
- Driver's license or state ID
- Account number, code, password, PIN
- DNA or biometric info
FEDERAL LAW
FERPA: academic
Family
Public Information (considered public *)
Examples include:
- Name, address, phone
- Email address
- Dates of attendance
- Degrees awarded
- Enrollment status
- Major field of study

Private Information (tightly restricted)
Examples include:
- SSN
- Student ID number
- Race, ethnicity, nationality
- Gender
- Transcripts & grades
(partial list)

WWW.REGISTRAR.WISC.EDU
THE FACTS
- On an unnamed Big 10 university campus
- DoIT Store website collecting data from hits
- This data was being analyzed by the web hosting service
- Web hosting service posted its findings
- Web hosting service didn't know about SSNs
- Captured data posted on semi-public site
THE ANALYSIS
- All were capable, professional entities
- They didn't know
- They didn't anticipate
Therefore:
Don't overestimate other folks' knowledge or motivation.
Don't underestimate the value that you can add.
They

HOW?
Question: How might sensitive data find its way onto a piece of hardware?
PII FINDER
Identity Finder
- Being considered by UW DoIT Security group
- More costly, but more robust
- Free edition is now available, so it's worth a try

OCIS provides access to a few scanning tools. These tools test the security of the network & workstation. This will tell you whether you are at risk.
Define incident
- Undetermined
- a laptop
- Firewall down
- Critical patches are out-of-date
- Hacked, or infected with malware

Define breach
We

WELL-HANDLED INCIDENTS
Well-handled incidents will reduce
1.
2.
DISCUSSION QUESTION
- Investigators
- CIO
- Admin Leader Team
- University Communications
1 WHAT HAPPENED?
Incident
Does the device contain sensitive information? Was that information accessible by a non-authorized user?
- Physically accessible
- Cyber-accessible
(judgment?)
You need to escalate the issue. But how do you report an incident?
- Open a DoIT HelpDesk ticket. They can escalate it if necessary.
- Contact the Network Operations Center (NOC). Phone: 263-4188
After hours?

WHAT DO I DO?
Preserve as much data as possible.
SCENARIOS
1. A laptop in your department has been infected with a virus.
2. You have a single workstation that interfaces with a special piece of scientific equipment. It runs an unsupported OS. You are concerned that it may have been compromised.
3. You get a call saying your department's web server is unexpectedly serving pop-up ads.
Difficult to get rid of. It replicates:
- Hardcopy
- Cached
- Email forward
- Backed up
Get rid of it! (if possible)

Considerations:
- Do you really need the data?
- Rethink business practices.
- Frequently re-assess security standards.
- Things change. Yesterday: SSNs. Tomorrow: Mobile phone numbers?

Extensive resources:
- Individual & Departmental Security risk assessment
- IT Security Principles
IT SECURITY PRINCIPLE #1
Principle #1: Security is everyone's responsibility.
It takes a village...
- Managers
- IT support
- Office staff
- Faculty
- End users
- Students
- Campus police
- You!

IT SECURITY PRINCIPLE #2
Principle #2: Security is part of the development life cycle.
Not an after-thought! Designed into the project plan, i.e.:
- Allocate the necessary resources
- Logging & auditing capabilities
- Layering security defenses

IT SECURITY PRINCIPLE #3
Principle #3: Security is asset management.
Lock it up!
- Classification of data
- Establishing privileges
- Separating or redistributing job responsibilities and duties

IT SECURITY PRINCIPLE #4
Principle #4: Security is a common understanding.
- Incident handling
your manager
- Do we generate, use, receive, store sensitive data?
- If so, what measures and practices are in place?

Finder
- GET PERMISSION FIRST!
- Suggest that you scour ALL servers

70% of data breaches involve data the owners didn't even know was there.

about current response procedure
- Make sure it is well-known, published
- Remember our flow chart

info with coworkers
- Bookmark OCIS website
- Future IT security courses
- Put appointment in calendar to check progress
RESOURCES
Organizations
- www.doit.wisc.edu/about/advisory.asp
- TechPartners: Sign-up forum
- CTIG: Watch
- MTAG: Know
AGENDA - RECAP
1.
2.
3.
4.
5.

THE END
Thank you!
Please fill out the course evaluation and leave it by the door on your way out.