

Sponsored by UW Division of Information Technology (DoIT)

Office of Campus Information Security

and Professional Technical Education

--------------------------------

Instructors: Cliff Cunningham & Braden Bruington

Security 101:

Information Security Basics



  • Cliff Cunningham - DoIT

  • Braden Bruington - DoIT

  • Rick Keir - OCIS

    (Office of Campus Information Security)

Greetings & Introductions



Did you know…?

  • Approx 1,200 IT professionals in UW schools

  • 2/3 of them are not affiliated with DoIT



  • Campus IT Policies

    • Appropriate Use Policies

    • Electronic Devices

  • Payment Card Industry Data Security Standard

    • a.k.a. PCI DSS

    • List of specific requirements (a checklist of controls)

    • Used by OCIS

Policies & guidelines



Security training – in the beginning



Security training – winter ‘08

You are here!



Security training – spr/sum ’09



Security training – sum/fall ’09

  • Other…?



  • To continue the campus-wide conversation

  • Advertise OCIS training resources

  • Increase networking (social) within IT community on UW campuses

  • Share war stories

    • lessons learned, scars received.

Goals for these courses



  • General discussion

  • Defining sensitive data

    ---------- BREAK ----------

  • How do I find sensitive data?

  • Handling a data security incident

    ---------- BREAK ----------

  • Closing remarks & next steps

Agenda



  • Titles?

  • Roles?

  • Operating systems?

  • What kinds of data?

    • Financial information

    • Health information

    • Grades

    • Credit cards

    • Other sensitive types of information

Who are you?



Packet of handouts

Sign-up sheet

Hand-outs





June 4, 2009 – Maine Office of Information Technology (Augusta, ME)

Through a printing error, 597 people receiving unemployment benefits last week got direct-deposit information including Social Security numbers belonging to another person.

"We received a print job and were running it, and there was an equipment malfunction." Recipients received one page with their own information and another page with information belonging to a different person.

Number affected: 597

Data breach, June 4



June 5, 2009 – Virginia Commonwealth University (Richmond, VA)

A desktop computer was stolen from a secured area.

The computer may have contained student names, Social Security numbers and test scores dating from October 2005 to the present. VCU discontinued use of Social Security numbers as ID numbers in January 2007.

An additional 22,500 students are being notified that their names and test scores may have also been on the computer. No Social Security numbers were recorded with those names, but computer-generated student ID numbers may have been.

Number affected: 17,214

Data breach, June 5



Ohio State University Dining Services (Columbus, OH)

Student employees’ SSNs accidentally leaked in an e-mail.

An OSU employee received an e-mail with an attachment that included students' names and Social Security numbers. He unwittingly forwarded it, attachment included, to his student employees.

After realizing the mistake, the hiring coordinator called the Office of Information Technology, which stopped the e-mails before all of them were sent.

Number affected: 350

Data breach, June 6



What keeps you awake at night?

(Please restrict your answers to IT security-related topics.)

Discuss



Analysis of data loss incidents

http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm





Why should we be concerned about the handling of sensitive data?

Who cares?



  • On the individual

    • Personal credit info can be destroyed

    • Embarrassment

    • Patents & intellectual property rights

  • On the university

    • Reputation

    • Grants

    • Patents & intellectual property rights

Effects of data loss



“If there is any financial damage… I will hold OU at fault and seek legal counsel to recover any and all loss, with punitive damages.”

Fallout from data loss at OU

“I will never donate another penny to you.”

“It was my intention to leave a sizable endowment to OU, but not any longer”

Quotes taken from article “OU has been getting an earful about huge data theft”

by Jim Phillips, Athens NEWS Sr Writer, 2006-06-12



  • IT professionals are scattered on campus.

  • Data security presents a huge financial, ethical and reputational exposure.

  • We need to unify our efforts.

    E pluribus unum:

    • Out of many, one.

That is why…





Classes of information

Personal information

Health & medical information

Financial information

Academic information



Personal information

  • Social Security numbers

  • Driver's license number

  • Name & address

  • Biometric data

    • Fingerprints

    • DNA maps

    • Voice patterns



Health & medical information

  • Physical diagnoses

  • Mental health

    • Psychological diagnoses

    • Treatment

  • Prescriptions



Financial information

  • Account numbers

  • Account pass codes

  • Credit card numbers

    (NOTE: All financial information tends to be sensitive.)



Academic information

  • Students

    • Grades

    • Transcripts

    • Communications w/faculty

  • Faculty/Staff

    • Intellectual property

    • Research data



  • Wisconsin’s Data Breach Notification Law

    • Wis. Stat. § 895.507 (2006)

    • Created by 2005 Wisconsin Act 138

    • Any unauthorized acquisition of personal info…

      • … must notify the affected individual(s) within 45 days

    • Data includes

      • SSN

      • Driver’s license or state ID

      • Account number, code, password, PIN

      • DNA or biometric info

Wisconsin state law



Restricted: explicitly protected under Wisconsin State Law. Must notify if lost.

Sensitive: still needs to be guarded with great care, but notification not required.

All restricted data is sensitive.

Not all sensitive data is restricted.

Restricted vs. sensitive



  • FERPA – academic

    • Family Educational Rights and Privacy Act

  • HIPAA – health & medical

    • Health Insurance Portability and Accountability Act

Federal Law



From just this past June (2009).

Cliff’s Personal anecdote



FERPA: two types of info

Public Information

  • Considered public *

  • Examples include

    • Name, address, phone

    • Email address

    • Dates of attendance

    • Degrees awarded

    • Enrollment status

    • Major field of study

      * Students can request this information be suppressed

Private Information

  • Tightly restricted

  • Examples include

    • SSN

    • Student ID number

    • Race, ethnicity, nationality

    • Gender

    • Transcripts & grades

(partial list)


Information provided by Office of Registrar

UW-Madison Student Privacy Rights and Responsibilities



  • Lesser-known items within FERPA’s reach

    • Educational records

    • Personal notes between faculty and students

    • Communications with parents/guardians

    • How to post grades

    • Letters of recommendation

FERPA and its tentacles



  • For more info, Office of the Registrar

    • Brochures

    • FAQs

    • On-line tutorials

    • On-site training

    • One-on-one consultation

www.registrar.wisc.edu



A data security case study…

Now for something entirely different



On an unnamed Big 10 university campus

DoIT Store website collecting data from hits

This data was being analyzed by the web hosting service

Web hosting service posted its findings

The facts

Any warning signs?



  • The data being captured included…

    • campus IDs and NetIDs

    • Old campus IDs used to contain SSNs

  • Web hosting service didn’t know about the SSNs

  • Captured data posted on semi-public site

The rest of the story…



All were capable, professional entities

They didn’t know

They didn’t anticipate

Therefore…

The Analysis



  • Don’t overestimate…

    other folks’ knowledge or motivation.

  • Don’t underestimate…

    the value that you can add.

The Moral of the story





These scans will produce unusual network traffic!

Before running a scan!!

GET INFORMED PERMISSION!!!



  • PII = Personally identifiable information

  • Numerous applications, called “PII finders”

    • They scan drives

    • They locate recognizable patterns

    • They produce reports

  • You don’t always know what is on your machine

Finding sensitive information?



Question: How might sensitive data find its way onto a piece of hardware?

How?



  • Identity Finder

    • Being considered by UW DoIT Security group

    • More costly, but more robust

    • Free edition is now available, so it’s worth a try

  • Let’s see how it works.

PII finder
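A minimal PII finder of the kind the two slides above describe, as an added example (it is not Identity Finder, nor any OCIS tool, and reproduces none of their pattern sets): it walks a directory, matches Social Security number and payment-card patterns, validates card candidates with the Luhn check so that random digit runs are not reported, and returns a report in which all but the last four digits are masked, since the finder's own report is itself restricted data. The files it scans are constructed in a temporary directory, including an access-log line in the style of the DoIT Store case study with an old SSN-based campus ID in the query string.

```python
"""Minimal PII finder: an added example, not Identity Finder or any OCIS tool.

Walks a directory, flags Social Security number and payment-card patterns in
text files, and returns a report that masks all but the last four digits:
the finder's own report is sensitive data, so never write full matches out.
"""
import os
import re
import tempfile

# SSN: area 001-899 (not 666), group 01-99, serial 0001-9999, with the same
# optional dash/space separator in both places. The lookarounds stop the
# pattern from firing inside a longer digit run such as a card number.
SSN_RE = re.compile(
    r"(?<![\d-])(?!000|666|9\d\d)\d{3}([- ]?)(?!00)\d{2}\1(?!0000)\d{4}(?![\d-])"
)
# Payment-card candidate: 13-19 digits with optional single separators.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: separates real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits in anything that leaves this process."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pii(text: str):
    """Return [(kind, masked_value), ...] for every SSN/card hit in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("SSN", mask(re.sub(r"\D", "", m.group(0)))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("CARD", mask(digits)))
    return hits


def scan_tree(root: str) -> dict:
    """Map each file ('/'-separated relative path) to its hits; clean files are omitted."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = find_pii(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def report(findings: dict) -> str:
    """One masked line per hit, sorted by path, under a summary header."""
    lines = [f"{len(findings)} file(s) contain restricted data"]
    for path in sorted(findings):
        for kind, masked in findings[path]:
            lines.append(f"{path}: {kind} {masked}")
    return "\n".join(lines)


def build_demo_tree() -> str:
    """Create a temp directory of constructed sample files (no real data)."""
    root = tempfile.mkdtemp(prefix="pii-demo-")
    samples = {
        # HR export with SSNs (078-05-1120 is the classic never-issued example).
        "hr/student_employees.csv": "name,ssn\nA. Badger,123-45-6789\nB. Badger,078-05-1120\n",
        # Web-analytics log line: an old SSN-based campus ID in the query string.
        "web/access.log": '10.0.0.5 - - [04/Jun/2009:10:01:02 -0500] '
                          '"GET /store?campus_id=123456789 HTTP/1.1" 200 512\n',
        # One Luhn-valid test card; the second number fails Luhn and is ignored.
        "finance/refunds.txt": "card 4111 1111 1111 1111 refunded; ref 4111111111111112 is a typo\n",
        # Digits that look nothing like SSNs or cards: must not be flagged.
        "notes/readme.txt": "Room 1234, ext 5-6789, PO 20090604.\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    print(report(scan_tree(build_demo_tree())))
```

Run as-is it scans only the constructed tree; point scan_tree at a real share or server only after getting the informed permission the slides insist on. Expect false positives on nine-digit identifiers that happen to fall in the SSA-issued ranges: a finder narrows the search, a human still confirms each hit, and the masked report is what gets forwarded, never the raw matches.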



  • OCIS provides access to a few scanning tools

  • These tools test the security of network & workstation

  • This will tell you whether you are “at risk”.

Are you at risk?







  • Define “incident”

    • Undetermined whether data has been lost

    • Any number of scenarios…

      • Losing a laptop

      • Firewall down

      • Critical patches are out-of-date

      • Hacked, or infected with malware

Incident vs. breach



  • Define “breach”

    • We know data has been acquired by unauthorized person

Incident vs. breach



All breaches are incidents.

Not all incidents are breaches.

Incident vs. breach



Well-handled incidents will reduce…

  • … your exposure,

  • … the university’s exposure.

Well-handled incidents



Do you have an incident handling process?

Discussion question…



Incident Response Flowchart

- Department

- Investigators

- CIO

- Admin Leader Team

- University Comm’ns




The part you need to know



1 – What happened?

  • Incident

    • Any exposure

    • Any risk

    • Not a “breach”, yet



2 – Was data at risk?

  • Was sensitive information at risk?

    • Does the device contain sensitive information?

    • Was that information accessible by non-authorized user?

      • Physically accessible

      • Cyber-accessible

  • (This is a judgment call.)



3 – If “no”… resolve the incident

  • Close the issue

  • No need to report it



4 – If “yes”… report the incident

  • You need to escalate the issue…

  • But, how do you report an incident?



“It depends.”

  • Non-urgent: [email protected]

  • Need a faster response?

    • Open a DoIT Help Desk ticket

    • They can escalate it if necessary

  • After hours?

    • Contact the Network Operations Center (NOC)

    • Phone: 263-4188

How to report an incident?



Preserve as much data as possible.

  • Do not tamper with the information

    • This can hinder further investigation.

  • Remove the device from the network

    • This cuts off any remote access to the machine (pull the network cable or disable wireless; do not shut it down)

  • Do not power off the machine

    • Volatile evidence (memory contents, running processes, open network connections) is lost at power-off

What do I do?



A laptop in your department has been infected with a virus.

You have a single workstation that interfaces with a special piece of scientific equipment. It runs an unsupported OS. You are concerned that it may have been compromised.

You get a call saying your department’s web server is unexpectedly serving pop-up ads.

Scenarios





  • To continue the campus-wide conversation

  • Advertise OCIS training resources

  • Increase networking (social) within IT community on UW campuses

  • Share war stories

    • lessons learned, scars received.

Goals for these courses (reminder)



The trouble with sensitive data…

  • Difficult to get rid of.

  • It replicates…

    • Hardcopy

    • Cached

    • Email forward

    • Backed up

  • Get rid of it! (if possible)

  • Considerations

  • Do you really need the data?

    • Rethink business practices.

  • Frequently re-assess security standards.

    • Things change…

    • Yesterday: SSNs

    • Tomorrow: Mobile phone numbers?

  • Office of Campus Information Security

    • OCIS is your friend



OCIS is your friend

Training and Lockdown

Extensive resources

Security risk assessment

Individual & Departmental

www.cio.wisc.edu/security

IT Security Principles



IT Security principle #1

Principle #1: Security is everyone’s responsibility.

  • It takes a village...

    • Managers

    • IT support

    • Office staff

    • Faculty

    • End users

    • Students

    • Campus police

    • You!



IT Security principle #2

Principle #2: Security is part of the development life cycle.

  • Plan for it!

    • Not an after-thought!

    • Designed into the project plan

      • i.e., allocate the necessary resources

    • Logging & auditing capabilities

    • Layering security defenses



IT Security principle #3

Principle #3: Security is asset management.

  • Lock it up!

  • Classification of data

  • Establishing privileges

  • Separating or redistributing job responsibilities and duties



IT Security principle #4

Principle #4: Security is a common understanding.

  • Think it through!

  • Due diligence

  • Risks & Threats

    • Costs (OCIS assessment)

  • Incident handling



  • Find the data

    • Ask your manager

    • Do we generate, use, receive, store sensitive data?

    • If so, what measures, practices are in place

When I get back to the office… 1



  • Scanning for sensitive data

    • Identity Finder

    • GET PERMISSION FIRST!

    • Suggest that you scour ALL servers

When I get back to the office… 2



70% of data breaches involve data the owners didn’t even know was there.



  • Prepare to respond to an incident

    • Inquire about current response procedure

    • Make sure it is well-known, published

    • Remember our flow chart

When I get back to the office… 3



  • Keep the conversation alive

    • Share info with coworkers

    • Bookmark OCIS website

    • Future IT security courses

    • Put appointment in calendar to check progress

When I get back to the office… 4



  • Organizations

    • www.doit.wisc.edu/about/advisory.asp

    • TechPartners – forum

      • Sign-up

    • CTIG – Campus Technical Issues Group

      • Watch for presentations, attend… and join?

    • MTAG – Madison Technology Advisory Group

      • Know they exist… appointed roles

Resources



  • Refer to your handout…

    • “When I Get Back to My Office, I Will…”

Resources & next steps



General discussion

Defining sensitive data

How do I find sensitive data?

Handling a data security incident

Resources & Next steps

Agenda - recap



Thank you!

Please fill out the course evaluation

and leave it by the door on your way out.

The end…

