Presentation Transcript
Security 101: Information Security Basics

Sponsored by UW Division of Information Technology, Office of Campus Information Security, and Professional Technical Education

Instructors: Cliff Cunningham & Braden Bruington

Greetings & Introductions

  • Cliff Cunningham - DoIT
  • Braden Bruington - DoIT
  • Rick Keir - OCIS (Office of Campus Information Security)
Did you know…?
  • Approx 1,200 IT professionals in UW schools
  • 2/3 of them are not affiliated with DoIT
Policies & Guidelines

  • Campus IT Policies
    • Appropriate Use Policies
    • Electronic Devices
  • Payment Card Industry Data Security Standard
    • a.k.a. PCI DSS
    • List of specific suggestions
    • Used by OCIS
Goals for these courses

To continue the campus-wide conversation:

  • Advertise OCIS training resources
  • Increase networking (social) within the IT community on UW campuses
  • Share war stories
    • Lessons learned, scars received
Agenda

General discussion

  • Defining sensitive data

---------- BREAK ----------

  • How do I find sensitive data?
  • Handling a data security incident

---------- BREAK ----------

  • Closing remarks & next steps
Who are you?

  • Titles?
  • Roles?
  • Operating systems?
  • What kinds of data?
    • Financial information
    • Health information
    • Grades
    • Credit cards
    • Other sensitive types of information
Data breach, June 4

June 4, 2009: Maine Office of Information Technology (Augusta, ME)

Through a printing error, 597 people receiving unemployment benefits last week got direct-deposit information, including Social Security numbers, belonging to another person.

"We received a print job and were running it, and there was an equipment malfunction." Recipients received one page with their own information and another page with information belonging to a different person.

Number affected: 597
Data breach, June 5

June 5, 2009: Virginia Commonwealth University (Richmond, VA)

A desktop computer was stolen from a secured area.

The computer may have contained student names, Social Security numbers and test scores dating from October 2005 to the present. VCU discontinued use of Social Security numbers as ID numbers in January 2007.

An additional 22,500 students are being notified that their names and test scores may also have been on the computer. No Social Security numbers were recorded with those names, but computer-generated student ID numbers may have been.

Number affected: 17,214
Data breach, June 6

Ohio State University Dining Services (Columbus, OH)

Student employees' SSNs accidentally leaked in an e-mail.

An OSU employee received an e-mail with an attachment that included students' names and Social Security numbers. He unwittingly forwarded it, attachment included, to his student employees.

After realizing the mistake, the hiring coordinator called the Office of Information Technology, which stopped the e-mails before all of them were sent.

Number affected: 350
Discuss

What keeps you awake at night?

(Please restrict your answers to IT security-related topics.)
Analysis of data loss incidents

http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm
Effects of data loss

  • On the individual
    • Personal credit info can be destroyed
    • Embarrassment
    • Patents & intellectual property rights
  • On the university
    • Reputation
    • Grants
    • Patents & intellectual property rights
Fallout from data loss at OU

“If there is any financial damage… I will hold OU at fault and seek legal counsel to recover any and all loss, with punitive damages.”

“I will never donate another penny to you.”

“It was my intention to leave a sizable endowment to OU, but not any longer.”

Quotes taken from the article “OU has been getting an earful about huge data theft” by Jim Phillips, Athens NEWS Sr. Writer, 2006-06-12

That is why…

  • IT professionals are scattered on campus.
  • Data security presents a huge financial, ethical and reputational exposure.
  • We need to unify our efforts.

E pluribus unum: out of many, one.
Classes of information

Personal information

Health & medical information

Financial information

Academic information

Personal information

  • Social Security numbers
  • Driver's license number
  • Name & address
  • Biometric data
    • Fingerprints
    • DNA maps
    • Voice patterns
Health & medical information

  • Physical diagnoses
  • Mental health
    • Psychological diagnoses
    • Treatment
  • Prescriptions
Financial information

  • Account numbers
  • Account pass codes
  • Credit card numbers

(NOTE: All financial information tends to be sensitive.)

Academic information
  • Students
    • Grades
    • Transcripts
    • Communications w/faculty
  • Faculty/Staff
    • Intellectual property
    • Research data
Wisconsin state law

Wisconsin's Data Breach Notification Law

  • Statute 895.507 (2006)
  • Formerly, Act 138
  • Any unauthorized access to personal info…
    • … must notify individual(s) within 45 days
  • Data includes
    • SSN
    • Driver's license or state ID
    • Account number, code, password, PIN
    • DNA or biometric info
Restricted vs. sensitive

Restricted: explicitly protected under Wisconsin state law. Must notify if lost.

Sensitive: still needs to be guarded with great care, but notification is not required.

All restricted data is sensitive.

Not all sensitive data is restricted.
Federal law

  • FERPA – academic
    • Family Educational Rights and Privacy Act
  • HIPAA – health & medical
    • Health Insurance Portability and Accountability Act
FERPA: Two types of info

Public information

  • Considered public *
  • Examples include
    • Name, address, phone
    • Email address
    • Dates of attendance
    • Degrees awarded
    • Enrollment status
    • Major field of study

(partial list)

* Students can request that this information be suppressed

Private information

  • Tightly restricted
  • Examples include
    • SSN
    • Student ID number
    • Race, ethnicity, nationality
    • Gender
    • Transcripts & grades

(partial list)

Information provided by the Office of the Registrar: UW-Madison Student Privacy Rights and Responsibilities

FERPA and its tentacles

Lesser-known items within FERPA's reach:

  • Educational records
  • Personal notes between faculty and students
  • Communications with parents/guardians
  • How to post grades
  • Letters of recommendation
www.registrar.wisc.edu

For more info, Office of the Registrar:

  • Brochures
  • FAQs
  • On-line tutorials
  • On-site training
  • One-on-one consultation
The facts

  • On an unnamed Big 10 university campus
  • DoIT Store website collecting data from hits
  • This data was being analyzed by the web hosting service
  • Web hosting service posted its findings

Any warning signs?

The rest of the story…

  • The data being captured included…
    • Campus IDs and NetIDs
    • Old campus IDs used to contain SSNs
  • Web hosting service didn't know about SSNs
  • Captured data posted on a semi-public site
The analysis

  • All were capable, professional entities
  • They didn't know
  • They didn't anticipate
  • Therefore…
The moral of the story

  • Don't overestimate… other folks' knowledge or motivation.
  • Don't underestimate… the value that you can add.
Finding sensitive information?

PII = Personally identifiable information

  • Numerous applications, called "PII finders"
    • They scan drives
    • They locate recognizable patterns
    • They produce reports
  • You don't always know what is on your machine
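As an added example (not code from the presentation, and not Identity Finder or any other product), here is a minimal PII finder in Python that does the three things the slide lists: it scans a drive (walks a directory tree), locates recognizable patterns (SSN and payment-card formats, with a Luhn check so random digit runs are not reported), and produces a report. The sample text is constructed, the root path is illustrative, and matched values are masked so the report does not itself become another copy of the sensitive data.

```python
import os
import re

# SSN: 3-2-4 digits with dashes. Area 000/666/900-999, group 00 and serial 0000 are
# never issued, so excluding them removes the most obvious false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card number: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: real card numbers pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four characters so the report is not itself sensitive data."""
    return "*" * (len(value) - 4) + value[-4:]

def find_pii(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked value) for each recognizable pattern in one chunk of text."""
    hits = [("SSN", mask(m.group())) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("CARD", mask(digits)))
    return hits

def scan_tree(root: str, max_bytes: int = 10_000_000) -> dict[str, list[tuple[str, str]]]:
    """Walk a directory tree and report, per file, which PII patterns it contains."""
    report: dict[str, list[tuple[str, str]]] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)  # cap the read so huge files cannot stall the scan
            except OSError:
                continue                       # unreadable file: skip it, do not abort the scan
            hits = find_pii(data.decode("utf-8", errors="ignore"))
            if hits:
                report[path] = hits
    return report

# Constructed sample: one SSN, one Luhn-valid test card number, one random digit run.
SAMPLE_TEXT = ("Payroll note: SSN 219-09-9999, card on file 4111 1111 1111 1111; "
               "shipment tracking 1234 5678 9012 3456.")

if __name__ == "__main__":
    print(find_pii(SAMPLE_TEXT))             # scan_tree("/path/to/share") reports per file
```

A real scan should also handle the document formats the slide's "it replicates" warning implies (email stores, office files, backups), which a plain-text read does not open.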
PII finder

  • Identity Finder
    • Being considered by UW DoIT Security group
    • More costly, but more robust
    • Free edition is now available, so it's worth a try
  • Let's see how it works.
Are you at risk?

OCIS provides access to a few scanning tools.

  • These tools test the security of the network & workstation
  • This will tell you whether you are "at risk".
Incident vs. breach

Define "incident"

  • Undetermined whether data has been lost
  • Any number of scenarios…
    • Losing a laptop
    • Firewall down
    • Critical patches are out-of-date
    • Hacked, or infected with malware

Define "breach"

  • We know data has been acquired by an unauthorized person

All breaches are incidents.

Not all incidents are breaches.
Well-handled incidents

Well-handled incidents will reduce…

  • … your exposure,
  • … the university's exposure.
Incident Response Flowchart

- Department
- Investigators
- CIO
- Admin Leader Team
- University Comm'ns
1 – What happened?

  • Incident
    • Any exposure
    • Any risk
    • Not a "breach", yet

2 – Was data at risk?

  • Was sensitive information at risk?
    • Does the device contain sensitive information?
    • Was that information accessible by a non-authorized user?
      • Physically accessible
      • Cyber-accessible
  • (judgment?)

3 – If "no"… resolve the incident

  • Close the issue
  • No need to report it

4 – If "yes"… report the incident

  • You need to escalate the issue…
  • But, how do you report an incident?
How to report an incident?

"It depends."

  • Non-urgent: [email protected]
  • Need a faster response?
    • Open a DoIT Help Desk ticket
    • They can escalate it if necessary
  • After hours?
    • Contact the Network Operations Center (NOC)
    • Phone: 263-4188
What do I do?

Preserve as much data as possible.

  • Do not tamper with the information
    • This can hinder further investigation.
  • Remove the device from the network
    • This cuts off any remote access to the machine
  • Do not power off the machine
    • Some forensic information may be stored in cache
Scenarios

  • A laptop in your department has been infected with a virus.
  • You have a single workstation that interfaces with a special piece of scientific equipment. It runs an unsupported OS. You are concerned that it may have been compromised.
  • You get a call saying your department's web server is unexpectedly serving pop-up ads.
Goals for these courses (reminder)

To continue the campus-wide conversation:

  • Advertise OCIS training resources
  • Increase networking (social) within the IT community on UW campuses
  • Share war stories
    • Lessons learned, scars received
The trouble with sensitive data…

  • Difficult to get rid of.
  • It replicates…
    • Hardcopy
    • Cached
    • Email forward
    • Backed up
  • Get rid of it! (if possible)
  • Considerations
    • Do you really need the data?
      • Rethink business practices.
    • Frequently re-assess security standards.
      • Things change…
      • Yesterday: SSNs
      • Tomorrow: mobile phone numbers?
  • Office of Campus Information Security
    • OCIS is your friend
OCIS is your friend

  • Training and lockdown
  • Extensive resources
  • Security risk assessment
    • Individual & departmental

www.cio.wisc.edu/security

IT Security Principles

IT Security principle #1

Principle #1: Security is everyone’s responsibility.

  • It takes a village...
    • Managers
    • IT support
    • Office staff
    • Faculty
    • End users
    • Students
    • Campus police
    • You!
IT Security principle #2

Principle #2: Security is part of the development life cycle.

  • Plan for it!
    • Not an after-thought!
    • Designed into the project plan
      • i.e., allocate the necessary resources
    • Logging & auditing capabilities
    • Layering security defenses
IT Security principle #3

Principle #3: Security is asset management.

  • Lock it up!
  • Classification of data
  • Establishing privileges
  • Separating or redistributing job responsibilities and duties
IT Security principle #4

Principle #4: Security is a common understanding.

  • Think it through!
  • Due diligence
  • Risks & Threats
    • Costs (OCIS assessment)
  • Incident handling
When I get back to the office… 1

Find the data

  • Ask your manager
  • Do we generate, use, receive, or store sensitive data?
  • If so, what measures and practices are in place?

When I get back to the office… 2

Scanning for sensitive data

  • Identity Finder
  • GET PERMISSION FIRST!
  • Suggest that you scour ALL servers

When I get back to the office… 3

Prepare to respond to an incident

  • Inquire about the current response procedure
  • Make sure it is well-known and published
  • Remember our flow chart

When I get back to the office… 4

Keep the conversation alive

  • Share info with coworkers
  • Bookmark the OCIS website
  • Future IT security courses
  • Put an appointment in your calendar to check progress
Resources

Organizations

  • www.doit.wisc.edu/about/advisory.asp
  • TechPartners – forum
    • Sign up
  • CTIG – Campus Technical Issues Group
    • Watch for presentations, attend… and join?
  • MTAG – Madison Technology Advisory Group
    • Know they exist… appointed roles

Resources & next steps

Refer to your handout…

  • "When I Get Back to My Office, I Will…"
Agenda - recap

  • General discussion
  • Defining sensitive data
  • How do I find sensitive data?
  • Handling a data security incident
  • Resources & next steps
The end…

Thank you!

Please fill out the course evaluation and leave it by the door on your way out.