Security 101
Sponsored by UW Division of Informational Technology, Office of Campus Information Security and Professional Technical Education. Instructors: Cliff Cunningham & Braden Bruington. Security 101: Information Security Basics. Cliff Cunningham - DoIT

Sponsored by UW Division of Informational Technology

Office of Campus Information Security

and Professional Technical Education

--------------------------------

Instructors: Cliff Cunningham & Braden Bruington

Security 101:

Information Security Basics


Greetings & Introductions


Did you know…?

  • Approx 1,200 IT professionals in UW schools

  • 2/3 of them are not affiliated with DoIT


Policies & guidelines

  • Campus IT Policies
    • Appropriate Use Policies
    • Electronic Devices
  • Payment Card Industry Data Security Standard
    • a.k.a. PCI DSS
    • List of specific suggestions
    • Used by OCIS





Security training – Sum/Fall ’09

  • Other…?


Goals for these courses


Agenda

  • General discussion
  • Defining sensitive data
    ---------- BREAK ----------
  • How do I find sensitive data?
  • Handling a data security incident
    ---------- BREAK ----------
  • Closing remarks & next steps


Who are you?

  • Titles?
  • Roles?
  • Operating systems?
  • What kinds of data?
    • Financial information
    • Health information
    • Grades
    • Credit cards
    • Other sensitive types of information


Hand-outs

Packet of handouts

Sign-up sheet


Data breach, June 4

June 4, 2009 Maine Office of Information Technology (Augusta, ME)

Through a printing error, 597 people receiving unemployment benefits last week got direct-deposit information including Social Security numbers belonging to another person.

"We received a print job and were running it, and there was an equipment malfunction." Recipients received one page with their own information and another page with information belonging to a different person.

Number affected: 597


Data breach, June 5

June 5, 2009 Virginia Commonwealth University (Richmond, VA)

A desktop computer was stolen from a secured area.

The computer may have contained student names, Social Security numbers and test scores dating from October 2005 to the present. VCU discontinued use of Social Security numbers as ID numbers in January 2007.

An additional 22,500 students are being notified that their names and test scores may have also been on the computer. No Social Security numbers were recorded with those names, but computer-generated student ID numbers may have been.

Number affected: 17,214


Data breach, June 6

Ohio State University Dining Services (Columbus, OH)

Student employees’ SSNs accidentally leaked in an e-mail.

An OSU employee received an e-mail with an attachment that included students' names and Social Security numbers. He unwittingly forwarded it, with the attachment, to his student employees.

After realizing the mistake, the hiring coordinator called the Office of Information Technology, which stopped the e-mails before all of them were sent.

Number affected: 350


Discuss

What keeps you awake at night?

(Please restrict your answers to IT security-related topics.)


Analysis of data loss incidents

http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm




Effects of data loss

  • On the individual data?
    • Personal credit info can be destroyed
    • Embarrassment
    • Patents & intellectual property rights
  • On the university
    • Reputation
    • Grants
    • Patents & intellectual property rights


Fallout from data loss at OU

“If there is any financial damage… I will hold OU at fault and seek legal counsel to recover any and all loss, with punitive damages.”

“I will never donate another penny to you.”

“It was my intention to leave a sizable endowment to OU, but not any longer”

Quotes taken from article “OU has been getting an earful about huge data theft” by Jim Phillips, Athens NEWS Sr Writer, 2006-06-12


That is why…

  • IT professionals are scattered on campus.
  • Data security presents a huge financial, ethical and reputational exposure.
  • We need to unify our efforts.
    E pluribus unum:
    • Out of many, one.


Classes of information

Personal information

Health & medical information

Financial information

Academic information


Personal information

  • Social Security Numbers
  • Driver's License Number
  • Name & Address
  • Biometric data
    • Fingerprints
    • DNA Maps
    • Voice patterns


Health & medical information

  • Physical diagnoses

  • Mental health

    • Psychological diagnoses

    • Treatment

  • Prescriptions


Financial information

  • Account numbers
  • Account pass codes
  • Credit card numbers
    (NOTE: All financial information tends to be sensitive.)


Academic information

  • Students

    • Grades

    • Transcripts

    • Communications w/faculty

  • Faculty/Staff

    • Intellectual property

    • Research data


Wisconsin state law

  • Wisconsin’s Data Breach Notification Law
    • Statute 895.507 (2006)
    • Formerly, Act 138
    • Any unauthorized access to personal info…
      • … must notify individual(s) within 45 days
    • Data includes
      • SSN
      • Driver’s license or state ID
      • Account number, code, password, PIN
      • DNA or biometric info


Restricted vs. sensitive

Restricted: explicitly protected under Wisconsin State Law. Must notify if lost.

Sensitive: still needs to be guarded with great care, but notification not required.

All restricted data is sensitive.

Not all sensitive data is restricted.


Federal law

  • FERPA – academic
    • Family Educational Rights and Privacy Act
  • HIPAA – health & medical
    • Health Insurance Portability and Accountability Act


Cliff’s personal anecdote

From just this past June (2009).


FERPA: two types of info

Public Information

  • Considered public *
  • Examples include
    • Name, address, phone
    • Email address
    • Dates of attendance
    • Degrees awarded
    • Enrollment status
    • Major field of study
      * Students can request this information be suppressed

(partial list)

Private Information

  • Tightly restricted
  • Examples include
    • SSN
    • Student ID number
    • Race, ethnicity, nationality
    • Gender
    • Transcripts & grades

(partial list)

Information provided by Office of Registrar

UW-Madison Student Privacy Rights and Responsibilities


FERPA and its tentacles

  • Lesser-known items within FERPA’s reach
    • Educational records
    • Personal notes between faculty and students
    • Communications with parents/guardians
    • How to post grades
    • Letters of recommendation


www.registrar.wisc.edu


Now for something entirely different

A data security case study…


The facts

On an unnamed Big 10 university campus

DoIT Store website collecting data from hits

This data was being analyzed by the web hosting service

Web hosting service posted its findings

Any warning signs?


The rest of the story…

  • The data being captured included…
    • Campus IDs and NetIDs
    • Old Campus IDs used to contain SSNs
  • Web hosting service didn’t know about SSNs
  • Captured data posted on semi-public site


The Analysis

All were capable, professional entities

They didn’t know

They didn’t anticipate

Therefore…


The Moral of the story

  • Don’t overestimate… other folks’ knowledge or motivation.
  • Don’t underestimate… the value that you can add.


Before running a scan!!

These scans will produce unusual net-traffic!

GET INFORMED PERMISSION!!!


Finding sensitive information?

  • PII = Personally identifiable information
  • Numerous applications, called “PII finders”
    • They scan drives
    • They locate recognizable patterns
    • They produce reports
  • You don’t always know what is on your machine



PII finder

  • Identity Finder
    • Being considered by UW DoIT Security group
    • More costly, but more robust
    • Free edition is now available, so it’s worth a try
  • Let’s see how it works.


Are you at risk?


Incident vs. breach

  • Define “incident”
    • Undetermined whether data has been lost
    • Any number of scenarios…
      • Losing a laptop
      • Firewall down
      • Critical patches are out-of-date
      • Hacked, or infected with malware


Incident vs. breach

All breaches are incidents.

Not all incidents are breaches.


Well-handled incidents

Well-handled incidents will reduce…

  • … your exposure,
  • … the university’s exposure.


Discussion question…

Do you have an incident handling process?


Incident Response Flowchart

- Department
- Investigators
- CIO
- Admin Leader Team
- University Comm’ns

1 – What happened?

  • Incident

    • Any exposure

    • Any risk

    • Not a “breach”, yet


2 – Was data at risk?

  • Was sensitive information at risk?

    • Does the device contain sensitive information?

    • Was that information accessible by non-authorized user?

      • Physically accessible

      • Cyber-accessible

  • (judgment?)


3 – If “no”… resolve the incident

  • Close the issue

  • No need to report it


4 – If “yes”… report the incident

  • You need to escalate the issue…

  • But, how do you report an incident?


How to report an incident?

“It depends.”

  • Non-urgent: [email protected]
  • Need a faster response?
    • Open a DoIT Help Desk ticket
    • They can escalate it if necessary
  • After hours?
    • Contact Network Operations Center (NOC)
    • Phone: 263-4188


What do I do?

Preserve as much data as possible.

  • Do not tamper with the information
    • This can hinder further investigation.
  • Remove device from the network
    • This cuts off any remote access to the machine
  • Do not power-off the machine
    • Some forensic information may be stored in cache


Scenarios

A laptop in your department has been infected with a virus.

You have a single workstation that interfaces with a special piece of scientific equipment. It runs an unsupported OS. You are concerned that it may have been compromised.

You get a call saying your department’s web server is unexpectedly serving pop-up ads.


Goals for these courses (reminder)

  • To continue the campus-wide conversation
  • Advertise OCIS training resources
  • Increase networking (social) within IT community on UW campuses
  • Share war stories
    • lessons learned, scars received.


The trouble with sensitive data…

  • Difficult to get rid of.

  • It replicates…

    • Hardcopy

    • Cached

    • Email forward

    • Backed up

  • Get rid of it! (if possible)

  • Considerations

  • Do you really need the data?

    • Rethink business practices.

  • Frequently re-assess security standards.

    • Things change…

    • Yesterday: SSNs

    • Tomorrow: Mobile phone numbers?

  • Office of Campus Information Security

    • OCIS is your friend


OCIS is your friend

Training and Lockdown

Extensive resources

Security risk assessment

Individual & Departmental

www.cio.wisc.edu/security

IT Security Principles


IT Security principle #1

Principle #1: Security is everyone’s responsibility.

  • It takes a village...

    • Managers

    • IT support

    • Office staff

    • Faculty

    • End users

    • Students

    • Campus police

    • You!


IT Security principle #2

Principle #2: Security is part of the development life cycle.

  • Plan for it!

    • Not an after-thought!

    • Designed into the project plan

      • i.e. Allocate the necessary resources

    • Logging & auditing capabilities

    • Layering security defenses


IT Security principle #3

Principle #3: Security is asset management.

  • Lock it up!

  • Classification of data

  • Establishing privileges

  • Separating or redistributing job responsibilities and duties


IT Security principle #4

Principle #4: Security is a common understanding.

  • Think it through!

  • Due diligence

  • Risks & Threats

    • Costs (OCIS assessment)

  • Incident handling


When I get back to the office… 1

  • Find the data
    • Ask your manager
    • Do we generate, use, receive, store sensitive data?
    • If so, what measures and practices are in place?


When I get back to the office… 2



When I get back to the office… 3


When I get back to the office… 4

  • Keep the conversation alive
    • Share info with coworkers
    • Bookmark OCIS website
    • Future IT security courses
    • Put appointment in calendar to check progress


Resources

  • Organizations
    • www.doit.wisc.edu/about/advisory.asp
    • TechPartners – forum
      • Sign-up
    • CTIG – Campus Technical Issues Group
      • Watch for presentations, attend… and join?
    • MTAG – Madison Technology Advisory Group
      • Know they exist… appointed roles


Resources & next steps


Agenda - recap

General discussion

Defining sensitive data

How do I find sensitive data?

Handling a data security incident

Resources & Next steps


The end…

Thank you!

Please fill out the course evaluation and leave it by the door on your way out.

