Information Security 2014 Roadshow

1. Information Security 2014 Roadshow

2. Threats Facing Us Today • Scams • Phishing • Social Engineering • Malware • What We Can Do • Information Security’s Efforts • Efforts You Can Make • Data Classification • Data Collection • Risks • PCI • Resources Roadshow Outline

3. What to Watch Out For Web Scams: Always check the Address of the site Check to verify HTTPS if appropriate Check links for spoofed destinations Miss directed URLs – Bad download sites Phishing: Do NOT click links or attachments when you do not know the sender Read the message to verify the language and content Check the address of the sender to see if spoofed Check any links to see if spoofed Make sure the signature is from a valid person If victim of phishing, RESET PASSWORD, call Helpdesk Forward suspect phishing messages to phishing@middlebury.edu

4. What to Watch Out For Malware: Ensure you are running anti-virus software at all times Verify download sites before downloading any software. Always pull from the vendor and only install necessary components Watch for Adware Look for browser plugins and software add-ons during installs. Ensure you are downloading the correct software Ensure you are at the correct download site Don’t install software you do not need With Fake-AV, power down the system. Do not try to save or perform a safe Shutdown.

5. What to do if Infected with Malware What is Information Security Doing • Monitoring: • Through network equipment we watch for potential threats and will notify if we suspect a threat. • Support: • User Services will help to restore your system and if possible protect your data. • Education: • Through programs like this and new CBTs we work to inform users of threats and safeguards. • Endpoint protections: • Through tools such as anti-virus we work to protect users computers against malware threats and attacks. What can you do if you suspect you have been infected. • Remove your computer from the network: • If you suspect you have a virus power down your computer and unplug the network connection immediately. • Change all of your passwords: • From a different computer, reset all of your passwords (Network, Banner, etc.). • Contact the Helpdesk: • The helpdesk is your first line of support. They have a protocol for managing malware infected systems. • Inventory your data: • LIS makes no promises of being able to recover locally stored data. Begin an inventory off all data and where you have it stored. This will aid in the recovery process as well as assessing where we need to look for potential corruption.

6. What Can be Done to Prevent an Attack What is Information Security Doing • Education: • CBT: New CBT being developed • RoadShow: Updated InfoSec presentation • Web: http://go.middlebury.edu/infosec • Working with the Helpdesk to improve response time for security issues. • Architecting a More Secure Infrastructure • Working with CSNS to improve edge Security • PCI Enclave • Technology improvements • Auditing tools • Multi-Factor authentication • Secure communication and messaging • Governance enhancements • New Policies: PCI, DCP • Better Auditing through automation • Better Monitoring through automation and more coverage What can you do around Information Security • Always maintain your anti-virus • Stay educated and aware on information security issues • Employ best and safe computing practices • Stay aware of current security policies • Verify all software before instillation • Only download applications or data from known sources.

7. Data Classification – What to Collect and How http://go.middlebury.edu/sensitivedata http://go.miis.edu/sensitivedata

8. What is the Risk Risk • Loss of Data • Exposure of Data • Corruption of Data Consequences • Reputational Damage • Fines and Loss of Revenue • Legal Repercussions

9. PCI-DSS: How Schools Compare

10. PCI-DSS: What Does it Mean to Middlebury and You • Compliance with PCI determines our ability to process credit cards • A data breach could include your data. • A breach could result in penalties and fines as well as reputational damage. • As a data processor or an MDRP you are partially responsible for the protection of the card holder data. • Middlebury has committed to PCI through policy and practice. • Middlebury will not accept payment cards by email or fax and does not store card data in written form. • A part of PCI-DSS includes education which will help you better understand the security concerns

11. Resources on Information Security Policies: • Privacy Policy =Confidentiality of Data http://go.middlebury.edu/privacy • Network Monitoring Policy = Protection of College Technology Resources http://go.middlebury.edu/netmon • Technical Incident Response Policy = Response to Information Security Events http://go.middlebury.edu/tirp • Data Classification Policy = Defines Data Types http://go.Middlebury.edu/dcp • Red Flags Policy = Identity Theft Protection Not presently in hand book • PCI Policy = Payment Card Data Handling http://go.middlebury.edu/pcipolicy Web Sites: • Middlebury’s Information Security http://go.middlebury.edu/infosec • Phishing Information http://go.middlebury.edu/phish http://www.phishing.org/ • Protect Yourself On-line http://www.onguardonline.gov/ • Parents Resource for Kids On-line http://getnetwise.org/ • Best Practices for Home and Work http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf

12. Please share your thoughts! Information Security Resources: http://go.middlebury.edu/infosec http://go.miis.edu/infosec Report Information Security Events To: infosec@middlebury.edu Discussion and Links