Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
Management and Storage of Sensitive Information
UH Information Security Team (InfoSec)
Who Are We?
• UH Information Security Team
– Jodi Ito - Information Security Officer
– Deanna Pasternak & Taylor Summers Information Security Specialists
2
What Do We Do?
• Support the system-wide information security program– Provide oversight of IT security issues and concerns– Ensure compliance with policies– Perform security audits and risk assessments– Initiate and monitor the protection of sensitive
information– Review and revise Security Policies– Implement mandatory Information Security Training– Support the automatic monitoring of network and
technology resources
3
National Cyber Security Awareness Month (NCSAM) History
• Started in 2004
• Sponsored by the National Cyber Security Division (NCSD) within the Department of Homeland Security and the National Cyber Security Alliance (NCSA)
4
Cyber Security Awareness Month
• The National Cyber Security Alliance (NCSA) Initiated Cyber Security Month To:– Raise awareness about cyber security
and online safety precautions– Protect our national digital
infrastructure– Help prevent fraud and identity theft
5
Examples of Cyber Attacks
• Flame – Kaspersky dubbed it the most powerful computer virus in history. Primary target was Iran. Has the ability to steal audio, screen capture, transmit visual data, data behind input boxes (passwords), scan local Bluetooth devices.
• Stuxnet – A computer worm that destroyed centrifuges at the heart of Iran’s nuclear program.
• Slammer/Sapphire – Worm infected 200,000+ Microsoft SQL servers world wide with a denial of service attack. Infecting 75,000 in the first 10 minutes. Disrupting Internet services and some business processes. January 24, 2003
6
Yet Another Variant
7http://mashable.com/2012/08/09/gauss-virus/
STOP | THINK | CONNECT
8
Be Cyber Smart
• In conjunction with the STOP.THINK.CONNECT campaign
• InfoSec brings you
R U Cyber S.M.A.R.T.
9
UH Awareness Campaign for Cyber Security Month
• What’s in it for the UH community?– Prevent future breaches– Safeguard sensitive information– Educate the UH community on safe
personal computing practices
Be Cyber S.M.A.R.T
10
R U - S.M.A.R.T.
• Identified five topics for the five weeks in October– Secure Information Destruction– Management and Storage of Sensitive
Information – Avoid Identity Theft– Responsible Computing Practices– Think Before You Click
11
What Will We Cover?• Laws related to sensitive information
• Storage of sensitive information– Where to keep it– Where not to keep it
• Management of sensitive information– How to safely transfer to others– Encryption– Sensitive information best practices– Posting sensitive information online
12
Secure Information Destruction Review
• Keep paper locked up until you shred it
• Shred sensitive information on paper, DVD’s
• Physically destroy media• Securely delete both internal and
external hard drivesSlides available at http://www.hawaii.edu/infosec/ncsam.html. Rebroadcastavailable soon
13
Document Retention
• University of Hawai‘i – A8.450 Records Management Policy
• www.hawaii.edu/svpa/apm/recmgmt/a8450.pdf
One Objective: To eliminate the maintenance of unnecessary copies of records
• Personal records retention• www.shredit.com
14
UH is sponsoring another eWaste Disposal Days in October
Check the website for days and times
15
What is Sensitive Information?
• Information is considered sensitive if it can be used to cause an adverse effect on the organization or individual if disclosed to unauthorized individuals
• Some examples are:– Social Security Numbers, Student records, Health information, Drivers
license numbers, credit card numbers, dates of birth, job applicant records, etc.
• State, Federal and Regulatory requirements provide standards for protecting sensitive information
• UH Policy E2.214 has a detailed description of Sensitive information http://www.hawaii.edu/apis/ep/e2/e2214.pdf
16
Know What to Protect
• A partial list of data considered sensitive as outlined in UH Policy E2.214
• Student records (FERPA)• Health information (HIPAA)• Personal financial information • Social Security Numbers• Dates of birth• Access codes, passwords and PINs • Answers to "security questions" • Confidential salary information
17
Many Laws - Similar Requirements
FERPA, HIPAA, PCI-DSS, HRS-487, ITAR
Protect the Confidentiality, Integrity, and Availability of Sensitive Information
•Safeguards include– Access controls to limit access to persons with a need
to know– Encrypt data at rest & in transit– Auditing/Logging access & modifications– Develop Policies and Procedures – Conduct Training
•ITAR restrictions on the export of research data 18
19
Where is Data Stored?
20
Protect Sensitive Information
• The best way is to:– Be aware– Know what to protect– Know how to protect it– Know how it is being used
21
Be Aware
• Know where your information is stored
• Know what others are using your information for – privacy rights
• Know the laws protecting information
22
Your Privacy Rights
• There are several Federal and State laws that require businesses to provide their clients with an annual notice on what personal information is collected and how it is used
• Notices are also posted on websites and require you to acknowledge you agree before you are given access to their product
23
Read the Privacy Statement
24
The Allegations Against Google Are:
• Those litigants claim Google violated its previous policies that promised information provided by a user for one service would not be used by another service without the consumer's consent.
• The company is accused not only of combining the information but also of not providing an easy and efficient way for consumers to opt out.
• It allegedly violated the American Federal Wiretap Act (for willfully intercepting communications and aggregating personal information for financial benefit), breached the Stored Electronic Communications Act (for the way it accessed consumer communications stored on its systems), violated the Computer Fraud Abuse Act, and transgressed other statutes and state laws.
• http://www.vancouversun.com/technology/Google+legal+troubles+underscore+vulnerability+privacy+rights/7348685/story.html#ixzz28epyJdFT
25
Read Before You Click
Before you click Accept Terms of Agreement•Read what you are agreeing to•They may be sharing your information
26http://news.cnet.com/8301-1023_3-57524073-93/facebook-wants-like-button-to-be-exempt-from-child-privacy-laws/
How to Protect Information
• Know where it is stored• Safeguard it with physical security• Encrypt it• Use programs to store passwords
securely• Use password protection• Redact it• Delete it – securely wipe it
27
Scan Your Computer• Identity Finder – Windows and Macs
– Download at www.hawaii.edu/software– How to use: www.hawaii.edu/askus/1297
• Find SSN – Linux, Solaris and Legacy OS– www.hawaii.edu/askus/1323
• Scan for vulnerabilities– Scan a single machine:
http://openvas.hawaii.edu/cgi-bin/myopenvas– Batch scan:
http://openvas.hawaii.edu/batchopenvas/index.php
28
Register Any Servers Containing Sensitive Information
• All public file, web, and ftp servers must be registered & scanned for sensitive, personal information and vulnerabilities.– http://www.hawaii.edu/its/server/registration/
• The UH Personal Information System survey is designed to identify ALL personal information systems in the University of Hawaii as required by Hawaii State Law.– http://www.hawaii.edu/its/information/survey/
29
What Does An Encrypted File Look Like?
30
Encryption
• Encrypting a Windows file, folder, and entire disk– http://www.hawaii.edu/askus/1285
• Encrypted disk images and full disk encryption for a Mac– http://www.hawaii.edu/askus/676
31
DO NOT LOSE YOUR ENCRYPTION KEY
• When using encryption be careful to safeguard your encryption key. If lost ITS may not even be able to help you recover your data.
32
Ways To Securely Transfer Sensitive Information
33
Secure File Transfer
• www.hawaii.edu/filedrop– Secure file transfer up to 800MB– Can share with people not part of UH
community– Secure URL is available for five days
• Security ends at transmission, you will still need to secure information on your computer.
34
Secure Shell (SSH)
• What is SSH?– Secure channel that encrypts
information such as passwords over the internet
• Do not use telnet– Passwords are sent in the clear making
them vulnerable to cyber crime
35
Secure Socket Layer (SSL)
• What is SSL?– A protocol that establishes an
encrypted link between a web server and a browser ensuring all data passed between the web server and browsers remain private
• In other words:– “keeps your data safe”
36
How do I Know the Link is Secure?
Why is it important?•The S or the padlock means:
– That you have a secure (encrypted) link with this web site – That this web site is a valid and legitimate organization or an
accountable legal entity
Look for the httpS:// (the S means it is encrypted)
And/Or a padlock
37
Do Not Use The Following To Transfer Sensitive Information
• Unencrypted Email• Third party cloud applications such as
Dropbox• Google Drive• Unsecured USB drives or other
external devices
38
Where Should Sensitive Info Be Stored?
• Encrypted folders, partitions, or drives
• Secured servers• Encrypted external drives• Secure applications• Locked file cabinets
39
Where Not To Store Sensitive Information
• Your email• Unsecured paper files• Your hard drive unencrypted• Social networking sites
40
Know How it is Being Used
• Who has your information and how are they using it?– The Bank– Credit Card Companies– The University– Social Media– Health Care– Malicious Information Gathering
41
PenaltyMinimum 10 years in jail, $250,000 fine or BOTH
42
35,000 e-mail addresses, thousands of user names, and
other information compromised.
http://www.vancouversun.com/technology/Googles+legal+troubles+underscore+vulnerability+privacy+rights/7348685/story.html43
So What?
• Following policies and laws to protect sensitive information will not only protect the consumer, but it protects you from possible disciplinary action as stated in the University of Hawai‘i General Confidentiality Notice UH Form 92
44
Securing Your Password
• Password keepers– http://keepass.info/
• Do not store on your monitor or under keyboard• Use something easy to remember but hard to
guess• Follow password generation guidelines
– CAPITALS– lowercase– Numb3r5– $ymbols
45
46
The Cloud
• The Cloud is not secure• Do not store information in the
cloud unless it is encrypted
47
Keep Sensitive Information Secure From Social Engineers
• Verify callers
• Do not respond to email scams, phishing, or suspicious phone calls requesting confidential UH information or your own personal information.– Remember ITS will NEVER ask for your
password over email.
48
Don’t Fall For This
More on Phishing on Week 5 49
50
Back-Up?
• Regularly backing up your data is critical in case of a computer problem
BUT– Store your backup in a safe place– Preferably in a different location than the
host data– And secure it - lock it up, encrypt it– Regularly verify the backup can be restored
51
52
Key Points to Remember
• Handle sensitive information responsibly
• Protect sensitive information in paper form, electronic data at rest and in transit
• Follow policy – if in doubt ask• Bad things can happen if you do not
Think Before You Click
53
How Do I Get iTunes?• To be eligible for the weekly $15 iTunes cards drawing you must:
– Attend or watch a rebroadcast of this presentation– Have a Facebook Account– Like our page at www.facebook.com/uhinfosec– Answer the Security Question of the Week for October correctly (will be
posted after this session ends)– You will then be added to the drawing for an iTunes card
• I will contact you directly if you are the winner for delivery
• To be entered to win the $25 gift card at the end of October, you must sign up for a session at www.hawaii.edu/training
(no Facebook account required)
54
More PrizesRegister or sign in on-line (www.hawaii.edu/training)
to be eligible for a drawing each week for a UH Manoa Bookstore donated prize. Prizes will be mailed to outer island winners.
55
For More Information
• Visit the Cyber Security Month (NSCAM) website
– Link to all presentations (posted soon)– Link to FTC materials– Posters– Cyber security brochure– Think. Stop. Connect. brochures
56
http://www.hawaii.edu/infosec/ncsam.html
57
http://www.hawaii.edu/infosec
58
Email us at: [email protected]
Visit us at: www.hawaii.edu/infosec
Like us on Facebook: www.facebook.com/uhinfosec
Follow us on Twitter:www.twitter.com/ITSecurityUH
59