How Secure is Your Information? - PowerPoint Presentation


Susan McHugh, Executive Director, IT Services, Mount Wachusett Community College
Sherry Horeanopoulos, Information Security Officer, Fitchburg State University
NERCOMP 2011 Annual Conference



Presentation Transcript

Slide1

How Secure is Your Information?

Susan McHugh, Executive Director – IT Services, Mount Wachusett Community College
Sherry Horeanopoulos, Information Security Officer, Fitchburg State University

NERCOMP 2011 Annual Conference

Slide2

Agenda

Security Standards
Institutional Data – Where is it?
Information Mining
Phishing
Targeted SPAM
Keystroke Logging
Social Network Miners
Data Loss Prevention

Slide3

Security Standards

The first step in securing information is to… have a plan**.
Does your institution have an Enterprise or Information Security Program, and what drives it?
PCI-DSS v2?
State laws and regulations?
A data breach at your institution or at others?
Common sense? Whose?
Higher education institutions have unique challenges that other entities do not encounter, e.g. “academic freedom” and ‘free range’ Internet/network access.
**By the way, you should write it down!

Slide4

PCI-DSS

A framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents.
Documentation- and policy-driven.
If you meet the criteria to pass a PCI audit, you have the foundation of a good security plan.

Slide5

State Laws and Regulations

GREAT places to be an ISO: New Mexico, Kentucky, Alabama and South Dakota.
However, if you are from California or Massachusetts, well…
MA – MGL 93H (definition of PII, notification in the event of a breach)
MGL 66A – FIPA (non-disclosure requirements)
EO 504 – the Commonwealth’s commitment to security policies and standards
MA 201 CMR 17 (residents’ personal information privacy protection)

Slide6

State and Federal Regulations

Social Security Administration Information Exchange Agreement (transmission of files to and from the SSA)
HIPAA (health information privacy)
FERPA (educational rights and privacy)
And then… Cable Communications, Census Confidentiality, Children’s Online Privacy, Criminal Justice Information, Driver’s Protection… and so on.

Slide7

What to do?

Develop a matrix defining the specifications for each regulation. Most regulations overlap – take advantage of this when making new policy.
Collaborate with others. Each institution is under the same pressure to come up with policies – leverage others’ experiences.
Remember: the institution is not the same entity as the Department of Revenue, the Registry of Motor Vehicles or the Board of Health. Tailor your ESP/ISP to the parameters of your institution.
Keep in mind – the TITANIC was 100% compliant.

Slide8

Data Inventory

Do you know where your data resides? (Bet ya don’t!)
Some formal ways to find out:
Interguard, Vontu
Netanium, McAfee
Identity Finder
The free trial edition will let you see how this works on your own computer or laptop – to find data on your network will cost you… yes, big bucks!
With the more robust applications, you can crawl the network in search of PII and other sensitive information.

Slide9

Where’s the data?

Informal ways:
You could go looking for .xls or .mdb kinds of files on file servers, departmental drives, home drives, etc. Clever SysAdmins can script this.
You could ask!
If audited, you probably should know where any sensitive information resides. Not every department or every user is utilizing your Oracle or SQL server. We DO give them MS Access and other tools that make small local databases and spreadsheets awfully convenient. (Those darned end-users!)
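A starting point for the scripted file hunt the slide mentions, as an added example (not the presenters’ own script): it walks a directory tree for the file types that typically hold ad hoc departmental data and reports them largest first. The extension list and the sample tree it builds to run offline are assumptions.

```python
import os
import tempfile
from datetime import datetime

# File types that typically hold ad hoc departmental data (assumption: extend locally).
DATA_EXTS = {".xls", ".xlsx", ".mdb", ".accdb", ".csv"}


def inventory(root, exts=DATA_EXTS):
    """Walk `root` and return (relative path, size in bytes, last-modified date)
    for every file whose extension is in `exts`, largest files first."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in exts:
                full = os.path.join(dirpath, name)
                st = os.stat(full)
                found.append((os.path.relpath(full, root), st.st_size,
                              datetime.fromtimestamp(st.st_mtime).date().isoformat()))
    return sorted(found, key=lambda row: row[1], reverse=True)


def make_sample_tree():
    """Constructed sample 'departmental drive' so the block runs offline."""
    root = tempfile.mkdtemp(prefix="inventory_demo_")
    samples = {
        "bursar/students_2010.xls": b"x" * 4096,
        "bursar/notes.txt": b"no structured data here",   # wrong type: ignored
        "hr/Payroll.MDB": b"y" * 8192,                     # upper-case extension still matches
        "home/jdoe/contacts.csv": b"name,email\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for path, size, mtime in inventory(make_sample_tree()):
        print(f"{size:>8}  {mtime}  {path}")
```

Point it at a mounted departmental share to get the same report for real data; the owner and share name are what an auditor will ask for next.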

Slide10

What About Mobile Devices

Smart phones
iPads
Droids
USB drives, small and large
Time Machine-like personal backup devices
Cameras?

Slide11

What to do?

Enforce passcode/protection policies
End-point encryption
Remote wipe
Example – iPhone (look in Settings):
Enable Passcode Protection
Enable SIM PIN Protection
Enable Auto-Lock
Re-map your Home button
Use a password-storing app

Slide12

Slide13

Data Mining

What are some of the ways that personal information gets released to the wild?
Phishing expeditions
Targeted SPAM and email
Keystroke logging
Social networking
Human nature
Theft (remember the mobile devices)

Slide14

Gone Phishin’

From: webmaster [alert@webmail.edu]
Sent: Saturday, July 17, 2010 3:54 PM
Subject: Mail Alert

Attn webmail Subscribers,

Scheduled Service Maintenance

Your web mail account is in the process of being upgraded to a new set of servers. The new servers will provide better anti-spam and anti-virus function, along with IMAP Support for mobile devices like Exchange Active Sync and all Mobile PDA-Phones and phones that Support IMAP/S to enhance your usage.

To confirm and keep your web mail account active and after our upgrade, kindly reconfirm your web mail Login details by stating:

 * Username:

 * Password:

Failure to acknowledge receipt of this notification, might result to a permanent deactivation of your web mail account from our database for up coming users.

Your web mail account shall remain active after you have successfully confirmed your account details.

Technical Support apologize for any inconvenience caused.

Technical Support Team

Slide15

Phishing Hazards

The replier is handing over info to the phisher. Basically, there was a cast and a bite!
Your users are replying to another entity who, by virtue of the reply, now has the user’s email address, username and password. The clever phisher can now use that email account to SPAM, phish some more with an assumed identity, or utilize the login/password info to hack.
Tell end users how to check the message header. It may save you some calls.
If they forward the message to you, the message header is gone.
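One way to do the header check the slide recommends, as an added example that is not part of the original deck: it reads the raw message (which is why a forwarded copy will not do) and flags a From domain that disagrees with Return-Path or Reply-To, plus an originating Received hop with no reverse DNS. The sample message is constructed to resemble the “Mail Alert” phish above; its hostnames and addresses use reserved example ranges and are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real capture): display From claims the campus webmail,
# but Return-Path, Reply-To and the originating Received hop all point elsewhere.
RAW_PHISH = b"""Return-Path: <bounce@relay.example.net>
Received: from mail.example.edu (mail.example.edu [192.0.2.10])
\tby mx.example.edu with ESMTP; Sat, 17 Jul 2010 15:55:01 -0400
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mail.example.edu with SMTP; Sat, 17 Jul 2010 15:54:30 -0400
From: webmaster <alert@webmail.edu>
Reply-To: <upgrade@relay.example.net>
Subject: Mail Alert
Content-Type: text/plain

Attn webmail Subscribers, kindly reconfirm your web mail Login details.
"""

# "from <helo> (<rdns> [<ip>])" as most MTAs write it; rdns is absent or "unknown" when lookup failed
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)?\s*\[(?P<ip>[\d.]+)\]\)")


def domain_of(header_value):
    """Domain of an address header such as 'webmaster <alert@webmail.edu>'."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def received_chain(msg):
    """Received headers oldest-first: each MTA prepends its own, so reverse the list."""
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]


def header_findings(raw):
    """Human-readable red flags found in the raw message headers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = domain_of(msg["From"])
    findings = []
    for name in ("Return-Path", "Reply-To"):
        other = domain_of(msg[name])
        if other and other != sender:
            findings.append(f"{name} domain {other} differs from From domain {sender}")
    chain = received_chain(msg)
    hop = HOP_RE.search(chain[0]) if chain else None
    if hop and hop.group("rdns") in (None, "unknown"):
        findings.append(f"originating hop {hop.group('ip')} has no reverse DNS")
    return findings


if __name__ == "__main__":
    for line in header_findings(RAW_PHISH):
        print("!", line)
```

Ask users to send the suspect message as an attachment (or save it as .eml) so these headers survive the trip to the help desk.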

Slide16

Using the mined info

From: Linda DiPasquale [mailto:lindi50@hotmail.com]
Sent: Wednesday, October 13, 2010 10:57 PM
To: agnes fabric shop; amymarty13@msn.com; arethaniheuaqjqn@hotmail.com; B & N DiPasquale; bernardinegish94@hotmail.com; bisexualcutie6311qu@hotmail.com; caritasirrine6097@hotmail.com; Carol Beauchemin; carylbelhumeurcoofe@hotmail.com; cherishpitzen71y@hotmail.com; Chris at work Perkins; Christine Dufresne; Cindy Hess; Cindy Testa; clarafusysy@hotmail.com; Dave Petrucci; David Petrucci; Dawn at work; Dominic Corriveau; Dominic Corriveau; Donna Johnson; Dorothy Consiglio; Doug Hampson; Elaine Paul

Subject: EMERGENCY

This had to come in a hurry and it has left me in a devastating state, it's an EMERGENCY. I'm in some terrible situation and I'm really going to need you ASAP. Few days ago, unannounced, I went on a trip to Glasgow, Scotland (United Kingdom) and unfortunately for me I got robbed by thieves, they got all my cash, credit cards everything and now I'm stranded. Right now and my return flight leaves in few hours time but I need some money to clear some bills, I didn't bring my cell phone along since I didn't get to roam them before coming over. So all I can do now is pay cash and get out of here quickly. I do not want to make a scene of this which is why I did not call my house, this is embarrassing enough.

I was wondering if you could loan me some cash, I'll refund it to you as soon as I arrive home just need to clear my Hotel bills and get the next plane home, As soon as I get home I'll refund it immediately.

Write me so I can let you know how to send it.

Regards.

Slide17

The Inadvertent Phisher

From: Sherry Horeanopoulos
Sent: Tuesday, September 21, 2010 2:19 PM
To: Staff
Cc: Technology Managers
Subject: RE: Email Reset

Thanks to many people who shared this hoax with me....please see below (another phishing email) and remember that IT will not ask for your username and password by email. - Sherry H

From: Karen Stafford [Karen.Stafford@hnehealth.nsw.gov.au]
Sent: Monday, September 20, 2010 11:27 AM
Subject: Email Reset

You have reached the limit of your mailbox by your web mail service, you are above your limit which is 20GB as set by your administrator, you are currently running on 20.9GB, you may not be able to send or receive emails. To Prevent this! Please click on the link below to upgrade your Quota

http://www.opinionpower.com/Surveys/421059529.html

Notice Do NOT give out your email address, username or password! to any person asking for your email password

Failure to do so will result in a limited access to your mailbox. Warning!

Reverence.

Web service Administrator

NOTICE: The information contained in this e-mail may be confidential and is intended solely for the use of the named addressee. Access, copying or re-use of the e-mail or any information contained herein by any other person is not authorized. If you are not the intended recipient please notify us immediately by returning the e-mail to the originator

Slide18

People are people.

Two problems (at least):
By including the hoax email in the message to ignore it, you may be redistributing the link AND giving the receiver an additional chance to click on it.
People scan. Users will send YOU their username and password. You are, after all, a trusted entity.

Slide19

What to do?

Enforce a complex password policy
Change passwords at LEAST every 90 days
What’s happening with FSU student passwords
One-password-fits-all practices may not be such a great idea
How MWCC handles Portal passwords

Slide20

Targeted SPAM 1

MR ANDRE LUCAS
TELEPHONE: +44-703-1896105
EMAIL: andre_lucas@fsmail.net

Dear Sir/Madam,

It is indeed my great pleasure to write you this letter, which I believe it will meet you in good condition of health but i know it will be a surprise to you as we have never met before, and I am deeply sorry if I have in any manner disturbed your privacy. Please forgive me and this unusual manner of contacting you but i just can help it, so i felt i have to reach you with this letter to support me in order to achieve my dream for the less privilege ones in our society and the world at large.

My name is Mr. Andre Lucas, A business merchant in Durban South Africa, but am presently under-going treatment here in Italy. I have been diagnosed with Oesophageal cancer. It has defied all forms of medical treatment, and right now I have only about a few months to live, according to medical experts. I have not particularly lived my life so well, as I never really cared for anyone (not even myself) but only my business. Though I am very rich, I was never generous, I was always hostile to people and only focused on my business as that was the only thing I cared for. Its now i know that no matter how much money you have it cannot safe life because i have spent millions of dollars on my illness but to no avail.

But now I regret all this as I now know that there is more to life than just wanting to have or make all the money in the world. I believe when God gives me a second chance to come to this world I would live my life a different way from how I have lived it. Now that God has called me, I have willed and given most of my property and assets to my immediate and extended family members as well as a few close friends.

I want God to be merciful to me and accept my soul, so I have decided to give alms to charity organizations for the less privilege in the society, as I want this to be one of the last good deeds I do on earth. So far, I have Distributed money to some charity organizations in the  Somalia and Haiti before my sickness got worsen to this present state. Now that my health has deteriorated so badly, I cannot do this myself anymore.

You volunteer for a local charity and have joined their listserv….

Slide21

Targeted SPAM 2

From: Bosnian Pyramid of the Sun [mailto:info@piramidasunca.org]
Sent: Wednesday, March 16, 2011 4:22 PM
To: Sherry Horeanopoulos
Subject: Zahi Hawass and Bosnian Pyramid project Chronology

On the verge of the fall of dictator among Egyptologists
HOW DID “PHARAOH” DR ZAHI HAWASS TRY TO STOP BOSNIAN PYRAMIDS PROJECT

With fall of Hosny Mubarak’s regime in Egypt, numerous affairs of corrupted state officials came out. During decades of reign some ministers have managed to sling billions of dollars on their accounts. Undoubtedly, among the wealthiest is Dr. Zahi Hawass, who ruled for decades in Supreme Council of Antiquities. Though legally he had to retire three years ago, he succeeded, thanks to friendship with the wife of Hosny Mubarak Suzanne, to preserve his stay at the most powerful position in the domain of archaeology. Finally, last year he succeeded in getting assignment as the State minister for antiquities and lifelong position. At least, that’s what he hoped to be.

With revolution in Egypt it wasn’t possible to hide 1.600 documents that demonstrate that Dr. Zahi Hawass stole precious artifacts, falsified historical findings (making them appear younger than they really are, because they didn’t fit into official history), and fired archeologists, Egyptologists, guides and state officials, who spoke loudly about corruption of his office. (Source: http://www.piramidasunca.ba/en/index.php/Translation-from-Arabic-of-the-YouTube-interview-with-an-Egyptian-Manager-of-Antiquity-Locations-No.html <http://piramidasunca.org/mail/lt.php?c=30&m=24&nl=1&s=d9b15762c1e50eb54deb5155e33a54fc&lid=118&l=-http--www.piramidasunca.ba/en/index.php/Translation-from-Arabic-of-the-YouTube-interview-with-an-Egyptian-Manager-of-Antiquity-Locations-No.html>)

Someone takes a shot in the dark…

Slide22

Those pesky links

Using regular tools, readily available on the Internet, you can get into some GREAT mischief… like redirecting a URL
Tiny URL
Facebook
Twitter
Blogs

Slide23

From any social media site the terms of service are clear – if you post content to the site, you grant the site permission to use the content for any purpose they deem appropriate.
Guilt by association: large financial institutions are checking social networking sites for an applicant’s “friends”, with the idea that deadbeats associate with deadbeats!

Slide24

Facebook

Slide25

So what can we know about Charlie?

Birth date?
Whereabouts?
His friends?
THEIR friends?
Interests – he likes Denver!
Crazy tattoos?

Slide26

85% success rate with targeted messaging!

Slide27

Remember to hover!

http://www.celebtat2.com
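The hover check from Slides 22 and 27 done programmatically, as an added example that is not from the original deck: it pulls every link out of an HTML email body and flags anchors whose visible text names a different host than the href, and links that go through a URL shortener. The sample HTML and the shortener host list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body (not from the slides): links 1 and 4 show one address but go
# elsewhere, link 2 hides its destination behind a shortener, link 3 is honest.
SAMPLE_HTML = """
<p>Please <a href="http://198.51.100.23/login">http://webmail.example.edu/login</a> to keep your account.</p>
<p>See <a href="http://short.example/abc123">photos from the conference</a>.</p>
<p>Visit <a href="http://webmail.example.edu/help">webmail.example.edu/help</a>.</p>
<p>Confirm at <a href="http://bank.example.com.evil.example/verify">bank.example.com</a></p>
"""

# Assumption: maintain this list locally; the last entry is a made-up host for the sample.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "short.example"}


def host_of(url):
    """Hostname of a URL or of a bare 'host/path' string, lower-cased ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """(href, text, reason) for links a user should not trust at face value."""
    parser = LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        target = host_of(href)
        looks_like_url = "." in text and " " not in text
        if looks_like_url and host_of(text) != target:
            out.append((href, text, "display text names a different host"))
        elif target in SHORTENER_HOSTS:
            out.append((href, text, "shortened URL hides the real destination"))
    return out
```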

Slide28

Slide29

Data Loss Prevention

Intrusion Prevention
Network Access Control
End Point Protection
Firewalls – Whitelist vs. Blacklist
DLP Appliances and Applications
Encryption

Slide30

Intrusion Prevention

Tipping Point
McAfee
Palo Alto Firewall
Do you know what’s happening on your network every day?
Are you logging activity on the firewall, on the endpoint services?

Slide31

Slide32

Slide33

DLP

From: Check Point Data Loss Prevention mail delivery system [mailto:dlp@fitchburg1.fitchburgstate.edu]
Sent: Tuesday, March 29, 2011 2:23 PM
To: Joe Sender
Subject: Email Blocked [Testing DLP]

The attached message, sent by you, is addressed to an external email address. Check Point Data Loss Prevention system determined that it may contain confidential information. Email's body appears to contain a U.S. Social Security Number. The message is being blocked and will not be delivered to its destination. For additional details, please refer to the corporate information security policy. [Reference: {78CF54E3-583A-F2B3-C7EA-FC39FA0CF013}]
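The kind of rule behind the Check Point notice above, as an added example (not Check Point’s code or the presenters’): it matches NNN-NN-NNNN candidates, discards values the SSA never issues so that order and case numbers do not trip it, and blocks only when a plausible SSN is bound for an external address. The sample body, recipients and internal domain example.edu are constructed assumptions.

```python
import re

# Candidate: NNN-NN-NNNN with optional dashes/spaces, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def plausible_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000, 666 or 900-999; group 00; serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def find_ssns(text):
    """All structurally plausible SSNs in `text`, as written."""
    return [m.group(0) for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]


def dlp_decision(recipients, body, internal_domain="example.edu"):
    """Block only when a plausible SSN would leave for an external address.
    internal_domain is an assumption standing in for the institution's own domain."""
    external = [r for r in recipients if not r.lower().endswith("@" + internal_domain)]
    hits = find_ssns(body)
    if external and hits:
        return "block", f"body appears to contain a U.S. Social Security Number ({len(hits)} found)"
    return "deliver", "no confidential data leaving the institution"


# Constructed sample outgoing message (not a real one): one real-looking SSN, plus an
# order number, a case number and a phone number that must not trigger the rule.
SAMPLE_BODY = """Hi Joe, the student's record is attached.
SSN on file: 123-45-6789. Order ref 000-12-3456, case 900-55-1212.
Call me at 978-555-0100 if anything is missing."""

if __name__ == "__main__":
    print(dlp_decision(["joe.sender@gmail.example"], SAMPLE_BODY))   # blocked
    print(dlp_decision(["registrar@example.edu"], SAMPLE_BODY))      # delivered
```

A real DLP engine adds context words (“SSN”, “social”) and attachment scanning on top of this; the plausibility filter is what keeps the false-positive rate bearable.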

Slide34

Slide35

What to do?

Educate! Train! Inform!
You can tweak the technology, throw money into security appliances and applications, but… it’s hard to reform the human.
Appeal to people’s experiences… most people have had a credit card or account compromised.
Message: “Think before clicking.”

Slide36

Contact info

Susan: smchugh@mwcc.edu
Sherry: sah@fitchburgstate.edu
MA HigherED ISO Council – we welcome you to join us. http://lists.fitchburgstate.edu/scripts/wa.exe?A0=ISO
CISA Training April 20-22 at UMass President’s Office in Shrewsbury: $325.00 (ISACA Members) or $425.00 for the three-day class