Susan McHugh, Executive Director IT Services, Mount Wachusett Community College; Sherry Horeanopoulos, Information Security Officer, Fitchburg State University. NERCOMP 2011 Annual Conference.
Slide 1
How Secure is Your Information?
Susan McHugh, Executive Director, IT Services, Mount Wachusett Community College
Sherry Horeanopoulos, Information Security Officer, Fitchburg State University
NERCOMP 2011 Annual Conference
Slide 2: Agenda
- Security Standards
- Institutional Data: where is it?
- Information Mining
- Phishing
- Targeted SPAM
- Keystroke Logging
- Social Network Miners
- Data Loss Prevention
Slide 3: Security Standards
The first step in securing information is to... have a plan.** Does your institution have an Enterprise or Information Security Program, and what drives it?
- PCI-DSS v2?
- State laws and regulations?
- A data breach at your institution, or at others?
- Common sense? (Whose?)
Higher education institutions have unique challenges that other entities do not encounter, e.g. "academic freedom" and "free range" Internet/network access.
** By the way, you should write it down!
Slide 4: PCI-DSS
A framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents. Documentation- and policy-driven. If you meet the criteria to pass a PCI audit, you have the foundation of a good security plan. Keep in mind that PCI-DSS scopes only the cardholder data environment; the rest of the institution's data still needs a plan of its own.
Slide 5: State Laws and Regulations
GREAT places to be an ISO: New Mexico, Kentucky, Alabama and South Dakota (as of 2011, the four states with no breach-notification law). However, if you are from California or Massachusetts, well...
Massachusetts:
- MGL c. 93H (definition of personal information; notification in the event of a breach)
- MGL c. 66A, FIPA (Fair Information Practices Act; non-disclosure requirements)
- EO 504 (the Commonwealth's commitment to security policies and standards)
- 201 CMR 17.00 (Standards for the Protection of Personal Information of Residents of the Commonwealth)
Slide 6: State and Federal Regulations
- Social Security Administration Information Exchange Agreement (transmission of files to and from the SSA)
- HIPAA (health information privacy)
- FERPA (educational rights and privacy)
And then... Cable Communications, Census Confidentiality, Children's Online Privacy, Criminal Justice Information, Driver's Privacy Protection... and so on.
Slide 7: What to do?
- Develop a matrix defining the specifications for each regulation. Most regulations overlap; take advantage of this when making new policy.
- Collaborate with others. Each institution is under the same pressure to come up with policies; leverage others' experiences.
- Remember: the institution is not the same entity as the Department of Revenue, the Registry of Motor Vehicles or the Board of Health. Tailor your ESP/ISP to the parameters of your institution.
- Keep in mind: the TITANIC was 100% compliant.
Slide 8: Data Inventory
Do you know where your data resides? (Bet ya don't!)
Some formal ways to find out:
- Interguard, Vontu
- Netanium, McAfee
- Identity Finder
The free trial edition will let you see how this works on your own computer or laptop; to find data across your network will cost you, yes, big bucks! With the more robust applications you can crawl the network in search of PII and other sensitive information.
Slide 9: Where's the data?
Informal ways:
- You could go looking for .xls or .mdb kinds of files on file servers, departmental drives, home drives, etc. Clever sysadmins can script this.
- You could ask!
If audited, you should know where any sensitive information resides. Not every department or user is using your Oracle or SQL Server. We DO give them MS Access and other tools that make small local databases and spreadsheets awfully convenient. (Those darned end users!)
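As an added example (not code from the slides), this is the kind of script a sysadmin could write for the informal inventory described above: it walks a directory tree, lists the files with the extensions end users keep local databases and spreadsheets in, and, for the text-based ones, counts dashed Social Security Numbers and Luhn-valid card numbers. It is also the same content check a DLP gateway applies to outbound mail. The directory layout, file names and contents built in demo() are constructed for the example; .xls and .mdb files are reported by extension only, because reading them needs a format-specific library.

```python
import re
import tempfile
from pathlib import Path

# Extensions end users tend to keep ad hoc data in; .xls/.mdb are binary and are only reported by name.
INTERESTING = {".xls", ".xlsx", ".csv", ".mdb", ".accdb", ".txt"}
TEXT_READABLE = {".csv", ".txt"}

# Dashed SSN with the structurally invalid ranges excluded: area 000, 666 or 9xx; group 00; serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits optionally separated by single spaces or dashes; luhn_ok() filters out random digit runs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum used by payment card numbers; non-digits (separators) are ignored."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> list:
    return SSN_RE.findall(text)


def find_cards(text: str) -> list:
    # Scan line by line so one long run of digits cannot swallow a neighbouring number.
    hits = []
    for line in text.splitlines():
        hits += [m.group(0) for m in CARD_RE.finditer(line) if luhn_ok(m.group(0))]
    return hits


def scan_tree(root) -> list:
    """Return one finding per interesting file: either 'binary-by-extension' or a count of PII hits."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        suffix = path.suffix.lower()
        if not path.is_file() or suffix not in INTERESTING:
            continue
        rel = path.relative_to(root).as_posix()
        if suffix not in TEXT_READABLE:
            findings.append({"path": rel, "kind": "binary-by-extension", "ssn": 0, "card": 0})
            continue
        text = path.read_text(errors="replace")
        ssns, cards = find_ssns(text), find_cards(text)
        if ssns or cards:
            findings.append({"path": rel, "kind": "pii-content", "ssn": len(ssns), "card": len(cards)})
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list:
    """Build a small constructed tree (not real data), scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "finance").mkdir()
        (base / "finance" / "payroll_export.csv").write_text(
            "name,ssn\nJane Doe,123-45-6789\nJohn Roe,000-12-3456\n")      # second SSN is structurally invalid
        (base / "finance" / "refunds.txt").write_text("card on file 4111 1111 1111 1111\n")
        (base / "finance" / "old_students.mdb").write_bytes(b"\x00\x01Standard Jet DB\x00")
        (base / "minutes.txt").write_text("Nothing sensitive here; call 555-123-4567.\n")
        return scan_tree(base)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point scan_tree() at a mounted departmental share to get the informal inventory; the "binary-by-extension" entries are the spreadsheets and Access databases somebody then has to open and look at.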
Slide 10: What About Mobile Devices
- Smart phones
- iPads
- Droids
- USB drives, small and large
- Time Machine-like personal backup devices
- Cameras?
Slide 11: What to do?
- Enforce passcode/protection policies
- End-point encryption
- Remote wipe
Example, iPhone (look in Settings):
- Enable Passcode Protection
- Enable SIM PIN Protection
- Enable Auto-Lock
- Re-map your Home button
- Use a password-storing app
Slide 12 (no text extracted)
Slide 13: Data Mining
What are some of the ways that personal information gets released into the wild?
- Phishing expeditions
- Targeted SPAM and e-mail
- Keystroke logging
- Social networking
- Human nature
- Theft (remember the mobile devices)
Slide 14: Gone Phishin'
From: webmaster [alert@webmail.edu]
Sent: Saturday, July 17, 2010 3:54 PM
Subject: Mail Alert

Attn webmail Subscribers,

Scheduled Service Maintenance

Your web mail account is in the process of being upgraded to a new set of servers. The new servers will provide better anti-spam and anti-virus function, along with IMAP Support for mobile devices like Exchange Active Sync and all Mobile PDA-Phones and phones that Support IMAP/S to enhance your usage.

To confirm and keep your web mail account active and after our upgrade, kindly reconfirm your web mail Login details by stating:

* Username:
* Password:

Failure to acknowledge receipt of this notification, might result to a permanent deactivation of your web mail account from our database for up coming users.

Your web mail account shall remain active after you have successfully confirmed your account details.

Technical Support apologize for any inconvenience caused.

Technical Support Team
Slide 15: Phishing Hazards
The replier is handing over info to the phisher. Basically, there was a cast and a bite! Your users are replying to another entity who, by virtue of the reply, now has the user's e-mail address, username and password. The clever phisher can now use that e-mail account to SPAM, phish some more under an assumed identity, or use the login/password to break into other systems (especially where one password fits all). Tell end users how to check the message header; it may save you some calls. If they forward the message to you inline, the original header is gone: ask them to forward it as an attachment, or to paste the full Internet headers into the report.
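The header check the slide asks users to learn, as an added example in Python (not code from the presentation): it reads the Received: chain from the bottom up to find the originating host, and flags a message whose From: claims the institution's own domain while the origin, Reply-To or Return-Path point elsewhere. The two raw messages are constructed for the example, modelled on the Slide 14 phish; the hosts, addresses and IPs are documentation values, and "webmail.edu" is simply taken from the sample. Forwarding the message as an attachment (rather than inline) is what preserves these headers for the helpdesk.

```python
import email
import re
from email.utils import parseaddr

# "from <helo-name> (<reverse-dns> [<ip>])" as most MTAs write it; only the first host token is needed here.
RECEIVED_FROM_RE = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def domain_of(header_value) -> str:
    """Domain part of the first address in a From/Reply-To/Return-Path value, lower-cased ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def under_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def triage_headers(raw_message: str, our_domain: str) -> dict:
    """Summarise origin and sender headers and list the mismatches a user should be told to look for."""
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    return_dom = domain_of(msg.get("Return-Path"))

    # Each relay prepends its own Received: line, so the LAST one is the hop closest to the real sender.
    received = msg.get_all("Received") or []
    origin = received[-1] if received else ""
    m = RECEIVED_FROM_RE.search(origin)
    origin_host = m.group(1).lower() if m else ""

    flags = []
    if from_dom == our_domain and not under_domain(origin_host, our_domain):
        flags.append("from-claims-our-domain-but-origin-is-external")
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-differs-from-from")
    if return_dom and return_dom != from_dom:
        flags.append("return-path-differs-from-from")
    return {"from": from_dom, "reply_to": reply_dom, "return_path": return_dom,
            "origin_host": origin_host, "hops": len(received), "flags": flags}


# Constructed sample mirroring the Slide 14 message; hosts and IPs are documentation values, not real ones.
PHISH = """\
Return-Path: <bounce@lists.example.net>
Received: from mx1.webmail.edu (mx1.webmail.edu [198.51.100.10])
\tby inbox.webmail.edu with ESMTP; Sat, 17 Jul 2010 15:54:03 -0400
Received: from web7.example.net (web7.example.net [203.0.113.7])
\tby mx1.webmail.edu with SMTP; Sat, 17 Jul 2010 15:54:01 -0400
From: webmaster <alert@webmail.edu>
Reply-To: webmaster <webmail.upgrade@example.net>
To: undisclosed-recipients:;
Subject: Mail Alert

Attn webmail Subscribers, kindly reconfirm your web mail Login details ...
"""

# Constructed sample of a genuine internal notice for comparison.
LEGIT = """\
Return-Path: <alert@webmail.edu>
Received: from mail.webmail.edu (mail.webmail.edu [198.51.100.20])
\tby inbox.webmail.edu with ESMTP; Mon, 19 Jul 2010 09:00:00 -0400
From: webmaster <alert@webmail.edu>
To: staff@webmail.edu
Subject: Planned maintenance window

Webmail will be unavailable Saturday 02:00-04:00 for server patching.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, triage_headers(raw, "webmail.edu"))
```

The bottom Received: line can itself be forged by the sender, so the only hop you can fully trust is the one written by your own border MTA; the flags here are a triage aid, not proof.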
Slide 16: Using the mined info
From: Linda DiPasquale [mailto:lindi50@hotmail.com]
Sent: Wednesday, October 13, 2010 10:57 PM
To: agnes fabric shop; amymarty13@msn.com; arethaniheuaqjqn@hotmail.com; B & N DiPasquale; bernardinegish94@hotmail.com; bisexualcutie6311qu@hotmail.com; caritasirrine6097@hotmail.com; Carol Beauchemin; carylbelhumeurcoofe@hotmail.com; cherishpitzen71y@hotmail.com; Chris at work Perkins; Christine Dufresne; Cindy Hess; Cindy Testa; clarafusysy@hotmail.com; Dave Petrucci; David Petrucci; Dawn at work; Dominic Corriveau; Dominic Corriveau; Donna Johnson; Dorothy Consiglio; Doug Hampson; Elaine Paul
Subject: EMERGENCY

This had to come in a hurry and it has left me in a devastating state, it's an EMERGENCY. I'm in some terrible situation and I'm really going to need you ASAP. Few days ago, unannounced, I went on a trip to Glasgow, Scotland (United Kingdom) and unfortunately for me I got robbed by thieves, they got all my cash, credit cards everything and now I'm stranded. Right now and my return flight leaves in few hours time but I need some money to clear some bills, I didn't bring my cell phone along since I didn't get to roam them before coming over. So all I can do now is pay cash and get out of here quickly. I do not want to make a scene of this which is why I did not call my house, this is embarrassing enough.

I was wondering if you could loan me some cash, I'll refund it to you as soon as I arrive home just need to clear my Hotel bills and get the next plane home, As soon as I get home I'll refund it immediately.

Write me so I can let you know how to send it.

Regards.
Slide 17: The Inadvertent Phisher
From: Sherry Horeanopoulos
Sent: Tuesday, September 21, 2010 2:19 PM
To: Staff
Cc: Technology Managers
Subject: RE: Email Reset

Thanks to many people who shared this hoax with me....please see below (another phishing email) and remember that IT will not ask for your username and password by email. - Sherry H

From: Karen Stafford [Karen.Stafford@hnehealth.nsw.gov.au]
Sent: Monday, September 20, 2010 11:27 AM
Subject: Email Reset

You have reached the limit of your mailbox by your web mail service, you are above your limit which is 20GB as set by your administrator, you are currently running on 20.9GB, you may not be able to send or receive emails. To Prevent this! Please click on the link below to upgrade your Quota

http://www.opinionpower.com/Surveys/421059529.html

Notice Do NOT give out your email address, username or password! to any person asking for your email password

Failure to do so will result in a limited access to your mailbox. Warning!

Reverence.
Web service Administrator

NOTICE: The information contained in this e-mail may be confidential and is intended solely for the use of the named addressee. Access, copying or re-use of the e-mail or any information contained herein by any other person is not authorized. If you are not the intended recipient please notify us immediately by returning the e-mail to the originator
Slide 18: People are people.
Two problems (at least):
- By including the hoax e-mail in the message telling people to ignore it, you may be redistributing the link AND giving the receiver an additional chance to click on it.
- People scan. Users will send YOU their username and password. You are, after all, a trusted entity.
Slide 19: What to do?
- Enforce a complex password policy
- Change passwords at LEAST every 90 days (editor's note: NIST SP 800-63B, published in 2017, no longer recommends forced periodic rotation; it recommends changing a password when there is evidence of compromise and screening new passwords against lists of known-breached passwords)
- What's happening with FSU student passwords
- One-password-fits-all practices may not be such a great idea
- How MWCC handles portal passwords
Slide 20: Targeted SPAM 1
MR ANDRE LUCAS
TELEPHONE: +44-703-1896105
EMAIL: andre_lucas@fsmail.net

Dear Sir/Madam,

It is indeed my great pleasure to write you this letter, which I believe it will meet you in good condition of health but i know it will be a surprise to you as we have never met before, and I am deeply sorry if I have in any manner disturbed your privacy. Please forgive me and this unusual manner of contacting you but i just can help it, so i felt i have to reach you with this letter to support me in order to achieve my dream for the less privilege ones in our society and the world at large.

My name is Mr. Andre Lucas, A business merchant in Durban South Africa, but am presently under-going treatment here in Italy. I have been diagnosed with Oesophageal cancer. It has defied all forms of medical treatment, and right now I have only about a few months to live, according to medical experts. I have not particularly lived my life so well, as I never really cared for anyone (not even myself) but only my business. Though I am very rich, I was never generous, I was always hostile to people and only focused on my business as that was the only thing I cared for. Its now i know that no matter how much money you have it cannot safe life because i have spent millions of dollars on my illness but to no avail.

But now I regret all this as I now know that there is more to life than just wanting to have or make all the money in the world. I believe when God gives me a second chance to come to this world I would live my life a different way from how I have lived it. Now that God has called me, I have willed and given most of my property and assets to my immediate and extended family members as well as a few close friends.

I want God to be merciful to me and accept my soul, so I have decided to give alms to charity organizations for the less privilege in the society, as I want this to be one of the last good deeds I do on earth. So far, I have Distributed money to some charity organizations in the Somalia and Haiti before my sickness got worsen to this present state. Now that my health has deteriorated so badly, I cannot do this myself anymore.
You volunteer for a local charity and have joined their listserv….
Slide 21: Targeted SPAM 2
From: Bosnian Pyramid of the Sun [mailto:info@piramidasunca.org]
Sent: Wednesday, March 16, 2011 4:22 PM
To: Sherry Horeanopoulos
Subject: Zahi Hawass and Bosnian Pyramid project Chronology

On the verge of the fall of dictator among Egyptologists
HOW DID "PHARAOH" DR ZAHI HAWASS TRY TO STOP BOSNIAN PYRAMIDS PROJECT

With fall of Hosny Mubarak's regime in Egypt, numerous affairs of corrupted state officials came out. During decades of reign some ministers have managed to sling billions of dollars on their accounts. Undoubtedly, among the wealthiest is Dr. Zahi Hawass, who ruled for decades in Supreme Council of Antiquities. Though legally he had to retire three years ago, he succeeded, thanks to friendship with the wife of Hosny Mubarak Suzanne, to preserve his stay at the most powerful position in the domain of archaeology. Finally, last year he succeeded in getting assignment as the State minister for antiquities and lifelong position. At least, that's what he hoped to be.

With revolution in Egypt it wasn't possible to hide 1.600 documents that demonstrate that Dr. Zahi Hawass stole precious artifacts, falsified historical findings (making them appear younger than they really are, because they didn't fit into official history), and fired archeologists, Egyptologists, guides and state officials, who spoke loudly about corruption of his office. (Source: http://www.piramidasunca.ba/en/index.php/Translation-from-Arabic-of-the-YouTube-interview-with-an-Egyptian-Manager-of-Antiquity-Locations-No.html <http://piramidasunca.org/mail/lt.php?c=30&m=24&nl=1&s=d9b15762c1e50eb54deb5155e33a54fc&lid=118&l=-http--www.piramidasunca.ba/en/index.php/Translation-from-Arabic-of-the-YouTube-interview-with-an-Egyptian-Manager-of-Antiquity-Locations-No.html>)
Someone takes a shot in the dark…
Slide 22: Those pesky links
Using regular tools, readily available on the Internet, you can get into some GREAT mischief... like redirecting a URL:
- TinyURL
- Facebook
- Twitter
- Blogs
Slide 23
From any social media site the terms of service are clear: if you post content to the site, you grant the site permission to use the content for any purpose they deem appropriate.
Guilt by association: large financial institutions are checking social networking sites for an applicant's "friends", on the theory that deadbeats associate with deadbeats!
Slide 24: Facebook
Slide 25: So what can we know about Charlie?
- Birth date?
- Whereabouts?
- His friends?
- THEIR friends?
- Interests: he likes Denver!
- Crazy tattoos?
Slide 26: 85% success rate with targeted messaging!
Slide 27: Remember to hover!
http://www.celebtat2.com
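What "hover" reveals, done programmatically, as an added example (not code from the slides) covering both the redirect tricks of Slide 22 and the hover advice of Slide 27: it pulls every link out of an HTML mail body and flags the cases a user should distrust, namely visible text that is itself a URL but points at a different host, a shortener in place of the real destination, a user:password@ prefix that hides the real host, and a bare IP address. The HTML and the hosts in it are constructed for the example (documentation addresses, plus "webmail.edu" borrowed from the Slide 14 sample); the shortener list is an assumption to be extended for your own environment.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# URL shorteners treated as opaque redirects; an assumed starter list, not an authoritative one.
SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl", "t.co", "ow.ly", "is.gd"}

# Visible text that reads like a URL or domain ("www.bank.example", "https://host/path").
URL_LIKE_RE = re.compile(r"^(?:https?://|www\.)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL; bare 'www.example.org/x' text is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_links(html: str) -> list:
    """One report entry per anchor, listing the reasons a user hovering the link should be suspicious."""
    collector = AnchorCollector()
    collector.feed(html)
    report = []
    for href, text in collector.anchors:
        host = host_of(href)
        flags = []
        # The text shows one URL, the link goes to another.
        if URL_LIKE_RE.match(text) and host_of(text) != host:
            flags.append("text-host-mismatch")
        if host in SHORTENERS:
            flags.append("shortener")
        # http://www.bank.example@203.0.113.9/: everything before '@' is userinfo, not the host.
        if "@" in urlparse(href).netloc:
            flags.append("userinfo-in-url")
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            flags.append("ip-literal")
        report.append({"text": text, "href": href, "host": host, "flags": flags})
    return report


# Constructed sample modelled on the quota-upgrade phish shown earlier; all hosts are documentation values.
SAMPLE_HTML = """
<p>Your mailbox is over quota. <a href="http://tinyurl.com/2qz4abc">Click here to upgrade</a>.</p>
<p>Or sign in at <a href="http://203.0.113.5/webmail/">https://webmail.edu/login</a>.</p>
<p>Bank notice: <a href="http://www.bank.example@203.0.113.9/verify">www.bank.example</a></p>
<p>Questions? See <a href="https://webmail.edu/help">https://webmail.edu/help</a>.</p>
"""

if __name__ == "__main__":
    for entry in check_links(SAMPLE_HTML):
        print(entry["flags"] or "ok", "|", entry["text"], "->", entry["href"])
```

A shortener link can only be judged by following it, so treat "shortener" as "expand it somewhere safe first" (a HEAD request from a sandboxed host) rather than as a verdict.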
Slide 28 (no text extracted)
Slide 29: Data Loss Prevention
- Intrusion prevention
- Network access control
- End-point protection
- Firewalls: whitelist vs. blacklist
- DLP appliances and applications
- Encryption
Slide 30: Intrusion Prevention
- TippingPoint
- McAfee
- Palo Alto firewall
Do you know what's happening on your network every day? Are you logging activity on the firewall and on the endpoint services?
Slide 31 (no text extracted)
Slide 32 (no text extracted)
Slide 33: DLP
From: Check Point Data Loss Prevention mail delivery system [mailto:dlp@fitchburg1.fitchburgstate.edu]
Sent: Tuesday, March 29, 2011 2:23 PM
To: Joe Sender
Subject: Email Blocked [Testing DLP]

The attached message, sent by you, is addressed to an external email address. Check Point Data Loss Prevention system determined that it may contain confidential information. Email's body appears to contain a U.S. Social Security Number. The message is being blocked and will not be delivered to its destination. For additional details, please refer to the corporate information security policy. [Reference: {78CF54E3-583A-F2B3-C7EA-FC39FA0CF013}]
Slide 34 (no text extracted)
Slide 35: What to do?
Educate! Train! Inform! You can tweak the technology and throw money into security appliances and applications, but... it's hard to reform the human. Appeal to people's experiences: most people have had a credit card or account compromised. Message: "Think before clicking."
Slide 36: Contact info
Susan: smchugh@mwcc.edu
Sherry: sah@fitchburgstate.edu
MA Higher Ed ISO Council: we welcome you to join us. http://lists.fitchburgstate.edu/scripts/wa.exe?A0=ISOC
CISA Training, April 20-22 at the UMass President's Office in Shrewsbury: $325.00 (ISACA members) or $425.00 for the three-day class.