At School & On-Line: Helping Students Avoid Security Threats on the Internet

Transcription

1 At School & On-Line: Helping Stuents Avoi Security Threats on the Internet Insert picture in this frame Insert picture in this frame Presentation by Richar K. Avery, CPP Presient, New Englan Region Securitas Security Services USA

2 ri ri Agena Scope of the Problem (Slie 3-6) Potential Impact on University (Slie 7) Proactive Steps to Enhance Data Security (Slie 8-9) Social Engineering: Exploiting Human Psychology (Slie 10) Social Networking Tips (Slie 11-12) Phishing, Pharming an Scams (Slie 13-14) The Low-tech Approach of Laptop Theft (Slie 15-16) Ientity Theft: How oo Names o Ba (Slie 17) Data Breach Institutional Response Checklist (Slie 18) Data Breach Institutional Response (Slie 19) Security Awareness (Slie 20) Q&A Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

3 ri ri Scope of the Problem: Colleges an Universities For example- A very partial list of affecte institutions inclues: Valosta State University in Valosta, eorgia Buena Vista University in Storm Lake, Iowa University of California - San Francisco (UCSF) Meical Center University of Texas Arlington University of North Carolina at reensboro, an The University of North Floria in Jacksonville Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

4 ri ri Scope of the Problem: Corporations 78% of responent organizations experience computer virus attacks over the previous 12 months. 53% experience unauthorize use of their computer systems. The 2009 stuy conucte by the Javelin Strategy & Research Center reveals that: Ientity theft is on the rise, affecting almost 10 million victims in 2008 (a 22% increase from 2007) 71% of frau happens within a week of stealing a victim s personal ata. Low-tech methos for stealing personal information are still the most popular for ientity thieves. Stolen wallets an physical ocuments accounte for 43% of all ientity theft, while online methos accounte for only 11%. Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

5 ri ri Scope of the Problem: Stuents an Staff From the Equifax Learning Center: "More than 27 million Americans have been victims of ientity theft in the last five years... To eal with the problem, consumers reporte nearly $5 billion in out-ofpocket expenses." -The New York Times "This year alone more than 500,000 Americans will be robbe of their ientities...with more than $4 billion stolen in their names." -CBSnews.com Any organization or iniviual is vulnerable to cyber attack. Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

6 ri ri Scope of the Problem: Universal Concern Victims of Cyber-security Incients are not limite to universities an corporations. Eucational institutions an corporations are far from the only organizations ealing with the aftermath of a cyber intrusion or other ata loss. Defense Department was attacke by malicious hackers a few years ago that force the military agency to take an estimate 1,500 computers offline. Congress ha to give the Homelan Security Department a stern talking ue to over 844 reporte "cyber-security incients" that the agency has experience over the past two years. Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

7 ri ri Potential Impact on University In 2007, the U.S. Department of Energy has propose levying a fine of $3 million on the University of California, Oaklan, an a separate $300,000 fine on Los Alamos National Security (LANS), for their allege failures to protect classifie information in an October 2006 security breach. In a formal Preliminary Notice of Violation the DOE liste five separate areas where the school faile to follow DOE requirements for protecting classifie information. Those violations inclue: a failure by the university to protect ata ports, espite knowing about the vulnerability. a failure to impose aequate escorting requirements to etect unauthorize access an removal of classifie ata. the unauthorize reprouction of classifie material both on paper an on removable electronic meia, an allowing the material to be store in a private resience. Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

8 ri ri Proactive Steps to Enhance Data Security Steps that can be taken to enhance ata security at a number of eucational institutions: Assess an inventory ata within centrally manage aministrative systems. Implement improvements to ata management protocols. Removal of uplicate information from the schools central atabase. Protect ata that is in use or in storage by reucing access to, an use of, sensitive information except for purposes authorize an essential to institutional work. Conuct esk-by-esk auits of key epartments to ensure aherence to new security stanars. Develop a ata security training program for employees. Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

9 ri ri Proactive Steps to Enhance Data Security Aitional Steps Inclue: Ask that employees reouble their efforts to ensure the security an safe practices surrouning their iniviual, epartmental an unit-wie computer systems. Contact people an warn those affecte to look out for ientity theft an to avise them how to protect personal information an provie instructions on how to monitor their creit reports an other financial recors for suspicious activity. Conuct a full investigation of the thefts in collaboration with the university police, local police epartment, an/or the FBI, as well as the University s computing an auit professionals. Hire an outsie agency or company to auit security proceures. Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

10 ri ri Social Engineering - Exploiting Human Psychology Social engineering - relies on one of the best aspects of human personality trust. In recent years, social engineering has evolve to encompass a wie range of exploits, usually aime at liberating sensitive, confiential, or proprietary information from unsuspecting stuents an employees. Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

11 ri ri Social Networking Tips Social networking sites as pathways leaing to ientity theft. To avoi problems, stuents an other users shoul be avise accoringly: The internet is a public resource. Iniviual users shoul only post information that they are comfortable with anyone seeing. Limit the amount of personal information poste. Be wary of strangers. Be skeptical. Check privacy policies. Stuent an others entering the labor market shoul be very careful what they post. Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

12 ri ri Social Networking Tips The grave threat pose by ientity thieves: They can create a whole new you. How stuents can protect themselves: Use anti-virus software. Install a firewall. Stay current with software upates an security patches. Aitionally: Look out for attachments. Log off when you are one for the ay. Pay attention to passwors. Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

13 ri ri Phishing, Pharming & Scams "Phishing - elicits secure information through an message that appears to come from a legitimate source such as a financial institution or the University. The message may ask the user to reply with the sensitive ata, or to access a website to upate information such as a bank account number. These fake websites look realistic enough to fool many victims into revealing ata that can be use for ientity theft. "Pharming - also takes avantage of false websites, but reirects users to the false site as they attempt to access a legitimate website. Any secure information entere into the false website, such as a user name an passwor, is capture by hackers. Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

14 ri ri Phishing in Acaemia Phishing attacks targete at a specific subset of people, while fairly common in the corporate worl an against banking customers, have not often been use against stuents. In 2008, stuents an faculty at nearly a ozen universities an colleges incluing Columbia University, Duke University, Princeton University, Purue University, an the University of Notre Dame - ha been targete by phishing s. Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

15 ri ri The Low-tech Approach of Laptop Theft etting physical / Lock it or lose it: Tell stuents to physically protect their laptop PC against theft in orer to thwart subsequent theft of their finances or ientity. Help plug a huge source of ata leaks! Provie an/or inform stuents an others about available counter-theft tools an evices: Cable an locks Tie-own brackets Anti-theft tags Encryption software Use lockable cabinets in orm rooms an keep orm room oors locke when unoccupie. Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

16 ri ri The Low-tech Approach of Laptop Theft Protecting that laptop PC when on-the-go: Keep it out of sight when not being use. Use an inconspicuous carrying case. Keep that laptop close by. Be aware of istractions. There are growing opportunities for thieves on the prowl. Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

17 ri ri Ientity Theft: How oo Names o Ba The fastest growing white-collar crime in America is ientity theft: There were 7 million reporte victims in Victims spen an average of 600 hours an $1,400 in out-of-pocket expenses recovering from this crime. The average arrest rate for ientity theft is uner 5% of all cases reporte by victims. Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

18 ri ri Data Breach Institutional Response Checklist Have a written post-breach response plan reay an teste before a breach happens. Ensure that institutional officials know what role they will have when a breach happens. Have a communications plan regaring breaches. Know what regulations, statutes, an contracts cover post-breach obligations. Act promptly to prevent further exposure of ata when a breach happens. Promptly fin out what happene an preserve the evience. Involve technology an legal experts as neee. Have raft notices that are reay to be customize with reference to the facts. Contact law enforcement, creit reporting agencies, an the institution's insurance carrier as appropriate. Keep regulators informe, both when require by law an when merely sensible. Provie timely notice; legal ealines are strict. Help affecte iniviuals; their goowill can forestall legal ifficulties. Upate the breach response plan perioically. Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

19 ri ri Data Breach Institutional Response Universities shoul promptly take the following actions if a breach has occurre: Contain the breach Convene a response team Analyze the breach Determine timing requirements Collect information promptly Analyze legal implications of the breach Contact law enforcement Contact insurance carrier Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

20 ri ri Security Awareness In general, computer users will always be a weak link, an, consequently, cyber attacks will continue to be successful. Simply being aware of scammers an savvy of their wiles an ways will help protect against them an the amage they can o. The best efense against these kins of attacks is a continuing security awareness program, formalize to the extent that is practicably feasible at each institution. Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

21 ri ri Aitional Information Stuents an others can learn more by visiting the Feeral Trae Commission s Web site at an Securitas Presentation to the New Englan Boar of Higher Eucation ri ri

22 ri ri Integrity Vigilance Helpfulness securitasinc.com Securitas Name Surname Presentation Title of to presentation the New Englan Date Boar of Higher EucationName Surname Title of presentation Date 22 ri ri