Management and Storage of Sensitive Information UH Information Security Team (InfoSec)

Transcription

1 Management and Storage of Sensitive Information UH Information Security Team (InfoSec)

2 Who Are We? UH Information Security Team Jodi Ito - Information Security Officer Deanna Pasternak & Taylor Summers Information Security Specialists [email protected] 2

3 What Do We Do? Support the system-wide information security program Provide oversight of IT security issues and concerns Ensure compliance with policies Perform security audits and risk assessments Initiate and monitor the protection of sensitive information Review and revise Security Policies Implement mandatory Information Security Training Support the automatic monitoring of network and technology resources 3

4 National Cyber Security Awareness Month (NCSAM) History Started in 2004 Sponsored by the National Cyber Security Division (NCSD) within the Department of Homeland Security and the National Cyber Security Alliance (NCSA) 4

5 Cyber Security Awareness Month The National Cyber Security Alliance (NCSA) Initiated Cyber Security Month To: Raise awareness about cyber security and online safety precautions Protect our national digital infrastructure Help prevent fraud and identity theft 5

6 Examples of Cyber Attacks Flame Kaspersky dubbed it the most powerful computer virus in history. Primary target was Iran. Has the ability to steal audio, screen capture, transmit visual data, data behind input boxes (passwords), scan local Bluetooth devices. Stuxnet A computer worm that destroyed centrifuges at the heart of Iran s nuclear program. Slammer/Sapphire Worm infected 200,000+ Microsoft SQL servers world wide with a denial of service attack. Infecting 75,000 in the first 10 minutes. Disrupting Internet services and some business processes. January 24,

7 Yet Another Variant 7

8 STOP THINK CONNECT 8

9 Be Cyber Smart In conjunction with the STOP.THINK.CONNECT campaign InfoSec brings you R U Cyber S.M.A.R.T. 9

10 UH Awareness Campaign for Cyber Security Month What s in it for the UH community? Prevent future breaches Safeguard sensitive information Educate the UH community on safe personal computing practices Be Cyber S.M.A.R.T 10

11 R U - S.M.A.R.T. Identified five topics for the five weeks in October Secure Information Destruction Management and Storage of Sensitive Information Avoid Identity Theft Responsible Computing Practices Think Before You Click 11

12 What Will We Cover? Laws related to sensitive information Storage of sensitive information Where to keep it Where not to keep it Management of sensitive information How to safely transfer to others Encryption Sensitive information best practices Posting sensitive information online 12

13 Secure Information Destruction Review Keep paper locked up until you shred it Shred sensitive information on paper, DVD s Physically destroy media Securely delete both internal and external hard drives Slides available at Rebroadcast available soon 13

14 Document Retention University of Hawai i A8.450 Records Management Policy One Objective: To eliminate the maintenance of unnecessary copies of records Personal records retention 14

15 UH is sponsoring another ewaste Disposal Days in October Check the website for days and times 15

16 What is Sensitive Information? Information is considered sensitive if it can be used to cause an adverse effect on the organization or individual if disclosed to unauthorized individuals Some examples are: Social Security Numbers, Student records, Health information, Drivers license numbers, credit card numbers, dates of birth, job applicant records, etc. State, Federal and Regulatory requirements provide standards for protecting sensitive information UH Policy E2.214 has a detailed description of Sensitive information 16

17 Know What to Protect A partial list of data considered sensitive as outlined in UH Policy E2.214 Student records (FERPA) Health information (HIPAA) Personal financial information Social Security Numbers Dates of birth Access codes, passwords and PINs Answers to "security questions" Confidential salary information 17

18 Many Laws - Similar Requirements FERPA, HIPAA, PCI-DSS, HRS-487, ITAR Protect the Confidentiality, Integrity, and Availability of Sensitive Information Safeguards include Access controls to limit access to persons with a need to know Encrypt data at rest & in transit Auditing/Logging access & modifications Develop Policies and Procedures Conduct Training ITAR restrictions on the export of research data 18

19 19

20 Where is Data Stored? 20

21 Protect Sensitive Information The best way is to: Be aware Know what to protect Know how to protect it Know how it is being used 21

22 Be Aware Know where your information is stored Know what others are using your information for privacy rights Know the laws protecting information 22

23 Your Privacy Rights There are several Federal and State laws that require businesses to provide their clients with an annual notice on what personal information is collected and how it is used Notices are also posted on websites and require you to acknowledge you agree before you are given access to their product 23

24 Read the Privacy Statement 24

25 The Allegations Against Google Are: Those litigants claim Google violated its previous policies that promised information provided by a user for one service would not be used by another service without the consumer's consent. The company is accused not only of combining the information but also of not providing an easy and efficient way for consumers to opt out. It allegedly violated the American Federal Wiretap Act (for willfully intercepting communications and aggregating personal information for financial benefit), breached the Stored Electronic Communications Act (for the way it accessed consumer communications stored on its systems), violated the Computer Fraud Abuse Act, and transgressed other statutes and state laws. 25

26 Read Before You Click Before you click Accept Terms of Agreement Read what you are agreeing to They may be sharing your information 26

27 How to Protect Information Know where it is stored Safeguard it with physical security Encrypt it Use programs to store passwords securely Use password protection Redact it Delete it securely wipe it 27

28 Scan Your Computer Identity Finder Windows and Macs Download at How to use: Find SSN Linux, Solaris and Legacy OS Scan for vulnerabilities Scan a single machine: Batch scan: 28

29 Register Any Servers Containing Sensitive Information All public file, web, and ftp servers must be registered & scanned for sensitive, personal information and vulnerabilities. The UH Personal Information System survey is designed to identify ALL personal information systems in the University of Hawaii as required by Hawaii State Law. 29

30 What Does An Encrypted File Look Like? 30

31 Encryption Encrypting a Windows file, folder, and entire disk Encrypted disk images and full disk encryption for a Mac 31

32 DO NOT LOSE YOUR ENCRYPTION KEY When using encryption be careful to safeguard your encryption key. If lost ITS may not even be able to help you recover your data. 32

33 Ways To Securely Transfer Sensitive Information 33

34 Secure File Transfer Secure file transfer up to 800MB Can share with people not part of UH community Secure URL is available for five days Security ends at transmission, you will still need to secure information on your computer. 34

35 Secure Shell (SSH) What is SSH? Secure channel that encrypts information such as passwords over the internet Do not use telnet Passwords are sent in the clear making them vulnerable to cyber crime 35

36 Secure Socket Layer (SSL) What is SSL? A protocol that establishes an encrypted link between a web server and a browser ensuring all data passed between the web server and browsers remain private In other words: keeps your data safe 36

37 How do I Know the Link is Secure? Look for the (the S means it is encrypted) And/Or a padlock Why is it important? The S or the padlock means: That you have a secure (encrypted) link with this web site That this web site is a valid and legitimate organization or an accountable legal entity 37

38 Do Not Use The Following To Transfer Sensitive Information Unencrypted Third party cloud applications such as Dropbox Google Drive Unsecured USB drives or other external devices 38

39 Where Should Sensitive Info Be Stored? Encrypted folders, partitions, or drives Secured servers Encrypted external drives Secure applications Locked file cabinets 39

40 Where Not To Store Sensitive Information Your Unsecured paper files Your hard drive unencrypted Social networking sites 40

41 Know How it is Being Used Who has your information and how are they using it? The Bank Credit Card Companies The University Social Media Health Care Malicious Information Gathering 41

42 Penalty Minimum 10 years in jail, $250,000 fine or BOTH 42

43 35,000 addresses, thousands of user names, and other information compromised. 43

44 So What? Following policies and laws to protect sensitive information will not only protect the consumer, but it protects you from possible disciplinary action as stated in the University of Hawai i General Confidentiality Notice UH Form 92 44

45 Securing Your Password Password keepers Do not store on your monitor or under keyboard Use something easy to remember but hard to guess Follow password generation guidelines CAPITALS lowercase Numb3r5 $ymbols 45

46 46

47 The Cloud The Cloud is not secure Do not store information in the cloud unless it is encrypted 47

48 Keep Sensitive Information Secure From Social Engineers Verify callers Do not respond to scams, phishing, or suspicious phone calls requesting confidential UH information or your own personal information. Remember ITS will NEVER ask for your password over . 48

49 Don t Fall For This More on Phishing on Week 5 49

50 50

51 Back-Up? Regularly backing up your data is critical in case of a computer problem BUT Store your backup in a safe place Preferably in a different location than the host data And secure it - lock it up, encrypt it Regularly verify the backup can be restored 51

52 52

53 Key Points to Remember Handle sensitive information responsibly Protect sensitive information in paper form, electronic data at rest and in transit Follow policy if in doubt ask Bad things can happen if you do not Think Before You Click 53

54 How Do I Get itunes? To be eligible for the weekly $15 itunes cards drawing you must: Attend or watch a rebroadcast of this presentation Have a Facebook Account Like our page at Answer the Security Question of the Week for October correctly (will be posted after this session ends) You will then be added to the drawing for an itunes card I will contact you directly if you are the winner for delivery To be entered to win the $25 gift card at the end of October, you must sign up for a session at (no Facebook account required) 54

55 More Prizes Register or sign in on-line ( to be eligible for a drawing each week for a UH Manoa Bookstore donated prize. Prizes will be mailed to outer island winners. 55

56 For More Information Visit the Cyber Security Month (NSCAM) website Link to all presentations (posted soon) Link to FTC materials Posters Cyber security brochure Think. Stop. Connect. brochures 56

57 57

58 58

59 us at: Visit us at: Like us on Facebook: Follow us on Twitter: 59