Privacy and Security: Protecting personally identifiable information (PII) and securing your mobile device

Transcription

1 Privacy and Security: Protecting personally identifiable information (PII) and securing your mobile device

2 UH Information Security Team Jodi Ito - Information Security Officer Deanna Pasternak & Darryl Higa Information Security Specialists INFOSEC@HAWAII.EDU

3 What Do We Do? Support the system-wide information security program Provide oversight of IT security issues and concerns Ensure compliance with policies Perform security audits and risk assessments Initiate and monitor the protection of sensitive information Review and revise Security Policies Implement mandatory Information Security Training Support the automatic monitoring of network and technology resources

4 Cyber Security Awareness Month The National Cyber Security Alliance (NCSA) Initiated Cyber Security Month To: Raise awareness about cyber security and online safety precautions Protect our national digital infrastructure Help prevent fraud and identity theft

5 Cyber Security Awareness Month Started in 2004 Sponsored by the National Cyber Security Division (NCSD) within the Department of Homeland Security and the National Cyber Security Alliance (NCSA)

6

7 What Will We Cover? Laws related to sensitive information Management of sensitive information How to safely transfer to others Encryption Sensitive information best practices Posting sensitive information online Storage of sensitive information Where to keep it Where not to keep it

8 What Will We Cover? Web browsing safety Password Safety Phishing & Spam Digital Millennium Copyright Act (DMCA) Mobile Security 8

9 What is Sensitive Information? Information is considered sensitive if it can be used to cause an adverse effect on the organization or individual if disclosed to unauthorized individuals Some examples are: Social Security Numbers, Student records, Health information, credit card numbers, dates of birth, job applicant records, etc. State, Federal and Regulatory requirements provide standards for protecting sensitive information UH Policy E2.214 has a detailed description of Sensitive information

10 Know What to Protect A partial list of data considered sensitive as outlined in UH Policy E2.214 Student records (FERPA) Health information (HIPAA) Personal financial information Social Security Numbers Dates of birth Access codes, passwords and PINs Answers to "security questions" Confidential salary information

11 How to Protect Information Know where it is stored Safeguard it with physical security Encrypt it Redact it Delete it

12 Scan Your Computer Identity Finder Windows and Macs Download at How to use: Find SSN Linux, Solaris and Legacy OS Scan for vulnerabilities Scan a single machine: Batch scan: 12

13 Register Any Servers Containing Sensitive Information All file, web, and ftp servers must be registered & scanned for sensitive, personal information and vulnerabilities. The UH Personal Information System survey is designed to identify ALL personal information systems in the University of Hawaii as required by Hawaii State Law.

14 Encryption Encrypting a Windows file, folder, and entire disk Encrypted disk images and full disk encryption for a Mac

15 What Does An Encrypted File Look Like?

16 DO NOT LOSE YOUR ENCRYPTION KEY When using encryption be careful to safeguard your encryption key. If lost ITS might not be able to help you recover your data.

17 Ways To Securely Transfer Sensitive Information

18 Secure File Transfer Secure file transfer up to 800MB Can share with people not part of UH community Secure URL is available for up to five days Security ends at transmission, you will still need to secure information on your computer.

19 How do I Know the Link is Secure? Look for the (the S means it is encrypted) The S or the padlock means: That you have a secure (encrypted) link with this web site That this web site is a valid and legitimate organization or an accountable legal entity 19

20 Do Not Use To Transfer Sensitive Information Unencrypted Third party cloud applications such as Dropbox Google Drive Unsecured USB drives or other external devices

21 Where Should Sensitive Info Be Stored? Encrypted folders, partitions, or drives Secured servers Encrypted external drives Secure applications Locked file cabinets 21

22 Where Not To Store Sensitive Information Your Unsecured paper files Your hard drive unencrypted Social networking sites

23 Following policies and laws to protect sensitive information will not only protect the consumer, but it protects you from possible disciplinary action as stated in the UH General Confidentiality Notice UH Form 92 I understand that failure to abide by this notice may result in disciplinary action in accordance with University policies and procedures, State and federal laws, and applicable collective bargaining agreement up to and including dismissal.

24 The Cloud The Cloud is not secure Do not store information in the cloud unless it is encrypted

25 Keep Sensitive Information Secure From Social Engineers Verify callers Do not respond to scams, phishing, or suspicious phone calls requesting confidential UH information or your own personal information. Remember ITS will NEVER ask for your password over .

26 Back-Up Regularly backing up your data is critical in case of a computer failure Store your backup in a secure location Secure your backup, lock it up, encrypt it. Regularly verify you can restore from this backup.

27 Securing Your Password Password keepers Do not store on your monitor or under keyboard Use something easy to remember but hard to guess Follow password generation guidelines CAPITALS lowercase numb3r5 $ymbols

28 Use STRONG Passwords Not easily guessable Do not use dictionary words Use a combination of upper and lowercase letters, numbers, and special characters No less than 8 characters Check your password strength: checker.aspx

29 Creating a Strong Password Incorporate something memorable to you Replace letters with numbers or characters Example: First dog s name is Bingo You got him in 1965 Black spots Add special characters ==> B1NG01965bs!

30 Web Browsing Safety Use anti-virus software on your computer Create and use strong passwords Beware of instant message links and attachments Protect yourself on all wireless networks Check the URL of a website to make sure it s legitimate Ensure your web browser software and all plugins are up to date 30

31 31

32 URL Safety Avoid clicking on links in pop-up ads or links in s that seem to be phony or suspicious. A good general rule is to type the Web site address in your address bar directly, rather than use a link in an message You can check the URL in any or on another Web site by simply holding your mouse above the link. The URL will appear in your browser or status bar (the bar that is usually at the bottom of your screen) and you can see what the name of the site is before you actually click on it. 32

33 Common Signs of a Fake URL A fairly sure sign that a URL is fake is if the URL contains the "@" sign in the middle of the address. If a URL contains the "@" sign, the browser ignores everything to the left of the link. For example, if you go to a Web site that is you are not going to the Paypal site at all. A dead giveaway for a fake URL or a fake Web site is basic spelling mistakes in the Web address itself. Some URLs look very much like the name of a well-known company, but there may be letters transposed or left out. An example might be "mircosoft.com" instead of "microsoft.com." These slight differences can be easy to miss, and that's what phishers are counting on. 33

34 Using Public Computers Remember to Logoff of any password protected webpage instead of just closing your browser Clear the browser s cache and web cookies When logging into password protected sites, do not use the Save my username and password option Do not log into banking or other sensitive sites over public or unsecured wireless hotspots Use private browsing 34

35 Private Browsing Private Browsing allows you to browse the Internet without saving any information about which sites and pages you ve visited. Warning: Private Browsing doesn't make you anonymous on the Internet. Your Internet service provider, employer, or the sites themselves can still track what pages you visit. Private Browsing also doesn't protect you from keyloggers or spyware that may be installed on your computer. 35

36 Don t click on attachments that you weren t expecting Do not reply to Phishing s, even to say that you aren t interested in or to ask them to stop contacting you Use spam filters Be wary of s that have misspellings or don t use your correct name Type in the URLS of your bank or other sensitive websites instead of clicking on the URL in s 36

37 Spam Spam is the electronic version of junk mail. It involves sending unwanted messages, often unsolicited advertising, to a large number of recipients. Spam is a serious security concern as it can be used to deliver Trojan horses, viruses, worms, spyware, and targeted phishing attacks According to Symantec s latest State of Spam report, spam now accounts for 72% of all messages 37

38 How Do You Know it s Spam? Messages that do not include your address in the TO: or CC: fields are common forms of Spam Some Spam can contain offensive language or links to Web sites with inappropriate content Spam also includes many misspellings or poor sentence structure 38

39 Reporting Spam If you obtain spam from account, you can report it to If it's not from account: report suspicious activity to the Federal Trade Commission (FTC) at or If you get spam that is phishing for information, forward it to If you believe you've been scammed, file your complaint at and then visit the FTC's Identity Theft Web site at to learn how to minimize your risk of damage from ID theft. If you receive a porn spam (pornography), you can report it at It should also be reported back to the ISP (Internet Service Provider) where the originated from. 39

40 Phishing ITS will NEVER ask you for your password over Check the ITS website for current Phishing attempts How to report a Phishing targeting UH 40

41 Don t Fall For This

42 Digital Millennium Copyright Act (DMCA) 42

43 What is DMCA? An act created to protect intellectual property in digital form Downloading / Distribution of copyrighted work without authority constitutes an infringement Examples of copyrighted materials are songs, movies, TV Shows, software, and games Violations are subject to civil and criminal liabilities 43

44 Downloading Downloading and sharing of copyrighted materials via peer-to-peer file sharing software / networks WITHOUT LEGAL PERMISSION from the copyright owner or agent BitTorrent, LimeWire, and Gnutella are examples of methods used for downloading large amounts of data from the Internet 44

45 UH Requirements for DMCA Notify the copyright infringer of the infringement Require them to remove the infringing material Provide education on Copyright Infringement 45

46 DMCA Violation Consequences UH complies with all copyright legal obligations When presented with a subpoena UH will provide the violators information The individual can be sued Penalties include civil and criminal penalties Civil penalties may be actual damages at not less than $750 and not more than $30,000 per work infringed Criminal penalties include imprisonment of up to five years and fines up to $250,000 per offense 46

47 UH Responsibility for Copyright Infringements The University of Hawaii policy E2.210: Use and Management of Information Technology Resources prohibits illegal downloading or sharing of copyrighted information Copyright agents notify UH when copyrighted materials are illegally shared Per federal mandate, UH must investigate each incident UH must comply with all reported incidents or the University of Hawaii could lose ALL Federal Financial Aid! 47

48 Safe Social Networking Practices 48

49 Safe Social Networking Practices Limit personal information online Ensure information you post does not answer security questions (dog s name, mothers maiden name) Check privacy settings to see who has access to online info Google yourself to see what people can piece together about you 49

50 Snapchat is a new way to share moments with friends. Snap an ugly selfie or a video, add a caption, and send it to a friend (or maybe a few). They'll receive it, laugh, and then the snap disappears.!! Or does it? So when you share that "ugly selfie", where does it [really] end up? It's stored on your phone, but you'd expect that because you took it, so that's your lookout. It's stored on Snapchat's servers, where it will probably be deleted once it's been delivered, but not in every case. And it's stored on the recipients' phones, from where it apparently won't be deleted at all, though it will be marked "not for display," which seems to be synonymous in Snapchat's argot with "disappears forever". What to do about this? - Share snapshots only if you don't mind them hanging around forever. - Stop using Snapchat until these issues get fixed.

51 Social Networking Do not post TOO MUCH INFORMATION! The Internet is FOREVER! Whatever you post may circulate even AFTER you delete it New scams use social networking sites to get background personal information

52 Facebook Security

53 Mobile Device Security

54 Mobile Best Practices Secure your mobile devices Use accounts and complex passwords Don t leave your devices unattended Enable auto-wipe Encrypt sensitive information Be aware when using location-aware services

55 Mobile Malware How does a mobile device get infected? Crafted malicious URL Malicious Apps What can mobile malware do? Sends out SMS messages Destroys data on device Can spread to computers to infect them when synced 55

56 Geotagging Pictures taken w/ a GPS-enabled smartphone tags each picture with the longitude & latitude of the location of the picture

57

58

59

60

61 Turning off Location Services iphone Settings > Location Services

62 Location-Aware Services

63 Keep Your Computers Safe Update the software on your computer weekly (or more frequently) Install anti-virus and anti-spyware software and keep it up-todate (UH faculty/staff/students can download for free) Scan your computer for vulnerabilities and PII Use accounts and strong passwords Encrypt sensitive information Don t install unknown software from unknown sites DO NOT SHARE your accounts/passwords Use password protected screen savers

64 Wireless & Public Computers Be cautious when using open wireless networks Others using the network may be sniffing the network If you must use a public computer, change the password on the account accessed using a secure computer ASAP

65 Infosec Site

66 UH Resources Report phishing Download antivirus ITS security, phishing and virus alerts Opt-in ITS virus alert listserv Opt-in ITS phishing notification listserv 66

67 us at: Visit us at: Like us on Facebook: Follow us on Twitter: