Computer Security at Columbia College
Barak Zahavy, April 2010

Outline
- Computer Security: What and Why
- Identity Theft
- Costs
- Prevention
- Further considerations
Approach
- Broad range of awareness
- Cover a wide range of material

Computer Security
- Protection of computers and their information from theft, while allowing them to remain accessible and productive to their intended users
- Protection of sensitive and valuable information and services from publication or tampering by unauthorized parties
Why worry about Computer Security?
- Identity theft
  - The FTC estimates that as many as 9 million Americans have their identities stolen every year
  - Such crimes involve personally identifying information such as: name and address, Social Security Number, credit card numbers
- Property theft

Identity Theft: Common vulnerabilities
- Old-fashioned theft
- Dumpster diving
- Social engineering
- Phishing
- Viruses, hacking

Identity Theft: What do thieves do with a stolen identity?
- Credit card fraud: open a new account, change the billing address
- Phone or utilities fraud: open a new account, run up charges on existing accounts
- Bank fraud: open a new account, write fraudulent checks, take out a loan
- Government documents fraud: get a driver's license, get gov't benefits
- Others: get a job, rent a house, get medical services, and many more!
Data breach
- An unintentional release of secure information to an untrusted environment (Wikipedia)
- A data breach does not necessarily imply identity theft
- 78 breaches at American educational institutions in 2009; over 800,000 records exposed (Identity Theft Resource Center)

Data Breach: Recent Local Incidents
- Housing and Dining, June 2008: 5000 records in a file uploaded to a Google project site
- Columbia College, January 2010: 1400 records on 3 stolen laptops
Costs: Personal
- Some cases are resolved quickly
- Some cases cost individuals hundreds of dollars and many days repairing their good name and credit record
- Examples of potential risks:
  - Lose out on job opportunities
  - Be denied loans for education, housing, or cars

Costs: Institutional
- Disruption to University business
  - Report to government agencies as required by law
  - Internal investigation
  - Mail to affected individuals
- Ex-post response
  - Media management
- Potential repercussions
  - Regulatory fines
  - Loss of funding from government agencies
  - Lawsuits
  - Loss of donations and gifts
  - Loss of reputation
  - Credit monitoring for affected individuals
- Estimated $202 per disclosed record, including direct and indirect costs (Ponemon Institute) [202 x 1400 = 282,800]
Prevention
- Our obligation:
  - Protect the confidential information of others
  - Protect your own confidential information

How?
"The number one rule to avoiding privacy problems is, don't have the information in the first place"
-- Steven Bellovin, Columbia University Department of Computer Science

How?
- Know your data and your computer
- Follow safe computing best practices
- Be conscious of data security
- Employ physical security
- Scan your computer regularly
- Let your computer get updated
- Ensure smartphones have passcodes
Know your data and your computer
- Know what data elements you use
  - People may be unaware that SSNs or credit card numbers are on their computers
- Know how information is processed and stored in our computing environment
  - What you save to your profile is synchronized with a secure file server upon login and logout
  - Your profile includes My Documents, Desktop, and various customized settings
- Know the security controls in place
  - Logins: Windows (College domain) and applications (e.g. Outlook, OnBase)
  - Physical security (e.g. cable locks, door locks)
  - Secure protocols (e.g. Terminal Services, HTTPS)
  - Disk encryption (rollout in progress)
  - Configurations: automatic updates, firewall, anti-virus software, managed system privileges, PCPhoneHome
Safe computing best practices
- Do
  - Be suspicious of requests for personal information that come via email
  - Be careful about opening any email attachments
  - Be conscious of security threats and viruses
- Don't
  - Don't use peer-to-peer file-sharing on University-issued computers
  - Don't give out personal information unless you know who you are dealing with
  - Never click on links in unsolicited emails

Passwords
- Use strong passwords
  - Use a combination of letters, numbers, and punctuation marks
  - Switch between UppER and LoWer case
  - Don't use easy-to-guess passwords like DOB, maiden name, "password", dictionary words, names
- Commit passwords to memory
  - Don't record them on post-its stuck to your monitor
- Don't share passwords with anyone
Data Security Precautions
- In general, do not store SSNs anywhere
- If you must store SSNs in a file, save it on a secure network file share (e.g. the "O drive")
- If you need to share a file that contains sensitive data with a colleague, do it on the O drive, not via email
- If you need to deliver sensitive data outside the office, you may encrypt files on USB keys or CDs
  - Documentation to come from CCIT

Physical Security
- Lock doors to areas that contain sensitive information
- Ensure computers are locked down
  - Notify CCIT if cables are missing or with any questions
- Use laptop security cables
  - Notify CCIT if you have issues, lost the key, etc.
- Don't leave paper lying around faxes or printers
- Erase sensitive information on whiteboards
Data Discovery Software
- Goal: remove all confidential numbers from individual computers
  - Exception: circumstances where such numbers are still required for University business
- Tool: Spider data discovery software

Data Discovery Software
- Searches for sensitive information, such as SSNs or credit card numbers
- Produces a report of files that may contain such data; some false positives may be included
- What if you find sensitive data?
  - On a case-by-case basis, evaluate whether the file may be deleted, edited (e.g. remove the column of SSNs), or moved to the secure network file share ("O drive")
- CCIT is in the process of rolling out the software and documenting procedures
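To illustrate how a data discovery tool finds SSN and card-number candidates and why the report still carries false positives, here is a small scanner added for this page (it is not Spider's code, and the sample text is constructed). It pairs pattern matching with the two cheap checks such tools use to prune hits: structurally impossible SSN ranges and the Luhn check digit on card numbers.

```python
import re

# Constructed sample standing in for a file on a staff computer (not real data).
# This scanner is illustrative; Spider's own logic is not shown here.
SAMPLE_TEXT = """
Student roster export 2009
Jane Doe   123-45-6789   jd@example.edu
Part number 000-12-3456 (area 000 is never issued, so not an SSN)
Card on file: 4539 1488 0343 6467
Invoice ref:  4539 1488 0343 6468
Phone 212-555-0100
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. A structural filter, not a lookup."""
    a = int(area)
    if a in (0, 666) or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by payment cards; drops most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> dict:
    """Return candidate SSNs and card numbers that survive the filters."""
    ssns = [m.group(0) for m in SSN_RE.finditer(text)
            if plausible_ssn(*m.groups())]
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            cards.append(digits)
    return {"ssn": ssns, "card": cards}


if __name__ == "__main__":
    print(scan(SAMPLE_TEXT))  # {'ssn': ['123-45-6789'], 'card': ['4539148803436467']}
```

The invoice reference differs from the card number by one digit and fails Luhn, which is exactly the kind of hit the report would otherwise list as a false positive; anything that passes both checks still needs the case-by-case review described above.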
System Updates
- Windows Updates
  - Automatically get installed in the middle of the night on the second Tuesday of every month
  - Leave your computer logged out and powered on overnight
  - Laptops should be left in the office, logged out and powered on, to get these updates; if not on the designated night, as soon as possible afterward
- Virus scanning updates
  - Automatically get installed when you are logged in at the office

Smartphones
- BlackBerrys, iPhones, etc.
- Sensitive data may exist in email or documents in memory
- Secure with a passcode
- Turn off Bluetooth if not in use
How? (Again)
- Know your data and your computer
- Follow safe computing best practices
- Be conscious of data security
- Employ physical security
- Scan your computer regularly
- Let your computer get updated
- Ensure smartphones have passcodes

What else?
- What else is being done about all of this?
CCIT is
- Keeping the servers secure
  - Regular system maintenance, firewalls, system monitoring, backups, etc.
- Managing remote patches and updates
  - So your computers reap the benefits

CCIT is in the process of
- Deploying encryption technology on all laptops
  - An important tool to safeguard confidential data
- Rolling out the Spider scanning tool and procedures
- Auditing physical computer locks and cables
- Looking for ways to remove reliance on SSNs

What may be coming
- Communications on records retention policies
- Data security agreement for your signature
- Sensitive data scanning updates
- Updates to procedures
- Results of CCIT network file share scans
- Reduced system reliance on SSNs
Further considerations
- Keep track of where you encounter sensitive data and report it to CCIT
- If you believe you inadvertently revealed sensitive University data, including any of your passwords, contact CCIT immediately

Policies and Regulations
- Relevant University Policies
  - Social Security Number (SSN) and Unique Person Number (UPN) Usage Policy
  - Information Security Charter
  - Desktop and Laptop Security Policy
  - Encryption Policy
  - http://policylibrary.columbia.edu/
- Federal laws protect the privacy and security of SSNs
  - Personal Data Privacy and Security Act of 2007
- Family Educational Rights and Privacy Act (FERPA)
  - Federal law that protects the confidentiality of many student records

Summary
- Data breaches are costly
- Follow best practices and keep your computer secure
- Don't store SSNs in your profile
- Contact CCIT with questions

Questions?
barak@columbia.edu