OAAIS Enterprise Information Security - PowerPoint PPT Presentation

Provided by: defau639
1
Welcome to OAAIS Security Awareness Day
  • April 10, 2007

2
Enterprise Information Security (EIS)
3
EIS develops, implements, and communicates
University-wide information security policies and
programs to ensure the confidentiality,
integrity, and availability of information
systems used for UCSF business purposes.
  • Security Policy - recommend, document,
    communicate, and implement information security
    policies for the University
  • Incident Response - document, track, and
    facilitate the resolution of information security
    incidents
  • Security Alerts - communicate information
    security issues to appropriate members of the
    University community
  • Risk Assessment - document and assess information
    security risk exposure
  • Security Awareness and Training - provide
    security information and training to users
    through a structured, planned program
  • Information security consultation, direction and
    architecture review for University projects
  • Project management leadership, technical support
    on information security projects
  • Research and recommend new information security
    products and technology
  • Provider of remote access and client protection
    software services
  • Security systems management of enterprise
    defensive systems

4
Goals of OAAIS Security Awareness Day
  • To raise awareness and provide appropriate
    training so each member of the UCSF community
    can protect UCSF's confidential electronic
    information (i.e., patient information,
    intellectual property, student and staff personal
    information, etc.) and
  • Better understand the risk when using and storing
    electronic information
  • Better understand how to reduce the risks to the
    confidentiality, integrity, and availability of
    confidential electronic information
  • Better understand their roles and
    responsibilities for the protection of
    information and systems

5
Agenda
  • Top Security Threats - Tiki Maxwell, Security
    Awareness, Training & Education (SATE) Manager
  • Policies and Laws - Stephen Lau, Policy and
    Program Manager
  • Security Tools - Sean Schluntz, Architecture and
    Engineering Manager
  • Incident Response - Teresa Regalia and Stephen
    Lau

Sign in and return your feedback forms to be
entered into a drawing for an iPod Shuffle!
6
  • Top Information Security Threats
  • Presented by Tiki Maxwell
  • April 10, 2007

7
Outcomes
  • A better appreciation for the goals of
    information security
  • Confidentiality, Integrity, Availability (CIA)
  • A better understanding of the information
    security threats at UCSF
  • An awareness of the steps necessary for
    protecting UCSF information and information
    resources

8
What is Information Security?
  • The protection of information and its critical
    elements. This includes the systems and
    hardware that use, store, and transmit that
    information

9
CIA
  • C - Confidentiality
  • Preventing disclosure or exposure to
    unauthorized individuals or systems
  • I - Integrity
  • Being whole or complete and uncorrupted
  • A - Availability
  • Provides access to information, without
    interference or obstruction, in the required
    format

The CIA Triad
10
Information Security Threats
  • A threat is an object, person, or other entity
    that represents a danger to an asset.
  • Assets are resources and information an
    organization needs to conduct its business
  • Examples of Information Threats at UCSF
  • Computer (information) compromises through
  • Malware/Malicious code (software attacks)
  • Brute force attacks (password attacks)
  • Port scanning
  • Lost mobile devices with restricted information
  • Restricted information sent in clear text
  • Other types of threats, i.e., spam scams, etc.

11
Top Information Security Threats at UCSF
12
Malware - Malicious Code (Software Attacks)
  • Examples of malicious code
  • Viruses
  • Worms
  • Trojan Horses
  • Logic Bombs

13
Viruses
  • Self-replicating programs attached to legitimate
    files
  • Usually written to be destructive, most often
    modifying or erasing system files
  • Requires user to do something
  • i.e. click on an email attachment
  • Some defenses
  • Up-to-date anti-virus programs
  • User education

14
Worms
  • Self-replicating codes
  • Unlike viruses, don't require a host
  • Searches networks for vulnerable systems and
    infects them
  • Some defenses
  • Up-to-date anti-virus programs
  • Disable unused services
  • Use host based firewalls

15
Trojan Horse
  • Trojan Horses
  • Typically don't replicate themselves
  • Masquerade as legitimate programs, but hide more
    sinister activities
  • Are often attached to worms
  • Can allow attackers to
  • Remotely control infected machines
  • Perform malicious activities
  • Some defenses
  • User education
  • Up-to-date anti-virus programs
  • Regular backups
  • Host based monitoring

16
Logic Bombs
  • Buried malicious code in programs
  • Are triggered by time or specific events
  • Aren't typically self-replicating
  • The most dangerous logic bombs are
    programmed to execute when the user is not
    actively engaged or when something
    doesn't occur (e.g., machines that sit idle)

17
Brute Force Attacks
  • A form of password attack
  • Attack tries every possible combination as a
    password
  • Attempts to repeatedly guess passwords for common
    accounts
  • Attacks are often automated
  • i.e. worms

18
Port Scanning
  • Techniques used by both attackers and defenders
    (i.e., systems administrators) to identify
    computers that are active on a network
  • To identify the ports and services active on
    those computers
  • To identify the functions and roles the machines
    are fulfilling, and other useful information
  • Can also be automated, i.e. worms
  • Malicious scans are happening all the time on the
    Internet
  • Some defenses
  • Disable ports and services not needed on machines
  • Use least privilege in designing systems (if
    service or port is not being used disable it)

19
Mobile Devices
  • Mobile (portable) devices such as laptops, PDAs
    and mobile phones are very convenient to use
  • But convenience comes at a price - insecurity
  • Device can be lost
  • Physically knocked around and damaged
  • Used off site, therefore they are more likely to
    be damaged, lost or stolen
  • Susceptible to worms, viruses and other malware

20
Mobile Devices
  • Some defenses are
  • Enable password protection
  • Backup your data to an OAAIS secure server
  • Don't leave mobile devices unattended
  • Use a cable lock for your laptop
  • Use SSL VPN to access UCSF resources
  • Login to the network regularly to pick up the
    latest antivirus updates, security patches, etc.
  • Think about physical security and the safety of
    your home office
  • Report thefts or losses ASAP!

21
Clear Text Emails
  • Information being sent without using UCSF's
    secure email solution poses threats to the
    confidentiality, integrity and availability of
    that information
  • The best defenses are
  • Use UCSF Secure Email solution when sending any
    restricted or confidential information - It is
    easy to use!
  • Type "Secure: " at the beginning of your Outlook
    email Subject line. (Be sure to include the
    colon and the space after it.)
  • Example Subject: Secure: project status.
  • Continue typing your Subject line - Compose and
    send the email as you normally do.
  • http://its.ucsf.edu/information/applications/exchange/seu e_emal.jsp

22
Spam
  • Spam is unsolicited commercial email sent over
    the Internet to as many recipients as possible,
    usually via an automated program
  • Spam's appeal? Relatively low advertising cost
  • Spam scams
  • Phishing

23
Phishing
  • Scams that use Spam or pop-up messages
  • Imitates well known companies using spoofed email
    messages and web sites
  • i.e. financial institution or credit card company,
    PayPal
  • Created with the intent of fooling unsuspecting
    users into divulging personal information
  • Passwords, credit card numbers, PINs
  • Could result in Identity Theft

24
Spam & Phishing
  • Some defenses
  • Educate users
  • Use filtering software
  • Use UCSF spam filter!
  • Don't click on embedded web links in e-mail
  • Be cautious about websites you visit
  • Don't click on pop-ups or ads
  • Don't enter sensitive information on a site you
    don't trust

25
Tips for protecting UCSF information and
information resources
  • 10 Good Computer Security Practices

26
  • Do not store restricted data on your mobile
    devices
  • Back up your data regularly to the department's
    secure server
  • Use cryptic passwords, at least 8 characters
    (i.e., upper/lower case letters, numbers and
    symbols)
  • Make sure your computer has all necessary
    patches, updates and antivirus software
  • Don't install unknown or suspicious software on
    your computer
  • Practice safe emailing
  • Be distrustful when using the internet
  • Secure your area, files, and portable equipment
  • Secure your laptop with a cable lock
  • Shut down, lock, log off before leaving your
    computer unattended

27
Summary
  • Information security is Everyone's
    Responsibility and must be at the forefront of
    everyone's minds.

All of these security threats will affect you.
With an awareness of these threats, you can help
UCSF achieve its mission!
28
Additional Resources
  • OAAIS Enterprise Information Security Website:
    http://isecurity.ucsf.edu/
  • Phone: 1-415-514-3333
  • Email: isecurity@its.ucsf.edu
  • IT Security policies and Guidelines, Security
    Awareness, Training and Education:
    http://isecurity.ucsf.edu/
  • Loss or Theft of Computing Devices: Must be
    reported immediately to the UCSF Police
    Department @ 1-415-476-1414
  • Reporting IT Security Incidents: Contact
    Customer Support
  • Web: http://help.ucsf.edu/
  • Email: itscs@its.ucsf.edu