Information Security Awareness

About This Presentation

Title:

Information Security Awareness

Description:

creates an email server on your computer ... Information Security Awareness. What are some examples? Email Scams (Citibank email) http://www ... – PowerPoint PPT presentation

Number of Views:2577

Avg rating:3.0/5.0

Slides: 68

Provided by: SAB17

more less

Transcript and Presenter's Notes

Title: Information Security Awareness

1
Information Security Awareness

Basic Training for the Campus Community

2
Information Security Awareness

What are we protecting?
Our personal data
Students personal data
Critical systems-email, network, file storage
What are we protecting them from?
Information exposure
DOS-Denial of Service
Malicious Editing
How do these things happen?
Direct attacks
Hacker gets remote control access to a
computer
DOS attack, such as a virus worm
Network/email slowed or stopped
Lack of physical security
computer stolen or paperwork viewed

3
Information Security Awareness

Attacks suffered (compared with last year) Last
12 months
Yes More
Less Same
Virus or worm 100 73 9
18
Laptop theft 63 32 15 54
Desktop theft 59 30 14 56
Denial-of-service attack 53 51 16
34
System compromised 41 46 18 36
Unauthorized access to student data
14 26 26 48
-from Educause Chronicle of Higher Education
Worst ones at UWM

4
Information Security Awareness

Statistics (from higher ed as of December, 2004)
Successfully hacked 41
Attacks Accellerating 73
Punitive measures (students) 89

5
Information Security Awareness

Virus/Security Impact at UWM
Worst yet? Blaster virus, August 2003
Support Hours (non-IMT) 175 hours
Employee Downtime (non-IMT) 149 hours

6
Information Security Awareness

Virus/Security Impact at UWM
UWM Help Desk Virus/Security Help Request Hours
485 hours
683 hours
1037 hours

7
Information Security Awareness

Legislation and Policy
Where do I go for help?

8
Information Security Awareness

Federal Legislation
GLBA (Graham Leach Bliley Act)
Financial Modernization
institutions ensure the security and
confidentiality of any individuals personal
financial information
bank and credit card account numbers
credit histories
social security numbers used in conjunction with
financial transactions
FERPA
HIPAA

9
Information Security Awareness

Federal Legislation
FERPA (Family Educational Rights and Privacy Act)
Protects the privacy of student educational
records
HIPAA
Health Insurance Portability and Accountability
Act
Protect personally identifiable health
information

10
Information Security Awareness

UWM Computer Use Policy
Harassing other users, stealing passwords and
corrupting files will not be tolerated.
Only UWM students, faculty and staff members are
authorized to use IMT computers. You may not
permit anyone else to use your computer account.
Everyone is expected to do their share of
avoiding waste of limited resources.
Do not attempt to break into any computers or use
any other person's computer account without their
permission.
In general, common sense reigns.
http//www.uwm.edu/IMT/Computing/Docs/csdGuideline
.html

11
Information Security Awareness

Where do I get computer help?
Decentralized campus IT environment
Ask your supervisor what their dept. policy is
General information and questions?
UWM Help Desk 229-4040
Email help_at_uwm.edu
Virus or security questions?
Help desk
http//security.uwm.edu
virus_at_uwm.edu
csirt_at_uwm.edu

12
Information Security Awareness

Where do I get computer help?
When to contact Campus Police
Feel your or others personal safety is at risk
Believe a law has been violated
Believe your identity or other theft has occurred
When in doubt, call campus PD x9911

13
Information Security Awareness

Prevention and Awareness to avoid threats
Virus Protection
System Hardening-stop hackers!
Spyware Prevention/Awareness
Social Engineering and other threats
Email Safety Tips
Passwords
Fraud/Identity Theft
Physical Information Security

14
Information Security Awareness

Virus Protection
What is a computer Virus?
Generally speaking
A virus is a computer program, usually disguised
as something else, (mail, game, joke) that is
designed to automatically spread itself to other
computer users.
Clogs networks by spreading itself
Creates great expense in cleanup and downtime

15
Information Security Awareness

Virus Protection
Most common Computer Virus delivery at UWM
An email with an attachment that appears to have
been intentionally sent by someone you regularly
communicate with

16
Information Security Awareness

How do computers get infected?
Opening Email Attachments
How does it work?
Open a bad attachment
Actually a disguised program that does 2 things
creates an email server on your computer
uses your address book to email itself to
everyone you know, thus it looks like its from
you!
Your friend opens it too and the cycle
continues..

17
Information Security Awareness

What can I do to prevent this?
Use care when opening attachments
You should never open an attachment unless you
can answer YES to all three of the following
conditions
I know exactly what this file is
I have scanned this file with my virus scan AND I
have ensured that my virus scan was recently
updated
I have verified the identity of the sender and
their intentions via email or phone call.

18
Information Security Awareness

Anti-Virus Software
Campus License of Mcafee Virus scan
Can use at home
Available in ccls, download
Preconfigured for
Auto-updates
Full scans
No yearly subscription fees
Daily monitoring for virus trends

19
Information Security Awareness

Where do I get virus protection?
Campus Computer Labs
Links at http//security.uwm.edu

20
Information Security Awareness

Do I already have virus protection?
Departmental computers If you dont see the
McAfee shield (below) on your computer in the
bottom right hand corner contact help person for
information on what you should be using on your
office computer

21
Information Security Awareness

How do I know if I have a virus on my computer?
Strange behavior or you get a Mcafee pop-up
Unusual performance problems
Suspect you clicked on something bad
Where can I go for help if I think I have a virus
on my computer?
Your areas computer help staff
Campus help desk 229-4040 or security.uwm.edu
website
virus_at_uwm.edu

22
Information Security Awareness

How do I initiate a scan?
Whole hard drive
Single file
Remember
Anti Virus products are only as good as their
last update!

23
Information Security Awareness

If McAfee finds a virus on my computer, now what?
It may clean it automatically
It may not be able to clean it because it is a
program that is running
Restart in safe mode (hit f8 during
pre-windows boot up)
Run scan again or manually clean it up
Check for documentation about the virus it
identifies
http//vil.mcafee.com
http//securityresponse.symantec.com

24
Information Security Awareness

Stopping Hackers
All these steps help, but there are additional
steps Windows PC users should take
1. Secure all accounts on your PC and limit the
number of accounts
2. Ensure your PC is up to date and enable Auto
Updates
3. Use a software and hardware firewall

25
Information Security Awareness

Stopping Hackers
1. Secure all accounts on your PC and limit the
number of accounts
(this is different on different versions)
Go to start/settings/control panel
Choose Users and groups
Choose Users
Limit this to the bare minimum
Rename the administrator account
Disable guest unless using Windows file sharing

26
Information Security Awareness

Stopping Hackers
2. Ensure your PC is up to date and enable Auto
Updates
Go to start, and Windows Update
Alternately, open Internet Explorer and go to
http//windowsupdate.microsoft.com
-Windows XP Service Pack 2
AutoUpdate feature
May not be available on IMT or other campus
machines
right click on My Computer, choose
properties and choose the Automatic Updates
tab

27
Information Security Awareness

Stopping Hackers
3. Use a Hardware and/or Software Firewall
Firewall
A computer Firewall helps filter traffic and
limits the kinds of communications your
computer/network can have with the world

28
Information Security Awareness

Stopping Hackers
Hardware Firewall (Router)
Suggested if you are using Broadband at home
Includes Roadrunner, DSL
D-Link DI-604 30 Linksys BEFSR41 40

29
Information Security Awareness

Stopping Hackers
Software Firewall
Norton Personal Firewall 50

Zone Alarm free/40
30
Information Security Awareness

Spyware
Spyware is software that is installed on a
computer to covertly gather information through
your internet connection.
-used by Advertisers and Market Researchers

31
Information Security Awareness

Spyware
Spyware lurks on as many as 80 of computers
nationwide, according to the National Cyber
Security Alliance, a trade group.
In a recent survey, 31 of online shoppers said
they were buying less than before because of
security issues.
Fed up over problems stemming from viruses and
spyware, some computer users are giving up or
curbing their use of the Web
-LA Times article http//www.latimes.com/business/
la-fi-fedup14jan14,0,111456.story?collla-home-hea
dlines
.

32
Information Security Awareness

Spyware vs. Viruses
Viruses Mostly designed to propagate itself and
damage network and computer performance
Spyware Designed to gain information from your
computer by running unnoticed or providing some
other service.
.

33
Information Security Awareness

I have an anti-virus program. Will this stop
spyware?
Some spyware is detected by anti-virus products
such as McAffee and Norton, but for the most part
this is not the case.

34
Spyware has the potential to share personal
information with third parties without your
knowledge or consent.
35
Information Security Awareness

Increasing threat level!
Spyware type attack gains financial information
(http//www.eweek.com/article2/0,1759,1619842,00.a
sp)
An attack in June of 2004 which had the ability
to monitor web traffic for the purposes of
gaining account numbers and passwords for victims
online banking accounts.
While this attack also depended on other elements
to be successful, it represents a disturbing
trend for spyware toward increasingly invasive
and disturbing attacks.

36
Information Security Awareness

Spyware two kinds voluntary vs involuntary
Voluntary
Programs installed intentionally to server a
purpose that also report personal information to
a third party
browser toolbars
browser help windows
free screensavers
internet speed optimizers
Anti-spyware programs

37
Information Security Awareness

Spyware
Voluntary Examples
Weatherbug
Webshots
Marketscore
How to avoid this?
1. Google new things before installing
2. Read your EULA
NUMEROUS ANTI-SPYWARE PRODUCTS ARE ACTUALLY
SPYWARE!!
.

38
Information Security Awareness

Marketscore (voluntary)
Promises to increase your internet speed.
Passes ALL of your internet traffic through their
servers

39
Information Security Awareness

Marketscore (voluntary)
Evil Eula
Accept Marketscore-provided software upgrades or
changes to your system settings
Make reasonable efforts to configure all of the
computers having Internet access that are used at
home by anyone in your Household to use the
Marketscore Network and, where allowed by company
policy, on all such computers having Internet
access that are used at work by anyone in your
Household
Provide complete and accurate information about
yourself and your Household as requested during
registration for the Marketscore Network
Allow Marketscore to combine the information that
you provide with information such as credit or
prescription information from third parties

40
Information Security Awareness

Spyware
Involuntary
Programs you accidentally pickup on the internet
that hook into your browser
symptoms include
Changed homepage
sluggish performance
new toolbars
lots more pop ups
How to avoid this?
1. Stop using Internet Explorer
2. Use a reputable anti-spyware program

41
Information Security Awareness

Suggested Anti-Spyware Products
Spybot
Ad-Aware
Giant Anti Spyware (Now Microsoft product)
Pest Patrol
Webroot Spy Sweeper
Other resource
Spywarewarrior.com

42
Information Security Awareness

Spyware
Prevention in detail
1. Use Anti- Spyware software
2. get rid of IE
3. keep PC updated
4. read your EULAs
5. research software that you are considering
installing
6. Avoid software that is advertised via
pop-ups or SPAM.
.

43
Information Security Awareness

Email Safety Tips
Be careful with email attachments! - They can be
an open door to your computer!
Avoid links to jokes, free downloads, etc. (Do
you REALLY know where that link goes?)
Be aware of virus hoaxes (jdbgmgr.exe)
Do not submit personal data over email
Ssn
Address
Phone

44
Information Security Awareness

Email Safety Tips
Forged email addresses. i.e. From bob_at_uwm.com
This is simply text-can be forged for purposes of
gaining personal information.
Do you REALLY know who you are sending that email
to?

45
Information Security Awareness

Email Safety Tips
Your bank will not ask for personal information
via unsolicited email
Neither we nor Microsoft will email you a patch
to install via email attachment
Do you REALLY know who you are sending that email
to?

46
Information Security Awareness

Passwords
Use strong passwords and change them regularly!
What are Strong Passwords?
Minimum 8 characters
Capitalized/lower case
Some non-letter characters like, and
The trick to making passwords

47
Information Security Awareness

Passwords
Epanther ID password characteristics
Do not use your name or variations of your name.
Do not use your address or other sequences of
characters that someone may guess about you.
Use exactly 8 characters.
Include upper case as well as lower case letters,
digits and non-alphanumeric characters.
Please do not use the backslash character.

48
Information Security Awareness

Fraud/Identity Theft
My purse was stolen in December. By February, I
started getting notices of bounced checks. About
a year later I received information that someone
using my identity had defaulted on a number of
lease agreements and bought a car. In 1997, I
learned that someone had been working under my
Social Security number for a number of years. A
man had been arrested and used my SSN on his
arrest sheet. Theres a hit in the FBI computers
for my SSN with a different name and gender. I
cant get credit because of this situation. I
was denied a mortgage loan, employment, credit
cards, and medical care for my children. Ive
even had auto insurance denied, medical insurance
and tuition assistance denied.
-From a consumer complaint to the FTC, January
2, 2001

49
Information Security Awareness

Fraud/Identity Theft
Identity Theft is the use of someone elses good
name and credit to obtain things you will never
pay for.
Fraud/Identity Theft
Identity Fraud vs Identity Theft
Identity Theft When someone gathers personal
information about you and assumes your identity
as your own
Identity Fraud Consists mainly of someone
making unauthorized charges to your credit cart

50
Information Security Awareness

What are some examples?
Email Scams (Citibank email) http//www.uwm.edu/s
ab2/sample.htm
Dumpster diving
Credit Card information theft
Lost/Stolen Wallets
Bogus change of address requests

51
Information Security Awareness

Fraud/Identity Theft
Statistics
1. Approximately 7 million people were victims of
identity theft in 2002. That breaks down to a
little more than 13 identity thefts every minute.
2. 85 percent of all identity theft victims find
out about the crime only when they are denied
credit or employment, contacted by the police, or
have to deal with collection agencies, credit
cards, and bills.
3. On average, victims spend 600 hours to fix the
damage. The time can add up to as much as 16,000
in lost wages or income.
http//www.insideid.com/idtheft/article.php/343826
1

52
Information Security Awareness

Fraud/Identity Theft
How Victims Information is Misused (2003)
33 credit card fraud
21 phone or utilities fraud
17 Bank Fraud
6 Loan Fraud
-Courtesy of FTC

53
Information Security Awareness

Fraud/Identity Theft

54
Information Security Awareness

What are some methods of stealing identities?
Stealing records from employer
Abusing access to credit reports (landlords,
employers)
Email Scams (Phishing)
http//www.uwm.edu/sab2/sample.htm
Simply stealing your mail
Computer Hacking/Theft
Skimming
Dumpster diving
Credit Card information theft
Lost/Stolen Wallets
Bogus change of address requests
Pretext Calling

55
Information Security Awareness

What do thieves do with this information?
Open credit card and bank accounts in your
name/credit
Change the billing address for current accounts
Take out auto loans
File for bankruptcy in your name
Identify themselves as you when being arrested
Obtain IDs/ driver licenses in your name
Open cell phone or utility bills, then not pay
Change of address requests

56
Information Security Awareness

What does it take to steal someone's identity?
Name
Social Security Number
D.O.B.
Mothers maiden name
Address
Phone number

57
Information Security Awareness

Fraud/Identity Theft
How Can I Tell if I'm a Victim of Identity Theft?
Monitor the balances of your financial accounts.
Look for unexplained charges or withdrawals.
Other indications of identity theft can be
failing to receive bills or other mail signaling
an address change by the identity thief
receiving credit cards for which you did not
apply
denial of credit for no apparent reason or
receiving calls from debt collectors or companies
about merchandise or services you didn't buy.
-(UWM Police Department)

58
Information Security Awareness

Fraud/Identity Theft
How can I detect it?
Order a copy of your credit report regularly
When you do your taxes?
Credit bureaus
Equifax, 800-525-6285
Experion, 888-397-3742
TransUnion, 800-680-7289.

59
Information Security Awareness

Free credit reports available March 1
Online
Fair and Accurate Credit Transactions Act of
2004.
www.annualcreditreport.com gets you all 3
reporting agencies
(actually have to type the address in!)
Stick with that site. There are many reporting
companies, some with strings or costs attached
By Phone
877-322-8228
By Mail
Fill out the form (linked below) and mail it to
Annual Credit Report Request Service, PO Box
105281, Atlanta, GA 30348-5281.
www.ftc.gov/bcp/conline/edcams/credit/docs/fact_ac
t_request_form.pdf.

60
Information Security Awareness

Fraud/Identity Theft
How can I prevent it?-other tips
Shred everything with you information on it that
you dont need
Place passwords on bank and credit cards
Store card information separately
Dont write pin s anywhere
Dont provide personal info unless you initiated
the contact
More email cautions
Secure personal information in your home

61
Information Security Awareness

What can I do if I think its already happened to
me?
Contact the fraud departments of any one of the
three credit bureaus or the clearinghouse
mentioned earlier to place a fraud alert on your
credit file.
Close the accounts that you know or believe have
been tampered with or opened fraudulently.
File a police report. Get a copy of the report to
submit to your creditors and others that may
require proof of the crime.
File a complaint with the FTC using the ID Theft
Affadvit. The FTC maintains a database of
identity theft cases used by law enforcement
agencies for investigations.