The University of Connecticut

1
The University of Connecticut
Introduction to Information Security Awareness

• This presentation has been modeled from materials
  provided by the University of Arizona Information
  Security office.

2
Objectives

• The purpose of this overview is to provide an
  understanding of information security, the
  potential problems that can result from
  inadequate information security and the steps
  that you can take to protect the University
  information technology resources.

3
The key to security awareness is embedded in the
word security
U - R - IT
SEC- -Y
4
What is Information Security?

• Information Security encompasses those steps
  taken to ensure the integrity, confidentiality
  and availability of our information resources
  (data).
• Data integrity means that we have confidence
  that the information we use, transmit, process
  or store has not been modified by accident or
  design in an inappropriate manner.
• Data confidentiality means that no one who does
  not have authority to access the information has
  done so.
• Data availability means that the computer and
  the information is available when we need it.

5
What is Security Awareness?

• Recognizing what types of security issues and
  incidents might arise
• knowing what your responsibilities are for
  preventing security breaches and
• knowing which actions to take in the event of a
  security breach
• Most security incidents can be prevented

6
Why should you care?

• Federal and State regulations require us to
  secure our information resources to protect
  confidential and/or sensitive data.
• System insecurity leads to a leak of confidential
  information which may result in a major lawsuit.

7
Why should you care?

• Our dependence on computers is increasing.
• Enabling us to communicate globally.
• Provide us access to many University and external
  services.
• Allow us to carry out the business (both academic
  and administrative) of the University.

8
Why should you care?

• A compromised computer can
• provide access to accounts, keystrokes, and data
  including email, documents and financial
  transactions
• cause operational difficulties
• lead to identity theft
• (and often is) used to attack other computers.

9
Why should you care?

• Weak security can damage the prestige of the
  University and cause us to be a target for future
  attacks.
• The way we operate our computers increasingly
  affects others on our network and other networks.
• The bottom line
• The cost of security breaches can be massive.

10
Why should you care?

• The Universitys policy on Individual
• Responsibility with Respect to Appropriate Use
• of Information Technology Resources requires
• you to make every effort to ensure the security,
• confidentiality and integrity of individual and
• institutional information stored on its systems.
• That means that you are responsible for all
• activities that originate from your computer
• accounts and/or system.

11
Why should you care?

• Would you want others to
• Look at the websites youve visited?
• Read all your email?
• Write email with your account name?
• Use any credit cards youve used online?
• Alter/delete data on your system?
• Hijack your system for further attacks to other
  systems?

12
What threatens Information Security?
Data Theft and/or Corruption
Data Theft and/or Corruption
Data Interception
Vandalism
Trojan Horse
Spam
Computer Theft
Viruses
Theft of Identity and/or Passwords
Hacking
13
Viruses, Worms and Trojan Horses
Viruses, Worms and Trojan Horses are all programs
that can damage and/or corrupt other programs,
data or files.
14
Effects

• Benign - cause annoying interruptions such as
  displaying a comical message when striking a
  certain letter on the keyboard
• More destructive - cause such problems as
  deleting files from a hard drive or slowing down
  a system

15
How to catch it

• Can be contracted by
• an attachment to an email containing a virus,
  worm or Trojan horse
• a file downloaded from the Internet
• copying a Trojan horse program to a computer

When one computer on a network becomes infected,
the other computers on the network or for that
matter other computers on the Internet are
highly susceptible to contracting the infection.
16
How to prevent it

• Ensure that all system and application
• patches are applied as soon as they are
• made available.
• Update your virus protection software regularly.
• Ensure your workstation runs a daily virus scan
  of all files.
• (see http//www.security.uconn.edu/guides/anti-vi
  rus.html)
• Do not configure your computer to automatically
  preview email messages.
• Do not be taken in by virus-hoaxes that use
  emotional or scare tactics to get you to pass
  along a malicious email or program.

17
How to prevent it

• Do not open attachments from unknown sources
• Be suspect of files downloaded from the internet.
• Be sure that the Automatically download HTML
  graphics option and Display graphics in
  messages option are turned off.
• Do not click on URLs within email messages.
  Instead retype the URL within your browser.
• Be aware and report unusual computer activity.
• Do not permit peer-to-peer file sharing from your
  computer.
• Log off your computer at the end of the day.

18
Website Defacement

• Website defacement refers to the change of the
  content (usually the front/main page) of a
  website with some messages by hacker or by virus.
• Can be embarrassing to the institution and the
  individual.
• Cost to the institution is considerable
• downtime,
• lost revenue,
• repair and
• credibility.

19
How to catch it

• In some cases it is intentional against the
• individual and/or institution. In most cases it
  is the
• result of a random act of hacking.
• Attacker probes web services through normal
  Internet connection looking for systems which
  will accept their particular method of attack.
• Attacker modifies HTML or JAVA code, which
  changes website or web storefront.

20
How to prevent it

• Replace, update, and patch software. Software
  that is old, out of date, or un-patched is the
  most exploited method an attacker will use to
  gain access to a website.
• Use strong passwords and change them frequently.
  Weak passwords make it easy to gain access.
• Require appropriate authentication and access
  controls on the system. Lack of access control
  and authentication can be blamed for 10s of
  1000s of attacks.
• Test your website for security vulnerabilities on
  a regular basis.

21
Denial of Service Attacks

• A denial of service attack is an incident that
  prevents legitimate users of a service from using
  that service.

Modes of attack Usually achieved by sending
large amounts of malicious connection requests or
other unmanageable data to a machine that is
connected to the Internet, blocking legitimate
traffic from getting through.
22
Examples include

• attempts to flood a network, thereby preventing
  legitimate network traffic
• attempts to disrupt connections between two
  machines thereby preventing access to a machine
• attempts to prevent a particular individual from
  accessing a service
• attempts to disrupt service to a particular
  system or person

23
How to prevent it

• In general, denial of service attacks are
• hard to prevent. However, many denial of
• service attacks can be hindered by restricting
• access to critical accounts, resources, and
• files, and protecting them from unauthorized
• users, as well as staying up on Operating
• System patches.

24
Data Theft

• Can be caused by either a malicious act or
  through negligence.
• Can result in disclosure of confidential
  information and/or identity theft.
• Phishing sending email messages that seem to
  come from trustworthy sources, such as banking
  entities, but attempt to harvest confidential
  user data. Email message usually includes a link,
  that, if accessed, takes the user to a fake
  website.

25
Examples

• May 2005 Hackers broke into a Georgia Southern
  University server that contained thousands of
  credit card and Social Security numbers collected
  over more than 3 years. (Malicious act)
• March 2005 A backup tape containing confidential
  health records of hundreds of thousands of
  individuals disappeared or were tampered with
  while in transit between two government
  facilities. (Improper handling of confidential
  data)
• March 2005 A disgruntled former employee at
  Kaiser Permanente posted a link to a Web site
  containing the personal information of 140 Kaiser
  patients. (Malicious act)

26
Examples (continued)

• Oct. 2004 Four individuals were charged with
  defrauding online banks of hundreds of thousands
  through an elaborate phishing scam which
  resulted in siphoned cash from ebanking accounts
  after conning consumers into handling over
  confidential banking details. (Malicious act)
• Sept. 2004 The hard drive of a laptop from Cal
  State contained the Social Security numbers of
  23,000 faculty, staff and students from seven (7)
  CSU campuses. The hard drive was left unattended
  over the weekend after it was replaced, and was
  found missing the following Monday. (Negligence)

27
Examples (continued)

• March 2003 The names and Social Security
  numbers of about 59,000 former and current
  students, faculty and staff at the University of
  Texas were obtained by computer hackers. The
  thieves found a vulnerability in the
  Universitys security system. (Malicious act)
• Feb. 2003 A state of Kentucky computer put up
  for sale as surplus contained confidential files
  naming thousands of people with AIDs and other
  sexually transmitted diseases. (Negligence)

28
How to prevent it

• Be aware of phishing scams. DON'T click on
  links offered in email texts! Be wary of websites
  that claim to be official but don't end in .com.
• Make sure that all University-owned and
  privately-owned electronic media (hard drives,
  PDAs, etc.) are cleaned of data prior to disposal
  or transfer to another individual.
• Be careful to whom you give out your personal
  information.

29
How to prevent it

• Protect the confidential information that has
  been entrusted to you.
• Do not give anyone access to your account(s),
  password(s) or equipment.
• Employ all security measures required/recommended
  by your department.
• Use defensive tactics firewalls, encryption,
  etc.

30
Universal Access

• There are an estimated 304 million people with
  internet access (NUA Internet Surveys, June 2000)
• All 304 million of them can communicate with your
  UCONN connected computer
• Any of the 304 million can rattle the door to
  your computer to see if its locked

31
Opportunities for Abuse

• To break into a safe, the safe cracker needs to
  know something about safes.
• To break into your computer, the
• computer cracker only needs to know where to
  download a program written by someone else who
  knows something about computers.
• Identity Theft is the fastest growing crime in
  the U.S. In 2002 it accounted for more than 9
  million victims and losses exceeded 48 Billion
  dollars.  
• (FTC Survey, 2003)

32
What is Expected of You?

• Learn and practice good security habits
• Review and adhere to University and departmental
  security policies and procedures.
• Follow University security standards,
  recommendations, and guidelines.
• Participate in required training activities.
• Be aware
• Know how to identify a potential issue.
• Report anything unusual
• Notify the appropriate contacts if you become
  aware of a suspected security incident.

33
Security Checklist

• The following checklist will help you assess how
• well you practice good security habits.
• Physical Security
• Do you protect your computer, laptop, PDA,
  electronic media from being stolen or accessed by
  others?
• Accounts and Passwords
• Do you ensure that your account is not shared
  with anyone else?
• Do you use strong passwords, do you make sure
  that your passwords are not available to others
  and do you follow the guidelines for passwords
  (http//itpolicy.uconn.edu/pswd2004.html)?

34
Security Checklist (continued)

• Virus Protection
• Do you use and regularly update anti-virus
  software on all of the computers you use for
  accessing University resources? (see
  http//www.security.uconn.edu/guides/anti-virus.ht
  ml)
• Data backup and restoration
• Do you regularly backup individual/departmental
  data for which you are responsible, ensure that
  backups can be restored, and store backups in a
  safe environment?
• Operating Systems and Network Applications
• Are the operating systems and network
  applications of your computers updated with
  current patches? (see http//www.security.uconn.ed
  u/guides/windowsupdate.html)

35
Security Checklist (continued)

• Information security
• Do you use good judgment about the amount of
  institutional or other confidential data that you
  store on your university-owned or
  personally-owned devices?
• Do you use encryption for transmitting and
  storing confidential data?
• Do you ensure that your computers are wiped clean
  of all confidential data (using the Universitys
  procedures http//itspolicy.uconn.edu/datawipe.htm
  l) before being surplused or redeployed to
  another individual?

36
Security Checklist (continued)

• Email security
• Have you configured your email program to not
  render html or other scripting languages?
• Do you keep your inbox preview pane closed to
  prevent certain types of malicious code from
  executing?
• Do you turn off Automatically download HTML
  graphics and Display graphics in messages
  options?
• Do you use mail filtering software to screen
  email and identify suspect messages, and do you
  regularly delete unwanted and suspicious
  messages?

37
Security Checklist (continued)

• Incident response
• Do you know how to report suspicious activities
  involving computing resources?
• Assistance
• Does your department or unit have staff to
  provide technical assistance, and do you know who
  they are and how to contact them?

38
University of Connecticut Contacts
Report All Security Incidents Immediately to