Mechanical Engineering Computer Security at Tuskegee University

Computer Science

Securing your data

After viewing this presentation, you should have a better understanding of the following:

1. The types of secure information to which you have access

2. How information may be stolen

3. How to secure this information

The helpful professor

Professor Helpful has been using computers since they used vacuum tubes. You have probably heard her talk about running punch card batches at 2:00am in order to have access to time on the computer.

Professor Helpful has always supported the use of computers to make life easier, and now that technology allows her to communicate with all of her students at the touch of a button, she intends to make the technology work for her.

Since the government has decided that faculty cannot post grades on their office doors as she used to, she has decided to put a copy of the scores on a web page so that the students can see what they made.

Unfortunately, a local reporter doing a story on grade inflation quotes her web site and reproduces part of it in the local paper to add emphasis to his article.

Now he is working on an even bigger story: the federal lawsuit several of the students have filed against Professor Helpful and Tuskegee University for releasing information that is supposed to be protected by the Family Educational Rights and Privacy Act (FERPA).

Computer Security at TU

• Keeping your computer and your work secure is important

  • It is a TU requirement

  • It is a federal law

• Security concerns can be divided into several areas

• TU Network security

• Server data security

• Internet security

• Physical (office) security

• PC security

• Lab computer security

• Federal guidelines have also been developed to protect certain types of data

• FERPA

• GLB Act

Physical Security

• Physical (office) security can be compromised by a thief using the old-fashioned methods

  • Picking a lock

  • Breaking and entering

  • Illegally using a set of master keys

• Your assigned space should be locked when you’re not present

• Make sure all locks and alarms are working

• Sensitive information should not be accessible to others even when you are present

• Do not share your computer with a student if it has sensitive data on it

  • Student workers need to be trained in FERPA requirements before working with sensitive data

• Do not post-it-note usernames or passwords on your monitor

The overworked secretary

Mr. Overworked is the “go to” person for the entire office. Even though he was always busy, everyone knew that if they needed it done, he was the one to give it to.

He found that his computer was a wonderful time saver for accessing all the information he needed throughout the day.

Mr. Overworked had also figured out that he could have the computer remember his passwords for all the areas around campus that he used. By programming them into his machine, he was able to work even faster.

Unfortunately, a student worker of his had seen him accessing student records through ASIS, and when Mr. Overworked left on an errand she pulled up his web browser, went into the history and logged into Mr. Overworked’s ASIS account using his saved username and password.

The student worker was just curious to see where her boyfriend’s ex-wife had moved. She was surprised to see that she actually had not moved out of town, just to a different address. Later on that evening she mentioned this to her boyfriend, who became upset that his ex-wife was not living where she had told him.

The boyfriend got drunk that night and decided to pay her a little visit and show her that he did not appreciate her trying to hide from him.

After she got out of the hospital, she brought a lawsuit against the university for releasing her address.

PC Security

• A computer can only be hacked if it can be accessed.

• Besides physical security, you can set up security within your computer itself.

• You need to require some way for the computer to be able to identify you as a valid user before it allows you to access sensitive information.

  • Operating System password needs to be set

  • Screen saver needs to be turned on and a password required to turn it off

  • Press the “Windows Logo key” + “L” whenever you leave your computer. (WinXP users)

• Currently, TU recommends that passwords be:

  • Changed at least every 180 days.

  • A mix of characters, digits, and special characters.

  • At least 7 characters. Longer is better.

  • Not using:

    • a single word,

    • a simple predictable sequence,

    • any personal information (e.g. name, birth date, telephone, pet, etc.)
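
The recommendations above, turned into a checker (an added example, not TU or helpdesk code). The word list, the substitution table, the four-character run threshold and all function names are assumptions made for this sketch. The first sample shows a password that satisfies the length and character-mix rules and still fails the "single word" rule.

```python
import string
from datetime import date

MIN_LENGTH = 7          # "At least 7 characters"
MAX_AGE_DAYS = 180      # "Changed at least every 180 days"
# Constructed stand-in for a real dictionary file.
WORDS = {"password", "welcome", "tuskegee", "football", "sunshine"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
# Undo common character substitutions before the dictionary lookup.
LEET = str.maketrans("@4031$57", "aaoelsst")


def has_sequence(pw, run=4):
    """True if pw holds `run` characters that step by +1, -1 or 0
    (abcd, 4321, aaaa) or follow a keyboard row in either direction."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
        if any(chunk in row or chunk[::-1] in row for row in KEYBOARD_ROWS):
            return True
    return False


def is_single_word(pw):
    """True if pw is one dictionary word plus decoration,
    e.g. 'P@ssw0rd1!' -> 'p@ssw0rd' -> 'password'."""
    core = pw.strip(string.digits + string.punctuation).lower()
    return core.translate(LEET) in WORDS


def check_password(pw, personal=(), last_changed=None, today=None):
    """Return the list of recommendations `pw` violates (empty = OK)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 7 characters")
    if not (any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw)):
        problems.append("needs letters, digits and special characters")
    if is_single_word(pw):
        problems.append("single word")
    if has_sequence(pw):
        problems.append("predictable sequence")
    low = pw.lower()
    if any(len(p) >= 3 and p.lower() in low for p in personal):
        problems.append("personal information")
    if last_changed is not None:
        age = ((today or date.today()) - last_changed).days
        if age > MAX_AGE_DAYS:
            problems.append("older than 180 days")
    return problems


if __name__ == "__main__":
    # Constructed samples; none is a real credential.
    for sample in ("P@ssw0rd1!", "Qwerty12345!", "mV7#kq!2Lp"):
        print(sample, "->", check_password(sample) or "ok")
```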

• Have an updated operating system

  • As the bad guys come up with ways to sneak into your computer,

  • The good guys come up with ways to block them

  • Your computer should be set up (by the help desk) to automatically get these new patches that block the bad guys.

• Antivirus protection

  • The University has purchased a site license for antivirus software.

  • It must be installed to protect your computer from viruses and to protect everyone else's computer.

  • It needs to be set up so that even you cannot disable the program’s protection. If you cannot disable it, hopefully a virus cannot disable it.

• Anti-spyware protection

  • Instead of bugging your computer, spyware is aimed at bugging you. It sneaks onto your machine and tries to watch what you are doing.

  • Microsoft has released a program to prevent spyware from installing on your computer. Call the helpdesk (x8040) to have it installed or to learn how you can install it yourself.

Lab Computer Security

• Whenever you use a public computer, it is like using a public bathroom.

• If it looks like the facility is poorly maintained, you may catch something.

• A well maintained lab will require you to identify yourself before using the computer

• You will not have the ability (rights) to install programs on the computer.

• If good users cannot install programs, bad users (hopefully) can’t install programs like spyware that could record your passwords.

• Do not use public computers to access financial information.

  • If you access your bank from a lab computer and someone sees you type your password, they can now get to your money.

• Public machines are convenient; however, they may also have been compromised and had logging software installed. Logging software can record everything you type, including passwords and bank account numbers.

• Remember to take your external storage devices with you when you are done (USB Key Drives)

Network Security

• New resources call for new security

  • With this connectivity, it is not just your data that is at risk

  • Physical security is not enough

  • Have the helpdesk help you identify open conduits on your computer and close them

    • Close any open shared resources

    • Fully patch your machine

    • Maintain an up-to-date antivirus program

• Shared access to resources is very convenient.

  • However, Windows shared folders are not secure and could be used to infect your machine!

  • Use only official shared folders (P: drive and Blackboard)

  • Never share login information. All persons who should be able to access this information will be able to use their own login information.

• Do not run programs that bypass the University security

• peer to peer networking,

• file sharing

• remote connection into the university.

• It is not just a legal issue, it is a security one

  • If you need this type of ability, the Helpdesk can help you set it up securely.

Server Security

• Resources are spread out all over the University

  • OneNet

  • Email

  • Blackboard

  • IRIS

  • etc.

• Resources have been set up to allow approved people to use them while preventing everyone else from being able to use them

• Approval is granted to access a University resource by asking you to provide your assigned user ID and your private password

• All users must have a unique User ID so that someone else's actions cannot be blamed on you

• Check with the System Administrator before trying to run new programs in your server space.

  • A bad or poorly running program could affect the entire server, not just your area. It could also allow viruses or spy programs to illegally run on University servers.

The difference between private and public server space

• Private server space is only accessible by you using your username and password.

• Public server space is accessible by anyone. Example: your Public_html subdirectory.

• Any file or subdirectory that you put in your Public_html subdirectory is visible to anyone in the world across the Internet.
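
A self-audit for public server space, as an added example (not University code): it walks a Public_html-style directory and reports world-readable files that look like protected records. The filename hints, the SSN-like pattern, the function names and the assumption that the web server serves whatever "other" users can read are all choices made for this sketch; the sample tree is constructed with made-up data.

```python
import os
import re
import stat

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")            # assumed pattern
NAME_HINTS = ("grade", "roster", "score", "transcript")  # assumed hints
MAX_SCAN_BYTES = 1_000_000


def audit_public_dir(root):
    """Return sorted (relative_path, reason) pairs for world-readable
    files under `root` that look like protected student records."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Assumption: the web server serves only what "other" can read.
            if not os.stat(full).st_mode & stat.S_IROTH:
                continue
            rel = os.path.relpath(full, root)
            if any(hint in name.lower() for hint in NAME_HINTS):
                findings.append((rel, "filename suggests student records"))
            with open(full, "rb") as fh:
                text = fh.read(MAX_SCAN_BYTES).decode("utf-8", "ignore")
            if SSN_RE.search(text):
                findings.append((rel, "SSN-like number in content"))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed Public_html tree (made-up data) for a demo."""
    samples = {
        "index.html": ("<h1>Course page</h1>", 0o644),
        "me252_grades.csv": ("name,score\nA. Student,91\n", 0o644),
        os.path.join("old", "notes.txt"): ("ID 123-45-6789\n", 0o644),
        "draft_scores.txt": ("not published\n", 0o600),
    }
    for rel, (body, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in audit_public_dir(tmp):
            print(f"{rel}: {reason}")
```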

Internet Security

• There are safe places

• and unsafe places

• What is at risk?

  • Private information (yours)

  • Protected information (the University’s)

• Use secure methods of accessing the Internet

  • A modern updated browser

  • A paranoid attitude

    • This is the single most important defense against malicious software and people!

• Never give out sensitive information across the unencrypted Internet.

• File sharing programs make it easy to get computer files. Unfortunately a lot of these files end up being spyware, viruses and Trojan horse programs.

• Computers that are able to edit protected private information will not be able to access the Internet.

• This prevents spyware from giving a hacker access from across the Internet.

• Instant messaging (IM) is a great way to communicate with other people. It is also a great way to infect your machine.

• Please call the helpdesk and ask them if you may install new programs.

The kid and the cookie jar

• Eve was finally on campus. No more parents telling her when and what to do, she was in control of herself now. She got to decide what she did and when she did it. At least till school started next week.

• As she got her new dorm room squared away, she started thinking, wouldn't it be nice if she had some tunes to liven up her crib. Unfortunately, she had left most of her CDs at home and would have to wait to pick them up.

• Just then, she remembered her friend Damien telling her how he had gotten hundreds of songs off of the Internet using a P2P program called Bearshare. And she now had a fast Ethernet connection straight into the source!

• Eve fires up her new graduation present Dell and quickly finds and installs the client program.

• A quick search finds a couple dozen albums that she always wanted, and she starts bringing them home.

• “This is like free money,” she thinks and proceeds to find other songs that she always wanted.

• Unfortunately, some of the songs she was downloading were being monitored by the Recording Industry Association of America and her IP was recorded.

• A few days later she receives a real letter informing her that she was being sued by the Recording Industry Association of America for copyright violations in the range of $68,000.

• The University also informed her that because she had violated the acceptable use agreement, her dorm Internet service had been suspended.

FERPA: The Buckley Amendment

• Postsecondary students control their records and data release

• Not their parents!

• Even if the parents pay the bills

• Directory data can be released without specific consent

• No data may be released for a student who has the DO NOT RELEASE indicator on their record.

• Data can only be viewed by someone who has a “legitimate educational need”

• If you make restricted personal information available you will be putting the University at risk.

Portable media security

• It is possible to carry all your sensitive data around with you using either a USB key or a laptop

• It is also possible that this portable media can be stolen since it is, well, portable.

• Protected data must be encrypted if it is on portable media such as a USB key.

• Call the help desk for specs on ordering a secure USB key or to obtain an encryption program for the USB key you already have

• Sensitive information on a laptop needs to be kept in an encrypted file or subdirectory.

• Call the help desk for help setting this up.

GLB Act

• The Financial Modernization Act of 1999, also known as the “Gramm-Leach-Bliley Act” or GLB Act, includes provisions to protect consumers’ personal financial information held by financial institutions.

• Applies to institutions that engage in financial activities, such as:

  • lending

  • brokering or servicing any type of consumer loan

  • transferring or safeguarding money

  • preparing individual tax returns

  • providing financial advice or credit counseling

  • providing residential real estate settlement services

  • collecting consumer debts

• There are three principal parts to the privacy requirements:

  • Financial Privacy Rule

  • Safeguards Rule

  • Pretexting Rule

Financial Privacy Rule

• Requires that customers receive privacy notices that explain the financial institution’s information collection and sharing practices

• Customers have the right to limit some sharing of their information

Safeguards Rule

• Enforced by the Federal Trade Commission, requires financial institutions to have a security plan to protect the confidentiality and integrity of personal consumer information.

Pretexting rule

• Makes obtaining a consumer’s personal financial information through fraudulent means illegal, for example:

  • False impersonation

  • Creating phony bank statements and requests

  • Solicitation of others to do the above

But I don’t have access to that!

• Actually, most people who work at TU have access to some sort of protected information

• Even a small hole in security can allow a big violation of Federally protected data

Gullible’s travels

When in doubt, click!

Renee’ Gullible is a professor who likes to assume the best from the world. One day while searching for new content for her 252 class, she comes across a website. A window pops up telling her that her computer was not protected! Click here to activate full protection!

So she does, and continues surfing, thankful that she was now better protected against bad things than she was before.

Unfortunately, what Renee’ clicked on actually installed a program that records all her keystrokes and sends them to a criminal. This person scans through the file until he comes to where Renee’ went online and paid some bills. The criminal then copies Renee’s username and password as well as her bank account number.

He accepts a generous offer from Renee’s bank for an unsecured loan and has the check sent to a mailbox down the street that he regularly looks through.

By the way, he also has access to Renee’s ASIS account and is downloading as much private information as he can. You never know when he will need to impersonate a college graduate, or find a date.