Computer Security at Tuskegee University
Computer Science
Securing your data
After viewing this presentation, you should have a better understanding of the following:
1. The types of secure information to which you have access
2. How information may be stolen
3. How to secure this information
The helpful professor
Professor Helpful has been using computers since they used vacuum tubes. You have probably heard her talk about running punch card batches at 2:00am in order to have access to time on the computer.
Professor Helpful has always supported the use of computers to make life easier, and now that technology allows her to communicate with all of her students at the touch of a button, she intends to make the technology work for her.
Since the government has decided that faculty cannot post grades on their office doors like she used to, she has decided to put a copy of the scores on a web page so that the students can see what they made.
Unfortunately, a local reporter doing a story on grade inflation quotes her web site and reproduces part of it in the local paper to add emphasis to his article.
Now he is working on an even bigger story: the Federal lawsuit several of the students have filed against Professor Helpful and Tuskegee University for releasing information that is supposed to be protected by the Family Education Rights Practice Act (FERPA).
Computer Security at TU
• Keeping your computer and your work secure is important
• It is a TU requirement
• It is a federal law
• Security concerns can be divided into several areas
• TU Network security
• Server data security
• Internet security
• Physical (office) security
• PC security
• Lab computer security
• Federal guidelines have also been developed to protect certain types of data
• FERPA
• GLB Act
Physical Security
• Physical (office) security can be compromised by a thief using old-fashioned methods
• Picking a lock
• Breaking and entering
• Illegally using a set of master keys
• Your assigned space should be locked when you’re not present
• Make sure all locks and alarms are working
• Sensitive information should not be accessible to others even when you are present
• Do not share your computer with a student if it has sensitive data on it
• Student workers need to be trained in FERPA requirements before working with sensitive data
• Do not post-it-note usernames or passwords on your monitor
The overworked secretary
Mr. Overworked is the “go to” person for the entire office. Even though he was always busy, everyone knew that if they needed it done, he was the one to give it to.
He found that his computer was a wonderful time saver for accessing all the information he needed throughout the day.
Mr. Overworked had also figured out that he could have the computer remember his passwords for all the areas around campus that he used. By programming them into his machine, he was able to work even faster.
Unfortunately, a student worker of his had seen him accessing student records through ASIS, and when Mr. Overworked left on an errand she pulled up his web browser, went into the history and logged into Mr. Overworked’s ASIS account using his saved username and password.
The student worker was just curious to see where her boyfriend’s ex-wife had moved. She was surprised to see that she actually had not moved out of town, just to a different address. Later on that evening she mentioned this to her boyfriend, who became upset that his ex-wife was not living where she had told him.
The boyfriend got drunk that night and decided to pay her a little visit and show her that he did not appreciate her trying to hide from him.
After she got out of the hospital, she brought a lawsuit against the university for releasing her address.
PC Security
• A computer can only be hacked if it can be accessed.
• Besides physical security, you can set up security within your computer itself.
• You need to require some way for the computer to be able to identify you as a valid user before it allows you to access sensitive information.
• Operating System password needs to be set
• Screen saver needs to be turned on and a password required to turn it off
• Press the “Windows Logo key” + “L” whenever you leave your computer. (WinXP users)
• Currently, TU recommends that passwords be:
• Changed at least every 180 days.
• A mix of characters, digits, and special characters.
• At least 7 characters. Longer is better.
• Not using:
• a single word,
• a simple predictable sequence,
• any personal information (e.g. name, birth date, telephone, pet, etc.)
• Have an updated operating system
• As the bad guys come up with ways to sneak into your computer,
• The good guys come up with ways to block them
• Your computer should be set up (by the help desk) to automatically get these new patches that block the bad guys.
• Antivirus protection
• The University has purchased a site license for antivirus software.
• It must be installed to protect your computer from viruses and to protect everyone else's computer.
• It needs to be set up so that even you cannot disable the program’s protection. If you cannot disable it, hopefully a virus cannot disable it.
• Anti-spyware protection
• Instead of bugging your computer, spyware is aimed at bugging you. It sneaks onto your machine and tries to watch what you are doing.
• Microsoft has released a program to prevent spyware from installing on your computer. Call the helpdesk (x8040) to have it installed or to learn how you can install it yourself.
Lab Computer Security
• Whenever you use a public computer, it is like using a public bathroom.
• If it looks like the facility is poorly maintained, you may catch something.
• A well-maintained lab will require you to identify yourself before using the computer
• You will not have the ability (rights) to install programs on the computer.
• If good users cannot install programs, bad users (hopefully) can’t install programs, like spyware that could record your passwords.
• Do not use public computers to access financial information.
• If you access your bank from a lab computer and someone sees you type your password, they can now get to your money.
• Public machines are convenient, however they also may have been compromised and logging software installed. Logging software can record everything you type, including passwords and bank account numbers.
• Remember to take your external storage devices with you when you are done (USB Key Drives)
Network Security
• New resources call for new security
• With this connectivity, it is not just your data that is at risk
• Physical security is not enough
• Have the helpdesk help you identify open conduits on your computer and close them
• Close any open shared resources
• Fully patch your machine
• Maintain an up-to-date antivirus program
• Shared access to resources is very convenient.
• However, Windows shared folders are not secure and could be used to infect your machine!
• Use only official shared folders (P: drive and Blackboard)
• Never share login information. All persons who should be able to access this information will be able to use their own login information.
• Do not run programs that bypass the University security
• peer to peer networking,
• file sharing
• remote connection into the university.
• It is not just a legal issue, it is a security one
• If you need this type of ability, the Helpdesk can help you set it up securely.
Server Security
• Resources are spread out all over the University
• OneNet
• Email
• Blackboard
• IRIS
• etc.
• Resources have been set up to allow approved people to use them while preventing everyone else from being able to use them
• Approval is granted to access a University resource by asking you to provide your assigned user ID and your private password
• All users must have a unique User ID so that someone else's actions cannot be blamed on you
• Check with the System Administrator before trying to run new programs in your server space.
• A bad or poorly running program could affect the entire server, not just your area. It could also allow viruses or spy programs to illegally run on University servers.
The difference between private and public server space
• Private server space is only accessible by you using your username and password.
• Public server space is accessible by anyone. Example: your Public_html subdirectory.
• Any file or subdirectory that you put in the Public_html subdirectory is visible to anyone in the world across the Internet.
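Because everything placed in public server space is published, it is worth auditing that directory before and after adding files. The following is an added example, not part of the original presentation: it assumes a Unix-style server where the web-published directory is readable through the "other" permission bit, and the file-name and SSN-shaped patterns are heuristics chosen for illustration.

```python
import os
import re
import stat

# Heuristics (assumptions for this example): SSN-shaped numbers and
# file names that suggest student records.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
NAME_RE = re.compile(r"(grade|score|roster|transcript)", re.IGNORECASE)


def audit_public_dir(root):
    """Walk a web-published directory and return sorted (relative path,
    reason) pairs for world-readable files that look like protected records."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            if not mode & stat.S_IROTH:
                continue  # not readable by "other": skipped by this audit
            rel = os.path.relpath(path, root)
            if NAME_RE.search(name):
                findings.append((rel, "file name suggests student records"))
            with open(path, "rb") as fh:
                # Read at most 1 MB per file to keep the scan cheap.
                if SSN_RE.search(fh.read(1_000_000)):
                    findings.append((rel, "contains SSN-shaped number"))
    return sorted(findings)
```

Any finding should be moved to private server space, not just renamed, since the content stays reachable as long as the file remains in the published directory.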
Internet Security
• There are safe places
• and unsafe places
• What is at risk?
• Private information (yours)
• Protected information (the University’s)
• Use secure methods of accessing the Internet
• A modern updated browser
• A paranoid attitude
• This is the single most important defense against malicious software and people!
• Never give out sensitive information across the unencrypted Internet.
• File sharing programs make it easy to get computer files. Unfortunately a lot of these files end up being spyware, viruses and Trojan horse programs.
• Computers that are able to edit protected private information will not be able to access the Internet.
• This prevents spyware from giving a hacker access from across the Internet.
• Instant messaging (IM) is a great way to communicate with other people. It is also a great way to infect your machine.
• Please call the helpdesk and ask them if you may install new programs.
The kid and the cookie jar
• Eve was finally on campus. No more parents telling her when and what to do, she was in control of herself now. She got to decide what she did and when she did it. At least till school started next week.
• As she got her new dorm room squared away, she started thinking, wouldn't it be nice if she had some tunes to liven up her crib. Unfortunately, she had left most of her CDs at home and would have to wait to pick them up.
• Just then, she remembered her friend Damien telling her how he had gotten hundreds of songs off of the internet using a P2P program called Bearshare. And she now had a fast ethernet connection straight into the source!
• Eve fires up her new graduation present Dell and quickly finds and installs the client program.
• A quick search finds a couple dozen albums that she always wanted, and she starts bringing them home.
• “This is like free money,” she thinks and proceeds to find other songs that she always wanted.
• Unfortunately, some of the songs she was downloading were being monitored by the Recording Industry Association of America and her IP address was recorded.
• A few days later she receives a real letter informing her that she was being sued by the Recording Industry Association of America for copyright violations in the range of $68,000.
• The University also informed her that because she had violated the acceptable use agreement, her dorm Internet service had been suspended.
FERPA: The Buckley Amendment
• Postsecondary students control their records and data release
• Not their parents!
• Even if the parents pay the bills
• Directory data can be released without specific consent
• No data may be released for a student who has the DO NOT RELEASE indicator on their record.
• Data can only be viewed by someone who has a “legitimate educational need”
• If you make restricted personal information available you will be putting the University at risk.
Portable media security
• It is possible to carry all your sensitive data around with you using either a USB key or a laptop
• It is also possible that this portable media can be stolen since it is, well, portable.
• Protected data must be encrypted if it is on portable media such as a USB key.
• Call the help desk for specs on ordering a secure USB key or to obtain an encryption program for the USB key you already have
• Sensitive information on a laptop needs to be kept in an encrypted file or subdirectory.
• Call the help desk for help setting this up.
GLB Act
• The Financial Modernization Act of 1999, also known as the “Gramm-Leach-Bliley Act” or GLB Act, includes provisions to protect consumers’ personal financial information held by financial institutions.
• Applies to institutions that engage in financial activities, such as:
• lending
• brokering or servicing any type of consumer loan
• transferring or safeguarding money
• preparing individual tax returns
• providing financial advice or credit counseling
• providing residential real estate settlement services
• collecting consumer debts
• There are three principal parts to the privacy requirements:
• Financial Privacy Rule
• Safeguards Rule
• Pretexting Rule
Financial Privacy Rule
• Requires that customers receive privacy notices that explain the financial institution’s information collection and sharing practices
• Customers have the right to limit some sharing of their information
Safeguards Rule
• Enforced by the Federal Trade Commission, requires financial institutions to have a security plan to protect the confidentiality and integrity of personal consumer information.
Pretexting rule
• Makes the obtaining of a consumer’s personal financial information through fraudulent means illegal, for example:
• False impersonation
• Creating phony bank statements and requests
• Solicitation of others to do the above
But I don’t have access to that!
• Actually, most people who work at TU have access to some sort of protected information
• Even a small hole in security can allow a big violation of Federally protected data
Gullible’s travels
When in doubt, click!
Renee’ Gullible is a professor who likes to assume the best from the world. One day while searching for new content for her 252 class, she comes across a website. A window pops up telling her that her computer is not protected! Click here to activate full protection!
So she does, and continues surfing, thankful that she is now better protected against bad things than she was before.
Unfortunately, what Renee’ clicked on actually installed a program that records all her keystrokes and sends them to a criminal. This person scans through the file until he comes to where Renee’ went online and paid some bills. The criminal then copies Renee’s username and password as well as her bank account number.
He accepts a generous offer from Renee’s bank for an unsecured loan and has the check sent to a mailbox down the street that he regularly looks through.
By the way, he also has access to Renee’s ASIS account and is downloading as much private information as he can. You never know when he will need to impersonate a college graduate, or find a date.