Protecting Sensitive Information and Keeping Your Identity Your Own
Cyberethics, Cybersafety, and Cybersecurity Conference
October 7, 2005
Amy Ginther, Project NEThics Coordinator
Office of Information Technology
Types of Data Compromise
Data loss
Data theft
Identity theft
CIFAC Project
Computer Incident Factor Analysis and Categorization Project
Examined perceptions of the importance of 80 variables in causing computer-related incidents involving systems, data, or people
Lack of sufficient training and education identified as most frequent cause of incidents.
Analysis of best practice recommendations for incident prevention, mitigation and management yielded conclusion:
“Having policies in place, enforcing policies, and providing user awareness training was considered the most important factor in preventing the incidents from happening.” Rezmierski, Rothschild, Kazanis, Rivas (2005).
Personal Identification Initiative
• Policy on the Collection, Use and Protection of ID numbers
• Limit use of social security numbers
• Promote the use of alternate identifiers: U ID (number) and Directory ID (alpha-numeric ID)
• Increase protection of SSN
• For more information, see http://www.oit.umd.edu/dataadmin/PersonalIdentification/ and http://www.oit.umd.edu/units/dataadmin/Policies/Policy_on_Collection_Use_Protection_of_ID_Numbers.pdf
State Privacy Law
• Privacy policy: www.umd.edu/privacy
If you are asked to provide personal information on an official university web site, university policy provides that you should be notified of the following:
• The purpose for which the personal information is collected;
• Any specific consequences for refusing to provide the information;
• Your right to inspect, amend, or correct personal records, if any;
• Whether the personal information is generally available for public inspection; and
• Whether the personal information is made available or transferred to or shared with any entity.
Potential ID Theft at Universities
• “Universities have accounted for 28% of the 50 securities breaches of personal information recorded by California since 2003… …that’s more than any other group…” - San Francisco Chronicle March 29th 2005
• And this is just California!
Shadow Databases
• “A thief recently walked into a Berkeley office and swiped a laptop containing personal information about nearly 100,000 alumni…” - San Francisco Chronicle March 29th 2005
Universities with ID Theft Incidents
• UC, Berkeley
• Carnegie Mellon University
• UTexas, Austin
• George Mason University
• and several more…
What can be done?
• Stop using shadow databases
• Limit who has access to sensitive data
• Encryption
• Ensure the computer it’s stored on is protected (both physically and electronically)
Shadow Databases
• Shadow databases are copies of a master database (ex: a copy of the Alumni database made for a professor for research purposes)
Shadow Databases
• Shadow databases on laptops and desktops are often unprotected.
• This leaves them vulnerable to theft, viruses, worms, bots, hackers, etc.
Limiting Access to Sensitive Data
• Why does someone need a copy of a database?
• Why does there need to be a full SSN? Use the last 5-6 numbers
• Once the data is no longer needed – delete it!
Encryption
• Encryption is a way to convert a document into an unreadable format by way of an algorithm
• You need a key (a password or passphrase) to convert the encrypted version back to the original document
• If an encrypted DB is stolen and the thief doesn’t have the key, they can’t read it
Protecting computers
• Physical security: laptop/desktop cables and locks (like a bicycle lock), STOP Tag
• Up-to-date anti-virus software (http://www.helpdesk.umd.edu)
• Up-to-date on patches (Windows Update)
• Personal firewall (XP Service Pack 2 or ZoneAlarm)
Better Password Practices
• Use strong passwords! (ex: ‘tIaHrdPa$s2Crk’, not ‘password’)
• Store passwords safely. Do not store your passwords on your computer, keep a list of them next to your computer, or put them in your top drawer where a snooping visitor can find them.
• Use different passwords for different accounts.
• Change passwords with some regularity.
UMD’s push to minimize SSN use
• Creation of the UID – a unique number not tied to SSNs; needed for variety of purposes
• Move to U ID from SSN:
• Policy approval by President
• Inventory where SSN is used to plan conversion
• Print U ID NOT SSN on ID cards
• Remove SSN from display on information system screens and on printed reports
• Remove SSN option from login screens
• Continue education of all
• Password self-service
UMD’s push to minimize SSN use
• OIT is currently auditing every department on campus to minimize the number of computers that have sensitive data on them, and to lock down those computers that MUST have sensitive data
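An added example, not part of the original slides: a small Python scanner of the kind an audit like the one above could use to find where SSNs sit in exported files (the "shadow databases" discussed earlier) and to mask them down to the last few digits. The SSN pattern, the sample export and all values in it are constructed for this example.

```python
import re
from typing import Dict, List

# Written-form SSN: 123-45-6789 or 123 45 6789. Area 000/666/9xx, group 00 and
# serial 0000 are never issued, so they are excluded; a bare 9-digit run is not
# matched, to avoid hitting phone numbers and U IDs (a choice made for this example).
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)(\d{3})[- ](?!00)(\d{2})[- ](?!0000)(\d{4})\b")

def find_ssns(text: str) -> List[str]:
    """Return every SSN-shaped value in text (for inventorying where SSN is stored)."""
    return [m.group(0) for m in SSN_RE.finditer(text)]

def mask_ssns(text: str, keep: int = 4) -> str:
    """Replace each SSN with a version that shows only its last `keep` digits."""
    def repl(m: re.Match) -> str:
        digits = "".join(m.groups())
        return "*" * (9 - keep) + digits[-keep:]
    return SSN_RE.sub(repl, text)

def scan_export(rows: List[str]) -> Dict[str, object]:
    """Summarise an exported shadow-database file: which rows carry an SSN."""
    hits = {i: find_ssns(r) for i, r in enumerate(rows)}
    hits = {i: v for i, v in hits.items() if v}
    return {"rows": len(rows), "rows_with_ssn": len(hits), "hits": hits}

# Constructed sample export (made-up values, not real data)
SAMPLE_EXPORT = [
    "alumni_id,name,ssn,phone",
    "A1001,Jane Doe,123-45-6789,301-555-0100",
    "A1002,John Roe,456-78-9012,301-555-0101",
    "A1003,Ann Poe,,301-555-0102",
]

if __name__ == "__main__":
    report = scan_export(SAMPLE_EXPORT)
    print(f"{report['rows_with_ssn']} of {report['rows']} rows contain an SSN")
    for row in SAMPLE_EXPORT:
        print(mask_ssns(row))
```

The `keep` argument lets a department choose how many trailing digits to retain; the slide suggests 5-6, the default here is 4.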
UMD’s push to minimize SSN use
We will lock down these computers by:
• Encrypting the database containing sensitive info
• Up-to-date on patches
• Personal firewall
• Use of strong passwords
• Services that aren’t needed are turned off
The Range of Dangers
Fee fraud hoax
ShareYourExperiences.com and Word-of-Mouth.org
Work from home scam
Phishing
Pharming
Evil Twins
Legit?
PayPal notice
• “…and we have reasons to belive that your account was hijacked by a third party”
• “If you choose to ignore our request, you leave us no choise but to temporaly suspend your account.”
PayPal logo on legitimate Web site (http://www.paypal.com/) always appears with trademark
http://www.citibank.com/us/index.htm
How to Identify Scam Messages
Fraudulent messages only offer one means of communication with the company.
Look for awkward writing, grammatical and spelling errors in messages—they abound!
Fraudulent messages begin with a general greeting; you are not identified by name
Dangerous messages may contain attachments that load software to enable thieves to record your keystrokes
Additional Tips to Avoid Victimization
Don’t react to the urgent or obligatory nature of the message
Don’t click on links to reach a company…they can take you to an illegitimate site. Instead, type the URL into a browser window to go to a secure (https) site.
Your legitimate service provider should be requiring you to authenticate using an established user ID and password to login
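An added example, not from the original slides: a small Python checker that applies the indicators listed on these two slides (generic greeting, urgency, spelling errors, link text that hides a different target, non-https links, attachments) to a message. The word lists, the sample messages and the 203.0.113.5 address are constructed for this example; the first sample is modelled on the PayPal notice quoted earlier.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Indicators from the slides. The word lists are short constructed samples for
# this example; a real filter would use much larger ones.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "valued customer")
URGENCY = ("suspend", "immediately", "within 24 hours", "verify your account")
MISSPELLINGS = ("belive", "choise", "temporaly")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)

def host_of(url: str) -> str:
    """Hostname of a URL or of bare link text such as www.paypal.com."""
    if "://" not in url:
        url = "http://" + url.strip()
    return (urlparse(url).hostname or "").lower()

def link_mismatches(html: str) -> List[str]:
    """Return hrefs whose displayed text names a different host than the real target."""
    out = []
    for href, text in LINK_RE.findall(html):
        shown, target = host_of(text), host_of(href)
        if shown and target and shown != target:
            out.append(href)
    return out

def score_message(msg: Dict[str, object]) -> Dict[str, object]:
    """Apply the slide's indicators to one message and return the flags raised."""
    body = str(msg.get("body", ""))
    low = body.lower()
    links = LINK_RE.findall(body)
    checks = [
        (any(g in low[:80] for g in GENERIC_GREETINGS), "generic greeting, not by name"),
        (any(w in low for w in URGENCY), "urgent or threatening tone"),
        (any(w in low for w in MISSPELLINGS), "spelling errors"),
        (bool(link_mismatches(body)), "link text does not match its target"),
        (any(urlparse(h).scheme != "https" for h, _ in links), "link is not https"),
        (bool(msg.get("attachments")), "unexpected attachment"),
    ]
    flags = [name for hit, name in checks if hit]
    return {"flags": flags, "suspicious": len(flags) >= 2}

# Constructed messages (not real mail); the first is modelled on the quoted PayPal notice.
SAMPLE_PHISH = {"body": ('Dear Customer, we have reasons to belive that your account was '
    'hijacked by a third party. If you choose to ignore our request, you leave us no '
    'choise but to temporaly suspend your account. '
    '<a href="http://203.0.113.5/login">www.paypal.com</a>'), "attachments": []}
SAMPLE_LEGIT = {"body": ('Hello Jane Doe, your monthly statement is ready at <a href='
    '"https://www.example.edu/statements">https://www.example.edu/statements</a>'),
    "attachments": []}
```

Calling `score_message(SAMPLE_PHISH)` raises five of the six flags, while the legitimate sample raises none; the link-mismatch check is the one that catches the "type the URL yourself" advice above in code.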
Checking legitimacy of Web host
Steps to Take if You Become a Victim
1. Contact your creditors and banks immediately.
2. Begin keeping records
3. Flag your credit file for fraud. For more information, go to http://www.consumer.gov/idtheft_old/index.html
4. Review your credit reports
5. Report the crime
6. Address public record errors
What Compromised Agency Should Do
• Communicate with you
• Explain the nature of compromise and the likelihood of data theft
• Advise you of steps to take (fraud alert)
• Provide Web site for more information and other resources
• Tell you how to expect that you will be contacted with additional information
• Do not release personal information in response to contacts which you have not initiated
• Tell you the steps that have been taken to mitigate the situation, protect information
Other Self-Protection Strategies
• Next time you have checks printed, have only your initials and last name printed on them
• Do not sign the back of your credit cards; instead, write “Photo ID Required”
• Do not put the full account number on the “for” line of your checks when paying bills, just use the last four numbers
• Do put your work phone on your checks instead of home phone
• Do photocopy the contents of your wallet
Contact information
Amy Ginther, Project NEThics Coordinator, [email protected], x52619
Gerry Sneeringer, IT Security Director, [email protected], x52996
Project NEThics, [email protected], x58787
Thanks to: Kevin Shivers, Lead Security Analyst (former), for input to this session.