Slide 1

Presentation by Richard K. Avery, CPP President, New England Region

Securitas Security Services USA

At School & On-Line: Helping Students Avoid Security Threats on the Internet

Slide 2

Securitas Presentation to the New England Board of Higher Education

Agenda

• Scope of the Problem (Slides 3-6)
• Potential Impact on University (Slide 7)
• Proactive Steps to Enhance Data Security (Slides 8-9)
• Social Engineering: Exploiting Human Psychology (Slide 10)
• Social Networking Tips (Slides 11-12)
• Phishing, Pharming and Email Scams (Slides 13-14)
• The Low-tech Approach of Laptop Theft (Slides 15-16)
• Identity Theft: How Good Names Go Bad (Slide 17)
• Data Breach Institutional Response Checklist (Slide 18)
• Data Breach Institutional Response (Slide 19)
• Security Awareness (Slide 20)
• Q&A

Slide 3

Scope of the Problem: Colleges and Universities

For example, a very partial list of affected institutions includes:

• Valdosta State University in Valdosta, Georgia
• Buena Vista University in Storm Lake, Iowa
• University of California - San Francisco (UCSF) Medical Center
• University of Texas – Arlington
• University of North Carolina at Greensboro, and
• The University of North Florida in Jacksonville

Slide 4

Scope of the Problem: Corporations

• 78% of respondent organizations experienced computer virus attacks over the previous 12 months.

• 53% experienced unauthorized use of their computer systems.

• The 2009 study conducted by Javelin Strategy & Research reveals that:
  • Identity theft is on the rise, affecting almost 10 million victims in 2008 (a 22% increase from 2007).
  • 71% of fraud happens within a week of the theft of a victim's personal data; low-tech methods of stealing personal information are still the most popular with identity thieves.
  • Stolen wallets and physical documents accounted for 43% of all identity theft, while online methods accounted for only 11%.

Slide 5

Scope of the Problem: Students and Staff

• From the Equifax Learning Center:
• "More than 27 million Americans have been victims of identity theft in the last five years.... To deal with the problem, consumers reported nearly $5 billion in out-of-pocket expenses."
• - The New York Times
• "This year alone more than 500,000 Americans will be robbed of their identities...with more than $4 billion stolen in their names."
• - CBSnews.com
• "Any organization or individual is vulnerable to cyber attack."

Slide 6

Scope of the Problem: Universal Concern

Victims of "cyber-security incidents" are not limited to universities and corporations.

• Educational institutions and corporations are far from the only organizations dealing with the aftermath of a cyber intrusion or other data loss.

• The Defense Department was attacked by malicious hackers a few years ago, forcing the agency to take an estimated 1,500 computers offline.

• Congress gave the Homeland Security Department a stern talking-to over more than 844 reported "cyber-security incidents" that the agency experienced over the past two years.

Slide 7

Potential Impact on University

• In 2007, the U.S. Department of Energy proposed levying a fine of $3 million on the University of California (Oakland) and a separate $300,000 fine on Los Alamos National Security (LANS) for their alleged failures to protect classified information in an October 2006 security breach.

• In a formal Preliminary Notice of Violation the DOE listed five separate areas in which the university failed to follow DOE requirements for protecting classified information. The violations included:
  • a failure by the university to protect data ports, despite knowing about the vulnerability;
  • a failure to impose adequate escorting requirements to detect unauthorized access to, and removal of, classified data;
  • the unauthorized reproduction of classified material both on paper and on removable electronic media; and
  • allowing the material to be stored in a private residence.

Slide 8

Proactive Steps to Enhance Data Security

• Steps that can be taken to enhance data security at educational institutions:
  • Assess and inventory data within centrally managed administrative systems.
  • Implement improvements to data management protocols.
  • Remove duplicated information from the school's central database.
  • Protect data in use or in storage by reducing access to, and use of, sensitive information except for purposes authorized and essential to institutional work.
  • Conduct desk-by-desk audits of key departments to ensure adherence to the new security standards.
  • Develop a data security training program for employees.

Slide 9

Proactive Steps to Enhance Data Security

• Additional steps include:
  • Ask employees to redouble their efforts to ensure security and safe practices for their individual, departmental and unit-wide computer systems.
  • Contact and warn affected individuals to watch for identity theft; advise them how to protect personal information and give them instructions on how to monitor their credit reports and other financial records for suspicious activity.
  • Conduct a full investigation of any thefts in collaboration with the university police, the local police department and/or the FBI, as well as the University's computing and audit professionals.
  • Hire an outside agency or company to audit security procedures.

Slide 10

Social Engineering - Exploiting Human Psychology

• Social engineering relies on one of the best aspects of human personality: trust.

• In recent years, social engineering has evolved to encompass a wide range of exploits, usually aimed at extracting sensitive, confidential or proprietary information from unsuspecting students and employees.

Slide 11

Social Networking Tips

• Social networking sites are pathways to identity theft.

• To avoid problems, students and other users should be advised accordingly:
  • The internet is a public resource. Users should post only information they are comfortable with anyone seeing.
  • Limit the amount of personal information posted.
  • Be wary of strangers.
  • Be skeptical.
  • Check privacy policies.
  • Students and others entering the labor market should be very careful about what they post.

Slide 12

Social Networking Tips

• The grave threat posed by identity thieves: they can create a whole new "you".

• How students can protect themselves:
  • Use anti-virus software.
  • Install a firewall.
  • Stay current with software updates and security patches.

• Additionally:
  • Look out for e-mail attachments.
  • Log off when you are done for the day.
  • Pay attention to passwords.

Slide 13

Phishing, Pharming & Email Scams

• "Phishing" elicits sensitive information through an e-mail message that appears to come from a legitimate source such as a financial institution or the University.

• The e-mail message may ask the user to reply with the sensitive data, or to visit a website to "update" information such as a bank account number.

• These fake websites look realistic enough to fool many victims into revealing data that can be used for identity theft. A telltale sign is a link whose visible text names the legitimate site while the address it actually opens belongs to a different host.

• "Pharming" also takes advantage of false websites, but redirects users to the false site as they attempt to access a legitimate website. Because it tampers with name resolution (a poisoned DNS cache or a modified hosts file, for example) rather than with the message, the user types or clicks the correct address and still lands on the attacker's server; an unexpected certificate warning or a missing HTTPS lock is often the only visible sign.

• Any secure information entered into the false website, such as a user name and password, is captured by the attackers.
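As an added example (not part of the presentation), the following Python script applies the slide's description of a phishing message to a constructed HTML e-mail: it flags a link whose visible text names the University's site while the address it opens belongs to another host, a host that merely embeds a trusted name, and a request to reply with a password. The trusted host list, the reserved `.example` and `.test` domains, and both sample messages are assumptions constructed for this example.

```python
"""Added example (not from the presentation): flag the phishing indicators the
slide describes in an HTML e-mail body.

Three checks:
  1. a link whose visible text names one host while the href points to another
  2. a link whose host merely embeds a trusted name (bank.example.evil.test)
  3. a request to reply with sensitive data (password, account number, SSN)
The trusted host list and the sample messages are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the institution's and bank's real hostnames (reserved .example TLD).
TRUSTED_HOSTS = {"www.university.example", "bank.example"}

# Something that looks like a host name inside the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")
# "reply ... with your password" style requests in the plain text of the message.
REPLY_REQUEST = re.compile(
    r"\breply\b.{0,80}(password|account number|social security|ssn)", re.S
)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    # Exact match or a genuine subdomain; "bank.example.evil.test" does not qualify.
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def analyze(html):
    """Return a list of (kind, detail) findings; an empty list means nothing fired."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if urlparse(href).scheme not in ("http", "https"):
            continue  # mailto:, tel: and the like have no host to compare
        host = host_of(href)
        m = HOST_IN_TEXT.search(text.lower())
        if m and m.group(1) != host:
            findings.append(("link_mismatch", f"text shows {m.group(1)}, href goes to {host}"))
        for t in TRUSTED_HOSTS:
            if t in host and not is_trusted(host):
                findings.append(("lookalike_host", f"{host} impersonates {t}"))
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    if REPLY_REQUEST.search(plain):
        findings.append(("reply_request", "message asks the recipient to reply with sensitive data"))
    return findings


# Constructed sample: the pattern from the slide (look-alike host plus a reply request).
SAMPLE_PHISH = """<html><body>
<p>Dear student, your account will be suspended within 24 hours.</p>
<p>Verify at <a href="http://www.university.example.account-verify.test/login">www.university.example</a>
or contact <a href="https://www.university.example/help">the help desk</a>.</p>
<p>Alternatively, reply to this message with your password and student ID.</p>
</body></html>"""

# Constructed sample: a legitimate notice that should produce no findings.
SAMPLE_LEGIT = """<html><body>
<p>Reminder: the portal is at <a href="https://www.university.example/portal">www.university.example</a>.
Never send your password by e-mail.</p>
</body></html>"""

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(msg))
```

The look-alike check matches the whole trusted hostname, so a genuine subdomain such as portal.bank.example passes while bank.example.evil.test does not. The reply-request pattern is deliberately loose: it is an awareness-level heuristic for illustrating the slide, not a mail filter.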

Slide 14

Phishing in Academia

• Phishing attacks targeted at a specific subset of people (spear phishing), while fairly common in the corporate world and against banking customers, have not often been used against students.

• In 2008, students and faculty at nearly a dozen universities and colleges, including Columbia University, Duke University, Princeton University, Purdue University and the University of Notre Dame, were targeted by phishing e-mails.

Slide 15

The Low-tech Approach of Laptop Theft

• Getting physical / Lock it or lose it:
  • Tell students to physically protect their laptop PCs against theft in order to thwart subsequent theft of their finances or identity.
  • Help plug a huge source of data leaks!
  • Provide and/or inform students and others about available counter-theft tools and devices:
    • Cable locks
    • Tie-down brackets
    • Anti-theft tags
    • Encryption software
  • Use lockable cabinets in dorm rooms and keep dorm room doors locked when unoccupied.

Slide 16

The Low-tech Approach of Laptop Theft

• Protecting that laptop PC when on-the-go:
  • Keep it out of sight when not being used.
  • Use an inconspicuous carrying case.
  • Keep that laptop close by.
  • Be aware of distractions.
  • There are growing opportunities for thieves on the prowl.

Slide 17

Identity Theft: How Good Names Go Bad

• The fastest growing white-collar crime in America is identity theft:
  • There were 7 million reported victims in 2003.
  • Victims spend an average of 600 hours and $1,400 in out-of-pocket expenses recovering from this crime.
  • The average arrest rate for identity theft is under 5% of all cases reported by victims.

Slide 18

Data Breach Institutional Response Checklist

• Have a written post-breach response plan ready and tested before a breach happens.
• Ensure that institutional officials know what role they will have when a breach happens.
• Have a communications plan regarding breaches.
• Know what regulations, statutes, and contracts cover post-breach obligations.
• Act promptly to prevent further exposure of data when a breach happens.
• Promptly find out what happened and preserve the evidence.
• Involve technology and legal experts as needed.
• Have draft notices that are ready to be customized with reference to the facts.
• Contact law enforcement, credit reporting agencies, and the institution's insurance carrier as appropriate.
• Keep regulators informed, both when required by law and when merely sensible.
• Provide timely notice; legal deadlines are strict.
• Help affected individuals; their goodwill can forestall legal difficulties.
• Update the breach response plan periodically.

Slide 19

Data Breach Institutional Response

Universities should promptly take the following actions if a breach has occurred:

• Contain the breach
• Convene a response team
• Analyze the breach
• Determine timing requirements
• Collect information promptly
• Analyze legal implications of the breach
• Contact law enforcement
• Contact insurance carrier

Slide 20

Security Awareness

• In general, computer users will always be a weak link, and, consequently, cyber attacks will continue to succeed.

• Simply being aware of scammers and savvy about their wiles and ways helps protect against them and the damage they can do.

• The best defense against these kinds of attacks is a continuing security awareness program, formalized to the extent practicable at each institution.

Slide 21

Additional Information

•  Students and others can learn more by visiting the Federal Trade Commission’s Web site at www.ftc.gov and www.onguardonline.gov.

Slide 22

Integrity | Vigilance | Helpfulness

securitasinc.com