Sponsored by UW Division of Informational Technology Office of Campus Information Security and Professional Technical Education -------------------------------Instructors: Cliff Cunningham

& Braden Bruington

SECURITY 101: Information Security Basics

1

GREETINGS & INTRODUCTIONS

Cliff Cunningham - DoIT Braden Bruington - DoIT Rick Keir - OCIS

(Office of Campus Information Security)

DID YOU KNOW?

Approx 1,200 IT professionals in UW schools

2/3 of them are not affiliated with DoIT

DoIT NonDoIT

POLICIES & GUIDELINES

Campus IT Policies
Appropriate

Use Policies Electronic Devices

Payment Card Industry Data Security Standard

a.k.a.

PCIDSS List of specific suggestions Used by OCIS

4

SECURITY TRAINING IN THE BEGINNING

All staff 100-level
All staff

200-level
System Admin (others?)
Security 201: Windows

300-level Selected staff

Security workshop Security brownbags Security 101: Information Security Basics

IIS Security Developing Secure Code

(SEP 21)

Security 202: OS X
(AUG 11)

Apache Security Oracle Security

On-line material Security 203: Linux

(FALL 2009?)

Firewall Security

Other?
5

SECURITY TRAINING WINTER 08

All staff 100-level
All staff

200-level
System Admin (others?)
You are here! Security 201:
Windows
(SEP 21)

300-level Selected staff

Security workshop Security brownbags Security 101: Information Security Basics

IIS Security Developing Secure Code

Security 202: OS X
(AUG 11)

Apache Security Oracle Security

On-line material Security 203: Linux

(FALL 2009?)

Firewall Security

Other?
6

SECURITY TRAINING SPR/SUM 09

All staff 100-level
All staff

200-level
System Admin (others?)
Security 201: Windows

300-level Selected staff

Security workshop Security brownbags Security 101: Information Security Basics

IIS Security Developing Secure Code

(SEP 21)

Security 202: OS X
(AUG 11)

Apache Security Oracle Security

On-line material Security 203: Linux

(FALL 2009?)

Firewall Security

Other?
7

SECURITY TRAINING SUM/FALL 09

All staff 100-level
All staff

200-level
System Admin (others?)
Security 201: Windows

300-level Selected staff

Security workshop Security brownbags Security 101: Information Security Basics

IIS Security Developing Secure Code

(SEP 21)

Security 202: OS X
(AUG 11)

Apache Security Oracle Security

On-line material Security 203: Linux

(FALL 2009?)

Firewall Security

Other? Other?
8

GOALS FOR THESE COURSES

To continue the campus-wide conversation Advertise OCIS training resources Increase networking (social) within IT community on UW campuses Share war stories

lessons

learned, scars received.

AGENDA
1.

2.

General discussion Defining sensitive data

---------- BREAK ----------

3. 4.

How do I find sensitive data? Handling a data security incident

---------- BREAK ----------

5.

Closing remarks & next steps

10

WHO ARE YOU?

Titles? Roles? Operating systems? What kinds of data?

Financial

information Health information Grades Credit cards Other sensitive types of information
11

HAND-OUTS
Packet of handouts Sign-up sheet

12

AGENDA
1.
2.

General discussion Defining sensitive data

---------- BREAK ----------

3.
4.

How do I find sensitive data? Handling a data security incident

---------- BREAK ----------

5.

Closing remarks & next steps

13

DATA BREACH, JUNE 4

June 4, 2009 Maine Office of Information Technology (Augusta, ME) Through a printing error, 597 people receiving unemployment benefits last week got direct-deposit information including Social Security numbers belonging to another person. "We received a print job and were running it, and there was an equipment malfunction." Recipients received one page with their own information and another page with information belonging to a different person. Number effected: 597
14

DATA BREACH, JUNE 5

June 5, 2009 Virginia Commonwealth University (Richmond, VA) A desktop computer was stolen from a secured area. The computer may have contained student names, Social Security numbers and test scores dating from October 2005 to the present. VCU discontinued use of Social Security numbers as ID numbers in January 2007. An additional 22,500 students are being notified that their names and test scores may have also been on the computer. No Social Security numbers were recorded with those names, but computer-generated student ID numbers may have been. Number effected: 17,214
15

DATA BREACH, JUNE 6

Ohio State University Dining Services (Columbus, OH) Student employees SSNs accidentally leaked in an e-mail. OSU employee received an e-mail with an attachment that included students' names and social security numbers. He unwittingly forwarded with attachment to his student employees. After realizing the mistake, the hiring coordinator called the Office of Information Technology, which stopped the e-mails before all of them were sent. Number effected: 350
16

DISCUSS

What keeps you awake at night?

(Please restrict your answers to IT security-related topics.)

17

ANALYSIS OF DATA LOSS INCIDENTS

2006 Private Sector 15% 10% Public Sector 13% 5% Higher Educn 52% 2% Medical Centers 3% 20%

Outside Hackers Insider Malfeasance Human Error or Software Misconfig Theft

20%

44%

21%

20%

55%

38%

37%

57%

http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm

18

ANALYSIS OF DATA LOSS INCIDENTS

2006 Private Sector 15% 10% Public Sector 13% 5% Higher Educn 52% 2% Medical Centers 3% 20%

Outside Hackers Insider Malfeasance Human Error or Software Misconfig Theft

20%

44%

21%

20%

55%

38%

37%

57%

http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm

19

WHO CARES?
Why should we be concerned about the handling of sensitive data?

20

EFFECTS OF DATA LOSS

On the individual
Personal

credit info can be destroyed Embarrassment Patents & intellectual property rights

On the university
Reputation Grants Patents

& intellectual property rights

21

FALLOUT FROM DATA LOSS AT OU

If there is any financial damage I will hold OU at fault and seek legal counsel to recover any and all loss, with punitive damages.

Quotes taken from article OU has been getting an earful about huge data theft by Jim Phillips, Athens NEWS Sr Writer, 2006-06-12
22

THAT IS WHY
IT professionals are scattered on campus. Data security presents a huge financial, ethical and reputational exposure. We need to unify our efforts.

E pluribus unum:
Out

of many, one.
23

AGENDA
1.

2.

General discussion Defining sensitive data

---------- BREAK ----------

3. 4.

How do I find sensitive data? Handling a data security incident

---------- BREAK ----------

5.

Closing remarks & next steps

24

CLASSES OF INFORMATION
Personal information Health & medical information Financial information

Academic information

25

PERSONAL INFORMATION

Social Security Numbers Drivers License Number Name & Address Biometric data

Finger prints DNA Maps Voice patterns

26

HEALTH & MEDICAL INFORMATION

Physical diagnoses Mental health

Psychological diagnoses Treatment

Prescriptions

27

FINANCIAL INFORMATION

Account numbers Account pass codes Credit card numbers

(NOTE: All financial information tends to be sensitive.)

28

ACADEMIC INFORMATION

Students

Grades Transcripts Communications w/faculty

Intellectual property Research data

Faculty/Staff

29

WISCONSIN STATE LAW

Wisconsins Data Breach Notification Law

Statute

895.507 (2006) Formerly, Act 138 Any unauthorized access to personal info

must notify individual(s) within 45 days

Data

includes

SSN Drivers

license or state ID Account number, code, password, PIN DNA or biometric info
30

RESTRICTED VS. SENSITIVE

Restricted: explicitly protected under Wisconsin State Law. Must notify if lost. Sensitive: still needs to be guarded with great care, but notification not required.

All restricted data is sensitive. Not all sensitive data is restricted.

31

FEDERAL LAW

FERPA academic
Family

Education Rights and Privacy Act

HIPAA health & medical

Health Insurance Portability and Accountability Act

32

CLIFFS PERSONAL ANECDOTE

From just this past June (2009).

33

FERPA: TWO TYPES OF INFO

Public Information Considered public * Examples includes Name, address, phone Email address Dates of attendance Degrees awarded Enrollment status Major field of study

Private Information Tightly restricted Examples includes SSN Student ID number Race, ethnicity, nationality Gender Transcripts & grades
(partial list)

* Students can request this information be suppressed (partial list)

Information provided by Office of Registrar UW-Madison Student Privacy Rights and Responsibilities

34

FERPA AND ITS TENTACLES

Lesser-known items within FERPAs reach

Educational records Personal notes between faculty and students Communications with parents/guardians How to post grades Letters of recommendations

35

WWW.REGISTRAR.WISC.EDU

For more info, Office of the Registrar

Brochures
FAQs On-line

tutorials On-site training One-on-one consultation

36

NOW FOR SOMETHING ENTIRELY DIFFERENT

A data security case study

37

THE FACTS
On an unnamed Big 10 university campus DoIT Store website collecting data from hits This data was being analyzed by the web hosting service Web hosting service posted its findings

Any warning signs?

38

THE REST OF THE STORY

The data being captured included

campus

IDs and NetIDs Old Campus IDs used to contain SSNs

Web hosting service didnt know about SSNs Captured data posted on semi-public site

39

THE ANALYSIS
All were capable, professional entities They didnt know They didnt anticipate

Therefore

40

THE MORAL OF THE STORY

Dont overestimate
other folks knowledge or motivation.

Dont underestimate
the value that you can add.

41

AGENDA
1.

2.

General discussion Defining sensitive data

---------- BREAK ----------

3. 4.

How do I find sensitive data? Handling a data security incident

---------- BREAK ----------

5.

Closing remarks & next steps

42

43

AGENDA
1.

2.

General discussion Defining sensitive data

---------- BREAK ----------

3. 4.

How do I find sensitive data? Handling a data security incident

---------- BREAK ----------

5.

Closing remarks & next steps

44

BEFORE RUNNING A SCAN!!

These scans will produce unusual nettraffic !

GET INFORMED PERMISSION!!!
45

FINDING SENSITIVE INFORMATION?

PII = Personally identifiable information Numerous applications, called PII finders

They

scan drives They locate recognizable patterns They produce reports

You dont always know what is on your machine

46

HOW?

Question: How might sensitive data find its way onto a piece of hardware?

47

PII FINDER

Identity Finder
Being

considered by UW DoIT Security group More costly, but more robust Free edition is now available, so its worth a try

Lets see how it works.

48

ARE YOU AT RISK?

OCIS provides access to a few scanning tools These tools test the security of network & workstation This will tell you whether you are at risk.

49

BEFORE RUNNING A SCAN!!

These scans will produce unusual nettraffic !

GET INFORMED PERMISSION!!!
50

AGENDA
1.

2.

General discussion Defining sensitive data

---------- BREAK ----------

3. 4.

How do I find sensitive data? Handling a data security incident

---------- BREAK ----------

5.

Closing remarks & next steps

51

INCIDENT VS. BREACH

Define incident
Undetermined

whether data has been lost Any number of scenarios

Losing

a laptop Firewall down Critical patches are out-of-date Hacked, or infected with malware

52

INCIDENT VS. BREACH

Define breach
We

know data has been acquired by unauthorized person

53

INCIDENT VS. BREACH

54

WELL-HANDLED INCIDENTS
Well-handled incidents will reduce
1. 2.

your exposure, the universitys exposure.

55

DISCUSSION QUESTION

Do you have an incident handling process?

56

Incident Response Flowchart

- Department

- Investigators
- CIO - Admin Leader Team - University Commns

57

Incident Response Flowchart

- Department

- Investigators
- CIO - Admin Leader Team - University Commns

58

The part you need to know

59

1 WHAT HAPPENED?

Incident

Any exposure Any risk Not a breach, yet

60

2 WAS DATA AT RISK?

Was sensitive information at risk?

Does the device contain sensitive information? Was that information accessible by nonauthorized user?
Physically accessible Cyber-accessible

(judgment?)
61

3 IF NO RESOLVE THE INCIDENT

Close the issue No need to report it

62

4 IF YES REPORT THE INCIDENT

You need to escalate the issue But, how do you report an incident?

63

HOW TO REPORT AN INCIDENT?

It depends.

Non-urgent: abuse@doit.wisc.edu Need a faster response?

Open a DoIT HelpDesk ticket They can escalate it if necessary Contact Network Operations Center (NOC) Phone: 263-4188

After hours?

64

WHAT DO I DO?
Preserve as much data as possible.

Do not tamper with the information

This can hinder further investigation.

Remove device from the network

This cuts off any remote access to the machine

Some forensic information may be stored in cache

Do not power-off the machine

65

SCENARIOS
1.

2.

3.

A laptop in your department has been infected with a virus. You have a single workstation that interfaces with a special piece of scientific equipment. It runs an unsupported OS. You are concerned that it may have been compromised. You get a call saying your departments web server is unexpectedly serving pop-up ads.
66

AGENDA
1.

2.

General discussion Defining sensitive data

---------- BREAK ----------

3. 4.

How do I find sensitive data? Handling a data security incident

---------- BREAK ----------

5.

Closing remarks & next steps

67

68

AGENDA
1.

2.

General discussion Defining sensitive data

---------- BREAK ----------

3. 4.

How do I find sensitive data? Handling a data security incident

---------- BREAK ----------

5.

Closing remarks & next steps

69

GOALS FOR THESE COURSES (REMINDER)

To continue the campus-wide conversation Advertise OCIS training resources Increase networking (social) within IT community on UW campuses Share war stories

lessons

learned, scars received.

70

THE TROUBLE WITH SENSITIVE DATA

Difficult to get rid of. Considerations It replicates Do you really need the data?

Hardcopy Rethink business practices. Cached Frequently re-assess security Email forward standards. Backed up Things change Yesterday: SSNs Get rid of it! (if possible) Tomorrow: Mobile phone numbers?

Office of Campus Information Security

OCIS is your friend

71

OCIS IS YOUR FRIEND

www.cio.wisc.edu/security

Training and Lockdown

Extensive resources
Individual & Departmental Security risk assessment IT Security Principles
72

IT SECURITY PRINCIPLE #1
Principle #1: Security is everyones responsibility.

It takes a village...

Managers IT support Office staff Faculty End users Students Campus police You!

73

IT SECURITY PRINCIPLE #2
Principle #2: Security is part of the development life cycle.

Plan for it!

Not an after-thought! Designed into the project plan i.e. Allocate the necessary resources Logging & auditing capabilities Layering security defenses

74

IT SECURITY PRINCIPLE #3
Principle #3: Security is asset management.

Lock it up! Classification of data Establishing privileges Separating or redistributing job responsibilities and duties

75

IT SECURITY PRINCIPLE #4
Principle #4: Security is a common understanding.

Think it through! Due diligence Risks & Threats

Costs (OCIS assessment)

Incident handling

76

WHEN I GET BACK TO THE OFFICE 1

Find the data

Ask

your manager Do we generate, use, receive, store sensitive data? If so, what measures, practices are in place

77

WHEN I GET BACK TO THE OFFICE 2

Scanning for sensitive data

Identify

Finder GET PERMISSION FIRST! Suggest that you scour ALL servers

78

70% of data breaches involve data the owners didnt even know was there.

79

WHEN I GET BACK TO THE OFFICE 3

Prepare to respond to an incident

Inquire

about current response procedure Make sure it is well-known, published Remember our flow chart

80

WHEN I GET BACK TO THE OFFICE 4

Keep the conversation alive

Share

info with coworkers Bookmark OCIS website Future IT security courses Put appointment in calendar to check progress

81

RESOURCES

Organizations
www.doit.wisc.edu/about/advisory.asp
TechPartners
Sign-up

forum

CTIG

Campus Technical Issues Group

for presentations, attend and join?

Watch

MTAG

Madison Technology Advisory Group

they exist appointed roles

Know

82

RESOURCES & NEXT STEPS

Refer to your handout

When

I Get Back to My Office, I Will

83

AGENDA - RECAP
1. 2.

General discussion Defining sensitive data

3.
4.

How do I find sensitive data?

Handling a data security incident

5.

Resources & Next steps

84

THE END

Thank you!
Please fill out the course evaluation and leave it by the door on your way out.

85