FERPA & Data Security: Passwords and Authenticators.



2 FERPA & Data Security: Passwords and Authenticators

3 Mike Tassey, Data Security Advisor, Privacy Technical Assistance Center (PTAC), http://ptac.ed.gov/, E-mail: PrivacyTA@ed.gov, Phone: 855-249-3072

4 Agenda: About schools and data security; Passwords – how do they work?; Various authenticator attacks; Best practices for password security; Pro tips for individual data security; How PTAC can help / security resources

5 FERPA & Data Security: FERPA states that we must use "reasonable methods" to protect PII in student education records from unauthorized disclosure. What does FERPA say about passwords or other data security controls?

6 FERPA & Data Security: Yup… Nada… Nothing… Zilch…

7 FERPA & Data Security: Why doesn't FERPA tell me how to protect student records?

8 FERPA & Data Security: FERPA is a child of the '70s (enacted in 1974). Records used to be paper. Computers…. LOL. Its authors could not imagine longitudinal data systems, or linking computers together in a network. FERPA was 9 years old when the Internet was born!

9 rea·son·a·ble meth·od /ˈrēz(ə)nəb(ə)l ˈmeTHəd/: We generally interpret "reasonable methods" to mean the set of security controls that would be deemed in line with currently accepted security and privacy best practices for data of similar sensitivity.

10 FERPA & Data Security: Cyber budget = $5.45 Billion vs. Cyber budget = Gym Teacher

11 Identification: who you claim to be. Authentication: how you prove who you are. Authorization: what you are allowed to access.

12 FERPA & Data Security: Authentication Factors: something you know, something you have, something you are.

13 FERPA & Data Security: What are passwords? Strings of characters that you remember. They must be hard to guess, and their strength relies on entropy: how many equally likely possibilities an attacker has to try before hitting yours.

14 FERPA & Data Security: A Double-Edged Sword. Onerous password rules get passwords written down. Password reuse means one breached site compromises every other account using that password. Supplement passwords with additional factors.

15 FERPA & Data Security: Using brute force (assuming an offline attacker testing 3,000,000,000 guesses per second against a fast hash). Model 1, character brute force: PassWord1 = 9 characters from a mixed-case alphanumeric set of 62 symbols; log2(62) ≈ 5.95 bits × 9 characters ≈ 54 bits of entropy; 2^54 guesses / 3,000,000,000 guesses per second ≈ 69 days to exhaust the space. Model 2, word-list attack: PassWord1 = 3 tokens from a 7,776-entry word list; log2(7776) ≈ 12.9 bits × 3 tokens ≈ 39 bits of entropy; 2^39 / 3,000,000,000 guesses per second ≈ 3 minutes. The attacker picks whichever model is cheaper, so the real strength is the smaller number. But "PassWord1" meets the requirements!
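A calculator for the two attacker models on this slide, added here as an example (it is not from the presentation). It assumes the slide's 3 billion guesses per second, a 7,776-entry word list, and a constructed stand-in for a breached-password list. Its figures differ slightly from the slide's because the slide rounds to whole bits before dividing: 9 × log2(62) is 53.6 bits, which exhausts in about 52 days rather than 69.

```python
import math

# Assumptions for this worked example (mirroring the slide): an offline attacker
# testing 3 billion guesses per second against a fast, unsalted hash, and a
# word list the size of the standard Diceware list (6^5 = 7776 entries).
GUESSES_PER_SECOND = 3_000_000_000
DICEWARE_LIST_SIZE = 7776
SECONDS_PER_DAY = 86400

# Constructed stand-in for a breached-password list; a real check would use a
# file or service with hundreds of millions of entries.
COMMON_PASSWORDS = {"123456", "password", "password1", "qwerty", "letmein"}


def charset_size(password: str) -> int:
    """Alphabet size a brute-force attacker would assume from the character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_bits(password: str) -> float:
    """Entropy if every position is an independent draw from the charset (the slide's model 1)."""
    return len(password) * math.log2(charset_size(password))


def token_bits(num_tokens: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy if the password is num_tokens entries drawn from a word list (the slide's model 2)."""
    return num_tokens * math.log2(list_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole space; the average hit comes at half of this."""
    return 2.0 ** bits / rate


def effective_bits(password: str, num_tokens: int) -> float:
    """The attacker chooses the cheapest model, so strength is the minimum over models.
    A password on a breach list is effectively 0 bits: it is tried first, whatever its length."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return min(brute_force_bits(password), token_bits(num_tokens))


if __name__ == "__main__":
    pw = "PassWord1"
    for label, bits in (("charset brute force", brute_force_bits(pw)),
                        ("3 word-list tokens", token_bits(3))):
        secs = seconds_to_exhaust(bits)
        print(f"{label:22s} {bits:5.1f} bits  {secs:12.0f} s  ({secs / SECONDS_PER_DAY:.1f} days)")
    print(f"effective strength of {pw}: {effective_bits(pw, 3):.1f} bits")
```

The lesson of effective_bits is the one the slide makes: a policy that checks character classes measures model 1, while a cracker runs model 2 (and the breach list) first.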

16 FERPA & Data Security: Rainbow Tables. A time/memory trade-off: the hashing work is done once, ahead of time, and stored as precomputed chains, so cracking a captured hash becomes a simple lookup instead of a fresh brute-force search, cutting attack time by orders of magnitude. They only work when the same password always produces the same hash, i.e. when hashes are unsalted.

17 FERPA & Data Security: Password Hashing. The password itself is not stored. Hashing algorithms are one-way functions that map an input of any length to a fixed-length string; for a sound algorithm it is computationally infeasible to find two inputs with the same output, so the output acts as a fingerprint of the input. The original value cannot be recovered from the hash, but a guess can be checked by hashing it and comparing, which is exactly what password cracking does.

18 FERPA & Data Security: Using the SHA-256 hashing algorithm. Input value: PassWord1. Output value: c04265d72b749debd67451c083785aa572742e3222e86884de16485fa14b55e7

19 FERPA & Data Security: In most modern authentication systems the hash is what is compared, not the password! The system stores only the hash; at login it hashes what you typed and compares that with the stored value, so the password itself is never stored in the clear.

20 Let's Hack Stuff

21 FERPA & Data Security: Review of the demo. The application didn't sanitize user input. A SQL injection (SQLi) vulnerability gave access to the user table, including the password hashes. Unsalted MD5 hashes are trivial to crack with a word list or rainbow table. A strong, salted password hash or better input handling (parameterized queries) would have saved them.
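The demo reviewed above, together with the hashing and rainbow-table slides before it, condensed into runnable code. This is an added example, not the code of the presentation's demo target: an in-memory SQLite user table, the injectable query beside its parameterized fix, a word-list attack on the unsalted MD5 hashes, and a salted PBKDF2 scheme that the same attack no longer touches. The user names, passwords and word list are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed sample data for this example (not from any real system or breach).
USERS = [("alice", "PassWord1"), ("bob", "letmein"), ("carol", "Tr0ub4dor&3")]
WORDLIST = ["123456", "password", "letmein", "PassWord1", "qwerty"]  # tiny stand-in for a cracking list
INJECTION = "x' OR '1'='1"  # the classic payload; any quote-breaking string would do


def md5_unsalted(password: str) -> str:
    """The weak scheme from the demo: same password -> same hash, for every user and every site."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256). A random per-user salt means a
    precomputed table is useless and identical passwords get different hashes; the iteration
    count is what makes each guess expensive (600k follows current OWASP guidance for PBKDF2)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_db(hash_fn) -> sqlite3.Connection:
    """In-memory user table holding whatever hash_fn produces for each constructed user."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, hash TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [(u, hash_fn(p)) for u, p in USERS])
    return con


def lookup_vulnerable(con: sqlite3.Connection, name: str):
    # BAD: input is concatenated into the statement. A name of  x' OR '1'='1  turns the WHERE
    # clause into  name = 'x' OR '1'='1'  and returns every row, hashes included.
    return con.execute(f"SELECT name, hash FROM users WHERE name = '{name}'").fetchall()


def lookup_parameterized(con: sqlite3.Connection, name: str):
    # GOOD: the driver binds the value separately from the SQL text; the quote is just data.
    return con.execute("SELECT name, hash FROM users WHERE name = ?", (name,)).fetchall()


def crack_unsalted(rows, wordlist) -> dict:
    """Dictionary attack on unsalted MD5. Each candidate is hashed once and matched against
    every user at once; a rainbow table is the same idea with the hashing done in advance."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {name: table[h] for name, h in rows if h in table}


if __name__ == "__main__":
    con = build_db(md5_unsalted)
    dumped = lookup_vulnerable(con, INJECTION)
    print("rows leaked via SQLi:", len(dumped))
    print("cracked from unsalted MD5:", crack_unsalted(dumped, WORDLIST))
    print("same payload, parameterized query:", lookup_parameterized(con, INJECTION))
    salted = build_db(pbkdf2_salted)
    print("cracked from salted PBKDF2:", crack_unsalted(lookup_vulnerable(salted, INJECTION), WORDLIST))
    stored = pbkdf2_salted("PassWord1")
    print("verify right/wrong password:", verify_salted("PassWord1", stored), verify_salted("PassWord2", stored))
```

Against the salted table the same dump cracks nothing: every user's salt is different, so there is no single hash per candidate to precompute, and each guess costs 600,000 HMAC iterations instead of one MD5. bcrypt, scrypt or Argon2 would be used the same way in production; PBKDF2 appears here because it ships in the standard library.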

22 FERPA & Data Security: Password Security Best Practices. Complexity is nice, length is better. Avoid common passwords (anything on a breach list gets tried first). Passphrases are better than single words. Change passwords when you suspect compromise (current NIST guidance, SP 800-63B, no longer calls for scheduled rotation). Don't reuse passwords across sites. Beware storing passwords in browsers.

23 FERPA & Data Security: Pro Tips for Digital Survival. Set a screen lock / passcode. Stop clicking on stuff! Update software and OS regularly. Look for https:// in the URL. Install and update AV / anti-malware. Back up your data… No seriously… Do it.

24 PTAC Services & Assistance: Privacy & security resources on data sharing/dissemination, disclosure avoidance, data security and data governance; legal references (FERPA and cross-agency); technical assistance site visits to state and local educational agencies; hands-on support for establishing and reviewing security policy, data governance, FERPA compliance, staff training, and related topics; a support center, including an interactive help desk, offering assistance via phone or email.

25 ED/PTAC Resources available. FERPA Training: FERPA 101 professional training video; FERPA 201 (Data Sharing) professional training video; FERPA 301 (Postsecondary) professional training video; FERPA 101 for Parents and Students. Data Security: Protecting Student Privacy While Using Online Educational Services; Data Governance Checklist; Cloud Computing; Identity Authentication Best Practices; Data Breach Response Checklist.

26 Contact Information. Family Policy Compliance Office: Telephone (202) 260-3887; Email FERPA@ed.gov; FAX (202) 260-9001; Website familypolicy.ed.gov. Privacy Technical Assistance Center: Telephone (855) 249-3072; Email privacyTA@ed.gov; FAX (855) 249-3073; Website ptac.ed.gov.

