Security Awareness at MU Becky Thurmond Fowler April 7, 2005
Why Do We Care About Security Education? Importance of average user to security of the network as a whole Secure environment required to conduct business (education) Many users already care about security, they just lack the necessary knowledge
How Can We Educate Users? Start a security awareness program!
You Are the Key to Security! IAT Services Security Awareness Training Winter 2004
MU Security Awareness Program Two main components of program – Activities based on monthly topics – Security awareness training Trying to reach varied audiences – Faculty/Staff – On-campus students – Off-campus students
Choosing the Right Topics Listed known weaknesses in our environment and compared with industry trends Researched federal laws that apply to the University Looked at industry leaders to see what they considered important
Possible Topics Best Practices Physical Security Identity Theft Digital Millennium Copyright Act (DMCA) Workstation Security Internet Threats –Phishing, Spyware, Keylogging
August/September ’04: Best Practices
October ’04: Identity Theft
November ’04: Awareness Day
December ’04: Safe Shopping / Fraud
January/February ’05: DMCA
March ’05: Internet Threats
April ’05: AntiVirus Protection
May ’05: IM Security
Delivery Methods Posters Table tents (dining halls) Technology newsletter articles Security Awareness web page Payroll stuffers Training courses Guest speakers, special events
Best Practices Poster campaign Best Practices Web Page
Identity Theft Table tents in dining halls Guest speaker –Officer Jenna Redel, MUPD –Announced via mass e-mail –One hour presentation ID Theft Presentation
MU Security Awareness Day Security Awareness Day Webpage Free one-day workshop –Guest speakers Department of Justice, FBI, MOREnet, Apple, Cisco, Microsoft and Symantec Identity theft, cyber terrorism, online safety for kids, security initiatives of key technology companies Raffle prizes to encourage attendance
Security Awareness Training One hour instructor led course – Password safety – Workstation security – Physical security – Internet and e-mail security – Social Engineering/Principle of least privilege – FERPA/HIPAA overview Online course in development – Same topics as instructor led course – Student version and faculty/staff version
Key Points Don’t use your PawPrint and password on external entities. Always choose a secure password!
Password Cracking – It’s Easier Than You Think!
# of Characters   26 (abc)         36 (abc123)       52 (AaBbCc)
6                 51.5 minutes     3.74 hours        13.7 days
7                 22.3 hours       9.07 days         3.91 months
8                 24.2 days        10.7 months       17.0 years
9                 1.72 years       32.2 years        8.82 centuries
10                44.8 years       1.16 millennia    45.8 millennia
11                11.6 centuries   41.7 millennia    2,384 millennia
12                30.3 millennia   1,503 millennia   123,946 millennia
What Could Someone Do If They Had Your Password? Send threatening e-mail on your behalf Access Web sites on which you have enabled one-click ordering and purchase items with your credit card
What Could Someone Do If They Had Your Password? Connect to MU e-mail servers and spam thousands of people Gain access to the MU network and attack other entities on your behalf
Characteristics of A Secure Password Easy to remember Can be typed quickly without having to look at the keyboard Mix of apparently random letters, digits, and punctuation
Xms25thoD* = “Christmas is on the 25th of December*” Ihomdf5y. = “I have owned my dog for 5 years.”
UMC PawPrint Password Requirements Your password MUST: – Consist of between 8 and 26 characters – Contain at least one character from each of the following: Lowercase letters: a-z Uppercase letters: A-Z Digits: 0-9 Special Characters: ( * & ) = ? | ^ } / _ > # : - + ; ] ~, [ <.
UMC PawPrint Password Requirements Your password MAY NOT: – Be a word found in a dictionary – Be the same as your PawPrint – Contain a space – Contain symbols other than the approved special characters – Contain UMC related terms (tiger, truman, jesse, etc)
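The MUST and MAY NOT rules above can be expressed as a single checker that reports every rule a candidate password breaks. This is an added example, not code from the presentation or from MU: the function name, the sample word list, the inclusion of the comma and period in the approved set, and the letters-only dictionary comparison are all assumptions.

```python
import string

# Approved special characters as listed on the slide. Treating the comma and
# the final period as members of the set is an assumption (the slide text is
# ambiguous); the slide's own example "Ihomdf5y." relies on the period.
APPROVED_SPECIALS = set("(*&)=?|^}/_>#:-+;]~,[<.")
# Terms named on the slide; its "etc" means the real list is longer.
UMC_TERMS = ("tiger", "truman", "jesse")
# Constructed stand-in for a real dictionary file.
SAMPLE_WORDS = {"password", "secret", "christmas", "december"}


def check_pawprint_password(password, pawprint, words=SAMPLE_WORDS):
    """Return a list of rule violations; an empty list means it passes."""
    problems = []
    if not 8 <= len(password) <= 26:
        problems.append("length must be 8-26 characters")
    classes = {
        "lowercase letter": string.ascii_lowercase,
        "uppercase letter": string.ascii_uppercase,
        "digit": string.digits,
        "approved special character": APPROVED_SPECIALS,
    }
    for name, chars in classes.items():
        if not any(c in chars for c in password):
            problems.append(f"missing {name}")
    if " " in password:
        problems.append("contains a space")
    allowed = set(string.ascii_letters + string.digits) | APPROVED_SPECIALS
    bad = sorted({c for c in password if c not in allowed and c != " "})
    if bad:
        problems.append("unapproved symbols: " + "".join(bad))
    lowered = password.lower()
    if lowered == pawprint.lower():
        problems.append("same as PawPrint")
    # Assumption: compare only the letters, so "Password1#" still counts
    # as the dictionary word "password".
    letters_only = "".join(c for c in lowered if c.isalpha())
    if letters_only in words:
        problems.append("dictionary word")
    for term in UMC_TERMS:
        if term in lowered:
            problems.append(f"contains UMC term '{term}'")
    return problems
```

Returning the full list of violations, rather than stopping at the first, lets a password-change form tell the user everything to fix in one pass.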
Things To Avoid When Choosing a Password Simple keyboard patterns University or state team names Use of the word “password” or “secret”
Password Safety Never share your password with anyone! There are other methods of granting access to data and systems if there is a legitimate need.
Password Safety (Continued) Change your password regularly using the Password Manager. Don’t record your passwords any place they could be vulnerable, including Web pages that can store your login ID and password.
Treat Your Password Like Your Signature Your password is the major form of protection for your computer account and the University resources that you have permission to access.
Web CT Course Course covers same topics as in-person training Ideal for departments/groups not based on campus Flexible for those with limited time
Obstacles Requests for training customization –Meet with department/student representative prior to training to go over content Scheduling Issues –Require minimum of 20 people per session
Obstacles Communicating with faculty/staff and off-campus students –Working closely with internal marketing group to leverage non-standard avenues of communication –Encourage departmental IT professionals to communicate with faculty & staff Metrics
Lessons Learned Intra-departmental cooperation is vital Success requires a long term commitment Flexibility is important because of the rapidly changing environment One size does not fit all
Future Goals Improve metrics to measure effectiveness of program Increase visibility of program on campus Make WebCT course mandatory for students
Future Goals Continue to revise the security awareness program to make it relevant for the current user
Questions or Comments? Becky Thurmond Fowler firstname.lastname@example.org http://iatservices.missouri.edu/safe-computing