Presentation on theme: "Top IT Threats Facing UH Jodi Ito Information Security Officer VP IT & CIO Office Information Technology Services X."— Presentation transcript:
Top IT Threats Facing UH Jodi Ito Information Security Officer VP IT & CIO Office Information Technology Services X
FBI Honolulu Contact Special Agent Jimmy Chen Ph: (808) Report: Suspected child pornography Intrusions/hacking attacks on systems w/ sensitive information (not just sensitive, personal information, but also intellectual property)
Child Pornography On a computer that DID NOT HAVE ANY PASSWORD! No accountability Could be installed by anyone Everyone could be a suspect
Top Security Issues at UH Copyright Violations (DMCA violations) Protecting Sensitive Info & UH Data Breaches Protecting Users, Computers & Networks WE (people) are the weakest link!
What ITS is seeing… Phishing Compromised accounts Increase reports of bot-infected computers Increase in DMCA notices Increase in breaches
Targeted Attacks Subject of phishing attacks are specifically selected Such as senior administrators & management Uses social engineering techniques Very convincing messages and images: North Carolina State University: phishing.html
Compromised UH Usernames Used to send spam & phishes 87 compromised this year <20 before July Most often victims responded to phishing s Account used almost immediately to send spam
Increase in Bot Traffic ITS receiving more reports of “bot” infected machines on UH network Most Torpig & Mebroot Torpig uses fast flux DNS to change name of C&C and malware-infected sites Uses java and Twitter API to generate ®ister new hostnames Designed to harvest sensitive information such as credit card & bank account information
Copyright Violations HEOA All universities must have: An annual disclosure to students describing copyright law and campus policies related to violating copyright law.annual disclosure A plan to “effectively combat the unauthorized distribution of copyrighted materials” by users of its network, including "the use of one or more technology-based deterrents".effectively combat A plan to "offer alternatives to illegal downloading".offer alternatives
HEOA Compliance Compliance by July 1, 2010 Failure to do so: lose all federal financial aid!
UH Statistics: As of 9/2010
DMCA Statistics As of 9/2010
ITS Procedures Identify and Notify If no response, block Currently, infringers are “counseled” and must sign Copyright Notification Failure to do so, blocked & reported to Dean of Students (or supervisor/Dean/Director) for action
UH Policies Executive Policy E2.210: Use and Management of Information Technology Resources Executive Policy E2.214: Security and Protection of Sensitive Information
More UH Policies UH Form 92: UH General Confidentiality Notice System-wide Student Conduct Code
Protecting Sensitive Info Hawaii Revised Statutes: HRS 487J - SSN Protection /HRS0487J/ HRS 487N - Breach Disclosure /HRS0487N/ HRS 487R - Destruction of PI Records /HRS0487R/
UH Breaches RECAP 2009 April: Kapiolani CC 2010 March: Honolulu CC 2010 July: UH Manoa 2010 October (now!) OVER 100,000 exposed records!
October Breach Still under investigation NOT PUBLIC YET! Google indexes ftp: Check all UH public websites for sensitive information!
Open Source Tools Find_SSN: Spider: SENF: https://senf.security.utexas.edu/wiki/
Breach Notification Determined that pursuant to HRS 487N, UH required to do a “Breach Notification”: Written notification to all affected individuals Legislative Report due 20 days after discovery of breach Press Release/website
Personal Information Protection POC
Key Items Campus designee: “Personal Information Protection” Point of Contact Limiting storage and retention of personal information to what is absolutely essential and required by law Review and strengthen internal controls over personal information
Annual Personal Information Survey Information Privacy & Security Council Just completed 2010 ALL systems (electronic or paper) needs to be reported
Policies and Compliance Enforce laws, regulations, policies FERPA, HIPAA, FTC Red Flags, PCI DSS, FISMA, State & Federal laws & regulations, etc. Legal Issues E-Discovery & Litigation holds Subpoenas & National Security Letters Internal Investigations
Protecting Users Increase in compromised UH usernames Used to send spam/phish Increase because: Responding to PHISHES! Weak passwords Using unsecured computers and/or networks
Other Unsafe Behaviors Respond to “phishes” Do not update operating systems and applications on a routine basis Do not use or update anti-virus/anti-spyware software Visit unsafe websites Share accounts/passwords Use unsecured wi-fi for sensitive transactions