FERPA & Data Security: Passwords and Authenticators

Mike Tassey, Data Security Advisor, Privacy Technical Assistance Center (PTAC)

Agenda
About schools and data security
Passwords: how do they work?
Various authenticator attacks
Best practices for password security
Pro tips for individual data security
How PTAC can help / security resources

FERPA & Data Security
FERPA states that we must use "reasonable methods" to protect the PII in student education records from unauthorized disclosure. So what does FERPA say about passwords or other data security controls?

Yup… Nada… Nothing… Zilch…

Why doesn’t FERPA tell me how to protect student records?

FERPA is a child of the 70’s. Records used to be paper. Computers…. LOL. Its authors could not imagine longitudinal data systems, or linking computers together in a network. FERPA was 9 years old when the Internet was born!

rea·son·a·ble meth·od /ˈrēz(ə)nəb(ə)l/ /ˈmeTHəd/
We generally interpret "reasonable methods" to mean that set of security controls which would be deemed in line with current accepted security and privacy best practices for data of similar sensitivity.

Cyber budget = $5.45 Billion.
Cyber budget = the gym teacher.

Identification: who you claim to be.
Authentication: how you prove who you are.
Authorization: what you are allowed to access.

Authentication factors: something you know, something you have, something you are.

What are passwords? Strings of characters that you remember and that are hard for anyone else to guess. Their strength rests on entropy: how many equally likely strings an attacker would have to try.

A double-edged sword: onerous passwords get written down; a password reused across systems means one breach compromises every account that shares it; so supplement passwords with additional factors.

Cracking by brute force (assuming an attacker rate of 3,000,000,000 guesses per second, which is modest for a GPU against a fast, unsalted hash):
PassWord1 treated as 9 characters drawn from upper case, lower case and digits: log2(62) = 5.95 bits × 9 characters = 54 bits of entropy; 2^54 / 3,000,000,000 guesses per second = 69 days to exhaust the keyspace.
PassWord1 treated as 3 dictionary tokens (Pass, Word, 1), each drawn from a 7,776-word list: log2(7776) = 12.9 bits × 3 tokens = 39 bits of entropy; 2^39 / 3,000,000,000 guesses per second = 3 minutes.
But "PassWord1" meets the complexity requirements!
Both figures are the time to exhaust the whole keyspace; on average the password falls in half that. A salted, deliberately slow hash cuts the attacker's guess rate by orders of magnitude; a password built from dictionary tokens is cheap to guess under any hash.
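As an added example (not part of the PTAC deck), the script below computes the two estimates from the slide for any password: the character-class brute-force figure, and the dictionary-token figure obtained by splitting the password at case changes and digit runs, so that "PassWord1" becomes three tokens. The guess rate and the 7,776-word list size are the slide's assumptions; the tokenizer is a heuristic chosen for this script. The slide rounds 53.6 bits up to 54, which is why it reports 69 days where this script prints 52.

```python
"""Password entropy two ways, with time to exhaust the keyspace.

Added example; not from the PTAC deck. Guess rate and wordlist size are the
slide's assumptions; the tokenizer is an assumption of this script.
"""
import math
import re
import string

GUESSES_PER_SECOND = 3_000_000_000   # slide's attacker rate (fast, unsalted hash)
WORDLIST_SIZE = 7776                 # slide's per-token dictionary size (6^5, Diceware)

# Runs of capitals, Capitalised words, lowercase words, digit runs, anything else.
_TOKEN = re.compile(r"[A-Z]+(?![a-z])|[A-Z][a-z]*|[a-z]+|\d+|[^A-Za-z\d]+")


def alphabet_size(password: str) -> int:
    """Size of the union of the character classes the password actually uses."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32
        (string.whitespace, 1),                          # all whitespace counted as space
    )
    return sum(size for chars, size in classes if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """Entropy if every string of this length over the alphabet must be tried."""
    return len(password) * math.log2(max(alphabet_size(password), 1))


def tokenize(password: str) -> list:
    """Heuristic split into guessable units: 'PassWord1' -> ['Pass', 'Word', '1'].
    A real cracker splits against its wordlist instead of by case changes."""
    return _TOKEN.findall(password)


def dictionary_bits(password: str, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy if each word or number token is one pick from the wordlist
    (the slide's 3-token model). Separators such as spaces cost nothing."""
    tokens = [t for t in tokenize(password) if t.isalnum()]
    return len(tokens) * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case; the expected time to find the password is half of this."""
    return 2 ** bits / rate


def human(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def assess(password: str) -> dict:
    bf, dc = brute_force_bits(password), dictionary_bits(password)
    return {
        "tokens": tokenize(password),
        "brute_force_bits": round(bf, 1),
        "brute_force_time": human(seconds_to_exhaust(bf)),
        "dictionary_bits": round(dc, 1),
        "dictionary_time": human(seconds_to_exhaust(dc)),
    }


if __name__ == "__main__":
    for pw in ("PassWord1", "correct horse battery staple"):
        print(pw, assess(pw))
```

The second sample shows the other side of the same lesson: the brute-force model credits a four-word passphrase with over 130 bits, while the dictionary model gives it about 52 bits, which is still far more than "PassWord1" but is the figure a cracker with a wordlist actually faces.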

Rainbow tables: a time/memory trade-off. The hashes of a whole keyspace are computed once and stored compactly as chains; a captured hash is then recovered by lookup instead of by guessing, reducing cracking time by orders of magnitude. They only work against unsalted hashes: a per-user salt means the table would have to be rebuilt for every salt value.
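The trade-off in working form, as an added example that is not from the deck: a toy rainbow table over the 10,000 four-digit PINs hashed with unsalted MD5. Only chain endpoints are stored, a position-dependent reduction function keeps colliding chains from merging, and a lookup walks the captured hash forward to a stored endpoint and then replays that chain. The keyspace, chain length and chain count are this script's choices, picked small enough to run in well under a second; the mechanism is the real one.

```python
"""Toy rainbow table over 4-digit PINs hashed with unsalted MD5.

Added example; not from the PTAC deck. Keyspace and chain sizes are chosen
small so the whole thing runs quickly; the chain/reduction mechanism is real.
"""
import hashlib
from typing import Dict, Optional

KEYSPACE = 10_000      # PINs "0000".."9999"
CHAIN_LENGTH = 20      # hashes per chain
CHAIN_COUNT = 1_500    # chains computed; only (end -> start) is stored


def h(pin: str, salt: str = "") -> str:
    """The hash being attacked: unsalted MD5 unless a salt is supplied."""
    return hashlib.md5((salt + pin).encode()).hexdigest()


def reduce_to_pin(digest: str, position: int) -> str:
    """Map a digest back into the keyspace. The column position is mixed in so
    each column uses a different reduction, which is what stops two chains that
    collide in different columns from merging (the rainbow improvement)."""
    return f"{(int(digest[:12], 16) + position) % KEYSPACE:04d}"


def build_table(salt: str = "") -> Dict[str, str]:
    """Precompute CHAIN_COUNT chains, storing only their endpoints.
    Memory: CHAIN_COUNT entries. Work represented: CHAIN_COUNT * CHAIN_LENGTH hashes."""
    table: Dict[str, str] = {}
    for i in range(CHAIN_COUNT):
        start = f"{(i * 7919) % KEYSPACE:04d}"  # 7919 is coprime to 10000: distinct starts
        pin = start
        for pos in range(CHAIN_LENGTH):
            pin = reduce_to_pin(h(pin, salt), pos)
        table.setdefault(pin, start)             # chains that merged keep the first start
    return table


def lookup(target: str, table: Dict[str, str], salt: str = "") -> Optional[str]:
    """Recover the preimage of `target` if some stored chain passed through it.

    For every column the target could occupy: reduce it, walk to the chain end,
    and if that end is stored, replay the chain from its start until a PIN
    hashes to the target. False alarms (end matches, chain lacks the target)
    simply fall through to the next column."""
    for column in range(CHAIN_LENGTH - 1, -1, -1):
        pin = reduce_to_pin(target, column)
        for pos in range(column + 1, CHAIN_LENGTH):
            pin = reduce_to_pin(h(pin, salt), pos)
        start = table.get(pin)
        if start is None:
            continue
        candidate = start
        for pos in range(CHAIN_LENGTH):
            if h(candidate, salt) == target:
                return candidate
            candidate = reduce_to_pin(h(candidate, salt), pos)
    return None


def coverage(table: Dict[str, str], salt: str = "", step: int = 1) -> float:
    """Fraction of the keyspace the table recovers (sampling every `step`-th PIN)."""
    pins = [f"{p:04d}" for p in range(0, KEYSPACE, step)]
    hits = sum(lookup(h(p, salt), table, salt) == p for p in pins)
    return hits / len(pins)


if __name__ == "__main__":
    table = build_table()
    print("stored endpoints:", len(table), "coverage:", coverage(table, step=10))
    print("unsalted 1234 ->", lookup(h("1234"), table))
    # The same table is useless against a salted hash: each salt needs its own table.
    print("salted   1234 ->", lookup(h("1234", "s4lt"), table))
```

With these parameters the table holds well under 1,500 endpoints yet recovers a majority of the PINs; merged chains are what cost the rest, which is why real tables are built "perfect" (merged chains discarded and replaced). The salted lookup at the end returns nothing, because a salt changes every chain in the table.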

Password hashing: the password itself is not stored. A hashing algorithm is a one-way function that returns a fixed-length string for any input; the same input always gives the same output, the output is practically unique to that input, and the input cannot be derived from the hash.

Using the SHA-256 hashing algorithm:
Input value: PassWord1
Output value (as transcribed from the slide; the transcript has lost some of the 64 hex digits): c04265d72b749 debd67451c aa572742e3 222e86884de16 485fa14b55e7

In most modern authentication systems it is the hash of the submitted password that is compared against the stored hash, never the password itself!

Let’s Hack Stuff

Review: the application did not sanitize user input. The resulting SQL injection vulnerability handed the attacker the table of user password hashes. Unsalted MD5 hashes are trivial to crack: one precomputed table covers every user at once. Strong (salted, slow) hashing, or proper input filtering and parameterized queries, would have saved them.
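The whole chain from the review slide, reproduced in miniature as an added example (not the deck's demo, which the transcript does not include): an in-memory SQLite user table with constructed accounts, a login query built by string formatting beside a parameterized one, and unsalted MD5 storage beside salted PBKDF2 storage. It also illustrates the earlier point that the hash, not the password, is what gets compared. The account names, passwords, wordlist and iteration count are this script's assumptions.

```python
"""The review slide's failure chain, reproduced in miniature with SQLite.

Added example; not from the PTAC deck. Users, passwords and wordlist are
constructed sample data.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Dict, List, Optional, Tuple

ITERATIONS = 100_000   # PBKDF2 work factor; raise it for production (see OWASP guidance)
WORDLIST = ["123456", "password", "PassWord1", "letmein", "qwerty"]               # constructed
ACCOUNTS = [("alice", "PassWord1"), ("bob", "letmein"), ("carol", "Tr0ub4dor&3")]  # constructed


def md5_store(password: str) -> str:
    """What the breached application did: unsalted, fast, identical for identical passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as 'salthex$dkhex'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def pbkdf2_verify(password: str, stored: str) -> bool:
    """The hash is compared, never the password; compare_digest avoids timing leaks."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, md5 TEXT, pbkdf2 TEXT)")
    for name, pw in ACCOUNTS:
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, md5_store(pw), pbkdf2_store(pw)))
    return db


def login_vulnerable(db, name: str, password: str) -> List[Tuple[str, str]]:
    """Unsanitized input spliced into SQL text: name = "' OR 1=1 --" dumps every hash."""
    query = (f"SELECT name, md5 FROM users WHERE name = '{name}' "
             f"AND md5 = '{md5_store(password)}'")
    return db.execute(query).fetchall()


def login_safe(db, name: str, password: str) -> List[Tuple[str, str]]:
    """Parameterized: the input is always data, never SQL."""
    return db.execute("SELECT name, md5 FROM users WHERE name = ? AND md5 = ?",
                      (name, md5_store(password))).fetchall()


def crack_md5(rows, wordlist) -> Tuple[Dict[str, Optional[str]], int]:
    """One precomputed table serves the whole dump: cost = len(wordlist) fast hashes in total."""
    table = {md5_store(w): w for w in wordlist}
    return {name: table.get(digest) for name, digest in rows}, len(wordlist)


def crack_pbkdf2(rows, wordlist) -> Tuple[Dict[str, Optional[str]], int]:
    """Per-user salts force the wordlist to be re-hashed for every user, and each
    hash costs ITERATIONS HMAC calls: cost = up to len(rows) * len(wordlist) slow hashes."""
    cracked: Dict[str, Optional[str]] = {}
    calls = 0
    for name, stored in rows:
        cracked[name] = None
        for w in wordlist:
            calls += 1
            if pbkdf2_verify(w, stored):
                cracked[name] = w
                break
    return cracked, calls


if __name__ == "__main__":
    db = make_db()
    print("injection dump:", login_vulnerable(db, "' OR 1=1 --", "anything"))
    print("same input, parameterized:", login_safe(db, "' OR 1=1 --", "anything"))
    print("md5   :", crack_md5(db.execute("SELECT name, md5 FROM users").fetchall(), WORDLIST))
    print("pbkdf2:", crack_pbkdf2(db.execute("SELECT name, pbkdf2 FROM users").fetchall(), WORDLIST))
```

Note that alice and bob still fall to the PBKDF2 dictionary attack, because their passwords are in the wordlist; salt and work factor make every guess cost more and stop one table from covering every user, but they do not rescue a guessable password. Carol survives both attacks only because her password is not on the list.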

Password security best practices
Complexity is nice; length is better.
Avoid common passwords.
Passphrases are better than words.
Change them often, and always on suspected compromise (current NIST guidance, SP 800-63B, favors changing on compromise over scheduled rotation).
Don’t reuse passwords across systems.
Beware storing passwords in browsers.

Pro tips for digital survival
Set a screen lock / passcode.
Stop clicking on stuff!
Update software and OS regularly.
Look for HTTPS in the URL (necessary, not sufficient: it proves the connection to the named site is encrypted, not that the site is honest).
Install and update AV / anti-malware.
Back up your data.. No seriously.. Do it.

PTAC Services & Assistance
Privacy & security resources on: data sharing/dissemination, disclosure avoidance, data security and data governance; legal references (FERPA and cross-agency).
Technical assistance site visits to state and local educational agencies.
Hands-on support for establishing and reviewing security policy, data governance, FERPA compliance, staff training, and related topics.
Support center, including an interactive help desk, offering assistance via phone or email.

ED/PTAC resources available
FERPA training: FERPA 101 professional training video; FERPA 201 (Data Sharing) professional training video; FERPA 301 (Postsecondary) professional training video; FERPA 101 for Parents and Students.
Data security: Protecting Student Privacy While Using Online Educational Services; Data Governance Checklist; Cloud Computing; Identity Authentication Best Practices; Data Breach Response Checklist.

Contact Information
Family Policy Compliance Office: Telephone: (202) FAX: (202) Website: familypolicy.ed.gov
Privacy Technical Assistance Center: Telephone: (855) FAX: (855) Website: ptac.ed.gov