The Training Post: An Educational Computer Based Training Program (CBT)

UTPA Information Security Awareness Course
General Information Security Training
The University of Texas - Pan American Information Security Office
Information Security Awareness Training Objectives
- How UTPA protects its systems, data, and research
- Acceptable use of UTPA Information Technology resources
- Recognition of different types of sensitive information
- Access control and how to ensure login credentials are secure
- Staying safe while visiting the World Wide Web
- Heighten awareness of physical security measures and illustrate the value of backing up work
- Evaluate what can be done to increase workstation security
UTPA User Acknowledgement
Please be aware that by viewing this presentation, you agree to follow UTPA’s policies and requirements regarding the use and protection of state resources.

UTPA User Acknowledgement, cont.
- UTPA HOP 8.9.1 – Policy for the Use and Protection of Information Resources: http://www.utpa.edu/newhop/files/pdf/J5234461.pdf
- UTPA HOP 8.9.2 – Computer and Information Technology Use Policy: http://www.utpa.edu/newhop/files/pdf/F9165952.pdf
- UTPA HOP 8.9.4 – Server Management Policy: http://www.utpa.edu/newhop/files/pdf/V4519997.pdf
- UTS165 – Information Resources Use and Security Policy: http://www.utsystem.edu/policy/ov/uts165.html
Section 1: Security Overview
How does UTPA protect its systems?
- Spam filter for e-mail
- Firewalls
- Intrusion detection (from outside the UTPA campus)
- 24-7 network monitoring
- Anti-virus software for servers, workstations and e-mail
Main Goals of I.T. Security
- Confidentiality – the requirement that sensitive information is protected from unauthorized disclosure
- Availability – automated systems are available when needed

Main Goals of I.T. Security (cont.)
- Integrity – electronic information that is not corrupted
- Authenticity – the ability to verify that data has not changed in transit
- Non-repudiation – the origin and receipt of a message can be verified
- Accountability – the actions of a person can be traced to that individual
What Can You Do to Help?
- Follow the technical, personnel, administrative, and telecommunication safeguards for the computer systems you use.
- Follow the UTPA and UT-System information resource policies.
- Report computer incidents or any incidents of suspected fraud, waste, or misuse.
- Obtain a Verisign Digital Certificate by contacting the I.T. Help Desk. It allows an e-mail sender to use a “digital signature” to verify their identity in e-mail, as well as to encrypt messages deemed “security sensitive”.
Where can you find more information? The UTPA Information Technology web page (http://www.utpa.edu/it)
Section 2: Using Resources
Using I.T. Resources
Why do we have rules? Knowledgeable users are the foundation of a successful security program. People behave best when they know their responsibilities and boundaries.

Using I.T. Resources
The UTPA general rules for staff use of I.T. resources:
- Limit personal use of the Internet, as it is primarily for business purposes.
- Be careful when navigating to sites of unknown security.
- Be aware that sensitive information can be intercepted on the Internet and over e-mail unless it is encrypted.
- No downloading of videos, music, or other software that uses large amounts of network resources and that can be subject to copyright laws.
Questions to ask before opening suspicious e-mail attachments
- Is the subject line strange?
- Do I recognize the sender?
- Is it work-related?
- Does the filename and/or extension seem suspicious?
- Was I expecting an attachment in the reply?
- Does the received message ask for personal data?
If you’re still in doubt, DO NOT OPEN!

UTPA Acceptable Use Policy with regard to personal use of equipment
UTPA policy does allow for limited personal use if:
- The use is incidental and does not interfere with staff productivity or operations
- It is not used in a way that could embarrass UTPA
- It does not compromise UTPA systems or security safeguards
- It does not violate applicable laws or UTPA policies
Section 3: Internet Safety
Internet Safety
What can Internet intruders do?
- Infect machines
- Steal information
- Turn your machine into a zombie to launch attacks on other machines and networks
- Deface UTPA’s websites, bring e-mail and Internet services to a crawl, disrupt operations, and cause financial and productivity chaos
- They can also learn about YOU

Internet Safety
Where do intruders come from?
- Teenage pranksters
- Hackers (both foreign and domestic)
- Disgruntled former employees
- Terrorists and/or criminals
- Foreign intelligence agents
- Spyware
Internet Safety
What to do to reduce your machine’s vulnerability:
- Scan your machine for viruses and other malware on a regular basis.
- Avoid phishing scams in e-mail and on the Internet. Phishing is a term coined by hackers who imitate legitimate companies in e-mails to entice people to share personal information. Do not provide personal information, such as passwords, credit card numbers or any data that can be used to grant access to your information, in reply to an e-mail message.
- Use good judgment when visiting websites and opening messages from people you don’t know.

Internet Safety, cont.
What to do to reduce your machine’s vulnerability:
- Keep your machine up to date with any patches and critical updates that are released for new and existing vulnerabilities.
- Contact the UTPA Help Desk to have your computer centrally managed; all essential updates and antivirus definitions will then be automatically pushed out to your machine.
Section 4: Office, Personal, and Workstation Basics
Office Considerations
As you look at the entrance to your office, ask yourself:
- Is it easy for people to walk up and get access to my workstation?
- Is my paperwork hidden from view or easily accessible to anyone who walks in?
- Is fax machine access limited to UTPA employees only, and are the printouts picked up in a timely manner?
- Do we shred documents regularly?

Office Considerations
When leaving the office at the end of the day, ask yourself:
- Do I log off and shut down when leaving for the day?
- Do I regularly back up important files in case my computer crashes and isn’t recoverable?
- Is my laptop locked away or secured with a security cable to prevent theft?
- Do I lock my door when I leave the office?
- Is my screensaver set to activate after 5 or 10 minutes of inactivity?
Password Basics
One of the most effective ways to protect access to a computer system is password protection. Unfortunately, people often create weak passwords. A name, a pet’s name, a dictionary word… all can be guessed, generally within seconds. Take time to create a strong password.
Strong password:
- Consists of at least 10 characters (uppercase and lowercase letters, numbers, and any of the following special characters: !#%^*()-=+/;:,.`~). Example: tolmerr12!
- Never post or share your password, or store it on your workstation. Memorize it and do not write it down where it can be compromised.
- Change it frequently.
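The slide states the policy in words; a checker that applies it mechanically makes the rules concrete. The following is an added example written for this page, not UTPA's own code or tool. It implements the stated rule (at least 10 characters, drawn from uppercase, lowercase, digits and the listed special characters) and adds two assumptions the slide does not spell out: at least three of the four character classes must be present (the slide's own example tolmerr12! satisfies this), and the password is rejected when, after stripping digits and specials, what remains is a word in a small constructed word list standing in for a real dictionary/name list.

```python
import re
import string

# Policy as stated on the slide: minimum length and the permitted special set.
MIN_LENGTH = 10
SPECIALS = "!#%^*()-=+/;:,.`~"

# Assumption: require at least this many of the four character classes.
MIN_CLASSES = 3

# Constructed stand-in for a dictionary / common-name list. A real checker
# would load a full word list (assumed: one lowercase word per line).
COMMON_WORDS = {"password", "welcome", "summer", "fluffy", "texas", "admin", "university"}


def character_classes(pw):
    """Return the set of character classes used; 'disallowed' marks any
    character outside the policy's permitted set."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
        else:
            classes.add("disallowed")
    return classes


def check_password(pw):
    """Return (ok, reasons): ok is True when every rule passes, otherwise
    reasons lists each rule that failed so the user can fix the password."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    classes = character_classes(pw)
    if "disallowed" in classes:
        reasons.append("contains characters outside the permitted set")
    if len(classes - {"disallowed"}) < MIN_CLASSES:
        reasons.append("uses fewer than %d kinds of character" % MIN_CLASSES)
    # Strip digits and specials; a bare dictionary word underneath is still guessable.
    core = re.sub(r"[^a-z]", "", pw.lower())
    if core in COMMON_WORDS:
        reasons.append("built from a common word or name")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["tolmerr12!", "fluffy1!", "Password123!", "abcdefghijkl"]:
        ok, why = check_password(candidate)
        print("%-14s %s %s" % (candidate, "OK" if ok else "REJECT", "; ".join(why)))
```

Run it directly to see each candidate judged against the rules; the dictionary check is the part most worth expanding in a real deployment, since the slide's point is that names and words are guessed within seconds regardless of the digits appended to them.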
Workstation Basics
Final housekeeping advice:
- Periodically clean up your workstation by deleting files you no longer need. They take up space and use network resources unnecessarily.
- Dispose of old disks and workstations by contacting the I.T. Help Desk at x2020.
- Clear out your Internet browser cache on a regular basis.
Section 5: Access Controls
Access Controls
What do access controls do?
- Keep out unauthorized users and limit what authorized users can do.
- Help stop people with various motives from reading, copying, stealing, deleting, disclosing, or modifying sensitive information.
- Also help prevent access that is above and beyond a person’s span of authority.

Access Controls
Understanding your access responsibility is important because you play a significant role in preventing unauthorized access. So that everyone understands what it means to use State Agency computers, UTPA uses a Warning Banner that appears when you log on.

Access Controls
The Warning Banner tells you that:
- State Agency computers are to be used by authorized users for authorized purposes only.
- Failure to follow this restriction can lead to disciplinary action, which can include criminal prosecution.
- You could be monitored at any time.
- You should have no expectation of privacy.
Section 6: Sensitive Data
Sensitive Data
One may think that e-mail is a secure medium in which to send sensitive data, but the reality is, it’s not. Because it is clear text, a person monitoring the network can see the message going across and easily steal the information it contains.

Sensitive Data: Portable Devices
Storing sensitive data on portable devices must be approved by both the Data Owner and Supervisor before an individual can place any sensitive data on a portable device. If approval is given, the device MUST BE encrypted.

What is considered sensitive data?
- Credit Card Numbers
- Social Security Numbers
- Driver’s License Numbers
- Automated Clearing House information (i.e., bank account numbers)
- Certificate/License Numbers
- Credit Reports/Histories
- Electronic Signatures
- Passwords
- PIN Numbers
FERPA and/or HIPAA protected information is also included.
Sensitive Data As per UTS 165: “Except in those instances in which an Entity is legally required to collect a social security number, an individual shall not be required to disclose his or her social security number, nor shall the individual be denied access to the services at issue if the individual refuses to disclose his or her social security number”
Sensitive Data
What can you do to make sure sensitive data is kept safe?
- Do not send it over e-mail. If you absolutely must send sensitive data via e-mail, it is recommended that you obtain a Verisign Digital ID by contacting the I.T. Help Desk. The Digital ID allows the sender to use encryption to keep the information secure; however, the receiver must also have a Digital ID for the encryption to be successful.
- Encryption is a way of coding the information in a file or e-mail message so that if it is intercepted by a third party as it travels over a network it cannot be read. Only the persons sending and receiving the information have the key, and this makes it unreadable to anyone except the intended persons.

Sensitive Data, cont.
What can you do to make sure sensitive data is safe?
- Do not place any sensitive data on any publicly accessible medium, including web servers, FTP servers, or public shares.
- Keep your workstation secure, and shred any documents that contain sensitive data on a regular basis.
- Make sure to properly dispose of any media (CDs, floppy disks, flash drives, ZIP drives) that contains sensitive data by contacting Environmental Health and Safety.
- If you absolutely have to deal with sensitive data, please contact the Help Desk for encryption software for your workstation.
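The slides list what counts as sensitive data and say it must not go out in clear-text e-mail. A mail gateway or send-time plugin can enforce that rule for the two items in the list that have a recognizable shape, Social Security Numbers and credit card numbers. The following is an added example, not UTPA's code or any product's; it scans a constructed message body, flags SSN-shaped values (excluding area/group/serial ranges the SSA never issues) and 13 to 19 digit runs that pass the Luhn check, and returns masked findings so a log entry never repeats the data it caught. The other listed items (driver's license, certificate numbers, account numbers) vary too much in format for a pattern check and are deliberately not attempted here.

```python
import re

# SSN: ddd-dd-dddd, rejecting area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13-19 digits with optional single space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample message (not a real e-mail); the card number is a well-known test PAN.
SAMPLE_EMAIL = (
    "Hi, here is what you asked for. My SSN is 123-45-6789 and the card is "
    "4111 1111 1111 1111. Call me at 956-555-0100 if anything is unclear."
)


def luhn_ok(digits):
    """Luhn checksum: True for a syntactically valid card number."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def scan_message(text):
    """Return findings ordered by position, each a dict with the kind and a
    masked form (last four digits only) suitable for a log line."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append({"kind": "ssn", "start": m.start(),
                         "masked": "***-**-" + m.group()[-4:]})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):  # drops order numbers and other digit runs
            findings.append({"kind": "card", "start": m.start(),
                             "masked": "*" * (len(digits) - 4) + digits[-4:]})
    return sorted(findings, key=lambda f: f["start"])


def should_block(text):
    """Policy decision for the send path: block when anything sensitive is found."""
    return len(scan_message(text)) > 0


if __name__ == "__main__":
    for f in scan_message(SAMPLE_EMAIL):
        print("blocked: %s found at offset %d (%s)" % (f["kind"], f["start"], f["masked"]))
    print("block message:", should_block(SAMPLE_EMAIL))
```

The Luhn filter is what keeps the card pattern usable: phone numbers, invoice numbers and most random digit runs fail it, so the block decision rests on more than "there were a lot of digits". Masking in the finding itself means the mail log does not become a second copy of the data the policy is trying to keep out of e-mail.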
Sensitive Data
For further information:
- UT System Security Bulletin on Encrypting and Storing Sensitive Data: http://www.utsystem.edu/ciso/SPB1.pdf
- TAC 202 – Information Security Standards: http://info.sos.state.tx.us/pls/pub/readtac$ext.ViewTAC?tac_view=4&ti=1&pt=10&ch=202&rl=Y
- UTS 165 (UT System Information Resources Use and Security Policy): http://www.utsystem.edu/policy/policies/uts165.html
- UTPA HOP 4.11.1 (Privacy and Security of Personal Information): http://www.utpa.edu/newhop/files/pdf/Q7276862.pdf
Review Questions
Test Your Knowledge Following are several questions to test your knowledge of the information presented. Answer all questions correctly to receive credit for the training.
Question #1
Which of the following is TRUE?
- Access controls keep out unauthorized users and limit what authorized users can do.
- One of the most effective ways to protect access to a computer system is password protection.
- Both of the above statements are true.
Question #2
You have an expectation of privacy when using a UTPA-owned computer.
- TRUE
- FALSE
Question #3
What can Internet intruders do?
- Infect machines
- Steal information
- Deface websites
- All of the above
Question #4
Which of the following can be considered “sensitive data”?
- Social Security Numbers
- Credit Card Numbers
- Passwords
- All of the above
Question #5
Clear-text information going across a network in an e-mail message can be read and/or stolen by a hacker who is monitoring the network.
- TRUE
- FALSE
Question #6
A portable device that has been authorized to carry sensitive data does not have to be encrypted.
- TRUE
- FALSE
Question #7
It is safe to download a file or click on a link in a message from an unknown sender.
- TRUE
- FALSE
Question #8
It is a good idea to forward chain letters to everyone you know who has a UTPA e-mail address.
- TRUE
- FALSE
Congratulations… you have completed your training for Information Security Awareness.
The University of Texas - Pan American Information Security Office

The End