Information Security Awareness Training

Presentation transcript:

Information Security Awareness Training

Welcome. Why is this important?
- Identity theft is the #1 fastest growing crime in the world.
- According to the Multi-State Information Sharing and Analysis Center, cyber crime is big business, costing 24 countries $388 billion in 2011.
- Cybercrime has affected 431 million adults around the world in the past year.
- Forty-four percent of all online adults have experienced cyber crime in the last year.
- Forty-two percent of younger children (grades 4-8) have been cyber bullied.

Many of us have (direct or indirect) access to sensitive data: custodians, data entry people, call center employees, HR, IT, healthcare.

UMMS Information Security Office

What is Information Security?

InfoSec is the protection of data in all forms:
- Electronic files: static files, database files
- Paper documents: printed materials, hand-written notes, photographs
- Recordings: video recordings, audio recordings
- Conversations: telephone, cell phone, face to face
- Messages: email, fax, video, instant messages, paper messages

Whether or not an employee uses a computer in their job, we must consider that sensitive data can be found in many forms (the list above). Email and data are now everywhere, including on your smart phone and other mobile devices. If your mobile device is not password protected and is stolen or lost, you risk exposing UMMS sensitive emails to cyber criminals. Papers printed and left on the train, face-to-face conversations, fax, telephone calls… Visible computer monitors showing sensitive data can cause a reportable breach, and worse, the school may not even know it happened, much less respond to it.

Why is this Important?

A data breach could result in:
- Requirement to report the loss (HIPAA, FERPA, MGL c.93H, PCI, SOX, others)
- Civil and criminal penalties
- Damage to organizational reputation
- Loss of revenue
- Individual accountability

Potential impacts of a breach: the HIPAA fee structure is $50k per record, up to $1.5M (annual maximum). Criminal and civil fines, organizational reputation, lost revenue (unlike TJX), individual accountability (including YOU and me!!).

Isn’t this just a technical problem?

- Technology defenses comprise roughly 15% of our controls.
- Technical controls often cannot compensate for users’ behavior.
- Cyber-criminals focus on users as a weak link in security.
- Having a security-aware workforce is a requirement in today’s threat landscape.

Technology continues to keep out most “legacy” threats (viruses, etc.) and many new ones. Technical controls are like a seat belt in a car: the seat belt (control) helps protect you, but you need to be a good driver to avoid accidents (malicious attackers). Users who click on spam email or who visit infected web sites invite malware inside our network perimeter. Getting users to click on the “bad things” is the focus of cyber criminals, and these are organized criminal syndicates. Employees knowing not to click on suspicious content is today’s best defense.

What are the risks?

Evolving “threat landscape”: older attacks targeted infrastructure; modern attacks target users.

Nature of the threat landscape: over 90% of cyber thieves are affiliated with organized crime, and their sophistication rivals that of commercial software vendors.

Methods of infection: cyber thieves attack high-volume web sites, and computers that visit the site become infected; email-borne malware. The infected machine “phones home” to say “I’m infected”, and the attackers use the infected computer to strengthen their hold on the organization.

“Attacks” used to consist of mostly harmless but annoying website defacements and viruses. These attacks were obvious and relatively unsophisticated. Today’s attacks are quiet, below the radar, and impactful. 90% are perpetrated by organized crime, and cross multiple international jurisdictions, typically those that do not have good diplomatic relations. Attackers have an arsenal of easily accessible (you can even rent the service!), sophisticated tools such as the Black Hole exploit kit. These tools are quickly updated with the latest software vulnerabilities, often before a “fix” is available from the software vendor. Methods of infection: a “poisoned web site” or email-borne “badness”; each gives the attackers a “toe-hold” on the target.

Social Engineering and Top Techniques

Social engineering is “the art of manipulating people into performing actions or divulging confidential information”. Examples:
- Reply now in order to keep your email account from being deleted.
- Did you see this video of YOU? Check out this link!
- Click here to see a message from your secret admirer.
- You’ve won the big sweepstakes! Click here to claim your prize.
- Can you hold the door for me? I don’t have my access card.
- Hi, I’m the rep from the copier company and I’m here to see Jeff.

“APTs”; Mitnick quote. Have any of these happened to you?

APT (Advanced Persistent Threat): highly sophisticated organized crime using state-of-the-art tools to go after a very specific target at a specific business, e.g. highly sensitive research data, PHI, PII. Determined until done; willing to wait weeks or longer to get the data.

Example, close to home: a user receives an email that at first glance appears to be from the “IT Department”. The account is about to be deleted, and the user needs to reply immediately with username and password so the account is not deleted. The user replies “Is this legit?”. The response: “Yes”. The user unknowingly sends credentials to a person of malicious intent. Fortunately we were able to catch it quickly and change the password before damage was done.

Dead giveaways:
- IS will NEVER ask for your username and password. Doing so is against the AUP. NEVER SHARE YOUR PASSWORD! Accountability.
- URGENT, must do NOW!
- The sender’s email address was not from IS.

Ask a reputable source to confirm a real request: the Help Desk.

Before I turn to the next slide: who owns a flash/USB drive? Show.

“Amateurs target systems. Professionals target people.” - Kevin Mitnick

An Honest Mistake

To work at home, you copy sensitive information onto a handy USB flash drive. You lose your flash drive. The data which you took from your secure work computer is now possibly in the hands of someone who can use it inappropriately. The likelihood of this scenario is increasing as the use of convenient plug-and-play devices like USB flash drives becomes more common.

Who owns a flash/USB drive? How would you prevent this from happening? VPN to your desktop from home. Keep data at work where it is secure!!

Example: Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. to pay $1.5 million to resolve HIPAA charges, and take a series of corrective actions. A stolen, non-encrypted laptop contained patient info. All UMMS-issued laptops are required to be encrypted via IS.

What can I do?

- Become aware of cyber threats.
- Understand that YOU are often the front line of defense against cyber threats.
- Select a strong password, and never share it!!
- Remain guarded when working with data, email, and the WWW.
- Understand data sensitivity and how to manage data appropriately.
- Safeguard information that is entrusted to you.
- Report suspected InfoSec incidents (UMass Help Desk, 508-856-UMHD).

Develop awareness of these problems. Understand that YOUR computer habits can either invite or discourage people of malicious intent. Understand the sensitivity of data that is entrusted to you, and know how to handle it. Report suspected incidents…

Security Resources

- UMMS IS Help Desk: 508-856-8643
- Look for our IT Security postings on Inside.umassmed.edu
- UMass Security Policy: http://media.umassp.edu/massedu/policy/2-1-12%20University%20Information%20Security%20Policy.pdf
- Take the MSISAC Cyber Security Pledge: https://msisac.cisecurity.org/cyber-pledge/
- Daily tip: https://msisac.cisecurity.org/daily-tips/

Security resources: Help Desk, MOTD/Alerts on Inside.umassmed.edu, policy, pledge, daily tips.

FIN. Welcome to UMMS! Discussion.