May 26, 2013

Protect your UM Passwords!

The University email system has been inundated lately with phishing emails. These take various forms and purport to come from both people and groups you know. This illustrates one key point the IT security awareness presentation emphasizes: the “From” part of an email message is easily forged by criminals to lead you into believing a message comes from a legitimate source. As always, a best practice is to not click links in email messages. While we all realize your common work correspondence includes links, these phishing messages are unsolicited emails that were not part of an ongoing email conversation. Another key feature these messages rely on is that they imply they are from IT professionals asking you to “verify” your login information. IT will NEVER send you an email asking you to verify your login credentials.

Some of the sites these emails direct you to will attempt to install malware on your computer. If your system and antivirus patches are not up to date, key logging or screen capturing software can be installed on your computer. Software to destroy all the data on your computer could be installed, or, as a worst case, a rootkit can be put in place to completely take over the computer system without your knowledge or consent.

Inadvertently revealing your login password via these phishing attempts is magnified significantly with the use of VPN. Your VPN credentials are the same as your email credentials. Once authenticated via VPN, a remote host becomes a “trusted” host. If a criminal logs into VPN as “you,” the remote computer they are using then becomes a “trusted” host and the security measures put in place are circumvented.

Some best practices to keep in mind concerning your user account:

  • NEVER click links in unsolicited emails!
  • Use good passwords and change them every 90 days. Good passwords are a minimum of 8 characters with upper/lower case letters, special characters and numbers.
    • Even better passwords can be based on a phrase and approximately 15 characters if your system will permit.
  • Always be suspicious of a site that asks for your account or personal information. Familiarize yourself with the address bar at the top of your browser. Be wary of entering your account information if the site’s address does not end in “olemiss.edu.”

Additional trust is given with VPN access. Please take care of your account!
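The two warning signs described above, a forged “From” address and links that do not lead to the university’s domain, can both be checked automatically from the raw message headers and body. The script below is an added example, not part of the original article and not a tool the University provides; it uses only the Python standard library, treats “olemiss.edu” as the trusted domain (taken from the advice above), and runs against a constructed sample message.

```python
"""Added example (not from the original newsletter): flag common phishing
signs in a raw email message using only the Python standard library.

It checks two things the article warns about:
  * the visible "From" address is easily forged, so compare its domain with
    the Reply-To and Return-Path headers that actually route replies;
  * links whose host is not the trusted domain or a real subdomain of it.
The message below is constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "olemiss.edu"  # assumption taken from the article's advice

# Constructed sample: claims to be IT, but replies and links go elsewhere.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
From: IT Helpdesk <helpdesk@olemiss.edu>
Reply-To: verify-account@example-phish.net
To: someone@olemiss.edu
Subject: Verify your login credentials
Content-Type: text/plain

Your mailbox is full. Verify your account within 24 hours:
http://olemiss.edu.example-phish.net/login
Otherwise see http://www.olemiss.edu/it for details.
"""


def domain_of(address: str) -> str:
    """Return the lowercase domain part of an address header, or '' if none."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_is_trusted(host: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only if host is the trusted domain or a real subdomain of it.
    'olemiss.edu.example-phish.net' must not pass, so compare the suffix
    with a leading dot instead of testing `trusted in host`."""
    host = host.lower()
    return host == trusted or host.endswith("." + trusted)


def phishing_indicators(raw: str, trusted: str = TRUSTED_DOMAIN) -> list:
    """Return a list of human-readable warnings for the given raw message."""
    msg = message_from_string(raw)
    warnings = []

    # 1. Routing headers that disagree with the displayed sender.
    from_domain = domain_of(msg.get("From", ""))
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(header, ""))
        if other and other != from_domain:
            warnings.append(
                f"{header} domain '{other}' differs from From domain '{from_domain}'"
            )

    # 2. Links in any text part that do not lead to the trusted domain.
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if not host_is_trusted(host, trusted):
            warnings.append(f"link to untrusted host '{host}': {url}")
    return warnings


if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE_MESSAGE):
        print("WARNING:", warning)
```

The suffix check in `host_is_trusted` is the important detail: a naive `"olemiss.edu" in host` test would accept `olemiss.edu.example-phish.net`, which is exactly the kind of look-alike address the article tells you to watch for in the address bar.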


Laptop Theft: Anything But Uncommon

According to University Police, 17 laptops have been reported stolen on the Ole Miss campus since August 2012.

It’s important to keep in mind that this number doesn’t reflect stolen smartphones or tablets, only laptops. With technology doubling every 2 years, there are multiple ways to keep yourself, and your mobile devices, protected. The best approach to defending yourself against thieves is to have multiple layers of security. This includes using software to locate your devices in case of theft, encrypting stored personal data, and writing down serial numbers, MAC addresses, and model numbers.  The most effective theft deterrent, however, is using common sense.

UNPROTECTED MOBILE DEVICES

Don’t leave your devices unprotected, not even for a second. A majority of thefts occur when students step away from their mobile devices during study sessions, prior to class, or in offices while leaving the door unlocked. It’s important to remember never to leave your hardware lying around, as it takes only seconds to pick up an unattended device. Some deterrents against laptop thieves include visual stickers, labels, or metal plates indicating the laptop can be traced; cable locks that anchor the hardware to a chair or table; or even laptop theft alarm systems.

GPS TRACKING SOFTWARE FOR MAC AND PC

For Mac hardware, it’s possible to set up location software, called Find My iPhone, using an iCloud account. This allows you to locate your MacBook, iPhone or iPad using their built-in location capabilities. You can also remotely lock the device, wipe it, have it play a sound, or even display a message on the screen. For PCs, a program called Prey can help you locate your laptop in the event of theft, and offers many of the same options as the Find My iPhone software.

MAKE YOUR LAPTOP IDENTIFIABLE

There are ways to make sure your laptop is harder to sell in the event of theft, which can be a theft deterrent on its own. One method is “tagging” your laptop, which entails applying a metal security plate with a customized barcode linking to the owner’s information. One of the more common brands of this product is called the Stop Tag, which boasts requiring 800 pounds of pressure to remove, and also has a chemically bonded tattoo underneath that says “Stolen Property.”

PROTECT YOUR PRIVACY

According to a report by Javelin Strategy and Research, in 2012 there were over 12 million cases of identity fraud. It’s important to make sure that your personal information is secure on any of your devices, especially laptops. To keep personal information safe, it’s important to choose strong passwords composed of a mix of upper and lowercase letters and numbers. It’s also recommended to change your passwords frequently. For added security, you can set up encryption for sensitive files on your devices, requiring a special password to access them.

ENCRYPTING YOUR PERSONAL INFORMATION

Setting up part or all of your hard drive to be encrypted can help keep your personal information safe in the event of theft, and is relatively easy to do. For Macs running Mountain Lion, you simply use Disk Utility to create a partitioned section of the hard drive, choose 128-bit or 256-bit encryption (256-bit is more secure, but slower), and then enter the password you want to use for access to the partitioned drive. (Instructions Here) For PCs, AxCrypt allows the encryption of single files, and is the self-proclaimed leading open-source encryption program for Windows. (Instructions Here)

* It is important to note that if you encrypt your data, you MUST remember the password used for the encryption. If you forget or lose it, you will be unable to retrieve any of the encrypted data.

REPORT ANY THEFTS IMMEDIATELY

In the event of theft of any personal devices, be sure to notify University Police immediately. The longer you wait to notify the police, the less likely you will be to find stolen devices. UPD can be reached at 662-915-7234, or via email at upd@olemiss.edu.


Online UM Security Awareness Training

Since 2005, select University employees have been required to participate in security awareness training.  In the past, these required sessions have taken place in a classroom/lecture format.  As of September 17, 2012, the University has partnered with the SANS Institute to offer online security awareness training.  The online training modules are organized to train specific groups such as SAP GUI users, Information Technology specialists, and others.  Online training modules will need to be completed by all SAP GUI users on or before December 21, 2012.  If training is not completed by this deadline,  SAP accounts will be locked until this requirement is met.  (Once the requirement is met, email will need to be sent to davidd@olemiss.edu  to unlock accounts.) 

About SANS Institute

“The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and by far the largest source for information security training in the world. Courses are taught by real-world practitioners who are the best at ensuring you not only learn the material, but that you can apply it immediately when you return to the office” ( www.sans.org).  “The online training we chose through SANS is a standardized presentation that covers in depth security awareness issues,” says David Drewrey, Director of Telecommunications/Security Coordinator.

Importance of Security Awareness Training

The purpose of security awareness training is to raise awareness, change behaviors, reduce risks, and educate those who handle sensitive data on computer networks, systems, etc. “Security awareness training is important for users to know the dangers that exist as well as the mitigation techniques and best practices in online communication,” says David Drewrey.  “Examples of scenarios that can occur due to non-security awareness are computer viruses, malware, identity theft, spam, phishing, exposure to criminal elements, etc.”

SAP GUI Users and Select Employees

All targeted groups for security awareness training will start receiving email from David Drewrey, davidd@olemiss.edu, on September 17, 2012.  The subject line will be “University of Mississippi SAP Security Awareness Training Account.”  The email will provide your login information to the training modules.  Once you log in, you will be required to reset your password.  Here’s a sample of the communication that will be forthcoming:

Dear (User’s Name),

 All University of Mississippi SAP GUI users must attend a security awareness presentation every two  years to become aware of the latest security issues and techniques available to protect university data.  Information Technology has purchased online training from SANS (www.sans.org), which users can view and complete at their own pace.  These modules must be completed by December 21, 2012 in order to retain access to SAP.  The SAP GUI accounts belonging to those who have not completed security training by the indicated deadline will be disabled.  Others who deal with sensitive data as part of their jobs are strongly encouraged to complete the training.

A security awareness training account has been created for you and you have been issued with a temporary password.

Your login information is as follows:

Username:   WebID@olemiss.edu

Password:   initial_password

                      (You will need to change your password when you log in the first time.)

To start using your security awareness training account, log in at:  https://vle.securingthehuman.org/login/

In most mail programs, this should appear as a blue link which you can just click on.  If that does not work, then cut and paste the address into the address line at the top of your web browser window.

Once you have changed your password, please click on Quick Start Introduction to receive instructions.

Thank you,

David Drewrey
Director of Telecommunications/Security Coordinator
davidd@olemiss.edu


Duration of the Training Modules

Each of the training modules is approximately 3-5 minutes in length; the entire training is approximately 1 hour.  You can complete these modules at your own pace, just as long as all is completed by the December 21, 2012 deadline.  The system automatically saves and keeps track of your completed modules.

Non-SAP GUI Users and Other UM Employees

For non-SAP GUI users and other UM employees, you can register for the classroom security awareness training or request online training.  We can accommodate up to 400 additional users in the online training.  You are not required to attend this training, but it is highly recommended.  For available classroom security awareness training dates, please visit http://ittraining.olemiss.edu/ or contact David Drewrey at davidd@olemiss.edu.

More Information

Security training reminders will be sent via UM Today.  All questions about security awareness can be directed to davidd@olemiss.edu.

How to Protect Your Passwords

With increasing use of the Internet in this digital world, it is very important that you secure your information with a strong password.  You have heard that you should always use a password that is complex and hard to guess or crack.  So, what constitutes a strong password?  The following are few guidelines or “things to think about” when managing your passwords:

• Choose your password wisely.  The password should use at least 8 characters (the longer, the better).  According to a study by Carnegie Mellon University,  “The biggest factor in determining the strength of your password is its length.”

• The password should be built using a mixture of upper and lower case letters, at least one number, and if the site or service allows, special characters (&, ?, @, !, #, etc.).  This makes it nearly impossible for anyone to guess the password. Using a sentence or pass phrase that is easy to remember can also help create a strong password.  You can check your password strength at Microsoft’s Password Checker, passfault.com, or howsecureismypassword.net.

• If you think you cannot create an unbreakable password, there are plenty of tools like PC Tools Secure Password Generator which will generate a strong password for you.

• You should never share your password with anyone, not even your best friend, your relative, or your colleague.

• Use different passwords for different sites and software.  In case somebody hacks your account, this limits the possible damage to only one site.

• These days, almost everyone has a LinkedIn account, a Facebook profile, and a Twitter feed that expose some personal information to the outside world.  So, never create your passwords from personal information that has been made public or can be guessed due to the availability on such websites.

• You should change your password frequently, at least once every three months.  Always change your password if you think there is a chance that someone has seen it.

• Avoid letting browsers save or store your passwords.  Make sure that you log out of the program or system when you are done with your work, especially on public computers.

• The best way to protect your passwords is to memorize them all. However, remembering different passwords for various sites, services, and software may be a difficult task.  In such situations, you can use the password manager that comes with your Internet security software, for example, Norton Internet Security 2012 or Kaspersky Internet Security 2013.

In today’s password-driven world, these tips and tricks can help you create a strong password that will secure your information from malicious hackers.
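The guidelines above (and the shorter list in the “Protect your UM Passwords!” article: at least 8 characters, upper and lower case, numbers, special characters, with a longer phrase being better still) can be turned into a checker that also makes the “length is the biggest factor” point measurable. The script below is an added example, not code from the article or from any of the password-checking sites it names. It estimates the search space an exhaustive guesser would face from the character classes actually used and the length; that estimate is an upper bound, since real attackers try dictionary words and common patterns first.

```python
"""Added example (not from the original newsletter): check a password against
the article's guidelines and estimate its brute-force search space.

Policy assumed from the article: at least 8 characters, at least one
lower-case letter, one upper-case letter, one digit and one special
character. The search-space estimate assumes an attacker guesses uniformly
over the character classes the password uses, so it is an upper bound.
"""
import math
import string

SPECIALS = set(string.punctuation)
# Size of each character class for the search-space estimate.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": len(string.punctuation)}


def character_classes(password: str) -> dict:
    """Which of the four classes appear in the password."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIALS for c in password),
    }


def meets_policy(password: str, min_length: int = 8) -> list:
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, present in character_classes(password).items():
        if not present:
            problems.append(f"no {name} character")
    return problems


def search_space_bits(password: str) -> float:
    """log2 of the number of candidates an exhaustive search must cover,
    given the classes used and the length: length * log2(alphabet size)."""
    used = character_classes(password)
    alphabet = sum(size for name, size in CLASS_SIZES.items() if used[name])
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at the given guess rate.
    1e10 guesses/s is a constructed figure for an offline attack on a
    stolen fast hash; it is not measured from any real system."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed samples: an 8-character "complex" password and a longer,
    # all-lower-case passphrase of the kind the article recommends.
    for candidate in ("Tr0ub4d!", "walkbythegrovetoday"):
        problems = meets_policy(candidate)
        bits = search_space_bits(candidate)
        print(f"{candidate!r}: policy {'OK' if not problems else problems}, "
              f"{bits:.1f} bits, ~{years_to_exhaust(bits):.2g} years to exhaust")
```

Running it shows the trade-off the article describes: the 8-character password satisfies every class rule yet has roughly 52 bits of search space, while the 19-character lower-case phrase fails three of the class rules and still has roughly 89 bits. A phrase that also mixes in a capital, a digit and a symbol satisfies both the policy and the length advice.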


Easy-to-Use Data Protection with Hardware Encryption Devices

Encryption is a technique to protect data by making it unintelligible to unauthorized users.  Historically, using encryption techniques to protect files has been difficult.  The process frequently requires the assistance of an IT expert.

Times have changed.  Over the last few months IT staff members have been testing the latest hardware encryption devices that provide ways to protect data with few hassles.  Two devices emerged that combine exceptional security with ease of use:  the Corsair USB Padlock 2 flash drive and the BUSlink CipherShield AES 256-bit external drive.  Both devices use USB to connect to a computer.  Both devices work with Windows, Macintosh and Linux computers without additional software installations.

The Corsair USB Padlock 2 device has built-in 256-bit hardware AES encryption for locking the device against unauthorized access. AES is an acronym for Advanced Encryption Standard, an encryption standard adopted by the U.S. Government. The “256-bit” refers to the key length, the largest AES supports, so this is the strongest option available today.

On the Corsair flash drive, there are five buttons used to create a four- to ten-character PIN. Initially, you create a personal PIN and memorize it. Then, before plugging the device in to your computer, enter the correct PIN to enable the drive. This Corsair flash drive contains built-in hacking detection that locks the device for two minutes after five failed attempts. Corsair USB Padlock 2 drives are currently priced at approximately $30 for the 8 GB model and approximately $50 for the 16 GB model.
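The lockout described above is what makes a short PIN workable: every five wrong guesses cost the attacker two minutes, so exhausting even a four-character PIN takes hours rather than seconds. The model below is an added example, not Corsair’s firmware and not derived from it. It assumes that each of the five buttons contributes one symbol per PIN position, that any four- to ten-symbol sequence is a valid PIN, and that five consecutive failures lock the device for 120 seconds, as the article states; the one second per attempt figure is a constructed assumption.

```python
"""Added example (not from the original newsletter and not Corsair's code):
a model of the brute-force throttling the article describes.

Assumptions: 5 symbols per PIN position (one per button), PIN length 4-10,
MAX_FAILURES consecutive wrong PINs lock the device for LOCKOUT_SECONDS.
"""
SYMBOLS_PER_POSITION = 5
MIN_PIN_LENGTH, MAX_PIN_LENGTH = 4, 10
MAX_FAILURES = 5
LOCKOUT_SECONDS = 120


class ManualClock:
    """Injectable clock so the lockout can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class PinLock:
    """Tracks consecutive failures and enforces a temporary lockout."""

    def __init__(self, pin: str, now):
        if not (MIN_PIN_LENGTH <= len(pin) <= MAX_PIN_LENGTH):
            raise ValueError("PIN must be 4 to 10 symbols")
        self._pin = pin
        self._now = now          # callable returning the current time in seconds
        self.failures = 0
        self.locked_until = 0.0

    def is_locked(self) -> bool:
        return self._now() < self.locked_until

    def try_pin(self, attempt: str) -> bool:
        """Return True if the PIN is accepted. While locked, every attempt,
        even the correct one, is rejected; that is the whole point."""
        if self.is_locked():
            return False
        if attempt == self._pin:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = self._now() + LOCKOUT_SECONDS
        return False


def keyspace(length: int) -> int:
    """Number of distinct PINs of the given length."""
    return SYMBOLS_PER_POSITION ** length


def worst_case_seconds(length: int, seconds_per_attempt: float = 1.0) -> float:
    """Time to try every PIN of the given length when the correct one is last:
    n attempts, and a lockout after every MAX_FAILURES of the n-1 failures."""
    n = keyspace(length)
    lockouts = (n - 1) // MAX_FAILURES
    return n * seconds_per_attempt + lockouts * LOCKOUT_SECONDS


if __name__ == "__main__":
    for length in (MIN_PIN_LENGTH, MAX_PIN_LENGTH):
        secs = worst_case_seconds(length)
        print(f"{length}-symbol PIN: {keyspace(length)} candidates, "
              f"worst case {secs / 3600:.1f} hours ({secs / 3.15e7:.2f} years)")
```

With these assumptions a four-symbol PIN has 625 candidates and takes about 4.3 hours to exhaust, while a ten-symbol PIN takes several years; without the lockout the same 625 candidates would fall in about ten minutes at one attempt per second, which is why the article’s advice to use the longest PIN you can remember still matters.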

The BUSlink CipherShield AES 256-bit external hard drive offers more storage capacity than a USB flash storage device, up to 6 TB of storage on some models. Support for USB 3.0 is available for faster access. Like the Corsair USB drive, the BUSlink CipherShield drive uses AES encryption. The convenient feature of the CipherShield models is the easy encryption method: it uses a physical key. Plug the key in to the drive and access is granted. Remove the key and the data is encrypted and inaccessible.

Two keys are delivered with the models. Since the key is essential to accessing drive data, DO NOT carry, ship or store the key in the drive. This negates the data security and would be similar to locking an office door but leaving the key in the door knob. Also, the BUSlink CipherShield drive is just like any external hard drive and is sensitive to damage from water, dropping or any physical hazards. The BUSlink CipherShield drives range in price based on storage capacity. Drive sizes range from 160 GB to 6 TB. Currently, a 1 TB CipherShield AES 256-bit Encryption External Hard Drive sells for $559.99 through BUSlink.

If you have questions about these products, please contact David Drewrey, the University of Mississippi Security Coordinator and Director of Telecommunications.

Cloud Storage and Sensitive Data

Effective July 1, 2011, Mississippi has a data breach notification law, House Bill 583. This law defines what data is considered to be sensitive (confidential), what constitutes a breach under this law, and the process that must be followed in the event sensitive information is “leaked” in a data breach. In addition to the state law description, the University also considers student grades, private correspondence, classified research, etc. as sensitive. The growing trend to store business, including university, data on a “cloud” has brought to the forefront data security issues and concerns.

Sites like Dropbox, Amazon, Google and countless others offer storage that can be accessed remotely from any device (desktop, laptop, smartphone, tablet, etc.) using the Internet. Users should note, however, that this convenience comes at a price – a price that can be too high when sensitive data is involved. Cloud-based services for storing data are very popular, mostly because of the easy, convenient access they provide. Often, this easy access is the driving factor for using cloud computing, and other critical concerns such as reliability, data security and liability are relegated to the background. This article focuses on the security, liability and reliability risks of cloud-based data storage services.

How Safe is Your Data in “the Cloud”?

While larger, more reputable cloud storage companies have the money, resources, and technical expertise to address reliability and security, they often contain usage clauses that free them from any responsibility for “lost, stolen, or damaged data” or from unauthorized access to data. However, if you cause a person’s sensitive data to be compromised, you are responsible under Mississippi law. The University will be required to notify every individual whose data was exposed and may be subject to other penalties. Meanwhile, the cloud service itself will be insulated from the consequences of any breach by its usage agreement. This may prevent you and your organization from recouping any of the costs associated with the breach; it also reduces the service’s incentive to protect data as carefully as it should.

Data Breach Examples

Last month, Dropbox had a security issue in which password authentication was disabled for 4 hours. This means that any documents stored on their servers were susceptible to access without a password during this interval. The Computer World article has complete details.

The following Security News Daily article from May 4 of this year detailed a vulnerability in which Dropbox stores unencrypted login files on each device. In the event these login files were copied maliciously, the user’s entire account would be accessible without requiring any login credentials:
http://www.securitynewsdaily.com/cracks-in-cloud-security-issues-loom-over-online-backup-services-0752/

University Policy for Protecting Sensitive Data

UM’s Information Confidentiality/Security Policy addresses the requirements for protecting confidential data. It is never acceptable to store confidential data such as grades, social security numbers, private correspondence, classified research, etc. on externally hosted systems, including cloud-based storage systems, without a contract that is fully vetted for compliance with university policies.

Secure Document Exchange

Screenshot of Secure Document Exchange application

Please keep in mind that confidential data should not be sent using email either. Likewise, do not store files that contain sensitive data on Web servers where they might be inadvertently accessed or indexed by search engines such as Google. The safest way to exchange sensitive or confidential information with other university employees is by using Secure Document Exchange within myOleMiss. To access Secure Document Exchange, point your Web browser to my.olemiss.edu, and choose Employee -> Tools and then Secure Document Exchange from the Detailed Navigation on the left.

Be Aware!

It is more important than ever to be aware of how you store and transmit confidential data. Your first choice should always be to store confidential data on university-owned, protected systems such as those housed in the Data Center and protected by a university firewall. If information must be stored at the department level or on your desktop or laptop computer, then the servers on which the data resides must be registered with IT so they can be scanned periodically for any security vulnerabilities. Occasionally, departments may have a need to use externally hosted systems that contain sensitive data. In this case, the contract for these services must address the requirements for protecting confidential data as defined in UM’s Information Confidentiality/Security policy.
If you have any questions related to IT security, please contact the IT Helpdesk and we will work with your office to find solutions for protecting and storing sensitive or confidential data.