This document outlines an information security roadshow covering topics such as recognizing secure websites, avoiding phishing scams, understanding privacy laws, and best practices for secure computing. It discusses why security is important to protect individuals and institutions from identity theft, data loss, and legal liability. Recommendations are provided for identifying spoofed sites, spotting phishing attempts and social engineering, and complying with regulations such as FERPA, HIPAA, and PCI.
2. Roadshow Outline
Why We Care About Information Security
Safe Computing
• Recognize a Secure Web Site (HTTPS)
• How to Spot a Spoofed Web Site
• Recognize a Phishing Attempt
• What is Social Engineering
Privacy and Compliance
• PCI/HIPAA/FERPA
• Policy
• Privacy and Best Practice
3. Why We Care About Information Security
Personal Reasons:
Identity Theft
Loss of Data
Financial Loss
Poor Computer Performance
Institutional Reasons:
Protect Middlebury College and The Monterey Institute of International Studies
Compliance with Laws and Standards
Prevent Reputational Damage
Reduce Legal Liability for the College
As Well As the Personal Reasons Listed Above
4. How do I Know a Web Site is Secure?
• HTTPS in the address bar is an indicator of a secure web site.
• A web site encrypted with SSL should display a lock icon near the address bar.
• Not all devices or browsers display the same.
5. What is a Spoofed Web Site
• Just because the site looks like MIIS does not mean it is
• Check the address or URL
• Never enter login information unless the site is secure and you have checked the URL
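The two checks from slides 4 and 5 (HTTPS in the address, and the host really being the institution's domain rather than merely resembling it) written out as an added example; this is not part of the original presentation. The hypothetical `check_login_url` helper and the sample links are constructed for illustration; miis.edu is the domain the slides refer to.

```python
from urllib.parse import urlsplit

# Domain taken from the slides; every other value in this file is constructed.
INSTITUTION_DOMAIN = "miis.edu"


def check_login_url(url, expected_domain=INSTITUTION_DOMAIN):
    """Return (ok, reasons). ok is True only when no reason was found;
    any reason means: do not enter login details on this page."""
    reasons = []
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, ["address could not be parsed"]

    # Slide 4: look for HTTPS in the address bar.
    if parts.scheme.lower() != "https":
        reasons.append(f"not HTTPS (scheme is {parts.scheme or 'missing'!r})")

    host = (parts.hostname or "").lower()
    if not host:
        reasons.append("no host name in the address")
        return False, reasons

    # 'https://miis.edu@other.example/' - the real host is what follows '@'.
    if parts.username is not None:
        reasons.append(f"address has a user@ prefix; the real host is {host!r}")
    # Punycode or non-ASCII host names can imitate familiar letters.
    if "xn--" in host or not host.isascii():
        reasons.append("internationalised host name; check the letters carefully")

    # Slide 5: looking like MIIS is not enough; the host must be the
    # institution's domain or a subdomain of it ('miis.edu.example' is not).
    expected = expected_domain.lower()
    if host != expected and not host.endswith("." + expected):
        reasons.append(f"host {host!r} is not {expected} or a subdomain of it")

    return not reasons, reasons


if __name__ == "__main__":
    # Constructed sample links of the kind that arrive in email.
    for link in [
        "https://go.miis.edu/infosec",
        "http://go.miis.edu/infosec",
        "https://miis.edu.account-verify.example/login",
        "https://miis.edu@account-verify.example/login",
    ]:
        ok, why = check_login_url(link)
        print("OK  " if ok else "STOP", link, "; ".join(why))
```

Only the first sample passes; the other three each produce at least one reason, which is the cue to close the page rather than log in.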
6. How to Spot Phishing
• Forward all suspected Phishing messages to phishing@miis.edu before deleting the message.
• If you fall victim to a phishing attack RESET your password immediately and then call the Helpdesk.
7. What is FakeAV
• Tries to look like regular AV
• Clicking on the warning will download a virus
• Often the best bet is a hard shutdown of the system
• Know what your AV warnings look like
• Sophos anti-virus does offer some web protections which help to prevent the download activity of FakeAV.
8. Social Engineering
• Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims. (From Wikipedia)
Examples:
• You are in a hotel and receive a call from the front desk to confirm your credit card details.
• You receive a call at work from support services asking for your password to fix a problem on your computer.
• You are at home and get a call from the help desk asking for your login information to reset your email account.
9. What Laws Protect Information Here at Monterey
• Family Educational Rights and Privacy Act (FERPA) = Student Data
• Health Insurance Portability and Accountability Act (HIPAA) = Health Data
• Sarbanes-Oxley Act (SOX) = Financial Data for Businesses
• Gramm-Leach-Bliley Act (GLBA) = Financial Data for Lending Institutions
• California Law SB 1386 / VT Act 162 = State Breach Notification laws
• Payment Card Industry Data Security Standard (PCI DSS) = Credit/Debit Card Data
10. What Policies Protect Information Here at Monterey
• Privacy Policy = Confidentiality of Data
http://go.miis.edu/privacy
• Network Monitoring Policy = Protection of College Technology Resources
http://go.miis.edu/netmon
• Technical Incident Response Policy = Response to Information Security Events
http://go.miis.edu/tirp
• Data Classification Policy = Defines Data Types
Not in handbook as of yet
• Red Flags Policy = Identity Theft Protection
Not presently in handbook
• PCI Policy = Payment Card Data Handling
http://go.miis.edu/policy?pci
Other Policies Live Here:
http://www.miis.edu/media/view/30606/original/employee_handbook_rev_02.01.2013.pdf
11. What are Some Best Practices
Do
• Look for HTTPS and other key address indicators when you are going to different web sites.
• Use a strong challenge question in Banner SSB
• Redaction – remove or mask (block out) personally identifiable information when sharing data
• Be suspicious of unsolicited email or phone calls.
• Lock your computer or secure information when you leave your work space.
• Use Anti-Virus on both your work and home systems
• Use secure passwords which you change often. This also applies to mobile devices.
12. What are Some Best Practices
Do Not
• DO NOT write down or share your passwords - tools such as eWallet or 1Password work well as secure password storage alternatives.
• DO NOT store confidential data on unencrypted thumb drives or other unsecured media - if you need to transfer the data, encrypt the file or password protect the file and keep a master copy on the server.
• DO NOT place confidential data in email - email a link to where the file is stored. This may add complexity but increases security. Windows Explorer can show you the path to the location of the file.
• DO NOT record sensitive data on the College web site, blog or Wiki
13. Discussion and Links
Please share your thoughts!
Information Security Resources:
http://go.middlebury.edu/infosec
http://go.miis.edu/infosec
Report Information Security Events To: infosec@middlebury.edu
Editor's notes
What is HTTPS and how does HTTPS/SSL protect you? What is the significance of the lock, and how can one use the lock to help themselves?
I am on an HTTPS site; why is that not enough? The site looks like Middlebury; how can I tell it is not? What is an address bar in the first place? What if I am on my phone? How do I check the URL in an email link?
What is phishing? Why do people do this stuff in the first place? What is the risk of a phishing attack or those spoofed web sites?