Computer Security Tutorial (Text-Only Version)
Condensed Tutorial
COMPUTER SECURITY IS EVERYBODY'S RESPONSIBILITY
Computer Security is the protection of computing systems and the data that they store or access.
- Computer security is everyone’s responsibility.
- Everyone who uses a computer needs to understand how to keep their computer and data secure.
- Members of the UCSC community are also responsible for familiarizing themselves and complying with all University policies, procedures and standards relating to information security.
Many cyber security threats are largely avoidable. Some key steps that everyone can take include:
- Use good, cryptic passwords that can't be easily guessed - and keep your passwords secret
- Make sure your computer's operating system is protected with all necessary security "patches" and updates
- Make sure your computer is protected with up-to-date antivirus software
- Don't click on unknown or unsolicited links or attachments, and don't download unknown files or programs onto your computer
- Remember that information and passwords sent via standard, unencrypted wireless are especially easy for hackers to intercept
- To help reduce the risk, make sure web pages have https (not http) in the web address (URL) before you enter any sensitive information or a password.
- Also avoid standard, unencrypted e-mail and unencrypted Instant Messaging (IM) if you're concerned about privacy
What are the consequences for security violations?
- Risk to security and integrity of personal or confidential information
- e.g. identity theft, data corruption or destruction, unavailability of critical information in an emergency, etc.
- Loss of valuable business information
- Loss of employee and public trust, embarrassment, bad publicity, media coverage, news reports
- Costly reporting requirements in the case of a compromise of certain types of personal, financial and health information
- Internal disciplinary action(s) up to and including termination of employment, as well as possible penalties, prosecution and the potential for sanctions / lawsuits
SOCIAL ENGINEERING
"Social Engineering is the practice of obtaining confidential information by manipulation of legitimate users" - Wikipedia
The principle behind social engineering is that “users are the weak link in security.” In other words, it can be easier to get sensitive information by tricking people than by hacking into a system by force.
A social engineer will commonly use email, the Internet, or the telephone to trick people into revealing sensitive information or to get them to do something that is against policy.
Three extremely common examples of social engineering are:
- Spam scams/phishing: deceptive e-mails designed to get people to reveal personal, financial or log-in information (often via links to web sites that can look legitimate, but which are really bogus sites designed to steal information), click on links or open attachments that can infect computers, or send money.
- Impersonation: attackers typically pose as someone in authority, or an I.T. representative, in order to obtain information or direct access to systems. For targeted attacks, hackers will even go through dumpsters (“dumpster diving”, see below) or do other research so they know enough to convince you to trust them.
- Dumpster diving describes the practice of going through trash to obtain valuable information. Any sensitive information--paper or electronic--that is thrown away intact is vulnerable to dumpster diving.
Protecting Yourself
- Don’t give sensitive personal, financial, log-in, business, system or network information to anyone you don’t know (in person, over the phone, via e-mail or the Internet), or who doesn’t have a legitimate need for it. Keep in mind that you may have to enter your password for someone to work on your computer, but you shouldn’t have to tell it to them.
- Destroy or securely erase sensitive information before recycling or throwing it away.
- Delete unsolicited e-mails; don’t open, forward, reply to, or click on links or attachments in them.
- If an offer sounds too good to be true, it probably is. If you want to investigate something, look it up on your own (e.g. do a Google search) instead of clicking on an unknown or unsolicited link.
- Even snippets of information can be harmful if someone is clever enough to get bits of information from several different people.
- You can report deceptive email to spam@uce.gov. The FTC uses these reports to pursue legal action against people who send this email.
SecurityFocus has an older (2001), yet still relevant and informative, 2-part article about social engineering on its website at: http://www.securityfocus.com/infocus/1527
INTERNET PRIVACY AND SECURITY: Be distrustful when using the internet
Internet Privacy Concerns
- Always remember: The Internet is not private.
- Don't give out personal or sensitive information to anyone you don't know or who doesn't have a legitimate need for it.
- Don't provide personal, sensitive or confidential information to Internet sites, surveys or forms unless you are using a trusted, secure web page.
- Get to these web sites by typing the web address in directly. Don't click on links in unsolicited e-mails or cut and paste links from these e-mails.
- Remember that links and web sites that look legitimate can really be bogus sites designed to steal information.
- At a minimum, look for "https" in the URL and check for the little lock that appears in the corner on most browser windows to indicate that there is a secure connection.
- Be certain you don't put sensitive information in locations that are accessible from the Internet.
- Even unlinked web pages can be found by search engines.
- Just opening a malicious web page can infect a poorly protected computer. Make sure you know where you're going before clicking on a link.
- Use only known, trusted, secure websites when you enter sensitive or personal information online
- Instead of clicking on a link, look up the company (e.g. Google it) and go to their website independently.
- Beware of scams, even on well-known sites such as ebay and craigslist.
- To help avoid viruses, don't use Internet Explorer unless you have a specific business need to do so. More secure alternatives may include Firefox and Safari, or ask your computer support person.
How about Instant Messaging?
- This area of the Internet is not private.
- Do not reveal personal details or sensitive information via IM or on social networking sites.
- Use separate passwords for IM, since it is generally insecure.
- Do not open files sent to you via IM or P2P programs.
- Viruses and other malicious code can be spread this way, and many anti-virus programs cannot detect viruses in IM/P2P/chat files
A Special Note about Copyrighted Information
The University of California is committed to upholding copyright law. Copying, downloading, using, or sharing copyrighted materials, including movie, music and video files, must be with the permission of the copyright owner or in accordance with fair use laws.
- You can be sued for copyright violations.
PRACTICE "SAFE EMAILING"
Email Safety Practices
- Don't open email attachments unless you REALLY know what you're opening.
- Don't click on website addresses in email unless you REALLY know where you're going.
- If an email is unsolicited or even slightly suspicious, look up the website yourself and go there on your own instead of clicking on an email link.
- Delete spam and suspicious e-mails; don't open, forward, or reply to them.
- If you have questions about the contents of an email message, contact the I.T.S. Support Center (459-HELP or help@ucsc.edu)
Should you open that email attachment?
- If it's suspicious, don't open it!
- What is suspicious?
- Not work-related
- The email containing the attachment was not addressed to you, specifically, by name
- Incorrect or suspicious filename
- Unexpected attachments
- Attachments with suspicious or unknown file extensions (e.g.: *.exe, *.vbs, *.bin, *.com, *.pif, or *.zzx)
- Web link to access attachment
- Unusual subject lines, e.g. "Your car?", "Oh!", "Nice Pic!", "Family Update!", "Very Funny!"
Some sure signs of "scam" email:
- It's not addressed to you by name
- It asks you for personal or financial information
- It asks you for a password
- It asks you to forward it to lots of other people
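The warning signs listed under "Should you open that email attachment?" and "Some sure signs of scam email" can be turned into a simple screening routine. The Python below is an added example written for this page, not code from UCSC or I.T.S.; the Message class, the sample messages and the scam phrases are constructed for the demonstration, and the risky-extension list is the one the tutorial gives. It reports every reason a message looks suspicious so a reader can see which rule fired.

```python
import os
import re
from dataclasses import dataclass, field

# Extensions the tutorial lists as suspicious or unknown.
SUSPICIOUS_EXTENSIONS = {".exe", ".vbs", ".bin", ".com", ".pif", ".zzx"}
# Example "unusual subject lines" from the tutorial.
UNUSUAL_SUBJECTS = {"your car?", "oh!", "nice pic!", "family update!", "very funny!"}
# Constructed phrases matching the "sure signs of scam email" (asks for personal,
# financial or password information, or asks you to forward it).
SCAM_PHRASES = ("password", "social security", "account number", "credit card", "forward this to")


@dataclass
class Message:
    """Minimal stand-in for a parsed e-mail; constructed for this example."""
    sender: str
    to: str                 # raw To: header value
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def screen_message(msg, my_name):
    """Return the list of reasons the message looks suspicious (empty if none)."""
    reasons = []
    # Not addressed to you, specifically, by name.
    if my_name.lower() not in msg.to.lower():
        reasons.append("not addressed to you by name")
    if msg.subject.strip().lower() in UNUSUAL_SUBJECTS:
        reasons.append(f"unusual subject line: {msg.subject!r}")
    body = msg.body.lower()
    for phrase in SCAM_PHRASES:
        if phrase in body:
            reasons.append(f"asks for or mentions {phrase!r}")
    # Judge each attachment by its final extension, so "photo.jpg.exe" is caught as .exe.
    for name in msg.attachments:
        ext = os.path.splitext(name)[1].lower()
        if ext in SUSPICIOUS_EXTENSIONS:
            reasons.append(f"attachment {name!r} has a risky extension ({ext})")
    # "Web link to access attachment": talks about an attachment but supplies a URL instead.
    if not msg.attachments and "attachment" in body and re.search(r"https?://\S+", body):
        reasons.append("asks you to fetch the 'attachment' through a web link")
    return reasons


# Constructed sample mailbox; addresses use reserved example domains.
SAMPLE_MESSAGES = [
    Message(sender="payroll@example.edu", to="Jane Doe <jdoe@example.edu>",
            subject="March timesheet reminder",
            body="Hi Jane, please submit your timesheet by Friday.",
            attachments=["timesheet.pdf"]),
    Message(sender="friend@example.net", to="undisclosed-recipients:;",
            subject="Nice Pic!", body="Check this out!!",
            attachments=["photo.jpg.exe"]),
    Message(sender="helpdesk@example.org", to="user@example.edu",
            subject="Account verification",
            body="Reply with your password and account number to keep access. "
                 "Forward this to everyone.", attachments=[]),
    Message(sender="docs@example.biz", to="Jane Doe <jdoe@example.edu>",
            subject="Shared file",
            body="Your attachment is ready at http://example.biz/get/123 - log in to view.",
            attachments=[]),
]


def screen_all(my_name="Jane Doe"):
    """Screen every sample message; keyed by subject for easy inspection."""
    return {m.subject: screen_message(m, my_name) for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for subject, reasons in screen_all().items():
        print(f"{subject!r}: {reasons or 'no warning signs'}")
```

Running the block prints which of the four constructed messages trip which rules; only the legitimate timesheet reminder comes back clean. A real mail filter would parse MIME parts and headers rather than a hand-built Message, but the decision logic is the same.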
Additional "Best Practices" for Email
- Avoid sending large attachments
- Avoid sending proprietary file formats (e.g. Word or Excel documents). Send PDFs instead when possible.
- Use the "Bcc:" (blind carbon copy) line for large numbers of recipients
- This protects the email addresses of the recipients by hiding them and makes your email easier to read.
- To help avoid viruses, don't use Microsoft Outlook unless you have a specific business need to do so. More secure alternatives may include Thunderbird and MacMail, or ask your local computer support person.
PASSWORDS STRENGTH AND SECURITY
Guidelines for Creating Good, Cryptic Passwords
Passwords should either:
- Be at least eight (8) characters in length and contain characters from at least 3 of the following 4 categories:
  - lower case letters (e.g. a through z)
  - upper case letters (e.g. A through Z)
  - numbers (e.g. 0-9)
  - special characters (e.g. exclamation point, question mark or slashes)
OR
- Be a passphrase at least 10 characters in length.
  - A passphrase is a complex password based on a memorable phrase, song or book title, line of poetry, etc.
  - Hint: Passphrases are harder to crack if they don't always use the first letter of each word.
Passwords should also
- Not be a word found in the dictionary, whether spelled forwards or backwards, or a word preceded or followed by a digit (e.g., secret1, 1secret)
- Not include User Name or Login Name
- Avoid including personal information, names of family, places, pets, birthdays, address, hobbies, etc.
- Avoid words that are slang, dialect, jargon, etc.
- Avoid common keyboard sequences, such as "qwerty89" or "a b c 1 2 3"
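The strength rules above (8+ characters from 3 of 4 classes, or a 10+ character passphrase; no dictionary words even reversed or with a digit attached; no user name; no keyboard sequences) are concrete enough to check automatically. The Python below is an added example written for this page, not UCSC's own password checker; the word list and keyboard-sequence list are constructed stand-ins for the full dictionary a real deployment would load.

```python
import re
import string

# Constructed, deliberately tiny word list and keyboard-sequence list standing in
# for a real dictionary file; a deployment would load a full word list.
DICTIONARY_WORDS = {"secret", "password", "dragon", "monkey", "welcome", "letmein"}
KEYBOARD_SEQUENCES = ("qwerty", "asdfgh", "zxcvbn", "abc123", "123456", "1234")


def character_categories(password):
    """Count how many of the four character classes the password uses."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def is_dictionary_based(password):
    """True if the password is a dictionary word, forwards or backwards,
    optionally preceded or followed by a single digit (e.g. secret1, 1secret)."""
    core = re.sub(r"^\d|\d$", "", password.lower())
    return core in DICTIONARY_WORDS or core[::-1] in DICTIONARY_WORDS


def check_password(password, username=None):
    """Return a list of guideline violations; an empty list means the password passes."""
    problems = []
    complex_enough = len(password) >= 8 and character_categories(password) >= 3
    passphrase_length = len(password) >= 10
    if not (complex_enough or passphrase_length):
        problems.append("must be 8+ characters using 3 of 4 character classes, "
                        "or a passphrase of 10+ characters")
    if is_dictionary_based(password):
        problems.append("is a dictionary word (possibly reversed or with a digit added)")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    # Compare with spaces removed so "a b c 1 2 3" is caught like "abc123".
    compact = re.sub(r"\s+", "", password.lower())
    if any(seq in compact for seq in KEYBOARD_SEQUENCES):
        problems.append("contains a common keyboard sequence")
    return problems


if __name__ == "__main__":
    # The first three candidates are the tutorial's own bad examples.
    for candidate in ("secret1", "qwerty89", "a b c 1 2 3",
                      "Tr0ub4dor&3", "Tuesday tea with grandma Lou"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The check reports every rule a candidate breaks rather than stopping at the first, which is what a user needs in order to fix the password. Note that it deliberately does not estimate entropy; it enforces the written guideline and nothing more.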
More tips for creating good passphrases
- Phrases shouldn't be too common (2bor!2b is pretty common!).
- A phrase that has personal meaning but might not appear widely is perhaps best.
- For example, the first line of your wedding vows (if you wrote them yourself) would be memorable but not widely available.
- A random line from your favorite movie is good too.
- Combining phrases is better still.
- Don't use passphrases you have seen in print as examples
Password Security Guidelines
- Passwords must be treated as sensitive and confidential UCSC information.
- Never share your password with anyone else for any reason.
  - Even if they say they work for UCSC, I.T.S., or other campus organizations.
  - This includes co-workers and supervisors.
  - Sharing passwords is a serious breach of UCSC policy and may result in disciplinary action.
- Passwords should not be written down, stored electronically, or published.
  - Choose passwords that you can remember without writing them down.
  - If you have to write something down, write a hint that others won't be able to decipher instead of the complete password - and store it securely.
  - Passwords providing access to restricted data should not be electronically stored or saved, including by browsers, local applications or keychains.
- Use different passwords for your different accounts.
  - This will minimize the risk to other systems and information should one of your passwords get compromised.
- Change initial passwords, password resets and default passwords the first time you log in.
  - These passwords can be vulnerable to guessing or to the automated programs that hackers employ to try to break into systems.
- Change any passwords that don't meet these password strength guidelines.
For More Information About Creating Good, Cryptic, Secure Passwords see the UCSC Password Strength and Security Standards at http://its.ucsc.edu/security/policies/password.php
TEN OTHER ESSENTIAL SECURITY MEASURES
- Physically secure your area, files, and equipment before leaving them unattended.
  - Check doors, drawers, and windows.
  - Lock up any sensitive materials before you leave your area.
  - Never share your lock code, access card, key, etc.
- Question people in your area whom you don't recognize.
  - And don't hold doors open for unknown people.
- Secure your laptop computer at all times: keep it with you or lock it up before you step away.
  - At all times: in your office, at meetings, conferences, coffee shops, etc.
  - Make sure it is locked to something permanent!
- Make sure your computer is protected with anti-virus and all necessary security "patches" and updates, and that you know what you need to do, if anything, to keep them current.
  - Talk to your computer support person or the I.T.S. Support Center at 459-HELP (4357) for assistance.
- Don't keep sensitive information or your only copy of critical data on portable devices (laptops, CDs/floppies, memory sticks, PDAs, phones, etc.) unless they are properly protected.
  - These items are extra vulnerable to theft or loss.
- Do not install unknown or unsolicited programs on computers.
  - Such as programs you find out about through email.
  - These can harbor behind-the-scenes computer viruses or open a "back door" giving others access to your computer without your knowledge.
  - Ask your computer support person or the I.T.S. Support Center (459-HELP) if you're not sure.
- Make backup copies of data you are not willing to lose -- and store the copies very securely.
- Shut down, lock, log off of, or put your computer to sleep before leaving it unattended.
  - <ctrl> <alt> <delete> or Windows-L on a PC
  - Apple menu or power button on a Mac
  - For additional security, set up your computer to "lock," "sleep," or "auto log-off" when it is inactive.
- Your computer should require a password to start up or wake up.
  - If it doesn't, talk with your computer support person.
- Be sure that automatic login and guest accounts are disabled on your computer.
  - Talk with your computer support person for help.
- Always shut your computer down properly when you shut down; don't just turn off the power button or the monitor.
PROTECTING PERSONAL IDENTITY INFORMATION (PII) AND OTHER RESTRICTED DATA
Defining Confidential Information and Restricted Data
- Confidential Information: The term “confidential information” applies broadly to information for which unauthorized access to or disclosure could result in an adverse effect. To address this risk, some degree of protection or access restriction may be warranted.
- Restricted Data: Restricted data is a specific category of confidential information. Restricted data is any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit.
Access to Information Statement
Individuals with access to restricted data should, and in some cases are required to, read and sign the UCSC Access to Information Statement: http://its.ucsc.edu/services/accounts/online_forms/acc_info_stmt.pdf. Return the signed form to the requester.
- Access to Information Statements required for access to campus systems go to the I.T.S. Support Center (mailstop: I.T.S.-Kerr).
- Forms required by a department should be filed according to departmental procedures.
Examples of Personal Restricted Data
- Personal Identity Information (PII)
- Electronic protected health information (ePHI) protected by Federal HIPAA legislation
- Credit card data regulated by the Payment Card Industry (PCI)
- Records of students who have requested "Non-Release of Public Information" under the Federal Family Educational Rights and Privacy Act of 1974 (FERPA)
- Information relating to an ongoing criminal investigation
- Judge-ordered settlement agreements requiring non-disclosure.
- Other information for which the degree of adverse effect that may result from unauthorized access or disclosure is high.
Definition of Personal Identity Information (PII)
- Personal identity information (PII) is the electronic manifestation of an individual's first name or first initial, and last name, in combination with one or more of the following*:
  - Social Security Number (SSN)
  - Driver's license number, or State-Issued ID card number
  - Account number, credit or debit card number
  - Medical information
  - Health insurance information
*Please note, this is a condensed list. For a complete definition please see our online glossary: http://its.ucsc.edu/security/policies/glossary.php#p
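Because the definition is a rule (a name plus at least one listed identifier), it can be applied mechanically to a spreadsheet export or database dump, which is the practical side of "knowing where this data exists". The Python below is an added example written for this page, not an I.T.S. tool; the column names, the sample rows and the placeholder identifier values are constructed, and the SSN pattern in the free-text scan is a heuristic based on the usual NNN-NN-NNNN format, not something the tutorial specifies.

```python
import re

# Column names are constructed for this example; map each to the identifier
# category from the tutorial's condensed PII definition.
IDENTIFIER_FIELDS = {
    "ssn": "Social Security Number",
    "drivers_license": "driver's license / state ID number",
    "state_id": "driver's license / state ID number",
    "account_number": "account, credit or debit card number",
    "card_number": "account, credit or debit card number",
    "medical_info": "medical information",
    "health_insurance": "health insurance information",
}

# Heuristic: a common written layout of a Social Security Number (assumption, not from the page).
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def has_name(record):
    """First name or first initial, plus last name, per the definition."""
    first = (record.get("first_name") or record.get("first_initial") or "").strip()
    last = (record.get("last_name") or "").strip()
    return bool(first) and bool(last)


def present_identifiers(record):
    """Which identifier categories are populated in this record (de-duplicated, in definition order)."""
    found = []
    for column, label in IDENTIFIER_FIELDS.items():
        value = record.get(column)
        if value not in (None, "") and label not in found:
            found.append(label)
    return found


def classify_record(record):
    """Return (is_pii, identifiers): PII only when a name is combined with an identifier."""
    identifiers = present_identifiers(record)
    return (has_name(record) and bool(identifiers)), identifiers


def find_pii_rows(rows):
    """Indexes of the rows that meet the PII definition, for a 'where does it exist' inventory."""
    return [i for i, row in enumerate(rows) if classify_record(row)[0]]


def ssn_like_strings(text):
    """Free-text scan for SSN-shaped values (a starting point, not proof of PII)."""
    return SSN_PATTERN.findall(text)


# Constructed sample export; identifier values are obvious placeholders.
SAMPLE_ROWS = [
    {"first_name": "Jane", "last_name": "Doe", "ssn": "000-00-0000"},
    {"first_initial": "J", "last_name": "Doe", "card_number": "0000 0000 0000 0000"},
    {"first_name": "Jane", "last_name": "Doe", "department": "Library"},
    {"ssn": "000-00-0000"},   # identifier without a name: outside this condensed definition
    {"first_name": "Jane", "last_name": "Doe",
     "medical_info": "allergy: penicillin", "health_insurance": "plan 00000"},
]


if __name__ == "__main__":
    for i, row in enumerate(SAMPLE_ROWS):
        is_pii, ids = classify_record(row)
        print(f"row {i}: {'PII' if is_pii else 'not PII'} {ids}")
    print("free-text hits:", ssn_like_strings("ref 000-00-0000, phone 831-555-0100"))
```

Row 3 shows the edge the definition draws: an SSN on its own does not meet the "name plus identifier" test, although a file containing one still deserves the handling this section describes. The free-text scan is there for files with no column structure; it finds candidates for a person to review, it does not classify them.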
Personal Identity Information (PII) is Protected by State Law
Additional Information about Personal Restricted Data
Examples of Other Types of Confidential Information:
- Ethnicity
- Gender
- Date of birth
- Citizenship
- Marital Status
- Religion
- Sexual orientation
- Home address or home telephone number
- Personal information protected by anti-discrimination and information privacy laws
- Information subject to a non-disclosure agreement, including research data, intellectual property (IP), and patent information
- Academic evaluations and letters of recommendation
- Responses to a Request for Proposal (RFP) before a decision has been reached
- Applicant information in a pending recruitment
- Data containing budget projections for a campus department (if it has been designated as restricted)
Steps for Protecting Restricted Data and other Confidential Information
- Know where this data exists.
- All PII and other confidential information must be protected. Knowing what you have and where it is is an important first step.
- Note: Restricted data can be in current or old files, including archives. Be sure to check copies, back-ups and previous versions of files.
- Destroy confidential data which is no longer needed.
- The best way to protect restricted data is not to have it in the first place.
- Work with your computer support person to delete confidential data securely and completely.
- If you don’t know where to start, contact the I.T.S. Support Center at 459-HELP or help@ucsc.edu.
- Shred or otherwise destroy confidential data before throwing it away.
- It is not uncommon to find all sorts of sensitive and even confidential information in trash cans, recycling bins, and dumpsters. This data can be on discarded papers, old computers or hard drives, CDs, floppy disks, etc. Even vacation schedules could be used by a resourceful hacker to justify a phony request for information.
- Clean Devices before Disposal or Re-Use.
- Work with your computer support person to “clean” electronic media (e.g. hard-drives, CDs, disks, flash drives, back-up tapes, etc.) before recycling, re-using, or disposing of it.
- Never share or discuss confidential data with unauthorized individuals.
- Know who has access to folders before you put confidential data there!
- Don’t put sensitive information in locations that are accessible from the Internet.
- Don’t leave confidential information lying around, including on remote printers, fax machines, or copiers - or even in your area when you step away.
- Set up your workstation so that unauthorized people and passers-by cannot see the information on your monitor.
Special Cautions about Transferring and Downloading Restricted Data
- Confidential information should be sent securely.
- Avoid email and Instant Messaging (IM)
- Use https, sFTP, Secure telnet (SSL)
- Confidential information must be stored securely in both sending and receiving locations
For additional information, see Practices for Protecting Electronic Restricted Data: A Quick-Reference on the I.T.S. security policy website:
http://its.ucsc.edu/security/policies/rd.php
I.T. SECURITY INCIDENTS
An I.T. Security Incident Is: "The attempted or successful or improper instance of unauthorized access to, or use of information, or mis-use of information, disclosure, modification, or destruction of information or interference with system operations in an information system."
- Which basically translates to the unauthorized access or misuse of computing systems, data or networks.
Reporting Security Incidents
- Report anything unusual. If it sets off a warning in your mind, it just may be a problem. Don't ignore it!
- Immediately report suspected security incidents & breaches to your supervisor and the I.T.S. Support Center (459-HELP or help@ucsc.edu).
- If no one is available to receive your report, contact the I.T.S. Security Response Team at security@ucsc.edu.
- If you think someone might be accessing your computer remotely, it is best if you can unplug the network cable (and turn your wireless off, if you have it) and leave the computer on until help arrives.
Reporting Stolen Equipment
Laptop computers and other portable electronic devices are extremely vulnerable to theft and loss. Any suspected theft of UCSC-related computing equipment should be reported to the UCSC Police Department (http://www2.ucsc.edu/police/) and to the local authorities if the incident occurred away from campus.
- Be sure to let the police know if the missing equipment contains sensitive information.
ADDITIONAL INFORMATION AND RESOURCES
Basic Computer Security Condensed Tutorial Completion Certificate
Other Training Modules:
Introduction to Computer Security
Social Engineering
Internet Privacy and Security
Practice "Safe Emailing"
Password Strength and Security
Ten Other Essential Security Measures
Protecting PII and Other Restricted Data
Reporting I.T. Security Incidents
Additional Information & Resources
Security Self-Test: Questions & Scenarios
Rev. January 2009