Keeping Your Data Safe


John Roberts
Director of Computer Systems and
Chief Information Security Officer

Security is everyone’s responsibility!

Today’s Topics

  • Why we need to know about data security
  • Teachers and administrators and data security
  • Safe computing practices for everyone
  • Resources

Why we need to know about data security

Teachers and administrators

  • Must comply with legal and regulatory requirements

Everyone

  • To protect personal data from exposure and malicious attacks

What is data security?

  • Data security is the practice of keeping data protected from unauthorized access and corruption or loss

What are the risks?

For teachers and administrators

  • Identity theft
  • Violation of federal/state/school system regulations
  • Damage to the school/school system reputation and subsequent loss of public trust
  • Civil action and fines
  • Loss of the ability to do business

For everyone

  • Identity theft
  • Financial loss
  • Personal exposure

Teachers and Administrators

Regulatory Requirements

  • FERPA – Family Educational Rights and Privacy Act – Student data
  • HIPAA – Health Insurance Portability and Accountability Act – Health information
  • GLBA – The Gramm-Leach-Bliley Act – Nonpublic data
  • RFR – Red Flags Rule – Identity theft prevention
  • PCI DSS – Payment Card Industry Data Security Standard – Credit card information

Responsibility for securing data

Show of Hands – who is responsible?

  1. 90% of security safeguards are technical and 10% rely on YOU, the computer user
  2. 50% of security safeguards are technical and 50% rely on YOU, the computer user
  3. 25% of security safeguards are technical and 75% rely on YOU, the computer user
  4. 10% of security safeguards are technical and 90% rely on YOU, the computer user

Sensitive and Regulated Data

What is it? – Data that is protected against unwarranted disclosure through the establishment and practice of regulations and policies. Examples:

  • Personal Information: SSN, human resource information, health information, educational records
  • Financial Information: credit card numbers, loan information, bank account information

SCENARIO: You are a teacher and receive an e-mail by mistake. Included in the email is an Excel file containing student names, addresses, social security numbers, etc.

Show of Hands: What should you do?

  A. Immediately delete the e-mail and empty the deleted items
  B. Notify the sender & your administrative office/data security dept.
  C. Both A and B
  D. Save the file to your computer
  E. Ask your coworkers to review the file
  F. Ignore it, and hope it mysteriously goes away

The correct answer is “C” – Immediately delete the e-mail, empty the deleted items folder, and notify the sender and your administration/information security department.

  • This data could be FERPA, GLBA and RFR-protected data
  • Never save or read e-mails when you are not the intended recipient
  • Never save attachments from emails of which you were not the intended recipient, especially those including sensitive data

Everyone – Safe Computing Practices

Secure Equipment and Data

  • Lock down laptops and workstations

Keyboard shortcut to lock a PC: Windows key + L
Keyboard shortcut to lock a Mac: Ctrl + Shift + Eject

  • Close down your browsers
  • Enable password protected screen saver
  • Do not leave sensitive papers or data on printers/fax machines
  • Turn off computer at day’s end
  • Lock your door

Settings and Software

  • Enable the computer’s firewall
  • Disable automatic logins (browser settings – Privacy & Security or Advanced Settings)
  • Do not install or open unknown programs or files
  • Password-protect your screen saver and set it to start after five minutes of inactivity (Control Panel > Power Options)
  • Enable blocking of pop ups (browser settings – Privacy & Security or Advanced Settings)
  • Control access to folders and file-shares
  • Turn on automatic updates/check frequently for software updates (Control Panel > System and Security > Windows Update)
  • Check that your browser is up-to-date
  • Review your application software (Control Panel > Programs > Programs and Features)

Turn Windows Firewall on or off

  1. Open Windows Firewall by clicking the Start button, and then clicking Control Panel. In the search box, type firewall, and then click Windows Firewall.
  2. In the left pane, click Turn Windows Firewall on or off. If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.
  3. Click Turn on Windows Firewall under each network location that you want to help protect, and then click OK.
  4. If you want the firewall to prevent all programs from communicating, including programs that you have previously allowed to communicate through the firewall, select the Block all incoming connections, including those in the list of allowed programs check box.

Antivirus

  • Ensure antivirus is installed and running
  • Ensure antivirus definitions are current
  • Turn on auto-scanning and real-time protection
  • Use free antivirus scanning software
  • Scan all removable media and email attachments

Passwords

Show of Hands – Which is the better password?

  1. LCP$@!%*^
  2. !9*A7b$%b8%s
  3. 2017AGGIESno1
  4. Ilovetoplaybasketball
  5. AdminAdmin

Construct strong passwords with:

  • More characters: the longer the password, the more secure it is
  • At minimum, 8 characters with a combination of upper and lower case letters, numbers, and special characters

Protect your password

  • Do not share your password with others
  • Do not write down or post your password
  • Do not use the same password for multiple purposes/accounts!

When possible, use a longer, easy-to-remember passphrase instead of a password. Example:

  • Mydogatemyhomework!
  • NewMexicoismyfavoritestate.
  • Applepieandicecreamfordessert.
  • Mygirlfriendstompedallovermyheart
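As an added illustration (not from the presentation), the following Python applies the minimum policy stated above to the slide's own sample passwords and passphrases, and estimates how many guesses a blind brute-force attacker would need from length and character classes alone. That estimate ignores dictionary structure, so it overstates phrases built from common words; the point it does show is that length multiplies the search space while extra character classes only add a little.

```python
import math
import string

# The slide's minimum policy: at least 8 characters, mixing upper and lower case
# letters, numbers and special characters.
MIN_LENGTH = 8
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": len(string.punctuation)}

def char_classes(pw: str) -> dict:
    """Which of the four character classes the password actually uses."""
    return {
        "upper": any(c in string.ascii_uppercase for c in pw),
        "lower": any(c in string.ascii_lowercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }

def meets_policy(pw: str) -> bool:
    return len(pw) >= MIN_LENGTH and all(char_classes(pw).values())

def search_space_bits(pw: str) -> float:
    """log2 of the guesses a blind brute-force attacker needs if all they know is the
    length and the character classes used. Length multiplies; classes only add a little."""
    used = char_classes(pw)
    alphabet = sum(size for cls, size in CLASS_SIZES.items() if used[cls])
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def repeated_halves(pw: str) -> bool:
    """'AdminAdmin'-style doubling: a short word written twice is still a short word."""
    half = len(pw) // 2
    return half >= 2 and len(pw) % 2 == 0 and pw[:half] == pw[half:]

def assess(pw: str) -> dict:
    return {"policy_ok": meets_policy(pw), "bits": round(search_space_bits(pw), 1),
            "doubled": repeated_halves(pw)}

# The slide's own quiz options and passphrase examples.
SAMPLES = ["LCP$@!%*^", "!9*A7b$%b8%s", "2017AGGIESno1", "Ilovetoplaybasketball",
           "AdminAdmin", "Mydogatemyhomework!", "NewMexicoismyfavoritestate.",
           "Applepieandicecreamfordessert.", "Mygirlfriendstompedallovermyheart"]

if __name__ == "__main__":
    for pw in SAMPLES:
        a = assess(pw)
        print(f"{pw:36} policy={'yes' if a['policy_ok'] else 'no ':3} "
              f"bits={a['bits']:6.1f}{'  (word repeated twice)' if a['doubled'] else ''}")
```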


Protect Your Personal Data

Information available online about Chris Lascano, including his full name, age, city/state, and relatives

Information available online about Chris Lascano, including his phone number, address, and zip code

Other great sites to help gauge what’s out there:

  • haveibeenpwned.com – Shows sites where your account has been compromised
  • pipl.com – Shows what is available on the web about you
  • stalkscan.com – Shows what information you are giving the world from your Facebook account

Phishing

Phishing attacks are designed to steal a person’s login and password information in order to take control of the victim’s account. They reach you as links in emails, tweets, posts, and online advertising.

Phishing emails have become harder to detect: attackers are clever, and their messages look like legitimate email. As you check your email, follow these practices:

  • When in doubt, throw it out!
  • If you didn’t expect it, reject it!
  • Never enter your credentials from links provided by e-mail
  • If unsure of the legitimacy of an e-mail, always forward it to abuse@nmsu.edu

Phishing Examples:

Phishing email made to look like a Netflix cancellation notice


Phishing email made to look like an official notice of a failed UPS delivery


Phishing email made to look like a Wells Fargo security alert


From: Yohannes Bekele <ybekele@PSAV.COM>
Date: February 3, 2016 at 9:31:09 AM EST
To: Undisclosed recipients:;
Subject: !!

You won $1M contact; pchlotto@pch-service.net


IRS Logo

Sir/Madam,

Our records indicate that your are a non-resident, and that you are exempted from the United States of America Tax reporting
and withholdings on interest paid to your on your account and other financial benefits. To protect your exemption from tax and
other financial benefits, you need to re-certify your exempt status to enable us confirm your records with us.

Therefore, your are required to authenticate the following by completing form W-8BEN attached and return same to us as soon
as possible with a valid copy of government issued identifications (eg. International Passport) through fax number or the email at
the bottom of the form.

List of required documents:
1.  A copy of filled W-8BEN FORM.
2.  A photocopy of the photo page of your international passport.

We appreciate your co-operation in helping us protect your exempt status and also confirm records.

Sincerely,

Mark Schneider,
IRS Public Relations


Security notices commonly seen when opening phishing emails

Phishing – Spotting a bad URL

Scam webpage made to look like the NMSU Office 365 Portal

Although the above website may look familiar or legitimate, take a close look at the web address. Notice it’s not from NMSU but from an external source, “justhost.com.”

Phishing – Spotting a good URL

Website verified as legitimate
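Added example, not part of the original presentation: a small Python checker that does what the two slides above describe, judging a link by the host the browser will really connect to rather than by the words that appear in it. It assumes, for illustration only, that the institution's genuine sites live under nmsu.edu, and it runs over constructed sample links that include the justhost.com case from the slide.

```python
from urllib.parse import urlsplit

# Assumption for this illustration (not stated on the slide): every genuine
# institutional site lives under this registrable domain; anything else is external.
TRUSTED_DOMAIN = "nmsu.edu"

def real_host(url: str) -> str:
    """The hostname the browser actually connects to: lowercased, no trailing dot.
    urlsplit discards userinfo ('nmsu.edu@justhost.com' -> 'justhost.com') and the port,
    two classic ways of making the true destination easy to miss."""
    if "://" not in url:
        url = "http://" + url          # tolerate links pasted without a scheme
    return (urlsplit(url).hostname or "").rstrip(".")

def under_domain(host: str, domain: str) -> bool:
    """Label-wise match only: 'notnmsu.edu' and 'nmsu.edu.justhost.com' both fail."""
    return host == domain or host.endswith("." + domain)

def check_link(url: str) -> dict:
    """Do what the slide says: judge the address, not the look of the page."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = real_host(url)
    warnings = []
    if parts.username is not None:
        warnings.append("text before '@' is a username, not the site")
    if parts.scheme != "https":
        warnings.append("not https")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("internationalised (punycode) host may be a look-alike")
    trusted = under_domain(host, TRUSTED_DOMAIN)
    if not trusted and TRUSTED_DOMAIN in url.lower():
        warnings.append(f"'{TRUSTED_DOMAIN}' appears in the link, but the real host is '{host}'")
    return {"host": host, "trusted": trusted, "warnings": warnings}

# Constructed sample links: the slide's justhost.com case and some common variants.
SAMPLE_LINKS = [
    "https://my.nmsu.edu/office365",                # genuine
    "http://nmsu.edu.justhost.com/office365/login", # brand as a subdomain of an external host
    "https://nmsu.edu@justhost.com/login",          # brand placed before '@'
    "http://justhost.com/nmsu.edu/portal",          # brand only in the path
    "https://notnmsu.edu/login",                    # a naive endswith('nmsu.edu') would pass this
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        v = check_link(link)
        print("OK     " if v["trusted"] else "SUSPECT", v["host"], "; ".join(v["warnings"]))
```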


Make a copy

  • Frequency and method of backup depends on the data’s value
  • Backup to:
    • Institution’s backup facility
    • Existing MS Office system software
    • Free cloud services, see: https://www.thebalance.com/freecloud-storage-1356638
    • Portable device: external hard drive or USB/flash drive. Remember to lock this up. Recommendation: water/fire proof

Safe Network Practices

  • Set a password to access your home router
  • Change home router admin account name and password
  • Use encrypted (WPA2) wireless networks, such as NMSU’s Aggie Air, when transmitting private data
  • Use VPN – Virtual Private Networks when possible

Logos for Mcdonalds, Starbucks, and Barnes & Noble (left to right)

DO NOT use these wireless connections for anything “IMPORTANT!”

General Safe Practices

Don’t:

  • Save sensitive data on your computer unless necessary
  • Gossip or share sensitive data with others
  • Look up confidential data for co-workers or students who do not have access without your supervisor’s approval
  • Throw reports or printouts that have sensitive data in the trash
  • Install a network printer in your office without consulting your computer support technician
  • Install a wireless access point without consulting your computer support technician
  • Use found USBs/flash drives

Do:

  • Use encryption for sensitive data
    • For example, add a password to your Word document (the same steps apply to PPT and Excel).
      • File > Info > Protect Document > Encrypt with Password
  • Check new documents for hidden properties or personal information
    • Steps below for Word, PPT, and Excel
      • File > Info > Check for Issues > Inspect Document

Resources

Government Accounts and Credit Monitoring

Child Safety

Hacked?

Security Tips

National Cyber Security Awareness Month (NCSAM)