Computer security is a big deal. As University staff, we are stewards of sensitive data, and it is our responsibility to protect it. There is a lot of information out there about what computer security is and what you need to do to avoid viruses or prevent data breaches. While it is challenging to simplify the topic into one or two things to remember, we'll try to break it down to how to make sense of it all within our computing environment
Computer Security and Identity Theft
While there are many reasons to be concerned about computer security, we'll focus in this post on identity theft as our primary concern. While identity theft can result from "old fashioned" vulnerabilities, like records from a stolen purse or wallet or from a whole host of other channels, we will concentrate on those related to computing.
Thieves can do a lot of damage with a stolen identity. Identity theft can result in credit card fraud, bank fraud, phone or utilities fraud, government documents fraud, or many other harmful consequences. Theives can open accounts in your name, change account information, or run up charges on your accounts.
While data breaches don't necessarily imply identity theft, we unfortunately need to assume that once the data is out there, it can fall into the wrong hands. There were 78 data breaches at American educational institutions in 2009 that exposed over 800,000 records combined.
When a data breach does lead to identity theft, some individuals have to spend hundreds of dollars and many days repairing a good name and credit record. Other consequences could include losing out on job opportunities or being denied loans for education or housing.
Data breaches are costly to our institution, too. Costs include disruptions to University business. We have to launch an internal investigation and report to government agencies as required by law. We need to contact affected individuals and support them through the process of understanding what they can or should do. And we need to communicate information as relevant to our greater community.
There are other potential repercussions to the University such as fines, lawsuits, loss of funding or loss of reputation. Further tangible costs include offering credit monitoring for affected individuals. One estimate aggregate these costs at over $200 per exposed record.
Preventative Measures for Keeping Things Secure
Here are some tips for maintaing a secure computing environment.
1. Know your data and your computer
People may be unaware that SSNs or credit card numbers are on their computers. Any file you save to your profile, including the "My Documents" and "Desktop" folders, are stored on your local hard drive. When you log out, new files or modifications are synchronized with a server in the University data center. For our discussion, it's important to understand that the files are stored on your hard drive.
If your computer is lost or stolen, it is possible for an enterprising individual to bypass the Microsoft Windows login and gain access to the files on the drive. Fortunately, CCIT has encrypted a number of computers in our environment to protect the data even if the hard drive falls in the wrong hands. Unfortunately, not all of our computers are encrypted. Whether or not your computer is encrypted, it is important to know the nature of the data with which you work.
2. Follow safe computing best practices
Some general tips:
- Be suspicious of requests for personal information that come via email
- Be careful about opening any email attachments
- Be conscious of security threats and viruses
- Don't use peer-to-peer file-sharing on University-issued computers
- Don't give out personal information unless you know who you are dealing with
- Never click on links in unsolicited emails
Use strong passwords, like a combination of letters, numbers, punctuation marks, UppER and LoWer case letters. Switch between UppER and LoWer case. Avoid easy-to-guess passwords like DOB, maiden name, "password", or dictionary words.
Commit passwords to memory. Don't record them on stickies stuck to your monitor or under your keyboard. And don't share passwords with anyone.
There are password managers like KeePass and LastPass that can help you store all your passwords. From an IT department standpoint it is especially challenging to support such tools, though we are working on identifying a viable approach. Let us know if you have questions about these password tools.
3. Be conscious of data security
In general, do not store social security numbers anywhere. That's easier said than done, especially if you need SSNs for doing your job. If you must store SSNs in a file, save it on a secure network file share (which in our computing environment is often referred to as the "O drive" or "P drive"). If you need to share a file that contains sensitive data with a colleague, do it on the shared drive, not via email. If you need to deliver sensitive data outside the office, you may encrypt files on USB keys or CDs using GuardianEdge; For Windows 7, you may encrypt files on USB keys using BitLocker To Go. You may also encrypt files via WinZip or 7zip.
4. Employ physical security
Lock doors to areas that contain sensitive information. Ensure your computer is locked down. Notify CCIT if cables are missing or if you have any issues locking down your computer -- especially if you have a laptop. It might sound obvious, but it's good practice to not leave paper lying around faxes or printers and to erase sensitive information on whiteboards or other trafficked areas.
5. Scan your computer regularly for sensitive information
Clearly, we should remove all confidential numbers from individual computer, except where such information is still required for University business. If only we had a way of finding all the files with sensitive data. Well... we do! It's called Spider, and it was developed at Cornell. It searches for sensitive information, such as SSNs or credit card numbers, and produces a report of files that may contain such data. Some false-positives may be included in the results, so files need to be evaluated on a case-by-case basis.
If Spider turns up sensitive data, then you need to evaluate if the file may be deleted, edited, or moved to a secure network file share (which in our computing environment is often referred to as the "O drive" or "P drive").
Before running Spider, remove temporary files with CCleaner. Then you may follow our instructions on how to run Spider yourself.
6. Let your computer get its updates
Microsoft Windows Patches
On a monthly basis Microsoft releases patches that keep your computer healthy. CCIT maintains a mechanism to manage what patches get installed on your system. What we need from you is to leave your computer logged out and powered on the second Tuesday of every month. It's okay if you can't remember to do that; if it makes it easier, just try to remember to leave your computer logged out and powered on at least one night per week.
It is a bit more complicated if you have a laptop that you take home every night. We will go into more detail in another post.
Virus Scanning Update
Updates for you virus scanning software get installed automatically while you are logged in on your computer, so you don't have to do anything. Just a heads up that it's happening behind the scenes.
7. Ensure smartphones have passcodes
If you have a Blackberry, iPhone, or another mobile device that you use for reading University e-mail, ensure that you have it protected with a passcode. Sensitive data may exist in e-mail or in documents on the device's memory. Note that doing this is a CUIT policy. Turn off Bluetooth if you don't use it, too.
Related Policies and Regulations
Relevant University Policies
- Social Security Number (SSN) and Unique Person Number Usage (UPN) Policy
- Information Security Charter
- Desktop and Laptop Security Policy
- Encryption Policy
- University Policy Library: Computing and Technology
The Personal Data Privacy and Security Act of 2007 protects personally identifiable information, including social security numbers.
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the confidentiality of many student records
- Cormac Herley makes a solid case as to why most of the advice in this article is rejected. Basically, you would be irrational, economically speaking, to follow our guidelines. But please do it anyway.
- CUIT Security Web site
- If you don't mind filtering out information pertaining to a different campus, the Yale ITS security site is packed with useful information.
- In the spring of 2010, CCIT delivered computer security presentations to a number of campus administrative offices.
Related CCIT Knowledge Base Articles
- CCleaner How-to
- Spider How-to
- Removable Storage Encryption with GuardianEdge (Windows XP)
- Removable Storage Encryption with BitLocker To Go (Windows 7)
- Secure E-mail attachments with WinZip
- Secure E-mail attachments with 7-Zip