Tulane University Technology Services

Information Security @ Tulane


    Security Awareness

    Understand ESI and E-Discovery

    Why Phishing Works?

    Minimum Standard for Protection (the Digital Dozen)*

    1. Install and maintain a working firewall to protect data:
      An Internet Firewall is a piece of software or hardware that helps protect your system against hackers and many computer viruses and worms. Using a firewall is an important line of defense for computer security.
       
    2. Keep security patches up-to-date:
      Secure your system after OS installation, then keep it secure by installing security patches as they are released. The campus is hit daily by people trying to hack into our systems. With the proper security patches installed, our machines are less vulnerable. Restoring a system that has been compromised is very expensive in time and manpower.
       
    3. Protect stored data:  
      Encryption is the ultimate protection mechanism because even if someone breaks through all other protection mechanisms and gains access to encrypted data, they will not be able to read the data without further breaking the encryption. This is an illustration of the defense in depth principle.
       
    4. Encrypt data sent across public networks:
      Sensitive information must be encrypted during transmission over the Internet, because it is easy and common for a hacker to intercept and/or divert data while in transit. Use strong cryptography and encryption techniques (at least 128-bit) such as Secure Sockets Layer (SSL), Point-to-Point Tunneling Protocol (PPTP), or Internet Protocol Security (IPsec) to safeguard sensitive data during transmission over public networks.
       
    5. Use and regularly update anti-virus software:
      Many vulnerabilities and malicious viruses enter the network via employees’ email activities. Anti-virus software must be used on all email systems and desktops to protect systems from malicious software. Anti-virus software can be downloaded here.
       
    6. Restrict access by "need to know."
      Limit access to computing resources and sensitive information to only those individuals whose job requires such access.
       
    7. Assign a unique ID to each person with computer access:
      This ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
       
    8. Do not use vendor-supplied defaults for passwords and security parameters:
      Hackers (external and internal) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information.
       
    9. Track all access to data by unique ID:
      Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis when something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.
       
    10. Regularly test security systems and processes:
      Vulnerabilities are continually being discovered by hackers/researchers and introduced by new software. Systems, processes, and custom software should be tested frequently to ensure security is maintained over time and through changes.
       
    11. Implement and maintain an information security policy.
       
    12. Restrict physical access to data:
      Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit sensitive data.

       

    Identity Theft

    Identity theft occurs when someone uses an individual's personal information — such as Social Security number, birth date, or credit card and bank account information — to impersonate the victim in financial transactions. During the 2003 calendar year, the Federal Trade Commission received nearly 215,000 reports of identity theft, up from 162,000 the previous year. Identity theft represented 42 percent of all complaints received by the FTC, reflecting a growing trend. (source: EDUCAUSE)

    Copyright & Filesharing

    Downloading and sharing copyrighted files is a serious issue. Universities throughout the country are struggling to cope with the growing problem of university resources being used for illegal file sharing. While Tulane University encourages the free flow of ideas, and provides resources such as the network to support this activity, we do so in a manner consistent with all applicable state and federal laws. Tulane does not condone the illegal or inappropriate use of material that is subject to copyright protection and covered by state and federal laws.

    Malware: Phishing, Pharming, Spyware and Viruses

    Malware (for "malicious software") is any program or file that is harmful to a computer user. Thus, malware includes computer viruses, worms, Trojan horses, and also spyware, programming that gathers information about a computer user without permission. (source: SearchSecurity.com)

    The following are tutorials prepared by Microsoft to help protect you and your information. They focus on secure computing at home.


    * Adopted from Visa CISP