Tag Archives: electronic data

Related to data stored electronically on computers, servers, at cloud storage locations or on portable storage; as opposed to printed or hard-copy data

Beware Humans with Computers!

At a recent presentation to state risk managers in Olympia, representatives of the law firm BakerHostetler, which includes a number of attorneys who specialize in resolving information security data breach issues, identified that cyber attacks using phishing and malware were the cause of 31% of the more than 300 data security incidents the firm handled nationwide in 2015.  This is not much of a surprise given the recent increases in the number of these types of attacks.

The second highest category identified at 24% was Employee Action/Mistake, which includes failures of employees to follow organizational policies resulting in a data breach.

Interestingly, the next highest causes of data losses include other categories which also have significant ties to how authorized users interact with information technology and the data stored and manipulated with that technology.  These include: Loss or Theft of a Device (17%); Vendor/Contractor Actions (14%); Internal Employee Theft (8%); and Lost or Improperly Disposed Data (6%).

These statistics show that the human component of data protection is significantly more important with regard to modern IT security issues than is the technology component.

The underlying source of ALL of these top kinds (92%) of data breaches can easily be attributed to the authorized users of the compromised data and either a deliberate disregard for organizational policies or a lack of information security awareness on their part.

Clearly, it is important for each of us to understand that we each need to constantly protect the college data we access during the course of our daily work, and to ask questions of our supervisors when we are not certain how best to do that.

The college has published a number of policies and procedures related to technology use by college employees and the protection of college data.  Here are links to a few of those current documents:

Take some time this week to update yourself on the information in these important documents and, as always:  Safe Computing!

Free Stuff!!

Information Security part:

It is not uncommon for malicious parties to send out e-mail or other communications with the text “Free Stuff!!” as part of the subject line or emblazoned in bold letters across the top of the ad.  Often this lure of the possibility of getting something free is irresistible to us human beings.

This means we, as consumers of technology, need to be cautious whenever we see offers that seem too good to be true.  In one of my favorite childhood science fiction books, The Moon is a Harsh Mistress by Robert Heinlein, I learned to look carefully at free offers through the lens of the acronym TANSTAAFL.

“There Ain’t No Such Thing As A Free Lunch” means simply that there is often a hidden cost behind “free” offers, and that an intelligent person will be certain to look for that cost before jumping onto any “free” bandwagon.

Non-Information Security part (sort-of):

I’ve mentioned before that I would periodically include in this blog things outside the realm of information security if I found it interesting and worth sharing.  This is one of those times.

Microsoft yesterday announced that they are increasing in July the amount of storage space allocated to users of their OneDrive cloud file storage.  OneDrive allows users to access saved files through the internet from anywhere, using any computer or device (such as a smartphone or tablet).

The amount of storage space available in the “free” (advertiser supported) version of OneDrive is increasing from 7 GB (gigabytes) to 15 GB.

Microsoft also offers paid OneDrive subscriptions, the first as a stand-alone product for which they are charging $1.99 for 100 GB [previously $7.49] or $3.99 for 200 GB [previously $11.49] per month.

The second subscription version is associated with the various (and variously priced) versions of their online Office 365 product.  They have not changed the price of the monthly or annual Office 365 subscriptions, but are changing the amount of OneDrive space available to subscribers to 1 TB (terabytes; equivalent to about 1,000 GB).  This is a HUGE amount of personal storage space!

This offer, including its “free” version, may well be worth checking out if you are interested in personal cloud storage of your files.

Privacy Disclaimer

It is important to always keep in mind that in storing your personal files “in the cloud” (whether it is OneDrive or another free or paid offering, like Box, DropBox, Google Drive, Amazon Cloud, Apple’s iCloud, or any other company’s service) those files are resting on servers controlled by whichever company is providing the service.

This means they are subject to disclosure either to certain company technical employees or through legal requests, to courts or law-enforcement officials.  Just as with files stored on college systems, they are not totally protected from disclosure in certain situations.

However, if you make an informed decision, weighing the benefit of using such personal file storage services against their hidden costs (such as lack of perfect privacy), they can be pretty useful, especially if you access files from multiple locations on multiple devices.

Social Engineering

WHAT’S THAT?

Social manipulation (or “engineering”: a term coined by hackers) is a collection of successful physical and psychological techniques which allow the exploitation by malicious persons of the human tendency to trust or help other people, and is one of the greatest on-going information security threats. 

Social and environmental engineering is done to gain unauthorized access to college information, or to network and computing resources.  Because it is so successful in providing  attackers a way to bypass, through users, any electronic security methods which may be in place, various social engineering techniques are used every day.

Preventing intrusion by outside parties to college systems through the unwitting collaboration of students and employees is an important goal of information security, because once any access is attained, severe damage can be done.

In a service-oriented environment such as the college, this manipulation of trust creates a significant challenge to staff and requires that we are constantly on guard.  User awareness of various methods used to gather information is an imperative step in maintaining information security. 

Campus employees should always be thoughtful about legal requirements, such as FERPA, and college policies addressing what information may and may not be released to outside parties.

PURPOSE

The initial purpose of social engineering is to obtain a user’s password.  Any account which provides access to the Bellevue College computers or network can be used by a knowledgeable user in many malicious ways, the least of which compromises only the account for which the password is known.     

Subsequent purposes related to social engineering are to physically obtain desirable sensitive information or to gain access to unattended systems,  thus negating the need for a computer password.

Social engineering attacks use both physical and psychological methods:

Physical methods for collecting information may include:

    • Impersonation of repairmen, IT support personnel, managers, etc., either by phone or in person.
    • Collecting and analyzing information from discarded trash (dumpster diving).
    • “Shoulder surfing”, which is watching to see employees type their passwords.
    • Searching a work area for passwords or other sensitive information that has been written down.
    • Using unattended computers that are already logged-in.

Psychological methods for collecting information manipulate trust and emotion to acquire information or access.  Some of these interactions may be in person, but more likely will be over the phone or through e-mail.  Some risks include:

  • E-mail purporting to be from a campus authority, such as the Help Desk or Information Resources (IR).
  • Direct phone requests to the Help Desk for password resets for the accounts of other users.
  • Pleas or threats for information by impersonation of authority figures or support personnel.

When this type of social engineering is done by e-mail, it is often referred to as “phishing.”

SUGGESTED RESPONSES

Area of Risk:   Office trash; dumpsters

Malicious user Tactic: Dumpster diving

Strategy to combat: Once something is left for trash, there is no expectation of privacy.

    • Reports containing confidential or sensitive data should be shredded before disposal.
    • All computer system media (floppy disks, CD-ROM disks, tape, internal or external hard drives, USB drives, etc.) should be carefully erased and disposed of properly.

Area of Risk:  Psychological

Malicious user Tactic:  Impersonation; persuasion

Strategy to combat:  If you don’t know someone, check!

    • Challenge the authority or identity of persons unknown to you – ask them to identify themselves.
    • IT support personnel will always wear Bellevue College identification.

Area of Risk:  Network, e-mail, and internet usage

Malicious user Tactic:  Creation and insertion of malicious software on systems to acquire passwords or other sensitive information

Strategy to combat:  User initiative and awareness

    • Appropriate password use and management.
    • Campus user caution regarding e-mail from unknown senders and e-mails with attachments.

Area of Risk:  Offices

Malicious user Tactic:  Shoulder surfing; stealing sensitive documents or external hard drives; wandering through halls looking for open offices; using unattended computers that are already logged-in

Strategy to combat:  User initiative and awareness

  • Don’t type passwords with anyone else present (and be courteous by not watching others typing in theirs).
  • Mark documents as confidential and require hard copies of those documents to be physically locked up.
  • Lock external hard drives and USB drives up at night.
  • Require all guests to be escorted.
  • Do not store or post passwords near computers.
  • Lock your computer whenever you are not present, even for a “minute”.

Area of Risk:  Phone

Malicious user Tactic:  Stealing toll-free access

Strategy to combat: 

  • Protect SCAN codes the same as passwords.

Area of Risk:  Help Desk

Malicious user Tactic:  Impersonation; persuasion

Strategy to combat: 

  • Remember that the Help Desk will not ask you for your password in an e-mail or over the phone.
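A small defender-side check illustrating the Help Desk rule above, added here as an example and not part of the original post: it flags constructed e-mails whose sender claims to be the Help Desk or Information Resources but writes from an outside address, or whose text asks the reader to send or confirm a password. The campus domain, indicator names and sample messages are assumptions made for the example.

```python
import re
from email.utils import parseaddr

# Assumed campus mail domain; adjust for your environment.
CAMPUS_DOMAIN = "bellevuecollege.edu"

# Display names that a phishing e-mail commonly imitates, per the post above.
AUTHORITY_NAMES = ("help desk", "helpdesk", "information resources", "it support")

# Phrases asking the reader to hand over or "confirm" a password,
# which the real Help Desk never does by e-mail or phone.
PASSWORD_REQUEST = re.compile(
    r"\b(reply|respond|send|confirm|verify|provide|enter)\b[^.\n]{0,60}\bpassword\b",
    re.IGNORECASE,
)

def domain_of(address: str) -> str:
    """Return the lower-cased domain of an RFC 5322 address header."""
    _name, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def classify(message: dict) -> list:
    """Return the social-engineering indicators found in one message.
    message has 'from', 'subject' and 'body' keys; [] means nothing fired."""
    indicators = []
    display_name, _ = parseaddr(message["from"])
    claims_authority = any(n in display_name.lower() for n in AUTHORITY_NAMES)
    sender_domain = domain_of(message["from"])
    is_external = sender_domain != CAMPUS_DOMAIN and not sender_domain.endswith("." + CAMPUS_DOMAIN)
    # Indicator 1: claims to be a campus authority but is sent from outside campus.
    if claims_authority and is_external:
        indicators.append("authority-name-external-sender")
    # Indicator 2: asks for a password, no matter who it claims to be from.
    if PASSWORD_REQUEST.search(message["subject"] + "\n" + message["body"]):
        indicators.append("password-request")
    return indicators

# Constructed sample messages (not real mail).
SAMPLES = [
    {"from": "Help Desk <helpdesk@bellevuecollege.edu>",
     "subject": "Planned maintenance Saturday",
     "body": "Network access will be interrupted 6-8 am. No action is needed."},
    {"from": "BC Help Desk <support@mail-reset-center.example>",
     "subject": "Account verification required",
     "body": "Your mailbox is full. Reply with your username and password to keep access."},
    {"from": "Registrar <registrar@bellevuecollege.edu>",
     "subject": "Please confirm your password",
     "body": "Please confirm your password by replying to this message."},
]

def triage(samples=SAMPLES) -> dict:
    """Map each sample's subject to the list of indicators it triggers."""
    return {m["subject"]: classify(m) for m in samples}
```

Only the genuine maintenance notice comes through clean; the other two samples are flagged for review even though one of them comes from a real campus address.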

If you have any questions about social engineering, or are uncertain if you have been a victim of social engineering, be sure to contact the Help Desk (415.564.4357).

eBay intrusion exposes personal information

Personal privacy issue

As stated on the home page for this blog, sometimes I will be writing about privacy issues, as they are inextricably tied to many topics related to information security.  In fact, the whole basic idea of information security is to keep electronically-stored things private when they should stay private.

I will also sometimes talk about issues that may not be directly tied to information security at the workplace.  This is because personal security and privacy practices related to our non-work lives can have tenets or lessons that apply directly to our work security and privacy practices.  Today is an example.

Currently, there is a lot of news about an intrusion into the network systems holding personal and private information related to eBay customers.  Because of this breach, the company is recommending that all customers change their passwords.

In fact, the eBay passwords that may have been compromised are encrypted, which will be difficult for the hackers to break (but not impossible).  However, a significant aspect of this data security breach is that the exposed user accounts may have also included unencrypted personal information, such as names, addresses, etc.

This puts many of eBay’s customers at a high risk of increased attempts to social engineer, or trick, them into providing even more private personal information.

The importance of password security and the principles of social engineering are basic information security concepts every technology user should understand, whether you are applying them to your personal life, or to your work responsibilities.

If you are an eBay customer, or a customer of PayPal, which is also owned by eBay, you should at least take the recommended precautionary step of changing those passwords.  Making this change does not guarantee that your personal information held by the company is totally secure, but it is a good first step in the wake of this incident.


Copyright law and file sharing

Just a short post today, as I try to get some links to basic information security material out to the campus.

The college has a legal obligation to provide notice annually to campus users regarding the sharing of electronic copies of copyrighted materials.  While the law (related to the federal Higher Education Opportunities Act) specifically addresses notification to students, the college policies related to copyright apply to all employees and other users of campus technology as well.

Because of a responsibility to post this notification in a public place, an extensive Knowledge Base article is available at http://depts.bellevuecollege.edu/helpdesk/students/file-sharing/ which everyone on campus should read.

As always, if you have any information security concerns, ideas or questions, please feel free to contact me.

Five Important Security Concerns for Employees

The items listed below seem to be the source of the most consistent confusion and questions, particularly with regard to individual employee responsibilities and expectations regarding information security.

All employees have expected roles securing the valuable information available for use on campus and the technology with which we access it.  In the interest of saving some time, I am including only fairly brief bullet points regarding these five areas of particular concern; if you have further questions regarding this or any other information security topic, please feel free to contact either me or the Help Desk (x4357).

Every Bellevue College employee should understand:

1- Login accounts and passwords providing access to Bellevue College IT resources should not be shared. 

In some cases, groups of individuals may share access to an e-mail account acting as a central unit contact resource for business purposes, but such shared e-mail accounts may never be used to log into computers or the college network.

Individuals should also never allow anyone else to use a computer into which they’ve logged-in.  This is not only a security risk for the network, it is an individual identity protection measure as well.  If someone else is logged in as you, everything they may do online appears to be your doing. 

2- Bellevue College policies require that employees secure their workstations if they leave the immediate area.

This may mean logging out and shutting down the computer in some cases, but most of the time locking the screen and requiring a password to unlock it is sufficient.

3- Electronic data is subject to the same privacy restrictions as non-electronic information and data, and requires the same protections. 

Protection of sensitive electronic data collected and used at the college is the primary purpose for implementing information security measures.   

  • Caution always needs to be used to ensure that protected college data is not unintentionally disclosed through e-mail, instant messaging, the web, blogs or podcasts.  The physical security of protected data saved to any storage media (tapes, disks, USB drives or hard drives), especially data stored on college laptop computers, is of the highest concern at all times.

4- All communications through the college network are logged (recorded in a database) and are publicly disclosable information.

This does not mean individual activities are monitored on a routine basis, but it does mean that Bellevue College has an obligation to produce all network records when legally required (either in response to a public records request, to civil litigation, or in a criminal investigation).  In the case of on-going investigations, this could include real-time monitoring, as directed by the HR VP.

A significant aspect of the public nature of college electronic communication is the use of e-mail.  All e-mail is potentially disclosable in response to a legal or public disclosure request. A good rule of thumb is not to put something into an e-mail that you would be uncomfortable with being subsequently published in a newspaper. 

5- All software and technology hardware used at Bellevue College must be properly licensed and processed through Computing Services (CS) for records and auditing purposes.

  • The civil and financial liability to the college and to individuals related to using improperly licensed software is significant, as much as $100,000 for each individual incident!

In the case of college-owned technology, this requirement for keeping records includes any hardware and software, whether purchased by unit funds, college funds or professional development funds.

Personally-owned or purchased software and hardware may be installed on campus, but the same guidelines for licensing apply.  In the case of personally-owned hardware, requirements exist for testing for compatibility with the existing BC technology and network, and for proper security configuration.

These points obviously do not cover all aspects of IT security on campus, but they are perhaps the five areas most misunderstood and most easily remedied by employees.  If everyone on campus understands these issues and follows the guidelines and procedures related to them, information security on campus can be significantly increased.