
Holiday Season Security

The State of Washington Office of Cybersecurity has recently posted a good article related to information security and online shopping at http://cybersecurity.wa.gov/resources/security-tips/. This is a good time of year for this kind of reminder, as we are all taking advantage of the convenience and ease of shopping online.

It cannot be emphasized enough that we each must constantly take care with our private information, particularly financial information like bank accounts and credit cards, and particularly when using or accessing such information using mobile devices.

Don’t trust public computers or wireless networks (even the college’s public Wi-Fi network) to be secure enough for these kinds of transactions. It is not difficult for a malicious actor to intercept wireless signals as they pass between your phone and even the most secure wireless access point, and so to capture whatever information you type into your device. This could include account numbers, user names, passwords and personal identification numbers (PINs).

Do your online shopping with a trusted wired connection as often as you can (not with public computers like those in a library or college computer lab; you never know if the person using it before you compromised the machine). If you must use a mobile device, like a phone or tablet, be certain to follow the OCS guidelines to make your shopping “trip” as uneventful as possible.

Safe Computing!


Seasonal Phishing

Did you know that Phishing has a season, just like real fishing?

Statistics show that during the year-end holiday period, malicious users are more successful with phishing attacks about holiday giving or shopping because they tailor their message to fit the hustle and bustle and activities of the season.

Here is a short video which reminds all of us not to let our guard down just because we are too busy or distracted to carefully scrutinize an e-mail that advertises a sale or touches our heart.

Have a good holiday season, and Safe Computing!

Cybersecurity Awareness… or not?

An interesting exchange of opinions recently occurred between two of my favorite news sources related to information technology security.

Since we are still in the midst of a month declared by the federal government as “Cybersecurity Awareness Month” (see both https://www.dhs.gov/national-cyber-security-awareness-month and https://staysafeonline.org/ncsam/), which is an effort to increase security awareness among regular technology users, the disagreement is interesting.

The premise of “cybersecurity awareness” is that all computer users need to be trained to be more knowledgeable and to apply their experience, knowledge and expertise in making the use of modern technology more secure.  This is a worthy goal, I believe.

However, Bruce Schneier, a highly respected security expert and author, persuasively argued recently that maybe the computing industry should be less focused on educating the user and more on fixing the current state of technology:

Stop Trying to Fix the User

I am sure that many technology users will agree that there are basic technology fixes that should happen! However, Lance Spitzner, the training director for the SANS Institute’s Securing the Human program and a security blogger for EDUCAUSE, disagreed with Bruce’s emphasis on the technology:

Why Bruce is Wrong

The college’s Information Technology Services division does as much as can be done technically to ensure that all users have as safe a computing experience as they can on campus.  However, given the state of computing technology, solving IT security issues with technical solutions is never going to be enough to make them non-existent.

Every one of you, as a user of college systems, is still an important part of a robust security solution, and your ability to recognize that something is wrong often proves better than the best technology solution.

So in a way, both of these authors are correct: there absolutely should be better, more secure technological ways of doing some of the everyday things we do with computers, like clicking a link or logging in, but until those exist, users need to be better trained and more aware of how to evaluate the risks inherent in daily technology use and how to respond when they experience attacks by malicious users.

This will continue to be an interesting discussion, I think…

Safe Computing!

Beware Humans with Computers!

At a recent presentation to state risk managers in Olympia, representatives of the law firm BakerHostetler, which includes a number of attorneys who specialize in resolving information security data breach issues, identified that cyber attacks using phishing and malware were the cause of 31% of the more than 300 data security incidents the firm handled nationwide in 2015. This is not much of a surprise given the recent increases in the number of these types of attacks.

The second highest category identified at 24% was Employee Action/Mistake, which includes failures of employees to follow organizational policies resulting in a data breach.

Interestingly, the next highest causes of data losses include other categories which also have significant ties to how authorized users interact with information technology and the data stored and manipulated with that technology. These include: Loss or Theft of a Device (17%); Vendor/Contractor Actions (14%); Internal Employee Theft (8%); and Lost or Improperly Disposed Data (6%).

These statistics show that the human component of data protection is significantly more important with regard to modern IT security issues than is the technology component.

The underlying source of ALL of these top kinds (92%) of data breaches can easily be attributed to the authorized users of the compromised data and either a deliberate disregard for organizational policies or a lack of information security awareness on their part.

Clearly, it is important for each of us to understand that we each need to constantly protect the college data we access during the course of our daily work, and to ask questions of our supervisors when we are not certain how best to do that.

The college has published a number of policies and procedures related to technology use by college employees and the protection of college data.  Here are links to a few of those current documents:

Take some time this week to update yourself on the information in these important documents and, as always:  Safe Computing!

Security Information about Office 365

Many campus users have questions now that college e-mail accounts are stored in the cloud version of Exchange (called Exchange Online) as part of our Office 365 deployment.

In addition to mitigating some of the costs incurred by the college to provide and support e-mail on campus, Exchange Online provides easier access to e-mail from off-campus, and provides additional layers of security and redundancy that have previously been cost-prohibitive for the college.

If you have any concerns about the privacy and/or security of Office 365, or would like more information, check out the Microsoft Office 365 Trust Center, or contact me with specific questions.

Security Intelligence Report

Warning:  for serious information security buffs only!

Microsoft has recently published its most recent Security Intelligence Report (152 pages!) on the current state of information security and exploitation trends in the world. While it is not really intended for the casual computer user, it is fascinating reading if you are interested in diving a little deeper into the bigger information security picture.

There is a 21 page summary version and a 94 page worldwide threat assessment also posted on their Security Intelligence Report website, along with lots of links to other related information if you are bored and have an afternoon to kill…

Just think!  Some of us get to read this stuff every day!

ENJOY the beginning of summer this weekend.

eBay intrusion exposes personal information

Personal privacy issue

As stated on the home page for this blog, sometimes I will be writing about privacy issues, as they are intricately tied to many topics related to information security.  In fact, the whole basic idea of information security is to keep electronically-stored things private when they should stay private.

I will also sometimes talk about issues that may not be directly tied to information security at the workplace. This is because personal security and privacy practices related to our non-work lives can have tenets or lessons that apply directly to our work security and privacy practices. Today is an example.

Currently, there is a lot of news about an intrusion into the network systems holding personal and private information related to eBay customers. Because of this breach, the company is recommending that all customers change their passwords.

In fact, the eBay passwords that may have been compromised are encrypted, which will be difficult for the hackers to break (but not impossible).  However, a significant aspect of this data security breach is that the exposed user accounts may have also included unencrypted personal information, such as names, addresses, etc.

This puts many of eBay’s customers at a high risk of increased attempts to social engineer, or trick, them into providing even more private personal information.

The importance of password security and the principles of social engineering are basic information security concepts every technology user should understand, whether you are applying them to your personal life, or to your work responsibilities.

If you are an eBay customer, or a customer of PayPal, which is also owned by eBay, you should at least take the recommended precautionary step of changing those passwords.  Making this change does not guarantee that your personal information held by the company is totally secure, but it is a good first step in the wake of this incident.


Purposes of this site

Information security program

In addition to providing a channel for ongoing communication regarding information security at the college through this blog, this website is also the repository for some of the documents which are part of the official information security program.

Today a new link is posted on the top menu which allows users to see the current information security standards.  Along with college policies and procedures, these standards address how the college ensures secure interactions will take place within specific aspects of the college’s technical working environment.

The college’s information security standards are categorized as either:

  • TECHNICAL, which usually is only of interest to those IT support personnel on campus providing technical support in the specific areas addressed in the standard, or
  • GENERAL, which is of interest to all users on campus. These standards provide guidelines regarding how the security of information must be maintained by all technology users and how campus technology may be accessed and used.

All information security standards will be numbered (generally in accordance with the domains established under ISO/IEC standard 27002, if you are interested in the tedious details). General standards will have just a number, and those that are technical in nature will have the letter “T” appended.

As of this posting, there are no standards listed on the page yet.  All information security processes on campus are undergoing revision during the next few months and approved updated versions of the standards will be posted as they are approved.

(Though they are out of date and reflect many expectations and processes that are no longer in effect, the old security standards may be accessed at: https://commons.bellevuecollege.edu/itsecurity/old-standards/)

Five Important Security Concerns for Employees

The items listed below seem to be the source of the most consistent confusion and questions, particularly with regard to individual employee responsibilities and expectations regarding information security.

All employees have expected roles securing the valuable information available for use on campus and the technology with which we access it.   In the interest of saving some time, I am including only fairly brief bullet points regarding these five areas of particular concern; if you have further questions regarding this or any other information security topic, please feel free to contact either myself or the Help Desk (x4357).

Every Bellevue College employee should understand:

1- Login accounts and passwords providing access to Bellevue College IT resources should not be shared.

In some cases, groups of individuals may share access to an e-mail account acting as a central unit contact resource for business purposes, but such shared e-mail accounts may never be used to log into computers or the college network.

Individuals should also never allow anyone else to use a computer into which they’ve logged in. This is not only a security risk for the network, it is an individual identity protection measure as well. If someone else is logged in as you, everything they may do online appears to be your doing.

2- Bellevue College policies require that employees secure their workstations if they leave the immediate area.

This may mean logging out and shutting down the computer in some cases, but most of the time locking the screen and requiring a password to unlock it is sufficient.

3- Electronic data is subject to the same privacy restrictions as non-electronic information and data, and requires the same protections.

Protection of sensitive electronic data collected and used at the college is the primary purpose for implementing information security measures.

  • Caution always needs to be used to ensure that protected college data is not unintentionally disclosed through e-mail, instant messaging, the web, blogs or podcasts. The physical security of protected data saved to any storage media (tapes, disks, USB drives or hard drives), especially data stored on college laptop computers, is of the highest concern at all times.

4- All communications through the college network are logged (recorded in a database), and are publicly disclosable information.

This does not mean individual activities are monitored on a routine basis, but it does mean that Bellevue College has an obligation to produce all network records when legally required (either in response to a public records request, to civil litigation, or in a criminal investigation).  In the case of on-going investigations, this could include real time monitoring, as directed by the HR VP.

A significant aspect of the public nature of college electronic communication is the use of e-mail. All e-mail is potentially disclosable in response to a legal or public disclosure request. A good rule of thumb is not to put something into an e-mail that you would be uncomfortable seeing subsequently published in a newspaper.

5- All software and technology hardware used at Bellevue College must be properly licensed and processed through Computing Services (CS) for records and auditing purposes.

  • The civil and financial liability to the college and to individuals related to using improperly licensed software is significant, as much as $100,000 for each individual incident!

In the case of college-owned technology, this requirement for keeping records includes any hardware and software, whether purchased by unit funds, college funds or professional development funds.

Personally-owned or purchased software and hardware may be installed on campus, but the same guidelines for licensing apply. In the case of personally-owned hardware, requirements exist for testing for compatibility with the existing BC technology and network, and for proper security configuration.

These points obviously do not cover all aspects of IT security on campus, but they are perhaps the five areas most misunderstood and most easily remedied by employees.  If everyone on campus understands these issues and follows the guidelines and procedures related to them, information security on campus can be significantly increased.