
Danger! Internet Ahead!
General Information
Use complex passwords. Passwords are stored in codes, but these codes can be captured in various ways. The length of time needed to break the code is directly related to the complexity of the password. Use at least three of the following four character sets: uppercase, lowercase, numbers, and symbols. Use a password that is at least 8 characters long, preferably longer. Do not display passwords on monitors or elsewhere that a casual visitor might notice. Never use your netid password for anything other than CIT services such as email. Your password gives people access to a great deal of personal information about you and may be used to compromise or make unauthorized use of large-scale university-owned systems such as email. Guard that password!

Carefully evaluate whether software should be installed. Research all new software by looking it up in Google. Try two searches: first type the name of the software and then the word “spyware” and review the search results. Then type the name of the software and the word “security” and review those results. If you have questions about a piece of software, contact IT.

Use a firewall. Firewalls filter out unwanted network traffic and deter hackers and viruses/worms. The built-in firewalls for all the major operating systems are good basic firewalls and FAR better than nothing. 3rd-party firewalls extend functionality but introduce the need to better understand the firewall in order to manage it. An improperly managed firewall may be no better than no firewall at all. If you use a 3rd-party firewall, read any pop-up messages from the firewall carefully before okaying a change in the firewall configuration. It could be asking if you want to allow a hacker to access your computer! If you have questions about firewall configuration, be sure to consult with your IT group.
To determine if your Windows Firewall is turned on in XP:
1. Right-click the “My Network Places” icon on your desktop and click “Properties”.
2. Look down the “Status” column. Each entry should say “Firewalled”. If an entry does not, consult with your IT staff.
3. To turn on the Windows Firewall at this point, click “Change Windows Firewall settings” (located on the left) and select “On”.

Note – Windows 2000 and earlier does not have a built-in firewall!
Note – if you do not see “My Network Places” on your desktop, try this: click the Start button, click “Control Panel”, and click “Network Connections”.

In order for network software to function, firewalls must have “holes” that allow network traffic through. Understand that these holes can lead to compromise of a system and therefore should be kept to a minimum. Install what you need, but do not install unnecessary software, especially software that interacts with the network and the internet.
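The password rule at the top of this section (at least 8 characters, at least three of the four character sets) is concrete enough to check mechanically, and the claim that cracking time grows with complexity can be made visible by computing the size of the search space an attacker would have to cover. The following Python is an added example written for this page, not code from the handout or from Cornell; the symbol set, the 10 billion guesses per second rate, and the function names are assumptions made for illustration.

```python
import math
import string

# The four character sets the handout names. Which characters count as
# "symbols" is not defined there; printable ASCII punctuation is assumed.
CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numbers": set(string.digits),
    "symbols": set(string.punctuation),
}
MIN_LENGTH = 8    # handout: at least 8 characters
MIN_CLASSES = 3   # handout: at least three of the four sets


def classes_used(password):
    """Names of the character sets that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def check_policy(password):
    """Return (ok, reasons): ok is True when the handout's rule is satisfied."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    used = classes_used(password)
    if len(used) < MIN_CLASSES:
        names = ", ".join(sorted(used)) or "none"
        reasons.append(f"uses only {len(used)} of {len(CLASSES)} character classes ({names})")
    return (not reasons, reasons)


def keyspace_bits(password):
    """Size of the search space, in bits, for a brute-force attacker who knows
    which character sets were used: log2(alphabet_size ** length)."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def exhaust_time_seconds(password, guesses_per_second=1e10):
    """Seconds to try every password in the search space at a constructed
    guess rate (1e10/s is an assumption for illustration, not a measurement)."""
    return 2 ** keyspace_bits(password) / guesses_per_second


if __name__ == "__main__":
    for candidate in ["password", "Abc123", "Tr0ub4dor&3"]:
        ok, reasons = check_policy(candidate)
        print(f"{candidate!r}: {'meets policy' if ok else 'rejected'} "
              f"{reasons} ~{keyspace_bits(candidate):.1f} bits, "
              f"{exhaust_time_seconds(candidate):.0f} s to exhaust")
```

The bit figure is an upper bound: it assumes the attacker guesses uniformly over the whole alphabet, whereas a dictionary word such as "password" falls in seconds regardless of its class count, which is why the handout's complexity rule is a floor rather than a guarantee.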

Verify that your antivirus program is checking for updates every day. An update may not be available every day, but your antivirus program should check every day. (Most CALS computers are on a centrally managed antivirus system that configures computers to check every day.) Scan your computer with an online scanner occasionally. If you get a virus, your antivirus program may no longer work properly, but online scanners will likely continue to work. Two excellent online scanners can be found at: http://www.trendmicro.com, and http://www.bitdefender.com.

DIA-handout.doc 10/15/07

Use an anti-spyware program; verify that it is checking for updates daily. Some recommended programs:
- Microsoft’s Windows Defender - http://www.microsoft.com/athome/security/spyware/software/default.mspx
- Spybot S&D - http://www.safer-networking.org/en/index.html
- Spysweeper (commercial) - http://www.webroot.com/consumer/products/spysweeper/

If, during an infection or hack, a keylogger is installed on your system, bear in mind that all your keystrokes may have been recorded since it was installed. Antivirus/anti-spyware programs may be able to show the date of infection. Change any passwords you may have used while the system was infected, and keep an eye on bank account information if you’ve used credit cards recently.

Beware of generic emails, even from known senders such as colleagues, friends, and family, especially those that request personal information, have an urgent tone, or use an anonymous salutation. Verify unsolicited emails, even from seemingly reputable companies, if you are uncertain whether the email is real. Many companies now have web sites that allow you to copy/paste a questionable email into a form on the site and submit it for analysis. Generally these web sites are prominently displayed on the main company web page. If the link is not evident there, try the customer service web page for the company. Do not click on links or open attachments in any unanticipated emails unless you are absolutely certain, via some kind of verification, that the email is legitimate. Adopt a default attitude of being dubious regarding email.

Web Browsing
Do not click on windows that pop up while web browsing. Spyware and viruses often propagate via web pop-ups. A pop-up will look like a mini version of your web browser and text in it may claim that your computer has a virus, that it is running slower than it should be, that you are missing some critical software, that you’re paying too much for your mortgage, etc. Simply close the pop-up and move on.

Configure your browser to only allow “originating sites” access to browsing information. Browsers, by default, allow all web sites access to all browsing information. This allows spyware and spammers to track where you’ve been on the web. To make this change:
- Internet Explorer: click Tools/internet options/privacy/advanced, choose “block 3rd party cookies”.
- Firefox: click Tools/options/privacy, click the cookies tab, choose “for the originating site only”.
Do not turn off cookies entirely as this will cause problems with many sites including some Cornell applications.

Watch for the padlock icon on web sites asking for sensitive information. When you type a credit card number or social security number or any other sensitive information into a web site, verify that a padlock appears in the lower-right corner of the browser before typing. Know that it is technically possible to get around or fool the security on “padlocked” sites. If you ever visit a site that routinely requests confidential information, such as a bank, and you are presented with a pop-up screen that you normally do not see, with the title bar “Web Site Certified by an Unknown Authority”, do not continue. Someone may be intercepting your network transmissions from elsewhere on the network. Alert the local system administrator if possible.

Instant Messaging
If you are using an instant messaging program, keep it up to date by installing updates or new versions. Visit the vendor’s web site for more information. Do not accept files or click on links in messages from people you do not know. It is as easy to get a virus from an instant message as it is from an email. Do not give out confidential personal information over instant messaging, even to people you know. Instant messages travel on the network in a format that is easily readable by eavesdroppers.

Protecting Data
Remember that off-campus email, instant messaging, and most web traffic (unless the padlock appears in the web browser) can be easily eavesdropped on. Public wireless networks are especially prone to eavesdropping. Do not install wireless base stations without consulting local IT staff for secure configuration information. For those setting up wireless – remember that WEP encryption is not secure, and not broadcasting the SSID does not help much. WPA is more secure, and MAC address filtering is a must.

Confine filesharing to dedicated, professionally managed servers rather than workstations. Servers are generally regularly monitored and updated, and are not used as workstations (no email, web browsing, or similar type of activities that could lead to acquiring viruses.) Improperly configured filesharing can inadvertently lead to disclosure of undesirable information. Filesharing also opens holes in firewalls and makes systems more susceptible to security issues.

Laws and policies protect information such as social security numbers, banking information, driver’s license numbers, as well as student personal and academic information. Some breaches of security, including those caused by viruses, may require public disclosure of loss of information by the university. Detailed information about protected data types can be acquired from Cornell’s policy office.

Software is available at Cornell to scan hard drives for sensitive information. Called “Spider”, developed by CIT’s security group, this software uses sophisticated pattern matching to find filenames that may contain sensitive data. It then displays the filenames and allows the user to open the files to further inspect them to determine if sensitive data is present. Instructions on how to acquire, install and use Spider are available from the CALS IT Security Officer. Statistics as of January 2007 show that over half of all faculty and staff scanned, numbering several thousand, had sensitive data on their systems. Of those, over half did not realize they had such data. If you are aware that your system has sensitive data on it, inform your IT staff. The #1 recommendation of the Cornell IT security office regarding sensitive data is to “get rid of it” if it is not needed. If the data is needed, consider whether it can be moved to a server, archived offline, or encrypted. See your IT staff, the CALS Security Officer, or the CIT Security Office for more information.
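To show what the “pattern matching” behind a tool like Spider amounts to, here is a minimal scanner for two of the protected data types named in this section and in the breach law below: social security numbers and credit/debit card numbers. It is an added example for this page, not Spider’s code and not from Cornell or CIT; it assumes it is scanning file contents rather than filenames, uses the common US formats for both numbers, validates card candidates with the Luhn checksum to cut false positives, and reports only the last four digits so the scan report does not itself become a copy of the data. The sample text is constructed.

```python
import re

# Constructed sample "file" contents for demonstration; not real data.
SAMPLE = """\
Student roster (constructed sample)
Jane Doe, SSN 123-45-6789, phone 607-555-0100
Payment card 4111 1111 1111 1111 exp 12/09
Order id 4111111111111112 (16 digits, but fails the Luhn check)
Course catalog number 2007-10-15
"""

# SSN in AAA-GG-SSSS form, rejecting area 000/666/9xx, group 00 and serial 0000,
# which are never issued. Unhyphenated SSNs are out of scope for this example.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Payment card: 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_valid(digits):
    """Luhn mod-10 checksum that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four digits so the report does not leak the number."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text):
    """Return (line_number, kind, masked_value) for each likely SSN or card number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append((lineno, "ssn", mask(m.group())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            # Length gate plus Luhn: a phone number or a date never gets this far.
            if 13 <= len(digits) <= 16 and luhn_valid(digits):
                findings.append((lineno, "card", mask(m.group())))
    return findings


def scan_file(path):
    """Scan one text file on disk; binary files are read with replacement chars."""
    with open(path, "r", errors="replace") as fh:
        return scan_text(fh.read())


if __name__ == "__main__":
    for lineno, kind, masked in scan_text(SAMPLE):
        print(f"line {lineno}: possible {kind} {masked}")
```

The phone number and the catalog date in the sample produce no findings, and the 16-digit order id on line 4 is matched by the regular expression but dropped by the Luhn check; as the handout says of Spider, the output is a list of places to inspect by hand, not a verdict.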



New York State Information Security Breach and Notification Act
Effective December 8th, 2005

What is it?
New legislation designed to protect confidential information that could be used in fraud or identity theft, and to stimulate a higher level of computer security in organizations in New York State. It requires organizations in New York to notify state agencies and affected residents upon discovery of a security breach when confidential data is reasonably believed to have been acquired without authorization.

What is “confidential data”?
Confidential data, as it relates to this new law, consists of any personally identifying data (such as a name, personal mark, or other identifier), in conjunction with one or more of the following:
- A social security number
- A driver’s license (or non-driver identification card) number
- A credit/debit card number or other interest-bearing account number

In order for the law to apply, either the name or the confidential data element must have been acquired in unencrypted form or in an encrypted form where the encryption key has been compromised.

What is the process in the event of a breach of security?
1. The system must be removed from the network immediately, turned off, and placed in a physically secure location.
2. Investigation of the system will take place by CIT Security in concert with local IT support staff and the owner/user of the system, to determine if confidential data can be reasonably believed to have been acquired.
3. If the results indicate that the law applies in the situation, a group consisting of the provost, the dean of the affected unit, the VP of CIT, the university CSO, representatives from the university Counsel’s Office, CU Police, the audit office, the public relations office, the data stewardship office, and whoever is responsible for the system in question will collaborate on any public announcement.
4. Notification must be provided to:
   a. The affected citizens in the form of personal notices
   b. NYS Attorney General’s office
   c. NYS Consumer Protection Board
   d. NYS Office of Cyber Security
   e. If > 5000 people affected, consumer reporting agencies

Non-compliance
“Knowing or reckless violation of the notification or reporting requirements” may result in civil penalties of up to $150,000, and the potential for lawsuits.

