INFOSEC: information security news from the University System of Georgia, Oct. 2010
Issue EIGHT, October 2010
www.usg.edu/infosec

in this issue >>>>
Protecting Children Online
Who Has Your Personal Information?
Let's Talk: Password Length
Clickjacking
Using Encryption to Protect Data
FREE is Not Free

coming soon >>>>
Security Awareness Training & Education
Abstracts Now Available For:
Role and Responsibilities of an Information Security Officer within Public Sector and Government
Building an Information Security Program within Public Sector and Government
IT & IS Risk Management within Public Sector and Government
(see the SATE Course Abstracts at the end of this issue for details)
To hear the latest USG InfoSec podcast "Smartphone Security" go to http://itunes.usg.edu

Who Has Your Personal Information?
Few people even suspect how much of their personal information is available in numerous public and private databases around the world. Your data is collected, stored, exchanged, harvested and sold, often without your knowledge or consent.

Personal data is available through a number of records and reports, including specialty reports, credit reports, public and government records and online information brokers. Specialty reports are used by companies that may be considering offering you a job, renting you an apartment or providing you with an insurance policy. These companies assess their "risk" in dealing with you by using specialized "consumer reports" to find out more about you. Specialty consumer reporting agencies operate much like the credit bureaus. Agencies collect information about you from a variety of sources, including public records of criminal or civil cases, your credit history, any bankruptcy filings, medical information and driving records, as well as companies with which you have an existing or prior business relationship, such as insurance companies or banks. From this information, specialty reporting agencies compile reports based on the requirements of targeted users like insurance companies, employers and landlords. A credit report is a historical record of your credit and loan activities: how you pay your bills, and whether you've been sued, arrested, or filed for bankruptcy.

Companies that have granted you credit make regular reports about your accounts to the three main Credit Reporting Agencies (CRAs): Equifax, Experian (formerly TRW), and TransUnion. If you are late in making payments to utilities, hospitals or landlords, they may report this information to the CRAs. In addition, your bank may inform the CRAs if you overdraw your account or do not make credit card, auto loan, or mortgage payments on time.
Your credit report contains your name and any name variations, your current and previous addresses, telephone number (including unlisted numbers), Social Security number, year and month of birth, and employment information. Your report also includes matters of public record such as civil judgments, tax liens and bankruptcies. Who has access to your credit report? Anyone with a "legitimate business need" can gain access to your credit history, including landlords, employers and potential employers (with your consent), state and local child support enforcement agencies, insurance companies, some government agencies (for licensing or benefits applications; usually limited to name, addresses and current and former employers), as well as companies you have credit with or those considering granting you credit.

Public and government records can be accessed by anyone, including future employers, without your knowledge or consent. Government records are public in order to enable citizens to monitor their government and to ensure accountability in a democratic society. The challenge for policymakers has been to balance the public's right to information with the individual's right to privacy. Virtually every major change in life is recorded somewhere in a government document. Shortly after you are born, a birth certificate is issued. If you obtain a driver's license, get married, buy a house or file a lawsuit, all of these events are recorded in public documents easily available to you and to others.

Online information brokers comb through public records for personal information - including your name, address, and even your Social Security number! - and sell this information online at minimal cost.

A growing number of websites sell (or give freely) the personal information of individuals. These online information brokers (also known as data brokers or data vendors) gather personal information through public records. This may include portions of DMV records, court records, birth certificates, marriage certificates, death certificates, property records, arrest records and even voting records.

Some information brokers may offer the ability to look someone up via their name, e-mail address, telephone number or Social Security number, while others offer the ability to conduct "social searches," which gather information by searching public profiles on social networking sites.

As with public and government records, there is a wide range of personal information available via these online databases, including your full name, physical address, telephone number, marital status, how much you owe on a mortgage and the ages of your children! However, the extent of information available in public records will vary from state to state and county to county. So, as you see, your information is out there, and accessible by many! Moral of this story: be stingy about your information and treat it like luggage at the airport: keep an eye on it at all times.

data safety >>>>

Let's Talk: Password Length
Passwords are the single most powerful protection for data, and how a system stores them matters as much as how you choose them. Early Windows systems stored passwords as a LAN Manager (LM) hash: the password was truncated to 14 characters, converted to uppercase, padded with null bytes and split into two 7-character halves, each of which was hashed independently.

Password cracking programs exploit that split. Rather than attacking one 14-character password, they attack two 7-character halves, which is enormously cheaper: with a 36-character alphabet that is roughly 2 x 36^7 guesses instead of 36^14. For an 8-character password the second half holds a single character followed by padding, so it falls instantly and reveals how the password ends, and the remaining 7-character half is well within reach of modern processors, GPU cracking, digital dictionaries and lists of previously cracked passwords. In practice an 8-character LM password is no stronger than a 7-character one. Passwords of 15 or more characters defeat the 7+7 attack outright: Windows cannot represent them as an LM hash and stores no usable LM hash for them, leaving only the stronger NT hash to attack. (Administrators can also configure Windows not to store LM hashes at all.) Cracking programs also work in "levels": they try lowercase letters and digits first and punctuation last, so punctuation lengthens the search. An easy way to remember a 15-character password is to use the first letters of the words of a song lyric and punctuate them with the "right pinky" characters ` " / . > [ < { ] etc.

The bottom line: use a 15 character password! It's only 5 characters more than the USG-USO requirement of 10 and is significantly more secure.

Clickjacking
What is transparent to Internet users, simple to implement and difficult to stop? Clickjacking. Clickjacking occurs when an attacker loads a legitimate web site into an invisible frame and lays it over the graphic content (pictures, buttons, "close" boxes) of the attacker's own page, so that a click aimed at what you see actually lands on the hidden site.

Similar to carjacking, clickjacking yanks you out of the driver's seat of your browser and drives you, against your knowledge or will, to do something you never intended. When you click what looks like a harmless link or picture, your browser delivers the click to the hidden frame, and the legitimate site, on which you may already be logged in, carries out whatever that click requested: changing a setting, approving a payment or following the attacker's link.
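The overlay just described, as an added example that is not part of the newsletter (origins, URLs and the decoy label are made up): a small Node.js script that builds the attacker's decoy page and then checks whether a site's response headers allow it to be framed at all, which is the control the framed site has against this attack.

```javascript
// Added example (not code from the newsletter): how a clickjacking page is
// built, and the response-header check that decides whether a browser will
// let another site frame a page at all. Origins and URLs are made up.

// Attacker side: a decoy button the visitor wants to press, with the victim
// site loaded in an iframe that is stacked above it and made fully
// transparent. The visitor aims at the button; the browser delivers the
// click to whatever the framed site has at that spot.
function buildClickjackPage(targetUrl, decoyLabel) {
  return [
    "<!doctype html><html><body>",
    `<button style="position:absolute;top:200px;left:200px">${decoyLabel}</button>`,
    `<iframe src="${targetUrl}" style="position:absolute;top:0;left:0;` +
      `width:100%;height:100%;opacity:0;z-index:2;border:0"></iframe>`,
    "</body></html>",
  ].join("\n");
}

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Would a browser render a page carrying these response headers inside a
// frame on embedderOrigin? The precedence mirrors what browsers do: a
// Content-Security-Policy frame-ancestors directive wins; otherwise
// X-Frame-Options applies; with neither header, any site may frame the page.
// Source matching is simplified to exact origins plus 'self', 'none' and '*'.
function canBeFramed(headers, pageOrigin, embedderOrigin) {
  const csp = getHeader(headers, "content-security-policy");
  if (csp !== undefined) {
    for (const directive of csp.split(";")) {
      const parts = directive.trim().split(/\s+/);
      if (parts[0].toLowerCase() !== "frame-ancestors") continue;
      const sources = parts.slice(1).map((s) => s.replace(/^'|'$/g, "").toLowerCase());
      if (sources.includes("none")) return false;
      if (sources.includes("*")) return true;
      if (sources.includes("self") && embedderOrigin === pageOrigin) return true;
      return sources.includes(embedderOrigin.toLowerCase());
    }
  }
  const xfo = getHeader(headers, "x-frame-options");
  if (xfo !== undefined) {
    const value = xfo.trim().toUpperCase();
    if (value === "DENY") return false;
    if (value === "SAMEORIGIN") return embedderOrigin === pageOrigin;
    // ALLOW-FROM and malformed values are ignored by current browsers,
    // which leaves the page frameable (simplification: one value only).
    return true;
  }
  return true;
}

// Headers a site that performs sensitive actions should send. Both are set
// so that a browser without CSP frame-ancestors support still gets the
// X-Frame-Options protection.
const HARDENED_HEADERS = {
  "Content-Security-Policy": "frame-ancestors 'none'",
  "X-Frame-Options": "DENY",
};

// Walk-through with made-up origins.
const bank = "https://bank.example";
const attacker = "https://evil.example";
console.log(buildClickjackPage(`${bank}/transfer`, "Claim your prize"));
console.log("no headers, frameable by attacker:", canBeFramed({}, bank, attacker));
console.log("hardened, frameable by attacker:", canBeFramed(HARDENED_HEADERS, bank, attacker));
```

Run it with node. The check is what you would point at your own login, payment or settings pages: if canBeFramed returns true for an origin you do not control, that page can be placed under someone else's button.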
What can you do to avoid it? As a user, not much. Be alert to what a page does when you click on its links, make it a habit to know and check the URL, especially for financial sites like your bank or credit card payment pages, keep your browser and computer patched, and don't automatically click on all links and attachments. The real fix belongs to the site being framed: a web site can tell browsers not to display it inside another site's frame (the X-Frame-Options response header, or the frame-ancestors directive of a Content-Security-Policy header), and any site that carries out sensitive actions should send one of them.

Using Encryption to Protect Data
With major data breaches being reported all too frequently, organizations are now placing increased emphasis on security of personal, private and sensitive information. One method of increasing security is through data encryption. Encryption is the process of scrambling a message or data so that no one but the sender and the intended recipient can read it. Militaries, businesses, and governments all over the world use it in a variety of ways.

There are two general types of encryption used for cyber security: hardware-based and software-based. Hardware-based encryption is built into a piece of hardware. An example of hardware-based encryption would be the pre-encrypted hard drives that are currently on the market. All data stored on them is automatically encrypted, even the temporary files. A pre-encrypted USB drive is another example of hardware-based encryption. Software-based encryption refers to an encryption program installed on a computer or a server that encrypts either some or all of the data on the system.

With the increasing use of computers in every aspect of our life, and the need to protect the information on those computers, the use of encryption has expanded. Here are some examples of where encryption can be a key component of a defense-in-depth strategy:

Laptop protection - The first use for encryption many people think of is encrypting the data on laptops. This can be done by encrypting specific directories and files or by encrypting the entire hard drive (full disk encryption). Some analysts recommend using both forms of encryption on the same laptop, as that is more secure than either method on its own: full disk encryption protects everything on a laptop that is lost or stolen while powered off, while file-level encryption still protects the sensitive files when the machine is running and unlocked. Minimally, file level encryption should be implemented; full disk encryption is a best practice.

Backup tapes and media - Many cases of data breach have been the result of backup tapes and other storage media being lost or stolen. These items should be encrypted to prevent unauthorized access.

Removable media - CDs, DVDs and USB flash drives are all capable of holding large amounts of data, and these removable devices are being used more frequently. However, one must be vigilant about where these devices are used and the potential vulnerabilities of using them on an unprotected system. These devices should be encrypted. You can also purchase pre-encrypted USB drives.

Smartphones, PDAs and other similar devices - These devices can hold a large amount of data. Because of their small size, they can more easily be lost or stolen, putting the data on them at risk. Where practicable, these devices should be encrypted.

There are a variety of encryption tools available in the marketplace, some of which are open source. However, any solution you implement should be compliant with accepted industry standards.

Free is not FREE
However enticing, force yourself to decline offers of free software.

Almost all "free" software advertised in browser pop-up windows and through e-mail has malware in it, designed to gather information about you, defraud you of money or even steal your identity. "Free" programs can use various techniques to collect credit card or gift card numbers and Social Security numbers, examine your computer, or track where you go on the Internet. The bad guys often gather this information and then use it to trick you into revealing additional information. They use free software and social engineering techniques as an entry to install malware (malicious software including viruses, trojans, worms, bots, rootkits and/or keystroke loggers) on your computer or coax you to visit a malicious website. Be very suspicious. Learn to think of "Free" as a synonym for "malware". Malware is usually free; recovering from it is not.

keeping kids safe >>>>
Protecting Children Online
Children are spending more time online than ever before.
According to a recent Kaiser Family Foundation study*, 8-18 year-olds spend an average of 1.5 hours a day using a computer outside of school. As use of the Internet and online technologies becomes more ingrained into everyday life, it is important to ensure that our youth understand how to use these powerful tools and how to protect themselves from becoming cyber victims.
Children of all ages face online risks. However, there are steps that parents, educators and others who work with kids can take to help keep children safe online.
How Do I Keep My Children Safe?
Computer Location: Keep your home computer in a central and open location.
Supervise Access: Supervise computer access and monitor the types of sites visited.
Consider Using Parental Controls: Provided by some Internet Service Providers or available for purchase as a separate software package. You also may be able to set some parental controls within your browser. As an example, in Internet Explorer: click on Tools on your menu bar, select Internet Options, choose the Content tab, and click the Enable button under Content Advisor (for other browsers, contact the vendor to determine what parental controls are included).
Establish Rules: Create guidelines for computer use such as the amount of time that may be spent online and the types of sites that may be visited. Post these rules near the computer.

Personal Information: Create a safe screen name that does not reveal personal information and teach children not to post or share information such as their photo, address, age or activity schedule.
Web Filtering: Use web filtering software that restricts access to inappropriate websites and content.
Communication: Maintain open lines of communication. Encourage children to come to you if they feel scared or threatened online.
Cyber bullying: Teach children not to respond to cyber bullies. Report incidents of cyber bullying to school administrators and local law enforcement when appropriate.

*Generation M2: Media in the Lives of 8- to 18-Year-Olds http://www.kff.org/entmedia/mh012010pkg.cfm

Quips & Quotes

Passwords are like underwear: you don't let people see it, you should change it very often, and you shouldn't share it with strangers. - Chris Pirillo

The whole notion of passwords is based on an oxymoron. The idea is to have a random string that is easy to remember. Unfortunately, if it's easy to remember, it's something nonrandom like 'Susan.' And if it's random, like 'r7U2*Qnp,' then it's not easy to remember. - Bruce Schneier

finalthoughts...
We are all responsible for keeping information and information systems secure. As the Irish Republican Army advised British Prime Minister Margaret Thatcher after a failed assassination attempt:
"...We only need to be lucky once. You need to be lucky every time..."

Hey Managers & Leadership Team!
Supporting Information Security makes good business sense and good management.
The volume of data we currently use and the speed at which data are manipulated mean we have to use computers to stay on top and provide services to our students, faculty and staff.
There are five reasons to incorporate IT security at project start, or to have information security at the table from the beginning: laws/compliance, reputation/integrity, money/financial, operational, and efficiency.
Laws are enacted to alleviate widespread problems and standardize corrections. No manager or leader wants the public embarrassment of a security breach. Planning security from the beginning stages reduces money spent fixing flaws over the life of the project. Good security mandates planning, should automate and simplify, reduce staff effort, and yield efficiency. If it doesn't, it doesn't mean security is bad; it means it was planned poorly.
Good information/IT security is good business.

InfoSec in the News
Security chiefs at home: No such thing as 'off duty'
Does being a chief security officer influence life outside the office? ComputerWorld magazine recently talked to Stan Gatewood and CSOs from other big organizations about this topic.
Find out what Stan's thoughts on this subject are at http://www.computerworld.com/s/article/9181139/Security_chiefs_at_home_No_such_thing_as_off_duty_

SATE Course Abstracts
Guide for the Role and Responsibilities of an Information Security Officer Within Public Sector and Government
Each institution and public library must identify and implement information security policies, standards, guidelines, processes, procedures, and best practices to further strengthen its security program in order to protect its information assets while assuring its goals and objectives are being met. The Guide for the Roles and Responsibilities of an Information Security Officer Within Public Sector and Government provides a University System of Georgia (USG) institution and public library and the ISO general guidance and assistance in understanding the ISO role and responsibilities in developing and maintaining an effective information security program.
Guide for IT/IS Risk Management Within Public Sector and Government
Each institution and public library must create a program or practice for information technology and information security risk management within the institution or library; the program must be based upon the results of the entity's risk analysis process. Obtaining resources for risk management is subject to the same technical, programmatic, and budgetary justification and review processes required for any information technology program. The risk management practices implemented by the institution or library will vary depending upon the nature of the entity's information assets. The Guide for IT/IS Risk Management Within Public Sector and Government provides a University System of Georgia (USG) institution and public library and the ISO general guidance and assistance in understanding IT/IS risk management models and processes.
USG Information Security Program Guide for Public Sector and Government
The USG Information Security Program Guide was originally developed by the USG Office of Information Security (OIS) in Aug 2008 as a guide to assist the University System of Georgia (USG) System Office (USO), USG institutions and the Georgia Public Library Service in developing an information security program or in enhancing and strengthening existing information assurance programs. This Guide identifies the ten key components to be considered by an institution when developing, implementing, reviewing, or seeking to improve the value of its information security program. These components are to be reviewed for applicability to an institution's business and technology environments and compliance with existing laws and policies, and implemented as appropriate for each institution.

"Creating A More Educated Georgia" www.usg.edu

USG Office of Information Security www.usg.edu/infosec

Stanton S. Gatewood Chief of Information Security 706.583.2001 or 888.875.3697

http://twitter.com/infosec/