1 Why Are We Here Together Introduce Myself Because of the many incidents throughout the country and...


1

Why Are We Here Together Introduce Myself

• Because of the many incidents of identity theft and security breaches throughout the country, and at universities in particular, CUNY has made a security course available online.

• Because that course was commercially developed it was designed on a corporate and factory model.

• I was tasked to create a revised presentation which would be relevant to the college and university environment in general, and QCC in specific.

• The University wants everyone to become aware of the dangers of the problem and how to protect yourself and your computers at home and at work

• CUNY wants to make sure that QCC and all colleges are taking this seriously

• By taking the course together we can answer questions that may arise for you

• Booklet

• A little more than an hour – if anyone has to leave to make a class just do so

Play Video CCNY – Open With VLC

2

Some Recent Headlines

• Computer Containing 7,000 CUNY Students Personal Information Stolen Weeks Ago (City College, Daily News, 9/7/10) Laptop Lost or Stolen

• U.S. Workers on Alert After Breach of Data (New York Times, 11/6/10) 12,000 affected; 1-yr credit reporting; $25,000 id theft insurance

• Security Breach Leaves 45,000 at Risk of Identity Theft (Cornell, Cornell Daily Sun, 6/24/09) Stolen Laptop; college providing credit reporting and id theft insurance

• University of Virginia victim of $996,000 cyber attack (eweek.com 9/3/10)

• Saint Anselm College Alumni Mailing Exposed SSN (9/17/10)

• Service members Face Identity Theft (New York Times, 12/7/10) SSN Hijacked

3

Get Started on the Security Course

• 1. This course will help you in the office, and especially with your home computer, to keep you from becoming a victim of identity theft and cyber attacks on your computer.

• About the film you just saw about City College: YOU MAY HAVE THOUGHT THAT A PASSWORD PROTECTED COMPUTER WAS SAFE. BUT THE HARD DRIVE CAN BE REMOVED AND INSTALLED IN ANOTHER COMPUTER AND THE DATA RETRIEVED.

• Head of Office will be responsible to the students and public.

• 2. Go to the site: http://security.cuny.edu

• 3. Click on the lock

• You should be directed to the site: http://www.enterprisetraining.com/cunycourse.htm

• 4. Enter Name, Email Address; for code, select “None”; from dropdown “Your Role at CUNY” select from among Student, CUNY Faculty Member, or CUNY Employee; from dropdown select Queensborough Comm College

• 5. Click on Proceed to CUNY Security Awareness Course

4

Identity Theft

• Fastest Growing Crime in America

• Avoid being a victim by adopting safeguards while handling sensitive personal information

Ask if anyone here has been a victim of identity theft

Skip “Understand Information” and go to “Identify the Need for Cybersecurity” after presenting Information Security Two Pages

5

Information Security

Safeguarding information from:

1. Misuse

2. Theft

3. Loss

4. Damage

ONE OF TWO PAGES RELATING TO SLIDE

NO SLIDE

CONTINUE NEXT PAGE

6

Information Security

• Safeguard Information – Ensure:

• Confidentiality (Transport data securely with encryption)

• Integrity

• Availability to Authorized Users (CUNY First passwords)

If your computer is compromised it can compromise all linked computers

Why do we have Passwords?

GO TO IDENTIFY THE NEED FOR CYBER SECURITY

7

Cyber Security

• Is the protection of data and systems connected to the internet

• Deter – Detect – Defend Against Information Theft Attacks

• Desktops, laptops, cell phones, wireless gadgets, PDAs

• Proliferation due to the increased use of the internet

THERE ARE TWO CYBER SECURITY SLIDES AND A PAGE OF COMMENTARY FOR EACH

8

Cyber Security

• Safeguards reduce the risks and minimize the damage that can be caused by cyber attacks

– Precautions must be taken in using social networking, e.g., Facebook, YouTube, and Twitter

HOLD THE NEXT SLIDE UNTIL AFTER CYBER SECURITY AT QCC COMMENTARY

How many of you are on Facebook? It makes its money by selling your information

9

Computer Security is Everyone’s Job

Your QCC desktop attached to the campus network has:

• McAfee VirusScan Enterprise software that guards against threats

• Internal Firewall security

• FireEye anti-spyware, a gateway appliance, to protect computer from being taken over by external sources

• Barracuda, another gateway appliance, to remove malware and viruses coming from external websites

• McAfee software to remove external spam

• External Firewall wraparound security for campus wired and wireless network

• Central Office has its own security in place

10

Social Engineering Exploits

• Can provide an end-run around the most extensive security barriers

• Type of attack on sensitive information

• Targets individuals not equipment

• Requires individuals to take action for its success

• Uses trickery and deceit

• Often presents a deceitful link

• No one connected with CUNY will ever ask for your password

Show security headlines document

HOLD FOR 4 SLIDES TO FINISH

11

Phishing

• A social engineering exploit

• An internet scam

• Designed to gain access to:

-Social Security Numbers

-Credit Card Numbers

-Passwords

• Often asks you to respond to email to provide updated information

• Do not respond to such requests; do not click on any links

• Responding indicates that the email account they located belongs to a real address and person

• Robocalls

READ EPSILON LETTER CHASE

12

Pharming

• The creation of a fraudulent website that embodies real web pages to obtain confidential information

-Study web address

-Legitimate secure sites should have “https” in their web address and the icon of a lock on the status bar

-If you receive a message “This Connection is Untrusted” from your browser do not proceed

N.B. OPEN IN A NEW TAB

13

Spoofing

• An email that pretends to come from a trusted source or one known to you

• An email threat that seeks to gain confidential information for fraudulent purposes

• Seeks information for identity theft

• Often in the guise of a PRIZE or AWARD that requires your social security number or credit card information

• Can be the result of hijacking of one’s email address book

• At QCC a dean recently had to send out this message after her email address book was hijacked: “Someone got into my password and sent a message entitled ‘Hello, Friend’ – please disregard. Sorry for the inconvenience.”

SECTION AT BACK OF BOOKLET WITH EXAMPLES

14

• After “Identify Social Engineering Exploits” go to “Strengthen Desktop Security”.

• Present Guidelines for a Strong Password

• Present Password Protect Your Screen Saver and Demonstrate at the Desktop

15

Guidelines for a Strong Password

• Use at least seven (7) characters

• Use combination of upper case and lower case letters, numbers, and symbols

• Try to place a symbol after the first character

• A new password should be significantly different from your current password

• Do not use common words, your name, or other words that people associate with you

• Hackers know that users typically start a password with a capital letter and end with the number 1. Do not follow this pattern.

Paula = Daedelus = 1)@eXw3
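
The guidelines on this slide expressed as an automated check, as an added example that is not part of the original presentation. The word list, the 0.6 similarity threshold, the look-alike character map, and the names check_password, COMMON_WORDS, LEET and SIMILARITY_LIMIT are assumptions made for illustration.

```python
import string
from difflib import SequenceMatcher

# Constructed sample list; a real deployment would load a far larger dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "queens", "cuny"}
# Undo look-alike substitutions so "P@ssword" is still recognised as "password".
LEET = str.maketrans("@013$5", "aoless")
SIMILARITY_LIMIT = 0.6  # assumed threshold for "significantly different"


def check_password(candidate, current=None, personal_words=()):
    """Return the slide guidelines that `candidate` violates (empty list = OK)."""
    problems = []
    if len(candidate) < 7:
        problems.append("shorter than 7 characters")

    classes = {
        "upper case letter": str.isupper,
        "lower case letter": str.islower,
        "number": str.isdigit,
        "symbol": lambda c: c in string.punctuation,
    }
    for name, test in classes.items():
        if not any(test(c) for c in candidate):
            problems.append(f"missing {name}")

    # The pattern the slide says attackers expect: "Xxxxxx1".
    if candidate[:1].isupper() and candidate.endswith("1"):
        problems.append("starts with a capital letter and ends with 1")
    if len(candidate) < 2 or candidate[1] not in string.punctuation:
        problems.append("no symbol after the first character (advisory)")

    if current is not None:
        ratio = SequenceMatcher(None, candidate.lower(), current.lower()).ratio()
        if ratio > SIMILARITY_LIMIT:
            problems.append("too similar to current password")

    # Names and common words count even when disguised with @, 0, 1, 3, $ or 5.
    normalized = candidate.lower().translate(LEET)
    banned = COMMON_WORDS | {w.lower() for w in personal_words if w}
    for word in sorted(banned):
        if word in normalized:
            problems.append(f"contains common or personal word: {word}")
    return problems


if __name__ == "__main__":
    for pw in ("1)@eXw3", "P@ssword1", "Paula1"):
        print(pw, "->", check_password(pw, personal_words=["Paula"]) or "OK")
```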


16

Password Protect Your Screen Saver

• If you step away from your desk while your computer is on, your information will not be accessible to anyone

• To password protect your computer right click an empty space on the desktop, select properties, select screen saver, check “on resume, password protect”

• You may select and adjust the number of minutes before screen locks

• When locked you will see message “This Computer is in Use and has been locked”

• Control + ALT + Delete

• Enter your desktop password

GO TO DESKTOP and RIGHT CLICK PERSONALIZE

17

Password Protect Your Smart Phone

• You can and should password protect your smart phone on which you can send and receive email and surf the internet.

• On which you have contact information

• The iPhone, Android, and BlackBerry phones have this feature.

• If the phone is lost a third party cannot readily access your data.

18

Downloading Software Guidelines

• Downloading copyright protected files off the internet is an infringement of the copyright owner’s exclusive rights of reproduction and/or distribution and is very dangerous to your computer

• Files which can be downloaded over peer-to-peer networks, e.g., BitTorrent, are primarily copyrighted works

• Authorized services that allow copyrighted works to be purchased online, e.g., iTunes, eliminate the risk of infringement

• Authorized services can also limit the exposure to other potential risks like viruses and spyware

• If the use is business related, a college or university software agreement may exist

• We recommend that you do not download to your college computer software that is not work related. The only software on your office computer should be supplied by QCC

• Be very careful in deciding to download software to your home computer

19

Encryption/Decryption

A type of file protection that disguises the file contents

• File cannot be read by unauthorized users who have not been given the key used to encrypt or disguise the contents

• Sensitive material or private information includes, but is not limited to, social security numbers, driver’s license or non-driver identification card numbers, credit, debit, or other financial account numbers.

• Sensitive material should never be emailed

• Sensitive material should never be stored in “the cloud” or with other third party storage systems.

• If you have need to transmit or receive sensitive material to or from others on campus, IT will install Webdrive encryption software on your computer.

• If you have need to transmit sensitive material outside of QCC to other CUNY units, or outside of CUNY to other colleges or entities, Tumbleweed software must be used. You can open a Tumbleweed account at the CUNY portal.

• Sensitive material may not be taken between campus and home without expressed approval of the Vice President of Finance and Administration

• Sensitive material may only be transported between campus and home if encrypted.

• IT will supply encrypted flash drives for the approved use of faculty and administration

20

Disposing and Deleting Sensitive Files (Student Personal Data)

• Safe Disposal: Erase floppy disks, hard drives, flash drives, and tapes; Shred paper documents; Break CDs in half.

• Deleting a file does not erase the data from the computer. It is still retrievable by others.

• Deleting a file deletes the pointer to the data and not the data itself.

• To safeguard deleted data from others be sure to empty your cache, and trash or recycle bin.

• When IT removes your old computer and it is readied for disposal, utilities are applied to the computer to totally wipe out data.

Go from outline of “Implementing File Security” and discussion of Encryption and Decryption to “Guarding Against Attacks”

21

Defend Against Email Attacks

• Most security breaches occur via email attachments and surfing websites

• Almost everyone uses their computer for some form of personal, professional, or institutional email

• Email attacks can affect one computer or all linked computers

22

Malware Malicious Code

• Crashes program or computer

• Loss of data

• Computer can be controlled by attackers

• Unauthorized access to sensitive data

• Internet browser redirected to harmful or dangerous websites

23

Virus

• A computer program that attaches itself to your computer and replicates itself

• It may run or lurk in the background

• Will be on executable files, e.g.:

.Bat

.Com

.Exe

.Scr

.Shs

24

Trojan (as in Horse)

• Malicious program masquerading as harmless

• Does things user does not expect

• May locate passwords

• May destroy programs or data

• Sneak in with illegal downloads of games, utilities, software, or music

25

SPAM

• Unsolicited and Unwanted email

• Can overload mailbox or mail servers

• May contain viruses, pharming, phishing, or spoofing

• May direct you to another site

• Due to filters applied by IT to incoming email to QCC, only a fraction of the spam that you are sent reaches your inbox

26

Virus Hoaxes

• Never act on emails, even from friends, urging you to delete files or forward emails regarding hoaxes except from QCC IT Security.

27

Hacking

• Illegally creating or altering hardware and software

• Illegal hacking destroys or disrupts data

• May engage in illegal activities on your computer and in your name

• Vital information falls into the wrong hands

Stieg Larsson and Lisbeth Salander 35 million copies

28

Virus Protection Software

• Your office computer is protected by virus protection software and updates are applied automatically

• Computer program that identifies and removes malware from your computer

• Software Engine

• Virus Definition Files

• Download Updates

• Virus Scans check computer for malware

• Your office computer scans for viruses upon start up

• Your home computer must be continuously or regularly updated by downloads

* Free virus protection software is available to you from the CUNY Portal e-mall.

4 SLIDES – HOLD COMMENTARY UNTIL AFTER VIRUS SCANS

Symantec Antivirus Software

GO FROM VIRUS SCANS TO BLOCK SPYWARE

29

Spyware

• Intercepts or takes control of computer

• Tracks surfing and activities for commercial use

• Infected computer will be:

-slow

-crashes often

• See pop-ups when not on internet

• Changes internet sites without your control

• Often attached to free-to-download “cute” utilities and applications.

30

Block Spyware

• Use Anti-Spyware Programs

• Use Pop-Up Blockers

• Adjust Security Settings for maximum control

31

If your office computer is infected

• Call the Help Desk – x 6348