STANFORD UNIVERSITY INFORMATION TECHNOLOGY SERVICES Protect Your Data, Protect Yourself Tech Briefing August 6, 2010 Turing Auditorium.

Transcript

STANFORD UNIVERSITY • INFORMATION TECHNOLOGY SERVICES

Protect Your Data, Protect Yourself

Tech Briefing

August 6, 2010

Turing Auditorium


Agenda

Risks of data loss
What kinds of data need to be treated with special care
An overview of free tools to protect your data:
  • Stanford Whole Disk Encryption (SWDE)
  • Secure AFS
  • Stanford IM
  • Secure Email
Data Security for Mobile Devices
Avoiding the perils of phishing attacks
Upcoming changes to WebLogin password update procedures

04/18/23 Protect Your Data, Protect Yourself page 2


You’re Doing it All Right, Right?

A lot of us have Prohibited, Restricted, or Confidential Data we work with every day.
It’s part of the job.
Your computer is locked up.
You don’t give out your password or have it taped to your keyboard.
You don’t download and install weird programs from unreliable sources.


You Are Liable

If your computer is lost or stolen, you are liable for the unprotected data on it.

Depending on the type of data, various legal entities must be notified.

You will likely be discharged by the university.

For example, a laptop was stolen…


Prohibited Data

Prohibited Data includes:
• Social Security Numbers
• Credit Card Numbers
• Financial Account Numbers, such as checking or investment account numbers
• Driver’s License Numbers
• Health Insurance Policy ID Numbers

These CANNOT be on your computer without explicit permission from the Data Governance Board
• If DGB approved, NIST-approved encryption is required on Computing Equipment.


Restricted Data

Restricted Data includes:
• Student Records
• Protected Health Information (PHI)
• Passport and visa numbers
• Research and other information covered by non-disclosure agreements

Access limited to those permitted under law, regulation and Stanford’s policies, and with a need to know.

NIST-approved encryption is required if information is stored on Computing Equipment.


Confidential Data

Confidential Data includes:
• Faculty/staff employment applications, personnel files, benefits information, salary, birth date, and personal contact information.
• Admission applications
• Donor contact information and non-public gift amounts
• Privileged attorney-client communications
• Non-public Stanford policies and policy manuals
• Stanford internal memos and email, and non-public reports, budgets, plans, and financial information
• Non-public contracts
• University and employee ID numbers
• Information subject to Export Control License

NIST-approved encryption is recommended if information is stored on Computing Equipment.


What Does it Mean?

No Problem
Access via Oracle, Peoplesoft, etc. is over a protected transmission channel and data remains on the server.

Needs Protection
Excel, Word, etc. files stored on your computer
• Grant proposal data
• HR files
• Student data
Email attachments
Email sending and receiving
Instant Message conversations


Stanford Whole Disk Encryption

To protect everything on the drive, use Stanford Whole Disk Encryption
• It’s free
• Initial set up takes some time.
• You must use Big Fix and Sophos Anti-Virus

SWDE works on Macintosh and Windows
SWDE protects your data at rest.


How Does SWDE Work?

After installation, after encryption, when you reboot your computer, you will see this new screen:

Type your passphrase and press Enter/Return
Type your ID & password to login to your computer operating system.


I Don’t Want the Data on My Computer?!

Delete old, unnecessary files
• Secure Delete for Mac: https://encryption.stanford.edu/desktop/mac/securedelete.html
• Eraser for Windows: http://encryption.stanford.edu/desktop/windows/securedelete.html

Move it to a server
• Use a departmental server
• Use for-fee services like Sharepoint, Secure Virtualized Server, or SafeFiles (contact IT Services for more information)
• Use the free, centrally provided WebAFS service with SecureAFS


SecureAFS

Free space granted to a workgroup by request for storing Prohibited, Restricted and Confidential data

Access Secure AFS via WebAFS or an AFS client paired with Stanford VPN

To ensure file safety, data is backed up nightly and kept for 30 days
• If an important file is deleted, submit a HelpSU request and the file can be restored

Secure AFS space must be renewed annually
• At the end of the grace period, the account is deleted and files purged

Secure AFS Request Form

Secure AFS Confirmation Email

WebAFS

Secure AFS

Secure Email

After July 20, 2010, all email sent via an @stanford.edu address is encrypted over-the-wire from your computer to the SMTP gateway.

Secure Email must be used when sending Prohibited, Restricted, or Confidential data in email.

Starting August 22, 2010, you can send secure email from webmail or your desktop client by adding “Secure:” to the Subject of the message.

Stanford recipients receive the message normally.

Non-Stanford recipients must prove their identity before being allowed to unencrypt the message.

Non-Stanford Recipients

Look! Important confidential data!

Ammy


Instant Message

Using AIM, Yahoo!IM, Microsoft Messenger, Google Chat, or other IM tools sends your conversation to servers at that company.

For Stanford business, use Stanford IM instead.
• Servers belong to Stanford.
• It is required for Confidential data over IM.
• Prohibited and Restricted data should NEVER be sent via IM.

Go to im.stanford.edu


Securing Your Mobile Device

Always use a lock code to protect data
If you are synchronizing Stanford data to your phone, be prepared to remotely wipe your phone if it is lost or stolen. This wipes EVERYTHING from the phone.


Phishing Attacks

A phishing attack attempts to get you to reveal your username and password

Credentials are sent to an anonymous attacker who then takes over the account and uses it to launch other attacks.

Emails can be extremely deceptive.
Stanford will NEVER ask you to send your password via email.
Watch for senders who are not @stanford.edu and links that do not start with https:, as well as for spelling and date errors.

Phishing Sample

Password Change Compliance

HIPAA rules require that passwords are changed every six months.
• The Admin Guide recommends changing passwords every 90 days.

In the past, you got an email. If the password was not updated, you got another email.

If you are in a HIPAA data group, you will likely see the new password change page in the next six months.

Always double check the URL at the top of the page to make sure it starts with https and is at stanford.edu before entering any information.
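
The URL check above, written out as an added example (not part of the original briefing) to show which look-alike addresses a quick glance can miss. The function name checkLoginUrl, the constant TRUSTED_DOMAIN, and every sample URL are constructed for illustration.

```javascript
// Added example: applies the slide's rule ("starts with https and is at
// stanford.edu") using the same URL parser that browsers use.
const TRUSTED_DOMAIN = "stanford.edu"; // domain named on the slide

function checkLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG parser; throws on anything not absolute
  } catch {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "scheme is not https" };
  }
  // hostname is lower-cased and excludes any "user@" prefix and port
  const host = url.hostname.replace(/\.$/, "");
  // The match must be the exact domain or end in ".stanford.edu";
  // "contains stanford.edu" is what look-alike links rely on.
  if (host !== TRUSTED_DOMAIN && !host.endsWith("." + TRUSTED_DOMAIN)) {
    return { ok: false, reason: `host ${host} is not under ${TRUSTED_DOMAIN}` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "URL carries embedded credentials" };
  }
  return { ok: true, reason: `https and under ${TRUSTED_DOMAIN}` };
}

// Constructed sample links, not taken from any real message.
const SAMPLES = [
  "https://weblogin.stanford.edu/login",    // passes
  "http://weblogin.stanford.edu/login",     // right host, no https
  "https://stanford.edu.example.net/login", // trusted name used as a prefix
  "https://stanford.edu@example.net/login", // trusted name is only a username
  "https://notstanford.edu/",               // different domain, same ending
  "weblogin.stanford.edu/login",            // no scheme at all
];

for (const s of SAMPLES) {
  const r = checkLoginUrl(s);
  console.log(`${r.ok ? "OK    " : "REJECT"} ${s}  (${r.reason})`);
}
```

Only the first sample passes; each of the others contains "stanford.edu" somewhere in the address yet fails one part of the rule.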

Change Password Button

Password Change Page

What questions do you have?