Information Security: Protecting our institutional and your personal data
Keep our Campus Safe
Different forms of safety and security:
- Environmental Safety
- Physical Security
- Information Security
Information Security: the state of being protected against unauthorized use of information, especially electronic data, or the measures taken to achieve this.
Information Security
Today we're going to focus on Personally Identifiable Information (PII).
PII: information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
PII Examples:
- Full name (if not common)
- Home address
- Email address (if private, not a business or association address)
- National identification number
- Passport number
- Vehicle registration plate number
- Driver's license number
- Face, fingerprints, or handwriting
- Credit card numbers
- Digital identity
- Date of birth
- Birthplace
- Genetic information
- Telephone number
- Login name, screen name, nickname, or handle
Information Security: Most Common Threats
- Social engineering: tricks you into providing credentials or information.
- Malicious emails and websites: trick you into downloading and installing malicious software, or into providing your credentials.
- Exploiting vulnerabilities in software: a security hole in an application that attackers can use to create their own "key" to access information in that application or system.
Social Engineering: Examples
- Phishing: the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
- Vishing: the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.
Social Engineering: Phishing Examples (example slides; images not reproduced here)
Malicious Websites: Examples (example slides; images not reproduced here)
Malicious Email: Examples (example slide; image not reproduced here)
Ransomware: Example (example slide; image not reproduced here)
Attacks on Northwestern
- Email spam requesting usernames and passwords. Recently an employee's account was compromised: they were sent a link asking them to verify their username and password. Once filled out, their credentials were used to send spam email to a majority of Northwestern employees to gather more credentials.
- Ransomware (Locky): an attachment in an email was clicked, a malicious program was installed, and it started to encrypt the entire computer's contents. This particular software can also spread across the network to encrypt other computers and systems. (Symantec blocked the threat and we lost minimal data.)
- Social engineering: posing as a Microsoft representative with a request to remotely access your computer. This happened to a student employee two years ago; the computer was encrypted and they asked for money.
- Adam: I personally have been called by a fake Microsoft representative informing me that my Windows license key had some issues and that they could help me fix the issue by remoting into my computer and changing some settings.
What are they after?
- Steal your identity to access your bank accounts or open fraudulent accounts
- Steal information to sell on the black market
- Steal your credit card information to purchase things
- Trick you into sending money to an account
- Hold your information for ransom
Generally, the goal is to get money.
What's the risk?
Who's at risk: everyone
- Businesses
- Countries and governments
- Healthcare
- Higher education
- Individuals
How often does this happen: all the time
Symantec ISTR Statistics
- Email becomes the weapon of choice: Business Email Compromise (BEC) scams, relying on spear-phishing emails, targeted over 400 businesses every day, draining $3 billion over the last three years.
- USA is an easy mark for ransomware scammers: the United States was the biggest, and softest, target. Symantec found 64 percent of Americans are willing to pay a ransom, compared to 34 percent globally.
What if an attacker gets my personal information?
- Access your accounts
- Steal your information
- Steal your identity
- Open fraudulent accounts (e.g. credit cards)
- Ruin your credit
- Destroy your information
What if an attacker gets my UNW information?
- Access UNW information or systems using your account
- Destroy data (e.g. delete S: drive folders you can access)
- Use your account to send email spam
- Hold your computer or other data for ransom
- Access Banner and export records (i.e. a data breach)
Data Breach
A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment.
Minnesota law requires organizations to report any breach that includes these types of PII: Social Security number; driver's license number or Minnesota identification card number; or account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Data breaches in the last 5 years
Companies:
- Yahoo: 1B email accounts compromised (names, email addresses, dates of birth); breach occurred in 2013, disclosed in 2016 and expanded to all 3B accounts in 2017
- Anthem (health insurance): PII (SSN/DOB/etc.), disclosed 2015
- Target: 70M customer records and 40M payment cards, 2013
- Chase: 76M households' info (names/addresses/emails), 2014
- Home Depot: 56M credit card details, 2014
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Data breaches in the last 5 years: how they happened
- Yahoo: unknown, but many believe it was a lack of investment in security by the company.
- Anthem: malware that stole the login credentials of an employee.
- Target: compromised vendor credentials led to credit-card-stealing software being installed on the point-of-sale registers.
- Chase: attackers obtained a list of applications and programs on work computers, found a vulnerable one, and used it to get into the bank's systems.
- Home Depot: hackers stole a vendor's credentials to get into the Home Depot network and installed credit-card-stealing software on checkout registers.
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Higher Education Example
The University of Hawaii had multiple data breaches between April 2009 and June 2011, compromising the PII of 90,000 individuals. The settlement required the university to provide credit monitoring and fraud restoration services to affected individuals. The cost of providing those services was approximately $550,000, and the university was also required to pay an undisclosed amount of attorneys' fees and costs.
https://www.universitybusiness.com/article/0816-wisp
Average cost of a breach?
- Average cost of a data breach for US companies: $217 for each compromised record
- Higher education: $225 per record
- Average cost per breach: $6.5 million
Cost of a Breach to UNW
UNW has data breach insurance.
- With insurance: the cost of the deductible (per breach), plus lost productivity
- Without insurance: a full breach of all sensitive records in Banner would cost more than $20 million
Other impacts:
- Lost reputation, leading to lower enrollment and lower revenue
- Possible lawsuits
Preventative measures you can take
- Be aware of social engineering tactics
- Verify the information if it seems odd, or contact the IT Department
- Do not open suspicious emails or download software from questionable sites
- Never give out or write down your passwords (no sticky notes)
- IT will never ask for your password in email or over the phone
- Use long passwords (long passwords that are memorable)
- Consider a password manager (KeePass, LastPass, Dashlane)
- Use two-factor authentication (for sites like your email and bank accounts)
- Check for website security (HTTPS)
- Back up your important files: an external hard drive at home, or the H: or S: drive at UNW
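The slide's advice to prefer long, memorable passwords over short "complex" ones comes down to entropy: each position contributes log2(number of choices) bits, so four random words from a 7776-word list are worth about as much as eight random printable characters, and six words are worth far more. The script below is an added example, not material from the original slides; the guess rate is an assumed round figure for an offline attacker with a GPU rig against a weak hash, and the 16-word list is a constructed stand-in for a real list such as the EFF large wordlist.

```python
import math
import secrets

# Added example (not from the original slides): why a long, memorable passphrase
# beats a short "complex" password. Entropy is length * log2(choices per position).
# GUESSES_PER_SECOND is an assumed figure (fast offline attack on a weak hash),
# not a measured value.
GUESSES_PER_SECOND = 1e10

# Constructed 16-word demo list; a real generator would use a published list
# such as the EFF large wordlist (7776 words), whose size is used below.
DEMO_WORDS = ["cactus", "harbor", "violin", "pencil", "meadow", "rocket",
              "saddle", "lantern", "pepper", "glacier", "turnip", "walnut",
              "anchor", "button", "copper", "dragon"]
EFF_LARGE_LIST_SIZE = 7776


def entropy_bits(choices_per_position: int, length: int) -> float:
    """Bits of entropy for `length` independent, uniformly chosen symbols."""
    return length * math.log2(choices_per_position)


def average_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the secret: half the keyspace at `rate` guesses/second."""
    return (2 ** bits) / 2 / rate


def generate_passphrase(words: list[str], count: int) -> str:
    """Pick `count` words uniformly with a CSPRNG (secrets, never random.choice)."""
    return " ".join(secrets.choice(words) for _ in range(count))


def compare_policies() -> dict[str, float]:
    """Entropy (bits) of several password styles for side-by-side comparison."""
    return {
        "8 chars, 94 printable ASCII": entropy_bits(94, 8),
        "12 chars, lowercase only": entropy_bits(26, 12),
        "4 words, EFF large list": entropy_bits(EFF_LARGE_LIST_SIZE, 4),
        "6 words, EFF large list": entropy_bits(EFF_LARGE_LIST_SIZE, 6),
        "4 words, 16-word demo list": entropy_bits(len(DEMO_WORDS), 4),
    }


if __name__ == "__main__":
    for label, bits in compare_policies().items():
        years = average_crack_seconds(bits) / (86400 * 365)
        print(f"{label:30s} {bits:6.1f} bits  ~{years:.3g} years")
    print("sample passphrase (demo list, do not use):", generate_passphrase(DEMO_WORDS, 4))
```

The comparison only holds if the words are chosen at random by the machine; a phrase you compose yourself (a song lyric, a family name plus a year) has far less entropy than the arithmetic suggests, which is why a password manager's generator is the safer source.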
Preventative measures IT is taking at UNW
- Email filtering: blocks messages carrying credit card numbers and Social Security numbers
- Vulnerability scans: find and remediate vulnerabilities before they are exploited
- Laptop encryption: protects information stored on our computers
- Endpoint protection (AV): detects malicious programs before they cause problems
- Backups: regular nightly and weekly backups
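The email-filtering control on this slide works by pattern matching outbound mail for the two PII types Minnesota law singles out. The script below is an added illustration of that idea and is not UNW's actual filter configuration: it matches Social Security numbers by the SSA's format rules and payment card numbers by length plus the Luhn check digit, so that order numbers and ticket ids made of digits are not mistaken for cards. The sample messages are constructed; 4111 1111 1111 1111 is a publicly known test card number, not a real account.

```python
import re

# Added example (not UNW's mail-filter rules): minimal outbound-mail content check
# for the two PII types named on the slide.

# SSN: area not 000/666/900-999, group not 00, serial not 0000, hyphenated form.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")

# Payment card candidate: 13-19 digits, optionally separated by single spaces/hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the filter's own logs do not re-leak PII."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_message(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked_value) for each SSN or Luhn-valid card number found."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group().replace("-", ""))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # format alone gives false positives; Luhn weeds them out
            findings.append(("card", mask(digits)))
    return findings


def should_block(text: str) -> bool:
    """Gateway policy: block the message if any sensitive number is present."""
    return len(scan_message(text)) > 0


# Constructed sample messages (fabricated values for the demo).
SAMPLE_MESSAGES = {
    "clean": "Hi team, the meeting moved to room 204. Order number 12345-6789.",
    "ssn": "Please update my record, my SSN is 219-09-9999. Thanks!",
    "card": "Charge it to 4111 1111 1111 1111, exp 12/29.",
    "bad_card": "Reference number 4111 1111 1111 1112 is just a ticket id.",
}

if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name:9s} block={should_block(body)} findings={scan_message(body)}")
```

A production filter would also look inside attachments and at unformatted nine-digit SSNs, and would quarantine rather than silently drop, but the two-stage check (pattern, then checksum) is what keeps the false-positive rate low enough for users to tolerate.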
What to do if you suspect a breach
What should you do if you believe that your account or computer has been compromised?
- Personal: change your passwords; contact your bank and credit card companies
- Northwestern: contact IT immediately at 651-631-5699
Questions or concerns
Contact IT Support with any questions or concerns. This PowerPoint and other security-related resources will be available on the IT Knowledge Base in the next week.