Protecting Sensitive Information and Keeping Your Identity Your Own Cyberethics, Cybersafety, and Cybersecurity Conference October 7, 2005 Amy Ginther,

Presentation transcript:

Protecting Sensitive Information and Keeping Your Identity Your Own Cyberethics, Cybersafety, and Cybersecurity Conference October 7, 2005 Amy Ginther, Project NEThics Coordinator Office of Information Technology

Types of Data Compromise
- Data loss
- Data theft
- Identity theft

CIFAC Project
- Computer Incident Factor Analysis and Categorization Project
- Examined perceptions of the importance of 80 variables in causing computer-related incidents involving systems, data, or people
- Lack of sufficient training and education identified as most frequent cause of incidents.
- Analysis of best practice recommendations for incident prevention, mitigation and management yielded conclusion: “Having policies in place, enforcing policies, and providing user awareness training was considered the most important factor in preventing the incidents from happening.” Rezmierski, Rothschild, Kazanis, Rivas (2005).

Personal Identification Initiative
- Policy on the Collection, Use and Protection of ID numbers
- Limit use of social security numbers
- Promote the use of alternate identifiers: U ID (number) and Directory ID (alpha-numeric ID)
- Increase protection of SSN
- For more information, see and llection_Use_Protection_of_ID_Numbers.pdf

State Privacy Law
Privacy policy: If you are asked to provide personal information on an official university web site, university policy provides that you should be notified of the following:
- The purpose for which the personal information is collected;
- Any specific consequences for refusing to provide the information;
- Your right to inspect, amend, or correct personal records, if any;
- Whether the personal information is generally available for public inspection; and
- Whether the personal information is made available or transferred to or shared with any entity.

Potential ID Theft at Universities
“Universities have accounted for 28% of the 50 securities breaches of personal information recorded by California since 2003… …that’s more than any other group…” - San Francisco Chronicle March 29th 2005
And this is just California!

Shadow Databases
“A thief recently walked into a Berkeley office and swiped a laptop containing personal information about nearly 100,000 alumni…” - San Francisco Chronicle March 29th 2005

Universities with ID Theft Incidents
- UC, Berkeley
- Carnegie Mellon University
- UTexas, Austin
- George Mason University
- and several more…

What can be done?
- Stop using shadow databases
- Limit who has/has access to sensitive data
- Encryption
- Ensure the computer it’s stored on is protected (both physically and electronically)

Shadow Databases
Shadow databases are copies of a master database (ex: a copy of the Alumni database made for a professor for research purposes)

Shadow Databases
Shadow databases on laptops and desktops are often unprotected. This leaves them vulnerable to theft, viruses, worms, bots, hackers, etc.

Limiting Access to Sensitive Data
- Why does someone need a copy of a database?
- Why does there need to be a full SSN? Use the last 5-6 numbers
- Once the data is no longer needed – delete it!
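One way to apply these points when a copy of a master database really is needed, shown as an added example that is not part of the original presentation: the copy keeps only the requested columns and replaces each full SSN with its last five digits. The column names, the `keep=5` default and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Constructed sample extract from a master database (not real data).
MASTER_EXTRACT = """uid,directory_id,name,ssn,birth_date,degree_year
1000001,jdoe,Jane Doe,123-45-6789,1980-02-14,2002
1000002,rroe,Richard Roe,987 65 4321,1979-11-30,2001
1000003,bad,Bad Row,12345,1981-01-01,2003
"""

SSN_DIGITS = 9
# Matches 9 digits in the usual 3-2-4 grouping, with or without separators.
FULL_SSN = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")


def truncate_ssn(raw, keep=5):
    """Return the last `keep` digits of a 9-digit SSN, or None if malformed."""
    digits = re.sub(r"\D", "", raw or "")
    if len(digits) != SSN_DIGITS:
        return None
    return digits[-keep:]


def minimize_extract(src_text, needed_fields, keep=5):
    """Build the reduced copy: only `needed_fields`, SSN truncated.

    Rows whose SSN cannot be parsed are rejected (reported by uid)
    rather than copied through unchanged.
    """
    kept, rejected = [], []
    for row in csv.DictReader(io.StringIO(src_text)):
        out = {f: row[f] for f in needed_fields if f != "ssn"}
        if "ssn" in needed_fields:
            partial = truncate_ssn(row["ssn"], keep)
            if partial is None:
                rejected.append(row["uid"])
                continue
            out["ssn_last"] = partial
        kept.append(out)
    return kept, rejected


def contains_full_ssn(rows):
    """Audit check: does any value in the copy still look like a full SSN?"""
    return any(FULL_SSN.search(str(v)) for r in rows for v in r.values())
```

Running `contains_full_ssn` over the reduced copy before it leaves the master system gives a quick check that no full number slipped through in another column.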

Encryption
- Encryption is a way to convert a document into an unreadable format by way of an algorithm
- You need a key (a password or passphrase) to convert the encrypted version back to the original document
- If an encrypted DB is stolen and the thief doesn’t have the key they can’t read it

Protecting computers
- Physical security: laptop/desktop cables and locks (like a bicycle lock), STOP Tag
- Up-to-date anti-virus software
- Up-to-date on patches (Windows Update)
- Personal firewall (XP Service Pack 2 or ZoneAlarm)

Better Password Practices
- Use strong passwords! (ex: ‘tIaHrdPa$s2Crk’, not ‘password’)
- Store passwords safely. Do not store your passwords on your computer, keep a list of them next to your computer, or put them in your top drawer where a snooping visitor can find them.
- Use different passwords for different accounts.
- Change passwords with some regularity.

UMD’s push to minimize SSN use
- Creation of the UID – a unique number not tied to SSNs; needed for variety of purposes
- Move to U ID from SSN:
- Policy approval by President
- Inventory where SSN is used to plan conversion
- Print U ID NOT SSN on ID cards
- Remove SSN from display on information system screens and on printed reports
- Remove SSN option from login screens
- Continue education of all
- Password self-service

UMD’s push to minimize SSN use
OIT is currently auditing every department on campus to minimize the number of computers that have sensitive data on them, and to lock down those computers that MUST have sensitive data

UMD’s push to minimize SSN use
We will lock down these computers by:
- Encrypt the database containing sensitive info
- Up-to-date on patches
- Personal firewall
- Use of strong passwords
- Services that aren’t needed are turned off

The Range of Dangers
- Fee fraud hoax
- ShareYourExperiences.com and Word-of-Mouth.org
- Work from home scam
- Phishing
- Pharming
- Evil Twins

Legit?
- PayPal notice
- “…and we have reasons to belive that your account was hijacked by a third party”
- “If you choose to ignore our request, you leave us no choise but to temporaly suspend your account.”
- PayPal logo on legitimate Web site always appears with trademark

How to Identify Scam Messages
- Fraudulent messages only offer one means of communication with the company.
- Look for awkward writing, grammatical and spelling errors in messages—they abound!
- Fraudulent messages begin with a general greeting; you are not identified by name
- Dangerous messages may contain attachments that load software to enable thieves to record your keystrokes

Additional Tips to Avoid Victimization
- Don’t react to the urgent or obligatory nature of the message
- Don’t click on links to reach a company…they can take you to an illegitimate site. Instead, type the URL into a browser window to go to a secure (https) site.
- Your legitimate service provider should be requiring you to authenticate using an established user ID and password to login
- Checking legitimacy of Web host

Steps to Take if You Become a Victim
1. Contact your creditors and banks immediately.
2. Begin keeping records
3. Flag your credit file for fraud. For more information, go to
4. Review your credit reports
5. Report the crime
6. Address public record errors

What Compromised Agency Should Do
- Communicate with you
- Explain the nature of compromise and the likelihood of data theft
- Advise you of steps to take (fraud alert)
- Provide Web site for more information and other resources
- Tell you how to expect that you will be contacted with additional information
- Do not release personal information in response to contacts which you have not initiated
- Tell you the steps that have been taken to mitigate the situation, protect information

Other Self-Protection Strategies
- Next time you have checks printed, have only your initials and last name printed on them
- Do not sign the back of your credit cards; instead, write “Photo ID Required”
- Do not put the full account number on the “for” line of your checks when paying bills, just use the last four numbers
- Do put your work phone on your checks instead of home phone
- Do photocopy the contents of your wallet

Contact information
- Amy Ginther, Project NEThics Coordinator, x52619
- Gerry Sneeringer, IT Security Director, Project NEThics
- Thanks to: Kevin Shivers, Lead Security Analyst (former), for input to this session.