Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Security, Encryption, and User Awareness

Published byDelphia McKinney Modified over 5 years ago

Similar presentations

Presentation on theme: "Data Security, Encryption, and User Awareness"— Presentation transcript:

1 Data Security, Encryption, and User Awareness
2019 Pritzker Summer Research Group Rebecca Schaefer IT Security Analyst, BSD ISO

2 Agenda Who is Hacking Us and Why? Secure Computing Best Practices
Statistics of 2018 Cybersecurity Trends Cyber Threat Actors Secure Computing Best Practices Secure Computing Practices Tips Enabling Multi-factor Authentication (2FA) Password Security Data Encryption Phishing User Awareness Know Who to Contact

3 Who is Hacking us and why?
Data Security, Encryption, and User Awareness Who is Hacking us and why?

4 2018 Cybersecurity Trends 1 in 10 URLs are malicious
Average user receives 16 malicious s a month More than half of all s in the world are spam 78% of organizations said they experienced phishing attacks 48% of malicious attachments are Microsoft Office files 92% of all malware is delivered by Supply chain attacks have risen by 78% since 2017 Mobile ransomware has increased by 33% since 2017

5 Hacktivists, Terrorist Groups, and Thrill-Seekers
Cyber Threat Actors Nation-States Most sophisticated threat actors Dedicated resources and personnel Extensive planning and coordination Cybercriminals Moderate sophistication in comparison to nation-states Planning and support functions Specialized technical capabilities Hacktivists, Terrorist Groups, and Thrill-Seekers Lowest level of sophistication Often utilizes widely available tools that require little technical skill Actions usually have no lasting affect on target past reputation Insider Threats Individuals working within their organization Dangerous due to unique access to internal networks and resources Can be associated as another threat actor in addition to being insider threat Threat actors in the top tier of sophistication and skill, capable of using advanced techniques to conduct complex and protracted campaigns in the pursuit of their strategic goals, are often called advanced persistent threats (APT). This designator is usually reserved for nation-states or very proficient organized crime groups. Nation-states are frequently the most sophisticated threat actors, with dedicated resources and personnel, and extensive planning and coordination. Cybercriminals are generally understood to have moderate sophistication in comparison to nation-states. Nonetheless, they still have planning and support functions in addition to specialized technical capabilities that affect a large number of victims. Hacktivists, terrorist groups, and thrill-seekers are typically at the lowest level of sophistication as they often rely on widely available tools that require little technical skill to deploy. Their actions, more often than not, have no lasting effect on their targets beyond reputation. Insider threats are individuals working within their organization who are particularly dangerous because of their access to internal networks that are protected by security perimeters. Access is a key component for malicious threat actors and having privileged acess eliminates the need to employ other remote means. Insider threats may be associated with any of the other listed types of threat actors, but can also include disgruntled employees with motive.

6

7 Secure Computing Best Practices
Data Security, Encryption, and User Awareness Secure Computing Best Practices

8 Secure Computing Practices Tips
Use a password manager to create strong passwords and store them. Be on alert for signs of a phishing . Don’t open attachments or links in an untrusted . Utilize multi-factor authentication to prevent account compromise Ensure all ePHI or PII data stored on a device is encrypted Ensure any ePHI or PII data is securely deleted when it’s no longer needed. Keep your devices fully patched to avoid exploitation Install an Anti-Virus program and keep it up-to-date Ensure that your devices firewall is enabled and configured Backup your data to a secure location regularly “90/10” Rule: 10% of security safeguards are technical 90% of security safeguards rely on the computer user (“YOU”) to adhere to secure computing practices

9 Enabling Multi-Factor Authentication
What is Multi-Factor Authentication (2FA)? When a user logs into an account, that account uses one or more authentication factors in order to verify the identity of an authorized user. You are required to enroll in 2FA. Applications you can’t access without 2FA: Workday, UChicagoBox, VPN BSD: Secures your BSDAD account for BSD VPN and other secured applications Sign up at FAQ sheet is on the BSD ISO website at UChicago: Secures your CNet account for cVPN and other secured applications Sign up at

10 Password Security Creating Strong Passwords
A strong password has at least 12 characters. Utilize a password manager to create and store passwords. The University utilizes the password manager, LastPass. LastPass or 1Password are recommended password managers. For a better understanding of password strength visit, However, DO NOT enter any real passwords into this website. The table below shows how fast your password can be guessed Pattern Calculation Result Time to Guess 8 chars: lower case alpha 268 2x1011 < 1 second 8 chars: alphanumeric 628 2x1014 3.4 min 8 chars: all keyboard 958 7x1015 2 hours 12 chars: alphanumeric 6212 3x1021 96 years

11 Encryption vs. Passwords
Encrypting data is not the same as having a password. Passwords themselves do not scramble information. If something is only “password protected,” it’s not necessarily protected. Someone could bypass the password and read the information directly.

12 Types of Sensitive Data
Restricted / Confidential ePHI or electronic Protected Health Information (Personal + Health) Names, Medical Record Numbers, reports, test results, or appointment dates etc. PII or Personally Identified Information Name, SSN, driver’s license number etc. Clinical Research Data Privileged & Confidential Information (legal) Sensitive / Internal Use Only Policies and Procedures IT schematics, diagrams, configuration documents Contracts not subject to confidentiality agreements Public Content approved for posting to the web Directory Information listed on a public website When the classification is not clearly defined, default to Sensitive unless defined in writing by your supervisor.

13 Data Exposure Costs This table shows how much an incident costs the University both in time an money. Encrypted Device with ePHI/PII Unencrypted Device with ePHI/PII Unencrypted Device without ePHI/PII Incident Description User’s computer stolen from his/her car. Device had ~400 patient records. User forgot laptop in cab. Device had ~400 patient records. User left tablet on plane. Device had no patient health information. Investigation time (combined hours for incident response team – legal, HR, IT, security, etc.) 1 Hour 50 hours 35 hours Security Forensics Costs $ 0 $ 2,000 $ 800 Reputation Damage Costs Priceless

14 Data Encryption Type Encryption Solutions Cost/Impact How Apple
File Vault 2 Encrypt the contents of your entire drive. Solution will work for personally-owned and BSD-owned laptops. Strong AES 128 based encryption. can store recover key with Apple; well-documented install guide. Choose Apple menu () > System Preferences, then click Security & Privacy. Click the FileVault tab. Click the Lock  button, then enter an administrator name and password. Click Turn On FileVault. Windows BitLocker Strong encryption for data protection. Some hardware and software dependencies. Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume. If your TPM is not initialized, you will see the Initialize TPM Security Hardware wizard. Follow the directions to initialize the TPM and restart your computer. Select one of the following recover options from the recovery password page, you will see the following options: Saves the password to a USB flash drive. Saves the password to a network drive or other location. Print the password

15 Data Encryption Type Encryption Solutions Use/Features How
External Storage Apricorn Aegis USB Secures the transport of data, documents, and presentations. Strong, 256-bit AES hardware-based encryption; unlocks with onboard PIN pad; PIN activated 7-15 digits -Alphanumeric keypad. Purchase through University procurement or on you own from Amazon, Staples or any other major IT equipment provider. Apple Phone/ Tablet IOS Work for personally- owned and BSD-owned devices Native security feature, enabled by default with the use of passcode; vendor-supported Strong, 256-bit AES hardware-based encryption Can store recover key with Apple Set a passcode on phone Scroll down to the bottom of the Passcode settings page. You should see a message that says “Data protection enabled.” This means that the device's encryption is now tied to your passcode. Android Phone/ Tablet Android Easy setup, but not enabled by default Well-documented install guide. Your device’s battery must be at least 80% charged or won’t start. Your device must be plugged in throughout the entire process. Unroot phone if rooted before continuing. Following your manufacture’s steps to complete the encryption.

16 Phishing User Awareness
DO NOT click on any links or attachments in an that you do not recognize. If you are unsure of the intent of the and it looks suspicious, forward it as an attachment to If you receive an prompting you to login to a known service, do not navigate to that service through the . Instead, navigate to that service using a trusted method. An example would be if you receive a Google alert about your account, navigate to Google using your browser like you would normally rather than clicking on the link in the . Links in a phishing will often attempt to grab a copy of your credentials by leading you to a “cloned website” login. Make sure to check the domain of a URL. Often phishing s use similar domains (i.e. google.com vs. googie.com)

17 Know Who to Contact How to reach us:
It’s important that if you observe anything suspicious occurring that you reach out to the BSD ISO as soon as possible. Send us any suspicious s you receive so that we can investigate them. We’re here to help you, reach out to us if you have any questions regarding anything. We can help you secure your data so that you can focus on your work. How to reach us: Web Site: BSD ISO Team UCM ISO Team Plamen Martinov (773)

Download ppt "Data Security, Encryption, and User Awareness"

Similar presentations

ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.

ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Windows XP Tutorial Securing Windows. Introduction This presentation will guide you through basic security principles for Windows XP.

Windows XP Tutorial Securing Windows. Introduction This presentation will guide you through basic security principles for Windows XP.
Web Filtering. ExchangeDefender Web Filtering provides policy-controlled protection from dangerous content on the web. Web Filtering is agent based, allowing.

Web Filtering. ExchangeDefender Web Filtering provides policy-controlled protection from dangerous content on the web. Web Filtering is agent based, allowing.
Encryption – First line of defense Plamen Martinov Director of Systems and Security.

Encryption – First line of defense Plamen Martinov Director of Systems and Security.
Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.

Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.
Extending ForeFront beyond the limit www.AGATSolutions.com TMGUAG ISAIAG AG Security Suite.

Extending ForeFront beyond the limit TMGUAG ISAIAG AG Security Suite.
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Part 2 of Evil Lurking in Websites Data Security at the University of Wisconsin Oshkosh.

Part 2 of Evil Lurking in Websites Data Security at the University of Wisconsin Oshkosh.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Information Security Awareness:

Information Security Awareness:
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.

Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.
PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,

PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,
IT Security Essentials Ian Lazerwitz, Information Security Officer.

IT Security Essentials Ian Lazerwitz, Information Security Officer.
Security Computing Practices Plamen Martinov Chief Information Security Officer.

Security Computing Practices Plamen Martinov Chief Information Security Officer.
ENCRYPTION Coffee Hour for August 2014. HISTORY OF ENCRYPTION Scytale Ciphers – paper wrapped around rod, receiver needed same size rod to get the message.

ENCRYPTION Coffee Hour for August HISTORY OF ENCRYPTION Scytale Ciphers – paper wrapped around rod, receiver needed same size rod to get the message.
SHASHANK MASHETTY Email security. Introduction Electronic mail most commonly referred to as email or e- mail. Electronic mail is one of the most commonly.

SHASHANK MASHETTY security. Introduction Electronic mail most commonly referred to as or e- mail. Electronic mail is one of the most commonly.

Similar presentations

Ads by Google