Here - LSU Health New Orleans

Information Security Training for
LSUHSC Employees and Students
Protecting
Yourself and
Your University
in the
Digital World
Revised August 17, 2016
1
Introduction
• Welcome to LSUHSC’s Basic End User Information Security
training module. It is intended for all employees and students
who have access to LSU’s computing resources and must be
renewed on an annual basis.
• Information Security at LSU is everyone’s responsibility! During
your workday, you probably engage in various computer related
activities (e.g. communicating with others via email, or going to
various websites to perform research or access campus
resources).
• If you don’t follow appropriate security measures during these
seemingly harmless activities, you can inadvertently leave your
personal data, as well as sensitive University data, open to attack
from unauthorized users. These attacks can result in the
breakdown of your computer, portable device or LSU’s network.
2
What is an END USER?
• An End User is any employee, student or affiliate
who uses the LSU computer infrastructure in the
course of work or studies.
3
What You Need to Know
• Goals
• End User Responsibilities
• Password Management
Procedures
• Tampered Accounts
• Social Engineering
• LSU Security Policies
• Confidentiality/ Safeguards
• Safe Use of Portable Devices
4
Goals for Training
• Educate End Users about Information Security.
• Provide information on the role each End User plays
in protecting our network and data.
5
End Users Have Responsibilities
• As a user of LSUHSC computing resources you
have the responsibility to:
• Comply with LSU Security Policies (CM-42 & PM-36).
• Use computer resources responsibly.
• Create strong passwords.
• Use the computer for authorized purposes only (e.g. job-related or school-related).
• Participate in the protection of electronic resources and data.
• Take reasonable precautions to avoid introducing computer
viruses into the network.
• Stay up-to-date with your compliance training.
6
What is Information Security?
• Information Security is the protection of computing
resources and the data that they store or access.
7
Why Do I Need to Learn about
Information Security?
Isn’t this just an IT Problem?
8
Why is Information Security
Important?
• Information Security allows the University to carry
out its mission by:
– Enabling people to carry out their jobs, education,
and research.
– Supporting critical business processes.
– Protecting personal and sensitive information.
• Security violations have consequences.
9
Consequences
• Risk to integrity of confidential information (e.g. data corruption,
destruction, unavailability of patient information in an
emergency).
• Risk to security of personal information (e.g. identity theft).
• Loss of confidentiality, integrity & availability of data (and time).
• Embarrassment, bad publicity, media coverage, news reports.
• Loss of patients’ trust, employee and public trust.
• Costly reporting requirements.
• Internal disciplinary action(s), termination of employment or
student enrollment.
• Penalties, prosecution and potential for sanctions/lawsuits.
10
Passwords
• Your use of a strong password is critical to secure
Protected and Restricted information.
• Your password is like the lock on your house (you
want it to be as strong as possible).
11
If Someone Knows Your Username and
Password They Can….
• Read your emails
• Respond to your emails as if they were you
• Have the same access to all the information you have
• Have you blamed for offenses they commit using your
login ID
• Execute financial transactions in your name
• Access information on your patients
• Steal your identity
12
Strong Passwords
• No password is unbreakable.
• Given enough time and
computing power a hacker can
crack any password.
13
Passwords Under Attack
• Because passwords are the most common method
used to allow users access to computer networks,
cracking passwords quickly has become a top priority
not only for the independent hacker, but also for
governments, organized crime and other
organizations seeking unauthorized access to online
information.
14
Passwords Under Attack (cont.)
• Recent developments have aided these groups in their
quest to illicitly obtain passwords.
– New software that turns computer video cards into password
cracking supercomputers.
– Internet search engine software has been turned to cracking
passwords.
– Breaches of large networks such as Sony, Gawker, and
RockYou have made millions of passwords public, allowing
hackers to identify patterns in how the average network user
creates a password.
– Social Engineering scams to trick individuals into revealing
their passwords.
15
The Best Defense
• Choose passwords that take considerable time to
break (given commonly available computing power).
• Change your password frequently (do not give a
would-be hacker enough time to finish cracking it).
• Never, ever share your password (if someone you
don’t know asks for your password, s/he is up to no
good).
16
Remembering Passwords
• If at all possible, never write down your password.
• As passwords become more complex, it may become
necessary to write down a password to remember it.
• If you must write down your password(s) in order to
remember them, take the following precautions:
17
Take Precautions to Remember your
Passwords
• Don’t keep your User ID and its Password together.
Store them separately in a secure location.
• Don’t store your password on or near the computer
you use (e.g. instead of taping the password to the
bottom of your keyboard [really bad idea], keep it in
your glasses case).
• Instead of writing down the password, write down a
hint that will remind you of the password.
• Many smartphones have an app for storing passwords
securely (but you need another password to access it).
18
The Characteristics of a Strong
Password
Should:
• Be long, the longer the better
• Be difficult to guess
• Not be found in the dictionary
• Not be based on some readily available
personal information (e.g. child’s
name, home address, birth date, etc.)
• Contain characteristics from four
different categories (upper case and
lower case letters, numbers and
special characters)
19
The Characteristics of a Strong Password
(cont.)
• Password = “mydogrover”. 10 lower case letters. Ten
positions w/26 possible values for each position, or
26^10 = 141,167,095,653,376 possible combinations.
• Password = “MyD0gR0ver”. 10 upper and lower case
letters and numbers. Ten positions w/62 possible
values for each position, or 62^10 =
839,299,365,868,340,224, or about 6000 times as
many possible combinations.
20
The Characteristics of a Strong Password
(cont.)
• Password = “henrysdogrover”. 14 lower case letters.
Fourteen positions w/26 possible values for each
position, or 26^14 = 64,509,974,703,297,150,976
possible combinations, or 456,000 times as many
possible combinations as “mydogrover”.
21
The Characteristics of a Strong Password
(cont.)
• In the first case the number of available characters
was increased from 26 to 62, a difference of 36. The
increase resulted in 6000 times as many possible
combinations.
• In the second case, the length of the password was
increased from 10 characters to 14, a difference of 4.
The increase resulted in 456,000 times as many
possible combinations.
22
How To Create a Strong Password
The “strength” of a password is based upon the number of
combinations possible:
• Password = “Eek!_the_beAt1e$!” - 17 characters. Upper and lower case
letters, numbers and special characters, or 66^17
(8,555,529,718,761,317,069,203,003,539,456) possible combinations.
– It would take approximately 6 months of continuous processing to crack this password
using the methods described above.
• Password = “Alex_hates_avacados!” - 20 characters. Upper and lower case
letters and special characters, or 54^20 (about 4.4450351179593105816204799588172 × 10^34)
possible combinations.
– It would take over twelve years of continuous processing to crack this password using the
methods described above.
Which password is stronger?
Which password is easier to remember?
23
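The keyspace arithmetic on the last four slides, as an added Python example (not part of the original training deck). It reproduces the counts above from a pool size and a length, derives the pool from the character categories a password actually uses, and adds a worst-case exhaustive-search time at an assumed guess rate. The slides do not say how many special characters their 66- and 54-character pools include, so the `special_pool` parameter (4 for the first password, 2 for the second) is an assumption chosen to reproduce them; the 1e10 guesses-per-second rate in the demo is likewise an assumption, not the rate behind the slides' own "6 months" and "twelve years" estimates.

```python
LOWER, UPPER, DIGIT = 26, 26, 10   # pool sizes the slides use


def category_pool(password: str, special_pool: int = 4) -> int:
    """Alphabet size an attacker must cover, from the categories the password uses.
    `special_pool` is how many special characters the attacker includes; the
    slides do not state theirs, so this is an assumption (4 reproduces their
    66-character pool, 2 their 54-character pool)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += LOWER
    if any(c.isupper() for c in password):
        pool += UPPER
    if any(c.isdigit() for c in password):
        pool += DIGIT
    if any(not c.isalnum() for c in password):
        pool += special_pool
    return pool


def keyspace(pool: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover: pool ** length (exact)."""
    return pool ** length


def password_keyspace(password: str, special_pool: int = 4) -> int:
    return keyspace(category_pool(password, special_pool), len(password))


def speedup(weaker: str, stronger: str, special_pool: int = 4) -> float:
    """How many times larger the stronger password's keyspace is."""
    return password_keyspace(stronger, special_pool) / password_keyspace(weaker, special_pool)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a constant guess rate
    (the rate is an assumption supplied by the caller)."""
    return space / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    examples = [("mydogrover", 4), ("MyD0gR0ver", 4), ("henrysdogrover", 4),
                ("Eek!_the_beAt1e$!", 4), ("Alex_hates_avacados!", 2)]
    for pw, sp in examples:
        space = password_keyspace(pw, sp)
        print(f"{pw:22} pool={category_pool(pw, sp):2} len={len(pw):2} "
              f"keyspace={space:,}  ~{years_to_exhaust(space, 1e10):.3g} years at 1e10 guesses/s")
    print("MyD0gR0ver vs mydogrover:     x", round(speedup("mydogrover", "MyD0gR0ver")))
    print("henrysdogrover vs mydogrover: x", round(speedup("mydogrover", "henrysdogrover")))
```

The ratios confirm the slide's point: widening the pool from 26 to 62 multiplies the keyspace by roughly 5,945, while adding four characters at the same pool multiplies it by exactly 26^4 = 456,976.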
How To Create a Strong Password (cont.)
• Tips on using phrases or sentences as passwords:
– Avoid well known phrases like book or movie titles or quotes
of your favorite characters or historical figures. Hackers collect
lists of such phrases to try first before switching to brute force
techniques.
– Instead build sentences about your everyday life, e.g.,
“GeorgehasaCamaro!” or “Tom_likes_Mustangs_better”.
24
How To Create a Strong Password (cont.)
– Avoid using pronouns (e. g., I, me, mine, you,
yours, he, she, it, etc.) in your sentences.
Pronouns make your password vulnerable to a
syntax attack.
• Instead of a password like “I_hate_broccoli” use
“Carol_hates_broccoli”. Using proper names also
makes the password longer.
– You can still include numbers and special
characters if you wish. For example,
“Bill_is_LSUs_#1_fan!” would take centuries to
crack using modern methods.
25
How To Make YOUR Password Stronger
• Make it longer – 15 character passwords are much
more secure than 10 character passwords.
• Use a larger pool of characters – Passwords
containing upper and lower case letters, numbers
and special characters like ‘$’, ‘!’, and ‘_’ are more
secure than passwords using lower case letters alone
for the same length.
26
LSUHSC Password Policy
• The password must contain characters from three of
the four following categories:
– English upper case letters (A-Z)
– English lower case letters (a-z)
– Base 10 digits (0-9)
– Non-alphanumeric characters: ONLY @, #, $, _
• The first character must be a lower case or an upper
case character (a-z, A-Z).
• The password must be no less than 10 characters
(but can be longer).
27
LSUHSC Password Policy (cont.)
• The password must be different from the previous
14 passwords used.
• The password must be changed at least every 70
days, and will remain valid for 70 days.
• The password cannot be changed more than once in
24 hours.
• The password cannot contain the UserID as a
substring.
• The password cannot contain a string of characters
from the user’s name.
28
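An added Python checker (not LSUHSC's own code) that applies the rules on the two policy slides to a candidate password and returns every violation it finds, plus the days left before the 70-day deadline. Assumptions beyond the slides: the user-ID and name checks are case-insensitive, "a string of characters from the user's name" is read as any whitespace-separated part of the name of three or more characters, and the password history is kept as SHA-256 digests purely for the demonstration (a production system stores a salted, slow password hash). The user `jsmith` / "John Smith" and the sample passwords in the demo are constructed.

```python
import hashlib
from datetime import datetime, timedelta, timezone

ALLOWED_SPECIALS = set("@#$_")   # the ONLY non-alphanumerics the policy permits
MIN_LENGTH = 10
HISTORY_DEPTH = 14               # must differ from the previous 14 passwords
MAX_AGE_DAYS = 70                # must be changed at least every 70 days
MIN_AGE_HOURS = 24               # cannot be changed more than once in 24 hours
MIN_NAME_FRAGMENT = 3            # assumption: name parts of 3+ characters count


def fingerprint(password: str) -> str:
    """Digest stored in the password history. Demonstration only: a real
    system keeps a salted, slow hash (bcrypt, scrypt, argon2), not SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _as_datetime(value):
    """Accept a datetime or an ISO-8601 string such as '2016-08-17T12:00:00+00:00'."""
    if value is None or isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value)


def check_password(candidate, user_id, full_name, history=(), last_changed=None, now=None):
    """Return the list of policy rules the candidate violates (empty = acceptable)."""
    now = _as_datetime(now) or datetime.now(timezone.utc)
    last_changed = _as_datetime(last_changed)
    problems = []

    categories = {
        "upper": any("A" <= c <= "Z" for c in candidate),
        "lower": any("a" <= c <= "z" for c in candidate),
        "digit": any("0" <= c <= "9" for c in candidate),
        "special": any(c in ALLOWED_SPECIALS for c in candidate),
    }
    if sum(categories.values()) < 3:
        problems.append("uses fewer than three of the four character categories")

    disallowed = sorted({c for c in candidate
                         if not (c.isascii() and c.isalnum()) and c not in ALLOWED_SPECIALS})
    if disallowed:
        problems.append("contains characters not permitted by policy: " + "".join(disallowed))

    if not candidate or not (candidate[0].isascii() and candidate[0].isalpha()):
        problems.append("first character must be a letter (a-z, A-Z)")

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    lowered = candidate.lower()
    if user_id and user_id.lower() in lowered:
        problems.append("contains the user ID")

    for part in full_name.lower().split():
        if len(part) >= MIN_NAME_FRAGMENT and part in lowered:
            problems.append(f"contains part of the user's name ({part})")

    if fingerprint(candidate) in list(history)[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")

    if last_changed is not None and now - last_changed < timedelta(hours=MIN_AGE_HOURS):
        problems.append(f"changed less than {MIN_AGE_HOURS} hours ago")

    return problems


def days_until_expiry(last_changed, now=None) -> int:
    """Days left before the 70-day change deadline (negative = already expired)."""
    now = _as_datetime(now) or datetime.now(timezone.utc)
    return MAX_AGE_DAYS - (now - _as_datetime(last_changed)).days


if __name__ == "__main__":
    # Constructed demo account and candidates.
    user, name = "jsmith", "John Smith"
    history = [fingerprint("Sunny_Day2024")]
    for pw in ["Sunny_Day2024", "sunnyday", "1Sunny_Day23", "Sunny!Day2024",
               "jsmith_Rocks1", "Smith_family9"]:
        print(f"{pw:16} -> {check_password(pw, user, name, history) or 'OK'}")
    print("days until expiry:",
          days_until_expiry("2016-06-18T12:00:00+00:00", "2016-08-17T12:00:00+00:00"))
```

The checker reports every failing rule rather than stopping at the first, which is what a user-facing password dialog needs; the 24-hour and 70-day rules are evaluated against an explicit `now` so they can be tested without depending on the wall clock.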
Social Engineering
The process of deceiving people into giving away access
or confidential information. It is the act of manipulating
people into performing actions or divulging confidential
information, rather than defeating technical defenses
like breaching firewalls or cracking passwords. The
term typically applies to trickery or deception for the
purpose of information gathering, fraud, or computer
system access; in most cases the attacker never comes
face-to-face with the victim.
29
Why Do People Fall for Social Engineering
Techniques?
People are fooled every day by these scams
because they haven't been adequately warned
about social engineers. Without the proper
education, most people won't recognize a social
engineer's tricks because they are often very
sophisticated.
Awareness is the number one defensive measure.
Employees and students should be aware that
social engineering exists and also be aware of the
tactics most commonly used.
30
Social Engineering (cont.)
• Examples of “People Hacking” include:
– Telephone conversations from someone
pretending to be a Help Desk supporter or
computer vendor
– Shoulder surfing
– Phishing Scams
– Combination Attacks
– Hoaxes
– Dumpster diving
– Physical access to your computer
31
Telephone Conversations
• A hacker might attempt to gain your password by
impersonating a Help Desk supporter or a computer
vendor such as Microsoft during a phone conversation.
• Passwords should NEVER be given out during a telephone
conversation.
• Computer vendors will NOT call users directly.
– If someone calls claiming to be a vendor, tell them to
contact Computer Services and explain the problem.
– Do not, under any circumstances, follow any instructions
given to you by this person, no matter what dire
consequences they may describe.
– Hang up as quickly as possible and report the call to the
Help Desk at 568-4357.
32
Telephone Conversations (cont.)
• The Help Desk will ask for a secondary form of
authentication when unlocking your account or
resetting your password such as:
– Last four digits of your Social Security number
– Date of birth
– Place of birth
33
You Get a Call at Your
Desk
• The caller gives his name and
states he works for Microsoft
Corp. He is calling you because he
is getting numerous alerts from
your computer indicating your
computer is infected with multiple
viruses.
• Your computer is working fine as
far as you can tell.
• He wants you to carry out a series
of steps to correct the problem.
What Should You Do?
a. Hang up on the caller and
continue working. No big deal.
b. Hang up and call the Help Desk
(4357) to report a phishing call.
c. Follow the caller’s instructions.
Virus infections are very serious
and the caller said he was from
Microsoft so he must know
what he is doing.
34
You Should
Hang up and call the Help Desk to report a
phishing call.
– An employee of a computer vendor (e.g.
Microsoft, Cisco, HP, etc.) will never call an
individual user.
– Never perform steps on your computer at
someone’s direction unless you have called that
individual (e.g. the Help Desk) and asked for help.
35
Shoulder Surfing
• A hacker could attempt to learn your
password or breach confidential
information by:
– watching while you type your password
– reading your computer’s screen
• Prevention:
– Type your password quickly or when no
one else is watching.
– Position your screen so it can’t be easily
viewed by someone behind you.
36
Phishing Scams
• Phishing is a technique to trick you into taking an
action you would not ordinarily take (e.g.
transferring funds or revealing your password).
The hacker sends an email that pretends to be
from a legitimate provider of services such as the
IT department, a bank, a brokerage house, an ISP
or an email service provider, etc.
• In the body of the email, the hacker creates a sense of urgency
or fear to motivate the reader to take the action he desires
(usually clicking on a link or an attachment).
• If you suspect that an email may be a phishing scam, contact the
purported sender, without using any links or other information
from the email, and confirm the email is legitimate. For example, if
the email says it’s from the IT department, call the Helpdesk at 568-HELP.
37
Phishing Scams (cont.)
• DO NOT click on any of the links or take any other action
directed by the email until you confirm it is legitimate.
• A phishing message will direct you to take an action such
as:
– Clicking on a link or an attachment
– Revealing your username and password
– Transferring funds
• It will contain one or both of the following elements:
– Reason (“Due to the recent email upgrade. . .”)
– Consequence (“. . . or your account will be
suspended.”)
38
Phishing Scams (cont.)
• Milder messages may omit or imply the
consequence: “Due to a lack of activity on your
account (reason), you must click on the link below
and login with your username and password
(action).”
• The loss of access to the account is implied.
• More aggressive messages may omit the reason:
“Funds must be transferred by clicking on the link
below before COB today (action) or your payroll
account will be overdrawn! (consequence)”
39
Could it Be a Phishing Email?
• Does it ask you to take an action such as clicking on a
link or an attachment or transferring funds?
• Does it give a reason that makes the action seem
logical?
• Does it ask for your username and password?
• Does it create a sense of fear or urgency by stating or
implying dire consequences for failing to act (e.g.
access suspended, account overdrawn, legal action
taken, etc.)?
• Does the message start with “*EXTERNAL EMAIL:
EVALUATE*”?
40
Could it Be a Phishing Email?
If the answer is “YES” to three (3) or more of
the questions in the previous slide, it may be
a phishing email and you should
independently confirm that it is legitimate.
41
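The five-question checklist and the "three or more" rule, as an added Python example (not the deck's own code) that scores a message against each question with illustrative keyword patterns and reports which indicators matched. The sample messages are constructed, condensed from the phishing examples shown later in this deck and from the legitimate password-policy notice, with placeholder addresses; the keyword lists are assumptions for illustration, not an official list, so a high score is a prompt to verify independently, exactly as the slide says, not a verdict.

```python
import re

EXTERNAL_BANNER = "*EXTERNAL EMAIL: EVALUATE*"
THRESHOLD = 3   # the slide: "YES" to three or more questions

# One pattern per checklist question. The word lists are illustrative
# assumptions chosen for this demonstration, not a complete or official list.
CHECKS = {
    "asks you to take an action": re.compile(
        r"\b(click|follow|log ?in|validate|transfer|send|open)\b", re.I),
    "gives a reason for the action": re.compile(
        r"\b(due to|because|upgrade|maintenance|improved|helps us|in order to)\b", re.I),
    "asks for your username or password": re.compile(
        r"\b(send|enter|provide|confirm|supply|reply with)\b[^.]*\b(user ?name|password|credentials)\b", re.I),
    "creates fear or urgency": re.compile(
        r"\b(urgent|immediately|suspended|overdrawn|legal action|hold|before cob|will not be available|expire)\b", re.I),
}


def phishing_indicators(message: str) -> list[str]:
    """Return the checklist questions this message answers 'yes' to."""
    hits = [question for question, pattern in CHECKS.items() if pattern.search(message)]
    if EXTERNAL_BANNER in message:
        hits.append("marked " + EXTERNAL_BANNER)
    return hits


def looks_like_phishing(message: str, threshold: int = THRESHOLD) -> bool:
    return len(phishing_indicators(message)) >= threshold


# Constructed samples, condensed from the examples in this deck (placeholder addresses).
OWA_UPGRADE = """*EXTERNAL EMAIL: EVALUATE*
To All Faculty/Staff/Outlook Web Access Users
Take note of this important update that our new web mail has been improved with a
new messaging system from Outlook Web Access which also include faster usage on email,
shared calendar, web-documents and the new 2016 anti-spam version.
Please use the link below to complete your upgrade for our new Outlook Web Access
improved Webmail. CLICK on FACULTY AND STAFF UPGRADE.
Regards, IT Service Desk Support."""

ACCOUNT_VALIDATION = """*EXTERNAL EMAIL: EVALUATE*
Hello user
We have placed a temporal hold on two incoming mails to your account due to insufficient
validation. To continue receiving messages, please follow address and validate your service.
This helps us stop automated programs from sending junk email.
We apologize for any inconvenience and appreciate your understanding."""

MAINTENANCE_2010 = """Please note that some of the staff and faculty mailboxes will not be available
between 6:00 and 9:00 pm Tuesday for system maintenance.
The Maintenance will include the upgrading of the current user info, you are hereby
requested to send your current (User Name) (Password) for upgrade to upgrade@example.invalid"""

PASSWORD_POLICY_NOTICE = """On April 1, 2015, the length of time between required password changes for your
LSUHSC account will extend from 35 days to 70 days. Additionally, the minimum length of the
password will increase from 8 characters to 10 characters. Your current password will expire
as scheduled. When your current password expires you will be required to select a
10-character password. View our password policy for full policy details.
This message has been authorized by LSU Health Sciences Center administration for
mass distribution as a service to our faculty, staff, and students."""

if __name__ == "__main__":
    samples = [("OWA upgrade", OWA_UPGRADE), ("account validation", ACCOUNT_VALIDATION),
               ("2010 maintenance", MAINTENANCE_2010), ("policy notice", PASSWORD_POLICY_NOTICE)]
    for label, text in samples:
        verdict = "verify independently" if looks_like_phishing(text) else "low score"
        print(f"{label:20} {verdict:22} {phishing_indicators(text)}")
```

Note what the legitimate notice scores: it mentions passwords and uses the word "expire", so a naive keyword count would flag it; requiring that a credential word follow a request verb ("send", "enter", "provide") keeps it at one indicator, below the slide's threshold, while the three phishing samples all reach three or more.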
What Do I Do?
• If you suspect an email might be a phishing
email:
– DO NOT take any action directed by the email.
– Attempt to contact the entity listed as the sender to
confirm that the request is legitimate.
– When contacting the sender, DO NOT use any
information contained in the suspect email.
– Instead obtain contact information from your own
contact list or from the entity’s website.
– If the sender denies sending the email, send the
suspicious email as an attachment to [email protected].
42
Phishing Scams (cont.)
• Don’t click on these links in unsolicited emails or text
messages:
– Celebrity pictures or scandals (“HOT PICS of [name of celebrity].”)
– Breaking news (“LATEST INFO on flood insurance, Affordable Care Act,
etc.)
– Offers for “free” or “discounted” software.
– Unbelievable bargains (Cruises, iPads, etc.)
– Attachments claiming to be invoices or lawsuits.
– Charity scams (“Aid the victims of the Haitian earthquake.”)
– Offers of “exclusive access” if you simply login with your email
credentials.
– Online surveys.
– Emails claiming to be from the IRS or FBI.
43
Actual Phishing Email
From: LSU Health Sciences Center [mailto:[email protected]]
Sent: Monday, October 18, 2010 11:14 AM
Subject: Notice
REASON
Please note that some of the staff and faculty mailboxes will not be
available between 6:00 and 9:00 pm Tuesday, October 19th, 2010. for
system maintenance.
ACTION
The Maintenance will include the upgrading of the current user info, you
are hereby requested to send your current (User Name) (Password) for
upgrade to [email protected]
Thank you
Information Technology
Asks for your User Name and Password.
Implies you won’t be “upgraded” without supplying username and password.
44
Legitimate Email from LSUHSC
From: Bettina Owens - Asst Vice Chancellor for Information Technology
Sent: Wednesday, March 04, 2015 10:13 AM
To: LSUHSC N.O. Faculty, Staff and Students
Subject: Password Policy Changes
On April 1, 2015, the length of time between required password changes for your
LSUHSC account will extend from 35 days to 70 days. Additionally, the minimum length
of the password will increase from 8 characters to 10 characters.
Your current password will expire as scheduled, whether that is 1 day or 34 days after
April 1st . The next time you change your password after April 1st you will have 70 days
before you have to change it again. When your current password expires you will be
required to select a 10-character password. View our password policy for full policy
details.
**********************************************************************
This message has been authorized by LSU Health Sciences Center administration for
mass distribution as a service to our faculty, staff, and students.
45
Is this a Phishing Scam? Yes or No
From: Mary Nucci [mailto:[email protected]]
Sent: Wednesday, July 06, 2016 10:06 AM
Subject: To All Faculty\Staff\Outlook Web Access Users
*EXTERNAL EMAIL: EVALUATE*
To All Faculty\Staff\Outlook Web Access Users
Take note of this important update that our new web mail has been improved with a
new messaging system from Outlook Web Access which also include faster usage on email,
shared calendar, web-documents and the new 2016 anti-spam version.
Please use the link below to complete your upgrade for our new Outlook Web Access
improved Webmail.
CLICK on FACULTY AND STAFF UPGRADE.
Regards
IT Service Desk Support.
46
YES!!
From: Mary Nucci [mailto:[email protected]]
Sent: Wednesday, July 06, 2016 10:06 AM
Subject: To All Faculty\Staff\Outlook Web Access Users
*EXTERNAL EMAIL: EVALUATE* Email is from outside the LSUHSC campus
To All Faculty\Staff\Outlook Web Access Users
URGENT
Take note of this important update that our new web mail has been improved with a
new messaging system from Outlook Web Access which also include faster usage on email,
shared calendar, web-documents and the new 2016 anti-spam version. REASON
CONSEQUENCE
Please use the link below to complete your upgrade for our new Outlook Web Access
improved Webmail. ACTION
CLICK on FACULTY AND STAFF UPGRADE.
Regards
IT Service Desk Support.
47
Is this a Phishing Scam? Yes or No
From: donotreply [mailto:[email protected]]
Sent: Thursday, May 12, 2016 2:33 PM
To: [email protected]
Subject: Help Desk Ticket - # HD99573091 Account Validation
*EXTERNAL EMAIL: EVALUATE*
Hello user
We have placed a temporal hold on two incoming mails to your account due to insufficient
validation.
To continue receiving messages, please follow address and validate your service.
This helps us stop automated programs from sending junk email.
We apologize for any inconvenience and appreciate your understanding.
Thanks,
The account team.
This email has been sent from a virus-free computer protected by Avast.
www.avast.com
48
Yes!
From: donotreply [mailto:[email protected]]
Sent: Thursday, May 12, 2016 2:33 PM
To: [email protected]
Subject: Help Desk Ticket - # HD99573091 Account Validation
URGENT
*EXTERNAL EMAIL: EVALUATE* FROM OUTSIDE THE CAMPUS
Hello user
We have placed a temporal hold on two incoming mails to your account due to insufficient validation.
To continue receiving messages, please follow address and validate your service. ACTION
CONSEQUENCE
This helps us stop automated programs from sending junk email. REASON
We apologize for any inconvenience and appreciate your understanding.
Thanks,
The account team.
This email has been sent from a virus-free computer protected by Avast.
www.avast.com
49
Things to Remember
• LSUHSC-NO will NEVER ask for your user name or password in
an email.
• If it is an email sent to all employees and/or students, it will
contain the sender’s name and job title and the following text
will be appended to the end of the message: “This message has
been authorized by LSU Health Sciences Center administration for
mass distribution as a service to our faculty, staff and students.”
• Emails from outside the LSUHSC network will contain the
message “*EXTERNAL EMAIL: EVALUATE*”. NEVER provide your
username or password in response to an email from outside the
LSUHSC network.
• If you suspect the email is a phishing scam, independently
confirm the email by contacting the sender without using any
information in the email. Obtain information from your own
contact list or from the sender’s website.
50
Combination Attacks
• Recently, hackers have been combining different
social engineering attacks. One example is called
Franco-phoning.
– Franco-phoning combines a phishing email with a
telephone call to convince the victim to turn over
sensitive data or install malware.
– First, the hacker carefully researches the target
organization to obtain names of executives, their
assistants, customers, phone numbers, and email
addresses.
51
Combination Attacks (cont.)
– Using that information, the hacker calls a targeted
individual within the organization, usually an
accountant or an administrative assistant with
authority to make large financial transactions.
– The hacker poses as a customer, bank representative
or another employee using a real name based on his
research.
– The hacker provides a plausible story, again using his
research, and requests the assistance of the victim.
52
Combination Attacks (cont.)
– The hacker then sends an email with an attachment
that is supposed to be an invoice or wire transfer that
needs immediate processing.
– When the victim clicks on the attachment, malware is
installed on the victim’s computer that allows the
hacker to assume the victim’s logon ID and execute
transfers of large sums of money.
– Unlike other phishing attacks, franco-phoning emails
have perfect grammar and spelling.
53
Combination Attacks (cont.)
– Because of the research the hacker does, special
formats and messages are usually correct.
– The best defense is to independently verify
everything before taking action on any request that
seems out of the ordinary.
– If the caller claims to be from IT, call IT on a separate
line and verify what the caller says.
– If the caller claims to be from your bank, call your
regular banker to verify what you are being told.
54
Hoaxes
• One type of suspicious email is the hoax. It warns of a virus or
other type of malware that will cause serious harm to your
computer such as wiping the hard drive. It is especially perfidious
because it usually comes from a well-meaning friend or relative
who has been duped by the hoax.
• Hoax emails generally have the following characteristics:
– They are sent by a friend or colleague.
– They warn of a “new” virus, malware or hazard.
– They claim that this new hazard damages your computer in some
catastrophic way, usually erasing the hard drive.
– The email claims that anti-virus programs are unable to detect it or have
been caught off guard by its appearance.
– It urges you to send this “warning” to everyone in your address list.
55
Problems Caused by Hoaxes
• The main problem caused by Hoaxes is that they overload
email systems with unnecessary traffic.
• In addition, those that follow the instructions in the Hoax
email wind up disabling their computers and must have them
repaired or reconfigured before they are usable again.
• As with other threats, Hoaxes have developed variations.
Some variants to watch out for are:
– The virus named in the hoax is the name of an actual virus.
However, the real virus acts differently than what the hoax
describes.
– The hoax will instruct recipients to delete an obscure system file
causing their computers to malfunction on the next boot-up.
56
How Can You Tell if it is a Hoax?
• How do you determine whether a message is
genuine or a hoax?
– Does the message have three or more of the
characteristics of a hoax?
– Remember that any links in the message are there to
convince you of its authenticity, so don’t rely on them.
– Enter specific or unique terms from the message into an
Internet search engine and see if any references to hoaxes
come up.
– Call the Help Desk.
• It is a violation of CM-42 to re-transmit virus
hoaxes.
57
How Can You Tell
• You can check the following websites:
– http://home.mcafee.com/virusinfo/virus-hoaxes
– http://www.snopes.com/computer/virus/virus.asp
– http://antivirus.about.com/od/emailhoaxes/l/blenh
oax.htm
58
Dumpster Diving
• A hacker might learn information by:
- scouring trash for passwords written on scraps of paper
- reading documented computing procedures
- finding discarded hard drives, discs, or CDs
• Destroy all information in accordance with policy once it is no
longer needed.
• Contact your local computer supporter or the Help Desk for
assistance with properly erasing or destroying computer
media.
59
Physical Access to your Computer
• A hacker could access, remove, destroy,
or otherwise damage your computer.
• Prevention: Always use good physical
security measures to prevent theft or
damage to your computer.
– Lock your office when you leave for
lunch or breaks.
– Keep your laptop in the trunk of your
car, not on the seat.
60
Information Security Policies
• LSUHSC-NO has two information security policies. Employees
and Students should familiarize themselves with both of them.
– CM-42 - Information Technology (IT) Infrastructure
(http://www.lsuhsc.edu/administration/cm/cm-42.pdf)
– PM-36 Louisiana State University System Information Security
Plan (http://www.lsuhsc.edu/administration/pm/pm-36.pdf)
61
CM-42 Connected
• Applies to any person using, or
any device that Connects to the
LSUHSC IT Infrastructure.
• A device is considered Connected
to the LSUHSC IT Infrastructure if
it is plugged into a wired network
jack on campus, connects to the
LSUHSC wireless network on
campus, remotely connects to the
LSUHSC network via the Internet,
telephone connection, or other
remote mechanism.
• Examples of remotely
connecting include, but are
not limited to:
- using the remote.lsuhsc.edu
VPN “Network Connect”
option
- logging on to Citrix (DesktopNew or PSDesktop) on campus
- using a mobile device that is
on a cellular network and uses
ActiveSync to access email
(sometimes called “push”
email)
62
CM-42 Not Connected
• Methods of accessing the LSUHSC network that do
NOT meet the definition of Connected include, but
are not limited to:
– using the remote.lsuhsc.edu VPN with the “Web
Connect” option
– using Outlook Web Access (OWA) off campus
– logging on to Citrix (Desktop or PSDesktop) off
campus
63
CM-42 Acceptable Use
• End Users are accountable for any violations
associated with their user IDs.
• The IT infrastructure must only be used in the
furtherance of the user’s work as an employee or
student.
• All computer equipment purchased with LSUHSC
funds and the electronic data created by it are
LSUHSC property.
• End users are not allowed to store personal files
on LSUHSC equipment.
64
CM-42 Acceptable Use (cont.)
• End users must exhibit responsible behavior by
complying with:
- All Federal and State laws
- LSU rules and policies
- Terms and computing contracts
- Software licensing rules
• Proper authorization must be obtained from the
supervisor (if an employee) or dean (if a student):
- to use LSU computing resources
- before accessing or sharing data
65
CM-42 Illegal Use of the I.T.
Infrastructure
End Users shall NOT:
• Engage in any activity that jeopardizes the
availability, performance, integrity, or
security of the I.T. infrastructure.
• Use computing resources in a wasteful
manner.
• Use I.T. resources for personal gain or
commercial purposes not directly related
to their jobs.
• Use I.T. resources to store personal files.
66
CM-42 Illegal Use (cont.)
• Install, copy, or use any software in violation of
licensing agreements, copyrights, or contracts.
• Obtain or attempt to access the files or electronic
mail of others unless authorized by the owner.
• Harass, intimidate, or threaten others through
electronic messages.
• Construct a false communication that appears to be
from someone else.
• Use non-LSUHSC E-mail to conduct official LSUHSC
business unless authorized by the Chancellor.
67
CM-42 Illegal Use (cont.)
• Send or forward unsolicited E-mail to lists of
people unrelated to official business.
• Send, forward, or reply to E-mail chain
letters.
• “Reply to all” to mass E-mail mailings.
• Create or transmit any offensive, obscene, or
indecent images, data, or other material.
• Retransmit virus hoaxes.
68
Examples of Illegal Use
• Using “Napster” clones (Kazaa, Morpheus,
BitTorrent, etc.)
• Playing streaming audio or video that is not
work or school related.
• Operating a website on the LSUHSC network
for personal use or business use not related
to your job.
• Accessing of websites not related to your job
or your studies.
69
CM-42 Data
• Data is defined as any information residing on the University’s
IT Infrastructure or held on any other IT Infrastructure on
behalf of the University. These data include files, documents,
and messages in any format, including e-mail messages and posts
made on any Social Media site maintained by/for the
University.
• All University data created and/or maintained by a User are
also subject to this Policy, even if the data are created and/or
stored on the User’s own personal computer, smartphone, or
other personal device.
70
CM-42 Data (cont.)
• Courts have ruled that, for purposes of e-discovery or
public records requests, LSUHSC bears the responsibility for
producing the information under penalty of law, whether the
information resides on the agency’s own devices or those of its
employees.
• Therefore, faculty, staff and students must
understand that there is no expectation of privacy
regarding LSUHSC Data, even if it resides on one’s
personally owned device.
71
PM-36
• PM-36 is the LSU System Information Security Plan.
• It classifies sensitive information into two categories:
– Protected Information
– Restricted Information
72
PM-36 Protected Information
• Protected Information includes, but is not limited to:
– Employment records
– Medical records (including research data)
– Student records
– Personal financial information (SSNs, credit card numbers, etc.)
– Trade secret information
– Classified government information
73
PM-36 Restricted Information
• Restricted information is limited to a few individuals. It
includes but is not limited to:
– Any information related to potential or actual litigation
– Ongoing investigations
– Psychotherapy notes
– Disciplinary actions
74
PM-36 Contingency Plans
• All Protected and Restricted information must have a
contingency plan that covers the possible loss of the
information due to fire, equipment failure, data corruption,
weather, power failure, accidental erasure, etc.
- All data stored on LSUHSC servers are covered by the LSUHSC
Contingency Plan.
- Contingency plans for Protected and Restricted information
stored on workstations, laptops, external hard drives, flash
drives, etc. are the responsibility of the end user.
75
PM-36 Public Records
• Any email or other electronic file, produced in connection with
your employment or education at LSUHSC-NO that does not meet
the definition of protected or restricted information is considered
to be a public record under State law and must be made available
to any citizen within 72 hours of the request.
• For that reason, any email or other electronic file created or received
in connection with your work at LSUHSC-NO must be kept on LSUHSC-NO
servers so as to be available in the event of a public records
request.
• Any email or other electronic file created or received in connection
with your work at LSUHSC-NO that resides on your personal device
may need to be produced in order to satisfy a public records request.
76
Data Breaches
• A data breach occurs when sensitive information is accessed by
unauthorized persons.
• Federal and State laws require that persons whose personal,
financial, or health information is compromised by a data breach
must be notified that their information has been disclosed.
• Information that is encrypted is exempt from these notification
requirements.
• Data breaches can expose LSUHSC and its employees to civil and
criminal penalties.
• Civil monetary penalties for data breaches range from $100 to
$50,000 per record.
• Criminal penalties include imprisonment for up to ten years.
77
Examples of Data Breaches
• Lost or stolen laptops storing unencrypted PHI or student
data.
• Lost or stolen smart phones with email access.
• Lost or stolen USB “thumb” drives or portable hard drives
with unencrypted PHI or student data.
• Papers, handwritten notes, photographs, images, or other
documents with PHI not disposed of properly.
• CD, DVD, floppies, backup tapes with PHI that have not been
destroyed at end-of-life per University policy.
78
Breaches and Consequences
• On February 24, 2011, Massachusetts General Hospital
agreed in a settlement to pay $1,000,000.00 to the U.S.
government for violations involving the breach of 192 patient
records.
• On January 7, 2011 Tulane University announced that a
university owned laptop was stolen December 29, 2010 that
had a file containing private information of each person
employed at the university in the past year, according to
school officials.
– The computer had W-2 information, names, Social Security
numbers, addresses and salaries for every employee, including
student and part-time employees and anyone who received a
2010 W-2.
79
Breaches and Consequences (cont.)
- School officials said the laptop, used to process 2010 tax
records during the university's winter break, was not
encrypted and was in a briefcase in the locked automobile
of an employee who was out of town. It was stolen Dec. 29,
and school officials were notified the following day.
- The university sent letters to the more than 10,000 affected
individuals and offered them a full year of credit
monitoring.
80
Breaches and Consequences (cont.)
• In 2010, New York Presbyterian Hospital and
Columbia University Medical Center agreed to pay
$4.8 million in monetary payments to DHHS after a
faculty member exposed records of 6800 patients to
the Internet while operating a file server without
appropriate technical safeguards.
http://www.hhs.gov/news/press/2014pres/05/20140507b.html
81
Prevention is The BEST Approach
• Data breaches can be prevented by ensuring that the
appropriate safeguards are in place and followed. For
example:
– Adding extra security measures (e.g. password protection, encryption,
backups) to portable devices (laptop, smartphone, flash drive,
external hard drive).
– Taking precautions when protected information (health or financial
information) is stored on a local computer (e.g. locking computer,
encryption, backups).
– Taking precautions when protected information (health or financial
information) is sent to another location (e.g. encrypting the data,
encrypting the transmission, or using LSU Health FileS).
– Taking precautions when accessing protected information (employee,
student, health, financial, etc.) from a remote location.
82
When a Breach is Suspected
• When a breach occurs or is thought to have
occurred:
– Contact the Office of Compliance Programs
immediately:
• Phone – (504) 568-5135
• Anonymous Hotline – (504) 568-4347
• Email – [email protected]
83
Portable Devices
• Add extra security measures to prevent device
theft by:
− storing important data separately
− installing and maintaining anti-virus software
− activating the password protect feature on your device
(This is required if you connect to the LSUHSC network)
− encrypting sensitive files
− backing up your data
84
Portable Devices (cont.)
• Employees who use University owned portable
devices should:
− have a signed receipt on file with the department for
LSUHSC tagged equipment (especially laptops).
− be aware of requirements for reporting any theft of the
equipment.
− have any University owned tablets or smartphones
enrolled in the MDM system.
85
Data Hoarding
• With storage capacities allowing you to keep billions of
pages of information on something the size of a postage
stamp, there is a tendency to simply allow information to
accumulate like the stuff in the spare room of your home.
• This accumulation occurs whether the device is a
smartphone, laptop, or USB or portable hard drive.
86
Data Hoarding
• What happens when that device is lost or stolen?
If all that was on the device was your e-books or contact list
or a copy of your dissertation, then your biggest problem is
how to reconstruct the data.
• But what if those billions of pages of storage
contain patient information?
Now you are required to notify each of your patients that you
allowed their medical information to be breached. If 500 or
more patients are affected, you must also notify the news
media.
87
Don’t Be a Data Hoarder
• Review the data on your portable devices
periodically and remove anything that you don’t
need on a day-to-day basis.
• If there is a need to retain certain information even
though you are not using it frequently, back it up to
your O: drive.
• To secure information you retain on your portable
devices, use the precautions on the following slides:
88
Confidentiality/Safeguards
Extra precautions must be taken when protected
information (health or financial information) is stored
on a local computer:
• Data must be encrypted in case your laptop is lost or stolen
(contact your supporter for more information).
• Lock your computer if you leave your machine unattended.
• Written backup and disaster plans must be in place. LSUHSC
backs up all files on servers (O:, T:, U: and V: drives) daily.
89
Confidentiality/Safeguards (cont.)
Extra precautions must be taken when protected
information (health or financial information) is sent to
another location.
• Do not use any email system other than LSUHSC.EDU to send or
receive protected information. Email sites such as Yahoo or
Hotmail do not have the security features that the LSUHSC email
system has to protect sensitive information.
• Emails from one @LSUHSC.EDU email address to another are
protected by a variety of security measures and are considered
safe for protected and restricted information.
90
Confidentiality/Safeguards (cont.)
• Do not automatically forward LSUHSC.EDU email to a non-LSU
email system. Email coming to your LSUHSC email box may
contain sensitive information. If it is automatically transferred
to a non-LSU email system that does not have the security
features to protect sensitive information, a data breach can
result.
• Do not store files with protected or restricted information on
cloud services such as iCloud or Google Drive. They do not have
the security precautions that are in place on the LSUHSC
network. Using such sites increases the likelihood of a breach.
91
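One way an administrator can check for the auto-forwarding problem described above is to audit mailbox forwarding rules and flag any destination outside LSUHSC.EDU. This is an added example, not code from the LSUHSC training module; the rule records and the tuple format are constructed sample data, since the slides do not describe how the mail system exports its rules.

```python
# Added example (not part of the LSUHSC training module): flag mailbox
# forwarding rules that send @LSUHSC.EDU mail to a non-LSU destination.
# The (mailbox, forward_to, keep_copy) record format is an assumption;
# the sample rules below are constructed for illustration.
from email.utils import parseaddr

# Only LSUHSC.EDU (and its subdomains) are treated as internal, per the slide.
ALLOWED_DOMAINS = ("lsuhsc.edu",)


def destination_domain(address: str) -> str:
    """Return the lower-cased domain of an address, or '' if it has none."""
    _, addr = parseaddr(address)          # strips any display name
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_internal(domain: str) -> bool:
    """True for lsuhsc.edu or a genuine subdomain of it.

    A look-alike such as 'lsuhsc.edu.example.com' must NOT count as internal,
    so we require an exact match or a '.lsuhsc.edu' suffix, never a prefix.
    """
    return any(domain == d or domain.endswith("." + d) for d in ALLOWED_DOMAINS)


def audit_forwarding(rules):
    """Return (mailbox, forward_to, reason) for every rule that violates the
    'no automatic forwarding to non-LSU email systems' requirement."""
    findings = []
    for mailbox, forward_to, keep_copy in rules:
        dom = destination_domain(forward_to)
        if not dom:
            findings.append((mailbox, forward_to, "unparseable destination"))
        elif not is_internal(dom):
            reason = "external auto-forward" + ("" if keep_copy else ", no copy kept")
            findings.append((mailbox, forward_to, reason))
    return findings


SAMPLE_RULES = [  # constructed sample data
    ("jdoe@lsuhsc.edu", "jdoe@lsuhsc.edu", True),                              # fine
    ("asmith@lsuhsc.edu", "Alice Smith <asmith@research.lsuhsc.edu>", True),  # fine
    ("bjones@lsuhsc.edu", "bjones99@gmail.com", False),                        # violation
    ("ckim@lsuhsc.edu", "ckim@lsuhsc.edu.example.com", True),                  # look-alike
    ("dlee@lsuhsc.edu", "not-an-address", True),                               # malformed
]

if __name__ == "__main__":
    for finding in audit_forwarding(SAMPLE_RULES):
        print(*finding)
```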
Confidentiality/Safeguards (cont.)
– Many cloud service providers have facilities in different
countries. If the protected or restricted information on your
personal device is stored on a cloud server in another country,
it is no longer subject to the protections of U.S. law.
– Be aware of any default settings on personally owned devices
that may automatically copy protected or restricted
information to a cloud drive.
92
Confidentiality/Safeguards (cont.)
• Do not use Web based file-sharing sites such as
YouSendit.Com, Sharefile.com or Doodle.com to transfer
protected or restricted information. These sites are not secure
and have been the source of data breaches. Instead use LSU
Health FileS.
• Do not use Internet file-sharing apps like BitTorrent to transfer
protected information. These applications are not secure and
have been the source of data breaches. Instead use LSU Health
FileS.
• The employee’s or student’s department will be held
responsible for any data breaches that occur and will bear the
expenses incurred in mitigating a breach.
93
Data Security When Traveling
• Extra precautions must be taken when accessing protected
information (employee, student, health, financial, etc.) from a
remote location.
- Make sure your connection is secure by using a VPN (Virtual Private
Network) or SSL (little lock icon at the bottom of your browser
screen).
- When accessing email or other files via the World Wide Web from
a computer at a hotel business center or conference:
• Don’t allow anyone to read your screen over your shoulder.
• Make sure any copies of such files are deleted from the Internet cache
on the computer before you leave. The following link has directions
for deleting the Internet cache: http://kb.iu.edu/data/ahic.html
- When working from home, ensure the computer you are using has
up-to-date anti-virus software and operating system patches.
94
Citrix
• An easy way to ensure that you do not leave any
sensitive data on a public computer is to use Citrix.
• It provides access to published Windows desktop
environments. These environments have preconfigured
applications which may be run without the need to install,
configure or update applications on your local workstations.
• Citrix can be accessed from the Internet and stores
information on your “O:” drive.
• Logon to LSU’s Remote Access Portal at the link below
and select the Citrix Web Interface option.
https://remote.lsuhsc.edu/danana/auth/url_default/welcome.cgi
95
Compromised Accounts
• Indications that your account has been
compromised include:
- a locked account
- a password that is no longer accepted
- missing data
- computer settings that have unexpectedly
changed
- transactions you did not authorize
• You should contact your computer supporter or
the Help Desk if you suspect that someone has
tampered with your account.
96
What Do I Do if I Think my Password Has
Been Compromised?
• Notify the Help Desk or your computer support
personnel.
• Change your password immediately (If you need
assistance changing your password, ask your
computer supporter or the Help Desk or go to
www.lsuhsc.edu/changepassword).
Remember:
You are responsible for all activities occurring
under your LSU login ID.
97
Incident Reporting
• Notify your local computer supporter or the
Help Desk if:
- You suspect your password has been
compromised.
- You suspect your files have been tampered
with.
- Your computer behaves abnormally.
- You suspect someone has obtained or is trying
to obtain unauthorized access.
- A device or media with protected or restricted
information has been lost or stolen.
- You have been called by someone claiming to
be a vendor.
98
Why Should I Take These Precautions if I
Only Use my PC for Reading Email?
• The REASON:
Hackers use a technique called “Escalating
Privilege” which enables them to turn ANY
user account into an administrator account
that gives them unrestricted access to our
network. All they need is an account to get past
the firewall.
99
Violations
• LSUHSC monitors network traffic.
• Violations of CM-42 or PM-36 will be reported to
the appropriate dean or vice-chancellor.
• Violating CM-42 or PM-36 will result in
disciplinary action up to and including loss of
network access, termination of employment,
expulsion and civil or criminal liability.
100
Any Questions?
We Are Here to Help!
Office of Compliance Programs
433 Bolivar St.
Suite 807
New Orleans, LA. 70112
568-5135
[email protected]
101