A User’s Guide to IT Security Awareness


PURPOSE
You’ve seen it on TV and heard it on the news. While there are many processes and applications in the background regarding security at WSU, it is vital that you are aware of those things that can assist Wichita State University in keeping data, information, and privacy intact.

 

INTRODUCTION


INFORMATION SECURITY EXPLAINED
Information security involves the preservation of:

  • Confidentiality - Ensuring information is disclosed to, and reviewed exclusively by intended recipients and/or authorized individuals
  • Integrity - Ensuring the accuracy and completeness of information and processing methods
  • Availability - Ensuring that information and associated assets are accessible, whenever necessary, by authorized individuals

LAWS AND ACTS TO FOLLOW
In many cases, the responsibility for data security is the LAW. WSU must consider many Federal and State laws that are intended to ensure that certain data does not fall into the wrong hands.

  • Health Insurance Portability and Accountability Act (HIPAA)
  • USA Patriot Act
  • Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
  • Higher Education Opportunity Act of 2008
  • Family Educational Rights and Privacy Act of 1974 (FERPA or the Buckley Amendment)
  • Digital Millennium Copyright Act (DMCA)

CONSEQUENCES OF A BREACH OF SECURITY
Should there be a breach of security, WSU could be subject to many costly consequences. Because we are a state educational institution of Kansas, these consequences can be very costly. The possible consequences of insufficient security are:

  • Loss of productivity
  • Identity theft
  • Equipment theft
  • Service interruption (e.g., email and Enterprise Resource Planning applications)
  • Embarrassing media coverage
  • Compromised confidence
  • Legal penalties

VITAL INFORMATION
Your effectiveness in securing Wichita State University’s information begins with an understanding of what is vitally important. Here are some examples of data that needs to be protected:

  • Credit Card Information
  • Social Security Numbers
  • Addresses
  • Private Documents
  • Payroll Information
  • Intellectual Property
  • Academic Transcripts

WSU TECHNOLOGY POLICIES
There is a chapter devoted to the policies regarding technology at our institution. It is the user’s responsibility to read and regularly review the Wichita State University - Policies and Procedures Manual for Technology, Chapter 19.

DIGITAL MILLENNIUM COPYRIGHT ACT (DMCA)
A brief side note about DMCA. Whether at work or at home, if you are downloading music, games, or movies and you are NOT paying for them, chances are you are in violation of the DMCA. If Wichita State authorities receive notification from DMCA that a specific University computer is distributing illegal media, WSU is required to shut down that system until the offending software is removed. Departmental supervisors are notified of the offense.

 

THINK ABOUT WHAT YOU ARE DOING


THINK... then CLICK

This is certainly something to ask yourself before proceeding on a pop-up, warning box, or error message.

  • Could the actions I am about to perform, in any way, harm either myself or Wichita State University?
  • Is the information I am currently handling of vital importance to either myself or Wichita State University?
  • Is the information I am about to review legitimate / authentic?
  • Have I contacted appropriate Wichita State University personnel with questions regarding my uncertainty of how to handle this sensitive situation?

Next, here is a list of dangers associated with personal security awareness.

 

DANGERS


VIRUSES
A virus is malicious code, sometimes attached to email messages, that is capable of inflicting a great deal of damage and causing extensive frustration, including:

  • Stealing files containing personal information
  • Sending emails from your account
  • Rendering your computer unusable
  • Removing files from your computer

What you can do -

Do not open attachments to emails if:

  • Received from unknown individuals
  • In any way appear suspicious

SPYWARE
Spyware is any technology that aids in gathering information about you or WSU without your knowledge and consent.

  • Specific programming that is placed into an unsuspecting computer to secretly gather information about the user and relay it to advertisers or other interested parties
  • Cookies are used to store information about you on your own computer
  • Spyware exposure can be caused by a software virus or as a result of installing a new program

What you can do -

  • Do not click on options in deceptive / suspicious pop-up windows
  • Do not install any software without receiving prior approval from ITS or your supervisor
  • If you experience slowness / poor computer performance or excessive occurrences of pop-up windows, contact Information Technology Services (ITS)

UNAUTHORIZED SYSTEMS ACCESS
Unauthorized systems access occurs when individuals maliciously obtain unauthorized access to computers, applications, confidential information, and other valuable assets. Not all guilty parties are unknown; some can be your co-workers. Unauthorized systems access can result in theft and damage of vital information.

What you can do -

  • Use strong passwords for all accounts
  • Commit passwords to memory
  • If not possible to memorize, store all passwords in a secure location
  • Never tell anyone your password
  • Never use default passwords
  • Protect your computer with a password-protected screen saver
  • Report suspicious individuals / activities to ITS
  • Report compromised systems to your supervisor

SHOULDER SURFING
Shoulder surfing is the act of covertly observing employees’ actions with the objective of obtaining confidential information.

What you can do -

  • Be aware of everyone around you… and what they are doing
  • Be alert when traveling (airplanes, trains, buses, etc)
  • Be alert at restaurants; all public gathering areas
  • Be alert in Internet cafes
  • Be alert in Computer labs
  • Do not perform work involving confidential Wichita State University information if you are unable to safeguard yourself from shoulder surfing

UNAUTHORIZED FACILITY ACCESS
Some individuals maliciously obtain unauthorized access to offices with the objective to steal equipment, confidential information, and other valuable Wichita State University assets.

What you can do -

  • Do not allow access to University facilities by unidentified individuals (referred to as “tailgating”)
  • Shred all Wichita State University confidential documents
  • Do not leave anything of value exposed in your office / work space (e.g., Lock all Wichita State University confidential documents in desk drawers / file cabinets)

CURIOUS PERSONNEL
Some employees, who are not necessarily malicious, might perform activities that test the limits of their network and facilities access.

What you can do -

  • Retrieve your Wichita State University confidential faxes and printed documents immediately
  • Shred all Wichita State University confidential documents
  • Lock all Wichita State University confidential documents in desk drawers / file cabinets
  • Follow the guidance previously provided to prevent unauthorized systems access
  • Report suspicious activity / behavior to your supervisor

SOCIAL ENGINEERING
Social engineering is basically taking advantage of people’s helping nature/conscience for malicious purposes.

What you can do -

  • Never lose sight of the fact that successful social engineering attacks are engineered for people’s natural inquisitiveness
  • If a received phone call is suspicious, request to return their call
  • Do not provide personal / confidential Wichita State University information to a caller until you are able to verify the caller’s identity, and their association with their employer’s company
  • Never provide a caller with anyone’s password, including your own
  • Report any unrecognized person in a Wichita State University facility to University Police

PHISHING
Phishing is an online scam whereby emails are sent by hackers who seek to steal your identity, rob your bank account, or take over your computer.

What you can do -

  • Use the “stop-look-question” technique:
    • Stop: Do not react to phishing ploys consisting of “upsetting”, “threatening”, or “exciting” information
    • Look: Look closely at the claims in the email, and carefully review all links and Web addresses
    • Question: Do not reply to emails requesting confirmation of account information; call or email the company in question to verify if the email is legitimate
  • Never email personal information
  • Report misuse of a Procurement Card transaction
  • Report suspicious computer activity to ITS

INSTANT MESSAGING SERVICES (IM)
Privacy threats caused by using free IM services in the workplace include personal information leakage, loss of confidential information, and eavesdropping.

What you can do -

  • Depending upon with whom you are communicating, and how IM was implemented, every message you send – even to a coworker sitting in the next cubicle – can/may traverse outside of Wichita State University’s local network
  • All messages you send may be highly susceptible to being captured and reviewed by malicious people
  • Never send confidential messages or any files to individuals
  • Realize that there is no means of knowing that the person you are communicating with is really who they say they are

COMPUTERS AND HANDHELD DEVICES


OFFICE COMPUTER USE
Here are some specific conditions and procedures that should be followed when using office computers:

  • Log out of all programs when you leave your work area
  • “Lock” your computer when you leave your work area
  • Screen Savers should have passwords
  • Make certain your system software and anti-virus applications are always up to date
  • Install licensed programs only
  • If you leave your system on at night, make certain that your office space is physically secure

HOME COMPUTER USE
Here are some specific conditions and procedures that should be followed when using home computers for business purposes:

  • Make certain your home computer has all the latest updates for the operating system, applications, and anti-virus program
  • Use the VPN (Virtual Private Network) if you remote into your office desktop. WSU employees who remote into their office desktops at home are required by policy to use the VPN
  • Encrypt files or attach passwords to files that contain WSU data
  • Make certain that your home wireless connection is secured, preferably with WPA or above
  • To be safe, it is a good idea to shut down your system while you are away, or when you are not going to use the system
  • As a rule of thumb, imagine if your house was robbed and they stole your computer. Is your sensitive data protected? Do you have a backup somewhere else? Could you recover from a complete loss?

PORTABLE DEVICE USE
Here are some specific conditions and procedures that should be followed when using University-owned laptops, smartphones, netbooks, and tablets:

  • Always keep in mind that these devices are highly-regarded targets for theft
  • WSU data should be encrypted, and/or password-protected
  • The device should be password-protected
  • The device should remain physically inaccessible to others
  • Do not access sensitive data on open wireless networks
  • Make certain you have written down and filed the serial number for your device
  • If possible, have a physical security lock available to use should you have to briefly walk away from the device

SMALL HANDHELD DEVICES, FLASH DRIVES, AND EXTERNAL DRIVE USE

Here are some specific conditions and procedures that should be followed when using these devices:

  • Smartphones are usually tied to a WSU email account, and should therefore be password protected
  • These devices are frequently lost
  • These devices are easily stolen
  • These devices can and should be password protected and/or encrypted if there is any WSU or personal data on them.

SUMMARY


REMEMBER THESE SUGGESTIONS

  • Be security-conscious regarding anything of vital importance to Wichita State University, and yourself
  • When your personal safety, Wichita State University’s safety, or any confidential information is involved, always ask yourself, “what measures should I perform to keep myself and WSU safe, and to ensure that WSU’s confidential information is protected against harm, theft, or inappropriate disclosure?”
  • Apply similar considerations mentioned in this document to systems at home
  • Threats do not stop at the work place; they extend to your home, and other surroundings
  • Do not allow this security awareness information to lead to paranoia
  • Make informed decisions to protect yourself, Wichita State University, and others

WHO TO CONTACT
It is important for you to contact appropriate Wichita State University personnel the moment you suspect anything might be wrong. Contact Information Technology Services (ITS) at 316-978-4357 (WSU-HELP), or email helpdesk@wichita.edu.