
Security Awareness Training

Purpose of Computer Security

The campus network connects users to numerous local computer systems (Email, file servers, printers) as well as external information resources (World Wide Web). Computer systems and the network are essential to support the educational, business and research operations of the University. As we become more reliant on computer systems, we become more vulnerable to technical difficulties and the need to protect data becomes more critical.

Protect Sensitive Information

It is essential that you exercise care and good security practices to safeguard confidential or sensitive health information, such as information relating to an individual's physical or mental health, electronic medical records, patient accounting information, or other information relating to treatment or payment for services. It is also vital to safeguard other types of sensitive and confidential data, such as:

  • Personal information like home telephone number, home address, Social Security Number.
  • Research Data, such as databases containing sensitive health or other identifiable information about individuals, collected for research purposes.
  • Financial Data like credit card numbers and payroll records.
  • Educational Records covered by FERPA.

Common threats to the security of data stored in electronic form include:

  • Weak Password: Obvious or simple passwords (such as a name, address or common dictionary word) can easily be guessed or 'cracked' by a computer program.
  • Computer Virus: A virus is a program written specifically to run and copy itself without a user's permission or knowledge. Some viruses corrupt or destroy computer files. Viruses often spread as Email attachments. Spam is sometimes used to transmit viruses.
  • Trojan Program: A Trojan is an 'imposter program' installed on a computer without the knowledge of the user. Trojans may be disguised as harmless applications, such as screen savers or games. Several well-known Trojans allow remote control of a computer.
  • Malicious Web Script: Malicious web script is a program, delivered by a web page, that attacks the computer of a person browsing the Web. Malicious scripts may generate unwanted graphics or sound files, capture passwords, or cause the workstation to crash.
  • Open Systems: Computers that permit unidentified users to connect are referred to as open systems. Peer-to-peer file-sharing applications such as KaZaA and BearShare, for example, accept connections from unidentified users and so allow outsiders to bypass network firewall protection.
  • Social Engineering: Social engineering refers to tricking people into breaking normal security procedures. Social engineers often rely on the natural helpfulness of people by using lies, impersonation, bribes, or threats to gain access to computers.
  • Spyware/Adware: Spyware refers to tracking programs installed on a workstation, without the user's knowledge, to secretly gather information about the user and relay it to advertisers or other interested parties.
  • Additional threats include attacks that exploit specific software vulnerabilities on a computer.

5 Steps to Security

Step 1: Follow the Policies

The University's IT Security Policies address a number of important IT security issues, such as user and unit responsibilities, reporting of security incidents, incident response procedures and the consequences for violations of University IT policies. University policies regarding information technology are available at: www.policy.ku.edu/it

In addition, the University has developed privacy and security policies for Clinics on the Lawrence Campus. These guidelines are available from your supervisor or the KU Privacy Office (Lawrence Campus) (785)864-9528.

Access to systems and networks containing electronic data is not permitted unless prior authorization is obtained. You must familiarize yourself with the specific policies and procedures of your unit regarding the security of confidential data. Questions regarding your unit's policies and procedures should be addressed to your supervisor.

Care and good security practices include:

  • Not keeping unnecessary files that contain individually identifiable information.
  • Storing sensitive information only in authorized locations, such as on servers that are protected by network firewalls, in accordance with the recommendations of the University's IT Security Officer.
  • Restricting access to data on a 'need to know' basis and not sharing such information unless authorized to do so.
  • Storing data in password-protected files.
  • Protecting data by using strong passwords and encrypting data in certain contexts.
  • Protecting the security of laptops and hand-held devices, by using password protection and locking up the machine itself.
  • Transferring data from hand-held devices to a secured server as soon as possible and removing the data from the device once it is transferred.
  • Restricting physical access to equipment and storage media (such as disks, CDs, tapes) housing confidential or sensitive data.
  • Using and regularly updating anti-virus software.
  • Assigning a unique ID to each person with computer access to data.
  • Keeping security patches up to date.
  • Not transmitting data electronically unless certain confidentiality controls (such as encryption) are in place.
  • Following proper procedures for removal/disposal of confidential data prior to re-use or disposal of equipment or storage media.

5 Steps to Security (continued)

Step 2: Guard Your Accounts

Many users have computer accounts for Email, network, remote access and individual applications or systems. Each of your accounts leads back to you. Protect yourself and the University. Don't share your account information with anyone!

The University Password Policy provides password selection guidelines and methods for password change requests. When choosing a password:

  • Do not use any part of the account identifier (username, login ID, etc.)
  • Do not use a proper name or any word in the dictionary without altering it in some way.
  • Do not tell your password to anyone or let anyone observe you entering your password.
  • Do not display your password in your work area or any other highly visible place.
  • Change your password periodically.
  • Do not reuse old passwords.
  • Utilize proper password selection techniques:
    • Use 7 or more characters.
    • Use a mix of upper and lower case letters, and include digits.
For additional assistance in creating a secure password please refer to www.security.ku.edu.
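The selection rules above can be checked mechanically before a new password is accepted. The following is an added example (not KU's own tool or the University Password Policy text) that applies the rules from the list: minimum length, mixed case with digits, no part of the account identifier, no dictionary word (including a word disguised with common character substitutions, which cracking tools undo automatically), and no reuse of a previous password. The wordlist is a constructed stand-in; a real deployment would load a full dictionary file.

```python
import re
from typing import List, Optional

# Constructed mini-dictionary standing in for a real wordlist (assumption:
# a deployment would load a full dictionary file here).
DICTIONARY = {"password", "summer", "jayhawk", "kansas", "welcome", "football"}

# Single-character substitutions that password-cracking rules undo, so
# "P@ssw0rd" is still treated as the dictionary word "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s",
                      "5": "s", "7": "t", "!": "i"})

MIN_LENGTH = 7  # "Use 7 or more characters"


def normalize(word: str) -> str:
    """Reduce a candidate to its underlying word: lower-case it, drop trailing
    digits ('Summer2023' -> 'summer'), then undo leet substitutions."""
    base = re.sub(r"\d+$", "", word.lower())
    return base.translate(LEET)


def check_password(password: str, username: str,
                   previous: Optional[List[str]] = None) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"\d", password):
        problems.append("no digit")

    # "Do not use any part of the account identifier": test the username and
    # each token of it (e.g. 'j.doe' -> 'doe'); tokens under 3 characters are
    # ignored because they would match almost anything.
    lowered = password.lower()
    for part in re.split(r"[^a-z0-9]+", username.lower()):
        if len(part) >= 3 and part in lowered:
            problems.append(f"contains part of the username ({part!r})")

    # "Do not use ... any word in the dictionary without altering it in some way"
    if normalize(password) in DICTIONARY:
        problems.append("is a dictionary word (after undoing common substitutions)")

    # "Do not reuse old passwords"
    if previous and password in previous:
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    for candidate in ["Jayhawk1", "P@ssw0rd", "jdoe2023", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate, "jdoe") or "OK")
```

Note that the check only rejects the obviously weak choices the policy names; it does not make a password strong. Appending a digit or capitalizing the first letter of a dictionary word is the first thing a cracking program tries, which is why the normalization step strips those alterations before the dictionary lookup.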

5 Steps to Security (continued)

Step 3: Secure your Workstation

Use anti-virus software. The University has a license for Sophos anti-virus software. When installed properly this software will detect and stop most viruses before they infect your computer. Do not attempt to disable the anti-virus software. If for any reason anti-virus software is not on your computer, or if you are not sure, contact your registered Technical Liaison or network administrator. Once configured, the software will automatically update itself as needed.

Never open unknown Email attachments or embedded web links. Do not open any unexpected email attachment without first contacting the sender to verify its content. Be aware that the sender address of a virus-laden message can be 'spoofed' so that it appears to come from someone you know. Do not click unknown embedded links, since they can redirect your browser to an unwanted site or download malicious programs.

Never open or install unknown files. Do not download files from unfamiliar sites. 'Harmless' games, screen savers and other utilities may include Trojan programs that steal passwords, credit card numbers, or allow remote control of your computer.

Avoid questionable Web sites. If you have never heard of a company, be wary of its Web site. Be cautious using sites that request personal information about you. Sites may contain scripts that track your Web usage, collect sensitive information, or run malicious programs against your computer while you browse.

Watch for locked accounts. Many systems detect attempts to log in with an incorrect password. To make password-guessing attacks more difficult, the systems may include an 'intruder lockout' feature. If several invalid attempts are made to the same account in a short period of time, then the account is automatically disabled. Note any time your account becomes 'locked' for an unknown reason.
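The 'intruder lockout' feature described above is simple to express as detection logic over an authentication log. The following added example (not KU's own code; the log format and thresholds are assumptions, and the log lines are constructed) locks an account after five failed logins within a fifteen-minute window and shows why a legitimate user then sees a locked account even when typing the correct password.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an assumed syslog-like format; not a real KU log.
SAMPLE_LOG = """\
2024-03-04 08:00:01 login failed user=jdoe src=10.1.2.3
2024-03-04 08:00:05 login failed user=jdoe src=10.1.2.3
2024-03-04 08:00:09 login failed user=jdoe src=10.1.2.3
2024-03-04 08:00:12 login failed user=jdoe src=10.1.2.3
2024-03-04 08:00:15 login failed user=jdoe src=10.1.2.3
2024-03-04 08:00:20 login ok user=jdoe src=10.1.2.3
2024-03-04 08:30:00 login failed user=asmith src=10.1.2.9
2024-03-04 09:30:00 login failed user=asmith src=10.1.2.9
"""

LINE_RE = re.compile(r"^(\S+ \S+) login (failed|ok) user=(\S+) src=(\S+)$")

MAX_FAILURES = 5             # assumed threshold
WINDOW = timedelta(minutes=15)  # assumed window


def parse(line):
    """Return (timestamp, outcome, user, source) or None for lines we don't recognize."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), outcome, user, src


def evaluate(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Replay the log in order. Returns (locked, denied): a dict of user ->
    time the lockout was triggered, and a list of (time, user, outcome) for
    attempts refused because the account was already locked."""
    recent = defaultdict(deque)  # user -> timestamps of failures inside the window
    locked = {}
    denied = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, outcome, user, src = rec
        if user in locked:
            # A locked account refuses even a correct password: this is the
            # "locked for an unknown reason" signal a user should report.
            denied.append((ts, user, outcome))
            continue
        if outcome == "ok":
            recent[user].clear()  # a successful login resets the failure count
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            locked[user] = ts
    return locked, denied


if __name__ == "__main__":
    locked, denied = evaluate(SAMPLE_LOG)
    for user, when in locked.items():
        print(f"{user}: locked at {when}")
    for ts, user, outcome in denied:
        print(f"{ts}: attempt on locked account {user} (outcome would have been {outcome})")
```

In the sample, jdoe's fifth failure at 08:00:15 triggers the lockout, so the correct login at 08:00:20 is refused; asmith's two failures are an hour apart, fall outside the window, and never accumulate. The same mechanism is why an unexplained lockout is worth reporting rather than ignoring: either someone has been guessing your password, or someone is deliberately locking you out, and both are security events.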

Protect your desktop. Do not leave your workstation while you are logged in to a restricted application or while sensitive information is displayed on your screen. Close the application or use a password protected screen saver with a short 'wait' period. Shut down your workstation before you go home. If two or more users share a workstation, be sure to log out or reboot between users.

Keep your computer physically secure. To discourage theft, computers should be kept in attended or locked facilities. Consider using cables to lock computers (especially laptops) to something solid. Depending on the value of the computer and the sensitivity of its data, alarms, motion detectors or tracking devices may be appropriate to alert owners when someone tries to move a portable computer.

5 Steps to Security (continued)

Step 4: Be Aware

Watch for Security Alerts. Information regarding identified security threats or warnings, as well as information about security tools and resources, is available at the IT Security Office web site at www.security.ku.edu. When serious computer threats arise, warnings are distributed by the IT Security Office or Technical Liaisons via Email. Be sure to read and follow computer security alerts.

Verify Hoaxes. Occasionally you may receive urgent alerts about some incurable virus, with advice to forward the message to everyone you know. These are classic signs of a virus hoax. Check the information against reputable virus hoax sites, such as Sophos. If you are still unsure whether the virus is authentic, contact the IT Security Office.

Don't be deceived. Social engineers trick people into breaking normal security procedures. Beware of anyone who asks for your password, requests information about computer systems, or attempts to access sensitive data. Always verify the person's identity and only provide information to users with a legitimate need to know.

5 Steps to Security (continued)

Step 5: Recognize and Report Security Incidents

Recognizing Security Issues:

Unauthorized Password Use: Failure to guard passwords or use of weak passwords can result in unauthorized password use. Signs of unauthorized password attempts or use include:

  • Account locked when you attempt to log in.
  • Computer or program's custom settings have changed.
  • Unfamiliar Email messages in Sent Items or Trash folders.
  • Strange Web sites in browser history, or empty browser history folder.
  • Unusual entries in the computer event logs.

Computer Viruses, Trojans, Malicious Programs: These can result in loss or destruction of data, unauthorized access to or disclosure of data, and other serious security problems. Symptoms vary, but the following could indicate your computer is infected:

  • Frequent system crashes.
  • Unusual messages, displays, sounds or music.
  • Programs or files mysteriously disappear, or unexplained hidden files appear.
  • Change in file sizes and contents.
  • Sudden reduction in disk space.
  • Programs take longer to start or run slower than usual.
  • Unexplained decrease in available memory or system resources.
  • Disk drive light and other indicators light up for no apparent reason.
  • CD-ROM tray opens and closes once or at intervals.
  • Web browser opens random URLs.
  • Mouse moves around the screen without your intervention.
  • Note: Legitimate software programs or hardware problems can also cause many of these effects. Don't automatically assume your computer is infected, but do consider the possibility.

Spam: Spam is unsolicited email or junk mail on the internet. Spam is sometimes used to transmit viruses.

Reporting Security Issues:

If you suspect your computer is infected you should contact your Technical Liaison. They will assess the situation and recommend appropriate action. It is not necessary to report spam unless the message is illegal or threatening.

If you observe, or have reported to you, a security or abuse problem such as unauthorized use of your password and/or unauthorized accessing of confidential data, you must immediately notify your supervisor and the KU IT Customer Service Center (formerly the IT Help Desk) at (785) 864-8080. For additional assistance with other breaches involving an individual's protected health information, contact the KU Privacy Office, Lawrence Campus at (785) 864-9528.

Stolen computer equipment or other portable devices (PDAs, flash drives, smartphones) must also be reported immediately to KU's Public Safety Office (Police http://www2.ku.edu/~kucops/ or at 785.864.5900). If the theft occurs off campus, please contact the appropriate jurisdictional police department as soon as possible and the KU Privacy Office.