This page covers the basics of Information Security – online threats, physical (general) threats, applicable local, system, state and federal laws and policies and finally, how to report data breaches or identity theft.
What is Information Security?
Information Security has many definitions. For our purposes, here are ours:
- An all-encompassing term that refers to the security of the information systems that are used and the data that is processed. (www.public.iastate.edu/~ecommerce/glossary.html)
- The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional (www.securiguard.com/glossary.html)
Why is this document necessary?
State and Federal privacy protection and data protection laws, as well as Sul Ross State University and Texas State University System policies, require that certain types of electronic information (data) be protected from disclosure. We have also seen an increase in the number of phishing attempts, and they are getting very crafty. Identity theft is a very real threat with no end in sight. New web-based technologies come out regularly, and with each new service there are new ways for the bad people to compromise your data. Almost every day we hear of lost or stolen notebook computers, USB memory sticks, CDs, etc. that contain private and sensitive information.
We hope that this course will help you become more aware of information security in general and that you will gain a new understanding of why you may become a target for data thieves. You may have heard (or said it yourself) a statement like “I have nothing to hide, so I don’t care if someone has my email password” or “Setting a login on my PC just makes it harder for me to use and I don’t see the point”. We hope that, upon completion of this course, everyone will have a new understanding of why security is important, both personally and professionally.
Your role and responsibilities
Using Sul Ross State University IT resources comes with responsibilities. These resources include (but are not necessarily limited to):
- SRSU email
- Computer Labs
- SRSU owned PCs
- SRSU’s network
SRSU’s Office of Information Technology has several policy and guideline documents available on its website: https://www.sulross.edu/oit.
Those policies and guidelines are the rules necessary for you to know and follow in order to have continued use of our network and information resources. They are designed to not only protect the network infrastructure, but to protect you, a user of our network.
This document does not cover all of the policies and guidelines in detail, so we suggest that you take a look at them, print them out if you wish, ask questions and generally get to know them.
In addition, if your job involves having access to any confidential data, you will be subject to even greater responsibilities to keep that data safe. In Chapter 4, we will go over some of the laws and policies that impact this responsibility.
Viruses & Worms
The most prevalent and well known online security threat is the computer virus or worm.
The first instance (as far as the author’s research can find) of a self-replicating program was “Creeper” in 1971. It moved between computers on the ARPANET and displayed the message ‘I’M THE CREEPER : CATCH ME IF YOU CAN.’ Interestingly enough, the next instance was “Reaper”, which was created and released with the purpose of eradicating “Creeper”. Computer viruses range from simple and relatively benign, like Creeper and Reaper, to highly destructive, like the famous “I Love You” virus of 2000, which caused an estimated 5.5 to 10 billion dollars in damage.
Computer worms are a bit different from a virus. Symantec, makers of one of the popular anti-virus products, defines a computer worm as:
“programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which requires the spreading of an infected host file.”
The distinction is what carries the malicious code. A virus attaches itself to an existing file or program on the victim’s machine and depends on that file being copied or opened in order to spread. A worm carries everything it needs and spreads itself, typically over the network or by mailing itself out. Some worms do travel as documents, for example a Word or Excel file whose macro mails the file to every address it can find; in that case the whole document is the worm, because the document was created by the worm rather than infected by it.
A famous example of a computer worm is MyDoom, released in January 2004, which still holds the record for the fastest-spreading mass mailer worm.
Trojan Horses and Spyware
A Trojan horse is just like the story in Greek Mythology. It is a software program that is hidden inside another program. It is an imposter. It claims to be something highly desirable, but it is malicious instead.
An example of a Trojan horse is the Storm Trojan. It was sent in an email (possibly from the address of someone the recipient knows). Subject line examples: “Saddam Hussein alive!” or “230 dead as storm batters Europe.” Inside is a link to a “news story” that looks like a CNN, Fox News, etc. news video. When you click on it, it installs its malicious self on your computer and starts replicating itself by sending a copy of the email to everyone in your address book. It even makes the email appear to have been sent by you!
Many of these Trojan horses await further commands from the original programmers. Most of them are what are called “spambots”, and together they are known as “botnets”. A command will be sent to turn your PC into a spammer. In the case of the Storm Trojan, one Symantec engineer was quoted as saying, “During our tests we saw an infected machine sending a burst of almost 1,800 emails in a five-minute period and then it just stopped.” Want to guess what kind of spam an infected PC is sending out? Most likely, it is a pharmaceutical product that claims to enhance some portion of the body.
Spyware and other malware usually (but not always) infect your PC from websites that you visit. Once they have secretly installed themselves, they begin their work. Spyware will often record information such as passwords, what sites you visit, email that you send, etc. It then sends the “log” of activities to a bad guy’s email address (or one that they have compromised). Other malware can do the same, but also maliciously corrupts files, the registry on your computer, system files needed by the operating system, and just generally makes a nuisance of itself.
Phishing and Pharming
The purpose of phishing is simply to obtain personal information about you. It is a powerful tool for identity theft. The types of information sought include:
- Full name
- Credit Card info
There are several definitions of Pharming (pronounced “farming”), but suffice it to say that Pharming is a form of web page or browser hijacking and can take one of several forms. For example,
- It may come in the form of an actual website that has been cracked (compromised) and its links changed to re-direct your browser to a bogus site.
- It may come in the form of an organization’s Domain Name System (DNS) records that have been cracked to lead your browser to a different web site than intended.
- It may come in the form of a phishing email that may have a link that describes a legitimate website but will actually link to a bogus site.
There may be other forms of pharming and even arguments about the term, but it is really all about sending you to a web site that you had no intention of going to, for the purpose of identity theft.
How to spot a pharming site? It can often be difficult because the bad people try their best to make it look real. If you are tempted to click a link sent to you in an email:
- try “hovering” your mouse over the link and look for the information that shows you the true URL of the site your mouse is pointing to. You may see the real link address and notice that it is different from what you expect to see. That could be a clue to check further.
- Google the site and see if the link matches what your mouse hover gives you. If it doesn’t match, then delete the email.
What about web sites that have been cracked? Most of those cracked sites will be similar to the email links we described. Use your mouse to “hover” over the links, then make sure the address looks like the place you really are looking for.
Finally, what about DNS cracks? Sometimes, there is not much you can do except be watchful of ANY web site you browse. Look out for any attempts to gain information that could be used for identity theft. If you suspect a site, contact the company or organization by telephone or in person to confirm the site address and what you are seeing. It may seem like a lot of inconvenience, but compare it to the inconvenience of repairing your credit and clearing your good name.
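The “hover over the link” check above can be automated for an HTML email. The script below is an added example written for this course page, not part of the original material or of any OIT tool: it pulls every link out of a message, compares the site named in the visible link text with the site the href really points to, and flags hrefs that hide the real host behind a “user@” prefix (browsers treat everything before the @ as a username, so https://www.bank.example@evil.example/ goes to evil.example). The message in SAMPLE_EMAIL and every host name in it are made up for the example.

```python
"""Automate the "hover over the link" check for an HTML email.

Added example for this section; not part of the original course material.
Extracts every <a> tag, compares the host named in the visible text with the
host the href really points to, and flags hrefs that hide the real host behind
a "user@" prefix. SAMPLE_EMAIL is constructed; every host in it is made up.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something that looks like a host name inside the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def site(host):
    """Crude 'same site' key: the last two labels (www.sulross.edu -> sulross.edu).
    A production check would use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Return a reason if the link is deceptive, otherwise None."""
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return None                      # mailto:, tel:, relative links
    real_host = parts.hostname or ""
    # https://www.bank.example@evil.example/ : the browser goes to evil.example
    if "@" in parts.netloc:
        return "href hides the real host %r behind an '@'" % real_host
    m = HOST_IN_TEXT.search(text)
    if m and site(m.group(1)) != site(real_host):
        return "text names %r but href goes to %r" % (m.group(1), real_host)
    return None


def suspicious_links(html):
    """Return [(visible text, href, reason)] for every link worth a second look."""
    collector = LinkCollector()
    collector.feed(html)
    hits = []
    for href, text in collector.links:
        reason = check_link(href, text)
        if reason:
            hits.append((text, href, reason))
    return hits


# Constructed sample: two deceptive links, one honest link, one mailto.
SAMPLE_EMAIL = """<html><body>
<p>Your mailbox is over quota. Log in at
<a href="http://sulross.edu.evil.example/login">https://www.sulross.edu/webmail</a>
within 24 hours or it will be closed.</p>
<p>Breaking: <a href="https://www.cnn.com@203.0.113.5/story.mp4">230 dead as
storm batters Europe</a></p>
<p>Policies: <a href="https://www.sulross.edu/oit">https://www.sulross.edu/oit</a></p>
<p><a href="mailto:helpdesk@example.org">Contact the help desk</a></p>
</body></html>"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL):
        print("SUSPICIOUS: %s\n  text: %s\n  href: %s" % (reason, text, href))
```

Two caveats a practitioner should expect: the “same site” comparison here is a two-label approximation and will misjudge hosts under suffixes such as co.uk, and legitimate mailing systems that route every link through a tracking host will trip the mismatch rule, so treat a hit as a reason to look closer (the same advice as the hover check), not as proof of fraud.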
Whether it be a virus, worm or Trojan horse, here are some tips:
ALWAYS keep an up-to-date anti-virus package running on your computer. Contact the LTAC at 8888 for more information.
Never open email attachments from someone you don’t know. Think before you click. Also, if you are not expecting an attachment from a person you know, follow up by confirming with the sender that they really did send it to you.
If you receive a suspicious email, forward the email to firstname.lastname@example.org and then delete it from your inbox. Contact LTAC if you have any questions or concerns.
Wikipedia defines Social Engineering this way:
Social engineering is the art of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.
Someone may call you on the telephone, pretending to be from XYZ company, a bank or some other official-sounding organization. They talk smoothly and professionally and convince you that they need your (or a customer’s) Social Security number, Driver’s License number or Credit Card number. They usually will have some sort of information about you or your customer that helps them convince you of their legitimacy, such as a date of birth, an amount on a last bill or statement, or other information. Another name for this type of Social Engineering is “Pretexting”. Pretexting is often used to trick a person into giving out information about a customer, student or employee.
We’ve previously discussed Phishing which is another form of Social Engineering.
(See the section on Phishing and Pharming in Chapter 2.)
Another form of Social Engineering uses planted media, sometimes called “baiting”. A person may leave a floppy disk, CD or flash drive in a bathroom, office, computer lab or other public place in the hope that the person finding it will attempt to use it. Sometimes people will access this media in the hope of finding the owner in order to return it, and other times just to keep it to use. The media will be infected with some sort of malware such as a key-logger, Trojan horse or some other means of capturing information from the newly infected PC.
Dumpster diving is a form of Social Engineering that has been around a long time and, unfortunately, still results in a lot of information being obtained from … the trash. Someone going through the dumpster or trash bins of a home or business may find old bills, old checks, even old credit cards that have been cut up but can still yield the numbers. At the very least, this information can give a Social Engineer what is needed to pretext someone. A good idea is to invest in a good quality shredder for sensitive documents. When cutting up credit cards, don’t throw all the pieces in the trash at once or, better, use multiple dumpsters.
There are many forms of Social Engineering, so the best defense is to ask yourself whether a person who is not authorized could obtain information from this call or from the action you are taking. If the answer is yes, then be on guard and ask questions; ask for a name and say you will call them back, but don’t accept the phone number they give you. Look it up and call back. Remember, a Social Engineer is a very, very good actor.
Identity theft is the deliberate use of someone else’s identity, usually as a method to gain a financial advantage or obtain credit and other benefits in the other person’s name, and perhaps to the other person’s disadvantage or loss. The person whose identity has been assumed may suffer adverse consequences if they are held responsible for the perpetrator’s actions. Identity theft occurs when someone uses another’s personally identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes.
The Inside Job
It’s not pleasant to think about, but occasionally an employee of a company, organization or institution will release privileged information, either accidentally or on purpose. While we all try our best to control access to sensitive information, it really boils down to the people who have legitimate access to maintain its confidentiality. Disgruntled employees exposing confidential information are another risk. Maliciously exposing private information that could lead to identity theft is a crime and could lead to harsh sentences for the person who is caught doing it.
Lost or stolen notebook computers have resulted in a large amount of confidential data being exposed. The cost to the company or institution responsible for the lost information is enormous. Notebook computers, flash drives, CDs, floppy disks or other portable devices that are easily lost or stolen should have, at least, the sensitive data encrypted. OIT has several options available to encrypt data securely, from file level encryption to whole disk encryption. Contact LTAC to discuss your needs.
Loss of data doesn’t necessarily mean the bad guys got it! Hardware failures, power outages, power spikes or just plain wearing out are issues that sometimes result in unrecoverable data loss. OIT servers regularly back up critical data. Your PC also has backup options. Whether you back up data to a CD or DVD, tape drive, external USB hard drive or a server share, be sure you can recover that critical data in the event the device fails. For instructions and options for backing up your PC, contact OIT’s Desktop Services.
Passwords are a VERY important deterrent to people trying to steal your information. Because they are such a critical part of it, it is amazing how cavalier many people are about their choice of passwords. Choosing a good password is a balance between something that is easily memorized and something that is hard to crack.
Password cracking programs have been available for years on the Internet. They use sophisticated methods of “guessing” your password. They come with multiple dictionaries, in multiple languages. They use any and all parts of your name. They have a list of favorite sports, pet names, and slang words. They speak leet. They do much more and at the end of the day, they will try to brute force their way into your account.
Random Password Generators
Random password generators, such as the one SRSU uses when creating an email account, produce passwords that are very difficult for a password cracking program to guess, but they have the drawback of being very difficult to memorize. This results in the passwords being written down, kept in a desk drawer or taped to a monitor.
Good Passwords that are easy to remember. Is it even possible?
There are several ways to create seemingly random passwords that are easy to remember.
One way is to think of a favorite quote or song, book title or TV show. “One Flew Over the Cuckoo’s Nest” was written in 1962 by Ken Kesey, so one approach is to take the first letters of the title and author and add the year, giving a password of ofotcn62kk. Another way to randomize it is to substitute numbers that look like letters in some (not all) positions. So you might put a zero in place of one of the oh’s, resulting in: of0tcn62kk
Let’s try another. Perhaps a song. I know! Hank Williams, “I’m So Lonesome I Could Cry”. What year? 1949. Well, there are so many ways to do this, but here is an example: Is1iccl949hw
Notice we start with a capital I (eye), but we substitute a 1 (one) for the lower case l (el), then follow up with a lower case I (eye) but we switch the 1 (one) in 1949 with an l (el). Maybe a bit complicated for anyone but me, but that is what we like. Something that isn’t complicated to you because you thought of it, but something that is a bit complex for anyone trying to guess it.
You don’t have to use songs, book titles or movies. Perhaps you like quotes. Whatever is easy for you to remember but hard for someone else, or a password cracker program, to guess is good. One caveat: the substitutions above make a password harder for a person to guess, but cracking programs try exactly those substitutions as a matter of routine, and a ten-character password is short by current standards. Length does more for you than clever substitutions, which is why the pass phrases described later in this course are recommended.
As good as some of these are, after a while a password has outlived its “goodness”. A password goes stale: the longer it is kept around, the higher the probability that someone has seen it being typed or is able to guess it. Sorry, but it’s just a bad idea to keep those forever. I know, a password can get to be an old friend and you really hate to see it go. Still, it is time to make a new friend at least every 90 days, and immediately if you suspect it has been seen or exposed.
SRSU Policies and Guidelines
Sul Ross State University Office of Information Technology (OIT) maintains several policies and guidelines that you, as a part of the SRSU community and a user of the SRSU network, need to familiarize yourself with. You may view them from the Administrative Policy Manual.
Texas Administrative Code 202(c)
Texas Administrative Code Title 1, Part 10, Chapter 202, Subchapter C contains the state rules on Information Security Standards for Institutions of Higher Education. We simplify it by just referring to it as TAC 202. It can be found at
While it is not possible to list all potentially applicable laws and regulations in this course, the following are particularly likely to have implications for the use of institutional information technology resources:
- The Federal Family Educational Rights and Privacy Act (commonly known as FERPA) – restricts access to personally identifiable information from students’ education records found at http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
- United States Code, Title 18, § 1030: Fraud and Related Activity in Connection with Computers – Federal law specifically pertaining to computer crimes. Among other stipulations, prohibits unauthorized and fraudulent access to information resources.
- Computer Fraud and Abuse Act of 1986 (Part of 18 U.S.C. § 1030) – Makes it a crime to access a computer to obtain restricted information without authorization; to alter, damage, or destroy information on a government computer; and to traffic in passwords or similar information used to gain unauthorized access to a government computer.
- The Computer Abuse Amendments Act of 1994 (Part of 18 U.S.C. § 1030) – Expands the Computer Fraud and Abuse Act of 1986 to address the transmission of viruses and other harmful code.
Data Incident Reporting
To report a suspected data compromise, send an email to:
SRSU’s Chief Information Officer at email@example.com
Include in the email details of the suspected breach without including sensitive information such as passwords, SSNs or other personal or private information. If that information is needed, we will follow up with you. Remember, NEVER send out Personal or Private information in an unencrypted email. It is just not safe.
After the initial report
Upon receipt of an email report, the CIO and ISO will open an investigation. Depending on the type of information that has been breached, we may bring into the investigation:
- The Data Owner(s)
- The University Police Department
- The appropriate Vice-President, President or the Executive Committee
- IT auditors
- State law enforcement (the appropriate agency)
- Federal law enforcement (the appropriate agency)
Interviews may be conducted at any time in the investigation and if determined necessary or appropriate by System attorneys, disclosures may be made.
All breaches are taken very seriously and steps will be taken to comply with all State and Federal Laws pertaining to the security breach.
The 90/10 rule: Information Security is 90% people/process and 10% technology.
It takes more than antivirus to prevent computer security incidents; it takes awareness and action by the end user as well as by OIT support staff. Taking action to secure your computer resources not only helps to keep your information safe; it also demonstrates your commitment to keeping the University network and data safe. OIT provides a lot of resources to help set up and maintain PCs, network devices and servers, but ultimately it is you who is responsible for taking care of your computer and guarding the information entrusted to you.
1 – Update Software
Operating systems have update features that can be turned on and off. You may choose to update your system automatically or manually. All SRSU owned PCs deployed by OIT are set to automatically obtain and apply security updates. If you choose to update your non-university owned PC manually, you should get into the habit of running that update at least weekly.
Application software is often designed to alert you when an important update to the software is available. Most software companies are realizing the need to push the update notices to the users in order to apply security and bug fixes as they become available. When you get a notice of an update available, it is advisable that you apply that update as soon as possible.
2 – Use antivirus and anti-spyware tools
SRSU makes anti-virus and anti-spyware (aka anti-malware) software available via a site license. OIT Desktop Services will be happy to help correctly set this software up. Just give the Help Desk a call!
3 – Use strong passwords
You should consider your passwords as private and personal as your bank account number. Passwords are like underwear, they really shouldn’t be shared!
Introducing Pass Phrases!
Most people have heard of passwords, but pass “phrases” are making a quiet revolution. At its most basic, a pass phrase is a long password with a sentence-like structure. The most effective pass phrase is easily remembered and is not easily guessed. Consider:
“Blue roses for a red lady” (note the twist on “Red roses for a blue lady”)
“Life is like a box of dark chocolate” (the twist is adding the word “dark”)
Pass phrases can be nonsensical made up sentences. Consider:
“Herman Munster scares Gomez Addams!” (we’ve added a special character in the exclamation point)
“2day is the first day of the rest of my life!” (added a number and a special character)
Pass phrases can be combinations of multiple sentences. Consider:
“It’s been a hard day tripper” (two Beatles songs combined)
“Harry Potter & the prisoner of the werewolves of London” (My head hurts now)
More interesting password examples
Make up fake websites to use as passwords. Consider:
Make up imaginary file locations:
Fake email. Consider:
TIP! It is important that you not use any of the examples in this document as real passwords. This document is published publicly and many of the examples are common examples used in password training documents.
Mixing numbers and special characters, in addition to upper/lower case combinations, helps secure your password as long as you don’t make it easy. “123qwe” is NOT a good password even though it is a mixture of numbers and characters. Neither is any part of a birthdate, graduation year or phone number. Sometimes the use of the “elite” hacker language (or “leetspeak”) is helpful in securing passwords. “leetspeak” uses various combinations of ASCII characters to replace Latin letters. Keep in mind that cracking programs apply the same substitutions automatically, so leetspeak on its own turns a weak word into a slightly less weak one; it is the length and unpredictability of the whole password that matters.
For example, “leet” might be spelled l337 (three looks like a backward E and seven sort of looks like a T). To learn more about leetspeak, browse to http://en.wikipedia.org/wiki/Leet
“/\/\yP@ssW0rd” translates to “MyPassWord”
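To make the point about cracking programs concrete (both the description of password crackers earlier in this course, with their dictionaries, name lists and leetspeak, and the leetspeak advice just above), here is a toy cracker of the same design. It is an added example written for this page, not a real cracking tool and not from the original course. Everything in it is constructed: WORDLIST is a handful of words standing in for the multi-million-entry lists real crackers ship with, SAMPLE_TARGETS are made-up passwords (plus the course’s own of0tcn62kk), and SHA-256 stands in for whatever hash a real system uses.

```python
"""Toy rule-based password cracker: word list -> mangling rules (case,
leetspeak substitutions, appended years and symbols) -> brute force.

Added example; not part of the original course and not a real tool. WORDLIST,
SAMPLE_TARGETS and the use of SHA-256 are all constructed for the example; a
real password store should use a slow, salted hash such as bcrypt or Argon2,
which is exactly what makes this kind of attack expensive.
"""
import hashlib
import itertools
import string

WORDLIST = ["password", "football", "letmein", "leet", "lobo", "sulross", "summer", "qwerty"]

# Leetspeak substitutions tried for each letter (the plain letter is always tried too).
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7", "l": "1"}

# Common suffixes: nothing, a symbol, a few digits, a year.
SUFFIXES = ["", "!", "1", "123"] + [str(year) for year in range(1990, 2025)]


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def case_variants(word):
    yield word
    yield word.capitalize()
    yield word.upper()


def leet_variants(word):
    """Every combination of substitutions: 'leet' -> leet, l3et, le3t, l33t, 1337, ..."""
    choices = [[ch] + list(LEET.get(ch, "")) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidates():
    """The rule engine: word -> case rule -> leet rule -> suffix rule."""
    for word in WORDLIST:
        for cased in case_variants(word):
            for mangled in leet_variants(cased):
                for suffix in SUFFIXES:
                    yield mangled + suffix


def crack(target_hashes, max_brute_len=4):
    """Return {hash: password} for every target recovered.

    Phase 1 runs the mangled word list; phase 2 brute-forces every
    lowercase+digit string up to max_brute_len characters (36**4, about
    1.7 million guesses). Anything longer survives this toy.
    """
    remaining = set(target_hashes)
    found = {}

    def try_guess(guess):
        digest = sha256_hex(guess)
        if digest in remaining:
            found[digest] = guess
            remaining.discard(digest)

    for guess in candidates():
        if not remaining:
            return found
        try_guess(guess)

    alphabet = string.ascii_lowercase + string.digits
    for length in range(1, max_brute_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            if not remaining:
                return found
            try_guess("".join(combo))
    return found


def brute_force_guesses(password):
    """Worst-case guesses for a brute-force attacker who knows which character
    classes were used: alphabet_size ** length. Length dominates."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += len(string.punctuation) + 1      # symbols plus the space
    return size ** len(password)


# Constructed targets: three fall to the rules, one to brute force, and one
# (the course's own ten-character example) survives both phases.
SAMPLE_TARGETS = ["P@ssw0rd", "Footb@ll2019", "l337", "q7x2", "of0tcn62kk"]
TARGET_HASHES = {sha256_hex(p): p for p in SAMPLE_TARGETS}

if __name__ == "__main__":
    found = crack(set(TARGET_HASHES))
    for digest, password in TARGET_HASHES.items():
        status = "CRACKED as %r" % found[digest] if digest in found else "not cracked"
        print("%-14s %s  (brute-force keyspace %.1e)" % (password, status, brute_force_guesses(password)))
```

Run it and the three leetspeak passwords fall in well under a second, because the substitutions are part of the rule set rather than something the attacker has to guess. of0tcn62kk survives only because its 36**10 keyspace (about 3.7e15) is out of reach for this toy; against a fast, unsalted hash that is days of work for a single modern GPU, while a 25-character pass phrase such as “Blue roses for a red lady” sits in a keyspace of 85**25, which is not brute-forceable at all.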
4 – Secure your accounts
Most modern operating systems have two types of accounts, user and administrator. Running day to day from a user level account limits what malware can do, because most malware needs administrator rights to install itself system-wide. Administrator accounts are necessary to install software, but if you are browsing the Internet from an administrator account, any malicious code that gets through your browser runs with those same rights. SRSU owned PCs are being set up to only allow OIT access to administrator level accounts, but we highly recommend that you set up a user level account on your personally owned PC and use the administrator account *ONLY* when required.
If you use an administrator level account for your daily business and you visit a malicious web site, code that exploits your browser or one of its plug-ins inherits your administrator rights and can install malicious software (malware) on your system without you even knowing about it. This is referred to as a drive-by download.
5 – Secure your physical environment
The bad guys aren’t necessarily limited to cyber-space. Physical access to your PC is a ripe target.
Consider: You walk out of your office to go to the break room or the UC to get a cup of coffee. You’ll only be gone a short while, so you leave your computer logged in. By the time you come back, someone may have inserted a flash drive and copied that spreadsheet of student records, or maybe even installed a key logging program on your PC.
Solution: Always either log off, or lock your PC when you step away. Better yet, lock the door to your office if possible in addition to locking your PC.
Consider: You are walking down the hallway to your office and find a flash drive that someone has obviously lost. You want to be a good person and return it to the owner, but you have no way of knowing who that person is. Hmmm, perhaps you can get an idea by plugging the flash drive in and seeing if there is a clue in the files inside. Nope, nothing there. You turn it in to Lost and Found and think nothing else of it. What you don’t know is that a sneaky little hidden program on that flash drive has installed a key logger on your PC and is sending your logins and passwords out to the bad guy.
Solution: Never plug an untrusted device into your PC.
Consider: You are on a business trip and go down for breakfast in your motel before heading out for that meeting. You take your notebook computer to check email while eating breakfast. You get up to go get a fresh cup of coffee. When you return, your notebook computer is missing and there is Personally Identifiable Information on it. You file a report with the Police, contact the University Police Department and OIT, but the data on the PC was not encrypted and there were hundreds of Social Security Numbers on those records. Congratulations, the University is now in the headlines.
Solution: Ask OIT about encryption options for notebook computers. Never leave your notebook computer unattended. Do not keep PII on your notebook computer or portable devices.
6 – Use wireless security
Wireless Access Points and Wireless Routers are fairly inexpensive today, which enables people to set up home offices or add wireless to existing offices or residences. When setting up a wireless access point at your home, remember that the default setup for most of these inexpensive devices is to allow anyone to share your network. This includes your neighbors or people driving down the street. Read the documents that come with your device and be sure to set up security. Keep in mind that using wireless *may* allow other people to “sniff” your network traffic. That means that your logins and passwords and even your browsing habits may be monitored. Wireless encryption is one way to help ensure your cyber-safety, but not all encryption is strong: the old WEP standard is broken and can be cracked in minutes, so use WPA2 or WPA3 with a long passphrase, and change the router’s default administrator password while you are at it.
NEVER set up a wireless access point (wireless router) on the SRSU network without checking with OIT first. Most wireless routers come with a DHCP server built in and turned on. This sometimes interferes with our own DHCP server and causes IP address conflicts. It also may cause frustration when you are not able to get to the Internet. OIT is in charge of the network on the SRSU campuses and will work with you to provide access.
7 – Practice online safety
- Only download what you trust and then think again. “Trust but verify”
- Read those pesky EULAs (End User License Agreement) and be sure you understand what you are agreeing to.
- What else are you getting when you download that software? Sometimes what you don’t want.
- Is it legal? Illegal file sharing is a gateway for hackers to get into your system.
- Skype is a great tool, but it must be set up properly. If not set up correctly, it will create a problem for other users on our network. By default, Skype can act as a relay (a “supernode”) for other people’s Skype conversations (even off campus).
- At SRSU, bandwidth hogs are monitored and may be disconnected from the network.
- Those, how shall we say, “risqué” sites are another hacker doorway into your computer.
8 – Understand peer-to-peer and social networking risks
Peer-to-peer software is a great way to share popular files, but *MANY* p2p file shares are illegal music, movies or software. Even legitimate file sharing can expose you to viruses, worms and spyware. The Federal Government has addressed peer-to-peer file sharing in its Higher Education Opportunity Act, which SRSU is required to enforce. See https://www.sulross.edu/page/1236/higher-education-opportunity-act . Social Networking sites are a popular way to keep in touch with family and friends, but they have their own “dark side”. Be aware when you are setting up or maintaining your site.
- Use the privacy settings on your account for maximum security
- Be careful who you accept as a friend
- Be careful of the type of information you provide on these sites.
- If you want to include your birthday, don’t provide the year and don’t give your age.
- Don’t give your address.
- While it’s nice for your friends to see where you are, burglars can see you aren’t home, too.
- Be wary and think before you provide information.
9 – Send and receive secure messages
- Never believe that email is secure. It wasn’t designed to be.
- Never use Instant Message for sensitive information unless both you and the recipient are set to encryption. Even then, be cautious.
- Beware of email attachments.
- Don’t send personally identifiable information in email.
- OIT will not ask you for your personal information in an email (even to keep your email account active).
10 – Backup your data
- Back up the data you can’t afford to lose.
- While OIT does backups on critical servers, don’t assume the backup will recover the files on your PC.
- Don’t assume OIT will be able to recover data from a month ago or three weeks ago. Backups are not kept forever and roll over regularly. The length that backup data is kept varies from server to server.
Consequences of poor Information Security
- Loss of access to data (especially if it isn’t backed up)
- Loss of productivity
- Endangering the SRSU network
- Endangering other users’ data
- Institutional financial loss
- Harming the University’s reputation
Securing your computer
- Up to date Anti-virus software
- Up to date Anti-spyware software
- Strong passwords
- Physical security
- Don’t do work with administrative privileges
- Keep the OS and installed software patched and updated
- Don’t believe that nobody would want to break into your computer
- Don’t fall for phishing attempts
- Don’t fall for lottery scams
- Don’t hi-jack the wireless just because it shows up as available.
- Backup your data
Protecting your identity and University information
There are a LOT of scams out there, most designed to obtain your identity. Many are very well written and very persuasive:
- OIT does not send out email threatening to shut off your account unless you give up your password, SSN, Birthdate, etc.
- If you get something from your bank asking for your SSN, birthdate, account number, etc., be suspicious. Call your bank to verify, if you think it could possibly be a real request.
- Watch what you throw away! People *will* go through the trash to find information that could lead to obtaining your identity.
- Don’t plug in a USB drive that you’ve found, it may install a key logger or a root kit on your computer without you knowing about it.
- That “old friend” that you almost remember from grade school…could be an identity thief trying to gain your trust.
- Chances are that Congress has not really declared war on Europe, despite the “click here for the story” email that says it has.
What sensitive information is on your computer?
OIT has software called “Identity Finder” available that will automatically find files on your computer that may contain sensitive or protected data. Please contact OIT to request a scan.
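The scan described above works by looking for data shaped like the things identity thieves want and then weeding out look-alikes. The script below is an added example written for this page; it is not the Identity Finder product or any part of it, and it is not from the original course. It finds Social Security number and payment card number patterns in text, checks SSNs against the structural rules (no 000, 666 or 9xx area number, no 00 group, no 0000 serial) and card numbers against the Luhn check digit, which removes most false positives such as phone numbers and order numbers, and reports masked values so the report itself does not become a new copy of the data. SAMPLE_TEXT is constructed; the card number in it is the well-known 4111… test number.

```python
"""Find SSN-like and card-like numbers in text, with plausibility checks.

Added example; not the Identity Finder product and not from the original
course. SAMPLE_TEXT is constructed for the example.
"""
import os
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def ssn_plausible(area, group, serial):
    """Structural rules for SSNs; anything failing them is not an SSN."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_ok(digits):
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits so the report is safe to email."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text):
    """Return [(kind, masked_value, offset)] for every plausible hit, in order."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", mask("".join(m.groups())), m.start()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", mask(digits), m.start()))
    return sorted(hits, key=lambda h: h[2])


def scan_directory(root, extensions=(".txt", ".csv", ".log")):
    """Walk a tree of plain-text files; returns {path: hits}. A real tool also
    opens Office documents and PDFs, which this example does not."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    report[path] = hits
    return report


SAMPLE_TEXT = """Student roster (constructed sample)
Jane Doe, SSN 123-45-6789, phone 432-837-8888
John Roe, SSN 000-12-3456 (placeholder, not a valid SSN pattern)
Card on file: 4111 1111 1111 1111 exp 12/26
Order number 4111 1111 1111 1112
"""

if __name__ == "__main__":
    for kind, value, offset in scan_text(SAMPLE_TEXT):
        print("%-5s %s at offset %d" % (kind, value, offset))
```

On the sample, the phone number, the 000- SSN placeholder and the order number that fails the Luhn check are all skipped, and only the two real patterns are reported, masked. The point of the checks is precision: a scanner that flags every nine- or sixteen-digit string gets ignored, while one that reports only plausible hits gets files cleaned up or encrypted.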