By Damon Armour, IT Security Officer
The year 2009 has finally arrived. What challenges lie ahead for the campus this year have yet to be determined. Understanding concepts, topics, and threats from last year is one way to prepare and prevent information security occurrences. Let’s begin by reviewing topics covered in 2008 in the IT Security segment of the ASU Report.
Spam is a topic that never seems to go away. Each year, tools are improved to defeat spam, yet spam finds a way to reinvent itself in order to reach its intended audiences. In March 2008, two examples of spam messages are discussed. The first example is a message with threatening language that is intended to generate fear. Upon further investigation, this message is discovered to be a hoax. Holiday e-cards are another potential spam tool. In this case, the e-card directs you to a site that can infect your PC with Malware. Find out more on spam by reading the full article at http://www.aug.edu/public_relations/March08/IT.html.
In May 2008, several tools to improve data security are discussed. One tool places your data on a USB drive using 128-bit encryption. The value of this tool is its ability to use a fingerprint to unlock the contents of the USB device. Biometrics is growing as a means of providing secure access and data storage. Read more on this topic here: http://www.aug.edu/public_relations/May2008/IT.html.
The June 2008 article discusses the topic of email with spam on a mission. Individuals on campus receive messages that appear to be official business requesting sensitive information. An example in the article mentions messages claiming to be from the IRS. In December 2008, we had several cases on campus of email messages pretending to be from the IRS requesting a form to be completed and faxed back. Neither private nor public institutions, including the government, will use email as a method to retrieve sensitive information from individuals. Sensitive data such as social security numbers, account numbers, or passwords should not be sent through email. More information on this topic can be found at http://www.aug.edu/public_relations/asureport/IT.html.
The July and November 2008 articles touch again on data security, specifically, with regard to data that has sensitive information within it. There were media reports throughout the year of cases of information stored on a device, which came up missing. That information was valuable because it contained sensitive components like those described above. There are cases when individuals on campus will need to work with sensitive faculty, staff, and student information. All reasonable measures to protect the privacy of that information need to be taken. Treat the information as you would want yours to be treated. Find out more information in both articles:
July – http://www.asupr.com/2008/06/27/personal-identifiable-information-what-are-you-storing-and-why/.
November – http://www.asupr.com/asureport/2008/10/data-retention-%E2%80%93-should-i-save-this-on-my-desktop/.
The September article brings up the topic of peer-to-peer (P2P) filesharing. The technology involved for P2P can be used as a legitimate method of transferring files across the Internet. Yet in many cases, this technology is being used to exchange media files such as movies, music, etc., that have not been paid for, nor have permission from the publisher to distribute. ITS gets notifications from media publishers on any offenders they discover. ITS notifies the offending individual and requires a written response on the discontinuation of the activities. Read more at http://www.asupr.com/2008/08/29/peer-to-peer-p2p-%E2%80%93-file-sharing-gone-bad/.
During the month of October 2008, the ASU campus was under an IT audit by the University System of Georgia. The IT audit covered three main areas of concern. The first was on network security, the second on identity management, and the third on access management. The IT audit has completed its phase on campus, and the final report is expected in early 2009. Look for more information here: http://www.asupr.com/asureport/2008/09/it-audit-%E2%80%9908-%E2%80%93-what-will-this-mean/.
Finally, in December of 2008, the concept of blacklisting was introduced. Blacklisting can affect the email of everyone on campus. All it takes is one person to provide his or her email credentials (username/password) to a spammer. If a spammer utilizes our email resources to send out mass messages, network providers across the globe can blacklist us and, therefore, prevent our messages from reaching their intended recipients. Find out more on this topic at http://www.asupr.com/asureport/2008/11/email-blacklisting-%E2%80%93-what-it-is-and-how-to-prevent-it/.
2008 covered a variety of topics that affect our campus and its users. An integral part of IT security is information security awareness. Always use good judgment when dealing with institutional information and applications. Apply these same principles at home as well. Let’s make 2009 a successful year by avoiding any triggers for incidents. Information security awareness begins with each of us. Look for more information during the upcoming year to help with security awareness.
To report security issues or to get answers to questions, contact the ITS Help Desk at 706-737-1482. Questions or comments on this article or any security awareness training can be directed to firstname.lastname@example.org.