Data Privacy Day!
January 28th, 2013
Today is “Data Privacy Day”: a day to stop and think about your data, that of others, and the organizations we deal with every day. Digital footprints don’t have anything to do with global warming but they could easily cause a firestorm. Think about where all of your information is right now. The government has records, as do your doctor, dentist, insurers, schools, work, banks, and any number of websites you have set up accounts with and log into, or have even forgotten about.
Then imagine you have the same username and password for all of them, and imagine someone figured out your username and password for one of them…but could then use it for all of them. Talk about things that make you go hmmm.
It’s really easy to say we don’t have time, so we try to make things easy for ourselves, which makes it easy for them too. So maybe Data Privacy Day can be the day where you take the time to think about all of your data, where it is, and whether you have taken the precautions to protect it and your privacy.
And if you are looking for ideas and best practices remember to check out the HLS security website: Open&Secure.
Holiday Scams
November 13th, 2012
The anti-virus company McAfee recently posted “Avoid the 12 Scams of the Holidays” on their website (http://promos.mcafee.com/en-us/lp/5918_maa.aspx?cid=113981).
With the holidays come increased internet sales and offers, and opportunities to reach out to friends and family. Along with those activities comes increased activity from cybercriminals trying to exploit all of our goodwill. Please see the article for more detailed information, but here is the list to watch out for:
- Phony E-tailers; fake sites trying to steal credit card info
- Malicious Mobile Apps; so many apps to choose from, choose wisely
- Travel Scams; more fake web pages looking for your financial info
- Holiday Spam/Phishing; tempting gifts to lure you in
- iPhone 5, iPad, and Hot Holiday Gifts; “great” deals to get you to click on that malware link
- Skype Message Scare; instant messages that infect your device when clicked
- Bogus Gift Cards; use caution shopping online or from third parties
- Holiday SMiShing; bad guys pretending to be legitimate organizations to lure you in
- Social Media Scams; beware of phony contests, ads, or jobs from Facebook or Twitter “friends”
- Fake Charities; beware of fake emails trying to get you to give your money and info
- Dangerous E-Cards; careful of cards that actually are links to malware
- Phony Classifieds; beware of offers that want too much personal info or want you to wire transfer funds
Tip: Before you click on any links, hover the cursor over the link (don’t click) and see if the URL/address is really what it is supposed to be.
Not Your Parents’ Cell Phone
November 5th, 2012
There was a time not long ago when a cell phone was just that, a phone. Now they are small computers with more features and capabilities than early PCs. Your smartphone has the ability to surf the web, handle email and texting, and even take pictures. This means that it is as susceptible to viruses and spyware as PCs are. The steps you take to protect your computer should be applied to your phone:
- Enable a password/PIN
- Use a mobile version of an anti-virus program
- Use caution surfing the web with your phone
- Make sure you are downloading clean, legitimate applications
When it comes to personal information, your phone probably has more than your computer. After all, the main items on your phone are your contacts and pictures, and both are most likely to be things you don’t want shared with just anyone.
Take My Data…Please
June 1st, 2012
Earlier this week, I was walking outside, through the patio by the Hark, when I noticed a table. It was a nice sunny afternoon and there were plenty of people around but not at this table. What this table did have was a laptop bag and a Blackberry sitting on it. I wasn’t sure who they belonged to (contractor, faculty, staff or student?) but I looked around and the closest people to it were about 10 feet away having a discussion.
I realize we are an academic environment and for the most part we all feel pretty safe and trusting here. The reality is that things happen here at HLS too. A few months ago someone was bold enough to go into an office and walk away with a laptop. Luckily it was encrypted and didn’t have any high risk data on it. I can’t say the same for that laptop bag and Blackberry on the table. It would have been very easy for someone to pick them up and walk away with them.
How comfortable are you with someone getting your computer or cell phone? It’s not just about Harvard information; what about your own information? If someone stole your laptop and/or smartphone, do you want them getting access to your personal information? Are there documents that have your address, date of birth, phone numbers, or your kids’ names? Are your email accounts linked to your smartphone? Is your smartphone locked by a password? Will the phone wipe out all of the data if someone tries to crack the password too many times?
The bad guys don’t need our help. Please be aware of your surroundings and where your laptop and cell phone are. It only takes a few seconds for them to walk..
Don’t Make Copies at All
May 25th, 2012
The DMCA, the Digital Millennium Copyright Act, in a nutshell protects the copyright of digital assets such as music and movies.
HLS fully supports compliance with the DMCA and will respond to all notifications of copyright infringement.
Using Harvard’s network to download or share copyrighted material (music, movies, TV shows, etc.) without the owner’s permission may result in legal sanctions, network termination, or both.
BitTorrent, Limewire, Gnutella, and other file sharing (P2P) applications can transmit files with or without your permission.
If you have one of these types of programs on your computer you will be held responsible for any copyright violations you commit.
Once HLS is notified of a DMCA violation, the person identified as the offender will be instructed to contact the HLS Help Desk so that they can determine if there is a violation. If there is, they will work with you to clean up the necessary files.
They will also have you sign an acknowledgment of the violation, of whether it is the 1st, 2nd, or 3rd violation, and of the consequences.
Consequences range from warnings to termination of network use. They also escalate for repeat offenders.
It can be very difficult to do school work or your job without network access.
Oops!…Now What?
May 25th, 2012
Sooner or later your computer becomes a paperweight. Whether it is a hardware failure, software error, or a virus, your computer may become unusable.
This may be no big deal if you have your data backed up, or a nightmare if you don’t.
The easiest way to make sure that your files are backed up is to use your home/personal drive.
Everyone should have a mapped drive to their home directory. If you don’t have one or are not sure if you do, contact the help desk and they can either help you find it or help get you set up with one.
Your home directory is actually on one of ITS’s servers, which are backed up nightly.
Because they are backed up nightly and you have stored your files there, ITS will have a copy of your files to restore to your new or repaired computer. And you can have a shortcut to the folder on your desktop so you can access it easily.
Old School
May 25th, 2012
Modern technology has given us digital assets and with them anti-virus programs, passwords, and firewalls. Left over from the pre-digital era is paper.
We hear so much about having strong passwords, encryption, and not leaving our computer logged on when we aren’t at it that we forget about the data on paper.
High Risk Confidential Information and Confidential Information come in paper forms as well.
“Housekeeping” can take care of many of these issues. When you leave your desk, make sure sensitive documents are put away and locked up.
Don’t throw documents with HRCI in the trash. Place them in a shredder box or shred them yourself.
Many offices are legally obligated to maintain documents for a specific amount of time.
Contact Record Management Services for guidance with Harvard University policy and how long to keep various records, and how to dispose of them when they are no longer needed.
Like Phishing In A Bowl
May 25th, 2012
If passwords are too strong to crack quickly, how can the bad guys save time? They go phishing. Phishing is the method of using emails to trick people into handing over their usernames, passwords, and other confidential information. I’m sure all of us have received a phishing email at least once (every hour).
There are several different versions: some offer money that you can have if you contact them and pay them a “small fee”; in others, a bank or company needs you to follow a link and fill out a form so they can “update” your account. Ask yourself, do you have an account with that company? Don’t click on any links in the email, but go to the company’s website and check out their security sections for any info on scams. They usually have information on the ones involving them. If you don’t see one similar to the one you received, there is a section to report it to the company and they will investigate it.
When in doubt, delete it, and remember: it’s hard to win a lottery if you didn’t enter. And what are the chances someone has millions of dollars, is stuck in another country, and you were the only person they could find to help them get it out and spend it?
It’s Not a Four-Letter Word
May 25th, 2012
HRCI, there, I said it. It is something that is heard often around HLS. High Risk Confidential Information became the buzzword when MA 201 CMR 17.00 was enacted. HRCI isn’t a bad thing; it is a person’s first name or initial and last name along with any of the following:
- Social Security Number
- Driver’s License Number
- State ID Card Number
- Financial Acct Number
- Credit Card Number
- Debit Card Number
A person’s name and any one of these could be used by identity thieves. Protecting HRCI is everyone’s responsibility. The HRCI that we are trying to protect is yours, mine, your co-workers’, and your fellow faculty’s and students’. IT Services takes many steps to help with that, such as an Anti-virus/Malware solution, Laptop encryption, and Firewalled Storage.
But there is so much more that each of us can do:
- Clean your desk and lock up any confidential documents when you leave.
- When travelling don’t leave your laptop unattended.
- Set a screen lock on your cell phone. If lost or stolen they can get your contacts (family and friends) and may be able to access your email accounts.
- Don’t discuss case work in “public” places and don’t discuss with anyone that isn’t part of your team.
- Don’t be fooled by email phishing schemes. If you have any doubts about an email you receive, delete it.
Remember, the HRCI you save may be your own.
Last Man Standing
May 25th, 2012
Information Security uses the term “defense-in-depth” to describe the layers of hardware and software put in the way of the bad guys to protect our data. In theory this is a best practice much like a castle was in the 1400s. Castles have moats, drawbridges, high walls, and plenty of guards patrolling the walls. But the attackers always found ways to breach the defenses.
Today’s hackers are very good at getting through or around all the layers of defense-in-depth plans too. Once they get through all of the layers there is only one thing between the attackers and our data; you. Each one of you can be the strongest link in our layers or the weakest link depending on how conscientious you are.
Hardware and software are limited to how they are configured and what we program them to look for. Each of you has the ability to make much better decisions. You have “instinct” or “gut-feelings” that allow you to look at an email and decide to delete it, or to notice that someone left confidential info out that should be locked up, or maybe even notice someone that doesn’t belong in a building (whether a threat to data or someone’s personal safety).
The more you stay educated on information security issues the safer our data and all of us will be.
