Transcript Document
Leaders’ Forum, March 16, 2006
The Invisible Risk: Leaders’ Role
in Protecting Western’s Electronic
Information
The Invisible Risk: Leaders’ Role in Protecting
Western’s Electronic Information
Today’s Speakers:
Arni Stinnissen, Detective Staff
Sergeant, Electronic Crimes Section
OPP
Debbie Jones, Director of
Information Technology, Western
Leaders’ Forum – March 16, 2006
IT Security @ Western
is a shared responsibility
Debbie Jones
Director,
Information Technology Services
•
Photos courtesy Flickr.com
Western’s Layered Security
Gateway Routers
• Provides routing and
denial of routing by IP or
port
• Block certain Denial of
Service attacks
• Block port based scans
– Blocks attacks against
specific ports such as
email, some microsoft
ports and sql
database ports
Gateway Intrusion Protection
• Can block or log traffic by
IP, port, pattern or
protocol
• First line of defense
against new viruses
• Identifies certain traffic
patterns and
automatically blocks
• Detects and automatically
blocks on-campus and
off-campus
scanning or
network
problems
Firewall
• Registered Services
– Restrict what machines
on campus receive
special traffic (email, ftp,
http, database
requests..)
• Ensure protocol integrity
• Allows for fine grained
rules for accepting or
rejecting specific types of
traffic
• Customizable for
different networks
on campus
Trend Antivirus Email Scanner
• Rejects certain types of
attachments that are high
risk of carrying malicious
code
• Detects viruses in
incoming emails and strips
the virus attachment off
Anti Spam Technology
• Spam can be a nuisance
(like junk mail), or a
threat laced with viruses,
malware, phishing or
links to unsavoury web
sites
• Western’s spam control
– Of the 8.3 million email
connections per week,
68% were rejected
and a further 5%
were tagged as
SPAM
Spam Tagging
Ramp
• Provides locking and
unlocking of infected
systems on campus
• Provides the setting of
service specific protection
• Provides systems
administrators with a
quarantined network for
new or infected machines
• Provides systems
administrators
access to
security scans
Trend Antivirus Anti-Spyware
• Campus wide license
• Protects PC’s from known
viruses and malware
• ITS Server automatically
updates 4,800 PCs at
Western
• 8 servers in other areas
update another 3,000
PCs
• PC-cillin is on 7,000
home computers and
5,000 residence
computers
Operating System Patches
• Operating Systems are
vulnerable and hackers
continually find new ways
of ‘sneaking in’
• Patches close the
vulnerabilities to prevent
them from being exploited
by hackers and worms
• ITS server automatically
sends patches to over
5,000 desktops
on campus
Protecting Western
• ITS Network Security office [email protected]
– Responsible for maintaining a secure and stable network and data
infrastructure for campus.
– Implements and supports the ‘many layers’ of protection
– Monitors network activity for anomalies and deals with problems
– Responds to security incidents or calls for help
– Makes new tools available to campus
• ITS Computer Wellness Clinics
– Laptops and computers may be brought to the clinic to be cleaned
of viruses and malware (by appointment, weekdays 8:30-4:30)
– Book an appointment by emailing [email protected]
• System Administrators all around campus
– All of the heros across campus that maintain and protect
computers with appropriate anti-virus software and
security patches.
Working Group on Information Security
(WGIS)
• Members provide broad expertise and input into IT Security
Issues
Graduate students
Campus system administrators
Faculty members
Information Technology Services
USC
PeopleSoft Resource Group
Office of the Registrars
Housing
Internal Audit
Campus Police
General Counsel
Research Services
Human Resources
Communications and Public Affairs
• Terms of reference include:
– Responsibility for drafting and recommending IT security policies
– Responsibility for IT security awareness on campus
started “ Computer Wellness Campaign” last September
Western Policies
• Provides structure
• Establishes campus wide
practices and understanding
• Clarifies roles
• Assigns responsibility
• Empowers Information
Technology Services, Unit
Heads and Systems
Administrators to
protect the network
integrity and
security
Excerpts - Computing Resources Policy
• Information Technology Services shall be responsible for
establishing, maintaining, implementing, administering, and interpreting
organization-wide information systems security standards, guidelines,
and procedures.
• Unit Heads, including Directors, are responsible for ensuring that
security policy is implemented within the unit.
• System Administrators will work closely with ITS and ensure that
systems they administer are operated in accordance with all applicable
Information Security Standards and Policies
• Any person, group, or custodian accessing University information
must recognize the responsibility to preserve the security and
confidentiality of this information.
Computer Wellness Campaign
1. Website http://wellness.uwo.ca
2. Posters in Middlesex College, USC, Office of the
Registrar, Libraries, Genlabs, all Food Services Areas &
Residences
3. Poster set as background in the Genlabs & the Sun Rays
in the Western Libraries.
4. Film Western airing the poster at the beginning of each
film.
5. CHRW Audiozine and advertisements
6. Mass Mailer sent to all Western Students, Staff & Faculty
7. Articles in the Western News and Gazette
8. Links off http://www.uwo.ca
Western’s Layered Security
How can you protect Western?
How can you protect Western?
Understand the policies and best practices
• Read the Security related policies and best practices at
http://www.uwo.ca/univsec/mapp/
– MAPP 1.13 Code of Behaviour for use of Computing
Resources
– MAPP 1.20 Computing Resources Security
– MAPP 1.21 Wireless Networking Policy
• Visit the Computer Wellness Site at
http://wellness.uwo.ca for more information
How can you protect Western?
Ensure your system is protected
• Your system should always be protected with the latest anti-virus
software and security patches. Think of it as a seatbelt and….
Buckle up!
• Know who is responsible and can help you if the
system is not protected or has been compromised
(or locked off the network)
How can you protect Western?
Don’t download freeware at work
• It may not be as ‘free’ as you think. Spyware, malware, trojans
& keystroke loggers are often hidden within ‘freeware’.
• Remember Don’t take gifts from strangers!
• If you need additional software installed, contact your
Systems Administrator for assistance
How can you protect Western?
Don’t surf suspicious websites
• Limit your web surfing to known University or commercial
websites.
• Always X out, don’t click ‘OK’ or ‘NO’ or ‘unsubscribe’
• Practice safe and responsible surfing
How can you protect Western?
Use strong passwords
• Keep your passwords in a secure place
• Avoid common words: hackers can crack dictionary passwords
• Passwords are like underwear
– They protect privacy
– They should never be shared
– The longer, the better
How can you protect Western?
Protect the data you use
• Think before storing, publishing or sharing data
– Is the data sensitive?
– Does it need to be portable?
– Who should see it?
– How have you protected it so that only
those that should see it have access?
• Mobile data on laptops and USB keys
is at risk - Leave it, Lose it.
How can you protect YOUR information?
Recognize phishing and don’t fall for it
• Phishing can come through emails or web sites
• Phishers are getting better, scams are getting trickier to detect
• Be suspicious when personal or private information is involved
and
Don’t Get Phished
• When in doubt, ask
And let’s not forget your Home
Computer!
What’s next?
It’s the Internet - Expect the unexpected
Thank you!
Arni Stinnissen - [email protected]
Debbie Jones - [email protected]
Questions?
[email protected]
http://wellness.uwo.ca
The Invisible Risk: Leaders’ Role in Protecting
Western’s Electronic Information
Table Dialogue:
Take 15 minutes to
1. Discuss what stood out for you
2. Formulate a question to pose to Arni or
Debbie
Leaders’ Forum – March 16, 2006
The Invisible Risk: Leaders’ Role in Protecting
Western’s Electronic Information
Paul Davenport
(President and ViceChancellor)
- Reflections…
Leaders’ Forum – March 16, 2006
The Invisible Risk: Leaders’ Role in Protecting
Western’s Electronic Information
Leaders’ Role:
• Inform staff
• Establish safeguards
• Approve data access
• Deal with security violations
• Communicate to HR, ITS, etc. any staff changes
that affect access
• Create a contact list of people responsible for all
computers in your area
• Identify to ITS your technical contact (System
Administrator) and a supervisory contact
Leaders’ Forum – March 16, 2006
The Invisible Risk: Leaders’ Role in Protecting
Western’s Electronic Information
…Next Steps
To Support Your Leadership Role:
See your “Meeting in a Bag” kit -- some resources
for ensuring your unit teams know about the risks,
ways to minimize them, and their accountabilities.
Thank you for your leadership in keeping
Western’s data, Western’s work, and Western’s
people safe!
Leaders’ Forum – March 16, 2006
Thank You…
Computer Wellness Committee
Elgin Austen
Jim Dunkin
Wendy Kennedy
Scott May
Geoff Pimlatt
Peggy Roffey
Ellen Smout
Leaders’ Forum – March 16, 2006
Thank you…
Forum Facilitators:
Carol Abraham
Jennifer Ashenden
Krys Chelchowski
Chris Costello
Debra Dawson
Frank DeGurse
Andrew Fuller
Paul Greenwood
Lori Gribbon
Nancy Griffiths
Stephanie Hayne
Brian Jeffs
Ruta Lawrence
Scott May
Graham Newbigging
Peggy Roffey
Malcolm Ruddock
Nancy Stewart
Glen Tigert
Peggy Wakabayashi
Leaders’ Forum – March 16, 2006
Next Leaders’ Forum
April 27, 2006,
12:00-2:00 p.m
Great Hall
Leaders’ Forum – March 16, 2006