Carnegie Mellon University
February 25, 2014

Lessons from Recent Security Breaches

Dear Faculty and Staff,

Several recent high profile vulnerabilities and security breaches serve as reminders of the importance of reporting concerns, staying up to date with security patches, remaining vigilant to scams, and other good security practices, both on campus and at home.

  1. Follow basic security best practices such as keeping software patched, selecting strong passwords/passphrases, physically securing your computers and mobile devices, thinking twice before you click, and safeguarding institutional data. This month, the University of Maryland issued 309,079 notifications for the first major data breach reported for a college or university this year. Last year, Privacy Rights Clearinghouse recorded over 30 data breaches in higher education:
    • 50% resulted from hacking (e.g., compromised passwords, malware infections, and exploited vulnerabilities)
    • 20% resulted from user errors in disclosing sensitive content (e.g., uploading documents to publicly accessible sites, misdirecting email, and errors disabling privacy settings during system maintenance)
    • 15% resulted from lost or stolen portable devices containing unencrypted data
    • 10% resulted from malicious insiders
    • 5% resulted from physical thefts (e.g., paper records)
  2. Please contact the Information Security Office (ISO) if you are ever notified of a data breach by a third party, especially if you use that third party to store or process private or restricted CMU data. Note that Andrew passwords are classified as restricted data, which is why we stress that Andrew passwords should never be reused elsewhere. Earlier this month, Forbes.com announced that over 1,000,000 user accounts were breached. If you received a breach notice or signed up with Forbes.com using your AndrewID and password, change your Andrew password immediately and contact the ISO at X8-2044.
  3. Stay alert for email scams, especially in the wake of Target's December announcement of a massive data breach. Email scams are circulating that impersonate Target and/or attempt to lure recipients into divulging personal information or downloading malware, under the guise of providing credit monitoring services. Other circulating email scams are attempting to capitalize on tax season and the Health Insurance Marketplace rollout.
  4. In addition to keeping your home computer patched, make sure to keep your home router patched and configured securely. Your vendor's website should have instructions. Several significant vulnerabilities affecting popular home routers from vendors such as Cisco, Linksys, Diamond, and Netgear can allow an intruder into your home network if your router is not patched.

The ISO team would like to thank all of you for helping us keep the university's data and systems secure. In particular, a surge in timely reports of email scams has enabled us to take swift action to safeguard others. It's greatly appreciated.

Sincerely,

Mary Ann Blair
Director of Information Security
Information Security Office
Computing Services
Carnegie Mellon University
www.cmu.edu/iso
Phone: 412-268-2044

For additional information on:

Guidelines for Password Management (including recommendations for creating strong passwords)
http://www.cmu.edu/iso/governance/guidelines/password-management.html

Data breaches
https://www.privacyrights.org

Forbes breach
http://nakedsecurity.sophos.com/2014/02/16/syrian-electronic-army-hacks-forbes-spills-1000000-user-records/

Email scams
http://money.cnn.com/2014/01/21/pf/fake-target-email/
http://oig.hhs.gov/fraud/consumer-alerts/alerts/marketplace.asp
http://www.irs.gov/uac/Suspicious-e-Mails-and-Identity-Theft

Home router vulnerabilities and what you can do
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140110-sbd
http://arstechnica.com/security/2014/01/backdoor-in-wireless-dsl-routers-lets-attacker-reset-router-get-admin/
http://securityevaluators.com/knowledge/case_studies/routers/soho_router_hacks.php