
Technology Update - Information Security Issue

May 24, 2018

Table of Contents

Focus on Privacy and Security
New Privacy Laws Taking Effect on May 25
Email Attachment Without the Wait
Protect Your Password, Protect Yourself
Ransomware, Privacy, and Recovery
Destruction of Sensitive Materials


Focus on Privacy and Security

Privacy is something we miss when we lose it. We feel that our privacy is violated when someone knows something about us that they should not know: what websites we visit in the morning, what prescriptions we take, what were our worst grades in high school. We also feel that our privacy is violated when our identities are stolen. Privacy is important for financial wellbeing and for personal safety. Privacy is critical for our personal growth, and for our freedom of action and expression.

This special issue of Tech Update explains upcoming changes in privacy laws, efficient and secure ways to collaborate, account security risks and ways to mitigate them, ransomware and recovery from it, and how to destroy data that is no longer needed.


New Privacy Laws Taking Effect on May 25

The United States issued sophisticated privacy legislation in the 1970s and 1990s. Today, the European Union's councils and parliaments are expanding privacy protections for their citizens and the citizens of other countries through sophisticated new regulations.

Beginning on May 25, the new European Union General Data Protection Regulation (GDPR) takes effect. GDPR regulates how organizations must protect and handle the information of people who are citizens of, or located in, a member country of the European Union. European data protection regulators could levy hefty fines to organizations that are subject to but do not comply with the new regulation.

What should you do about privacy if you don't know the law or the technology? To quote the Hitchhiker's Guide to the Galaxy, "Don't panic!" Pablo Molina, Chief Information Security Officer, and Robert Asante, interim Chief Privacy Officer, are working with representatives from several Drexel University offices to inventory our systems and processes. They are also working with the Office of the General Counsel to identify what aspects of GDPR may be applicable to Drexel University.

As the deadline approaches, organizations have ramped up their efforts to comply. Large technology companies—Google, Facebook, Twitter, etc.—and small ones recently translated their privacy practices from hard-to-understand legal language to common language. To alert us about these changes, they’ve been sending notices by email, displaying popup messages on websites, and requesting our consent to remain on mailing lists.

As a global university, Drexel also works with onsite and online students, faculty, professional staff, patients, research subjects, and other individuals who are citizens or residents of European Union countries. Therefore, certain GDPR provisions may apply to some of our community members.

If you have questions about how GDPR may affect a specific Drexel project or activity, please contact gdpr@drexel.edu.


Email Attachment Without the Wait

Email attachments remain the primary way that we collaborate on files. They also remain a primary vector for malware infection on our computers. While Advanced Threat Protection (ATP) in Office 365 helps protect us, there's no denying that it delays attachment delivery. Fortunately, those delays can often be bypassed, and there are better ways to collaborate immediately.

Bypass attachment scanning delays

Rather than wait the 30-60 seconds typically necessary for Advanced Threat Protection to scan attachments, you can preview many file types immediately after a message arrives. In Outlook, click once on the "ATP Scan in Progress" placeholder to see a summary of the PDF, Word, Excel and PowerPoint attachments being scanned and a Preview link for each.

When you click one of the Preview links, a web browser will open (you might have to sign in) to show you the file in Office Online. The preview is rendered on Microsoft's servers, so nothing is downloaded to your computer until the scan completes; previewing this way saves time without skipping the protection.

Sharing files is better than emailing them

You can eliminate scanning delays and the effort of tracking file versions by storing documents in Drexel OneDrive, then sharing rather than emailing them. Documents saved to OneDrive auto-save, track who made changes and when, let you roll back the clock to previous versions, and let multiple users simultaneously edit a file.

Use OneDrive and other Office 365 tools to collaborate in a more modern way than emailing files back and forth. See drexel.edu/IT/Office365/Collaborate for guidance. Visit drexel.edu/IT/OneDrive for Drexel-specific instructions on setting up OneDrive and drexel.edu/IT/about/policies/tos/OneDrive for the Drexel OneDrive Terms of Service.

The online and mobile versions of Word, Excel, and PowerPoint support auto-save, version management, and co-editing. However, some older versions of these apps do not. If your apps do not show the "Share" button in the top right corner, contact your collegiate IT or the Drexel IT Help Desk to find out if a newer version of the Office apps is available for your computer.


Note: The "Version History" button is a feature of the "Subscription" and "Click-to-Run" versions of the Office apps and is available only when you edit a document stored on Drexel OneDrive.


Protect Your Password, Protect Yourself

Have hackers ever stolen your passwords? Most likely, yes, along with the passwords for several billion other online accounts. Last year set another record for data breaches, which exposed billions of accounts hosted on public, private, and government websites and servers.

Password Security

Today, we seldom think twice about creating an account for an online service, despite the frequency of data breaches and password thefts. Instead of complacency when another company announces millions of account thefts, we can take steps to secure our online identity:

  1. Enable two-factor authentication for online services. Two-factor authentication uses your phone (or a second account) to approve sign-in attempts. Even if someone learns your password, they can't sign in without access to your second device/account.
  2. Use a unique password for each account. Password reuse increases risk; a compromise of one service exposes you on every other service that uses the same password. Password managers such as KeePass and LastPass make it so easy to manage passwords that you can use long, complex, unique passwords without fear of forgetting them.
  3. Be mindful of social media and data you publicize. Social engineers can use what you share to answer security questions and change your passwords. Limit access to your posts, photos, and status updates to your family and friends. Review security settings—don't accept the defaults.

Sensitive Information Security

We all share the responsibility of information security. Here are additional suggestions for minimizing risk when working with sensitive data:

  1. Use only the minimum amount of information required.
  2. Use the Drexel Virtual Private Network (VPN) to encrypt communications data sent across public wireless networks (e.g. airports, cafes, libraries, hotels, etc.). The VPN software is available at vpn.drexel.edu. For help, email the IT Help Desk at consult@drexel.edu.
  3. Received an email or call asking you to sign in or provide information? Don't comply. Email and caller ID forgery is simple. "Urgent" or "act now" messaging, misspellings, and bad grammar are indicators someone is "phishing" for your personal information. See more information about email scams on the IT website.

Ransomware, Privacy, and Recovery

Ransomware takes computer files as "virtual hostages." Criminals use this malware to encrypt files, then demand payment for the decryption key. Until the ransom is paid, the files remain inaccessible on your hard drive. Like Denial of Service (DoS) attacks that slow or crash computers, ransomware denies authorized people access to their information.

Newer and more dangerous ransomware also transmits the original files to the criminals, who then sell the credit card numbers, health information, and other personal data they find. Ransomware is thus a privacy problem, too, and restoring your files from backup does not undo the disclosure.

Prevention and Protection

Firewalls and anti-virus software prevent many attacks, but students, faculty, and professional staff should not expect perfection from these tools. We should all maintain suspicion of attachments and website links in emails. Following the suggestion that you "Check out this cute kitten video!" could ruin your day with one click of the mouse.

Drexel IT offers CrashPlan, a data backup service, to faculty and professional staff for their Drexel-owned computers. CrashPlan, which costs $70/year, allows a licensed user to protect up to four Drexel-owned computers (i.e., a faculty member with several computers need only pay one license fee). Backup space is not limited, but the license applies to individual use, not servers. More information is available at drexel.edu/IT/CrashPlan. Note: CrashPlan is not licensed for personally-owned computers. We recommend a backup service such as Carbonite.

Drexel OneDrive is a cloud file storage service included in Office 365. Use it in place of file storage on your local hard drive, where possible. OneDrive synchronizes cloud storage with a linked folder on your computer; this folder automatically copies files it contains to the cloud, where they are accessible from anywhere.

Both CrashPlan and OneDrive allow file versioning, a feature useful for the restoration of old files or corrupted/ransomed data.

Reporting and Recovering from Ransomware

If ransomware infects your computer, you’ll know: a ransom message will demand compensation, and your files will become inaccessible. Do not restart or turn off your computer, and do not pay. Contact Drexel IT Information Security at informationsecurity@drexel.edu or 215.895.1984.

In most cases, Drexel will not pay a ransom, as there is no guarantee the encrypted files will be released or that important data wasn't already transmitted to outsiders. Instead, the infected computer will be refreshed with an up-to-date version of the operating system and applications. Data files will be restored from CrashPlan and OneDrive.


Destruction of Sensitive Materials

Although Drexel strives to make recycling as easy as possible, don’t chuck everything into a blue recycling bin. You must take special care before recycling or disposing of hardcopy documents that might contain sensitive, confidential information; and electronic devices – particularly computers, laptops, tablets, and phones.

Hardcopies: Sensitive Documents Must Be Shredded

The Records Management Policy, administered by the Office of the General Counsel, tells you everything you need to know about when/how to retain/dispose of official University records.

"Records Management is all of our responsibility. Destruction of records is an important part of the policy, but it must be done in accordance with the guidelines in the policy, particularly if any records are subject to actual or potential litigation or have historical value," said Tami Wible, associate general counsel and managing attorney. Wible urges faculty and professional staff to carefully review the policy, including the supporting resources provided, and to contact her with any questions by calling the Office of the General Counsel at 215.895.6286.

Records custodians must pay particular attention to their obligations in the Records Management Policy. If you determine that records are expired according to the definition set forth in the policy and they do not need to be permanently retained as Historical Records, you must shred any hardcopies that contain confidential information in a manner that renders them unreadable and would prevent them from being reconstructed. Only then can the remaining material be recycled.

Hardware: E-Waste Must Be Wiped Clean

Did you know that when you delete a file on your computer, even after emptying the Recycle Bin, it can still be recovered by an undelete program? Deleting only removes the directory entry; the data stays on the disk until something overwrites it. For a traditional (magnetic) hard drive, the way to ensure the data is completely removed is to overwrite the entire drive with pseudo-random data. Drexel IT uses a program called DBAN for this (see the Drexel IT DBAN FAQ for more information and contact informationsecurity@drexel.edu if you need assistance). Solid-state drives and the flash storage in phones and tablets do not reliably overwrite in place, so for those devices use the manufacturer's secure-erase or factory-reset function, or have the device physically destroyed; contact Information Security if you are unsure which applies.

It is each department's responsibility to ensure that storage devices have been properly erased before disposal, recycling, or reuse.