Experts Outline Online Safety, Records Retention at U.Va. Conference

Hackers rely on their victims’ curiosity to lure them into compromising situations, where one wrong “click” can have devastating consequences. But the wary can avoid these traps.

Hacking, cyber security,  legal strategies and record retention were among the concerns reviewed at the University of Virginia Information Security, Policy and Records Office’s conference, held recently at the Omni Hotel in Charlottesville.

The office, which calls itself “ISPRO,” handles information policies and security for the University’s diverse and decentralized computing environment. It also oversees the University’s electronic and physical records management program.

In the all-day conference, held June 25, speakers examined issues involving information security and retention, as well as legal issues surrounding Freedom of Information Act requests, copyrights and end-user agreements.

Caroline J. Walters, the University’s records officer, led breakout sessions on Infolinx, the University’s new records management software; plus physical records storage and how to create a plan to clean out records.

“The conference went really well and I think all attendees learned more about information security, policy and records management that they can use in their work at U.Va.,” Walters said.

Karen McDowell, an information security specialist with ISPRO, discussed how vulnerable computers are to hackers, as well as outlining steps users can take to avoid being victimized.

“Hackers are trained researchers who do reconnaissance on their targets,” she said.

Hackers use “spear phishing,” a clever technique usually implemented by email, that seeks to trick a person at a specific company or organization into volunteering his or her personal information and passwords in order to gain control of their computer. Once they have this basic control, they can penetrate the  network and install  custom software to exploit its weaknesses.

“If they get administration credentials, then they can control a lot of information,” she said. “They can  install what is called a ’back door’ and send data back to their command and control servers for their own purposes.”

McDowell said once a hacker has control of any computer, he or she can turn it on or off at will,  use its processing power  to send out new spam and spear phishing messages, and link it to others to harness their combined power to bring down a website or a network.

She cited recent examples of hacking, such as an attack on the New York Times that the security company Mandiant linked to China, and attacks on 50 U.S. banks that have been traced to Iran. Hackers have also attacked the Federal Reserve Bank; a number of defense industries, including Oakland Laboratories; the Pentagon; Zappos; LinkedIn; Google; and Facebook.

McDowell said anti-virus programs alone will not stop hackers, because they design attacks to go around them, but anti-virus protection is still essential. She urged computer users to keep their anti-virus programs up to date and devise stronger passwords. The University is working on a protocol allowing passwords longer than 20 characters, since they are harder to break. She suggested computer users avoid logging into their email, banking, and other sensitive sites , while in wireless hotspots such as cyber cafes, airports or anywhere Wi-Fi is free.

“Stop and think before you connect,” McDowell said.

Web users should be leery of online advertisements, she added, suggesting that interested viewers type the product name into a browser and track it down, rather than clicking directly on an advertising link ­– “especially if you see something like ‘Lose 50 pounds in a week,’ or ‘flat abs’ or ‘celebrity photos.’” She also suggested hovering the cursor over the link to read its true URL.

She urged computer users to back up their data, so they do not lose it all if a computer gets infected.   

Many spear phishing emails seek to create a sense of urgency by suggesting that recipients must act now or something dire will happen to them, she said, adding that many people are undone by curiosity, clicking on links that look like they might be interesting.

McDowell warned that cyber security needs to extend to mobile telephones and that “smartphone” users should use both passcodes and auto-lock functions to protect their data.

“There are 113 smartphones stolen every minute,” she said. “Legislators  are pressuring  smartphone manufacturers to put remote kill switches in smartphones. This will prevent thieves from reinstalling the smartphone operating system in order to resell or reuse the phone they have stolen..”

In another session, Brian Davis, director of information security, policy and access, reviewed policies governing data protection and storage at the University, which breaks into three categories – “highly sensitive,” “moderately sensitive” and “not sensitive.”

“Highly sensitive” data requires the highest levels of technological and personal control, and consists of such items as medical information or personal information that could lead to identity theft. The “not sensitive” category includes material that is intentionally made public, such as reports and information posted on websites. “Moderately sensitive” data falls between the extremes.

Davis said that even “not sensitive” data requires a level of protection, to prevent it from being hacked and misused.

Madelyn Wessel, an attorney in the University’s Office of the General Counsel, outlined some of the legal ramifications of cyber security and records retention.

She touched on preserving University records to comply with the Virginia Freedom of Information Act, state and federal litigation discovery rules, laws on privacy and security protecting the University’s intellectual privacy and protecting the copyrights of others while using technology and the Internet.

In general, institutions with medical schools have extremely high compliance risks due to patient confidentiality issues, she said, followed by research institutions, due to their elaborate funding mechanisms. Modern society requires extensive measures to protect the University’s records and intellectual property.

She also explored end-user legal agreements that people sign, often without reading them, when they download software and other applications from the Web. She said these agreements can determine jurisdiction of any legal action, disclaimers, indemnification and responsibility for the other party’s legal fees, claims on intellectual property and content rights, data mining rights, use of trademarks and logos and liability for loss of data.

Wessel said the “fine print” agreements are common and are used by software producers from ITunesU to YouTube to Facebook and in consulting and publishing agreements, as well as software security updates.

“Online licenses are pretty likely to be found valid and enforceable against the end user,” she said. “It doesn’t matter that the service is free.”

As an example, Wessel cited some software she obtained in which the end-user agreement said any legal disputes over the product would be dealt with in California courts. She said in signing the agreement, she acquiesced to having to use a legal venue on the other side of the country if there were any problems. She said that  employees do not have the authority to bind the University to these agreements with their signatures, and that executing an agreement  makes the employee  personally liable. She said the examples of when these contracts have been enforced against an individual employee are rare, but she warned that this can happen.

Wessel said that the University is developing new standard contractual terms relating to data and intellectual property protection for all its negotiated agreements, and plans to make it part of vendor registration, every purchase order and contract.

Wessel also touched on public records issues, noting that any data or information owned by a public university falls under state record retention, disposition and Freedom of Information Act requirements, including information that results from various grants.

She said under the Virginia Freedom of Information Act, a record is defined as “recorded information that documents a transaction or activity by or with any public officer, agency or employee of an agency.” Public records are anything, in any form, generated, prepared and/or held by a public body, its officers, employees and agents, “in the transaction of public business.”

“Records that are not prepared for or used in the transaction of public business are not public records,” she said.

She also gave a short lesson on copyright compliance, noting that copy-protected works may be shown or performed in course of face-to-face teaching at a nonprofit educational institution; and that clips, image and digital objects may be used in exams, student portfolios and symposia. But she said in making the transition from the classroom to the Internet, it is often necessary to get permission of the copyright holder.

She predicted in the future, the University will have new policies on online licenses and end-user legal agreements. She predicted U.Va. will have to address more Freedom of Information Act requests, more discovery demands and new technologies that continue to tempt people to “sign” complex and confusing online agreements.

There are no easy solutions, Wessel said, but awareness of the risks through a careful review of the technology tools being used as well as any associated legal terms is really crucial. “Think before you download or click ’yes,’” she said.

”The University’s information security and records management program is primarily about managing risks to our institutional data, as well as meeting increasingly complex regulatory compliance requirements,” said Shirley Payne, assistant vice president in charge of the Information Security Policy and Records Office. “To be successful at this, we must keep tabs on environmental factors with security and records implications, such as new cybercrime threats and technological trends, and adjust our programs accordingly; and there must be recognition that everyone at the University has a role to play in reducing risks to institutional data.”

The Information Security Policy and Records Office also presented a Significant Information Security Contribution Award to Chris Prue, director of ExecTech, the IT support unit at Madison Hall. It presented a Significant Records Management Contribution individual award to Sharon Hiner, administrator in the Department of Molecular Physiology & Biological Physics in the School of Medicine, and a departmental records management award to the School of Continuing and Professional Studies, with an honorable mention to the former Office of the Vice President and Chief Financial Officer. Facilities Management’s recycling office, directed by Sonny Beale, also received recognition for its efforts in assisting with records clean-outs and destructions.

Media Contact

Matt Kelly

University News Associate Office of University Communications