Transcript Slide 1
Protecting Confidential
Client Data!
Presented by:
[Insert Your Name Here]
Background Agenda
Sizing Up the Problem
The Fix!
▬ Human Aspects
▬ Technology
Local
Remote
Sharing
▬ Disposing of Old Data
Background:
Sensational Headlines…daily!
Cyber-thieves shift nearly $450,000 from
Carson,CA city coffers (May 2007) using
keylogger software.
T.J. Maxx data theft (some 45 million credit and
debit card numbers) likely due to wireless
‘wardriving‘, i.e. thief with a laptop, a telescope
antenna, and a wireless LAN adapter
(December 2006).
Sensational Headlines…Daily!
Veterans Administration announces confidential
information of 26.5 million service personnel was
stolen when employee’s home laptop was stolen
(June 2006).
Over 600,000 laptop thefts occurred in 2004,
totaling an estimated $720 million in hardware
losses and $5.4 billion in theft of proprietary
information.
The Times are a Changing
Over the next 3 years employees equipped with
Notebooks or Tablet PCs will grow from 35% to 50%
95% will be wirelessly enabled.
Knowledge workers will be mobile 50% of the time
working from home, office, hotels, airports, customer
sites, etc.
Iny 2008 75% of business cell phones will be smart
phones (Blackberry, Treo, Communicator, etc.)
Most have removable memory cards.
In their present state they do not offer adequate security
(file encryption, “device kill”, firewalling, authentication,
tracking and logging).
The Times are a Changing
Increase in mobility with devices “roaming
wild” will cause a major upsurge in
breaches:
Breaches may go undetected or undiscovered
for long periods of time.
Problem could easily become overwhelming
(identity theft will look like child’s play).
Information Security Management
“Short List”
Router/IP addressing
Firewall
Patches
Anti Virus
Spam
Spyware
Passwords /
Passphrases
Unprotected Shares
Personal Firewall
Web-based e-mail/
file sharing
Wireless
Physical Access
Backups
Goals of IT Security
Confidentiality
Data is only available to authorized individuals
Integrity
Data can only be changed by authorized
individuals
Availability
Data and systems are available when needed
OVERALL GOAL:
Reduce Risk to an Acceptable
Level
Just because it can happen doesn’t mean
it will.
Put threats into perspective by assessing:
Probability of attack
Value of business assets put at risk
Business cost and consequence of attack
REMEMBER – no policy, procedure, or
measure can provide 100% security
Sizing Up the
Problem:
Social What’s
Security #Confidential?
Credit/debit card numbers
Driver’s license number
Bank account numbers
Birth dates
PIN codes
Medical records
Mother’s maiden name?
Where
IsSystems
Confidential Data Stored?
In-House
Physically secure?
Network access restricted to only authorized
individuals?
Backup Media
Physical location?
Format?
Remote Users
Laptops, home computers & memory sticks?
Who Has Access?
Data access restricted to authorized
individuals?
Shared passwords = shared data and no
accountability
Wide open network = information free-forall
The Fix:
The Fix!
In short…
Restrict access
and/or
Make it unreadable
Data is made “unreadable” using
encryption technology.
The Fix!
Encryption
Process of transforming information to make it
unreadable to anyone except those
possessing special key (to decrypt).
Ciphers
Algorithm or code used to encrypt/decrypt
information.
The Fix!
Encryption Ciphers
Ciphers
Classical
Substitution
Rotor Machines
Transposition
Stream
Modern
Private Key
Public Key
Block
The Fix!
Things to remember about encryption…
Use modern, public standards!
Longer key lengths are always better
(increased computing power has made
shorter keys vulnerable to cracking in shorter
time)
Private keys are optimal
Human Aspects
Policy
Who is allowed access?
When is access allowed?
What users are allowed to do?
Where is data permitted to be…
Accessed from (devices & locations?)
Stored
Network servers
Desktops
Laptops (data is now mobile)
Thumb drives
Human Aspects – Mitigating Risk
Acceptable Use Policies
Business data access rules: who, where, when and what
Supported mobile devices and operating systems
Required security measures and configurations
Process for usage monitoring, auditing and enforcement (check
your state and local laws)
Non-Disclosure Agreements (NDA)?
Training & Communication – regular and often?
Social Engineering
“Click here” to download key logger!
Phishing attacks are still highly effective for stealing
Personal information
Login information – can then be used to access systems contain
confidential data
Technology – Local
Physical security
Sensitive data located on secure
systems
Locked server room
Locker server cage(s)
Storage Media
Hard drive encryption – Software-based
Windows Encrypting File System (EFS)
Supported on NTFS volumes (W2K, XP & Vista)
Encrypt/decrypt files and/or folders in real time
Uses certificate issued by Windows
Storage Media
Hard drive encryption – Software-based
Vista BitLocker
Encrypts entire Windows Operating System
volume
Available with:
Vista Ultimate
Vista Enterprise
Third party, commercial encryption software
TrueCrypt
PGP Desktop Home
Storage Media
Hard drive encryption – Hardware-based
Seagate Technology Momentus 5400 FDE.2
laptop drive features built-in (hardware)
encryption (March 2007)
Heart of the new hardware-based system is a
special chip, built into the drive, that will serve to
encode and decode all data traveling to or from the
disk.
Requires password to boot machine
Disk is useless/inaccessible to others
Storage Media
“Phone home” software
Software that monitors machines and notifies
system administrators regarding:
Who is using
Where machine is located
What hardware and/or software changes are made
Example:
CompuTrace
Storage Media
USB Thumb Drives
Most older drives completely
insecure
If you want to store/transfer
secure data on USB thumb
drive, look for device that
can…
Encrypt data
Authenticate user
USB anti-copy products
Prevents data theft / data
leakage and introduction of
malware
Manage removable media and
I/O devices – USB, Firewire,
WiFi, Bluetooth, etc.
Audits I/O Device usage
Blocks Keyloggers (both PS2
and USB)
Encrypts removable media
Enables Regulatory Compliance
Products
Device Lock
Sanctuary
DeviceWall
Safe End Port Protector
Authentication
Authentication Factors
What you know
– Passwords/passphrases
What you have
– Tokens, digital certificates, PKI
Who you are
– Biometrics (finger, hand, retina, etc.)
Two factor authentication will become
increasingly important.
Authentication
APC BIOMETRIC PASSWORD MANAGER
fingerprint reader - USB by APC ($35 - $50)
Hundreds of devices like this ranging from $25 $300.
Application Software
In general, application passwords are poor
protection (since most can be broken)
e.g. Passware (www.lostpassword.com)
Unlock 25 different applications including
Windows, Office, Quick Books, Acrobat, Winzip,
etc.
Managed
services
– key piece
of security
puzzle
Mitigating
Unsafe
User
Behavior
Spam, virus, content management and filtering,
spyware, etc.
Benefits
Easier on the user
Easier on IT
Mobile devices should be periodically reviewed:
Currency of software and patches
Health of machine
User logs
Recommendation: Quarterly or Trimester
VPN (Virtual Private Network)
A VPN is a private network that uses a
public network (usually the Internet) to
connect remote sites or users together.
Instead of using a dedicated, real-world
connection such as leased line, a VPN
uses "virtual" connections routed through
the Internet from the company's private
network to the remote site or employee.
Overview
Benefits
VPN (Virtual
Private Network)
Extend geographic connectivity
Reduce transit time and transportation costs for
remote users
Provide telecommuter support
Improve security
Reduce operational costs versus traditional WAN
Improve productivity
Direct printing to office
Direct connect to network drives
VPN
Use 3rd-party VPN service, e.g.
HotSpotVPN, JiWire Spot Lock, Public
VPN or WiTopia Personal VPN
Host-Based Computing
Remote Control
GoToMyPC - $14-34/month
LogMeIn
Symantec pcAnywhere
VNC
Host-based Computing
Windows Terminal Server
Digital Certificates
Implement digital certificates for internally
hosted corporate web resources or webpresence, e.g. E-mail, CRM, B2? site, etc.
This allows all traffic to be encrypted via
SSL (Secure Sockets Layer).
Pad lock indicates traffic is being encrypted
and the web site owner’s identity can be
verified (by certificate authority).
Wireless
DON’T do aSecurity
plug-n-play –
install!
Network
Password protect administrative setup
Encryption:
Side
WEP (good) – remember to change keys
regularly
WPA (better)
WPA2 (best)
Enter authorized MAC addresses on WAP
Use VPN or IPSec to encrypt all traffic
Walk perimeter to determine whether rogue
WAPs are active
Wireless
Security
- shares
End Users
No
unprotected
shares – all
turned off
Ensure all mobile devices are updated with
the latest security patches
Only use SSL websites when
sending/entering sensitive data (credit cards
and personal identity information)
Digitally sign data to make it difficult for
hackers to change data during transport
Encrypt documents that contain sensitive
data that will be sent over the Internet
As
a general rule
(while not- always
possible)
Wireless
Security
End Users
use WiFi for Internet surfing only
Disable or remove wireless devices if they
are not being used. This includes:
WiFi – 802.11a/b/g/n
Bluetooth
Infrared
Cellular
Avoid hotspots where it is difficult to tell who
is connected
Ad-hoc/peer-to-peer setting should be
disabled
WiFi Security - End Users
WiFi Best Practices
Use broadband wireless access (EvDO,
3G/GPRS, EDGE, UMTS) to make wireless
connections:
Verizon and Sprint Broadband services are very
fast - $59.99/month – unlimited access
Wireless carriers offer fairly good encryption and
authentication
Wireless Recommendations
Consider using specialized security
software to help mobile users detect
threats and enforce company policies
Example - http://www.airdefense.net
Sharing Confidential Data
Options:
E-mail
FTP / Secure FTP
Secure transmission programs
Customer portal / extranet
3rd Party Hosted Data Exchange
Digital Rights Management (DRM)
Sharing Confidential Data
E-mail
As a general rule, e-mail is insecure!
In order to secure:
Digital Certificates / PKI
PGP
Verisign
Sharing Confidential Data
Secure FTP
Secure FTP utilizes encryption to transfer files
in a secure manner.
Can use a number of different
strategies/approaches to accomplish.
Due to complexity, not often utilized for
sharing data with clients.
Sharing Confidential Data
Client Extranets
Internal
Hosted
e.g. ShareFile
Branded!
$100/mo.
30 employees
Unlimited clients
CipherSend secure link
embedded in Email message –
when clicked,
brings up login
screen
$40/yr./user
Sharing Confidential Data
Evolving
strategy
utilizes Management
a combination of
Digital
Rights
technologies in order to control access to content.
Incorporates
Encrypted files – file is locked until permission to
access is granted by DRM Server.
Digital Rights Management Server – provides webbased permission to View/Edit/Copy/Print an
encrypted document.
Access granted based on date, version, user, etc.
Content can be shared freely & openly since
access is separately governed by DRM Server.
Disposing of Confidential Data
Remove media!
Wipe media
Software to overwrite
drive multiple times
Permanent magnet
Destroy media
Semshred –
www.semshred.com
Conclusion:
Keys to Implementing a
Successful Security Strategy for
Confidentiality
Define the scope
Users
Devices (don’t forget PDA’s and smart phones)
Locations
Define your usage policies
Communicate
Get buy in (if they don’t agree you won’t be
successful)
Enforce with management tools
Don’t over engineer
Contact Information
[Insert Your Name]
[Insert Firm Name Here]
[Insert Address]
[Insert Phone No.]
[Insert email address]