Transcript Slide 1
Protecting Confidential Client Data! Presented by: [Insert Your Name Here] Background Agenda Sizing Up the Problem The Fix! ▬ Human Aspects ▬ Technology Local Remote Sharing ▬ Disposing of Old Data Background: Sensational Headlines…daily! Cyber-thieves shift nearly $450,000 from Carson,CA city coffers (May 2007) using keylogger software. T.J. Maxx data theft (some 45 million credit and debit card numbers) likely due to wireless ‘wardriving‘, i.e. thief with a laptop, a telescope antenna, and a wireless LAN adapter (December 2006). Sensational Headlines…Daily! Veterans Administration announces confidential information of 26.5 million service personnel was stolen when employee’s home laptop was stolen (June 2006). Over 600,000 laptop thefts occurred in 2004, totaling an estimated $720 million in hardware losses and $5.4 billion in theft of proprietary information. The Times are a Changing Over the next 3 years employees equipped with Notebooks or Tablet PCs will grow from 35% to 50% 95% will be wirelessly enabled. Knowledge workers will be mobile 50% of the time working from home, office, hotels, airports, customer sites, etc. Iny 2008 75% of business cell phones will be smart phones (Blackberry, Treo, Communicator, etc.) Most have removable memory cards. In their present state they do not offer adequate security (file encryption, “device kill”, firewalling, authentication, tracking and logging). The Times are a Changing Increase in mobility with devices “roaming wild” will cause a major upsurge in breaches: Breaches may go undetected or undiscovered for long periods of time. Problem could easily become overwhelming (identity theft will look like child’s play). Information Security Management “Short List” Router/IP addressing Firewall Patches Anti Virus Spam Spyware Passwords / Passphrases Unprotected Shares Personal Firewall Web-based e-mail/ file sharing Wireless Physical Access Backups Goals of IT Security Confidentiality Data is only available to authorized individuals Integrity Data can only be changed by authorized individuals Availability Data and systems are available when needed OVERALL GOAL: Reduce Risk to an Acceptable Level Just because it can happen doesn’t mean it will. Put threats into perspective by assessing: Probability of attack Value of business assets put at risk Business cost and consequence of attack REMEMBER – no policy, procedure, or measure can provide 100% security Sizing Up the Problem: Social What’s Security #Confidential? Credit/debit card numbers Driver’s license number Bank account numbers Birth dates PIN codes Medical records Mother’s maiden name? Where IsSystems Confidential Data Stored? In-House Physically secure? Network access restricted to only authorized individuals? Backup Media Physical location? Format? Remote Users Laptops, home computers & memory sticks? Who Has Access? Data access restricted to authorized individuals? Shared passwords = shared data and no accountability Wide open network = information free-forall The Fix: The Fix! In short… Restrict access and/or Make it unreadable Data is made “unreadable” using encryption technology. The Fix! Encryption Process of transforming information to make it unreadable to anyone except those possessing special key (to decrypt). Ciphers Algorithm or code used to encrypt/decrypt information. The Fix! Encryption Ciphers Ciphers Classical Substitution Rotor Machines Transposition Stream Modern Private Key Public Key Block The Fix! Things to remember about encryption… Use modern, public standards! Longer key lengths are always better (increased computing power has made shorter keys vulnerable to cracking in shorter time) Private keys are optimal Human Aspects Policy Who is allowed access? When is access allowed? What users are allowed to do? Where is data permitted to be… Accessed from (devices & locations?) Stored Network servers Desktops Laptops (data is now mobile) Thumb drives Human Aspects – Mitigating Risk Acceptable Use Policies Business data access rules: who, where, when and what Supported mobile devices and operating systems Required security measures and configurations Process for usage monitoring, auditing and enforcement (check your state and local laws) Non-Disclosure Agreements (NDA)? Training & Communication – regular and often? Social Engineering “Click here” to download key logger! Phishing attacks are still highly effective for stealing Personal information Login information – can then be used to access systems contain confidential data Technology – Local Physical security Sensitive data located on secure systems Locked server room Locker server cage(s) Storage Media Hard drive encryption – Software-based Windows Encrypting File System (EFS) Supported on NTFS volumes (W2K, XP & Vista) Encrypt/decrypt files and/or folders in real time Uses certificate issued by Windows Storage Media Hard drive encryption – Software-based Vista BitLocker Encrypts entire Windows Operating System volume Available with: Vista Ultimate Vista Enterprise Third party, commercial encryption software TrueCrypt PGP Desktop Home Storage Media Hard drive encryption – Hardware-based Seagate Technology Momentus 5400 FDE.2 laptop drive features built-in (hardware) encryption (March 2007) Heart of the new hardware-based system is a special chip, built into the drive, that will serve to encode and decode all data traveling to or from the disk. Requires password to boot machine Disk is useless/inaccessible to others Storage Media “Phone home” software Software that monitors machines and notifies system administrators regarding: Who is using Where machine is located What hardware and/or software changes are made Example: CompuTrace Storage Media USB Thumb Drives Most older drives completely insecure If you want to store/transfer secure data on USB thumb drive, look for device that can… Encrypt data Authenticate user USB anti-copy products Prevents data theft / data leakage and introduction of malware Manage removable media and I/O devices – USB, Firewire, WiFi, Bluetooth, etc. Audits I/O Device usage Blocks Keyloggers (both PS2 and USB) Encrypts removable media Enables Regulatory Compliance Products Device Lock Sanctuary DeviceWall Safe End Port Protector Authentication Authentication Factors What you know – Passwords/passphrases What you have – Tokens, digital certificates, PKI Who you are – Biometrics (finger, hand, retina, etc.) Two factor authentication will become increasingly important. Authentication APC BIOMETRIC PASSWORD MANAGER fingerprint reader - USB by APC ($35 - $50) Hundreds of devices like this ranging from $25 $300. Application Software In general, application passwords are poor protection (since most can be broken) e.g. Passware (www.lostpassword.com) Unlock 25 different applications including Windows, Office, Quick Books, Acrobat, Winzip, etc. Managed services – key piece of security puzzle Mitigating Unsafe User Behavior Spam, virus, content management and filtering, spyware, etc. Benefits Easier on the user Easier on IT Mobile devices should be periodically reviewed: Currency of software and patches Health of machine User logs Recommendation: Quarterly or Trimester VPN (Virtual Private Network) A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee. Overview Benefits VPN (Virtual Private Network) Extend geographic connectivity Reduce transit time and transportation costs for remote users Provide telecommuter support Improve security Reduce operational costs versus traditional WAN Improve productivity Direct printing to office Direct connect to network drives VPN Use 3rd-party VPN service, e.g. HotSpotVPN, JiWire Spot Lock, Public VPN or WiTopia Personal VPN Host-Based Computing Remote Control GoToMyPC - $14-34/month LogMeIn Symantec pcAnywhere VNC Host-based Computing Windows Terminal Server Digital Certificates Implement digital certificates for internally hosted corporate web resources or webpresence, e.g. E-mail, CRM, B2? site, etc. This allows all traffic to be encrypted via SSL (Secure Sockets Layer). Pad lock indicates traffic is being encrypted and the web site owner’s identity can be verified (by certificate authority). Wireless DON’T do aSecurity plug-n-play – install! Network Password protect administrative setup Encryption: Side WEP (good) – remember to change keys regularly WPA (better) WPA2 (best) Enter authorized MAC addresses on WAP Use VPN or IPSec to encrypt all traffic Walk perimeter to determine whether rogue WAPs are active Wireless Security - shares End Users No unprotected shares – all turned off Ensure all mobile devices are updated with the latest security patches Only use SSL websites when sending/entering sensitive data (credit cards and personal identity information) Digitally sign data to make it difficult for hackers to change data during transport Encrypt documents that contain sensitive data that will be sent over the Internet As a general rule (while not- always possible) Wireless Security End Users use WiFi for Internet surfing only Disable or remove wireless devices if they are not being used. This includes: WiFi – 802.11a/b/g/n Bluetooth Infrared Cellular Avoid hotspots where it is difficult to tell who is connected Ad-hoc/peer-to-peer setting should be disabled WiFi Security - End Users WiFi Best Practices Use broadband wireless access (EvDO, 3G/GPRS, EDGE, UMTS) to make wireless connections: Verizon and Sprint Broadband services are very fast - $59.99/month – unlimited access Wireless carriers offer fairly good encryption and authentication Wireless Recommendations Consider using specialized security software to help mobile users detect threats and enforce company policies Example - http://www.airdefense.net Sharing Confidential Data Options: E-mail FTP / Secure FTP Secure transmission programs Customer portal / extranet 3rd Party Hosted Data Exchange Digital Rights Management (DRM) Sharing Confidential Data E-mail As a general rule, e-mail is insecure! In order to secure: Digital Certificates / PKI PGP Verisign Sharing Confidential Data Secure FTP Secure FTP utilizes encryption to transfer files in a secure manner. Can use a number of different strategies/approaches to accomplish. Due to complexity, not often utilized for sharing data with clients. Sharing Confidential Data Client Extranets Internal Hosted e.g. ShareFile Branded! $100/mo. 30 employees Unlimited clients CipherSend secure link embedded in Email message – when clicked, brings up login screen $40/yr./user Sharing Confidential Data Evolving strategy utilizes Management a combination of Digital Rights technologies in order to control access to content. Incorporates Encrypted files – file is locked until permission to access is granted by DRM Server. Digital Rights Management Server – provides webbased permission to View/Edit/Copy/Print an encrypted document. Access granted based on date, version, user, etc. Content can be shared freely & openly since access is separately governed by DRM Server. Disposing of Confidential Data Remove media! Wipe media Software to overwrite drive multiple times Permanent magnet Destroy media Semshred – www.semshred.com Conclusion: Keys to Implementing a Successful Security Strategy for Confidentiality Define the scope Users Devices (don’t forget PDA’s and smart phones) Locations Define your usage policies Communicate Get buy in (if they don’t agree you won’t be successful) Enforce with management tools Don’t over engineer Contact Information [Insert Your Name] [Insert Firm Name Here] [Insert Address] [Insert Phone No.] [Insert email address]