Protecting Confidential Client Data - PowerPoint PPT Presentation

1 / 61

About This Presentation

Title:

Protecting Confidential Client Data

Description:

Encrypt documents that contain sensitive data that will be sent over the Internet ... Verizon and Sprint Broadband services are very fast - $59.99/month ... – PowerPoint PPT presentation

Number of Views:103

Avg rating:3.0/5.0

Slides: 62

Provided by: cas748

Category:

more less

Transcript and Presenter's Notes

Title: Protecting Confidential Client Data

1
Protecting Confidential Client Data!

Presented by
Insert Your Name Here

2
Agenda

Background
Sizing Up the Problem
The Fix!
Human Aspects
Technology
Local
Remote
Sharing
Disposing of Old Data

3
Background
4
Sensational Headlinesdaily!

Cyber-thieves shift nearly 450,000 from
Carson,CA city coffers (May 2007) using keylogger
software.
T.J. Maxx data theft (some 45 million credit and
debit card numbers) likely due to wireless
wardriving, i.e. thief with a laptop, a
telescope antenna, and a wireless LAN adapter
(December 2006).

5
Sensational HeadlinesDaily!

Veterans Administration announces confidential
information of 26.5 million service personnel was
stolen when employees home laptop was stolen
(June 2006).
Over 600,000 laptop thefts occurred in 2004,
totaling an estimated 720 million in hardware
losses and 5.4 billion in theft of proprietary
information.

6
The Times are a Changing

Over the next 3 years employees equipped with
Notebooks or Tablet PCs will grow from 35 to 50
95 will be wirelessly enabled.
Knowledge workers will be mobile 50 of the time
working from home, office, hotels, airports,
customer sites, etc.
Iny 2008 75 of business cell phones will be
smart phones (Blackberry, Treo, Communicator,
etc.)
Most have removable memory cards.
In their present state they do not offer adequate
security (file encryption, device kill,
firewalling, authentication, tracking and
logging).

7
The Times are a Changing

Increase in mobility with devices roaming wild
will cause a major upsurge in breaches
Breaches may go undetected or undiscovered for
long periods of time.
Problem could easily become overwhelming
(identity theft will look like childs play).

8
Information Security ManagementShort List

Router/IP addressing
Firewall
Patches
Anti-
Virus
Spam
Spyware
Passwords / Passphrases

Unprotected Shares
Personal Firewall
Web-based e-mail/file sharing
Wireless
Physical Access
Backups

9
Goals of IT Security

Confidentiality
Data is only available to authorized individuals
Integrity
Data can only be changed by authorized
individuals
Availability
Data and systems are available when needed

10
OVERALL GOAL Reduce Risk to an Acceptable Level

Just because it can happen doesnt mean it will.
Put threats into perspective by assessing
Probability of attack
Value of business assets put at risk
Business cost and consequence of attack
REMEMBER no policy, procedure, or measure can
provide 100 security

11
Sizing Up the Problem
12
Whats Confidential?

Social Security
Credit/debit card numbers
Drivers license number
Bank account numbers
Birth dates
PIN codes
Medical records
Mothers maiden name?

13
Where Is Confidential Data Stored?

In-House Systems
Physically secure?
Network access restricted to only authorized
individuals?
Backup Media
Physical location?
Format?
Remote Users
Laptops, home computers memory sticks?

14
Who Has Access?

Data access restricted to authorized individuals?
Shared passwords shared data and no
accountability
Wide open network information free-for-all

15
The Fix
16
The Fix!

In short
Restrict access
and/or
Make it unreadable
Data is made unreadable using encryption
technology.

17
The Fix!

Encryption
Process of transforming information to make it
unreadable to anyone except those possessing
special key (to decrypt).
Ciphers
Algorithm or code used to encrypt/decrypt
information.

18
The Fix!

Encryption Ciphers

Ciphers
Classical
Rotor Machines
Modern
Substitution
Transposition
Private Key
Public Key
Stream
Block
19
The Fix!

Things to remember about encryption
Use modern, public standards!
Longer key lengths are always better (increased
computing power has made shorter keys vulnerable
to cracking in shorter time)
Private keys are optimal

20
Human Aspects

Policy
Who is allowed access?
When is access allowed?
What users are allowed to do?
Where is data permitted to be
Accessed from (devices locations?)
Stored
Network servers
Desktops
Laptops (data is now mobile)
Thumb drives

21
Human Aspects Mitigating Risk

Acceptable Use Policies
Business data access rules who, where, when and
what
Supported mobile devices and operating systems
Required security measures and configurations
Process for usage monitoring, auditing and
enforcement (check your state and local laws)
Non-Disclosure Agreements (NDA)?
Training Communication regular and often?
Social Engineering
Click here to download key logger!
Phishing attacks are still highly effective for
stealing
Personal information
Login information can then be used to access
systems contain confidential data

22
(No Transcript)
23
(No Transcript)
24
(No Transcript)
25
Technology Local

Physical security
Sensitive data located on secure systems
Locked server room
Locker server cage(s)

26
Storage Media

Hard drive encryption Software-based
Windows Encrypting File System (EFS)
Supported on NTFS volumes (W2K, XP Vista)
Encrypt/decrypt files and/or folders in real time
Uses certificate issued by Windows

27
Storage Media

Hard drive encryption Software-based
Vista BitLocker
Encrypts entire Windows Operating System volume
Available with
Vista Ultimate
Vista Enterprise
Third party, commercial encryption software
TrueCrypt
PGP Desktop Home

28
Storage Media

Hard drive encryption Hardware-based
Seagate Technology Momentus 5400 FDE.2 laptop
drive features built-in (hardware) encryption
(March 2007)
Heart of the new hardware-based system is a
special chip, built into the drive, that will
serve to encode and decode all data traveling to
or from the disk.
Requires password to boot machine
Disk is useless/inaccessible to others

29
Storage Media

Phone home software
Software that monitors machines and notifies
system administrators regarding
Who is using
Where machine is located
What hardware and/or software changes are made
Example
CompuTrace

30
Storage Media

USB Thumb Drives
Most older drives completely insecure
If you want to store/transfer secure data on USB
thumb drive, look for device that can
Encrypt data
Authenticate user

USB anti-copy products
Prevents data theft / data leakage and
introduction of malware
Manage removable media and I/O devices USB,
Firewire, WiFi, Bluetooth, etc.
Audits I/O Device usage
Blocks Keyloggers (both PS2 and USB)
Encrypts removable media
Enables Regulatory Compliance
Products
Device Lock
Sanctuary
DeviceWall
Safe End Port Protector

32
Authentication

Authentication Factors
What you know
Passwords/passphrases
What you have
Tokens, digital certificates, PKI
Who you are
Biometrics (finger, hand, retina, etc.)
Two factor authentication will become
increasingly important.

33
Authentication

APC BIOMETRIC PASSWORD MANAGER fingerprint reader
- USB by APC (35 - 50)
Hundreds of devices like this ranging from 25 -
300.

34
Application Software

In general, application passwords are poor
protection (since most can be broken)
e.g. Passware (www.lostpassword.com)
Unlock 25 different applications including
Windows, Office, Quick Books, Acrobat, Winzip,
etc.

35
Mitigating Unsafe User Behavior

Managed services key piece of security puzzle
Spam, virus, content management and filtering,
spyware, etc.
Benefits
Easier on the user
Easier on IT
Mobile devices should be periodically reviewed
Currency of software and patches
Health of machine
User logs
Recommendation Quarterly or Trimester

36
VPN (Virtual Private Network)

A VPN is a private network that uses a public
network (usually the Internet) to connect remote
sites or users together. Instead of using a
dedicated, real-world connection such as leased
line, a VPN uses "virtual" connections routed
through the Internet from the company's private
network to the remote site or employee.

Overview

38
VPN (Virtual Private Network)

Benefits
Extend geographic connectivity
Reduce transit time and transportation costs for
remote users
Provide telecommuter support
Improve security
Reduce operational costs versus traditional WAN
Improve productivity
Direct printing to office
Direct connect to network drives

39
VPN

Use 3rd-party VPN service, e.g. HotSpotVPN,
JiWire Spot Lock, Public VPN or WiTopia Personal
VPN

40
Host-Based Computing

Remote Control
GoToMyPC - 14-34/month
LogMeIn
Symantec pcAnywhere
VNC

41
Host-based Computing

Windows Terminal Server

42
Digital Certificates

Implement digital certificates for internally
hosted corporate web resources or web-presence,
e.g. E-mail, CRM, B2? site, etc. This allows all
traffic to be encrypted via SSL (Secure Sockets
Layer).
Pad lock indicates traffic is being encrypted and
the web site owners identity can be verified (by
certificate authority).

43
Wireless Security Network Side

DONT do a plug-n-play install!
Password protect administrative setup
Encryption
WEP (good) remember to change keys regularly
WPA (better)
WPA2 (best)
Enter authorized MAC addresses on WAP
Use VPN or IPSec to encrypt all traffic
Walk perimeter to determine whether rogue WAPs
are active

44
Wireless Security - End Users

No unprotected shares all shares turned off
Ensure all mobile devices are updated with the
latest security patches
Only use SSL websites when sending/entering
sensitive data (credit cards and personal
identity information)
Digitally sign data to make it difficult for
hackers to change data during transport
Encrypt documents that contain sensitive data
that will be sent over the Internet

45
Wireless Security - End Users

As a general rule (while not always possible) use
WiFi for Internet surfing only
Disable or remove wireless devices if they are
not being used. This includes
WiFi 802.11a/b/g/n
Bluetooth
Infrared
Cellular
Avoid hotspots where it is difficult to tell who
is connected
Ad-hoc/peer-to-peer setting should be disabled

46
WiFi Security - End Users

WiFi Best Practices
Use broadband wireless access (EvDO, 3G/GPRS,
EDGE, UMTS) to make wireless connections
Verizon and Sprint Broadband services are very
fast - 59.99/month unlimited access
Wireless carriers offer fairly good encryption
and authentication

47
Wireless Recommendations

Consider using specialized security software to
help mobile users detect threats and enforce
company policies
Example - http//www.airdefense.net

48
Sharing Confidential Data

Options
E-mail
FTP / Secure FTP
Secure transmission programs
Customer portal / extranet
3rd Party Hosted Data Exchange
Digital Rights Management (DRM)

49
Sharing Confidential Data

E-mail
As a general rule, e-mail is insecure!
In order to secure
Digital Certificates / PKI
PGP
Verisign

50
Sharing Confidential Data

Secure FTP
Secure FTP utilizes encryption to transfer files
in a secure manner.
Can use a number of different strategies/approache
s to accomplish.
Due to complexity, not often utilized for sharing
data with clients.

51
(No Transcript)
52
(No Transcript)
53
Sharing Confidential Data

Client Extranets
Internal
Hosted
e.g. ShareFile
Branded!
100/mo.
30 employees
Unlimited clients

54
(No Transcript)
55

CipherSend - secure link embedded in E-mail
message when clicked, brings up login screen
40/yr./user

56
Sharing Confidential Data
57
Digital Rights Management

Evolving strategy utilizes a combination of
technologies in order to control access to
content.
Incorporates
Encrypted files file is locked until permission
to access is granted by DRM Server.
Digital Rights Management Server provides
web-based permission to View/Edit/Copy/Print an
encrypted document.
Access granted based on date, version, user, etc.
Content can be shared freely openly since
access is separately governed by DRM Server.

58
Disposing of Confidential Data