Data Privacy

1

• Data Privacy Protection What You Should Know
  Sooner Than Later
• Kevin Khoo
• VAR Manager
• Symantec Pte Ltd

2

• Discussion today is not a discussion of security
  technology but meant rather to provide an
  awareness of issues that will affect data privacy
  and integrity

3

• The topic will be addressed from a information
  security angle and not from the legislative
  (privacy laws) and availability continuity
  angle.

4
World-Wide Attack Trends
Blended Threats (CodeRed, Nimda, Slammer)
Denial of Service (Yahoo!, eBay)
Infection Attempts
Malicious Code Infection Attempts
Network Intrusion Attempts
Mass Mailer Viruses (Love Letter/Melissa)
Zombies
Network Intrusion Attempts
Polymorphic Viruses (Tequila)
0
0
Analysis by Symantec Security Response using
data from Symantec, IDC ICSA 2003 estimated
Source CERT
5
Attack Trend Highlights

• Financial services, healthcare and power energy
  were among the hardest hit by severe events.
  Critical infrastructure and businesses with
  significant financial resources tend to
  experience a relatively high severe attack rate.

Severe Events Experienced by Industries Per
10,000 Events
6
Attack Trend Less Knowledge Required to Attack
High
Low
1980
1985
1990
1995
2000
2005
7
Product Vulnerabilities
Average number of new vulnerabilities discovered
every week
Vulnerabilities
Source Symantec
8
Blended Threats
9
Blended Threats

• Traditional viruses used one method of infection
• Blended Threats combine different methods of
  infection
• Attack your system on many different fronts
  simultaneously
• By using multiple methods and techniques, blended
  threats can rapidly spread and cause widespread
  damage
• CodeRed, NIMDA, SQL Slammer, Bugbear
• Integrated security is the best solution

10
Future Trends

• The decreasing time between vulnerability
  disclosure and widespread exploitation is
  shortening.
• The likelihood of blended threats that exploit
  unpublished vulnerabilities (otherwise known as
  zero-day blended threats) is increasing.
  Zero-day threats are imminent.
• A zero-day blended threat could target such a
  vulnerability before that vulnerability is
  announced and a patch made available. If such an
  outbreak occurs, widespread damage could occur
  before users are able to effectively patch their
  systems.

11
Security is a Board Room Issue
12
Open Networks

• Conducting business by adopting internet-based
  network solutions result in benefits like
  optimised business processes,new streams of
  revenue, increased competitive advantages, larger
  and more diverse customer base, etc.
• Mission critical business applications and
  services are increasingly deployed on open
  networks with substantial connection to the
  public internet.
• This has resulted in the risk of network security
  breaches which can result in damaging losses.

13
Common Threats to Data Privacy Integrity

• Viruses
• Worms
• Malicious Codes
• Blended Threats
• Product Vulnerabilities
• Unauthorised Access/Intrusions

14
Network Security

• Network security helps ensure data privacy
• Investment in information security to protect
  corporate networks against external threats
  coming from the public internet is therefore
  essential

15
Countermeasures

• Traditional Anti-Virus solutions and Firewalls
  are not enough!
• IDS (intrusion detection system), PKI (public key
  infrastructure, VPN (virtual private network),
  Encryption Authentication mechanisms should be
  rolled out and properly configured as well
• These corresponding security techniques,
  anti-virus solutions, firewalls and VPNs are
  collectively called perimeter security.

16
Countermeasures

• Perimeter defences may now be insufficient too
  because the perimeter has become increasingly
  porous.
• Holes are being punched in this perimeter due
  to
• business conducted online
• mobile computing
• IM (instant messaging)
• Early warning systems, VPNs and vulnerability
  assessment solutions required
• Client security encryption for mobile/remote
  users

17

• POP QUIZ!

18
Other Key Areas

• Have only addressed Technical Security
• Need also to look at
• Physical Security
• Physical siting, environment, availability,
  continuity (DR)
• Data Security (information integrity)
• Data not corrupted/altered incldg. data sent to
  or received from a network
• Logistical Security
• Policies and procedures the mgt. aspect of the
  security spectrum

19
Policies and Procedures

• Security policies and procedures remain at the
  top spot among key concerns that companies need
  to address.
• Companys security policy is the key to its
  success. It should spell out what can and cant
  be done by users and list how and what services
  should be available for their use.
• Should be the SOP for the company with regard to
  security operations. This document will form the
  basis of the companys security implementations
  and covers the who, what, when and where of
  access to the companys resources.

20
Policies and Procedures

• Clients, business partners and vendors should be
  covered by the security policies.
• Partners and vendors that do not uphold the same
  level of commitment to security and observe
  similar security policies should be dropped if
  the security risk they pose be higher than the
  business they bring in.
• Cover waste disposal

21
Internal Threats

• Employees
• Disgruntled and/or Ex-employees
• Contractors
• The potential for data theft by insiders is an
  even more
• serious problems than virus attacks and network
• intrusions by hackers!

22
Internal Threats

• Companies may want to consider investing more in
• HR and vendor screening processes
• Educating employees about tools and techniques to
  upgrade their IT security practices
• Putting in programs to raise IT security
  awareness and create a strong security culture

23
Offshoring

• Companies must exert the strongest control over
  the information they send offshore
• Security concerns arises due to
• Physical distance between the two countries
• Different cultural practices and norms in the
  foreign country
• Different or non-existent privacy laws
• Less stringent data encryption standards
• Unstable political climates adding concerns to
  confidentiality and integrity of data

24
IM

• Beware!
• Most IM systems are not designed with security in
  mind
• IM communication the network in plain text format
  making it extremely easy for anyone to listen
  in
• Major IM software from Microsoft, AOL, Yahoo and
  ICQ all have documented multiple security
  problems
• IM users always fall prey to social engineering
  attacks
• Because IM is casual, users always drop their
  guard making them susceptible to sharing too much
  information with even strangers

25
IM some tips to tame it

• Keep IM within the firewall. Route instant
  messages locally so they never transverse the
  public network
• Install a gateway product that can scan instant
  messages for viruses and filter content
• Encrypt messages (not widely adopted because
  complex)
• Educate users on IMs security holes and set
  policies governing its use
• Block file transfers
• Control who can use IM, and who can talk to whom
• Put a lock on your PC auto log-off to combat IM
  sessions being left on the entire day

26

• Thank You!