Sensational Headlines…daily! Cyber-thieves shift nearly $450,000 from Carson,CA city coffers (May 2007) using keylogger software. T.J. Maxx data theft (some 45 million credit and debit card numbers) likely due to wireless ‘wardriving‘, i.e. thief with a laptop, a telescope antenna, and a wireless LAN adapter (December 2006).
Sensational Headlines…Daily! Veterans Administration announces confidential information of 26.5 million service personnel was stolen when employee’s home laptop was stolen (June 2006). Over 600,000 laptop thefts occurred in 2004, totaling an estimated $720 million in hardware losses and $5.4 billion in theft of proprietary information.
The Times are a Changing Over the next 3 years employees equipped with Notebooks or Tablet PCs will grow from 35% to 50% 95% will be wirelessly enabled. Knowledge workers will be mobile 50% of the time working from home, office, hotels, airports, customer sites, etc. Iny 2008 75% of business cell phones will be smart phones (Blackberry, Treo, Communicator, etc.) Most have removable memory cards. In their present state they do not offer adequate security (file encryption, “device kill”, firewalling, authentication, tracking and logging).
The Times are a Changing Increase in mobility with devices “roaming wild” will cause a major upsurge in breaches: Breaches may go undetected or undiscovered for long periods of time. Problem could easily become overwhelming (identity theft will look like child’s play).
Goals of IT Security Confidentiality Data is only available to authorized individuals Integrity Data can only be changed by authorized individuals Availability Data and systems are available when needed
OVERALL GOAL: Reduce Risk to an Acceptable Level Just because it can happen doesn’t mean it will. Put threats into perspective by assessing: Probability of attack Value of business assets put at risk Business cost and consequence of attack REMEMBER – no policy, procedure, or measure can provide 100% security
What’s Confidential? Social Security # Credit/debit card numbers Driver’s license number Bank account numbers Birth dates PIN codes Medical records Mother’s maiden name?
Where Is Confidential Data Stored? In-House Systems Physically secure? Network access restricted to only authorized individuals? Backup Media Physical location? Format? Remote Users Laptops, home computers & memory sticks?
Who Has Access? Data access restricted to authorized individuals? Shared passwords = shared data and no accountability Wide open network = information free-for- all
The Fix! In short… Restrict access and/or Make it unreadable Data is made “unreadable” using encryption technology.
The Fix! Encryption Process of transforming information to make it unreadable to anyone except those possessing special key (to decrypt). Ciphers Algorithm or code used to encrypt/decrypt information.
The Fix! Encryption Ciphers ClassicalRotor Machines Ciphers Modern SubstitutionTranspositionPrivate KeyPublic Key StreamBlock
The Fix! Things to remember about encryption… Use modern, public standards! Longer key lengths are always better (increased computing power has made shorter keys vulnerable to cracking in shorter time) Private keys are optimal
Human Aspects Policy Who is allowed access? When is access allowed? What users are allowed to do? Where is data permitted to be… Accessed from (devices & locations?) Stored Network servers Desktops Laptops (data is now mobile) Thumb drives
Human Aspects – Mitigating Risk Acceptable Use Policies Business data access rules: who, where, when and what Supported mobile devices and operating systems Required security measures and configurations Process for usage monitoring, auditing and enforcement (check your state and local laws) Non-Disclosure Agreements (NDA)? Training & Communication – regular and often? Social Engineering “Click here” to download key logger! Phishing attacks are still highly effective for stealing Personal information Login information – can then be used to access systems contain confidential data
Technology – Local Physical security Sensitive data located on secure systems Locked server room Locker server cage(s)
Storage Media Hard drive encryption – Software-based Windows Encrypting File System (EFS) Supported on NTFS volumes (W2K, XP & Vista) Encrypt/decrypt files and/or folders in real time Uses certificate issued by Windows
Storage Media Hard drive encryption – Software-based Vista BitLocker Encrypts entire Windows Operating System volume Available with: Vista Ultimate Vista Enterprise Third party, commercial encryption software TrueCrypt PGP Desktop Home
Storage Media Hard drive encryption – Hardware-based Seagate Technology Momentus 5400 FDE.2 laptop drive features built-in (hardware) encryption (March 2007) Heart of the new hardware-based system is a special chip, built into the drive, that will serve to encode and decode all data traveling to or from the disk. Requires password to boot machine Disk is useless/inaccessible to others
Storage Media “Phone home” software Software that monitors machines and notifies system administrators regarding: Who is using Where machine is located What hardware and/or software changes are made Example: CompuTrace
Storage Media USB Thumb Drives Most older drives completely insecure If you want to store/transfer secure data on USB thumb drive, look for device that can… Encrypt data Authenticate user
USB anti-copy products Prevents data theft / data leakage and introduction of malware Manage removable media and I/O devices – USB, Firewire, WiFi, Bluetooth, etc. Audits I/O Device usage Blocks Keyloggers (both PS2 and USB) Encrypts removable media Enables Regulatory Compliance Products Device Lock Sanctuary DeviceWall Safe End Port Protector
Authentication Authentication Factors What you know –Passwords/passphrases What you have –Tokens, digital certificates, PKI Who you are –Biometrics (finger, hand, retina, etc.) Two factor authentication will become increasingly important.
Authentication APC BIOMETRIC PASSWORD MANAGER fingerprint reader - USB by APC ($35 - $50) Hundreds of devices like this ranging from $25 - $300.
Application Software In general, application passwords are poor protection (since most can be broken) e.g. Passware (www.lostpassword.com)www.lostpassword.com Unlock 25 different applications including Windows, Office, Quick Books, Acrobat, Winzip, etc.
Mitigating Unsafe User Behavior Managed services – key piece of security puzzle Spam, virus, content management and filtering, spyware, etc. Benefits Easier on the user Easier on IT Mobile devices should be periodically reviewed: Currency of software and patches Health of machine User logs Recommendation: Quarterly or Trimester
VPN (Virtual Private Network) A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee.routed
VPN (Virtual Private Network) Benefits Extend geographic connectivity Reduce transit time and transportation costs for remote users Provide telecommuter support Improve security Reduce operational costs versus traditional WAN Improve productivity Direct printing to office Direct connect to network drives
VPN Use 3 rd -party VPN service, e.g. HotSpotVPN, JiWire Spot Lock, Public VPN or WiTopia Personal VPN
Digital Certificates Implement digital certificates for internally hosted corporate web resources or web- presence, e.g. E-mail, CRM, B2? site, etc. This allows all traffic to be encrypted via SSL (Secure Sockets Layer). Pad lock indicates traffic is being encrypted and the web site owner’s identity can be verified (by certificate authority).
Wireless Security – Network Side DON’T do a plug-n-play install! Password protect administrative setup Encryption: WEP (good) – remember to change keys regularly WPA (better) WPA2 (best) Enter authorized MAC addresses on WAP Use VPN or IPSec to encrypt all traffic Walk perimeter to determine whether rogue WAPs are active
Wireless Security - End Users No unprotected shares – all shares turned off Ensure all mobile devices are updated with the latest security patches Only use SSL websites when sending/entering sensitive data (credit cards and personal identity information) Digitally sign data to make it difficult for hackers to change data during transport Encrypt documents that contain sensitive data that will be sent over the Internet
Wireless Security - End Users As a general rule (while not always possible) use WiFi for Internet surfing only Disable or remove wireless devices if they are not being used. This includes: WiFi – 802.11a/b/g/n Bluetooth Infrared Cellular Avoid hotspots where it is difficult to tell who is connected Ad-hoc/peer-to-peer setting should be disabled
WiFi Security - End Users WiFi Best Practices Use broadband wireless access (EvDO, 3G/GPRS, EDGE, UMTS) to make wireless connections: Verizon and Sprint Broadband services are very fast - $59.99/month – unlimited access Wireless carriers offer fairly good encryption and authentication
Wireless Recommendations Consider using specialized security software to help mobile users detect threats and enforce company policies Example - http://www.airdefense.nethttp://www.airdefense.net
Sharing Confidential Data Options: E-mail FTP / Secure FTP Secure transmission programs Customer portal / extranet 3rd Party Hosted Data Exchange Digital Rights Management (DRM)
Sharing Confidential Data E-mail As a general rule, e-mail is insecure! In order to secure: Digital Certificates / PKI PGP Verisign
Sharing Confidential Data Secure FTP Secure FTP utilizes encryption to transfer files in a secure manner. Can use a number of different strategies/approaches to accomplish. Due to complexity, not often utilized for sharing data with clients.
Digital Rights Management Evolving strategy utilizes a combination of technologies in order to control access to content. Incorporates Encrypted files – file is locked until permission to access is granted by DRM Server. Digital Rights Management Server – provides web- based permission to View/Edit/Copy/Print an encrypted document. Access granted based on date, version, user, etc. Content can be shared freely & openly since access is separately governed by DRM Server.
Disposing of Confidential Data Remove media! Wipe media Software to overwrite drive multiple times Permanent magnet Destroy media Semshred – www.semshred.com www.semshred.com
Keys to Implementing a Successful Security Strategy for Confidentiality Define the scope Users Devices (don’t forget PDA’s and smart phones) Locations Define your usage policies Communicate Get buy in (if they don’t agree you won’t be successful) Enforce with management tools Don’t over engineer
Contact Information [Insert Your Name] [Insert Firm Name Here] [Insert Address] [Insert Phone No.] [Insert email address]