iMinistry: Website and Internet Security Issues Ernest Staats Technology Director MS Information Assurance, CISSP, MCSE, CNA, CWNA, CCNA, Security+, I-Net+, Network+, Server+, A+ Resources

Outline iMinistry Why? Safety Considerations COPPA –Does it apply? (so what) –COPPA Requirements –Report all Data Collected (opinion) Privacy Policies Reality of Web 2.0 Information Mining with Google Keeping Data Secure -- Web 2.0 AV not stopping everything… Test with Redseal, Security Space, Spi Dynamics WebInspect, and others WebInspect Online Design Tips Information

iMinistry: Why? The Consumer Electronics Association of America says that the average American home now has 26 different electronic devices for communication and media. The Consumer Electronics Association of America also tracks sales and consumer references for 53 separate gadgets. 1 30% of online Americans jack into the Internet wirelessly 45% of Internet users go online from someplace other than work or home 73% of American adults use the Internet 94% of American teens use the Internet 42% of American homes have high-speed broadband connections

Safety Considerations Be careful what your online name means or could mean Choose your words and photos wisely Never use full names of anyone under the age of 18 Have a media release for everyone who is going to be in your photos/videos Everything put online stays online forever… Never give out or store personal information on your website

COPPA Does it Apply? Children's Online Privacy Protection Act The rule applies to the following: –Operators of commercial websites or online services directed to children under 13 that collect personal information from children –Operators of general audience sites that knowingly collect personal information from children under 13 –Operators of general audience sites that have a separate children's area and that collect personal information from children

COPPA Requirements A site must obtain parental consent before collecting, using, or disclosing personal information about a child A site must post a privacy policy on the homepage of the website and provide a link to the privacy policy everywhere personal information is collected A site must allow parents to revoke their consent and delete information collected from their children A site must maintain the confidentiality, security, and integrity of the personal information collected from children

Privacy Policy Must Include Types of personal information they collect from kidsname, home address, address, or hobbies How the site will use the informationfor example, to market to the child who supplied the information, to notify contest winners, or to make the information available through a childs participation in a chat room Whether personal information is forwarded to advertisers or other third parties A contact person at the website Including Phone number, Snail Mail, and

Report all Forms of Data Collected Network Traffic Logs –In addition to the personal information described above, our system collects server log data (also called clickstream data) that may include an IP address, the type of browser and operating system used, the time of day visited, the pages viewed and the information requested through searches. We aggregate this data and use it for statistical purposes, helping us to understand, for example, the amount of interest in portions of our Web site and ways to improve the navigation and content of our Web site.clickstream

IMAGE RELEASE FORM Sample For value received, I hereby consent and authorize the [INSERT ORGANIZATION NAME] (____), or its assigns, to use my name and/or the names of my family members who are minors, as listed below, as well as my likeness, photos, videos and other information (or that of family members who are minors) for the purpose of news releases, advertising, publicity, publication or distribution in any manner whatsoever. I further consent to such use in their present form and to any changes, alterations, or additions thereto. I hereby release [INSERT NAME OF ORGANIZATION] from all liability in connection with all such uses. Dated this day of, 20.

General Guidelines Make sure you have a written privacy policy Make sure you have a media release form as a part of your privacy policy Collect as little information as possible and make sure it is stored safely Be careful of what you post online and of what you say to youth online You are responsible for everything you POST or collect online

Young people are being targeted and information collected about them is used to locate them. We must be careful what information we post about young people online MySpace the worry Easily tracked the reality The Reality of Web2.0 World

Why We Care: Some Statistics …A child goes missing every 40 seconds in the U.S, over 2,100 per day (OJJDP) In ,196 children were reported lost, runaway, or kidnapped (ncmec) 2/3 of all missing children reports were for youths aged (ncmec) 2/5 missing children ages are abducted due to Internet activity (ICAC) Do the math--over 2 million teens age are abducted due to Internet activity

Information Mining with Google Google search string –site:myspace.com birthday –site:myspace.com "phone number –Place name in quotation marks (use variations) First (Jon) Last -- Legal First (Jonathan) Last Information that the Google Hacking Database identifies: –Advisories and server vulnerabilities –Error messages that contain too much information –Files containing passwords –Sensitive directories –Pages containing logon portals –Pages containing network or vulnerability data such as firewall logs.

Keeping Data Secure in Web 2.0 world Continued Education of Computer Users –Dont click on strange links (avoid tempt-to- click attacks) –Do not release personal information online –Use caution with IM and SMS (short message service) –Avoid social networking sites –Dont sensitive information –Dont hit reply to a received - containing sensitive information –Require mandatory VPN (virtual private network) use over wireless networks

Keeping Data Secure in Web 2.0 World Host-Based Technology –Require hard drive encryption on all laptops –Control the use of portable storage media by managing desktops –Require the use of personal/desktop firewall software –Require the use of personal/desktop anti-malware software –Consider implementing document management systems

Keeping Data Secure in Web 2.0 World Network-Based Technology –Deploy network intrusion prevention (IPS) –Consider network admission control (NAC) –Implement information leakage detection and prevention –Consider IP reputation-based pre-filtering solutions –Run vulnerability scans on your network

AV test Results on

Results 2 on

Program# DetectedDetection % WebWasher605, % AVK , % AntiVir603, % F-Secure594, % Symantec593, % Kaspersky592, % Fortinet589, % Avast!584, % AVG583, % Rising582, % PC Mag posted the results from May 22, 2007AV-Test. In it, 29 antimalware products were tested against 606,901 sets of malware. Products were tuned to their most aggressive detection options Results 3

Online Design Strategies 1.Define and articulate your PURPOSE 2.Build flexible, extensible gathering PLACES 3.Create meaningful and evolving member PROFILES 4.Design for a range of ROLES 5.Develop a strong LEADERSHIP program 6. Promote cyclic EVENTS 7.Integrate the RITUALS of community life 8.Facilitate member-run SUBGROUPS 9.Build site for quick SCANNING 10. Write text in short chunks CHUNKING

How People Scan Online

iMinistry: Example Let every worker in the Master's vineyard, study, plan, devise methods, to reach the people where they are. --Ev 122, 123. GCA Church