Threats To Your Data Baron Rodriguez/Mark Hall PTAC Webinar Series: August 22, 2011.

Agenda
- About PTAC
- Latest Threats
- Data Protection & Cyber Security
- Responses to Data Protection
- Data Protection, Security and Planning: New PTAC Resources!!
- Questions: Please send your questions in via the chat box window prior to the end of the webinar.

Privacy TA Center (PTAC) Mission
The Privacy TA Center is designed to provide states with:
- A set of tools, resources, and other opportunities for states to receive assistance with privacy, security, and confidentiality of student-level longitudinal data systems.
- A means for states to share their best practices, documents, and other relevant resources in the areas of privacy, security, and confidentiality.
- A focal point for queries and responses to the privacy-related needs of State Education Agencies (SEAs), Local Education Agencies (LEAs), and Institutions of Higher Education (IHEs) in a confidential, safe environment.
- A set of resources to promote compliance with FERPA and other best practices for ensuring the confidentiality and security of personally identifiable information.

Data Security Threats
Threats to your data: it’s happening, it’s focused, it’s sophisticated.
- Social Security Numbers/Identity
- Education Records
- Employee Data
- Financial Records
- Disciplinary Actions
- Internal Memos
- Medical Information
- Personal Documents

Black Hat Conference
What is it? A gathering of highly technical information security specialists from government, corporate, academic and underground research communities, who share practical insights into the leading-edge discoveries and vulnerabilities in the information security landscape.
Headline: Sydney University ‘breached student privacy’ (June 2011)

Black Hat Conference
Cool/Not So Cool Findings:
- Hackers have found a way to wirelessly manipulate medical devices such as insulin pumps.
- Attackers have the ability to use drone planes to intercept wireless signals and break into networks and cell phone information.
- A battery exploit was discovered against a major laptop manufacturer: a hacker could manipulate the battery settings so that it stops accepting a charge, or overcharges so that the battery catches fire or explodes.
*Sources: &

Black Hat Conference
Relevant Findings:
- Improper SSL implementations leave websites wide open to attack. Less than 1/5 of websites claiming to have SSL have been configured correctly to redirect to SSL for authentication.
- Spear phishing attacks on U.S. Government officials with Gmail accounts continue. Spear phishing? An e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data.
- Copiers/printers with weak passwords (or with no passwords) can be compromised, allowing the intruder to steal images of documents and/or take control of devices.
- Digital Shadowing: As companies continue to track your online search and spending habits, the combined information can become a privacy threat when combined with your social networking sites and/or mobile technologies.
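The "redirect to SSL for authentication" finding is easy to check for your own sites. The following is an added example for this transcript, not code from the webinar or from PTAC: it audits a single login-page response for the three things that matter here (a plain-HTTP request to the login page must be redirected to HTTPS, the password form must post to an HTTPS URL, and session cookies must carry the Secure flag), and adds an HSTS check for pages already on HTTPS. The sample URLs, headers and HTML are constructed, and audit_login_response() is an assumed helper name.

```python
"""Audit one login-page HTTP response for the SSL misconfigurations the slide describes.

Added example for this transcript, not code from the webinar or from PTAC.
The sample URLs, headers and HTML below are constructed, and
audit_login_response() is an assumed helper name.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _PasswordFormParser(HTMLParser):
    """Record the action attribute of each <form> that contains a password field."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self._open_form = None  # action of the form currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open_form = attrs.get("action") or ""
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            if self._open_form is not None:
                self.actions.append(self._open_form)
                self._open_form = None  # count each login form once

    def handle_endtag(self, tag):
        if tag == "form":
            self._open_form = None


def audit_login_response(request_url, status, headers, body):
    """Return a list of findings (an empty list means the response passed).

    headers is a list of (name, value) pairs so that repeated Set-Cookie headers survive.
    """
    findings = []
    scheme = urlparse(request_url).scheme
    lowered = [(name.lower(), value) for name, value in headers]

    def header(name):
        return next((value for n, value in lowered if n == name), None)

    if scheme == "http":
        location = header("location") or ""
        if status in REDIRECT_CODES and urlparse(location).scheme == "https":
            return findings  # plain-HTTP request was sent to HTTPS; nothing else to inspect
        findings.append("login page served over plain HTTP instead of redirecting to HTTPS")
    elif header("strict-transport-security") is None:
        findings.append("HTTPS login page sends no Strict-Transport-Security header")

    parser = _PasswordFormParser()
    parser.feed(body)
    for action in parser.actions:
        target = urljoin(request_url, action)  # relative actions inherit the page's scheme
        if urlparse(target).scheme != "https":
            findings.append(f"password form posts over plain HTTP to {target}")

    for name, value in lowered:
        if name == "set-cookie":
            flags = [part.strip().lower() for part in value.split(";")[1:]]
            if "secure" not in flags:
                findings.append(f"cookie {value.split('=', 1)[0]} is set without the Secure flag")
    return findings


# Constructed sample responses: a misconfigured site, a correct redirect, and a correct HTTPS page.
LOGIN_HTML = """<html><body>
<form method="post" action="/login">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

BAD_REQUEST = ("http://portal.example.edu/login", 200,
               [("Content-Type", "text/html"), ("Set-Cookie", "JSESSIONID=abc123; Path=/")],
               LOGIN_HTML)
GOOD_REQUEST = ("http://portal.example.edu/login", 302,
                [("Location", "https://portal.example.edu/login")], "")
HTTPS_REQUEST = ("https://portal.example.edu/login", 200,
                 [("Strict-Transport-Security", "max-age=31536000"),
                  ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly")],
                 LOGIN_HTML)

if __name__ == "__main__":
    for req in (BAD_REQUEST, GOOD_REQUEST, HTTPS_REQUEST):
        print(req[0], req[1], audit_login_response(*req) or ["ok"])
```

The misconfigured sample produces three findings (no redirect, the form posts to http://, and the session cookie lacks Secure); the other two produce none. In practice the headers and body come from a request your own monitoring makes against each site that claims to use SSL.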

But.. I’m a Mac user.. I’m safe!!
- Remember the battery exploit? It concerned the MacBook Pro line of laptops.
- Studies have shown that Mac users aren’t as paranoid as Windows users about security.
Some Mac-specific recommendations:
- Mac OS X 10.7 is an upgrade that addresses some serious security vulnerabilities.
- Mac OS X Server has major security issues that should be evaluated before deployment.
- Apple’s Bonjour file sharing/network discovery protocol has some major security weaknesses on untrusted networks (hotels, public Wi-Fi, guest networks, airports, etc.).

Social Networking Sites: Are you protected?
[Diagram: malware infects a user on a social network site (e.g. Twitter, Facebook, Match.com); the path runs from the infected user through an internet-facing application to student data.]

Not connected to the internet?
[Diagram: labels read Removable Media; Policy, user training and monitoring; Identity.]

USB (Flash) Drives
- In the past two years, 70% of businesses have traced the loss of sensitive or confidential information to USB/flash drives.
- Of those, 55% are related to malware-infected devices that have introduced malicious code onto corporate networks.
- Recommendation: Employ policies detailing how employees can use these devices to store sensitive/confidential information.
Source: Information Week, August 2011

Data Breaches in the News
- Yale notifies 43,000 of SSN breach: Yale University is notifying 43,000 individuals that a 1999 computer file containing names and Social Security numbers was inadvertently made accessible to Google Internet searches for 10 months. Persons affected include faculty, staff, students, and about 1200 alumni.
  Recommendation: Data retention/archive policies and a data classification process.
- North Carolina State research info compromised: Data housed at NCSU that contained private information for about 1800 school children from Wilson and Richmond counties was mistakenly put online.
  Recommendation: Research agreements/Memorandums of Understanding with explicit instructions on data destruction upon conclusion of the study.

Cloud Computing
- Epsilon Data Breach: Millions of customer records within the Epsilon cloud were compromised by using customer e-mail addresses, weak passwords and phishing attacks to steal sensitive data such as financial information or login credentials to other sites.
- Recommendation: Security policies and customer training/awareness are even more critical in a cloud computing environment, where the potential for targeted attacks from outside is greater.
Source: CipherCloud.com, August 2011

The threat is real and affects all industries and information systems
- Government and Military (FISMA and federal standards)
- Education (FERPA)
- Private Sector (hodgepodge)
- Medical Records (HIPAA)
- Critical Infrastructure (Water, Gas, Electric)
- Financial sector (SOX)
- Home users (none)

Many Ways to Protect Data
- Physical Security
- Policy (what, who, how)
- Access Controls
- Statistical Methods
- Cyber Security

Responses to Data Security
- The federal government has invested heavily in developing standards and implementing solutions, and is the best source for standards and solutions.
- The private sector has mostly been reactionary.
- Other industries have been uneven, including the educational community.
- What can your organization do to improve?

Initial and On-going Data Protection Planning
1) Seek outside resources to support your security team
- State and federal agencies
- PTAC
- Third-party vendors
- Other informational resources (standards and guidelines), e.g. NIST Special Pub Guide to Protecting the Confidentiality of Personally Identifiable Information

New PTAC Resources
- Security Checklist
- Data Governance Checklist

Initial and On-going Security Steps
2) Develop and implement a security architecture
- Map and understand your network
- Align security capabilities with mission requirements
- Overlay security tools and capabilities on your network and develop implementation plans
3) Create a security governance structure, responsible for:
- Reviewing security issues and implementing solutions
- Championing resources
- Responding to incidents
4) Personnel Security and Users
- Both employees and users should be made aware of security policies
- Training and awareness
5) Policy
- Create, update, and enforce

Tools and Capabilities
- Physical Security. Make computing resources physically unavailable to unauthorized users. An unlocked server room is an invitation for malicious or accidental damage.
- Network Mapping. You cannot protect what you do not understand. Network mapping provides a picture of the network (servers, routers, etc.) and its connections.
- Inventory of Assets. The inventory should include both authorized and unauthorized devices used in your computing environment.
- Authentication. The ways in which someone may be authenticated fall into three categories: something you know, something you have, or something you are.
- Provide a layered defense. The most common layers to protect are hosts (individual computers), applications, the network and the perimeter.

Tools and Capabilities
- Secure configurations. It is a best practice not to put any hardware or software onto your network until it has been security tested and configured to optimize its security.
- Role-based Access Control. Defining specified roles and privileges for users is a required security procedure.
- Firewalls and Intrusion Detection/Prevention Systems (IDPS).
- Automated Vulnerability Scanning. When new vulnerabilities (in hardware, operating systems, applications, and other network devices) are discovered, hackers immediately scan networks for these vulnerabilities.
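What "defining specified roles and privileges" looks like in code: the block below is an added example for this transcript, not code from the webinar or from PTAC. It models role-based access control for a student data system as a deny-by-default check (a user gets a permission only if one of their roles grants it), logs every decision for the audit trail, and adds two review queries a data steward would want: who can perform a privileged action such as an export, and which users hold combinations of roles that violate separation of duties. The roles, permissions, user names and the conflicting pair are constructed.

```python
"""Deny-by-default role-based access control for a student data system.

Added example for this transcript, not code from the webinar or from PTAC.
The roles, permissions, user names and conflicting pairs below are constructed.
"""
# Which permissions each role grants. A permission is "<resource>:<action>".
ROLE_PERMISSIONS = {
    "teacher":   {"student_record:read"},
    "registrar": {"student_record:read", "student_record:write", "student_record:export"},
    "help_desk": {"account:reset_password"},
}

# Which roles each user holds. Users absent from this table hold no roles at all.
USER_ROLES = {
    "alice": {"teacher"},
    "bob":   {"registrar"},
    "carol": {"help_desk", "teacher"},
    "dave":  {"registrar", "help_desk"},   # accumulated both roles over time
}

# Pairs of permissions one person should never hold together (separation of duties).
CONFLICTING_PAIRS = [("student_record:export", "account:reset_password")]

ACCESS_LOG = []  # (user, permission, decision) tuples kept for the audit trail


def permissions_for(user):
    """Union of the permissions of every role the user holds (empty set for unknown users)."""
    granted = set()
    for role in USER_ROLES.get(user, set()):
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def is_allowed(user, permission):
    """Deny unless some role explicitly grants the permission; record every decision."""
    decision = permission in permissions_for(user)
    ACCESS_LOG.append((user, permission, "allow" if decision else "deny"))
    return decision


def users_with_permission(permission):
    """Who can do this? The question a periodic privilege review starts with."""
    return sorted(user for user in USER_ROLES if permission in permissions_for(user))


def separation_of_duties_violations():
    """Users whose combined roles grant both halves of a conflicting pair."""
    violations = []
    for user in USER_ROLES:
        held = permissions_for(user)
        for first, second in CONFLICTING_PAIRS:
            if first in held and second in held:
                violations.append((user, first, second))
    return violations


if __name__ == "__main__":
    print("alice export:", is_allowed("alice", "student_record:export"))   # False
    print("bob export:", is_allowed("bob", "student_record:export"))       # True
    print("mallory read:", is_allowed("mallory", "student_record:read"))   # False: unknown user
    print("can export:", users_with_permission("student_record:export"))
    print("SoD violations:", separation_of_duties_violations())
```

Two design points carry over to a real system: the decision function never grants anything a role table does not name (so an unknown user or a mistyped permission fails closed), and the review queries run over the same tables the decision uses, so what the auditor sees is what is actually enforced.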

Tools and Capabilities
- Patch Management. Patch management is the process of using a strategy and plan for what patches should be applied to which systems at a specified time.
- Shut down unnecessary services. Each port, protocol, or service is a potential avenue for ingress into your network.
- Data at rest and mobile devices. When sensitive data is stored on servers, laptops, or other mobile devices, it should be encrypted.
- Incident Handling. When an incident does occur, it is critical to have a process in place to both contain it and fix the problem.
- Audit and Compliance Monitoring. Audits provide an independent assessment of your data protection capabilities and procedures (see the PTAC article on Security Audits) and should be performed periodically.
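Two of the controls on these slides, keeping an inventory of authorized and unauthorized devices and shutting down unnecessary services, reduce to the same kind of check: compare what is actually present against what is approved. The following added example (for this transcript, not code from the webinar or from PTAC) does both. It parses a listing of listening TCP sockets in the style of Linux `ss -tlnp` and flags any service reachable beyond loopback that is not on a per-host allowlist, and it diffs a discovered-device list against the authorized asset inventory. The socket listing, the allowlist and the device lists are all constructed.

```python
"""Approved-service and asset-inventory checks.

Added example for this transcript, not code from the webinar or from PTAC.
The socket listing below is constructed in the style of `ss -tlnp` output; the
allowlist and the device lists are constructed as well.
"""
import re

# Constructed listing of listening sockets on one server.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=990,fd=6))
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=1034,fd=5))
LISTEN 0      32     0.0.0.0:21         0.0.0.0:*         users:(("vsftpd",pid=2210,fd=4))
LISTEN 0      128    [::]:23            [::]:*            users:(("telnetd",pid=2301,fd=3))
"""

# Constructed allowlist for that server: (process name, port) pairs it is approved to expose.
APPROVED_LISTENERS = {("sshd", 22), ("nginx", 443)}

LOOPBACK_ADDRESSES = {"127.0.0.1", "[::1]"}
_PROCESS_NAME = re.compile(r'\(\("([^"]+)"')


def parse_listeners(text):
    """Turn `ss -tlnp`-style lines into dicts with addr, port and process name."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue  # header line or a socket not in LISTEN state
        addr, port = fields[3].rsplit(":", 1)   # handles both 0.0.0.0:22 and [::]:23
        match = _PROCESS_NAME.search(fields[5])
        listeners.append({"addr": addr, "port": int(port),
                          "proc": match.group(1) if match else "?"})
    return listeners


def unexpected_listeners(listeners, approved):
    """Listeners reachable beyond loopback whose (process, port) is not approved."""
    return [entry for entry in listeners
            if entry["addr"] not in LOOPBACK_ADDRESSES
            and (entry["proc"], entry["port"]) not in approved]


# Constructed asset inventory (MAC address -> asset name) and a constructed discovery
# result (MAC address -> IP address) such as a switch table or scan would produce.
AUTHORIZED_ASSETS = {
    "aa:bb:cc:00:00:01": "sis-db01",
    "aa:bb:cc:00:00:02": "sis-web01",
    "aa:bb:cc:00:00:03": "printer-2f",
}
DISCOVERED_DEVICES = {
    "aa:bb:cc:00:00:01": "10.0.5.10",
    "aa:bb:cc:00:00:02": "10.0.5.11",
    "aa:bb:cc:00:00:09": "10.0.5.77",
}


def inventory_diff(authorized, discovered):
    """Devices seen on the network but not in the inventory, and inventory entries not seen."""
    return {
        "unauthorized": sorted(set(discovered) - set(authorized)),
        "missing": sorted(set(authorized) - set(discovered)),
    }


if __name__ == "__main__":
    for entry in unexpected_listeners(parse_listeners(SAMPLE_SS_OUTPUT), APPROVED_LISTENERS):
        print(f"unapproved service: {entry['proc']} on {entry['addr']}:{entry['port']}")
    print(inventory_diff(AUTHORIZED_ASSETS, DISCOVERED_DEVICES))
```

On the constructed data the service check flags vsftpd on port 21 and telnetd on port 23 (the postgres listener is bound to loopback and is not reported), and the inventory diff reports one device that is on the network but not in the inventory and one inventoried device that was not seen. Both lists are exactly the items the slides say to act on: shut down or approve the services, and investigate the unknown device.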

Home Users: StaySafeOnline.org

PTAC
The Privacy Technical Assistance Center is your “one-stop shop”:
- frequently asked questions
- links to useful online resources
- training materials for data administrators and data users
- regional meetings and lessons-learned forums for education stakeholders
- site visits to state and local education agencies
- a help desk to respond to inquiries
- an extension of your LDS team

PTAC Publications Coming Soon (Really!)
- Data Center Consolidation Best Practices
  Webinar: September 16th, :30-2:30 PM (EST). This webinar focuses on best-practice security and privacy considerations for state and local agencies that are in the process of data center consolidation, as well as those agencies considering or planning consolidations.
- Annual District Notification Requirements
- FERPA 101 Training: Let your districts know!!
  Webinar: September 22nd, :30-2:30 PM (EST). This webinar will provide a high-level overview of the Family Educational Rights and Privacy Act (FERPA), including definitions and required processes.

PTAC Cyber Security Tasks
We would like your ideas and thoughts on data protection/cyber security topics that would be helpful to you!

Questions?
Thank you for participating!