Protecting Customer Confidential Information

www.smbcybersecurity.org
Protecting Customer
Confidential Information!
Presented by:
William McBorrough, MSIA, CISSP
SMB Cyber Security Alliance

Agenda
 Background
 Sizing Up the Problem
 The Fix
o People Factor
o Technology
o Disposing of Old Data
Key Takeaways

Background:

Sensational Headlines…daily!
• Heartland Payments announced breach of more
than 100 million credit card numbers ( January
2009). One of the largest in history.
• T.J. Maxx data theft (some 45 million credit and
debit card numbers) likely due to wireless
‘wardriving‘, i.e. thief with a laptop, a telescope
antenna, and a wireless LAN adapter (December
2006).

Sensational Headlines…Daily!
• Veterans Administration announces confidential
information of 26.5 million service personnel was
stolen when employee’s home laptop was stolen
(June 2006).
• Over 600,000 laptop thefts occurred in 2004,
totaling an estimated $720 million in hardware
losses and $5.4 billion in theft of proprietary
information.

What’s not in the headlines?
A 2010 survey conducted by the Ponemon Institute and
Guardian Analytics of over 500 SMBs surfaced these
alarming statistics:
• 55% experienced a fraud attack in the last year
•58% of the incidents involved online banking
•Over 50% experienced multiple incidents
•87% failed to fully recover lost funds

The Times are a Changing
• Most small business owners today depend on
Laptops and Tablet PCs to manage their businesses
on the go
• Most require ready access to the Internet while
working from home, office, hotels, airports, customer
sites, etc sites, etc.
• Most utilize smart phones capable email, web
browsing, storing data and detailed contact
information, etc

The Times are a Changing
• Increase in mobility and portability has
caused a major upsurge in data breaches:
o Breaches may go undetected or undiscovered
for long periods of time.
o Problem could easily become overwhelming
(identity theft will look like child’s play).

What are the Consequences?
• Damage to reputation, brand,
relationships
• Legal liability and regulatory fines
• Customer and stakeholder distrusts
• Reduced revenues and market share
• Refusal of customers to use their personal
information for business purposes

Aware of the Privacy laws?
• HIPAA – for health services providers
• GLBA – for financial services providers
• COPPA – for online service providers to
minors
• Various State Breach Notification Laws

Information Security Management
“Short List”
• Router
• Patches
• Anti-
o Virus
o Spam
o Spyware
• Passwords /
Passphrases
• Personal Firewall
• Network Firewall
• Intrusion Detection
• Web-based e-mail/
file sharing Protection
• Wireless Encryption
• Physical Access
Control
• Backups

Security GOAL:
Reduce Risk to an Acceptable Level
• Just because it can happen doesn’t mean
it will.
• Put threats into perspective by assessing:
o Probability of attack
o Value of business assets put at risk
o Business cost and consequence of attack

Sizing Up the
Problem:

What is Confidential Data?
• Social Security #
• Credit/debit card numbers
• Driver’s license number
• Bank account numbers
• Birth dates
• PIN codes
• Medical records
• Mother’s maiden name?

Where Is Confidential Data
Stored?
In-House Systems
• Physically secure?
• Network access restricted to only authorized
individuals?
Backup Media
• Physical location?
• Format?
Remote Users
• Laptops, home computers & memory sticks?

Who Has Access?
• Data access restricted to authorized
individuals?
• Shared passwords = shared data and no
accountability
• Wide open network = information free-for-
all ( Remember 3 little pigs?)

The Fix:

The Fix!
• In short…
Restrict access
and/or
Make it unreadable
• Data is made “unreadable” using
encryption.
• Back it up remotely

People Factor
Policy
• Who is allowed access?
• When is access allowed?
• What users are allowed to do?
• Where is data permitted to be…
o Accessed from (devices & locations?)
o Stored
 Network servers
 Desktops
 Laptops /Tablets/Smart Phones
 Thumb drives

People Factor – Mitigating Risk
Acceptable Use Policies
• Business data access rules: who, where, when and what
• Supported mobile devices and operating systems
• Required security measures and configurations
• Process for usage monitoring, auditing and enforcement (check your
state and local laws)
Non-Disclosure Agreements (NDA)?
Training & Communication – regular and often?
Social Engineering
• “Click here” to download key logger!
• Phishing attacks are still highly effective for stealing
o Personal information
o Login information – can then be used to access systems contain confidential
data

Technology – OnSite
Physical security
• Sensitive data located on secure systems
• Locked server room
• Locker server cage(s)

Storage Media
Hard drive encryption
• Vista BitLocker
o Encrypts entire Windows Operating System volume
o Available with:
 Vista Ultimate
 Vista Enterprise
• Third party, commercial encryption software
o TrueCrypt
o PGP Desktop Home

Storage Media
USB Thumb Drives
• Most older drives completely
insecure
• If you want to store/transfer
secure data on USB thumb
drive, look for device that can…
o Encrypt data
o Authenticate user

Authentication
• APC BIOMETRIC PASSWORD MANAGER
fingerprint reader - USB by APC ($35 - $50)
• Hundreds of devices like this ranging from $25 -
$300.

Application Software
In general, application passwords are poor
protection (since most can be broken)
• e.g. Passware (www.lostpassword.com)
• Unlock 25 different applications including
Windows, Office, Quick Books, Acrobat, Winzip,
etc.

VPN (Virtual Private Network)
• A VPN is a private network that uses a
public network (usually the Internet) to
connect remote sites or users together.
Instead of using a dedicated, real-world
connection such as leased line, a VPN
uses “virtual” connections routed through
the Internet from the company's private
network to the remote site or employee.

• Overview

VPN (Virtual Private Network)
Benefits
• Extend geographic connectivity
• Reduce transit time and transportation costs for
remote users
• Provide telecommuter support
• Improve security
• Improve productivity
• Direct printing to office
• Direct connect to network drives

VPN
• Use 3rd
-party VPN service, e.g.
HotSpotVPN, JiWire Spot Lock, Public
VPN or WiTopia Personal VPN

Host-Based Remote Access
Remote Control
• GoToMyPC
• LogMeIn
• Symantec pcAnywhere

Digital Certificates
• Implement digital certificates for internally
hosted corporate web resources or web-
presence, e.g. E-mail, CRM, B2? site, etc.
This allows all traffic to be encrypted via
SSL (Secure Sockets Layer).
o Pad lock indicates traffic is being encrypted
and the web site owner’s identity can be
verified (by certificate authority).

Wireless Security – Network
• DON’T do a plug-n-play install!
• Password protect administrative setup
• Encryption:
o WEP – Easily cracked, better than nothing
o WPA (better)
o WPA2 (best)
• Enter authorized MAC addresses on WAP

Wireless Security - End Users
• Ensure all mobile devices are updated with
the latest security patches
• Only use SSL enabled ( https) websites when
sending/entering sensitive data (credit cards
and personal identity information)
• Encrypt documents that contain sensitive data
that will be sent over the Internet

Wireless Security - End Users
• As a general rule (while not always possible) use
WiFi for Internet surfing only
• Disable or remove wireless devices if they are
not being used. This includes:
o WiFi – 802.11a/b/g/n
o Bluetooth
o Infrared
o Cellular
• Avoid hotspots where it is difficult to tell who is
connected
• Ad-hoc/peer-to-peer setting should be disabledSMB Cyber Security Alliance

WiFi Security - End Users
WiFi Best Practices
• Use broadband wireless access (EvDO,
3G/GPRS, EDGE, UMTS) to make wireless
connections:
o Verizon and Sprint Broadband services are very fast -
$59.99/month – unlimited access
o Wireless carriers offer fairly good encryption and
authentication

Sharing Confidential Data
Options:
• E-mail
• FTP / Secure FTP
• Secure transmission programs
• Customer portal / extranet
• 3rd Party Hosted Data Exchange

E-mail
• As a general rule, e-mail is insecure!
• In order to secure:
o Digital Certificates / PKI
 PGP
 Verisign

Client Extranets
• Internal
• Hosted
o e.g. ShareFile
 Branded!
 $100/mo.
 30 employees
 Unlimited clients

Back up All Valuable
Information
• Make sure it’s
encrypted
• Make sure it is stored
securely offsite
• Many options:
• Carbonite
• Mozy
• Norton
• PCIC

Disposing of Confidential Data
• Remove media!
• Wipe media
o Software to overwrite
drive multiple times
o Permanent magnet
• Destroy media
o Semshred –
www.semshred.com

Conclusion:

Key Takeaway Points
• Learn about the Information security risks
affecting your business
• Address, Transfer or Accept them
• Don’t just ignore them
• Learn about the security and privacy related
regulations affecting your business
• Understand consequences of non-compliance
• Build security into your day-to-day operations
• Don’t just layer it on
• Don’t make it “extra work”

SMBCSA Online Helpdesk

Contact Information
Jerrod Barton
Director, Community Outreach
Tel: (540) 308-9609
Email: jerrod@smbcybersecurity.org

Protecting Customer Confidential Information

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (6)

Semelhante a Protecting Customer Confidential Information

Semelhante a Protecting Customer Confidential Information (20)

Mais de William McBorrough

Mais de William McBorrough (20)

Último

Último (20)

Protecting Customer Confidential Information

Notas do Editor