4. www.smbcybersecurity.org
Sensational Headlines…daily!
• Heartland Payments announced breach of more
than 100 million credit card numbers (January
2009). One of the largest in history.
• T.J. Maxx data theft (some 45 million credit and
debit card numbers) likely due to wireless
‘wardriving’, i.e. thief with a laptop, a telescope
antenna, and a wireless LAN adapter (December
2006).
SMB Cyber Security Alliance
5. Sensational Headlines…Daily!
• Veterans Administration announces confidential
information of 26.5 million service personnel was
stolen when employee’s home laptop was stolen
(June 2006).
• Over 600,000 laptop thefts occurred in 2004,
totaling an estimated $720 million in hardware
losses and $5.4 billion in theft of proprietary
information.
6. What’s not in the headlines?
A 2010 survey conducted by the Ponemon Institute and
Guardian Analytics of over 500 SMBs surfaced these
alarming statistics:
• 55% experienced a fraud attack in the last year
• 58% of the incidents involved online banking
• Over 50% experienced multiple incidents
• 87% failed to fully recover lost funds
7. The Times are a Changing
• Most small business owners today depend on
Laptops and Tablet PCs to manage their businesses
on the go
• Most require ready access to the Internet while
working from home, office, hotels, airports, customer
sites, etc.
• Most utilize smart phones capable of email, web
browsing, storing data and detailed contact
information, etc.
8. The Times are a Changing
• Increase in mobility and portability has
caused a major upsurge in data breaches:
o Breaches may go undetected or undiscovered
for long periods of time.
o Problem could easily become overwhelming
(identity theft will look like child’s play).
9. What are the Consequences?
• Damage to reputation, brand,
relationships
• Legal liability and regulatory fines
• Customer and stakeholder distrust
• Reduced revenues and market share
• Refusal of customers to use their personal
information for business purposes
10. Aware of the Privacy laws?
• HIPAA – for health services providers
• GLBA – for financial services providers
• COPPA – for online service providers to
minors
• Various State Breach Notification Laws
11. Information Security Management “Short List”
• Router
• Patches
• Anti-
o Virus
o Spam
o Spyware
• Passwords / Passphrases
• Personal Firewall
• Network Firewall
• Intrusion Detection
• Web-based e-mail / file sharing Protection
• Wireless Encryption
• Physical Access Control
• Backups
12. Security GOAL: Reduce Risk to an Acceptable Level
• Just because it can happen doesn’t mean
it will.
• Put threats into perspective by assessing:
o Probability of attack
o Value of business assets put at risk
o Business cost and consequence of attack
14. What is Confidential Data?
• Social Security #
• Credit/debit card numbers
• Driver’s license number
• Bank account numbers
• Birth dates
• PIN codes
• Medical records
• Mother’s maiden name?
15. Where Is Confidential Data Stored?
In-House Systems
• Physically secure?
• Network access restricted to only authorized
individuals?
Backup Media
• Physical location?
• Format?
Remote Users
• Laptops, home computers & memory sticks?
16. Who Has Access?
• Data access restricted to authorized
individuals?
• Shared passwords = shared data and no
accountability
• Wide open network = information free-for-all
(Remember the 3 little pigs?)
18. The Fix!
• In short…
Restrict access
and/or
Make it unreadable
• Data is made “unreadable” using
encryption.
• Back it up remotely
19. People Factor
Policy
• Who is allowed access?
• When is access allowed?
• What are users allowed to do?
• Where is data permitted to be…
o Accessed from (devices & locations?)
o Stored
Network servers
Desktops
Laptops /Tablets/Smart Phones
Thumb drives
20. People Factor – Mitigating Risk
Acceptable Use Policies
• Business data access rules: who, where, when and what
• Supported mobile devices and operating systems
• Required security measures and configurations
• Process for usage monitoring, auditing and enforcement (check your
state and local laws)
Non-Disclosure Agreements (NDA)?
Training & Communication – regular and often?
Social Engineering
• “Click here” to download key logger!
• Phishing attacks are still highly effective for stealing
o Personal information
o Login information – can then be used to access systems containing
confidential data
25. Storage Media
Hard drive encryption
• Vista BitLocker
o Encrypts entire Windows Operating System volume
o Available with:
Vista Ultimate
Vista Enterprise
• Third party, commercial encryption software
o TrueCrypt
o PGP Desktop Home
26. Storage Media
USB Thumb Drives
• Most older drives completely
insecure
• If you want to store/transfer
secure data on USB thumb
drive, look for device that can…
o Encrypt data
o Authenticate user
29. VPN (Virtual Private Network)
• A VPN is a private network that uses a
public network (usually the Internet) to
connect remote sites or users together.
Instead of using a dedicated, real-world
connection such as leased line, a VPN
uses “virtual” connections routed through
the Internet from the company's private
network to the remote site or employee.
34. Digital Certificates
• Implement digital certificates for internally
hosted corporate web resources or web
presence, e.g. E-mail, CRM, B2? site, etc.
This allows all traffic to be encrypted via
SSL (Secure Sockets Layer).
o Padlock indicates traffic is being encrypted
and the web site owner’s identity can be
verified (by certificate authority).
35. Wireless Security – Network
• DON’T do a plug-n-play install!
• Password protect administrative setup
• Encryption:
o WEP – Easily cracked, better than nothing
o WPA (better)
o WPA2 (best)
• Enter authorized MAC addresses on WAP
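An added example (my own code, not the deck's) that checks an access point configuration against the points on this slide; it assumes the Linux hostapd.conf key names, and both sample configurations are constructed.

```python
# Added example, not code from the deck: applies the slide's checklist (no WEP,
# WPA2 only, MAC allow list) to a hostapd.conf-style access point configuration.
# Linux hostapd key names are assumed; consumer access points expose the same
# settings in a web UI. Both sample configurations below are constructed.

WEAK_CIPHERS = {"TKIP", "WEP40", "WEP104"}

def parse_conf(text: str) -> dict:
    """Parse key=value lines, skipping blanks and # comments; later keys win."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit(conf: dict) -> list:
    """Return findings in checklist order; an empty list means the checklist is met."""
    findings = []
    wpa = conf.get("wpa", "0")  # hostapd: 0 none, 1 WPA, 2 WPA2 (RSN), 3 both
    has_wep = any(k.startswith("wep_key") for k in conf)
    if has_wep:
        findings.append("WEP key set: WEP is easily cracked, replace with WPA2")
    elif wpa == "0":
        findings.append("open network: traffic is not encrypted at all")
    if wpa in ("1", "3"):
        findings.append("WPA (v1) still accepted: set wpa=2 so only WPA2 is used")
    ciphers = set(conf.get("wpa_pairwise", "").split()) | set(conf.get("rsn_pairwise", "").split())
    if ciphers & WEAK_CIPHERS:
        findings.append("weak pairwise cipher enabled: allow CCMP (AES) only")
    if conf.get("macaddr_acl") != "1":  # 1 = deny unless listed in accept_mac_file
        findings.append("no MAC allow list (macaddr_acl=1): a minor extra, not a substitute for encryption")
    return findings

WEAK_CONF = """ssid=OfficeNet
wep_default_key=0
wep_key0=0123456789
macaddr_acl=0
"""

GOOD_CONF = """ssid=OfficeNet
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=correct-horse-battery-staple
rsn_pairwise=CCMP
macaddr_acl=1
"""
```

audit(parse_conf(WEAK_CONF)) reports the WEP key and the missing MAC allow list; the second configuration comes back clean.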
36. Wireless Security - End Users
• Ensure all mobile devices are updated with
the latest security patches
• Only use SSL enabled (https) websites when
sending/entering sensitive data (credit cards
and personal identity information)
• Encrypt documents that contain sensitive data
that will be sent over the Internet
37. Wireless Security - End Users
• As a general rule (while not always possible) use
WiFi for Internet surfing only
• Disable or remove wireless devices if they are
not being used. This includes:
o WiFi – 802.11a/b/g/n
o Bluetooth
o Infrared
o Cellular
• Avoid hotspots where it is difficult to tell who is
connected
• Ad-hoc/peer-to-peer setting should be disabled
38. WiFi Security - End Users
WiFi Best Practices
• Use broadband wireless access (EvDO,
3G/GPRS, EDGE, UMTS) to make wireless
connections:
o Verizon and Sprint Broadband services are very fast -
$59.99/month – unlimited access
o Wireless carriers offer fairly good encryption and
authentication
44. Back up All Valuable Information
• Make sure it’s
encrypted
• Make sure it is stored
securely offsite
• Many options:
o Carbonite
o Mozy
o Norton
o PCIC
45. Disposing of Confidential Data
• Remove media!
• Wipe media
o Software to overwrite
drive multiple times
o Permanent magnet
• Destroy media
o Semshred –
www.semshred.com
47. Key Takeaway Points
• Learn about the Information security risks
affecting your business
• Address, Transfer or Accept them
• Don’t just ignore them
• Learn about the security and privacy related
regulations affecting your business
• Understand consequences of non-compliance
• Build security into your day-to-day operations
• Don’t just layer it on
• Don’t make it “extra work”
Background
Goals of IT Security
Today’s reality
Sizing up the problem for an organization
The fix – In short, prevent access and/or make it unreadable if accessed
Human aspects
Procedures
NDAs
Policy – what do we allow on laptops?
Training
Social engineering
Local
Physical
Storage media
hard drive encryption
Vista BitLocker
Seagate
Computrace
USB drives
2 factor authentication
Application security (Adobe Acrobat, MS Word, WinZip) vs. password hacking programs – easy break-in!
Remote
VPNs
RDP
Web certificates
Sharing
E-mail – hosted encryption
Zix Corp e-mail for Outlook
Secure transmission programs
Portals
Disposing
Semshred - http://www.semshred.com/
Obsolete Agenda / other ideas:
Background
What’s confidential?
Where is it stored?
Restricting access
Physical
Authentication
Encryption
Secure sharing
AES Encrypted Portable Storage!
The KanguruMicro Drive AES is the only USB Flash Drive that meets federal requirements for ensuring the confidentiality of sensitive data and information accessed by portable flash drives! This high speed, high quality USB 2.0 Flash Drive has undergone rigorous testing and is FIPS 140-2 Certified (FIPS Certification # 682). It is the first USB 2.0 Flash Drive with software based encryption to be FIPS Certified for Government use! The KanguruMicro Drive is ultra secure, utilizing 256-bit AES Encryption to protect data stored on the drive. Plug the KanguruMicro Drive AES into any available USB or USB 2.0 port and begin using it! Store and transport your work files in a safe, secure fashion.
Start from $49 – 1GB drive ~ $110
Why is ShareFile the best way to transfer files securely?
Create online folders to simplify collaboration and communication
Completely custom branded with your company logo and colors
A login box can be placed on your company web site
Unlimited user accounts for clients and partners
Ability to send large files via e-mail with a hyperlink
Proven easy-to-use interface for file and user management
Tracking and alerts to confirm that clients have received files
Unlimited data storage backed up daily
128-bit encryption to secure your data against hackers
Great telephone and e-mail support
Easy to set up...signing up only takes about 5 minutes
Automatic compression of downloaded files
Ability to request files from clients with an e-mail hyperlink
Upload multiple files at once
No software to install or complicated Java Applets
Easy user management
Enterprise Account
$99.95 per month or $119.95 per month with monthly billing
10 GB monthly bandwidth
30 employee accounts
Unlimited client/users accounts
Unlimited disk space
Custom branding to match your company web site
Telephone and e-mail support
Daily backup
The Challenge
With increasing compliance regulations and concerns about protecting information privacy, it is becoming critically important to exchange information, data, and files/documents via secure methods. However, it remains common practice for many companies to send confidential or sensitive information across insecure mediums – namely email and FTP – technologies that were not built to address security or robust reporting requirements.
Solving the Secure File Delivery Challenge
Pipeline eXchange™ is an electronic file exchange service that enables you to securely send and receive documents/files of any type or size with your trading partners. Pipeline eXchange™ is 100% browser based and easy to use. Users simply specify the files they wish to be delivered, and then select the recipients and delivery options. The files are securely delivered to each recipient and Pipeline eXchange™ automatically tracks and generates an audit trail for the entire delivery process, sending various status notifications to the sender.
Easy to Use: requires only a browser; no software to install; no hardware to manage; minimal user support required
Secure: layered encryption and access control; SAS 70 certified data center; user access audit log
Enterprise Features: user and groups administration; ERP, CRM, SCM connectors; full service customization
Reliable: 99.9% uptime guarantee; 24x365 monitoring; world-class infrastructure
Affordable: monthly subscription; usage-based billing options; get started for $79 per month