A NonProfit Technologist's Guide to CyberSecurity and Data Protection
From NetSquared Houston, June 10, 2014.

By: Gerry McGreevy
Senior Systems Analyst, MD Anderson Cancer Center

http://www.meetup.com/Net2Houston/events/178372942/

Gerry McGreevy, long-time NetSquared member, Senior Database Administrator with 15 years' experience in IT, and newly re-tooled for a career as IT Security Consultant, will be our June speaker.



The theme for the evening's presentation will be: Know Your Data, and be Aware of Evolving Threats.

Gerry's going to talk about CyberSecurity including an overview of the current landscape on how you can protect your organization's and your personal data, whether it be at home, in your pocket, in the cloud, or you are roaming in the wild. Specific tips and pointers to resources will be included!

Published in: Technology, Business
Transcript

  • 1. A NonProfit Technologist's Guide to CyberSecurity and Data Protection. NetSquared Houston, 6/10/2014. Gerry McGreevy, CISSP, MBA, OCP, Senior Systems Analyst, MD Anderson Cancer Center, gmcgreevy@mdanderson.org; Beiser IT Services, gerry.mcgreevy@beiser.us. Committee on National Security Systems (CNSS).
  • 2. State of Data Security Today
    • National Security - Major Cyber Wars: China; Eastern Bloc; Iran; N. Korea, South and SE Asia; Mid-East; Drug Cartels & Organized Crime (foreign / domestic)
    • Threats to Infrastructure: Electric & water utilities; Transportation (air system, rail, traffic signals); Communication (internet, phones, satellites); Others (prisons, hospitals); Internet of Everything
  • 3. The Value of Your Data
    • Threats to Commerce: Intellectual Property, Trade secrets; Contracts, Order systems; Proprietary data and processes, General operations; Data Breaches and Leakage = Heavy Fines + Restitution + Breach of Trust
    • Threats to Personal Digital Life: Identity Fraud; Credit Hacking; Tax Refunds; Medical Data Leakage; Embarrassing Disclosures; Litigation / Spousal surveillance
  • 4. (Charts) Source: Mandiant. Source: PWC.
  • 5. (Chart) Source: Mandiant.
  • 6. Privacy Violations vs. Fraudulent Access: What You Give Away (Why does a screen lock app need to know? >>) vs. What They Steal.
  • 7. Concepts in Data Protection
    • What you are protecting: Confidentiality, Integrity, Availability
    • Types of Data: Customer records; Financial Records; Compliance Records; Personal Identity Information (employee records, Credit Card); Trade Secrets; Operational Records
  • 8. Best Practices for Small Businesses (and Non-Profits)
    • Suggestions from National Institute of Standards and Technology: Best Practices for Small Businesses - NIST 7621, http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf
    • Suggestions from Greater Houston Partnership: CyberThreat Self Assessment Tool, http://www.houston.org/cybersecurity/pdf/Cyber-Security-Book.pdf
  • 9. Suggestions from NIST: "Must Do's"
    • Protect against viruses, spyware, and other malicious code
    • Control access to computer and network (internal and external firewalls)
    • Use individual usernames / passwords across your network (strong password policies, or 2-factor authentication = better!)
    • Limit access to important data
    • Use segmented networks
    • Patch operating systems and applications (Secunia PSI, http://secunia.com)
    • Make regular backups; fully test a restore
    • Train employees in basic security principles
  • 10. Suggestions from NIST: "Highly Recommended"
    • Train to be alert for spear-phishing attacks, links in emails, IM, pop-ups, social engineering, web surfing, downloading.
    • Cautions against online business or banking: not from mobile or strange networks, only from a secure computer; use VPN, Remote Desktop, or encrypted VNC, GoToMyPC, etc.
    • Properly dispose of old computers and media
    • How to get help with information security when you need it
    • Recommended personnel practices in hiring employees
  • 11. Additional Suggestions: Greater Houston Partnership
    • Lock down desktops
    • Disallow software installations, USB, other devices
    • Whitelist apps that are okay; install from a common download area
    • Lock down Wifi and mobile (by MAC address and WPA2 password)
    • Monitor web usage and report
    • Learn how to encrypt data (MS Doc locks, TrueCrypt, BitLocker)
    • Avoid using cloud (especially for sensitive info!)
    • Classify data & separate based on content & classification
    • Formalized security policies
    • Conduct assessments
    • Data recovery exercises
  • 12. Segment Your Network: Not-so-Sensitive Data | Sensitive Data. Requires you to know and classify your data. < Critical exercise!
  • 13. Top 20 Security Controls (Advanced / Enterprise): Critical Security Controls - Version 5
    • 1: Inventory of Authorized and Unauthorized Devices
    • 2: Inventory of Authorized and Unauthorized Software
    • 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
    • 4: Continuous Vulnerability Assessment and Remediation
    • 5: Malware Defenses
    • 6: Application Software Security
    • 7: Wireless Access Control
    • 8: Data Recovery Capability
    • 9: Security Skills Assessment and Appropriate Training to Fill Gaps
    • 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
    • 11: Limitation and Control of Network Ports, Protocols, and Services
    • 12: Controlled Use of Administrative Privileges
    • 13: Boundary Defense
    • 14: Maintenance, Monitoring, and Analysis of Audit Logs
    • 15: Controlled Access Based on the Need to Know
    • 16: Account Monitoring and Control
    • 17: Data Protection
    • 18: Incident Response and Management
    • 19: Secure Network Engineering
    • 20: Penetration Tests and Red Team Exercises
    This work is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License. http://www.sans.org/critical-security-controls/
  • 14. Encryption: Protecting Microsoft Docs
    • File > Info > Restrict Permission by People (need Windows ID); Microsoft Office 360. Good for sharing, not good for sensitive data.
    • Use WinZip to send the doc in an encrypted AES 256 wrapper.
    • GNU Privacy Guard: https://www.gnupg.org/
  • 15. Current Threat Trends: Heartbleed; Ransomware; Spear-phishing; Other trends
  • 16. Email Security: Attachments
    • MS Office Docs: turn off macros (or at least prompt)
    • Google Docs: Preview (big difference in security between previewing in Gmail vs. Outlook)
  • 17. Email Security: Attachments
    • Watch for weird, long names, e.g. "coolvideo.mp4" followed by a long run of spaces and then ".exe"
    • Open in a sandbox environment (virtual machine)
    • Understand digital signatures
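The padded-name trick on slide 17 is easy to check for mechanically. The following is an added example (not code from the presentation) that flags an attachment name when its real extension is executable, when a decoy media or document extension precedes it, or when a run of whitespace pads the name; the extension lists and the padding threshold are constructed for this example.

```python
import re
from typing import NamedTuple

# Constructed lists for this example, not from the presentation: extensions Windows will
# run when double-clicked, and extensions a reader expects to be harmless media or documents.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "msi", "pif", "jar"}
DECOY_EXTENSIONS = {"mp4", "avi", "mov", "jpg", "png", "gif", "pdf", "doc", "docx", "xls", "xlsx", "txt"}


class Verdict(NamedTuple):
    suspicious: bool
    reasons: tuple


def inspect_attachment_name(name: str, max_pad: int = 3) -> Verdict:
    """Flag attachment names built like the slide's "coolvideo.mp4 <spaces> .exe".

    Three independent signals are collected, so the caller sees why a name was flagged:
      1. the final (real) extension is one the OS executes;
      2. a decoy media/document extension appears earlier in the name;
      3. a run of more than ``max_pad`` whitespace characters pads the name so the real
         extension scrolls out of view in a mail client's attachment list.
    """
    reasons = []
    # Tokens between dots and whitespace: "coolvideo.mp4   .exe" -> ["coolvideo", "mp4", "exe"]
    tokens = [t for t in re.split(r"[.\s]+", name.strip()) if t]
    final_ext = tokens[-1].lower() if len(tokens) > 1 else ""
    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executes as .{final_ext}")
    # Every token except the base name and the real extension is a candidate decoy extension.
    if {t.lower() for t in tokens[1:-1]} & DECOY_EXTENSIONS:
        reasons.append("decoy extension before the real one")
    longest_pad = max((len(run) for run in re.findall(r"\s+", name.strip())), default=0)
    if longest_pad > max_pad:
        reasons.append(f"{longest_pad} whitespace characters of padding")
    return Verdict(bool(reasons), tuple(reasons))


def triage(names) -> dict:
    """Map each attachment name to its reasons; an empty tuple means nothing was found."""
    return {n: inspect_attachment_name(n).reasons for n in names}
```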
  • 18. Social Engineering
  • 19. Hacking - Things You Think May be Secure but Aren't: Adobe; Java; Firefox; Google; Microsoft; Apple
  • 20. Hacking - Things You Think May be Secure but Aren't
    • SSL implementations
    • Don't download directly to Dropbox (it tells them what account, and you have to log in, giving your password). Download to local, then save to Dropbox.
    • Recommend NOT sharing passwords from one site to another, i.e. don't use a Facebook / Google ID to log into some other site
  • 21. Careful What You Download: Which of these search results are safe?
  • 22. Password Cracking
    • Strong Passwords: 8 - 15 characters (old advice), non-dictionary words; stop using 5 for S, 1 for I, 0 for O (doesn't really help anymore); be aware of common password patterns (paper on PIN numbers: http://www.datagenetics.com/blog/september32012/); problems w/ password managers LastPass, KeePass, others; use phrases with spellings all messed up, e.g. toseideotsdonno
    • Don't communicate passwords via email or SMS; use a different "channel"
    • Better protect yourself: Multi-Factor Authentication (e.g. Google Authenticator, can be used by some apps)
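Slide 22's point that 5-for-S style substitutions no longer help can be turned into a policy check: undo the substitutions and appended years first, then compare against a wordlist. This is an added example, not the presentation's code; the wordlist, the leetspeak map and the 12-character minimum are constructed for the example.

```python
import re

# Substitutions the slide says no longer help: a rule-based cracker undoes them before
# dictionary matching, so the check undoes them too (constructed mapping for this example).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                          "@": "a", "$": "s", "!": "i"})

# Constructed stand-in for a real cracking wordlist; a production check would load a full list.
COMMON_WORDS = {"password", "welcome", "letmein", "houston", "summer", "dragon", "monkey",
                "qwerty", "admin", "nonprofit"}


def normalise(pw: str) -> str:
    """Reduce a candidate to the base word a cracker's rules would try first."""
    base = pw.lower()
    base = re.sub(r"[!?.@#$%^&*]+$", "", base)   # trailing punctuation, e.g. 'Summer2014!'
    base = re.sub(r"(19|20)\d{2}$", "", base)    # an appended year
    base = re.sub(r"\d{1,3}$", "", base)         # a short appended number, e.g. 'dragon12'
    return base.translate(LEET_MAP)              # leetspeak inside the word, e.g. 'P@55w0rd'


def assess(pw: str) -> dict:
    """Return the normalised base word plus the weaknesses found; an empty list = acceptable."""
    base = normalise(pw)
    findings = []
    if base in COMMON_WORDS:
        findings.append(f"reduces to dictionary word '{base}'")
    if pw.isdigit():
        findings.append("all digits (PIN-style, see the datagenetics analysis)")
    if len(pw) < 12:  # constructed policy minimum; the slide's 8-15 range is called old advice
        findings.append("shorter than 12 characters")
    if re.search(r"(.)\1{2,}", pw):
        findings.append("three or more repeated characters in a row")
    return {"base": base, "findings": findings, "acceptable": not findings}
```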
  • 23. Mobile Data
    • Dropbox, Google Drive and other cloud storage issues: privacy, data ownership, responsibility. Only put docs out where no harm is done if revealed. Or, encrypt before writing to cloud (warning: consider where / by whom the encryption is being done).
    • Thumbdrives: very easy to hide a virus; use an encrypted (or hidden) partition; tool: TrueCrypt
  • 24. Mobile Data
    • Mobile devices: if they are not "locked down", consider them open to the internet. Allow non-rooted phones only. Use a "guest" network to connect for any device not locked down. Most client apps (email, SMS, etc.) leave data on the phone. Far from guaranteed you can erase all data on a lost phone.
  • 25. When You Are Out In the Wild
    • Resist joining strange networks
    • Protect yourself by doing everything important from home (even when you're not)
    • Accessing your screen at home while away - options: Remote Desktop (Windows); GoToMyPC; VNC Personal, use 128-bit encryption (256 = strong), http://www.realvnc.com/; OpenVPN
  • 26. Protecting Your Home Computer
    • Need to have multiple copies (and safe places) for each backup: onsite and remote
    • Where and how you encrypt matters a lot to both security and costs
    • Easy: copy files to a USB external hard drive > remove the drive, give it to a friend. Cost $70 - $150.
    • Flow: Orig. Data > Backup / zip to compress (encrypt before write to disk) > Upload to Cloud, or to a 2nd local drive
    • My Docs > copy/zip to E:\Backup > upload to Amazon. Cost to set up $0; cost to restore $40 - $100
    • Must fully test restore. A restore method not tested makes it a crap shoot, odds against you.
  • 27. Protecting Your Home Computer: Myth: Macs are not subject to viruses. Windows vs. Mac: http://www.cvedetails.com/top-50-vendors.php
  • 28. http://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-156/cvssscoremin-2/cvssscoremax-2.99/Apple-Mac-Os-X.html
  • 29. Protecting Your Home Computer: Keep it Patched! Not just your O/S but your applications as well. http://secunia.com/vulnerability_scanning/personal/
  • 30. Protecting Your Home Computer
    • Lock DNS (if possible). Know (and periodically check) where your DNS is pointed to.
    • Logfiles: know where they are, become familiar with what they do (may be overwhelming)
    • File shredding: learn to digitally "shred" sensitive files (http://www.fileshredder.org/)
  • 31. Protecting Your Home Computer: Password Repositories - Not Really Safe. Simple solution: encrypt the spreadsheet (WinZip, TrueCrypt); white out the passwords, so you can just copy / paste.
  • 32. Using Encryption
    • Protect person-to-person communications
    • Digital Signatures - brings confidence the sender is as claimed
    • Message Authentication - not changed in transit
    • Privacy - secure message in transit
    • Disc encryption - important on mobile devices
    • Personal identity in public space - Digital IDs
    • Common freeware: TrueCrypt, Windows BitLocker, GNU Privacy Guard, WinZip (pay)
  • 33. Things You Don't See Have Holes: Printers; Smart TVs and other appliances ("Samsung All Share"); Video Game Consoles; "Internet of Everything". Solution: segmented network / subnet / DMZ. Put your most secure data behind an internal firewall.
  • 34. Learn How to Create a Segmented Home Network
  • 35. Safe Browsing Choices
    • Use Private Browsing (all browsers have this option): limits the amount of info stored in the browser
    • Use Virtual Machines for browsing the internet (need to isolate the VM from any network)
    • TOR (The Onion Router): not really anonymous, but very hard to trace
  • 36. Locating Sensitive Data: Identity Finder - find Personal Identity Information (PII) on your computer
  • 37. Antivirus. Good products: Comodo (paid); MalwareBytes (free); Combofix rootkit fixer (free). Recommend avoiding Kaspersky.
  • 38. Keeping Your Ear To The Ground: Resources for Further Information
    • Greater Houston Partnership - CyberThreat Self Assessment Tool: http://www.houston.org/cybersecurity/pdf/Cyber-Security-Book.pdf
    • Best Practices for Small Businesses - NIST 7621: http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf
    • Know the Risks Before You Head to the Cloud: A Primer on Cloud Computing Legal Risks and Issues for Nonprofits: http://www.jdsupra.com/post/documentViewer.aspx?fid=05a42be3-161f-4909-af04-50aa14b6689e
    • Cybersecurity: The Corporate Counsel's Agenda: http://www.hoganlovells.com/custom/eDocs/Cybersecurity%20Advisory_Pearson_11152012.pdf
    • Online Social Networks, CyberRisk and Your Nonprofit: What You Need to Know: http://www.nonprofitrisk.org/library/newsletter/followme.shtml
  • 39. Keeping Your Ear To The Ground: Resources for Further Information (cont.)
    • Executive Order Begins Process of Strengthening Nation's Cybersecurity and Critical Infrastructure: http://www.pepperlaw.com/publications_update.aspx?ArticleKey=2562
    • NIST Special Publication 500-292: Cloud Computing Reference Architecture
    • The Importance of Cybersecurity to the Legal Profession and Outsourcing as a Best Practice: http://e-discoveryteam.com/2014/05/11/the-importance-of-cybersecurity-to-the-legal-profession-and-outsourcing-as-a-best-practice-part-one/
    • Online Privacy for Nonprofits: https://www.privacyrights.org/online-privacy-nonprofits
    • NIST Proposes Privacy Control Roadmap for Organizations: http://www.pepperlaw.com/publications_update.aspx?ArticleKey=2658
    • Common Vulnerability Evaluation Database: http://www.cvedetails.com
    • Mandiant Reports: https://www.mandiant.com/resources/mandiant-reports/
    • Webcasts: Bitter C-Suite: Privacy, Security and Data Protection Issues Facing Corporations, Directors and Officers (http://www.pepperlaw.com/webinars_update.aspx?ArticleKey=2888); BYOD (Bring Your Own Device) *Liability and Data Breach Sold Separately (http://www.pepperlaw.com/webinars_update.aspx?ArticleKey=2773)
  • 40. Closing Thoughts
    • Recognize that data breaches cannot be 100% prevented. They will happen. You must prepare multiple defense strategies to remediate.
    • Take a thorough inventory of your data, your devices, your systems, and who is "allowed".
    • Understand, and stay aware of, a continuously evolving threat environment - defending your data is an ongoing process.
  • 41. Questions
