Protecting Customer Confidential Information

Presentation to small business owners on information security.

Published in: Technology, Business
  • Background
    Goals of IT Security
    Today’s reality
    Sizing up the problem for an organization
    The fix – In short, prevent access and/or make it unreadable if accessed
    Human aspects
    Procedures
    NDAs
    Policy – what do we allow on laptops?
    Training
    Social engineering
    Local
    Physical
    Storage media
    hard drive encryption
    Vista Bit Locker
    Seagate
    Computrace
    USB drives
    2 factor authentication
    Application password security (Adobe Acrobat, MS Word, WinZip) vs. password hacking programs – easy break in!
    Remote
    VPNs
    RDP
    Web certificates
    Sharing
    E-mail – hosted encryption
    Zix Corp e-mail for Outlook
    Secure transmission programs
    Portals
    Disposing
    Semshred - http://www.semshred.com/
  • Obsolete Agenda / other ideas:
    Background
    What’s confidential?
    Where is it stored?
    Restricting access
    Physical
    Authentication
    Encryption
    Secure sharing
  • AES Encrypted Portable Storage!
    The KanguruMicro Drive AES is the only USB Flash Drive that meets federal requirements for ensuring the confidentiality of sensitive data and information accessed by portable flash drives! This high speed, high quality USB 2.0 Flash Drive has undergone rigorous testing and is FIPS 140-2 Certified (FIPS Certification # 682). It is the first USB 2.0 Flash Drive with software based encryption to be FIPS Certified for Government use! The KanguruMicro Drive is ultra secure, utilizing 256-bit AES Encryption to protect data stored on the drive. Plug the KanguruMicro Drive AES into any available USB or USB 2.0 port and begin using it! Store and transport your work files in a safe, secure fashion.
    Start from $49 – 1GB drive ~ $110
  • WAP = Wireless Access Point
    WEP = Wired Equivalent Privacy
    WPA = Wi-Fi Protected Access
  • Why is ShareFile the best way to transfer files securely?
    Create online folders to simplify collaboration and communication
    Completely custom branded with your company logo and colors
    A login box can be placed on your company web site
    Unlimited user accounts for clients and partners
    Ability to send large files via e-mail with a hyperlink
    Proven easy-to-use interface for file and user management
    Tracking and alerts to confirm that clients have received files
    Unlimited data storage backed up daily
    128-bit encryption to secure your data against hackers
    Great telephone and e-mail support
    Easy to set up...signing up only takes about 5 minutes
    Automatic compression of downloaded files
    Ability to request files from clients with an e-mail hyperlink
    Upload multiple files at once
    No software to install or complicated Java Applets
    Easy user management
    Enterprise Account
    $99.95 per month or $119.95 per month with monthly billing
    10 GB monthly bandwidth
    30 employee accounts
    Unlimited client/users accounts
    Unlimited disk space
    Custom branding to match your company web site
    Telephone and e-mail support
    Daily backup
  • The Challenge: With increasing compliance regulations and concerns about protecting information privacy, it is becoming critically important to exchange information, data, and files/documents via secure methods. However, it remains common practice today at many companies to send confidential or sensitive information across insecure mediums – namely email and FTP – technologies that were not built to address security or robust reporting requirements.
    Solving the Secure File Delivery Challenge: Pipeline eXchange™ is an electronic file exchange service that enables you to securely send and receive documents/files of any type or size with your trading partners. Pipeline eXchange™ is 100% browser based and easy to use. Users simply specify the files they wish to be delivered, and then select the recipients and delivery options. The files are securely delivered to each recipient, and Pipeline eXchange™ automatically tracks and generates an audit trail for the entire delivery process, sending various status notifications to the sender.
    Easy to Use: requires only a browser; no software to install; no hardware to manage; minimal user support required
    Secure: layered encryption and access control; SAS 70 certified data center; user access audit log
    Enterprise Features: user and group administration; ERP, CRM, SCM connectors; full service customization
    Reliable: 99.9% uptime guarantee; 24x365 monitoring; world-class infrastructure
    Affordable: monthly subscription; usage-based billing options; get started for $79 per month
  • Transcript of "Protecting Customer Confidential Information"

    1. www.smbcybersecurity.org
       Protecting Customer Confidential Information!
       Presented by: William McBorrough, MSIA, CISSP
       SMB Cyber Security Alliance

    2. Agenda
       • Background
       • Sizing Up the Problem
       • The Fix
         o People Factor
         o Technology
         o Disposing of Old Data
       • Key Takeaways

    3. Background

    4. Sensational Headlines…daily!
       • Heartland Payments announced breach of more than 100 million credit card numbers (January 2009). One of the largest in history.
       • T.J. Maxx data theft (some 45 million credit and debit card numbers) likely due to wireless ‘wardriving’, i.e. thief with a laptop, a telescope antenna, and a wireless LAN adapter (December 2006).

    5. Sensational Headlines…Daily!
       • Veterans Administration announces confidential information of 26.5 million service personnel was stolen when an employee’s home laptop was stolen (June 2006).
       • Over 600,000 laptop thefts occurred in 2004, totaling an estimated $720 million in hardware losses and $5.4 billion in theft of proprietary information.

    6. What’s not in the headlines?
       A 2010 survey conducted by the Ponemon Institute and Guardian Analytics of over 500 SMBs surfaced these alarming statistics:
       • 55% experienced a fraud attack in the last year
       • 58% of the incidents involved online banking
       • Over 50% experienced multiple incidents
       • 87% failed to fully recover lost funds

    7. The Times are a Changing
       • Most small business owners today depend on Laptops and Tablet PCs to manage their businesses on the go
       • Most require ready access to the Internet while working from home, office, hotels, airports, customer sites, etc.
       • Most utilize smart phones capable of email, web browsing, storing data and detailed contact information, etc.

    8. The Times are a Changing
       • Increase in mobility and portability has caused a major upsurge in data breaches:
         o Breaches may go undetected or undiscovered for long periods of time.
         o Problem could easily become overwhelming (identity theft will look like child’s play).

    9. What are the Consequences?
       • Damage to reputation, brand, relationships
       • Legal liability and regulatory fines
       • Customer and stakeholder distrust
       • Reduced revenues and market share
       • Refusal of customers to allow their personal information to be used for business purposes

    10. Aware of the Privacy laws?
       • HIPAA – for health services providers
       • GLBA – for financial services providers
       • COPPA – for online service providers to minors
       • Various State Breach Notification Laws

    11. Information Security Management “Short List”
       • Router
       • Patches
       • Anti-
         o Virus
         o Spam
         o Spyware
       • Passwords / Passphrases
       • Personal Firewall
       • Network Firewall
       • Intrusion Detection
       • Web-based e-mail / file sharing Protection
       • Wireless Encryption
       • Physical Access Control
       • Backups

    12. Security GOAL: Reduce Risk to an Acceptable Level
       • Just because it can happen doesn’t mean it will.
       • Put threats into perspective by assessing:
         o Probability of attack
         o Value of business assets put at risk
         o Business cost and consequence of attack

    13. Sizing Up the Problem

    14. What is Confidential Data?
       • Social Security #
       • Credit/debit card numbers
       • Driver’s license number
       • Bank account numbers
       • Birth dates
       • PIN codes
       • Medical records
       • Mother’s maiden name?

    15. Where Is Confidential Data Stored?
       In-House Systems
       • Physically secure?
       • Network access restricted to only authorized individuals?
       Backup Media
       • Physical location?
       • Format?
       Remote Users
       • Laptops, home computers & memory sticks?

    16. Who Has Access?
       • Data access restricted to authorized individuals?
       • Shared passwords = shared data and no accountability
       • Wide open network = information free-for-all (Remember the 3 little pigs?)

    17. The Fix

    18. The Fix!
       • In short… Restrict access and/or Make it unreadable
       • Data is made “unreadable” using encryption.
       • Back it up remotely

    19. People Factor
       Policy
       • Who is allowed access?
       • When is access allowed?
       • What are users allowed to do?
       • Where is data permitted to be…
         o Accessed from (devices & locations?)
         o Stored
           - Network servers
           - Desktops
           - Laptops / Tablets / Smart Phones
           - Thumb drives

    20. People Factor – Mitigating Risk
       Acceptable Use Policies
       • Business data access rules: who, where, when and what
       • Supported mobile devices and operating systems
       • Required security measures and configurations
       • Process for usage monitoring, auditing and enforcement (check your state and local laws)
       Non-Disclosure Agreements (NDA)?
       Training & Communication – regular and often?
       Social Engineering
       • “Click here” to download key logger!
       • Phishing attacks are still highly effective for stealing
         o Personal information
         o Login information – can then be used to access systems containing confidential data

    21. (no slide text)

    22. (no slide text)

    23. (no slide text)

    24. Technology – OnSite
       Physical security
       • Sensitive data located on secure systems
       • Locked server room
       • Locked server cage(s)

    25. Storage Media
       Hard drive encryption
       • Vista BitLocker
         o Encrypts entire Windows Operating System volume
         o Available with:
           - Vista Ultimate
           - Vista Enterprise
       • Third party, commercial encryption software
         o TrueCrypt
         o PGP Desktop Home

    26. Storage Media
       USB Thumb Drives
       • Most older drives completely insecure
       • If you want to store/transfer secure data on a USB thumb drive, look for a device that can…
         o Encrypt data
         o Authenticate user

    27. Authentication
       • APC BIOMETRIC PASSWORD MANAGER fingerprint reader - USB by APC ($35 - $50)
       • Hundreds of devices like this ranging from $25 - $300.

    28. Application Software
       In general, application passwords are poor protection (since most can be broken)
       • e.g. Passware (www.lostpassword.com)
       • Unlocks 25 different applications including Windows, Office, QuickBooks, Acrobat, WinZip, etc.

    29. VPN (Virtual Private Network)
       • A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses “virtual” connections routed through the Internet from the company's private network to the remote site or employee.

    30. • Overview

    31. VPN (Virtual Private Network) Benefits
       • Extend geographic connectivity
       • Reduce transit time and transportation costs for remote users
       • Provide telecommuter support
       • Improve security
       • Improve productivity
       • Direct printing to office
       • Direct connect to network drives

    32. VPN
       • Use a 3rd-party VPN service, e.g. HotSpotVPN, JiWire Spot Lock, Public VPN or WiTopia Personal VPN

    33. Host-Based Remote Access
       Remote Control
       • GoToMyPC
       • LogMeIn
       • Symantec pcAnywhere

    34. Digital Certificates
       • Implement digital certificates for internally hosted corporate web resources or web presence, e.g. E-mail, CRM, B2? site, etc. This allows all traffic to be encrypted via SSL (Secure Sockets Layer).
         o Padlock indicates traffic is being encrypted and the web site owner’s identity can be verified (by certificate authority).

    35. Wireless Security – Network
       • DON’T do a plug-n-play install!
       • Password protect administrative setup
       • Encryption:
         o WEP – Easily cracked, better than nothing
         o WPA (better)
         o WPA2 (best)
       • Enter authorized MAC addresses on WAP

    36. Wireless Security - End Users
       • Ensure all mobile devices are updated with the latest security patches
       • Only use SSL enabled (https) websites when sending/entering sensitive data (credit cards and personal identity information)
       • Encrypt documents that contain sensitive data that will be sent over the Internet

    37. Wireless Security - End Users
       • As a general rule (while not always possible) use WiFi for Internet surfing only
       • Disable or remove wireless devices if they are not being used. This includes:
         o WiFi – 802.11a/b/g/n
         o Bluetooth
         o Infrared
         o Cellular
       • Avoid hotspots where it is difficult to tell who is connected
       • Ad-hoc/peer-to-peer setting should be disabled

    38. WiFi Security - End Users
       WiFi Best Practices
       • Use broadband wireless access (EvDO, 3G/GPRS, EDGE, UMTS) to make wireless connections:
         o Verizon and Sprint Broadband services are very fast - $59.99/month – unlimited access
         o Wireless carriers offer fairly good encryption and authentication

    39. Sharing Confidential Data
       Options:
       • E-mail
       • FTP / Secure FTP
       • Secure transmission programs
       • Customer portal / extranet
       • 3rd Party Hosted Data Exchange

    40. Sharing Confidential Data
       E-mail
       • As a general rule, e-mail is insecure!
       • In order to secure:
         o Digital Certificates / PKI
           - PGP
           - Verisign

    41. (no slide text)

    42. Sharing Confidential Data
       Client Extranets
       • Internal
       • Hosted
         o e.g. ShareFile
           - Branded!
           - $100/mo.
           - 30 employees
           - Unlimited clients

    43. (no slide text)

    44. Back up All Valuable Information
       • Make sure it’s encrypted
       • Make sure it is stored securely offsite
       • Many options:
         o Carbonite
         o Mozy
         o Norton
         o PCIC

    45. Disposing of Confidential Data
       • Remove media!
       • Wipe media
         o Software to overwrite drive multiple times
         o Permanent magnet
       • Destroy media
         o Semshred – www.semshred.com

    46. Conclusion

    47. Key Takeaway Points
       • Learn about the Information security risks affecting your business
       • Address, Transfer or Accept them
       • Don’t just ignore them
       • Learn about the security and privacy related regulations affecting your business
       • Understand consequences of non-compliance
       • Build security into your day-to-day operations
       • Don’t just layer it on
       • Don’t make it “extra work”

    48. (no slide text)

    49. SMBCSA Online Helpdesk

    50. Contact Information
       Jerrod Barton
       Director, Community Outreach
       SMB Cyber Security Alliance
       Tel: (540) 308-9609
       Email: jerrod@smbcybersecurity.org