This document provides guidance on minimizing business risks related to data security. It discusses identifying important business information, threats from outside and inside the organization, assessing risks based on likelihood and impact, and mitigation strategies like technology safeguards, policies, processes, employee training, and physical security measures. The document emphasizes that leadership must be aware of risks and implement adequate safeguards to protect the organization.
8. Thought Experiment
   What information is REALLY important to you?
   I have [INSERT IMPORTANT INFORMATION]
   What would happen to my organization if it were…
      Lost and I couldn’t get it back
      Wrong
      Shared with media or someone else
9. Where Is It?
   Once you know what is important – where is it?
      On a computer? On paper? On a thumb drive? In e-mail?
   Does it ever leave your physical office? If so, how? Is it protected?
      Laptop in a computer bag in the back seat
      Smart phone left in the taxi/restaurant (e-mail, donor list, etc.)
      E-mail sent / received
      Online backups
      Off-site copies of backups
10. What Could Hurt You?
   Threats come from outside:
      Cyber threats – organized crime, corporate and state-sponsored espionage, terrorists, thrill seekers
      Litigation/regulatory threats – Payment Card Industry (PCI) standards, civil suits, NC & SC Identity Theft Protection Act (both states require notification), Health Insurance Portability and Accountability Act (HIPAA), …
11. What Could Hurt You?
   Threats come from outside:
      Physical threats – power outages, fire, hurricanes, tornadoes, vehicle crashing into your building
      Provider threats – Internet access, website host, telephones, cleaning company
13. What Could Hurt You?
   Threats also come from inside your organization:
      Leadership – lack of awareness, inadequate policy & process
      Employees – disgruntled, thievery, carelessness, uninformed, socially engineered (scammed)
15. What is the impact of the threat if it were realized?
18. What Will Hurt You?
   Likelihood examples:
      Credit card theft – ~100% on unprotected system
      Identity theft – ~100% on unprotected system
      PCI related fines – depends on your knowledge and application of the requirements
      System gets “botted” – high probability that an employee will click on a bad link
      Fire – low
      etc. – not rocket science
19. What Will Hurt You?
   Impact if the threat is realized
   Data breach: credit card numbers or personally identifiable information (PII) is stolen
      NC & SC laws require you to notify all people affected if they can be identified with certainty – otherwise all who could potentially be affected… your donors
      If PCI standards are not met, fines may be levied
      FTC prosecution and audits – non-profits have escaped notice…so far
      States with no security breach law: Alabama, Kentucky, New Mexico, & South Dakota.
20. What Will Hurt You?
   Impact if the threat is realized
   Social engineering: someone convinces an employee to click on a link in e-mail and you get “botted” – what happens?
      Credit card/PII theft…one time, ongoing
      Your machines send SPAM…to your donor list
21. What Will Hurt You?
   Impact if the threat is realized
   Fire: your computers and paper records are destroyed.
      Best case – execute your business continuity and disaster recovery plans
         Set up shop in designated space
         Forward all telephone lines into your cell phones
         Buy computers and restore from your backups
      Worst case – you don’t have a business continuity or disaster recovery plan
         The majority of organizations do not recover, or recover temporarily but cease operations permanently in the next 1-2 years
23. Impact – high: particularly for business accounts – no FDIC protection
30. Four Ways to Deal with Risk
   1. Terminate the Activity
   2. Transfer
   3. Mitigate
   4. Tolerate
   Some combination of these is the answer…
   …there will still be residual risk.
48. Security of Donor Information
   On their computer
      Recommend they use the same mitigations that PCI requires for businesses. You need to know what these are anyway – learn enough to explain them to your donors in plain English
   Between their computer and yours
      Via website: use https://
   On your computers and network
      Use PCI required mitigations
      Encrypt PII and credit card data
49. Questions from 2/23/11 Forum
   How can donors securely submit credit card numbers and other information via my website?
      For donations only: PayPal, or incorporate SSL (https://)
      For donations and other information: incorporate SSL (https://)
      If you have personally identifiable information (PII) on your computers, protect it. The PCI required mitigations are an excellent list.
50. Questions from 2/23/11 Forum
   How can I safely store credit card information?
      Remember the data breach laws cover all personally identifiable information (PII), not just credit card information
      Know where your PII resides…it’s probably on your computers, but may also be other places. If your donor list is on your Blackberry or in a folder of papers, and you leave either in a restaurant, the breach laws still apply.
      Establish policy and processes
      Now look for technical solutions
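"Know where your PII resides" is the step most organizations skip. The script below is an added example, not part of the deck or of Security in Focus, Inc.'s material: it walks a directory, looks for card numbers (13-16 digits, validated with the Luhn checksum so phone numbers and other IDs are not reported) and dashed US Social Security numbers, and reports only masked values so the report itself does not become a new copy of the data. The sample files, the card test numbers and the SSN pattern are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Candidate card number: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# US SSN in the dashed form; this pattern is an assumption for the example.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from phone numbers and IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Never write the full number into a report; keep the last four only."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pii(text: str):
    """Return (kind, masked_value) pairs found in a block of text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings


def scan_directory(root: Path):
    """Map each file (relative path) to its findings; files with none are omitted."""
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(errors="ignore")
        hits = find_pii(text)
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


def build_sample_tree() -> Path:
    """Constructed files for the demo; card numbers are the usual test values."""
    root = Path(tempfile.mkdtemp(prefix="pii_demo_"))
    (root / "donors.csv").write_text(
        "name,card\n"
        "A. Donor,4111 1111 1111 1111\n"   # passes Luhn: reported
        "B. Donor,4111-1111-1111-1112\n"   # fails Luhn: ignored
    )
    (root / "notes.txt").write_text(
        "Volunteer SSN on file: 123-45-6789. Office phone 704-555-0100.\n"
    )
    (root / "readme.txt").write_text("Nothing sensitive here.\n")
    return root


if __name__ == "__main__":
    for file, hits in scan_directory(build_sample_tree()).items():
        print(file, hits)
```

Run it against a real share or laptop by calling scan_directory on that path; the point is the inventory (which files, how many hits), which then drives the policy and the technical controls the slide asks for, in that order.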
52. Contact Information
   Ken Robey
   Security in Focus, Inc.
   704-846-1245
   robeygk@securityinfocus.com
53. Resources: Business Data Security
   SANS - Training, Free Resources, Free Policy Templates: https://www.sans.org/
   Microsoft "Security Risk Management Guide": http://technet.microsoft.com/en-us/library/cc163143.aspx
   Information Security Risk Assessment: http://www.ffiec.gov/ffiecinfobase/booklets/information_security/02_info_sec_%20risk_asst.htm
   UNC-C Cyber Defense and Network Assurability Center: http://www.cyberdna.uncc.edu/
   Wikipedia: http://en.wikipedia.org/wiki/Security_risk
   Security in Focus, Inc.: http://www.securityinfocus.com/
   Security Risk Assessment (learn without buying): http://www.security-risk-analysis.com/
   IBM - Threat reports: http://www-935.ibm.com/services/us/iss/xforce/trendreports/
   National Check Fraud Center: http://www.ckfraud.org/
   The Rising Threat of USB Drives: http://security.itbusinessnet.com/articles/viewarticle.jsp?id=1319668
   Password Proliferation Adds Security Risk: http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=229000624
   General Accounting Office - widely used practices (1999): http://www.gao.gov/special.pubs/ai00033.pdf
54. Resources: Personal Data Security
   FTC's Identity Theft Site: http://www.ftc.gov/bcp/edu/microsites/idtheft/
   Dept of Justice: Identity Theft and Identity Theft Fraud: http://www.justice.gov/criminal/fraud/websites/idtheft.html
   Charlotte-Mecklenburg Police Identity Theft Report: http://ww.charmeck.org/online_reporting/fraud_instructions.htm
   Identity Theft Resource Center: http://www.idtheftcenter.org/
   Identity Theft.org: http://www.identitytheft.org/
   How Stuff Works: Identity Theft: http://money.howstuffworks.com/identity-theft.htm
   A Kid's Guide to Etiquette on the Net: http://www.kidsdomain.com/brain/computer/surfing/netiquette_kids.html
   SANS OUCH! - Using Smartphones Securely: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201102_en.pdf
   Antivirus products: effectiveness and performance ratings: http://www.pcantivirusreviews.com/comparison/
   Antivirus products: editor's and users' ratings - use drop down boxes at top of list to change the sort order: http://reviews.cnet.com/1770-5_7-0.html?query=top+antivirus&searchtype=products&tag=contentMain;contentBody;allr;rh
   List of antivirus products and performance ratings: http://www.raymond.cc/blog/archives/2010/02/03/best-performing-speed-and-memory-usage-antivirus-and-internet-security-for-2010/
   Another set of anti-virus performance ratings: http://www.anti-malware-test.com/?q=node/167
   Malware via websites and e-mail: http://www.esecurityplanet.com/views/article.php/3903881/Top-10-Email-Malware-Threats.htm
   E-mail as a malware delivery mechanism: http://www.thetechherald.com/article.php/201026/5825/e-mail-becoming-a-booming-malware-delivery-method
   Malware and e-mail attachments: http://www.mysecurecyberspace.com/secure/email/threats/malware.html
55. NC G.S. 14-113.20(b)
   § 14‑113.20. Identity theft.
   (a) …
   (b) The term "identifying information" as used in this Article includes the following:
      (1) Social security or employer taxpayer identification numbers.
      (2) Drivers license, State identification card, or passport numbers.
      (3) Checking account numbers.
      (4) Savings account numbers.
      (5) Credit card numbers.
      (6) Debit card numbers.
      (7) Personal Identification (PIN) Code as defined in G.S. 14‑113.8(6).
      (8) Electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names.
      (9) Digital signatures.
      (10) Any other numbers or information that can be used to access a person's financial resources.
      (11) Biometric data.
      (12) Fingerprints.
      (13) Passwords.
      (14) Parent's legal surname prior to marriage.
Editor's Notes
2 Gbytes. And these are the ones you can see. Others are just programs that install on your PC and continuously send back info.
Qualitative – rate the likelihood and impact of each threat you’ve identified.
Look at Hugo:
   Likelihood – Rare
   Impact – Material, maybe Catastrophic
Banking example from malware:
   Browser overlay with keylogger
   Information captured and transmitted to criminals, but not bank
   Account emptied within 3 minutes of user login while user being delayed by bogus error messages
   User then given false display showing old balance, and transaction list omitting those that emptied account
   User never actually connects with bank
Now you have one of these grids for each of the threats you identified and can make better decisions on which ones to mitigate.
If you decide to mitigate, there are two basic types:
   Behavioral (policy, process, education) – very effective for many threats
   Technological (anti-virus, firewall, intrusion detection, SPAM filters, …) – fairly effective in fighting yesterday’s threats; generally reacting to known threats; some new threat recognition
Probably need to do both. Avoid over reliance on technology.
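The qualitative likelihood/impact grid from the notes above, the "one grid per threat" step, and the four treatments from slide 30 (terminate, transfer, mitigate, tolerate) fit together as a small risk register. The following is an added example, not code from the deck or from Security in Focus, Inc.: the five-step scales (only "Rare", "Material" and "Catastrophic" appear in the notes; the other labels are filled in here), the score bands, and the sample threats with their residual ratings are all assumptions made for the demonstration. Residual ratings are entered by the assessor rather than computed, because how much a control actually removes is a judgement, not arithmetic.

```python
from dataclasses import dataclass
from typing import Optional

# Five-step qualitative scales (assumed for this example), index + 1 is the score.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
IMPACT = ["negligible", "minor", "moderate", "material", "catastrophic"]
TREATMENTS = ("terminate", "transfer", "mitigate", "tolerate")


@dataclass
class Threat:
    name: str
    likelihood: str            # inherent rating, before any treatment
    impact: str
    treatment: str = "tolerate"
    # Assessor's judgement of what remains after treatment; None for
    # "tolerate" (unchanged) and unused for "terminate" (activity stops).
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None


def score(likelihood: str, impact: str) -> int:
    """Likelihood (1-5) x impact (1-5); raises ValueError for an off-scale label."""
    return (LIKELIHOOD.index(likelihood) + 1) * (IMPACT.index(impact) + 1)


def rating(s: int) -> str:
    """Score bands are an assumption for this example."""
    if s >= 15:
        return "high"
    if s >= 8:
        return "medium"
    if s > 0:
        return "low"
    return "none"


def residual_score(t: Threat) -> int:
    if t.treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {t.treatment!r}")
    if t.treatment == "terminate":
        return 0                      # no activity, no risk from it
    if t.treatment == "tolerate":
        return score(t.likelihood, t.impact)
    if t.residual_likelihood is None or t.residual_impact is None:
        raise ValueError(f"{t.name}: residual ratings required for {t.treatment}")
    return score(t.residual_likelihood, t.residual_impact)


def assess(threats):
    """Risk register rows, highest inherent risk first; residual is never zero
    unless the activity is terminated, which is the deck's 'residual risk' point."""
    rows = []
    for t in threats:
        inherent, residual = score(t.likelihood, t.impact), residual_score(t)
        rows.append({"threat": t.name, "inherent": inherent,
                     "inherent_rating": rating(inherent), "treatment": t.treatment,
                     "residual": residual, "residual_rating": rating(residual)})
    return sorted(rows, key=lambda r: r["inherent"], reverse=True)


def grid(threats, residual: bool = False) -> str:
    """5x5 text grid: impact down the side (catastrophic on top), likelihood across,
    threats placed by their 1-based position in the list."""
    cells = {}
    for i, t in enumerate(threats, 1):
        if residual and t.treatment == "terminate":
            continue
        lik = t.residual_likelihood if residual and t.residual_likelihood else t.likelihood
        imp = t.residual_impact if residual and t.residual_impact else t.impact
        cells.setdefault((LIKELIHOOD.index(lik), IMPACT.index(imp)), []).append(str(i))
    lines = []
    for r in range(len(IMPACT) - 1, -1, -1):
        row = [",".join(cells.get((c, r), [])).rjust(4) for c in range(len(LIKELIHOOD))]
        lines.append(f"{IMPACT[r]:>14} |" + "|".join(row) + "|")
    lines.append(" " * 15 + "+" + "+".join(["----"] * len(LIKELIHOOD)) + "+")
    lines.append(" " * 16 + " ".join(l[:4].rjust(4) for l in LIKELIHOOD))
    return "\n".join(lines)


# Constructed threats drawn from the deck's own examples; ratings are assumptions.
SAMPLE = [
    Threat("Hurricane (Hugo)", "rare", "material", "mitigate", "rare", "moderate"),
    Threat("Employee clicks bad link, machines botted", "almost certain", "material",
           "mitigate", "possible", "moderate"),          # training + spam filtering
    Threat("Card theft from unprotected web server", "almost certain", "catastrophic",
           "transfer", "rare", "minor"),                 # hand card handling to a processor
    Threat("Fire destroys office", "rare", "catastrophic", "mitigate", "rare", "material"),
    Threat("Storing full card numbers on paper", "likely", "catastrophic", "terminate"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE):
        print(row)
    print("\nInherent:\n" + grid(SAMPLE) + "\n\nResidual:\n" + grid(SAMPLE, residual=True))
```

Printing the inherent and residual grids side by side is what makes the "some combination of these is the answer" point visible: every treated threat moves toward the bottom-left corner, but only the terminated one leaves the grid.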