2. What is security?
Wikipedia: Security is the degree of protection against danger,
damage, loss, and crime.
Security is not an absolute or any single mechanism.
“Is that secure?” From what? Fire, theft, flood, loss?
My goal:
Knowledge to make an informed choice and to have you
think differently about security.
Ex: You lock your house + you add an alarm system = reducing your
risk.
3. What is the impact related to technology?
Expanding and distributed nature of Internet
Explosion of mobile devices and apps
24/7/365 accessibility from anywhere
Information more digital (e.g. healthcare)
Identity Theft and Personal Information (PI)
Huge storage capacity, small devices
Ex: Think about what a library used to be and how accessible books were.
Access is now simple, with fewer physical constraints (e.g. Kindle).
4. Where is my information?
What exists already (public records) + what you give
(credit apps, driver license, mortgages, taxes, bank
accounts, etc…) + ……….
5. Where else do they get info about me?
Websites – Tracking, history, postings, search analytics, computer
cookies…
Device use - smartphones, iPads, iPods, Xbox, home and work
computers, paperwork, dumpsters, etc…
Apps – “Is it ok if I use all your FB information so you can play this
game?”
Social Engineering (leveraging human behavioral responses) –
phone calls, co-workers, relatives..
“Free” services – Google, Facebook, LinkedIn, etc...
Identity Theft (direct or indirect)
Purchase (legit and not legit)
Email - spam and phishing responses
Legitimate 3rd parties who sell, lose or expose information (e.g.
Heartland, TJX)
Illegally – sniffing, phishing, key loggers, hacking, malware…
Ex: So which is safer, mailing a check or paying online?
8. What do they do with it?
Provide service to you
Store it for later
Sell it to third parties (or use “internally”)
Use it for target marketing, trending analysis
Identity Theft
Expose it to others (improperly secured or poor processes)
Aggregators (e.g. spokeo.com) – combine and sell
Increasingly more “360” views, connecting once disparate
information sources (“login with your FB account”). Build a profile
on who you are, based on a variety of content: browsing habits,
searches, shopping, click-through, etc…
Ex: Insurance companies using credit reporting for rate
“alignment”, Google Ads, etc…
9. Information Security Tools & Tactics
Awareness
– Example 1: Unknown person is walking around your office:
ask “Who are you?”
– Example 2: Unsolicited phone caller asks for personal
information, “Can I get a number to call you back at?”
– Example 3: Email that asks you to alert everyone you know
about a scam they just discovered. DELETE. This may actually
be a scam.
Common Sense – If it appears suspect, it probably is
Be stingy with your information (especially PI)
Limit your exposure – protect your home wireless, do not share
account info, avoid simple passwords, etc…
Know where you are going online – “mouse over” email links
Computer acting “weird” – ex: incorrect start page
10. Info Security Tools & Tactics (cont.)
Clean up after yourself - Use appropriate malware, virus and
Trojan protection tools and cleaners (CCleaner, Ad-Aware,
Symantec). Note: ISPs and Google keep their own user history and have
provided it in legal matters (similar to phone company subpoenas).
Avoid being the cause - “pass this on” email chains; don’t forward them
to IT (you could be forwarding a trojan/virus)
Use a non‐primary email for random and one‐off needs
Use secure channels for online purchases and payments (HTTPS)
Monitor your personal transactions - bank, CC, mortgages, etc...
Secure your smartphone and mobile devices!
Ex: CCleaner. Bank of America purchase alerts on smartphone.
13. Securing your business (broad)
Prevent data loss ‐ DLP (data loss prevention) tools, network security
controls and protocols, staff policies, monitoring, encrypt all drives, etc...
Secure your data – know where it is, who touches it and the associated
value/risk of each piece. Make a data map/plan then look at surrounding
processes.
Limit your exposure – shred work papers, remove printed items from
copiers/printers at night, lock cabinets that contain papers with PI.
Review compliance requirements – HIPAA, SEC, PCI DSS, etc… (not
directly correlated to security)
Have a PI policy and train staff on it. Proactive position.
Establish a mobility policy for staff (smartphones, BYOT trends)
Understand data security “in the cloud” is a paradigm shift (not
necessarily bad but different control points)
Use secure communications (VPNs, HTTPS, etc…)
Protect data “at‐rest” (thumb drives, backups) AND in transit (email with
PI), encrypt PC drives. Question: Where do you think most security
breaches occur? (Opportunity)
Third party security review
Use secure PDFs for document delivery (email)
Use a layered security approach
Reduce opportunity theft – keep things in control or out of sight
14. Summary
Security Take-away
– Common sense, awareness, limiting your exposure and
asking questions will take you a long way in protecting
your information/assets and reducing your security
risks.
– Ask yourself “if this was my information, how would I
like it handled?”
– Effective security is an ongoing process.
References
http://www.privacyrights.org/
https://www.pcisecuritystandards.org/
http://www.piriform.com/ccleaner
http://www.symantec.com/
http://www.lavasoft.com/
http://www.sans.org/security-resources/