Information Security & Internet Snooping
Jerry Justice
What is security?
- Wikipedia: "Security is the degree of protection against danger, damage, loss, and crime."
- Security is not an absolute, and it is not any single mechanism.
- "Is that secure?" Secure from what? Fire, theft, flood, loss...?
- My goal: give you the knowledge to make an informed choice, and have you think differently about security.
Ex: You lock your house + you add an alarm system = reducing your risk. Neither step makes the house "secure"; each one lowers the odds of a particular loss.
What is the impact related to technology?
- Expanding and distributed nature of the Internet
- Explosion of mobile devices and apps
- 24/7/365 accessibility from anywhere
- Information is increasingly digital (e.g., healthcare records)
- Identity theft and Personal Information (PI)
- Huge storage capacity in small devices
Ex: Think about what a library used to be and how you got access to books. Access is simple now, with far fewer physical constraints (e.g., the Kindle).
Where is my information?
- What exists already (public records)
- + what you give (credit applications, driver license, mortgages, taxes, bank accounts, etc.)
- + ……….
Where else do they get info about me?
- Websites: tracking, history, postings, search analytics, browser cookies...
- Device use: smartphones, iPads, iPods, Xbox, home and work computers, paperwork, dumpsters, etc.
- Apps: "Is it OK if I use all your FB information so you can play this game?"
- Social engineering (leveraging human behavioral responses): phone calls, co-workers, relatives...
- "Free" services: Google, Facebook, LinkedIn, etc.
- Identity theft (direct or indirect)
- Purchase (legitimate and not)
- Email: SPAM and phishing responses
- Legitimate third parties who sell, lose or expose information (e.g., Heartland, TJX)
- Illegally: sniffing, phishing, key loggers, hacking, malware...
Ex: So which is safer, mailing a check or paying online?
What do they do with it?
- Provide a service to you
- Store it for later
- Sell it to third parties (or use it "internally")
- Use it for targeted marketing and trend analysis
- Identity theft
- Expose it to others (improperly secured, or poor processes)
- Aggregators (e.g., spokeo.com) combine it and sell it
- Increasingly "360" views, connecting once-disparate information sources ("login with your FB account")
- Build a profile of who you are from a variety of content: browsing habits, searches, shopping, click-through, etc.
Ex: Insurance companies using credit reports for rate "alignment", Google Ads, etc.
Information Security Tools & Tactics
- Awareness
  - Example 1: An unknown person is walking around your office. Ask "Who are you?"
  - Example 2: An unsolicited phone caller asks for personal information. "Can I get a number to call you back at?"
  - Example 3: An email asks you to alert everyone you know about a scam they just discovered. DELETE. This may itself be a scam.
- Common sense: if it appears suspect, it probably is
- Be stingy with your information (especially PI)
- Limit your exposure: protect your home wireless, do not share account info, avoid simple passwords, etc.
- Know where you are going online: "mouse over" email links and check that the destination shown matches the link text before you click
- Computer acting "weird" (e.g., an incorrect start page)
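The "mouse over the link" habit can be automated. The Python below is an added example, not part of the original presentation: it parses an HTML e-mail body with the standard library, compares the domain a link's visible text names against the domain its href actually points to, and flags mismatches as well as links that go over plain HTTP. The sample message and every domain in it are constructed for illustration, and the two-label domain comparison is a simplification (a production tool would consult the Public Suffix List).

```python
"""Automated 'mouse over the link' check for an HTML e-mail body.

Flags anchors whose visible text names one domain while the href points at
another, and anchors that point at plain HTTP. Added example; the sample
message and every domain in it are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse runs of whitespace so wrapped anchor text compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels, e.g. 'www.mybank.example' -> 'mybank.example'.
    Simplification: a production tool would consult the Public Suffix List
    so that 'bank.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def domain_named_in_text(text):
    """If the visible link text is a URL or a bare hostname, return that host;
    otherwise None (e.g. 'Click here' names no domain)."""
    if " " in text:
        return None
    parsed = urlparse(text if "://" in text else "//" + text)
    host = (parsed.hostname or "").strip(".")
    return host if "." in host else None


def suspicious_links(html):
    """Return (text, href, reason) for each link that fails the hover check."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue  # mailto:, relative and javascript: links are out of scope here
        reasons = []
        claimed = domain_named_in_text(text)
        if claimed and registrable_domain(claimed) != registrable_domain(parsed.hostname):
            reasons.append(f"text says {claimed} but link goes to {parsed.hostname}")
        if parsed.scheme != "https":
            reasons.append("not HTTPS")
        if reasons:
            findings.append((text, href, "; ".join(reasons)))
    return findings


# Constructed sample message (not a real e-mail); all domains are illustrative.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please visit <a href="http://secure-login.example.net/verify">www.mybank.example</a>
to confirm your account details.</p>
<p>Questions? See <a href="https://www.mybank.example/help">our help pages</a>.</p>
<p><a href="mailto:support@mybank.example">Contact support</a></p>
"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href} ({reason})")
```

Run against the constructed message, only the first link is reported: its text claims www.mybank.example while the href goes to secure-login.example.net over plain HTTP. The help link is clean, and the mailto: link is skipped because the check is only meaningful for web destinations.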
Info Security Tools & Tactics (cont.)
- Clean up after yourself: use appropriate malware, virus and Trojan protection tools and cleaners (CCleaner, Ad-Aware, Symantec).
  Note: ISPs and Google keep their own user history and have provided it in legal matters (similar to phone company subpoenas).
- Avoid being the cause: do not forward "pass this on" email chains, not even to IT (you could be forwarding a Trojan/virus).
- Use a non-primary email address for random and one-off needs.
- Use secure channels (HTTPS) for online purchases and payments.
- Monitor your personal transactions: bank, credit card, mortgages, etc.
- Secure your smartphone and mobile devices!
Ex: CCleaner. Bank of America purchase alerts on a smartphone.
Securing your business (broad)
- Prevent data loss: DLP (data loss prevention) tools, network security controls and protocols, staff policies, monitoring, encrypt all drives, etc.
- Secure your data: know where it is, who touches it, and the value/risk associated with each piece. Make a data map/plan, then look at the surrounding processes.
- Limit your exposure: shred work papers, remove printed items from copiers/printers at night, lock cabinets that contain papers with PI.
- Review compliance requirements: HIPAA, SEC, PCI DSS, etc. (compliance is not the same thing as security)
- Have a PI policy and train staff on it. Take a proactive position.
- Establish a mobility policy for staff (smartphones, BYOT trends).
- Understand that data security "in the cloud" is a paradigm shift (not necessarily bad, but the control points are different).
- Use secure communications (VPNs, HTTPS, etc.).
- Protect data "at rest" (thumb drives, backups) AND in transit (email containing PI); encrypt PC drives.
- Question: Where do you think most security breaches occur? (Opportunity)
- Third-party security review
- Use secured PDFs for document delivery (email).
- Use a layered security approach.
- Reduce opportunity theft: keep things under control or out of sight.
Summary
- Security take-away: common sense, awareness, limiting your exposure and asking questions will take you a long way in protecting your information/assets and reducing your security risks.
- Ask yourself: "If this was my information, how would I like it handled?"
- Effective security is an ongoing process.

References
http://www.privacyrights.org/
https://www.pcisecuritystandards.org/
http://www.piriform.com/ccleaner
http://www.symantec.com/
http://www.lavasoft.com/
http://www.sans.org/security-resources/