1. Information Security & Internet Snooping
Jerry Justice

2. What is security?
 Wikipedia: Security is the degree of protection against danger,
damage, loss, and crime.
 Security is not an absolute or any single mechanism.
 “Is that secure?” From what? Fire, theft, flood, loss..?
 My goal:
Knowledge to make an informed choice and to have you
think differently about security.
Ex: You lock your house + you add an alarm system = reducing your
risk.

3. What is the impact related to
technology?
 Expanding and distributed nature of Internet
 Explosion of mobile devices and apps
 24/7/365 accessibility from anywhere
 Information more digital (i.e. Healthcare)
 Identity Theft and Personal Information (PI)
 Huge storage capacity, small devices
Ex: Think about what a library used to be and the accessibility to
books. Simple access now with less physical constraints (i.e. -
Kindle).

4. Where is my information?
 What exists already (public records) + what you give
(credit apps, driver license, mortgages, taxes, bank
accounts, etc…) + ……….

5. Where else do they get info about me?
 Websites – Tracking, history, postings, search analytics, computer
cookies…
 Device use - smartphones, iPads, iPods, Xbox, home and work
computers, paperwork, dumpsters, etc…
 Apps – “Is it ok if I use all your FB information so you can play this
game?”
 Social Engineering (leveraging human behavioral responses) –
phone calls, co-workers, relatives..
 “Free” services – Google, Facebook, LinkedIn, etc...
 Identity Theft (direct or indirect)
 Purchase (legit and not legit)
 Email ‐SPAM and Phishing responses
 Legit 3rd parties who sell, lose or expose information (i.e. –
Heartland, TJX)
 Illegally – sniffing, phishing, key loggers, hacking, malware…
Ex: So which is safer, mailing a check or paying online?

8. What do they do with it?
 Provide service to you
 Store it for later
 Sell it to third parties (or use “internally”)
 Use it for target marketing, trending analysis
 Identity Theft
 Expose it to others (improperly secured or poor processes)
 Aggregators (i.e. ‐spokeo.com) – combine and sell
 Increasingly more “360” views, connecting once disparate
information sources (“login with your FB account”). Build a profile
on who you are, based on a variety of content: browsing habits,
searches, shopping, click-through, etc…
Ex: Insurance companies using credit reporting for rate
“alignment”, Google Ads, etc…

9. Information Security Tools & Tactics
 Awareness
– Example 1: Unknown person is walking around your office,
Ask “Who are you?”
– Example 2: Unsolicited phone caller asks for personal
information, “Can I get a number to call you back at?”
– Example 3: Email that asks you to alert everyone you know
about a scam they just discovered. DELETE. This may actually
be a scam.
 Common Sense – If it appears suspect, probably is
 Be stingy with your information (especially PI)
 Limit your exposure – protect your home wireless, do not share
account info, avoid simple passwords, etc…
 Know where you are going online – “mouse over” email links
 Computer acting “weird” – ex: incorrect start page

10. Info Security Tools & Tactics (cont.)
 Clean up after yourself ‐ Use appropriate malware, virus and
Trojan protection tools and cleaners (CCleaner, Ad-Aware,
Symantec). Note: ISPs, Google have own user history and have
provided in legal matters (similar to phone company subpoenas).
 Avoid being the cause ‐“pass this on” email chains, don’t forward
to IT (you could be forwarding a trojan/virus)
 Use a non‐primary email for random and one‐off needs
 Use secure channels for online purchases and payments (HTTPS)
 Monitor your personal transactions ‐bank, CC, mortgages, etc...
 Secure your smartphone and mobile devices!
Ex: CCleaner. Bank of America purchase alerts on smartphone.

13. Securing your business (broad)
 Prevent data loss ‐ DLP (data loss prevention) tools, network security
controls and protocols, staff policies, monitoring, encrypt all drives, etc...
 Secure your data – know where it is, who touches it and the associated
value/risk of each piece. Make a data map/plan then look at surrounding
processes.
 Limit your exposure – shred work papers, remove printed items from
copiers/printers at night, lock cabinets that contain papers with PI.
 Review compliance requirements – HIPPA, SEC, PCI DSS, etc… (not
directly correlated to security)
 Have a PI policy and train staff on it. Proactive position.
 Establish a mobility policy for staff (smartphones, BYOT trends)
 Understand data security “in the cloud” is a paradigm shift (not
necessarily bad but different control points)
 Use secure communications (VPNs, HTTPS, etc…)
 Protect data “at‐rest” (thumb drives, backups) AND in transit (email with
PI), encrypt PC drives. Question: Where do you think most security
breaches occur? (Opportunity)
 Third party security review
 Use secure PDFs for document delivery (email)
 Use a layered security approach
 Reduce opportunity theft – keep things in control or out of sight

14. Summary
 Security Take-away
– Common sense, awareness, limiting your exposure and
asking questions will take you a long way in protecting
your information/assets and reducing your security
risks.
– Ask yourself “if this was my information, how would I
like it handled?”
– Effective security is an ongoing process.
 References
http://www.privacyrights.org/
https://www.pcisecuritystandards.org/
http://www.piriform.com/ccleaner
http://www.symantec.com/
http://www.lavasoft.com/
http://www.sans.org/security‐resources/

15. Connecting…
 jjustice@ssandg.com
 http://www.linkedin.com/in/jerryjustice
 Twitter - @jerrymjustice