Protecting Customer Confidential Information

Presentation to small business owners on information security.

Published in: Technology, Business
  • Background
    Goals of IT security
    Today’s reality
    Sizing up the problem for an organization
    The fix – in short, prevent access and/or make the data unreadable if it is accessed
    Human aspects
    Policy – what do we allow on laptops?
    Social engineering
    Storage media
    Hard drive encryption
    Vista BitLocker
    USB drives
    Two-factor authentication
    Application password protection (Adobe Acrobat, MS Word, WinZip) vs. password-cracking programs – easy break-in!
    Web certificates
    E-mail – hosted encryption
    Zix Corp e-mail for Outlook
    Secure transmission programs
    Semshred -
  • Obsolete Agenda / other ideas:
    What’s confidential?
    Where is it stored?
    Restricting access
    Secure sharing
  • AES Encrypted Portable Storage!
    The KanguruMicro Drive AES is the only USB flash drive that meets federal requirements for ensuring the confidentiality of sensitive data and information accessed by portable flash drives. This high-speed, high-quality USB 2.0 flash drive has undergone rigorous testing and is FIPS 140-2 certified (FIPS certificate # 682). It is the first USB 2.0 flash drive with software-based encryption to be FIPS certified for government use. The KanguruMicro Drive uses 256-bit AES encryption to protect data stored on the drive. Plug the KanguruMicro Drive AES into any available USB or USB 2.0 port and begin using it. Store and transport your work files in a safe, secure fashion.
    Starts from $49 – 1 GB drive ~ $110
  • WAP = Wireless Access Point
    WEP = Wired Equivalent Privacy
    WPA = Wi-Fi Protected Access
  • Why is ShareFile the best way to transfer files securely?
    Create online folders to simplify collaboration and communication
    Completely custom branded with your company logo and colors
    A login box can be placed on your company web site
    Unlimited user accounts for clients and partners
    Ability to send large files via e-mail with a hyperlink
    Proven easy-to-use interface for file and user management
    Tracking and alerts to confirm that clients have received files
    Unlimited data storage backed up daily
    128-bit encryption to secure your data against hackers
    Great telephone and e-mail support
    Easy to set up...signing up only takes about 5 minutes
    Automatic compression of downloaded files
    Ability to request files from clients with an e-mail hyperlink
    Upload multiple files at once
    No software to install or complicated Java Applets
    Easy user management
    Enterprise Account
    $99.95 per month or $119.95 per month with monthly billing
    10 GB monthly bandwidth
    30 employee accounts
    Unlimited client/users accounts
    Unlimited disk space
    Custom branding to match your company web site
    Telephone and e-mail support
    Daily backup
  • The Challenge: With increasing compliance regulations and concerns about protecting information privacy, it is becoming critically important to exchange information, data and files/documents via secure methods. However, it remains common practice for many companies to send confidential or sensitive information across insecure media, namely e-mail and FTP, technologies that were not built to address security or robust reporting requirements.
    Solving the Secure File Delivery Challenge: Pipeline eXchange™ is an electronic file exchange service that enables you to securely send and receive documents/files of any type or size with your trading partners. Pipeline eXchange™ is 100% browser based and easy to use. Users simply specify the files they wish to deliver, then select the recipients and delivery options. The files are securely delivered to each recipient, and Pipeline eXchange™ automatically tracks and generates an audit trail for the entire delivery process, sending status notifications to the sender.
    Easy to use: requires only a browser; no software to install; no hardware to manage; minimal user support required
    Secure: layered encryption and access control; SAS 70 certified data center; user access audit log
    Enterprise features: user and group administration; ERP, CRM, SCM connectors; full service customization
    Reliable: 99.9% uptime guarantee; 24x365 monitoring; world-class infrastructure
    Affordable: monthly subscription; usage-based billing options; get started for $79 per month
  • Protecting Customer Confidential Information

    1. Protecting Customer Confidential Information! Presented by: William McBorrough, MSIA, CISSP. SMB Cyber Security Alliance
    2. Agenda • Background • Sizing Up the Problem • The Fix o People Factor o Technology o Disposing of Old Data • Key Takeaways
    3. Background
    4. Sensational Headlines…daily! • Heartland Payment Systems announced a breach of more than 100 million credit card numbers (January 2009), one of the largest in history. • T.J. Maxx data theft (some 45 million credit and debit card numbers), likely due to wireless ‘wardriving’, i.e. a thief with a laptop, a telescope antenna and a wireless LAN adapter (December 2006).
    5. Sensational Headlines…Daily! • The Veterans Administration announced that confidential information on 26.5 million service personnel was stolen when an employee’s laptop was stolen from his home (June 2006). • Over 600,000 laptop thefts occurred in 2004, totaling an estimated $720 million in hardware losses and $5.4 billion in theft of proprietary information.
    6. What’s not in the headlines? A 2010 survey conducted by the Ponemon Institute and Guardian Analytics of over 500 SMBs surfaced these alarming statistics: • 55% experienced a fraud attack in the last year • 58% of the incidents involved online banking • Over 50% experienced multiple incidents • 87% failed to fully recover lost funds
    7. The Times Are a Changing • Most small business owners today depend on laptops and tablet PCs to manage their businesses on the go • Most require ready access to the Internet while working from home, the office, hotels, airports, customer sites, etc. • Most use smart phones capable of e-mail, web browsing, storing data and detailed contact information, etc.
    8. The Times Are a Changing • The increase in mobility and portability has caused a major upsurge in data breaches: o Breaches may go undetected or undiscovered for long periods of time. o The problem could easily become overwhelming (identity theft will look like child’s play).
    9. What Are the Consequences? • Damage to reputation, brand, relationships • Legal liability and regulatory fines • Customer and stakeholder distrust • Reduced revenues and market share • Refusal of customers to let their personal information be used for business purposes
    10. Aware of the Privacy Laws? • HIPAA – for health services providers • GLBA – for financial services providers • COPPA – for online service providers to minors • Various state breach notification laws
    11. Information Security Management “Short List” • Router • Patches • Anti-virus, anti-spam, anti-spyware • Passwords / passphrases • Personal firewall • Network firewall • Intrusion detection • Web-based e-mail / file sharing protection • Wireless encryption • Physical access control • Backups
    12. Security GOAL: Reduce Risk to an Acceptable Level • Just because it can happen doesn’t mean it will. • Put threats into perspective by assessing: o Probability of attack o Value of business assets put at risk o Business cost and consequence of attack
    13. Sizing Up the Problem
    14. What Is Confidential Data? • Social Security # • Credit/debit card numbers • Driver’s license number • Bank account numbers • Birth dates • PIN codes • Medical records • Mother’s maiden name?
    15. Where Is Confidential Data Stored? In-house systems • Physically secure? • Network access restricted to only authorized individuals? Backup media • Physical location? • Format? Remote users • Laptops, home computers & memory sticks?
    16. Who Has Access? • Is data access restricted to authorized individuals? • Shared passwords = shared data and no accountability • Wide-open network = information free-for-all (remember the three little pigs?)
    17. The Fix
    18. The Fix! • In short… restrict access and/or make the data unreadable • Data is made “unreadable” using encryption. • Back it up remotely
    19. People Factor – Policy • Who is allowed access? • When is access allowed? • What are users allowed to do? • Where is data permitted to be… o Accessed from (devices & locations?) o Stored: network servers, desktops, laptops/tablets/smart phones, thumb drives
    20. People Factor – Mitigating Risk • Acceptable Use Policies o Business data access rules: who, where, when and what o Supported mobile devices and operating systems o Required security measures and configurations o Process for usage monitoring, auditing and enforcement (check your state and local laws) • Non-Disclosure Agreements (NDAs)? • Training & communication – regular and often? • Social Engineering o “Click here” to download a key logger! o Phishing attacks are still highly effective for stealing personal information and login information, which can then be used to access systems containing confidential data
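    The “click here” warning on slide 20 can be turned into a mechanical check that an e-mail gateway or a help-desk script can run. The following is an added example, not part of the original presentation: it parses a constructed HTML e-mail body and flags links whose destination host is outside the domains the sender is expected to use, whose visible text shows a different hostname than the real href, or which point at a raw IP address. The sample message, the `examplebank.com` domain and the trusted-domain list are made up for the demonstration; `registrable_domain` is a deliberately crude stand-in for a public-suffix lookup.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A hostname written into the visible link text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def registrable_domain(host):
    """Last two labels of a hostname (crude stand-in for a public-suffix lookup)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html, trusted_domains):
    """Return [(href, reason), ...] for links a user should not click blindly."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue  # mailto:, relative links etc. are not judged here
        if is_ip(host):
            findings.append((href, "raw IP address instead of a hostname"))
            continue
        dest = registrable_domain(host)
        shown = HOST_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != dest:
            findings.append((href, f"text shows {shown.group(1)} but link goes to {host}"))
        elif dest not in trusted_domains:
            findings.append((href, f"destination {dest} is not an expected sender domain"))
    return findings


# Constructed sample: what a phishing e-mail to a small business might contain.
SAMPLE_EMAIL = """
<p>Your account statement is ready.</p>
<p><a href="https://www.examplebank.com/statements">View statement</a></p>
<p><a href="http://examplebank.com.login-verify.net/">https://www.examplebank.com/verify</a></p>
<p><a href="http://203.0.113.7/update.exe">Click here</a> to install the security update.</p>
<p>Questions? <a href="mailto:support@examplebank.com">Contact support</a>.</p>
"""

TRUSTED = {"examplebank.com"}  # constructed: domains this sender legitimately uses

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL, TRUSTED):
        print(f"SUSPICIOUS: {href}\n    {reason}")
```

    The first link is clean and is not reported; the second is the classic lookalike (the real host ends in `login-verify.net`, whatever the text says); the third is a bare IP serving an executable. A gateway would reject or quarantine on any finding; for user training, the printed reasons are the teaching point.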
    24. Technology – On-Site Physical Security • Sensitive data located on secure systems • Locked server room • Locked server cage(s)
    25. Storage Media – Hard Drive Encryption • Vista BitLocker o Encrypts the entire Windows operating system volume o Available with: Vista Ultimate, Vista Enterprise • Third-party, commercial encryption software o TrueCrypt o PGP Desktop Home
    26. Storage Media – USB Thumb Drives • Most older drives are completely insecure • If you want to store/transfer secure data on a USB thumb drive, look for a device that can… o Encrypt data o Authenticate the user
    27. Authentication • APC Biometric Password Manager fingerprint reader – USB, by APC ($35 - $50) • Hundreds of devices like this, ranging from $25 - $300.
    28. Application Software • In general, application passwords are poor protection (since most can be broken), e.g. Passware: unlocks 25 different applications including Windows, Office, QuickBooks, Acrobat, WinZip, etc. • Older formats (classic ZIP encryption, pre-2007 Office) use weak encryption that falls regardless of the password; newer AES-based formats hold only as well as the passphrase does, so a short or dictionary password is still recovered by guessing.
    29. VPN (Virtual Private Network) • A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses “virtual” connections routed through the Internet from the company’s private network to the remote site or employee.
    30. Overview
    31. VPN (Virtual Private Network) Benefits • Extend geographic connectivity • Reduce transit time and transportation costs for remote users • Provide telecommuter support • Improve security • Improve productivity • Direct printing to the office • Direct connection to network drives
    32. VPN • Use a 3rd-party VPN service, e.g. HotSpotVPN, JiWire SpotLock, PublicVPN or WiTopia Personal VPN
    33. Host-Based Remote Access – Remote Control • GoToMyPC • LogMeIn • Symantec pcAnywhere
    34. Digital Certificates • Implement digital certificates for internally hosted corporate web resources or web presence, e.g. e-mail, CRM, B2B site, etc. This allows all traffic to be encrypted via SSL (Secure Sockets Layer; today its successor TLS). o The padlock indicates that traffic to the site is encrypted and that the site owner’s identity has been vouched for by the certificate authority that issued the certificate. Check that the certificate is issued to the name you expect and that the browser shows no certificate warning; an encrypted connection to the wrong site protects nothing.
    35. Wireless Security – Network • DON’T do a plug-n-play install! • Password-protect the administrative setup (change the default administrator password) • Encryption: o WEP – easily cracked with freely available tools; better than nothing, but replace it o WPA (better) o WPA2 (best); choose a long, random passphrase, because the WPA2-PSK key is derived from the passphrase and the network name and can be guessed offline from a captured handshake • Enter authorized MAC addresses on the WAP – a minor hurdle only, since MAC addresses are sent in the clear and are trivially spoofed; it is no substitute for encryption
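    Slide 35 ranks WEP, WPA and WPA2, and slide 28 warns that application passwords fall to cracking programs; both come down to the same offline guessing attack. The block below is an added example, not part of the original presentation: it derives the WPA2-PSK pairwise master key exactly as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 rounds, 256-bit output) and runs a dictionary attack against it. The SSID `SmallBizWiFi`, the wordlist and the two passphrases are constructed for the demonstration. In a real attack the attacker does not hold the PMK; the captured 4-way handshake lets each candidate be checked by recomputing the handshake MIC, which costs the same one PBKDF2 run per guess, so comparing against a known PMK here is a stand-in for that check.

```python
import hashlib
import time


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK per IEEE 802.11i: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).

    The passphrase is 8..63 printable ASCII characters. Because the only inputs
    are the passphrase and the network name, every client on the network shares
    this key, and anyone who captures one handshake can test guesses offline.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


# Constructed wordlist: the kind of entries a cracker tries first against a small office.
WORDLIST = ["password", "12345678", "letmein1", "SmallBiz1",
            "password1", "welcome123", "qwerty123", "changeme"]


def dictionary_attack(target_pmk: bytes, ssid: str, wordlist):
    """Return (passphrase, guesses) if a candidate derives target_pmk, else (None, guesses)."""
    for guesses, candidate in enumerate(wordlist, 1):
        if wpa2_pmk(candidate, ssid) == target_pmk:
            return candidate, guesses
    return None, len(wordlist)


def guesses_per_second(ssid: str, seconds: float = 0.5) -> int:
    """Measure single-core PBKDF2 throughput on this machine, i.e. the attacker's guess rate."""
    n, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        wpa2_pmk(f"guess{n:08d}", ssid)
        n += 1
    return int(n / seconds)


if __name__ == "__main__":
    ssid = "SmallBizWiFi"  # constructed network name
    weak = wpa2_pmk("password1", ssid)
    print("weak passphrase:", dictionary_attack(weak, ssid, WORDLIST))
    strong = wpa2_pmk("mauve-otter-38-kettle-drum", ssid)
    print("random passphrase:", dictionary_attack(strong, ssid, WORDLIST))
    print(f"~{guesses_per_second(ssid)} guesses/s on one CPU core; GPU rigs reach millions/s")
```

    The 4096 PBKDF2 rounds slow each guess down, but they cannot rescue a passphrase that appears in a wordlist: the weak network falls on the fifth guess, the random one survives the whole list and would survive a list of billions. The same reasoning applies to a password-protected Office or ZIP file once the attacker has the file: the only variable the owner controls is how many guesses the passphrase is worth.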
    36. Wireless Security – End Users • Ensure all mobile devices are updated with the latest security patches • Only use SSL-enabled (https) websites when sending/entering sensitive data (credit cards and personal identity information) • Encrypt documents that contain sensitive data that will be sent over the Internet
    37. Wireless Security – End Users • As a general rule (while not always possible), use WiFi for Internet surfing only • Disable or remove wireless devices if they are not being used. This includes: o WiFi – 802.11a/b/g/n o Bluetooth o Infrared o Cellular • Avoid hotspots where it is difficult to tell who is connected • The ad-hoc/peer-to-peer setting should be disabled
    38. WiFi Security – End Users – WiFi Best Practices • Use broadband wireless access (EvDO, 3G/GPRS, EDGE, UMTS) to make wireless connections: o Verizon and Sprint broadband services are very fast – $59.99/month – unlimited access o Wireless carriers offer fairly good encryption and authentication
    39. Sharing Confidential Data – Options: • E-mail • FTP / Secure FTP • Secure transmission programs • Customer portal / extranet • 3rd-party hosted data exchange
    40. Sharing Confidential Data – E-mail • As a general rule, e-mail is insecure! • In order to secure it: o Digital certificates / PKI: PGP, or certificates from a CA such as Verisign (S/MIME) o Hosted encryption, e.g. Zix Corp e-mail for Outlook
    42. Sharing Confidential Data – Client Extranets • Internal • Hosted, e.g. ShareFile: branded! $100/mo., 30 employees, unlimited clients
    44. Back Up All Valuable Information • Make sure it’s encrypted • Make sure it is stored securely offsite • Many options: Carbonite, Mozy, Norton, PCIC
    45. Disposing of Confidential Data • Remove media! • Wipe media o Software to overwrite the drive multiple times (reliable for magnetic disks; SSDs, flash drives and journaling or cloud-synced storage may keep old copies, so prefer the drive’s built-in secure-erase command or destruction there) o Permanent magnet – only a purpose-built degausser erases a modern hard drive; an ordinary magnet will not • Destroy media o Semshred –
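    The “software to overwrite the drive multiple times” option on slide 45 applies to individual files as well, for example a spreadsheet of customer records that was copied to a laptop and is no longer needed. The block below is an added example, not a tool from the presentation: `overwrite_file` rewrites every byte of a file with random data for a configurable number of passes, forces each pass to disk with `fsync`, then unlinks the file, and `wipe_demo` exercises it on a throwaway file whose “sensitive” contents are constructed for the demonstration. The limitation stated on the slide still holds: on an SSD, a copy-on-write or journaling filesystem, a snapshotted volume or a cloud-synced folder, the old blocks may survive the overwrite, so this belongs on magnetic disks and plain filesystems, with full-disk encryption and key destruction or physical destruction as the fallback.

```python
import os
import secrets
import tempfile


def overwrite_file(path: str, passes: int = 3, chunk_size: int = 1 << 20,
                   remove: bool = True) -> int:
    """Overwrite the file's bytes in place with random data `passes` times,
    syncing to disk after every pass, then unlink it unless remove=False.
    Returns the number of bytes overwritten per pass.

    Writes go to the same inode (r+b, no truncate) so the same disk blocks are
    reused on filesystems that rewrite in place; on SSD/COW/journaled storage
    the firmware or filesystem may still keep the old blocks elsewhere.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # do not trust the page cache to have hit the platter
    if remove:
        os.remove(path)
    return size


# Constructed sample content: the kind of record the slide deck is about.
SAMPLE_CONTENT = b"Customer SSN 123-45-6789, card 4111 1111 1111 1111\n" * 500


def wipe_demo() -> dict:
    """Write SAMPLE_CONTENT to a temp file, wipe it, and report what happened."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE_CONTENT)
        path = tmp.name
    size = overwrite_file(path, passes=3, remove=False)
    with open(path, "rb") as fh:
        after = fh.read()
    overwrite_file(path)  # final pass, then unlink
    return {
        "bytes_per_pass": size,
        "same_length": len(after) == size,
        "plaintext_gone": b"123-45-6789" not in after and b"4111 1111" not in after,
        "file_removed": not os.path.exists(path),
    }


if __name__ == "__main__":
    for key, value in wipe_demo().items():
        print(f"{key}: {value}")
```

    Before deleting with this, ask where else the file has been: backups, the recycle bin, editor autosave copies and cloud sync folders all keep their own copy, and wiping the original does nothing to those.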
    46. Conclusion
    47. Key Takeaway Points • Learn about the information security risks affecting your business • Address, transfer or accept them • Don’t just ignore them • Learn about the security and privacy related regulations affecting your business • Understand the consequences of non-compliance • Build security into your day-to-day operations • Don’t just layer it on • Don’t make it “extra work”
    49. SMBCSA Online Helpdesk
    50. Contact Information Jerrod Barton, Director, Community Outreach, SMB Cyber Security Alliance Tel: (540) 308-9609 Email: