Information Security & Internet Snooping

Jerry Justice
What is security?

- Wikipedia: Security is the degree of protection against danger, damage, loss, and crime.
- Security is not an absolute or any single mechanism.
- “Is that secure?” From what? Fire, theft, flood, loss..?
- My goal: knowledge to make an informed choice and to have you think differently about security.

Ex: You lock your house + you add an alarm system = reducing your risk.
What is the impact related to technology?

- Expanding and distributed nature of the Internet
- Explosion of mobile devices and apps
- 24/7/365 accessibility from anywhere
- Information is increasingly digital (e.g. healthcare)
- Identity theft and Personal Information (PI)
- Huge storage capacity in small devices

Ex: Think about what a library used to be and the accessibility of books. Simple access now with fewer physical constraints (e.g. Kindle).
Where is my information?

- What exists already (public records) + what you give (credit apps, driver license, mortgages, taxes, bank accounts, etc.) + ……….
Where else do they get info about me?

- Websites – tracking, history, postings, search analytics, computer cookies…
- Device use – smartphones, iPads, iPods, Xbox, home and work computers, paperwork, dumpsters, etc.
- Apps – “Is it ok if I use all your FB information so you can play this game?”
- Social engineering (leveraging human behavioral responses) – phone calls, co-workers, relatives…
- “Free” services – Google, Facebook, LinkedIn, etc.
- Identity theft (direct or indirect)
- Purchase (legit and not legit)
- Email – SPAM and phishing responses
- Legit 3rd parties who sell, lose or expose information (e.g. Heartland, TJX)
- Illegally – sniffing, phishing, key loggers, hacking, malware…

Ex: So which is safer, mailing a check or paying online?
What do they do with it?

- Provide service to you
- Store it for later
- Sell it to third parties (or use it “internally”)
- Use it for target marketing and trend analysis
- Identity theft
- Expose it to others (improperly secured or poor processes)
- Aggregators (e.g. spokeo.com) – combine and sell
- Increasingly more “360” views, connecting once-disparate information sources (“login with your FB account”) to build a profile of who you are from a variety of content: browsing habits, searches, shopping, click-through, etc.

Ex: Insurance companies using credit reporting for rate “alignment”, Google Ads, etc.
Information Security Tools & Tactics

- Awareness
  – Example 1: An unknown person is walking around your office. Ask “Who are you?”
  – Example 2: An unsolicited phone caller asks for personal information. Ask “Can I get a number to call you back at?”
  – Example 3: An email asks you to alert everyone you know about a scam they just discovered. DELETE. This may actually be a scam.
- Common sense – if it appears suspect, it probably is
- Be stingy with your information (especially PI)
- Limit your exposure – protect your home wireless, do not share account info, avoid simple passwords, etc.
- Know where you are going online – “mouse over” email links to see where they really point
- Computer acting “weird” – ex: incorrect start page
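The “mouse over” check automated, as an added example that is not from the slides: it parses a constructed HTML e-mail body and flags links whose visible text shows one domain while the href points to another, or that are not HTTPS. The lookalike host in the sample is made up (under the reserved .test TLD), and the two-label “registered domain” rule is a simplification that assumes no public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# Visible text that looks like a URL or bare domain ("www.example.com", "https://example.com/x")
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)

def registered_domain(host):
    """Crude registrable domain: the last two labels (assumption: no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def suspicious_links(html):
    """Return (href, text, reasons) for links that are not HTTPS or whose shown domain differs from the real one."""
    parser = LinkCollector(); parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        real_host = target.hostname or ""
        reasons = []
        if target.scheme.lower() != "https":
            reasons.append("not https")
        match = HOSTLIKE.match(text)  # only compare when the text itself names a host
        if match and registered_domain(match.group(1)) != registered_domain(real_host):
            reasons.append(f"text shows {match.group(1)} but link goes to {real_host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings

# Constructed sample e-mail body; the lookalike host is a made-up name under the reserved .test TLD.
SAMPLE_EMAIL = """<p>Your account needs attention.</p>
<a href="http://login.bank0famerica-example.test/verify">www.bankofamerica.com</a>
<a href="https://www.bankofamerica.com/">www.bankofamerica.com</a>
<a href="https://example.org/unsubscribe">Unsubscribe</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags only the first link, for both reasons; the second link matches its text and the third has no host in its text, so neither is reported.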
Info Security Tools & Tactics (cont.)

- Clean up after yourself – use appropriate malware, virus and Trojan protection tools and cleaners (CCleaner, Ad-Aware, Symantec). Note: ISPs and Google keep their own user history and have provided it in legal matters (similar to phone company subpoenas).
- Avoid being the cause – “pass this on” email chains; don’t forward them to IT (you could be forwarding a trojan/virus)
- Use a non-primary email for random and one-off needs
- Use secure channels for online purchases and payments (HTTPS)
- Monitor your personal transactions – bank, CC, mortgages, etc.
- Secure your smartphone and mobile devices!

Ex: CCleaner. Bank of America purchase alerts on smartphone.
Securing your business (broad)

- Prevent data loss – DLP (data loss prevention) tools, network security controls and protocols, staff policies, monitoring, encrypt all drives, etc.
- Secure your data – know where it is, who touches it and the associated value/risk of each piece. Make a data map/plan, then look at the surrounding processes.
- Limit your exposure – shred work papers, remove printed items from copiers/printers at night, lock cabinets that contain papers with PI.
- Review compliance requirements – HIPAA, SEC, PCI DSS, etc. (compliance is not directly correlated with security)
- Have a PI policy and train staff on it. Take a proactive position.
- Establish a mobility policy for staff (smartphones, BYOT trends)
- Understand that data security “in the cloud” is a paradigm shift (not necessarily bad, but different control points)
- Use secure communications (VPNs, HTTPS, etc.)
- Protect data “at rest” (thumb drives, backups) AND in transit (email with PI); encrypt PC drives. Question: Where do you think most security breaches occur? (Opportunity)
- Third party security review
- Use secure PDFs for document delivery (email)
- Use a layered security approach
- Reduce opportunity theft – keep things in control or out of sight
Summary

- Security take-away
  – Common sense, awareness, limiting your exposure and asking questions will take you a long way in protecting your information/assets and reducing your security risks.
  – Ask yourself “if this was my information, how would I like it handled?”
  – Effective security is an ongoing process.

- References
  http://www.privacyrights.org/
  https://www.pcisecuritystandards.org/
  http://www.piriform.com/ccleaner
  http://www.symantec.com/
  http://www.lavasoft.com/
  http://www.sans.org/security-resources/
Connecting…

- jjustice@ssandg.com
- http://www.linkedin.com/in/jerryjustice
- Twitter – @jerrymjustice

IMA Meeting 03222012