Data Security: Are You Prepared - PowerPoint PPT Presentation

1
Data Security: Are You Prepared?
Presented by Stuart A. Levine and Narender Mangalam
2
Abstract
  • This presentation will outline the current trends
    in information security, privacy, data protection
    and the compliance environment. It will attempt
    to educate the audience on the steps to be taken
    to achieve compliance and maintain information
    security especially in the financial sector,
    focused on data security.
  • In addition, the presentation will walk through a
    security awareness training process to illustrate
    the kinds of information that is needed in order
    to assure data protection.

3
Agenda
  • Abstract
  • Introduction
  • State of Security
  • 2005/2006 Case Studies
  • Compliance and Certification
  • Good Security Practice
  • Security Awareness 101
  • Q&A

4
Introduction
  • Founded in 2001
  • Core offering: Compliance auditing (ISO 17799,
    GLBA, HIPAA, PCI, NIST)
  • Compliance Gap Analysis
  • Penetration testing
  • Forensics and Log Review
  • Information Security Training

5
State of Security
  • Source: CERT

6
Security Breaches in the News
  • July 28, 2006: Sisters of St. Francis Health
    Services via Advanced Receivables Strategy (ARS),
    a Perot Systems Company. A contractor misplaced
    CDs containing the names and SSNs of 266,200
    patients, employees, physicians, and board
    members of St. Francis hospitals in Indiana and
    Illinois. The disks were inadvertently left in a
    laptop case that was returned to a store. The
    purchaser returned the disks. The records were
    not encrypted even though St. Francis and ARS
    policies require encryption.

http://www.privacyrights.org/ar/ChronDataBreaches.htm
7
Security Breaches in the News
  • Nov. 2, 2006: Intermountain Health Care (Salt Lake
    City, UT). A computer was purchased at a
    second-hand store, Deseret Industries, that
    contained the names, Social Security numbers,
    employment records, and other personal
    information about Intermountain Health Care
    employees employed there in 1999-2000.
  • Records Lost: 6,244

http://www.privacyrights.org/ar/ChronDataBreaches.htm
8
Security Breaches in the News
  • Dec 22, 2006 - Texas Woman's University: A
    document containing names, addresses and SSNs of
    15,000 TWU students was transmitted over a
    non-secure connection.
  • Jan 11th, 2007 - University of Idaho:
  • 3 desktop computers were stolen from the
    Advancement Services office containing personal
    information of alumni, donors, employees, and
    students. 331,000 individuals may have been
    exposed, with as many as 70,000 records
    containing SSNs, names and addresses.

http://www.privacyrights.org/ar/ChronDataBreaches.htm
9
Case Study: CardSystems Solutions
  • June 2005: Breach of 40 Million Credit Cards
  • 13.9 million MasterCard branded cards, 20 million
    Visa branded cards
  • Multiple class action suits against CardSystems,
    Merrick Bank, MasterCard and Visa
  • Admitted to having violated its contracts with
    Visa, American Express and others by failing to
    encrypt credit card transaction data and by
    keeping on file card verification numbers that
    are never supposed to be stored.
  • John Perry, CardSystems President and CEO, told
    members of Congress that his company faces
    "imminent extinction."

10
2007 News
  • Retailer TJX reports massive security breach
  • 2,000 retail stores (Bob's Stores, TJ Maxx,
    Marshalls)
  • Occurred 7 months before it was detected
  • 200,000 credit card numbers stolen; not all
    banks have reported in yet
  • Suffered "an unauthorized intrusion" into parts
    of its computers that process and store details
    of customer purchases
  • Track 2 data stolen, drivers license numbers,
    SSNs

11
Financial Impact of Data Loss
  • 31% increase since 2005
  • Cost Factors:
  • Compliance and contractual penalties
  • Legal liability
  • Recovery costs
  • Legal investigation
  • Administrative expenses
  • Stock performance, customer defections,
    opportunity loss, reputation management

Source: Oct 2006 study - Ponemon Institute, PGP
Corp, Vontu. http://www.ponemon.org/press/Ponemon_2006%20Data%20Breach%20Cost_FINAL.pdf
12
Does it ever get better?
13
Does it ever get better?
Source: Deloitte 2006 Global Security Survey
14
Who are the hackers?
  • The threat often comes from inside.
  • Poor appraisal
  • New working practices
  • Downsizing or restructuring
  • An illegal act has 3 factors: opportunity,
    ability and motivation

15
  • Compliance and Certification

16
ISO17799 / ISO27001
  • International Standards Organization
  • 17799 is compliance based on standards (no
    certification)
  • High end standards and guidelines
  • 11 different security domains
  • 27001 is a certification
  • Concentration on organization (ISMS)
  • Follows 17799 standards and guidelines
  • Mostly for international businesses (right now)

17
  • Compliance is usually of two kinds:
  • Regulatory compliance: GLBA, NIST, SOX, HIPAA,
    SB 1386 etc.
  • Contractual compliance: PCI DSS, vendor
    management programs etc.

18
Regulatory Compliance
  • Gramm-Leach-Bliley Act
  • Emphasis on data protection for Financial
    Institutions
  • Includes requirement to ensure that any vendor
    that receives, handles, processes or has access
    to sensitive data is compliant
  • Sensitive data includes SSN, bank account number,
    PIN, credit card number, or a combination of name
    or address with any of the above

19
Regulatory Compliance
  • NIST
  • Emphasis on data protection for Financial
    Institutions
  • Standard for all government agencies and covered
    contractors
  • Enforced by government agency
  • Based on contractor rank (high, medium, low)
    determined by agency based on NIST guidelines

20
Contractual Compliance
  • PCI (Payment Card Industry)
  • Data Security standard established by credit
    card companies
  • Required of all merchants and service providers
  • Covers any company storing, transmitting or
    processing card numbers
  • Level of assessment required for compliance is
    determined by number of cards processed
  • Enforced by bank or processor on merchants and
    service providers

21
Contractual Compliance
  • ISO 17799
  • Broad information security standard that covers
    all aspects of security
  • Covers 11 Domains
  • Security Policies
  • Organizing Information Security
  • Asset Management
  • Human Resources Security
  • Physical and Environmental Security
  • Communications and Operations Management

22
Contractual Compliance
  • ISO 17799 Domains (continued)
  • Access Control
  • Information Systems Acquisition, Development and
    Maintenance
  • Information Security Incident Management
  • Business Continuity
  • Compliance

23
Cross Compliance
  • Since there are several compliance
    requirements, both the requiring company and the
    complying company should try to consolidate
  • Most of the standards have a high degree of
    overlap
  • An audit should be leveraged to cover as many as
    possible
  • This approach keeps costs low
  • It also allows companies to get their own
    compliance in order to satisfy the requirements
    of several customers.

24
  • Security Standards (the must-dos)

25
Data Classification
  • Know your data (create a list of all the ways you
    collect identifiable customer data)
  • Classify your data
  • Segregate your sensitive data
  • Limit access to sensitive data
  • Encrypt your sensitive data:
    • At rest
    • In use or motion
    • In transmission

26
Create Enforceable Policies
  • Acceptable Use (Internal)
  • Privacy and Protection (internal and external)
  • Access guidelines (internal and third party)
  • On-going Awareness Presentations
  • Find a way to communicate existing and changing
    policies
  • i.e. intranet, network share, email threads,
    bulletin board postings, signs etc.

27
Access based on Job Function
  • Who needs access to DO THEIR JOB
  • Limit to read only if needed
  • Lock down permissions to data housing folders
  • Content filtering in deny all state
  • Lock down USB, Floppy and CD burners
  • Paperless environment if possible
  • No digital recording devices (such as cells with
    cameras)

28
Technical Preventive Controls
  • Intrusion Detection/Prevention Software
  • Antivirus and anti-spyware
  • Content Filtering Software
  • Automatic locking options (timed sessions, screen
    saver locking, etc.)

29
Patching and Updating
  • All systems should be patched within 30 days
  • Special interest groups for alerts
  • Don't forget to update applications
  • Networking gear counts! (firewalls, routers,
    switches)
  • Test patches before applying to production
    systems

30
Formalizing a Team
  • Define a sole owner of security (CISO)
  • Create security objectives
  • Attends infosec training, certification etc
  • WHAT are we protecting?
  • Create a security steering committee
  • Cross functional (HR, Legal, IT, Development)
  • Create owners (data, policy, assets)
  • Document roles and responsibilities

31
Teamwork
  • Emergency Response Teams
  • Incident response
  • Business Continuity
  • Disaster Recovery
  • Create the roles, Document the plans
  • What is an incident?
  • What is business continuity?
  • What is a disaster?

32
Internal Auditing
  • Enforce and review change control
  • Review logs daily
  • Scan internal and external machines and devices
  • Password auditing
  • Application testing and code reviews
  • Ensures annual compliance !

33
  • Security Awareness 101

34
What is Security Awareness?
  • The advantage of knowing what types of security
    issues and incidents employees of your company
    may face in the day-to-day routine of their
    corporate function
  • It is knowing what to do if you feel someone is
    attempting to
  • wrongfully take company property or information
  • obtain personal information about staff, clients
    or vendors
  • utilize company resources for illegal or
    unethical purposes

35
What is Expected of you?
  • Responsibility
  • As an employee or contractor, it is your
    responsibility to help in the protection and
    proper use of information and technology assets.

36
Security Myths
  • Information Security is the concern and
    responsibility of the MIS/IT department
  • Security Threats from outsiders are the greatest
    source of risks
  • Information Security is assured by safeguarding
    networks and the IT infrastructure
  • Managing people issues is not as important
  • Adopting latest technological solutions will
    increase security

37
Security Quiz
  • Which of the following passwords is the most
    secure one, and why do you think so?
  • spotabc123456
  • HerculeS
  • HRE42poL
  • safe456TYs

38
Security Quiz
  • Simply put... longer is better

39
Passwords
  • Let's be honest... passwords are annoying
  • Passwords are the first line of defense
  • Let's remember why they are important: they
    protect personal information, financial
    information, health data and private documents
  • Passwords are easily cracked or broken
  • Crackers are freely available on the net

40
Choosing Good Passwords
  • No dictionary words, proper nouns or foreign
    words
  • No personal information
  • Length, width and depth
  • Extra protection for executives
  • encryption, 2-factor authentication
  • protect those PDAs (lost berries!)
  • Changing Passwords regularly
  • Never give ANYONE your password

41
How to Remember !!
  • Create Phrases
  • For example: Every Good Boy Does Fine
  • Add special characters (EG1B2dF)
  • For example: Sweet as pie (Sw33tAsPie)
  • NEVER GIVE YOUR PASSWORD TO ANYONE !!

42
PC Security
  • No matter what type of computer you use or where
    you use it, there are a few things you should
    always do to protect your information.
  • Password protect screensaver
  • Power on password
  • Log out when you're finished
  • Physically secure your computer

43
Data Confidentiality
  • To help maintain the confidentiality of
    information:
  • Don't leave documents unattended on the copier or
    fax machine
  • Shred any confidential documents when discarding
    them
  • Encrypt highly confidential e-mail sent through
    the Internet or consider using a courier
  • Keep a clean desk and secure important files
    when leaving
  • Remove papers and wipe boards clean when finished
    using conference rooms.

44
Physical Security
  • Access into the building (tailgaters!)
  • Do not prop doors open
  • Access to your backups
  • Access to your paper documents
  • Documents left on your desk
  • Documents in your garbage (dumpster diving!)
  • Shred Shred Shred !
  • Screen saver lock
  • Locking computer when leaving your desk

45
Social Engineering
  • By definition: The acquisition of sensitive
    information or inappropriate access privileges by
    an outsider, based upon the building of
    inappropriate trust relationships with insiders.
    It is the art of manipulating people into actions
    they would not normally take.

46
Types of Social Engineering - Human
  • Impersonation
  • Important user
  • Third party authorization
  • Tech Support
  • In Person
  • Dumpster Diving
  • Shoulder Surfing
  • Instant Messaging

47
Types of Social Engineering - Human
  • Never give your password in email
  • Never give your password over the phone
  • If in doubt, keep all privacy information to
    yourself
  • Shred sensitive documents
  • Lock your computer when you get up
  • Lock sensitive documents when finished

48
Types of Social Engineering - Computer
  • Pop up windows
  • Mail attachments
  • Spam, Chain letters and Hoaxes
  • Websites
  • Instant Messaging
  • Phishing attacks

49
  • The Street Interview

50
Giving too much information
  • The Live Survey (from very friendly people)
  • You're stopped to give a survey (airports,
    theaters, streets etc.)
  • What's your name, and what do you think of the
    airport?
  • Date of birth, favorite vacation spot
  • Dream car, mother's maiden name
  • What you'd do with a million dollars, name of
    first school

51
Giving too much information
  • Thank you for taking our survey
  • If you'd like a voucher mailed to you for free
    airport food, drinks, air miles etc, we'll need
    your home phone number, just in case of problems
    in the voucher delivery.

52
Giving too much information
  • What have you just said?
  • Mother's maiden name?
  • Date of birth?
  • First school attended?
  • Phone number?
  • For online or telephone banking, are these your
    verification items?
  • Can a birth certificate be obtained with this
    information?

53
  • Sounds like identity theft !

54
  • Let's Go Phishing

55
Phishing
  • The email LOOKS like it comes from a trusted
    source
  • Asks you to click the link as your account needs
    updating or it will be shut down
  • Takes you to a page that looks like a trusted
    source
  • Accepts personal data (your required update)
  • Information does not go to trusted source

56
Phishing
57
Phishing
58
Phishing
59
Phishing
60
Phishing
61
Phishing
62
Phishing
Let's take another look.
63
Phishing
64
Phishing
65
Summary
  • Good security starts and ends with you
  • Confidentiality, integrity, availability (the
    bedrocks!)
  • Nothing is 100% secure
  • Protection of assets is a layered approach
  • Multiple resources on the Web: www.sans.org,
    www.securityfocus.com, cve.mitre.org (Common
    Vulnerabilities and Exposures)