Computer Security: Data and Identity Management
12/17/2008IDTheftSecurity.com www.IDTheftSecurity.com
Computer Security: Data and Identity Management Overview
- Hackers
- Data Breaches
- Shifts in Security Priorities
- Valuable Data
- Firewalls
- Wireless Security
- Using Technology: Computers, Email, Spam, Viruses, Spyware, Phishing, Botnets
- Business Prevention Do's
- Privacy Policy
- Security Policy
- Shredding
- Physical Security
- Authentication and Access Control
- Identity Management
- Regulatory and Compliance
- Internal Threats
- Biometric Solutions
- Considerations
Hackers

Botnets and Zombies

Data Breaches
Breach causes: hacking, irresponsible insider, malicious insider, third-party fault, laptop theft, theft, loss.
History of Hacking
Timeline: 2001, 2004, 2008
- The need for security began with desktop computing, when the only means of compromising data was by inserting a contaminated floppy disk into a PC or opening an infected email attachment. That was the anti-virus era.
- The need for security evolved with the Internet as more companies developed internal and external networks. That was the network security era.
- Now, as companies leverage the power of the web, information security has evolved yet again: we are in the application security era.
Using Technology
Ice-pick to an iceberg

Data Breaches

Using Technology
Speed of technology; digital printers
Black Hat Hacking
DefCon convention

Web Mobs
Hacking for Money
- Hacking for Dummies: hacking tool kits, $100 to several thousand dollars
- Enterprise networks
- Unprotected networks sniffed by hackers
Using Technology
- Compliance and regulatory issues
- Flawed system: 1) SSN 2) Credit
Hacked

Hacking for Money: Information Brokers
Feb 2005 - fined 15M
Computers hacked or stolen; data tapes lost; insiders take files home. Scores of universities, hospitals, government agencies, merchants and financial firms continue to report such breaches.
How Stolen Information is Used
Shifts in Security Priorities
Forrester Research says that new challenges such as the rising threats of fraud and identity theft are causing a fundamental shift in identity management. Attention has moved from the build-out of eBusiness, to efficiency and cost-cutting, and now to compliance. From 2006 on, the focus will be on the issues of fraud, theft, and privacy. This will manifest in the realm of authentication and account protection, including authorization, administration, and then audit. Strengthen consumer data privacy protection policies.
Bring on the Legislation!
State bills: state legislation follows the landmark California Security Breach Notice law, SB1386, which requires any business or state agency whose personal data was breached to notify consumers of the unauthorized access. 168 security breach bills were introduced in 29 states in 2006: 19 enacted, 14 pending. 12 states also cover breaches of paper records.
Compelled by state data-loss notification laws, companies and organizations have disclosed since February 2005:
- Over 916 incidents of personal data breached.
- Total records reported lost: 227,000,000 records.
Valuable Data
- Social Security numbers
- Obsolete contracts
- Employment applications
- Obsolete personnel records
- Medical records
- Arbitration/grievance files
- Account numbers
- Insurance forms and records
- Client records
- Legal documents
- Approval/qualification documents
- Payroll records
- Accounts Payable and Receivable
- Classified documents
- Confidential financial information
- Customer or client lists
- Business correspondence
- Client/customer records
- Drafts of contracts
- Tax documents
- Cancelled checks
Firewalls 101
- http://firewallguide.com/
- ZoneAlarm or Norton
- 65536 ports; ports are used transiently as needed by software; viruses/trojans exploit ports
- HTTP (Hypertext Transfer Protocol): port 80
- FTP (File Transfer Protocol): port 21
- SMTP (Simple Mail Transfer Protocol): port 25
- POP (Post Office Protocol): port 110
- Hardware IDS (intrusion detection system)
- ProcessLibrary.com
Spam: Unsolicited commercial email sent in large numbers, designed to be profitable from a very small number of responses.
Spyware: Software designed to compile usage statistics or take information from the host system and communicate it back to its home server for commercial or criminal purposes.
Virus/Worm: Unauthorized software that multiplies and carries a message, remote control component or destructive payload.
Phishing: An enabler of identity theft activity often carried out through email.
Social Engineering: Most common method of gaining and abusing the trust of a stranger, often for the purpose of identity theft and financial gain.
Wireless Networks

Wireless Security
Be wary of free wi-fi (evil twins)
Wi-fi is insecure
300-500 ft range
Secure PDAs
http://www.purenetworks.com/securityscan/
Bluetooth: disable when not in use
When you set up a wireless access point (WAP), immediately change the default SSID (network identifier or network name) and the default administrator password.
Turn off SSID broadcasting on the WAP.
Enable encryption with either WEP or WPA. WPA encryption is stronger and more secure, so it is the encryption method of choice if your hardware (WAP and wireless NICs) and your operating system support it.
Enable MAC address filtering and enter the physical addresses of computers that will be allowed to connect to the wireless network.
- Disable the Dynamic Host Configuration Protocol (DHCP) on the WAP and use a private IP addressing range that is outside the most common one (192.168.x.x). This prevents intruders from being assigned an IP address; they will have to guess an address that is correct for your network.
- Disable Simple Network Management Protocol (SNMP) support on the WAP. This protocol can be used by hackers to gather information about your network.
- Do not use an overly powerful antenna that broadcasts beyond the range you need.
- Do not place the antenna close to a window; place it as close to the center of the area you want the network to cover as possible.
Spyware
- Keyloggers
- Adware
- Cookies
- Keycatchers
- Use spyware removal software: www.lavasoftusa.com/, Spybot Search and Destroy, www.download.com
- Pop-ups = spyware
- Drive-bys
- IE 7
- Google toolbar
KeyCatchers
Using Technology: E-mail
- Don't reply to spam
- Don't request to be taken off spam lists; just hit delete
- Don't open attachments from those you do not know
- Email signature
- Use throwaway addresses
- ISP mail filters, IP blocking, blacklists
- Challenge/response
Challenge/response

Malware/Viruses/Spyware

Viruses
- 5.5 million known viruses in 2007
- 15,000 to 20,000 daily
- 2,000 to 3,000 new viruses per hour
- First 2 months of 2008 = 1 million samples of malware
- 24/7/365!
Use Norton / McAfee / AVG / PC-cillin / Avast (http://www.avast.com/eng/download.html). Install virus protection and keep it automatically updated. Configurations.
Windows Update
- Use SP2 / automatic security patches for critical updates
- Run scans for missing patches
Internet Explorer
Be careful about which Web sites you visit. Sites devoted to illegal or questionable subjects, such as hacker sites, sites for downloading pirated music or software, and pornographic sites, are the most likely to contain malicious code.
Do not conduct financial transactions or send private information over the Web unless the site is secure (which is usually indicated by a dialog box or a “lock” icon in the browser’s status bar).
Configure your browser’s security settings for safe browsing.
Configure your browser’s privacy settings to avoid unwanted cookies and pop-up ads.
Enable checking of digital signatures on drivers and other programs you download.
Configure your browser to not automatically download ActiveX controls, or run scripts, Java applets, or other code. If you want to be able to run code on some sites, configure the browser to prompt you before doing so.
You can test your Web browser software for common vulnerabilities and determine its encryption strength at the following Web sites:
The Scanit Browser Security Test page at http://bcheck.scanit.be/bcheck/
The Qualys Free Browser Checkup page at http://browsercheck.qualys.com/
The Verisign Browser Check page at www.verisign.com/advisor/check.html
Phishing
- Phishing, pharming, spoofing, spear phishing
- Looks authentic: built from the company's existing web HTML code
- Request to update account or verify information
- Investment opportunity, recover funds, claim prize
- Redirects to a spoof site incorporating functional links
- Targets large banks, regional and local banks, corporations, associations
- 5 percent catch rate
- 1/3rd of the population knows what phishing is
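Added example, not part of the original deck: a small mail-gateway style check in Python that flags two indicators of the spoof pages described above, a link whose visible text names one site while its href points somewhere else, and a link whose host is a raw IP address. The message body, the helper names (check_links, LinkCollector) and the "last two labels" notion of a registrable domain are assumptions made for this example; a production filter would use a public suffix list.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body; the hostnames are RFC 2606 example names.
SAMPLE_HTML = """
<p>Your account needs verification. Please
   <a href="http://192.0.2.10/verify">click here</a>.</p>
<p>Visit <a href="http://secure-update.example.net/login">www.examplebank.com</a>
   to update your details.</p>
<p>Read our <a href="https://www.examplebank.com/privacy">privacy policy</a>.</p>
"""

# Anchor text that itself looks like a URL or hostname (group 1 = the host).
HOSTLIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:/.*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    # Assumption: the last two labels identify the owning site (no suffix list).
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html: str):
    """Return [(href, reason)] for links a reader should not trust at face value."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if is_ip(host):
            findings.append((href, "raw IP address host"))
        m = HOSTLIKE.match(text)
        if m and registrable(m.group(1)) != registrable(host):
            findings.append((href, f"link text claims {m.group(1)} but points to {host}"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_HTML):
        print(f"{reason}: {href}")
```

A link whose text is an ordinary phrase ("click here") is not compared, since it claims no destination; only text that reads as an address is checked against the real host.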
Botnets and Zombies
Botnets and zombies host viruses, trojans and spam. Lax security practices by consumers and small businesses are giving scammers a base from which to launch attacks:
- setting up phishing websites targeting well-known online brands
- sending junk e-mails advertising phishing websites
- installing redirection services to deliver web traffic to existing phishing websites, or for the propagation of spam and phishing messages
- hosting viruses, malware and keyloggers
Business Prevention Do's
- Lock mailbox
- Secure all legal documents and account numbers
- Place mail in secure outgoing mailboxes or at the PO
- Call the post office if you go more than 4 days without mail
- Pay attention to delivery dates of all bills
- Bank online
- Use automatic bill payment, automatic payroll deposit
- Eliminate paper statements
- Reconcile bills and statements diligently and in a timely manner
- Pay attention to the expiration date of credit cards and look for the arrival of new cards
- Have bank-ordered checks delivered to the bank and not your office
- Be cautious ordering online and by mail order
- Ask all public and private entities about their policies for disposal
Privacy Policy
- What personally identifiable information is collected from you
- What cookies are and how they are used
- How your information is used
- Who is collecting your information
- With whom your information may be shared
- What choices are available to you regarding collection, use, and distribution of your information
- The kind of security precautions that are in place to protect against the loss, misuse, or alteration of your information
- What else you should know about your online privacy
Security Policy
- Cover all organizational systems used for processing, storing or transmitting personal information.
- Security risks faced are assessed in the development of the policy.
- Cost-effective measures are devised to reduce the risks to acceptable levels.
- The policy is monitored and periodically reviewed.
- Staff and management are made aware of the protective security policies and how to implement them.
Shredding Data
Secure disposal of paper-based records includes: shredding or disintegration of paper files; contracting an authorized disposal company for secure disposal.
Thoroughly erase data from discarded hard drives: www.killdisk.com (or a sledge hammer), McAfee Shredder and Norton WipeInfo.
Physical Security
- Alarm systems
- External and internal locks
- Cables, clamps, brackets
- Access control
- Perimeter security
- Guards
- CCTV cameras
Internal Threats
Survey of 500 managers and employees with access to sensitive customer information found the following:
66% said their co-workers, not hackers, pose the greatest risk to consumer privacy; only 10% said hackers are the greatest threat.
62% reported incidents at work that put customer data at risk for identity theft.
46% said it would be “easy,” “very easy” or “extremely easy” for workers to remove sensitive data from the corporate database.
32% said they’re unaware of internal company policies to protect customer data.
28% said their company does not have a written security policy or they didn’t know if it has one.
Web browsing, web-based email and P2P (peer to peer): Viruses and malicious code can be hidden in web sites and in downloads of ActiveX controls and executables. MP3s, AVIs and images clog up network bandwidth and drive space. Confidential data can be transferred via web-based email.
Instant messaging and chatrooms: IM has the same security concerns as web-based email; users can potentially send and receive sensitive corporate data. There are also viruses that are specifically aimed at IM systems. Both also provide the means for confidential data to be transferred.
Decide whether your staff can use IM as a legitimate business tool or not, and then ensure you have a policy in place - and then communicate and enforce it. Use software to manage access.
Consider banning removable storage: USB drives, iPods, CD burners.
Identity and Access Management
Authentication: Requiring users to present strong proof of identity.
Single sign-on (SSO).
Audit controls: Centralized logging is considered a best practice for tracking and monitoring user activity as part of mandated internal audit controls (e.g. McDonald's).
Encryption: Encryption makes sensitive information unreadable, except by authorized users who have the means to decrypt the data.
Data integrity/Digital signatures: The use of digital signatures can help to ensure the integrity of online communications and transactions; digital signatures also support non-repudiation by providing assurance that data has not been altered during transmission.
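Added example, not from the original deck, of the audit control described above: a few constructed lines of a centralized access log run through detection logic that surfaces two insider-risk patterns the deck warns about later (bulk reads of customer records, and access outside business hours). The log format "timestamp user=… action=… record=…", the thresholds and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample of a centralized access log (format is an assumption).
SAMPLE_LOG = [
    "2008-12-17T10:02:11 user=asmith action=view record=cust-1001",
    "2008-12-17T10:05:40 user=asmith action=view record=cust-1002",
    "2008-12-17T10:31:02 user=asmith action=update record=cust-1001",
    "2008-12-17T22:05:09 user=bwong action=view record=cust-2200",
    "2008-12-17T22:06:15 user=bwong action=view record=cust-2201",
    "this line is malformed and must not crash the parser",
] + [
    # jdoe reads 30 distinct customer records in one early-morning hour
    f"2008-12-17T02:{i:02d}:00 user=jdoe action=view record=cust-{3000 + i}"
    for i in range(30)
]

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T(?P<hour>\d{2}):\d{2}:\d{2} "
    r"user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$"
)


def parse_line(line: str):
    """Return the fields of one log line, or None for lines that do not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_access(lines, bulk_threshold=25, business_hours=(8, 18)):
    """Map user -> set of reasons. 'bulk_access': at least `bulk_threshold`
    distinct records touched within one calendar hour. 'off_hours': any
    access outside [start, end) local hours. Both are review triggers, not
    proof of wrongdoing; the 'why' still has to be asked of the user."""
    distinct_per_hour = defaultdict(set)      # (user, day, hour) -> records
    reasons = defaultdict(set)
    start, end = business_hours
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                          # malformed lines are skipped, not fatal
        hour = int(ev["hour"])
        distinct_per_hour[(ev["user"], ev["day"], hour)].add(ev["record"])
        if not (start <= hour < end):
            reasons[ev["user"]].add("off_hours")
    for (user, _day, _hour), records in distinct_per_hour.items():
        if len(records) >= bulk_threshold:
            reasons[user].add("bulk_access")
    return dict(reasons)


if __name__ == "__main__":
    for user, why in sorted(find_suspicious_access(SAMPLE_LOG).items()):
        print(user, sorted(why))
```

Counting distinct records per hour rather than raw line count keeps a user who repeatedly reopens one case from tripping the bulk rule, while a sweep across many records does.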
Authentication and Access Control
Biometric identifiers:
- Fingerprinting
- Iris scans
- Facial recognition
- Voice recognition
- US-VISIT biometric enter/exit
- Passports: fingerprint and iris scans at airport checkpoints; Oct 26th to enter US

- Strengthen password policies
- Change passwords semi-annually
- Norton Password Manager
- USB tokens
- Smart cards
- Biometrics
Two-factor authentication: The combination of something users know (their PIN) and something users have (the six digit tokencode shown on their token) provides strong, two-factor authentication. It is similar to how the banking ATM system works where users must present their PIN (something they know) together with their bankcard (something they have) before being granted access to their account.
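Added example, not from the original deck: the PIN-plus-tokencode scheme described above, written out in Python so the two factors are visible in code. The six-digit tokencode is generated with the event-based HOTP algorithm of RFC 4226 (HMAC-SHA1 over a counter, truncated to six digits); that the deck's token uses exactly this algorithm is an assumption, as are the seed (the RFC's own test-vector secret), the server class and the look-ahead window.

```python
import hashlib
import hmac
import struct

TOKEN_DIGITS = 6
# Constructed demo seed (the RFC 4226 test-vector secret). A real seed is
# provisioned once into the token and the server and never shown to the user.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = TOKEN_DIGITS) -> str:
    """Tokencode for one counter value: HMAC-SHA1 over the 8-byte big-endian
    counter, dynamically truncated to `digits` decimal digits (RFC 4226)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Something the user knows: never stored in clear, stretched with PBKDF2.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TokenServer:
    """Hypothetical authentication server holding, per user, the PIN hash and
    the token seed plus the next counter value it expects."""

    def __init__(self):
        self._users = {}

    def enroll(self, user: str, pin: str, seed: bytes, salt: bytes) -> None:
        self._users[user] = {"salt": salt, "pin_hash": hash_pin(pin, salt),
                             "seed": seed, "counter": 0}

    def verify(self, user: str, pin: str, tokencode: str, look_ahead: int = 3) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        # Factor 1: something they know. Always evaluated, so a wrong PIN and
        # a wrong code take the same path and the caller only learns "denied".
        pin_ok = hmac.compare_digest(hash_pin(pin, rec["salt"]), rec["pin_hash"])
        # Factor 2: something they have. Accept the expected counter or a few
        # values ahead of it (the user may have pressed the token without use).
        matched = None
        for c in range(rec["counter"], rec["counter"] + look_ahead):
            if hmac.compare_digest(hotp(rec["seed"], c), tokencode):
                matched = c
        if not (pin_ok and matched is not None):
            return False
        rec["counter"] = matched + 1        # consume the code: no replay
        return True


def make_demo_server() -> TokenServer:
    server = TokenServer()
    server.enroll("alice", "1234", DEMO_SEED, salt=b"constructed-salt")
    return server


if __name__ == "__main__":
    s = make_demo_server()
    print(hotp(DEMO_SEED, 0))                    # 755224
    print(s.verify("alice", "1234", "755224"))   # True
    print(s.verify("alice", "1234", "755224"))   # False: code already consumed
```

The ATM analogy in the text maps directly: the PIN alone, or a tokencode alone, is rejected, and a code that has been used once is never accepted again, which is what makes the "something they have" factor worth more than a second password.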
USB Wireless Security Lock
Walk away and your PC is locked. The USB Wireless Security Lock is an effective means to ensure computer access is limited to an authorized user: when the user moves more than 2 meters away from the computer, the security dongle disables access to the computer.
Considerations
- Background checks: verify education, work experience, criminal histories.
- Dumb terminals: PCs with no hard drives, email or printers. No cell phones, notebooks or pens.
- Automatic lockout: former employees are security risks.
- Beef up access control.
- Shred, shred, shred.
- Review policies for remote computing.
- Shut down networks when not in use; 24/7 is no good.
- Do not store Social Security Numbers; use DMV.
- Do not store data on laptops, floppies, CDs.
- Develop identity and access management policies and procedures.
- Provide information access on a "need-to-know" basis.
- Assign access rights according to the job function.
- Monitor who's looking at what and why.
- Back up data: www.connected.com and Norton Ghost.
Disable the local administrator account A recommended security measure is to disable the local administrator's account, after creating a new account that has administrative privileges. This is to prevent hackers from using the default administrator account to get into your computer.
Here's how:
1. Create a user account and give it full administrative privileges.
2. Log on as the user with administrative privileges.
3. Right click My Computer and select Manage.
4. In the left pane, expand Local Users and Groups. Click Users.
5. In the right pane, double click Administrator.
6. Click the General tab.
7. Click Account is disabled to check the box, then click OK.
The change will take place when you log off and log back on to the computer. You should not be able to log on with the default Administrator account.
Regulatory and Compliance
Fair and Accurate Transactions F.A.C.T Act 2003
The Sarbanes Oxley Act
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act
Identity Theft Penalty Enhancement Act
The U.S. Financial Services Modernization Act
California A.B. 1950
Fair and Accurate Transactions F.A.C.T Act 2003
Requires companies engaged in the delivery of financial services to the consumer to develop customer focused solutions that mitigate the damage of identity theft. If you've ever applied for a charge account, personal loan, insurance, or job, there's a file about you. This file contains information on where you work and live, how you pay your bills and whether you’ve been sued, arrested, or have filed for bankruptcy. Companies that gather and sell this information are called Consumer Reporting Agencies (CRAs).
“Any record about an individual, whether in paper, electronic, or other form that is a consumer report (also known as a credit report) or is derived from a consumer report." “Any person or company that possesses or maintains such information to take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal."
The Sarbanes Oxley Act
Designed to increase corporate accountability, mandates that hard drives be erased before the disposal of a computer.
Health Insurance Portability and Accountability Act (HIPAA)
Require companies to guard the confidentiality of medical and financial records, and hold them responsible for their computer data, even when it is no longer in their hands.
Disposal also must meet EPA standards.
Gramm-Leach-Bliley Act
Includes provisions to protect consumers' personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule and the Pretexting Provisions.
Requires companies to guard the confidentiality of medical and financial records, and holds them responsible for their computer data, even when it is no longer in their hands.
Identity Theft Penalty Enhancement Act
Adds two years to the prison sentences of criminals convicted of using stolen credit card numbers and other personal data to commit crimes.
Orders the U.S. Sentencing Commission to consider increasing the penalties for employees who steal sensitive data from their own companies.
The U.S. Financial Services Modernization Act
Requires financial institutions to have policies and procedures to ensure the security of customer information such as names, social security numbers, credit histories and bank account numbers.
California A.B. 1950
Applies to all businesses that own or license covered personal information. The statutory definition of a business located in the same Title of the Civil Code (1798.80) includes corporations, associations, or groups, however organized, and whether or not organized to operate for a profit.
Considerations
- http://www.esafe.com/ addresses multiple layers of content security
- http://www.vontu.com/ stops confidential information, including customer data and intellectual property, from being sent via email
- http://www.pcguardiantechnologies.com/ encryption software for protecting fixed media, removable media and email
- http://www.protegrity.com/ protects data in all data stores and file systems, separates security policy from data management, audits and reports on all access to secure data
Considerations
- US-cert.gov
- Security.cnet.com
- hp.com/sbso/security/index.html
- microsoft.com/security
Robert Siciliano
Robert Siciliano is a Boston-based professional speaker, personal security consultant and president of 3 security-related companies. He is certified under 14 state real estate boards, various industry associations and under the guidelines of the Massachusetts Board of Nursing to train healthcare workers on personal safety. He has 18 years of security training as a member of the American Society of Industrial Security. He is the author of 2 books, including The Safety Minute: Living on High Alert; How to Take Control of Your Personal Security and Prevent Fraud. His seminar topics include Safe Travel Security, ID Theft Security, Computer Security, Workplace Violence, Nurse Security, Realty Security, Self Defense, Children Security and Public School Security. Robert has appeared in Mademoiselle, Good Housekeeping, Consumer Digest, REDBOOK, the New York Times, Los Angeles Times, Washington Times, New York Post and Boston Herald, and on national TV including CNN, CNBC, FOX, MSNBC, the Montel Williams, Sally Jesse Raphael, Howard Stern, David Brenner, and the Maury Povich talk shows.
Reach him at www.IDTheftSecurity.com, e-mail [email protected] or call 1 800 2 GET SAFE. SafetyMinute Seminars, P.O. Box 15145, Boston, MA 02215