Computer Security: Data and Identity Management 12/17/2008IDTheftSecurity.com www.IDTheftSecurity.com Computer Security: Data and Identity Management Overview Hackers Business Prevention Dos’ Data Breaches Privacy Policy Shifts in Security Priorities Valuable Data Security Policy Firewalls Shredding Wireless Security Physical Security Using Technology ;Computers Authentication and Access Control Email Identity Management Spam Viruses Regulatory and Compliance Spyware Internal Threats Phishing Biometric Solutions Botnets Considerations 12/17/2008 www.IDTheftSecurity.com ID Theft Security Hackers 12/17/2008 www.IDTheftSecurity.com Botnets Zombies 12/17/2008 www.IDTheftSecurity.com ID Theft Security Data Breaches Hacking Irresponsible insider Malicious insider 3rd party fault Laptop theft Theft Loss 12/17/2008 www.IDTheftSecurity.com History of Hacking 2001 2004 2008 9 The need for security began with desktop computing when the only means of compromising data was by inserting a contaminated floppy disk into a PC or opening an infected email attachment. That was the anti-virus era. 9 The need for security evolved with the Internet as more companies developed internal and external networks. That was the network security era. 9 Now as companies leverage the power of the web, information security has evolved yet again: We are in the application security era. 12/17/2008 www.IDTheftSecurity.com ID Theft Security Using Technology Ice-pick to an Iceberg 12/17/2008 www.IDTheftSecurity.com Data Breaches 12/17/2008 www.IDTheftSecurity.com ID Theft Security Using Technology Speed of technology Digital printers 12/17/2008 www.IDTheftSecurity.com Black Hat Hacking ‘Def’Con convention 12/17/2008 www.IDTheftSecurity.com ID Theft Security Web Mobs 12/17/2008 www.IDTheftSecurity.com Hacking for Money Hacking for Dummies Hacking tools kits $100- several thousands 12/17/2008 www.IDTheftSecurity.com ID Theft Security Hacking for Money Enterprise networks 12/17/2008 www.IDTheftSecurity.com Hacking for Money Unprotected networks sniffed by hackers 12/17/2008 www.IDTheftSecurity.com ID Theft Security Using Technology Compliance and regulatory issues 12/17/2008 www.IDTheftSecurity.com Using Technology Flawed system 1) SSN 2) Credit 12/17/2008 www.IDTheftSecurity.com ID Theft Security Hacked 12/17/2008 www.IDTheftSecurity.com InformationHacking for Brokers Money Feb 2005 - Fined 15M Computers - hacked or stolen; data tapes lost, insiders take files home. Scores of universities, hospitals, government agencies, merchants and financial firms continue to report such breaches. 12/17/2008 www.IDTheftSecurity.com ID Theft Security Hacked 12/17/2008 www.IDTheftSecurity.com Hacked 12/17/2008 www.IDTheftSecurity.com ID Theft Security Hacked 12/17/2008 www.IDTheftSecurity.com Hacked 12/17/2008 www.IDTheftSecurity.com ID Theft Security Hacked 12/17/2008 www.IDTheftSecurity.com Hacked 12/17/2008 www.IDTheftSecurity.com ID Theft Security Hacked 12/17/2008 www.IDTheftSecurity.com How Stolen Information is Used 12/17/2008 www.IDTheftSecurity.com ID Theft Security Shifts in Security Priorities Forrester Research says that new challenges such as the rising threats of fraud and identity theft are causing a fundamental shift in identity management. Attention has moved from the build-out of eBusiness, to efficiency and cost-cutting, and now to compliance. 2006 on will focus on the issues of fraud, theft, and privacy. This will manifest in the realm of authentication and account protection including authorization, administration, and then audit. Strengthen consumer data privacy protection policies. 12/17/2008 www.IDTheftSecurity.com Bring on the Legislation! State bills State legislation follows landmark California Security Breach Notice SB1386 . Requires any business or state agency that’s personal data was breached to notify consumers of unauthorized access. 168 security breach bills introduced in 29 states in 2006. 19 enacted, 14 pending. 12 states also cover breach of paper records. Compelled by state data-loss notification laws, companies and organizations have disclosed since, February 2005 : Over 916 incidents of personal data breached. Total records reported lost: 227,000,000 million records. 12/17/2008 www.IDTheftSecurity.com ID Theft Security Shifts in Security Priorities 12/17/2008 www.IDTheftSecurity.com Shifts in Security Priorities 12/17/2008 www.IDTheftSecurity.com ID Theft Security Valuable Data 12/17/2008 www.IDTheftSecurity.com Valuable Data Social Security numbers Obsolete contracts Employment applications Obsolete personnel records Medical records Arbitration/grievance files Account numbers Insurance forms and records Client records Legal documents Approval/qualification documents Payroll records Accounts Payable and Receivable Classified documents Confidential financial information Customer or client lists Business correspondence Client/customer records Drafts of contracts Tax docs Cancelled checks 12/17/2008 www.IDTheftSecurity.com ID Theft Security 12/17/2008 www.IDTheftSecurity.com Firewalls 101 12/17/2008 www.IDTheftSecurity.com ID Theft Security Firewalls 101 http://firewallguide.com/ ZoneAlarm or Norton HTTP Hypertext transfer protocol: port 80 Ports used transiently as needed by software FTP File transfer protocol: port 21 Viruses/trojans exploit ports SMTP Simple mail transfer protocol: port 25 Hardware (IDS) intrusion detection system POP Post office protocol: port 110 65536 ports ProcessLibrary.com 12/17/2008 www.IDTheftSecurity.com 12/17/2008 www.IDTheftSecurity.com ID Theft Security Spam: Unsolicited commercial email sent in large numbers designed to be profitable from a very small number of responses. Spyware: Software designed to compile usage statistics or take information from the host system and communicate it back to its home server for commercial or criminal purposes. Virus/Worm: Unauthorized software that multiplies and carries a message, remote control component or destructive payload. Phishing: An enabler of identity theft activity often carried out through email. Social Most common method of gaining and abusing the trust of a stranger, Engineering: often for the purpose of identity theft and financial gain. Wireless Networks 12/17/2008 www.IDTheftSecurity.com Wireless Security 12/17/2008 www.IDTheftSecurity.com ID Theft Security Wireless Security Be wary of free wi-fi (evil twins) Wi-fi is insecure 300-500 ft range Secure PDAs http://www.purenetworks.com/securityscan/ 12/17/2008 www.IDTheftSecurity.com Wireless Security Bluetooth Disable when not in use When you set up a wireless access point (WAP), immediately change the default SSID (network identifier or network name) and the default administrator password. Turn off SSID broadcasting on the WAP. Enable encryption with either WEP or WPA. WPA encryption is stronger and more secure, so it is the encryption method of choice if your hardware (WAP and wireless NICs) and your operating system support it. Enable MAC address filtering and enter the physical addresses of computers that will be allowed to connect to the wireless network. 12/17/2008 www.IDTheftSecurity.com ID Theft Security Wireless Security Disable the Dynamic Host Configuration Protocol (DHCP) on the WAP and use a private IP addressing range that is outside the most common (192.168.x.x). This method prevents intruders from being assigned an IP address, and they will have to guess an address that is correct for your network. Disable Simple Network Management Protocol (SNMP) support on the WAP. This protocol can be used by hackers to gather information about your network. Do not use an overly powerful antenna that broadcasts beyond the range you need. Do not place the antenna close to a window; place it as close to the center of the area you want the network to cover as possible. 12/17/2008 www.IDTheftSecurity.com Spyware Keyloggers Adware Cookies Keycatchers Use spy removal software www.lavasoftusa.com/ * Spybot Search and Destroy www.download.com * 12/17/2008 www.IDTheftSecurity.com ID Theft Security Spyware •Pop-ups = Spyware •Drive-bys •IE 7 •Google toolbar 12/17/2008 www.IDTheftSecurity.com Spyware 12/17/2008 www.IDTheftSecurity.com ID Theft Security Spyware 12/17/2008 www.IDTheftSecurity.com KeyCatchers 12/17/2008 www.IDTheftSecurity.com ID Theft Security Using Technology e-mail 12/17/2008 www.IDTheftSecurity.com 12/17/2008 www.IDTheftSecurity.com ID Theft Security Using Technology e-mail Don’t reply to spam Don’t request to be taken off spam lists, just hit delete Don’t open attachments from those you do not know email signature Use throwaway addresses ISP Mailfilters, IP blocking, blacklists challenge/response 12/17/2008 www.IDTheftSecurity.com Challenge/response 12/17/2008 www.IDTheftSecurity.com ID Theft Security Challenge/response 12/17/2008 www.IDTheftSecurity.com Malware/Viruses/Spyware 12/17/2008 www.IDTheftSecurity.com ID Theft Security Viruses 5.5 million known viruses in 2007 15,000 to 20,000 daily 2,000 and 3,000 new viruses per hour First 2 months of 2008 = 1 million samples of malware. 24/7/365!!!!!!!!!!!!!!! 12/17/2008 www.IDTheftSecurity.com Viruses 12/17/2008 www.IDTheftSecurity.com ID Theft Security Use Norton / McAffe / AVG / PC Cillin AVast @ http://www.avast.com/eng/download.html Install virus protection and keep it automatically updated* Configurations 12/17/2008 www.IDTheftSecurity.com Windows Update Use SP2 / automatic security patches for critical updates Run scans/missing
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages60 Page
-
File Size-