data security

Category: Education

Presentation Description

About data security, the types of controls, etc.

Comments

By: Tendor (9 month(s) ago)

Hi, I just want to get an idea, allow me to download.

By: jacquot (14 month(s) ago)

Hello. Excellent presentation. Can you please allow me to download it? Thanks and regards.

By: aviss (14 month(s) ago)

Please allow me to download this ppt.

By: cyberorgindia (15 month(s) ago)

Hello, please allow downloading the presentation as it is required for educational purposes.

By: pintukumari (15 month(s) ago)

Your slides are very, very good and I like them. So can you please send me this ppt to my e-mail ID today itself? I need them very urgently. My ID is gajbhiyepreeti4@gmail.com. Thanks.

Presentation Transcript

Slide 1: 

Data Security: Are You Prepared? Presented by Stuart A. Levine & Narender Mangalam

Abstract : 

This presentation will outline the current trends in information security, privacy, data protection and the compliance environment. It will attempt to educate the audience on the steps to be taken to achieve compliance and maintain information security, especially in the financial sector, with a focus on data security. In addition, the presentation will walk through a security awareness training process to illustrate the kinds of information that are needed in order to assure data protection.

Agenda : 

- Abstract
- Introduction
- State of Security 2005/2006
- Case Studies
- Compliance and Certification
- Good Security Practice
- Security Awareness 101
- Q&A

Introduction : 

- Founded in 2001
- Core offering: compliance auditing (ISO 17799, GLBA, HIPAA, PCI, NIST)
- Compliance gap analysis
- Penetration testing
- Forensics and log review
- Information security training

State of Security : 

(Chart; source: CERT)

Security Breaches in the News : 

July 28, 2006: Sisters of St. Francis Health Services, via Advanced Receivables Strategy (ARS), a Perot Systems company
- A contractor misplaced CDs containing the names and SSNs of 266,200 patients, employees, physicians and board members of St. Francis hospitals in Indiana and Illinois.
- The disks were inadvertently left in a laptop case that was returned to a store. The purchaser returned the disks.
- The records were not encrypted even though St. Francis and ARS policies require encryption.
Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm

Security Breaches in the News : 

Nov. 2, 2006: Intermountain Health Care (Salt Lake City, UT)
- A computer was purchased at a second-hand store, Deseret Industries, that contained the names, Social Security numbers, employment records and other personal information about Intermountain Health Care employees employed there in 1999-2000.
- Records lost: 6,244
Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm

Security Breaches in the News : 

Dec 22, 2006: Texas Woman's University
- A document containing names, addresses and SSNs of 15,000 TWU students was transmitted over a non-secure connection.
Jan 11, 2007: University of Idaho
- 3 desktop computers were stolen from the Advancement Services office containing personal information of alumni, donors, employees and students.
- 331,000 individuals may have been exposed, with as many as 70,000 records containing SSNs, names and addresses.
Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm

Case Study: CardSystems Solutions : 

- June 2005: breach of 40 million credit cards (13.9 million MasterCard-branded cards, 20 million Visa-branded cards)
- Multiple class action suits against CardSystems, Merrick Bank, MasterCard and Visa
- Admitted to having violated its contracts with Visa, American Express and others by failing to encrypt credit card transaction data and by keeping on file card verification values (CVV), which are never supposed to be stored after authorization
- John Perry, CardSystems President and CEO, told members of Congress that his company faces "imminent extinction"

2007 News : 

Retailer TJX reports massive security breach
- 2,000 retail stores (Bob's Stores, TJ Maxx, Marshalls)
- Occurred 7 months before it was detected
- 200,000+ credit card numbers stolen so far; not all banks have reported in yet
- Suffered an "unauthorized intrusion" into parts of its computers that process and store details of customer purchases
- Track 2 data stolen, plus driver's license numbers and SSNs

Financial Impact of Data Loss : 

31% increase since 2005
Cost factors:
- Compliance and contractual penalties
- Legal liability
- Recovery costs
- Legal investigation
- Administrative expenses
- Stock performance, customer defections, opportunity loss, reputation management
Source: Oct 2006 study, Ponemon Institute, PGP Corp & Vontu: http://www.ponemon.org/press/Ponemon_2006%20Data%20Breach%20Cost_FINAL.pdf

Does it ever get better? : 

(Chart; source: Deloitte 2006 Global Security Survey)

Who are the hackers? : 

The threat often comes from inside....
- Poor appraisal
- New working practices
- Downsizing or restructuring
An illegal act has 3 factors: opportunity, ability and motivation

Slide 15: 

Compliance and Certification

ISO17799 / ISO27001 : 

- ISO is the International Organization for Standardization
- ISO 17799 is a code of practice: you align your controls to it, but there is no certification against it
- High-level standards and guidelines covering 11 security domains
- ISO 27001 is the certifiable standard; it concentrates on the organization's Information Security Management System (ISMS)
- 27001 follows the 17799 standards and guidelines
- Mostly adopted by international businesses (right now)

Slide 17: 

Compliance is usually of two kinds:
- Regulatory compliance: GLBA, FISMA (NIST standards), SOX, HIPAA, SB 1386, etc.
- Contractual compliance: PCI DSS, vendor management programs, etc.

Regulatory Compliance : 

Gramm-Leach-Bliley Act
- Emphasis on data protection for financial institutions
- Includes a requirement to ensure that any vendor that receives, handles, processes or has access to sensitive data is compliant
- Sensitive data includes SSN, bank account number, PIN, credit card number, and the combination of name or address with any of the above

Regulatory Compliance : 

NIST (FISMA)
- Standards and guidelines (FIPS, SP 800 series) for all government agencies and the contractors that handle their systems and data
- Enforced by the contracting government agency
- Required controls depend on the system's impact level (high, moderate, low), which the agency assigns under NIST guidance (FIPS 199)

Contractual Compliance : 

PCI DSS (Payment Card Industry Data Security Standard)
- Established by the credit card companies
- Required of all merchants and service providers
- Covers any company storing, transmitting or processing card numbers
- Level of assessment required for compliance is determined by the number of cards processed
- Enforced by the bank or processor on merchants and service providers

Contractual Compliance : 

ISO 17799
- Broad information security standard that covers all aspects of security
- Covers 11 domains:
  - Security Policies
  - Organizing Information Security
  - Asset Management
  - Human Resources Security
  - Physical and Environmental Security
  - Communications and Operations Management

Contractual Compliance : 

ISO 17799 domains (continued):
  - Access Control
  - Information Systems Acquisition, Development and Maintenance
  - Information Security Incident Management
  - Business Continuity
  - Compliance

Cross Compliance : 

- Since there are several compliance requirements, both the requiring company and the complying company should try to consolidate
- Most of the standards have a high degree of overlap
- One audit should be leveraged to cover as many requirements as possible
- This approach keeps costs low
- It also allows a company to get its own compliance in order to satisfy the requirements of several customers at once

Slide 24: 

Security Standards(the must do’s)

Data Classification : 

- Know your data: create a list of all the ways you collect identifiable customer data
- Classify your data
- Segregate your sensitive data
- Limit access to sensitive data
- Encrypt your sensitive data: at rest, in use, and in transit (in motion)
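The following is an added example, not code from the presentation, showing the classify / segregate / limit / protect steps above applied to a single record, and why the CardSystems case study ended the way it did. It assumes a small field inventory for a constructed checkout record (the field names, the test card number and the demo key are all assumptions for the example); a keyed HMAC token stands in for the encryption or vault tokenisation the slide calls for, which on a real system would be backed by a KMS or HSM. It also includes a scanner for card numbers that have leaked into free text such as log lines, the check the "review logs daily" step later in the deck implies.

```python
import hashlib
import hmac
import re

# Field inventory for the constructed checkout record below (the slide's "know your data" step; assumption).
NEVER_STORE = {"cvv", "pin"}                                  # authorisation data: reject, never retain
INTERNAL = {"cardholder", "expiry", "amount", "merchant"}     # internal: store as-is, access-controlled
# "pan" and "ssn" are restricted: only a keyed token plus a display fragment is ever written.

PAN_RE = re.compile(r"^\d{13,19}$")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
PAN_IN_TEXT = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, spaces or dashes allowed

# Constructed transaction, as a checkout form would deliver it. 4111... is the standard test PAN and
# 123-45-6789 the usual sample SSN; neither belongs to anyone.
RAW_TXN = {"pan": "4111 1111 1111 1111", "expiry": "12/29", "cvv": "123",
           "cardholder": "J. Doe", "amount": "42.00", "ssn": "123-45-6789"}


def luhn_ok(digits):
    """Luhn check that every real card number passes; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalise_pan(pan):
    return re.sub(r"[ -]", "", pan)


def tokenize(value, key):
    """Keyed HMAC token: stable enough for lookups and joins, useless without the key.
    Stand-in for encryption or vault tokenisation; in production the key lives in a KMS/HSM."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def store_unsafe(txn):
    """The CardSystems pattern: everything the form sent, CVV included, written unchanged."""
    return dict(txn)


def store_hardened(txn, key):
    """Classify every field before it is written: drop what may never be stored, tokenise what is
    restricted, pass internal fields through, and refuse anything nobody has classified."""
    out = {}
    for field, value in txn.items():
        if field in NEVER_STORE:
            continue
        if field == "pan":
            value = normalise_pan(value)
            if not (PAN_RE.match(value) and luhn_ok(value)):
                raise ValueError("not a valid card number")
            out["pan_last4"] = value[-4:]
            out["pan_token"] = tokenize(value, key)
        elif field == "ssn":
            if not SSN_RE.match(value):
                raise ValueError("not a valid SSN format")
            out["ssn_last4"] = value[-4:]
            out["ssn_token"] = tokenize(value, key)
        elif field in INTERNAL:
            out[field] = value
        else:
            raise ValueError(f"unclassified field {field!r}: classify it before it is stored")
    return out


def find_pans(text):
    """Card numbers that leaked into free text (logs, e-mail, CSV exports): digit runs that pass Luhn."""
    found = []
    for m in PAN_IN_TEXT.finditer(text):
        digits = normalise_pan(m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    key = b"constructed-demo-key"            # assumption: demo only, never a hard-coded key in real code
    print("unsafe:  ", store_unsafe(RAW_TXN))
    print("hardened:", store_hardened(RAW_TXN, key))
    print("leaked:  ", find_pans("2007-01-11 order 77 paid with 4111 1111 1111 1111 ok"))
```

The unclassified-field branch is the part worth copying: a record that arrives with a field nobody has put on the inventory fails closed instead of quietly landing in the database, which is how "know your data" stays true after the first audit.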

Create Enforceable Policies : 

- Acceptable use (internal)
- Privacy and protection (internal and external)
- Access guidelines (internal and third party)
- Ongoing awareness presentations
- Find a way to communicate existing and changing policies, e.g. intranet, network share, e-mail threads, bulletin board postings, signs, etc.

Access based on Job Function : 

- Who needs access to DO THEIR JOB?
- Limit to read-only where that is enough
- Lock down permissions on the folders that house data
- Content filtering in a 'deny all' default state
- Lock down USB, floppy and CD burners
- Paperless environment if possible
- No digital recording devices (such as phones with cameras)

Technical Preventive Controls : 

- Intrusion detection and prevention software
- Antivirus and anti-spyware
- Content filtering software
- Automatic locking options (timed sessions, screen saver locking, etc.)

Patching and Updating : 

- All systems should be patched within 30 days
- Subscribe to special interest groups for alerts
- Don't forget to update applications
- Networking gear counts! (firewalls, routers, switches)
- Test patches before applying them to production systems

Formalizing a Team : 

- Define a sole owner of security (CISO): creates the security objectives, attends infosec training, certification, etc.
- WHAT are we protecting?
- Create a security steering committee, cross-functional (HR, Legal, IT, Development)
- Create owners (data, policy, assets)
- Document roles and responsibilities

Teamwork : 

Emergency response teams:
- Incident response
- Business continuity
- Disaster recovery
Create the roles, document the plans. What is an incident? What is business continuity? What is a disaster?

Internal Auditing : 

- Enforce and review change control
- Review logs daily
- Scan internal and external machines and devices
- Password auditing
- Application testing and code reviews
- Keeps you ready for the annual compliance audit!

Slide 33: 

Security Awareness 101

What is Security Awareness? : 

The advantage of knowing what types of security issues and incidents employees of your company may face in the day-to-day routine of their corporate function.
It is knowing what to do if you feel someone is attempting to:
- wrongfully take company property or information
- obtain personal information about staff, clients or vendors
- utilize company resources for illegal or unethical purposes

What is Expected of you? : 

Responsibility: as an employee or contractor, it is your responsibility to help protect, and properly use, information and technology assets.

Security Myths : 

- Information security is the concern and responsibility of the MIS/IT department
- Security threats from outsiders are the greatest source of risk
- Information security is assured by safeguarding networks and the IT infrastructure
- Managing people issues is not as important
- Adopting the latest technological solutions will increase security

Security Quiz : 

Which of the following passwords is the most secure one, and why do you think so?
- spotabc123456
- HerculeS
- HRE42poL
- $safe456TY$s

Security Quiz : 

Simply put, longer is better. Each extra character multiplies the search space an attacker must cover, which counts for more than swapping in a few symbols. The caveat a practitioner would add: length only helps when the characters are not predictable. A dictionary word followed by a keyboard run such as "abc123456" is among the first things a cracker's rule sets try, so a long phrase of unrelated words beats a short word padded with a sequence.

Passwords : 

Passwords Let’s be honest….passwords are annoying Passwords are the first line of defense Let’s remember why they are important protect personal information financial information health data private documents Passwords are easily cracked or broken Freely available crackers available on the net

Choosing Good Passwords : 

- No dictionary words, proper nouns or foreign words
- No personal information
- Length, width (character classes used) and depth (not guessable)
- Extra protection for executives: encryption, two-factor authentication, protect those PDAs (lost BlackBerrys!)
- Change passwords regularly
- Never give ANYONE your password

How to Remember !! : 

- Create phrases. For example: Every Good Boy Does Fine
- Add special characters and digits: E$G1B2d$F
- Another example: Sweet as pie becomes $Sw33tAsPie$
- NEVER GIVE YOUR PASSWORD TO ANYONE!!
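An added example, not from the presentation, that puts numbers behind the quiz, the "longer is better" answer and the "no dictionary words" and "create phrases" rules above. It scores the four quiz candidates and the Every Good Boy Does Fine passphrase two ways: the length-times-alphabet estimate that "longer is better" assumes, and a pattern-aware estimate that charges a dictionary word as one guess from a word list and a run like "abc" or "123456" as a start character plus a length, which is roughly how rule-based crackers work. The word list and the 10,000-word cost per dictionary word are assumptions for the example; real tools use lists of millions of words.

```python
import math

# Constructed mini word list standing in for the million-word lists real crackers use (assumption).
DICTIONARY = {"spot", "hercules", "safe", "sweet", "pie", "password", "welcome",
              "every", "good", "boy", "does", "fine"}
WORDLIST_BITS = math.log2(10_000)   # assumption: a whole word costs the attacker about 1 guess in 10,000
MIN_RUN = 3                          # 'abc' or '123' counts as a sequence, 'ab' does not

# The four candidates from the quiz slide, plus the passphrase from the "How to Remember" slide.
QUIZ = ["spotabc123456", "HerculeS", "HRE42poL", "$safe456TY$s"]
PASSPHRASE = "Every Good Boy Does Fine"


def char_pool(pw):
    """Alphabet size a brute-force attacker must assume, from the character classes actually used."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33                   # printable ASCII punctuation and space
    return pool


def naive_bits(pw):
    """Length-times-alphabet estimate: what 'longer is better' means when every character is random."""
    return len(pw) * math.log2(char_pool(pw)) if pw else 0.0


def run_length(s, i):
    """Length of the ascending or descending run of consecutive alphanumerics starting at s[i]."""
    if i + 1 >= len(s) or not (s[i].isalnum() and s[i + 1].isalnum()):
        return 1
    step = ord(s[i + 1]) - ord(s[i])
    if step not in (1, -1):
        return 1
    n = 2
    while i + n < len(s) and s[i + n].isalnum() and ord(s[i + n]) - ord(s[i + n - 1]) == step:
        n += 1
    return n


def has_sequence(pw):
    low = pw.lower()
    return any(run_length(low, i) >= MIN_RUN for i in range(len(low)))


def dictionary_words(pw):
    low = pw.lower()
    return sorted(w for w in DICTIONARY if w in low)


def segments(pw):
    """Split the password the way a rule-based cracker sees it: words, sequences, loose characters."""
    low, i, out = pw.lower(), 0, []
    while i < len(low):
        word = max((w for w in DICTIONARY if low.startswith(w, i)), key=len, default=None)
        if word:
            out.append(("word", pw[i:i + len(word)]))
            i += len(word)
            continue
        n = run_length(low, i)
        if n >= MIN_RUN:
            out.append(("seq", pw[i:i + n]))
            i += n
            continue
        out.append(("char", pw[i]))
        i += 1
    return out


def effective_bits(pw):
    """Pattern-aware estimate: a word costs one word-list guess, a sequence costs its start character
    plus its length, and only the loose characters get the full alphabet."""
    if not pw:
        return 0.0
    per_char = math.log2(char_pool(pw))
    bits = 0.0
    for kind, text in segments(pw):
        if kind == "word":
            bits += WORDLIST_BITS
        elif kind == "seq":
            bits += per_char + math.log2(len(text))
        else:
            bits += per_char
    return bits


def rank(candidates):
    """Candidates ordered strongest first by the pattern-aware estimate."""
    return sorted(candidates, key=effective_bits, reverse=True)


if __name__ == "__main__":
    for pw in rank(QUIZ + [PASSPHRASE]):
        print(f"{pw!r:28} length-only {naive_bits(pw):5.1f} bits   pattern-aware {effective_bits(pw):5.1f} bits   "
              f"words={dictionary_words(pw)} sequence={has_sequence(pw)}")
```

Two things fall out of running it. The longest quiz entry, spotabc123456, has the highest length-only score but collapses to a word plus two sequences once patterns are charged honestly, while the 24-character passphrase keeps most of its length advantage even though every word in it is in the dictionary. That is the version of "longer is better" a password policy should encode: length of unpredictable material, not length of anything.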

PC Security : 

No matter what type of computer you use or where you use it, there are a few things you should always do to protect your information:
- Password-protect the screensaver
- Power-on password
- Log out when you're finished
- Physically secure your computer

Data Confidentiality : 

To help maintain the confidentiality of information:
- Don't leave documents unattended on the copier or fax machine
- Shred any confidential documents when discarding them
- Encrypt highly confidential e-mail sent through the Internet, or consider using a courier
- Keep a "clean desk" and secure important files when leaving
- Remove papers and wipe boards clean when finished using conference rooms

Physical Security : 

- Access into the building (tailgaters!)
- Do not prop doors open
- Access to your backups
- Access to your paper documents: documents left on your desk, documents in your garbage (dumpster diving!)
- Shred, shred, shred!
- Screen saver lock; lock your computer when leaving your desk

Social Engineering : 

By definition: the acquisition of sensitive information or inappropriate access privileges by an outsider, based on building inappropriate trust relationships with insiders. It is the art of manipulating people into actions they would not normally take.

Types of Social Engineering - Human : 

- Impersonation: important user, third-party authorization, tech support, in person
- Dumpster diving
- Shoulder surfing
- Instant messaging

Types of Social Engineering - Human : 

- Never give your password in e-mail
- Never give your password over the phone
- If in doubt, keep all private information to yourself
- Shred sensitive documents
- Lock your computer when you get up
- Lock away sensitive documents when finished

Types of Social Engineering - Computer : 

- Pop-up windows
- Mail attachments
- Spam, chain letters and hoaxes
- Websites
- Instant messaging
- Phishing attacks

Slide 49: 

The Street Interview

Giving too much information : 

The "live survey" (from very friendly people). You're stopped to give a survey (airports, theaters, streets, etc.):
- What's your name, and what do you think of the airport?
- Date of birth, favorite vacation spot
- Dream car, mother's maiden name
- What you'd do with a million dollars, name of first school

Giving too much information : 

"Thank you for taking our survey. If you'd like a voucher mailed to you for free airport food, drinks, air miles, etc., we'll need your home phone number, just in case of problems in the voucher delivery."

Giving too much information : 

What have you just said?
- Mother's maiden name?
- Date of birth?
- First school attended?
- Phone number?
For online or telephone banking, are these your verification items? Can a birth certificate be obtained with this information?

Slide 53: 

Sounds like identity theft !

Slide 54: 

Let’s Go Phishing

Phishing : 

- The e-mail LOOKS like it comes from a trusted source
- Asks you to click the link because your account needs updating, or it will be shut down
- Takes you to a page that looks like the trusted source
- Accepts personal data (your "required update")
- The information does not go to the trusted source
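An added example, not part of the presentation, turning the five tells on this slide into checks that can be run over a message: a sender that is not the brand it names, a link whose visible text is the trusted site but whose target is somewhere else, a link to a bare IP address, and the "update now or be shut down" urgency. The two messages are constructed for the example (the bank domain, addresses and phrases are assumptions); the registrable-domain helper keeps only the last two labels, which is enough here but a real tool would use the public suffix list.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation really banks with (assumption for the example).
TRUSTED_DOMAINS = {"firstnational.example"}
URGENCY_PHRASES = ("urgent", "suspend", "shut down", "within 24 hours", "verify your account")
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)

# Constructed messages, not real mail. PHISH follows the pattern on the slide: trusted-looking sender,
# threat of shutdown, link whose text is the bank but whose target is not. LEGIT is the bank's own notice.
PHISH = """\
From: "First National Bank" <security@firstnational-bank-verify.example>
To: customer@example.org
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset="utf-8"

<p>Dear customer, your account needs updating within 24 hours or it will be shut down.</p>
<p><a href="http://198.51.100.23/update/login">https://www.firstnational.example/secure</a></p>
"""

LEGIT = """\
From: "First National Bank" <alerts@firstnational.example>
To: customer@example.org
Subject: Your October statement is ready
Content-Type: text/html; charset="utf-8"

<p>Your statement is available. <a href="https://www.firstnational.example/login">Sign in</a> to view it.</p>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a>, plus all visible text in the body."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._buf = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def host_of(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Last two labels only; a real implementation uses the public suffix list (assumption)."""
    return ".".join(host.split(".")[-2:])


def analyze(raw):
    """Return the sorted set of phishing tells found in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = registrable(addr.rsplit("@", 1)[-1].lower())
    parser = LinkExtractor()
    parser.feed(msg.get_content())
    body = " ".join(parser.text).lower()
    subject = str(msg["Subject"]).lower()
    findings = []

    # 1. Brand impersonation: the mail talks about a trusted bank but was not sent from its domain.
    blob = (display + " " + subject + " " + body).lower().replace(" ", "")
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in blob and sender_domain != trusted:
            findings.append("sender_domain_untrusted")

    # 2. Links: where they really go, and whether the visible text says something else.
    for href, text in parser.links:
        target_host = host_of(href)
        if IP_LITERAL.match(target_host):
            findings.append("ip_literal_link")
        if registrable(target_host) not in TRUSTED_DOMAINS:
            findings.append("link_target_untrusted")
        if URL_LIKE.match(text) and registrable(host_of(text)) != registrable(target_host):
            findings.append("link_text_mismatch")

    # 3. Pressure to act now, the social-engineering half of the attack.
    if any(p in subject or p in body for p in URGENCY_PHRASES):
        findings.append("urgency_language")

    return sorted(set(findings))


if __name__ == "__main__":
    print("phish:", analyze(PHISH))
    print("legit:", analyze(LEGIT))
```

The text-versus-href comparison is the one users cannot do by eye and mail clients rarely surface; it is also the check that survives when the attacker registers a plausible domain instead of using an IP address.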

Phishing : 

(Six slides of phishing e-mail and web page screenshots; the images are not in the transcript.)

Phishing : 

Let's take another look....

Phishing : 

(Two more screenshot slides; the images are not in the transcript.)

Summary : 

- Good security starts and ends with you
- Confidentiality, integrity, availability (the bedrocks!)
- Nothing is 100% secure
- Protection of assets is a layered approach
- Multiple resources on the Web: www.sans.org, www.securityfocus.com, cve.mitre.org (Common Vulnerabilities and Exposures)