agenda - kasbo

www.strothman.com
Securing Your Data and
Electronic Devices
Presented by
Lisa Holden
CIA, CISA, CISSP, CRISC, PMP
Senior Manager
Strothman and Company
AGENDA
• Summary of recent breaches – Target, Neiman
Marcus, Michaels
• Highlights of latest Verizon Data Breach Report
• Overview of Cloud Computing – Is My Data Safe?
• Highlights of new Federal Cybersecurity Framework
• Overview of HIPAA and PCI Compliance – Healthcare
and Credit Card Data Security Issues
• Basic Steps for Securing Devices
Target
• Attackers broke in to Target after compromising a company
web server using stolen HVAC vendor credentials.
• Attackers moved through the network using an admin
account for IT management software installed on Target
servers.
• Attackers were able to upload the malicious BlackPOS
software to store point-of-sale machines in Nov and Dec.
• Attackers set up a control server within Target’s internal
network that served as a central repository for data
obtained by all of the infected point-of-sale devices. Data
was later downloaded to Russia.
• Over 40 million card records affected.
Neiman Marcus
• Attackers used same BlackPOS software,
starting in July through October, on store POS
machines.
• Company was notified by its card processing
company on December 13.
• Over 1 million cards affected.
Michaels
• In a 2011 attack, hackers replaced some 84
PIN pads on payment-card terminals at a small
number of Michaels stores, resulting in the
theft of about 94,000 payment card numbers.
• New breach being investigated in 2014.
• Unknown number of cards affected.
Investigation is pending.
Breach History and Reporting
• Sears and Sally Beauty Supply
• http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Some 77 percent of the respondents say their firms
had been hit with a cyberattack in the past two years.
Only about 35 percent say they share attack and threat
information with other organizations in their industry,
32 percent say they do not share such intelligence, and
27 percent did not say one way or the other.
Verizon Data Breach Report
• http://www.verizonenterprise.com/resources/media/large-133994-speed-sophistication.xml
• 2013 Highlights: Speed and Sophistication
Cloud Computing – Is My Data Safe?
CLOUD SECURITY ALLIANCE
The Notorious Nine: Cloud Computing
Top Threats in 2013
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
Securing
the Cloud…
NIST Federal Cybersecurity Framework
• In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity. The order calls for the development of a voluntary, risk-based Cybersecurity Framework—a set of existing standards, guidelines and practices to help organizations manage cyber risks.
• The resulting framework, created through public-private collaboration, provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.
PCI DSS 3.0
Confidentiality (FERPA) –
FERPA Pop Quiz – True or False?
• It is okay to post student grades by social security number.
• It is okay to include a student’s GPA in a letter of recommendation.
• Examinations and term papers are not subject to FERPA.
• Parents are allowed to see their child’s records.
• A written note made by one person as an individual observation that is not shared with anyone is subject to FERPA.
• Directory Information pertains only to students’ names, addresses, and phone numbers.
• It is okay to distribute graded papers by placing them on a table for students to pick up after class.
• Student representatives on committees may have access to other students’ education records during the course of that committee’s work.
• Faculty have a right to see education records of any student attending UMaine without giving a reason.
• In a divorce situation, both biological parents have equal standing in gaining access to the student’s education records even if the student is a dependent of only one parent.
Confidentiality (FERPA) –
FERPA Pop Quiz – Answers
• It is okay to post student grades by social security number. FALSE
• It is okay to include a student’s GPA in a letter of recommendation. FALSE
• Examinations and term papers are not subject to FERPA. FALSE
• Parents are allowed to see their child’s records. FALSE
• A written note made by one person as an individual observation that is not shared with anyone is subject to FERPA. FALSE
• Directory Information pertains only to students’ names, addresses, and phone numbers. FALSE
• It is okay to distribute graded papers by placing them on a table for students to pick up after class. FALSE
• Student representatives on committees may have access to other students’ education records during the course of that committee’s work. TRUE
• Faculty have a right to see education records of any student attending UMaine without giving a reason. FALSE
• In a divorce situation, both biological parents have equal standing in gaining access to the student’s education records even if the student is a dependent of only one parent. TRUE
SANS Consensus Audit Guidelines
• Critical Control 1: Inventory of Authorized and Unauthorized Devices
• Critical Control 2: Inventory of Authorized and Unauthorized Software
• Critical Control 3: Secure Configurations for Hardware and Software on
Mobile Devices, Laptops, Workstations, and Servers
• Critical Control 4: Continuous Vulnerability Assessment and Remediation
• Critical Control 5: Malware Defenses
• Critical Control 6: Application Software Security
• Critical Control 7: Wireless Access Control
• Critical Control 8: Data Recovery Capability
• Critical Control 9: Security Skills Assessment and Appropriate Training to
Fill Gaps
• Critical Control 10: Secure Configurations for Network Devices such as
Firewalls, Routers, and Switches
SANS Consensus Audit Guidelines
• Critical Control 11: Limitation and Control of Network Ports,
Protocols, and Services
• Critical Control 12: Controlled Use of Administrative Privileges
• Critical Control 13: Boundary Defense
• Critical Control 14: Maintenance, Monitoring, and Analysis of Audit
Logs
• Critical Control 15: Controlled Access Based on the Need to Know
• Critical Control 16: Account Monitoring and Control
• Critical Control 17: Data Protection
• Critical Control 18: Incident Response and Management
• Critical Control 19: Secure Network Engineering
• Critical Control 20: Penetration Tests and Red Team Exercises
Maintaining Desktops and Laptops
Use up-to-date antivirus and antispyware software
Install antivirus software (based on your operating system) on your computer, and schedule
daily updates that will recognize new virus types as they emerge. Enable the automatic
protection of all incoming files, and schedule weekly scans of your hard drive. Install
antispyware software on your computer, since antivirus protection is not enough.
Don't open files from unknown sources
Carefully judge the credibility and trustworthiness of the source of a file before opening it.
Email attachments and downloaded files are common sources for malicious programs. Bear
in mind that some viruses and worms can mimic the identity of a familiar email
correspondent. If you weren't expecting an attachment, you may want to contact the email
sender to verify the attachment before opening.
Keep your operating system up-to-date
Updates should be downloaded and installed immediately—many contain critical fixes for
security-related defects. Recent operating systems have automated the update process,
though you may be prompted to approve the process.
Maintaining Desktops and Laptops
Keep your application software updated
Check your software manufacturers' websites regularly for updates to their products.
Delete Data Securely
Use secure data deletion to destroy files and folders immediately and permanently in a secure
manner.
Backup
Create a backup of your entire system periodically, and back up critical data files whenever you
update them. A network user folder provides adequate backup space for most people, but files
consuming large amounts of space—video or music—may require external disk drives to back
them up adequately.
Use Physical security
Protect your system from theft by physically securing your computer. Purchase a lockup cable for
your laptop to increase security in residence halls, libraries, and other places you may take your
computer, and a surge protector with a circuit breaker to protect against power line surges. Verify
that your home system is covered under a homeowner's or renter's insurance policy.
Setting Up Desktops and Laptops
Protect device with a strong login password
Learn what constitutes a strong password, create ones you can remember, and never share
your password with anyone. If you have reason to believe someone has learned one of your
passwords, change it immediately.
Use a password protected screen saver
Configure your computer to lock the screen automatically, after a brief period of about 10-15
minutes of inactivity, with a password-protected screensaver. This enhances security and
causes you minimal inconvenience.
Encrypt laptops and any critical or private data
Use whole disk encryption for laptops and file or folder level encryption on network data to
protect data.
Use intrusion detection, data loss prevention, web filter and email filter tools
Use tools to manage network traffic in and out of your network and control what goes in
and out.
Setting Up Desktops and Laptops
Turn off file sharing
To ensure other people cannot access your files and folders, you must disable file sharing.
Turn on firewalls
Firewalls can prevent hackers from making unwanted connections to your machine. The
firewalls on recent Windows and Macintosh operating systems are turned on by default.
Turn off or delete unneeded software features
The more software packages there are on a computer, the more opportunity for hackers.
Uninstall applications and turn off features you don't use.
Configure properly for multiple users
If multiple people use a computer, ensure that they each have their own user account.
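The two "Setting Up Desktops and Laptops" slides above are a checklist; the script below is an added example (not part of the Strothman presentation) that audits a Windows 10/11 workstation against it: firewall on, antivirus current, password-protected screen lock within the 10-15 minute window, whole-disk encryption, file sharing off, and named accounts with Guest disabled. It assumes the built-in NetSecurity, Defender, BitLocker, SmbShare and LocalAccounts PowerShell modules; the BitLocker check needs an elevated session, and the 15-minute and one-day thresholds are parameters chosen here from the slide text.

```powershell
# Added example: audit a Windows workstation against the desktop/laptop checklist.
# Not part of the presentation. Thresholds (15 min idle lock, 1-day signature age)
# are taken from the slide text and are adjustable parameters.

function Test-DeviceBaseline {
    [CmdletBinding()]
    param(
        [int]$MaxIdleMinutes = 15,       # slide: lock after about 10-15 minutes
        [int]$MaxSignatureAgeDays = 1    # slide: schedule daily antivirus updates
    )

    $findings = New-Object 'System.Collections.Generic.List[object]'
    function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # "Turn on firewalls": every profile (Domain, Private, Public) must be enabled.
    $off = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled })
    $detail = if ($off.Count) { "Disabled profiles: $($off.Name -join ', ')" } else { 'All profiles enabled' }
    Add-Finding 'Firewall enabled on all profiles' ($off.Count -eq 0) $detail

    # "Use up-to-date antivirus and antispyware software": Defender on, signatures fresh.
    try {
        $mp  = Get-MpComputerStatus
        $age = (Get-Date) - $mp.AntivirusSignatureLastUpdated
        Add-Finding 'Real-time antivirus protection' $mp.RealTimeProtectionEnabled `
            "RealTimeProtection=$($mp.RealTimeProtectionEnabled) Antispyware=$($mp.AntispywareEnabled)"
        Add-Finding 'Antivirus signatures current' ($age.TotalDays -le $MaxSignatureAgeDays) `
            "Last update $($mp.AntivirusSignatureLastUpdated) ($([int]$age.TotalHours) h ago)"
    } catch {
        Add-Finding 'Antivirus status' $false "Get-MpComputerStatus failed: $($_.Exception.Message)"
    }

    # "Use a password protected screen saver": active, secure, timeout within the limit.
    $d = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $timeout = 0
    if ($d.ScreenSaveTimeOut) { $timeout = [int]$d.ScreenSaveTimeOut }
    $locks = ($d.ScreenSaveActive -eq '1') -and ($d.ScreenSaverIsSecure -eq '1') `
             -and ($timeout -gt 0) -and ($timeout -le ($MaxIdleMinutes * 60))
    Add-Finding 'Password-protected screen lock' $locks `
        "Active=$($d.ScreenSaveActive) Secure=$($d.ScreenSaverIsSecure) TimeOut=${timeout}s"

    # "Encrypt laptops": the system drive should be protected by BitLocker.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        Add-Finding 'Whole-disk encryption (BitLocker)' ($vol.ProtectionStatus -eq 'On') `
            "$($vol.MountPoint) Protection=$($vol.ProtectionStatus) Volume=$($vol.VolumeStatus)"
    } catch {
        Add-Finding 'Whole-disk encryption (BitLocker)' $false `
            "Get-BitLockerVolume failed (run elevated?): $($_.Exception.Message)"
    }

    # "Turn off file sharing": no user-created SMB shares (admin shares such as C$ are 'Special').
    $shares = @(Get-SmbShare | Where-Object { -not $_.Special })
    $detail = if ($shares.Count) { "User shares: $($shares.Name -join ', ')" } else { 'No user shares' }
    Add-Finding 'File sharing off' ($shares.Count -eq 0) $detail

    # "Configure properly for multiple users": named accounts only, Guest disabled.
    $users   = @(Get-LocalUser | Where-Object { $_.Enabled })
    $guestOn = [bool]($users | Where-Object { $_.Name -eq 'Guest' })
    Add-Finding 'Guest account disabled' (-not $guestOn) "Enabled local accounts: $($users.Name -join ', ')"

    return $findings
}

# Usage: print the whole checklist, then count the items that need attention.
$results = @(Test-DeviceBaseline)
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
Write-Host ("{0} of {1} checks failed" -f $failed.Count, $results.Count)
```

Each check returns a pass/fail object with the raw values it looked at, so the same function can feed a ticket or a fleet report rather than only the console; the screen-lock check reads the per-user registry keys and therefore reflects the account running the script, not every user on the machine.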
Smart Phones
Use a password
All smart phones must be protected with a password of at least four characters.
Lock the phone when not active
Configure your device to lock the screen automatically, after a brief period of about 10-15
minutes of inactivity, with password protection.
Backup contacts and data
Most carriers have a backup application to allow you to store a backup of your contacts and
data. Make sure the backup runs daily.
Use an anti-virus application
Both iTunes and Google Play have several anti-virus applications available for install. Make
sure that it works for your phone model and make sure to keep it up to date.
Configure phone to allow remote wipe
If your phone has corporate email, it should be configured for remote wipe by your system
administrator using Microsoft Exchange ActiveSync tools. You should always be prepared
to have your phone wiped or need to perform a factory reset (lose data on the phone) at a
moment’s notice if necessary. Know how to recover and it won’t be a problem.
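The "Smart Phones" settings above map directly onto an Exchange ActiveSync mailbox policy. The script below is an added example (not part of the Strothman presentation) that enforces a PIN of at least four characters, an automatic lock after 15 minutes of inactivity, and remote wipe for a lost handset. It assumes an Exchange 2013 or later (or Exchange Online) management session is already open; parameter names follow Set-MobileDeviceMailboxPolicy, while older servers use Set-ActiveSyncMailboxPolicy with "Device" in the parameter names (for example MinDevicePasswordLength), so verify against the version in use. The policy name and mailbox address are placeholders.

```powershell
# Added example: Exchange ActiveSync policy enforcing the smart-phone checklist.
# Not part of the presentation. Assumes an open Exchange management session.
$PolicyName = 'Phone-Baseline-Example'   # placeholder policy name
$Mailbox    = 'user@example.com'         # placeholder mailbox

# Create the policy on first run, then apply the settings (safe to re-run).
if (-not (Get-MobileDeviceMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-MobileDeviceMailboxPolicy -Name $PolicyName | Out-Null
}

$settings = @{
    Identity                     = $PolicyName
    PasswordEnabled              = $true       # "Use a password"
    MinPasswordLength            = 4           # "at least four characters"
    AllowSimplePassword          = $false      # refuse 1111, 1234 and similar sequences
    MaxInactivityTimeLock        = '00:15:00'  # "lock ... after about 10-15 minutes"
    MaxPasswordFailedAttempts    = 10          # handset wipes itself after repeated wrong PINs
    RequireDeviceEncryption      = $true       # mail data encrypted at rest on the handset
    AllowNonProvisionableDevices = $false      # phones that cannot enforce the policy are refused
}
Set-MobileDeviceMailboxPolicy @settings

# Assign the policy to the mailbox; the phone picks it up at its next sync.
Set-CASMailbox -Identity $Mailbox -ActiveSyncMailboxPolicy $PolicyName

# "Configure phone to allow remote wipe": find the lost handset among the user's
# synced devices and send the wipe. Clear-MobileDevice asks for confirmation first.
function Invoke-LostPhoneWipe {
    param([string]$UserMailbox, [string]$DeviceId)
    $device = Get-MobileDevice -Mailbox $UserMailbox | Where-Object { $_.DeviceId -eq $DeviceId }
    if (-not $device) { throw "No device '$DeviceId' is synced for $UserMailbox" }
    # Omit -AccountOnly so the whole handset is reset, as the slide describes;
    # add it to remove only the corporate mailbox data from a personal phone.
    Clear-MobileDevice -Identity $device.Identity -NotificationEmailAddresses $UserMailbox -Confirm
}

# Review what is enrolled (and whether a wipe has already been sent) before acting.
Get-MobileDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceType, DeviceModel, DeviceId, LastSuccessSync, DeviceWipeSentTime
```

Because the policy is enforced by the handset rather than the server, AllowNonProvisionableDevices is the setting that matters most: with it left at the default, a phone that cannot apply the PIN and lock rules still syncs mail and simply ignores them.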