Securing Your Data and Electronic Devices
Presented by Lisa Holden, CIA, CISA, CISSP, CRISC, PMP
Senior Manager, Strothman and Company
www.strothman.com

AGENDA
• Summary of recent breaches – Target, Neiman Marcus, Michaels
• Highlights of latest Verizon Data Breach Report
• Overview of Cloud Computing – Is My Data Safe?
• Highlights of new Federal Cybersecurity Framework
• Overview of HIPAA and PCI Compliance – Healthcare and Credit Card Data Security Issues
• Basic Steps for Securing Devices

Target
• Attackers broke into Target after compromising a company web server using stolen HVAC vendor credentials.
• Attackers moved through the network using an admin account for IT management software installed on Target servers.
• Attackers were able to upload the malicious BlackPOS software to store point-of-sale machines in Nov and Dec.
• Attackers set up a control server within Target’s internal network that served as a central repository for data obtained by all of the infected point-of-sale devices. Data was later downloaded to Russia.
• Over 40 million card records affected.

Neiman Marcus
• Attackers used the same BlackPOS software, starting in July through October, on store POS machines.
• Company was notified by its card processing company on December 13.
• Over 1 million cards affected.

Michaels
• In a 2011 attack, hackers replaced some 84 PIN pads on payment-card terminals at a small number of Michaels stores, resulting in the theft of about 94,000 payment card numbers.
• New breach being investigated in 2014.
• Unknown number of cards affected. Investigation is pending.

Breach History and Reporting
• Sears and Sally Beauty Supply
• http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Some 77 percent of the respondents say their firms had been hit with a cyberattack in the past two years. Only about 35 percent say they share attack and threat information with other organizations in their industry, 32 percent say they do not share such intelligence, and 27 percent did not say one way or the other.

Verizon Data Breach Report
• http://www.verizonenterprise.com/resources/media/large-133994-speed-sophistication.xml
• 2013 Highlights: Speed and Sophistication

Cloud Computing – Is My Data Safe?

CLOUD SECURITY ALLIANCE – The Notorious Nine: Cloud Computing Top Threats in 2013
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues

Securing the Cloud…

NIST Federal Cybersecurity Framework
• In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity. The order calls for the development of a voluntary, risk-based Cybersecurity Framework—a set of existing standards, guidelines and practices to help organizations manage cyber risks.
• The resulting framework, created through public-private collaboration, provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.

PCI DSS 3.0

Confidentiality (FERPA) – FERPA Pop Quiz – True or False?
• It is okay to post student grades by social security number.
• It is okay to include a student’s GPA in a letter of recommendation.
• Examinations and term papers are not subject to FERPA.
• Parents are allowed to see their child’s records.
• A written note made by one person as an individual observation that is not shared with anyone is subject to FERPA.
• Directory Information pertains only to students’ names, addresses, and phone numbers.
• It is okay to distribute graded papers by placing them on a table for students to pick up after class.
• Student representatives on committees may have access to other students’ education records during the course of that committee’s work.
• Faculty have a right to see education records of any student attending UMaine without giving a reason.
• In a divorce situation, both biological parents have equal standing in gaining access to the student’s education records even if the student is a dependent of only one parent.

Confidentiality (FERPA) – FERPA Pop Quiz – Answers
• It is okay to post student grades by social security number. FALSE
• It is okay to include a student’s GPA in a letter of recommendation. FALSE
• Examinations and term papers are not subject to FERPA. FALSE
• Parents are allowed to see their child’s records. FALSE
• A written note made by one person as an individual observation that is not shared with anyone is subject to FERPA. FALSE
• Directory Information pertains only to students’ names, addresses, and phone numbers. FALSE
• It is okay to distribute graded papers by placing them on a table for students to pick up after class. FALSE
• Student representatives on committees may have access to other students’ education records during the course of that committee’s work. TRUE
• Faculty have a right to see education records of any student attending UMaine without giving a reason. FALSE
• In a divorce situation, both biological parents have equal standing in gaining access to the student’s education records even if the student is a dependent of only one parent. TRUE

SANS Consensus Audit Guidelines
• Critical Control 1: Inventory of Authorized and Unauthorized Devices
• Critical Control 2: Inventory of Authorized and Unauthorized Software
• Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Critical Control 4: Continuous Vulnerability Assessment and Remediation
• Critical Control 5: Malware Defenses
• Critical Control 6: Application Software Security
• Critical Control 7: Wireless Access Control
• Critical Control 8: Data Recovery Capability
• Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
• Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
• Critical Control 12: Controlled Use of Administrative Privileges
• Critical Control 13: Boundary Defense
• Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
• Critical Control 15: Controlled Access Based on the Need to Know
• Critical Control 16: Account Monitoring and Control
• Critical Control 17: Data Protection
• Critical Control 18: Incident Response and Management
• Critical Control 19: Secure Network Engineering
• Critical Control 20: Penetration Tests and Red Team Exercises

Maintaining Desktops and Laptops

Use up-to-date antivirus and antispyware software
Install antivirus software (based on your operating system) on your computer, and schedule daily updates that will recognize new virus types as they emerge. Enable the automatic protection of all incoming files, and schedule weekly scans of your hard drive. Install antispyware software on your computer, since antivirus protection is not enough.
Don't open files from unknown sources
Carefully judge the credibility and trustworthiness of the source of a file before opening it. Email attachments and downloaded files are common sources for malicious programs. Bear in mind that some viruses and worms can mimic the identity of a familiar email correspondent. If you weren't expecting an attachment, you may want to contact the email sender to verify the attachment before opening.

Keep your operating system up-to-date
Updates should be downloaded and installed immediately—many contain critical fixes for security-related defects. Recent operating systems have automated the update process, though you may be prompted to approve the process.

Keep your application software updated
Check your software manufacturers' websites regularly for updates to their products.

Delete data securely
Use secure data deletion to destroy files and folders immediately and permanently in a secure manner.

Backup
Create a backup of your entire system periodically, and back up critical data files whenever you update them. A network user folder provides adequate backup space for most people, but files consuming large amounts of space—video or music—may require external disk drives to back them up adequately.

Use physical security
Protect your system from theft by physically securing your computer. Purchase a lockup cable for your laptop to increase security in residence halls, libraries, and other places you may take your computer, and a surge protector with a circuit breaker to protect against power line surges. Verify that your home system is covered under a homeowner's or renter's insurance policy.

Setting Up Desktops and Laptops

Protect the device with a strong login password
Learn what constitutes a strong password, create ones you can remember, and never share your password with anyone. If you have reason to believe someone has learned one of your passwords, change it immediately.

Use a password-protected screen saver
Configure your computer to lock the screen automatically, after a brief period of about 10-15 minutes of inactivity, with a password-protected screensaver. This enhances security and causes you minimal inconvenience.

Encrypt laptops and any critical or private data
Use whole-disk encryption for laptops and file- or folder-level encryption on network data to protect data.

Use intrusion detection, data loss prevention, web filter and email filter tools
Use tools to manage network traffic in and out of your network and control what goes in and out.

Turn off file sharing
To ensure other people cannot access your files and folders, you must disable file sharing.

Turn on firewalls
Firewalls can prevent hackers from making unwanted connections to your machine. The firewalls on recent Windows and Macintosh operating systems are turned on by default.

Turn off or delete unneeded software features
The more software packages there are on a computer, the more opportunity for hackers. Uninstall applications and turn off features you don't use.

Configure properly for multiple users
If multiple people use a computer, ensure that they each have their own user account.

Smart Phones

Use a password
All smart phones must be protected with a password of at least four characters.

Lock the phone when not active
Configure your device to lock the screen automatically, after a brief period of about 10-15 minutes of inactivity, with password protection.

Back up contacts and data
Most carriers have a backup application to allow you to store a backup of your contacts and data. Make sure the backup runs daily.

Use an anti-virus application
Both iTunes and Google Play have several anti-virus applications available for install. Make sure that it works for your phone model and make sure to keep it up to date.

Configure the phone to allow remote wipe
If your phone has corporate email, it should be configured for remote wipe by your system administrator using Microsoft Exchange ActiveSync tools. You should always be prepared to have your phone wiped or need to perform a factory reset (lose data on the phone) at a moment’s notice if necessary. Know how to recover and it won’t be a problem.
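The desktop and laptop checklist above (daily antivirus updates, a password-protected screen lock after 10-15 minutes, whole-disk encryption, file sharing off, firewall on) can be verified rather than taken on trust. The following read-only audit script is an added example and not part of the original slide deck; it assumes a Windows 10/11 machine with Microsoft Defender and BitLocker available, run from an elevated PowerShell prompt, and uses the slide's own thresholds.

```powershell
# Added example (not from the slides): audit one Windows PC against the checklist.
# Assumes Windows 10/11, PowerShell 5.1+, Microsoft Defender and the BitLocker module.
# Read-only: it reports PASS/FAIL per item and changes nothing.

$findings = New-Object System.Collections.Generic.List[string]

function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $status = if ($Pass) { 'PASS' } else { 'FAIL' }
    $findings.Add(('{0,-4} {1}: {2}' -f $status, $Check, $Detail))
}

# 1. Antivirus enabled, real-time protection on, signatures updated within the last day
$mp     = Get-MpComputerStatus
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
Add-Finding 'Antivirus' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and $sigAge.TotalHours -le 24) `
    ('enabled={0} realtime={1} signatures {2:N0}h old' -f $mp.AntivirusEnabled, $mp.RealTimeProtectionEnabled, $sigAge.TotalHours)

# 2. Password-protected screen saver that locks within 15 minutes (900 s) of inactivity
$ss      = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$timeout = [int]$ss.ScreenSaveTimeOut   # stored as a string, in seconds; 0 if unset
$locks   = ($ss.ScreenSaveActive -eq '1') -and ($ss.ScreenSaverIsSecure -eq '1')
Add-Finding 'Screen lock' ($locks -and $timeout -gt 0 -and $timeout -le 900) `
    ('active={0} secure={1} timeout={2}s' -f $ss.ScreenSaveActive, $ss.ScreenSaverIsSecure, $timeout)

# 3. Whole-disk encryption actively protecting the system drive
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
Add-Finding 'Disk encryption' ($bl.ProtectionStatus -eq 'On') `
    ('BitLocker protection {0}, {1}% encrypted' -f $bl.ProtectionStatus, $bl.EncryptionPercentage)

# 4. Host firewall enabled on every profile (Domain, Private, Public)
$fwOff = (Get-NetFirewallProfile | Where-Object { -not $_.Enabled }).Name
Add-Finding 'Firewall' ($fwOff.Count -eq 0) `
    ('disabled profiles: ' + $(if ($fwOff) { $fwOff -join ',' } else { 'none' }))

# 5. File and Printer Sharing (ms_server) unbound from every network adapter
$shareBound = Get-NetAdapterBinding -ComponentID ms_server | Where-Object Enabled
Add-Finding 'File sharing off' ($shareBound.Count -eq 0) `
    ('adapters with sharing bound: ' + $(if ($shareBound) { $shareBound.Name -join ',' } else { 'none' }))

$findings | ForEach-Object { Write-Output $_ }
```

A FAIL line points at the slide item to fix; on Home editions without BitLocker, Get-BitLockerVolume will error and that check should be replaced with whatever encryption product is in use.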