Securing Confidential Data in a Connected World: Methods and Applications

Securing Confidential Data in a Connected World: Methods and Applications

A Connected World

Today, More people have access to the Internet than EVER before:

World Population = 2,405,518,376 (34.3 %) North America = 273,785,413 (78.6%) Teens Online 95%

(InternetWorldStats.com/Stats.htm)

Using Mobile Devices = 74%

Have Smart phones = 37% Tablets = 23%

80% have a desktop and/or laptop

(PewInternet.org)

Emerging Youth and Trends

Our emerging youth will present a much greater risk due to their perception of open source life and living within Notopia - a boundary-less world filled with eroded ethics and principles.

Due to the loss of boundaries, the online world is remodeling concepts of legality, right/wrong, and Private/Confidential materials. As the Digital babies mature, the need to increase security will follow with them

Responsibility of the Organization

It is the responsibility of the organization that collects, stores, and disseminates confidential data to maintain both its security and availability to those persons it was collected for.

By requiring security, there is an inference to an amount of value this data represents to the agency or person(s) the data concerns
Given value, data now has a proportionate level of risk if it is lost, stolen, or misused.

Law Enforcement

Who decides how to classify data?

Federally held data is within the realm of the FBI (non-intelligence)

Criminal data is held within the National Crime Information Centers (NCIC) at their Criminal Justice Information Services Division (CJIS) in West Virginia These agencies may choose to further restrict access and broaden the range of what is considered Confidential data (barring FOIA request in some cases and even then are still
responsible for preventing sensitive information from leaking)

State and Local Levels

Confidential Data

Now that is has been classified as Confidential the agency should

Craft fitting policies & SOPs to provide clear directives for personnel to handle and Protect the valuable data Routinely review their policies and SOPs to insure that they evolve along with risks Track infractions to model corrective training and provide risk data

Securing Confidential Data

Physical Security

Primary means of preventing access to workstations, servers, teletypes, fax machines, printers, and other monitoring devices
All access points must be locked to prevent noncleared personnel from access or viewing sensitive/confidential data

Technology - Hardware

Limit outside access from both Internet and local networks without clearance by using:
Firewalls limit network communications based on network protocols, activity, ports, and types of communication MPLS Can be used to connect geographically separate locations, intelligently route network packets, create VPNs to encapsulate data

Encryption Levels (AES [128 -256] Advanced Encryption Standard) and other advancing encryption schemes

Authentication

Domain Level

Secondary Security Server

Dual Authentication

Primary

Active Directory Windows

NIS (Network Information Services) - Linux Additional Server/Applications used to integrate Smart Cards, HID devices, and Biometrics

Secondary

Serves as bound medium to facilitate security measures while reducing user's burden of extra passwords

Encryption

Lower level security measure

By itself, may be weak use in conjunction with the previous devices mentioned

Hardware

Frees up computing resources and increases speed Increased up-front costs Ease of implementation as needed Decreased Cost Decreased speeds and increased CPU strain Whole drives/arrays Folders Files

Software

Implementations

Antivirus / Malware Detection

Hardware

Typically network-based devices

Can be less expensive financially Decreases overall network performance, while minimally affecting workstation resources and speed

Software

Can be Server and/or Workstation-based

Best use scenario includes centralized updates and configurations via Group Policies Can be configured at workstation level for specialized projects May cause interference with applications and websites

Wetware- Humans

Employees, users, vendors with access

Backgrounds, Polygraphs, and regular audits/debriefings

Training concerning historically effective security issues

Social Engineering

Social Engineering

Reminder of how social engineering is successful lax awareness

Various government organizations still use placards to keep the mindset of their personnel on guard against mindhackers

Confirm knowledge of SOPs, protocols, and personnel Identification and access rights
Never discuss sensitive information concerning security infrastructures and their access data

Pressure Testing

After backing up Confidential Data

Test Disaster Recovery and Protocols Periodically

Who are responsible for each measure, and can they quickly implement their tasks In case of Loss or Intrusion, review who needs to be notified

Invite Certified Security Personnel to assess your organizations security measures used to protect the Confidential Data

White Hats Grey Hats Black Hats

Methods of Testing

Intrusion Testing

Check Logs

Firewalls Routers Servers

Often Forgotten

Patches

Updates
Security Forums/Groups