We Implement Security Based on Cost vs. Risk: Security on Your Campus, How to Protect Privacy Information (PowerPoint transcript)
1
Session 48
  • Security on Your Campus: How to Protect Privacy
    Information
  • Robert Ingwalson

3
We Implement Security Based on Cost vs. Risk
4
Protecting personal information is Everybody's
Job!
Personally Identifiable Information (PII):
information about an individual, including but
not limited to education, employment, financial
transactions, medical history and criminal
background information, which can be used to
distinguish or trace an individual's identity,
such as their name, social security number, date
and place of birth, mother's maiden name,
biometric records, etc., including any other
personal information that can be linked to an
individual.
Don't become a headline!
5
Protecting Personally Identifiable Information
  • In the Office
  • On the System
  • Data Transfers
  • Remote Users
  • Assess Your Security

6
Protecting Personally Identifiable Information
  • In the Office
  • Document handling and storage
  • Phones and Faxes
  • Land Shipments
  • Physical Office Security
  • Personnel Security
  • Policy and Training

7
Protecting Personally Identifiable Information
  • In the Office
  • Document Handling and Storage
  • Limit printing of PII
  • Clean Desk
  • Sensitivity Identification
  • Shredding
  • Monitoring
  • Secure storage

8
Protecting Personally Identifiable Information
  • In the Office
  • Phones
  • Limit PII conversations
  • Don't leave PII in voicemails
  • Prevent listeners
  • Faxes
  • Limit faxing of PII
  • Confirm fax number
  • Two way communication before sending and upon
    receipt
  • Monitor the Fax
  • Safeguard document

9
Protecting Personally Identifiable Information
  • In the Office
  • Land Shipments
  • Limit shipments of PII
  • Encrypt sent media
  • Double package
  • Send by reputable shipping agent
  • Include a manifest inside the package.
  • Communicate shipment with receiver

10
Protecting Personally Identifiable Information
  • In the Office
  • Physical Office Security
  • Staffed reception counter
  • After hours?
  • Card/key access
  • Change combinations and keys
  • Logs
  • Added Security
  • Cameras
  • Entry and exit checks

11
Protecting Personally Identifiable Information
  • In the Office
  • Personnel Security
  • Know who should be there
  • Challenge others
  • Personnel background checks
  • Criminal
  • Employment history
  • Credit
  • Train shortly after employment begins and then
    refresh periodically

13
Protecting Personally Identifiable Information
  • In the Office
  • Policy and Training
  • Policy provides basis for controls and a roadmap
    to follow
  • Based on requirements and good practice
  • Individuals need training on policy - Include in
    Personnel training

14
Protecting Personally Identifiable Information
  • On the System (Defense in Depth)
  • Policy
  • Personnel Security
  • Physical Security
  • Network Security
  • Host based Security
  • Application Security

(Defense-in-depth diagram source: www.macroview.com/solutions/infosecurity/)
15
Protecting Personally Identifiable Information
  • On the System
  • Policy
  • Technical, managerial and operational control
    requirements
  • Tells what needs to be done, not how
  • Procedures provide the road maps on how to comply
    with policy
  • Covers all other aspects of Security
  • Personnel
  • Physical
  • Network Security
  • Host based Security
  • Application Security

16
Protecting Personally Identifiable Information
  • On the System
  • Personnel Security
  • The same as in the office
  • Know who should be there
  • Challenge others
  • Personnel background checks
  • Criminal
  • Employment History
  • Credit
  • Train shortly after employment begins and then
    refresh periodically

17
Protecting Personally Identifiable Information
  • On the System
  • Physical Security
  • Includes environmental Security
  • Access control
  • Badges / Keycards
  • Access lists and entry logs
  • Escorted access
  • Higher level of control for some areas
  • Metal detectors and scanners
  • Backup power
  • Cameras

18
Protecting Personally Identifiable Information
  • On the System
  • Network Security
  • Firewalls
  • NIDS (Network Intrusion Detection System)
  • Auditing
  • IPS (Intrusion Prevention System)
  • Honeypots

19
Protecting Personally Identifiable Information
  • On the System
  • Host based Security
  • Configuration compliance
  • Internal Firewalls
  • Access control
  • HIDS (Host-Based Intrusion Detection System)
  • Anti-Virus and Anti-Spyware
  • Patch management
  • Logging

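"Configuration compliance" on the slide above is the recurring check that a host still matches its hardening baseline. The program below is an added example (not code from the presentation) that parses an sshd_config-style file and reports every keyword that is missing or deviates from a baseline. The baseline values are CIS-benchmark-style sshd settings chosen for illustration, and the config excerpt is constructed; both are assumptions of this example. It reproduces two sshd behaviours that trip people up: keywords are case-insensitive, and the first occurrence of a keyword wins, so a hardening line appended at the end of the file does not override an earlier permissive one.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Baseline is the "should be" state: keyword -> required value, both lower-case.
// These are CIS-benchmark-style sshd settings used as an illustration
// (an assumption of this example); substitute your own baseline.
var Baseline = map[string]string{
	"permitrootlogin":        "no",
	"passwordauthentication": "no",
	"x11forwarding":          "no",
	"loglevel":               "verbose",
	"maxauthtries":           "4",
}

// Finding is one deviation. Actual is "" when the keyword is absent.
type Finding struct {
	Key, Expected, Actual string
}

// ParseConfig reads "Keyword value" lines. Like sshd, it matches keywords
// case-insensitively and lets the FIRST occurrence win.
func ParseConfig(text string) map[string]string {
	settings := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank or comment line
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue // keyword without a value: ignore
		}
		key := strings.ToLower(fields[0])
		if _, seen := settings[key]; !seen {
			settings[key] = strings.ToLower(strings.Join(fields[1:], " "))
		}
	}
	return settings
}

// Check compares parsed settings with the baseline and returns every
// deviation, sorted by keyword. A missing keyword is a finding too: the
// daemon's compiled-in default then applies, which is rarely the hardened value.
func Check(settings, baseline map[string]string) []Finding {
	var findings []Finding
	for key, want := range baseline {
		got, present := settings[key]
		if !present || got != want {
			findings = append(findings, Finding{Key: key, Expected: want, Actual: got})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Key < findings[j].Key })
	return findings
}

func main() {
	// Constructed sshd_config excerpt, not taken from any real host.
	sample := `
# Hardened? Not quite.
PermitRootLogin yes
X11Forwarding no
LogLevel VERBOSE
MaxAuthTries 4
# The line below is too late: the first occurrence wins.
PermitRootLogin no
`
	for _, f := range Check(ParseConfig(sample), Baseline) {
		if f.Actual == "" {
			fmt.Printf("MISSING %s (expected %q)\n", f.Key, f.Expected)
		} else {
			fmt.Printf("FAIL    %s = %q (expected %q)\n", f.Key, f.Actual, f.Expected)
		}
	}
}
```

Run against a real host the same parser works on `/etc/ssh/sshd_config`; the point of the example is the two findings it produces for the sample, one for a wrong value and one for an unset keyword, which is how a missing `PasswordAuthentication no` line silently leaves password logins enabled.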
20
Protecting Personally Identifiable Information
  • On the System
  • Application Security
  • Develop Application Security Plan
  • Test for known vulnerabilities prior to
    implementation
  • Authorize access
  • Rules of behavior
  • Secure Web interface
  • Limit PII entries and displays

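"Limit PII entries and displays" is the one item on this slide that is almost entirely a coding decision, and it is the same advice the remote-user slides give later for keylogger and shoulder-surfing exposure: show only as much of an identifier as the user needs to recognise their own record. The program below is an added example (not code from the presentation) of the two pieces an application needs: a display mask for an SSN that keeps only the last four digits, and a redaction filter for free text such as log lines and help-desk notes. The regular expressions are simple US-centric patterns and the log line is constructed, both assumptions of this example; treat a match as "probably PII", not as proof.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Patterns for PII that commonly leaks into screens, logs and tickets.
// Deliberately simple and US-centric (an assumption of this example).
var (
	ssnRE   = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	emailRE = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	dobRE   = regexp.MustCompile(`\b(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/(19|20)\d{2}\b`)
)

// MaskSSN keeps only the last four digits: enough for a student to confirm
// "yes, that is my record", not enough for a shoulder-surfer or a keylogger
// to reuse. Anything that is not nine digits is masked completely rather
// than echoed back, so a malformed field never leaks.
func MaskSSN(ssn string) string {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1 // drop separators such as '-' or ' '
	}, ssn)
	if len(digits) != 9 {
		return "***-**-****"
	}
	return "***-**-" + digits[5:]
}

// RedactPII rewrites free text (a log line, an error message, a help-desk
// note) so that SSNs, e-mail addresses and dates of birth are masked before
// the text is displayed or stored outside the system of record.
func RedactPII(text string) string {
	text = ssnRE.ReplaceAllStringFunc(text, MaskSSN)
	text = emailRE.ReplaceAllStringFunc(text, func(m string) string {
		at := strings.Index(m, "@")
		return m[:1] + "***" + m[at:] // keep first letter and domain for support triage
	})
	text = dobRE.ReplaceAllString(text, "**/**/****")
	return text
}

// ContainsPII is the guard to put in front of a logger or a web template:
// if it is true for a string about to be shown or written, stop.
func ContainsPII(text string) bool {
	return ssnRE.MatchString(text) || emailRE.MatchString(text) || dobRE.MatchString(text)
}

func main() {
	// Constructed sample line, not real data.
	line := "Student 123-45-6789 (jane.doe@example.edu) born 03/14/1990 requested a transcript"
	fmt.Println("raw line contains PII:", ContainsPII(line))
	safe := RedactPII(line)
	fmt.Println(safe)
	fmt.Println("redacted line contains PII:", ContainsPII(safe))
}
```

The redaction keeps the first letter and domain of an e-mail address so that support staff can still triage a ticket; if that is more than a given screen needs, mask the whole local part. The important property is the last line of `main`: after redaction the guard no longer fires, so the same check can be used as a unit test on every template and log format.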
21
Protecting Personally Identifiable Information
  • Data Transfers
  • Electronic File Transfers
  • Tapes and CDs
  • Thumb Drives
  • Email
  • Laptops

22
Protecting Personally Identifiable Information
  • Data Transfers
  • Encryption
  • Encrypt with strong algorithms
  • AES (Advanced Encryption Standard) or Triple DES
    (3DES; NIST has since deprecated 3DES, so prefer
    AES for anything new)
  • Use the largest key length the algorithm
    supports: 256 bits for AES (3DES is limited to
    168)
  • If passwords are used to derive the key, make
    them strong
  • Complex, with a mixture of numbers, upper- and
    lower-case letters, and special characters
  • 8-12 characters in length at minimum; a longer
    passphrase is better
  • No dictionary words or names
  • Send the password separately from the data
    transfer, over a different channel
  • Mask password entry on screen
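The slide states what to use (AES, a 256-bit key, a strong password sent separately) but not how a password becomes a key or how the recipient detects a wrong password or a tampered file. The program below is an added example (not code from the presentation) that encrypts a record for a tape, CD or thumb-drive shipment: the passphrase is stretched with PBKDF2-HMAC-SHA-256 and a random per-file salt into a 256-bit AES key, the data is sealed with AES-256-GCM so any modification is detected, and the file layout is salt || nonce || ciphertext || tag. PBKDF2 is written out rather than imported so the example needs only the standard library; the iteration count, the passphrase and the sample record are assumptions constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16     // random per file; the same passphrase never yields the same key twice
	keyLen     = 32     // 256-bit AES key, the largest size AES supports
	iterations = 200000 // PBKDF2 work factor; an assumption of this example, raise it as hardware allows
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA-256.
func pbkdf2SHA256(passphrase, salt []byte, iter, length int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	hashLen := prf.Size()
	numBlocks := (length + hashLen - 1) / hashLen
	dk := make([]byte, 0, numBlocks*hashLen)
	u := make([]byte, hashLen)
	var idx [4]byte
	for block := 1; block <= numBlocks; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		dk = prf.Sum(dk)
		t := dk[len(dk)-hashLen:] // T_block accumulates the XOR of U_1 .. U_iter
		copy(u, t)
		for n := 2; n <= iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(u[:0])
			for i := range u {
				t[i] ^= u[i]
			}
		}
	}
	return dk[:length]
}

// newGCM derives the key for this salt and returns an AES-256-GCM AEAD.
func newGCM(passphrase, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(passphrase, salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForTransfer produces salt || nonce || ciphertext || tag. The salt is
// also bound as associated data, so swapping headers between files is detected.
func EncryptForTransfer(passphrase, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, salt...), nonce...)
	return gcm.Seal(out, nonce, plaintext, salt), nil
}

// DecryptFromTransfer reverses EncryptForTransfer. A wrong passphrase and a
// modified byte look the same to the caller: both fail the GCM tag check.
func DecryptFromTransfer(passphrase, envelope []byte) ([]byte, error) {
	if len(envelope) < saltLen {
		return nil, errors.New("envelope too short")
	}
	salt := envelope[:saltLen]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(envelope) < saltLen+ns+gcm.Overhead() {
		return nil, errors.New("envelope too short")
	}
	nonce := envelope[saltLen : saltLen+ns]
	pt, err := gcm.Open(nil, nonce, envelope[saltLen+ns:], salt)
	if err != nil {
		return nil, errors.New("decryption failed: wrong passphrase or tampered data")
	}
	return pt, nil
}

func main() {
	// Constructed sample. The passphrase goes to the recipient by phone or a
	// separate message, never in the same package as the media.
	passphrase := []byte("correct horse battery staple campus 2024")
	record := []byte("Doe,Jane,123-45-6789,1990-03-14")
	env, err := EncryptForTransfer(passphrase, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("envelope is %d bytes, %d of them header and tag\n", len(env), len(env)-len(record))
	back, err := DecryptFromTransfer(passphrase, env)
	fmt.Println("round trip ok:", err == nil && string(back) == string(record))
	_, err = DecryptFromTransfer([]byte("wrong passphrase"), env)
	fmt.Println("wrong passphrase:", err)
}
```

Two points the slide's "256 or greater" glosses over show up here: the key is 256 bits only because the KDF makes it so (a 12-character password has nowhere near 256 bits of entropy, which is why the work factor and a separately delivered passphrase matter), and GCM's tag is what turns "encrypted" into "encrypted and known to be intact", which a bare AES-CBC or 3DES file does not give you.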

23
Protecting Personally Identifiable Information
  • Remote Users
  • Two types of remote users: students and staff
  • Problem
  • Work from personal or public PCs and laptops
  • Data downloads need to be monitored
  • Infected with viruses and spyware
  • Open to phishing and pharming
  • Subject to Keylogger attacks
  • Resolution
  • Limit PII displayed or entered on the screen
  • Employ two factor authentication for application
    access
  • Provide Web site notices
  • Offer assistance

24
Protecting Personally Identifiable Information
  • Remote Users
  • Keylogger attacks
  • What are Keyloggers?
  • Why are we singling this threat out?
  • What can be done about the Keylogger threat?
  • Limit the amount of PII entered or displayed on
    the web site.
  • Make sure that user passwords are changed
    frequently.
  • Limit privileged users remote access.
  • Use Two Factor authentication.
  • Include warning banners on your web sites that
    provide a warning and instructions for
    prevention.
  • Let users know not to use computers with unknown
    security. Cyber Cafes and other publicly
    accessible computers should be avoided when
    accessing PII.

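Both remote-user slides answer the keylogger threat with two-factor authentication but do not say why it works: a captured password can be replayed, a time-based one-time code cannot. The program below is an added example (not code from the presentation) of RFC 6238 TOTP, the scheme behind phone authenticator apps, with both sides shown: HOTP/TOTP code generation as the user's device does it, and a server-side verifier that allows one 30-second step of clock skew and refuses any step at or below the last one it accepted, so a code captured by a keylogger is dead the moment the legitimate login has used it. The enrolment secret is generated at random; the constants are the RFC defaults.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	totpDigits = 6
	totpStep   = 30 // seconds per code, the RFC 6238 default
)

// HOTP is the RFC 4226 one-time code for a counter value; TOTP feeds it the
// current time step. HMAC-SHA-1 is what authenticator apps implement.
func HOTP(secret []byte, counter uint64, digits int) int {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation
	code := (uint32(sum[offset])&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return int(code % mod)
}

// TOTP is the zero-padded code the user's phone displays at a given Unix time.
func TOTP(secret []byte, unixTime int64) string {
	return fmt.Sprintf("%0*d", totpDigits, HOTP(secret, uint64(unixTime/totpStep), totpDigits))
}

// NewSecret returns a fresh 160-bit shared secret and its base32 form, which
// is what goes into the enrolment QR code or is typed into the app.
func NewSecret() ([]byte, string, error) {
	secret := make([]byte, 20)
	if _, err := rand.Read(secret); err != nil {
		return nil, "", err
	}
	return secret, base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret), nil
}

// Verifier is the server side. It tolerates one step of clock skew either way
// and never accepts a step at or below the last one it consumed.
type Verifier struct {
	secret      []byte
	lastCounter int64 // highest time step already used; -1 = none yet
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, lastCounter: -1}
}

func (v *Verifier) Verify(code string, unixTime int64) bool {
	now := unixTime / totpStep
	for skew := int64(-1); skew <= 1; skew++ {
		c := now + skew
		if c < 0 || c <= v.lastCounter {
			continue // replay, or older than a code already accepted
		}
		expected := fmt.Sprintf("%0*d", totpDigits, HOTP(v.secret, uint64(c), totpDigits))
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastCounter = c
			return true
		}
	}
	return false
}

func main() {
	secret, enrol, err := NewSecret()
	if err != nil {
		panic(err)
	}
	fmt.Println("enrol this base32 secret in an authenticator app:", enrol)
	now := time.Now().Unix()
	code := TOTP(secret, now) // what the phone shows right now
	v := NewVerifier(secret)
	fmt.Println("legitimate login accepted:", v.Verify(code, now))
	fmt.Println("same code replayed by an attacker:", v.Verify(code, now+5))
}
```

The verifier is deliberately stateful: without `lastCounter`, an attacker who keylogs the code and submits it within the same 30-second window (or the one-step skew allowance) would get in. Combine it with the slide's other advice, fewer PII fields on the page, since a second factor protects the login but not what the keylogger records after it.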
25
Protecting Personally Identifiable Information
  • Assess Your Security
  • Identify data sensitivities for CIA
    (confidentiality, integrity, availability)
  • Identify likelihood
  • Likelihood = threat × motivation
  • Identify security risks
  • Risk level = Impact × Likelihood
  • Controls reduce the level of risk
  • Identify test methods based on risk level
  • Documentation reviews
  • Interviews
  • Observations
  • Technical tests (network, OS and application
    scans, log reviews, penetration testing, password
    cracking)
  • Use Baseline Security Requirements
  • Complete testing and identify weaknesses /
    unmitigated vulnerabilities
  • Create remediation plan
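The assessment steps on this slide form one procedure: rate sensitivity per CIA property, rate likelihood from threat and motivation, multiply into a risk level, credit the controls in place, then choose how deeply to test. The program below is an added example (not code from the presentation) that carries two constructed campus assets through that procedure on a three-point qualitative scale. The numeric cut-offs, the rule that each control in place lowers likelihood by one level, and the mapping from risk level to test methods are assumptions of this example that make the slide's arithmetic concrete; a real assessment would take them from the institution's risk methodology.

```go
package main

import (
	"fmt"
	"strings"
)

// Level is the three-point scale used for sensitivity, likelihood and risk.
type Level int

const (
	Low Level = iota + 1
	Moderate
	High
)

func (l Level) String() string {
	return [...]string{"?", "Low", "Moderate", "High"}[l]
}

// Asset is one PII holding, rated the way the slide walks through it.
type Asset struct {
	Name                                     string
	Confidentiality, Integrity, Availability Level    // data sensitivity for C, I and A
	ThreatCapability, ThreatMotivation       Level    // likelihood inputs: threat x motivation
	Controls                                 []string // mitigations already in place
}

// scoreToLevel maps a 1..9 product back onto the scale (cut-offs are an assumption).
func scoreToLevel(score int) Level {
	switch {
	case score >= 6:
		return High
	case score >= 3:
		return Moderate
	default:
		return Low
	}
}

// Impact is the worst of the three CIA sensitivities.
func Impact(a Asset) Level {
	worst := a.Confidentiality
	if a.Integrity > worst {
		worst = a.Integrity
	}
	if a.Availability > worst {
		worst = a.Availability
	}
	return worst
}

// Likelihood is threat x motivation; with countControls set, each control in
// place lowers it one level (an assumption of this example, not a NIST rule).
func Likelihood(a Asset, countControls bool) Level {
	l := scoreToLevel(int(a.ThreatCapability) * int(a.ThreatMotivation))
	if countControls {
		for range a.Controls {
			if l > Low {
				l--
			}
		}
	}
	return l
}

// Risk is the slide's "Risk level = Impact x Likelihood".
func Risk(impact, likelihood Level) Level {
	return scoreToLevel(int(impact) * int(likelihood))
}

// TestMethods picks assessment depth from the residual risk level.
func TestMethods(risk Level) []string {
	methods := []string{"documentation review", "interviews"}
	if risk >= Moderate {
		methods = append(methods, "observations", "network, OS and application scans", "log review")
	}
	if risk >= High {
		methods = append(methods, "penetration testing", "password cracking")
	}
	return methods
}

// Assess prints one asset's worksheet and returns its residual risk.
func Assess(a Asset) Level {
	inherent := Risk(Impact(a), Likelihood(a, false))
	residual := Risk(Impact(a), Likelihood(a, true))
	fmt.Printf("%s: impact %s, likelihood %s -> inherent risk %s; with %d control(s) residual risk %s\n",
		a.Name, Impact(a), Likelihood(a, false), inherent, len(a.Controls), residual)
	fmt.Printf("  test with: %s\n", strings.Join(TestMethods(residual), ", "))
	return residual
}

func main() {
	// Constructed campus examples, not data from the presentation.
	assets := []Asset{
		{Name: "financial aid database", Confidentiality: High, Integrity: Moderate, Availability: Low,
			ThreatCapability: High, ThreatMotivation: High, Controls: []string{"two-factor authentication"}},
		{Name: "public course catalogue", Confidentiality: Low, Integrity: Moderate, Availability: Moderate,
			ThreatCapability: Moderate, ThreatMotivation: Low},
	}
	for _, a := range assets {
		Assess(a)
	}
}
```

The worked numbers show the cost-versus-risk point in the deck's title: the financial aid database stays High even after one control, so it earns the expensive tests (penetration testing, password cracking), while the course catalogue is Low and gets a documentation review and interviews. Adding a second control to the database drops it to Moderate, which is the kind of comparison that justifies spending on the control rather than on repeated testing.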

26
Protecting personal information is Everybody's
Job! Don't become a headline!
(The closing slide repeats the PII definition from
slide 4.)
27
Resources
  • Vulnerabilities
  • OWASP (http://www.owasp.org)
  • SANS Top 20 (http://www.sans.org/top20)
  • National Vulnerability Database
    (http://nvd.nist.gov)
  • cgisecurity (http://www.cgisecurity.com)
  • Guidance
  • National Institute of Standards and Technology
    (NIST) Computer Security Resource Center
    (http://csrc.nist.gov/publications/nistpubs/)
  • Center for Internet Security (CIS)
    (http://www.cisecurity.org/)
  • Educause (http://connect.educause.edu/term_view/Cybersecurity)

28
Contact Information
  • We appreciate your feedback and comments. We can
    be reached at
  • Bob Ingwalson
  • Phone 202.377.3563
  • Email robert.ingwalson_at_ed.gov
  • Fax 202.275.0907