Covering Your Information Assets: Developing security in a constantly changing environment.
Synercomm, Inc.
Jeffrey T. Lemmermann, CPA, CITP, CISA, CEH
Wisconsin Government Finance Officers Association
September 12, 2019 – Green Bay, WI
Who Am I
ID
• Jeffrey T. Lemmermann
• Information Assurance Consultant – SynerComm (January 2018)
EXP
• 24 years with CliftonLarsonAllen
• Risk Services Practice Manager; IT Audit / IT Security Specialist
• 5+ years as CIO/CFO – manufacturing industry
CERT
• CPA, CITP, CISA, CEH
• CITP – Wisconsin Champion (if you are a CPA)
“Security assessment & consulting, IT audit, compliance with IT frameworks (NIST, COBIT) and continuing an ongoing crusade to promote information security!”
Information Security
Topping The Charts Everywhere! Forbes 2019 Top 10 Digital Transformation Trends
1. 5G Fixed to 5G Mobile (4)
2. Expanded Chatbot Use
3. Cloud Computing Evolution
4. Blockchain Understanding (5)
5. Data Analytics (2) / Machine Learning (6)
6. General Data Protection Regulation
7. Augmented Reality (7)
8. Edge Computing (3) / Internet of Things (1)
9. Consumption IT [all as a service] (8)
10. Hiring for Digital Transformation (10)
Importance of Data Security
Regulations: GDPR / CCPA, HIPAA, GLBA / SOX 404, Red Flag Rules, PCI standards
Publicity: “There is no such thing as bad publicity … except your own obituary.” – Brendan Behan, Irish dramatist
Damage to reputation. Loss of consumer confidence. Redirection of resources.
Target: 40M credit/debit cards compromised; 46% dip in 2013 Q4 profits.
Atlanta, GA: $11M+ in costs so far; 1/3 of applications still affected; 70 computers lost along with data including dash cam footage.
Riviera Beach, FL: 5/29/19 an infected email attachment took down all of the city’s online systems, including email and some phones, as well as water utility pump stations. 6/4/19 authorized $900,000 to recover/replace affected hardware. 6/17/19 authorized payment of $600,000 to the hackers.
Baltimore, MD: 5/7/19 RobinHood ransomware attack; city service outages ultimately cost $18 million (and counting) in recovery costs and lost revenues.
Dark Web / Deep Web / Surface Web
Simple definition: the surface web is what search engines index. The deep web is the part of the internet that isn’t visible to search engines (anything behind a login, a form, or an unlinked URL). The dark web is the slice of that which additionally requires an anonymizing browser, like Tor, to be accessed.
What is done with that information? It is exchanged on the DARK WEB…
Voting machines!
Data Security 101
Where is our data now? Where should our data go? Where can our data go?
Who can access our data? Who needs to access our data?
Understanding the environment: where does it start?
You can’t protect what you don’t know about.
Where Is Your Data?
The Obvious: network file/data servers, laptop computers, backup storage media
The Obscure: smartphones / tablets, portable storage (USB drives), e-mail attachments
The Forgotten: disposed equipment – LEASED equipment!
Proper Disposal Rules
“Disposal practices that are reasonable and appropriate to prevent unauthorized access to – or use of – information in a consumer report.” (FTC Disposal Rule, 16 CFR Part 682)
• Burn, pulverize, or shred papers so they cannot be reconstructed.
• Destroy or erase electronic files or media so information cannot be read or reconstructed.
• Conduct due diligence and hire a document destruction contractor.
Due diligence could include: reviewing the contractor’s independent audit; obtaining information from several references; requiring certification by a recognized trade association; reviewing the contractor’s information security policies or procedures.
Hard Drive Data
Study of 2nd-hand drives – O&O Software: 2004: 88% of disks bought on eBay contained recoverable data; 2005: 71%.
Edith Cowan University – annual study of 2nd-hand hard drives: 2006: 48%; 2007: 40%; 2008: 38%; 2009: 39%; 2010: (not shown); 2011: (not shown); 2012: 47%.
Types of recoverable data: internal company memos; legal correspondence of a government agency; credit ratings (bank-owned hard drive).
File-erasing utilities: Eraser (freeware, up to 35 overwrite passes); Steganos Security Suite (up to 100 passes).
Hard Drive Data Worries
What about smartphones? Deleting apps might not delete data. SD card storage. Data stored by service providers.
Tablet computers – same issues as smartphones.
Solid State Drives (SSDs): traditional disk-wiping utilities do not work. Wear levelling and over-provisioning mean an overwrite may never touch the flash block that still holds the old data (“nearly impossible to completely delete data from SSDs”). Physical destruction is highly recommended. Newer SSDs ship with deletion utilities: the drive’s own ATA Secure Erase / NVMe Sanitize command, or crypto-erase on self-encrypting drives. Use those instead of overwrite tools.
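The file-erasing utilities above all do the same thing underneath: overwrite the file’s blocks several times, force the writes to disk, and only then remove the directory entry. The script below is an added example (not from the presentation or from Eraser/Steganos) that does exactly that for a single file and, so the reader can check it, refuses to finish if the original bytes are still readable. The pattern list, the `demo()` helper, and the temporary file it creates are my own choices. It is only meaningful on a spinning disk with an in-place-updating filesystem; on an SSD, a copy-on-write or snapshotting filesystem, or a cloud volume the old blocks can survive, which is the caveat the slide makes.

```python
"""Multi-pass overwrite of one file before deleting it (added example).

Caveat (see the slide): on SSDs, copy-on-write filesystems, snapshots and
cloud block storage the overwritten blocks may not be the ones that hold the
old data. Use the drive's Secure Erase / Sanitize or crypto-erase there.
"""
import os
import secrets
import tempfile

# Pass patterns: zeros, then ones, then random bytes. Assumed here; the 35-pass
# Gutmann scheme offered by Eraser targets 1990s drive encodings, not modern ones.
PATTERNS = (b"\x00", b"\xff", None)


def overwrite_and_delete(path, passes=3, chunk=1 << 20):
    """Overwrite `path` in place `passes` times, fsync after each pass,
    truncate it, then unlink it. Returns the total number of bytes written.
    Raises RuntimeError if the file still reads back as its original content."""
    if passes < 1:
        raise ValueError("at least one overwrite pass is required")
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        original = f.read()  # kept only for the self-check below
    written = 0
    with open(path, "r+b") as f:
        for i in range(passes):
            pattern = PATTERNS[i % len(PATTERNS)]
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
                written += n
            f.flush()
            os.fsync(f.fileno())  # push the pass through the OS cache to the device
        f.seek(0)
        if size and f.read() == original:
            raise RuntimeError("overwrite did not take effect")
    # Truncate so the name no longer maps to the old extent, then remove the name.
    with open(path, "wb"):
        pass
    os.remove(path)
    return written


def demo():
    """Constructed run: a 6000-byte 'secret' in a temp file is erased.
    Returns (bytes_written, file_still_exists)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"secret" * 1000)
    written = overwrite_and_delete(path, passes=3)
    return written, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

Three passes over 6000 bytes report 18000 bytes written and the file gone. Whole-disk tools work the same way but address every sector, including free space and slack, which a per-file overwrite never reaches.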
Smartphone / Tablet Drive Data
Study of 2nd-hand smartphones: AVAST purchased 20 Android smartphones from eBay. A factory data reset had been performed on the devices. What was still found on the phones:
• 40,000 photos, 1,500 of them family photos including children
• 750 emails and text messages
• 250 names and associated email addresses
• Identifiable information from four owners
• 1 completed loan application
Recommendation: first encrypt the device and SD card, then perform the factory data reset.
Data Security
How can we keep our data safe?
“The search for static security – in the law and elsewhere – is misguided. The fact is security can only be achieved through constant change, adapting old ideas that have outlived their usefulness to current facts.”
– Canadian physician William Osler
Case Study – Public School District
Case Study: Open Records
How “open” do you mean?
Security Points
Five Key Points of Data Security:
1. Physical Security
2. Network Security
3. Application Security
4. External Security
5. Planning & Governance
Physical Security Fail
How to avoid this:
(1) Physical Security
• Access to equipment: locked server room, mobile equipment logs
• Theft prevention procedures: cameras, user policies on mobile equipment
• Separation of duties: ordering / inventory separate from installers
• Hardware inventory: serial numbers, internal configurations, assignments
(2) Network Security
• Password policies: minimum characters, forced changes, complexity. No sticky notes!
• Key application security: accounting, HR, or other sensitive-data applications follow the password standards of the network; segregation of duties / reporting controls
• Anti-virus protection (Symantec, McAfee, etc.): server based, automatic updates of workstations, e-mail protection
• Patch maintenance: Windows update services (e.g., WSUS)
• Employee training: dangerous files, e-mail concerns, web surfing
• Spyware protection
Spyware – Detecting & Eliminating
Signs you have been infected: random “security” pop-up windows appear when browsing; drop in computer performance; normal home page has been replaced / new search bars.
Align IT Goals with Business Goals: Does the IT department work for you or run you? Is IT planning part of the overall strategic planning process? Steering committee: department head involvement!
Must-Have Plans:
• Disaster Recovery / Business Continuity – Testing! Involvement of all departments: what are their needs?
• System Security Plan
• Incident Response Plan: data disclosure events, contact requirements
Policies & Procedures
Policies in general: signature requirements / acknowledgement; redistribution of policy / general availability; centralize & minimize the total number; training opportunity on changes!
Important groupings:
• Computer Use Policy: Internet use, e-mail use
• IT Security Policy: confidentiality statements, data handling and storage, data retention & destruction
Policies & Procedures – Updating
The importance of reviewing and updating policies:
What happens when two worlds collide? Can social media be used for public debate? What rules are in place for posting information by the elected? How can the use of social media be policed?
Sunshine Laws
Data Security
Updating our policies and procedures is a critical part of the circle.
What is this hacking thing you speak of?
Computer Information Hacking
Attack Origins
Points of origin of network attacks:
Internal – harder to protect against (productivity vs. security). Motivations: personal gain; revenge (missed promotion, about to be fired); job security.
External – hard to identify the source. Motivations: random attack; revenge (former employee, angry client, competitor); industrial espionage.
Close your eyes. Imagine a “hacker”.
What Hackers Look Like
What Hackers Look Like - 2
Social Engineering Expert: Kevin Mitnick
• FBI Most Wanted List – 1994
• Banned from the Internet on January 21, 2000
• Current Chief Hacking Officer of KnowBe4
• CEO of Mitnick Security
Social engineering: “Any act that influences a person to take an action
Business eMail Fraud: City of Ottawa, Canada – urgent email to staff; wire of $100,000 to the scammer; procedures not followed.
Payroll Redirection: City of Tallahassee, FL – 3rd-party vendor compromised, $498,000 in payroll checks redirected to scam accounts. Thomas County School System – thwarted a $2M attempt.
Ransomware: Greenville, NC – Stuart, FL – Augusta, ME – Imperial County, CA – Baltimore, MD – Albany, NY – Riviera Beach, FL – Who is next???
How does it start and spread?
• Phishing emails: attachments / website links
• Compromised websites: drive-by downloads
• Social media post links
• Remote Desktop Protocol
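The Ottawa wire and the Tallahassee payroll redirection above were plain e-mails whose only tells were a look-alike sender, a Reply-To pointing elsewhere, urgency in the subject, and a link or attachment that was not what it claimed to be. The following is an added example (my own code, not the presenter’s and not from any vendor product) of a first-pass triage that pulls exactly those tells out of a message with Python’s standard `email` library. The staff directory, the risky-extension list, and both sample messages are constructed for the example; real domains and addresses are not used.

```python
"""Phishing / business-e-mail-fraud triage over a raw RFC 5322 message (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed: a small staff directory of display names the finance office trusts.
KNOWN_STAFF = {"Jane Doe": "jane.doe@city.example"}

# Assumed: attachment types that commonly carry droppers, macros or HTML smuggling.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk",
                    ".iso", ".docm", ".xlsm", ".html", ".zip"}

URGENCY = re.compile(r"\b(urgent|immediately|wire|payroll|direct deposit)\b", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTNAME = re.compile(r"([\w-]+\.[\w.-]+)")


def _domain(address):
    """Lower-case domain of an address header value, or '' if there is none."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def triage(raw, known_staff=KNOWN_STAFF):
    """Return a list of (reason, detail) findings for one message. Empty list = nothing seen."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_hdr = msg.get("From", "")
    display_name, from_addr = parseaddr(from_hdr)
    from_dom = _domain(from_hdr)
    reply_dom = _domain(msg.get("Reply-To", ""))

    # Replies routed away from the sender: the classic payroll-redirect / BEC tell.
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"From {from_dom} but replies go to {reply_dom}"))

    # A trusted colleague's name on an address that is not theirs.
    expected = known_staff.get(display_name)
    if expected and from_addr.lower() != expected:
        findings.append(("display-name-impersonation", f"{display_name!r} sent from {from_addr}"))

    # Urgency is not proof, but every case on the slides had it.
    subject = msg.get("Subject", "")
    if URGENCY.search(subject):
        findings.append(("urgency-subject", subject))

    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            lower = fname.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(("risky-attachment", fname))
                if lower.count(".") >= 2:  # "Invoice.pdf.exe" style disguise
                    findings.append(("double-extension", fname))
        if part.get_content_type() == "text/html":
            # Visible link text names one host while the href goes to another.
            for href, text in ANCHOR.findall(part.get_content()):
                href_host = re.sub(r"^https?://", "", href).split("/")[0].lower()
                shown = HOSTNAME.search(re.sub(r"<[^>]+>", "", text))
                if shown and shown.group(1).lower() != href_host:
                    findings.append(("link-mismatch", f"shows {shown.group(1)} but goes to {href_host}"))
    return findings


# Constructed sample: a look-alike "mayor" asks the treasurer for an urgent wire.
SAMPLE = """\
From: "Jane Doe" <jane.doe.mayor@mail-example.net>
Reply-To: accounts@payroll-update.example
To: treasurer@city.example
Subject: URGENT wire transfer before 3pm
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<p>Please process this today. Details: <a href="http://login.payroll-update.example/pay">https://portal.city.example/pay</a></p>
--B1
Content-Type: application/octet-stream; name="Invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--B1--
"""

# Constructed sample: the same colleague, from her real address, no lures.
CLEAN = """\
From: "Jane Doe" <jane.doe@city.example>
To: treasurer@city.example
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Is 12:30 ok?
"""

if __name__ == "__main__":
    for reason, detail in triage(SAMPLE):
        print(f"{reason:28} {detail}")
    print("clean message findings:", triage(CLEAN))
```

None of these checks replaces the control that failed in Ottawa, a second person confirming any payment-instruction change by phone on a known number; they are the cheap automated screen that decides whether a message even reaches the person who can be rushed into skipping that step.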
SynerComm’s goal is to be a Trusted Advisor and Preferred IT Solutions Provider by assisting our clients to achieve a goal, solve a problem, or satisfy a need.
Jeffrey T. Lemmermann, CPA, CITP, CISA, CEH – Information Assurance Consultant, SynerComm, Inc.