Securing Confidential Data

7/27/2019 Securing Confidential Data

http://slidepdf.com/reader/full/securing-confidential-data 1/29

Securing Confidential Data in a Connected World:Methods and Applications



Securing Confidential Data in a Connected World:Methods and Applications



A Connected World

Today, More people have access to the Internetthan EVER before:

World Population = 2,405,518,376 (34.3 %)

North America = 273,785,413 (78.6%)(InternetWorldStats.com/Stats.htm)

Teens Online – 95%

Using Mobile Devices = 74%

Have Smart phones = 37%

Tablets = 23%

80% have a desktop and/or laptop

(PewInternet.org)



Emerging Youth and Trends



Our emerging youth will present a much greaterrisk due to their perception of open source lifeand living within “Notopia” - a boundary-less

world filled with eroded ethics and principles.

Due to the loss of boundaries, the online world isremodeling concepts of legality, right/wrong, andPrivate/Confidential materials.

As the Digital babies mature, the need to increasesecurity will follow with them



Responsibility of the Organization

It is the responsibility of the organization thatcollects, stores, and disseminates confidentialdata to maintain both its security and availability

to those persons it was collected for. By requiring security, there is an inference to an

amount of value this data represents to the agencyor person(s) the data concerns

Given value, data now has a proportionate level ofrisk if it is lost, stolen, or misused.



Law Enforcement

Who decides how to classify data?

Federally held data is within the realm of the FBI(non-intelligence)

Criminal data is held within the National CrimeInformation Centers (NCIC) at their Criminal JusticeInformation Services Division (CJIS) in West Virginia

State and Local Levels

These agencies may choose to further restrict accessand broaden the range of what is considered Confidentialdata (barring FOIA request in some cases and even then are stillresponsible for preventing sensitive information from leaking)





Confidential Data

Now that is has been classified as Confidentialthe agency should

Craft fitting policies & SOPs to provide clear

directives for personnel to handle and Protect thevaluable data

Routinely review their policies and SOPs to insurethat they evolve along with risks

Track infractions to model corrective training andprovide risk data



Securing Confidential Data

Physical Security

Primary means of preventing access toworkstations, servers, teletypes, fax machines,

printers, and other monitoring devices All access points must be locked to prevent non-

cleared personnel from access or viewingsensitive/confidential data



Technology - Hardware

Limit outside accessfrom both Internet andlocal networks without

clearance by using:

Firewalls – limit network communications based on networkprotocols, activity, ports, and types of communication

MPLS – Can be used to connect geographically separatelocations, intelligently route network packets, create VPNs toencapsulate data

Encryption Levels (AES [128 -256] – Advanced Encryption

Standard) and other advancing encryption schemes



Authentication

Domain Level

SecondarySecurity

Server



Dual Authentication

Primary

Active Directory – Windows

NIS (Network Information Services) - Linux

Secondary

Additional Server/Applications used to integrateSmart Cards, HID devices, and Biometrics

Serves as bound medium to facilitate security measureswhile reducing user's burden of extra passwords



Encryption

Lower level security measure

By itself, may be weak – use in conjunction with theprevious devices mentioned

Hardware Frees up computing resources and increases speed

Increased up-front costs

Software

Ease of implementation as needed

Decreased Cost

Decreased speeds and increased CPU strain

Implementations -

Whole drives/arrays

Folders Files



Antivirus / Malware Detection

Hardware

Typically network-based devices

Can be less expensive financially

Decreases overall network performance, while minimallyaffecting workstation resources and speed

Software

Can be Server and/or Workstation-based

Best use scenario includes centralized updates andconfigurations via Group Policies

Can be configured at workstation level for specializedprojects

May cause interference with applications and websites



Wetware- Humans

Employees, users, vendors with access

Backgrounds, Polygraphs, and regularaudits/debriefings

Training concerning historically effective securityissues



Social Engineering



Reminder of how social engineering issuccessful – lax awareness

Various government organizations still use placards to keepthe mindset of their personnel on guard against mind-hackers

Confirm knowledge of SOPs, protocols, and personnelIdentification and access rights

Never discuss sensitive information concerning security

infrastructures and their access data

Social Engineering





Pressure Testing

After backing up Confidential Data

Test Disaster Recovery and Protocols Periodically

Who are responsible for each measure, and can they

quickly implement their tasks In case of Loss or Intrusion, review who needs to be

notified

Invite Certified Security Personnel to assess yourorganizations security measures used to protect theConfidential Data

White Hats

Grey Hats

Black Hats



Methods of Testing

Intrusion Testing

Check Logs

Firewalls

Routers

Servers



Often Forgotten

Patches

Updates

Security Forums/Groups















Securing Confidential Data

Documents