1) The document provides tips on how to manage client data responsibly and securely, including using a VOI provider for identity checks, enabling two-factor authentication, sharing documents securely with expiration dates, storing documents securely in the cloud using encryption, properly disposing of data and physical documents, and contacting proper authorities in the event of a breach.
2) Topics covered include password security, document sharing best practices, secure storage and transfer methods, device and media disposal, and incident response.
3) Resources mentioned that can help with secure practices and incident response include the Law Council of Australia Cyber Precedent, Lawcover crisis management, and identity theft non-profits.
1. How to manage your client’s data responsibly
Protect your clients from fraud, identity theft and confidential information
Jeremiah Cruz
jeremy@cryptoaustralia.org.au
Nick Kavadias
nick@cryptoaustralia.org.au
Gabor Szathmari
gabor@cryptoaustralia.org.au
cryptoaustralia.org.au
2. Who is CryptoAUSTRALIA
• A not-for-profit started by security and privacy enthusiasts.
• We have nothing to do with BitCoin, so please stop asking.
• We are for finding practical ways of dealing with the modern privacy and security challenges.
• We are looking for sponsors in order to continue our work and research.
• This may be a new concept to lawyers, but we are running these events for free*.
* This presentation does not constitute cybersecurity advice.
4. We know how to internet…
@CryptoAustralia
#cryptoaus
http://chat.cryptoaustralia.org.au
https://fb.me/CryptoStraya
Interact with us in the digital world…
5. What we are covering tonight…
1) Bad practices
2) Password security
(2FA and Password reuse)
3) Sharing documents securely
4) Storing documents securely
5) Prudent data disposal practices
6) Physical security (dos and don’ts)
7) What to do post-breach 🙏
15. Bad client document & personal information management practices
• VOI checks
• Online document conversion
• Document sharing (e.g. Dropbox)
• Keeping emails forever
• Public Wifi
16. Bad practices - VOI checks
100-point ID checks – Leaks everywhere
• Scan-to-email printers (bonus: unencrypted traffic)
• Documents sent/received over emails
• Emails are never deleted on the sender/receiver side
17. Bad practices - VOI checks
• Don’t ask for scanned documents to be sent over emails
• Rely on VOI providers instead
• Secure smartphone app and web portal
• https://www.dvs.gov.au/users/Pages/Identity-service-providers.aspx
19. Bad practices - Online document conversion
Online2PDF.com, freepdfconvert.com...
• They provide a convenient service to convert documents to PDF
21. Bad practices - Online document conversion
Online2PDF.com, freepdfconvert.com...
• Who’s behind the service?
• What happens to your documents?
• Why would you upload sensitive documents to random strangers?
23. Bad practices - Document sharing over emails
Problem statement:
Your email file attachments and embedded download links remain in your ‘Sent’ email folder forever, waiting for a hacker to log in and download them
24. Bad practices - Document sharing over cloud-based file storage services
File sharing with Dropbox, OneDrive, random service:
• Download links are valid forever
• Mailbox gets hacked → Links are still live
25. Transferring sensitive documents securely
• Send web links instead of file attachments where appropriate
• Use expiring web links
Services:
Google Drive, Sync.com, Tresorit...
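Added example (not from the slides, and not the code of any of the services named above): how an expiring link limits the damage when a mailbox is compromised. It assumes a hypothetical file service that signs each link with a server-side key; the service name, secret and timestamps are constructed.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed secret for this example; a real service keeps its key server-side only.
SECRET_KEY = b"example-server-side-secret"


def make_expiring_link(base_url: str, path: str, ttl_seconds: int,
                       now: Optional[int] = None) -> str:
    """Build a download URL whose HMAC covers both the file path and an expiry time.

    Because the expiry is part of the signed message, whoever finds the link later
    cannot simply edit the timestamp in the URL to extend its life.
    """
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    msg = f"{path}|{expires}".encode()
    sig = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{base_url}{path}?" + urlencode({"expires": expires, "sig": sig})


def link_is_valid(url: str, now: Optional[int] = None) -> bool:
    """Server-side check: accept only an untampered link whose expiry is still in the future."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires:
        return False  # a link dug out of an old 'Sent' folder is useless once this trips
    expected = hmac.new(SECRET_KEY, f"{parsed.path}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed timestamp
    link = make_expiring_link("https://files.example", "/client/id-scan.pdf", 3600, now=issued)
    print(link)
    print("within TTL:", link_is_valid(link, now=issued + 60))    # True
    print("after TTL: ", link_is_valid(link, now=issued + 3600))  # False
```

A permanent share link has no `expires` to trip, which is exactly the "links are still live" problem on the previous slide.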
28. Bad practices - Emails are kept forever
Keeping all emails for an extended period
• Limit the damage if the mailbox gets hacked
• Set an archive and retention policy and archive emails to a secure third-party service (e.g. Spinbackup, Backupify)
• Office 365, G Suite support retention policies
30. Bad practices - Public Wifi
Lots of hacking wizardry:
• Password theft via fake login pages
• HTTP pages tampered on the fly
• Theft of unencrypted sensitive data
Just take our advice on the next slide
37. Password hygiene – Wallets
Remember a single password only
• LastPass
• 1Password
• Dashlane
• RoboForm
• < Any random password wallet >
38. Storing documents securely
Cloud file storage – Who your adversary is
• Hackers? - Dropbox, G Drive, OneDrive + Two-factor authentication turned on
• Government? - End-to-end encrypted service: Sync.com, Tresorit
• Encrypt your disks, USB flash drives and smartphones
• BitLocker - Windows 10 Professional
• FileVault – Mac
• Android supports disk encryption
• On iOS disk encryption is turned on by default
39. Prudent data disposal practices
Laptops, computers:
• Magnetic disks: overwrite
• DBAN (https://dban.org/)
• SSD: Physical destruction
• USB flash drives: Physical destruction
40. Prudent data disposal practices
iPhone: Factory reset
Android*:
1. Encrypt device
2. Remove storage and SIM cards
3. Factory reset
4. Remove from Google account
Phones (SD card): Physical destruction
* https://www.computerworld.com/article/3243253/android/how-to-securely-erase-your-android-device-in-4-steps.html
42. Physical security (dos and don’ts)
• Shredding documents
• Diamond cut shredder
• Secure document disposal service
• Can securely dispose of digital media for you
• Digital certificates (e.g. PEXA key)
• Leave them unplugged when not in use
• Cut the built-in smart card in half to dispose of it
43. What to do when you get hacked 🙏
• Disconnect your computer from the Internet and stop using it
• Notify LawCover - They have an incident response team
• Checklist: http://lca.lawcouncil.asn.au/lawcouncil/images/cyber/CP-What-to-Do.pdf
44. Summary
1) Use a VOI provider for identity checks
2) Use 2FA and don’t reuse your password
3) Share documents with expiring links
4) Store documents in the cloud securely (2FA)
5) Dispose data securely
6) Shred documents & protect digital certificates
7) Notify LawCover when the house is on fire
45. Where to get help
• Law Council of Australia Cyber Precedent, a great learning resource
• Law Council cyber-attack checklist
• Lawcover crisis management team can help you clean up the mess.
• If you are a victim of identity theft, contact IDCARE, a not-for-profit that helps people
• Have a conversation with your IT Service Provider, or staff. Use these slides as a talking point!