From NetSquared Houston, June 10, 2014.
By: Gerry McGreevy
Senior Systems Analyst, MD Anderson Cancer Center
http://www.meetup.com/Net2Houston/events/178372942/
Gerry McGreevy, long time Netsquared member, Senior Database Administrator with 15 years experience in IT, and newly re-tooled career as IT Security Consultant, will be our June speaker.
The theme for the evening's presentation will be: Know Your Data, and be Aware of Evolving Threats.
Gerry's going to talk about CyberSecurity including an overview of the current landscape on how you can protect your organization's and your personal data, whether it be at home, in your pocket, in the cloud, or you are roaming in the wild. Specific tips and pointers to resources will be included!
A NonProfit Technologist's Guide to CyberSecurity and Data Protection
1. A NonProfit Technologist's Guide to CyberSecurity and Data Protection
NetSquared Houston, 6/10/2014
Gerry McGreevy, CISSP, MBA, OCP
Senior Systems Analyst, MD Anderson Cancer Center
gmcgreevy@mdanderson.org
Beiser IT Services
gerry.mcgreevy@beiser.us
Committee on National Security Systems (CNSS)

2. State of Data Security Today
National Security - Major Cyber Wars: China, Eastern Bloc, Iran, N. Korea, South and SE Asia, Mid-East
Drug Cartels & Organized Crime (foreign / domestic)
Threats to Infrastructure
Electric & water utilities
Transportation (air system, rail, traffic signals)
Communication (internet, phones, satellites)
Others (prisons, hospitals)
Internet of Everything

3. Threats to Commerce
Intellectual Property, Trade secrets
Contracts, Order systems
Proprietary data and processes, General operations
Data Breaches and Leakage = Heavy Fines + Restitution + Breach of Trust
Threats to Personal Digital Life
Identity Fraud
Credit Hacking
Tax Refunds
Medical Data Leakage
Embarrassing Disclosures
Litigation / Spousal surveillance
The Value of Your Data

6. Privacy Violations vs Fraudulent Access
What You Give Away
Why does a screen lock app need to know? >>
What They Steal

7. Concepts in Data Protection
What you are protecting . . .
Confidentiality
Integrity
Availability
Types of Data
Customer records
Financial Records
Compliance Records
Personal Identity Information (employee records, Credit Card)
Trade Secrets
Operational Records

8. Best Practices for Small Businesses (and Non-Profits)
Suggestions from National Institute of Standards and Technology
Best Practices for Small Businesses - NIST 7621
http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf
Suggestions from Greater Houston Partnership
Greater Houston Partnership – CyberThreat Self Assessment Tool
http://www.houston.org/cybersecurity/pdf/Cyber-Security-Book.pdf

9. Suggestions from NIST "Must Do's"
• Protect against viruses, spyware, and other malicious code
• Control access to computer and network (internal and external firewalls)
• Use individual username / passwords across your network (Strong password policies, or 2 Factor Authentication = Better!)
• Limit access to important data
• Use segmented networks
• Patch operating systems and applications (Secunia PSI http://secunia.com)
• Make Regular Backups – Fully Test a Restore
• Train employees in basic security principles

10. Suggestions from NIST "Highly Recommended"
• Train to be Alert for spear-phishing attacks, links in emails, IM, pop-ups, social Engineering, web surfing, downloading.
• Cautions Against Online Business or Banking: Not from mobile or strange networks, only from secure computer. Use VPN, Remote Desktop, or encrypted VNC, GoToMyPC, etc.
• Properly Dispose of Old Computers and Media
• How to get help with information security when you need it
• Recommended Personnel Practices in Hiring Employees

11. Additional Suggestions: Greater Houston Partnership
• Lockdown Desktops
• Disallow software installations, usb, other devices
• Whitelist apps that are okay – install from common download area
• Lockdown Wifi and Mobile (by mac address and WPA2 password)
• Monitor Web Usage and Report
• Learn how to Encrypt Data (MS Doc locks, TrueCrypt, BitLocker)
• Avoid Using Cloud (Especially for Sensitive Info!)
• Classify Data & Separate Based on Content & Classification
• Formalized Security Policies
• Conduct Assessments
• Data Recovery Exercises

12. Segment Your Network
Not-so Sensitive Data
Sensitive Data
Requires you to know and classify your data. < Critical Exercise!

13. Top 20 Security Controls
Advanced / Enterprise
• Critical Security Controls - Version 5
• 1: Inventory of Authorized and Unauthorized Devices
• 2: Inventory of Authorized and Unauthorized Software
• 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• 4: Continuous Vulnerability Assessment and Remediation
• 5: Malware Defenses
• 6: Application Software Security
• 7: Wireless Access Control
• 8: Data Recovery Capability
• 9: Security Skills Assessment and Appropriate Training to Fill Gaps
• 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• 11: Limitation and Control of Network Ports, Protocols, and Services
• 12: Controlled Use of Administrative Privileges
• 13: Boundary Defense
• 14: Maintenance, Monitoring, and Analysis of Audit Logs
• 15: Controlled Access Based on the Need to Know
• 16: Account Monitoring and Control
• 17: Data Protection
• 18: Incident Response and Management
• 19: Secure Network Engineering
• 20: Penetration Tests and Red Team Exercises
This work is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
http://www.sans.org/critical-security-controls/

14. Encryption: Protecting Microsoft Docs
File > Info > Restrict Permission by People (need Windows ID)
Microsoft Office 360
Good for sharing, not good for sensitive data.
Use Winzip to send the doc in an encrypted AES 256 wrapper.
GNU Privacy Guard
https://www.gnupg.org/

16. Email Security: Attachments
MS Office Docs
Turn off macros (or at least prompt)
Google Docs Preview (big difference in security between previewing Gmail vs Outlook)

17. Email Security: Attachments
Watch for weird-long names: coolvideo.mp4 .exe
Open in Sandbox Environment (Virtual Machine)
Understand Digital Signatures
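The double-extension trick on this slide can be checked mechanically before anyone opens the file. The following is an added example, not code from the talk; beyond the slide it also covers any executable extension hidden behind a harmless-looking one and the Unicode right-to-left override character, which reverses how the tail of a name is displayed. The extension lists and the 80-character length threshold are assumptions.

```python
# Added example (not from the talk): flag attachment names that disguise an
# executable, as in the slide's "coolvideo.mp4 .exe". Also covers any executable
# extension hidden behind a harmless one, and the Unicode right-to-left override
# (U+202E) that makes "fdp.scr" display as "rcs.pdf". Lists/threshold are assumed.
import re

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "jar", "lnk", "ps1"}
INNOCENT_EXTS = {"mp4", "avi", "mov", "jpg", "jpeg", "png", "gif", "pdf",
                 "doc", "docx", "xls", "xlsx", "txt", "zip"}
MAX_NAME_LEN = 80  # assumed threshold for a "weird-long" name
RLO = "\u202e"     # right-to-left override character


def attachment_warnings(name):
    """Return the reasons an attachment name looks deceptive (empty list if none)."""
    warnings = []
    if RLO in name:
        warnings.append("contains right-to-left override; displayed name is reversed")
    if len(name) > MAX_NAME_LEN:
        warnings.append("name longer than %d characters" % MAX_NAME_LEN)
    # Split on dots and strip the padding spaces that push the real extension away
    parts = [p.strip().lower() for p in name.replace(RLO, "").split(".")]
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        disguises = [p for p in parts[1:-1] if p in INNOCENT_EXTS]
        if disguises:
            warnings.append("executable .%s hidden behind .%s" % (parts[-1], disguises[-1]))
        else:
            warnings.append("executable attachment (.%s)" % parts[-1])
    if re.search(r"\s{2,}", name):
        warnings.append("padding spaces used to push the real extension out of view")
    return warnings
```

Run it over the names in an inbox export; anything with a non-empty result is opened, if at all, only in the sandbox VM the slide recommends.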
19. Hacking - Things You Think May be Secure but Aren't
• Adobe
• Java
• Firefox
• Google
• Microsoft
• Apple

20. Hacking - Things You Think May be Secure but Aren't
ssl implementations
Don't download directly to Dropbox (it tells them what account, and you have to login, giving your password). Download to local, then save to Dropbox.
Recommend NOT sharing passwords from one site to another, ie. Don't use Facebook / Google id to log into some site.

21. Careful What You Download
Which of these search results are safe?

22. Password Cracking
Strong Passwords
– 8 – 15 Characters (old advice), non-dictionary words
– Stop using 5 for S, 1 for I, 0 for O (doesn't really help anymore)
– Be aware of common password patterns (Paper on PIN numbers: http://www.datagenetics.com/blog/september32012/)
– Problems w/ password managers: LastPass, KeepPass, others
– Use Phrases with spellings all messed up, i.e: toseideotsdonno
Don't communicate passwords via email or SMS. Use a different "channel".
Better Protect yourself: Multi-Factor Authentication (ie. Google Authenticator, can be used by some apps)

23. Mobile Data
Dropbox, Google Drive and Other Cloud Storage Issues: Privacy, Data Ownership, Responsibility
Only put docs out that no harm done if revealed.
Or, encrypt before writing to cloud (warning – consider where/by whom encryption is being done).
Thumbdrives
Very easy to hide a virus
Use encrypted (or hidden) partition. Tool: Truecrypt

24. Mobile Data
Mobile Devices
If they are not "locked down", consider open to internet.
Allow non-rooted phones only.
Use a "guest" network to connect for any device not locked down.
Most client apps (email, SMS, etc) leave data on phone.
Far from guaranteed you can erase all data on lost phone.

25. When You Are Out In the Wild
Resist joining strange networks.
Protect Yourself by Doing Everything Important from Home (even when you're not).
Accessing Your Screen At Home While Away - Options:
Remote Desktop - (Windows)
GoToMyPC
VNC Personal, use 128 bit encryption (256 = strong) http://www.realvnc.com/
OpenVPN

26. Protecting Your Home Computer
Need to have multiple copies (and safe places) for each backup: Onsite and Remote.
Where and how you encrypt matters a lot to both security and costs.
Easy: Copy files to USB External Hard Drive > Remove Drive, give it to friend. Cost $70 - $150.
Orig. Backup / zip Upload: Data > to compress > to Cloud
2nd Local Drive (Encrypt before write to disk)
My Docs > copy/zip to E:Backup > Upload to Amazon. Cost to setup $0. Cost to restore $40 - $100.
Must Fully Test Restore. A restore method not tested makes it a crap shoot, odds against you.
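The copy/zip pipeline on this slide, together with the test restore it insists on, as an added example that is not code from the talk. The backup writes a zip and keeps a SHA-256 manifest; the restore is unpacked into a scratch directory and every file is compared against that manifest, so a missing or altered file is reported instead of discovered on the day you actually need the backup. The sample files and paths are constructed for the demonstration.

```python
# Added example (not from the talk): "My Docs > copy/zip to backup drive", then
# a verified test restore. Sample documents and paths are constructed here.
import hashlib
import os
import tempfile
import zipfile

def file_hashes(root):
    """Map relative path -> SHA-256 hex digest for every file under root."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hashes[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def make_backup(src_dir, zip_path):
    """Zip src_dir into zip_path and return the manifest taken at backup time."""
    manifest = file_hashes(src_dir)
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel in manifest:
            zf.write(os.path.join(src_dir, rel), rel)
    return manifest

def verify_restore(zip_path, manifest):
    """Restore into a scratch dir; return files missing or altered vs. the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        with zipfile.ZipFile(zip_path) as zf:
            zf.extractall(scratch)
        restored = file_hashes(scratch)
    return sorted(rel for rel, digest in manifest.items() if restored.get(rel) != digest)

def demo():
    """Constructed sample: a good restore check, then one that catches a stale backup."""
    with tempfile.TemporaryDirectory() as docs, tempfile.TemporaryDirectory() as drive:
        os.makedirs(os.path.join(docs, "grants"))
        for rel, data in [("donors.csv", b"name,amount\nA,100\n"),
                          ("grants/2014.txt", b"pending"),
                          ("notes.txt", b"board meeting")]:
            with open(os.path.join(docs, rel), "wb") as fh:
                fh.write(data)
        zip_path = os.path.join(drive, "backup.zip")
        manifest = make_backup(docs, zip_path)
        good = verify_restore(zip_path, manifest)   # [] -> every file came back intact
        manifest["budget.xlsx"] = "0" * 64          # a file created after the backup ran
        stale = verify_restore(zip_path, manifest)  # ["budget.xlsx"] -> backup is stale
        return good, stale
```

Store the manifest alongside the zip (or in the cloud copy) so the same check can be run against the remote copy after it has been downloaded again.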
27. Protecting Your Home Computer
Myth: Macs are not subject to viruses
Windows vs. Mac
http://www.cvedetails.com/top-50-vendors.php

30. Protecting Your Home Computer
Lock DNS (if possible). Know (and periodically check) where your DNS is pointed to.
Logfiles: know where they are, become familiar with what they do (may be overwhelming).
File Shredding: Learn to digitally "shred" sensitive files (http://www.fileshredder.org/)

31. Protecting Your Home Computer
Password Repositories - Not Really Safe
Simple Solution: Encrypt spreadsheet (winzip, truecrypt). White out the passwords, so you can just copy / paste.

32. Using Encryption
Protect person-person communications
Digital Signatures – Brings confidence sender is as claimed
Message Authentication - Not changed in transit
Privacy - Secure message in transit
Disc encryption – Important on mobile devices
Personal Identity in public space – Digital IDs
Common Freeware: TrueCrypt, Windows Bitlocker, Gnu Privacy Guard, Winzip (pay)

33. Things You Don't See Have Holes
Printers
Smart TVs and other appliances ("Samsung All Share")
Video Game Consoles
"Internet of Everything"
Solution: Segmented Network /subnet/DMZ. Put your most secure data behind an internal firewall.

35. Safe Browsing Choices
Use Private Browsing (all browsers have this option). Limits amount of info stored in browser.
Use Virtual Machines for browsing the internet (need to isolate the VM from any network).
TOR (The Onion Router): Not really anonymous, but very hard to trace.

36. Locating Sensitive Data
Identity Finder - Find Personal Identity Information (PII) on your computer

38. Keeping Your Ear To The Ground: Resources for Further Information
Greater Houston Partnership – CyberThreat Self Assessment Tool
http://www.houston.org/cybersecurity/pdf/Cyber-Security-Book.pdf
Best Practices for Small Businesses - NIST 7621
http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf
Know the Risks Before You Head to the Cloud: A Primer on Cloud Computing Legal Risks and Issues for Nonprofits
http://www.jdsupra.com/post/documentViewer.aspx?fid=05a42be3-161f-4909-af04-50aa14b6689e
Cybersecurity: The Corporate Counsel's Agenda
http://www.hoganlovells.com/custom/eDocs/Cybersecurity%20Advisory_Pearson_11152012.pdf
Online Social Networks, CyberRisk and Your Nonprofit: What You Need to Know
http://www.nonprofitrisk.org/library/newsletter/followme.shtml

39. Keeping Your Ear To The Ground: Resources for Further Information
Executive Order Begins Process of Strengthening Nation's Cybersecurity and Critical Infrastructure
http://www.pepperlaw.com/publications_update.aspx?ArticleKey=2562
NIST Special Publication 500-292: Cloud Computing Reference Architecture.
The Importance of Cybersecurity to the Legal Profession and Outsourcing as a Best Practice
http://e-discoveryteam.com/2014/05/11/the-importance-of-cybersecurity-to-the-legal-profession-and-outsourcing-as-a-best-practice-part-one/
Online Privacy for Nonprofits
https://www.privacyrights.org/online-privacy-nonprofits
NIST Proposes Privacy Control Roadmap for Organizations
http://www.pepperlaw.com/publications_update.aspx?ArticleKey=2658
Common Vulnerability Evaluation Database
http://www.cvedetails.com
Mandiant Reports
https://www.mandiant.com/resources/mandiant-reports/
Webcasts:
Bitter C-Suite: Privacy, Security and Data Protection Issues Facing Corporations, Directors and Officers (http://www.pepperlaw.com/webinars_update.aspx?ArticleKey=2888)
BYOD (Bring Your Own Device) *Liability and Data Breach Sold Separately (http://www.pepperlaw.com/webinars_update.aspx?ArticleKey=2773)

40. Closing Thoughts
Recognize Data Breaches cannot be 100% prevented. They will happen. You must prepare multiple defense strategies to remediate.
Take a thorough inventory of your data, your devices, your systems, and who is "allowed".
Understand, and stay aware of, a continuously evolving threat environment - Defending your data is an ongoing process.