Post on 09-Jun-2018
HK Academy of LAW - Seminar -Information Leakage
2010-06-26
Doctor A Security (r) All rights reserved (c) 2010 1
2010-06-26 Doctor A Security (r) Copyright (c) 2010 1
Doctor ASecurity: Illuminating the Accidental Leakage of Confidential Information on the Internet (Day 2)
26 June 2010
Andrew LAW, Andrew LAW and Frank HO Solicitors
Norman PAN, Doctor A Security Systems (HK) Ltd.
About Today
Day 1 (Last Sat.)
1. Latest attacks from the Internet: Browsers, Email
2. Personal firewall and Antivirus, only? Passwords, Security patches
3. Safe Transaction: Phishing sites, Social Network
Day 2 (Today)
1. Work at home: WIFI, USB hard disk, Social Networking
2. Physical & Hardware Security, Backup
3. Protecting your client information: Client-Attorney privilege (not protected), Encryption
4. IT Security Policy
5. Risk Assessment & Audit
[!] About Today, Do and Don't
About Today: IT Security Awareness for Users (not administrators). Stories, Question & Answer, Demonstration. A 20 minute break at about 11:00. Will recommend products, but don't sell.
Do: Ask questions if any; participate in answering questions.
Don't (please): Make/answer any call with your mobile within the classroom.
Work at Home
[R] Father's Day Tips [1]: Dad's Computer
1. Keep it updated: Windows, Antivirus
2. Uninstall any software that dad does not use.
3. Make sure that his screen-saver requires a password to reactivate.
4. If dad has a laptop, be sure that the built-in disk encryption feature is running.
5. Turn off the PC after every use.
http://isc.incidents.org/diary.html?storyid=9040
[R] Father's Day Tips [2]: Dad's Web Sites
1. Be careful with what he puts on social networking sites.
2. Use website passwords that are complex but easy for him to remember.
3. Pay close attention to where he is online: phishing sites. Think twice before entering a password.
[R] Father's Day Tips [3]: Dad's Personal Information
1. Be very careful with peer-to-peer (P2P) or file-sharing programs: pay close attention to which parts of his hard drives are shared with others by these programs.
2. Office information should NOT be put on this computer.
3. Check each of the email addresses if "reply to all" is used in emails.
4. Know who to call or contact if he thinks he has become a victim of online crime. Events happen fast online.
5. Keep a backup copy of all of his personal information (passwords, credit card numbers, bank account information, emergency phone numbers, etc.) locked in a safe.
WIFI & VPN
Your PC should be hidden
Hide the PC from the Internet: enable the firewall, or use a WIFI router.
Connecting Internet directly is Dangerous
Your PC is visible on the Internet!
[R] Hide Behind a WIFI Router
Your Router is visible on the Internet,
Your PC is NOT.
[R] Securing your home WIFI AP
Basic:
1. Use strong encryption: WPA2 Personal
2. Disable SSID broadcast (then configure your PC/PDA with the SSID by hand)
3. Rename the SSID; don't use the default
4. Management console access via cable connection only (not accessible from the Internet)
Advanced:
1. Allow only pre-defined MAC addresses
WEP and WPA were cracked!
Remote Desktop (or VNC), are you sure?
Hackers are trying to find Internet-visible Remote Desktop, VNC etc. and attack them using password cracking and vulnerabilities.
Free tools exist that assist hackers with breaking into Windows Remote Desktop connections.
Securing RDP on WinXP, if you really, really need this: http://www.mobydisk.com/techres/securing_remote_desktop.html
Use a VPN gateway, if really necessary
(1) Hello -> Encryption -> (2) n3$87&1!t*1 -> [VPN Firewall] -> (3) n3$87&1!t*1 -> Decryption -> (4) Hello
USB & Foxy
"Hi, Lawyer, I like music, by the way, do you download music using FOXY at your office?"
... a prospective big client
Incidents (newspaper reports; the Chinese headlines were not preserved in extraction)
Ming Pao, January 28, 2008
Ming Pao, April 5, 2008 (headline mentions FOXY)
Ming Pao, April 26, 2008 (headline mentions "665")
Ming Pao, May 27, 2008 (headline mentions Foxy)
Ming Pao, June 14, 2008 (headline mentions Foxy)
Sing Tao, May 8, 2008
2008-05-09, community.she.com forum post (Chinese text not preserved in extraction; the surviving words are "PC", "foxy", "download", "Winmax" and "share")
Are many people using Foxy?
Why Foxy?
In the Foxy Network (diagram; recoverable content follows)
Foxy servers in TX, USA: Iblinx.com -> gofoxy.net
Foxy clients joining the network
Search in English & Traditional Chinese characters
Foxy clients on the Internet
Using Foxy to search ..
Foxy downloaded
Foxy: To share my computer? The default is ALL shared!
I don't want to share, but ... still shared!
Security for using Foxy [1]
Least privileged user account (don't always use administrator)
Security for using Foxy [2a]
When using other people's PCs, always check whether Foxy is running (including before plugging in your USB HD!)
Security for using Foxy [2b]
How to check whether Foxy is running
Security for using Foxy [3]
Disable Foxy from running at startup of the computer
Turn off Foxy after use
Security for using Foxy [4]
Uncheck all drives (to be shared by Foxy)
Using Foxy FAQ
1. If I don't activate Foxy (just installed), would my files be shared? Yes.
2. Does Foxy automatically set all files in the download directory to be shared? Yes.
3. If "share" of a directory is NOT clicked, would it be shared? No, but the DOWNLOAD directory would still be shared.
4. If I install Foxy on the Desktop, will it be better? No, all documents on your Desktop would be shared.
5. If I have Windows firewall, could it protect me? Not much; Windows firewall tries to prevent inbound attacks.
6. If files were uploaded, can I delete them from Foxy clients? No, they would be distributed among Foxy clients.
Is Foxy the only way to leak?
Loss of USB hard disk
Loss of notebook PC
Compromised PC
FTP upload
Visiting malicious web sites
Sending out by email
Bluetooth of your smart phone (SMS, email)
Social Networking
Using Facebook - a little too social?
50% of employers blocked internal access to Facebook: productivity, security
66% of workers worried their colleagues gave too much information away: identity theft, targeted phishing
Facebook best practice: http://www.sophos.com/security/best-practice/facebook.html
Facebook Privacy Setting
Clickjacking attacks on the Facebook Like plugin
Gets a user to click on a hidden link and go to a malicious web site: a Like button follows the mouse, so no matter where you click on the web page you post a message on your profile saying that you like this malicious site. Your friends may follow.
Facebook users, be especially careful of all links.
http://isc.incidents.org/diary.html?storyid=8893
NoScript for Firefox should protect from this!
Let's QQ ...
Risks:
Viruses (do not go through the email server with its antivirus gateway); good, updated AV on the user PC is the last defence
Messages in plain text (in transit and in storage)
Files could be sent without control/record
Do you Tweet?
In January 2009, a phishing scam tricked many Twitter users into revealing their usernames and passwords. Users were sent a teaser that said something like "funny blog about you." When they clicked on the attached link users were diverted to a fake sign-in site where they filled in their username and password. The phishing site then used that information to send spam to followers.
Backup & Imaging
Hard disks fail very often!
Can't boot -> Panic!
Data corrupted -> Loss of data
Days to reinstall -> Loss of productivity
Replace with a new one every 3 years
Site Loss ... Could Your Firm Recover?
[R] Backup - Data
Recommend Genie Backup Manager Pro (http://www.genie-soft.com/Business/genie_backup_manager_Pro/Default.aspx)
Should:
Weekly full data backup
Daily differential backup
Monthly restore test
Backup should be encrypted
2 copies of backup: on site and off site
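The weekly full / daily differential / monthly restore-test schedule above, worked through as an added example in Python; this is not code from the seminar or from Genie Backup Manager. It simulates the file system in memory (a constructed dict of name -> (modification day, content)), shows why a differential copy is taken against the last full backup rather than the previous differential, handles a file deleted after the full backup, and runs the restore test as a digest comparison. Encrypting the copies, which the slide also requires, is left to the backup tool.

```python
"""Weekly full + daily differential backup, with the monthly restore test.

Added example, not from the seminar slides or from Genie Backup Manager:
an in-memory simulation of the schedule the slide recommends. The "file
system" is a constructed dict of name -> (mtime_day, content bytes).
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FileSystem = Dict[str, Tuple[int, bytes]]


@dataclass
class Backup:
    kind: str                 # "full" or "differential"
    day: int                  # day number the copy was taken
    files: Dict[str, bytes]   # name -> content captured in this copy
    present: Set[str]         # every name that existed at backup time
    digests: Dict[str, str]   # name -> sha256 of content at backup time


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def schedule(day: int) -> str:
    """Day 0, 7, 14, ... is the weekly full; every other day a differential."""
    return "full" if day % 7 == 0 else "differential"


def full_backup(fs: FileSystem, day: int) -> Backup:
    """Copy every file: the weekly baseline."""
    files = {name: content for name, (_, content) in fs.items()}
    return Backup("full", day, files, set(fs),
                  {n: sha256(c) for n, c in files.items()})


def differential_backup(fs: FileSystem, last_full: Backup, day: int) -> Backup:
    """Copy only files modified since the last FULL backup (not since the
    previous differential), so a restore needs the full copy plus one
    differential, never a chain of them."""
    files = {name: content for name, (mtime, content) in fs.items()
             if mtime > last_full.day}
    return Backup("differential", day, files, set(fs),
                  {n: sha256(c) for n, c in files.items()})


def restore(full: Backup, diff: Optional[Backup] = None) -> Dict[str, bytes]:
    """Rebuild the file set: full copy overlaid by the differential. Files
    deleted after the full backup are dropped using the differential's
    record of which names still existed (the case a naive overlay misses)."""
    state = dict(full.files)
    if diff is not None:
        state.update(diff.files)
        state = {n: c for n, c in state.items() if n in diff.present}
    return state


def restore_test(full: Backup, diff: Optional[Backup], live: FileSystem) -> List[str]:
    """The monthly restore test: restore into scratch space and compare
    digests with the live data. Returns the names that do not match; an
    empty list means the backup set can be relied on."""
    restored = restore(full, diff)
    expected = {n: sha256(c) for n, (_, c) in live.items()}
    bad = [n for n, d in expected.items() if sha256(restored.get(n, b"")) != d]
    bad += [n for n in restored if n not in expected]   # stale extras
    return sorted(bad)


def run_week() -> List[str]:
    """Constructed scenario: one matter file edited mid-week, one file deleted."""
    fs: FileSystem = {"matter_A.docx": (0, b"draft v1"),
                      "matter_B.docx": (0, b"final"),
                      "scratch.tmp": (0, b"junk")}
    full = full_backup(fs, 0)
    fs["matter_A.docx"] = (3, b"draft v2")   # edited on day 3
    del fs["scratch.tmp"]                    # deleted on day 4
    diff = differential_backup(fs, full, 5)
    return restore_test(full, diff, fs)      # [] when the restore matches


if __name__ == "__main__":
    print("restore test mismatches:", run_week())
```

Because each differential is measured against the last full copy, only two media are ever needed for a restore; the restore test catches a corrupted or out-of-date copy before the day it is needed.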
[R] Imaging - System Recovery
Recommend Paragon Hard Disk Manager Pro (http://www.paragon-software.com/home/hdm-professional/)
Should: back up the bootable partition every month (before applying patches every 2nd Tuesday) to an external hard disk, stored in a safe place (e.g. a safe).
Create a bootable CD using HD Manager Pro, just in case.
[R] Sample Policy, Guidelines - Backup
Policy: Back-up copies of information and software should be taken and tested regularly in accordance with the agreed backup policy.
Guidelines:
a) the necessary level of back-up information should be defined;
b) accurate and complete records of the back-up copies and documented restoration procedures should be produced;
c) the extent (e.g. full or differential backup) and frequency of backups should reflect the business requirements of the organization, the security requirements of the information involved, and the criticality of the information to the continued operation of the organization;
d) the back-ups should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site;
e) back-up information should be given an appropriate level of physical and environmental protection consistent with the standards applied at the main site; the controls applied to media at the main site should be extended to cover the back-up site;
f) back-up media should be regularly tested to ensure that they can be relied upon for emergency use when necessary;
g) restoration procedures should be regularly checked and tested to ensure that they are effective and that they can be completed within the time allotted in the operational procedures for recovery;
h) in situations where confidentiality is of importance, back-ups should be protected by means of encryption.
ISO 27001:2005 and ISO17799:2005
A break of 15 minutes
Physical Security
Practice and Procedure [AL]
Recommended Practice and Procedure
1. Hardware security
2. Physical security
Hardware Security #1 [AL]
Hardware generally refers to monitor, mouse, keyboard, printer and computer, but it is the storage media (hard disk, USB, CD/DVD disc, SSD) where information is stored, most commonly the hard disk because of its relatively fast read/write speed and large storage capacity. So for the purpose of this discussion, let's confine hardware to the hard disk.
Short term absence (e.g. toilet break): lock the screen by pressing Ctrl-Alt-Del together. Of course, make sure you have your Windows user password assigned in the first place!
Medium term absence (e.g. lunch break): close all the data files, exit applications (e.g. MS Word, IE), log off from the network connecting to the data server (if any), ideally also detach the physical network cable.
Office day end: ensure MS Windows is COMPLETELY shut down, with the computer power off. Note these messages, which are often ignored by the departing user:
"Windows fails to shut down, there are print jobs pending."
"Are you sure to shut down Windows? - there are applications running."
Hardware Security #2 [AL]
Enable the computer's BIOS password: assign Supervisor and User(s) passwords
Enable the hard disk activation password
Enable the MS Windows user password
Enable the network user password
Enable hard disk volume encryption
Enable fingerprint recognition security, likewise the Trusted Platform Module if available
Enable face-recognition security
Hardware Security #3 [AL]
For lawyers travelling with a notebook computer: keep the computer in the airplane cabin
Do not leave the computer in the hotel room, not even in the mini-safe
Sleep with the notebook (physically next to you), run with it in case of emergency
Most ideally, enable the hard disk activation password AND store data on a hard disk with an automatic encryption feature, so that only encrypted files are exposed to intruders (check availability of such features before you buy a computer or mobile hard disk).
BitLocker hard disk encryption comes as a standard feature with Windows 7 Ultimate; otherwise add third-party encryption software such as BigLock.
Physical Security [AL]
Lock your office door at day end
Apply a Kensington lock to hardware containing confidential data, particularly notebook computers / data servers
Install surveillance cameras in the office as a deterrence control
Server room protected with a tempered glass cabinet, with automatic siren and reporting facility to the police
Duty of Confidentiality
Duty of confidentiality
Duty within the contractual retainer
Matter of professional conduct
Unauthorised disclosure could lead to civil claim for breach of confidence and disciplinary action
Continues beyond the end of the retainer and death of the client
Confidentiality (Guide Chapter 8.01)
All client information is confidential unless the client authorizes or waives disclosure, expressly or impliedly; or disclosure is required by law; or in exceptional circumstances: serious bodily harm, or exceptional circumstances involving a child.
Commentary
#1 This duty extends to the solicitor's staff, whether admitted or unadmitted, and it is the responsibility of the solicitor to ensure compliance.
#5 Unauthorised disclosure of clients' confidences could lead to disciplinary proceedings against a solicitor and could also render a solicitor liable, in certain circumstances, to a civil action by the client arising out of the misuse of confidential information.
Commentary (cont'd)
#18 Problems with confidentiality can arise where a solicitor or firm shares office services provided by independent contractors (such as computers, equipment or typing services) with another person or business. A solicitor should only make use of these where strict confidentiality of client matters can be ensured: see Practice Direction D 5.
#30 Where disclosure has taken place a solicitor should inform his client promptly that he has done so.
Complaints against law firms for breach of personal data privacy
failing to enclose legal documents in sealed envelopes;
failing to properly mark the envelopes (e.g. "Private and Confidential");
leaving legal documents in common areas or giving them to unrelated parties;
sending legal documents to outdated or wrong addresses when the correct address could be ascertained;
producing copies of the legal documents to a receptionist for the purpose of obtaining acknowledgment of receipt.
Data Protection Principle
The complaints raise serious concerns over the security of sensitive personal data usually found in those legal documents. The requirements of Data Protection Principle 4 ("DPP4") in Schedule 1 to the Personal Data (Privacy) Ordinance ("the Ordinance") are of particular relevance. DPP4 provides that:-
DPP4
"All practicable steps shall be taken to ensure that personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user are protected against unauthorized or accidental access, processing, erasure or other use having particular regard to -
the kind of data and the harm that could result if any of those things should occur;
the physical location where the data are stored;
any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data are stored;
any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and
any measures taken for ensuring the secure transmission of the data." (emphasis added)
Here, "practicable" means "reasonably practicable" as defined in section 2 of the Ordinance.
Practical Steps
Practicable steps should include:
delivering documents in a sealed envelope marked "Private & Confidential" and, where appropriate, "To be Opened by Addressee Only";
avoiding leaving documents in common areas or places where any passerby may have access;
avoiding leaving documents with unrelated parties such as neighbours or caretakers;
ensuring correctness of the address for service;
not disclosing the contents of a document to unrelated parties for the sake of getting an acknowledgement of receipt of the document.
Solicitors' firm being sued (Chinese text not preserved in extraction; the slide concerns a Foxy leak and refers to a firm as "ABC")
Law Society (Chinese text not preserved in extraction; the slide concerns Foxy)
MSN (Chinese text not preserved in extraction; the slide mentions MSN, Facebook and email)
IT Security Policy
Security is an antivirus issue only?
1. Do you allow your staff to use Foxy at office / at home?
2. Do you allow your staff to take home documents for work?
3. Do you control what software could be installed at office / at home?
4. What if the USB flash disk is left on a taxi?
[R] What should be done?
Data Classification (HKSARG Security Regulation): TOP SECRET, SECRET, CONFIDENTIAL, RESTRICTED
Handling classified information
Handling Confidential (electronic) Information
Encrypted: transport over untrusted networks; store as a file
Risks: lost or forgotten passwords
[R] File Encryption
File encryption: symmetric encryption (the password should be known to both parties)
Software: e.g. WinZip, WinRAR, PowerArchiver, Adobe Acrobat Professional (not Acrobat Reader)
Problems: too many passwords; different passwords for each file? each client?
[R] Email encryption
PKI (Hong Kong Post e-Cert): install in your email software
PGP software (freeware available)
Problem: not commonly used among HK lawyers & clients
Loss of USB Flash or Hard Disk
[R] Drive Encryption - TrueCrypt
If you really need to take CONFIDENTIAL information away from the office:
Get authorization
Use company-provided USB devices
Encrypt a drive (USB flash drive) or a directory with TRUECRYPT (freeware)
Return the USB device after use.
http://www.truecrypt.org/downloads
[R] Use WinZip for File Encryption
1. Password pre-agreed with the recipient(s)
2. Password saved in a file in the project directory
[R] Sample Policy - Data Classification
Policy: Information should be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization.
Policy: An appropriate set of procedures for information labeling and handling should be developed and implemented in accordance with the classification scheme adopted by the organization.
ISO 27001:2005 and ISO17799:2005
[R] Information Disposal
All classified data must be erased or destroyed (not just deleted) before the media are reused or disposed of.
Data destruction: paper - shred; CD - degauss; hard disk - erase 3 times
[R] Data Destruction
Delete a file => it is stored in the Trash Bin
Trash Bin > Right Click > Clean up => only the index entry in the operating system is removed
The data is still on the hard disk and could be recovered easily.
Recommend: Paragon HD Manager Pro > Wipe free space, partition or entire disk (takes a long time)
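An added example (not from the slides or from Paragon HD Manager Pro) that makes the point concrete in Python: a toy disk whose directory index and data blocks are separate, so "delete" only drops the index entry, a raw scan still finds the confidential text, and only an overwrite of the free space (three passes, as the slide says) removes it while leaving live files intact. All names, block sizes and file contents are constructed.

```python
"""Why "Delete" is not "Destroy": a toy disk with an index and raw blocks.

Added example, not from the seminar slides or from Paragon HD Manager Pro.
A disk is modelled as fixed-size blocks plus a directory index, the way a
real file system keeps its allocation table apart from the data blocks.
"""
import os
from typing import Dict, List

BLOCK = 16    # bytes per block (tiny, for illustration)
BLOCKS = 64   # 64 blocks = 1 KiB "disk"


class ToyDisk:
    def __init__(self) -> None:
        self.raw = bytearray(BLOCK * BLOCKS)   # the platters
        self.index: Dict[str, List[int]] = {}  # name -> block numbers

    def _free_blocks(self) -> List[int]:
        used = {b for blocks in self.index.values() for b in blocks}
        return [b for b in range(BLOCKS) if b not in used]

    def write(self, name: str, data: bytes) -> None:
        free = self._free_blocks()
        needed = -(-len(data) // BLOCK)           # ceiling division
        if needed > len(free):
            raise OSError("disk full")
        blocks = free[:needed]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.raw[b * BLOCK:(b + 1) * BLOCK] = chunk
        self.index[name] = blocks

    def read(self, name: str) -> bytes:
        return b"".join(bytes(self.raw[b * BLOCK:(b + 1) * BLOCK])
                        for b in self.index[name]).rstrip(b"\0")

    def delete(self, name: str) -> None:
        """'Clean up' the Trash Bin: only the index entry goes; the blocks
        keep their content and are merely marked free."""
        del self.index[name]

    def carve(self, needle: bytes) -> bool:
        """What a recovery tool does: scan the raw blocks, ignoring the index."""
        return needle in bytes(self.raw)

    def wipe_free_space(self, passes: int = 3) -> None:
        """Overwrite every unallocated block 'passes' times (the slide's
        'erase 3 times'): 0x00, then 0xFF, then random bytes. Live files
        are untouched because only free blocks are rewritten."""
        for p in range(passes):
            for b in self._free_blocks():
                if p == passes - 1:
                    fill = os.urandom(BLOCK)
                else:
                    fill = bytes([0xFF if p % 2 else 0x00]) * BLOCK
                self.raw[b * BLOCK:(b + 1) * BLOCK] = fill


def demo() -> Dict[str, bool]:
    """Constructed scenario: a confidential note is deleted, then the free
    space is wiped; 'carve' shows what a recovery tool could still find."""
    disk = ToyDisk()
    disk.write("keep.txt", b"retainer letter, keep")
    disk.write("offer.txt", b"CLIENT ABC settlement offer HK$2,000,000 CONFIDENTIAL")
    disk.delete("offer.txt")
    after_delete = disk.carve(b"CONFIDENTIAL")      # True: data still there
    disk.wipe_free_space()
    after_wipe = disk.carve(b"CONFIDENTIAL")        # False: overwritten
    return {"recoverable_after_delete": after_delete,
            "recoverable_after_wipe": after_wipe,
            "live_file_intact": disk.read("keep.txt") == b"retainer letter, keep"}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A real wipe tool does the same thing at scale, which is why wiping free space or a whole partition takes so long: every free block has to be physically rewritten, not just unlinked.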
Digital Copy Machine, a Security Risk?
"Modern" digital copy machines, those sold after 2002, contain a hard drive. These hard drives store the images copied. The machines are traded in for new models and then refurbished and resold.
http://isc.incidents.org/diary.html?storyid=9010
http://www.cbsnews.com/video/watch/?id=6412572n
Sample Policy - Data Disposal
Policy: All items of equipment containing storage media should be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.
Guidelines:
1. Devices containing sensitive information should be physically destroyed or the information should be destroyed, deleted or overwritten using techniques to make the original information non-retrievable rather than using the standard delete or format function.
2. Damaged devices containing sensitive data may require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded.
3. Information can be compromised through careless disposal or re-use of equipment.
Is Data Security everything?
Information security policy
Organization of information security
Asset management: Information classification
Human resource security
Physical and environmental security: Secure areas, Equipment security
Communications and operations management: Backup & restore, Media handling
Access control
Information systems acquisition, development and maintenance: Cryptographic controls
Information security incident management
Business continuity management
(Pie chart) Operational 40%, Technical 15%, Management 45%
Risk Management
ISO 31000:2005
What is Security?
Freedom from risk or danger
http://www.thefreedictionary.com/security
What is Risk? [ISO/DIS 31000] (diagram; recoverable content follows)
Risk levels are a combination of Impact and Likelihood.
Management sets the Acceptable Risk Levels (Risk Criteria / Risk appetite): Low, Medium, High.
[1] Identify Risk: e.g. Risk#1 Information leakage, Risk#2 Pandemic, Risk#3 System failures
[2] Risk Analysis determines Risk Levels
[3] Risk Assessment evaluates Risk Levels vs Risk Criteria
[4] Risk Treatment reduces risks to Acceptable Risk Level(s)
Risk treatment for Primary Risk#2: additional security control, e.g. ISO27001-A.10.3 (higher priority)
Risk treatment for Primary Risk#3: additional security control, e.g. Cobit 4-1 xxx (medium priority)
Risk Assessment Examples (table; columns grouped as Risk Analysis, Risk Assessment, Risk Treatment)

Example 1
Event: Password for email account was cracked
Existing Vulnerability: Password was easy to be cracked
Existing Preventive Controls: Antivirus software
Existing Detective Controls: Antivirus software
Likelihood: Medium
Consequence: High - Unauthorized disclosure of CONFIDENTIAL information in the email system
Risk Level (Likelihood + Consequence): High
Risk Criteria: Medium (< Medium)
Additional Risk Treatment?: Yes
Additional Security Controls: 1) Use complex passwords 2) Change passwords every 3 months

Example 2
Event: Clicking malicious URL in spam email and PC compromised by virus
Existing Vulnerability: Antivirus software cannot prevent all viruses
Existing Preventive Controls: Personal Firewall
Existing Detective Controls: Personal Firewall
Likelihood: High
Consequence: High - Unauthorized disclosure of CONFIDENTIAL information in the PC
Risk Level (Likelihood + Consequence): High
Risk Criteria: Medium (< Medium)
Additional Risk Treatment?: Yes
Additional Security Controls: 1) Read email in plaintext 2) Ignore spam 3) Security awareness training

Example 3
Event: Loss of site due to Fire
Existing Vulnerability: No Business Continuity Arrangement
Existing Preventive Controls: Fire sprinklers; No smoking within office building
Existing Detective Controls: Fire alarm
Likelihood: Low
Consequence: High - Loss of business
Risk Level (Likelihood + Consequence): Medium
Risk Criteria: Medium (< Medium)
Additional Risk Treatment?: Yes
Additional Security Controls: Business Continuity Arrangement - documents scanned, information backup, alternative site
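The risk analysis / assessment / treatment steps behind the table, as an added Python example that is not from the slides or from ISO 31000. The likelihood x consequence matrix is an assumption chosen so that it reproduces the three slide rows (Medium+High = High, High+High = High, Low+High = Medium); the criterion "< Medium" is taken from the table, so Medium and High both need treatment. It goes beyond the slide by ranking the treatment list and by showing a risk that falls below the criterion and gets no treatment.

```python
"""Risk level from likelihood and consequence, checked against risk criteria.

Added example: not from the seminar slides or from ISO 31000. The 3x3
matrix is an assumption chosen so that it reproduces the three rows on
the slide (Medium+High = High, High+High = High, Low+High = Medium).
"""
from dataclasses import dataclass, field
from typing import Dict, List

LEVELS = ["Low", "Medium", "High"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# MATRIX[likelihood][consequence] -> risk level (assumed matrix, see above)
MATRIX: Dict[str, Dict[str, str]] = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}


@dataclass
class Risk:
    event: str
    vulnerability: str
    likelihood: str
    consequence: str
    proposed_controls: List[str] = field(default_factory=list)


def risk_level(likelihood: str, consequence: str) -> str:
    """[2] Risk analysis: combine the two ratings through the matrix."""
    return MATRIX[likelihood][consequence]


def needs_treatment(level: str, criteria: str = "Medium") -> bool:
    """[3] Risk assessment: the slide's criterion '< Medium' means only risks
    below the criterion are acceptable; Medium and High need treatment."""
    return RANK[level] >= RANK[criteria]


def assess(register: List[Risk], criteria: str = "Medium") -> List[dict]:
    """[4] Produce the treatment list, highest risk first, so the controls
    for the worst risk are funded before the rest."""
    rows = []
    for r in register:
        level = risk_level(r.likelihood, r.consequence)
        treat = needs_treatment(level, criteria)
        rows.append({"event": r.event, "level": level, "treat": treat,
                     "controls": r.proposed_controls if treat else []})
    rows.sort(key=lambda row: RANK[row["level"]], reverse=True)
    return rows


def seminar_register() -> List[Risk]:
    """The three example events from the slide's table."""
    return [
        Risk("Password for email account was cracked",
             "Password was easy to be cracked", "Medium", "High",
             ["Use complex passwords", "Change passwords every 3 months"]),
        Risk("Clicking malicious URL in spam email and PC compromised by virus",
             "Antivirus software cannot prevent all viruses", "High", "High",
             ["Read email in plaintext", "Ignore spam",
              "Security awareness training"]),
        Risk("Loss of site due to fire",
             "No Business Continuity Arrangement", "Low", "High",
             ["Business Continuity Arrangement: documents scanned, "
              "information backup, alternative site"]),
    ]


if __name__ == "__main__":
    for row in assess(seminar_register()):
        print(f"{row['level']:6} treat={row['treat']!s:5} {row['event']}")
        for control in row["controls"]:
            print("        -", control)
```

Changing the matrix or the criterion is a management decision (the "risk appetite" on the previous slide); the code only makes the consequences of that decision visible and repeatable across the register.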
Sample Policy - Risk Assessment
POLICY: Define the risk assessment approach of the organization. Identify a risk assessment methodology that is suited to the organization and to the identified business information security, legal and regulatory requirements. Develop criteria for accepting risks and identify the acceptable levels of risk.
POLICY: Identify the risks.
1. Identify the assets within the scope, and the owners of these assets.
2. Identify the threats to those assets.
3. Identify the vulnerabilities that might be exploited by the threats.
4. Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.
Summary
1. Use encryption for confidential information
2. Use a safer browser - Firefox; enable NOSCRIPT (to prevent scripts from untrusted sites from running)
3. Read email in plaintext (not in HTML): all URLs will appear
4. Click, with care
Contact us
Andrew LAW
[AL @ TechLaw.com.hk ] [Tel: 3104-0311]
Norman PAN [npan @ drasecurity.com] [Tel: 2342-4991]
For professional business correspondence, thank you!
Questions?
Thank You
Recommended Reading (management):
1. Data Theft by Hugo Cornwall, ISBN 0-434-90265-9
2. The Art of Intrusion by Kevin D Mitnick and William L Simon, ISBN 0764569597
3. Risk Management Solutions for Sarbanes-Oxley Section 406 IT Compliance by John S Quarterman, ISBN 0-7645-9839-2
4. Security Controls for Sarbanes-Oxley Section 404 IT Compliance, Authorization, Authentication and Access by Dennis C Brewer, ISBN 0-7645-9838-4
5. International IT Governance by Calder & Watkins, ISBN 0-7494-4748-6
6. Information Security Management System ISO27001:2005
7. Risk Management Principles and guidelines on implementation [ISO/DIS 31000]
Recommended Reading (technical):
1. Computer and Intrusion Forensics, ISBN 1-58053-369-8
2. Google Hacks by Tara Calishain, ISBN 0596008570
1. IT Security Guidelines: http://www.ogcio.gov.hk/eng/prodev/download/g3_pub.pdf
2. NIST Special Publications, Computer Security: http://csrc.nist.gov/publications/PubsSPs.html