Securing Confidential Data
Transcript of Securing Confidential Data
7/27/2019 Securing Confidential Data
http://slidepdf.com/reader/full/securing-confidential-data 1/29
Securing Confidential Data in a Connected World: Methods and Applications
A Connected World
Today, more people have access to the Internet than ever before:
World Population = 2,405,518,376 (34.3%)
North America = 273,785,413 (78.6%) (InternetWorldStats.com/Stats.htm)
Teens Online – 95%
Using Mobile Devices = 74%
Have Smart phones = 37%
Tablets = 23%
80% have a desktop and/or laptop
(PewInternet.org)
Emerging Youth and Trends
Our emerging youth will present a much greater risk due to their perception of open source life and living within “Notopia” - a boundary-less world filled with eroded ethics and principles.
Due to the loss of boundaries, the online world is remodeling concepts of legality, right/wrong, and Private/Confidential materials.
As the Digital babies mature, the need to increase security will follow with them.
Responsibility of the Organization
It is the responsibility of the organization that collects, stores, and disseminates confidential data to maintain both its security and availability to those persons it was collected for.
By requiring security, there is an inference to an amount of value this data represents to the agency or person(s) the data concerns.
Given value, data now has a proportionate level of risk if it is lost, stolen, or misused.
Law Enforcement
Who decides how to classify data?
Federally held data is within the realm of the FBI (non-intelligence)
Criminal data is held within the National Crime Information Center (NCIC) at their Criminal Justice Information Services Division (CJIS) in West Virginia
State and Local Levels
These agencies may choose to further restrict access and broaden the range of what is considered Confidential data (barring FOIA requests in some cases, and even then they are still responsible for preventing sensitive information from leaking)
Confidential Data
Now that it has been classified as Confidential, the agency should:
Craft fitting policies & SOPs to provide clear directives for personnel to handle and protect the valuable data
Routinely review their policies and SOPs to ensure that they evolve along with risks
Track infractions to model corrective training and provide risk data
Securing Confidential Data
Physical Security
Primary means of preventing access to workstations, servers, teletypes, fax machines, printers, and other monitoring devices
All access points must be locked to prevent non-cleared personnel from accessing or viewing sensitive/confidential data
Technology - Hardware
Limit outside access from both Internet and local networks without clearance by using:
Firewalls – limit network communications based on network protocols, activity, ports, and types of communication
MPLS – Can be used to connect geographically separate locations, intelligently route network packets, create VPNs to encapsulate data
Encryption Levels (AES [128-256] – Advanced Encryption Standard) and other advancing encryption schemes
Authentication
(Diagram: Domain Level; Secondary Security Server)
Dual Authentication
Primary
Active Directory – Windows
NIS (Network Information Services) - Linux
Secondary
Additional Server/Applications used to integrate Smart Cards, HID devices, and Biometrics
Serves as bound medium to facilitate security measures while reducing user's burden of extra passwords
Encryption
Lower level security measure
By itself, may be weak – use in conjunction with the previous devices mentioned
Hardware
Frees up computing resources and increases speed
Increased up-front costs
Software
Ease of implementation as needed
Decreased Cost
Decreased speeds and increased CPU strain
Implementations -
Whole drives/arrays
Folders
Files
Antivirus / Malware Detection
Hardware
Typically network-based devices
Can be less expensive financially
Decreases overall network performance, while minimally affecting workstation resources and speed
Software
Can be Server and/or Workstation-based
Best use scenario includes centralized updates and configurations via Group Policies
Can be configured at workstation level for specialized projects
May cause interference with applications and websites
Wetware - Humans
Employees, users, vendors with access
Backgrounds, Polygraphs, and regular audits/debriefings
Training concerning historically effective security issues
Social Engineering
Reminder of how social engineering is successful – lax awareness
Various government organizations still use placards to keep the mindset of their personnel on guard against mind-hackers
Confirm knowledge of SOPs, protocols, and personnel identification and access rights
Never discuss sensitive information concerning security infrastructures and their access data
Pressure Testing
After backing up Confidential Data
Test Disaster Recovery and Protocols Periodically
Who is responsible for each measure, and can they quickly implement their tasks?
In case of Loss or Intrusion, review who needs to be notified
Invite Certified Security Personnel to assess your organization's security measures used to protect the Confidential Data
White Hats
Grey Hats
Black Hats
Methods of Testing
Intrusion Testing
Check Logs
Firewalls
Routers
Servers
Often Forgotten
Patches
Updates
Security Forums/Groups