Information Security Data Protection |
|
A couple of my favorites were the 478 laptops stolen from/lost by the US Internal Revenue Service between 2002 and 2006 (http://www.treas.gov/tigta
/auditreports/2007reports )and the 160 laptops lost by the FBI in 44 months (http://arstechnica.com/news/200720048fr.pdf .ars/post/20070212-8821.html ). Myself, I have been part of a data breach. A former employer sent me a form letter saying that my personal information was involved in a data breach.
USA
The USA has similar legislation, such as SOX (Sarbanes-Oxley), Gramm-Leach-Bliley Act and HIPA (Health Insurance Portability and Accountability Act). This link, American (USA) Privacy Laws & Legislations, has links to many US privacy laws. California had one of the first state privacy laws, and many other states have based their laws on that one. These laws often have very clear requirements for companies to publicly disclose when data belonging to residents of their state has been leaked.
What is “Personal Information”
This definition is copied from section 3 of the Canadian Privacy Act: http://laws.justice.gc.ca/en/P
-21/section-3.html
"personal information"
«renseignements personnels »
"personal information" means information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing,
(a) information relating to the race, national or ethnic origin, colour, religion, age or marital status of the individual
(b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved
(c) any identifying number, symbol or other particular assigned to the individual
(d) the address, fingerprints or blood type of the individual
(e) the personal opinions or views of the individual except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual by a government institution or a part of a government institution specified in the regulations
(f) correspondence sent to a government institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence
(g) the views or opinions of another individual about the individual
(h) the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual by an institution or a part of an institution referred to in paragraph (e), but excluding the name of the other individual where it appears with the views or opinions of the other individual, and
(i) the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual,
From the California privacy legislation (which is the base for privacy legislation in many other states) SB 1386 http://info.sen.ca.gov/pub/01
-02/bill/sen/sb_1351-1400/sb _1386_bill_20020926_chaptered .html
(e) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted
(1) Social security number
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Some of the specific data elements this would include are: Name, phone number, address
What Can Be Done to Protect Your Data and Your Company
“The only truly secure computer is one that is unplugged and locked into a bank vault.”
Phrases similar that have been around for a long time, and they are essentially true. As soon as a computer is connected to a network, it is exposed to risk of data security compromises. However, computer systems, networks and data have to be open in order to get the most value from them. Therefore there is always an appreciable risk that data will be leaked.
Information Security Policies & Procedures
Policies are the “laws” that define how the company intends to operate. Policies should be reviewed periodically. This is especially important in the Information Technology area since it is changing so rapidly. How many business people had used IM (Instant Messaging), VoIP (VoIP) or heard of “Phishing” attacks. Corporate policy and procedure should also address explicitly how suspected and actual data leaks will be handled. Public perception of mishandling that type of situation can cause as much, or more, damage to the company as the actual data leaks. Being able to prove to the public, auditors and the legal system that your company did take appropriate steps to prevent the leak is one of the best defenses you can have. Actually, the simplest security procedure to apply is encryption. For example, for many purposes, if leaked data (ie lost laptop, backup tape) is encrypted with an approved encryption system, then the data is still considered secure and the leak does not have to be publicly reported.
Threat Assessment
Identify all of the sensitive information you have, where it is stored and who is responsible for it, the data owner), and what is worth to the company. Spending a lot of money to protect the current, public, version of your catalog does not make sense. However, spending money to protect your customer's purchasing information or your company's “secret” 5 year marketing plan, does make sense.
Defense-In-Depth
The more layers of defense, and the more different types of defense you put into place, the harder it is for an attacker to get to your data. What types of defense are available:
- firewalls to limit access into and out of your corporate network and PCs
- IPS/IDS –Intrusion Protection Systems & Intrusion Detection Systems to identify when your network is being attacked from the outside and / or block those attacks
- Switches vs Hubs. Use switches to limit traffic on a network connection compared to Hubs which broadcast everything to everyone
- Network Segmentation – use your switches to divide the network into logically separated sections
- Encryption to protect data “in motion”, moving over internal wired and wireless networks or the internet. And to protect data “at rest” on various storage devices, and devices that most people do not consider as “data storage” devices. Data can be “at rest” on your desk top hard drive, on a server hard drive (file, web or email), or on a laptop hard drive. There are more relatively “new” technologies that can hold your data, such as USB thumb drive, MP3 player, Blackberry, Cell phone, digital camera, pager, PDA, and external hard drives (up to 500 GB, and growing).
- End Point Protection refers to most of the devices listed above as candidates for encryption. However it refers to controlling access to various connections to your network. In the early days of computing, a network was strictly limited to internal access. It was easy to control. Then the internal networks were connected to other networks, then by strictly controlled modem connections, next by firewall controlled access to the internet. Now computers now provide uncontrolled access to the computer, and the connected network via USB and Firewire connections and wireless devices. So now internet access can be made bypassing the corporate firewall.
- Software Patch Management is required ensure that all required application and operating system patches are applied in a timely manner. Although most of the current publicity is focused on new threats, the sad fact is that relatively “old” threats continue to be active on the internet, just waiting for the opportunity to attack a computer that is not up to date.
- Anti-Malware protection. “Malware” is a generic term for all forms of software that may attack your computer. “Viruses” were the original form of malware. Currently malware includes, spyware, Trojans, keyloggers, phishing and pharming attacks to name a few of the current recognized categories. One thing to remember is that “one size” anti-malware software does not “fit all”. Just because you have anti-malware on your server, does not mean that your desktops are protected. And then again, using versions of the same anti-malware on the desktop and server is not the best approach. Various anti-malware vendors have different approaches, they have different strengths and therefore may not find the same sets of malware. Therefore, there is an advantage to using different tools in different places to stand a better chance of finding more different malware.
- Proxy Servers or Application Servers are a specialized type of firewall. Each proxy server is designed for a specific application or programming language. This allows the proxy server to inspect the content in the traffic to determine if it contains harmful commands or content. Proxy servers are often implemented on standalone hardware so that they do not impact application speed or network data transfer speed.
SIM / SEM / SIEM
Security Information Management, Security Event Management, Security Information Event Management are variations on the same theme. Collect security information from all around the company, log it in a common location and act on events of interest. The idea is to be able to identify when your company is being attacked, and hopefully be able to act to block the attack before it succeeds. Even so, sometimes breaches will occur. Therefore it is helpful to have access to logged information that will help retroactively identify when the attack started /ended, how it was done and what was taken.
Conclusion
What combination of strategies you implement depends on your needs, the sensitivity of your data, and your budget. The choice is up to you.
Note: This information is generic. You have to identify and follow the specific legal requirements that apply to your business and location or customer's location. If you would like to purchase consulting services in this area contact us at Amik Technology we would be pleased to meet and discuss your concerns and how we can help further. Call 807-475-3196
ProtectTools for notebook and desktop PCs
From preventing targeted theft, to blocking unauthorized access to key company data and helping enforce strong password policies, HP ProtectTools offers you a complete toolset to protect your key business data and assets.
HP ProtectTools Security Manager brings key security technology areas together into a holistic approach to security that makes it easy for you to choose the level of security that is right for your business. Choose from a growing collection of software modules to offer better protection against unauthorized access to PCs while making accessing PCs and network resources simple.
| • | Embedded security for HP ProtectTools uses a TPM-embedded security chip designed to work with a growing number of third-party software solutions to help protect sensitive data stored locally on a PC. |
 |
|
| • | BIOS Configuration for HP ProtectTools* provides an easy to use alternative to the pre-boot BIOS configuration utility (known as the F10 Setup) to help protect a system from the moment power is turned on. The embedded security chip enhanced Drivelock* helps protect a hard drive from unauthorized access, even after it is removed from the system. |
|
|
| • | Smart Card Security for HP ProtectTools allows you to enable optional Smart Card authentication before the operating system loads, providing an additional layer of protection against unauthorized use of the PC. You can also configure separate Smart Cards for an administrator and a user, and easily backup and restore credentials stored and the Smart Card. |
|
|
| • | Credential Manager for HP ProtectTools is a personal password vault that makes accessing protected information more secure and convenient. Users won't need to remember multiple passwords for their collection of password protected websites, applications, and network resources, and a single sign-on capability adds additional protection, requiring users to use combinations of different security technologies, such as Smart Card and biometric when authenticating on the PC. |
|
|