
HK Academy of LAW - Seminar - Information Leakage
2010-06-26
Doctor A Security (r) All rights reserved (c) 2010

Illuminating the Accidental Leakage of Confidential Information in the Internet (Day 2)
26 June 2010
Andrew LAW, Andrew LAW and Frank HO Solicitors
Norman PAN, Doctor A Security Systems (HK) Ltd.

About Today

Day 1 (Last Sat.)
1. Latest attacks from the Internet: Browsers, Email
2. Personal firewall and Antivirus, only? Passwords, Security patches
3. Safe Transaction: Phishing sites, Social Network

Day 2 (Today)
1. Work at home: WIFI, USB hard disk, Social Networking
2. Physical & Hardware Security, Backup
3. Protecting your client information: Client-Attorney privilege, not protected; Encryption
4. IT Security Policy
5. Risk Assessment & Audit

[!] About Today, Do and Don't

About Today: IT Security Awareness for Users (not administrators)
Stories, Question & Answer, Demonstration
A 20 minute break at about 11:00
Will recommend products, but don't sell

Do (please): ask a question if you have any; participate in answering questions
Don't (please): make or answer any call with your mobile within the classroom

Work at Home

[R] Father's Day Tips [1]: Dad's Computer
1. Keep it updated: Windows, Antivirus
2. Uninstall any software that dad does not use.
3. Make sure that his screen-saver requires a password to reactivate.
4. If dad has a laptop, be sure that the built-in disk encryption feature is running.
5. Turn off the PC after every use.
http://isc.incidents.org/diary.html?storyid=9040

[R] Father's Day Tips [2]: Dad's Web Sites
1. Be careful with what he puts on social networking sites.
2. Use website passwords that are complex but easy for him to remember.
3. Pay close attention to where he is online: phishing sites. Think twice before entering a password.

[R] Father's Day Tips [3]: Dad's Personal Information
1. Be very careful with peer-to-peer (P2P) or file-sharing programs; pay close attention to which parts of his hard drives are shared with others by these programs.
2. Office information should NOT be put on this computer.
3. Check each of the email addresses if "reply to all" is used in emails.
4. Know who to call or contact if he thinks he has become a victim of online crime. Events happen fast online.
5. Keep a backup copy of all of his personal information (passwords, credit card numbers, bank account information, emergency phone numbers, etc.) locked in a safe.

WIFI & VPN

Your PC should be hidden
Hide the PC from the Internet:
Enable a firewall, or
Use a WIFI router

Connecting to the Internet directly is dangerous
Your PC is visible on the Internet!

[R] Hide Behind a WIFI Router
Your router is visible on the Internet; your PC is NOT.

[R] Securing your home WIFI AP
Basic
1. Use strong encryption: WPA2 Personal
2. Disable SSID broadcast (configure your PC/PDA accordingly)
3. Rename the SSID; don't use the default
4. Management console access via cable connection only (not accessible from the Internet)
Advanced
1. Allow only pre-defined MAC addresses
WEP and WPA were cracked!

Remote Desktop (or VNC), are you sure?
Hackers are trying to find Internet-visible Remote Desktop, VNC etc. and attack them using:
Password cracking
Vulnerabilities
Free tools exist that assist hackers with breaking into Windows Remote Desktop connections.
Securing RDP on WinXP, if you really, really need this: http://www.mobydisk.com/techres/securing_remote_desktop.html

Use a VPN gateway, if really necessary
(1) Hello -> Encryption -> (2) n3$87&1!t*1 -> (3) n3$87&1!t*1 -> Decryption -> (4) Hello
VPN Firewall

USB & Foxy

"Hi, Lawyer, I like music. By the way, do you download music using FOXY at your office?"
.. a prospective big client

Incidents (press reports; the Chinese headlines were not reproduced in this transcript)
Ming Pao, January 28, 2008
FOXY, Ming Pao, April 5, 2008
Ming Pao, April 26, 2008
Foxy, Ming Pao, May 27, 2008
Foxy, Ming Pao, June 14, 2008
Sing Tao, May 8, 2008

2008-05-09, community.she.com forum post (Chinese text not reproduced; only fragments survived: PC, foxy, download, Winmax, share)

Are many people using Foxy?

Why Foxy?

In the Foxy Network
Foxy servers in TX, USA: Iblinx.com -> gofoxy.net
Diagram labels: Foxy clients joining the network; search in English & Traditional Chinese characters; Foxy clients on the Internet

Using Foxy to search ..

Foxy downloaded

Foxy: share my computer?
Default is: shared to ALL!

I don't want to share, but ... still shared!

Security for using Foxy [1]
Least privileged user account (don't always use administrator)

Security for using Foxy [2a]
When using other people's PC, always check if Foxy is running (including when plugging in your USB HD!)

Security for using Foxy [2b]
To make sure whether Foxy is running

Security for using Foxy [3]
Disable Foxy from running at startup of the computer
Turn off Foxy after use

Security for using Foxy [4]
Uncheck all drives (to be shared by Foxy)

Using Foxy FAQ
1. If I don't activate Foxy (just installed), would my files be shared? Yes.
2. Does Foxy automatically set all files in the download directory to be shared? Yes.
3. If "share" of a directory is NOT clicked, would it be shared? No, but the DOWNLOAD directory would still be shared.
4. If I install Foxy on the Desktop, will it be better? No; all documents on your Desktop would be shared.
5. If I have the Windows firewall, could it protect me? Not much; the Windows firewall tries to prevent inbound attacks.
6. If files were uploaded, can I delete them from Foxy clients? No, they would be distributed among Foxy clients.

Is Foxy the only way to leak?
Loss of USB hard disk
Loss of notebook PC
Compromised PC
FTP upload
Visiting malicious web sites
Sending out by email
Bluetooth of your smart phone (SMS, email)

Social Networking

Using Facebook - a little too social?
50% of employers blocked internal access to Facebook: productivity, security
66% of workers worried their colleagues gave too much information away: identity theft, targeted phishing
Facebook best practice: http://www.sophos.com/security/best-practice/facebook.html

Facebook Privacy Setting

Clickjacking attacks on the Facebook Like plugin
Get a user to click on a hidden link and go to a malicious web site
A Like button: the button follows the mouse, no matter where you click on the web page
Posting a message on your profile saying that you like this malicious site
Your friends may follow
Facebook users, be especially careful of all links.
http://isc.incidents.org/diary.html?storyid=8893
NoScript for Firefox should protect from this!

Let's QQ ..
Risk
Virus (does not go through the email server with antivirus gateway); a good, updated AV at the user PC is the last defence
Messages in plain text (in transit and storage)
Files could be sent without control/record

Do you Tweet?
In January 2009, a phishing scam tricked many Twitter users into revealing their usernames and passwords. Users were sent a teaser that said something like "funny blog about you." When they clicked on the attached link users were diverted to a fake sign-in site where they filled in their username and password. The phishing site then used that information to send spam to followers.

Backup & Imaging

Hard Disk Fails very often!
Can't boot -> Panic!
Data corrupted -> Loss of Data
Days to reinstall -> Loss of Productivity
Replace with a new one within every 3 years

Site Loss ... Could Your Firm Recover?

[R] Backup - Data
Recommend Genie Backup Manager Pro
Should: Weekly Full Data Backup; Daily Differential Backup; Monthly Restore Test
Backup should be encrypted
2 copies of backup: On site, Off site
http://www.genie-soft.com/Business/genie_backup_manager_Pro/Default.aspx

[R] Imaging System Recovery
Recommend Paragon Hard Disk Manager Pro
Should: back up the bootable partition every month (before applying patches every 2nd Tuesday) to an external hard disk (stored in a safe place, e.g. a safe)
Create a bootable CD using the HD Manager Pro, just in case.
http://www.paragon-software.com/home/hdm-professional/

[R] Sample Policy, Guidelines - Backup
Policy: Back-up copies of information and software should be taken and tested regularly in accordance with the agreed backup policy.
Guidelines:
a) the necessary level of back-up information should be defined;
b) accurate and complete records of the back-up copies and documented restoration procedures should be produced;
c) the extent (e.g. full or differential backup) and frequency of backups should reflect the business requirements of the organization, the security requirements of the information involved, and the criticality of the information to the continued operation of the organization;
d) the back-ups should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site;
e) back-up information should be given an appropriate level of physical and environmental protection consistent with the standards applied at the main site; the controls applied to media at the main site should be extended to cover the back-up site;
f) back-up media should be regularly tested to ensure that they can be relied upon for emergency use when necessary;
g) restoration procedures should be regularly checked and tested to ensure that they are effective and that they can be completed within the time allotted in the operational procedures for recovery;
h) in situations where confidentiality is of importance, back-ups should be protected by means of encryption.
ISO 27001:2005 and ISO 17799:2005
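Guideline items (b), (f) and (g), together with the monthly restore test recommended earlier, can be made mechanical: record what the backup contains, then compare every restored file against that record. The Python script below is an added example written for this page; it is not code from the seminar, from Genie Backup Manager or from Paragon. It builds a SHA-256 manifest of a backup set and checks a restored copy against it, reporting files that are missing, corrupted or unexpected. The folder names and file contents are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large backup sets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Guideline (b): an accurate and complete record of what the backup contains.

    Maps each file's path relative to `root` (with '/' separators) to its SHA-256.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Guidelines (f)/(g): a restore test comparing the restored tree with the manifest."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {
        "ok": not (missing or unexpected or corrupted),
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Constructed scenario: a two-file client folder, one clean and one damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "clients"
        (src / "matter-001").mkdir(parents=True)
        (src / "matter-001" / "brief.txt").write_text("constructed sample brief\n")
        (src / "retainer.txt").write_text("constructed sample retainer\n")

        # The manifest is written as JSON so it can be stored alongside the backup media.
        manifest_path = Path(tmp) / "backup-manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(src), indent=2, sort_keys=True))
        manifest = json.loads(manifest_path.read_text())

        # Clean restore test: the source tree matches its own manifest.
        clean = verify_restore(manifest, src)

        # Damaged restore: brief.txt altered, retainer.txt missing, a stray notes.txt present.
        bad = Path(tmp) / "restored"
        (bad / "matter-001").mkdir(parents=True)
        (bad / "matter-001" / "brief.txt").write_text("constructed sample brief (altered)\n")
        (bad / "notes.txt").write_text("not part of the backup\n")
        damaged = verify_restore(manifest, bad)

        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest with the off-site copy as well as the on-site one: a manifest that lives only on the disk being restored cannot tell you whether that disk is the one that failed.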

A break of 15 minutes

Physical Security

Practice and Procedure [AL]
Recommended Practice and Procedure
1. Hardware security
2. Physical security

Hardware Security #1 [AL]
Hardware generally refers to monitor, mouse, keyboard, printer and computer, but it is the storage media (hard disk, USB, CD/DVD disc, SSD) where information is stored, most commonly the hard disk because of its relatively fast read/write speed and large storage capacity. So for the purpose of this discussion, let's confine "hardware" to the hard disk.
Short term absence (e.g. toilet break): screen-lock the computer by pressing the Ctrl-Alt-Del keys together. Of course, make sure you have your Windows user password assigned in the first place!
Medium term absence (e.g. lunch break): close all the data files, exit applications (e.g. MS Word, IE), log off from the network connecting to the data server (if any); ideally detach the physical network cable as well.
Office day end: ensure MS Windows is COMPLETELY shut down, with the computer power off. Note these messages, which are often ignored by the departing user:
"Windows fails to shut down, there are print jobs pending."
"Are you sure to shut down Windows? There are applications running."

Hardware Security #2 [AL]
Enable the computer's BIOS password: assign Supervisor and User(s) passwords
Enable hard disk activation password
Enable MS Windows user password
Enable network user password
Enable hard disk volume encryption
Enable fingerprint recognition security, likewise Trusted Platform Module if available
Enable face-recognition security

Hardware Security #3 [AL]
For lawyers travelling with a notebook computer: keep the computer in the airplane cabin
Do not leave the computer in the hotel room, not even in the mini-safe
Sleep with the notebook (physically next to you); run with it in case of emergency
Most ideally, enable the hard disk activation password AND store data in a hard disk with an automatic encryption feature, so that only encrypted files are exposed to intruders (check availability of such features before you buy a computer or mobile hard disk).
BitLocker hard disk encryption comes as a standard feature with Windows 7 Ultimate; otherwise add third-party encryption software such as BigLock

Physical Security [AL]
Lock your office door at day end
Apply a Kensington lock to hardware containing confidential data, particularly notebook computers / data servers
Install surveillance cameras in the office as a deterrence control
Server room protected with a tempered-glass cabinet, with automatic siren and reporting facility to the police

Duty of Confidentiality

Duty of confidentiality
Duty within the contractual retainer
Matter of professional conduct
Unauthorised disclosure could lead to a civil claim for breach of confidence and disciplinary action
Continues beyond the end of the retainer and the death of the client

Confidentiality (Guide Chapter 8.01)
All client information is confidential unless the client authorizes or waives disclosure, expressly or impliedly;
Required by law
Exceptional circumstances: serious bodily harm
Exceptional circumstances involving a child

Commentary
#1 This duty extends to the solicitor's staff, whether admitted or unadmitted, and it is the responsibility of the solicitor to ensure compliance.
#5 Unauthorised disclosure of clients' confidences could lead to disciplinary proceedings against a solicitor and could also render a solicitor liable, in certain circumstances, to a civil action by the client arising out of the misuse of confidential information.

Commentary (cont'd)
#18 Problems with confidentiality can arise where a solicitor or firm shares office services provided by independent contractors (such as computers, equipment or typing services) with another person or business. A solicitor should only make use of these where strict confidentiality of client matters can be ensured: see Practice Direction D 5.
#30 Where disclosure has taken place a solicitor should inform his client promptly that he has done so.

Complaints against law firms for breach of personal data privacy
failing to enclose legal documents in sealed envelopes;
failing to properly mark the envelopes (e.g. "Private and Confidential");
leaving legal documents in common areas or giving them to unrelated parties;
sending legal documents to outdated or wrong addresses when the correct address could be ascertained;
producing copies of the legal documents to a receptionist for the purpose of obtaining acknowledgment of receipt.

Data Protection Principle
The complaints raise serious concerns over the security of sensitive personal data usually found in those legal documents. The requirements of Data Protection Principle 4 ("DPP4") in Schedule 1 to the Personal Data (Privacy) Ordinance ("the Ordinance") are of particular relevance. DPP4 provides that:-

DPP4
"All practicable steps shall be taken to ensure that personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user are protected against unauthorized or accidental access, processing, erasure or other use having particular regard to -
the kind of data and the harm that could result if any of those things should occur;
the physical location where the data are stored;
any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data are stored;
any measures taken for ensuring the integrity, prudence and competence of persons having access to the data, and
any measures taken for ensuring the secure transmission of the data." (emphasis added)
Here, "practicable" means "reasonably practicable" as defined in section 2 of the Ordinance.

Practical Steps
Practicable steps should include:
delivering documents in a sealed envelope marked "Private & Confidential" and, where appropriate, "To be Opened by Addressee Only";
avoiding leaving documents in common areas or places where any passerby may have access;
avoiding leaving documents with unrelated parties such as neighbours or caretakers;
ensuring correctness of the address for service;
not disclosing contents of documents to unrelated parties for the sake of getting an acknowledgement of receipt of the document.

Solicitors' firm being sued
(Chinese text not reproduced in this transcript; surviving words: Foxy, ABC)

Law Society
(Chinese text not reproduced in this transcript; surviving word: Foxy)

MSN
(Chinese text not reproduced in this transcript; surviving words: MSN, facebook, email)

IT Security Policy

Security is an antivirus issue only?
1. Do you allow your staff to use Foxy at office / at home?
2. Do you allow your staff to take home documents for work?
3. Do you control what software could be installed at office / at home?
4. What if the USB flash disk is left in a taxi?

[R] What should be done?
Data Classification (HKSARG Security Regulation): TOP SECRET, SECRET, CONFIDENTIAL, RESTRICTED
Handling classified information

Handling Confidential (e)Information
Encrypted when: transported over an untrusted network; stored as a file
Risks: lost or forgotten passwords

[R] File Encryption
File encryption: symmetric encryption (the password should be known to each other)
Software: e.g. Winzip, Winrar, PowerArchiver, Adobe Acrobat Professional (not Acrobat Reader)
Problems: too many passwords; different passwords for each file? each client?

[R] Email encryption
PKI (Hong Kong Post e-Cert): install in your email software
PGP software (freeware available)
Problem: not commonly used among HK lawyers & clients

Loss of USB Flash or Hard Disk

[R] Drive Encryption - TrueCrypt
If you really need to take CONFIDENTIAL information away from the office: get authorization
Use company-provided USB devices
Encrypt a drive (USB flash drive) or a directory: TRUECRYPT (freeware)
Return the USB device after use.
http://www.truecrypt.org/downloads

[R] Use Winzip for File Encryption
1. Password pre-agreed with the recipient(s)
2. Password saved in a file in the project directory

[R] Sample Policy: Data Classification
Policy: Information should be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization.
Policy: An appropriate set of procedures for information labeling and handling should be developed and implemented in accordance with the classification scheme adopted by the organization.
ISO 27001:2005 and ISO 17799:2005

[R] Information Disposal
All classified data must be erased or destroyed (not just deleted) before the media are reused or disposed of.
Data Destruction
Paper: shred
CD: degauss
Hard disk: erase 3 times

[R] Data Destruction
Delete data => stored in the Trash Bin
Trash Bin > Right Click > Clean up => removes the index in the operating system
Data is still on the hard disk and could be recovered easily.
Recommend: Paragon HD Manager Pro > Wipe free space, partition or entire disk (takes a long time)
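To make the slide's point concrete (a delete only removes the index; "erase 3 times" means overwriting the bytes themselves), here is an added Python example written for this page; it is not part of the seminar and not Paragon's software. It overwrites a file in place with random data for the requested number of passes, syncs each pass to the device, and only then unlinks the file. The demo writes a constructed CONFIDENTIAL marker and checks that the marker can no longer be read from the file before the name is removed.

```python
import os
import secrets
import tempfile
from pathlib import Path


def overwrite_in_place(path: Path, passes: int = 3, chunk_size: int = 65536) -> int:
    """Overwrite every byte of `path` with random data `passes` times.

    Each pass is flushed and fsync'd so it reaches the device rather than only
    the OS page cache. Returns the file size (bytes overwritten per pass).
    """
    size = path.stat().st_size
    with path.open("r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def shred(path: Path, passes: int = 3) -> int:
    """The slide's 'erase 3 times': overwrite the contents, then remove the directory entry."""
    size = overwrite_in_place(path, passes)
    path.unlink()
    return size


def demo() -> dict:
    """Constructed scenario: a record file carrying a recognisable CONFIDENTIAL marker.

    Shows that after overwriting (but before unlinking) the marker is gone from
    the file, that the size is unchanged, and that shred() also removes the name.
    """
    marker = b"CONFIDENTIAL: constructed client record 0001\n"
    with tempfile.TemporaryDirectory() as tmp:
        record = Path(tmp) / "record.txt"
        record.write_bytes(marker * 100)
        original_size = record.stat().st_size

        overwritten = overwrite_in_place(record, passes=3)
        marker_gone = marker not in record.read_bytes()
        size_unchanged = overwritten == original_size == record.stat().st_size

        shred(record, passes=1)
        return {
            "marker_gone": marker_gone,
            "size_unchanged": size_unchanged,
            "deleted": not record.exists(),
        }


if __name__ == "__main__":
    print(demo())
```

In-place overwriting only reaches the blocks the file currently occupies. On SSDs (wear levelling), on copy-on-write or journaling filesystems, and wherever earlier copies exist (temporary files, Recycle Bin copies, older versions), the old blocks stay behind, which is why the slide's recommendation to wipe free space or the whole partition, and the earlier slides' recommendation of drive encryption (TrueCrypt, BitLocker), are the more dependable controls.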

Digital Copy Machine, a Security Risk?
"Modern" digital copy machines, those sold after 2002, contain a hard drive.
These hard drives store the images copied.
Machines are traded in for new models and then refurbished and resold.
http://isc.incidents.org/diary.html?storyid=9010
http://www.cbsnews.com/video/watch/?id=6412572n

  • HK Academy of LAW - Seminar -Information Leakage

    2010-06-26

    Doctor A Security (r) All rights reserved (c) 2010 39

    2010-06-26 Doctor A Security (r) Copyright (c) 2010 77

    Doctor ASecurity

    Sample Policy: Data Disposal

    Policy

    All items of equipment containing storage media should be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.

    Guidelines

    1. Devices containing sensitive information should be physically destroyed, or the information should be destroyed, deleted or overwritten using techniques that make the original information non-retrievable, rather than using the standard delete or format function.

    2. Damaged devices containing sensitive data may require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded.

    3. Information can be compromised through careless disposal or re-use of equipment.


    Is Data Security everything?

    Areas of information security management (the ISO 27001:2005 control domains):

    Information security policy
    Organization of information security
    Asset management: Information classification
    Human resource security
    Physical and environmental security: Secure areas, Equipment security
    Communications and operations management: Backup & restore, Media handling
    Access control
    Information systems acquisition, development and maintenance: Cryptographic controls
    Information security incident management
    Business continuity management

    (Pie chart on the slide) Management 45%, Operational 40%, Technical 15%


    Risk Management

    ISO 31000:2005


    What is Security?

    Freedom from risk or danger

    http://www.thefreedictionary.com/security


    What is Risk?

    (The slide shows three example risks placed on a Low / Medium / High scale against the risk levels management is prepared to accept.)

    Risk #1 (e.g. information leakage)
    Risk #2 (e.g. pandemic)
    Risk #3 (e.g. system failures)

    Management Acceptable Risk Levels (Risk Criteria / Risk appetite)

    Risk level is a combination of Impact and Likelihood.

    Risk treatment for Primary Risk #2: Additional Security Control, e.g. ISO27001-A.10.3 (higher priority)

    Risk treatment for Primary Risk #3: Additional Security Control, e.g. Cobit 4-1 xxx (medium priority)

    The risk management process [ISO/DIS 31000]:

    [1] Identify Risk
    [2] Risk Analysis determines Risk Levels
    [3] Risk Assessment evaluates Risk Levels vs Risk Criteria
    [4] Risk Treatment reduces risks to Acceptable Risk Level(s)


    Risk Assessment Examples

    (Reconstructed from the slide's table. The three columns are the three sample risks [1], [2] and [3]; the rows are grouped into the bands Risk Analysis, Risk Assessment and Risk Treatment.)

    Risk Analysis

    Risk:
    [1] Password for email account was cracked
    [2] Clicking malicious url in spam email and PC compromised by virus
    [3] Loss of site due to Fire Event

    Existing Vulnerability:
    [1] Password was easy to be cracked
    [2] Antivirus software cannot prevent all virus
    [3] No Business Continuity Arrangement

    Existing Preventive Controls:
    [1] [2] Antivirus software, Personal Firewall
    [3] Fire sprinklers, No smoking within office building

    Existing Detective Controls:
    [1] [2] Antivirus software, Personal Firewall
    [3] Fire alarm

    Likelihood: [1] Medium, [2] High, [3] Low

    Consequence:
    [1] High: Unauthorized disclosure of CONFIDENTIAL information in the email system
    [2] High: Unauthorized disclosure of CONFIDENTIAL information in the PC
    [3] High: Loss of business

    Risk Level (Likelihood + Consequence): [1] High, [2] High, [3] Medium

    Risk Assessment

    Risk Criteria (< Medium): [1] Medium, [2] Medium, [3] Medium

    Additional Risk Treatment?: [1] Yes, [2] Yes, [3] Yes

    Risk Treatment

    Additional Security Controls:
    [1] 1) Use complex passwords 2) Change passwords every 3 months
    [2] 1) Read email in plaintext 2) Ignore spam 3) Security awareness training
    [3] Business Continuity Arrangement: documents scanned, information backup, alternative site


    Sample Policy: Risk Assessment

    POLICY

    Define the risk assessment approach of the organization. Identify a risk assessment methodology that is suited to the Organization, and the identified business information security, legal and regulatory requirements.

    Develop criteria for accepting risks and identify the acceptable levels of risk.

    POLICY

    Identify the risks.

    1. Identify the assets within the scope, and the owners of these assets.

    2. Identify the threats to those assets.

    3. Identify the vulnerabilities that might be exploited by the threats.

    4. Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.


    Summary

    1. Use Encryption for Confidential Information

    2. Use a Safer Browser - Firefox

    Enable NoScript (to prevent scripts from untrusted sites from running)

    3. Read email in plaintext (not in HTML)

    All URLs will be shown in full

    4. Click, with care


    Contact us

    Andrew LAW

    [AL @ TechLaw.com.hk ] [Tel: 3104-0311]

    Norman PAN [npan @ drasecurity.com] [Tel: 2342-4991]

    For professional business correspondence, thank you!


    Questions?

    Thank You


    Recommended Reading (management):

    1. Data Theft by Hugo Cornwall, ISBN 0-434-90265-9

    2. The Art of Intrusion by Kevin D Mitnick and William L Simon, ISBN 0764569597

    3. Risk Management Solutions for Sarbanes-Oxley Section 406 IT Compliance by John S Quarterman, ISBN 0-7645-9839-2

    4. Security Controls for Sarbanes-Oxley Section 404 IT Compliance, Authorization, Authentication and Access by Dennis C Brewer, ISBN 0-7645-9838-4

    5. International IT Governance by Calder & Watkins, ISBN 0-7494-4748-6

    6. Information Security Management System ISO27001:2005

    7. Risk Management Principles and guidelines on implementation [ISO/DIS 31000]


    Recommended Reading (technical):

    1. Computer and Intrusion Forensics, ISBN 1-58053-369-8

    2. Google Hacks by Tara Calishain, ISBN 0596008570

    1. IT Security Guidelines

    http://www.ogcio.gov.hk/eng/prodev/download/g3_pub.pdf

    2. NIST Special Publication Computer Security

    http://csrc.nist.gov/publications/PubsSPs.html