Security and PrivacyWomen in Technology

2009Mary Henthorn

Security◦Prevent loss, theft, or inappropriate access

Privacy◦Ensure freedom from intrusion or disturbance

Security Policies Protect Privacy

Security and Privacy

Who’s responsible?

Security and Privacy

Chief Executive Officer Chief Technology Officer Chief Security Officer IT Professional Other Business Mom Everyone

Women in IT

Physical

Logical

There Is No Perimeter

Cameras Logs Monitoring Breach notification letters Data backup tapes RFID

Security May Breach Privacy

Breach laws Freedom of information

$20 Million Settlement on VA Data Theft

State tape with data on 800,000 missing

TV News Crew – and You!

Know your enemies Classify your assets Identify constraints and parameters Assess risks Implement security, develop policies

Repeat!

What’s Your Strategy?

Physical◦Equipment failure◦Natural disaster◦Manmade disaster◦Theft

Logical◦Malware◦Denial of service◦Data corruption

Threats

Physical accessibility Physical weaknesses Location

People

Application weaknesses◦Memory, input, race, privilege, user interface

Inadequate access control

Vulnerabilities

Property◦Dollar value

Systems◦Criticality

Data◦Sensitivity

Classify Assets

Extremely

Critical

Critical

Not Critical

Laws

Regulations

Contracts

Policies

Constraints and Parameters

Violation of law Disclosure of personal information Violation of contracts, regulations, or policy Loss of revenue Misuse of resources Corruption of data Unavailable resources Loss of reputation Criminal or civil liability Loss of trust

Risks

1. Use and update firewalls and anti-virus2. Properly setup and patch OS and applications3. Use appropriate authentication – passwords4. Lock unattended workstations5. Backup data6. Use the Internet with caution7. Be careful with email, social networking8. Review security regularly9. Respond to incidents appropriately10. Recognize security is everyone’s responsibility

Defensive Strategies

Layers of protection

◦Internet access point traffic analysis◦Router firewall◦Desktop firewall

◦Fence and secured gate◦Locked front door◦Locked office door

Defense in Depth

Variety of protection

◦Firewall◦Anti-virus◦Authentication

◦Security cameras◦Locked doors and file cabinets◦Scanners

Defense in Breadth

Be Informed, Stay Alert

Creative Office Security

Computer Emergency Readiness Team◦ www.uscert.gov

National Institute of Standards and Technology◦ www.nist.gov

Identity Theft◦ www.ftc.gov/idtheft

Arkansas Security◦ www.dis.arkansas.gov/security

Resources