Data Leaks For Dummies - Wiley
Index

•A•
access cards, 168
access control
  archive protection, 257–258
  comprehensive remediation, 245–248
  implementing, 54
  IT security, 116
  NAC, 243–245
  overview, 239–240
  protection of classified content, 237
  role-based, 273
  self-auditing, 63
  tightening, 240–243
acquisition, data, 207
acquisitions and mergers (M&A), 44, 94, 171, 236, 328
add-ons, browser, 262
address bar, 384
Administrative standard, HIPAA, 51
administrator access, 130, 340
administrator password, 192, 284
administrator privileges, 159
advertising, 357
adware, 111, 386
agentless technology, 143
agents
  defined, 143
  mail-transfer, 200
  NAC, 247–248
  self-enforcement, 242
“allow” and “deny” functionality, 159
anomaly detection, IDS, 225–226
answering machines, 287
anti-adware software, 386
anti-malware software, 129, 157, 159, 176, 385
anti-phishing filter, 135, 385
anti-spam software, 135, 183, 188
anti-spyware software, 188, 386
anti-threat technology, evolution of, 114–117
anti-virus software
  archive protection, 257
  effectiveness of, 180, 224
  endpoint security, 134
  overview, 115
  spear phishing, 188
  updating, 129, 157, 159, 176, 385
appliances, inline encryption, 255
applications
  analyzing access, 361–362
  data corruption, 267–270
  data integrity
    Open Source software, 272–273
    overview, 271
    periodic review of, 274–275
    testing, 273
  identification of, 63
  malicious code targeted at, 18
  management of, 219
  monitoring, 41
  SaaS, 275–277
  Web
    Internet browsers, 261–265
    overview, 259
    SQL injection attacks, 260–261
archiving data
  data classification, 208
  identifying risk, 256–257
  overview, 331
  protecting corporate memory, 257–258
ARP poisoning, 243
asset management, 157, 219
Atom Flash Drive, 140–141
at-risk data
  bank data, 92
  corporate data, 33, 94–95
  credit cards, 92
at-risk data (continued)
  customer communication, 93–94
  customer data, 32–33, 95
  customer-loyalty cards, 92–93
  data at rest, 31
  data in motion, 31–32
  e-mail, 93–94
  finding
    derivatives, 35
    matching data to locations, 35–37
    obvious locations, 34–35
    overview, 33
  health and welfare information, 94
  overview, 91
  zippering, 96
auction account information, 100–101
audit logs, 270, 365
audits
  automating, 64–65
  backup tape, 253
  benefits of, 62–63
  compliance technology requirements, 62
  fees, 68
  for governance, 332–333
  information-security, 338–339
  overview, 61–63
  regularity of, 41
  self-audits, 62–64
  tools for, 135
authorization control
  comprehensive remediation, 245–248
  NAC, 243–245
  overview, 239–240
  tightening, 240–243
automatic address-search function, 204
automatic code checkers, 271
automatic data-loss prevention system, 212
automatic form-filler application, 129
automatic system control, 184
automating audits, 64–65
Availability, CIA model, 88
availability risks, IT, 21
awareness program
  culture, 324
  ongoing, 323
  security training, 322–323

•B•
backdooring, 130, 163, 272–273
background checks, contractor, 309–310
backup
  disk-based, 254
  hardware encryption, 254–256
  overview, 251–252
  process for, 320
  protection of, 231
  SIS, 331
  tape-based
    destroying, 281
    encryption, 255
    environment, 253
    overview, 32, 251–253
bandwidth, 356
bank data, 92, 100, 105
banking
  dangers of online, 121
  passwords, 384
  regulation, 52–53
Basel II Accord, 52–53
BC (business continuity), 321
behavioral analysis, 261, 362–364
BIOS password, 150
black market, 37–38, 112
blackmail, 38
blind trust, 380
blocked e-mail, 202
blocking USB devices, 135, 144
blogs, 16, 95
bluebugging, 163
bluejacking, 163
bluesnarfing, 163
Bluetooth
  overview, 161
  solutions for, 162
  turning off, 193
  vulnerabilities, 162–163, 289
boot order, 150
boot-image control, 228
botnet, 111–112
bots, 111, 130, 231
brand damage, 69, 79, 103
briefing sessions, press, 354
bulk sale of information, 102
business continuity (BC), 321
business operation procedures, 358
business record, 11
business social-networking sites, 369–370

•C•
cached certificates, 126
caching, 233
calendars, 155
cameras, 288
Canadian regulation, 55
Capability Maturity Model Integration (CMMI), 318–319
cardholder data protection, 54
Cardtrp threat, 155
CD-ROMs
  destroying, 281
  encrypting data to and sending, 303
  free, 141, 170–171, 174
  overview, 32
cellular phones. See mobile phones
central management, 229
centralized backup, 230
CEO (Chief Executive Officer), 353
certificates, 126
Chief Information Officer (CIO), 24, 326, 353
Chief Information Risk Officer (CIRO), 24, 326, 353
Chief Information Security Officer (CISO), 24, 326, 353
CIA model, 87–88
CIO (Chief Information Officer), 24, 326, 353
CIRO (Chief Information Risk Officer), 24, 326, 353
CISO (Chief Information Security Officer), 24, 326, 353
cleaners, 130, 310
cleaning data, 147
clickjacking, 264
CMMI (Capability Maturity Model Integration), 318–319
COBIT (Control Objectives for Information and related Technology), 317
code, software, 268
code checkers, automatic, 271
code reviews, 261, 274–275
company information, 33, 94–95
compensation, customer, 68
competitors, 99
compliance
  audits
    automating, 64–65
    compliance technology requirements, 62
    overview, 61–63
    self-audits, 63–64
  DLM/ILM as aid to, 208–209
  documenting, 169
  full disclosure, 48–49
  good governance, 58–61
  risks, 21
compression, 255
conferences, 170–171, 288, 293
Confidential classification level, 366
confidential data, 74, 142–143
Confidentiality, CIA model, 87
connectivity, 156, 159
consent, data subject, 57
consistency, 329
consultants, 130, 339
contact details, posting, 369
content filtering, 116, 135
content management, 223
content-aware discovery technology, 160
content-based encryption policies, 145–146, 236
content-classification software, 91
content-matching technology, 236–237
context, data, 29, 31
Continual service improvement, ITIL, 315
contractors, 130, 309–310
contracts, 57
Control Compliance Suite, 332
Control Objectives for Information and related Technology (COBIT), 317
cookies, 265
copying data, 35, 237
corporate data, 33, 94–95
corporate firewall, 226
corporate network connections
  choosing, 134
  thin-client technology, 132
  virtualizing clients, 133
  VPNs, 131–132
costs
  of downtime, 89
  of response, 68
counterfeit credit cards, 75
covert monitoring, 41
CRCs (Cyclic Redundancy Checks), 269
credit-card data, 92, 100, 105
credit checks, 103
credit monitoring, 68
critical system protection (CSP), 227
crosscut shredder, 294
cross-site scripting, 262–264
CSP (critical system protection), 227
customer access, 339
customer churn, 69
customer communication, 93–94
customer compensation, 68
customer data, 32–33, 95, 103, 160
customer lists, 105
customer notification, 351
customer support, 355–356, 357
customer-loyalty cards, 92–93
customer-support call centers, 47
cut-and-paste, 129
cyber-cafés, 169, 172–173
cyber-crime
  clickjacking, 264
  controlling, 76–77
  data corruption, 364–365
  DDoS attacks, 231
  dumpster diving, 309
  e-mail scams, 93
  flooding, 232
  law enforcement, 76
  overview, 17–19, 71–75
  piggybacking, 308–309
  session poisoning, 265
  smurf attacks, 232
  social-engineering attacks, 308
  spear phishing, 187–188
  SQL injection attacks, 260–261
  targeting corporate information, 42
  use of data, 37–38
  XSS attacks, 262–264
  zippering, 96
cyber-criminals
  evolution of, 112–113
  mentality of, 113
  monetary value of data to
    availability of data, 101–102
    finding data on Web, 102–104
    over lifetime, 104–105
    overview, 99
    popular data, 100–101
  overview, 10–11
  priorities of, 117
Cyclic Redundancy Checks (CRCs), 269

•D•
damage limitation, 350
data acquisition, 207
data at rest
  NAC, 244–245
  overview, 31
data breaches
  regulations for, 50
  sources of, 73–74
data center
  data availability, 224–225
  DoS attacks, 231–234
  encryption
    content-based, 236
    difficulty of, 235–236
    managing digital rights, 237–238
    overview, 234
  outsiders in, 339
  overview, 217–218
  protecting server infrastructure
    centralized backup, 230
    CSP, 227
    endpoints, 228–230
    overview, 226–227
    servers, 228–230
    thin-client technology, 228–230
  unstructured data files, 218–221
data classification
  consistent, 211–212
  DLM/ILM, 206–210
  good governance, 59
  overview, 205–206
data corruption
  guarding against, 268–269
  malicious, 364–365
  overview, 267–268
  performance, 269–270
data deduplication, 222
data feed checks, 269
data in motion
  NAC, 244
  overview, 31–32
  protecting, 377
data integrity
  Open Source software, 272–273
  overview, 271
  periodic review of, 274–275
  testing, 273
data loss. See also at-risk data; cyber-crime
  comprehensive approach to counteracting
    evaluating risk, 78
    overview, 77–78
    prospect of fines, 80
    protecting IT, 81–82
    risk of jail time, 80–81
    understanding damage to reputation, 79
  factors involved in
    cyber-crime, 17–19
    e-commerce, 12–14
    gadgets, loss of, 10–11
    ignorance, 19–20, 381
    information management, 15
    messaging boom, 11–12
    storage capacity, 14–15
    Web 2.0, 16–17
  full disclosure, 71–72
  hardware disposal
    destroying electronic data, 281–283
    overview, 279–280
    system repair, 283–284
    without losing data, 283
  holistic perspective of, 25–27
  identifying data sources
    answering machines, 287
    conference calls, 288
    digital cameras, 288
    e-mail archives, 284–285
    facsimiles, 286
    miscellaneous, 289–290
    photocopiers, 286–287
    printers, 286–287
    remote access, 288–289
    SMS, 285
    VoIP, 287
    Webcasts, 288
  overview, 9–10, 349–350
  people who cause, 37–42
  rethinking data security
    considering options, 85
    monetary value of data, 83–85
    overview, 82–83
    responsibility, 85–86
  risks and consequences of
    direct losses, 67–68
    electronic records, 23–24
    indirect losses, 68–69
    IT risk, 20–23
    total cost, 70–71
  secrecy about, 379
  steps to take in event of
    media, 353–354
    mobilization, 352–353
    ongoing project, 354–358
    plan creation, 350–352
  treating as disaster, 321–322
Data Protection Act 1998 — U.K., 43
Data Protection Directive 1995 — E.U., 43–44
data retention, 206–207, 210, 223
data security
  considering options for, 85
  data classification
    consistent, 211–212
    DLM/ILM, 206–210
    overview, 205–206
  e-mail
    endpoint security, 183–186
    evolving threats from, 182–183
    overview, 181–182
  hardware appliances, 193–194
  messaging systems
    instant messaging, 202–203
    overview, 197–199
    protecting e-mail, 199–200
    Web-based e-mail, 200–202
    the wrong Dave, 203–205
  monetary value of data, 83–85
  overview, 82–83, 179–181, 195–196
  policies for, 59, 83, 138
  protecting intellectual property, 196
  recognizing potential security holes, 212–215
  responsibility, 85–86
  spear phishing, 187–189
  wireless security, 190–193
data segregation, 344
databases
  bank-account details, 92
  credit-card data, 92
  encryption of, 235
  extracts, 270
  restricting access to fields in, 365
  storage of data on, 34
data-breach notification laws, 58
data-discovery technology, 143–144
data-feed checking, 273
data-flow diagramming, 296–297
data/information lifecycle management (DLM/ILM), 206–210
data-loss crisis team
  creating, 326–327
  tasks for, 327
data-loss prevention (DLP), 25–26, 60, 144–145, 196
data-matching technology, 236
data-protection laws, 43–44
data-source checking, 273
date of birth, posting, 369
DDoS (distributed DoS) attack, 231
Defined level, CMM, 318
deleting data, 147, 213, 331–332
denial-of-service attack. See DoS attack
Deskstar drive, 140
desktop virtualization, 228
destroying electronic data, 281–283
destructive viruses, 111
device-control technology, 116
devices. See also laptops; mobile phones; PDAs; USB devices
  loss of, 10–11
  management of, 219
  risk factors, 90–91
DHCP (Dynamic Host-Configuration Protocol), 193
DHCP Enforcer, 242–243
digital cameras, 288
digital rights, managing, 237–238
direct losses, 67–68
Directive on the Protection of Personal Data, E.U., 58
disaster recovery (DR), 157, 321
discover phase, NAC, 245–246
discovery
  monitoring and enforcement policies, 144–145
  moving on from, 329–330
  overview, 59, 327–328
  technology for, 143–144, 160
disk-based backup, 254
disposal of hardware
  destroying electronic data, 281–283
  overview, 279–280
  policy for, 300
  revisiting, 377
  system repair, 283–284
  without losing data, 283
dissolvable agents, 247
distributed DoS (DDoS) attack, 231
distribution lists, 300
DLM/ILM (data/information lifecycle management), 206–210
DLP (data-loss prevention), 25–26, 60, 144–145, 196
DNS (Domain Name System), 232–234
document disposal, 300
document-matching technology, 236–237
Domain Name System (DNS), 232–234
DoS attack (denial-of-service attack)
  flooding, 232
  overview, 231–232
  poisoned DNS, 232–234
downtime, cost of, 89
DR (disaster recovery), 157, 321
drive-by pharming, 191
drops, 101
dumb terminals, 132
dumpster diving, 309
DuPont company, 360
DVDs, 32, 281. See also CD-ROMs
Dynamic Host-Configuration Protocol (DHCP), 193
dynamic IP addresses, 193

•E•
eavesdropping, 312
e-commerce, 12–14
Economist Intelligence Unit, 155
e-crime. See cyber-crime
eDRM (enterprise digital rights management), 125–126, 135, 238
education
  about CD-ROM use, 312
  about cyber-cafés, 174
  about evil twin threat, 172
  about paper disposal, 291
  about phishing, 188
  about USB device use, 312
  about XSS attacks, 264
  of employees, 370–371, 379
  for new hires, 175
education-and-awareness program, 377–378
electronic access card, 168
Electronic Protected Health Information (EPHI), 51
electronic records, 23–24
e-mail
  addresses, 93, 101
  archives, 284–285
  automatic address-search function, 204
  communication via, 93–94
  content-classification software on cellular phones, 91
  data in motion, 31
  database lists, 112
  endpoint security, 183–186
  evolving threats from, 182–183
  importance of, 11
  overview, 181–182
  passwords, 101
  protecting, 199–200
  sensitive data in, 24–25, 171, 300
  storage of data in, 34
  Web-based, 31, 35, 200–202
embedded encryption, 255
employees
  behavior policies, 95, 97
  education of, 370–371, 379
  malicious, 40–41
  notifying
    of data loss, 353
    of threats, 114
  sensitivity of data about, 94
encryption keys, 126, 255
encryption strategies
  for backup tapes, 252
  cardholder data protection, 54
  for CDs, 303
  choosing, 127–128
  for data center
    content-based, 236
    difficulty of, 235–236
    managing digital rights, 237–238
    overview, 234
encryption strategies (continued)
  for data on disks, 270
  for database extracts, 270
  eDRM, 125–126
  file-based encryption, 125
  full-disk encryption, 124–125
  for hardware, 254–256
  hiding data with, 365
  for Hitachi Deskstar drive, 140
  for laptops, 150–151
  for mobile devices, 158–159
  for offsite data, 376
  overview, 123–124
  on Web sites, 265
  for Wi-Fi equipment, 192
endpoint evaluation technologies, NAC, 243
endpoint security
  consolidating, 152
  control of functionality, 159
  e-mail, 183–186
  encryption technologies
    choosing, 127–128
    eDRM, 125–126
    file-based encryption, 125
    full-disk encryption, 124–125
    overview, 123–124
  keyloggers, 128–129
  laptops, 121–123
  network connections, 131–134
  overview, 75
  protecting
    priority, 376
    products for, 134–136
    server infrastructure, 228–230
  risks to, 119–122
  rootkits, 130–131
  virtualization, 167
enforce phase, NAC, 245–246
enforcers, NAC, 243
enhancement requests, 342
enterprise digital rights management (eDRM), 125–126, 135, 238
EPAL (Enterprise Privacy Authorization Language), 61
EPHI (Electronic Protected Health Information), 51
ePrivacy Directive, 50
escape characters, 261
ET software, 151
E.U. Directive on the Protection of Personal Data, 58
European Convention on Human Rights, 56
European regulations, 56
European Union regulations
  common restrictions on processing data, 57
  implications of, 57–58
  overview, 56
“evil twin” threat, 172
exhibitions, 170–171
Extensible Access Control Markup Language (XACML), 61

•F•
facsimiles, 286
family education, 385
FAQs (Frequently Asked Questions), 356
faxes, 286
Federal Trade Commission, U.S., 85
file protection, Windows, 365–366
File Transfer Protocol (FTP), 201
file-based encryption, 125, 135
filtering
  anti-phishing, 135, 385
  content, 116, 135
  USB device, 135
financial data, 92, 94, 100, 103–105
financial privacy, 45, 52
Financial Privacy Rule, 52
financial statements, 104
fines, 67–68
firewall
  attention to, 192
  compared to IDS, 226
  endpoint protection, 135
  hardware, 176
  keylogger prevention, 129
  overview, 115
  protection by, 179–180
FireWire, 289
firmware, 159
flip chart, 292
flooding, 232
fluffing, 281
Formula 1 teams, 360
fraud, 38, 352
free credit monitoring, 47
freebies, 170–171, 174, 311–312
Frequently Asked Questions (FAQs), 356
FTP (File Transfer Protocol), 201
full disclosure
  compliance with, 48–49
  cyber-crime and, 71–72
  overview, 46–48, 50
  regulations, 51–55
full-disk encryption, 124–125, 128, 135
functionality checking, 269, 273

•G•
geography
  location-based access control
    changing policies, 166–167
    merging logical and physical security, 167–169
    overview, 165–166
  risks
    conferences, 170–171
    exhibitions, 170–171
    free USB devices, 170–171, 174
    holiday and vacation infections, 173–174
    Internet cafés, 172
    mergers and acquisitions, 171
    new hires, 175
    overview, 169
    working from home, 175–176
governance
  auditing for, 332–333
  balancing privacy and data protection, 60–61
  data classification, 59
  data-loss prevention solutions, 60
  overview, 58
  record retention and retrieval, 59–60
Governance Risk and Compliance (GRC) policy, 332
government classifications, 366–367
Gramm-Leach-Bliley, 52
GRC (Governance Risk and Compliance) policy, 332

•H•
hacker targets, 74
hard drives, 281, 286–287
hardware encryption
  compression, 255
  encryption keys, 255
  overview, 254–255
  SaaS, 256
hardware firewall, 176
hardware improvements, 210
hardware-recovery software, 151
health and welfare information, 94, 104
Health Insurance Portability and Accountability Act (HIPAA), 51
Her Majesty’s Revenue and Customs (HMRC), 47–48
hiding data
  information sensitivity and access, 366–367
  overview, 365–366
  real-time redaction, 367–368
HIPAA (Health Insurance Portability and Accountability Act), 51
Hitachi Deskstar drive, 140
HMRC (Her Majesty’s Revenue and Customs), 47–48
holiday infections, 173–174
holidays, posting, 369
holistic perspective
  knowledge and control, 25
  mind map, 26–27
  wide approach, 25–26
home network, locking down, 384
Homeland Security Presidential Directive (HSPD-12), 169
host-based IDS, 226
HTTP (Hypertext Transfer Protocol), 201
human-resource data, 94

•I•
icons, used in book, 5–6
identification
  equipment, 168
  individual, 168, 310
identities, sale of, 100
IDS (intrusion-detection system), 116, 135, 225
IDS anomaly detection, 225–226
IDS misuse detection, 225
ignorance, 19–20, 379
ILM (information lifecycle management), 219–220
IM (Instant Messenger), 32, 182
Imation Atom Flash Drive, 140–141
impersonation, 310–311
implicit trust
  analyzing application access, 361–362
  analyzing user behavior, 362–364
  malicious data corruption, 364–365
  overview, 359–361, 379, 381
inactive data, 208
incentive programs, 324
incineration, 282
indirect losses, 68–69
information lifecycle management (ILM), 219–220
information management, 15
Information Rights Management (IRM), 366
information risk management, 218
information technology. See IT
information-protection policy
  auditing for governance, 332–333
  consistency, 329, 381
  data-loss crisis team, 326–327
  discovery, 327–330
  new hires, 175
  overview, 41, 325–326
  reducing data, 331–332
  of third parties, 343
information-security policy, 55, 85–86, 338–339. See also data security
informing customers. See full disclosure
Initial level, CMM, 318
in-line blocking, 243
inline encryption appliances, 255
in-line NAC, 243
insecure business process, 314
insider trading, 104
insiders, malicious, 126
instant messaging, 19, 202–203, 285
Instant Messenger (IM), 32, 182
Integrity, CIA model, 87
intellectual property, 94, 105, 125, 160, 196
internal leakage, 81–82
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27002, 317–318
international regulations
  Canada, 55
  Europe, 56
  European Union, 56–58
  United States, 56
international trading, 65
Internet bandwidth, 356
Internet browsers
  address bar, 384
  clickjacking, 264
  cross-site scripting, 262–264
  overview, 261–262
  plug-ins, 262, 386
  session hijacking, 265
Internet cafés, 169, 172–173
Internet privacy, 45
Internet Relay Chat (IRC), 102
Internet Security Threat Report, 156
Internet-based communication, 32, 35, 182, 202–203. See also e-mail
interview techniques, 298–299
                                                                                    Index   397
intrusion-detection system (IDS), 116, 135, 225
intrusion-prevention system (IPS), 116, 135, 226
investigation fees, 68
iPod, 32
IPS (intrusion-prevention system), 116, 135, 226
IRC (Internet Relay Chat), 102
IRM (Information Rights Management), 366
ISO/IEC (International Organization for Standardization/International Electrotechnical Commission) 27002, 317–318
IT (information technology)
  management of, 210, 219
  security
    basics of, 114–117
    risks, 20–23
    threat landscape, 109–112
IT department, 327, 350, 358
ITIL (IT Infrastructure Library), 314–316

•K•

keylogger software, 121, 310

•L•

LAN 802.1X Enforcer, 243
laptops
  company policy for, 174
  customer data on, 320
  “evil twin” threat, 172
  locking down, 149–152
  loss of, 10, 41–42, 89, 122–123, 170
  overview, 121–122
  personal data on, 383–384
  protecting, 123
  solutions for, 134
  traveling with, 122
  wireless networks, 191
law enforcement, 76
laws. See regulations
lawsuits, 49, 68
legal department, 122, 350
legal hold, 332
legal obligations, 57
legislation. See regulations
lifecycle-management policy, 186
LinkedIn, 370
litigation, 68
live data storage, 331
locking down
  home networks, 384
  laptops, 149–152
  wireless connection points, 176
  wireless routers, 191–193
logical archive protection, 257
logical audits, 41
log-on, 168
logos, corporate, 93
long-term prevention
  information-protection policy
    auditing for governance, 332–333
    consistency, 329
    data-loss crisis team, 326–327
    discovery, 327–330
    overview, 325–326
    reducing data, 331–332
  revisiting decisions about, 333–335

•M•

M&A (mergers and acquisitions), 44, 94, 171, 236, 328
MAC addresses, 192
macro viruses, 111
magnets, 148–149, 282–283
mail management tool, 151
mailers, 101
mail-security services, 188
mail-transfer agent (MTA), 200
malicious hacking, 17
malicious insiders, 40–41, 99, 201, 260–261, 360–362
malware, 113, 174, 263
Managed level, CMM, 318
managerial security issues, 214–215
marketing campaigns, 47
marketing department, 122, 326, 351
massive repositories of structured data (MRSDs), 260
MDM (Mobile Device Management) solutions, 158
media, dealing with
  choosing spokesperson, 353–354
  facts, 354
  frequent updates, 354
medical privacy, 45
mergers and acquisitions (M&A), 44, 94, 171, 236, 328
messaging boom, 11–12
messaging systems. See also e-mail
  instant messaging, 202–203
  overview, 197–199
  the wrong Dave, 203–205
Microsoft Outlook, 204
mind map, 26–27
minnowing, 189
mirroring, 140–141
misuse detection, IDS, 225
mitigating actions, 47
Mobile Device Management (MDM) solutions, 158
mobile phones
  Bluetooth, 161–163
  cameras on, 288
  controlling functionality on, 158–161
  e-mail on, 91
  loss of, 10, 90–91
  overview, 153–154
  protecting, 155–158, 163–164
  risks and benefits of, 154
  SMS, 285
mobile-device security policies, 154
modems, 289–290
monetary value of data
  to criminals
    availability of data, 101–102
    finding data on Web, 102–104
    over lifetime, 104–105
    overview, 99
    popular data, 100–101
  by customer, 84
  by employee time, 84–85
  hourly rate, 84
  identifying at-risk data
    bank data, 92
    corporate data, 94–95
    credit cards, 92
    customer communication, 93–94
    customer data, 95
    customer-loyalty cards, 92–93
    e-mail addresses, 93
    e-mail communication, 93–94
    health and welfare information, 94
    overview, 91
    zippering, 96
  modeling information
    devices, 90–91
    markets, 91
    overview, 87–89
    risk and consequences, 89
  overview, 83–84
  total cost, 97–98
monitor phase, NAC, 245–246
monitoring
  data, 105
  NAC, 243
  networks, 54–55
MORI omnibus survey, 49
MRSDs (massive repositories of structured data), 260
MTA (mail-transfer agent), 200
multiple-user technologies, 16
My Book, 141
MySpace, 11

•N•

NAC (network access control)
  agents, 247–248
  control aspect, 219
  data at rest, 244–245
  data in motion, 244
  endpoint security, 135
  overview, 116, 239–241, 243–244
  PCI DSS standard, 54
nearline storage, 221
negligent data loss, 39–40
network access control. See NAC
network connections
  choosing, 134
  printers, 287
  thin-client technology, 132
  virtualizing clients, 133
  VPNs, 131–132
network intrusion detection, 180
network management, 219
network roaming capabilities, 159
new hires, 175
NIDS (network-based IDS), 226
notepads, 155
notification, customer, 351–352. See also full disclosure
notification letters, 47, 71

•O•

offsite backup storage, 252
offsite shredding, 293
offsite system repair, 283
on-screen keyboards, 129
onsite shredding, 293
onsite system repair, 283
Open Source software, 272–273
Optimized level, CMM, 318
Outlook application, 204
overt system auditing, 41
overwriting data, 281

•P•

P3P (Platform for Privacy Preferences), 61
packet-sniffing programs, 201
paired Bluetooth devices, 162
parallel ports, 289
parameterized statements, 261
parity, 140
partners
  preventing loss by
    data center, 339
    information-security audits, 338–339
    overview, 337–338
    SaaS providers, 339–340
    service oriented architectures, 341
  trust in, 342–345
passive IDS, 226, 245
passwords
  changing for administrator, 192
  eavesdropping for, 312
  encryption, 123–125, 235
  Internet banking, 384
  mobile devices, 154
  overview, 48–49
  protection of, 213
  strength of, 150
  during system repair, 284
  thin-client systems, 132
  usernames, 50
patch management, 156–157, 180
pattern-based data, 237
Pbstealer threat, 155
PCI DSS (Payment Card Industry Data Security Standard), 53–55, 65, 270, 319
PDAs
  Bluetooth, 161–163
  controlling functionality on, 158–161
  overview, 153–154
  protecting, 155–158, 163–164
  risks and benefits of, 154
peer-to-peer enforcement, 242
penetration testing, 188, 311
performance, storage, 210
performance risks, IT, 21
perimeter firewall, 180
perimeter security, 186
persistent agents, 247
personal activities, 45
personal data, 55–58, 213
personal firewall, 115, 135, 180
personally identifiable information (PII), 11, 44
Personal Information Protection and Electronic Documents Act (PIPEDA), 55
pharming, 175–176, 191
phishing
  applications, 112
  context of information, 30
  information used for, 369
  overview, 18, 111, 182–183
  warning customers of, 103
phone lines, 355
phonebooks, 155
photocopiers, 126–127, 286–287
physical addresses, 192
physical audits, 41
physical laptop-security policy, 121–122
Physical standard, HIPAA, 51
pictures, work site, 95, 97, 368–369
piggybacking, 308–309
PII (personally identifiable information), 11, 44
PINs, mobile device, 154
PIPEDA (Personal Information Protection and Electronic Documents Act), 55
piracy, 103
Platform for Privacy Preferences (P3P), 61
Plaxo, 370
Plug and Play gateway appliances, 194
plug-ins, browser, 262
points of failure, 229
poisoned DNS, 232–234
policies
  content-based encryption, 145–146, 236
  data security, 59, 83, 138
  developing, 301
  discovery monitoring and enforcement, 144–145
  e-mail, 201–202
  employee behavior, 95, 97
  encryption-key, 126
  IM, 202–203
  information protection, 175
  informing users about, 186
  mobile device, 121–122, 154, 174
  NAC, 243
  people factor
    interview techniques, 298–299
    overview, 295–296
    work groups, 296–298
  refining, 330
  security, 85–86
  shredding, 293
  storage-security, 148–149
  that put data at risk, 300–304
policy engine, 205
policy-based appliances, 61
political affiliations, 45
Ponemon Institute, 70–71, 74, 290
PR (public relations), 326, 351
pretexting, 52, 311
Pretexting Protection rule, 52
pricing information, 94, 105
printed data
  cleaning up after meetings, 292–293
  overview, 290–291
  revisiting destruction of, 377
  shredding policy, 293–294, 383
  warning signs, 291–292
printers, 286–287
privacy, 45, 51–52, 60–61
Privacy Rule, HIPAA, 51
proactive threat management, 138
product-design documents, 94
project office, 352
proof of care, 77
protection management, 223
proxies, 101
public relations (PR), 326, 351
purging, 147
push technology, 144

•Q•

quarantine, laptop, 151
questions, interview, 298–299
•R•

RAID (Redundant Array of Independent Disks), 140–141
reactive IDS, 226
real-time redaction, 367–368
record retention and retrieval, 59–60
recruiting, cyber-crime, 38
redaction technology, 365
reducing data
  archiving, 331
  deleting, 331–332
  to single instance, 331
Redundant Array of Independent Disks (RAID), 140–141
re-evaluating procedures, 320–321
regulated industry, 65
regulations
  audits, 46–48
  changes in, 333
  DLM, 208–209
  full disclosure
    Basel II Accord, 52–53
    compliance with, 48–49
    cyber-crime and, 71–72
    Gramm-Leach-Bliley, 52
    HIPAA, 51
    overview, 46–48, 50
    PCI DSS, 53–55
  international
    Canada, 55
    Europe, 56
    European Union, 56–58
    United States, 56
  overview, 43–46
  passwords, 48
  relevancy, 65
religious bias, 44
remedial action, 68
remediate phase, NAC, 245–246
remediation workflow, 164
remote access, 288–289
remote administration, 193
remote wipe and kill, 160–161
removable media
  careless use of, 141–142
  destroying data on, 146–149
  evolution of, 139–141
  identifying, 376
  locking down laptops, 149–152
  overview, 137–139
  strategies for dealing with
    content-based encryption policies, 145–146
    discovery monitoring and enforcement policies, 144–145
    overview, 142–144
    USB ports, 144
repair personnel, 130
repairing hardware, 283–284
Repeatable level, CMM, 318
reporting restrictions, 270
reports
  data loss, 76
  database, 35
  incidence, 151
reputation damage, 69, 101
research and development, malware, 113
Restricted classification level, 367
restricted data, 23
restricted partitions, 365
retention management, 223
retention policy, 331–332
right-to-know principle, 47
ring-fence access, 167, 228
risk. See at-risk data; data loss; geography
risk-assessment tool, 25
road apples, 311
road warriors, 122, 131, 134, 165
root access, 130, 284

•S•

SaaS (Software as a Service)
  identifying threats, 276
  overview, 275
SaaS (Software as a Service) (continued)
  preventing loss by third-party providers, 339–340
  securing data from tampering, 276–277
SaaS (Storage as a Service), 256
Safe Harbor program, 56
Safeguards Rule, 52
sales
  bad publicity, 327
  loss of, 68
  malware, 113
  promotions, 357
SB 1386 (U.S. security-breach disclosure law), 72
scanning, wireless network, 190–191
scans, laptop, 151
screen scrapers, 75
scripting, 264
secondary checks, 265
Secret classification level, 366
secure networks, 54
Secure Sockets Layer (SSL) certificate, 234
Secure Sockets Layer (SSL) encryption, 265
securing individual computers, 213
security, data. See data security
security code reviews, 274–275
security management, 219, 223
security policies, 85–86, 186
security reviews, 23
security risks, IT, 21
Security Standards Rule, HIPAA, 51
security-breach disclosure law (SB 1386), U.S., 72
self-audits, 62–64
selling data, 38
sensitive data
  identifying, 375–376, 380
  M&A process, 171
  overview, 366–367
  policies that risk, 300
  types of, 44–45
serial ports, 289
server infrastructure
  centralized backup, 230
  CSP, 227
  endpoints, 228–230
  overview, 226–227
  thin-client computing, 228–230
server management, 219
Service design, ITIL, 315
Service Level Agreement (SLA), 343
Service operation, ITIL, 315
service oriented architectures, 341
service providers, 343–345
Service strategy, ITIL, 315
Service transition, ITIL, 315
services, sharing, 16
session hijacking, 265
session key, 265
settlements, 67–68
sexual orientation, 44
share price, 69
Short Message Service (SMS), 19, 202–203, 285
shredding
  cleaning up after meetings, 292–293
  hard disks, 281
  overview, 147, 290–291
  personal information, 383
  policy for, 293
  revisiting, 377
  shredders, 294
  warning signs, 291–292
signing in, 384
SIS (Single Instance Storage), 331
skip diving, 309
SLA (Service Level Agreement), 343
sleep mode, 128
smishing, 19
SMS (Short Message Service), 19, 202–203, 285
smurf attacks, 232
social networking
  data loss, 371–372
  overview, 368–370
  phishing, 370
social-engineering attacks
  contractors, 309–310
  defined, 18–19, 30, 120
  dumpster diving, 309
  eavesdropping, 312
  freebies, 311–312
  impersonation, 310–311
  piggybacking, 308–309
software
  archive protection, 257
  distribution of, 156–158
  updating, 129, 157, 159, 176, 323, 385
Software as a Service. See SaaS
source code, 94
spam, 18, 42, 109, 182–183
spear phishing
  minnowing, 189
  overview, 187
  shields against, 188
  traffic shaping, 188
  whaling, 189
speech recognition, 129
spim, 182
spokesperson, 353–354
spreadsheets, 35–36
spyware, 111, 151
SQL injection attacks
  overview, 260–261
  preventing, 261
SRM (Storage Resource Management), 25
SSE-CMM (Systems Security Engineering Capability Maturity Model), 318–319
SSID, 192
SSL (Secure Sockets Layer) certificate, 234
SSL (Secure Sockets Layer) encryption, 265
standards
  choosing, 319
  CMMI, 318–319
  COBIT, 317
  ISO/IEC 27002, 317–318
  ITIL, 314–316
  need for, 313–314
  PCI DSS, 319
  SSE-CMM, 318–319
storage
  capacity, 14–15
  management of, 219, 222–223
  performance of, 210
  security policies, 148–149
  of sensitive information, 237
Storage as a Service (SaaS), 256
Storage Resource Management (SRM), 25
strip shredder, 294
striping, 140
structured data, 217
suppliers
  preventing loss by
    data center, 339
    information-security audits, 338–339
    overview, 337–338
    SaaS providers, 339–340
    service oriented architectures, 341
  trust in, 342–345
support, malware, 113
support desks, 355–356
surveillance, 168
suspend mode, 128
Symantec Control Compliance Suite, 332
Symantec Internet Security Threat Report, 156
Symantec MORI omnibus survey, 49
Symantec Vontu Data Loss Prevention software, 329
synchronization, 131
system auditing, 41
system scans, 151
systemic data loss, 39
Systems Security Engineering Capability Maturity Model (SSE-CMM), 318–319

•T•

tailgating, 308–309
tape-based backup
  destroying, 281
  encryption, 255
  environment, 253
  overview, 32, 251–253
TB (terabyte), 139
TCO (total cost of ownership), 210
team building, 350–351
Technical standard, HIPAA, 51
technology changes, 334–335
telephone lines, 355
telephones. See mobile phones
templates, 61
terabyte (TB), 139
test scams, 188
tests, security system, 54–55
text phishing, 19
thin-client technology, 132, 152, 228–230
third-party
  data loss, 337–338
  functionality checking, 273
  trust in, 342–345
threat changes, 334
threat landscape
  evolution of cyber-criminals, 112–113
  mentality of cyber-criminals, 113
  overview, 109–112
throttling, 183, 188
Time to Live property, 233
to-do lists, 155
Top Secret classification level, 366
total cost of ownership (TCO), 210
tracking
  equipment, 168
  individuals, 167
trading, international, 65
traffic shaping, 183, 188
transaction details, 105
transient encryption, 255
types, 261

•U•

U.S. Federal Trade Commission, 85
Unclassified classification level, 367
underground economy, 18, 37–38, 100–101, 112
United Kingdom
  cost per record lost in, 70–71
  criminalization of data loss, 80
  Driving Standards Agency records, 256
  HMRC data, 47–48, 256
  MORI omnibus survey, 49
United States, regulations, 56
Universal Declaration of Human Rights, Article 12, 45
unstructured data files
  content defines value, 220–221
  minimizing number of copies, 221
  overview, 34–35, 218–219
updating
  anti-malware software, 159, 385
  anti-virus software, 129, 157, 159, 176, 385
  security-awareness program, 323
uptime for data, 210
U.S. security-breach disclosure law (SB 1386), 72
USB devices
  careless use of, 141–142
  criminal use of, 128
  destroying data on, 146–149
  evolution of, 139–141
  filtering and blocking of, 135
  free, 170–171, 174, 311–312
  locking down laptops, 149–152
  overview, 137–139
  strategies for dealing with
    content-based encryption policies, 145–146
    discovery monitoring and enforcement policies, 144–145
    overview, 142–144
    USB ports, 144
  use of, 32
  viruses on, 170–171, 174
USB ports, 144
Use Case, 296–297
user behavior, analyzing, 362–364
user error, 27
user privileges, 159
user-level security issues, 212
username, 50

•V•

vacation infections, 173–174
vacations, posting, 369
virtual LANs, 243
virtual machines, 133
virtual private network (VPN), 131–132, 159, 172, 289–290
virtualization, 133, 167, 194, 228, 371–372
viruses
  encryption and, 146
  example of, 120
  on free devices, 170–171
  scanning for on laptops, 151
  threat of, 109–112
vishing, 19
voice phishing, 19
VoIP, 287
Vontu Data Loss Prevention software, 329
VPN (virtual private network), 131–132, 159, 172, 289–290
vulnerability scanner, 116
vulnerability-management program, 54

•W•

wardriving, 175, 191
Waste Electrical and Electronic Equipment (WEEE) Regulations, 280
Web 2.0, 16–17, 371
Web applications. See also applications
  Internet browsers
    clickjacking, 264
    cross-site scripting, 262–264
    overview, 261–262
    plug-ins, 262
    session hijacking, 265
  overview, 259
  SQL injection attacks, 260–261
Web history, 156
Web Service Privacy (WS-Privacy), 61
Web services, 16
Web-based e-mail, 31, 35, 200–202
Webcasts, 288
Web-site checker, 385
WEEE (Waste Electrical and Electronic Equipment) Regulations, 280
Western Digital My Book, 141
whaling, 189
whiteboards, 292
Wi-Fi locators, 191
wikis, 16
Windows file protection, 365–366
wipe-and-kill functionality, 159
wireless LAN (WLAN) transmitter, 191
wireless networks, 151, 169–170, 175, 191, 384
wireless routers, locking down, 191–193
wireless security
  drive-by pharming, 191
  locking down wireless routers, 191–193
  scanning for wireless networks, 190–191
WLAN (wireless LAN) transmitter, 191
work groups, 296–298
working from home, 175–176
worms, 111
wrong Dave, the, 203–205
WS-Privacy (Web Service Privacy), 61

•X•

XACML (Extensible Access Control Markup Language), 61

•Z•

zippering data, 96, 128