5/12/2011
Are You Putting Your Time & Business at Risk?
Safe, Smart Computing for the Financial Professional
Larry J. Keating, CEO, No Panic Computing
Advocis Ottawa Professional Development Day
Ottawa Hellenic Centre, Ottawa, Ontario
May 12, 2011
© 2011 No Panic Computing Inc.
AGENDA
Privacy Regulations
Securing Your Computer and Your Information
Addenda:
Secure Computing Checklist
Computer Security Terms and Definitions
The role, responsibility and liability of a financial professional with a computer is not that of a consumer.
The information you collect, use and become the legal custodian of creates a greater responsibility requiring a much higher standard of care…
Norm Trainor, CEO, The Covenant Group, www.covenantgroup.com
In the News…
“CoreFlood” Botnet taken down by U.S. DOJ
Operating for almost a decade
Virus controlling and keylogging 2.3M computers, feeding 29 command-and-control (C&C) servers
TuCows, Canadian ISP, hosted some of the domains
Fraudulent wire transfer loss examples:
Real estate agency $115,771
Law firm $78,421
Investment services firm $151,201
Individual’s personal acct $90,348
Admin Profile Hack
Brian Shumak, HC Financial Group
The Good News…
Properly implemented, secured and managed, computing is far more productive and secure than paper records ever were…
The Bad News…
More and more of your business, your life, is on your computer. It’s more complicated today than it has ever been to protect your information, your business, your clients… and to be productive.
Poorly managed computing can cause the loss of volumes of critical information in seconds, creating liability and the loss of months or even years of valuable work.
Federal Privacy/Access Legislation
Access to Information Act - provides public access to government information under the control of the Government of Canada
The Privacy Act - protects the privacy of individuals with respect to personal information held by a government institution; provides individuals with a right of access to their information.
PIPEDA - an Act to protect the privacy of individuals with respect to personal information held by the private sector
Privacy Protections That Directly Affect The Financial Professional
PIPEDA: The Personal Information Protection and Electronic Documents Act
Federally legislated law
Requires you to limit, manage and restrict access to all personal information you collect or use that is deemed protected by the Act
Security of employee, client, prospect or research information is no longer a nice-to-have…
Privacy Protections That Directly Affect The Financial Professional
Other Acts of note you may be subject to depending on the nature and geography of your activities or clients:
PIPA - (B.C., AB.) – Personal Information Protection Act (supplants PIPEDA)
Quebec Privacy Act - (PQ) (supplants PIPEDA)
FIPPA - each provincial jurisdiction has its own Freedom of Information and Protection of Privacy Act (Ontario - www.ipc.on.ca)
PHIPA - Alberta, Manitoba, Saskatchewan and Ontario have specific personal health information acts
HIPAA - (U.S.) - Health Insurance Portability and Accountability Act
U.S. State Acts - Numerous state acts of varying degrees of liability and enforcement
The Patriot Act - (U.S.) National Homeland Security
What Is Personal Information?
Name, address and telephone number*
Age, gender, family and marital status
ID numbers (SIN, Drivers License, etc)
Financial and employment information and history
Medical and health information
Education
*when present with any of the other information listed
What Is NOT Personal Information?
“Any data that has been collected in which all personal identifiers have been removed (making determination of identity impossible) is not considered personal information, nor is the name, title, business address or business telephone number* of an employee of an organization.”
* Or email address, when previously published anywhere, including a business card
10 principles form the basis of the Model Code for the Protection of Personal Information (CAN/CSA-Q830-96; published March 1996; reaffirmed 2001).
1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance
Recommendations In the Event of a Data Breach
Ascertain the source of the loss and contain the breach
Advise the affected individuals
Advise the Police if you believe a crime was committed in the loss of the data
Call your lawyer
Advise the Federal and/or Provincial Privacy Commissioners’ Office
OPC Investigations
Individual files a complaint or OPC becomes aware of a situation
Incident File opened, OPC pushes for party-to-party resolution (if resolved or unfounded, no OPC Report issued)
OPC may start an investigation if the matter is serious or the organization (respondent) is inadequately responding
OPC has powers to investigate, including summoning and enforcing appearance, administration of oaths, entering any premises at any reasonable time, and conversing in private with any person in the organization. Penalties apply for blocking an investigation or for influencing or harassing employee witnesses. Whistle-blowing protection is in place.
OPC in some cases of multiple complaints on the same breach or privacy malfeasance may elect to represent (individuals give up right to Federal Court)
OPC issues Report
Complainant takes Report in hand to Federal Court, where orders to comply, penalties, etc., are applied
Disclosure of any offence uncovered is reported to the Attorney General of Canada or applicable Provincial Attorney General
Best questions to start with… from our Federal Privacy Commissioner
What personal information do we collect?
Why do we collect it?
How do we collect it?
What do we use it for?
Where do we keep it?
How is it secured?
Who has access to or uses it?
To whom is it disclosed?
When is it disposed of?
Going, going…gone: Lost notebooks and hacked computers raise call of alarm
So What To Do:
Understand your obligations
Secure your computers
Secure your information
Protect yourself from malware
Backup your data
Securing Your Computer
1. Use a strong password / passphrase
At least 10 characters, preferably 15
Use upper and lower case letters, numbers and symbols – more complex means less vulnerable to a dictionary attack
Password: a word or string of characters, sometimes an acronym: mcsi12 (weak), Spot123#$% (strong)
Passphrase: a memorable sequence of words or phrases: myCATspoti$12!! (very strong)
Change your strong password regularly – every 90-120 days
Eventually any password can be breached, given enough time and computing power…
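The rules above (length, character classes, avoid dictionary words) can be turned into a small checker. The following is an added example, not code from the presentation or from No Panic Computing; the rating thresholds, the tiny COMMON_WORDS list and the fourth sample password are assumptions constructed to mirror the slide's three examples, and the bit figure is the usual upper-bound estimate, which overrates a dictionary word with digits bolted on.

```python
"""Password / passphrase strength estimator (added example, not from the slides).

Thresholds are assumptions chosen to mirror the deck's rules (10+ characters,
preferably 15; mixed character classes). The bit figure is the usual
upper-bound estimate len * log2(pool size); it assumes characters were picked
at random, so a dictionary word plus digits is weaker than its number suggests.
"""
import math
import string

# Each character class and the size it adds to the attacker's search pool.
CHAR_CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),  # 32 symbols
}

# Constructed stand-in for a cracking wordlist (real lists hold millions of entries).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "spot", "cat"}


def classes_used(password: str) -> set[str]:
    """Names of the character classes that appear in the password."""
    return {name for name, (chars, _) in CHAR_CLASSES.items()
            if any(c in chars for c in password)}


def entropy_bits(password: str) -> float:
    """Upper-bound guessing entropy: length * log2(pool size of the classes used)."""
    pool = sum(CHAR_CLASSES[name][1] for name in classes_used(password))
    return len(password) * math.log2(pool) if pool else 0.0


def warnings_for(password: str) -> list[str]:
    """Patterns that make a password easier to guess than its bit count implies."""
    found = []
    letters = "".join(c for c in password if c.isalpha()).lower()
    if letters in COMMON_WORDS:
        found.append(f"letters spell the common word {letters!r}; add unrelated words")
    if len(classes_used(password)) < 4:
        found.append("missing a character class (upper, lower, digit, symbol)")
    if len(password) < 15:
        found.append("under 15 characters; a longer passphrase is easier to remember and stronger")
    return found


def classify(password: str) -> tuple[str, float, list[str]]:
    """Return (rating, bits, warnings). Ratings follow the deck's three examples."""
    bits = entropy_bits(password)
    if len(password) < 10 or bits < 50:
        rating = "weak"
    elif len(password) >= 15 and bits >= 80:
        rating = "very strong"
    else:
        rating = "strong"
    return rating, round(bits, 1), warnings_for(password)


if __name__ == "__main__":
    # The three examples from the slide, plus a constructed one the bit count overrates.
    for pw in ("mcsi12", "Spot123#$%", "myCATspoti$12!!", "Password12345!!"):
        rating, bits, notes = classify(pw)
        print(f"{pw:18} {rating:12} {bits:6.1f} bits  {'; '.join(notes)}")
```

The fourth password rates "very strong" on length and character mix alone, yet the warning list flags that its letters spell a wordlist entry; that is why the rating and the warnings are reported separately rather than folded into one number.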
2. Use Biometrics
Fingerprint readers allow you to take advantage of strong passphrases – use a long, complicated passphrase as a backup for entry, then use the fingerprint reader for easy day-to-day access
Today’s fingerprint readers are very efficient, user-friendly and provide a very high level of security
3. Secure your hardware
Consult with your IT Support first, if you have it
Set your system BIOS password using same rules as used for your Windows login
Do not lose this password
4. Local Windows Security Policies
Password protect Windows Administrator account
Clear Windows Hibernate file on exit
Windows needs to check for and install operating system updates daily
Apply security patches immediately
Enable Windows firewall and check occasionally to ensure it is still on
5. Secure your web browser (Internet Explorer, Firefox, etc.)
Delete history on exit
Manage your cookies settings carefully
Delete / clear the cache, temp files, history on exit
Disable website user id / password storage
Apply patches, updates and new versions immediately
6. Configure your computer’s security tools, e.g. HP Protect Tools™, Microsoft Baseline Security Analyzer
7. Use a tool like Window Washer™ (XP) or CCleaner (Win7) to clean your temp and dormant files
Windows stores copies of your files in temporary locations; a cleaner such as Window Washer clears these files as a security measure and improves overall system performance
Secure Your Information: Defend From Invaders
Enable your encryption
Decide what files and folders need to be encrypted
Adjust file and folder properties in Windows Explorer to enable encryption
Encryption keys need to be stored off-system and carefully managed
Defend Against Invaders
Ensure you do not disable the password protection on your wireless router or access point
Purchase a brand name, high quality, anti-virus, anti-spyware suite and keep it up to date
Rogue Security Software
“Rogue security software was detected on 13.4 million computers (around the world - January-June 2009), which was down from 16.8 million compared to the second half of last year,” Akif said. “This is an improvement, but it still proves to be a significant threat because it still remains the number one (threat) category in the world.”
Security and Intelligence Report, Mohammad Akif, National Security and Privacy Lead, Microsoft Canada
What To Consider When Purchasing Anti-malware Software
Proactive protection
Advanced heuristic technology now makes it possible to detect previously unknown viruses as well as new variants of “in-the-wild” viruses that are active and spreading
Non-intrusive operation
Make sure the software doesn't slow down your system, prevent the use of other applications, require frequent user interaction or generate false alarms and frequent help-desk calls
Customer Support
The more support the better. Not that you will always need it, but when you need it, you will really need it...
Cost
You get what you pay for, don't compromise on protection
Phishing Attack
The fraudulent activity of attempting to acquire sensitive information such as user names, passwords, bank account information or credit card details through the Internet via browsing activity, email, or instant messaging, often by masquerading as a trustworthy entity
An Illegal Phishing Email
A Fake RBC Website
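The phishing email and fake bank website shown on the preceding slides share a few tell-tale link properties that can be checked mechanically before anyone clicks. The code below is an added example, not part of the presentation: the TRUSTED_DOMAINS set and the three sample links are constructed for the demo (rbc.com stands in for whichever bank the recipient actually uses; the look-alike hostname uses the reserved .example TLD and the IP address is from a documentation range).

```python
"""Checks on links in a suspected phishing message (added example, not from the slides).

Assumptions: the recipient knows which domains they bank with (TRUSTED_DOMAINS);
the SAMPLE_LINKS are constructed, with made-up look-alike hosts.
"""
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"rbc.com", "rbcroyalbank.com"}  # illustrative, not an endorsement


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname ('secure.rbc.com' -> 'rbc.com').
    A production check would consult the Public Suffix List for multi-label TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    """True for a dotted-quad IPv4 host such as 192.0.2.10."""
    labels = host.split(".")
    return len(labels) == 4 and all(label.isdigit() for label in labels)


def looks_like_url(text: str) -> bool:
    """Link text that itself names a host (e.g. 'www.rbc.com/online')."""
    return "." in text and not any(ch.isspace() for ch in text.strip())


def check_link(display_text: str, href: str) -> list[str]:
    """Return warnings about a link; an empty list means nothing suspicious was found."""
    warnings = []
    url = urlparse(href)
    host = url.hostname or ""
    if url.scheme != "https":
        warnings.append("not HTTPS")
    if url.username is not None:
        warnings.append("'@' in the URL: the part before it is not the real host")
    if is_ip_literal(host):
        warnings.append("link goes to a bare IP address rather than a bank domain")
    elif any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) hostname; may be a look-alike")
    elif registrable_domain(host) not in TRUSTED_DOMAINS:
        warnings.append(f"domain {registrable_domain(host)!r} is not one you bank with")
    if looks_like_url(display_text):
        # Link text that shows one host while the href goes somewhere else.
        shown_href = display_text if "://" in display_text else "https://" + display_text
        shown = urlparse(shown_href).hostname or ""
        if registrable_domain(shown) != registrable_domain(host):
            warnings.append(f"link text shows {shown!r} but the link goes to {host!r}")
    return warnings


# Constructed messages: (text the recipient sees, where the link really goes).
SAMPLE_LINKS = [
    ("www.rbc.com/online", "https://www.rbc.com/online"),
    ("https://www.rbc.com/signin", "http://rbc.com.account-verify.example/signin"),
    ("Verify your account now", "https://rbc.com@192.0.2.10/login"),
]


def triage(links=SAMPLE_LINKS) -> dict[str, list[str]]:
    """Map each href to its warning list."""
    return {href: check_link(text, href) for text, href in links}


if __name__ == "__main__":
    for href, warns in triage().items():
        print(href, "->", "OK" if not warns else "; ".join(warns))
```

The second sample is the classic fake-bank pattern from the slide: the real domain appears as a prefix of a hostname owned by someone else, and the visible link text does not match where the link goes. The checker reports both, plus the missing HTTPS.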
Secure Your Information: Back Up Your Files
Secure Your Information: Backup
The ultimate failsafe against loss, theft, fire, mechanical failure, human error, viruses, trojans, malware, etc.
Sometimes necessary for regulatory compliance
Make sure your backup will actually restore
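"Make sure your backup will actually restore" is only provable by restoring and comparing. The following is an added example, not code from the presentation or from any backup vendor: it records a SHA-256 manifest of the live files when the backup is taken, restores into a scratch folder, and reports which files came back intact, changed, or missing. The client files and the two simulated restore failures are constructed for the demo, and shutil.copytree stands in for the real backup tool's restore step.

```python
"""Verify that a backup actually restores (added example, not from the slides).

Assumption: the backup tool can restore into a scratch directory. A SHA-256
manifest taken at backup time is compared against the restored tree instead
of trusting the backup job's "completed successfully" message.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large client files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken at backup time."""
    report = {"ok": [], "missing": [], "changed": []}
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_file(target) != digest:
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: back up three files, then simulate a faulty restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "clients").mkdir(parents=True)
        (live / "clients" / "smith.txt").write_text("policy 12345\n")   # constructed
        (live / "clients" / "jones.txt").write_text("policy 67890\n")   # constructed
        (live / "notes.txt").write_text("renewals due in May\n")        # constructed

        manifest = build_manifest(live)        # taken when the backup job runs
        restored = Path(tmp) / "restored"
        shutil.copytree(live, restored)        # stand-in for the restore step

        # Two common restore failures: a truncated file and a file that never came back.
        (restored / "clients" / "jones.txt").write_text("policy 6")
        (restored / "notes.txt").unlink()

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

Store the manifest with the backup (or with the backup job's log) and run the comparison after every test restore; a backup set whose manifest cannot be matched is not a backup yet.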
Local vs. Online (remote) Backup
Examples of local backup: External USB drive, USB stick, DVD, CDs, removable HDD, office server
Advantages of local backup: Inexpensive, portable, fast file recovery, in some cases easy to implement
Local vs. Online (remote) Backup
Disadvantages of local backup
Files usually stored with or near computer – vulnerable to fire or theft
Not typically secure / encrypted
Backup needs to be manually verified, usable, recoverable
Vulnerable to hardware and media failure
Manual process, vulnerable to user error
User discipline required - process breaks down easily
Local vs. Online (remote) Backup
Advantages of online backup
Files are stored remotely, not vulnerable to fire, loss or theft
Files are encrypted in storage, more secure
Multiple revisions of all files stored
Typically automatic, does not depend on user compliance or user discipline
Monitored and managed by online storage vendor
Online access to backup files from any computer using Internet Explorer
Local vs. Online (remote) Backup
Advantages of online backup (continued)
System restoration and heal capabilities
Redundant nature makes it less vulnerable to hardware or media failure
DEAL WITH A REPUTABLE FIRM, MAKE SURE YOU ARE STORED IN CANADA
Local vs. Online (remote) Backup
Disadvantages of online backup
Not all vendors are created equal
Must have Internet access and be online to backup
Some services have storage limitations
Some services have performance issues
Monthly cost
Security of your backup is not in your control
Do-It-Yourself vs. Get Help
Columns: DIY / Get Help / Must Do / Optional
Automatic File Backup √ √
Anti-virus software √ √
Secure computer √ √
Strong pass phrase √ √
Biometrics √ √
Encryption √ √
Time to stop and think… what is your recovery and continuity plan?
What would the impact be to your business if your computers were lost or stolen, or damaged due to mechanical failure, common virus attack or everyday disaster?
Have you stopped and thought about how you will advise your clients?
How would it affect your professional image?
How will you run your business?
What will you do to get back to work?
Stay up-to-date… sign up for our Tips and Security Alerts on the Registration Form in your Information Kit
Win a Garmin GPS
Enter our draw for a Garmin GPS and receive important security alerts.
Fill out Tips and Security Alerts Registration Form in your info kit and bring it to our booth to be entered
No Panic Computing
A professionally configured enterprise class laptop and suite of backup, encryption, security monitoring and customer services in a convenient monthly lease
• An HP EliteBook™ featuring Intel vPro®, Microsoft Office, ESET®, and NPC DataGuard® backup and security suite
• Automatically encrypted and backed up into Iron Mountain every day
• A damaged, lost or stolen notebook is replaced with data restored, data destroyed on old notebook, within 48 hours
• Security monitored by certified technicians for intrusions, backup and encryption status, viruses and spyware attacks
• “Single Point of Contact” 24/7/365 IT helpdesk and technical support
Exclusive to Advocis Ottawa
Order your NPC by May 31 and receive an iPad FREE!
Q & A
Safe Computing Checklist
• Shop for a professional class computer designed for business
• Remove bloatware, de-clutter system
• Secure the computer hardware
• Configure your operating system for security, turn on Windows updates, configure / delete any user profiles that your computer came with
• Put in a strong passphrase, enable biometrics
Safe Computing Checklist (continued)
• Buy and install anti-virus, anti-spyware, anti-malware software
• Activate and configure your encryption system to protect client data
• Buy and install an adequate backup system, rotate backup, ensure there are off-site copies, or shop for and install a remote on-line backup service, figure out who to trust your data to
Safe Computing Checklist (continued)
• Activate your Windows firewall against various forms of Internet attacks
• Wonder how you would put it all back together if your computer ever failed
• Manage, monitor and maintain the security and performance of your system
• Test occasionally to ensure your backup will actually restore
• Sign up for NPC Important Security Computing Alerts!
A Few Technical Terms:
Encryption
Scrambling your data against a password
Firewall
Software that acts as a locked door to prevent unauthorized access to your computer from the potential two-way communication of the Internet
Biometrics
Various forms of using the unique physiology of the user to allow access
Cookies
A small piece of text left in the system area of your computer to identify you as a unique visitor to a website, to remember you, to collect data about you
Cloud Computing
Rather than processing and storing data in an application on your computer, you work on the application on the Internet, on a secure website
3G Wireless
A cellular hi-speed wireless network for smartphones and laptops that gives you roaming access at home Internet-like speeds
VPN – Virtual Private Network
A secure private network over the Internet for a specific group of people
Online (remote) backup
Backup of your computer information in a pay-for-use or private external data centre
User Profile
When entering a computer, the combination of your computer user name, password and personal settings, stored in a file on the computer
Remote Diagnostic and Repair
An ability to diagnose and repair problems on your computer through your Internet connection
MITM Attack (Man-in-the-Middle Attack)
An attack whereby someone has surreptitiously inserted themselves into the stream of your email or instant messaging communications. Easy to do within range of an unencrypted Wi-Fi access point
Malware
Viruses, Trojans, Spyware – any malicious software that can be put on your computer through email, by visiting certain websites, or by accepting and opening contaminated files such as PDFs, Word files, spreadsheets, etc.