Keeping Electronic Data Secure

Greg Van Wormer

Assistant Technology Services Director

League of Minnesota Cities

GoToWebinar Technology

Video

Q&A Panel

Resize

Polls

Readme.txt

Not Attorney

More than 20 years IT experience

First server operating system used: Windows NT

3.51

I have used acoustical modems

Colossal Cave Adventure still holds a place in my

heart

Who Are You? (Poll)

Have an IT department

Have an IT consultant

IT professional

Supervise IT professionals

Menace to IT systems

Agenda

What are the threats?

Securing data

How your data can be accessed

Cloud services

Mobile workforce security

Attack Vectors

Weak passwords

Web management consoles

Missing patches

Application vulnerabilities

Social engineering

Attack Vectors

Weak passwords

Web management consoles

Missing patches

Application vulnerabilities

Social engineering

Attack Vectors

Weak passwords

Web management consoles

Missing patches

Application vulnerabilities

Social engineering

Attack Vectors

Weak passwords

Web management consoles

Missing patches

Application vulnerabilities

Social engineering

Attack Vectors

Weak passwords

Web management consoles

Missing patches

Application vulnerabilities

Social engineering

Know what you have (Poll)

Do you have a complete, partial or no inventory of

all connected devices?

Complete

Partial

No

Know what you have

Know what you have

Inventory

List of all “protected” systems/equipment

List of who has access to it

Include who can authorize additional users

Purchase and support information

Document

Policies

More later!

Procedures

Employee departure

Employee setup

Disaster recovery

System patching & testing

Patching systems (Poll)

How are your desktop/laptop/tablet operating

systems kept up to date?

Automatic deployment with no user interaction.

Automatic download, ask for user to install.

Depend on users to update.

What updates?

Patching Systems (ASAP)

ASAP (Within a week of

release)

End user operating

systems

Mainstream end user apps

(Word, etc.)

End user “Free” apps

(Java, Reader, etc.)

Mobile devices

(Smartphones, tablets)

Patching Systems (Quick)

Quick (Within two or three

weeks of release)

Server operating systems

(Windows, VMware, etc.)

Mainstream server

applications (Mail, SQL,

etc.)

Patching Systems (Longer)

Longer (Within two or

three months of release)

Line of business

applications (Billing

applications, etc.)

Customized applications

Hardware (Firmware, etc.)

Limit Access

Based on need

Start with minimal & expand as needed

Have an approval process

Ransomware

It’s out there

Anti-virus not perfect

Few dollars

Initially!

Ransomware: how it works

HR

Public Works

Police

General

Reginold

Ransomware: how it works

HR

Public Works

Police

General

Reginold

Ransomware: how it works

HR

Public Works

Police

General

Reginold

Ransomware: how it works

HR

Public Works

Police

General

Reginold

Ransomware: I’ve got it

Call a pro first thing

Call LMCIT – you may have coverage

Do not shut down systems

Ransomware: Prevention

Only access to what you need

Only admins have local admin

Educate users

Block ads

Filter email

Segment networks

Where do you get your news? (Poll)

TV

Online news sites (web)

Newspaper (actual paper format!)

Social Media (Twitter, Facebook, etc.)

Malware/Viruses

No site is truly safe

Block ads

Advertisements: Wild

Advertisements: Firewall

Advertisements: AdBlock Plus

Advertisements: Monitoring

Advertisements: Monitoring

Network Segment (poll)

Do you segment your guest network from your

city network?

Yes

No

Segment

Policies (Poll)

What is the status of your computer use policy?

Updated in the past year

Updated in the past 5 years

Updated in the past 10 years

Updated more than 10 years ago

Don’t have a policy

Policy

You can’t enforce anything without a policy

Use common language

Make it enforceable (personal use)

Attorney review

Have employees sign it!

Remote Workforce

Address in computer use policy

BYOD or not

What they may access

How they may access

Encryption

All remote devices

Not bad internally either

Penetration Testing

Educate

Computer use

Social Engineering

Wireless

Cloud Computing

Different types

Private cloud

Public cloud

Software as a Service

(SAAS)

Advantages

Disadvantages

Interrogative Statements?

Greg Van Wormer

gvanwormer@lmc.org

For a recording of this webinar, go to: http://www.lmc.org/DataSecurity15