Securing Your Digital Information

Steven was a presenter at the 2017 American Association of Daily Money Managers conference on Sunday, November 12th, 8:45am - 9:45am.

A copy of his PowerPoint presentation can be found here

Overview

In the digital age we live in, DMMs must be diligent in helping their clients keep their financial information safe. This session will focus on securing digital information online, onsite, offsite, and during electronic communications. Topics will include secure web communication, VPN access, password policies and management, and sharing documents securely. The goal of this session is to inform participants of security best practices for protecting both their clients' information and their own.

Topics

Concepts & Definitions

Advanced Encryption Standard (AES): An encryption standard being developed by NIST, intended to specify an unclassified, publicly disclosed, symmetric encryption algorithm.

Authentication: Authentication is the process of confirming the correctness of a claimed identity.

Biometrics: Biometrics use physical characteristics of users to determine access.

Brute Force: A cryptanalysis technique or other attack method involving an exhaustive procedure that tries all possibilities, one by one.

Business Continuity Plan (BCP): A Business Continuity Plan is the plan for emergency response, backup operations, and post-disaster recovery steps that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.

Cipher: A cryptographic algorithm for encryption and decryption.

Ciphertext: Ciphertext is the encrypted form of the message being sent.

Confidentiality: Confidentiality is the need to ensure that information is disclosed only to those who are authorized to view it.

Cost Benefit Analysis: A cost benefit analysis compares the cost of implementing countermeasures with the value of the reduced risk.

Decryption: Decryption is the process of transforming an encrypted message back into its original plaintext.

Dictionary Attack: An attack that tries all of the words or phrases in a dictionary in an attempt to crack a password or key. A dictionary attack uses a predefined list of words, whereas a brute force attack tries all possible combinations.

Digital Certificate: A digital certificate is an electronic "credit card" that establishes your credentials when doing business or other transactions on the Web. It is issued by a certification authority. It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.

Due Diligence: Due diligence is the requirement that organizations develop and deploy a protection plan to prevent fraud and abuse, and additionally deploy a means to detect them if they occur.

Encryption: Cryptographic transformation of data (called "plaintext") into a form (called "ciphertext") that conceals the data's original meaning to prevent it from being known or used.

Form-Based Authentication: Form-based authentication uses forms on a webpage to ask a user to input username and password information.

HTTPS: When used in the first part of a URL (the part that precedes the colon and specifies an access scheme or protocol), this term specifies the use of HTTP enhanced by a security mechanism, which is usually SSL.

Hypertext Transfer Protocol (HTTP): The protocol in the Internet Protocol (IP) family used to transport hypertext documents across an internet.

Incremental Backups: Incremental backups only back up the files that have been modified since the last backup.

Integrity: Integrity is the need to ensure that information has not been changed accidentally or deliberately, and that it is accurate and complete.

Non-Repudiation: Non-repudiation is the ability of a system to prove that a specific user, and only that specific user, sent a message and that it has not been modified.

Phishing: The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the website look like they belong to a bank the user does business with.

Plaintext: Ordinary readable text before being encrypted into ciphertext or after being decrypted.

Public Key: The publicly disclosed component of a pair of cryptographic keys used for asymmetric cryptography.

Risk: Risk is the product of the level of threat and the level of vulnerability. It establishes the likelihood of a successful attack.

Risk Assessment: A risk assessment is the process by which risks are identified and the impact of those risks is determined.

Secure Sockets Layer (SSL): A protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a public key to encrypt data that is transferred over the SSL connection.

Security Policy: A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.

Threat: A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.

Threat Assessment: A threat assessment is the identification of the types of threats that an organization might be exposed to.

User Contingency Plan: A user contingency plan is the set of alternative methods for continuing business operations if IT systems are unavailable.

Virtual Private Network (VPN): A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network.

Zero-day Attack: A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer. Zero-day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software developer knows about the vulnerability.

Zombies: A zombie computer (often shortened to zombie) is a computer connected to the Internet that has been compromised by a hacker, a computer virus, or a trojan horse. Generally, a compromised machine is only one of many in a botnet, and will be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombie computers are unaware that their system is being used in this way.

Links and Resources

SANS.ORG OUCH Newsletters

If you only wanted to look at one site, I would recommend you read these newsletters and subscribe to future ones.

Sans.org OUCH! Archives

OUCH! is the world's leading, free security awareness newsletter designed for everyone. Published every month and in multiple languages, each edition is carefully researched and developed by the SANS Securing The Human team, SANS instructors and members of the community. Each issue focuses on and explains a specific topic and actionable steps people can take to protect themselves, their family and their organization.

SANS - Information Security Resources glossary of terms

Publications | US-CERT

The Best Backup Software for Windows

5 Effective Tools to Encrypt Your Secret Files

5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam

Infected! 10 Tips How To Prevent Malware On Your Computer

How to Keep Your Digital Information From Being Hacked

Privacy, Identity & Online Security | Consumer Information

4 Ways to Protect Against the Very Real Threat of Ransomware | WIRED

Warning: Encrypted WPA2 Wi-Fi Networks Are Still Vulnerable to Snooping

Security Awareness Solutions at a Glance

Fraud Watch Network Helps Avoid Scams and Fraud - AARP

Best Practices & How-To Articles | Information Security and Policy

Top 10 Secure Computing Tips | Information Security and Policy

Beating Ransomware: How to Prepare Your Organization on Vimeo

Steve Lyskawa

About me

Steve Lyskawa has been working with computer networks since 1978, including working in network and computer support for Fortune 500 companies in the banking, healthcare, automotive, and network security industries. He is currently employed by one of the premier network security companies in the world. Steve started a daily money management business in 2016.