Information Security News


Information Security News Alert March 2016

The Secrets of Data Classification

(Cover art: the classification labels public, internal only, regulated, confidential, top secret and private, each followed by a question mark.)

QUESTIONS? PLEASE CONTACT: Dawn Thistle 508-767-7095 dthistle@assumption.edu

Bob Lavner 508-767-7006 blavner@assumption.edu

DISCLAIMER: The advice within was collected and created by the Security Awareness Company and is intended to be used as general safe practices. You should always follow College policy.


The Importance of Data Classification

Data classification is essential to knowing how to handle sensitive information and which data requires extra effort to protect. It is based on the level of sensitivity and the impact it would have if that data were to be accessed, modified, transmitted, stored or deleted without authorization. In general, data can be classified into one of four sensitivity levels: public, internal use, regulated, and confidential or top secret. Public data requires the least amount of safeguards, while top secret data must have the highest level of protection. As an exercise, let’s walk through a sample corporate data classification system to give you a better idea of how this works in real life. This is not necessarily our system or any specific system; it’s just a simple example of one way to classify data and get you thinking about the importance of such things! How can you protect data if you don’t know exactly what information you’re trying to protect?

Public

Typically, public information is the marketing, PR and image branding content that molds public perception. A website is public, as is social media. A lot of effort can be put into determining what should be public, and then, just as importantly, what information should never be made public.

Internal Use Only

In this hypothetical case, our second data classification covers NDAs, contracts and business relationships. It also covers employee lists, pricing, some manufacturing processes and other competitive advantages without giving away anything Confidential. A disclosure of this data can be damaging, but not debilitating. There might be a small press frenzy. A stock price dip. The loss of a few customers. It would be painful, but it wouldn’t put a company out of business.

Regulated & PII

Regulated data such as health, financial and similar records deserve their own data classification, in some cases. For example, a data breach of regulated or Personally Identifiable Information (PII) can trigger investigations, fines and create a public furor. Data breaches in this area can cost the company hundreds of millions of dollars, with each record averaging $200-$500 per name. It’s also possible that some of the Personally Identifiable Information overlaps with Internal Use Only; in the real world of data classification, the lines are sometimes blurry.

Confidential & Top Secret

If this data gets out, it’s a complete catastrophe! Major damage can occur to the company. Lawsuits could rain down. Public confidence could be shattered. Customers and partners may leave in droves. Severe financial pain is all but guaranteed.

Some people might call this data the Crown Jewels, but no matter its name, we must do our due diligence in protecting it from any unauthorized disclosure. Do you know what our Crown Jewels are? Here are some examples:

◉ Coke formula
◉ Snowden documents
◉ Source code
◉ Manufacturing secrets
◉ Financial reports
◉ Intellectual Property
◉ Legal Strategies
◉ Marketing and Sales Details

Since we count on our staff and partners to be the front lines of defense of our company, part of your security awareness job is to notice when non-public information appears in a public place. This could be in the physical domain, like noticing sensitive financial details left in a public area copy machine. Or, in the cyber domain, such as a customer list on Facebook. If you see something, do something. Do you know how to report a violation of our data classification policy? If not, please ask!

(Sensitivity scale, least to most sensitive: PUBLIC, INTERNAL USE, REGULATED, CONFIDENTIAL)

RULE OF THUMB: If data is classified in two levels, always handle it at the MORE sensitive level.


DATA CLASSIFICATION AT WORK

If you’re handling our data, you need to know how to keep it safe whether you’re at work, in the office, on the road or telecommuting. The following data classification policies and procedures are vital to protecting the company from:

◉ Digital Theft
◉ Physical Theft or Losses
◉ Acts of God
◉ Hacktivism
◉ Espionage
◉ Data Breaches
◉ Nation-state Attacks
◉ Accidents

We can be the target of criminals or other online adversaries and must always be on guard against potential threats to our information, systems and business operations. Some company data is clearly much more sensitive than other data; check our security policy if you’re unsure. You should also be aware of our company obligations to adhere to mandated privacy and security regulations such as HIPAA, GLBA, Sarbanes-Oxley (SOX), PCI-DSS and countless others. If you need a refresher, please ask for assistance. These compliance regulations can have a direct effect on how we classify data, and in turn, how you manage that data.

What Kind of Data Do You Use, Store and Transmit?

We have several kinds of information to protect, all at various levels of data sensitivity. Do you know what kind of data you use, store and transmit on a regular basis? Do you treat each kind differently?

CRITICAL THINKING EXERCISE:

How might the following types of data be treated? Which employee(s) would have access?

◉ Marketing plans
◉ Sales projections
◉ Intellectual property
◉ “Secret Sauce” inventions
◉ Trademarks & Copyrights
◉ Customer Personally Identifiable Information (PII)
◉ Customer activities (non-PII)
◉ Partner agreements & deals
◉ Customer lists
◉ Engineering details
◉ Manufacturing problems
◉ Unannounced financial results
◉ Medical records
◉ Background checks & interviews
◉ Security procedures
◉ Employee PII
◉ Contracts


DATA CLASSIFICATION AT HOME

At home, you more than likely have many types of information stored on your computers, mobile devices and in hard copy. In general, this information can be considered either PUBLIC or PRIVATE.

PUBLIC

Anyone can see this information, any time they want. It might as well be posted on any social media site.

PRIVATE

You don’t want anyone seeing this information without your explicit approval. Perhaps there are some texts, photos, documents or emails you might be comfortable with anyone seeing. But if others were made public, you might shrink in embarrassment.

Home Classification Exercise

How would you classify the following types of information that most of us have collected over the years? Bonus: Where would they be stored?

◉ Kids’ school records
◉ Passwords to financial institutions
◉ Your family tree
◉ Your contacts
◉ SAT/ACT scores & college grades
◉ Family medical records
◉ Bachelor(ette) party photos
◉ Family trip videos
◉ Upcoming travel schedule
◉ User IDs for social media sites
◉ Alcohol purchases
◉ Motor vehicle records
◉ Criminal history
◉ Last 5 addresses
◉ Home ownership
◉ Car & Boat Ownership
◉ Work history
◉ Social security or national ID
◉ Skype conversations
◉ Texts
◉ Phone calls/records
◉ Credit scores
◉ Tax returns
◉ Honeymoon photos
◉ Loans
◉ Marriage, birth & death certificates
◉ Legal actions
◉ Insurance Policies

Now, how do you decide what is Public and what is Private?

How to Classify?

You might want to create a more complex, and more accurate, data classification system for your personal life. The method you choose is entirely up to you. No matter what, keep it simple so it’s easy to use and follow. Complexity breeds insecurity.

Where is it?

Once you have an idea of what information you want to protect, the next step is figuring out where the information you want to protect resides. That sounds simple, but organizations constantly struggle with this fundamental aspect of data classification. USB sticks, desktops, laptops, home networks, media centers, safety deposit boxes, file cabinets, smartphones, backup drives, in the cloud, in your brain… And then think about how many different places any one piece of information might reside!
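The “Where is it?” step above, together with the rule of thumb from the work section (data that could sit at two levels is handled at the MORE sensitive one), as an added Python example that is not part of the newsletter or of the Security Awareness Company’s material. It scans a handful of constructed sample files for indicators of regulated or marked data, assigns each file the highest level any indicator implies, and reports which indicators drove the decision. The SSN and payment card formats are real; the two document stamps it looks for (INTERNAL USE ONLY and CONFIDENTIAL/TOP SECRET) are assumed markings, the sample file names and contents are made up, and the card numbers are the usual publicly documented test numbers.

```python
"""Content-based data discovery and classification (added example).

Each sample file is assigned the highest classification level implied by
any indicator found in it, which is the newsletter's rule of thumb applied
mechanically: data that could sit at two levels is handled at the MORE
sensitive one.
"""
import re
from enum import IntEnum
from typing import Dict, Tuple


class Level(IntEnum):
    """Sensitivity scale used in the newsletter, least to most sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    REGULATED = 2
    CONFIDENTIAL = 3


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Indicator patterns. The SSN and card formats are real; the two document
# stamps are assumed markings a company might print on its files.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits, optional separators
INTERNAL_RE = re.compile(r"\bINTERNAL USE ONLY\b", re.IGNORECASE)
CONFIDENTIAL_RE = re.compile(r"\b(?:CONFIDENTIAL|TOP SECRET)\b", re.IGNORECASE)

# (indicator name, pattern, level the indicator implies)
INDICATORS = [
    ("ssn", SSN_RE, Level.REGULATED),
    ("payment_card", CARD_RE, Level.REGULATED),
    ("internal_marking", INTERNAL_RE, Level.INTERNAL),
    ("confidential_marking", CONFIDENTIAL_RE, Level.CONFIDENTIAL),
]


def classify(text: str) -> Tuple[Level, Dict[str, int]]:
    """Return (level, {indicator: count}) for one document's text."""
    hits: Dict[str, int] = {}
    for name, pattern, _level in INDICATORS:
        matches = pattern.findall(text)
        if name == "payment_card":
            # A run of digits only counts as a card number if the checksum holds.
            matches = [m for m in matches if luhn_ok(re.sub(r"\D", "", m))]
        if matches:
            hits[name] = len(matches)
    # Highest level among the indicators present; nothing found means PUBLIC.
    level = max((lvl for name, _p, lvl in INDICATORS if name in hits),
                default=Level.PUBLIC)
    return level, hits


def inventory(files: Dict[str, str]) -> Dict[str, Tuple[Level, Dict[str, int]]]:
    """Classify every file in a {path: text} mapping."""
    return {path: classify(text) for path, text in files.items()}


# Constructed sample documents (not real data). The card numbers are the
# standard publicly documented test numbers.
SAMPLE_FILES = {
    "press-release.txt":
        "Assumption College announces its spring open house. Contact pr@example.edu.",
    "pricing-2016.txt":
        "INTERNAL USE ONLY\nPartner pricing: tier A 12% discount, tier B 8%.",
    "refund-batch.csv":
        "name,card,amount\nJ. Doe,4111 1111 1111 1111,42.00\nR. Roe,5500 0000 0000 0004,19.99",
    "hr-benefits.txt":
        "CONFIDENTIAL\nEmployee 123-45-6789 elected plan B. Phone 508-767-7095.",
}


if __name__ == "__main__":
    for path, (level, hits) in inventory(SAMPLE_FILES).items():
        print(f"{path:20} {level.name:13} {hits}")
```

The hr-benefits file is the rule of thumb in action: it carries both a REGULATED indicator (an SSN) and a CONFIDENTIAL stamp, so it is handled as CONFIDENTIAL. Pattern-based discovery is noisy: roughly one random 13-16 digit number in ten passes the Luhn check by chance, so treat hits as leads to confirm rather than verdicts, and remember that real discovery tooling also has to look inside office documents, databases, mailboxes and backups, not just plain text.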


Privacy Pup’s DATA PRIVACY INSTRUCTION MANUAL

You need to protect your data and the data that you handle at work. But how do you even go about doing that? Privacy Pup is here to help! He is going to walk you through the steps you can take to avoid data privacy leaks.

ALWAYS FOLLOW POLICY! The advice that follows is intended to be used for general best practices. You should never install or make changes to technology without permission. As always, refer to company policy for more information.

STEP ONE

Install anti-virus and security software.

This is the most important first step in securing your computer and other devices. A device without security software is like a door without a lock; anyone could just walk in at any time.

STEP TWO

Turn on auto-update.

Be sure all your software is set to auto-update, not just your security software. Operating systems and apps have vulnerabilities that are remedied in patches and updates.

STEP THREE

Change your passwords.

Passwords have an expiration date...or, they should. Passwords should be changed often. They should be easy to remember but hard to guess, using a combination of numbers, letters and symbols. Never use the same password for more than one account and never write down or share your passwords.

STEP FOUR

Share less.

Be aware of what you are putting out into the public domain via social media. Manage your security settings so you know who has access to what data, about you and/or your company.

STEP FIVE

Avoid phishing emails.

If it sounds too good to be true, it probably is. Learn to recognize the signs of phishing emails, and who to report them to if necessary. Most important of all, DO NOT CLICK on any link in any suspicious or unusual email, as it is probably a phishing attempt.

STEP SIX

Use a personal VPN on free WiFi.

Public WiFi is very dangerous. To protect yourself from people trying to siphon off your data, you should use a personal VPN on all of your devices when browsing on free public WiFi.


THE HUMAN FIREWALL’S GUIDE TO DATA CLASSIFICATION

“Hmm, I wonder how I should handle this data?”

◉ If you need additional access rights or have any doubts, please ask!
◉ Notice if any sensitive company information has been made public. REPORT IT immediately!
◉ DO NOT POST anything other than public information online without explicit permission.
◉ If you think your access rights to our systems and data are MORE than what you need to do your job, please tell your manager ASAP.
◉ Never give any company or personal information to people on the phone (or anywhere online) unless you are 100% sure WHO they are and that they have a legitimate need to know.
◉ AVOID putting sensitive company documents on personal devices without explicit permission, such as with some BYOD (Bring Your Own Device) programs.
◉ AVOID using file sharing or collaboration services for sensitive information unless given permission.
◉ Do not remove confidential company documents from the premises without approval, and be sure to take extra precautions to protect them, while ALWAYS following policy.
◉ If you see any sensitive documents in public areas (such as copy rooms), give them to your manager IMMEDIATELY.
◉ LOOK for shoulder surfers when using your computer or mobile devices, especially in public areas and on public transportation.
◉ NEVER attempt to bypass any security controls. They are there for a reason: to protect our data.

Note to self: Know what data and resources you have access to. Know what kinds of data you use. Know how to protect both physical and electronic data. Know and follow our data classification policies. Notice when something seems odd. REPORT ANY & ALL SUSPICIONS IMMEDIATELY!

Please Remember: When it comes to a data classification system, there is no “one size fits all” as every organization (and every family!) has its individual needs. One thing that remains constant, however, is that DATA CLASSIFICATION IS KEY TO GOOD SECURITY. When you know which data needs to be protected and where it needs to be protected, then you can do a better job of protecting it!

MAKE SURE YOU KNOW AND ALWAYS FOLLOW DATA CLASSIFICATION POLICY AT WORK.


HEADLINE NEWS

Microsoft Ended Support for Older Versions of Internet Explorer

On January 12, 2016, Microsoft officially ended technical support and security updates for Internet Explorer 8, 9 and 10 on current Windows versions, leaving IE 11 as the only version still receiving updates there (the older IE versions bundled with Windows Vista and Windows Server 2012 follow those operating systems’ own support lifecycles). If you haven’t done so, upgrade immediately! Microsoft’s site has details on upgrading to the latest version for home, business, or enterprise users. On all software upgrades, ALWAYS FOLLOW POLICY AT WORK.

Why is this a big deal? The process of patching and updating software fixes vulnerabilities that are inevitably found as the software is used by millions of people. Criminal hackers are attempting to find and exploit these vulnerabilities before the company can patch anything, and often do. If older versions of Internet Explorer are no longer updated, that outdated browser is at high risk from new malware. (If you still don’t understand the true scope of this problem, see the ITProPortal item in the news feed below about how more than a quarter of all malware was created last year!)

On a less threatening level, software updates are also responsible for staying up-to-date with modern advancements in coding, trends and user experience. Out-of-date software can be clunky, slow and more difficult to use than necessary. And with Microsoft also ending tech support for some older versions of their software, no one will be able to help you if something goes wrong with your browser.

Again, if you’re still running a version of Internet Explorer that is earlier than version 11 (especially if you’re running earlier than version 8!), please upgrade as soon as possible at home. At work, ask! Using older, unsupported software is a tremendous security risk. Nobody wants to fall victim to viruses, spyware, or other malware!

#infosec

Google @google • Feb 3 Google turns on security alerts for maliciously embedded content that try to trick you into clicking bit.ly/1RaW2jO

New York Times @nytimes • Jan 31 How the EU & US protect online data differently. nyti.ms/1WVf7ac

ITProPortal @ITProPortal • Jan 29 More than a quarter of all malware, ever, was created in 2015 bit.ly/1Pc7Pfa

UVA @UVA • Jan 22 Univ of VA confirmed financial PII exposed as a result of phishing bit.ly/1URtoTU

U.S. FDA @US_FDA • Jan 15 US FDA released guidance to improve med device security 1.usa.gov/1ZBsYHG

(ISC)² @ISC2 • Jan 15 Applications are now open for (ISC)²’s annual cybersecurity scholarship for women bit.ly/1N7NROg

Hyatt Tweets @HyattTweets • Jan 15 Hyatt customer card data breach affected 250 hotels in 50+ countries bit.ly/1mhTUu8

Infosecurity @InfosecurityMag • Jan 14 22,000+ USBs left at dry cleaners yearly, 45% never returned bit.ly/1OR2lYj

Daily Sabah @DailySabah • Jan 10 26-yr-old Turkish hacker Onur Kopçak is serving a total of 334 years in prison for phishing bit.ly/1RzokFZ

