Five steps to securing personal data online Gary Shipsey Managing Director 25 September 2014
Agenda: learn from the mistakes of others and protect personal information online.
1 Where does your information go? Who is responsible for online security?
2 The top 5 risks and what to ask to sort them out.
3 The future: privacy impact assessments and privacy by design.
Who are you? Why are you here? Do you have a website? Do you use web-based services?
My favourite colour is ...
My salary is ...
In 2010, I voted for ...
I last visited the Doctor for ...
I have read 50 Shades of Grey
My favourite position is ...
Email / First name / Surname: garyshipsey@aal.co.uk / Gary / Shipsey
Animal Testing Support Group
Email / First name / Surname: garyshipsey@aal.co.uk / Gary / Shipsey
Genuine email address and name: sell on to a spammer.
Passwords: use to guess other passwords.
Sensitive information: use to blackmail the person or the organisation.
Financial details: use to commit fraud.
Data taken at bpas: 1. Name 2. Telephone # 3. Date of Birth 4. Address
bpas: the data was "not personal medical records of women who had undergone treatment at bpas and such records were never at risk".
Yet, combined with ethnicity and social background, it "could have led to physical harm or even death if the information had been disclosed by the attacker".
1 Where does your information go? Who is responsible for online security?
[Diagram: where your information goes. Newsletters: web-based services, details, newsletter, donor / service user data, email. Database: backup. Member area: login, member details, member content. Labelled throughout as defined personal data / content.]
Who manages your IT? Who manages your website? Internal, or external (a contracted-in support service)?
2 The top 5 risks and what to ask to sort them out
1 Check that the forms on your website are set up correctly
Form input: "Smith. Now tell me all the information you have about all the other applications"
1 Check that the forms on your website are set up correctly
SQL injection (SQL: Structured Query Language) is a common theme across many computer-related data breaches. Preventing, detecting and addressing this threat should be a high priority compared with other vulnerabilities.
1 Check that the forms on your website are set up correctly
Is information entered on our website ever treated as a set of instructions?
A Identify who is responsible for maintaining the source code (this will vary depending on whether the application is maintained externally or internally).
B Use the secure tools provided by the application programming interface (API) in use: parameterised queries (prepared statements), which keep what the user typed as data, rather than building queries by pasting the input into the SQL text.
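The "form input treated as instructions" problem, as an added example that is not from the slides: the same donor lookup behind a web form, built the unsafe way and with the parameterised query the API provides. It runs against an in-memory SQLite database; the donor rows, the "applications" table and the two form inputs are constructed sample data.

```python
"""Added example (not from the slides): a donor lookup behind a web form,
built the unsafe way and the safe way. Runs against an in-memory SQLite
database; all rows are constructed sample data."""
import sqlite3

# Constructed sample data: what a small charity's database might hold.
DONORS = [
    ("Smith", "alice.smith@example.org"),
    ("Jones", "bob.jones@example.org"),
    ("Patel", "cara.patel@example.org"),
]
APPLICATIONS = [  # the "other applications" the attacker wants to read
    ("Dana Lee", "counselling request: bereavement"),
    ("Eli Novak", "hardship grant: rent arrears"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE donors (surname TEXT, email TEXT)")
    con.execute("CREATE TABLE applications (applicant TEXT, details TEXT)")
    con.executemany("INSERT INTO donors VALUES (?, ?)", DONORS)
    con.executemany("INSERT INTO applications VALUES (?, ?)", APPLICATIONS)
    return con


def lookup_vulnerable(con, surname):
    """Deliberately unsafe: the form value is pasted into the SQL text, so the
    database reads whatever the user typed as instructions."""
    sql = "SELECT surname, email FROM donors WHERE surname = '%s'" % surname
    return con.execute(sql).fetchall()


def lookup_parameterised(con, surname):
    """Safe: the driver binds the value as a parameter. It is only ever
    compared with the surname column and is never parsed as SQL."""
    sql = "SELECT surname, email FROM donors WHERE surname = ?"
    return con.execute(sql, (surname,)).fetchall()


# Two constructed form inputs. The first turns the WHERE clause into
# "always true"; the second closes the query, bolts on a UNION that pulls
# rows from an unrelated table, then comments out the trailing quote.
DUMP_ALL = "Smith' OR '1'='1"
READ_OTHER_TABLE = "Smith' UNION SELECT applicant, details FROM applications --"


def demo():
    con = make_db()
    return {
        "honest_input": lookup_vulnerable(con, "Smith"),
        "vulnerable_dump_all": lookup_vulnerable(con, DUMP_ALL),
        "vulnerable_other_table": lookup_vulnerable(con, READ_OTHER_TABLE),
        "parameterised_dump_all": lookup_parameterised(con, DUMP_ALL),
        "parameterised_other_table": lookup_parameterised(con, READ_OTHER_TABLE),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the honest input both functions return the one Smith row. With the crafted inputs the unsafe version returns every donor, then every application on file; the parameterised version returns nothing, because no surname literally equals the crafted string. That is the check to ask your developer or supplier for: does any query anywhere build SQL from form input by string concatenation?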
2 Passwords and credentials
A Have we changed default usernames, passwords and settings?
B Do we hold all our passwords securely? No plain text (a site that can e-mail you a password "reminder" is storing passwords in the clear); hashing and salting.
C Do we ensure each and every password is difficult to crack?
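Questions B and C side by side, as an added example that is not from the slides: three ways of holding a password (plain text, unsalted hash, salted slow hash) and the dictionary attack that works against the weak ones. It uses only the Python standard library; the wordlist, the users and the iteration count are constructed assumptions.

```python
"""Added example (not from the slides): how a password should be held.
Three storage styles side by side, then a dictionary attack that works on
the weak ones. Standard library only; wordlist and users are constructed."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 300_000  # assumption: tune so one hash costs ~0.1-0.3 s on your server

# Constructed wordlist: the kind of list an attacker tries first.
WORDLIST = ["123456", "password", "letmein", "password123", "charity2014"]


def store_plaintext(password):
    """What a site that can e-mail you a password 'reminder' is doing."""
    return password


def store_unsalted(password):
    """Better than plain text, but identical passwords give identical hashes
    and one precomputed table of common words cracks every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted, slow hash: a random 16-byte salt per user and many PBKDF2
    rounds. The stored string carries everything needed to verify later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(rounds))
    return hmac.compare_digest(candidate, expected)


def crack_unsalted(stored_hash, wordlist):
    """Offline guessing against an unsalted SHA-256: one cheap hash per word,
    and the same work cracks every user who chose that word."""
    for word in wordlist:
        if hashlib.sha256(word.encode()).hexdigest() == stored_hash:
            return word
    return None


def crack_salted(stored, wordlist):
    """The same attack against the salted, slow hash: still works for a word
    on the list (question C), but must be repeated per user and costs
    ITERATIONS rounds per guess instead of one."""
    for word in wordlist:
        if verify_password(word, stored):
            return word
    return None


def demo():
    # Constructed users: two of them chose the same weak password.
    alice, bob = "password123", "password123"
    strong = "correct horse battery staple"
    return {
        "plaintext_stored": store_plaintext(alice),
        "unsalted_equal": store_unsalted(alice) == store_unsalted(bob),
        "salted_equal": hash_password(alice) == hash_password(bob),
        "cracked_unsalted": crack_unsalted(store_unsalted(alice), WORDLIST),
        "cracked_salted": crack_salted(hash_password(alice), WORDLIST),
        "verify_ok": verify_password(strong, hash_password(strong)),
        "verify_wrong": verify_password(strong + "!", hash_password(strong)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two cracking functions make the slide's point concrete: salting and a slow hash do not rescue a password that is on a wordlist (hence question C), but they stop one leaked table from exposing every user who shares a weak password, and they make each guess expensive.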
3 Software and services
A Do we keep our software up to date? (Illustrated on the slide by a version string, V2.1.2.36: know what version you run and whether it is the current one.)
B Have we removed unused software and services?
C Are we sure that software and services we consider redundant really are redundant: no longer used by anything, and switched off, rather than forgotten but still running?
4 Know where your data is being stored. Reduce the risk of personal data being processed in inappropriate locations.
A Do we have a well designed system and network? Have we clarity on where and how data is processed? (Test vs live systems.)
[Diagram: Internet (users / clients / donors) connects to You via a DMZ, a separate network zone that provides external services to the internet; lower security. Behind it sits the main internal network (staff, volunteers); higher security, with networked zones segregated by function and internal network segments for HR, Finance and Fundraising.]
4 Know where your data is being stored. Reduce the risk of personal data being processed in inappropriate locations.
B How do we manage backups? Onsite or offsite; purpose; who has access; audit.
C Do we store data in widely-accessible locations? Secure areas of websites (e.g. member areas) must apply specific access restrictions; a merely hidden location such as www.example.com/private is not protection, because anyone who learns or guesses the address can fetch it.
5 Ensure secure communications across the internet
https:// is provided by Secure Socket Layer (SSL) or its successor, Transport Layer Security (TLS): encryption schemes for the traffic between the user's browser and your server.
5 Ensure secure communications across the internet
You <-> User / client / donor
A Are our communications encrypted?
B AND is the identity of one (or both) of the endpoints trusted / verified?
5 Ensure secure communications across the internet
You <-> User / client / donor
A If the communication is not encrypted, the information transmitted is viewable by any system on the route between the two endpoints.
5 Ensure secure communications across the internet: man-in-the-middle attack
You <-> impersonator <-> User / client / donor
B If there is no assurance of your identity:
a) The attacker impersonates the secure service that the User expects to see.
b) The User potentially agrees to an untrusted connection. WHY? Because they ignore security warnings (they are used to seeing them on your site), and the site looks almost identical to yours.
c) The impersonator then forwards the communication to You (the legitimate service).
d) The impersonator can see the communication on the way past. Both the User and You are unaware that the connection is compromised.
5 Ensure secure communications across the internet
You <-> User / client / donor
B Where the identity of one (or both) of the endpoints needs to be trusted / verified, the User receives a digital certificate from the server. A valid digital certificate provides assurance to the User that You have satisfied a Certification Authority that You legitimately control the domain name(s). For that assurance to mean anything, the User's software must check that the certificate chains to a Certification Authority it trusts and that the name in it matches the site being visited; an encrypted connection that skips those checks gives protection A without protection B.
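Questions A and B made concrete, as an added example that is not from the slides: a TLS client connecting to a legitimate server and to an impostor, with and without verifying who answered. It assumes the `openssl` command is available to mint throwaway self-signed certificates; `legit.example` and `impostor.example` are made-up names, and both servers listen on 127.0.0.1. A self-signed certificate loaded as a trust anchor plays the role of "a Certification Authority the user trusts".

```python
"""Added example (not from the slides): the same connection made with and
without endpoint verification, against a legitimate server and an impostor.
Assumes the `openssl` command is available to mint throwaway self-signed
certificates. 'legit.example' and 'impostor.example' are made-up names;
both servers listen on 127.0.0.1."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(workdir, name):
    """Mint a self-signed certificate for `name`. In the demo it stands in for
    a CA-issued one: loading it as a trust anchor is 'trusting that CA'."""
    key = os.path.join(workdir, name + ".key")
    crt = os.path.join(workdir, name + ".crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-keyout", key, "-out", crt, "-subj", "/CN=" + name,
         "-addext", "subjectAltName=DNS:" + name],
        check=True, capture_output=True)
    return crt, key


def start_server(name, crt, key):
    """Serve TLS on an ephemeral local port and tell each client who answered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def loop():
        while True:
            conn, _ = listener.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(b"served by " + name.encode())
            except (ssl.SSLError, OSError):
                pass  # the client refused our certificate and hung up
            finally:
                conn.close()

    threading.Thread(target=loop, daemon=True).start()
    return listener.getsockname()[1]


def client(port, expected_name, trust=(), verify=True):
    """Connect as a browser would. `trust` lists certificate files to accept as
    CAs; verify=False reproduces a client that turns checking off entirely."""
    ctx = ssl.create_default_context()
    for cafile in trust:
        ctx.load_verify_locations(cafile)
    if not verify:
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=expected_name) as tls:
            return "accepted: " + tls.recv(64).decode()
    except ssl.SSLCertVerificationError:
        return "rejected"


def demo():
    """Returns None when openssl is not installed, else the four outcomes."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        legit_crt, legit_key = make_self_signed(d, "legit.example")
        imp_crt, imp_key = make_self_signed(d, "impostor.example")
        legit_port = start_server("legit.example", legit_crt, legit_key)
        imp_port = start_server("impostor.example", imp_crt, imp_key)
        return {
            # A and B: the real service, a trusted certificate, matching name.
            "verified_legit": client(legit_port, "legit.example", trust=[legit_crt]),
            # B holds: the impersonator's certificate is not from a trusted CA.
            "verified_impostor": client(imp_port, "legit.example", trust=[legit_crt]),
            # B holds even when the impostor's CA is trusted: the name is wrong.
            "verified_impostor_trusted_ca": client(
                imp_port, "legit.example", trust=[legit_crt, imp_crt]),
            # A only: encrypted, but to whoever answered. The man in the middle wins.
            "unverified_impostor": client(imp_port, "legit.example", verify=False),
        }


if __name__ == "__main__":
    for label, outcome in (demo() or {}).items():
        print(label, outcome)
```

The last case is the one to look for in your own systems and scripts: a connection that is encrypted (A) but whose peer was never verified (B) is exactly what the man-in-the-middle diagram needs, and it appears whenever certificate checking is switched off "to make the warning go away".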
1 Check that the forms on your website are set up correctly
2 Passwords and credentials
3 Software and services
4 Know where your data is being stored
5 Ensure secure communications across the internet
3 The future (now)? Privacy Impact Assessments and Privacy by Design
What is a Privacy Impact Assessment (PIA)? A process which helps assess privacy risks to individuals in the collection, use and disclosure of information.
Helps you to assess and identify any privacy concerns / risks and address them at an early stage, and throughout the project.
Enables you to bring forward solutions (or accept risks).
Prevents having to bolt on solutions as an expensive afterthought (or fire-fighting issues).
Makes addressing DPA / privacy part of the overall risk assessment / management process of a project / process change.
Examples where a PIA should be undertaken: any project or process change with the potential to impact personal privacy and confidentiality due to how personal information will be managed and processed.
Bringing in a new HR system to manage employee data.
Using a third party supplier to deliver marketing.
Collecting additional data from customers for use on a new project.
Permitting employees to work from home and/or bring their own devices to work.
Sharing data with other organisations to further your strategic goals.
Why should I do a Privacy Impact Assessment?
1. To avoid costs: problems are found early, rather than at a later stage when making changes is more expensive.
2. To avoid loss of trust and reputation: changes are deployed without information security and privacy flaws.
3. To identify and manage risks as part of the overall risk assessment and risk management process of the project / process change.
4. To help meet legal requirements: addressing privacy and information security early on delivers compliance with the relevant legislation, i.e. the Data Protection Act 1998.
www.protecture.org.uk Gary.Shipsey@Protecture.org.uk 020 3691 5731