Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

How to manage your client's data responsibly

25 visualizaciones

Publicado el

In this presentation, we are going to show how you can manage your clients' data responsibly and protecting them from becoming a victim of identity theft.

We will cover:
x How you should store and transfer identity documents for the 100 points checks
x Bad cybersecurity practices
x Bad data management practices
x Good cybersecurity hygiene
x Prudent data disposal practices
x How to remove metadata from sensitive documents when exchanging evidence or sending them to third-parties
x What you should do and how to notify your clients when you get involved in a data breach

Talking to lawyers about cybersecurity is like talking to millennials about superannuation. We promise to give practitioners advice which is practical, relevant and easy to understand.

Publicado en: Derecho
  • Sé el primero en comentar

  • Sé el primero en recomendar esto

How to manage your client's data responsibly

  1. 1. How to manage your client’s data responsibly Protect your clients from fraud, identity theft and confidential information Jeremiah Cruz jeremy@cryptoaustralia.org.au Nick Kavadias nick@cryptoaustralia.org.au Gabor Szathmari gabor@cryptoaustralia.org.aucryptoaustralia.org.au
  2. 2. Who is CryptoAUSTRALIA • A not-for-profit started by security and privacy enthusiasts. • We have nothing to do with BitCoin, so please stop asking. • We are for finding practical ways of dealing with the modern privacy and security challenges. • We are looking for sponsors in order to continue our work and research. • This may be a new concept to lawyers, but we are running these events for free*. * This presentation does not constitute cybersecurity advice.
  3. 3. Self Promotion.. Tonight’s speakers: •Jeremy – Network Security Expert •Nick – Solicitor and Technologist •Gabor – Cybersecurity Expert
  4. 4. We know how to internet… @CryptoAustralia #cryptoaus http://chat.cryptoaustralia.org.au https://fb.me/CryptoStraya Interact with us in the digital world…
  5. 5. What we are covering tonight… 1) Bad practices 2) Password security (2FA and Password reuse) 3) Sharing documents securely 4) Storing documents securely 5) Prudent data disposal practices 6) Physical security (dos and don’ts) 7) What to do post-breach 🙏
  6. 6. Secret: “hackers” log into your webmail
  7. 7. Password hygiene • Websites get hacked. • People reuse same email and password across multiple online accounts. D’oh!
  8. 8. Haveibeenpwned Do you have leaked passwords? https://haveibeenpwned.com/
  9. 9. Haveibeenpwned Leaderboard Today’s winner is …
  10. 10. Meanwhile on SpyCloud... (an unrelated account)
  11. 11. Meanwhile on SpyCloud
  12. 12. Bad client document & personal information management practices • VOI checks • Online document conversion • Document sharing (e.g. Dropbox) • Keeping emails forever • Public Wifi
  13. 13. Bad practices - VOI checks 100 points ID checks – Leaks everywhere • Scan-to-email printers (bonus: unencrypted traffic) • Documents sent/received over emails • Emails are never deleted on the sender/receiver side
  14. 14. Bad practices - VOI checks • Don’t ask for scanned documents to be sent over emails • Rely on VOI providers instead • Secure smartphone app and web portal • https://www.dvs.gov.au/users/Pages/Identity- service-providers.aspx
  15. 15. Bad practices
  16. 16. Bad practices - Online document conversion Online2PDF.com, freepdfconvert.com... • They provide a convenient service to convert documents to PDF
  17. 17. Bad practices - Online document conversion Online2PDF.com, freepdfconvert.com... • Who’s behind the service? • What happens to your documents? • Why would you upload sensitive documents to random strangers?
  18. 18. Online document conversion Convert documents offline with Adobe Professional
  19. 19. Bad practices - Document sharing over emails Problem statement: Your email file attachments and embedder download links remain in your ‘Sent’ email folder forever, waiting for a hacker to login and download them
  20. 20. Bad practices - Document sharing over cloud-based file storage services File sharing with Dropbox, OneDrive, random service: • Download links are valid forever • Mailbox gets hacked → Links are still live
  21. 21. Transferring sensitive documents securely • Send web links instead of file attachments where appropriate • Use expiring web links Services: Google Drive, Sync.com, Tresorit...
  22. 22. Bad practices
  23. 23. Transferring documents securely
  24. 24. Bad practices - Emails are kept forever Keeping all emails for extended period • Limit the damage if the mailbox gets hacked • Set an archive and retention policy and archive emails to a secure third-party service (e.g. Spinbackup, Backupify) • Office 365, G Suite support retention policies
  25. 25. Bad practices
  26. 26. Bad practices - Public Wifi Lots of hacking wizardry: • Password theft via fake login pages • HTTP pages tampered on the fly • Theft of unencrypted sensitive data Just take our advice on the next slide
  27. 27. Public Wifi – Use VPN or a 4G dongle
  28. 28. Good security hygiene What else you can do
  29. 29. Secret: “hackers” log into your webmail
  30. 30. Password hygiene • Websites get hacked. • People reuse same email and password across multiple online accounts. D’oh!
  31. 31. Two-factor authentication Most powerful defence from: •Crappy passwords (Letmein1) •Stolen passwords (phishing) •Leaked passwords (reuse)
  32. 32. Two-factor authentication
  33. 33. Password hygiene – Wallets Remember a single password only • LastPass • 1Password • Dashlane • RoboForm • < Any random password wallet >
  34. 34. Storing documents securely Cloud file storage – Who your adversary is • Hackers? - Dropbox, G Drive, OneDrive + Two-factor authentication turned on • Government? - End-to-end encrypted service: Sync.com, Tresorit • Encrypt your disks, USB flash drives and smartphones • BitLocker - Windows 10 Professional • FileVault – Mac • Android supports disk encryption • On iOS disk encryption is turned on by default
  35. 35. Prudent data disposal practices Laptops, computers: • Magnetic disks: overwrite • DBAN (https://dban.org/) • SSD: Physical destruction • USB flash drives: Physical destruction
  36. 36. Prudent data disposal practices iPhone: Factory reset Android*: 1. Encrypt device 2. Remove storage and SIM cards 3. Factory reset 4. Remove from Google account Phones (SD card): Physical destruction * https://www.computerworld.com/article/3243253/android/how-to-securely-erase-your-android-device-in-4-steps.html
  37. 37. Physical security (dos and don’ts)
  38. 38. Physical security (dos and don’ts) • Shredding documents • Diamond cut shredder • Secure document disposal service • Can secure dispose digital media for you • Digital certificates (e.g. PEXA key) •Leave them unplugged when not in use •Cut the built-in smart card in half to dispose
  39. 39. What to do when you get hacked 🙏 • Disconnect your computer from the Internet and stop using it • Notify LawCover - They have an incident response team • Checklist: http://lca.lawcouncil.asn.au/lawcou ncil/images/cyber/CP-What-to- Do.pdf
  40. 40. Summary 1) Use a VOI provider for identity checks 2) Use 2FA and don’t reuse your password 3) Share documents with expiring links 4) Store documents in the cloud securely (2FA) 5) Dispose data securely 6) Shred documents & protect digital certificates 7) Notify LawCover when the house is on fire
  41. 41. Where to get help • Law Council of Australia Cyber Precedent, great learning resource • Law Council cyber-attack checklist • Lawcover crisis management team can help you clean up the mess. • Victim of identity theft, you should contact IDCARE, NFP helping people • Have a conversation with your IT Service Provider, or staff. Use these slides as a talking point!
  42. 42. @CryptoAustralia #cryptoaus http://chat.cryptoaustralia.org.au https://fb.me/CryptoStraya Get updates: https://cryptoaustralia.org.au/newsletter Next workshop: https://www.meetup.com/Cybersecurity -for-Lawyers-by-CryptoAUSTRALIA/

×