Slide 1
How to manage your client's data responsibly
Protect your clients from fraud and identity theft, and protect their confidential information
Jeremiah Cruz, jeremy@cryptoaustralia.org.au
Nick Kavadias, nick@cryptoaustralia.org.au
Gabor Szathmari, gabor@cryptoaustralia.org.au
cryptoaustralia.org.au
Slide 2: Who is CryptoAUSTRALIA
A not-for-profit started by security and privacy enthusiasts.
We have nothing to do with Bitcoin, so please stop asking.
We are about finding practical ways of dealing with modern privacy and security challenges.
We are looking for sponsors in order to continue our work and research. This may be a new concept to lawyers, but we are running these events for free*.
* This presentation does not constitute cybersecurity advice.
Slide 3: Self promotion…
Tonight's speakers:
Jeremy – Network Security Expert
Nick – Solicitor and Technologist
Gabor – Cybersecurity Expert
Slide 4: We know how to internet…
Interact with us in the digital world…
@CryptoAustralia #cryptoaus
http://chat.cryptoaustralia.org.au
https://fb.me/CryptoStraya
Slide 5: What we are covering tonight…
Bad practices
Password security (2FA and password reuse)
Sharing documents securely
Storing documents securely
Prudent data disposal practices
Physical security (dos and don'ts)
What to do post-breach 🙏
Slide 6: Secret: "hackers" log into your webmail
Slide 7: Password hygiene
Websites get hacked.
People reuse the same email and password across multiple online accounts. D'oh!
Slide 8: Have I Been Pwned
Do you have leaked passwords? https://haveibeenpwned.com/
Slide 9: Have I Been Pwned leaderboard
Today's winner is…
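The check behind the haveibeenpwned.com slide, as an added example that is not part of the deck: a small Python client for the Pwned Passwords range (k-anonymity) lookup, where only the first five hex characters of the password's SHA-1 hash leave the machine and the match is made locally. The API response used here is constructed so the example runs offline; the live fetch_range helper assumes the public range endpoint URL format.

```python
import hashlib
import urllib.request

# Assumed public endpoint of the Pwned Passwords range API.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Return the 5-char prefix sent to the API and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into a dict of suffix -> breach count."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """How many times the password appears in the returned range (0 = not found)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix):
    """Live lookup: the full hash and the password itself never leave the machine."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response (not real API output): the suffix for the deck's
# example weak password "Letmein1" with a made-up count, plus two filler suffixes.
_, _LETMEIN_SUFFIX = sha1_prefix_suffix("Letmein1")
SAMPLE_RANGE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    _LETMEIN_SUFFIX + ":1234",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:12",
])

if __name__ == "__main__":
    pw = "Letmein1"
    print(pw, "seen", breach_count(pw, SAMPLE_RANGE_BODY), "times in the sample data")
```

To run it against the live service, pass `fetch_range(prefix)` as the range body instead of the constructed sample.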
Slides 10 to 12: (no text on slide)
Slide 13: Meanwhile on SpyCloud… (an unrelated account)
Slide 14: Meanwhile on SpyCloud
Slide 15: Bad client document and personal information management practices
VOI checks
Online document conversion
Document sharing (e.g. Dropbox)
Keeping emails forever
Public Wi-Fi
Slide 16: Bad practices - VOI checks
100 points ID checks – leaks everywhere
Scan-to-email printers (bonus: unencrypted traffic)
Documents sent/received over email
Emails are never deleted on the sender/receiver side
Slide 17: Bad practices - VOI checks
Don't ask for scanned documents to be sent over email
Rely on VOI providers instead: secure smartphone app and web portal
https://www.dvs.gov.au/users/Pages/Identity-service-providers.aspx
Slide 18: Bad practices
Slide 19: Bad practices - Online document conversion
Online2PDF.com, freepdfconvert.com…
They provide a convenient service to convert documents to PDF
Slide 20: (no text on slide)
Slide 21: Bad practices - Online document conversion
Online2PDF.com, freepdfconvert.com…
Who's behind the service?
What happens to your documents?
Why would you upload sensitive documents to random strangers?
Slide 22: Online document conversion
Convert documents offline with Adobe Professional
Slide 23: Bad practices - Document sharing over email
Problem statement: your email file attachments and embedded download links remain in your 'Sent' email folder forever, waiting for a hacker to log in and download them
Slide 24: Bad practices - Document sharing over cloud-based file storage services
File sharing with Dropbox, OneDrive, random service:
Download links are valid forever
Mailbox gets hacked → links are still live
Slide 25: Transferring sensitive documents securely
Send web links instead of file attachments where appropriate
Use expiring web links
Services: Google Drive, Sync.com, Tresorit…
Slide 26: Bad practices
Slide 27: Transferring documents securely
Slide 28: Bad practices - Emails are kept forever
Keeping all emails for an extended period
Limit the damage if the mailbox gets hacked:
Set an archive and retention policy and archive emails to a secure third-party service (e.g. Spinbackup, Backupify)
Office 365 and G Suite support retention policies
Slide 29: Bad practices
Slide 30: Bad practices - Public Wi-Fi
Lots of hacking wizardry:
Password theft via fake login pages
HTTP pages tampered with on the fly
Theft of unencrypted sensitive data
Just take our advice on the next slide
Slide 31: Public Wi-Fi – use a VPN or a 4G dongle
Slide 32: Good security hygiene
What else you can do
Slide 33: Secret: "hackers" log into your webmail
Slide 34: Password hygiene
Websites get hacked.
People reuse the same email and password across multiple online accounts. D'oh!
Slide 35: Two-factor authentication
Most powerful defence against:
Crappy passwords (Letmein1)
Stolen passwords (phishing)
Leaked passwords (reuse)
Slide 36: Two-factor authentication
Slide 37: Password hygiene – Wallets
Remember a single password only
LastPass
1Password
Dashlane
RoboForm
<Any random password wallet>
Slide 38: Storing documents securely
Cloud file storage – who your adversary is
Hackers? Dropbox, G Drive, OneDrive + two-factor authentication turned on
Government? End-to-end encrypted service: Sync.com, Tresorit
Encrypt your disks, USB flash drives and smartphones
BitLocker – Windows 10 Professional
FileVault – Mac
Android supports disk encryption
On iOS disk encryption is turned on by default
Slide 39: Prudent data disposal practices
Laptops, computers:
Magnetic disks: overwrite with DBAN (https://dban.org/)
SSD: physical destruction
USB flash drives: physical destruction
Slide 40: Prudent data disposal practices
iPhone: factory reset
Android*:
Encrypt device
Remove storage and SIM cards
Factory reset
Remove from Google account
Phones (SD card): physical destruction
* https://www.computerworld.com/article/3243253/android/how-to-securely-erase-your-android-device-in-4-steps.html
Slide 41: Physical security (dos and don'ts)
Slide 42: Physical security (dos and don'ts)
Shredding documents: diamond cut shredder
Secure document disposal service: can securely dispose of digital media for you
Digital certificates (e.g. PEXA key): leave them unplugged when not in use; cut the built-in smart card in half to dispose of it
Slide 43: What to do when you get hacked 🙏
Disconnect your computer from the Internet and stop using it
Notify LawCover - they have an incident response team
Checklist: http://lca.lawcouncil.asn.au/lawcouncil/images/cyber/CP-What-to-Do.pdf
Slide 44: Summary
Use a VOI provider for identity checks
Use 2FA and don't reuse your password
Share documents with expiring links
Store documents in the cloud securely (2FA)
Dispose of data securely
Shred documents and protect digital certificates
Notify LawCover when the house is on fire
Slide 45: Where to get help
Law Council of Australia Cyber Precedent, a great learning resource
Law Council cyber-attack checklist
LawCover crisis management team can help you clean up the mess.
Victim of identity theft? You should contact IDCARE, an NFP helping people
Have a conversation with your IT service provider or staff. Use these slides as a talking point!
Slide 46
@CryptoAustralia #cryptoaus
http://chat.cryptoaustralia.org.au
https://fb.me/CryptoStraya
Get updates: https://cryptoaustralia.org.au/newsletter
Next workshop: https://www.meetup.com/Cybersecurity-for-Lawyers-by-CryptoAUSTRALIA/