Date post: 27-Mar-2015
Upload: anna-saunders

iMinistry: Website and Internet Security Issues

Ernest Staats, Technology Director
MS Information Assurance, CISSP, MCSE, CNA, CWNA, CCNA, Security+, I-Net+, Network+, Server+, A+

[email protected]
Resources available @ http://www.es-es.net/2.html


Outline

• iMinistry Why?
• Safety Considerations
• COPPA
  – Does it apply? (so what)
  – COPPA Requirements
  – Report all Data Collected (opinion)
• Privacy Policies
• Reality of Web 2.0
• Information Mining with Google
• Keeping Data Secure -- Web 2.0
• AV not stopping everything…
• Test with Redseal, Security Space, Spi Dynamics WebInspect, and others
• Online Design Tips Information


iMinistry: Why?

• The Consumer Electronics Association of America says that the average American home now has 26 different electronic devices for communication and media. The Consumer Electronics Association of America also tracks sales and consumer references for 53 separate gadgets.1

• 30% of online Americans jack into the Internet wirelessly
• 45% of Internet users go online from someplace other than work or home
• 73% of American adults use the Internet
• 94% of American teens use the Internet
• 42% of American homes have high-speed broadband connections


Safety Considerations

• Be careful what your online name means or could mean
• Choose your words and photos wisely
• Never use full names of anyone under the age of 18
• Have a media release for everyone who is going to be in your photos/videos
• Everything put online stays online forever…
• Never give out or store personal information on your website


COPPA Does it Apply?

Children's Online Privacy Protection Act

• The rule applies to the following:

– Operators of commercial websites or online services directed to children under 13 that collect personal information from children

– Operators of general audience sites that knowingly collect personal information from children under 13

– Operators of general audience sites that have a separate children's area and that collect personal information from children


COPPA Requirements

• A site must obtain parental consent before collecting, using, or disclosing personal information about a child

• A site must post a privacy policy on the homepage of the website and provide a link to the privacy policy everywhere personal information is collected

• A site must allow parents to revoke their consent and delete information collected from their children

• A site must maintain the confidentiality, security, and integrity of the personal information collected from children


Privacy Policy Must Include

• Types of personal information they collect from kids—name, home address, e-mail address, or hobbies

• How the site will use the information—for example, to market to the child who supplied the information, to notify contest winners, or to make the information available through a child’s participation in a chat room

• Whether personal information is forwarded to advertisers or other third parties

• A contact person at the website, including phone number, snail mail address, and email


Report all Forms of Data Collected

• Network Traffic Logs
  – In addition to the personal information described above, our system collects server log data (also called clickstream data) that may include an IP address, the type of browser and operating system used, the time of day visited, the pages viewed and the information requested through searches. We aggregate this data and use it for statistical purposes, helping us to understand, for example, the amount of interest in portions of our Web site and ways to improve the navigation and content of our Web site.


IMAGE RELEASE FORM Sample

• For value received, I hereby consent and authorize the [INSERT ORGANIZATION NAME] (“____”), or its assigns, to use my name and/or the names of my family members who are minors, as listed below, as well as my likeness, photos, videos and other information (or that of family members who are minors) for the purpose of news releases, advertising, publicity, publication or distribution in any manner whatsoever. I further consent to such use in their present form and to any changes, alterations, or additions thereto. I hereby release [INSERT NAME OF ORGANIZATION] from all liability in connection with all such uses.

 

• Dated this day of , 20.


General Guidelines

• Make sure you have a written privacy policy

• Make sure you have a media release form as a part of your privacy policy

• Collect as little information as possible and make sure it is stored safely

• Be careful of what you post online and of what you say to youth online

• You are responsible for everything you POST or collect online


The Reality of Web 2.0 World

• Young people are being targeted, and information collected about them is used to locate them.

• We must be careful what information we post about young people online

MySpace: the worry
Easily tracked: the reality


Why We Care: Some Statistics

• “…A child goes missing every 40 seconds in the U.S, over 2,100 per day” (OJJDP)

• In 2005, 662,196 children were reported lost, runaway, or kidnapped (NCMEC)

• 2/3 of all missing children reports were for youths aged 15-17 (NCMEC)

• 2/5 missing children ages 15-17 are abducted due to Internet activity (ICAC)

• Do the math--over 2 million teens age 15-17 are abducted due to Internet activity


Information Mining with Google

• Google search string
  – site:myspace.com "birthday"
  – site:myspace.com "phone number"
  – Place name in quotation marks (use variations)
    • "First (Jon) Last" -- "Legal First (Jonathan) Last"

• Information that the Google Hacking Database identifies:
  – Advisories and server vulnerabilities
  – Error messages that contain too much information
  – Files containing passwords
  – Sensitive directories
  – Pages containing logon portals
  – Pages containing network or vulnerability data such as firewall logs

http://johnny.ihackstuff.com/ghdb.php


Keeping Data Secure in Web 2.0 world

• Continued Education of Computer Users

– Don’t click on strange links (avoid tempt-to-click attacks)

– Do not release personal information online

– Use caution with IM and SMS (short message service)

– Avoid social networking sites

– Don’t e-mail sensitive information

– Don’t hit “reply” to a received e-mail containing sensitive information

– Require mandatory VPN (virtual private network) use over wireless networks


Keeping Data Secure in Web 2.0 World

• Host-Based Technology

– Require hard drive encryption on all laptops

– Control the use of portable storage media by managing desktops

– Require the use of personal/desktop firewall software

– Require the use of personal/desktop anti-malware software

– Consider implementing document management systems


Keeping Data Secure in Web 2.0 World

• Network-Based Technology
  – Deploy network intrusion prevention (IPS)
  – Consider network admission control (NAC)
  – Implement information leakage detection and prevention
  – Consider IP reputation-based pre-filtering solutions
  – Run vulnerability scans on your network


AV test Results on 8-25-07


Results 2 on 8-25-07


Results 3

Program      # Detected   Detection %
WebWasher    605,846      99.83%
AVK 2007     604,255      99.56%
AntiVir      603,408      99.42%
F-Secure     594,333      97.93%
Symantec     593,355      97.77%
Kaspersky    592,606      97.64%
Fortinet     589,028      97.06%
Avast!       584,574      96.32%
AVG          583,541      96.15%
Rising       582,772      96.02%

PC Mag posted the results from May 22, 2007 AV-Test. In it, 29 antimalware products were tested against 606,901 sets of malware. Products were tuned to their most aggressive detection options.


Online Design Strategies

1. Define and articulate your PURPOSE

2. Build flexible, extensible gathering PLACES

3. Create meaningful and evolving member PROFILES

4. Design for a range of ROLES

5. Develop a strong LEADERSHIP program

6. Promote cyclic EVENTS

7. Integrate the RITUALS of community life

8. Facilitate member-run SUBGROUPS

9. Build site for quick SCANNING

10. Write text in short chunks CHUNKING


How People Scan Online


iMinistry: Example

Let every worker in the Master's vineyard, study, plan, devise methods, to reach the people where they are. --Ev 122, 123.

• GCA Church

