The 4th AIIM, COMA, Xplor combined meeting was completed on March 11, 2005. This year’s theme was Network and Data Security, and the meeting attracted 110 attendees (pic 1). The attendees were welcomed by Terry Johnson, EDP (pic 2), representing AIIM Wisconsin, The Enterprise Content Management Organization; Steve Mau (pic 3), representing COMA, The Computer Operations Management Organization; and Hubie Kocurek (pic 4), representing Xplor Chicagoland Chapter, The Organization of the Electronic Document Space. Please see the end of this synopsis for how to register for the May 13, 2005 Xplor Chicagoland Chapter meeting in Downers Grove, Illinois.
The first speaker was Skip Henk, EDP (President & CEO of Xplor International) (pic 5) presenting his thoughts on “Security and the Electronic Document”.
On a daily basis, Skip doesn’t care about document security. Document security is about not having to worry about it.
For the last 20 years, documents have been paper based, mainly checks, stocks, and other security documents. Technology is available today to thwart most paper document fraud. Going forward, the document has changed. Now a document is not just a piece of paper. A picture can be a document or part of a document. Documents are more complex and there are interactive documents. Document Security today is the quality or state of being secure and engendering a state of freedom from fear or anxiety.
The new challenge today is Identity Theft. The perception of Identity Theft is the procurement of personal information for fraudulent use. The reality is objectionable use of personal information.
Objectionable use of personal information: NO
· Cell phone offers (Based on phone usage information)
· Mortgage offers (Based on income information)
· US Army recruitment offers (Based on age information)
· AARP membership offers (Based on age information)
Objectionable use of personal information: YES
· Sending personal information to you in a document that indicates that you are being tracked.
· Receiving a 1 to 1 marketing piece that contains a picture of the building where you work is a form of identity theft.
Whose problem is it?
· It is your problem
· It is your vendor’s problem
· It is your service provider’s problem
The improper use of personal information is a big problem for the Electronic Documentation industry.
The next speaker was Matt Kestian, MS, CISSP, with Microsoft (pic 6), speaking on “Microsoft.net and IE Security Provisions”. Matt works with the Microsoft National Security Team.
System Patch 2 (SP2) is essential for those running Windows XP. This patch closes many hacker attack points and doesn’t allow fake images on a web page to remain in their proper location when using Internet Explorer. This is important because Phishing for personal information has gone high tech. Phishers use legitimate looking links and web pages to direct you to fake web sites capturing your personal and financial information.
Hackers today use Spoofing, Tampering, threat of Information Disclosure, threat of Denial of Service, and Elevation of Privilege to gain access to corporate information or to extort money from companies.
Attack Methodologies used:
· Search for known vulnerabilities
· Exploit vulnerabilities
· Elevate Privileges to take ownership of system
· Download Hacker Tools, Back Doors, and Root Kits into accessed system for later use
· Get through network to Back End Server
· Steal Data
· Clear Tracks and Audit Trails
Defense in Depth, an organized framework for security, is required to thwart hackers. A layered portfolio of countermeasures reduces the chance of a single point of vulnerability.
A layered portfolio of countermeasures consists of:
· Perimeter security
· Network security
· Host security
· Application security
· Data security
· Physical security
· In place Policies, Procedures, and Awareness
A Perimeter Layer compromise could be initiated from a Business Partner’s computer. A Network Layer compromise requires network Security Zones to compartmentalize access and Restricted Access into the network.
It is only 10 to 15 days after a Program Flaw is announced that hackers have written code to exploit the flaw and others have modified the code to be a virus. Originally, hacking was for fun and games. Today, Spam and Spyware are for money.
Microsoft is starting an Application Certification program that will allow Least User Access to install certified programs and not have to go to Administrator level.
Corporate computers can be compromised through a home computer where an employee is logged into the corporate system to do legitimate work. All home computers should have:
· Microsoft XP-SP2 patch installed
· Updated anti-virus software
· Anti-spyware installed
· Using the Mozilla web browser instead of Internet Explorer opens a different set of vulnerabilities and doesn’t add to security
The next speaker was Larry Boettger, CISSP, GSEC (pic 7) from Berbee. Larry spoke on “Cyber Criminal Methods and Prevention Techniques”. On April 26, 2005 Berbee is demonstrating Hacker Methods and Prevention Techniques in Milwaukee, Wisconsin.
How do you know if a new employee or a released employee isn’t still using their previous password? Hackers have a program called Logcrack to break passwords. Proper password precautions are essential.
Cyber Criminal Motives:
· Politics
· Show off expertise
· Personal gratification
· They know they can
· Financial rewards
Cyber Intruder Methods:
· Company web site research
· Information gleaned from user groups
· Sending email with virus or spyware
· Access Call Modems set up by employees to work from home
· Read discarded trash to obtain passwords
· Impersonate someone trusted like a Help Desk person
· Scans of your computer systems
· “War Drive” your wireless network to bypass firewalls
What are the benefits of a Computer Security Assessment?
· Discover vulnerabilities and provide a roadmap for fixes
· Establish a security baseline
· Strengthen security
· Provide Due Diligence
· Provide a formal security audit
· Find weak security areas
Steps to take to increase computer and network security:
· First step is to develop a quick, concise, easy to read and use Security Policy
· Train employees in Security Awareness
· Strong access and authorization controls. Weak passwords are the “Achilles Heel” at most companies.
· Have comprehensive Patch Management on all computer systems
· Assure only needed or updated services are active on each computer system. Be careful of what an application wizard installs.
· Use encryption and digital signatures to protect against forgery and impersonation
· Have a Hacker Incident Policy in place to help responders think clearly and act quickly
· Have a written Disaster Recovery Policy in place that includes a Hacker initiated disaster
· Have Physical Safeguards such as Visitor Badges to eliminate unauthorized people from accessing corporate data
Meeting the ISO-17799 standard covers the following Security Areas:
· Security Policy
· Organizational Security
· Asset Classification and Control
· Personnel Security
· Physical and Environmental Security
· Access Control
· System Development and Maintenance
· Business Continuity Management
· Compliance
· Remember to budget for security remediation costs and to prioritize security risks and security remediation efforts
The next speaker was Dave Pom, Information Assurance Manager with Metavante (pic 8), presenting “Information Data Security Are You Protected?”
Information data security has had to change with the changes in IT infrastructure.
In the late 80’s and early 90’s, IT infrastructure consisted of:
· Mainframes only
· Dedicated networks
· Dumb Terminals
· Centralized management
Today the IT infrastructure consists of:
· Public networks
· Multiple protocols
· Powerful desktop computers
· Multiple languages
· De-centralized management
To control and eliminate the multiplicity of security vulnerabilities, there should be a long-term set of Security Policies. Standards should be chosen to support the Security Policies as long as the chosen technology is applicable. Procedures should be developed to provide specific operational steps to provide data security.
What can Security Architectures do?
Security Architecture: Network
· There is no “Silver Bullet”
· Protect data going out of the network as well as data coming into the network
Security Architecture: Server Build
· Develop standard Build Process
· Build in a Trusted Environment
· Eliminate unnecessary patches
· Apply application security
· Install Security Components: Anti-virus and spyware programs
· Scan system for vulnerabilities
Security Architecture: Patching Process
· Determine criteria for whether patches should be applied during scheduled maintenance or on an emergency basis
Security Architecture: Anti-Malware
· Run anti-virus, anti-spam, and anti-spyware programs in the network gateway system and all clients
· Do file integrity checking
· Run Host Intrusion Detection software
What are the Security Trends and Challenges?
· Increased security exposure due to increased complexity and connectivity
· Increased frequency, sophistication, and coordination of security attacks
· Hackers are trying to access banks and infrastructure companies
· Hackers are targeting wireless network vulnerabilities for easier access to corporate networks
· There is a renewed emphasis on security validation and certification
· Application vulnerabilities are being targeted by hackers due to a reduction in server and network vulnerabilities
· Phishing and Pharming attacks are increasing. Hackers use automated hits on fake websites to force the fake site to the top of a Google search
The final speaker was Harry Kohal, Past President of the Wisconsin Association of Computer Crimes Investigators (pic 9). He spoke on “Identity Theft Securing Your Clients Personal Information”.
What is Identity Theft? It is illegally using another person’s Name, Drivers License, Social Security Number, Address, or Telephone Number without the person’s permission. Identity Theft is a Class D Felony with a fine not to exceed $10,000 or imprisonment not to exceed 10 years or both.
Your company has the same risks as an individual:
· Identity Theft
· Telephone and Utility Theft
· Bank Fraud
· Employment Fraud
· Software Theft
How thieves obtain personal and corporate information:
· Theft of a wallet or purse
· Dumpster Diving
· Inside sources
· Mail Theft
· Online data capture or redirection
· Submitting Change of Address Forms (After the form expires, the Post Office puts the new address on it and returns it to the sender.)
· Finding personal information while inside your home or office
· Shoulder surfing or eavesdropping
What are the effects of Identity Theft?
· The average age of victims is 40
· It is a year before the theft is found out
· California has the highest number of Identity Thefts
· Washington D.C. has the highest per capita rate of Identity Thefts
· The theft is usually discovered when the victim is turned down for a loan or receives a letter or call from a Collection Agency
· Interaction with police turns up a criminal record in your name
· It takes 1000 hours of effort and $1,000 or more, not including attorney fees, over a 2-year period to straighten things out
What to do if you personally become an Identity Theft victim:
· Contact the Fraud Department at each of the 3 Credit Agencies
· Obtain your Credit Report from each of the 3 Credit Agencies
· Establish a Victim Report with each of the 3 Credit Agencies and contact creditors
What to do if your company is a victim:
· Contact and work with Law Enforcement
· Implement the Disaster Recovery Plan
· Decide who will be informed and contacted. Will the Media be contacted or not?
How do you protect yourself?
· Manage personal information wisely
· Determine how your information will be used before providing it
· Pay attention to Billing Cycles to see if unknown extra charges have been incurred
· Guard mail from theft
· Put a password on credit cards
· Avoid using your mother’s maiden name as a security word. Birth records are open to the public
· Minimize the number of credit cards and ID you carry to limit their theft or loss
· Do not give out personal information over the telephone
· Shred discarded personal records and documents
The presentations closed with an “Ask the Security Experts” panel moderated by Mike Schultz from Metavante (Far right pic 10). The panel brought back together our presenters and included Ted Jach from Berbee (Far left in pic 11). The crowd view is (pic 12).
Xplor Chicagoland Chapter is collaborating with Xplor International on May 13, 2005 to host a program put on by Interquest. The program will be focused on the Insurance and Finance Industries with topics covering the “Implementation of Color Variable Data with Insurance and Financial applications”. The program will require a $60 Registration Fee and you can register at www.focusedforums.com.