Information Security for CPAs
J. Carlton Collins, CPA
Southeastern Accounting Show
Copyright August 2009 – J. Carlton Collins

1. Virus Protection

2. Patches & Updates

Windows Updates

Windows XP & Windows Vista Firewalls

3. Password Protected Screen Saver

4. Firewall

5. Configure Your Wireless Routers

Firewall Settings

– Reset the administrator password (the factory default is printed in the manual and known to everyone)
– Turn on encryption (WPA2; WEP can be broken in minutes and should not be used)
– Broadcast a different name (SSID) than the factory default

6. Encryption Primer

Encrypting Word and Excel Files

Encryption Primer

Public-key encryption such as RSA (used by PGP and by SSL to exchange keys) is based on two large prime numbers; the symmetric ciphers that actually encrypt files and disks (such as AES) are not. The strength of either is measured in key bits:

About Bits

A bit is a 0 or a 1. It takes 8 bits (one byte) to represent a single character, or a number from 0 to 255. Each extra key bit doubles the number of keys a thief has to try.

Key length    Time to try every key (as given on the slide)
40 bit        1 second
56 bit        19 hours
64 bit        7 months
128 bit       4.3 quadrillion years (4,300,000,000,000,000)

A second, unlabelled figure on the slide: 4,594,972,986,357,220,000,000,000,000,000,000,000,000,000,000,000,000

Note that the 128-bit figure is conservative even on the slide's own scale: starting from 40 bits in 1 second, 128 bits is 2^88 seconds, roughly 10^19 years. The practical weak point is never the key but the password it is derived from.

7. Encrypt Your Data Files, Folders & Hard Drives

Protecting Your Hard Drive

1. BIOS Password

2. Windows Password


How Thieves Beat BIOS & Windows Passwords

1. Remove the drive
2. Insert it in another computer as a second drive
3. The second drive becomes completely readable (neither the BIOS password nor the Windows logon password protects data at rest)

Or they boot the machine from a Knoppix live CD, which reads the NTFS drive in place without ever logging on to Windows.

3. Encrypt Files or Folders (EFS)

1. Must use NTFS (in Windows XP Professional; XP Home does not include EFS)
2. Right-click the file or folder and select "Properties"
3. Select "Advanced", then "Encrypt contents to secure data"

EFS is tied to your Windows logon: the file keys are protected by a certificate that is in turn protected by your password. A thief who pulls the drive sees ciphertext, but a weak logon password can be cracked offline from the same drive and then unlocks everything. Back up the EFS certificate (cipher /x) or a reinstall leaves the files unreadable to you as well. Files copied to a FAT32 USB stick or attached to e-mail leave as plaintext.

4. Or Use TrueCrypt

The whole hard drive is encrypted and decrypted on the fly. (TrueCrypt development ended in 2014; VeraCrypt is its maintained successor. Windows Vista Ultimate and Enterprise include BitLocker for the same purpose.)
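Because EFS is a per-file attribute, the folder you encrypted is not the whole picture: a spreadsheet copied to the Desktop or a USB stick is plaintext again. The following audit script is an added example, not part of the original presentation; it walks a folder and lists sensitive files that NTFS does not report as encrypted. The extension list is an assumption, and on a non-Windows host (or any FAT32 or network volume) Python exposes no file attributes, so every file correctly reports as unencrypted.

```python
"""Added example: audit which sensitive files under a folder carry the
NTFS/EFS "Encrypted" attribute. Not from the original presentation."""
import os
import shutil
import stat
import tempfile

# NTFS stores EFS state as a per-file attribute; Python exposes it on Windows
# as os.stat(...).st_file_attributes. FILE_ATTRIBUTE_ENCRYPTED == 0x4000.
EFS_FLAG = stat.FILE_ATTRIBUTE_ENCRYPTED

# Assumed list of extensions a CPA would care about; adjust to taste.
SENSITIVE_SUFFIXES = (".xls", ".xlsx", ".doc", ".docx", ".pdf", ".qbw", ".txt")


def is_efs_encrypted(path):
    """True only if NTFS reports the file as EFS-encrypted.
    st_file_attributes exists only on Windows; elsewhere (FAT32 sticks,
    network shares, non-Windows hosts) there is no EFS, so the answer is False."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & EFS_FLAG)


def unencrypted_sensitive_files(root, suffixes=SENSITIVE_SUFFIXES):
    """Walk root and return sorted paths of matching files that are NOT encrypted."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                if not is_efs_encrypted(path):
                    exposed.append(path)
    return sorted(exposed)


def make_sample_tree(base):
    """Constructed sample tree: two client files and one unrelated log file."""
    files = ["Clients/Acme/2008-return.xlsx", "Clients/notes.docx", "readme.log"]
    paths = []
    for rel in files:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        paths.append(path)
    return paths


def demo():
    """Build the sample tree in a temp dir, audit it, return exposed basenames."""
    base = tempfile.mkdtemp(prefix="efs-audit-")
    try:
        make_sample_tree(base)
        return [os.path.basename(p) for p in unencrypted_sensitive_files(base)]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    # Point this at a real client folder on Windows to see what is still plaintext.
    for name in demo():
        print("NOT encrypted:", name)
```

Run it against the client folder after turning on EFS, and again after a week of normal work: the files that show up are the ones a drive thief can read.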

8. Encrypting Your E-Mail

PGP (Pretty Good Privacy)

E-Mail Encryption Software

9. Use Windows Vista

Why Vista?
– I know, I know – the image that Vista stinks
– I told people Vista stinks for almost a year; I now believe otherwise
– Vista is the greatest operating system ever written on the planet
– Far more secure than Windows XP
– Sees more RAM and processors
– Very fast
– Instant Search
– 3-D Flip

10. Regular Backups

Online Backup

– Carbonite - $50/year
– XCentric - Superior

11. Use an Uninterruptible Battery Backup Device

12. Filter Your Searches

13. Strong Passwords

Use Strong Passwords

Happy – 5 minutes to break
Happy44 – 15 minutes to break
hAPP5y44 – Many hours to break

(Microsoft recommends using upper/lower/special characters)

I recommend the old phone number method:

912 638 4822 + delta + 4499 = 9126384822delta4499 (or 9126384822Delta4499)
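The key-length table and the password examples above are two views of the same arithmetic, and the "minutes to break" figures depend entirely on which attack is run. The script below is an added example (not from the original presentation) that reproduces the slide's key-length times from a guess rate calibrated so that 40 bits takes one second (an assumption, not a measured rate), estimates password strength two ways (the charset model behind the upper/lower/digit advice, and the pattern model an attacker uses against a known recipe such as phone number + word + digits), and runs a small dictionary-plus-rules attack on SHA-256 hashes. The word list is constructed for the example. Note that "Happy44" falls to the rules attack in milliseconds whatever the charset model says, and that the phone-number recipe is only as strong as the phone number is secret.

```python
"""Added example: keyspace arithmetic behind the key-length table and the
dictionary-plus-rules attack behind the password examples. Not original code."""
import hashlib
import itertools
import math
import string

# Calibrated to the slide: a 40-bit key exhausted in 1 second => 2**40 keys/s.
# This is an assumption chosen to reproduce the slide, not a measured rate.
SLIDE_RATE = 2 ** 40


def brute_force_seconds(bits, guesses_per_second=SLIDE_RATE):
    """Seconds to try every key or password in a space of 2**bits."""
    return (2 ** bits) / guesses_per_second


def charset_bits(password):
    """Charset model: every character drawn uniformly from the union of the
    classes the password uses. This is the model behind "add upper case,
    digits and specials" advice; it overestimates human-chosen passwords."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def pattern_bits(component_sizes):
    """Pattern model: the attacker knows the recipe (phone number + word +
    digits) and guesses each component; bits add up across components."""
    return sum(math.log2(n) for n in component_sizes)


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def candidates(words, max_digits=2):
    """The rules a cracker tries first: case variants of a dictionary word
    followed by up to max_digits digits (covers "Happy", "Happy44", ...)."""
    for word in words:
        for base in (word.lower(), word.capitalize(), word.upper()):
            yield base
            for n in range(1, max_digits + 1):
                for digits in itertools.product(string.digits, repeat=n):
                    yield base + "".join(digits)


def crack(target_hash, words, max_digits=2):
    """Return the candidate whose SHA-256 equals target_hash, or None."""
    for cand in candidates(words, max_digits):
        if sha256_hex(cand) == target_hash:
            return cand
    return None


# Constructed sample word list; a real cracker carries millions of words.
WORDLIST = ["happy", "delta", "password", "summer"]

if __name__ == "__main__":
    for bits in (40, 56, 64, 128):
        secs = brute_force_seconds(bits)
        print(f"{bits:3d}-bit key: {secs:.3g} s ({secs / (365.25 * 86400):.3g} years)")
    for pw in ("Happy", "Happy44", "hAPP5y44"):
        print(f"{pw!r}: charset model {charset_bits(pw):.1f} bits, "
              f"rules attack finds {crack(sha256_hex(pw), WORDLIST)!r}")
    # Phone-number recipe: 10-digit number + word from a 100,000-word list + 4 digits.
    print(f"recipe, number unknown:  {pattern_bits([10**10, 10**5, 10**4]):.1f} bits")
    print(f"recipe, number known:    {pattern_bits([1, 10**5, 10**4]):.1f} bits")
```

The charset model rates the phone-number password at over 90 bits; the pattern model rates it near 63 bits if the number is unknown and under 30 bits if the attacker has your business card. Random, long, and stored in a password manager beats any memorable recipe.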

14. Employee & Customer Background Checks

1. www.trudiligence.com - Many searches with instant results. Free 1 week trial.
2. www.formi9.com - Electronic I-9s. Expert I-9 audits. Instant employment eligibility verification.
3. find.intelius.com - $29.95 - Instant criminal & background check, SSN verification, sexual offender registry, and address trace in one. FCRA compliant.
4. www.Intelius.com - Instant criminal & background check, SSN verification, FCRA. (877) 974-1500
5. www.CriteriaCorp.com - Screen employees with personality, aptitude and skills tests.
www.HireRight.com - Industry's fastest turnaround time. Trusted by Fortune 500.
6. www.infolinkscreening.com - Accurate and compliant employee background checks, drug testing, physical exams, and Form I-9 eSolutions provided by Kroll.
7. www.sentrylink.com - Instant online results for criminal checks, driving records, and credit reports. FCRA compliant. National criminal check only $19.95.
8. www.IntegraScan.com/Employee-Screening - $18.95 - Free preliminary results. Instantly check millions of records. Comprehensive state and national background checks.
9. www.backgroundsonline.com - Professional employment background screening, hire with confidence.
10. www.CorporateScreening.com - Medical, manufacturing, financial; quality customized services.
11. www.absolutebackgrounds.com - Provider of online applicant-screening services.
12. www.backgroundcheckgateway.com - Site enables visitors to perform free background checks using public records.
13. www.backgroundchecks.com - A service which provides instant desktop delivery of criminal records information, social security validation and more.
14. www.backgroundsonline.com - Provider of web-based pre-employment screening services and employee background checks, including criminal, reference, DMV, education and employment verification.
15. www.brainbench.com - Provider of Internet-based applicant testing services, including technical, language and programmer/analyst aptitude testing.
16. www.corporate-screening.com - Provides national employee and business background online.
17. www.esrcheck.com - Firm offers pre-employment screening services for employers, human resources and security departments.
18. www.hireright.com - Provider of online pre-employment screening services.
19. www.informus.com - Provides Internet-based employee screening.
20. www.sentrylink.com - Instant online results for criminal checks, driving records, and credit reports. FCRA compliant. National criminal check only $19.95.
21. www.trudiligence.com - Many searches with instant results. Compare vendors. Free 1 week trial.
22. www.peoplewise.com - Provider of legally compliant employment screening services over the Internet.
23. www.prsinet.com - Provider of pre-employment screening through background checks. Provides a web-based order and retrieval system.
24. www.reviewnet.net - Provider of Internet-based solutions to attract, screen, interview and retain technology professionals.
www.NetDetective.com

15. Follow Good Computer Disposal Practices

1. Federal Environmental Law - The Resource Conservation and Recovery Act (RCRA) has been updated recently to include guidelines regarding the disposal of computer monitors.

2. Sarbanes-Oxley and HIPAA - Sarbanes-Oxley and HIPAA require that all data be properly removed before hard drives are disposed of. Deleting files or reformatting the drive does not remove the data; overwrite the whole drive with a wiping tool or physically destroy it, and keep a record of which serial numbers were wiped.

3. Hazardous Materials - Computers contain hazardous materials such as mercury, cadmium (a known carcinogen), and hexavalent chromium (associated with high blood pressure, iron-poor blood, liver disease, and nerve and brain damage in animals).

4. CRT Concerns - Most environmental concerns are associated with monitors. Specifically, a color cathode ray tube (CRT) contains about four to five pounds of lead, which of course is considered hazardous waste according to the EPA.

5. Computers in Landfills Outlawed - California, Massachusetts, and Minnesota have outlawed the disposal of computer waste in landfills.

6. Ponder This - Suppose groundwater becomes contaminated and a search for the source finds that your old computer (identified by a control tag or manufacturer's serial number) has been discarded nearby. You could be subject to potentially costly criminal and civil litigation (i.e., Superfund litigation under CERCLA as amended by SARA). This could happen even if the organization had donated the equipment to a charity or paid a company to recycle it.

7. License Considerations - If you donate your computer, you should evaluate software license agreements to determine if they preclude transfer of the software along with the computer.

16. Use Pick Proof Door Locks

Open any padlock with a beer can - http://www.metacafe.com/watch/yt-1eGxRQlWTrM/open_a_master_padlock_with_a_beer_can/
Learn how locks work - http://www.metacafe.com/watch/yt-cuLC9klMsRI/the_visual_guide_to_lock_picking_part_06_of_10/
Open door locks with picking tools - http://www.metacafe.com/watch/877739/kwikset_door_lock_picked/
Make your own pick tools - http://www.metacafe.com/watch/1029493/home_made_lock_picks/
Pick a padlock with homemade pick tools - http://www.metacafe.com/watch/1015152/how_to_open_padlock_lockpicking/
Open door locks with a bump hammer - http://www.metacafe.com/watch/yt-zTfEwChCG0U/brockhage_bump_hammer_set/
Open a door lock with a pick gun - http://www.metacafe.com/watch/884219/how_to_pick_locks_with_a_lock_pick_gun_lockpicking_tutorial/
Open a car with a tennis ball - http://www.metacafe.com/watch/410981/blondie_unlocks_car/
Open a car with a wood wedge and pole - http://www.metacafe.com/watch/1078391/how_to_unlock_car_without_keys/
Open a tubular lock - http://www.metacafe.com/watch/1029502/lock_picking_tubular_locks/
Pick a Club and pick a car ignition - http://www.metacafe.com/watch/1029496/lock_picking_club_and_car_ignition/
Pick tools described - http://www.metacafe.com/watch/1363050/lock_picking_with_all_my_sets_tools/
Order picking tools online - http://www.lockpicks.com/index.asp?PageAction=VIEWCATS&Category=204
Order a pick gun online - http://www.lockpicks.com/index.asp?PageAction=VIEWCATS&Category=215
Order a bump hammer online - http://www.lockpicks.com/index.asp?PageAction=VIEWCATS&Category=324
Order car pick tools online

17. Shred Everything

18. Online Security Tests

ShieldsUp! - Port Authority Edition, grc.com - probes your public IP address from the outside and reports each port as open, closed, or "stealth" (no reply at all, which is what a firewall should produce)
Broadband Tests and Tools, www.broadbandreports.com/tools - speed tests and a port scan of your connection
BrowserSpy, gemal.dk/browserspy - shows what your browser discloses about itself and its plug-ins
GFI Email Security Testing Zone, www.gfi.com/emailsecuritytest - sends test messages with risky attachment types to see whether your mail filter stops them
Hacker Whacker, www.hackerwhacker.com
PC Flank, www.pcflank.com
PC Pitstop, www.pcpitstop.com
Qualys BrowserCheck, browsercheck.qualys.com - checks the browser and its plug-ins for missing security updates
Privacy.net, privacy.net/analyze - shows what a web site learns about you from a single visit
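What ShieldsUp does from the outside is a TCP connect scan: it tries to complete a handshake on each port and classifies the answer. The script below is an added example, not part of the original presentation or of grc.com; it performs the same classification locally so you can compare the firewall's "stealth" result with what the machine is actually listening on. The port list is an assumed set of services a Windows office PC commonly exposes; demo() runs entirely against loopback with one listening port and one closed port so it can be exercised offline.

```python
"""Added example: the TCP connect scan behind ShieldsUp-style tests,
run locally. Not from the original presentation."""
import socket

# Assumed sample of ports worth checking on an office PC (name: service).
COMMON_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 135: "msrpc",
                139: "netbios-ssn", 445: "microsoft-ds", 3389: "rdp"}


def probe(host, port, timeout=0.5):
    """Classify one TCP port the way perimeter scanners report it:
    'open'     - handshake completed, something is listening
    'closed'   - the host answered with RST: reachable, nothing listening
    'filtered' - no answer at all: a firewall silently dropped the probe
                 (what ShieldsUp calls "stealth")."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except OSError:          # ECONNREFUSED, EHOSTUNREACH, ...
        return "closed"
    finally:
        sock.close()


def scan(host, ports, timeout=0.5):
    """Scan a list of ports; returns {port: 'open' | 'closed' | 'filtered'}."""
    return {port: probe(host, port, timeout) for port in ports}


def demo():
    """Self-contained run against loopback: one listening port, one closed port.
    The kernel completes the handshake for a listening socket even before
    accept(), so no background thread is needed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # OS picks a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                          # nothing listens there any more
    try:
        result = scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return {"open": result[open_port], "closed": result[closed_port]}


if __name__ == "__main__":
    print("loopback demo:", demo())
    # Scan this machine's own services; replace with your public IP and run
    # from a network you do not own (a phone hotspot) to see the firewall view.
    for port, state in scan("127.0.0.1", COMMON_PORTS).items():
        print(f"{port:5d} {COMMON_PORTS[port]:<13s} {state}")
```

Only scan addresses you own or have written permission to test; a scan of anyone else's system is the same activity the employee agreement below prohibits.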

19. Employee Agreements

1. Users will not violate copyright laws and their fair use provisions through inappropriate reproduction and/or distribution of music (MP3, etc.), movies, computer software, copyrighted text, images, etc.

2. Users shall not use company computers or network facilities to gain unauthorized access to any computer systems. Using programs intended to gain access to unauthorized systems for any reason or purpose is strictly prohibited.

3. Users shall not connect unauthorized equipment to the company's network, including hubs, routers, printers or other equipment connected to the company's network directly or via remote attachment.

4. Users shall not make unauthorized attempts to circumvent data protection schemes or uncover security loopholes. This includes creating and/or running programs that are designed to identify security loopholes and/or decrypt intentionally secured data.

5. Users will not associate unapproved domain names with a company-owned IP address.

6. Users will not knowingly or carelessly perform an act that will interfere with the normal operation of computers, terminals, peripherals, or networks.

7. Users will not knowingly or carelessly run or install on any computer system or network, or give to another user, a program intended to damage or to place excessive load on a computer system or network. This includes, but is not limited to, programs known as computer viruses, Trojan horses, and worms.

8. Users will refrain from activity that wastes or overloads computing resources. This includes printing too many copies of a document or using excessive bandwidth on the network.

9. Users will not violate terms of applicable software licensing agreements or copyright laws.

10. Users will not use company resources for commercial activity, such as creating products or services for sale.

11. Users will not use electronic mail to harass or threaten others, or to send materials that might be deemed inappropriate, derogatory, prejudicial, or offensive. This includes sending repeated, unwanted e-mail to another user.

12. Users will not use electronic mail on company-owned, company-sponsored, or company-provided hardware or services to transmit any information, text, or images that would be deemed offensive, inappropriate, derogatory, or prejudicial.

20. Periodic Computer Checks

1. Recent applications
2. Search history
3. Browsing history
4. Cookie history
5. Temporary Internet files
6. Search for JPGs
7. Recycle Bin
8. Suspicious password-protected files
9. Requesting lost passwords
10. Review sent and received e-mail
11. Review Deleted E-Mail folder
12. Review Junk E-Mail folder
13. Use e-mail rules to track usage
14. Use e-mail server settings to track usage
15. Game high scores
16. Microsoft Coffee

Tools to help you track computer usage:

• Key loggers
• Print Monitor Pro (free)
• Give Me Do (free)
• Desktop Spy (free)
• Hardware keylogger ($60)
• Internet Spy (free)
• Evidence Tracker
• Evidence Blaster ($23)

21. Physical Inventories & Surprise Cash Counts

22. Bolt Down Computer Systems

23. Filter Out Spam

Spam

• Robs you of productivity
• Many approaches to reducing spam:
– Anti-spam software - SpamFighter
– Outlook Junk Mail Filter
– Filter junk mail at the mail server - GMail
– Filter junk mail at your router - Barracuda
– Microsoft's suggestions

24. Be Wary of Hacking Tools

Hacking & Cracking Tools

• Crackz
• Hackz
• Warez
• Serialz

These are sites distributing cracked software, key generators and serial numbers. Beyond the licensing problem, such downloads are a common carrier for Trojans and keyloggers; treat anything from them as hostile.

25. Identity Theft Tips

http://www.asaresearch.com/web/security_identity_theft.htm

Avoid Phishing

How Serious is the Problem?

Organization: National Institutes of Health
Date of Theft: February 2008
Type of Data Stolen: Patient data for 2,500 patients over a 7-year period
How Stolen: From an employee's home

Organization: Davidson County Election Commission (Nashville, TN)
Date of Theft: December 28, 2007
Type of Data Stolen: Names and complete Social Security numbers for 337,000 registered voters
How Stolen: Someone broke into several county offices over Christmas and stole laptop computers

Organization: Transportation Security Administration (TSA)
Date of Theft: August 10, 2006
Type of Data Stolen: Social Security numbers, payroll information, and bank account data for approximately 133,000 employee records
How Stolen: From a government vehicle

Organization: Federal Trade Commission (FTC)
Date of Theft: June 22, 2006
Type of Data Stolen: Data on about 110 people that was "gathered in law enforcement investigations"
How Stolen: Stolen from a locked vehicle

Organization: Internal Revenue Service (IRS)
Date of Theft: June 2006
Type of Data Stolen: 291 employees and job applicants, including fingerprints, names, Social Security numbers, and dates of birth
How Stolen: In transit on an airline flight

Organization: AICPA
Date of Theft: June 2006
Type of Data Stolen: Unencrypted hard drive containing names, addresses and Social Security numbers of 330,000 AICPA members
How Stolen: Lost during shipping

Organization: U.S. Department of Veterans Affairs
Date of Theft: May 3, 2006
Type of Data Stolen: 26.5 million veterans, their spouses, and active-duty military personnel
How Stolen: Laptop stolen from an employee's home

Organization: Citibank Student Loan Corporation
Date of Theft: March 8, 2006
Type of Data Stolen: Information on 3.9 million customers
How Stolen: Lost in transit while being shipped

A laptop that belonged to an Ernst & Young employee was stolen from a vehicle. The computer contained personal information of 243,000 Hotels.com customers.

American International Group, a major insurance company, became responsible for private data of 970,000 potential customers when their file server and several laptop computers were stolen from its Midwest offices.

An Equifax Inc., company laptop was stolen from a travelling employee. Information compromised included employee names and Social Security numbers.

13,000 District of Columbia employees and retirees were put in danger of identity theft when a laptop belonging to ING U.S. Financial Services was stolen from an employee's home.

A laptop containing debit card information and Social Security numbers of 65,000 persons was stolen from YMCA’s seemingly safe administrative offices.

Four laptop computers containing names, Social Security numbers, and addresses of 72,000 customers were stolen from the Medicaid insurance provider Buckeye Community Health Plan.

A Boeing employee's laptop was grabbed at an airport, compromising 3,600 employees' Social Security numbers, addresses and phone numbers. Again in 2006 Boeing lost an unencrypted computer hard drive which held the names and Social Security numbers of approximately 382,000 workers and former employees, including addresses, phone numbers, birth dates and salary information.

Stolen UC Berkeley laptop exposed personal data of nearly 100,000.

A laptop computer stolen from an MCI employee’s automobile in 2005 included the names and social security numbers of 16,500 MCI employees.

Long List of Documented Thefts of Data - Victims Include:

Here’s An Even Bigger List

Organization: Drug Enforcement Administration (DEA)
Date of Theft: June 7, 2004
Type of Data Stolen: Laptop of DEA informants
How Stolen: From the trunk of an auditor's car while he was at a bookstore coffee shop in suburban Washington

PGP (Pretty Good Privacy)

Phil Zimmermann

Is Big Brother Watching You Anyway?

It is widely rumored that a "master key" exists. No such key has ever been demonstrated: PGP's source code was published and has been reviewed for years, and the real risks to PGP-protected mail are a weak passphrase, a key stored on a stolen laptop, or a keylogger on the PC.