Damage Control: When Your Security Incident Hits the 6 o’clock News
Marilu Goodyear, CIO, University of Kansas
Robert Clark, Jr., Director of Internal Auditing, Ga Tech
Dan Updegrove, VP for IT, The U of Texas at Austin
Educause 2003, Anaheim, California, Nov 5, 2003
Educause 2003 Abstract
• Even carefully deployed security systems aren’t 100% safe. While we work to reduce security exposures, we must also prepare for the day an incident hits the headlines. One way to prepare is to study lessons learned by those who have “been there, done that”: what worked, what didn’t, surprises encountered, surviving the crisis.
Goodyear/Clark/Updegrove
When in crisis, plan
Marilu Goodyear
Vice Provost for Information Services and CIO
University of Kansas
goodyear@ku.edu
KU INS Data Incident
• January 21, 2003: a tech staff member reports a compromise on the machine being used to compile SEVIS data for submission
• KU immediately launched a technical investigation and determined the next day that the SEVIS test file had been taken (as well as rogue activity relating to movies and music)
• File contained data from a Student Information System extract matching on:
  • Country of permanent address
  • Presence of visa information
  • Included some US students due to mismatches
• 1,900 records with this info: Name, Student ID No., Social Security No., Passport No., Country of Origin, Visa Status
Planning in a Crisis
• Defined successful outcome
  • Protect our students
  • University acts, and is viewed as, a responsible organization
• Mind map to get major areas of concern
• Just kept determining next steps
  • Based on personal planning model
  • David Allen, Getting Things Done, www.davidco.com
Organization of Response
• Team – Overall Strategy
  • Vice Provost/CIO
  • Coordinator of IT Policy
  • External Relations Staff
  • IT External Relations Officer
  • Director of University Relations
• Team – Technical
  • Associate Vice Provost
  • IT Security Officer
  • Technical staff who work on the system
Organization of Response
• Team – Student Support
  • Director of Office of International Students and Scholars
  • Staff in office building INS file
  • Academic Computing for e-mail communication support
• Team – Legal
  • Provost
  • Head, University Counsel
  • VP/CIO
  • Coordinator of IT Policy and Planning
Response Activities
• Communication with FBI and INS
  • US Attorney called us after we went public
• Notified State of Kansas Security Officer
• Press release; waited to see if it had “legs”, then called a press conference
• Student communication: e-mail, Web, one phone number to call for support
• Communication with software vendors and SEVIS technical staff
What we did right
• Took care of the students
  • Notified students quickly (four hours)
  • Provided personal communication for students
  • Legal Services for Students for identity theft assistance
• Open communication strategy
  • Provost support
  • Went public quickly (five hours)
  • Had media-savvy admin assistants to deal with phones
  • Press conference to help deliver our message
  • Involved students in the press conference
What we did right
• Structure of our approach
  • Involvement of campus players, good team of individuals
  • Dynamic communication structure of activities and next actions
• Technical
  • Kept vendor name out of press announcements
  • Notification of other IT professionals about their risk
  • Work with software vendor to improve system security
• Human resources approach: reward staff for reporting
• Failed forward: held meetings to review actions, second-guess and learn
What we could have done better
• Communication with law enforcement
• Attention to open records issues in documenting the incident
• More specific incident response procedures
• Communication internally to our own staff
  • Staff assumptions of system security
• Language with press: a tech / English / media translation table
• Call them, don’t wait until they call you
Recommendations
• Preparation activities
  • Crisis communication plan
  • Policy on whether and how to notify individuals affected
  • Protocol for working with University Relations, Legal Counsel
  • Prepare communication materials
• In the heat of the moment
  • Determine outcomes
  • Plan
  • Act
  • Communicate
I’m from Internal Auditing, and I’m here to help you…
Robert N. Clark, Jr.
Director of Internal Auditing
Georgia Institute of Technology
Rob.Clark@business.gatech.edu
Responding to Info Security Incidents
• Information on an incident may come from a variety of sources:
  • OHR – personnel-related complaint
  • Legal Affairs – person seeking legal advice
  • Financial Services – questionable transaction(s)
  • Campus Police – allegation of illegal behavior
  • Information Security – analysis of questionable traffic or use, spurious bandwidth usage, intrusion detection reports, etc.
  • Internal Auditing – information discovered during audit; Fraud, Waste, & Abuse Hotline; etc.
  • Unit management with concerns over activity, etc.
Responding to Info Security Incidents
• Challenge: ensuring a consistent approach to dealing with incidents
• Risk: if an investigation is not handled appropriately or consistently, it puts the Institute at risk
• Solution: IA recommended creation of an ad-hoc task force and a procedure to address Info Security incidents
[Figure (diagram not reproduced): http://www.audit.gatech.edu/IAcollabrative2.wmf]
Step 1
• Incident is brought to the attention of a member of management
• He/she convenes the Ad-Hoc Group [CIO, Chief Audit Executive, Chief Legal Advisor, Director of Information Security, AVP-OHR, Director Homeland Security]
• “What do we know now?”
• Group shares info to determine other resources that may need to be involved (e.g., AVP-Financial Services, Director Institute Communications, Chief Technology Officer, head of affected unit, etc.)
• Group determines needed resources
Step 2
• Group makes a determination on the potential outcome
  • E.g., if the situation/allegations are proven true, will this likely result in (1) legal action, or (2) administrative/personnel action only?
• This determines the procedures to be followed in conducting the investigation and the standard of evidence to which we should adhere
• Also determines whether law enforcement should be notified and/or involved
Step 3
• Group determines who will take the lead in facilitating the investigation.
• This person:
  • Coordinates efforts, arranges meetings, initiates status reporting
  • Initiates status reporting to the Office of the President
  • Determines the appropriate custodian of investigation data
  • Facilitates reporting at the end of the investigation
Step 4
• Investigation is conducted following appropriate procedures agreed to by the Group
• Regular communication with the Group on status, observations, noteworthy issues
• Report is produced by the facilitator and reviewed (if necessary) by the Group to ensure all are aware of key issues
Step 5
• Group re-convenes to:
  • Evaluate effectiveness of process;
  • Document “lessons learned”;
  • Track total cost of incident in time and resources; and
  • Discuss ways the situation may be prevented in the future, e.g.,
    • Additional audit steps to examine for this elsewhere?
    • Need for policy enhancement?
    • Need for additional education/awareness?
Handling a Breach in Security
Dan Updegrove
VP for Information Technology
The University of Texas at Austin
d.updegrove@its.utexas.edu
UT Austin SSN Data Theft Chronology
• Sun, Mar 2, 7:20 p.m.: Initial observation of high-volume database access from off-campus
• Mar 3, a.m.: Law enforcement contacted
• Mar 4, p.m.: Evidence points to UT student
• Mar 5, p.m.: Two residences searched: Austin, Houston
• Mar 5, p.m.: Austin American-Statesman breaks story; UT datatheft website deployed
• Mar 14: UT undergraduate student charged
• Nov 5: Federal case still pending …
UT Austin SSN: What Happened?
• An insecure interface to a UT mainframe database provided access to over 1 million records
• A rogue program was written to input 2.6 million sequential SSNs against this interface
• Of these, ~50,000 matched, disclosing names of current/former UT Austin students, faculty, staff, admission & job applicants, library patrons; current/former faculty/staff at other UT campuses
• No evidence to date that SSNs or names were misused or disseminated – but it’s impossible to “prove a negative”
• UT has attempted to contact all individuals affected
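The pattern the slide describes (a single off-campus source sending millions of sequential identifiers at a lookup interface, with only a small fraction matching) is what monitoring of such an interface should catch early. As an added illustration, not code from UT Austin or from this presentation, the Python below flags a source whose lookups within a sliding time window are numerous, mostly consecutive, and mostly misses. The log format, field names, IP addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): "<date> <time> <src_ip> lookup ssn=<9 digits> result=<hit|miss>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) lookup ssn=(\d{9}) result=(hit|miss)$")

def parse(lines):
    """Parse log lines into (timestamp, src, ssn, hit) tuples, skipping malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3)), m.group(4) == "hit"))
    return events

def flag_enumeration(lines, window=timedelta(minutes=10), min_lookups=20,
                     min_sequential=0.8, max_hit_rate=0.2):
    """Return {src: summary} for sources whose lookups inside any sliding time window
    look like identifier enumeration: many lookups, consecutive SSNs, mostly misses."""
    by_src = defaultdict(list)
    for ts, src, ssn, hit in parse(lines):
        by_src[src].append((ts, ssn, hit))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()                      # oldest first so the window can slide
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1              # drop events older than the window
            win = evs[start:end + 1]
            if len(win) < min_lookups:
                continue
            seq = sum(1 for a, b in zip(win, win[1:]) if b[1] - a[1] == 1)
            seq_ratio = seq / (len(win) - 1)
            hit_rate = sum(1 for e in win if e[2]) / len(win)
            if seq_ratio >= min_sequential and hit_rate <= max_hit_rate:
                flagged[src] = {"lookups": len(win), "sequential_ratio": round(seq_ratio, 2),
                                "hit_rate": round(hit_rate, 2)}
                break                   # one alert per source is enough
    return flagged

# Constructed sample (not real data): an off-campus source walks 40 consecutive SSNs with
# 2 hits, while an on-campus source does 5 scattered lookups that all hit.
SAMPLE_LOG = [f"2003-03-02 19:20:{i:02d} 203.0.113.7 lookup ssn={100000000 + i:09d} "
              f"result={'hit' if i % 20 == 0 else 'miss'}" for i in range(40)]
SAMPLE_LOG += [f"2003-03-02 19:21:{i:02d} 192.0.2.5 lookup ssn={123450000 + 7919 * i:09d} result=hit"
               for i in range(5)]
```

Running `flag_enumeration(SAMPLE_LOG)` flags only 203.0.113.7, at the first window of 20 lookups; the legitimate scattered lookups from 192.0.2.5 never trip the sequential or miss-rate conditions.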
UT Austin SSN: Communications
• https://www.utexas.edu/datatheft/
  • UT’s public statement
  • Links to US Attorney statements
  • Link to email: over 2,000
  • Link to data form: over 6,500
• Toll-free hotline: over 3,000
• Press conference, same day story broke in the Austin American-Statesman
• U.S. mail to all for whom UT can obtain addresses
• Confusion, concern re “data theft” vs. “identity theft”
• Total costs of incident exceed $120,000
UT SSN: Issues, Aftermath
• Highlights risk of SSN as University ID
  • UT Austin Committee had been addressing this issue
• Web front-ends remove “security by obscurity”
• Downside of integrated databases
• All UT System (15 campuses) central & mission-critical applications undergoing security review
• UT System has launched a Security Advisory Committee and an SSN Task Force
What & When to Disclose?
• Should individuals be advised if their data was exposed?
• What constitutes a “security breach”?
  • Does any access to root compromise all data on the system?
  • What if all evidence points away from personal data?
• Potential for needless panic, versus
• Potential for further damage to individuals – and institution – if “data theft” becomes “identity theft”
• Public relations implications
• Ethical implications
• Legal requirements: none in Texas currently, but this may change if current California law is adopted elsewhere
California Civil Code 1798.29
• (a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
California 1798.29 (Cont’d)
• (e) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
  • (1) Social security number.
  • (2) Driver's license or California ID Card number.
  • (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
California 1798.29 (Cont’d)
• (g) For purposes of this section, "notice" may be provided by one of the following methods:
  • (1) Written notice,
  • (2) Electronic notice,
  • (3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of:
    • (A) E-mail
    • (B) Conspicuous posting of the notice on the agency's Web site page
    • (C) Notification to major statewide media
UC System Response to 1798.29
• University of California System requires its campuses to take these steps to comply with the new state law that requires notification of people after a hacker/intruder has viewed their personal data:
• Data Inventory ~ Set up a process to identify:
  • Where personal information is used and stored.
  • Who has authority to gain access to and use the data.
  • The custodian of the data.
  • An acceptable level of security protection for the data.
UC System Response (Cont’d)
• Reporting Requirements:
  • Campuses must report immediately in writing to UC Assoc VP for Info Res & Communication:
    • Anytime there has been a security breach.
    • When the incident is closed. The report should provide a description of the incident, the response process, the notification process, and the actions taken to prevent further breaches of security.
Source: Chronicle of HE, June 6, 2003
See also: Full text of UC policy
Likely Federal Legislation?
• Sen. Feinstein (D-CA) has introduced legislation, the “Notification of Risk to Personal Data Act”, modeled after the California law, with its ambiguities
• HB 2262, which amends the 1996 Fair Credit Reporting Act, passed in the House of Representatives Sept. 10 and awaits action in the Senate; it is weaker than some state laws and would reduce individual rights, says PIRG in the Daily Texan, 9/25/03
• “You have no privacy; get over it,” S. McNealy, CEO, Sun, 1999
Existing Federal Legislation
• The Privacy Act of 1974 (5 U.S.C. 552a)
• Family Educational Rights & Privacy Act (FERPA) of 1974
• Electronic Communications Privacy Act (ECPA) of 1986
• Health Insurance Portability and Accountability Act (HIPAA) of 1996
• Gramm-Leach-Bliley Act, "Privacy of Consumer Financial Information", of 1999
• USA PATRIOT Act of 2001
Resources
• Ga Tech, “New security measures protect your information,” www.ferstcenter.gatech.edu/boxoffice/security.php
• KU, “Protecting your identity,” www.ku.edu/identity/
• UT, datatheft site: www.utexas.edu/datatheft/
• Educause-Internet2 Security Task Force: www.educause.edu/security/
• Privacy Rights Clearinghouse identity theft resources: www.privacyrights.org/identity.htm
• Chronicle of Higher Education: www.chronicle.com