1 / 44

Detecting, Protecting, Preventing, and Reporting Computer Breaches

Session # 41. Detecting, Protecting, Preventing, and Reporting Computer Breaches. Ross Hughes | Dec. 2013 U.S. Department of Education 2013 FSA Training Conference for Financial Aid Professionals. http://www.safeinternetbanking.be/en. Agenda. Introduction – There is a problem

hester
Download Presentation

Detecting, Protecting, Preventing, and Reporting Computer Breaches

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Session # 41 Detecting, Protecting, Preventing, and Reporting Computer Breaches Ross Hughes | Dec. 2013 U.S. Department of Education 2013 FSA Training Conference for Financial Aid Professionals

  2. http://www.safeinternetbanking.be/en

  3. Agenda • Introduction – There is a problem • Risk Identification – The risk to Networks/Data • Risk Management – Source of the risk to Networks/Data • Risk Mitigation – Preventing data loss

  4. Introduction

  5. You Have a Problem • You think that the data you store is worthless to another person therefore protecting it is not worth the effort • The easiest data to steal is data that you don’t know is valuable • The bad guys will come after the data the easiest way that they can get it • You can never second guess the use of data by malicious parties

  6. You Don’t Know What You Don’t Know There’s No Such Thing as Worthless Data • The bad guys gather seemingly worthless bits of data to launch social engineering attacks or use a small piece of information to complete the attack puzzle Compromises Happen All of the Time • Even to companies who take security seriously • Even to companies who do everything reasonable Itmay not be YOUR data but it is YOUR responsibility to protect it

  7. Systems Hacked https://www.privacyrights.org/data-breach/new

  8. It’s Not Just IT’s Problem • YOU assume the risk for the loss of data • IT protects the data to the identified risk level • Data protection, breach prevention MUST be a joint operation for success

  9. Breach Scenario

  10. Virus Infection

  11. There is a Cost for a Compromise

  12. Risk Identification

  13. Risk

  14. Vulnerability • A weakness of an asset or group of assets that can be exploited by one or more threats which reduces a system's information assurance • The intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw • Vulnerabilities and threats together result in risks to the organization that need to be mitigated

  15. Threat • A possible danger that might exploit a vulnerability to breach security and thus cause possible harm • A threat can be either “intentional” (e.g., an individual hacker or a criminal organization) or “accidental" (e.g., a computer malfunction) • Threats take advantage of your vulnerabilities

  16. Vulnerable Software

  17. Who are the Victims • 37% of breaches affected financial organizations • 24% of breaches occurred in retail and restaurants • 20% of network intrusions involved manufacturing, transportation, and utilities • 20% of network intrusions hit information and professional services firms • 38% of breaches impacted larger organizations • 27 countries affected

  18. Who Perpetrated the Breaches

  19. Middle School Phishing

  20. How Do Breaches Occur • 52% some form of hacking • 76% network intrusions exploited weak or stolen credentials • 40% incorporated malware • 35% involved physical attacks • 29% leveraged social tactics • 13% resulted from privilege misuse and abuse • Password cracking by security experts: • Six characters: 12 seconds • Seven characters: 5 minutes • Eight characters: 4 hours

  21. New Threats

  22. Risk Management

  23. What is at Risk?

  24. Risk Management of Networks • There is no one set of best security practices that can be applied across all educational institutions • Any attempt to enforce a one size fits all approach to security our assets may result in under-protection from targeted attacks while over-spending on defending against simpler opportunistic attacks • Complex systems like FSA’s must deploy DEFENSE IN DEPTH

  25. FSA Risk Management of Networks Trending FIREWALLS ZONES Patching Scanning Monitoring Metrics

  26. College and Universities – Network Targets • Current Student and Alumni Information • Widely distributed networks • Admissions • Registrar’s Office • Student Assistance • College Book Store • Health Clinic • Hackers seek diverse information

  27. Hackers

  28. Students (and Parents) Data at Risk • Facebook = share everything (Security questions?) • Very mobile = laptop, iPhone, iPad everywhere • Very trusting = limited password usage, write passwords down • Not organized = often do not track credit cards, “junk” mail • High debt = attractive to foreign actors

  29. Breach Incidents (by Type and #) 29

  30. Social Media Hacks:

  31. Privacy: “The right to be left alone” • Types of privacy • Communications privacy • Physical privacy • Locational privacy • Information privacy • FSA is mostly concerned with “information privacy”—the right of the individual to control what information about them is released

  32. Personally Identifiable Information (PII) “PII is information that can be used to distinguish a person’s identity, e.g., name, social security number, biometric data, etc., alone, or when combined with other personal data, linked or linkable to a specific person, such as date and place of birth, mother’s maiden name, etc.” • Some PII is always sensitive and requires a high level of protection because of the substantial harm to an individual that could occur if it were wrongfully disclosed • The level of protection should reflect the sensitivity of the data – data that is determined by the owner to be of high value or that represents a high risk to the individual if it were wrongfully disclosed requires increased protection OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007

  33. What Is A Privacy Breach A privacy breach occurs when PII is lost or stolen, or is disclosed or otherwise exposed to unauthorized people for unauthorized purposes. • Includes PII in any format, and whether or not it is a suspected or confirmed loss • Examples of PII breaches: • PII left on the printer or scanner • PII e-mailed without encryption or other protection • PII mailed to the wrong recipient • PII stored on a stolen laptop or thumb drive • PII posted to a public-facing website, etc.

  34. Risk Mitigation WHAT YOU CAN and SHOULD DO

  35. Establish Good Governance • Create policies and procedures for protecting sensitive data and enforce penalties for noncompliance • Identify a privacy official and make sure privacy has a “seat at the table” • Develop a training and awareness program • Publish rules of behavior – Make users sign a “confidentiality contract” • Have a breach response plan that includes roles, responsibilities, timeframes, call trees, alternates, etc. • Know your inventory of HW, SW, and PII • Do you know how much PII you have, where it is stored (USB drives, CD-ROMS, etc.), who touches it, and why • Map out your business process flows - follow the PII

  36. Implement Network Security • Do a self assessment, such as the HEISC inventory * • Use strong passwords and change them often • Ensure essential controls are met • Collect, analyze, and share incident data • Collect, analyze, and share tactical threat intelligence • Emphasize prevention • Ensure patches are current • Focus on better and faster detection • Utilize metrics to drive security practices • Don’t underestimate the determination of your adversary • Evaluate the threat landscape * Higher Education information Security Council (HEISC) http://www.educause.edu

  37. Reduce Your Data Exposure • Enforce a clean desk policy • Conduct PII “amnesty” days (shred paper PII/eliminate PII from local and shared drives) • Protect data at the endpoints • USB drives, paper, laptops, smartphones, printers • Destroy your data securely • Do not keep records forever • Limit access to only those with a need to know • Enforce role-based access, least privilege • Practice breach prevention • Analyze breaches from other organizations • Learn from their mistakes • Adjust your policies and procedures accordingly • Please - THINK before you post/send/tweet!

  38. Tips to Safeguard PII • Minimize PII • Collect only PII that you are authorized to collect, and at the minimum level necessary • Limit number of copies containing PII to the minimum needed • Secure PII • Store PII in an appropriate access-controlled environment • Use fictional personal data for presentations or training • Review documents for PII prior to posting • Safeguard PII in any format • Disclose PII only to those authorized • Safeguard the transfer of PII • Do not e-mail PII unless it is encrypted or in a password protected attachment • Alert FAX recipients of incoming transmission • Use services that provide tracking and confirmation of delivery when mailing • Dispose of PII Properly • Delete/dispose of PII at the end of its retention period or transfer it to the custody of the National Archives, as specified by its applicable records retention schedule

  39. Lost Laptop

  40. Teleworking Security • Ideal Situation: Separate home office with door; Dedicated files/cabinets;GFE laptop, VPN/Citrix • Not-So-Ideal Scenarios: Home Computer; Kiosk; Firepass; Local Hard Drive/USB • Non-government computers or portable storage devices (eg, a USB flash/thumb drive), should have ED-equivalent security controls (eg, antivirus/malware, full disk encryption, session lock, strong passwords) • If possible, do NOT copy data from the VPN to your hard drive, or to a removable storage device - If you must copy data, make sure the data is encrypted • Keep your computer in a secure location; do not leave it unattended/unsecured • If you are teleworking from a public location, make sure no-one else can see what is on your computer screen (consider a privacy screen) • Encrypt PII/sensitive data when emailing such data (e.g., WinZip encryption)

  41. What Can I Personally Do • Only collect and use information that is absolutely necessary, and only share with those who absolutely need the information • “Review and reduce”—inventory your PII and PII data flows, and look for ways to reduce PII • Follow all Departmental policies and procedures • Think before you hit the “send” button (E-mail is by far the #1 source of breaches) • “Scramble, don’t gamble”—encrypt, encrypt, encrypt • Minimize (or eliminate) the use of portable storage devices • Protect PII on paper—enforce a clean desk policy, use secure shredding bins, locked cabinets, etc.

  42. Summary • Never forget the network and data you connect to • YOUR actions are critical for everyone’s continued security • Follow all security policies and procedures • If you THINK something is wrong, call the help desk or Security, DON’T HESITATE Breach Investigations are costly and not just in $$$$$

  43. Contact Ross C. Hughes, CHS, CISA, CISM, CISSP, ECSA, IAM FSA Cyber Security Manager Office: (202) 377-3893    Cell: (202) 480-6586 Fax: (202) 275-0907

  44. Questions?

More Related