Ross Hughes | Dec. 2013
U.S. Department of Education, 2013 FSA Training Conference for Financial Aid Professionals
Detecting, Protecting, Preventing, and Reporting Computer Breaches
Session # 41
Agenda [slide 3]
  Introduction – There is a problem
  Risk Identification – The risk to networks/data
  Risk Management – Source of the risk to networks/data
  Risk Mitigation – Preventing data loss
You Have a Problem [slide 5]
  You think that the data you store is worthless to another person, therefore protecting it is not worth the effort
  The easiest data to steal is data that you don't know is valuable
  The bad guys will come after the data the easiest way that they can get it
  You can never second guess the use of data by malicious parties
You Don't Know What You Don't Know [slide 6]
  There's No Such Thing as Worthless Data: the bad guys gather seemingly worthless bits of data to launch social engineering attacks, or use a small piece of information to complete the attack puzzle
  Compromises Happen All of the Time: even to companies who take security seriously, even to companies who do everything reasonable
  It may not be YOUR data, but it is YOUR responsibility to protect it
Systems Hacked [slide 7]
  October 17, 2013 – California State University Sacramento (sector: EDU; breach type: HACK; records: 1,800)
  In August, Sacramento State University was notified that a computer server had been hacked. It contained the Social Security numbers, driver's license numbers, and other personal information of staff members. The cause and extent of the breach were determined in late September and staff members were notified in mid-October.
  Source: https://www.privacyrights.org/data-breach/new
It's Not Just IT's Problem [slide 8]
  YOU assume the risk for the loss of data
  IT protects the data to the identified risk level
  Data protection and breach prevention MUST be a joint operation for success
Breach Scenario [slide 9]
Virus Infection [slide 10]
  March 16, 2013 – Salem State University (sector: EDU; breach type: HACK; records: 25,000)
  A server was found to be infected with a virus. The University computer contained information related to paychecks distributed by the University. Current and former employees who may have been students or staff may have been affected.
There is a Cost for a Compromise [slide 11]
Risk Identification [slide 12]
Vulnerability [slide 14]
  A weakness of an asset or group of assets that can be exploited by one or more threats, which reduces a system's information assurance
  The intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw
  Vulnerabilities and threats together result in risks to the organization that need to be mitigated
Threat [slide 15]
  A possible danger that might exploit a vulnerability to breach security and thus cause possible harm
  A threat can be either intentional (e.g., an individual hacker or a criminal organization) or accidental (e.g., a computer malfunction)
  Threats take advantage of your vulnerabilities
Vulnerable Software [slide 16]
  July 30, 2013 – University of Delaware, Newark, Delaware (sector: EDU; breach type: HACK; records: 74,000)
  Students and staff members may have had their information exposed during a hacking incident. The hacker or hackers were able to exploit a vulnerability in software acquired by a vendor. Names, addresses, Social Security numbers, and university ID numbers were exposed.
  UPDATE (08/19/2013): An additional 2,000 people were affected. They were not employees but had received payment from the University of Delaware.
Who are the Victims [slide 17]
  37% of breaches affected financial organizations
  24% of breaches occurred in retail and restaurants
  20% of network intrusions involved manufacturing, transportation, and utilities
  20% of network intrusions hit information and professional services firms
  38% of breaches impacted larger organizations
  27 countries affected
Who Perpetrated the Breaches [slide 18]
Middle School Phishing [slide 19]
  May 3, 2013 – Schoenbar Middle School, Ketchikan, Alaska (sector: EDU; breach type: HACK; records: Unknown)
  A ring of middle school students were able to gain access to and control of more than 300 computers by phishing for teacher administrative codes. At least 18 students were involved. The breach happened when students used software to imitate a legitimate software update on their computers. The students then asked teachers to enter administrative account information so that they could complete the software updates or installations. The phony software then stored teacher credentials. The students were then able to control 300 laptops belonging to other students by using the administrative credentials. The school believes that servers and sensitive information were not exposed.
How Do Breaches Occur [slide 20]
  52% some form of hacking
  76% of network intrusions exploited weak or stolen credentials
  40% incorporated malware
  35% involved physical attacks
  29% leveraged social tactics
  13% resulted from privilege misuse and abuse
  Password cracking by security experts: six characters: 12 seconds; seven characters: 5 minutes; eight characters: 4 hours
New Threats [slide 21]
Risk Management [slide 22]
What is at Risk? [slide 23]
Risk Management of Networks [slide 24]
  There is no one set of best security practices that can be applied across all educational institutions
  Any attempt to enforce a one-size-fits-all approach to securing our assets may result in under-protection from targeted attacks while over-spending on defending against simpler opportunistic attacks
  Complex systems like FSA's must deploy DEFENSE IN DEPTH
FSA Risk Management of Networks [slide 25]
College and Universities – Network Targets [slide 26]
  Current student and alumni information
  Widely distributed networks: Admissions, Registrar's Office, Student Assistance, College Book Store, Health Clinic
  Hackers seek diverse information
Hackers [slide 27]
  April 9, 2013 – Kirkwood Community College, Cedar Rapids, Iowa (sector: EDU; breach type: HACK; records: 125,000)
  Hackers accessed Kirkwood Community College's website and applicant database system on March 13. Anyone who applied to a Kirkwood Campus may have had their names, Social Security numbers, dates of birth, race, and contact information exposed. People who applied to take Kirkwood college-credit classes between February 25, 2005 and March 13, 2013 were affected.
Students (and Parents) Data at Risk [slide 28]
  Facebook = share everything (security questions?)
  Very mobile = laptop, iPhone, iPad everywhere
  Very trusting = limited password usage, write passwords down
  Not organized = often do not track credit cards, junk mail
  High debt = attractive to foreign actors
Breach Incidents (by Type and #) [slide 29]
  # incidents: (column labels and values not recovered from the slide)
  PII records breached: 11,783,776 | 80,706,983 | 296,710 | 1,082,749 | 177,399 | 5,906 | 250,650
  Total records breached: 13,632,310 | 80,925,917 | 315,737 | 2,257,796 | 211,899 | 5,906 | 255,219
Social Media Hacks [slide 30]
  October 19, 2012 – The College of St. Scholastica, Duluth, MN (sector: EDU; breach type: HACK; records: 28; no SSNs or financial information exposed)
  Hackers were able to guess the answers to student account challenge questions. The account passwords of at least 28 students were reset and their account information was most likely accessed. The hackers may have been based in Beijing and most likely gathered the information needed to pass the challenge questions from information on the students' Facebook pages.
Privacy: The right to be left alone [slide 31]
  Types of privacy: communications privacy, physical privacy, locational privacy, information privacy
  FSA is mostly concerned with information privacy: the right of the individual to control what information about them is released
Personally Identifiable Information (PII) [slide 32]
  PII is information that can be used to distinguish a person's identity, e.g., name, social security number, biometric data, etc., alone, or when combined with other personal data, linked or linkable to a specific person, such as date and place of birth, mother's maiden name, etc.
  Some PII is always sensitive and requires a high level of protection because of the substantial harm to an individual that could occur if it were wrongfully disclosed
  The level of protection should reflect the sensitivity of the data – data that is determined by the owner to be of high value, or that represents a high risk to the individual if it were wrongfully disclosed, requires increased protection
  Source: OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007
What Is A Privacy Breach [slide 33]
  A privacy breach occurs when PII is lost or stolen, or is disclosed or otherwise exposed to unauthorized people for unauthorized purposes. This includes PII in any format, and whether the loss is suspected or confirmed.
  Examples of PII breaches: PII left on the printer or scanner; PII emailed without encryption or other protection; PII mailed to the wrong recipient; PII stored on a stolen laptop or thumb drive; PII posted to a public-facing website, etc.
Risk Mitigation [slide 34]
  WHAT YOU CAN and SHOULD DO
Establish Good Governance [slide 35]
  Create policies and procedures for protecting sensitive data and enforce penalties for noncompliance
  Identify a privacy official and make sure privacy has a seat at the table
  Develop a training and awareness program
  Publish rules of behavior – make users sign a confidentiality contract
  Have a breach response plan that includes roles, responsibilities, timeframes, call trees, alternates, etc.
  Know your inventory of HW, SW, and PII: do you know how much PII you have, where it is stored (USB drives, CD-ROMs, etc.), who touches it, and why?
  Map out your business process flows – follow the PII
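The PII inventory the slide asks for ("how much PII you have, where it is stored, who touches it") usually starts with a scan of shared drives and outgoing documents for the most sensitive identifier in this deck, the Social Security number. The script below is an added example, not code from the presentation or from FSA; it runs over a constructed set of in-memory "documents" (every SSN in them is made up) and reports only masked values, so the inventory itself does not become another copy of the PII. The structural check (SSA never issues area 000, 666 or 900-999, group 00, or serial 0000) is real and cuts the obvious false positives such as ticket numbers that happen to use the ddd-dd-dddd shape.

```python
import re
from dataclasses import dataclass

# Constructed sample documents standing in for files found on a shared drive
# during a PII inventory. Every SSN below is a made-up value.
SAMPLE_DOCS = {
    "hr/payroll_2013.txt": (
        "Employee: Jane Doe\n"
        "SSN: 123-45-6789\n"
        "Direct deposit set up 2013-09-01\n"
    ),
    "registrar/applicants.csv": (
        "name,ssn,dob\n"
        "A. Smith,234-56-7890,1991-03-03\n"
        "B. Lee,000-12-3456,1990-01-01\n"    # area 000 is never issued
        "C. Diaz,666-01-0001,1989-07-07\n"   # area 666 is never issued
    ),
    "web/press_release.txt": (
        "Campus enrollment rose 5% in 2013. Ticket 987-65-4321 closed.\n"
    ),
}

# SSN layout is area-group-serial. The SSA never issues area 000, 666 or
# 900-999, group 00, or serial 0000; anything else in ddd-dd-dddd form is a hit.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    masked: str  # only the last four digits are kept in the report


def mask_ssn(ssn: str) -> str:
    return "***-**-" + ssn[-4:]


def scan_text(path: str, text: str) -> list:
    """Return one Finding per plausible SSN in the document, never the full value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding(path, line_no, mask_ssn(m.group(0))))
    return findings


def inventory(docs: dict) -> dict:
    """Map each document path to its findings; documents with no hits are omitted."""
    report = {}
    for path, text in docs.items():
        hits = scan_text(path, text)
        if hits:
            report[path] = hits
    return report


def summarize(report: dict) -> dict:
    """Per-path hit counts, the figure a privacy official would track over time."""
    return {path: len(hits) for path, hits in report.items()}


if __name__ == "__main__":
    for path, hits in inventory(SAMPLE_DOCS).items():
        for f in hits:
            print(f"{f.path}:{f.line_no}: SSN {f.masked}")
```

Run against a real share, `SAMPLE_DOCS` would be replaced by a walk over the file system; the point of the masked `Finding` records is that the report can be circulated to data owners (slide 35's "who touches it, and why") without itself being a PII breach under slide 33's definition.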
Implement Network Security [slide 36]
  Do a self-assessment, such as the HEISC inventory *
  Use strong passwords and change them often
  Ensure essential controls are met
  Collect, analyze, and share incident data
  Collect, analyze, and share tactical threat intelligence
  Emphasize prevention
  Ensure patches are current
  Focus on better and faster detection
  Utilize metrics to drive security practices
  Don't underestimate the determination of your adversary
  Evaluate the threat landscape
  * Higher Education Information Security Council (HEISC)
Reduce Your Data Exposure [slide 37]
  Enforce a clean desk policy
  Conduct PII amnesty days (shred paper PII, eliminate PII from local and shared drives)
  Protect data at the endpoints: USB drives, paper, laptops, smartphones, printers
  Destroy your data securely; do not keep records forever
  Limit access to only those with a need to know; enforce role-based access and least privilege
  Practice breach prevention: analyze breaches from other organizations, learn from their mistakes, adjust your policies and procedures accordingly
  Please THINK before you post/send/tweet!
Tips to Safeguard PII [slide 38]
  Minimize PII: collect only PII that you are authorized to collect, and at the minimum level necessary; limit the number of copies containing PII to the minimum needed
  Secure PII: store PII in an appropriate access-controlled environment; use fictional personal data for presentations or training; review documents for PII prior to posting; safeguard PII in any format; disclose PII only to those authorized
  Safeguard the transfer of PII: do not email PII unless it is encrypted or in a password-protected attachment; alert FAX recipients of an incoming transmission; use services that provide tracking and confirmation of delivery when mailing
  Dispose of PII properly: delete/dispose of PII at the end of its retention period, or transfer it to the custody of the National Archives, as specified by its applicable records retention schedule
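"Do not keep records forever" (slide 37) and "dispose of PII at the end of its retention period" (slide 38) only happen if someone periodically compares the PII inventory against the retention schedule. The sweep below is an added example, not FSA's tool or a NARA-issued schedule: the series names, retention periods and the four inventory entries are constructed, and a real schedule would come from the institution's records officer. Records that cannot be matched to any series are deliberately routed to "review" rather than silently retained, since an unscheduled file full of PII is exactly the copy slide 38 says to minimize.

```python
from datetime import date, timedelta

# Constructed retention schedule: record series -> days retained after the record's
# close date. Illustrative values only; a real schedule is issued by the records
# officer (or NARA for a federal agency), not invented by the scanning script.
RETENTION_DAYS = {
    "admissions_application": 5 * 365,
    "payroll": 7 * 365,
    "training_roster": 1 * 365,
}

# Constructed inventory produced by "following the PII": where each file lives,
# which record series it belongs to, and when the record was closed.
INVENTORY = [
    {"path": "registrar/applicants_2005.csv", "series": "admissions_application",
     "closed": date(2005, 6, 30), "pii": True},
    {"path": "hr/payroll_2012.xlsx", "series": "payroll",
     "closed": date(2012, 12, 31), "pii": True},
    {"path": "training/roster_fall2012.csv", "series": "training_roster",
     "closed": date(2012, 10, 1), "pii": True},
    {"path": "shared/old_export.csv", "series": None,   # nobody has classified this file
     "closed": date(2009, 1, 15), "pii": True},
]


def expiry_date(record: dict):
    """Date the retention period ends, or None when the record has no schedule."""
    days = RETENTION_DAYS.get(record["series"])
    if days is None:
        return None
    return record["closed"] + timedelta(days=days)


def disposition(record: dict, today: date) -> str:
    """'dispose' once the retention period has run, 'retain' before that, and
    'review' when the record matches no series (no schedule means no decision)."""
    expiry = expiry_date(record)
    if expiry is None:
        return "review"
    return "dispose" if today >= expiry else "retain"


def overdue_days(record: dict, today: date) -> int:
    """Days a record has been kept past its retention period (0 if not yet due)."""
    expiry = expiry_date(record)
    if expiry is None:
        return 0
    return max(0, (today - expiry).days)


def sweep(inventory: list, today: date) -> dict:
    """Group inventory paths by disposition for the given reference date."""
    groups = {"dispose": [], "retain": [], "review": []}
    for record in inventory:
        groups[disposition(record, today)].append(record["path"])
    return groups


if __name__ == "__main__":
    ref = date(2013, 12, 1)
    for action, paths in sweep(INVENTORY, ref).items():
        print(f"{action}: {paths}")
```

The `overdue_days` figure is the metric slide 36 asks for ("utilize metrics to drive security practices"): a file that has sat 61 days past its schedule is a process failure worth tracking, not just a line on a to-do list.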
Lost Laptop [slide 39]
  March 22, 2013 – University of Mississippi Medical Center (UMMC), Jackson, MS (sector: EDU; breach type: PORT, portable device; records: Unknown)
  A laptop used by UMMC clinicians was discovered missing on January 22. The password-protected laptop contained information from patients who entered the hospital between 2008 and Patient names, Social Security numbers, addresses, diagnoses, medications, treatments, dates of birth, and other personal information may have been exposed.
  UPDATE (04/25/2013): The laptop may have been lost or stolen in November of 2012.
Teleworking Security [slide 40]
  Ideal situation: separate home office with a door; dedicated files/cabinets; GFE laptop, VPN/Citrix
  Not-so-ideal scenarios: home computer; kiosk; Firepass; local hard drive/USB
  Non-government computers or portable storage devices (e.g., a USB flash/thumb drive) should have ED-equivalent security controls (e.g., antivirus/anti-malware, full disk encryption, session lock, strong passwords)
  If possible, do NOT copy data from the VPN to your hard drive or to a removable storage device; if you must copy data, make sure the data is encrypted
  Keep your computer in a secure location; do not leave it unattended/unsecured
  If you are teleworking from a public location, make sure no one else can see what is on your computer screen (consider a privacy screen)
  Encrypt PII/sensitive data when emailing such data (e.g., WinZip encryption)
What Can I Personally Do [slide 41]
  Only collect and use information that is absolutely necessary, and only share it with those who absolutely need the information
  Review and reduce: inventory your PII and PII data flows, and look for ways to reduce PII
  Follow all Departmental policies and procedures
  Think before you hit the send button (email is by far the #1 source of breaches)
  Scramble, don't gamble: encrypt, encrypt, encrypt
  Minimize (or eliminate) the use of portable storage devices
  Protect PII on paper: enforce a clean desk policy, use secure shredding bins, locked cabinets, etc.
Summary [slide 42]
  Never forget the network and data you connect to
  YOUR actions are critical for everyone's continued security
  Follow all security policies and procedures
  If you THINK something is wrong, call the help desk or Security; DON'T HESITATE
  Breach investigations are costly, and not just in $$$$$
Contact [slide 43]
  Ross C. Hughes, CHS, CISA, CISM, CISSP, ECSA, IAM
  FSA Cyber Security Manager
  Office: (202) Cell: (202) Fax: (202)