Presentation on theme: "Detecting, Protecting, Preventing, and Reporting Computer Breaches"— Presentation transcript:
1 Session #41: Detecting, Protecting, Preventing, and Reporting Computer Breaches
Ross Hughes | Dec
U.S. Department of Education, 2013 FSA Training Conference for Financial Aid Professionals
5 You Have a Problem
- You think that the data you store is worthless to another person, therefore protecting it is not worth the effort
- The easiest data to steal is data that you don’t know is valuable
- The bad guys will come after the data the easiest way that they can get it
- You can never second-guess the use of data by malicious parties
6 You Don’t Know What You Don’t Know
There’s No Such Thing as Worthless Data
- The bad guys gather seemingly worthless bits of data to launch social engineering attacks, or use a small piece of information to complete the attack puzzle
Compromises Happen All of the Time
- Even to companies who take security seriously
- Even to companies who do everything reasonable
- It may not be YOUR data, but it is YOUR responsibility to protect it
7 Systems Hacked
October 17, 2013 | California State University Sacramento | EDU / HACK | 1,800 records
In August, Sacramento State University was notified that a computer server had been hacked. It contained the Social Security numbers, driver's license numbers, and other personal information of staff members. The cause and extent of the breach were determined in late September and staff members were notified in mid-October.
Source: https://www.privacyrights.org/data-breach/new
8 It’s Not Just IT’s Problem
- YOU assume the risk for the loss of data
- IT protects the data to the identified risk level
- Data protection and breach prevention MUST be a joint operation for success
10 Virus Infection
March 16, 2013 | Salem State University | EDU / HACK | 25,000 records
A server was found to be infected with a virus. The University computer contained information related to paychecks distributed by the University. Current and former employees, who may have been students or staff, may have been affected.
14 Vulnerability
- A weakness of an asset or group of assets that can be exploited by one or more threats, which reduces a system's information assurance
- The intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw
- Vulnerabilities and threats together result in risks to the organization that need to be mitigated
15 Threat
- A possible danger that might exploit a vulnerability to breach security and thus cause possible harm
- A threat can be either “intentional” (e.g., an individual hacker or a criminal organization) or “accidental” (e.g., a computer malfunction)
- Threats take advantage of your vulnerabilities
16 Vulnerable Software
July 30, 2013 | University of Delaware, Newark, Delaware | EDU / HACK | 74,000 records
Students and staff members may have had their information exposed during a hacking incident. The hacker or hackers were able to exploit a vulnerability in software acquired from a vendor. Names, addresses, Social Security numbers, and university ID numbers were exposed.
UPDATE (08/19/2013): An additional 2,000 people were affected. They were not employees but had received payment from the University of Delaware.
17 Who Are the Victims
- 37% of breaches affected financial organizations
- 24% of breaches occurred in retail and restaurants
- 20% of network intrusions involved manufacturing, transportation, and utilities
- 20% of network intrusions hit information and professional services firms
- 38% of breaches impacted larger organizations
- 27 countries affected
19 Middle School Phishing
May 3, 2013 | Schoenbar Middle School, Ketchikan, Alaska | EDU / HACK | Unknown records
A ring of middle school students was able to gain access to and control of more than 300 computers by phishing for teacher administrative codes. At least 18 students were involved. The breach happened when students used software to imitate a legitimate software update on their computers. The students then asked teachers to enter administrative account information so that they could complete the software updates or installations. The phony software then stored teacher credentials. The students were then able to control 300 laptops belonging to other students by using the administrative credentials. The school believes that servers and sensitive information were not exposed.
20 How Do Breaches Occur
- 52% some form of hacking
- 76% of network intrusions exploited weak or stolen credentials
- 40% incorporated malware
- 35% involved physical attacks
- 29% leveraged social tactics
- 13% resulted from privilege misuse and abuse
Password cracking by security experts:
- Six characters: seconds
- Seven characters: minutes
- Eight characters: hours
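The seconds/minutes/hours progression on the slide comes from the size of the password keyspace, which grows by a factor of the character-set size for every character added. The following is an added example, not code from the presentation or the Department: it computes the keyspace and the worst-case exhaustive-search time for the slide's six, seven and eight-character cases and derives the length needed to hold out for a chosen period. The guess rate of one billion guesses per second is an assumed figure for illustration; the actual numbers behind the slide are not on the page.

```python
# Added example (not from the presentation): how password length and character
# set size drive the time an offline guessing attack needs. The guess rate used
# in the demo at the bottom is an assumption for illustration only.

CHARSETS = {
    "digits": 10,                 # 0-9
    "lowercase": 26,              # a-z
    "alphanumeric": 62,           # a-z, A-Z, 0-9
    "alphanumeric+symbols": 95,   # printable ASCII
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    if charset_size < 2 or length < 1:
        raise ValueError("charset_size must be >= 2 and length >= 1")
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every candidate of this length at a fixed guessing rate."""
    return keyspace(charset_size, length) / guesses_per_second


def minimum_length(charset_size: int, guesses_per_second: float, target_seconds: float) -> int:
    """Smallest length whose exhaustive search takes at least `target_seconds`."""
    length = 1
    while worst_case_seconds(charset_size, length, guesses_per_second) < target_seconds:
        length += 1
    return length


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits (seconds, minutes, hours, days, years)."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    RATE = 1e9  # assumed: one billion guesses per second (illustrative, not measured)
    size = CHARSETS["alphanumeric"]
    for length in (6, 7, 8):
        t = worst_case_seconds(size, length, RATE)
        print(f"{length} alphanumeric characters: {keyspace(size, length):,} candidates, about {human(t)}")
    one_year = 365 * 24 * 3600
    print("length needed to hold out for a year at that rate:", minimum_length(size, RATE, one_year))
```

The figures are an upper bound: real attacks start from wordlists and leaked passwords, so a long but predictable password falls far sooner than the keyspace suggests, which is why the slide's "weak or stolen credentials" figure sits next to the cracking times. Length and unpredictability, enforced by policy, are the defender's levers.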
24 Risk Management of Networks
- There is no one set of best security practices that can be applied across all educational institutions
- Any attempt to enforce a one-size-fits-all approach to securing our assets may result in under-protection from targeted attacks while over-spending on defending against simpler opportunistic attacks
- Complex systems like FSA’s must deploy DEFENSE IN DEPTH
25 FSA Risk Management of Networks
- Trending
- FIREWALLS
- ZONES
- Patching
- Scanning
- Monitoring
- Metrics
26 Colleges and Universities – Network Targets
- Current student and alumni information
- Widely distributed networks
- Admissions
- Registrar’s Office
- Student Assistance
- College Book Store
- Health Clinic
- Hackers seek diverse information
27 Hackers
April 9, 2013 | Kirkwood Community College, Cedar Rapids, Iowa | EDU / HACK | 125,000 records
Hackers accessed Kirkwood Community College's website and applicant database system on March 13. Anyone who applied to a Kirkwood campus may have had their names, Social Security numbers, dates of birth, race, and contact information exposed. People who applied to take Kirkwood college-credit classes between February 25, 2005 and March 13, 2013 were affected.
28 Students (and Parents) Data at Risk
- Facebook = share everything (security questions?)
- Very mobile = laptop, iPhone, iPad everywhere
- Very trusting = limited password usage, write passwords down
- Not organized = often do not track credit cards, “junk” mail
- High debt = attractive to foreign actors
29 Breach Incidents (by Type and #)
(breach-type column headings not recoverable from the transcript; rows given as extracted)
Number of incidents: 785146403986 (values run together)
PII records breached: 11,783,776 | 80,706,983 | 296,710 | 1,082,749 | 177,399 | 5,906 | 250,650
Total records breached: 13,632,310 | 80,925,917 | 315,737 | 2,257,796 | 211,899 | 255,219 | 29
30 Social Media Hacks
October 19, 2012 | The College of St. Scholastica, Duluth, MN | EDU / HACK | 28 records (no SSNs or financial information exposed)
Hackers were able to guess the answers to student account challenge questions. The account passwords of at least 28 students were reset and their account information was most likely accessed. The hackers may have been based in Beijing and most likely gathered the information needed to pass the challenge questions from the students' Facebook pages.
31 Privacy: “The right to be left alone”
Types of privacy:
- Communications privacy
- Physical privacy
- Locational privacy
- Information privacy
FSA is mostly concerned with “information privacy”—the right of the individual to control what information about them is released
32 Personally Identifiable Information (PII)
“PII is information that can be used to distinguish a person’s identity, e.g., name, social security number, biometric data, etc., alone, or when combined with other personal data, linked or linkable to a specific person, such as date and place of birth, mother’s maiden name, etc.”
- Some PII is always sensitive and requires a high level of protection because of the substantial harm to an individual that could occur if it were wrongfully disclosed
- The level of protection should reflect the sensitivity of the data – data that is determined by the owner to be of high value, or that represents a high risk to the individual if it were wrongfully disclosed, requires increased protection
Source: OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007
33 What Is a Privacy Breach
A privacy breach occurs when PII is lost or stolen, or is disclosed or otherwise exposed to unauthorized people for unauthorized purposes. This includes PII in any format, whether the loss is suspected or confirmed.
Examples of PII breaches:
- PII left on the printer or scanner
- PII e-mailed without encryption or other protection
- PII mailed to the wrong recipient
- PII stored on a stolen laptop or thumb drive
- PII posted to a public-facing website, etc.
34 WHAT YOU CAN and SHOULD DO: Risk Mitigation
35 Establish Good Governance
- Create policies and procedures for protecting sensitive data, and enforce penalties for noncompliance
- Identify a privacy official and make sure privacy has a “seat at the table”
- Develop a training and awareness program
- Publish rules of behavior – make users sign a “confidentiality contract”
- Have a breach response plan that includes roles, responsibilities, timeframes, call trees, alternates, etc.
- Know your inventory of HW, SW, and PII: do you know how much PII you have, where it is stored (USB drives, CD-ROMs, etc.), who touches it, and why?
- Map out your business process flows – follow the PII
36 Implement Network Security
- Do a self-assessment, such as the HEISC inventory*
- Use strong passwords and change them often
- Ensure essential controls are met
- Collect, analyze, and share incident data
- Collect, analyze, and share tactical threat intelligence
- Emphasize prevention
- Ensure patches are current
- Focus on better and faster detection
- Utilize metrics to drive security practices
- Don’t underestimate the determination of your adversary
- Evaluate the threat landscape
* Higher Education Information Security Council (HEISC)
37 Reduce Your Data Exposure
- Enforce a clean desk policy
- Conduct PII “amnesty” days (shred paper PII; eliminate PII from local and shared drives)
- Protect data at the endpoints: USB drives, paper, laptops, smartphones, printers
- Destroy your data securely; do not keep records forever
- Limit access to only those with a need to know; enforce role-based access and least privilege
- Practice breach prevention: analyze breaches from other organizations, learn from their mistakes, and adjust your policies and procedures accordingly
- Please – THINK before you post/send/tweet!
38 Tips to Safeguard PII
Minimize PII
- Collect only PII that you are authorized to collect, and at the minimum level necessary
- Limit the number of copies containing PII to the minimum needed
- Use fictional personal data for presentations or training
Safeguard the transfer of PII
- Do not e-mail PII unless it is encrypted or in a password-protected attachment
- Alert FAX recipients of incoming transmissions
- Use services that provide tracking and confirmation of delivery when mailing
Secure PII
- Store PII in an appropriate access-controlled environment
- Review documents for PII prior to posting
- Safeguard PII in any format
- Disclose PII only to those authorized
Dispose of PII Properly
- Delete/dispose of PII at the end of its retention period, or transfer it to the custody of the National Archives, as specified by its applicable records retention schedule
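Two of the controls above, the PII "amnesty" sweep of local and shared drives on slide 37 and the "review documents for PII prior to posting" tip on this slide, both come down to finding identifiers in text before it leaves your control. The following is an added example written for this transcript, not a tool from the presentation or the Department: a small pre-release scanner that flags Social Security number patterns (using the SSA's published rules that area 000, 666 and 900-999, group 00 and serial 0000 are never issued) and payment-card-like digit runs that pass the Luhn check, reporting only the last four digits so the report itself is not a new copy of the PII. The sample document it scans is constructed for the demo; the regular expressions and the `Finding` record are this example's own choices.

```python
# Added example (not from the presentation): flag SSN-like and card-like numbers
# in text before a document is posted, e-mailed or left on a shared drive.
# Findings carry masked values only, so the report does not become another PII copy.

import re
from dataclasses import dataclass
from typing import List

# Hyphenated SSN form only (ddd-dd-dddd); bare nine-digit runs are too noisy to flag blindly.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits with optional single space/hyphen separators, as on cards.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


@dataclass
class Finding:
    kind: str      # "ssn" or "card"
    line_no: int   # 1-based line in the scanned text
    masked: str    # all but the last four digits replaced with '*'


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999; group 00; serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out IDs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so a finding can be located without re-exposing the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per plausible SSN or Luhn-valid card number, in document order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                findings.append(Finding("ssn", line_no, mask(m.group(0).replace("-", ""))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding("card", line_no, mask(digits)))
    return findings


# Constructed sample document (all values are test patterns, not real people's data).
SAMPLE = """\
Financial aid appeal, fall term
Student SSN: 123-45-6789
Emergency contact SSN: 000-12-3456
Card on file: 4111 1111 1111 1111
Student ID: 1234 5678 9012 3456
Order reference: 2013-11-05
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE)
    if not results:
        print("no PII patterns found")
    for f in results:
        print(f"line {f.line_no}: {f.kind} {f.masked}")
```

On the sample, line 2 and line 4 are flagged; line 3 is skipped because area 000 is never issued, line 5 is a sixteen-digit ID that fails the Luhn check, and line 6 is a date. A scanner like this is a pre-release check, not a substitute for the "minimize PII" rule: it catches the formats it knows, so extend it with the identifiers your own records carry (student IDs, dates of birth, addresses) and treat a clean run as necessary, not sufficient, before posting or sending.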
39 Lost Laptop
March 22, 2013 | University of Mississippi Medical Center (UMMC), Jackson, MS | EDU / PORT | Unknown records
A laptop used by UMMC clinicians was discovered missing on January 22. The password-protected laptop contained information from patients who entered the hospital between 2008 and
Patient names, Social Security numbers, addresses, diagnoses, medications, treatments, dates of birth, and other personal information may have been exposed.
UPDATE (04/25/2013): The laptop may have been lost or stolen in November of 2012.
40 Teleworking Security
- Ideal situation: separate home office with door; dedicated files/cabinets; GFE laptop, VPN/Citrix
- Not-so-ideal scenarios: home computer; kiosk; Firepass; local hard drive/USB
- Non-government computers or portable storage devices (e.g., a USB flash/thumb drive) should have ED-equivalent security controls (e.g., antivirus/anti-malware, full disk encryption, session lock, strong passwords)
- If possible, do NOT copy data from the VPN to your hard drive or to a removable storage device. If you must copy data, make sure the data is encrypted
- Keep your computer in a secure location; do not leave it unattended/unsecured
- If you are teleworking from a public location, make sure no one else can see what is on your computer screen (consider a privacy screen)
- Encrypt PII/sensitive data when e-mailing such data (e.g., WinZip encryption)
41 What Can I Personally Do
- Only collect and use information that is absolutely necessary, and only share it with those who absolutely need the information
- “Review and reduce”—inventory your PII and PII data flows, and look for ways to reduce PII
- Follow all Departmental policies and procedures
- Think before you hit the “send” button (e-mail is by far the #1 source of breaches)
- “Scramble, don’t gamble”—encrypt, encrypt, encrypt
- Minimize (or eliminate) the use of portable storage devices
- Protect PII on paper—enforce a clean desk policy, use secure shredding bins, locked cabinets, etc.
42 Summary
- Never forget the network and data you connect to
- YOUR actions are critical for everyone’s continued security
- Follow all security policies and procedures
- If you THINK something is wrong, call the help desk or Security. DON’T HESITATE
- Breach investigations are costly, and not just in $$$$$
43 Contact
Ross C. Hughes, CHS, CISA, CISM, CISSP, ECSA, IAM
FSA Cyber Security Manager
Office: (202) | Cell: (202) | Fax: (202)