Slide 1: Breach vs. Incident – a Guided Discussion
Sharon Blanton, PhD, Chief Information Officer
Craig Schiller, CISSP-ISSMP, ISSAP, Chief Information Security Officer
Portland State University
Information Systems Security Association, Portland, Oregon, September 2010
Slide 2: Agenda
- Definitions: Incident vs. Breach
- Scenarios
- Discussion
- Next Steps
Slide 3: Suspected Incident
- Is it an incident? Incidents require mitigation. Incidents may or may not require notification.
- Is it a breach? Breaches require mitigation. Breaches require notification.
- All breaches are incidents, but not all incidents are breaches.
Slide 4: What is a Breach?
A (reportable) breach is the unauthorized acquisition, access, use, or disclosure of PII in a manner not permitted by law or regulation and which compromises the security and privacy of the PII. (Paraphrased from a PHI breach definition by Pepper Hamilton, LLP.)
We are using the term "breach" to describe all incidents that legally require notification to damaged parties.
Slide 5: Relevant Law or Regulation
- FERPA: protection of student data
- FACTA Red Flag Rules: finance
- Payment Card Industry Data Security Standard: credit cards
- Gramm-Leach-Bliley (GLB) Act: financial consumers
- USA Patriot Act: data preservation and wiretapping requests
- Student and Exchange Visitor Information System (SEVIS): international students
- Higher Education Opportunity Act: record keeping, business processes, and reporting
- Health Insurance Portability and Accountability Act (HIPAA): health records
- HITECH Act: Private Health Information, breach notification and enforcement
- Digital Millennium Copyright Act (DMCA): protection of digital media
- Electronic discovery (E-discovery): also Rule 37 of the Federal Rules of Civil Procedure
- Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act): campus crime
- State law, e.g. the Oregon Identity Theft Protection Act: Personally Identifiable Information breach notification
- State law regarding disclosure of Faculty/Staff records
- PCI Standards: credit card and bank account information; VISA PA-DSS Best Practices and Validated Applications list
- Others? Information covered by NDAs, information protected by export law
Slide 6: Breach or Incident?
Two methods for determining if a breach occurred:
- By definition
- By risk of harm analysis
How do you prove a negative?
Slide 7: What if there is no known Harm?
"A compromise of the security and privacy of personal private information must pose a significant risk of financial, reputational, or other harm to the individual. Use a risk assessment to determine if harm exists." (Pepper Hamilton LLP webinar)
- Not all disclosures will be breaches; it must cross the harm threshold.
- Overcoming access controls does not constitute a breach by itself. It must lead to a use and disclosure of PPI that is not permitted by law or regulation, and it must also cross the "harm threshold."
Slide 8: Risk of Harm Questions
- Were the recipients obligated (by policy or regulation) to protect the privacy and security of the information?
- Can the impact of the disclosure be mitigated?
  - Pre-existing NDAs or other measures which assure no further disclosure
  - Was it returned before improper use could occur?
- Did the forensics investigation find any evidence of improper use, discovery, or distribution?
- What was disclosed, and how much?
Slide 9: No Breach?
A breach has not occurred if:
- PII is not stored in the cloud
- PII is "secured" (encrypted*)
- There is little risk of harm
(Pepper Hamilton, LLP)
* Some states also exempt encoded data.
Slide 10: Activity: Putting it into practice
Questions:
- Is this a breach or an incident?
- What process did you use to make your decision?
- Who needs to be notified? How?
- What mitigation may be necessary?
Slide 11: Scenarios
Suspected incidents:
- A former student reports to you that, using Google, he has found his SSN on one of your systems.
- A professor reports to you that his laptop was stolen, and on it he maintained a list of student names and Student-ID numbers.
- A professor discovers that he can see other employees' home directories.
- A staff person discovers advising files of current and former students available to view by all authenticated users on a web-accessible storage service.
- A website hosted in the cloud is defaced.
Slide 12: SSN found via Google
One of your former students reports to you that, using Google, he has found his SSN on one of your systems.
- The data, when stored (2004), was not considered sensitive.
- Some data was not PII but was still sensitive.
- The data was stored on a Listserv which Google crawled.
- In , some instances were removed from the Listserv, but not from Google's cache of the web page!
Slide 13: SSN Breach Response
Discovery:
- Searched for other, similar PII data
- Determined where other instances may have been cached (Internet Time Machine, Google, etc.)
Short-term mitigation:
- Known PII data was taken down
- Google's cache was flushed
- Listserv was reconfigured to change all lists to private
Notification:
- Met with General Counsel and HR
- Determined this was a breach (by definition and by risk of harm analysis)
- Briefed executive level
- Drafted a letter to send to the potential victims
- For sensitive data not covered by law or regulation, the business owner was given the option to notify or not (subject to executive override)
Long-term mitigation:
- Reviewed lists and deleted all lists that had not had activity in 2 years (a time-bomb of unnecessary liability)
- Changed our process to make private the default Listserv setting
Awareness:
- Discussed posting practices with the Listserv owner
- Documented and responded to users' questions arising from the notification
Slide 14: Student ID
One of your professors reports to you that his laptop was stolen, and on it he maintained a list of student names and Student-ID numbers.
Is it a breach by definition? According to the Dec 2008 FERPA revision, it depends.
Slide 15: Student ID
"We modified the rule to allow student ID numbers to be disclosed as directory information if they qualify as electronic identifiers."
"The regulations will allow an educational agency or institution to disclose as directory information a student's ID number, user ID or other electronic identifier so long as the identifier functions like a name; that is, it cannot be used without a PIN, password, or some other authentication factor to gain access to education records. This change will impose no costs and will provide benefits in the form of regulatory relief allowing agencies and institutions to use directory services in electronic communications systems without incurring the administrative costs associated with obtaining student consent for these disclosures."
Slide 16: Student ID
"Directory Information" is data that can be made public without *student* permission. Each college must decide, within certain limits, what it considers Directory Information, and must publish the list. Typically this includes things like name, phone number, address, graduation year, and major. According to FERPA Regulations, Directory Information is "information contained in an education record of a *student* that would not generally be considered harmful or an invasion of privacy if disclosed". (Steven Worona)
In order to treat the student ID as directory information, each college must officially declare it to be so and publish the new list of directory information.
Slide 17: Exception
However, parents and eligible students can opt out of directory information disclosures; those that do will not be able to participate in student services that are delivered in this manner.
This means you may have a student-ID-related breach for a few students even after declaring student identification to be directory information.
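The two methods from slides 6 to 9 (by definition, then by risk of harm) and the directory-information twist from slides 14 to 17 can be written down as one triage routine. This is an added example, not the deck's own procedure: the field names, the order of the checks, the rule that an unknown answer can never lower the risk, and the yes/no encoding of the deck's scenarios are this example's assumptions; the encrypted-tape case is constructed to show the "secured" safe harbor.

```python
"""Breach-or-incident triage along the two methods the deck describes:
(1) by definition, then (2) by risk-of-harm analysis.  Added example, not the
deck's own procedure: the field names, the order of the checks and the rule
that an unknown answer can never lower the risk are this example's assumptions.
The scenario encodings are this example's reading of the slides."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Exposure:
    involves_pii: bool                  # SSNs, birthdates, non-directory education records ...
    unauthorized: bool                  # access/use/disclosure not permitted by law, regulation or policy
    confirmed: bool                     # acquisition/disclosure is known to have happened
    secured: bool = False               # encrypted (some states also accept encoded): a safe harbor
    recipients_bound: bool = False      # recipients obligated by policy/regulation to protect the data
    returned_before_use: bool = False   # the data came back before it could be misused
    improper_use_found: Optional[bool] = None  # forensics result; None = inconclusive
    accessed: Optional[bool] = None     # read during the exposure? None = no audit trail


@dataclass
class Decision:
    breach: bool
    basis: str                          # "definition" or "risk of harm"
    reasons: List[str] = field(default_factory=list)

    @property
    def notify(self) -> bool:
        """Every incident is mitigated; only a breach also requires notification."""
        return self.breach


def triage(x: Exposure) -> Decision:
    # Method 1, by definition: these answers settle the question on their own.
    if not x.involves_pii:
        return Decision(False, "definition", ["no PII involved"])
    if not x.unauthorized:
        return Decision(False, "definition", ["access/use was permitted"])
    if x.secured:
        return Decision(False, "definition", ["data was secured (encrypted)"])
    if x.confirmed or x.improper_use_found:
        return Decision(True, "definition",
                        ["unauthorized acquisition/disclosure of PII occurred"])

    # Method 2, risk of harm, for a potential disclosure.  Each question can lower
    # the risk; an unknown answer cannot, because a negative cannot be proven.
    mitigations = []
    if x.returned_before_use:
        mitigations.append("returned before improper use could occur")
    if x.recipients_bound:
        mitigations.append("recipients were bound to protect the data")
    if x.accessed is False:
        mitigations.append("access records show the data was not read")
    if x.improper_use_found is False:
        mitigations.append("forensics found no evidence of improper use")
    if mitigations:
        return Decision(False, "risk of harm", mitigations)
    return Decision(True, "risk of harm",
                    ["cannot show the data was unread or protected; harm must be assumed"])


# The deck's scenarios plus one constructed case (the encrypted tape) for the safe harbor.
SCENARIOS: Dict[str, Exposure] = {
    "SSN indexed by Google":
        Exposure(involves_pii=True, unauthorized=True, confirmed=True),
    "stolen laptop, student IDs NOT directory information":
        Exposure(involves_pii=True, unauthorized=True, confirmed=True),
    "stolen laptop, student IDs declared directory information":
        Exposure(involves_pii=False, unauthorized=True, confirmed=True),
    "advising files readable by all authenticated users, viewing unknown":
        Exposure(involves_pii=True, unauthorized=True, confirmed=False),
    "ACL inheritance error, access dates show files unread":
        Exposure(involves_pii=True, unauthorized=True, confirmed=False, accessed=False),
    "lost backup tape, contents encrypted (constructed)":
        Exposure(involves_pii=True, unauthorized=True, confirmed=True, secured=True),
}


def triage_all() -> Dict[str, Decision]:
    return {name: triage(x) for name, x in SCENARIOS.items()}


if __name__ == "__main__":
    for name, d in triage_all().items():
        label = "BREACH (notify)" if d.breach else "incident (mitigate only)"
        print(f"{name}: {label} by {d.basis}: {'; '.join(d.reasons)}")
```

The opt-out exception from slide 17 falls out naturally: run the stolen-laptop case once per student group, and the students who opted out of directory disclosures form a separate Exposure with involves_pii=True, which the definition check classifies as a breach even though the rest of the list does not.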
Slide 18: Student ID Breach Response
Discovery:
- Interviewed the Professor; determined there was only one instance of the lost data
Short-term mitigation:
- None
Notification:
- Met with General Counsel, Admissions, Records, and Registration (ARR) and HR
- Determined this was a breach (by definition)
- Briefed executive level
- Drafted a letter to send to the potential victims, by the Professor's department
Long-term mitigation:
- Pursue including student ID as directory information
Awareness:
- Gave presentations about student ID as directory information
- Began discussions with General Counsel and ARR
Slide 19: Small Private College with Law School
An Information Technology staff person discovered advising files of 14 current and former students available to view by all authenticated users (only) on our web-accessible storage service (Xythos). The files contained high school transcripts and College application materials for our first-year advising program. These files contained personally identifying information (SSN and birthdate).
Upon finding this information available, the IT staff person immediately made a "copy" of the environment for forensics purposes and then removed the permissions from the files to protect that sensitive information. It was determined that the files were accessible to all authenticated users (and not the general public) for one week. We were not able to determine if the files had been viewed by anyone during that time period.
Slide 20: Small Private College with Law School
General Counsel advised that we notify the affected 14 individuals per the Oregon notification legislation. The notification happened on September 2 through e-mail and certified postal mail, and offered a year of credit monitoring (which no one took us up on).
Post incident: We immediately suspended the first-year advising application utilizing the web storage service until the sensitive information could be redacted from the scanned images. Going forward, all personally identifying information will be redacted upon scanning.
Slide 21: College with Law School Response
Discovery:
- IT staff member discovered sensitive files for 14 students were viewable by any authenticated user
Short-term mitigation:
- Copy of the environment made for forensics
- Removed permissions from the sensitive files
- Analyzed exposure (1 week); unable to determine if anyone viewed the files
- Suspended the application from using the web storage service until the sensitive information could be redacted from the scanned images
Notification:
- Can't determine risk of harm
- Met with General Counsel; determined this was a breach
- Notified users via e-mail and postal mail; offered 1 year of credit monitoring
Long-term mitigation:
- Implement a process to redact PII upon scanning
Awareness:
- Additional training may be indicated
Slide 22: Missing Access Control
A University professor discovers that he can see other employees' home directories.
Slide 23: Access Controls
Your staff discovers that six days ago the ACLs on your staff directories/folders were unintentionally modified for a vendor. Inheritance was turned off, which changed all lower-level effective permissions. Directories normally protected by restrictive ACLs were modified to permit read-only access by anyone with an active account. Some of the folders definitely contain PII. Audit trail object access was not enabled.
Slide 24: Access Controls
- Ran Spider (from Cornell University) to identify PII at risk. One month to scan 10 volumes on the file server.
- Identified all files accessed during the exposure period. This significantly reduced the number of files at risk, as 70.8% of all files were not accessed during the exposure period.
Is this a breach or an incident? Regardless, we need to mitigate the situation.
Slide 25: Access Control Incident Response
Discovery:
- Reported by University staff
- Root cause was analyzed
- Used Spider to scan affected volumes for PII
Short-term mitigation:
- Inheritance and permissions were fixed
- Access dates for all files on affected volumes were analyzed to determine the scope of risk
- All affected PII was identified
Notification:
- Met with General Counsel and the CIO; contacted the Oregon Division of Finance and Corporate Securities
- Determined this was not a breach (by risk of harm analysis)
- Sent e-mail to users with PII
Long-term mitigation:
- Legacy PII discovery effort
- Provide secure enterprise storage for future PII
- Establish enterprise PKI for encryption infrastructure
- Publish procedures requiring the use of encryption
Awareness:
- Presentations to HR admins, executive admins, and staff
- Presentations to technical admins about plans and timetables
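Slides 23 to 25 scope the exposure in two passes: first narrow the candidate set to files whose last-access time falls inside the exposure window, then search only those for PII. The script below is an added example that does the same thing on a constructed directory tree; it is not the deck's code and not Cornell's Spider, and the sample files, their timestamps, the six-day window and the SSN-shaped strings are all constructed.

```python
"""Scoping an accidental-ACL exposure the way the deck describes: find which
files were actually read during the exposure window, then look for PII only in
those.  Added example, not the deck's code and not Cornell's Spider; the sample
directory tree, its timestamps and the SSN-shaped strings are constructed."""
import os
import re
import tempfile
from datetime import datetime, timedelta

# SSN-shaped strings with the structural exclusions (area 000/666/9xx, group 00,
# serial 0000).  A 3-3-4 phone number does not match.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def find_pii(path):
    """Return the distinct SSN-shaped strings in a text file."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return sorted(set(SSN_RE.findall(fh.read())))


def snapshot_atimes(root):
    """Record every file's last-access time BEFORE anything reads it: the scan
    itself would otherwise update atime and destroy the evidence."""
    atimes = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            atimes[p] = os.stat(p).st_atime
    return atimes


def scope_exposure(root, start, end):
    """Split files by whether the last access fell inside [start, end]; scan
    only the accessed set for PII.  Caveat: atime keeps just the most recent
    access, so a file read during the window and again afterwards drops out;
    an object-access audit trail (not enabled in the deck's case) avoids that."""
    atimes = snapshot_atimes(root)
    s, e = start.timestamp(), end.timestamp()
    accessed = [p for p, a in atimes.items() if s <= a <= e]
    pii_at_risk = {}
    for p in accessed:
        hits = find_pii(p)
        if hits:
            pii_at_risk[os.path.relpath(p, root).replace(os.sep, "/")] = hits
    total = len(atimes)
    return {
        "total": total,
        "accessed": len(accessed),
        "pct_not_accessed": round(100.0 * (total - len(accessed)) / total, 1),
        "pii_at_risk": pii_at_risk,
    }


def build_sample_tree(root, start):
    """Constructed sample data: content and last-access offset (days) from the
    exposure start.  Negative = before the exposure, > 6 = after the fix."""
    files = {
        "hr/salary.txt":    ("employee 123-45-6789 salary band 4\n", 2),   # read during exposure
        "hr/roster.txt":    ("employee 456-78-9012 start date\n", -30),    # last read a month earlier
        "hr/vendor.txt":    ("contact 321-54-9876\n", 9),                   # read only after the fix
        "shared/notes.txt": ("call 503-725-4000 about the vendor\n", 3),   # accessed, no PII
        "shared/old.txt":   ("meeting minutes\n", -10),
    }
    for rel, (content, days) in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w", encoding="utf-8") as fh:
            fh.write(content)
        t = (start + timedelta(days=days)).timestamp()
        os.utime(p, (t, t))  # set atime (and mtime) explicitly


def run_demo():
    start = datetime(2010, 9, 1)             # constructed exposure start
    end = start + timedelta(days=6)          # the deck's six-day exposure
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, start)
        return scope_exposure(root, start, end)


if __name__ == "__main__":
    print(run_demo())
```

Two things a practitioner should check before trusting the access-time pass on a real volume: that the file system actually records access times (a noatime or relatime mount, or disabled last-access updates on Windows, leaves them stale), and that nothing, including backup jobs and the PII scanner itself, has touched the files since the exposure. The snapshot-before-read ordering in the script is there for the second reason.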
Slide 26: Website in the Cloud Defaced
A website of yours that is hosted in a cloud is defaced. Parts of this website can access sensitive data that is also stored in the Cloud.
Slide 27: Website in the Cloud Defaced
In January 2010, shortly after President Obama finished his State of the Union address, the web pages of 49 Congressional members were defaced. All of the web pages were managed by GovTrends. GovTrends ironically had the phrase "You get what you pay for" on their website. In August 2009, 18 Congressional member websites, also managed by GovTrends, were defaced.
Slide 28: Website in the Cloud Defaced
Following the August attack, Representative B sent a letter to the CAO (Chief Administrative Officer) of the House, asking for actual details of the attack and a plan for notification of these incidents in the future. Rep. B's office contacted GovTrends and requested copies of the appropriate logs. GovTrends redirected him to HRIS. HRIS claimed they do not investigate or prosecute since there is no way to track down the criminals responsible for this act.
Slide 29: Website in the Cloud Defaced
At a Cloud Law Summit, Microsoft's head of legal, Dervish Tayyip, said the company would not provide financial guarantees against data-protection issues on cloud contracts: "We're not an insurance company. What is important is that customers understand the [cloud] offerings are standardised — they are what they are. If the offering does not meet customer needs, maybe the cloud is not a realistic offering."
Source: "Cloud providers shrug off liability for security", by Tom Espiner, ZDNet UK, 12 February.
Slide 30: Cloud Incident Response
Discovery:
- Prevented by vendor refusal to cooperate
Short-term mitigation:
- Undetermined; experts claim the vendor's explanation makes no sense
Notification:
- Can't determine risk of harm
Long-term mitigation:
- Nothing in the press about it
Awareness:
- Articles on the web
Slide 31: Breach Response for Clouds
Unlike in-house repositories of information, you cannot assume that you have the right and the authorization to investigate breaches in Clouds. You must ensure that your contract with the Cloud vendor permits you this capability.
If regulation requires that you protect your data from the Cloud provider, then you must encrypt it and ensure that the contract does not contain a provision which would permit the vendor to investigate your content.
If the data that you store in the cloud includes FERPA-protected data, then the cloud provider must agree to act as a FERPA agent for the university and to protect it as such. Your contract should bind the cloud vendor to meet any regulatory and legal requirements that you are required to meet.
Be aware that Law Enforcement may approach your Cloud vendor and demand access to your data even if you have legal reservations about the legality of their request. Surrendering your data to a third party weakens your position that the data is valuable unless you have taken measures to affirm its value despite the transfer. These measures might include encrypting the data or contractually binding the cloud vendor to protect the data in accordance with its value or sensitivity.
Your contract should explicitly grant your security staff and administrators the rights that you require regarding monitoring and investigations.
For any Cloud user interface, the user should be informed that they should have no expectation of privacy except that required by explicit law or regulation. They should have the user agree that use of the Cloud constitutes consent to monitoring. This would need to be spelled out contractually with your Cloud vendor.
Slide 32: Breach Prevention for Clouds
You can avoid a breach in the cloud by requiring all data in the cloud to be encrypted:
- You encrypt the data before storing it
- You contract the Cloud provider to encrypt your data
  - Full Cloud encryption
  - Individually accountable encryption with a corporate escrow
- Must gather assurances that the Cloud hosts have sufficient security (SAAP): SAS-70
- Must gather assurances that the Cloud application has sufficient security (SAAI): Systrust or SAS-70
- Must gather assurances that the Cloud-based web application has sufficient security (SAAS): Webtrust, SAS-70, vulnerability assessments or penetration testing
Slide 33: Sample Incident Response Plan
1. Review the exposed material and determine the scope and nature of the incident.
   - Number of unique disclosures or opportunities for disclosure
   - To the best of our ability, determine if there is any evidence that the exposed information was accessed.
2. Take actions to limit or eliminate the exposure.
3. Arrange a meeting with General Counsel, the CIO, and the list owner. Describe the incident, the disclosures, and the data found during the review.
4. Determine whether the disclosure (or potential disclosure) meets the criteria in FERPA, GLBA, FISMA, HIPAA, the PCI standards, or state law or regulation such as the Oregon ID Theft Protection Act.
   - If yes, and there is no clear evidence of disclosure, determine the potential risk of harm.
5. Draft and send a response to the individual who identified the disclosure.
6. Draft a response to the individuals whose personally identifying information was exposed.
7. Determine the cause of the exposure.
8. Determine the permanent solution and implement it.
Slide 34: Next Steps?
Slide 35: Design solutions for PII challenges
- Whole-disk encryption (PGP Disk)
- Enterprise-supported file encryption (a PKI solution)
- Secure file server (TrueCrypt)
- Personal file encryption (WinZip)
- Require network storage
- Segregate workstations that work with PII
  - No use of home computers; convert the home computer to a secure dumb workstation
  - Provide secure laptops for remote use
  - No dual-use workstations for sensitive data
- Search all servers, databases, and workstations for PII
- Create a strategy to let users search for PII on existing home systems
- Data Loss Prevention systems (discovery, prevention of loss, protection of the data, monitoring of PII use)
Slide 36: Remaining Issues
- How do different states' breach notification laws apply?
- What is the threshold for victim notification? AG notification?
- Is a breach insurance policy a good strategy?
- Should Educause/CIOs pursue agreements for credit monitoring, post-breach forensics, or other services?
- Should encryption be required?
Slide 37: Questions
Sharon Blanton, PhD, Chief Information Officer
Craig Schiller, CISSP-ISSMP, ISSAP, Chief Information Security Officer
Portland State University