3Five Data Breach Statistics Worth Knowing Six months after the Target data breach, the statistics are astonishing.Since the Target breach, there has been a major data breach discovered almost every month. Those breaches include Michaels Stores, Sally Beauty Supply, Neiman Marcus, AOL, eBay, and P.F. Chang’s Chinese Bistro.A recent Ponemon Institute survey estimates 47 percent of all American adults have been affected by data breaches in the last year, with an estimated 432 online accounts being affected.There were more than 600 reported data breaches in 2013, a 30 % increase over 2012.The retail industry was the number one target, with nearly 22 percent of network intrusions occurring at retailers, according to the Verizon Data Breach Investigation Report.Cybercrime has cost the global economy $575 billion and the U.S. economy $100 billion annually, making the U.S. the hardest hit of any country, according to a report from Intel Security and the Center for Strategic and International Studies.June 19, 2014 Ansley Kilgore
7Why Do They Do It Hacker Pricing for Stolen Credentials (Dell SecureWorks’ Counter Threat Unit )“Kitz” –verified health insurance, SSN, bank account info /logins (account &routing numbers, account type), driver’s license, full name, address, phone, etc.and counterfeit physical documents and hardware related to the identity datain the package (e.g. credit cards, driver’s license, insurance cards, etc.)—-ranging between $1200 – $1300 per Kitz. Add $100 – $500 for rush orders and other miscellaneous fees like wire transfer, escrow, etc.“Fullz” – If these records also include health insurance credentials for a US victim, then they were negotiated for about $500 each, based on what was included: full names, addresses, phone numbers, addresses (with passwords), dates of birth, SSN or EIN, one or more of: bank account information (account & routing numbers, account type), online banking credentials (varying degrees of completeness), or credit card information (including full track2 data and any associated PINs)Health Insurance Credentials – Health insurance credentials are $20 each. They include names (more than one for spouse & family coverage), date(s) of birth, contract number, group number, type of plan (Individual/Group, HMO/PPO, deductible and copay information), and insurer contact information for customer service and filing claims). Note: when there is a dental, vision, or chiropractic plan associated with the health plan, each of those was an additional $20.
8Why Do They Do It Fees for Additional Stolen Credentials US credit card with CVV Code– $1 – $2Non-US credit card with CVV– $2 – $10Credit card with full track 2 and PIN– $5 – $50Prestige credit cards (include Platinum, Diamond, Black) with verified available balance– $20 – $400*Online bank account, < $10K— $250 – $1000*Compromised computer– $1 – $100PayPal, verified balance– $20 – $200*Game accounts (Steam, Minecraft, WoW, PSN, XBOX Live/Microsoft)– $5 – $1000** Skype account (premium)– $1 – $10* Some hackers’ prices are based on 4% – 12% of verified current balance ** Rare items are often “parted out’ or fenced separately
9Why Do They Do ItBank Accounts with Attached Accounts –credentials for bank accounts, which also included the credentials for the account associated with the bank account were more valuable; as the scammer can stop the victim from receiving alerts sent by the bank, allows a hacker to change account information and confirm back to the bank that the changes are correct.Bank Accounts with ACH Bill Pay or Wire Transfer Features – additional features matter in the value of an account. For example, the ability to wire transfer or ACH bill-pay brings a higher value; whereas, two-factor authorization, like SMS sent to the account owners’ phone to confirm wire transfers, etc. hurts the value of a stolen account.Compromised computer - bulk with only proxy- access is cheap; specific selection criteria (speed, bandwidth, location) and full interactive admin/root access is premium.Game Accounts – The biggest jump in value among stolen credentials was in game accounts. There is more realized value in virtual items and currency. Steam and PSN and XBOX live linked to other accounts, multiple game titles and characters, payment information, and other services — $10/hour) or $1000+ for rare/unique top-level items.
14Your Networks At Risk Current Student and Alumni Information Widely distributed networksAdmissionsRegistrar’s OfficeStudent AssistanceCollege Book StoreHealth ClinicWebsitesHackers seek diverse information and diverse paths
15Students (and Parents) Data at Risk Facebook = share everything (Security questions?)Very mobile = laptop, iPhone, iPad everywhereVery trusting = limited password usage, write passwords downNot organized = often do not track credit cards, “junk” mailHigh debt = attractive to foreign actors
16WHAT YOU CAN and SHOULD DO Risk MitigationWHAT YOU CAN and SHOULD DO
17Establish Good Governance Create policies and procedures for protecting sensitive data and enforce penalties for noncomplianceDevelop a training and awareness programPublish rules of behavior – Make users sign a “confidentiality contract”Have a breach response plan that includes roles, responsibilities, timeframes, call trees, alternates, etc.Do you know how much PII you have, where it is stored (USB drives, CD-ROMS, etc.), who touches it, and whyMap out your business process flows - follow the PII
18Reduce Your Data Exposure Enforce a clean desk policyConduct PII “amnesty” days (shred paper PII/eliminate PII from local and shared drives)Protect data at the endpointsUSB drives, paper, laptops, smartphones, printersDestroy your data securelyDo not keep records foreverLimit access to only those with a need to knowPractice breach preventionAnalyze breaches from other organizationsLearn from their mistakesAdjust your policies and procedures accordinglyPlease - THINK before you post/send/tweet!
19Tips to Safeguard PII Minimize PII Safeguard the transfer of PII Collect only PII that you are authorized to collect, and at the minimum level necessaryDo not PII unless it is encrypted or in a password protected attachmentLimit number of copies containing PII to the minimum neededAlert FAX recipients of incoming transmissionUse services that provide tracking and confirmation of delivery when mailingSecure PIIStore PII in an appropriate access- controlled environmentDispose of PII ProperlyUse fictional personal data for presentations or trainingDelete/dispose of PII at the end of its retention period or transfer it to the custody of an archives, as specified by its applicable records retention scheduleReview documents for PII prior to postingSafeguard PII in any formatDisclose PII only to those authorized
21Teleworking SecurityNon-government computers or portable storage devices (eg, a USB flash/thumb drive), should have ED-equivalent security controls (eg, antivirus/malware, full disk encryption, session lock, strong passwords)If possible, do NOT copy data from the VPN to your hard drive, or to a removable storage device - If you must copy data, make sure the data is encryptedKeep your computer in a secure location; do not leave it unattended/unsecuredIf you are teleworking from a public location, make sure no-one else can see what is on your computer screen (consider a privacy screen)Encrypt PII/sensitive data when ing such data (e.g., WinZip encryption)
22So, Once Again, All Together Only collect and use information that is absolutely necessary, and only share with those who absolutely need the information“Review and reduce”—inventory your PII and PII data flows, and look for ways to reduce PIIFollow all Departmental policies and proceduresThink before you hit the “send” button( is by far the #1 source of breaches)“Scramble, don’t gamble”- encrypt, encrypt, encryptMinimize (or eliminate) the use of portable storage devicesProtect PII on paper—enforce a clean desk policy, use secure shredding bins, locked cabinets, etc.
25Who You Gonna CallCall your supervisor, the Help Desk, and Security and tell them exactly what is happeningDon’t delete any files or turn off your system unless Security tells you toSecurity will notify any other organization that should be involvedIf you need advice or help, call your Federal Student Aid ISSO or the FSA Security Operations Center
26What You Should Know https://www.privacyrights.org/
27SummaryBe vigilant. Organizations often only find out about security breaches when they get a call from the police or a customer.Make your people your first line of defense. Teach staff about the importance of security, how to spot the signs of an attack, and what to do when they see something suspicious.Keep data on a ‘need to know basis’. Limit access to the systems staff need to do their jobs. And make sure that you have processes in place to revoke access when people change role or leave.Encrypt sensitive data. Then if data is lost or stolen, it’s much harder for a criminal to use.Use two-factor authentication. This won’t reduce the risk of passwords being stolen, but it can limit the damage that can be done with lost or stolen credentials.Don’t forget physical security. Not all data thefts happen online. Criminals will tamper with computers or payment terminals or steal boxes of printouts.
28ContactRoss C. Hughes, CHS, CISA, CISM, CISSP, ECSA, IAM FSA Cyber Security Manager Office: Cell: Fax: FSA Security Operations Center