Digital Privacy: Laws, Rights, and Protections. Deborah A. Robinson, CISSP, Chief Information Security Officer, Georgia Perimeter College. 5/7/2015
How many records were reported compromised in 2009? 285 million. 662 data breaches were reported in 2010, up from 250 reported in 2009.
How long does it take to break your password? About 6 days to break a reasonably strong 10-character password made of 5 lowercase letters, 2 uppercase letters and 3 digits; less than 2 minutes to break an 8-character password of uppercase, lowercase and digits; common passwords such as "test", "password" or "123" are cracked instantly (per SANS statistics). These figures assume an attacker who holds the password hashes and guesses offline, and they depend on the hash algorithm and on the attacker's hardware, so treat them as orders of magnitude rather than fixed numbers.
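The slide's cracking times follow from the size of the search space and the attacker's guess rate. The estimator below is an added example, not part of the original presentation or of the SANS figures it cites. It shows two things the slide does not: that an attacker who knows the password's class composition (a "mask" attack, as in the 5-lowercase/2-uppercase/3-digit case) searches a far smaller space than a naive brute force over all 62 alphanumerics, and that a dictionary word is found after a handful of guesses regardless of length. The wordlist, the 33-symbol class size and the 4e10 guesses-per-second rate are assumptions chosen for illustration.

```python
import math
from collections import Counter

# Character classes and the alphabet size of each (assumption: 33 printable ASCII symbols).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Constructed stand-in for a cracking wordlist; a real one has millions of entries.
COMMON_PASSWORDS = ["123456", "password", "test", "123", "qwerty", "letmein"]

# Assumed guess rate for an offline attack on a fast hash; real rates vary by hash and hardware.
ASSUMED_GUESSES_PER_SECOND = 4e10


def classify(password: str) -> Counter:
    """Count how many characters of each class the password contains."""
    counts = Counter()
    for ch in password:
        if ch.islower():
            counts["lower"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["symbol"] += 1
    return counts


def full_keyspace(length: int, alphabet_size: int) -> int:
    """Candidates for a naive brute force that tries every string of this length."""
    return alphabet_size ** length


def composition_keyspace(counts: Counter) -> int:
    """Candidates when the attacker knows the exact class composition (mask attack):
    the number of ways to arrange the classes times the choices within each class."""
    length = sum(counts.values())
    arrangements = math.factorial(length)
    for n in counts.values():
        arrangements //= math.factorial(n)
    choices = 1
    for cls, n in counts.items():
        choices *= CLASS_SIZES[cls] ** n
    return arrangements * choices


def estimate_guesses(password: str) -> int:
    """Worst-case guesses for an attacker who tries the wordlist first and then a mask
    matching the password's composition."""
    if password in COMMON_PASSWORDS:
        return COMMON_PASSWORDS.index(password) + 1
    return len(COMMON_PASSWORDS) + composition_keyspace(classify(password))


def days_to_exhaust(guesses: int, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Wall-clock days to try every candidate at the given guess rate."""
    return guesses / rate / 86400


if __name__ == "__main__":
    for pw in ["password", "abcdeXY123", "Abc12345"]:
        g = estimate_guesses(pw)
        print(f"{pw!r}: {g:.3g} guesses, {days_to_exhaust(g):.3g} days to exhaust")
    print(f"naive 62^10 search: {full_keyspace(10, 62):.3g} guesses")
```

At the assumed rate the 10-character mixed password lands at roughly 5.9 days, close to the slide's figure, while the naive 62^10 search would take about 40 times longer; the gap is the composition information an attacker gains from leaked policies or past breaches.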
Which country hosts the most phishing attacks? The United States. In the first half of 2010, the United States hosted 70-80% of all such sites; second and third place were Hong Kong and China.
The average security breach in 2010 cost the enterprise $7.2 million; the average cost per record was $214.
Do you know where your mobile devices are? 10 to 15 percent of all handheld computers, smartphones, and cell phones are eventually lost by their owners. Laptop losses (theft and other) last year were just under 20 per 1,000.
Cyber Crime. Identity theft is the fastest growing crime, according to the Federal Trade Commission. Experts estimate that about 10 million people become victims each year; that works out to 19 new victims of identity fraud every minute. Identity theft has replaced drug trafficking as the number one crime. The major player is now organized crime, responsible for 70% of it and for billions in ill-gotten gains.
In the News: A security firm discovered a botnet responsible for stealing sensitive data from more than 2,500 companies, government agencies, and educational institutions over the past 18 months. The company found a 75GB cache of data that included 68,000 logon credentials and access to systems, online banking sites, Facebook, Yahoo, Hotmail, and others. The company described it as "a vast cache of dossier-level data sets on individuals including complete dumps of entire identities from victim machines." Once a machine is infected, the bot captures everything the victim types (including passwords), plus files, cookies and usernames, and gives the attacker full remote control. From that infected endpoint the attacker then works their way onto the primary network.
Digital Privacy
Digital Privacy - Issues. Risks: identity theft and fraud; profiling and commercial targeting; personal attacks.
Digital Privacy - Issues. Threats: malware (see next slide); social networking (many issues); phishing; impersonation; cookies and web bugs; cloud computing (HealthVault, Flickr, Gmail); data mining; web browsing history; digital trails and retained data.
Digital Privacy - Issues. Malware (malicious software): viruses, trojans, worms; rootkits, botnets; keyloggers and scrapers; spyware, adware, spam. “Malware has, in fact, become professionalized. Malware is now coded by professional software developers, often working for organized crime. Malware authors now employ encryption to make detection more difficult, and, in the spirit of the best defense being a good offense, aggressively target and remove security software and even rival malware. This evolution in the nature of malware behavior is forcing security experts to change their approach to security, moving from a threat recognition model to a behavior analysis model.”
Digital Privacy - Issues. Did you know? You can buy on the underground Internet: identity data, $1-$15; credit card numbers, $0.10-$20; malware kits, $25 and up.
Digital Privacy - Protections. Laws and regulations: Electronic Communications Privacy Act; Computer Fraud and Abuse Act; Identity Theft Enforcement and Restitution Act; Children's Online Privacy Protection Act; FERPA; HIPAA/HITECH and the Health Breach Notification Rule; PCI DSS; GLBA; Red Flags Rule; privacy and identity theft notification laws; USA PATRIOT Act.
Digital Privacy - Protections. Electronic Communications Privacy Act: derived from the Fourth Amendment protection against unreasonable search and seizure; regulates when and how law enforcement can intercept and use electronic communications; protects electronic and telephone communications from non-government eavesdroppers; amended by the USA PATRIOT Act; administered by the Department of Justice.
Digital Privacy - Protections. Computer Fraud and Abuse Act: prohibits unauthorized use of computers (hacking, deploying malware, data theft, etc.); prohibits trafficking in passwords or other unauthorized means of access; amended by the USA PATRIOT Act; administered by the Department of Justice.
Digital Privacy - Protections. Identity Theft Enforcement and Restitution Act: strengthens federal prosecution of identity theft crimes; makes certain acts felonies that were previously misdemeanors; allows for restitution to victims of identity theft.
Digital Privacy - Protections. Children's Online Privacy Protection Act: applies to online collection of information from children under 13; operators must post an easily accessible privacy policy; operators must obtain parental consent before gathering information from the child; administered by the FTC.
Digital Privacy - Protections. FERPA, the Family Educational Rights and Privacy Act: specifies rights to view educational data; protects against unauthorized disclosure of educational data; requires reasonable and appropriate protection of educational data; administered by the Department of Education.
Digital Privacy - Protections. HIPAA/HITECH and the Health Breach Notification Rule. HIPAA, the Health Insurance Portability and Accountability Act: applies to health conditions, treatments, and payment; requires covered enterprises to implement reasonable and appropriate security to protect your information; failure to comply carries fines and criminal penalties; consumers must be notified of security breaches and unauthorized exposure of protected information. HIPAA and HITECH are administered by HHS; the Health Breach Notification Rule is administered by the FTC.
Digital Privacy - Protections. HIPAA/HITECH non-compliance: Rite Aid, fined $1 million, 7/2010, improper disposal of data; General Hospital Corp. and Massachusetts General Physicians Organization Inc., fined $1 million, 2/2011, documents left on the subway; CVS, fined $2.25 million, 2/2009, improper disposal of data.
Digital Privacy - Protections. PCI DSS, the Payment Card Industry Data Security Standard: an industry standard imposed by the credit card companies through merchant and processor contracts, not a law; specifies detailed security measures for merchants handling credit and debit card information; requires levels of compliance verification that scale with transaction volume; stiff fines are levied by the payment card companies; a merchant's ability to accept cards can be revoked; administered by the individual credit card companies and acquiring banks.
Digital Privacy - Protections. PCI: TJX data breach, 2/2007. Loss of 45 million credit and debit card records; $40.9 million settlement with Visa; cause: unsecured wireless.
Digital Privacy - Protections. PCI: CardSystems Solutions, a MasterCard processor, 6/2005. Loss of up to 40 million credit card records; cause: lack of reasonable and appropriate security.
Digital Privacy - Protections. PCI: Heartland Payment Systems, 1/2009. Loss of tens of millions of credit card records; $60 million settlement with Visa; cause: keylogger.
Digital Privacy - Protections. Red Flags Rule: part of the Fair and Accurate Credit Transactions (FACT) Act; requires financial institutions and creditors to implement an Identity Theft Prevention Program designed to detect warning signs, or "red flags", of identity theft in day-to-day operations. Examples: alerts from credit agencies or customers of possible identity theft, suspicious customer documents, suspicious personal identifying information, unusual activity on the account. Administered by the Federal Trade Commission.
Digital Privacy - Protections. Privacy and identity theft notification laws: state laws that specify protections and/or notifications for unauthorized disclosure of personally identifiable information (PII). Currently 47 states have one; the first was California's and the strongest is Massachusetts'. Georgia's law specifies timely notification to any individuals whose unencrypted personally identifiable information was, or is reasonably believed to have been, acquired by an unauthorized person.
Digital Privacy - Protections. USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act): reduced restrictions on law enforcement agencies' ability to search telephone, communications, medical, financial, and other records; expanded access to a variety of business records; significantly expanded wiretapping, surveillance, and physical search capabilities, with "intelligence" warrants not requiring probable cause or a specific location; weakened privacy rights.
Digital Privacy - Protections. What organizations do to protect your data: identify risks to sensitive data; implement an information security program to ensure adequate protection of sensitive data (policies and procedures, incident response plans, security awareness, encryption of sensitive data, technical security measures); comply with industry standard security practices; comply with applicable laws and regulations.
Digital Privacy - Protections. What you can do: protect your PII (personally identifiable information), meaning your name combined with an SSN, driver's license number, any financial account number, address or phone number. Never give it out unless necessary. Don't put it on social media; you can't take it back. Be sure who you're giving it to. Apply the sniff test: if a request for it seems off, treat it that way.
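The PII categories named above (SSN, account and card numbers) are also what an organization's "identify risks to sensitive data" step has to find in tickets, logs and exports before they leak or go to a third party. The scanner below is an added example, not code from the presentation or from Georgia Perimeter College: it locates SSN-shaped and card-shaped values in text, uses the Luhn checksum to discard random digit runs that merely look like card numbers, and redacts what it finds. The log lines are constructed for the example (the card number is the well-known 4111... test number), and the SSN area/group exclusions encode the ranges the Social Security Administration never issues.

```python
import re

# SSN: areas 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Payment card: 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample log lines; no real identities are present.
SAMPLE_LINES = [
    "2015-05-07 10:02:11 support ticket: customer 123-45-6789 asked to update card 4111 1111 1111 1111",
    "2015-05-07 10:05:40 order 1234 5678 9012 3456 failed validation; callback 555-123-4567",
    "2015-05-07 10:07:02 applicant entered 000-12-3456 (rejected by form)",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list:
    """Return (kind, matched_text) pairs in order of appearance."""
    found = [("ssn", m.group(0), m.start()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):     # a Luhn failure means it is not a card number
            found.append(("card", m.group(0), m.start()))
    found.sort(key=lambda f: f[2])
    return [(kind, value) for kind, value, _ in found]


def redact(text: str) -> str:
    """Replace detected PII with a tag; a card keeps only its last four digits."""
    for kind, value in find_pii(text):
        if kind == "card":
            tag = "[CARD ****%s]" % re.sub(r"[ -]", "", value)[-4:]
        else:
            tag = "[SSN REDACTED]"
        text = text.replace(value, tag)
    return text


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(find_pii(line), "->", redact(line))
```

The second sample line shows why the checksum matters: "1234 5678 9012 3456" has the right shape but fails Luhn, so it is not reported, and the 10-digit phone number never matches either pattern. The third line's "000-12-3456" is rejected by the area-number check. A real deployment would add the other PII the slide lists (driver's license and account numbers), whose formats vary by state and bank.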
Digital Privacy - Protections. What you can do: practice good security. Opt out; use strong privacy settings; read policies and agreements; patch and apply upgrades; use current AV and firewalls; use strong passwords; search and surf anonymously; don't click on anything unsolicited; think, and be smart!
Digital Privacy - Protections. What you can do: anonymizers. Most use proxy servers and multiple relays: the Tor network; I2P; ShadowSurf; Startpage (a private search engine); anonymous remailers.
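The "multiple relays" behind Tor and I2P work by layered encryption: the client wraps its message once per relay, and each relay can strip only its own layer, learning the previous and next hop but neither the originator-to-destination pair nor the content. The simulation below is an added example, not code from the presentation or from the Tor or I2P projects, and it deliberately substitutes a toy SHA-256 counter-mode keystream for the real ciphers, key negotiation and TLS links those systems use; it is for understanding the layering, not for use. The relay names, keys and message are constructed here.

```python
import hashlib
import os

# Per-relay symmetric keys (constructed; Tor negotiates them during circuit setup).
RELAY_KEYS = {name: os.urandom(32) for name in ("guard", "middle", "exit")}
CIRCUIT = ["guard", "middle", "exit"]
NONCE_LEN = 8


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy SHA-256 counter-mode keystream; a stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def build_onion(path, keys, destination: str, message: bytes):
    """Wrap the message once per relay, innermost (exit) layer first, so each relay
    can remove only its own layer and read only the next hop."""
    blob = message
    next_hop = destination
    for relay in reversed(path):
        blob = toy_encrypt(keys[relay], next_hop.encode() + b"\x00" + blob)
        next_hop = relay
    return next_hop, blob          # next_hop is now the first relay


def relay_peel(relay: str, key: bytes, blob: bytes):
    """What one relay does: strip its layer, learn the next hop, forward the rest."""
    plain = toy_decrypt(key, blob)
    next_hop, _, inner = plain.partition(b"\x00")
    return next_hop.decode(), inner


def run_circuit(path, keys, destination: str, message: bytes):
    """Simulate the whole path. Returns the final destination, what it receives,
    and for each relay the pair (relay, next_hop, forwarded_bytes) it saw."""
    hop, blob = build_onion(path, keys, destination, message)
    seen = []
    while hop in keys:
        next_hop, blob = relay_peel(hop, keys[hop], blob)
        seen.append((hop, next_hop, blob))
        hop = next_hop
    return hop, blob, seen


if __name__ == "__main__":
    dest, payload, trace = run_circuit(CIRCUIT, RELAY_KEYS, "example.org", b"GET / HTTP/1.0")
    print(dest, payload)
    for relay, nxt, _ in trace:
        print(f"{relay} learned only: next hop = {nxt}")
```

Run it and the guard learns only "middle", the middle only "exit", and only the exit sees the destination and the plaintext; that last point is the caveat for "surf anonymously": an exit relay, or anyone watching its outbound link, reads whatever you did not separately encrypt (for example with HTTPS).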