Threats To Your Data Baron Rodriguez/Mark Hall PTAC Webinar Series: August 22, 2011.


1 Threats To Your Data Baron Rodriguez/Mark Hall PTAC Webinar Series: August 22, 2011

2 Agenda
- About PTAC
- Latest Threats
- Data Protection & Cyber Security
- Responses to Data Protection
- Data Protection Security and Planning: New PTAC Resources!!
Questions: Please send your questions in via the chat box window prior to the end of the webinar.

3 Privacy TA Center (PTAC) Mission
The Privacy TA Center is designed to provide states with:
- A set of tools, resources, and other opportunities for states to receive assistance with privacy, security, and confidentiality of student-level longitudinal data systems.
- A means for states to share their best practices, documents, and other relevant resources in the areas of privacy, security, and confidentiality.
- A focal point for queries and responses to the privacy-related needs of State Education Agencies (SEAs), Local Education Agencies (LEAs), and Institutions of Higher Education (IHEs) in a confidential, safe environment.
- A set of resources to promote compliance with FERPA and other best practices for ensuring the confidentiality and security of personally identifiable information.
http://nces.ed.gov/programs/Ptac/Home.aspx

4 Data Security Threats
Threats to your data: it's happening, it's focused, it's sophisticated.
What is at risk:
- Social Security Numbers/Identity
- Education Records
- Employee Data
- Financial Records
- Disciplinary Actions
- Internal Memos
- Medical Information
- Personal Documents

5 Black Hat Conference 2011: What is it?
A gathering of highly technical information security specialists from government, corporate, academic and underground research backgrounds, who share practical insights on the leading-edge discoveries and vulnerabilities in the information security landscape.
News ticker: Sydney University 'breached student privacy' (June 2011)

6 Black Hat Conference 2011: Cool/Not So Cool Findings
- Hackers have found a way to wirelessly manipulate medical devices such as insulin pumps.
- Attackers have the ability to use drone planes to intercept wireless signals and break into networks and cell phone information.
- A battery exploit was discovered against a major laptop manufacturer: a hacker could manipulate the battery firmware settings so it stops accepting a charge, or overcharges so the battery catches fire or explodes.
*Sources: www.eweek.com & www.computerworld.com

7 Black Hat Conference 2011: Relevant Findings
- Improper SSL implementations leave websites wide open to attack: less than 1/5 of websites claiming to have SSL have been configured correctly to redirect to SSL for authentication.
- Spear phishing attacks against U.S. Government officials with Gmail accounts continue. Spear phishing? An e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data.
- Copiers/printers with weak passwords (or with no passwords) can be compromised, allowing the intruder to steal images of documents and/or take control of the devices.
- Digital shadowing: as companies continue to track your online search and spending habits, the combined information can become a privacy threat when correlated with your social networking sites and/or mobile technologies.
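As an added illustration of the SSL redirect finding above (example code, not part of the PTAC deck): a small Python audit helper that decides, from a captured plain-HTTP response to a login URL, whether the site is correctly configured to send authentication to HTTPS on the same host. The URLs and HTTP responses below are constructed samples.

```python
"""Checks whether a plain-HTTP request for a login page is redirected to HTTPS.
Added example for the Black Hat 2011 'improper SSL' finding; responses are constructed."""
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw):
    """Split a raw HTTP response (status line + headers) into (status, headers)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def redirects_to_https(request_url, status, headers):
    """Return (ok, reason) for one response received over plain HTTP.
    'ok' only when the redirect lands on https:// at the same host."""
    if status == 200:
        return False, "login page served over plain HTTP (no redirect)"
    if status not in REDIRECT_CODES:
        return False, "unexpected status %d" % status
    location = headers.get("location")
    if not location:
        return False, "redirect without Location header"
    target, origin = urlparse(location), urlparse(request_url)
    if target.scheme != "https":  # relative Location keeps the http scheme
        return False, "redirect stays on %s" % (target.scheme or "plain HTTP")
    if target.hostname != origin.hostname:
        return False, "redirect leaves the original host"
    return True, "redirects to HTTPS on the same host"


# Constructed sample: a fictional student information system login page.
LOGIN_URL = "http://sis.example.edu/login"
SAMPLES = {
    "good": "HTTP/1.1 301 Moved Permanently\r\nLocation: https://sis.example.edu/login\r\n",
    "plain": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
    "relative": "HTTP/1.1 302 Found\r\nLocation: /login\r\n",
    "other_host": "HTTP/1.1 302 Found\r\nLocation: https://other.example.org/login\r\n",
}


def audit_samples():
    """Run the check over every constructed sample; returns {name: ok}."""
    return {n: redirects_to_https(LOGIN_URL, *parse_response(r))[0] for n, r in SAMPLES.items()}
```

Only the "good" sample passes; the three others are the misconfigurations the finding describes.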

8 But... I'm a Mac user... I'm safe!!
- Remember the battery exploit? It affected the MacBook Pro line of laptops.
- Studies have shown that Mac users aren't as paranoid as Windows users about security.
Some Mac-specific recommendations:
- Mac OS X 10.7 is an upgrade that addresses some serious security vulnerabilities.
- Mac OS X Server has major security issues that should be evaluated before deployment.
- Apple's Bonjour file sharing/network discovery protocol has some major security weaknesses on untrusted networks (hotels, public Wi-Fi, guest networks, airports, etc.).

9 Social Networking Sites: Are you protected?
[Diagram: malware infects a user on a social networking site (e.g. Twitter, Facebook, Match.com), reaches an Internet-facing application, and from there the student data behind it.]

10 Not connected to the internet? Removable Media
[Diagram: removable media carries data and identity across the air gap; the controls shown are policy, user training and monitoring.]

11 USB (Flash) Drives
- In the past two years, 70% of businesses have traced the loss of sensitive or confidential information to USB/flash drives.
- Of those, 55% are related to malware-infected devices that have introduced malicious code onto corporate networks.
Recommendation: Employ policies detailing how employees can use these devices to store sensitive/confidential information.
Source: Information Week, August 2011

12 Data Breaches in the news
- Yale notifies 43,000 of SSN breach: Yale University is notifying 43,000 individuals that a 1999 computer file containing names and Social Security numbers was inadvertently made accessible to Google Internet searches for 10 months. Persons affected include faculty, staff, students, and about 1200 alumni.
  Recommendation: Data retention/archive policies and a data classification process.
- North Carolina State research info compromised: Data housed at NCSU that contained private information for about 1800 school children from Wilson and Richmond counties was mistakenly put online.
  Recommendation: Research agreements/Memorandums of Understanding with explicit instructions on data destruction upon conclusion of the study.

13 Cloud Computing
- Epsilon Data Breach: Millions of customer records within the Epsilon cloud were compromised by using customer email addresses, weak passwords and phishing attacks to steal sensitive data such as financial information or login credentials to other sites.
  Recommendation: Security policies and customer training/awareness are even more critical in a cloud computing environment, where the outside potential for targeted attacks is greater.
Source: CipherCloud.com, August 2011

14 The threat is real and affects all industries and information systems
- Government and Military (FISMA and federal standards)
- Education (FERPA)
- Private Sector (hodgepodge)
- Medical Records (HIPAA)
- Critical Infrastructure (Water, Gas, Electric)
- Financial sector (SOX)
- Home users (none)

15 Many ways to Protect Data
- Physical Security
- Policy (what, who, how)
- Access Controls
- Statistical Methods
- Cyber Security

16 Responses to Data Security
- The federal government has invested heavily in developing standards and implementing solutions. It is the best source for standards and solutions.
- The private sector has mostly been reactionary.
- Other industries have been uneven, including the educational community.
What can your organization do to improve?

17 Initial and On-going Data Protection Planning
1) Seek outside resources to support your security team:
- State and federal agencies
- PTAC
- Third party vendors
- Other informational resources (standards and guidelines), e.g. NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information

18 New PTAC Resources
- Security Checklist
- Data Governance Checklist

19 Initial and On-going Security Steps
2) Develop and implement a security architecture:
- Map and understand your network
- Align security capabilities with mission requirements
- Overlay security tools and capabilities on your network and develop implementation plans
3) Create a security governance structure, responsible for:
- Reviewing security issues and implementing solutions
- Championing for resources
- Responding to incidents
4) Personnel security and users:
- Both employees and users should be made aware of security policies
- Training and awareness
5) Policy: create, update, and enforce

20 Tools and Capabilities
- Physical Security. Make computing resources physically unavailable to unauthorized users. An unlocked server room is an invitation for malicious or accidental damage.
- Network Mapping. You cannot protect what you do not understand. Network mapping provides a picture of the network (servers, routers, etc.) and its connections.
- Inventory of Assets. The inventory should include both authorized and unauthorized devices used in your computing environment.
- Authentication. The ways in which someone may be authenticated fall into three categories: something you know, something you have, or something you are.
- Provide a layered defense. The most common layers to protect are hosts (individual computers), application, network and perimeter.

21 Tools and Capabilities
- Secure configurations. It is a best practice not to put any hardware or software onto your network until it has been security tested and configured to optimize its security.
- Role-based Access Control. Defining specified roles and privileges for users is a required security procedure.
- Firewalls and Intrusion Detection/Prevention Systems (IDPS).
- Automated Vulnerability Scanning. When new vulnerabilities (in hardware, operating systems, applications, and other network devices) are discovered, hackers immediately scan networks for these vulnerabilities.

22 Tools and Capabilities
- Patch Management. Patch management is the process of using a strategy and plan for which patches should be applied to which systems at a specified time.
- Shut down unnecessary services. Each port, protocol, or service is a potential avenue of ingress into your network.
- Data at rest and mobile devices. When sensitive data is stored on servers, laptops, or other mobile devices, it should be encrypted.
- Incident Handling. When an incident does occur, it is critical to have a process in place to both contain it and fix the problem.
- Audit and Compliance Monitoring. Audits provide an independent assessment of your data protection capabilities and procedures (see the PTAC article on Security Audits) and should be performed periodically.

23 Home Users: StaySafeOnline.org

24 PTAC: http://nces.ed.gov/programs/Ptac/Home.aspx
The Privacy Technical Assistance Center is your "one-stop shop" for:
- frequently asked questions
- links to useful online resources
- training materials for data administrators and data users
- regional meetings and lessons-learned forums for education stakeholders
- site visits to state and local education agencies
- a help desk to respond to inquiries
- an extension of your LDS team

25 PTAC Publications Coming Soon (Really!): http://nces.ed.gov/programs/Ptac/Home.aspx
- Data Center Consolidation Best Practices. Webinar: September 16th, 2011, 1:30-2:30 PM (EST). This webinar focuses on best-practice security and privacy considerations for state and local agencies that are in the process of data center consolidation, as well as those agencies considering or planning consolidations.
- Annual District Notification Requirements / FERPA 101 Training: Let your districts know!! Webinar: September 22nd, 2011, 1:30-2:30 PM (EST). This webinar will provide a high-level overview of the Family Educational Rights and Privacy Act (FERPA), including definitions and required processes.

26 PTAC Cyber Security Tasks
We would like your ideas and thoughts on data protection/cyber security topics that would be helpful to you!

27 Questions? Thank you for participating!
