Computer, Privacy, and Data Protection


Session #40: Computer, Privacy, and Data Protection
Ross C. Hughes | Dec. 2014
U.S. Department of Education, 2014 FSA Training Conference for Financial Aid Professionals

The World of Data Breaches
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Five Data Breach Statistics Worth Knowing (Ansley Kilgore, June 19, 2014)
Six months after the Target data breach, the statistics are astonishing.
1. Since the Target breach, there has been a major data breach discovered almost every month. Those breaches include Michaels Stores, Sally Beauty Supply, Neiman Marcus, AOL, eBay, and P.F. Chang's Chinese Bistro.
2. A recent Ponemon Institute survey estimates 47 percent of all American adults have been affected by data breaches in the last year, with an estimated 432 online accounts being affected.
3. There were more than 600 reported data breaches in 2013, a 30% increase over 2012.
4. The retail industry was the number one target, with nearly 22 percent of network intrusions occurring at retailers, according to the Verizon Data Breach Investigation Report.
5. Cybercrime has cost the global economy $575 billion and the U.S. economy $100 billion annually, making the U.S. the hardest hit of any country, according to a report from Intel Security and the Center for Strategic and International Studies.

Data Breaches and Hacks

How Do You Do It

Why Do They Do It: Hacker Pricing for Stolen Credentials (Dell SecureWorks' Counter Threat Unit)
- "Kitz": verified health insurance, SSN, bank account info/logins (account & routing numbers, account type), driver's license, full name, address, phone, etc., plus counterfeit physical documents and hardware related to the identity data in the package (e.g. credit cards, driver's license, insurance cards, etc.). Priced between $1200 – $1300 per Kitz; add $100 – $500 for rush orders and other miscellaneous fees like wire transfer, escrow, etc.
- "Fullz": if these records also include health insurance credentials for a US victim, they were negotiated for about $500 each, based on what was included: full names, addresses, phone numbers, e-mail addresses (with passwords), dates of birth, SSN or EIN, and one or more of: bank account information (account & routing numbers, account type), online banking credentials (varying degrees of completeness), or credit card information (including full track 2 data and any associated PINs).
- Health insurance credentials: $20 each. They include names (more than one for spouse & family coverage), date(s) of birth, contract number, group number, type of plan (Individual/Group, HMO/PPO, deductible and copay information), and insurer contact information for customer service and filing claims. Note: when a dental, vision, or chiropractic plan is associated with the health plan, each of those was an additional $20.

Why Do They Do It: Fees for Additional Stolen Credentials
- US credit card with CVV code: $1 – $2
- Non-US credit card with CVV: $2 – $10
- Credit card with full track 2 and PIN: $5 – $50
- Prestige credit cards (Platinum, Diamond, Black) with verified available balance: $20 – $400*
- Online bank account, < $10K: $250 – $1000*
- Compromised computer: $1 – $100
- PayPal, verified balance: $20 – $200*
- Game accounts (Steam, Minecraft, WoW, PSN, XBOX Live/Microsoft): $5 – $1000**
- Skype account (premium): $1 – $10
* Some hackers' prices are based on 4% – 12% of verified current balance.
** Rare items are often "parted out" or fenced separately.

Why Do They Do It
- Bank accounts with attached e-mail accounts: credentials for bank accounts that also included the credentials for the associated e-mail account were more valuable, since the scammer can stop the victim from receiving e-mail alerts sent by the bank, change account information, and confirm back to the bank that the changes are correct.
- Bank accounts with ACH bill pay or wire transfer features: additional features matter in the value of an account. The ability to wire transfer or ACH bill-pay brings a higher value, whereas two-factor authorization, like an SMS sent to the account owner's phone to confirm wire transfers, hurts the value of a stolen account.
- Compromised computer: bulk with only proxy access is cheap; specific selection criteria (speed, bandwidth, location) and full interactive admin/root access is premium.
- Game accounts: the biggest jump in value among stolen credentials was in game accounts, because there is more realized value in virtual items and currency. Steam, PSN, and XBOX Live accounts linked to other accounts, multiple game titles and characters, payment information, and other services: $10/hour, or $1000+ for rare/unique top-level items.

And Now: The $100 Server

And They Are Doing It Right Now
http://map.ipviking.com/
http://www.fireeye.com/cyber-map/threat-map.html

Risk Management

What is at Risk

Your Networks At Risk
- Current student and alumni information
- Widely distributed networks: Admissions, Registrar's Office, Student Assistance, College Book Store, Health Clinic, Websites
- Hackers seek diverse information and diverse paths

Students (and Parents): Data at Risk
- Facebook = share everything (security questions?)
- Very mobile = laptop, iPhone, iPad everywhere
- Very trusting = limited password usage, write passwords down
- Not organized = often do not track credit cards, "junk" mail
- High debt = attractive to foreign actors

WHAT YOU CAN and SHOULD DO: Risk Mitigation

Establish Good Governance
- Create policies and procedures for protecting sensitive data and enforce penalties for noncompliance
- Develop a training and awareness program
- Publish rules of behavior; make users sign a "confidentiality contract"
- Have a breach response plan that includes roles, responsibilities, timeframes, call trees, alternates, etc.
- Do you know how much PII you have, where it is stored (USB drives, CD-ROMs, etc.), who touches it, and why?
- Map out your business process flows: follow the PII

Reduce Your Data Exposure
- Enforce a clean desk policy
- Conduct PII "amnesty" days (shred paper PII; eliminate PII from local and shared drives)
- Protect data at the endpoints: USB drives, paper, laptops, smartphones, printers
- Destroy your data securely; do not keep records forever
- Limit access to only those with a need to know
- Practice breach prevention: analyze breaches from other organizations, learn from their mistakes, and adjust your policies and procedures accordingly
- Please, THINK before you post/send/tweet!

Tips to Safeguard PII
Minimize PII
- Collect only PII that you are authorized to collect, and at the minimum level necessary
- Limit the number of copies containing PII to the minimum needed
- Use fictional personal data for presentations or training
- Review documents for PII prior to posting
Safeguard the transfer of PII
- Do not e-mail PII unless it is encrypted or in a password-protected attachment
- Alert FAX recipients of incoming transmission
- Use services that provide tracking and confirmation of delivery when mailing
Secure PII
- Store PII in an appropriate access-controlled environment
- Safeguard PII in any format
- Disclose PII only to those authorized
Dispose of PII Properly
- Delete/dispose of PII at the end of its retention period, or transfer it to the custody of an archives, as specified by its applicable records retention schedule
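The governance, amnesty-day, and "review before posting" advice above all rest on the same step: finding out where PII actually sits. The following scanner is an added example, not code from the presentation; it flags likely SSNs and payment card numbers in text, uses SSA range rules and the Luhn check to cut false positives, and reports only redacted values so the scan report does not become another copy of the PII. The sample record is constructed.

```python
"""PII inventory scan: flag likely SSNs and payment card numbers in text.

Added example for the 'know where your PII is' / PII amnesty advice above,
not code from the original presentation. The sample record is constructed."""
import re
from typing import List, Tuple

SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
Hit = Tuple[str, int, str, str]  # (source, line number, kind, redacted value)


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment cards; weeds out invoice and ID numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four characters so the report itself is not a new PII copy."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(source: str, text: str) -> List[Hit]:
    """Return one Hit per likely SSN or card number, with the value redacted."""
    hits: List[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if valid_ssn(*m.groups()):
                hits.append((source, line_no, "SSN", redact(m.group(0))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((source, line_no, "CARD", redact(digits)))
    return hits


SAMPLE = """\
Student: Jane Doe  SSN: 123-45-6789  (constructed record)
Card on file: 4111 1111 1111 1111  exp 12/26
Invoice 1234567890123 is not a card (fails Luhn)
Placeholder SSN 000-12-3456 is never issued, so it is skipped
Office phone 202-555-0100
"""

if __name__ == "__main__":
    for hit in scan_text("sample.txt", SAMPLE):
        print(hit)  # ('sample.txt', 1, 'SSN', '*******6789'), then the card hit
```

Point scan_text at the contents of each file on a shared drive or USB export to get a per-location count of findings for the governance inventory.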

Teleworking Security

Teleworking Security
- Non-government computers or portable storage devices (e.g., a USB flash/thumb drive) should have ED-equivalent security controls (e.g., antivirus/anti-malware, full disk encryption, session lock, strong passwords)
- If possible, do NOT copy data from the VPN to your hard drive or to a removable storage device; if you must copy data, make sure the data is encrypted
- Keep your computer in a secure location; do not leave it unattended/unsecured
- If you are teleworking from a public location, make sure no one else can see what is on your computer screen (consider a privacy screen)
- Encrypt PII/sensitive data when e-mailing such data (e.g., WinZip encryption)

So, Once Again, All Together
- Only collect and use information that is absolutely necessary, and only share with those who absolutely need the information
- "Review and reduce": inventory your PII and PII data flows, and look for ways to reduce PII
- Follow all Departmental policies and procedures
- Think before you hit the "send" button (e-mail is by far the #1 source of breaches)
- "Scramble, don't gamble": encrypt, encrypt, encrypt
- Minimize (or eliminate) the use of portable storage devices
- Protect PII on paper: enforce a clean desk policy, use secure shredding bins, locked cabinets, etc.

If There’s Something Strange

In Your Neighborhood

Who You Gonna Call
- Call your supervisor, the Help Desk, and Security and tell them exactly what is happening
- Don't delete any files or turn off your system unless Security tells you to
- Security will notify any other organization that should be involved
- If you need advice or help, call your Federal Student Aid ISSO or the FSA Security Operations Center

What You Should Know
https://www.privacyrights.org/
http://www.verizonenterprise.com/DBIR/2014/
http://securityintelligence.com/media/2014-cost-of-data-breach-study-ponemon/

Summary
- Be vigilant. Organizations often only find out about security breaches when they get a call from the police or a customer.
- Make your people your first line of defense. Teach staff about the importance of security, how to spot the signs of an attack, and what to do when they see something suspicious.
- Keep data on a "need to know" basis. Limit access to the systems staff need to do their jobs, and make sure that you have processes in place to revoke access when people change role or leave.
- Encrypt sensitive data. Then if data is lost or stolen, it's much harder for a criminal to use.
- Use two-factor authentication. This won't reduce the risk of passwords being stolen, but it can limit the damage that can be done with lost or stolen credentials.
- Don't forget physical security. Not all data thefts happen online. Criminals will tamper with computers or payment terminals or steal boxes of printouts.

Contact
Ross C. Hughes, CHS, CISA, CISM, CISSP, ECSA, IAM
FSA Cyber Security Manager
Office: 202-377-3893
Cell: 202-480-6586
Fax: 202-275-0907
FSA Security Operations Center: 202-377-4697

Questions?