Data Risk and Security Andrew Roderick Campus Technology Committee – January 21, 2015

2 Shall We Play A Game?

3 Server IT Security Network Endpoint Data drives risk Application

4 Cost of Data Risk Financial: average cost of a data breach is $136 per record (2014 Cost of Cybercrime Study, Ponemon Institute) Trust and Prestige: donors, grant-funding agencies, general community Staff Time: when a breach occurs, paperwork, “special” meetings, process changes, IT work Ethics: University entrusted with oversight of records on behalf of students, faculty, and staff Think about your own personal data in the University and with other institutions.

5 What Is Confidential Data? Passwords, credentials, or PIN’s Social Security Number and Name Birth date + four digits of SSN and Name Credit Card Numbers Tax ID + Name Driver’s License, State ID, Passport Health Insurance Information Medical or Psychological Counseling Records Bank Acct or Debit Card + access code More…. Budget Spreadsheets (pre-2009) Photocopy of CDL or Passport Defensive Drivers Training Anyone? SSN’s for Student Assistant and Staff Payroll Travel Prep or Claims Invoices (Tax ID) Invoices or Vendor Records

6 Do I Have Confidential Data? Probably Every place where users store files, confidential data will be there: File Servers State Workstations Unmanaged Home Workstations Dropbox/Box.com USB Drives

7 Case Study: Financial Risk Six physical servers, one VMWare implementation Multiple services including: O file shares for academic departments (groups) and individuals (faculty and staff) O Multiple domain servers O License servers College of BSS reorganized over three years ago Hardware and services orphaned to some extent Services continued in use

8 Case Study: Financial Risk (cont’d) Individual SharesGroup/Departmental Shares 338 GB98 GB 677,000 files199,000 files 2,500 files with sensitive data1,000 files with sensitive data 173,850 record matches98,347 record matches 272,197 sensitive data records Scenario: assume ¾’s of the matches are false positives = 68,049 and assume that 50% are recurring users = 34,024 34,024 x $136 = $4,627,264

9 Detection and Remediation Analyze Assess Risk Mitigate Risk Migrate De- commission Determine ownership Determine currency of shares, active status Active or non- active Malware/Virus Scans PII Scan Forensics Discovery Clean, Investigate Malware (if any) PII Data Quarantine Purge Repatriate Review need for PII data Cleanse To Security Team With Organization

10 Remediation Considerations In decision-making around how to handle files with PII Data… O Quarantine provides reassurance to end users that data may still be available if they need it (they typically won’t) O Shutdown access to files or refresh changed data later O Process:  Create unaltered copy and remediation copy  Store unaltered copy on encrypted storage  Scan and quarantine “remediation copy”  Quarantined files are replaced with file placeholders  Migrate remediated files (if necessary)  Continued communication with users to review quarantined files  Set purge date for unaltered copy (original data)  Decommission hardware (if necessary)

11 User Involvement What happens when users move their own data? Never purge anything Review it tomorrow/too busy Create a stash in Dropbox or on local computer I need everything Risk: Users do not respond Stash data insecurely

12 Stop Confidential Data from Returning Business Process Change How is confidential data collected? Files? University Systems? Assess current use of confidential data – is it needed for a business requirement? Is there an alternative source? Which teams and which staff require use of confidential data? Remove existing confidential data Cease or limit continued use