
Computer, Privacy, and Data Protection

Session #40: Computer, Privacy, and Data Protection. Ross C. Hughes | Dec. 2014, U.S. Department of Education, 2014 FSA Training Conference for Financial Aid Professionals. The World of Data Breaches: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/



  1. Session #40: Computer, Privacy, and Data Protection. Ross C. Hughes | Dec. 2014. U.S. Department of Education, 2014 FSA Training Conference for Financial Aid Professionals

  2. The World of Data Breaches • http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

  3. Five Data Breach Statistics Worth Knowing
  Six months after the Target data breach, the statistics are astonishing.
  • Since the Target breach, a major data breach has been discovered almost every month, including Michaels Stores, Sally Beauty Supply, Neiman Marcus, AOL, eBay, and P.F. Chang's China Bistro.
  • A recent Ponemon Institute survey estimates that 47 percent of all American adults were affected by data breaches in the last year, with an estimated 432 million online accounts exposed.
  • There were more than 600 reported data breaches in 2013, a 30% increase over 2012.
  • The retail industry was the number one target, with nearly 22 percent of network intrusions occurring at retailers, according to the Verizon Data Breach Investigations Report.
  • Cybercrime costs the global economy $575 billion and the U.S. economy $100 billion annually, making the U.S. the hardest hit of any country, according to a report from Intel Security and the Center for Strategic and International Studies.
  Source: Ansley Kilgore, June 19, 2014

  4. Data Breaches and Hacks

  5. How Do You Do It

  6. How Do You Do It

  7. Why Do They Do It: Hacker Pricing for Stolen Credentials (Dell SecureWorks' Counter Threat Unit)
  • "Kitz": verified health insurance, SSN, bank account info/logins (account and routing numbers, account type), driver's license, full name, address, phone, etc., plus counterfeit physical documents and hardware matching the identity data in the package (e.g., credit cards, driver's license, insurance cards). $1200–$1300 per Kitz; add $100–$500 for rush orders and miscellaneous fees such as wire transfer and escrow.
  • "Fullz": full names, addresses, phone numbers, e-mail addresses (with passwords), dates of birth, SSN or EIN, and one or more of: bank account information (account and routing numbers, account type), online banking credentials (of varying completeness), or credit card information (including full track 2 data and any associated PINs). Where the record also includes health insurance credentials for a U.S. victim, about $500 each, depending on what is included.
  • Health insurance credentials: $20 each. They include names (more than one for spouse and family coverage), date(s) of birth, contract number, group number, type of plan (individual/group, HMO/PPO, deductible and copay information), and insurer contact information for customer service and filing claims. Note: when a dental, vision, or chiropractic plan is associated with the health plan, each of those is an additional $20.

  8. Why Do They Do It: Fees for Additional Stolen Credentials
  • US credit card with CVV code: $1–$2
  • Non-US credit card with CVV: $2–$10
  • Credit card with full track 2 and PIN: $5–$50
  • Prestige credit cards (Platinum, Diamond, Black) with verified available balance: $20–$400*
  • Online bank account, < $10K: $250–$1000*
  • Compromised computer: $1–$100
  • PayPal, verified balance: $20–$200*
  • Game accounts (Steam, Minecraft, WoW, PSN, Xbox Live/Microsoft): $5–$1000**
  • Skype account (premium): $1–$10
  * Some hackers' prices are based on 4%–12% of the verified current balance
  ** Rare items are often "parted out" or fenced separately

  9. Why Do They Do It
  • Bank accounts with attached e-mail accounts: credentials for a bank account that also include the credentials for the e-mail account associated with it are more valuable, because the scammer can stop the victim from receiving the e-mail alerts sent by the bank, change account information, and confirm back to the bank that the changes are correct.
  • Bank accounts with ACH bill pay or wire transfer features: additional features matter in the value of an account. The ability to wire transfer or ACH bill-pay brings a higher value, whereas two-factor authentication, such as an SMS code sent to the account owner's phone to confirm wire transfers, hurts the value of a stolen account.
  • Compromised computers: bulk lots with only proxy access are cheap; specific selection criteria (speed, bandwidth, location) and full interactive admin/root access command a premium.
  • Game accounts: the biggest jump in value among stolen credentials was in game accounts, because there is more realized value in virtual items and currency. Steam, PSN and Xbox Live accounts linked to other accounts, with multiple game titles and characters, payment information, and other services, are quoted at $10/hour, or $1000+ for rare/unique top-level items.

  10. And Now: The $100 Server

  11. And They Are Doing It Right Now http://map.ipviking.com/ http://www.fireeye.com/cyber-map/threat-map.html

  12. Risk Management

  13. What is at Risk

  14. Your Networks At Risk
  • Current student and alumni information
  • Widely distributed networks: Admissions, Registrar's Office, Student Assistance, College Book Store, Health Clinic, websites
  • Hackers seek diverse information and diverse paths

  15. Students' (and Parents') Data at Risk
  • Facebook = share everything (including the answers to security questions?)
  • Very mobile = laptop, iPhone, iPad everywhere
  • Very trusting = limited password usage, passwords written down
  • Not organized = often do not track credit cards or "junk" mail
  • High debt = attractive to foreign actors

  16. Risk Mitigation WHAT YOU CAN and SHOULD DO

  17. Establish Good Governance
  • Create policies and procedures for protecting sensitive data, and enforce penalties for noncompliance
  • Develop a training and awareness program
  • Publish rules of behavior; make users sign a "confidentiality contract"
  • Have a breach response plan that includes roles, responsibilities, timeframes, call trees, alternates, etc.
  • Do you know how much PII you have, where it is stored (USB drives, CD-ROMs, etc.), who touches it, and why?
  • Map out your business process flows: follow the PII

  18. Reduce Your Data Exposure
  • Enforce a clean desk policy
  • Conduct PII "amnesty" days (shred paper PII; eliminate PII from local and shared drives)
  • Protect data at the endpoints: USB drives, paper, laptops, smartphones, printers
  • Destroy your data securely; do not keep records forever
  • Limit access to only those with a need to know
  • Practice breach prevention: analyze breaches at other organizations, learn from their mistakes, and adjust your policies and procedures accordingly
  • Please, THINK before you post/send/tweet!

  19. Tips to Safeguard PII
  • Minimize PII
    • Collect only PII that you are authorized to collect, and at the minimum level necessary
    • Limit the number of copies containing PII to the minimum needed
  • Secure PII
    • Store PII in an appropriate access-controlled environment
    • Use fictional personal data for presentations or training
    • Review documents for PII prior to posting
    • Safeguard PII in any format
    • Disclose PII only to those authorized
  • Safeguard the transfer of PII
    • Do not e-mail PII unless it is encrypted or in a password-protected attachment (use AES encryption rather than a legacy ZIP password, and send the password by a separate channel, never in the same e-mail)
    • Alert FAX recipients of an incoming transmission
    • Use services that provide tracking and confirmation of delivery when mailing
  • Dispose of PII properly
    • Delete/dispose of PII at the end of its retention period, or transfer it to the custody of an archives, as specified by its applicable records retention schedule
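A practical way to answer "how much PII do you have and where is it stored", to run a PII amnesty-day sweep of local and shared drives, and to review documents for PII before posting is a scanner that looks for the identifier formats you care about. The following is an added example written for this page, not code from the presentation or the Department: it sweeps a directory for SSN-shaped and payment-card-shaped strings, cuts false positives with the SSA structural rules and the Luhn check, and reports only masked values so the report itself does not become a new PII store. The regexes, the file-type filter, and the sample export record are assumptions constructed for illustration.

```python
"""PII discovery sweep for an 'amnesty day' or pre-posting review.

Added example, not code from the FSA presentation. The regexes, validity
rules and the sample record below are assumptions made for illustration.
"""
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Loose candidate patterns; false positives are cut by the validators below.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules: SSA never issues area 000, 666 or 900-999,
    group 00, or serial 0000. This cuts placeholders like 000-12-3456."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every real payment card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(kind: str, raw: str) -> str:
    """Keep only the last four digits so the report is not itself a PII store."""
    digits = re.sub(r"[ -]", "", raw)
    return ("***-**-" if kind == "SSN" else "*" * (len(digits) - 4)) + digits[-4:]


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (kind, raw match) for each validated hit, in document order."""
    hits = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            hits.append((m.start(), "SSN", m.group(0)))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            hits.append((m.start(), "CARD", m.group(0)))
    return [(kind, raw) for _, kind, raw in sorted(hits)]


def scan_directory(root: Path, suffixes=(".txt", ".csv", ".log")) -> List[Tuple[str, int, str, str]]:
    """Walk root and return (relative path, line number, kind, masked value).
    Only plain-text suffixes are read; Office/PDF files need a text extractor."""
    report = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        with path.open(encoding="utf-8", errors="replace") as fh:
            for line_no, line in enumerate(fh, 1):
                for kind, raw in scan_text(line):
                    report.append((path.relative_to(root).as_posix(), line_no, kind, mask(kind, raw)))
    return report


# Constructed sample export. 219-09-9999 and 4111 1111 1111 1111 are publicly
# known example values (an SSA advertisement number and a test card), not real people.
SAMPLE = """Student record export (constructed sample data)
Name: Jane Doe  SSN: 219-09-9999  Phone: 202-555-0142
Card on file: 4111 1111 1111 1111 exp 12/26
Placeholder SSN: 000-12-3456
Non-Luhn card: 1234 5678 9012 3456
"""


def demo() -> List[Tuple[str, int, str, str]]:
    """Write SAMPLE into a scratch 'shared drive' and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "shared" / "finaid"
        share.mkdir(parents=True)
        (share / "export.txt").write_text(SAMPLE, encoding="utf-8")
        (share / "notes.docx").write_text("skipped: not a plain-text suffix", encoding="utf-8")
        return scan_directory(Path(tmp))


if __name__ == "__main__":
    for path, line_no, kind, masked in demo():
        print(f"{path}:{line_no}: {kind} {masked}")
```

Run it as-is to sweep the constructed scratch directory, or call scan_directory(Path("/path/to/share")) on a real share. The validators only catch structurally impossible values; a well-formed nine-digit number that is not an SSN will still be reported, so treat hits as leads for a person to confirm, and extend the suffix list (or add a text extractor) for Office and PDF files, which this scanner deliberately skips.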

  20. Teleworking Security

  21. Teleworking Security
  • Non-government computers or portable storage devices (e.g., a USB flash/thumb drive) should have ED-equivalent security controls (e.g., antivirus/anti-malware, full disk encryption, session lock, strong passwords)
  • If possible, do NOT copy data from the VPN to your hard drive or to a removable storage device; if you must copy data, make sure the data is encrypted
  • Keep your computer in a secure location; do not leave it unattended/unsecured
  • If you are teleworking from a public location, make sure no one else can see what is on your computer screen (consider a privacy screen)
  • Encrypt PII/sensitive data when e-mailing such data (e.g., WinZip encryption; choose its AES-256 option, not the legacy Zip 2.0 encryption, and share the password out of band)

  22. So, Once Again, All Together
  • Only collect and use information that is absolutely necessary, and only share it with those who absolutely need it
  • "Review and reduce": inventory your PII and PII data flows, and look for ways to reduce PII
  • Follow all Departmental policies and procedures
  • Think before you hit the "send" button (e-mail is by far the #1 source of breaches)
  • "Scramble, don't gamble": encrypt, encrypt, encrypt
  • Minimize (or eliminate) the use of portable storage devices
  • Protect PII on paper: enforce a clean desk policy, use secure shredding bins, locked cabinets, etc.

  23. If There’s Something Strange

  24. In Your Neighborhood

  25. Who You Gonna Call
  • Call your supervisor, the Help Desk, and Security, and tell them exactly what is happening
  • Don't delete any files or turn off your system unless Security tells you to
  • Security will notify any other organization that should be involved
  • If you need advice or help, call your Federal Student Aid ISSO or the FSA Security Operations Center

  26. What You Should Know https://www.privacyrights.org/ http://www.verizonenterprise.com/DBIR/2014/ http://securityintelligence.com/media/2014-cost-of-data-breach-study-ponemon/

  27. Summary
  • Be vigilant. Organizations often only find out about security breaches when they get a call from the police or a customer.
  • Make your people your first line of defense. Teach staff about the importance of security, how to spot the signs of an attack, and what to do when they see something suspicious.
  • Keep data on a "need to know" basis. Limit access to the systems staff need to do their jobs, and make sure you have processes in place to revoke access when people change role or leave.
  • Encrypt sensitive data. Then if data is lost or stolen, it's much harder for a criminal to use.
  • Use two-factor authentication. This won't reduce the risk of passwords being stolen, but it can limit the damage that can be done with lost or stolen credentials.
  • Don't forget physical security. Not all data thefts happen online. Criminals will tamper with computers or payment terminals, or steal boxes of printouts.

  28. Contact
  Ross C. Hughes, CHS, CISA, CISM, CISSP, ECSA, IAM
  FSA Cyber Security Manager
  Office: 202-377-3893 | Cell: 202-480-6586 | Fax: 202-275-0907
  FSA Security Operations Center: 202-377-4697

  29. Questions?
