
New Issues in the Air or “What’s Changed in 15 Years”


Presentation Transcript


  1. New Issues in the Air or “What’s Changed in 15 Years”

     Russell M. Shumway, russ@rmshumway.net

  2. Caveats and disclaimers
     - I am not a lawyer
     - Nothing I say here should be construed as legal advice
     - Consult your own legal counsel
     - The environment is changing rapidly
     - 38.6% of the statistics in this presentation are made up
     - Please see point number 1 again

  3. So what has changed in the last 15 years?
     - Nothing
     - Questions?

  4. 1995 vs. 2010
     - 1995: Software was buggy. 2010: Software is buggy (but maybe not as much)
     - 1995: Security was not included. 2010: Security is included (sometimes)
     - 1995: Security features were not enabled. 2010: Security features are enabled, but disabled by users
     - 1995: Users were clueless. 2010: Users are smarter, but the target is moving

  5. Cloud computing
     - What is the cloud?
     - Buzzword of the day
     - In some respects, a move backwards
     - On-demand computing
     - Utility computing
     - Grid computing

  6. Examples of cloud computing
     - Gmail or Hotmail
     - Flickr or Snapfish
     - Google Docs or Adobe Photoshop Express
     - Rapidshare
     - Online backup
     - Wikis

  7. Benefits of cloud computing
     - Access to supercomputer-level power
     - Someone else maintains servers and storage space
     - Only need an access point, such as a thin client, smart phone, or laptop
     - Resources available on demand
     - Resources available anywhere
     - Pay for what you use; cost savings
     - Convenience, flexibility

  8. Challenges of cloud computing
     - Data access
       - Who has access
       - Who can grant access
     - Data control
       - Who has control
     - 3rd party liability
     - Discovery & forensics
     - Disaster recovery
     - Data breaches

  9. What laws apply?
     - PATRIOT Act
     - HIPAA (health information)
       - Also the stimulus act
     - Gramm-Leach-Bliley (financial institutions)
     - Sarbanes-Oxley (public companies)
     - Fair Credit Reporting Act
     - Electronic Communications Privacy Act
     - International agreements
       - Other nations’ laws (EU Data Protection Directive)
     - State & local laws

  10. Mobile technologies
     - Portable media devices and smart phones
       - Storage capacity increasing
       - Size decreasing
       - Power increasing
     - Data is rarely encrypted or protected

  11. Computer forensics
     - What is forensics?
     - From forensis: the application of science or technical matter suitable for a public place (court of law)
     - The scientific finding of fact and the collection, preservation, analysis, and presentation of evidence to support facts

  12. Forensics challenges
     - Large media
       - Multi-gigabyte disks (and up)
       - Servers
       - RAID arrays
     - Live examinations
       - When you can’t take it offline
     - Mobile devices
     - Encryption

  13. Data breaches
     - Data
       - Credit cards
       - Personal data
       - Credentials
       - Proprietary data
     - Notification requirements
       - 46 states and DC have some form of notification requirement
     - Compliance requirements
     - Liability

  14. Professional hackers
     - Organized crime
       - Eastern Europe and Africa seem to be predominant
     - Activists
       - Religious, political, ideological
     - State and non-state actors
     - Professional marketplace
       - Buy tools and techniques
       - Sell data and access

  15. Hacking vectors
     - Stolen credentials
     - Poor configuration
     - SQL injection
     - Backdoors
     - Brute force
     - The myth of the zero-day exploit

  16. Malware
     - Remote control/backdoor
     - Data capture
       - Credentials
       - Personal/financial data
     - Keyloggers
     - Customization

  17. IDS/Audit logs
     - Not effective in detection
       - Average time from compromise to detection is measured in weeks
       - Most likely method of detection is 3rd party reporting
         - Audit
         - LEA
         - Customer
     - Good for investigation
       - 86% of data breaches in a recent study had evidence in their logs

  18. Electronic discovery
     - The discovery process provides an opportunity for both parties in litigation to acquire information in support of their case
     - Rules were developed, historically, based on paper records
     - Discovery: “the ascertainment of that which was previously unknown…[t]he pre-trial devices that can be used by one party to obtain facts and information from the other party in…preparation for trial.” - Black’s Law Dictionary

  19. E-discovery
     - Courts struggled with how to handle electronic information, but have become a lot more savvy, and judges are educated
     - E-discovery has surpassed paper: 95% of business records exist in electronic form
     - E-discovery includes document metadata
       - When it was created or modified
       - When an email was sent and to whom
     - Production
       - Native
       - Other

  20. E-discovery challenges
     - Volume
     - Cost
     - Review
     - Types of data
       - Mail
       - Documents
       - Databases & proprietary software

  21. E-discovery & forensics
     - Inaccessible files
     - Deleted data
     - Data location and/or context
     - Duplicate copies
     - Backup and disaster recovery tapes

  22. Virtual worlds
     - Safety, security, privacy
       - Federal privacy obligations (ECPA)
       - State AG safety and C.P. reporting initiatives
       - FTC enforcement
     - Ownership of virtual property
       - Gold or experience farming
       - Sale of virtual property

  23. Future initiatives
     - Legislation
     - Regulation
     - Non-governmental agency requirements

  24. Regulatory evolution
     - Different players got involved: non-traditional entities expanding reach with enforcement
     - Scope expanded: early laws were reactive, then became proactive
     - FTC transition from the deceptive prong to the unfairness prong
     - Now: the federal government is baaaacckk…..

  25. Legislative and regulatory activity
     - Recently passed laws
       - American Recovery and Reinvestment Act (ARRA) of 2009
       - Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 (part of the ARRA)
     - Pending legislation
       - Cybersecurity Act of 2010
     - Regulatory
       - OCC guidance re application security (OCC 2008-16)
       - HIPAA Security Rule updates (NIST 800-66)

  26. HITECH Act of 2009
     - More HIPAA enforcement risk
       - Substantially higher penalties
       - State Attorneys General have explicit authority to enforce HIPAA rules
       - Enforcement allowed against individuals employed by healthcare entities
     - Breach notification
     - Business associates

  27. Cybersecurity Act of 2010
     - Defines critical infrastructure computers
     - Mandatory certifications for security professionals
     - NIST can establish standards for security
     - Mandatory audits
     - Increased funding for research and education
       - Both K-12 and post-secondary
     - Allows the president to monitor and shut down critical networks in the event of an attack

  28. New developments in state laws
     - California
     - Massachusetts
     - Nevada

  29. Questions?