Transcript Privacy vs. Security Breach

Privacy Breach vs. Security Breach
The Great Lakes InfraGard Conference
Securing Our Critical Infrastructures
June 20, 2012
Keith A. Cheresko Principal,
Privacy Associates International LLC
Purpose
•Explore the sometimes murky and confusing world of
data breaches
• Shed light on the differences and similarities of privacy
and security breaches.
• Leave you with a better understanding of the
environment in which we all operate
• Provide actionable ideas to help prevent breaches and
help increase the security for data under our control.
2
Agenda
Terminology
Background
Governing Rules
Practical Suggestions
Questions & (hopefully) Answers
3
Terminology
Personal “of, relating to, or affecting a particular person: private,
individual <personal ambition> <personal financial gain>” Webster
Personal Information (PI) data of, relating to, or affecting a particular person
Personally identifiable Information (PII) data that can be tied to a unique person some of which has
obtain defined legal protection (information relating to an identified
or identifiable individual)
4
Background
5
Statistics
As of June 16, Privacy Clearing House database
lists:
• 562,242,283 records from 3136 data breaches
made public from 2005 to June 2012
• 18,537,734 records in their database from 264
breaches made public so far in 2012
• 6,563,454 records in database from 16
breaches made public in June alone half
reporting unknown amounts
6
Statistics
The Verizon 2012 Data Breach Investigations
Report indicates:
855 incidents resulting in
174,000,000 compromised records
7
Statistics
The Ponemon Institute’s 2011 Cost of Data
Breach Study for US-based companies reports:
$ 194 the average cost per compromised
record and
$5,500,000 average in organizational costs
per event
8
Is a Privacy Breach Different than
a Security Breach?
9
Privacy vs. Security
• To answer, first consider the difference between privacy and
security
• Privacy relates to giving an individual some level of control over his
personally identifiable information (PII)
– Definitions of PII vary, which we will discuss later
– To give the individual some control, privacy is concerned with matters
such as choice, notice, access, data quality, and security as it relates to
PII
• Data security is concerned with the safeguarding of all data, not just
PII
• Privacy broader than security in one sense, security broader than
privacy in another sense
10
What is a Privacy Breach?
Can relate to two situations:
• The unauthorized access to or acquisition of
the kind of PII specified by an applicable law
(security of PII)
• The failure to live up to obligations made with
respect to non-security related aspects of
privacy (notice, choice, access, etc.)
11
What is a Security Breach?
The unauthorized access to or acquisition of anything proprietary:
Buildings, facilities other physical plants,
Computer equipment
Product Inventory
Confidential or secret information
Trade secrets
Intellectual property
Proprietary items
Financial information
Data in paper or electronic data
Personal information of consumers, employees, etc.
Customers lists
12
Should I worry?
Virtually any organization handling PI has the
potential to experience a breach of data (personal or
other type) security. For example, consider the cross
section of reported breaches:
• Retailers – Michaels Stores, Macy’s St. Louis
• Hospitality/food and beverage – Five Guys, Hannaford Bros.
• Education Institutions – University of North Florida, University
of Virginia
• Healthcare Providers – Phoenix Cardiac Surgery, South Shore
Hospital, Charlie Norwood V.A. Medical Center, Financial
Institutions –
• Citi, U.S. Federal Retirement Thrift Saving Plan
13
Who is affected?
•Payment Processors – WHMCS, Heartland Payment
Systems
•Professional Service Providers – Law Firms, Accountants,
Auditors
•Governmental Entities and Agencies – Office of the Texas
Attorney General, City of New Haven, New York State Office
of Children and Family Services
•Internet Service Providers – LinkedIn, eHarmony,
•Utilities
•and on and on and on ---
14
Consequences of a breach?
Depending on the nature, sensitivity, type and volume
of data or other assets compromised it may mean:
• Loss of Intellectual property
• Possible ID theft
• Damage to organization’s reputation
• Legal actions – regulatory and consumer
• Operating and operational inefficiencies
• Increased operating costs
• Organization freeze-up/paralysis
• Lost business from consumer churn business termination
• Adverse impact on market valuation
15
What Are the Governing Rules?
16
U.S. Federal Laws: Privacy and
Information Security
• The Federal Trade Commission Act
• The Gramm Leach Bliley Act
• The Health Information Portability and Accountability Act of 1996
• Health Information Technology for Economic and Clinical Health
• Family Education Rights and Privacy Act of 1974
• Driver's Privacy Protection Act of 1994
• Federal Information Security Management Act of 2002
• Fair and Accurate Credit Transactions Act
17
U.S. Federal Laws: Privacy and
Information Security
• Electronic Communications Privacy Act
• Telephone Consumers Protection Act of 1991
• Privacy Act of 1974
• Computer Security Act of 1987
• E Government Act of 2002
• Children's Online Privacy Protection Act of 1998
• Children's Internet Protection Act
• Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
• Uniting and Strengthening America by Providing Appropriate Tools Required to
Intercept and Obstruct Terrorism Act of 2001
18
FTC and Consumer Data
• The FTC is empowered through Section 5 of the Federal
Trade Commission Act to address:
– unfair methods of competition in or affecting commerce, and
– unfair or deceptive acts or practices in or affecting commerce
• As noted earlier the failure to live up to one’s own privacy
policy may be deemed a deceptive practice leading to a
privacy breach.
• Also failing to provide adequate data security may be
considered an unfair practice leading to a privacy breach.
19
FTC and Consumer Data
• FTC expects organizations to provide physical, technical, and
administrative security for consumer personal information
• FTC does not expect maximum available security rather
security should be reasonable and appropriate to:
• Organization’s size and complexity
• The nature and scope of its activities
• Sensitivity of the PI
• Risk assessments should be conducted to determine areas of
greatest risk and reasonable safeguards must be implemented
in light of those findings.
20
Gramm-Leach-Bliley (GLBA) Financial
Data Security: Interagency Guidelines
• Law required agencies to adopt security regulations relating to
physical, technical, and administrative safeguards such as the
unauthorized access to, or use of, customer information.
• Results - Interagency Guidelines Establishing Standards for
Safeguarding Customer Information.
– Require written information security plans.
– The plans must assess, manage, and control threats that could result
in unauthorized disclosure of information.
– Encourage adoption of measures appropriate to their circumstances
21
FTC Safeguards Rule
• Design a program to protect against unauthorized access to, or
use of, customer information that could result in “substantial
harm or inconvenience” to customers
• Designate coordinator(s) for the program
• Conduct a risk assessment
– identify internal and external risks to customer information and
– assess the sufficiency of existing safeguards to control the risks
• Design and implement safeguards to control the identified
risks
22
FTC Safeguards Rule
• Regularly test the effectiveness of the safeguards
• Oversee service providers
– Select and retain service providers capable of maintaining
appropriate safeguards
– Require service providers to implement and maintain safeguards
• Evaluate and adjust the program in light of
– regular testing and monitoring,
– material changes in business, or
– other circumstances that have a material impact on the program
23
Protected Health Information
• HIPAA, HITECH and the HIPAA Security Rule establish
national standards for the protection of individuals’
electronic personal health information in the hands of
“covered” entities
• HIPAA requires appropriate administrative, physical, and
technical safeguards, but includes much more specific
mandate under the Security Rule
• HITECH amendments to HIPAA apply the HIPAA Security
Rule directly to business associates. HHS can audit business
associates for compliance and impose civil and criminal
penalties (up to $1.5m) and State AGs can bring separate
actions
24
FERPA, DPPAO FISMA and FACTA
• Family Education Rights and Privacy Act of 1974 (limits disclosures
of educational records maintained by agencies and institutions that
receive federal funding)
• Driver's Privacy Protection Act of 1994 (limits disclosures of personal
information in records maintained by state departments of motor
vehicles)
• Federal Information Security Management Act of 2002 (requires
federal agencies to develop, document and implement agency-wide
program to provide information security)
• Fair and Accurate Credit Transactions Act (Red Flag and Data
Disposal rules)
25
State General Data Security Safeguards
Generally • Apply to any person owning or licensing PII relating to
residents of the state
• Require business implementation and maintenance of
reasonable security procedures and practices for the
protection of PII
• Require appropriate disposal of PII rendering it unreadable or
undecipherable
26
State Data Security Laws
• At least 33 states have laws relating to Social Security numbers
(SSNs) designed primarily for limiting the use of SSNs
• Five states require implementation of policies to protect SSNs
– Connecticut, Michigan, New Mexico, New York, Texas
• Two states have gone farther in specifying required business
security practices
– Massachusetts and Nevada
27
Massachusetts Rule
• Applies to any person who receives, maintains,
processes, or has access to PI about MA residents
• The regulation nominally applies to any entity,
anywhere in the world, holding PI relating to a MA
resident
• The covered PI is defined as an individual’s name in
combination with a SSN, driver’s license number, or
financial account number, credit or debit card
number (with or without password)
28
Massachusetts Rule Requirements
•
•
•
•
•
•
•
•
•
•
•
Performance of Risk Assessments
Development and maintenance of a comprehensive Written Information Security
Program (WISP)
Application of Physical Security controls
Application of Electronic Security controls
Use of Encryption
Selection and Retention of Competent Service Providers
Employee Training
Employee Compliance
Development and maintenance of appropriate policies regarding storage, access,
and transportation of personal information outside business premises
Processes in place preventing terminated employees from accessing personal
information
Documenting responses to breach incidents and post-incident reviews
29
Nevada Encryption Law
• Applies to a business that maintains, handles, collects,
disseminates, or deals with personal information
• Personal information is defined as an individual’s name in
combination with a SSN, driver’s license number, or
financial account number
• Must encrypt electronic transmission (other than fax) to a
person outside the business’ own secure system
• Must encrypt “data storage devices” when they are moved
beyond the logical or physical controls of the business or its
data storage contractor
30
Other Considerations
• Specialty state and local requirements
• Trade Association undertakings
• Payment Card Industry Data Security Standards
• Mobile practices
• Constantly shifting environment
• New uses, applications for data
31
Wait –There’s More
32
Breach Notification Laws
• Designed to help enforce security obligations
– In theory helps consumers protect themselves
– Provides government authorities enforcement opportunities
– Bad PR and breach-associated costs encourage compliance
• Breaches generally triggered by the unauthorized access to,
or acquisition of, PI covered by the law
• Other variables affect whether a breach notification law
applies such as:
– Storage medium involved
– Use of data encryption
33
Federal Breach Notification: (GLBA)
Regulations adopted by financial regulators and
the FTC pursuant to GLBA include breach
notification provisions for unauthorized access
to sensitive customer information held by banks
and other financial institutions.
34
Federal Breach Notification: HIPAA
(HITECH)
• Written notices must be provided within 60 days after
discovery of the breach
– Law enforcement delay if notification would impede a criminal investigation or
damage national security
– Content requirements
• A covered entity must notify:
– HHS of any breach involving more than 500 individuals when it provides
consumer notice
– HHS annually of breaches involving fewer than 500 individuals
– Prominent media in a state of breaches involving more than 500 residents of
the state
35
Federal Breach Notification: HIPAA
(HITECH)
• A Business Associate that discovers a breach must notify the
covered entity
• Similar FTC rule for Vendors of personal health records and
entities offering products or services through Web site of a
vendor of personal health records
36
U.S. State Breach Notification Laws
46 states, District of Columbia, Guam, Puerto Rico and the U.S.
Virgin Islands with laws:
• PI usually covered: name plus SSN, driver’s license number, bank account
information with PIN, or health information (often with an exception when
encrypted), and there are significant state variations of covered PI
• Notice to individuals required in the event of a breach and, in some
instances, notice to credit-reporting agencies and/or regulators (e.g., New
York Attorney General, New Jersey State Police) also specified
• 18 states impose requirements with respect to the content of the
consumer notice
• State Insurance regulators also impose notification requirements on
insurance companies
37
My Head Hurts
What does it all mean?
39
The Hits Keep on Coming With These
Events Recently in the Headlines
•WHMCS Breach May Be Only Tip of the Trouble
•Spokeo to Pay $800,00 to Settle FTC Charges
•Myspace Settles FTC Charges it Misled Millions of Users
•Lax Security at LinkedIn is Laid Bare
•Potential Class Action Targets Emory Healthcare Over Patient Data Breach
•ID Theft in Backyard of Texas Attorney General
•Massachusetts Levies Fine of $15,000 for Stolen Laptop
•HHS Settles Cases with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards
•A Six-Figure Credit Breach at Five Guys
•Information of U.S. Federal Employees Exposed
•South Shore Hospital to Pay $750,000 to Settle Data Breach Allegations
•House Committee to Probe e-Banking Heists
40
What should be done?
41
Privacy and Other Data Security
Breaches
An once of prevention is worth a whole lot more
and a pound of cure
It is not “a once and done” adventure
When the going gets tough the tough get going
Yammar, yammar, yammar ….
42
Practical Considerations
• Basic requirements for data protection are surprisingly
similar, across segments although details do vary
• The concept of technical, physical and administrative
security requirements is almost universal
• Requirement to conduct practical risk assessments of
requirements and vulnerabilities of the organization is also
present in many segments and jurisdictions
• Most laws do not specify technical or physical requirements
beyond requiring that they be reasonable, appropriate or
adequate
43
Inventory your data/asset
What is it?
Where is it?
Where is it going?
Will it visit third parties?
Who needs it to do their work?
How is it used?
How is it gathered and shared?
How is it stored?
What is its final resting place?
Will it be gone for good?
44
Assess Risks/Threats
• Indentify all threats within the realm of possibility to the security of
the data or asset.
• Consider all sources whether:
–
–
–
–
–
–
Internal
External
Natural
Man-made
Innocent
Malicious
• Assess the consequences to the organization should the identified
threat materialize.
• What is the likelihood of the threat/risk materializing?
• What mitigations are there to counter the risk or recover if it occurs?
45
Physical Matters
Physical Security includes
• Facility access controls
• Locks
• Alarms
• guards
• Safeguarding hard copy documents with PI
• Locking filing cabinets
• Clean desk policies
• Securing hardware on which PI is stored
• Computers
• Mobile devices
• Flash drives
• Modems
46
Administrative Measures
Administrative measures includes rules and training applicable to PI
handling such as:
• Ensuring access authorization is only given to individuals with
legitimate purposes
• Authentication rules
• Rules limiting what data can be stored on portable devices such as
laptops, smart phones, thumb drives and other storage media
• Security provisions in supplier contracts
• Security training for those with access to PI
• On-boarding and termination processes
• Policy administration
• Policy enforcement through appropriate disciplinary actions
47
Administrative Measures
Technology use policy
• Blogging and social networking, peer to peer file sharing programs,
remote access, use of laptops
Security breach notification procedure
• How is unauthorized access or acquisition reported?
• Who is on the immediate response team?
Confidentiality policy
• Does it cover confidential information and personal Information?
• Training
• Audit
• Office rules – badging, clear desk and screen locks
• Processes and teams for security incident management
• Downstream controls – contractual and audit controls on data recipients
• Officer, Director, and Employee training
Typical Requirements
•
•
•
•
•
•
•
•
•
Assign responsibility with accountability to a lead person
Conduct risk assessments
Establish comprehensive written policies and procedures
Train employees
Evaluate and then supervise service providers
Execute contracts with service providers
Provide secure disposal
Audit
Create and implement incident response, record retention,
and disaster recovery plans
49
Organization
Dealing with high-level requirements (“reasonable security”)
• Determining what “reasonable security “ is a team effort
• Determination should involve representatives from privacy, IT, legal,
physical security, HR/training, and potentially other functions and
advisors
• Work to determine what safeguards are necessary based on the
specific vulnerabilities of the particular organization (risk analysis) ,
the consequences of a breach and general good security practices.
• Documentation critical
50
Be Prepared
Need for breach preparation
•
•
•
•
•
•
Create an incident response team
Create and document response procedures
Communicate regularly
Seek and obtain senior management support and resource
commitment
Arrange for service providers that will be needed to respond
Document, document, document
51
Evaluate Risky Areas
•
•
•
•
•
•
•
•
•
•
•
Collection of information over the Internet and email
Access to sensitive files by employees and independent contractors
Dispersed systems, data; duplication (and more) of data
Access to credit card, health, financial information
Transmission, storage, and disposal of computerized data, including data contained
on disks and hard drives and equipment disposal
Data to be transmitted to any third party
Storage and disposal of paper records
Data center moves/consolidations
Transfer and use by service provider/outsourcing
Mobile computing and employee owned devices
Logging and monitoring (employees, system access, phones/internet/email)
52
Technical Measures
Technical Security relates to the protection of electronic
information through methods including:
•
•
•
•
•
•
•
Access control: unique user ID, auto logoff, need to know
Monitoring: log-in, movement of ePHI
Audit: who accessed, how and when modified
Encryption: at rest (server, laptop, mobile), in transmission
Authenticating: confirming identity, managing accounts
Firewalls, anti-virus, and anti-spyware protections
Changing default settings and thereafter periodically changing of
(non-default) IDs and passwords for internet facing devices
53
Technical Measures
• Basic rules for employees
–
–
–
–
Do not email sensitive or special PI
Do not access more than that which is needed
Create and use secure documents
Use passwords
• System deployment and approval processes – what needs to
happen before you flip the switch
• Eliminate unnecessary data and keep tabs on what is left
• Monitor and mine event logs
• Ensure essential controls are met: regularly check they remain
so
54
Technical Measures*
Hacking: use of stolen credential
• Use two factor authentication
• Change passwords on suspicion of theft
• Time of use rules
• IP blacklisting
• Restricting administrative connections
* From Verizon 2012 DBIR pgs 63-66
55
Technical Measures*
Malware: Backdoor, command and control
Hacking: Exploitation of backdoor or command and
control channel
•
Egress filtering
•
Use of proxies for outbound traffic
•
IP blacklisting
•
Host IDS or integrity monitoring
•
Restrict user administrative rights
•
Personal firewalls,
•
DLP tools
•
Antivirus, and antispyware tools
•
Web browsing policies
* From Verizon 2012 DBIR pgs 63-66
56
Technical Measures*
Physical Tampering
• Train employees and customers to look for and detect signs of tampering
and to do so through out the day
• Set up and train staff on a procedure for service technicians including a
method to schedule and authenticate technicians and maintenance
vendors
• Push vendor for anti-tamper technology/features or only purchase POS
and Pin devices with anti-tamper technology
* From Verizon 2012 DBIR pgs 63-66
57
Technical Measures*
Keylogger/Form-grabber/spyware
•
•
Restrict Administrative rights
Code signing
•
•
•
•
•
•
•
•
•
•
Use of live boot CDs
Onetime passwords
Anti-virus and anti-spyware
Personal firewalls
Web content filtering and blacklisting
Egress filtering
Host IDS(HIDS) or integrity monitoring
Web browsing policies
Security awareness training
Network segmentation
* From Verizon 2012 DBIR pgs 63-66
58
Technical Measures*
Pretexing (Social Engineering)
• General security awareness training
• Clearly defined policies and procedures
• Train staff to recognize and report suspected pretexting attempts
• Verify suspect requests through trusted methods and channels
• Restrict corporate directories ( and similar sources of information) from
public access
* From 2012 Verizon DBIR pgs 63-66
59
Technical Measures*
Brute-force attack
• Use technical means of enforcing password policies
• Account lockouts
• password throttling
• password cracking tests
• access control lists
• restrict administrative connections
• two factor authentication
• CAPTCHA
* From 2012 Verizon DBIR pgs 63-66
60
Technical Measures*
SQL injection
•
Secure development practices
•
Input validation
•
Use of parameterized and/or stored procedures
•
Adherence to principles of least privilege for database accounts
•
Removal of unnecessary services
•
System hardening
•
Disable output of data base error messages to the client
•
Application vulnerability scanning
•
Penetration testing
•
Web application firewall
* From 2012 Verizon DBIR pgs 63-66
61
Technical Measures*
Unauthorized access via default credentials
•
Change default credentials (prior to deployment)
•
Delete or disable default account
•
Scan for known default passwords (following deployment)
•
Password rotation
•
Inventory of remote administrative services (especially those used by third parties)
•
For third parties: contracts (stipulating password requirements)
•
Consider sharing administrative duties
•
Scan for know default passwords (for assets supported by third parties)
* From 2012 Verizon DBIR pgs 63-66
62
Technical Measures*
Phishing( and endless *ishing variations)
•
General security awareness training
•
Clearly defined policies and procedures
•
Policies regarding use of email for administrative functions
•
Train staff to recognize and report suspected phishing messages
•
Configure email clients to render HTML emails as text
•
Anti-spam
•
Email attachment virus checking and filtering
The slides with an asterisk (*) contain the recommendations from the Verizon 2012 Data Breach
Investigation Report pages 63-66
*From Verizon 2012 DBIR pgs 63-66
63
Breach Incident Processing
•
•
•
•
•
•
•
•
•
Assemble the team and dust off the plan
Stop the bleeding
Determine the injury
Involve those with whom prior arrangements
were made as necessary
Notify as required in an appropriate manner
Report to authorities as required
Document actions and reasons for them
Fix the concern
Evaluate and revise as necessary
Breach Incident Processing
According to Regulatory advice in the event of an incident do:
• Immediately isolate affected systems to prevent further intrusion loss of
data or other damage
• Email traffic may be monitored; Use the telephone or other reasonably
secure means to communicate (VOIP?)
• Notify law enforcement
• Activate all auditing software if not already activated
• Preserve pertinent system logs
• Make backup copies of damages or altered files and keep them securely
• Identify where affected system resides in network topology
• Identify all systems and agencies that connect to affected system
• Identify programs and processes that operate on the affected system,
impact of the disruption and max allowable outage time
• If necessary make arrangements for continuity of services
Don’t delete, move or alter files, contact suspected perp., or do forensic
analysis
Breach Notification
•
•
•
•
Internal processes
Training
Policies and practices
Supplier action implications
Others Countries with Privacy/Security
Rules
•
•
•
•
•
•
•
•
•
•
•
Argentina
Australia
Austria
Belgium
Brazil (Pending)
Bulgaria
Canada
Chile
China (Pending)
Colombia
Costa Rica
(Pending)
• Cyprus
• Czech
Republic
• Denmark
• Ecuador
(Pending)
• Estonia
• Finland
• France
• Germany
• Greece
• Hong Kong
• Hungary
• Iceland
Others with Security Rules
•
•
•
•
•
•
•
•
•
•
•
•
India
Irish Republic
Israel
Italy
Japan
Latvia
Lichtenstein
Lithuania
Luxembourg
Malaysia
Netherlands
New Zealand
•
•
•
•
•
•
•
•
•
•
•
•
Norway
Paraguay
Peru
Philippines (Pending)
Poland
Portugal
Romania
Russia
Serbia
Singapore
Slovakia
Slovenia
Others with Security Rules
•
•
•
•
•
•
•
South Africa (Pending)
South Korea
Spain
Sweden
Switzerland
Taiwan
Thailand (Pending)
•
•
•
•
•
•
•
Tunisia
Turkey (Pending)
UAE (DIFC)
United Kingdom
United States
Uruguay
Vietnam (Pending)
Questions?
Keith A. Cheresko
Privacy Associates International LLC
[email protected]
www.privassoc.com
(248) 535-2819
Contact Information
Keith A. Cheresko
Privacy Associates International LLC
[email protected]
www.privassoc.com
(248) 535-2819