PCI Security and Compliance
CCIA Fall Meeting – 7th October 2011
John Clark
COO, ExoIS
AGENDA
• ExoIS
• PCI Compliance
– Rules
– Breaches
– Process
– Costs
• Educational Institution – Example
• Achieving Compliance
ExoIS
• Based in Silicon Valley
• Operating for 10+ years
• Practices:
– PCI Qualified Security Assessor (QSA)
– PeepSafe Secure Portal
– Information Security and Compliance Services
– Secure Cloud Services
– IT Support Services
www.ExoIS.com
PCI (Payment Card Industry) 101
• What are Payment Cards?
– Credit, Debit, and Cash Cards (prepaid)
– Can be Consumer and Commercial based (Corporate Cards & P-Cards)
• Payment Cards Structure and Relationships?
– Payment Card Brands
– Cardholders
– Issuers
– Merchants
– Acquirer (aka Payment Processor)
  • Usually the Merchant’s Bank
PCI 101 (Continued)
• Payment Card Transaction Lifecycle (diagram)
What it means to be PCI compliant
The organization must comply with the Payment Card Industry Data
Security Standards (PCI-DSS) for everything that is “In Scope”
Any system that (or any system that is connected to a system that)
stores, processes or transmits cardholder data is considered to be
“In Scope”
The PCI-DSS is a GLOBAL standard that requires that
organizations handling payment card data:
• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Develop and maintain an information security policy
Payment Card
Total cards in circulation in the US in 2010:
– Visa: 397 million
– MasterCard: 123 million
Cardholder Data and Sensitive Authentication Data Elements
• Cardholder data is defined as the primary account number (“PAN,” or credit card number) and other data obtained as part of a payment transaction, including the following data elements:
– PAN
– Cardholder Name
– Expiration Date
– Service Code
(These data elements must be protected if stored in conjunction with the PAN)
– Sensitive Authentication Data:
  • (1) full magnetic stripe data
  • (2) CAV2/CVC2/CVV2/CID
  • (3) PINs/PIN blocks
(These data elements must not be stored after authentication)
• The Primary Account Number (PAN) is the defining factor in the applicability of PCI DSS requirements and PA-DSS.
• If PAN is not stored, processed, or transmitted, PCI DSS and PA-DSS do not apply.
• Key Areas of PCI DSS:
– Consists of 6 Domains, 12 Core Requirements and around 250 Controls
– Updated annually based on incidents and comments from the PCI community members
Domains and Requirements
I. Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
II. Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
III. Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
IV. Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
V. Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
VI. Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees and contractors
What “Merchant Tier / Level” Are You?
Level 1
– Visa: Over 6 million Visa transactions annually, OR global merchants identified as Level 1 by any Visa Region
– MasterCard: Over 6 million combined MasterCard and Maestro transactions annually, OR any merchant MasterCard deems to be Level 1
– JCB: Over 1 million JCB International transactions annually
– AMEX: Over 2.5 million AMEX transactions annually, OR any merchant AMEX deems to be Level 1
– Discover: Over 6 million transactions on the Discover network annually, OR any merchant Discover deems to be Level 1
Level 2
– Visa: 1 million to 6 million Visa transactions annually
– MasterCard: 1 million to 6 million combined MasterCard and Maestro transactions annually
– JCB: Less than 1 million JCB International transactions annually
– AMEX: 50,000 to 2.5 million AMEX transactions annually, OR any merchant AMEX deems to be Level 2
– Discover: 1 million to 6 million transactions on the Discover network annually
Level 3
– Visa: 20,000 to 1 million Visa ecommerce transactions annually
– MasterCard: 20,000 to 1 million MasterCard and Maestro ecommerce transactions annually
– AMEX: Less than 50,000 AMEX transactions annually
– Discover: 20,000 to 1 million card not present (ecommerce) transactions on the Discover network annually
Level 4
– Visa: Less than 20,000 Visa ecommerce transactions annually / up to 1 million Visa transactions annually
– MasterCard: All other MasterCard merchants
– Discover: All other Discover network merchants
Note: Any merchant suffering from a Data Breach is automatically escalated to Level 1 Merchant status, which means annual on-site PCI QSA assessments until further notice.
Also: if you are deemed Level 1 by any Payment Brand you will be Level 1 across the board.
All Levels: Quarterly network scan by ASV, except for Visa Level 4 & Amex Level 3 (recommended)
Payment Card Industry - PCI
• If you store, process or transmit cardholder data you are
contractually required to adhere to the PCI Data Security
Standards (PCI-DSS).
• 85 percent of data breaches occur at Level 4 merchants
• Any data breach results in escalation to Level 1 merchant
(annual, on-site PCI QSA assessments until further notice)
• The fines and compensation imposed from the Payment
Brands – coupled with State and Federal fines – can be
substantial.
US Contractual Basis vs Regulatory Basis
Non-compliance with PCI can lead to ramifications at two levels: Contractual & Regulatory
• Contractual:
– PCI is a contractual obligation and therefore legally binding
– Fines and increased commission levels
– Non-compliance / data breaches can cause card processing to be revoked
– Lawsuits will result from data breaches
– Brands will elevate any company with a breach to Tier 1 Merchant status for PCI-DSS purposes
• Regulatory:
– Incidents involving Payment Cards can trigger Privacy Laws - Data Breach Notification – currently required in over 45 states
– Within the USA – if the data breach spans multiple states, it becomes a Federal issue
Largest Credit Card Breach Results in over $110 Million in Fines
• Heartland Payment Systems (one of the largest payment processors in U.S.) has paid over $110 million in fines and $26 million in legal costs due to a security breach where hackers stole data from over 130 million credit and debit cards.
2008, 2009?
Largest Data Breach in Retail
Over $75M in fines / settlements
• Mag-stripe data involving 65 million Visa cards were exposed, resulting in a $500,000 fine “due to the seriousness of this security incident and the impact on the Visa system.” A separate $380,000 fine was imposed for “TJX’s failure to cease storing prohibited data.” TJX struck a $40.9 million settlement with Visa to compensate Visa card issuers for breach-related costs.
• Data from 29 million MasterCard cards exposed. TJX settled with MasterCard for $24 million.
• TJ Maxx stores settled charges with 41 states and agreed to pay $9.75 million to the states and to implement and maintain a comprehensive information security program, designed to safeguard consumer data and address any weaknesses in TJX's systems in place at the time of the breach.
2005, 2006, 2007?
Data Breaches – Business Impact
Data Breach → Your organization will become a Level 1 Merchant
• Tangible Costs:
– The cost of a data breach for a Level 4 merchant averages $36,000 and can be as high as $50,000 (or more). In other words, more than enough to cripple—or even destroy—a small business
  • $3 to $10 per card for replacement costs
  • $5,000 to $50,000 (or more) in compliance fines
  • Loss of revenue from suspension of credit card transactions / blacklisting
  • Additional fines based on the actual fraudulent use of the cards, which will vary depending on the number of cards exposed
– Average cost per data item lost = $243 (2009 Ponemon Institute)
• Intangible Costs:
– Deployment of mitigation and root cause fixes
– Lost revenue due to negative impact to brand / market share
– Ongoing impact from press coverage on data breaches
At 26th September 2011 …
Running Total of Records Breached = 535,697,538 from 2,702 Data Breaches made public since 2005
http://www.privacyrights.org/sites/default/files/static/Chronology-of-Data-Breaches_-_Privacy-Rights-Clearinghouse.pdf
Note: US figures only
Latest Trends in Data Breaches
1. Lost / stolen laptops with data (includes drives / CDs / back-ups, etc.)
2. Vendor / service provider was breached
3. Break-ins / theft of assets – computers / hard copy records
4. External Hacks / Malware into company assets
5. Logical access / user privileges
6. Improper disposal of assets / paper records
Typical Security and Compliance Activities
(Process diagram: Health Check or Audit → Gap Analysis → Remediation report → Remediation Projects → Annual Assessment → Certification; with Vulnerability Scanning and Penetration Testing as recurring activities)
Non-technical analogy
Health Check or Audit: You have one leg shorter than the other
Gap Analysis: Add 3” to your left leg, or take 3” off your right leg
Remediation report: Get a built-up left shoe @ $400, or surgery on your right leg @ $9,500
Remediation Projects: Buying and fitting the built-up shoe
A Typical Educational Institution
(Several Campuses and many separate departments accepting payment cards)
Most likely set of findings:
• Need policies, procedures and awareness program
• Multiple collection points (email, fax, phone)
• Extensive paper trails with no business justification
• Unknown cardholder data in ‘out of scope’ systems
• Unsolicited, pervasive email with cardholder data
• No vendor management
• Third party e-Commerce sites used to enter cardholder data from corporate network
Understanding PCI Scope
• Consider how many systems can be involved when you
– Take cardholder data over the phone?
– Receive cardholder data by fax?
– Receive cardholder data in email?
– Store, process or transmit cardholder data?
Ask yourself if there is any way to cost effectively reduce or
remove any or all of these applications, systems and
processes from PCI scope?
• Soliciting cardholder data over unsecured messaging systems is
actually PROHIBITED.
Security Policies & Administration
• Full Policies and Standards Lifecycle Management
• Recurring operational security tasks
• Usage policies for critical employee-facing technologies (email, fax, voice, hard copy)
• Define roles & responsibilities
• Assign ownership
• Employee screening
• Incident Response Program
• Annual Risk Assessments etc.
The more the environment is de-scoped or outsourced, the bigger the reduction in overhead!
Security Awareness Programs
• A strong security policy sets the security tone for the whole
company and informs employees what is expected of them.
• All employees need to be aware of the sensitivity of data and
their responsibilities for protecting it (training program with
records).
• For the purposes of this requirement, “employees” refers to
full-time and part-time employees, temporary employees and
personnel, and contractors and consultants who are
“resident” on the company’s site.
• Induction, training and campaigns must be ongoing. Most
effective method is CBT (Computer Based Training)
Discovery and Removal of Cardholder Data
• Payment card numbers are most often found in the following locations:
– Payment server log files
– Staff documents (Spreadsheets, Word documents)
– Email data files (Inbox and Sent Items)
– Application Databases (Flat files, Text Files)
– Browser History and File Cache
• Tools exist for identifying payment card information across the computer systems of an entire organization
• Tools produce a report of this status for use in any security compliance audit
• Prevent re-contamination (Gateway Filter)
Vendor Management
• Develop controls / policies and procedures for reviewing / approving / audit / de-selection of Vendors / Suppliers that are involved in capturing / storing / transmitting / disposal of CHD
• Maintain records of annual PCI compliance / certifications for each vendor.
• Ensure that contractual requirements / purchasing terms and conditions flow down to the suppliers / vendors and reflect the appropriate requirements of PCI-DSS
• Maintain a centrally controlled list of Approved Vendors for PCI-DSS that is available to all departments with FHDA
Vendor Security Management Tool (screenshot)
Corporate Compliance?
Getting the organization’s In Scope systems and processes into compliance can be a massive undertaking
The compliance projects usually are:
• Very large (hundreds of man years of effort)
• Time consuming (multiple years in duration)
• Resource intensive (require headcount & specific skill sets)
• Expensive ($$$)
and always are:
• Continuous (never ending)
There is an alternative …
PCI Compliance Without the Expense of a New IT Infrastructure
PCI compliant SaaS solutions allow organizations to de-scope entire functions and network segments with minimal cost and time, without any requirement to change internal systems or business processes.
PeepSafe™
• PeepSafe™ is hosted by a fully managed, level 1 PCI DSS compliant hosting provider. Managed controls include:
– Firewalls and Intrusion Detection
– Annual Penetration Testing
– Anti-virus and Patch Management
– Centralized Logging and Monitoring
– Physical Security
– Quarterly Scans (internal and external)
– SSL Certification
– File Integrity Monitoring
(Note: These are ALL controls that would need to be implemented within your corporate environment if you did not use PeepSafe™)
From At Risk to Out of Scope
PeepSafe™ is a fully managed, secure portal environment. Using PeepSafe™ to manage internal systems (networks, email, applications and databases) allows PCI involved systems and functions to move from “at risk” to “out of scope”.
(Diagram: Exposed – Phone, Fax, Email; Store, Process, Transmit → Secure – Phone, Fax, Email; Store, Process, Transmit)
PeepSafe™ also offers options to move employees’ desktops out of scope, and even, to move “employees” out of scope
PeepSafe™ can de-scope entire functions and network segments
Process
Case Study 1 - Order Entry Without PeepSafe™
(Diagram: Browser → Payment Gateway Site, all within PCI Scope)
Agent connects to payment gateway to manually enter and process payment information.
Case Study 1 - Order Entry With PeepSafe™
(Diagram: Browser → SSLVPN → PeepSafe™ (PCI Compliant) → Payment Gateway Site)
Optional features:
- Disabling of print screen
- Cut and paste disabled between portal and desktop
- End point security
Virtual keyboard in the PeepSafe™ portal or manual entry of payment information into the telephone keypad de-scopes the desktop
Case Study 2 - Receive and Process Orders Without PeepSafe™
(Diagram: Phone, Fax, Email; Store, Process, Transmit; Browser → Payment Gateway Site; all within PCI Scope)
Agent receives payment data from customers using corporate systems such as email and fax, and stores it in local file repositories. They connect to the payment gateway from the corporate network.
Case Study 2 - Receive and Process Orders With PeepSafe™
(Diagram: Fax and Browser connect over SSLVPN to PeepSafe™ (PCI Compliant), which connects to the Payment Gateway Site)
In-Bound Gateway Filter
(Diagram: Mail / Messaging → Filter → Quarantine inside PeepSafe (PCI Scope); Browser → Remote Desktop Session)
A Filter monitors traffic and redirects payment data to an encrypted Quarantine within the Portal, thereby ensuring that the corporate environment does not get brought back into scope.
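The discovery scan described on the “Discovery and Removal of Cardholder Data” slide, the masked-PAN display rule from the data-elements slide, and the in-bound filter above all share one core: find Luhn-valid PANs in free text, report them masked, and hold any message that carries one. The following is an added example, not ExoIS, PeepSafe or PCI SSC code; the 13 to 19 digit window, the first-six/last-four masking, and the sample log, CSV and mail text are constructed assumptions.

```python
"""PAN discovery and in-bound quarantine filter (added example, not from the deck).

Assumptions: a PAN candidate is 13 to 19 digits, optionally split by single
spaces or dashes; only Luhn-valid candidates are treated as PANs; reports and
forwarded copies show at most the first six and last four digits.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# 13-19 digits with optional single space/dash separators, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits; everything else becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN in text as a bare digit string."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def redact(text: str) -> str:
    """Replace each Luhn-valid PAN in text with its masked form; other numbers are left alone."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(_mask, text)


@dataclass
class Finding:
    source: str
    line_no: int
    masked_pan: str


def scan_sources(sources: dict[str, str]) -> list[Finding]:
    """Discovery scan over file-like sources (name -> content); the report never holds a full PAN."""
    findings = []
    for name, content in sources.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            for pan in find_pans(line):
                findings.append(Finding(name, line_no, mask_pan(pan)))
    return findings


def filter_inbound(message: str) -> tuple[str, str]:
    """Gateway-filter decision for one in-bound message.

    ("quarantine", redacted_copy): a PAN is present; the original is held in the
    encrypted quarantine and only the redacted copy reaches the corporate mailbox.
    ("deliver", message): no PAN found, the message passes unchanged.
    """
    if find_pans(message):
        return "quarantine", redact(message)
    return "deliver", message


# Constructed sample data: the card numbers are commonly published Luhn-valid test
# numbers; the two 16-digit values on log lines 2 and 3 deliberately fail Luhn.
SAMPLE_SOURCES = {
    "payment-server.log": (
        "2011-10-07 09:14:02 INFO order=1002931 card=4111 1111 1111 1111 amount=49.00\n"
        "2011-10-07 09:14:03 INFO order=1002932 card=4111111111111112 declined\n"
        "2011-10-07 09:15:10 INFO healthcheck ok ticket=1234567890123456\n"
    ),
    "refunds.csv": "name,card,amount\nJ. Doe,378282246310005,12.50\n",
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f.source}:{f.line_no}: {f.masked_pan}")
    print(filter_inbound("Please charge 5500-0000-0000-0004 for the registration fee"))
```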
In-Bound Gateway Filter: On Premise
(Diagram: same components as the previous slide, with the Mail system on premise in front of the Filter; the filter description is identical)
PeepSafe™
• PeepSafe™ internal systems are tested for compliance and validated according to specific customer needs
• Minimal impact to existing systems
• Minimal changes to existing processes
• Support for multiple existing environments
• Payment gateway agnostic
• Implementation in days (not months/years)
• Optional enhancements to take desktops and even agents out of scope, including endpoint controls
• Optional training and awareness, SAQ completion and policies and standards.
Password discovered in recent audit:
MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento
PCI Security and Compliance
SUMMARY
CCIA Fall Meeting – 7th October 2011
• Evaluate your own PCI situation
• De-scope as much as possible
• Remove historical prohibited data
• Protect your environment (Gateway Filter)
Do it now, do it quickly and keep doing it!
Thank You!
Back-up
PCI-DSS Periodic - At Least Daily / Weekly
Daily
– 10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS).
  • Note: Log harvesting, parsing, and alerting tools may be used
Weekly
– 11.5 Verify the use of file-integrity monitoring products within the cardholder data environment by observing system settings and monitored files, as well as reviewing results from monitoring activities
  • Examples of files that should be monitored:
  – System executables
  – Application executables
  – Configuration and parameter files
  – Centrally stored, historical or archived, log and audit files
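A minimal file-integrity check of the kind requirement 11.5 asks you to verify, as an added example (not a product or PCI SSC tool): it fingerprints the monitored tree, keeps the baseline outside that tree, and reports added, removed and modified files, counting a permission change on an executable as a modification. The directory layout, file names and edits in the demo are constructed.

```python
"""File-integrity monitoring baseline and check (added example, not from the deck).

Assumptions: files are identified by path relative to a monitored root and
compared on SHA-256 of content, size and permission bits; the baseline is a
JSON file kept outside the monitored tree (ideally on a separate, read-only store).
"""
from __future__ import annotations

import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Content hash plus the metadata most likely to change when a file is tampered with."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: Path) -> dict[str, dict]:
    """Fingerprint every regular file under root (system and application
    executables, configuration and parameter files, archived logs, ...)."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def compare(baseline: dict[str, dict], current: dict[str, dict]) -> dict[str, list[str]]:
    """Diff two snapshots; 'modified' covers content, size or permission changes."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def save_baseline(baseline: dict[str, dict], path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict[str, dict]:
    return json.loads(path.read_text())


def demo() -> dict[str, list[str]]:
    """Constructed walk-through: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "cde-host"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=db01\nlog_level=info\n")
        (root / "bin" / "payment-svc").write_bytes(b"constructed placeholder binary")
        baseline_file = Path(tmp) / "baseline.json"  # stored outside the monitored root
        save_baseline(build_baseline(root), baseline_file)

        # Changes that happen between two weekly reviews:
        (root / "etc" / "app.conf").write_text("db_host=db01\nlog_level=debug\n")  # config edited
        (root / "bin" / "helper").write_bytes(b"unexpected new binary")            # file added
        os.chmod(root / "bin" / "payment-svc", 0o4755)                              # setuid bit set

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```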
PCI-DSS Periodic - At Least Quarterly
Quarterly
– 3.1 Verify that policies and procedures include a programmatic (automatic)
process to remove, at least on a quarterly basis, stored cardholder data that
exceeds business retention requirements, or, alternatively, requirements for a
review, conducted at least on a quarterly basis, to verify that stored
cardholder data does not exceed business retention requirements
– 8.5.5 Remove/disable inactive user accounts at least every 90 days
– 8.5.9 Change user passwords at least every 90 days
– 11.1 Test for the presence of wireless access points by using a wireless
analyzer at least quarterly or deploying a wireless IDS/IPS to identify all
wireless devices in use
– 11.2 Run internal and external network vulnerability scans at least quarterly
and after any significant change in the network (such as new system
component installations, changes in network topology, firewall rule
modifications, product upgrades).
• Note: Quarterly external vulnerability scans must be performed by an Approved
Scanning Vendor (ASV) qualified by Payment Card Industry Security Standards
Council (PCI SSC). Scans conducted after network changes may be performed by the
company’s internal staff.
PCI-DSS Periodic - At Least Six Monthly / Annually
Six Monthly
– 1.1.6a Verify that firewall and router configuration standards require review of firewall and router rule sets
at least every six months
– 1.1.6b Obtain and examine documentation to verify that the rule sets are reviewed at least every six months
At Least Annually
– 3.6.4 Verify that key-management procedures are implemented to require periodic key changes at least
annually
– 6.6 Review public-facing web applications via manual or automated application vulnerability security
assessment tools or methods, at least annually and after any changes
– 9.5 Verify that the storage location is reviewed at least annually to determine that back-up media storage is
secure
– 9.5.b Verify that the storage location security is reviewed at least annually.
– 9.9.1 Properly maintain inventory logs of all media and conduct media inventories at least annually
– 11.3 Perform external and internal penetration testing at least once a year and after any significant
infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network
added to the environment, or a web server added to the environment). These penetration tests must
include the following:
• Network-layer penetration tests
• Application-layer penetration tests
– 12.1.2 Verify that the information security policy includes an annual risk assessment process that identifies
threats, vulnerabilities, and results in a formal risk assessment
– 12.1.3 Verify that the information security policy is reviewed at least annually and updated as needed to
reflect changes to business objectives or the risk environment
– 12.1.6b Verify that employees attend awareness training upon hire and at least annually
– 12.6.2 Verify that the security awareness program requires employees to acknowledge (for example, in
writing or electronically) at least annually that they have read and understand the company’s information
security policy
– 12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
– 12.9.2 Test the incident response plan to be implemented in the event of system breach at least annually
PCI DSS – Store / Record
• 9.1.1 Use video cameras or other access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law
• 9.4.a Verify that a visitor log is in use to record physical access to the facility as well as for computer rooms and data centers where cardholder data is stored or transmitted.
• 9.4.b Verify that the log contains the visitor’s name, the firm represented, and the employee authorizing physical access, and is retained for at least three months.
• 9.5 Store media back-ups in a secure location, preferably an off-site facility, such as an alternate or back-up site, or a commercial storage facility
• 10.3 Record at least the following audit trail entries for all system components for each event
– User identification
– Type of event
– Date and time
– Success or failure indication
– Origination of event
– Identity or name of affected data, system component, or resource
• 10.7.b Verify that audit logs are available for at least one year and processes are in place to restore at least the last three months’ logs for immediate analysis
PCI-DSS Sections 1 – 3 - Do Not…
• Allow direct public access between the Internet and any system component in
the cardholder data environment
• Allow any direct routes inbound or outbound for traffic between the Internet
and the cardholder data environment
• Allow internal addresses to pass from the Internet into the DMZ
• Allow outbound traffic from the cardholder data environment to the Internet
• Use vendor-supplied default passwords
– include passwords, simple network management protocol (SNMP) community strings,
and elimination of unnecessary accounts
• Store sensitive authentication data after authorization (even if encrypted)
• Store the full contents of any track from the magnetic stripe
– full track, track, track 1, track 2, and magnetic-stripe data
• Store the card-verification code or value (CVV2)
• Store the personal identification number (PIN) or the encrypted PIN block
• Display full PAN - except for those with a legitimate business need to see full PAN
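A pre-storage check that enforces the prohibitions above, as an added example (not code from the deck or from PCI SSC): it refuses any record carrying sensitive authentication data, including magnetic-stripe track data recognised by its ISO 7813 layout, and replaces the PAN with a keyed one-way hash plus the last four digits before anything is persisted. The field names, record layout and demo key are constructed; a real key would be managed under the requirement 3 key-management controls.

```python
"""Pre-storage check for payment records (added example, not from the deck).

Assumptions: records are dicts built by the application; the names in
PROHIBITED_FIELDS are the constructed names this application uses for
sensitive authentication data; DEMO_KEY is a placeholder, and in practice the
HMAC key is managed under the requirement 3 key-management controls.
"""
from __future__ import annotations

import hashlib
import hmac
import re

# Sensitive authentication data must never be stored after authorization,
# even encrypted: track data, card verification values, PIN / PIN block.
PROHIBITED_FIELDS = {"track1", "track2", "magstripe", "cvv2", "cvc2", "cav2", "cid", "pin", "pin_block"}

# Magnetic-stripe layouts (ISO 7813): track 1 '%B<PAN>^<name>^<YYMM>...', track 2 ';<PAN>=<YYMM>...'.
TRACK1 = re.compile(r"%?B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2 = re.compile(r";?\d{13,19}=\d{4}")

DEMO_KEY = b"constructed-demo-key-replace-me"  # placeholder, not a real key


class StorageViolation(ValueError):
    """Raised when a record must not be written to any data store."""


def find_violations(record: dict) -> list[str]:
    """List every reason the record may not be stored as-is."""
    problems = []
    for key, value in record.items():
        if key.lower() in PROHIBITED_FIELDS:
            problems.append(f"field '{key}' is sensitive authentication data")
        if isinstance(value, str) and (TRACK1.search(value) or TRACK2.search(value)):
            problems.append(f"field '{key}' contains magnetic-stripe track data")
    return problems


def is_storable(record: dict) -> bool:
    return not find_violations(record)


def pan_reference(pan: str, key: bytes) -> dict[str, str]:
    """Render the PAN unreadable: keyed one-way hash for matching, last four for display."""
    return {
        "pan_hmac": hmac.new(key, pan.encode("utf-8"), hashlib.sha256).hexdigest(),
        "pan_last4": pan[-4:],
    }


def prepare_for_storage(record: dict, key: bytes = DEMO_KEY) -> dict:
    """Return the record as it may be persisted, or raise StorageViolation."""
    problems = find_violations(record)
    if problems:
        raise StorageViolation("; ".join(problems))
    stored = {k: v for k, v in record.items() if k.lower() != "pan"}
    if "pan" in record:
        stored.update(pan_reference(record["pan"], key))
    return stored


# Constructed sample records (a published test card number, invented order data).
GOOD_RECORD = {"order_id": "1002931", "pan": "4111111111111111", "expiry": "1213", "amount": "49.00"}
BAD_RECORD = {
    "order_id": "1002932",
    "pan": "4111111111111111",
    "cvv2": "123",                                    # prohibited field
    "swipe": ";4111111111111111=12131011234567890?",  # full track 2 in a free-text field
}

if __name__ == "__main__":
    print(prepare_for_storage(GOOD_RECORD))
    print(find_violations(BAD_RECORD))
```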
PCI-DSS Sections 4 – 8 - Do Not…
• Send unencrypted PANs by end-user messaging technologies (for example, email, instant messaging, chat)
• Allow production data (live PANs) to be used for testing or development
• Allow users access to system components or cardholder data before
allocating them a unique ID
– Audit trail – log data
• Use group, shared, or generic accounts and passwords
• Allow an individual to submit a new password that is the same as any of the
last four passwords he or she has used
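One way to implement the last-four rule above, as an added example (not code from the deck): each retired password keeps its own salted PBKDF2 hash, and a new password is rejected while it still matches the current one or any of the four before it. The iteration count and the account data are assumptions.

```python
"""Password-history check: reject reuse of the current or last four passwords
(added example, not from the deck).

Assumptions: hashes are PBKDF2-HMAC-SHA256 with a per-password random salt
(the iteration count is an assumption); the history depth of four is the
slide's rule. Nothing here keeps a password in clear text.
"""
from __future__ import annotations

import hashlib
import hmac
import os

HISTORY_DEPTH = 4          # previous passwords retained for comparison
PBKDF2_ROUNDS = 100_000    # assumption; tune to the deployment's hardware


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class Account:
    """Unique, per-person account (no shared or generic logins) with a password history."""

    def __init__(self, user_id: str, initial_password: str) -> None:
        self.user_id = user_id
        self.current = hash_password(initial_password)
        self.history: list[tuple[bytes, bytes]] = []  # oldest first, newest last

    def reused(self, password: str) -> bool:
        """True if password equals the current one or any retained previous one."""
        return any(verify(password, salt, digest) for salt, digest in [self.current, *self.history])

    def change_password(self, new_password: str) -> bool:
        """Apply the change and return True, or return False if new_password is a reuse."""
        if self.reused(new_password):
            return False
        self.history.append(self.current)
        del self.history[:-HISTORY_DEPTH]  # keep only the last four retired passwords
        self.current = hash_password(new_password)
        return True

    def login(self, password: str) -> bool:
        return verify(password, *self.current)


def demo() -> list[bool]:
    """Constructed walk-through: four changes, then attempts to go back to the original."""
    acct = Account("jdoe", "Autumn-2011-Leaves")
    results = [acct.change_password(p) for p in
               ("Pw-two-2011", "Pw-three-2011", "Pw-four-2011", "Pw-five-2011")]
    results.append(acct.change_password("Autumn-2011-Leaves"))  # still within last four -> False
    results.append(acct.change_password("Pw-six-2011"))         # pushes the original out of the window
    results.append(acct.change_password("Autumn-2011-Leaves"))  # now allowed -> True
    return results


if __name__ == "__main__":
    print(demo())
```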
PCI-DSS Sections 9 – 12 - Do Not…
• Allow general physical access to publicly accessible network jacks or
wireless access points, gateways, and handheld devices
• Store media containing cardholder data when it is no longer needed for
business or legal reasons
• Dispose of electronic media where cardholder data can be reconstructed
– Utilize a secure wipe program in accordance with industry-accepted standards
for secure deletion, such as degaussing, or physically destroy the media
• Dispose of hard copy records containing CHD / sensitive authentication
data in an unsafe manner (landfill / trash, etc.)
Breaches in Education
• A stolen storage device contained the credit information of 147 parents and freshmen. The device was stolen from a secure room on November 8.
• Phone numbers, credit card numbers and credit card expiration dates for participants in the Dartmouth Outdoor Club First Year Program were on the device.
Type of Incident: Portable device
Possible Mitigation Steps:
– Business need for data storage
– Storing of non encrypted data
– Physical security
– Monitoring of access to secure areas
• Ohio State revealed a data breach Wednesday that has jeopardized the identities of 760,000 people and could cost the university $4 million in fees for investigating the root cause of the breach (this does not include any provisions for possible lawsuits / fines)
• The university notified current and former faculty, students, applicants and others affiliated with the university that hackers had accessed the server that stored their names, Social Security numbers, dates of birth and addresses – it does not appear that any financial / credit card information was breached.
• OSU has had several data breaches in the past.
Type of Incident: Hacking or Malware
Possible Mitigation Steps:
– AV programs up to date
– Storing of non encrypted data
– Track and monitor access – logs / IDS
– Password access for mobile devices
• The HISD may have experienced a hacking incident over the weekend of October 24.
• Employees and students were unable to access the Internet, online classes and email until late Tuesday afternoon.
• Payroll information of workers and academic information of students may have been compromised along with other personal information.
• Up to 30,000 employees may have been affected with the total number including students as high as 232,000.
Type of Incident: Hacking or Malware
Possible Mitigation Steps:
– AV programs up to date
– Storing of non encrypted data
– Track and monitor access – logs / IDS
– Password access for mobile devices
• Unencrypted files that were placed on the faculty web server exposed student information.
• Student names, Social Security numbers, birth dates, addresses and academic information were placed on the server in December of 2009. Students who attended UHWO in Fall of 1994 or graduated between 1988 and 1993 were affected.
• A much larger number of students who attended the University of Hawai'i Mānoa between 1990 and 1998 were also affected. The files were removed on October 18 after a privacy group notified the University. The server was quickly removed from the network. The faculty member who accidentally placed the file on the server retired before the breach was discovered.
• Around 259,000 private records have been exposed by the University of Hawai'i since 2005.
Type of Incident: Unintended disclosure
Possible Mitigation Steps:
– Separation of Test and Production data
– Network Segmentation
– Asset Management
• An unnamed third-party vendor that hosted the organization's jflac.org website experienced a security incident.
• Customers who made purchases related to Japanese Language Proficiency Testing for 2009 and 2010 may have had their names, dates of birth and credit card information accessed.
• The servers containing customer data were shut down and taken offline after the incident was discovered.
• The incident occurred on or around September 18, 2010 and the organization aimed to notify all affected customers by October 25.
Type of Incident: Hacking or Malware
Possible Mitigation Steps:
– Vendor Management
– AV programs up to date
– Storing of non encrypted data
– Track and monitor access – logs / IDS
– Password access for mobile devices
• The University of Oklahoma is warning students about a security breach that may put their personal information at risk. A laptop was found to be infected with a Trojan that could have led to the disclosure of sensitive information
Type of Incident: Hacking or Malware
Possible Mitigation Steps:
– AV programs up to date
– Storing of non encrypted data
– Track and monitor access – logs / IDS
– Password access for mobile devices
• It appears that anyone with a Tech computer account could have accessed more than 3,000 Social Security numbers over the past four or five years. Copies of an accounting file were mistakenly stored in two public locations on the TCC server.
• Many data breaches occur where data is stored on an asset that was not known to be accessible to other parties – Can be addressed as part of “Discovery” and “Configuration Management” / “Continuous Compliance” activities
Type of Incident: Unintended disclosure
Possible Mitigation Steps:
– Separation of Test and Production data
– Network Segmentation
– Asset Management
• The University of Hawai‘i at Manoa today began notifying approximately 53,000 individuals listed in a system database, housed on a computer server used by the Parking Office, that a recent security breach may have exposed personal information—including approximately 40,870 Social Security numbers and 200 credit card numbers
Type of Incident: Hacking or Malware
Possible Mitigation Steps:
– AV programs up to date
– Storing of non encrypted data
– Network segregation
– Firewall
• Stolen laptop contains names and Social Security numbers of unspecified number of graduates
Type of Incident: Portable device
Possible Mitigation Steps:
– Business need for data on laptop
– Storing of non encrypted data
– Network segregation
• Names, Social Security numbers, and dates of birth for 245 available on file server
Type of Incident: Unintended disclosure
Possible Mitigation Steps:
– Separation of Test and Production data
• The University of Florida last week revealed that it has notified more than 333,000 people about the potential compromise of their personal data following a system intrusion at its dental school.
• It's an incident that is likely to further reinforce the reputation college networks and systems have of being notoriously insecure environments.
• The compromised data included the names, dates of birth, Social Security numbers, and addresses of current and former College of Dentistry patients dating back to 1990, as well as information about dental procedures in some cases, the university said in a statement.
• The data had been stored unencrypted in a database on the breached server, it added.
• In addition to the 330,000 people who were notified, another 8,000 individuals whose current mailing addresses couldn't be found were affected by the intrusion, according to the statement.
Type of Incident: Hacking or Malware
Possible Mitigation Steps:
– AV programs up to date
– Storing of non encrypted data
– Network segregation
– Firewall
Password discovered in recent audit:
MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento
“Why so long?”
“Hello! It has to be at least 8 characters long and include at least one capital.”