Privacy vs. Security Breach

Privacy Breach vs. Security Breach
The Great Lakes InfraGard Conference
Securing Our Critical Infrastructures
June 20, 2012
Keith A. Cheresko Principal,
Privacy Associates International LLC
Purpose
• Explore the sometimes murky and confusing world of data breaches
• Shed light on the differences and similarities of privacy and security breaches
• Leave you with a better understanding of the environment in which we all operate
• Provide actionable ideas to help prevent breaches and increase the security of data under our control
Agenda
Terminology
Background
Governing Rules
Practical Suggestions
Questions & (hopefully) Answers
Terminology
Personal: “of, relating to, or affecting a particular person: private, individual <personal ambition> <personal financial gain>” (Webster)
Personal Information (PI): data of, relating to, or affecting a particular person
Personally Identifiable Information (PII): data that can be tied to a unique person, some of which has obtained defined legal protection (information relating to an identified or identifiable individual)
Background
Statistics
As of June 16, the Privacy Rights Clearinghouse database lists:
• 562,242,283 records from 3,136 data breaches made public from 2005 to June 2012
• 18,537,734 records from 264 breaches made public so far in 2012
• 6,563,454 records from 16 breaches made public in June alone, with half of those breaches reporting an unknown number of records
Statistics
The Verizon 2012 Data Breach Investigations Report indicates:
855 incidents resulting in 174,000,000 compromised records
Statistics
The Ponemon Institute’s 2011 Cost of Data Breach Study for US-based companies reports:
$194 average cost per compromised record, and
$5,500,000 average organizational cost per event
Is a Privacy Breach Different from a Security Breach?
Privacy vs. Security
• To answer, first consider the difference between privacy and security
• Privacy relates to giving an individual some level of control over his or her personally identifiable information (PII)
– Definitions of PII vary, which we will discuss later
– To give the individual that control, privacy is concerned with matters such as choice, notice, access, data quality, and security as it relates to PII
• Data security is concerned with the safeguarding of all data, not just PII
• Privacy is broader than security in one sense (it covers more than safeguarding), and security is broader than privacy in another (it covers more than PII)
What is a Privacy Breach?
Can relate to two situations:
• The unauthorized access to or acquisition of the kind of PII specified by an applicable law (security of PII)
• The failure to live up to obligations made with respect to non-security related aspects of privacy (notice, choice, access, etc.)
What is a Security Breach?
The unauthorized access to or acquisition of anything proprietary:
Buildings, facilities and other physical plant
Computer equipment
Product inventory
Confidential or secret information
Trade secrets
Intellectual property
Proprietary items
Financial information
Data in paper or electronic form
Personal information of consumers, employees, etc.
Customer lists
Should I worry?
Virtually any organization handling PI has the potential to experience a breach of data (personal or other) security. For example, consider the cross section of reported breaches:
• Retailers – Michaels Stores, Macy’s St. Louis
• Hospitality/food and beverage – Five Guys, Hannaford Bros.
• Education institutions – University of North Florida, University of Virginia
• Healthcare providers – Phoenix Cardiac Surgery, South Shore Hospital, Charlie Norwood V.A. Medical Center
• Financial institutions – Citi, U.S. Federal Retirement Thrift Savings Plan
Who is affected?
• Payment processors – WHMCS, Heartland Payment Systems
• Professional service providers – law firms, accountants, auditors
• Governmental entities and agencies – Office of the Texas Attorney General, City of New Haven, New York State Office of Children and Family Services
• Online service providers – LinkedIn, eHarmony
• Utilities
• and on and on and on ...
Consequences of a breach?
Depending on the nature, sensitivity, type and volume of data or other assets compromised, it may mean:
• Loss of intellectual property
• Possible ID theft
• Damage to the organization’s reputation
• Legal actions – regulatory and consumer
• Operational inefficiencies
• Increased operating costs
• Organization freeze-up/paralysis
• Lost business from consumer churn or business termination
• Adverse impact on market valuation
What Are the Governing Rules?
U.S. Federal Laws: Privacy and Information Security
• The Federal Trade Commission Act
• The Gramm-Leach-Bliley Act
• The Health Insurance Portability and Accountability Act of 1996
• Health Information Technology for Economic and Clinical Health Act
• Family Educational Rights and Privacy Act of 1974
• Driver's Privacy Protection Act of 1994
• Federal Information Security Management Act of 2002
• Fair and Accurate Credit Transactions Act
U.S. Federal Laws: Privacy and Information Security (continued)
• Electronic Communications Privacy Act
• Telephone Consumer Protection Act of 1991
• Privacy Act of 1974
• Computer Security Act of 1987
• E-Government Act of 2002
• Children's Online Privacy Protection Act of 1998
• Children's Internet Protection Act
• Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
FTC and Consumer Data
• The FTC is empowered through Section 5 of the Federal Trade Commission Act to address:
– unfair methods of competition in or affecting commerce, and
– unfair or deceptive acts or practices in or affecting commerce
• As noted earlier, the failure to live up to one’s own privacy policy may be deemed a deceptive practice, leading to a privacy breach
• Also, failing to provide adequate data security may be considered an unfair practice, leading to a privacy breach
FTC and Consumer Data
• The FTC expects organizations to provide physical, technical, and administrative security for consumer personal information
• The FTC does not expect maximum available security; rather, security should be reasonable and appropriate to:
– the organization’s size and complexity
– the nature and scope of its activities
– the sensitivity of the PI
• Risk assessments should be conducted to determine the areas of greatest risk, and reasonable safeguards must be implemented in light of those findings
Gramm-Leach-Bliley (GLBA) Financial Data Security: Interagency Guidelines
• The law required agencies to adopt security regulations requiring physical, technical, and administrative safeguards against the unauthorized access to, or use of, customer information
• Result: the Interagency Guidelines Establishing Standards for Safeguarding Customer Information
– Require written information security plans
– The plans must assess, manage, and control threats that could result in unauthorized disclosure of information
– Encourage adoption of measures appropriate to the institution’s circumstances
FTC Safeguards Rule
• Design a program to protect against unauthorized access to, or use of, customer information that could result in “substantial harm or inconvenience” to customers
• Designate coordinator(s) for the program
• Conduct a risk assessment
– identify internal and external risks to customer information, and
– assess the sufficiency of existing safeguards to control the risks
• Design and implement safeguards to control the identified risks
FTC Safeguards Rule
• Regularly test the effectiveness of the safeguards
• Oversee service providers
– Select and retain service providers capable of maintaining appropriate safeguards
– Require service providers to implement and maintain safeguards
• Evaluate and adjust the program in light of
– regular testing and monitoring,
– material changes in business, or
– other circumstances that have a material impact on the program
Protected Health Information
• HIPAA, HITECH and the HIPAA Security Rule establish national standards for the protection of individuals’ electronic personal health information in the hands of “covered” entities
• HIPAA requires appropriate administrative, physical, and technical safeguards, but includes a much more specific mandate under the Security Rule
• The HITECH amendments to HIPAA apply the HIPAA Security Rule directly to business associates. HHS can audit business associates for compliance and impose civil penalties (up to $1.5m per year for violations of the same provision); criminal penalties also apply, and State AGs can bring separate actions
FERPA, DPPA, FISMA and FACTA
• Family Educational Rights and Privacy Act of 1974 (limits disclosures of educational records maintained by agencies and institutions that receive federal funding)
• Driver's Privacy Protection Act of 1994 (limits disclosures of personal information in records maintained by state departments of motor vehicles)
• Federal Information Security Management Act of 2002 (requires federal agencies to develop, document and implement an agency-wide program to provide information security)
• Fair and Accurate Credit Transactions Act (Red Flags and Data Disposal rules)
State General Data Security Safeguards
Generally:
• Apply to any person owning or licensing PII relating to residents of the state
• Require business implementation and maintenance of reasonable security procedures and practices for the protection of PII
• Require appropriate disposal of PII, rendering it unreadable or undecipherable
State Data Security Laws
• At least 33 states have laws relating to Social Security numbers (SSNs), designed primarily to limit the use of SSNs
• Five states require implementation of policies to protect SSNs
– Connecticut, Michigan, New Mexico, New York, Texas
• Two states have gone farther in specifying required business security practices
– Massachusetts and Nevada
Massachusetts Rule
• Applies to any person who receives, maintains, processes, or has access to PI about MA residents
• The regulation nominally applies to any entity, anywhere in the world, holding PI relating to a MA resident
• The covered PI is defined as an individual’s name in combination with a SSN, driver’s license number, or financial account number, credit or debit card number (with or without password)
Massachusetts Rule Requirements
• Performance of risk assessments
• Development and maintenance of a comprehensive Written Information Security Program (WISP)
• Application of physical security controls
• Application of electronic security controls
• Use of encryption
• Selection and retention of competent service providers
• Employee training
• Employee compliance
• Development and maintenance of appropriate policies regarding storage, access, and transportation of personal information outside business premises
• Processes in place preventing terminated employees from accessing personal information
• Documenting responses to breach incidents and post-incident reviews
Nevada Encryption Law
• Applies to a business that maintains, handles, collects, disseminates, or deals with personal information
• Personal information is defined as an individual’s name in combination with a SSN, driver’s license number, or financial account number
• Must encrypt electronic transmission (other than fax) to a person outside the business’ own secure system
• Must encrypt “data storage devices” when they are moved beyond the logical or physical controls of the business or its data storage contractor
Other Considerations
• Specialty state and local requirements
• Trade association undertakings
• Payment Card Industry Data Security Standard (PCI DSS)
• Mobile practices
• Constantly shifting environment
• New uses and applications for data
Wait – There’s More
Breach Notification Laws
• Designed to help enforce security obligations
– In theory, helps consumers protect themselves
– Provides government authorities enforcement opportunities
– Bad PR and breach-associated costs encourage compliance
• Notification is generally triggered by the unauthorized access to, or acquisition of, PI covered by the law
• Other variables affect whether a breach notification law applies, such as:
– Storage medium involved
– Use of data encryption
Federal Breach Notification: GLBA
Regulations adopted by financial regulators and the FTC pursuant to GLBA include breach notification provisions for unauthorized access to sensitive customer information held by banks and other financial institutions.
Federal Breach Notification: HIPAA (HITECH)
• Written notices must be provided without unreasonable delay and no later than 60 days after discovery of the breach
– Delay is permitted if law enforcement states that notification would impede a criminal investigation or damage national security
– Content requirements apply
• A covered entity must notify:
– HHS of any breach involving 500 or more individuals, at the time it provides consumer notice
– HHS annually of breaches involving fewer than 500 individuals
– Prominent media in a state of breaches involving more than 500 residents of that state
Federal Breach Notification: HIPAA (HITECH)
• A business associate that discovers a breach must notify the covered entity
• A similar FTC rule applies to vendors of personal health records and to entities offering products or services through the web site of a vendor of personal health records
U.S. State Breach Notification Laws
46 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have laws:
• PI usually covered: name plus SSN, driver’s license number, bank account information with PIN, or health information (often with an exception when encrypted); there are significant state variations in covered PI
• Notice to individuals is required in the event of a breach and, in some instances, notice to credit-reporting agencies and/or regulators (e.g., New York Attorney General, New Jersey State Police) is also specified
• 18 states impose requirements with respect to the content of the consumer notice
• State insurance regulators also impose notification requirements on insurance companies
My Head Hurts
What does it all mean?
The Hits Keep on Coming With These Events Recently in the Headlines
• WHMCS Breach May Be Only Tip of the Trouble
• Spokeo to Pay $800,000 to Settle FTC Charges
• Myspace Settles FTC Charges it Misled Millions of Users
• Lax Security at LinkedIn is Laid Bare
• Potential Class Action Targets Emory Healthcare Over Patient Data Breach
• ID Theft in Backyard of Texas Attorney General
• Massachusetts Levies Fine of $15,000 for Stolen Laptop
• HHS Settles Cases with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards
• A Six-Figure Credit Breach at Five Guys
• Information of U.S. Federal Employees Exposed
• South Shore Hospital to Pay $750,000 to Settle Data Breach Allegations
• House Committee to Probe e-Banking Heists
What should be done?
Privacy and Other Data Security Breaches
An ounce of prevention is worth a whole lot more than a pound of cure
It is not a “once and done” adventure
When the going gets tough, the tough get going
Yammer, yammer, yammer ...
Practical Considerations
• Basic requirements for data protection are surprisingly similar across segments, although details do vary
• The concept of technical, physical and administrative security requirements is almost universal
• The requirement to conduct practical risk assessments of the requirements and vulnerabilities of the organization is also present in many segments and jurisdictions
• Most laws do not specify technical or physical requirements beyond requiring that they be reasonable, appropriate or adequate
Inventory your data/assets
What is it?
Where is it?
Where is it going?
Will it visit third parties?
Who needs it to do their work?
How is it used?
How is it gathered and shared?
How is it stored?
What is its final resting place?
Will it be gone for good?
Assess Risks/Threats
• Identify all threats within the realm of possibility to the security of the data or asset
• Consider all sources, whether:
– Internal
– External
– Natural
– Man-made
– Innocent
– Malicious
• Assess the consequences to the organization should the identified threat materialize
• What is the likelihood of the threat/risk materializing?
• What mitigations are there to counter the risk or recover if it occurs?
Physical Matters
Physical security includes:
• Facility access controls
– Locks
– Alarms
– Guards
• Safeguarding hard copy documents with PI
– Locking filing cabinets
– Clean desk policies
• Securing hardware on which PI is stored
– Computers
– Mobile devices
– Flash drives
– Modems
Administrative Measures
Administrative measures include rules and training applicable to PI handling, such as:
• Ensuring access authorization is only given to individuals with legitimate purposes
• Authentication rules
• Rules limiting what data can be stored on portable devices such as laptops, smart phones, thumb drives and other storage media
• Security provisions in supplier contracts
• Security training for those with access to PI
• On-boarding and termination processes
• Policy administration
• Policy enforcement through appropriate disciplinary actions
Administrative Measures
Technology use policy
• Blogging and social networking, peer-to-peer file sharing programs, remote access, use of laptops
Security breach notification procedure
• How is unauthorized access or acquisition reported?
• Who is on the immediate response team?
Confidentiality policy
• Does it cover confidential information and personal information?
• Training
• Audit
• Office rules – badging, clear desk and screen locks
• Processes and teams for security incident management
• Downstream controls – contractual and audit controls on data recipients
• Officer, director, and employee training
Typical Requirements
• Assign responsibility with accountability to a lead person
• Conduct risk assessments
• Establish comprehensive written policies and procedures
• Train employees
• Evaluate and then supervise service providers
• Execute contracts with service providers
• Provide secure disposal
• Audit
• Create and implement incident response, record retention, and disaster recovery plans
Organization
Dealing with high-level requirements (“reasonable security”)
• Determining what “reasonable security” is, is a team effort
• The determination should involve representatives from privacy, IT, legal, physical security, HR/training, and potentially other functions and advisors
• Work to determine what safeguards are necessary based on the specific vulnerabilities of the particular organization (risk analysis), the consequences of a breach, and general good security practices
• Documentation is critical
Be Prepared
Need for breach preparation:
• Create an incident response team
• Create and document response procedures
• Communicate regularly
• Seek and obtain senior management support and resource commitment
• Arrange for service providers that will be needed to respond
• Document, document, document
Evaluate Risky Areas
• Collection of information over the Internet and email
• Access to sensitive files by employees and independent contractors
• Dispersed systems and data; duplication (and more) of data
• Access to credit card, health, and financial information
• Transmission, storage, and disposal of computerized data, including data contained on disks and hard drives, and equipment disposal
• Data to be transmitted to any third party
• Storage and disposal of paper records
• Data center moves/consolidations
• Transfer and use by service providers/outsourcing
• Mobile computing and employee-owned devices
• Logging and monitoring (employees, system access, phones/internet/email)
Technical Measures
Technical security relates to the protection of electronic information through methods including:
• Access control: unique user ID, auto logoff, need to know
• Monitoring: log-in, movement of ePHI
• Audit: who accessed, how and when modified
• Encryption: at rest (server, laptop, mobile), in transmission
• Authenticating: confirming identity, managing accounts
• Firewalls, anti-virus, and anti-spyware protections
• Changing default settings and thereafter periodically changing the (non-default) IDs and passwords for internet-facing devices
Technical Measures
• Basic rules for employees
– Do not email sensitive or special PI
– Do not access more than what is needed
– Create and use secure documents
– Use passwords
• System deployment and approval processes – what needs to happen before you flip the switch
• Eliminate unnecessary data and keep tabs on what is left
• Monitor and mine event logs
• Ensure essential controls are met, and regularly check that they remain so
Technical Measures*
Hacking: use of stolen credentials
• Use two-factor authentication
• Change passwords on suspicion of theft
• Time-of-use rules
• IP blacklisting
• Restricting administrative connections
* From Verizon 2012 DBIR pgs 63-66
Technical Measures*
Malware: Backdoor, command and control
Hacking: Exploitation of backdoor or command and control channel
• Egress filtering
• Use of proxies for outbound traffic
• IP blacklisting
• Host IDS or integrity monitoring
• Restrict user administrative rights
• Personal firewalls
• DLP tools
• Antivirus and antispyware tools
• Web browsing policies
* From Verizon 2012 DBIR pgs 63-66
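Egress filtering and outbound proxies only pay off if someone reads what the proxy records. As an added example (it is not code from the slides or from the Verizon report), the Python below scans a constructed proxy log for two command-and-control indicators that the list above is meant to catch: a host calling the same external destination at a near-constant interval (beaconing), and connections an egress policy should never have allowed (direct-to-IP destinations, non-standard ports). The log format, the addresses, the 4-hit minimum and the 15 % jitter threshold are all assumptions made for the demo.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not from any real system): "time src dst:port bytes".
# 10.1.4.23 talks to a raw IP on 8443 once a minute; 10.1.4.77 browses normally.
SAMPLE_LOG = """\
2012-06-20T09:00:00 10.1.4.23 www.example.com:443 1432
2012-06-20T09:00:07 10.1.4.23 cdn.example.net:443 22100
2012-06-20T09:01:00 10.1.4.23 198.51.100.17:8443 512
2012-06-20T09:02:00 10.1.4.23 198.51.100.17:8443 498
2012-06-20T09:03:01 10.1.4.23 198.51.100.17:8443 530
2012-06-20T09:04:00 10.1.4.23 198.51.100.17:8443 501
2012-06-20T09:05:00 10.1.4.23 198.51.100.17:8443 512
2012-06-20T09:00:12 10.1.4.77 www.example.com:443 8841
2012-06-20T09:03:40 10.1.4.77 www.example.com:443 1200
2012-06-20T09:09:15 10.1.4.77 mail.example.org:443 4431
2012-06-20T09:10:02 10.1.4.77 www.example.com:443 3000
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\d+)$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse(log):
    """Yield (timestamp, src, dst, port, bytes) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, dst, port, size = m.groups()
        yield datetime.fromisoformat(ts), src, dst, int(port), int(size)


def find_beacons(log, min_hits=4, max_cv=0.15):
    """Flag (src, dst, port) series whose inter-request gaps are nearly constant.

    Human browsing is bursty; a backdoor checking in on a timer is not. The coefficient
    of variation (std dev / mean) of the gaps is a cheap, scale-free way to tell them apart.
    """
    series = defaultdict(list)
    for ts, src, dst, port, _ in parse(log):
        series[(src, dst, port)].append(ts)
    findings = []
    for (src, dst, port), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "port": port, "hits": len(times),
                             "period_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


def egress_policy_violations(log, allowed_ports=(80, 443)):
    """Connections an egress filter should have blocked: raw IP destinations, unexpected ports."""
    hits = {}
    for _, src, dst, port, _ in parse(log):
        reasons = []
        if IPV4.match(dst):
            reasons.append("direct-to-ip")
        if port not in allowed_ports:
            reasons.append("port-%d" % port)
        if reasons:
            hits[(src, dst, port)] = reasons
    return hits


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print("beacon:", f)
    for key, why in egress_policy_violations(SAMPLE_LOG).items():
        print("egress violation:", key, why)
```

Both checks are deliberately simple so they can run over a day's worth of proxy log in a cron job; the beacon check is the one worth tuning, since real implants add jitter, and lowering `max_cv` trades missed beacons for fewer false positives on legitimate polling (software updaters, mail clients).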
Technical Measures*
Physical Tampering
• Train employees and customers to look for and detect signs of tampering, and to do so throughout the day
• Set up and train staff on a procedure for service technicians, including a method to schedule and authenticate technicians and maintenance vendors
• Push vendors for anti-tamper technology/features, or only purchase POS and PIN devices with anti-tamper technology
* From Verizon 2012 DBIR pgs 63-66
Technical Measures*
Keylogger/Form-grabber/spyware
• Restrict administrative rights
• Code signing
• Use of live boot CDs
• One-time passwords
• Anti-virus and anti-spyware
• Personal firewalls
• Web content filtering and blacklisting
• Egress filtering
• Host IDS (HIDS) or integrity monitoring
• Web browsing policies
• Security awareness training
• Network segmentation
* From Verizon 2012 DBIR pgs 63-66
Technical Measures*
Pretexting (Social Engineering)
• General security awareness training
• Clearly defined policies and procedures
• Train staff to recognize and report suspected pretexting attempts
• Verify suspect requests through trusted methods and channels
• Restrict corporate directories (and similar sources of information) from public access
* From 2012 Verizon DBIR pgs 63-66
Technical Measures*
Brute-force attack
• Use technical means of enforcing password policies
• Account lockouts
• Password throttling
• Password cracking tests
• Access control lists
• Restrict administrative connections
• Two-factor authentication
• CAPTCHA
* From 2012 Verizon DBIR pgs 63-66
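The stolen-credential slide and the brute-force slide above list controls that all sit in the same place: in front of the password check. As an added example (not code from the slides or from the Verizon report), the Python below is a small login policy layer that implements several of them together: an IP blacklist, per-source throttling, account lockout after repeated failures, a time-of-use window for administrative accounts, and a mandatory second factor for administrators, so that a stolen admin password by itself does not get in. The accounts, addresses, thresholds (5 failures in 15 minutes, 30-minute lockout, 20 attempts per minute per source, admin hours 07:00 to 19:00) and the one-time code are all assumptions for the demo; the clock is injected so the policy can be exercised without waiting.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta


def hash_password(password, salt):
    # PBKDF2 keeps the demo honest: no plaintext passwords are compared or stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user(password, role, otp=None):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "role": role, "otp": otp}


class LoginGuard:
    """Policy layer in front of password verification; returns "ALLOW" or "DENY:<reason>"."""

    def __init__(self, users, ip_blocklist, max_failures=5, fail_window=timedelta(minutes=15),
                 lockout=timedelta(minutes=30), ip_rate=20, ip_window=timedelta(minutes=1),
                 admin_hours=(7, 19)):
        self.users, self.ip_blocklist = users, set(ip_blocklist)
        self.max_failures, self.fail_window, self.lockout = max_failures, fail_window, lockout
        self.ip_rate, self.ip_window, self.admin_hours = ip_rate, ip_window, admin_hours
        self.failures = defaultdict(deque)     # username -> timestamps of recent failures
        self.locked_until = {}                 # username -> datetime the lockout ends
        self.ip_attempts = defaultdict(deque)  # src_ip -> timestamps of recent attempts

    @staticmethod
    def _trim(q, now, window):
        while q and now - q[0] > window:
            q.popleft()

    def attempt(self, username, password, src_ip, now, otp=None):
        if src_ip in self.ip_blocklist:                    # IP blacklisting
            return "DENY:ip-blocklisted"
        q = self.ip_attempts[src_ip]
        q.append(now)
        self._trim(q, now, self.ip_window)
        if len(q) > self.ip_rate:                          # throttling per source
            return "DENY:throttled"
        until = self.locked_until.get(username)
        if until is not None and now < until:              # account lockout in force
            return "DENY:locked"
        user = self.users.get(username)
        # Hash even for unknown users so response time does not reveal valid usernames.
        salt = user["salt"] if user else b"\x00" * 16
        expected = user["hash"] if user else b"\x00" * 32
        if not hmac.compare_digest(hash_password(password, salt), expected):
            f = self.failures[username]
            f.append(now)
            self._trim(f, now, self.fail_window)
            if len(f) >= self.max_failures:                # lock after repeated failures
                self.locked_until[username] = now + self.lockout
                return "DENY:locked"
            return "DENY:bad-credentials"
        if user["role"] == "admin":
            start, end = self.admin_hours
            if not start <= now.hour < end:                # time-of-use rule for admins
                return "DENY:outside-hours"
            if otp is None or user["otp"] is None or not hmac.compare_digest(otp, user["otp"]):
                return "DENY:second-factor"                # two-factor authentication
        self.failures.pop(username, None)
        return "ALLOW"


def make_guard():
    """Constructed demo directory: two hypothetical accounts and one blocklisted address."""
    users = {"alice": make_user("tr0ub4dor&3", "admin", otp="493021"),
             "bob": make_user("hunter2", "user")}
    return LoginGuard(users, ip_blocklist={"192.0.2.66"})


def run_scenarios():
    """Drive the guard through the attack patterns named on the slides; returns the outcomes."""
    g, t, out = make_guard(), datetime(2012, 6, 20, 10, 0), {}
    # Correct (stolen) password from a blocklisted address is refused before any check.
    out["blocklisted"] = g.attempt("bob", "hunter2", "192.0.2.66", t)
    # Brute force against bob: the fifth wrong guess inside the window locks the account,
    # so even the right password is refused until the lockout expires.
    for i in range(4):
        g.attempt("bob", "wrong%d" % i, "203.0.113.5", t + timedelta(seconds=i))
    out["fifth_failure"] = g.attempt("bob", "wrong4", "203.0.113.5", t + timedelta(seconds=4))
    out["locked_with_right_password"] = g.attempt("bob", "hunter2", "203.0.113.5", t + timedelta(minutes=5))
    out["after_lockout"] = g.attempt("bob", "hunter2", "203.0.113.5", t + timedelta(minutes=35))
    # Per-source throttling: the 21st attempt within a minute from one address is dropped.
    r = None
    for i in range(21):
        r = g.attempt("carol", "nope", "198.51.100.7", t + timedelta(seconds=i))
    out["throttled"] = r
    # Stolen admin password: time-of-use and the second factor still stand in the way.
    out["admin_at_night"] = g.attempt("alice", "tr0ub4dor&3", "203.0.113.9", datetime(2012, 6, 20, 22, 0))
    out["admin_no_otp"] = g.attempt("alice", "tr0ub4dor&3", "203.0.113.9", t)
    out["admin_with_otp"] = g.attempt("alice", "tr0ub4dor&3", "203.0.113.9", t, otp="493021")
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print("%-28s %s" % (name, result))
```

The order of the checks matters: source throttling and lockout run before the password is hashed, which keeps a guessing tool from burning CPU on the server, while the admin-only rules run after a correct password so that failed guesses never learn the maintenance window.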
Technical Measures*
SQL injection
• Secure development practices
• Input validation
• Use of parameterized queries and/or stored procedures
• Adherence to the principle of least privilege for database accounts
• Removal of unnecessary services
• System hardening
• Disable output of database error messages to the client
• Application vulnerability scanning
• Penetration testing
• Web application firewall
* From 2012 Verizon DBIR pgs 63-66
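To make the parameterization and error-message items concrete, here is an added example (not code from the slides or from the Verizon report) in Python with the standard `sqlite3` module: a login query built by string formatting next to the same query with bound parameters, plus the wrapper an application should actually expose, which never passes the driver's error text to the client. The table, the two accounts and the payloads are constructed for the demo, and passwords are kept in plaintext only to keep it short; a real system stores salted hashes.

```python
import sqlite3


def make_db():
    """Constructed demo table (hypothetical accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("dana", "Winter2012!", "admin"), ("erin", "letmein", "user")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The injectable pattern: user input is spliced into the SQL text itself."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Bound parameters: the values travel separately from the statement and are never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def login(conn, username, password):
    """What the application exposes: parameterized query, and no database error text for the client."""
    try:
        return login_parameterized(conn, username, password)
    except (sqlite3.Error, sqlite3.Warning):
        # Log the exception server-side; the caller only ever sees a generic failure.
        return None


# Classic payloads: comment out the password check, or make the WHERE clause always true.
PAYLOAD_COMMENT = "dana' --"
PAYLOAD_TAUTOLOGY = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, comment payload:   ", login_vulnerable(db, PAYLOAD_COMMENT, "anything"))
    print("vulnerable, tautology payload: ", login_vulnerable(db, "nobody", PAYLOAD_TAUTOLOGY))
    print("parameterized, comment payload:", login_parameterized(db, PAYLOAD_COMMENT, "anything"))
    print("parameterized, real password:  ", login(db, "dana", "Winter2012!"))
```

With the vulnerable function the first payload turns the statement into `... WHERE username = 'dana' --' AND password = '...'`, so the password clause is commented away and the admin row comes back; the parameterized version treats the same string as a 9-character username that matches nobody. Least privilege for the database account (a read-only login for this code path) is the complementary control: it limits what an injection that does get through can do.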
Technical Measures*
Unauthorized access via default credentials
• Change default credentials (prior to deployment)
• Delete or disable default accounts
• Scan for known default passwords (following deployment)
• Password rotation
• Inventory of remote administrative services (especially those used by third parties)
• For third parties: contracts (stipulating password requirements)
• Consider sharing administrative duties
• Scan for known default passwords (for assets supported by third parties)
* From 2012 Verizon DBIR pgs 63-66
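The scanning, rotation and inventory items above can be run against whatever credential record the organization already holds, such as a configuration backup or a password-vault export. As an added example (not code from the slides or from the Verizon report), the Python below audits a constructed inventory against a list of known defaults by comparing hashes rather than plaintext, flags default accounts that were given a new password but never removed, flags passwords past a rotation age, and produces the list of remotely administered devices run by third parties that the contract review needs. The vendor and model names, the default credentials, the hosts and the 90-day rotation period are all hypothetical.

```python
import hashlib
from datetime import date


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Hypothetical vendor defaults (constructed; not real products or real default passwords).
DEFAULT_CREDS = {
    "acme-router": [("admin", "admin"), ("admin", "password")],
    "acme-pos":    [("manager", "1234"), ("service", "service123")],
}

# Constructed inventory export: one row per administrative account. The export is assumed to
# carry a SHA-256 of the password, as some appliance backups and vault exports do, not plaintext.
INVENTORY = [
    {"host": "rtr-branch-01", "model": "acme-router", "user": "admin", "pw_sha256": sha256("admin"),
     "changed": date(2012, 1, 15), "mgmt": "telnet", "managed_by": "third-party"},
    {"host": "pos-lane-03", "model": "acme-pos", "user": "manager", "pw_sha256": sha256("Tr0ub4dor&3"),
     "changed": date(2012, 5, 1), "mgmt": "ssh", "managed_by": "internal"},
    {"host": "svc-vpn-01", "model": "acme-router", "user": "netops", "pw_sha256": sha256("9f!Qx2#mLp"),
     "changed": date(2012, 6, 1), "mgmt": "ssh", "managed_by": "internal"},
    {"host": "pos-lane-05", "model": "acme-pos", "user": "service", "pw_sha256": sha256("service123"),
     "changed": date(2011, 12, 1), "mgmt": "ssh", "managed_by": "third-party"},
]


def audit(inventory, defaults, today, max_age_days=90):
    """Return (host, issue) pairs.

    default-password:        the account still carries a vendor default
    default-account-enabled: a default account name survives with a changed password
                             (should be deleted or disabled, not just re-passworded)
    stale-password:          older than the rotation period
    """
    findings = []
    for row in inventory:
        known = defaults.get(row["model"], [])
        if any(row["user"] == u and row["pw_sha256"] == sha256(p) for u, p in known):
            findings.append((row["host"], "default-password"))
        elif row["user"] in {u for u, _ in known}:
            findings.append((row["host"], "default-account-enabled"))
        if (today - row["changed"]).days > max_age_days:
            findings.append((row["host"], "stale-password"))
    return findings


def third_party_admin(inventory):
    """Remote administrative services operated by outside parties, for the contract review."""
    return [(r["host"], r["mgmt"]) for r in inventory if r["managed_by"] == "third-party"]


if __name__ == "__main__":
    for host, issue in audit(INVENTORY, DEFAULT_CREDS, date(2012, 6, 20)):
        print("%-14s %s" % (host, issue))
    print("third-party administered:", third_party_admin(INVENTORY))
```

Hashing the defaults list rather than decrypting the export means the audit job never needs the plaintext passwords, and the same script can be pointed at the third-party-supported assets the last bullet calls out, provided the contract obliges the vendor to hand over the export.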
Technical Measures*
Phishing (and endless *ishing variations)
• General security awareness training
• Clearly defined policies and procedures
• Policies regarding use of email for administrative functions
• Train staff to recognize and report suspected phishing messages
• Configure email clients to render HTML emails as text
• Anti-spam
• Email attachment virus checking and filtering
The slides marked with an asterisk (*) contain the recommendations from the Verizon 2012 Data Breach Investigations Report, pages 63-66
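The reason for rendering HTML mail as text is that a message's visible link text and its real target can differ, and a text rendering puts the real target in front of the reader. As an added example (not code from the slides or from the Verizon report), the Python below parses a constructed phishing message with the standard `email` and `html.parser` modules, lists the anchors whose displayed host does not match the host in the `href`, and produces the plain-text rendering in which the real URL appears next to the bait. The sender, domains and body text are made up.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (hypothetical sender, domains and text).
RAW_MESSAGE = b"""From: "Payroll Dept" <payroll@example-bank.com>
To: staff@example.com
Subject: Action required: verify your direct deposit
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://example-bank.com.login-verify.example.net/dd">
sign in at https://www.example-bank.com</a> within 24 hours.</p>
<p>Questions? See <a href="https://www.example-bank.com/help">our help page</a>.</p>
</body></html>
"""

# A host name (optionally with scheme) appearing in the visible anchor text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkAudit(HTMLParser):
    """Collects (href, visible text) for every anchor and a text rendering of the body."""

    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._anchor).split())))
            self.text.append(" <%s> " % self._href)  # text renderers expose the real target
            self._href = None


def _parse(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    audit = LinkAudit()
    audit.feed(body.get_content() if body is not None else "")
    return audit


def suspicious_links(raw):
    """Anchors whose visible text names a host other than the one the href really points to."""
    findings = []
    for href, shown in _parse(raw).links:
        real_host = (urlparse(href).hostname or "").lower()
        m = HOST_IN_TEXT.search(shown)
        shown_host = m.group(1).lower() if m else None
        if shown_host and shown_host != real_host:
            findings.append({"href_host": real_host, "shown_host": shown_host, "text": shown})
    return findings


def render_as_text(raw):
    """What the reader sees when the client renders HTML as text: link targets appear inline."""
    return " ".join("".join(_parse(raw).text).split())


if __name__ == "__main__":
    for f in suspicious_links(RAW_MESSAGE):
        print("mismatch: shows %s, goes to %s" % (f["shown_host"], f["href_host"]))
    print(render_as_text(RAW_MESSAGE))
```

The mismatch check is the same test a mail gateway can apply before delivery; the second link in the sample ("our help page") is not flagged because its text names no host, which is why the text rendering, not the heuristic alone, is what lets a trained reader catch the rest.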
Breach Incident Processing
• Assemble the team and dust off the plan
• Stop the bleeding
• Determine the injury
• Involve those with whom prior arrangements were made, as necessary
• Notify as required in an appropriate manner
• Report to authorities as required
• Document actions and the reasons for them
• Fix the concern
• Evaluate and revise as necessary
Breach Incident Processing
According to regulatory advice, in the event of an incident do:
• Immediately isolate affected systems to prevent further intrusion, loss of data or other damage
• Assume email traffic may be monitored; use the telephone or other reasonably secure means to communicate (VoIP?)
• Notify law enforcement
• Activate all auditing software if not already activated
• Preserve pertinent system logs
• Make backup copies of damaged or altered files and keep them securely
• Identify where the affected system resides in the network topology
• Identify all systems and agencies that connect to the affected system
• Identify the programs and processes that operate on the affected system, the impact of the disruption and the maximum allowable outage time
• If necessary, make arrangements for continuity of services
Don’t delete, move or alter files, contact the suspected perpetrator, or attempt your own forensic analysis
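Several of the items above (preserve the logs, make backup copies and keep them securely, document what was done) come down to taking verifiable copies before anything else touches the evidence. As an added example, not code from the slides or from any regulator's guidance, the Python below copies files into an evidence directory, hashes each file before and after the copy, makes the copies read-only, writes a manifest naming the collector and case, and lets the copies be re-verified later. The case identifier, collector name and sample auth log are constructed; `demo()` runs the whole cycle in a temporary directory, including a deliberate alteration of a copy that the verification then catches.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample log lines (not from any real system).
SAMPLE_AUTH_LOG = (
    "Jun 20 02:14:07 fileserver sshd[4121]: Failed password for root from 198.51.100.7 port 51022 ssh2\n"
    "Jun 20 02:14:09 fileserver sshd[4121]: Failed password for root from 198.51.100.7 port 51022 ssh2\n"
    "Jun 20 02:14:12 fileserver sshd[4125]: Accepted password for backup from 198.51.100.7 port 51030 ssh2\n"
)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(sources, evidence_dir, collector, case_id):
    """Copy each source into evidence_dir, check the copy by hash, freeze it, and write a manifest."""
    os.makedirs(evidence_dir, exist_ok=True)
    items = []
    for src in sources:
        before = sha256_file(src)
        st = os.stat(src)
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)       # copy2 keeps the mtime, which the timeline will need
        os.chmod(dst, 0o444)         # the working copy is read-only; the original is untouched
        after = sha256_file(dst)
        if after != before:
            raise RuntimeError("copy of %s does not match its source" % src)
        items.append({
            "source": os.path.abspath(src), "copy": dst, "sha256": after, "size": st.st_size,
            "source_mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    manifest = {"case_id": case_id, "collector": collector,
                "collected_at": datetime.now(timezone.utc).isoformat(), "items": items}
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(evidence_dir):
    """Return the copies whose current hash no longer matches the manifest (empty list = intact)."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [i["copy"] for i in manifest["items"]
            if not os.path.exists(i["copy"]) or sha256_file(i["copy"]) != i["sha256"]]


def demo():
    """Full cycle in a temp dir: collect, verify, alter the copy, verify again."""
    work = tempfile.mkdtemp(prefix="ir-demo-")
    src_dir, ev_dir = os.path.join(work, "var_log"), os.path.join(work, "evidence")
    os.makedirs(src_dir)
    auth = os.path.join(src_dir, "auth.log")
    with open(auth, "wb") as f:
        f.write(SAMPLE_AUTH_LOG.encode())
    manifest = preserve([auth], ev_dir, collector="j.doe (IR team)", case_id="IR-2012-0620")
    clean = verify(ev_dir)
    copy = manifest["items"][0]["copy"]
    os.chmod(copy, 0o644)            # simulate someone editing the copy after collection
    with open(copy, "ab") as f:
        f.write(b"edited\n")
    return {"manifest": manifest, "clean": clean, "tampered": verify(ev_dir),
            "expected_sha256": hashlib.sha256(SAMPLE_AUTH_LOG.encode()).hexdigest()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is the "document, document, document" part in machine-readable form: who collected what, when, from where, and the hash that lets counsel or law enforcement confirm months later that the copy is what was taken that night. Analysis then happens on further copies of the frozen set, never on the originals, which is the practical meaning of the last line of the slide.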
Breach Notification
• Internal processes
• Training
• Policies and practices
• Supplier action implications
Other Countries with Privacy/Security Rules
• Argentina
• Australia
• Austria
• Belgium
• Brazil (Pending)
• Bulgaria
• Canada
• Chile
• China (Pending)
• Colombia
• Costa Rica (Pending)
• Cyprus
• Czech Republic
• Denmark
• Ecuador (Pending)
• Estonia
• Finland
• France
• Germany
• Greece
• Hong Kong
• Hungary
• Iceland
Other Countries with Privacy/Security Rules (continued)
• India
• Irish Republic
• Israel
• Italy
• Japan
• Latvia
• Liechtenstein
• Lithuania
• Luxembourg
• Malaysia
• Netherlands
• New Zealand
• Norway
• Paraguay
• Peru
• Philippines (Pending)
• Poland
• Portugal
• Romania
• Russia
• Serbia
• Singapore
• Slovakia
• Slovenia
Other Countries with Privacy/Security Rules (continued)
• South Africa (Pending)
• South Korea
• Spain
• Sweden
• Switzerland
• Taiwan
• Thailand (Pending)
• Tunisia
• Turkey (Pending)
• UAE (DIFC)
• United Kingdom
• United States
• Uruguay
• Vietnam (Pending)
Questions?
Keith A. Cheresko
Privacy Associates International LLC
kcheresko@privassoc.com
www.privassoc.com
(248) 535-2819