Slide 1
Jake Bartlett, Francis Lam, Masha Pryamkova, Muna Siddiqi

Slide 2: Agenda
1. Introduction
   • Risk definition
   • Why IT Security and Privacy are important
   • Types of risks
   • List of most common risks
2. Case Studies
   • The Secret Healthcare Company
   • Visa
   • ChoicePoint
3. Summary of Best Practices

Slide 3: Risk definition
• A risk can be defined as a function of three variables:
  ◦ the probability that there's a threat
  ◦ the probability that there are any vulnerabilities
  ◦ the potential impact
• A threat is anything (man-made or act of nature) that has the potential to cause harm
• A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset
Source: 18

Slide 4: Threats, vulnerabilities and risks
Threats
• Terrorists
• User Error
• Pranksters
• Natural Disasters
• Criminals
• Activists
• Hostile Nations / Groups
• Spies / Snoops
• Other Infrastructure Disruptions
Vulnerabilities
• Flaws in hardware, software, or network elements
• Security is constantly playing catch-up to technology
• Internet was designed to be open
• Systems operating close to capacity
• Increasing use of off-the-shelf software
• Lack of centralized control
• Critical Infrastructure interdependencies
• Standardization of products
• Expansion of Internet
Risks
• Customer Confidence Lost
• Potential Damage
• Critical Operations Halted
• Services Interrupted
• Assets Lost
• Data Corrupted
Source: 1

Slide 5: Why IT Security and Privacy are important
• CSI Computer Crime and Security Survey
• Published by Computer Security Institute since 1995
• 494 respondents (anonymous)
• Data for 2007 report is based on 2006 calendar year
Source: 14

Slide 6
• Average annual loss from IT Security incidents reported in 2007: $345,000 per respondent
• 2007: 494 respondents
Source: 14

Slide 7
• 46% of the organizations experienced a security incident in the past 12 months
Source: 14

Slide 8
• 61% of the companies said that their organizations allocated 5 percent or less of their overall IT budget to information security
Source: 14

Slide 9: Types of risks
• Internal vs. External
• Human vs. Non-Human
• Intentional vs. Accidental
• Effects: Disclosure, Modification, Destruction, Denial of Use
Source: 4

Slide 10: List of most common risks
• Terrorist / hacker attacks
• Malicious Code / Viruses / Worms / Trojans
• Denial of Service
• Salami attacks
• Spam
• Online fraud
• Identity theft
• Phishing
• Social Engineering
• Dumpster Diving
• Unauthorized Data Access / Data Theft
• Industrial Espionage
• Bad data entry
• System disruptions due to floods, fires, other natural / industrial disasters

Slide 11: Most common risks, defined
• Terrorist / hacker attacks
• Malicious Code / Viruses, Worms, Trojans
• Denial of Service: an attempt to make a computer resource unavailable to its intended users
• Salami attacks: a series of minor data-security attacks that together result in a larger attack
• Spam
• Online fraud: using online services to present fraudulent solicitations to prospective victims, to conduct fraudulent transactions, or to transmit the proceeds of fraud
• Identity theft: fraud related to activity in connection with identification documents, authentication features, and information
• Phishing: acquiring sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication
• Social Engineering: manipulating people into performing actions or divulging confidential information
• Dumpster Diving: sifting through commercial or residential trash to find items that have been discarded for being unusable by their owners, but may be useful to the Dumpster diver
• Unauthorized Data Access / Data Theft
• Industrial Espionage
• Bad data entry
• System disruptions due to floods, fires, other natural / industrial disasters
Source: 18

Slide 12
Top 15 types of incidents (chart)
Source: 14

Slide 13: Case Studies

Slide 14: The Secret Healthcare Company
• A Fortune 50 company
• Offers a broad range of medical and specialty products
• Has approximately 34 million medical members
• Manages extensive Public Health Information (PHI)
• This requires high security focus

Slide 15
• 40% of all the health care organizations are not compliant with HIPAA
• 50% faced attacks from e-mail viruses
• Encryption of data is limited
  ◦ 48% do not encrypt data during transmission
  ◦ 69% do not encrypt stored data or devices
Source: 3

Slide 16: Threats facing the company
• Viruses
• Identity theft (Organized crime)
• Offshore hacking
• Spam
• Phishing: fraudulent information requests
• Associate carelessness and malicious activity: inappropriate sharing of PHI
• Configuration errors: software or hardware

Slide 17 (chart)

Slide 18: Why security matters to the company
• Data is collected in large volumes
• The regulatory environment is highly charged and sensitive
• Service providers / partner exposures: outsourcing or delegated work
• Privacy is a signature issue

Slide 19: Information Security Obligations
• HIPAA
• Breach Notification Statutes
• Section 5 of FTC Act
• Gramm-Leach-Bliley

Slide 20: What does HIPAA stand for?
1. Health Industry Paying All Attorneys
2. Highly Intricate Paperwork in Abundant Amounts
3. High Income Potential for Aggressive Attorneys
4. Huge Increase in Paperwork and Aggravation Act
5. Health Insurance Portability and Accountability Act

Slide 21: HIPAA
• Developed by the Department of Health and Human Services (HHS)
• Introduces a set of requirements and standards for the use and dissemination of health care information
• Requires Health Care Companies to develop information security systems
• 5 components:
  ◦ The Privacy Rule: protection of PHI, paper and electronic
  ◦ The Transactions and Code Sets Rule: used for claim filing
  ◦ The Security Rule: electronic
  ◦ The Unique Identifiers Rule
  ◦ The Enforcement Rule
Source: 18

Slide 22: Safeguards
• Administrative Safeguards
• Physical Safeguards
• Electronic Safeguards

Slide 23: Physical safeguards
• The Company does not allow:
  ◦ Unnecessary exposure to PHI and protected information
  ◦ Sharing user IDs or leaving them in view
  ◦ Leaving any PHI in view
• Disposal and destruction of media containing electronic data is strictly monitored
• Facility security plans, maintenance records, and visitor sign-in and escorts are highly controlled
• Contractors or agents are also fully trained on their physical access responsibilities

Slide 24: Electronic safeguards
• The Company does not:
  ◦ Allow any non-certified software on the computers
  ◦ Sell advertisement space on the internet portals
  ◦ Allow direct public access to update the database
  ◦ Allow opening e-mails from unknown people or entities and clicking on links or attachments
  ◦ Allow visiting internet retail and information sharing sites
• The Company constantly monitors for suspicious or unusual activities: the incident response team quickly eliminates, isolates, and manages any threats

Slide 25: Security organization
Chief Information Security Officer
• Policy Management Team: Policy Development; Training; Security Education; Process Development
• Security Risk Management Team: Risk Coordination and Reporting; Data Handling Risk; Vendor Risk Management
• Access Security Team: Encryption Operation; Access Risk Assessment; Account Administration
• Infrastructure Security Team: Antivirus / Spam protection; Network Protection
• Application Security Team: Integrated application development; Database Security
• Program Management Team: Security Planning; Financial Management; Communications; Incident Response

Slide 26: Budget
• Budget for IT: 14.3 million
• Security Budget: 1.2 million (8%)

Slide 27: Security framework
• Organization: Information Security Team; Validation; Proactive Monitoring; Security Audits; Secured Environment
• Process: Appropriate Comprehensive Policies, Standards and Training
• Technology: Secured Infrastructure, Application and Tools; Physical Security Protocols

Slide 28
• Large companies have a higher security budget (more than $1 million), have more technology in place, and follow more strategic practices, but the larger companies suffer more security breaches and bigger losses
• According to IT Policy Compliance Group research, 75% of all data breaches were caused by human errors

Slide 29
• The Secret Healthcare Company lost an unencrypted CD holding personal and medical information of 75,000 members while sending it to a contractor firm
• What could the company do to prevent the data leak?

Slide 30: Action plan
1. Continue to Develop and Deliver Security Awareness, Training and Education
2. Redesign Policies and Standards Framework and Content
3. Expand Processes and Methodologies to Integrate Security into the Enterprise
4. Create and Deploy Data Protection Practices and Solutions
5. Implement Vendor Management Oversight of Data Management and Contract Compliance
6. Develop Incident Handling Protocols and Manage Responses

Slide 31
• Continue to apply the right organization model
• Have consistent policies, procedures, and standards in place
• Provide ongoing security training
• Look for better ways to secure the technology
• Strengthen the information integrity in more proactive ways
• Execute the information security strategy

Slide 32: Visa

Slide 33: Credit card fraud
• "Credit card fraud" is one of many forms of bank fraud that involve credit cards, charge cards, or debit cards
Source: 18

Slide 34
• The fraud begins with either
  A) the theft of the physical card, or
  B) the compromise of the account information
• The compromise can occur by many common routes, including something as simple as a store clerk copying sales receipts

Slide 35
• The rapid growth of credit card use on the Internet has made database security lapses particularly costly; in some cases, millions of accounts have been compromised
• 40% of U.S. and European consumers have stopped an online transaction due to security concerns
Source: 23

Slide 36
• Since 2005, credit card fraud in the UK and America has increased by 350% on average, according to Reuters
• With credit card crime occurring across state lines, criminals often are never prosecuted because the dollar amounts are too low for local law enforcement to pay for extradition
Source: 24

Slide 37
• The cost of credit and charge card fraud, to card holders and to card companies alike, may be as high as $500 million a year
• Everyone pays for credit and charge card fraud in higher prices, whether or not they are personally defrauded
Source: 25

Slide 38: Components of Visa's Security System
• "12 commandments"
• PCI Standard
• "Verified by Visa"
• Contactless cards
• Zero Liability Policy

Slide 39
• In 2000, Visa trumpeted a list of security "best practices" for e-merchants that accept Visa cards
  ◦ It also announced its intention to verify merchants' compliance
• In October 2007 Visa introduced a new set of Payment Application Security Mandates
  ◦ Merchants now have until July 2010 to comply
Source: 6, 17

Slide 40: The "12 commandments"
1. Install and maintain a working firewall
2. Keep application and operating system security patches up to date
3. Encrypt stored credit card data
4. Encrypt data sent across the network
5. Use and regularly update antivirus software
6. Don't use vendor-supplied defaults for password security
7. Assign a unique user ID to each person with computer access
8. Track access to data, including read-only access, by unique ID
9. Regularly test security systems and processes
10. Restrict access to data on a business "need to know" basis
11. Have a management or human resources policy that addresses security in the workplace, such as doing background checks
12. Restrict physical access to authorized employees
Source: 6

Slide 41: PCI DSS
• PCI DSS stands for Payment Card Industry Data Security Standard
• A security standard accepted by all major credit card companies
• Originally began with 5 different programs, including Visa's
• Visa requires its merchants to comply with both PCI and the 12 Commandments
Source: 18

Slide 42: Penalties for PCI non-compliance
Starting October 2007, Visa introduced penalties for non-compliance with PCI:

Merchant's volume of transactions      | Penalty                                                                   | Effective Date | Impact on user
> 1 million Visa transactions per year  | Acquirers for these merchants will see their interchange rate raised a tier | October 2007   | Acquirers pass their interchange costs on to their merchant clients as part of the discount rate
At least 6 million Visa transactions per year | Separate monthly fines to the acquirers of noncompliant merchants    | October 2007   | Acquirers will pass their fine costs along to merchants as well
1 to 6 million Visa transactions per year | Separate fines                                                          | January 2008   | Acquirers will pass their fine costs along to merchants as well
Source: 2

Slide 43: Verified by Visa
• In addition to other security measures (PIN, 3-digit security code, address matching etc.) Visa introduced "Verified by Visa" for online transactions
• Unique passwords or codes are required during Internet transactions to verify the user's identity
• "According to Visa's own research, 76% of customers wanted a password protected system to enable them to shop on the internet with total peace of mind, and
this is the reason we have introduced Verified by Visa"

Slide 44: Standard cards vs. Contactless Visa cards
Standard cards
• Feature a static card verification value written into the magnetic stripe
• This number is not known to the user and is designed to verify that the card is present during a transaction
• However, because it never changes, criminals can use stolen data from the magnetic stripe to produce cloned cards that would work until the issuer reissued the card
Contactless Visa cards
• Feature embedded microchips that generate a unique code whenever the cards are used
• The code is unique to each transaction, which means that criminals who manage to skim card data during a single transaction to create counterfeit cards would have only an old code
Source: 13, 21

Slide 45: Zero Liability Policy
• Customer-oriented policy that ensures complete liability protection for all card transactions that take place on the Visa system, i.e. "You owe nothing in fraudulent transactions"
Source: 22

Slide 46: Identity theft
• Identity Theft is a crime where a criminal assumes someone else's identity in order to profit by fraudulent means
• Not the same as Credit Card Fraud
Source: 8

Slide 48
• Identity theft is one of the fastest growing crimes in the United States
• Identity theft costs almost $53 billion between business and individual victims for all types of reported identity theft
  ◦ Business victims experienced a total loss of $47.5 billion, or an average of $4,800 per business victim per year
  ◦ Individual victims account for a total loss of $5 billion and $500 per victim annually
• Americans spent 300 million hours resolving issues related to identity theft
Source: TBD

Slide 49: How identities are stolen
• Stealing personal information in computer databases (hacking or using Trojan horses)
• Dumpster diving
• Phishing
• Social Engineering
• Browsing social network sites (MySpace, Facebook etc.) for personal details that have been posted by users

Slide 50: Data breaches made public in 2007
Company / Institution                                                 | Date made public | Number of records
Fidelity National Information Services, Certegy Check Services Inc.   | July 3, 2007     | 8.5 million
Yale University                                                       | Aug 8, 2007      | 10,000
California Public Employees' Retirement System (CalPERS)              | Aug 22, 2007     | 445,000
Monster.com                                                           | Aug 23, 2007     | 1.6 million
University of Michigan School of Nursing                              | Sep 19, 2007     | 8,585
Gap, Inc.                                                             | Sep 28, 2007     | 800,000
Commerce Bank                                                         | Oct 10, 2007     | 20
Universities often become victims of data breaches!
Source: 10, 19

Slide 51: ChoicePoint
• A data aggregation company based in Alpharetta, near Atlanta, Georgia
• Acts as a private intelligence service to government and industry: combines personal data sourced from multiple public and private databases for sale to the government and the private sector
• Maintains more than 17 billion records of individuals and businesses, which it sells to an estimated 100,000 clients, including 7,000 federal, state and local law enforcement agencies
Source: 8

Slide 52: The breach
• In February 2005 ChoicePoint revealed that sensitive information for at least 114,000 (some sources say 163,000) people had been compromised
• The breach occurred earlier, in 2004, when criminals posed as customers to obtain data
• No direct technology breach occurred, but media characterized the incident as if one had
• At least 750 (some sources say 5,000) cases of identity theft as a result of the breach
• A similar scam perpetrated in 2000 resulted in at least $1 million in fraudulent purchases
Source: 7, 8, 20

Slide 53: Consequences
• A number of investigations, including by members of Congress, the Federal Trade Commission, the US Securities and Exchange Commission and US state attorneys general, as well as personal lawsuits
• ChoicePoint has agreed to pay $15 million:
  ◦ $10 million fine
  ◦ $5 million as a fund to help the victims of the identity theft
• Company must overhaul its security program and submit to independent audits of security procedures every 2 years for the next 20 years
Source: 11

Slide 54
• In April 2007 a Gartner analyst told USA Today that "ChoicePoint transformed itself from a poster child of data breaches to a role model for data security and privacy practices"
  ◦ Some of the preventive steps included abandoning a line of business worth $20 million because of its potential to risk a future data breach
Source: 7, 16

Slide 55: 5-step action plan for securing data and privacy systems, proposed by ChoicePoint's CIO
1. Governance: Chief Privacy Officer reports to a board that governs privacy and public responsibility
2. Clearly define expected behavior and provide tools to simplify compliance for employees
3. Create data breach response policies and procedures
4. Determine the credentials of those you work with and those who work for you
5. Embrace openness
Source: 12

Slide 56 (blank)

Slide 57: Summary of Best Practices (ISO/IEC 17799 domains)
Legend: Organizational Aspect / Technical Aspect / Physical Aspect
• Security Policy
• Organizational Security
• Access Classification and Control
• Access Control
• Compliance
• Physical Security
• System Development and Maintenance
• Physical and Environmental Security
• Communications and Operations Management
• Business Continuity Management
Source: 9

Slide 58: References

Journal Articles
1. Goles et al., "Dark Screen: An Exercise in Cyber Security", MIS Quarterly Executive, Vol. 4, 2, 2005
2. Green, J., "Merchants Face a Double Whammy", Cards & Payments, Vol. 20, 10, 2007
3. Holmes, A., "The Global State of Information Security 2006; Some things are getting better, slowly, but security practices are still immature and, in some cases, regressing", CIO, Vol. 19, 23, 2006, p. 1
4. Loch, K., Carr, H., Warkentin, M., "Threats to Information Systems: Today's Reality, Yesterday's Understanding", MIS Quarterly, Vol. 16, 2, 1992
5. Luftman, J., and McLean, E., "Key Issues for IT Executives", MIS Quarterly Executive, Vol. 4, 2, 2006, pp. 81-99, 269-286
6. Messmer, E., "Online Card Fraud Targeted", Network World, Vol. 17, 34, 2000
7. McNulty, E., Lee, J., Boni, B., Coghlan, J., Foley, J., "Boss, I Think Someone Stole Our Customer Data", Harvard Business Review, Vol. 85, 9, 2007, pp. 37-50
8. Miller, M., "Why Europe is Safe from ChoicePoint: Preventing Commercialized Identity Theft Through Strong Data Protection and Privacy Laws", The George Washington International Law Review, Vol. 39, 2, 2007, p. 395
9. Saint-Germain, R., "Information Security Management Best Practice Based on ISO/IEC 17799", The Information Management Journal, Vol. 39, 4, 2005, pp. 60-66
10. Swartz, N., "ID Thieves Targeting Universities", Information Management Journal, Vol. 41, 2, 2007, p. 7
11. Swartz, N., "Data Breach Costs Broker $15 Million", Information Management Journal, Vol. 40, 3, 2006, p. 10
12. Swartz, N., "ChoicePoint Lessons Learned", Information Management Journal, Vol. 41, 5, 2007, p. 24
13. Wolfe, D., "Visa Security Idea: Mag Stripe with 'Dynamic' Code", American Banker, Vol. 172, 48, 2007

Slide 60: References (continued)

Electronic publications
14. Richardson, R., "CSI Computer Crime and Security Survey 2007", http://www.gocsi.com/forms/csi_survey.jhtml;jsessionid=W3MH0WN1ZFW0SQSNDLOSKHSCJUNN2JVN, viewed October 1, 2007
15. "An Introduction to Computer Security: The NIST Handbook", http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf, viewed November 4, 2007
16. Swartz, J., and Acohido, B., "Who's guarding your data in the cybervault?", USA Today, http://www.usatoday.com/tech/news/computersecurity/infotheft/2007-04-01-choicepoint_N.htm, viewed November 1, 2007
17. Vijayan, J., "What New Visa Security Mandates Mean to You", PC World, http://www.pcworld.com/businesscenter/article/139048/what_new_visa_security_mandates_mean_for_you.html, viewed November 1, 2007

Websites
18. Wikipedia
19. http://www.privacyrights.org/ar/ChronDataBreaches.htm, viewed November 1, 2007
20. http://jurist.law.pitt.edu/paperchase/2006/01/ftc-imposes-record-fine-on-choicepoint.php, viewed November 1, 2007
21. http://www.informationweek.com/security/showArticle.jhtml?articleID=183702491, viewed November 1
22. http://www.congressionalfcu.org/aboutus/securitycenter/ZeroLiabilityPolicy.pdf, viewed November 1

Slide 61: References (continued)

Websites
23. http://marketwire.com
24. http://today.reuters.com
25. http://techweb.com/wire/security/
26. Creditsourceonline.com
27. About.com
28. identitytheft.gov

Slide 62 (chart)
Source: 14
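The contrast on Slide 44, a static card verification value that a cloned stripe reproduces forever versus a per-transaction code that is useless once replayed, as an added example that is not part of the original deck and is not Visa's or EMV's real scheme: a constructed toy model in Python in which the card derives each code from a secret key, a transaction counter and the amount (truncated HMAC-SHA256), and the issuer recomputes the code and refuses any counter it has already seen. The key, amounts and code length are made-up illustration values.

```python
import hashlib
import hmac

# Constructed toy model of the two card types on slide 44. Not Visa's or EMV's real scheme.

# "Standard card": one static verification value written into the magnetic stripe.
STATIC_CVV = "123"  # constructed value


def verify_static(presented_cvv: str) -> bool:
    """Issuer check for a static value: any faithful copy of the stripe passes, forever."""
    return hmac.compare_digest(presented_cvv, STATIC_CVV)


def transaction_code(key: bytes, counter: int, amount: str) -> str:
    """Per-transaction code bound to a counter and the amount (constructed: truncated HMAC-SHA256)."""
    msg = f"{counter}:{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class ChipCard:
    """'Contactless' card: holds a secret key and a counter, emits a fresh code per use."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def transact(self, amount: str) -> tuple:
        self.counter += 1
        return (self.counter, amount, transaction_code(self.key, self.counter, amount))


class Issuer:
    """Issuer side: recompute the code and insist on a strictly increasing counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def verify(self, counter: int, amount: str, code: str) -> bool:
        expected = transaction_code(self.key, counter, amount)
        if not hmac.compare_digest(expected, code):
            return False  # code does not match: forged or altered transaction
        if counter <= self.last_counter:
            return False  # code already seen: skimmed data replayed on a cloned card
        self.last_counter = counter
        return True


def demo() -> dict:
    key = b"constructed-card-key"  # shared by card and issuer at personalisation (constructed)
    card, issuer = ChipCard(key), Issuer(key)
    genuine = card.transact("19.99")
    first = issuer.verify(*genuine)
    replay = issuer.verify(*genuine)                               # skimmed triple reused as-is
    forged = issuer.verify(genuine[0] + 1, "500.00", genuine[2])   # old code on a new transaction
    later = issuer.verify(*card.transact("5.00"))                  # the real card keeps working
    return {"static_clone": verify_static(STATIC_CVV), "first": first,
            "replay": replay, "forged": forged, "later": later}
```

The issuer-side counter check is what turns skimmed data into "only an old code": without it, a matching HMAC alone would still let the captured triple be replayed.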