Boston • Springfield • Albany
Hackers at the Gate: Protecting your Important Data
© 2009 Wolf & Company, P.C.
Matt Putvinski, CPA, CISA, CISSP
Northeast Disaster Recovery Information X-Change
October 19, 2009
Wolf’s Risk Management Services
• Risk Management Services
• IT Assurance Services
– Internal Audit Services
– Compliance Services
– WolfPAC Solutions
• Risk Management performs work with over 200 organizations
• Diverse experience
– WAN & LAN Network Engineering
– Regulatory and Legal Services
– Various Industry Operations
– IT Operations and Management
– Software Development
– Financial Accounting
– Information Security
• Commitment to industry excellence, with staff holding CPA, CISA, CIA, CISSP, CRCM and JD credentials
Agenda
Data privacy statistics
Data breach costs
Information Security Threats
Data privacy rules and regulations
What is Information Security?
It is the protection of information from unauthorized:
– Access (Confidentiality)
– Modification (Integrity)
– Destruction (Availability)
– Disclosure (Confidentiality)
Why is Information Security Important?
• Need to provide confidentiality, integrity, and availability of information assets:
• To maintain trust, image, credibility: people entrust us with their personal information so that we can help protect them and build a solid foundation for their financial security
• Security Incidents cost $$$$
• For legal compliance: Gramm-Leach-Bliley Act (GLBA)/State Privacy laws
“As we know, there are known knowns. There are things we know we know. We also know there are known unknowns. That is to say, we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know.”
— Donald Rumsfeld, Feb. 12, 2002, Department of Defense news briefing
Last year (10/1/08 – 9/30/09)
498 ‘reported’ security breaches involving sensitive personal information, representing approximately 168 million records.
For 145 of those breaches the number of records affected is unknown, so the 168 million figure is a lower bound.
Sources: datalossdb.org, www.privacyrights.org
Security Breaches Summary…
• Stolen laptops / computers
• Stolen paper reports
• Hacking incidents
• Vendor mismanagement
• Improper destruction of files
• Lost backup tapes
• Dishonest employees selling information
Causes of Data Breaches
5% - Other
10% - Internal Fraud
11% - Lost Media/Documents
15% - Hack by external party
29% - Accidental release
29% - Lost/Stolen Device/Documents
Source: datalossdb.org
What does a breach cost?
Average cost per record: $202
Average cost per breach: $6.6 million (range $613,000 to $32 million)
Source: Ponemon Institute
Cost Per Record, by Industry
– Retail: $131.1
– Consumer Products: $184
– Financial: $240.4
– Healthcare: $282.1
Source: Ponemon Institute
What’s Trust got to do with it?
If you do not trust a company:
– 77% refused to buy its products or services
– 72% criticized it to people they know
– 75% refused to do business with it
– 34% shared their opinion and experiences on the web
Source: Edelman Trust Barometer (2009), published by Edelman, the world’s largest public relations firm.
Factors Important to Trust
– 94% high quality products and services
– 93% treats employees well
– 91% communicates frequently and honestly on the state of its business
– 91% gives value for money
– 90% strong financial future
– 89% senior leadership that can be trusted
– 86% creates and keeps jobs in my area
– 85% commits time, money and resources to the greater good
Source: Edelman Trust Barometer (2009)
“I’ve done nothing wrong, I can't be responsible for a company I hire.” - Owner
http://www.theregister.co.uk/2009/10/14/microsoft_windows_bank_thefts/
“The obvious solution for many is to simply close all online banking accounts. Contrary to what banks say, writing checks really isn't that much of a hassle, at least if you don't write that many of them. But if you insist on making online payments and transfers, the best decision you can make is to stop using Windows to make those transactions.”
http://www.networkworld.com/news/2009/090209-court-allows-suit-against-bank.html
http://cbs13.com/local/identity.theft.scheme.2.1066693.html
“Federal agents say Nelson said it was easy to find new victims: All he needed to do was visit a local bank and search their dumpsters.”
http://voices.washingtonpost.com/securityfix/2009/09/construction_firm_sues_bank_af.html#more
Information Security Threats
Phishing and Pharming
What are they?
Phishing - the attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is usually carried out by e-mail or instant messaging and directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is a type of social engineering.
Pharming - an attack that redirects a website’s traffic to another, bogus website by tampering with name resolution, typically by poisoning DNS records or modifying the victim’s hosts file. Pharming is technically harder to accomplish than phishing but also sneakier, because the victim can type the correct address and still land on the attacker’s site without making any mistake. Pharming is not itself a bot, although botnet malware is one common way the tampering is delivered.
Both phishing and pharming have been used to steal identity information
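The distinction drawn above, phishing sending the victim to a different host versus pharming tampering with how the right host resolves, is easiest to see in code. The following is an added example written for this page, not material from the presentation: one function classifies a link by its hostname against an allowlist of genuine login hosts, the other reads hosts-file text and reports entries that pin a genuine hostname to an address it should not resolve to. The bank domains, addresses and the sample hosts file are all constructed for the example.

```python
"""Added example, not from the original presentation: two small checks that make
the phishing / pharming distinction from the slide concrete.

- classify_link(): phishing lures the victim to a *different* host that imitates
  the real one, so the hostname in the link gives it away.
- find_pharming_overrides(): pharming leaves the victim typing the *correct*
  hostname but tampers with name resolution (here: a hosts-file entry), so only
  the resolved address gives it away.

All hostnames and addresses below are constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the genuine login hosts and the addresses they may resolve to.
TRUSTED_HOSTS = {
    "online.examplebank.com": {"198.51.100.10", "198.51.100.11"},
    "www.examplebank.com": {"198.51.100.20"},
}

# Digits commonly swapped for look-alike letters ("0" for "o", "1" for "l", ...).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def _normalize(host: str) -> str:
    """Fold common look-alike tricks so 'examp1ebank' compares equal to 'examplebank'."""
    return host.lower().rstrip(".").translate(_CONFUSABLES).replace("rn", "m")


def classify_link(url: str) -> str:
    """Classify a link as 'trusted', 'subdomain-trick', 'lookalike',
    'userinfo-trick' or 'unknown' relative to TRUSTED_HOSTS."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if host in TRUSTED_HOSTS:
        return "trusted"
    for trusted in TRUSTED_HOSTS:
        # Genuine name used as a prefix of an attacker-controlled domain,
        # e.g. online.examplebank.com.login-verify.net
        if host.startswith(trusted + ".") or host.startswith(trusted + "-"):
            return "subdomain-trick"
        if _normalize(host) == _normalize(trusted):
            return "lookalike"
    # https://online.examplebank.com@203.0.113.5/ : the text before '@' is URL
    # userinfo, not the host; urlsplit already put the real host in .hostname.
    if parts.username and any(t in parts.username.lower() for t in TRUSTED_HOSTS):
        return "userinfo-trick"
    return "unknown"


def find_pharming_overrides(hosts_text: str) -> list:
    """Return (hostname, address) pairs in hosts-file text that map a trusted
    hostname to an address it is not expected to resolve to."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            name = name.lower()
            if name in TRUSTED_HOSTS and addr not in TRUSTED_HOSTS[name]:
                hits.append((name, addr))
    return hits


# Constructed hosts file: one benign pin and one entry planted by malware.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
198.51.100.10   online.examplebank.com
# planted: the victim types the right name and still lands on the attacker's server
203.0.113.66    www.examplebank.com
"""

if __name__ == "__main__":
    for link in ("https://online.examplebank.com/login",
                 "https://online.examplebank.com.login-verify.net/",
                 "https://online.examp1ebank.com/login",
                 "https://online.examplebank.com@203.0.113.5/login"):
        print(classify_link(link), link)
    print(find_pharming_overrides(SAMPLE_HOSTS))
```

The link classifier only ever sees what is in the URL, which is why it catches phishing and is useless against pharming: in the hosts-file case the URL is the genuine one and only the resolved address is wrong. On a real endpoint the same address check would be run against the resolver's answers as well as the hosts file.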
Information Security Threats
Botnets/Zombie Networks
What is it?
Bot - software that runs automated tasks over the Internet; here, malware that lets an attacker control the infected computer remotely
Zombie – an infected computer under such remote control
Botnet/Zombie Network – a collection of compromised computers controlled as a group
Bot Herder – an individual or group that builds or buys bots, controls the resulting botnet, and rents or sells its use to other criminals
Information Security Threats
Botnets/Zombie Networks
Threats
– Data theft
– Keystroke logging
– DDoS attacks
– Pharming attacks
– Viruses, Trojans and worms
– Email spam
Preventive Controls
– Install a personal firewall
– Install anti-virus and anti-spyware software
– Use strong passwords and authentication such as secure tokens
Information Security Threats
Malware/Mobile Malware
What is it?
Malware - malicious software, including computer viruses, worms, Trojan horses, most rootkits, spyware and dishonest adware
Mobile Malware - malware that attacks portable devices such as laptop computers, cell phones, PDAs and BlackBerries
Information Security Threats
Malware/Mobile Malware
Threats
– Theft of email and text messages
– Theft of client and employee personal information
– Attacks on critical systems
Preventive Controls
– Encrypt portable devices
– Install anti-virus software
– Use Wi-Fi and Bluetooth only at home or at trusted locations
– Do not save business data on your mobile device
– Communicate to employees the type of information that may be accessed using these devices
Information Security Threats
Outsourcing
What is it?
Specifically, when a third party hosts, manages and/or maintains technology resources
Threats
– How safe is the contracted party?
Preventive Controls
– Obtain a SAS 70 report and copies of audits
– Ensure contracts define responsibilities
– Obtain certifications from the vendor
Information Security Threats
Social Engineering
What is it?
A low-tech form of hacking
Tries to trick individuals into giving out sensitive information
Can be performed in person or via the telephone or email
Social engineers will try to access facilities and play the part of supervisors, employees, vendors or auditors
Information Security Threats
Social Engineering
Threats
– Unauthorized access to data, systems and sites
– Phishing attacks
Preventive Controls
– Train staff to be alert to suspicious activity and unknown individuals
– Restrict access to the facility to individuals with a valid business reason to enter
– Enact company policies on when to give out personal information and passwords
– Conduct security awareness campaigns
Information Security Threats
Natural Disasters
What are they?
Hurricanes, Tornadoes, Floods, Fires, Etc.
Threats
– Loss of data
– Loss of systems availability
– Loss of site access
Preventive Controls
– Back up all files to one or more remote locations
– Store files on secure online storage sites
– Secondary computing environment
– Business Continuity Planning
Rules and Regulations
Gramm Leach Bliley Act (GLBA)
Payment Card Industry Data Security Standard (PCI DSS)
State Laws
Federal Laws
GLBA
The GLBA gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule.
Applies to "financial institutions," which include banks, securities firms, insurance companies, and other companies providing many other types of financial products and services to consumers.
PCI DSS
Comprehensive requirements for payment account data security.
– Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
– Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks
– Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications
– Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data
– Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes
– Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security
State Laws (New England)
New England states define personal information similarly: a combination of name and any one or more of the following:
1) Social Security number;
2) Driver's license number or state identification card number; or
3) Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account
State Laws (New England)
Notification of breach to affected parties through various communication methods
– Substitute notices permitted based on cost/number of compromised records
In all states, law enforcement agencies may delay notification of breaches if it is deemed that disclosure will impede or compromise an investigation
NE State Laws - Penalties
CT: “unfair trade practice and enforced by Attorney General” (Civil penalties up to $500,000)
ME: Civil violation, not more than $500 per violation, max of $2,500 each day in violation
MA: “The attorney general may bring an action pursuant to section 4 of chapter 93A”
NE State Laws – Penalties (cont.)
NH: If the violation is willful or knowing, the court awards as much as 3 times but not less than 2 times actual damages, as well as the costs of the suit and reasonable attorney’s fees.
– The attorney general’s office shall enforce the provisions
RI: Civil violation not more than $100 per occurrence and not more than $25,000 total
VT: Attorney general and state’s attorney have full authority to investigate, enforce, prosecute, obtain and impose remedies
M.G.L. c. 93H / 201 CMR 17.00 (MA Law)
Goes beyond just notification
Establishes minimum security standards
– 17.03: Duty to Protect and Standards for Protecting Personal Information
– 17.04: Computer System Security Requirements
Implementation of standards by March 1, 2010
Background
– Issued by the Office of Consumer Affairs and Business Regulation on September 19, 2008
– Originally scheduled to be effective on January 1, 2009; deadline extended to March 1, 2010
– One of the first state privacy laws to go beyond requiring notification
– Established to make companies assume more ownership of sensitive data and face penalties if they fail to safeguard it
Who is Affected?
Any person who owns, licenses, stores, or maintains personal information about a resident of Massachusetts.
Applies to ANY organization in possession of personal information of Massachusetts residents, whether or not that business maintains a presence in the state.
What is Covered?
Personal Information:
Means a Massachusetts resident’s first name or initial, and last name, in combination with one or more of the following:
– Social Security number
– Driver’s license or state ID card number
– Financial account number (not just bank account numbers) or credit / debit card number, with or without the security / access codes, PINs or passwords needed to access the account
Excludes information lawfully obtained from publicly available information or government records
Includes employee information, thus requiring almost all organizations in MA and surrounding states to comply
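Because the definition is a combination rule (a name together with at least one identifier), a data inventory cannot simply grep for SSNs or card numbers. The following is an added example written for this page, not code from the presentation or from Wolf & Company: it applies the Massachusetts definition to structured records and reports which identifier kinds make each record "personal information". The SSN, license and card formats it recognizes and the sample records are assumptions constructed for the example; the license pattern in particular ("S" plus eight digits) should be replaced with whatever identifiers your organization actually stores.

```python
"""Added example, not from the original presentation: a small scanner that applies
the Massachusetts definition of "personal information" to records, the kind of
check used to build the data inventory the regulation's risk assessment calls for.

The rule being encoded: a record is personal information only when a name (first
name or initial plus last name) appears in combination with at least one of an
SSN, a driver's license / state ID number, or a financial account / card number.
A name alone or an identifier alone does not qualify.

Assumptions made for the example: SSNs appear as NNN-NN-NNNN, a license number is
"S" followed by eight digits, and card numbers are 13 to 19 digits that pass the
Luhn check. The sample records are constructed.
"""
import re

NAME_RE = re.compile(r"^(?:[A-Z][a-z]+|[A-Z]\.)\s+[A-Z][a-z]+$")    # "Jane Doe" or "J. Doe"
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
LICENSE_RE = re.compile(r"\bS\d{8}\b")                               # assumed license format
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")                       # candidates, checked with Luhn


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def has_name(record: dict) -> bool:
    """Name present either as separate first/last fields or as one 'name' field."""
    if record.get("first_name") and record.get("last_name"):
        return True
    return bool(NAME_RE.match(record.get("name", "")))


def find_identifiers(text: str) -> set:
    """Which of the regulation's identifier kinds appear in this text."""
    kinds = set()
    if SSN_RE.search(text):
        kinds.add("ssn")
    if LICENSE_RE.search(text):
        kinds.add("license")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            kinds.add("card")
            break
    return kinds


def personal_information_kinds(record: dict) -> set:
    """The identifier kinds that make this record 'personal information', or an
    empty set when the combination rule is not met."""
    if not has_name(record):
        return set()
    kinds = set()
    for value in record.values():
        if isinstance(value, str):
            kinds |= find_identifiers(value)
    return kinds


# Constructed records: each comment states the expected outcome.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789"},                          # name + SSN: PI
    {"name": "J. Doe", "notes": "license S12345678 on file"},             # initial + last + license: PI
    {"name": "John Smith", "email": "john@example.com"},                  # name only: not PI
    {"ssn": "123-45-6789"},                                               # SSN without a name: not PI
    {"name": "Ann Lee", "notes": "paid with 4111 1111 1111 1111"},        # name + Luhn-valid card: PI
    {"name": "Bob Ray", "notes": "ticket 1234 5678 9012 3456 opened"},   # fails Luhn: not PI
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(sorted(personal_information_kinds(rec)), rec)
```

The Luhn check matters in practice: without it, any 16-digit ticket or order number next to a name would be counted as cardholder data and inflate the inventory. The converse caveat also holds: a record that fails the combination rule here may still be sensitive under other regimes (GLBA, PCI DSS), so this classifier answers only the Massachusetts question.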
What is Covered
Employee Type Information:
– Payroll records
– Health benefits
– Direct deposit records
– 401(k)
Required Elements
Designated Employee - One or more employees must be designated to maintain the information security program (ISP)
‘Written’ – ISP must be formally documented
Risk Assessment - ISP must identify and assess reasonably foreseeable risks
– Internal and external
– Provide an inventory of sensitive data
– Evaluate the effectiveness of the safeguards currently in place to mitigate such risks
Required Elements
Continuous Employee Security Awareness Training
Disciplinary measures
Preventing terminating employees from accessing records
Third Party Service Providers – ISP must require by contract that third party service providers with access to personal information protect it.
Physical Restrictions
Required Elements
Regular Monitoring
Annual update of Security Program
Breach Responses
Required Elements
Technical controls:
– Security Access Controls - password controls, access levels, lockout settings
– Encryption - encryption of data when residing on portable devices or transported over public networks
– Firewalls and Patching - up-to-date firewall protection, with operating system security patches installed
– Malware and Virus Protection - up-to-date malware and virus definitions
– Employee Training - education and training of employees on the proper use of computer information security systems and the importance of personal information security
– Monitoring - reasonable monitoring of systems for unauthorized use of or access to personal information
Compliance and Enforcement
Attorney General Enforcement
– The Attorney General may enforce violations of Chapter 93H via actions brought under Chapter 93A
Compliance Standards
– Size, scope and type of business *
– Amount of resources available to such person *
– Amount of personal information stored *
– The need for security *
* No guidance on minimum requirements
Federal Laws
Federal privacy legislation in draft that could preempt state laws
Nine bills introduced over the last few years, none enacted; common elements:
– Consumer notification
– Penalties
– Enforcement
– Centralized reporting
Matthew Putvinski, CPA, CISA, CISSP
Director – IT Assurance Services
617-428-5479
twitter.com/mattputvinski
http://www.linkedin.com/in/mattputvinski
Thank You!