Detecting, Protecting, Preventing, and Reporting Computer

Breaches

Dr. Linda WilbanksU.S. Department of Education

Presentation:

2

• Introduction• Risk Identification – Understanding the risk to Data/Networks • Risk Management – Source of the risk to Data/Networks • Risk Mitigation – Preventing data loss at work and home

• Cyber Crime Terminology

Introduction

3

You HAVE a Problem

4

• People think that the data they store is worthless to another person therefore protecting the data is not worth the effort

• The easiest data to steal is data that people don’t know is valuable

• The bad guys will come after the data the easiest way that they can get it

• You can never second guess the use of data by malicious parties

Hacking Data Loss

5

October 10, 2012

Northwest Florida State CollegeNiceville, FL

EDU HACK 279,000 (At

least 200,050 SSNs exposed)

An internal review revealed a hack of Northwest College servers. One or more hackers accessed at least one folder in the server between May 21, 2012 and September 24, 2012. Over 3,000 employees, 76,000 Northwest College student records, and 200,000 students eligible for Bright Future scholarships in 2005-06 and 2006-07 were affected. Bright Future scholarship data included names, Social Security numbers, dates of birth, ethnicity, and genders. Current and former employees that have used direct deposit anytime since 2002 may have had some information exposed. At least 50 employees had enough information in the folder to be at risk for identity theft.

https://www.privacyrights.org/data-breach/new

You Don’t Know What You Don’t Know

6

There’s No Such Thing as Worthless Data•The bad guys gather seemingly worthless bits of data to launch social engineering attacks or use a small piece of information to complete the attack puzzle

Compromises Happen All of the Time•Even to companies who take security seriously•Even to companies who do everything reasonable

•It’s not YOUR data but it is YOUR responsibility to protect it

It’s NOT just IT’s Problem• YOU assume the risk for

the loss of data

• IT protects the data to the identified risk level

• Data protection, breach prevention MUST be a joint operation for success

7

Breach Scenario

8

• E-mail work from office to home computer• Work on it at home, e-mail it back• Virus from home computer comes with file• Network infected

– Worm takes system down– Bomb deletes data– Trojan sends FSA data externally

Password cracking by security experts:Six characters: 12 secondsSeven characters: 5 minutesEight characters: 4 hours

Component type can influence security

Virus Infection

9

March 16, 2013

Salem State UniversitySalem, MA

EDU HACK 25,000

A server was found to be infected with a virus. The University computer contained information related to paychecks distributed by the University. Current and former employees who may have been students or staff may have been affected.

There is a Cost for a Compromise

When, NOT IF, You Have a Compromise, Data Will be Assumed to be Compromised

Investigations average $300 per user impacted •Data integrity must be examined•PR nightmare and costs to mitigate bad press•Potential loss of federal contracts •Class Action lawsuits possible

•Intruders don’t care whether or not there was damage

10

Risk Identification

11

• Terminology• Potential victim• Potential threat source

Financial Aid At Risk

Risk

12

The potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome). The notion implies that a choice having an influence on the outcome sometimes exists (or existed).

Threat

• A possible danger that might exploit a vulnerability to breach security and thus cause possible harm

• A threat can be either “intentional” (i.e., intelligent; e.g., an individual cracker or a criminal organization) or “accidental" (e.g., a computer malfunction, environmental such as an earthquake, or fire) or otherwise a circumstance, capability, action, or event

• Threats take advantage of your vulnerabilities

13

Vulnerability• A weakness of an asset or group of assets that can be exploited by

one or more threats which reduces a system's information assurance

• The intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface

• Vulnerabilities and threats together result in risks to the organization that need to be mitigated

14

Example

• A vulnerability could be a known patch that was not applied

• A threat would be that someone would use that known vulnerability to access data

• Security’s responsibility to ensure all patches are promptly applied based on the risk thus reducing the threat to data loss or compromise

15

Who are the Victims?

16

37% of breaches affected financial organizations (+)24% of breaches occurred in retail and restaurants (-)20% of network intrusions involved manufacturing, transportation, and utilities (+)20% of network intrusions hit information and professional services firms (+)38% of breaches impacted larger organizations27 countries affected

2013 Data Breach Investigations Report (Verizon) results based on 47,000 reported incidents, 621 confirmed data disclosures, 44M compromised records

Who Perpetrated the Breaches?

17

92% perpetrated by outsiders14% committed by insiders (+) 1% business partners 7% multiple parties19% state-affiliated actors (+)

How do Breaches Occur?

18

52% some form of hacking (-)76% network intrusions exploited weak or stolen credentials (-)40% incorporated malware (-)35% involved physical attacks (-)29% leveraged social tactics (+)13% resulted from privilege misuse and abuse

Middle School Phishing

19

May 3, 2013Schoenbar Middle SchoolKetchikan, AK

EDU HACK Unknown

A ring of middle school students were able to gain access to and control of more than 300 computers by phishing for teacher administrative codes. At least 18 students were involved. The breach happened when students used software to imitate a legitimate software update on their computers. The students then asked teachers to enter administrative account information so that they could complete the software updates or installations. The phony software then stored teacher credentials. The students were then able to control 300 laptops belonging to other students by using the administrative credentials. The school believes that servers and sensitive information were not exposed. The breach occurred around Friday, April 26 and was discovered on Monday, April 29 when students noticed that other students appeared to be controlling student laptops remotely and reported the issue.

Incidents by Type and # Records Breached

20

# incidents 78 51 46 40 39 8 6PII records breached 11,783,776 80,706,983 296,710 1,082,749 177,399 5,906 250,650Total records breached 13,632,310 80,925,917 315,737 2,257,796 211,899 5,906 255,219

Lost While Transporting

21

January 8, 2013Morgan Road Middle SchoolHephzibah, GA

EDU PORT Unknown

An unencrypted flash drive was stolen from a teacher's car. It contained student Social Security numbers and other information.

December 11, 2012Pepperdine UniversityMalibu, CA

EDU PORT 8,300

A University laptop was stolen from an employee's locked car. Pepperdine learned of the theft on November 12, 2012. The laptop may have contained names, Social Security numbers, addresses, and/or dates of birth.UPDATE (12/11/2012): As many as 8,300 people may have been affected. The laptop had been used for work related to the IRS and contained data from as far back as 2008. About 75 percent of the people affected were students

What Commonalities Exist

22

75% financial motives (-)71% targeted user devices (+)54% compromised servers (-)75% opportunistic attacks (-)78% low difficulty69% discovered by external parties66% took months or more to discover (+)

“New” Threats• Bring your own device (BYOD) - the policy of permitting employees to bring

personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and use those devices to access privileged company information and applications

• Cloud computing - the use of computing resources (hardware and software) which are available in a remote location and accessible over a network (typically the internet). The name comes from the common use of a cloud-shaped symbol as an abstraction for the complex infrastructure it contains in system diagrams. Cloud computing entrusts remote services with a user's data, software, and computation

• Big data - collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications

23

23

Risk Management

The identification, assessment, and prioritization of risks

•Identify, characterize threats•Assess the vulnerability of critical assets to specific threats•Determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)•Identify ways to reduce those risks•Prioritize risk reduction measures based on a strategy

24

What is at Risk

Networks – is someone on the network, capturing the data?

Data – is it being taken or altered?

25

Risk Management of Networks

There is no one set of best security practices that can be applied across all educational institutions.

Any attempt to enforce an one size fits all approach to securing our assets may result in under-protection from targeted attacks while over-spending on defending against simpler opportunistic attacks.

Complex systems like that at FSA must employ a Defense in Depth methodology.

26

College and Universities – Network Targets• Current student and alumni information• Widely distributed:

AdmissionsRegistrar’s Office Student AssistanceCollege Book StoreHealth Clinic

• Hackers seek diverse information

27

Hackers

April 9, 2013

Kirkwood Community CollegeCedar Rapids, IA

EDU HACK 125,000

Hackers accessed Kirkwood Community College's website and applicant database system on March 13. Anyone who applied to a Kirkwood Campus may have had their names, Social Security numbers, dates of birth, race, and contact information exposed. People who applied to take Kirkwood college-credit classes between February 25, 2005 and March 13, 2013 were affected.

28

FSA Risk Management of Networks

29

Risk Management of DATAFAFSA DATA :•Name•Date of birth•Social Security number•Parents names, dates of birth, Social Security numbers•Citizenship (if not US, then identified)•Tax return information of student and parents

30

FSA Applicants - A Vulnerable PopulationProfile of FSA Applicants• 39% male, 61% female• 43% less than 23 yrs old• 87% do not yet have a B.A.• 62% full-time students• 80% not married• 68% of applicants’ parents not married• 50% of applicants’ parents never went to college• 89% have family income < $40K

31

31

Students (and Parents) at Risk• Facebook = share everything (Security questions?)• Very mobile = casually carry laptop, iPhone, iPad everywhere• Very trusting = limit password usage, write passwords down

anywhere• Not organized = often do not track credit cards, “junk” mail• High debt = attractive to foreign actors

» High risk for data compromise that can result in monetary loss or identify theft

32

Social Media Hacks

October 19, 2012

The College of St. ScholasticaDuluth, MN

EDU HACK

28 (No SSNs or financial information

exposed)

Hackers were able to guess the answers to student account challenge questions. The email account passwords of at least 28 students were reset and their account information was most likely accessed. The hackers may have been based in Beijing and most likely gathered the information needed to pass the challenge questions from information on the students' Facebook pages.

33

Privacy

• “The right to be left alone”• Types of privacy

– Communications privacy– Physical privacy– Locational privacy– Information privacy

• FSA is mostly concerned with “information privacy”—the right of the individual to control what information about them is released

34

Personally Identifiable Information (PII)“PII is information that can be used to distinguish a person’s identity,

e.g., name, social security number, biometric data, etc., alone, or when combined with other personal data, linked or linkable to a specific

person, such as date and place of birth, mother’s maiden name, etc.”

•Some PII is always sensitive and requires a high level of protection because of the substantial harm to an individual that could occur if it were wrongfully disclosed

•The level of protection should reflect the sensitivity of the data – data that is determined by the owner to be of high value or that represents a high risk to the individual if it were wrongfully disclosed requires increased protection

OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 200735

What Is A Privacy Breach?A privacy breach occurs when PII is lost or stolen, or is disclosed or otherwise exposed to unauthorized people for unauthorized purposes.

This includes PII in any format, and whether or not it is a suspected or confirmed loss

Examples of PII breaches: PII left on the printer or scanner PII e-mailed without encryption or other protection PII mailed to the wrong recipient PII stored on a stolen laptop or thumb drivePII posted to a public-facing website, etc.

36

Risk Mitigation

What you CAN and SHOULD

do

37

Establish Good Governance• Create policies and procedures for protecting sensitive data and

enforce penalties for noncompliance • Identify a privacy official and make sure privacy has a “seat at the

table” • Develop a training and awareness program. There are lots of good

free stuff available• Publish rules of behavior – Make users sign a “confidentiality contract”• Have a breach response plan that includes roles, responsibilities,

timeframes, call trees, alternates, etc.• Know your inventory of HW, SW, PII • Do you know how much PII you have? Where it is stored (USB drives,

CD-ROMS, etc.), who touches it, and why? • Map out your business process flows—follow the PII

38

Implement Network Security• Utilize the HEISC inventory for self assessment*• Ensure essential controls are met• Collect, analyze, and share incident data• Collect, analyze, and share tactical threat intelligence• Emphasize prevention• Ensure patches are current• Focus on better and faster detection• Utilize metrics to drive security practices• Evaluate the threat landscape• Don’t understand the determination of your advisary

Higher Education information Security Council (HEISC)http://www.educause.edu 39

Guidelines for Strong Passwords• Minimum password length of 12 to 14 characters if permitted• Avoid passwords based on repetition, dictionary words, letter or

number sequences, usernames, relative or pet names, romantic links (current or past), or biographical information (e.g., ID numbers, ancestors' names, or dates).

• Include numbers, and symbols in passwords if allowed by the system

• If the system recognizes case as significant, use capital and lower-case letters

• Avoid using the same password for multiple sites or purposes• Avoid using something that the public or workmates know you

strongly like or dislike40

Safeguard PII

41

Reduce Your Exposure• Enforce a clean desk policy• Conduct PII “amnesty” days (shred paper PII/eliminate PII from local and shared drives)• Protect data at the endpoints

– USB drives, paper, laptops, smartphones, printers • Destroy your data securely• Do not keep records forever• Limit access to only those with a need to know

– Enforce role-based access, least privilege• Practice breach prevention:

– Analyze breaches from other organizations– Learn from their mistakes– Adjust your policies and procedures accordingly

• Please—THINK before you post/send/tweet!

42

Lost Laptop

March 22, 2013

University of Mississippi Medical Center (UMMC)Jackson, MS

EDU PORT Unknown

A laptop used by UMMC clinicians was discovered missing on January 22. The password-protected laptop contained information from patients who entered the hospital between 2008 and 2013. Patient names, Social Security numbers, addresses, diagnoses, medications, treatments, dates of birth, and other personal information may have been exposed.

UPDATE (04/25/2013): The laptop may have been lost or stolen in November of 2012.

43

Teleworking Security

Ideal Situation: Separate home office with door; Dedicated files/cabinets;GFE laptop, VPN/Citrix

Not-So-Ideal Scenarios: Home Computer; Kiosk; Firepass; Local Hard Drive/USB

•Non-government issued computer or portable storage device (eg, a USB flash/thumb drive), make sure it has ED-equivalent security controls (eg, antivirus/malware, full disk encryption, session lock, strong passwords)•To the extent possible, do NOT copy data from the VPN to your hard drive, or to a removable storage device: If you must copy data, make sure the data is encrypted.•Keep your computer in a secure location at all times; do not leave it unattended/unsecured•If you are teleworking from a public location, make sure no-one else can see what is on your computer screen (consider a privacy screen)•Continue to encrypt PII/sensitive data when emailing such data (eg, using WinZip encryption) 44

So, What Can I Personally Do?

• Only collect and use information that is absolutely necessary, and only

share with those who absolutely need the information• “Review and reduce”—inventory your PII and PII data flows, and look for

ways to reduce PII• Follow all Departmental policies and procedures• Think before you hit the “send” button (E-mail is by far the #1 source of

breaches)• “Scramble, don’t gamble”—encrypt, encrypt, encrypt• Minimize (or eliminate) the use of portable storage devices—they are

breaches waiting to happen• FREE USB/thumb drives are not free• Protect PII on paper—enforce a clean desk policy, use secure shredding

bins, locked cabinets, etc.• Never carry anyone’s social security card

45

Preventing ID Theft Online:

• Keep anti-virus software up-to-date• Speak to your child about:

– strong passwords– phishing schemes– providing personal information on shared computers (e.g.,

libraries) – sharing information on social networks (e.g., Facebook) or with

strangers in chat rooms• Downloading games, apps, and software from unknown sources

46

Pop Quiz

If a college has a data breach do they need to notify the U.S.

Department of Education or Federal Student Aid?

47

Summary• Never forget the network and data you connect to• YOUR actions are critical for everyone’s continued security• Follow all security policies and procedures• If you THINK something is wrong, call the help desk or

Security, DON’T HESITATE

Breach Investigations average $300 per user impacted

48

QUESTIONS?

49

Contact InfoDr. Linda WilbanksChief Information Security OfficerFederal Student AidLinda.Wilbanks@ed.gov

Kathleen StylesChief Privacy OfficerDepartment of EducationKathleen.Styles@ed.gov

50

Cyber Crime Terminology• Malware - malicious software used or created to disrupt computer operation, gather

sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software. Malware includes computer viruses, worms, trojan horses, spyware, adware, and other malicious programs.

• Computer worm - standalone malware that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

• Trojan horse - a type of malware that masquerades as a legitimate file or helpful program but whose real purpose is to grant a hacker unauthorized access to a computer. Trojans do not attempt to inject themselves into other files like a computer virus. Trojan horses may steal information, or harm their host computer systems. Trojans may used downloads or install via online games or internet-driven applications in order to reach target computers

51

Cyber Crime Terminology (cont.)• Spyware is a type of malware installed on computers that collects information about users

without their knowledge. The presence of spyware is typically hidden from the user and can be difficult to detect. Spyware can collect almost any type of data, including personal information, internet surfing habits, user logins, and bank or credit account information.

• Adware or advertising-supported software -any software package which automatically renders advertisements. These advertisements can be in the form of a pop-up. The object of the Adware is to generate revenue for its author. Adware, by itself, is harmless.

52