FSA Security Initiatives
• Two-factor authentication
• More schools enabling TFA
• Privileged users especially at risk
Mission Statement
Deliver efficient, cost-effective, and secure technology to enable the business of FSA
Definition of a Breach
Privacy breach - when PII is lost or stolen, or is disclosed or otherwise
exposed to unauthorized people for unauthorized purposes.
This includes PII in any format, whether the loss is suspected or
confirmed.
Examples of PII breaches:
PII left on the printer or scanner
PII e-mailed without encryption or other protection
PII mailed to the wrong recipient
PII stored on a stolen laptop or thumb drive
PII posted to a public-facing website, etc.
Is It An Incident?
Types of Incidents
…Or a Breach?
• Data Breach – An incident that
resulted in confirmed
disclosure, not just exposure,
to an unauthorized party, often
used interchangeably with data
compromise.
What Happens During a Breach
• $3.79M average cost of a data breach
• $154 cost per lost record ($217 in the U.S.)
• Costs keep going up
• 17 malicious code attacks and 12 sustained probes per month
• Reissue cards, consumer protection, insurance, liability
• Loss of reputation
Data Breach Investigations Report
• In 60% of cases, attackers compromise the organization within minutes.
• Nearly 50% of people open e-mails and click on phishing links within the first hour.
• A campaign of only 10 e-mails yields a >90% chance that at least one person clicks.
• 99.9% of the exploited vulnerabilities were compromised more than a year after the vulnerability was published.
• Half of the exploited vulnerabilities were exploited within two weeks of being published.
• Malware events focus on: financial services, insurance, retail, utilities, and education.
Source: DBIR 2015
Recent Examples of Data Loss
• April 2015 – Office of Personnel Management (OPM) breached; personally identifiable information for 21.5 million federal employees, past and present, and contractors stolen
• May 15, 2015 – College servers breached in two different intrusions, potential exposure for at least 18,000 people
• October 1, 2014 – District-wide phishing attack allowed access to employees' e-mail accounts containing files with personally identifiable information, potential exposure 1,400
• Target, Home Depot, IRS, Sony
Source: https://www.privacyrights.org/data-breach/new
Profiling the Attacker / Threat Vectors
86% perpetrated by outsiders
14% committed by insiders
1% business partners
7% multiple parties
19% state-affiliated actors
Potential Breach Sources
• Phone numbers
• Passwords
• Informative files
• Information left behind
• Unlocked screen
Laptop Risks
• February 2015 – University laptop was stolen with student roster
information including social security numbers and grade data,
potentially impacting 941 students.
https://www.privacyrights.org/data-breach/new
Laptop Loss Examples
• July 8, 2010 – Employee downloaded files onto a hard drive, connected it to their home network, and the files went onto the internet with information from current and former students' personnel files and social security numbers
• June 9, 2014 – Employee sent an unencrypted attachment to 78 employees containing personal information of college employees, impacting approximately 1,900 employees
https://www.privacyrights.org/data-breach/new
Top Mobile Threats:
1. Mobile Malware
2. Loss/Theft
3. Social Media
4. Cloud Storage
5. Wi-Fi
FSA Electronic Data Transfer Points
Department of Education
FSA Security follows Department policies, and incident information rolls up to the Department for reporting
Networks At Risk
• Records of student and loan information
• Wireless networks
• Widely distributed networks
• Admissions
• Registrar’s Office
• Student Assistance
• College Book Store
• Health Clinic
• Websites
• Hackers seek diverse information and diverse paths
Your Data At Risk
• Intranet – Internal information, non-public distribution
• Facebook = share everything (Security questions?)
• Very mobile = laptop, iPhone, iPad everywhere
• Very trusting = limited password usage, write passwords down
• Not organized = often do not track credit cards, “junk” mail
• High debt = attractive to foreign actors
Breach Responsibility
• YOU (and your organization) assume the risk for the loss of
data
• Cyber Security protects the data to the identified risk level
• Data protection, breach prevention MUST be a joint operation
for success
Dear Colleague Letter
• Publication Date: July 29, 2015
• Subject: Protecting Student Information
• Data breaches proliferating
• Cooperation of FSA Partners to implement strong security
policies, controls, and monitoring is critical to protecting
personally identifiable information and ensuring the
confidentiality, security, and integrity of Title IV financial
aid information
Legal Obligation to Protect (1 of 2)
• Student Aid Internet Gateway (SAIG) Enrollment Agreement
• The institution “[m]ust ensure that all Federal Student Aid applicant information is protected from access by or disclosure to unauthorized personnel.”
• Privacy Act of 1974 (Federal Agencies)
• Gramm-Leach-Bliley Act
• Safeguards Rule
• Applies to financial institutions and those that receive information about the
customers of financial institutions
• Requires institutions to secure customer information and create a written information
security plan that describes program to protect customer information
• State data breach and privacy laws and potentially other laws
Legal Obligation to Protect (2 of 2)
• HEA (Higher Education Act)
• Requires institutions to maintain appropriate institutional capability for the sound
administration of the Title IV programs and would include satisfactory policies,
safeguards, monitoring and management practices related to information security
• FERPA (Family Educational Rights and Privacy Act)
• Generally prohibits institutions from having policies or practices that permit the
disclosure of education records or PII contained therein without the written consent
of the student, unless an exception applies. Any data breach resulting from a failure
of an institution to maintain appropriate and reasonable information security policies
and safeguards could also constitute a FERPA violation
• Contractual Agreements per 34 CFR §668.25
• The institution remains liable for any action by its third party servicers
Moral Obligation to Protect
• Online Predators
• Identity Theft
• Social Media
Passwords are Insecure
• 99.9% of all user-generated passwords are insecure
• Word-number-punctuation is the most commonly cracked ‘complex’ password pattern
• Solutions are based on two-factor authentication
• The myth of privacy and security
Password cracking by security experts:
• Six characters: 12 seconds
• Seven characters: 5 minutes
• Eight characters: 4 hours
Password Trivia: Joshua; I solemnly swear I am up to no good; Akagi; Setec Astronomy; God, Sex, Love, and Secret; xyzzy; Shibboleth
https://www.privacyrights.org/data-breach/new
Reduce Data Exposure
• Enforce a clean desk policy
• Conduct PII “amnesty” days (shred paper PII/eliminate PII from local and shared drives)
• Protect data at the endpoints
o USB drives, paper, laptops, smartphones, printers
Tips to Safeguard PII
• Minimize PII
o Collect only PII that you are authorized to collect, and at the minimum level necessary
o Limit the number of copies containing PII to the minimum needed
• Secure PII
o Store PII in an appropriate access-controlled environment
o Use fictional personal data for presentations or training
o Review documents for PII prior to posting
o Safeguard PII in any format
o Disclose PII only to those authorized
• Safeguard the transfer of PII
o Do not e-mail PII unless it is encrypted or in a password-protected attachment
o Alert FAX recipients of an incoming transmission
o Use services that provide tracking and confirmation of delivery when mailing
• Dispose of PII Properly
o Delete/dispose of PII at the end of its retention period or transfer it to the custody of an archives, as specified by its applicable records retention schedule
Typical Breach Response
• Employee received PII for someone else
• Debated what to do; shared it with friends and a coworker for advice
• 2-3 days later, sent it to a supervisor
• Supervisor did not see the e-mail for a few days, then sent it to a friend in the FSA technology office
• Friend decided to investigate and called the person whose PII it was
• That person called FSA management, who called the CIO
Correct Breach Process
• Call your supervisor, the Help Desk, and Security and tell them exactly
what is happening immediately
• Don’t delete any files or turn off your system unless Security tells you to
• If you need advice or help, call your Federal Student Aid ISSO or the FSA
Security Operations Center or the FSA CISO
In closing…
• Only collect and use information that is absolutely necessary, and only share with
those who absolutely need the information
• “Review and reduce”—inventory your PII and PII data flows, and look for ways to
reduce PII
• Follow FSA and best-practice policies and procedures
• Think before you hit the “send” button (E-mail is by far the #1 source of breaches)
• “Scramble, don’t gamble”- encrypt, encrypt, encrypt
• Minimize (or eliminate) the use of portable storage devices
• Protect PII on paper—enforce a clean desk policy, use secure shredding bins,
locked cabinets, etc.
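The “review and reduce” inventory above, and the PII “amnesty day” sweep of local and shared drives on the Reduce Data Exposure slide, both need a way to find PII that people have forgotten about. The following Python scanner is an added example, not part of the original deck and not FSA tooling: it flags SSN-like and payment-card-like numbers, applies the SSA area/group/serial rules and the Luhn check to discard look-alikes, and reports only redacted values so the scan output itself does not become a new copy of the PII. The file names and records in SAMPLE_FILES are constructed sample data.

```python
import re
from dataclasses import dataclass

# SSN: three-two-four digits with hyphens. SSA rules: area is not 000 or 666 and is
# below 900, group is not 00, serial is not 0000. Anything else merely looks like an SSN.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Payment card: 13-16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; removes most random 16-digit ticket/ID numbers from the results."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    kind: str
    redacted: str  # the report never carries the full value


def scan_text(source: str, text: str) -> list:
    """Scan one file's text; return a Finding per plausible SSN or card number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_is_plausible(*m.groups()):
                findings.append(Finding(source, line_no, "SSN", "***-**-" + m.group(3)))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append(Finding(source, line_no, "CARD", masked))
    return findings


def scan_files(files: dict) -> list:
    """files maps a path (hypothetical) to its text; returns findings across all of them."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


# Constructed sample "drive contents": hypothetical paths and records, not real data.
# Line 2 has an invalid area number and line 4 fails Luhn, so neither is reported.
SAMPLE_FILES = {
    "shared/aid_roster.txt": (
        "Jane Roe, SSN 219-09-9999, Pell eligible\n"
        "Test account 000-12-3456 (placeholder)\n"
        "Refund card 4111 1111 1111 1111 exp 09/17\n"
        "Ticket 1234-5678-9012-3456 opened\n"
    ),
    "local/notes.txt": "Call student at 202-555-0123 re FAFSA\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.source}:{f.line_no}: {f.kind} {f.redacted}")
```

Run against a real share, the loop over SAMPLE_FILES would be replaced by walking the directory tree and reading each file; the hit list then drives the shred-or-move decision for the amnesty day, while the redacted output can be kept as the inventory record.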
Resources
https://www.privacyrights.org/
http://www.verizonenterprise.com/DBIR/2015/
http://www.ponemon.org
Resources
• Cyber Resiliency Reviews
• https://www.us-cert.gov/ccubedvp/self-service-crr
• Critical Infrastructure Cyber Community Voluntary Program
• https://www.us-cert.gov/ccubedvp
• Cybersecurity Information Sharing and Collaboration Program
• https://www.us-cert.gov/sites/default/files/c3vp/CISCP_20140523.pdf
• Enhanced Cybersecurity Services
• http://www.dhs.gov/enhanced-cybersecurity-services
• Information Sharing and Analysis Organization Rollout
• http://www.dhs.gov/isao
• National Initiative for Cybersecurity Careers and Studies
• http://niccs.us-cert.gov
• GEN-15-18: Protecting Student Information
• http://www.ifap.ed.gov/dpcletters/attachments/GEN1518.pdf
• National Vulnerability Database
• https://nvd.nist.gov