Security & Data Breach Prevention

Transcription

1 Security & Data Breach Prevention A Case Study ChoicePoint Inc (2005) Presenters: David T. Lee Robinson School of Business, Georgia State University Steve Travis - IBM 1

2 There are two types of Risk: - The risk you can afford not to take - The risk you cannot afford not to take Wisdom is knowing the Difference -Robert Holden British psychologist, author 2

3 Reminder of Risk Legal Risk (Criminal, Civil) Financial Risk (Revenues and Costs) Regulatory Risk Reputational Risk ChoicePoint suffered them all!! 3

4 Discussion Agenda ChoicePoint Overview Setting the Stage Defining the Risk The Incident (Fraudulent Data Breach) The Fall-Out The Remediation 4

5 The Headlines ChoicePoint toughens data security, CNN Report: Company will now electronically mask sensitive personal info in aftermath of data breach. ChoicePoint Settles with FTC, Wall Street Journal January 27, 2006, 8:31 AM ChoicePoint Settles Data Security, New York Times By REUTERS Published: June 1, 2007 SEC probing ChoicePoint stock sales, MSNBC Execs sold shares before ID thefts made public 5

6 The Headlines ChoicePoint Security Breach May Affect More Than 140,000 by JACKIE NORTHAM, NPR FTC looks for more victims of ChoicePoint breach JUNE 19, 2007, INFOWORLD FTC Launches Program for ChoicePoint Breach Victims, CIO Magazine The Five Most Shocking Things About the ChoicePoint Data Security Breach May 2005, Data Protection Magazine 6

7 7572/ns/business-us_business/t/secprobing-choicepointstocksales/#.T1zjwDF8DHE watch?v=vrlo8wtz-1y 7

8 Company Overview Publicly Traded (NYSE), sold to Reed Elsevier for $4.0b plus assumption of debt 1997 Spin-out of Equifax Information Services Industry $1.0B in Annual Revenues 3000 Employees - US, Europe CEO, President, CAO, CFO - Profiles 8

9 Setting the Stage Products Reports containing data from Client Files, Pubic Record Sources and 3 rd Parties (i.e. Credit Bureaus) Customers Insurance, Banking, Government, Collections, Private Investigators, Mortgage Cos Data Privacy - FCRA, GLB, DPPA, provider restrictions, Societal Standards Challenge: - Client acceptance (including brokers) - Client access (who could see what) 9

10 Existing Policies Client Acceptance Procedures defined by the Legal Department and Administered by BU Accounting Departments (credentialing dept, defined procedures) Customer Access policies were defined by Product Managers and approved by Legal Department (product audits) Strong Legal and Internal Audit Department, with good working relationship with the business units. 10

11 Defining the Risk How to verify applicant credentials is the represented client legit (St. Farm vs. Dave s Mortgage Co.?) is the applicant associated with the represented client? How to determine if customer use of the data is permissible under FCRA (Credit, Insurance, HR, Debts) How to determine if customer use of the data is for legitimate purposes Rogue users/password theft (Miami/Dade Police) 11

12 So, What Happened in 2005? Nigerian Fraud Ring used legit California business credentials to pass credentialing, gain access as Non- FCRA customer Over several months, ordered 163k reports Was opening and closing accounts customer service noticed suspicious activity Sting was set up, 41-year-old Nigerian citizen, Olatunji Oluwatosin, arrested with five cell phones and three credit cards that belonged to other people. Was later sentenced by the Los Angeles County Superior Court to 16 months in prison 12

13 The Fall-Out California Law called for Notification on Consumers - Media firestorm began (Feb 2005) Poster-Child for Security Breaches Customer demands for explanations were overwhelming Investigations by SEC, FTC, most state s attorneys general Congressional Hearings 3 rd Party data providers implemented contract audits 13

14 The Fall Out Cont. ChoicePoint paid a $15m dollar fine/redress to FTC Signed a Consent Decree with FTC (agreeing to a number of conditions) Signed Consent Decree s with over 40 States Lost over $50m in revenue over next two years SEC investigation revealed nothing 14

15 Immediate Reaction Developed Customer Notification Mgt. Plan Developed Affected Consumer Plan Turned off access to over 20k small business accounts in affected business unit. Evaluated existing credentialing procedures, made improvements, and began re-credentialing 135k customers. Any suspicious account was site visited. Confidential 15

16 Remediation Hired Chief Privacy Officer, reporting to Board, to oversee remediation efforts and address the public Set up a Board Committee on Privacy Centralized all Credentialing, rebuilt processes and automated the entire process (where IBM was helpful) Bolstered Intrusion detection processes Implemented transaction monitoring, with IP blocking 16

17 Remediation Developed a full Security Information Framework using GLB, ISO Standards (i.e. internal access, mobile risks, internet monitoring, physical security, executive security/disaster planning, segmentation of duties/communications, etc.) Proactive User/Password recycling and auto-canceling Bolstered protections in customer contracts, created zones of accountability (i.e. notification rules) Implemented Corporate-wide security training 17 program

18 Considerations moving forward Selling Data is not like selling dresses know your risks and the consequences of the risks Continual evaluation of risks vs. costs of risk avoidance or risk reduction methods Strong working relationships with your business unit partners professional disagreement encouraged Standardization and automation are keys to understanding what happens in your business each day S#!t happens be ready to deal with it!! 18

19 IBM s Involvement Workflow Automation Tools Expertise in the Tools was critical to quickly implementing a new solution 19

20 Customer Credential Verification System Framework Application Studio Visibility Community Management Business Process Management Integration and Transformation Communications and Security 20

21 Customer Credentialing - Solution Footprint State-of-the-art architecture providing allowing a mix of automated and manual steps to verify the quality of new potential customers Data Sources for Validation) Phone Number Core Credentialing Application Suite Services > BPM-centric > Open Standards Support APPROVED Location Communications REJECTED Manual Verification/Phone Business License Owner/Sharholder Info Address IP Origination Faxes Process Flowl Modeler Credential Verification Engine Vendor Credential DB Additional Review FRAUD Suspects Applications On-site Verification Insurance Cetification) Tax ID /W-9 Exception Handling Web Screens for Manual Entry Clue CPS-ONE TWIST. Legal Name/ DBAt 21

22 Security Services Architecture Consistent policy enforcement from perimeter to back-end Provable regulatory compliance Protection of sensitive information Strong authentication of parties to transactions Perimeter Security Identity Management Secure Content Staging Encryption Transport Security Policy Enforcement Access Control Key\Certificate Management Secure Perimeter Services 22

23 Process Automation & Extensibility Business Process Models Graphical configuration of processes and services Version management AFTRouteFTPPUT.bp 23

24 Credentialing User Dashboard Each executive has customiized view into business unit credentialing status. Real-time visibility into transactions Visibility into all incoming and outgoing transactions 24

25 Visibility Drill-down to Detail Resolve Errors Detail to resolve the problem 25

26 best practices security model Business drivers measure value, risk, & economic costs that influence the approach to Security. IT drivers represent technical considerations that affect the trustworthiness of the IT environment. The IBM Security Framework Model comprehensively supports Business and IT drivers for file transfer security and performance. Business Business drivers IT drivers IT drivers IBM drivers IBM Security Security influencing influencing security influencing security influencing security Framework security Framework Model Model Correct & reliable operation Correct & reliable operation Service-level agreements Service-level agreements IT asset value(data) IT asset value(data) Protection of asset value or Protection of asset value or brand image brand image Legal & regulatory Legal & regulatory compliance compliance Contractual obligations Contractual obligations Financial loss and liability Financial loss and liability Critical infrastructure Critical infrastructure Internal and external threats Internal and external threats and threat agents and threat agents IT service management IT service management commitments commitments IT environment complexity IT environment complexity Business environment Business environment complexity complexity Audit and traceability Audit and traceability IT vulnerabilities: IT vulnerabilities: configuration, flaws, exploits configuration, flaws, exploits Security Governance, Risk Security Governance, Risk Management, and Management, and Compliance Compliance People and Identity People and Identity Data and Information Data and Information Application and Process Application and Process Network, Server and Network, Server and Endpoint Endpoint Physical Infrastructure Physical Infrastructure IBM has published a Redbook, Introducing the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security, available for download at: IBM Confidential - Internal Use Only

27 Thank you 27