Presentation for: The New England Board of Higher Education
Hot Topics in IT Security and Data Privacy
October 22, 2010
Rocco Grillo, CISSP, Managing Director, Protiviti Inc.

Quote of the Day
"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

Today's Agenda
- Higher Education Risks
- Recent Protiviti Investigations
- Risk Impact
- Risk Trends
- What is the Response: Institution Response, New Legislation
- What You Should Do
Ripped from the headlines
Recent Breach Disclosure
Reported breach: professional hacking for profit. UBN sold e-mail lists and user-ID/password pairs for at least $100,000; backdoors and admin passwords were sold to the highest bidder. The FBI is trying to shut down this ring.

What happened: the hacker used a SQL injection on the Canadian web server to reach a SQL command prompt, guessed a password with admin access, added a local admin user, downloaded the password hashes and cracked them, then downloaded the database and uploaded backdoors.

Hacker attack step / Control which broke down:
1. SQL injection / Application input validation; vulnerability detection and correction; penetration testing
2. Command prompt / SQL user least privilege; logging and monitoring
3. Guess admin user-ID / Password was equal to the user-ID; privileged user logging and monitoring
4. Add local admin user / Privileged user activity logs
5. Crack passwords for two domain accounts / Needed a strong password hash, not the LanMan password hashing algorithm
6. Upload backdoors / No anti-virus on servers
7. Download data / Data leakage detection; database logs
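Steps 1 and 3 of the case above come down to two code-level failures: user input spliced into a SQL statement, and a privileged account whose password equals its user-ID. The block below is an added illustration, not code from the breached system or from Protiviti: it builds a constructed in-memory users table, shows the vulnerable login query beside the parameterized one with the same injected input, and adds the audit query a reviewer would run to find "password = user-ID" accounts. The account names, passwords and the (deliberately simple, unsalted) hash are assumptions for the example.

```python
"""SQL injection in a login query beside the parameterized fix, plus an audit
for the 'password equals user-ID' weakness. Added example; the table, accounts
and passwords are constructed for illustration."""
import hashlib
import sqlite3


def pw_hash(password: str) -> str:
    # Unsalted SHA-256 keeps the example short; a production system needs a
    # slow, salted password hash (bcrypt/scrypt/argon2), not LanMan or this.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """In-memory users table with constructed accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, is_admin INTEGER)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", pw_hash("admin"), 1),       # password equals user-ID (weak)
         ("jdoe", pw_hash("s3cret!Jd"), 0)],
    )
    return con


def login_vulnerable(con, username, password):
    """The pattern behind SQL injection: attacker-controlled text becomes SQL."""
    sql = ("SELECT username, is_admin FROM users "
           "WHERE username = '%s' AND pw_hash = '%s'" % (username, pw_hash(password)))
    return con.execute(sql).fetchone()


def login_safe(con, username, password):
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT username, is_admin FROM users WHERE username = ? AND pw_hash = ?"
    return con.execute(sql, (username, pw_hash(password))).fetchone()


def accounts_with_password_equal_to_userid(con):
    """Audit: list accounts whose stored hash is the hash of their own user-ID."""
    return [u for (u, h) in con.execute("SELECT username, pw_hash FROM users")
            if h == pw_hash(u)]


if __name__ == "__main__":
    con = build_db()
    # 'admin' OR '1'='1 turns the WHERE clause into
    #   username = 'admin' OR ('1'='1' AND pw_hash = '...'), which matches admin.
    payload = "admin' OR '1'='1"
    print("vulnerable login:", login_vulnerable(con, payload, "wrong"))
    print("safe login:      ", login_safe(con, payload, "wrong"))
    print("weak accounts:   ", accounts_with_password_equal_to_userid(con))
```

The same payload logs in as the administrator through the concatenated query and is rejected by the parameterized one; the audit function is the check that would have flagged the guessed account before the attacker did.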
Recent Experience
Reported breach: attackers appear to have focused on a client's external hiring application (maintained by a third party) and escalated their privileges to administrator using functionality of the externally facing application.

What happened: the hacker accessed the web system as a normal user, forcefully browsed to the administrative pages, and, as admin, added or modified application administrator accounts, ran reports displaying passwords and PII, and downloaded the reports.

Hacker attack step / Control which broke down:
1. Forcefully browse administrative pages without credentials / Access controls were not enforced on the administrative pages; IIS logs were not configured to detect forceful browsing attempts
2. Create or modify accounts / System was not configured to log account creation or modification events
3. Harvest accounts / Passwords were not hashed within the database and were displayed to the attacker in clear text
4. Run reports containing PII / PII such as SSNs was not masked from the administrator
5. Download data / Data leakage detection; database logs
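Two of the controls listed above (server-side authorization on admin pages, and log monitoring that notices forced browsing) are concrete enough to show in code. The block below is an added example, not the client's application or Protiviti's tooling: it parses a constructed IIS W3C log excerpt, flags every request to an admin URL that came from a non-administrator, and shows the per-request authorization check that was missing. The /admin/ URL layout, the user names, the IP addresses and the ADMIN_USERS set are assumptions for the example.

```python
"""Detect forced browsing of administrative pages from IIS W3C log lines, and
show the server-side authorization check the application lacked. Added
example; the log excerpt, paths, users and addresses are constructed."""

ADMIN_PREFIXES = ("/admin/",)   # assumed URL layout of the administrative area
ADMIN_USERS = {"appadmin"}      # assumed set of legitimate administrators

# Constructed IIS log excerpt (W3C extended format, reduced field set).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2010-10-01 14:02:11 GET /jobs/apply.aspx jsmith 203.0.113.7 200
2010-10-01 14:02:40 GET /admin/users.aspx jsmith 203.0.113.7 200
2010-10-01 14:02:45 POST /admin/users.aspx jsmith 203.0.113.7 200
2010-10-01 14:03:10 GET /admin/reports/pii.aspx jsmith 203.0.113.7 200
2010-10-01 14:05:00 GET /admin/users.aspx appadmin 198.51.100.2 200
2010-10-01 14:06:00 GET /admin/users.aspx - 192.0.2.9 401
"""


def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))


def is_admin_path(path):
    return path.lower().startswith(ADMIN_PREFIXES)


def authorize(username, path):
    """Per-request server-side check: an admin URL requires an admin identity,
    regardless of how the user navigated there. Hiding the link is not a control."""
    return not is_admin_path(path) or username in ADMIN_USERS


def detect_forced_browsing(text):
    """Return (user, client_ip, path, status, outcome) for every request to an
    admin page by a non-admin. A 2xx/3xx status means the page was served."""
    alerts = []
    for r in parse_w3c(text):
        path = r["cs-uri-stem"]
        if not is_admin_path(path) or r["cs-username"] in ADMIN_USERS:
            continue
        status = int(r["sc-status"])
        outcome = "SERVED" if status < 400 else "denied"
        alerts.append((r["cs-username"], r["c-ip"], path, status, outcome))
    return alerts


if __name__ == "__main__":
    for alert in detect_forced_browsing(SAMPLE_LOG):
        print(alert)
```

One caveat when running this against real IIS logs: cs-username is only populated for requests authenticated by IIS itself (Windows or Basic authentication); an application using forms authentication logs "-" for every user, so the rule has to be fed from the application's own session log or from a custom field instead.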
What are the risks?
The risks are more than just the immediate monetary impact:
- Litigation
- Reputation loss
- Loss of system availability
- Lost productivity
- Loss of intellectual property
- Regulatory fines
Is education in trouble?
[Chart: Verizon Data Breach Report 2010]

Threats
Summary of threat agents (Verizon Data Breach Report 2010):
- Lost laptop (35%)
- System failure (33%)
- Other data-bearing device (14%)
- Paper spill (7%)
- Lost media backup (5%)
- Cybercrime or hack (5%)
- Social engineering (2%)
Chart source: Ponemon 2010 Annual Study: Cost of a Data Breach
The Risk Continues to Grow
More than 500 million personally identifiable customer records have been breached in the US over the past five years. Most of these breaches occurred at companies that are household names. As a result, boards and top executives are demanding reports from their IT and security staff on the effectiveness of security controls within their organizations. (Source: PrivacyRights.org)

"Throughout hundreds of investigations over the last four years, one theme emerges as perhaps the most consistent and widespread trend of our entire caseload. Nine out of 10 data breaches involved one of the following:
- A system unknown to the organization (or business group affected)
- A system storing data that the organization did not know existed on that system
- A system that had unknown network connections or accessibility
- A system that had unknown accounts or privileges
We refer to these recurring situations as 'unknown unknowns' and they appear to be the Achilles heel in the data protection efforts of every organization regardless of industry, size, location, or overall security posture." (Verizon 2010 Data Breach Investigations Report)
Who is to Blame?
Headline: "Theft Of Gap Laptop Puts 800,000 Job Applicants At Risk" (Source: InformationWeek, October 2007)
What really happened: the laptop was stolen from one of the retailer's third-party vendors that manages information on job applicants.
[Chart: Ponemon 2009 Annual Study: Cost of a Data Breach]

Human Factor

Mitigation Trends
After a data breach, organizations rely on a combination of people-centric and technology-centric steps. (Source: Ponemon 2009 Annual Study: Cost of a Data Breach)
The Global Privacy Landscape
- US Federal: HIPAA 1996, COPPA 1998, Patriot Act 2001, CIPA 2001, GLBA 1999
- California: SB1, SB1386
- Canada: PIPEDA
- European Union: EU Data Protection Directive and Member States' Data Protection Laws, Safe Harbor Principles
- UK: Data Protection Act
- Japan: Guidelines for the Protection of Computer Processed Personal Data
- Hong Kong: Personal Data Privacy Ordinance
- Brazil: Article 5 of the 1988 Constitution
- Argentina: Personal Data Protection Law, Confidentiality of Information Law
- South Africa: Electronic Communications and Transactions Act
- Australia: Federal Privacy Amendment Bill
A look closer at home
46 states have enacted breach disclosure laws that require notice to customers, employees, and other affected individuals. Each state law specifies:
- Notification guidelines
- Penalties for failure to disclose
- Private right of action
- Exemptions
[Map: states that have / have not established disclosure laws]
Organizations may not be required to notify individuals when:
- The breached data is protected by at least 128-bit encryption
- The breached data elements are not considered protected
- The breach was stopped before information was wrongfully acquired
- Other special circumstances (such as national security or law enforcement investigations) exist
Next Steps
Most breaches occur because of missing or deficient controls. For example:
- Encryption of laptops reduces risk significantly
- Vendor defaults and weak passwords for privileged accounts need to be corrected
- SQL injection can be detected through vulnerability and penetration testing
- System patching and configuration management can resolve 90% of vulnerabilities
Focus on the fundamentals of information security:
- Data leakage prevention
- Vulnerability management
- Detective controls: log monitoring and IDS
- Vendor assessments (more than 30% of data loss involved vendors)
- Defense in depth (layered controls)
- Logging is required because it is critical when investigating an incident
Contact Information
Rocco Grillo, CISSP
Managing Director, Protiviti Inc.
Rocco.Grillo@protiviti.com
212.603.8381