Data Security Threats for School Districts
WASBO
March 24, 2016

Data Security (agenda)
- Everyone is at Risk
- Threat Environment
- Attack Vectors
- Protecting Credentials
- Overall Data Security Best Practices
Data Security Risks
- Variety of data security threats:
  - Physical: lost laptops and mobile devices
  - Administrative: rogue employees, careless staff
  - Technical: viruses, phishing, malware
- Breaches are a matter of time: not if, but when
- Breach targets are not just big companies; in 2015 the public sector had the most security incidents
What is Protected Data? Personally Identifiable Information (PII)
- RCW 19.255.010: data breach notification statute
- PII = person's first name (or initial) + last name, in combination with any of:
  - SSN
  - Driver's license number / WA ID card number
  - Credit card number with PIN, access code, password, etc.
- HB 1078, signed by the Governor on April 23, 2015:
  - Encryption of data removed as a blanket safe harbor; but if the data was encrypted and the keys were not taken during the breach event, there is no obligation to notify
  - Notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of harm
- RCW 42.56.590: breach notice requirement defined for state agencies

What is Protected Data? Protected Health Information (PHI)
- HIPAA: Health Insurance Portability and Accountability Act of 1996
- PHI is defined as individual identifiers (name, address, DOB, SSN) from which there is a reasonable basis to believe a specific individual can be identified, plus any of:
  - The individual's past, present or future physical or mental health or condition
  - Provision of health care to the individual
  - Past, present or future payment for health care for the individual
- Covers health care providers and business associates
Data Security Costs
Data breach / loss costs:
- Forensic
  - Identifying the scope of the loss
  - Tracking down and closing the point of attack
  - Repairing systems
- Notification
  - Regulatory agencies
  - Individual data subjects
  - Credit monitoring / repair services
- Crisis management / PR
- Damaged reputation
- Regulatory notification and defense
- Legal

Data Security Risks: Who is Doing This?
- Outside actors: roughly 80% of all attacks
  - Organized crime: financial info, credit cards
  - State-sponsored: trade secrets, credentials
  - Activists: personal info, organizational data
- Internal threats
  - Disgruntled employees
  - Employee negligence: lost laptops, shared credentials
  - Business partners

Data Security Risks: How Do They Get In?
- External attacks
  - Stolen credentials; the weak link is poor password quality
  - Phishing: the inevitability of the click, and launching malware
- Internal breaches
  - Credential sharing
Stolen Credentials: Password Quality
- Most commonly used passwords: 123456, password, 12345678, qwerty, 12345, 123456789, football, 1234
- User frustration: "I have too many passwords to remember!"
- Re-use across multiple platforms

Improving Password Quality: What can we do?
- Require some combination of letters, numbers and symbols
- Require changing passwords periodically
- Ensure that passwords aren't written down where anyone can find them

Improving Password Quality: Tips for an unusual but memorable password
- Take a line from a movie and use the first letter of each word:
  "Gentlemen, you can't fight in here, this is the War Room!" = GycfihtitWR!
  "Shall we play a game?" = Swpag?

Improving Password Quality: Other Suggestions
- Song titles / lyrics
- Famous speeches: "I have a dream", "Only thing we have to fear", "To be or not to be"
- Stay away from:
  - Children's or spouse's names
  - Widely known hobbies or interests
  - District / school specific sayings or slogans
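The two slides above describe a mnemonic technique and a set of policy rules without showing how a district's IT staff would check a candidate password against them. The following Python is an added example written for this page, not code from the presentation: it derives the first-letter mnemonic the deck illustrates and then screens a password against the deck's rules. The blocklist is the deck's own list of common passwords; the minimum length of 8, the "at least two of the three character classes" reading of "some combination of letters, numbers and symbols", and the `avoid` list of school-specific terms are assumptions made for the example.

```python
import re
import string

# Blocklist built from the deck's "most commonly used passwords" slide.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "football", "1234",
}

# One pattern per character class: letters, digits, symbols.
CHARACTER_CLASSES = (r"[A-Za-z]", r"\d", r"[^A-Za-z0-9\s]")


def mnemonic_password(phrase: str) -> str:
    """Build a password from the first letter of each word in a phrase.

    This is the deck's movie-line trick: keep the first alphabetic character
    of every word and carry over the phrase's closing punctuation mark.
    """
    initials = []
    for word in phrase.split():
        for ch in word:
            if ch.isalpha():
                initials.append(ch)
                break
    stripped = phrase.rstrip()
    trailing = stripped[-1] if stripped and stripped[-1] in string.punctuation else ""
    return "".join(initials) + trailing


def check_password(password: str, min_length: int = 8, avoid: tuple = ()) -> list:
    """Return a list of policy violations; an empty list means the password passes.

    min_length and the two-of-three class rule are assumptions for this example;
    `avoid` holds district-specific words (mascots, slogans, family names) that
    the deck says to stay away from.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the commonly used password list")
    classes = sum(bool(re.search(p, password)) for p in CHARACTER_CLASSES)
    if classes < 2:
        problems.append("uses only one of letters, digits and symbols")
    lowered = password.lower()
    for term in avoid:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains well-known term {term!r}")
    return problems


if __name__ == "__main__":
    for phrase in ("Gentlemen, you can't fight in here, this is the War Room!",
                   "Shall we play a game?"):
        candidate = mnemonic_password(phrase)
        print(f"{phrase!r} -> {candidate!r}: {check_password(candidate) or 'OK'}")
    # Constructed example of a district-specific term slipping into a password.
    print(check_password("GoLincolnLions2016!", avoid=("Lincoln",)))
```

Running it shows the caveat a practitioner would want: the short phrase "Shall we play a game?" yields a six-character password that fails the length rule, so the mnemonic is a memorability aid, not a substitute for length, and the `avoid` list catches passwords built from exactly the school-specific sayings the deck warns against.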
Phishing & Malware
- Email spoofs a legitimate company
- Spear phishing: the email is specifically geared towards the recipient
- The inevitability of a click:
  - 23% of recipients open phishing messages
  - 11% click on attachments
  - A campaign of just 10 emails has a > 90% chance that one person will ultimately click on the link
- Phishing has evolved: it now often involves installation of malware as a second stage

Phishing & Malware: Issue directly impacts the educational sector
- Verizon 2015 Data Breach Investigations Report
- Looked at thousands of malware events; data from FireEye, Palo Alto Networks, Lastline, Fortinet
- Average malware events per week, by industry:
    Financial Services     350
    Insurance              575
    Retail                 801
    Utilities              772
    Education            2,332

Phishing & Malware: Educating users and staff is critical
- Knowing what to look for:
  - Urgency of the email communication
  - Request to revise personal / login information
  - Threat of potential adverse consequences if the information is not revised or updated immediately
- Actions:
  - Delete the email
  - Open a new browser window and check with the actual holder of the account referenced
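The three "what to look for" indicators on the slide above can be turned into a simple triage check that staff or a help desk can run over a reported message. The Python below is an added example for this page, not the presenter's material or any vendor's product: it scores a message on the deck's three cues (urgency, a request to revise personal or login information, and a threat of consequences) and flags it when at least two are present. The keyword patterns, the threshold of two, and the sample emails are all constructed for the example.

```python
import re

# Patterns for the deck's three indicators (constructed keyword lists for this example).
URGENCY = re.compile(
    r"\b(immediately|within 24 hours|urgent|action required|right away|today|as soon as possible)\b",
    re.IGNORECASE,
)
CREDENTIAL_REQUEST = re.compile(
    r"\b(verify|update|confirm|revise|re-?enter)\b[^.\n]{0,40}?"
    r"\b(password|login|account|credentials|personal information)\b",
    re.IGNORECASE,
)
THREAT = re.compile(
    r"\b(suspend(ed)?|lock(ed)?|terminat(e|ed)|clos(e|ed)|disabl(e|ed)|lose access|deactivat\w+)\b",
    re.IGNORECASE,
)

# Constructed sample messages, written for this example.
PHISHING_EMAIL = {
    "subject": "Action required: your district email account",
    "body": ("Our records show your mailbox is over quota. Please verify your "
             "login information within 24 hours or your account will be suspended."),
}
ROUTINE_EMAIL = {
    "subject": "Board meeting agenda for March 24",
    "body": ("Attached is the agenda for Thursday's meeting. Let me know if you "
             "have questions about the budget items."),
}
IT_NOTICE = {
    "subject": "Password expiry",
    "body": "Please update your password today using the staff portal.",
}


def phishing_indicators(subject: str, body: str) -> list:
    """Return which of the deck's three cues appear in the message, in a fixed order."""
    text = f"{subject}\n{body}"
    found = []
    if URGENCY.search(text):
        found.append("urgency")
    if CREDENTIAL_REQUEST.search(text):
        found.append("credential request")
    if THREAT.search(text):
        found.append("threat of consequences")
    return found


def is_suspicious(subject: str, body: str, threshold: int = 2) -> bool:
    """Flag a message when at least `threshold` cues are present (threshold is an assumption)."""
    return len(phishing_indicators(subject, body)) >= threshold


if __name__ == "__main__":
    for name, msg in (("phishing", PHISHING_EMAIL), ("routine", ROUTINE_EMAIL), ("it notice", IT_NOTICE)):
        cues = phishing_indicators(msg["subject"], msg["body"])
        print(f"{name:10s} suspicious={is_suspicious(msg['subject'], msg['body'])} cues={cues}")
```

The third sample is a legitimate-looking IT notice that still trips two cues, which is the point of the deck's second action: a keyword check can only raise suspicion, so the reader should open a new browser window and confirm with the real account holder rather than act on the message itself.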
Credential Sharing
- A not uncommon practice
- Risks of misuse are extremely high
- Potential harms include:
  - Unauthorized access to PII or PHI
  - Need for notification
  - Time-consuming investigation and removal of computer systems
  - Reputational harm and loss of parent confidence

Overall Data Security Best Practices
Center for Internet Security: Critical Security Controls for Effective Cyber Defense
- Inventory of authorized devices and software
- Secure configurations for local, networked and mobile devices
- Continuous vulnerability assessment and remediation
- Controlled use of administrative privileges
- Maintenance, monitoring and analysis of audit logs
- E-mail and web browser protections
- Malware defenses
- Limitation and control of network ports, protocols and services
- Data recovery capability

Overall Data Security Best Practices (continued)
Center for Internet Security: Critical Security Controls for Effective Cyber Defense
- Secure configurations for network devices
- Boundary defense: physical safeguards of the network
- Data protection
- Controlled access on a need-to-know basis
- Wireless access control
- Account monitoring and control
- Security skills assessment and training
- Application software security
- Incident response and management
- Penetration tests and red team exercises

Implementing Data Security Best Practices
- Perform an initial gap assessment: what steps have already been implemented, and what elements are missing?
- Develop an implementation roadmap: what controls need to be implemented, and who will have implementation responsibility?
- Implement the first phase of controls: which existing tools can be utilized or repurposed, and what needs to be added?
- Integrate controls into operations: how can new methods be incorporated into existing operations?
- Report and manage progress: at each phase of implementation, ascertain effectiveness
Cyber Insurance Coverage Issues
Insurance Law Update, April 24, 2015

Questions & Discussion