Data Security Threats for School Districts. WASBO March 24, 2016

Data Security Threats for School Districts WASBO March 24, 2016

Data Security
- Everyone is at risk
- Threat environment
- Attack vectors
- Protecting credentials
- Overall data security best practices

Data Security Risks
- Variety of data security threats:
  - Physical: lost laptops and mobile devices
  - Administrative: rogue employees, careless staff
  - Technical: viruses, phishing, malware
- Breaches are a matter of time: not if, but when
- Breach targets are not just big companies: in 2015 the public sector had the most security incidents

What is Protected Data? Personally Identifiable Information ("PII")
- RCW 19.255.010: data breach notification statute
- PII = person's first name / initial + last name, in combination with any of:
  - SSN
  - Driver's license number / WA ID card number
  - Credit card number with PIN, access code, password, etc.
- HB 1078, signed by the Governor on April 23, 2015:
  - Encryption of data removed as a blanket safe harbor, but if the data was encrypted and the keys were not taken during the breach event, there is no obligation to notify
  - Notice is not required if the breach of the security of the system "is not reasonably likely to subject consumers to a risk of harm"
- RCW 42.56.590: breach notice requirement defined for state agencies

What is Protected Data? Protected Health Information ("PHI")
- HIPAA: Health Insurance Portability and Accountability Act of 1996
- PHI is defined as individual identifiers (name, address, DOB, SSN) from which there is a reasonable basis to believe a specific individual can be identified, plus:
  - The individual's past, present or future physical or mental health or condition
  - Provision of health care to the individual
  - Past, present or future payment for health care for the individual
- Covers Health Care Providers and Business Associates

Data Security Costs
Data breach / loss costs:
- Forensic
  - Identifying the scope of the loss
  - Tracking down and closing the point of attack
  - Repairing systems
- Notification
  - Regulatory agencies
  - Individual data subjects
- Credit monitoring / repair services
- Crisis management / PR
- Damaged reputation
- Regulatory notification and defense
- Legal

Data Security Risks: Who is Doing This?
- Outside actors: roughly 80% of all attacks
  - Organized crime: financial info, credit cards
  - State-sponsored: trade secrets, credentials
  - Activists: personal info, organizational data
- Internal threats
  - Disgruntled employees
  - Employee negligence
    - Lost laptops
    - Shared credentials
  - Business partners

Data Security Risks: How Do They Get In?
- External attacks
  - Stolen credentials
    - Weak link: poor password quality
  - Phishing
    - The inevitability of the click, and launching malware
- Internal breaches
  - Credential sharing

Stolen Credentials: Password Quality
- Most commonly used passwords: 123456, password, 12345678, qwerty, 12345, 123456789, football, 1234
- User frustration: "I have too many passwords to remember!"
- Re-use across multiple platforms

Improving Password Quality: What can we do?
- Require some combination of letters, numbers and symbols
- Require changing passwords periodically
- Ensure that passwords aren't written down where anyone can find them

Improving Password Quality: Tips for an unusual but memorable password
- Take a line from a movie and use the first letter of each word:
  - "Gentlemen, you can't fight in here, this is the War Room!" = GycfihtitWR!
  - "Shall we play a game?" = Swpag?
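The two password slides above (the first-letter-of-each-word recipe and the "letters, numbers and symbols" rule) as working code. This is an added example, not part of the WASBO slides; the common-password set is the list from the slide, and the "at least two character classes" threshold is an assumption, since the slides do not give one.

```python
import re
import string

# The most commonly used passwords, as listed on the slide.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty",
    "12345", "123456789", "football", "1234",
}


def mnemonic_password(phrase: str) -> str:
    """First letter of each word, keeping case and the last word's punctuation
    (the slide's recipe, which turns the War Room line into "GycfihtitWR!")."""
    words = phrase.split()
    letters = []
    for word in words:
        core = word.lstrip(string.punctuation)  # skip an opening quote etc.
        if core:
            letters.append(core[0])
    trailing = re.search(r"[^\w]+$", words[-1]) if words else None
    return "".join(letters) + (trailing.group(0) if trailing else "")


def password_issues(password: str) -> list[str]:
    """Return the slide's password-quality problems found in `password`:
    a commonly used password, or no mix of letters, numbers and symbols
    (read here as fewer than two of the three classes; that threshold is
    an assumption, the slides do not give one)."""
    issues = []
    if password.lower() in COMMON_PASSWORDS:
        issues.append("commonly used password")
    classes = [
        any(c.isalpha() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 2:
        issues.append("uses only one of letters, numbers and symbols")
    return issues


if __name__ == "__main__":
    for phrase in ("Gentlemen, you can't fight in here, this is the War Room!",
                   "Shall we play a game?"):
        pw = mnemonic_password(phrase)
        print(f"{phrase!r} -> {pw} {password_issues(pw) or 'OK'}")
    for weak in ("123456", "football"):
        print(f"{weak}: {password_issues(weak)}")
```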

Improving Password Quality: Other Suggestions
- Song titles / lyrics
- Famous speeches: "I have a dream", "Only thing we have to fear", "To be or not to be"
- Stay away from:
  - Children's or spouse's names
  - Widely known hobbies or interests
  - District / school specific sayings or slogans

Phishing & Malware
- Email spoofs a legitimate company
- Spear phishing: the email is specifically geared towards the recipient
- The inevitability of a click:
  - 23% of recipients open phishing messages
  - 11% click on attachments
  - A campaign of just 10 emails has a > 90% chance that one person will ultimately click on the link
- Phishing has evolved: it now often involves installation of malware as a second stage
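Where the "> 90%" figure comes from, worked here as an added illustration that is not part of the slides, assuming each of the $n$ recipients independently falls for the message with the reported open rate $p = 0.23$:

$$P(\text{at least one of } n) = 1 - (1 - p)^n = 1 - 0.77^{10} \approx 0.927$$

The same complement rule applied to the 11% attachment click rate gives $1 - 0.89^{10} \approx 0.69$, so a ten-message campaign clears 90% on the open rate; with a larger recipient list both figures approach certainty.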

Phishing & Malware: The issue directly impacts the educational sector
- Verizon 2015 Data Breach Investigations Report
  - Looked at thousands of malware events
  - Data from FireEye, Palo Alto Networks, Lastline, Fortinet
- Average malware events per week:
  - Financial Services: 350
  - Insurance: 575
  - Retail: 801
  - Utilities: 772
  - Education: 2,332

Phishing & Malware: Educating users and staff is critical
- Knowing what to look for:
  - Urgency of the email communication
  - Request to revise personal / login information
  - Threat of potential adverse consequences if the information is not revised or updated immediately
- Actions:
  - Delete the email
  - Open a new browser window and check with the actual holder of the account referenced
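The warning signs on this slide (urgency, a request to revise login information, a threat of consequences) plus the "spoofs a legitimate company" point from the earlier slide, turned into a small triage rule set run over two constructed messages. This is an added example, not from the WASBO presentation; the sample messages, the district domain `school.example` and the keyword lists are all constructed for the illustration.

```python
import re
from email.utils import parseaddr

# Constructed sample messages (not from the slides): (From header, subject, body).
SAMPLE_MESSAGES = [
    ("District Payroll <payroll@district-payroll-update.example>",
     "URGENT: verify your login within 24 hours",
     "Your account will be suspended unless you update your password "
     "immediately using the link below."),
    ("Library <library@school.example>",
     "Book fair volunteers",
     "Thanks to everyone who helped with the book fair last week."),
]

# One pattern per warning sign named on the slide (keyword lists are assumptions).
URGENCY = re.compile(r"\b(urgent|immediately|right away|within \d+ hours)\b", re.I)
LOGIN_REQUEST = re.compile(
    r"\b(verify|update|confirm|revise)\b.{0,40}\b(password|login|account)\b", re.I)
THREAT = re.compile(r"\b(suspend\w*|disabl\w*|lock\w*|clos\w*|terminat\w*)\b", re.I)


def phishing_indicators(sender, subject, body, trusted_domain):
    """Return the slide's warning signs present in one message: urgency, a
    request to revise login information, a threat of adverse consequences,
    and a From address outside the district's own domain (the usual tell
    when a message spoofs a legitimate organisation)."""
    text = f"{subject}\n{body}"
    found = []
    if URGENCY.search(text):
        found.append("urgency")
    if LOGIN_REQUEST.search(text):
        found.append("request to revise login information")
    if THREAT.search(text):
        found.append("threat of adverse consequences")
    _, addr = parseaddr(sender)
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain != trusted_domain.lower():
        found.append(f"sender domain {domain} is not {trusted_domain}")
    return found


def triage(messages=SAMPLE_MESSAGES, trusted_domain="school.example"):
    """Map each subject to its indicators. Two or more means: delete the
    email and check with the real account holder in a fresh browser window."""
    return {subject: phishing_indicators(sender, subject, body, trusted_domain)
            for sender, subject, body in messages}
```

Running `triage()` flags the payroll message on all four indicators and the library message on none.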

Credential Sharing
- A not uncommon practice
- Risks of misuse are extremely high
- Potential harms include:
  - Unauthorized access to PII or PHI
  - Need for notification
  - Time-consuming investigation and removal of computer systems
  - Reputational harm and loss of parent confidence

Overall Data Security Best Practices: Center for Internet Security Critical Security Controls for Effective Cyber Defense
- Inventory of authorized devices and software
- Secure configurations for local, networked and mobile devices
- Continuous vulnerability assessment and remediation
- Controlled use of administrative privileges
- Maintenance, monitoring and analysis of audit logs
- E-mail and web browser protections
- Malware defenses
- Limitation and control of network ports, protocols and services
- Data recovery capability
- Secure configurations for network devices
- Boundary defense: physical safeguards of the network
- Data protection
- Controlled access on a need-to-know basis
- Wireless access control
- Account monitoring and control
- Security skills assessment and training
- Application software security
- Incident response and management
- Penetration tests and red team exercises

Implementing Data Security Best Practices
- Perform an initial gap assessment: what steps have already been implemented, and what elements are missing?
- Develop an implementation roadmap: what controls need to be implemented, and who will have implementation responsibility?
- Implement the first phase of controls: which existing tools can be utilized or repurposed, and what needs to be added?
- Integrate controls into operations: how can new methods be incorporated into existing operations?
- Report and manage progress: at each phase of implementation, ascertain effectiveness

Cyber Insurance Coverage Issues: Insurance Law Update, April 24, 2015

Questions & Discussion