Breaches: Planning + Recovery = Resiliency (264078789)

8/9/2019 Breaches: Planning + Recovery = Resiliency (264078789)

http://slidepdf.com/reader/full/breaches-planning-recovery-resiliency-264078789 1/48

1

2015 Security Professionals Conference

BREACHES:PLANNING + RECOVERY

=RESILIENCY

!"#$ &'"&()"*+,-"( ./01*$'2 340/* 5 6($7/*8$'2 ") 9,:,$;$

<"#$=>,:,$$?/#1 5 @ABAC DEFGHIBB




2


Session Outline

• J*/7/(-"( K J*/L,*,-"(

– M>*/,' N,(#80,L/

– 6(#/*8',(#$(O 2"1* *$8P8

– 6($7/*8$'2 ") 9,:,$$ Q0,8/ 8'1#2R

• S,0PO*"1(#

•

S*/,0>/8

•

TU,88 V0-"( N,:81$'

•

&(8-'1-"(,U W/8L"(8/ @.28'/+XT,+L18C


Agenda - continued

• JU,(($(O –

&#/(-)2 Y/2 JU,2/*8 K Z/0$8$"( [,P/*8

–

6(#/*8',(#$(O '>/ QJU,$(-\R

– &()"*+,-"( ./01*$'2 J*"O*,+

– &(0$#/(' W/8L"(8/ JU,(

–

S*/,0> W/8L"(8/ K ]"-^0,-"( JU,(

–

T"++1($0,-"(8 JU,( –

T"('*,0'8X&(81*,(0/_



3


Current Trends


“2015 is predicted to be as

bad or worse as more

sensitive and confidential

information and transactions

are moved to the digital

space and becomevulnerable to attack.”



4





5



Verizon’s DBIR Indicators

of Compromise (IoC)

• J>$8>$(O

• `1U(/*,a$U$-/8

• ["a$U/

• [,U:,*/



6



THE RISK FACTOR



7


Assets & Vulnerabilities

• b>,' ,*/ 2"1* $(8-'1-"(c8

,88/'8_

• 9": #" 2"1 QL*$"*$-d/R '>"8/

,88/'8_

• b>,' ,*/ '>/ '>*/,'8 '" '>"8/

,88/'8_


UNIVERSITY OF HAWAII: “CASE STUDY”



8


University of Hawaii System

•

eB 0,+L18/8

• 3(/ W/8/,*0>

6($7/*8$'2

– [f(", @g,O8>$L 0,+L18C

– HBhBBB 8'1#/('8

• M:" S,00,U,1*/,'/

6($7/*8$-/8

– 69 b/8' 3,>1i HFBB

– 69 9$U"i IBBB

•

./7/( T"++1($'2

T"UU/O/8

– 9,:,$;$ TTi jHBB

– 9"("U1U1 TTi IHBB

– Y,L$;"U,($ TTi ABBB

–

Y,1,$ TTi eEBB

–

N//:,*# TTi kkBB

–

[,1$ T"UU/O/i jABB

–

b$(#:,*# TTi HkBB


Information Technology Services

• .28'/+ 340/

• W/L"*' '" '>/ `$0/ J*/8$#/(' ") &()"*+,-"(

M/0>("U"O2 K T>$/) &()"*+,-"( 340/*

• eFBl )1UU -+/ 8',\

• eHB 8'1#/(' /+LU"2//8

•

I O*"1L8i – M/0>("U"O2 &()*,8'*10'1*/

– V0,#/+$0 M/0>("U"O$/8

–

[,(,O/+/(' &()"*+,-"( .28'/+8

– V#+$($8'*,-7/ m*"1L

•

&.3 #$*/0' */L"*' '" `J &M K T&3



9


ITS Responsibilities

• .28'/+G:$#/ $()"*+,-"( 828'/+8 K

8/*7$0/8 – .'1#/(' $()"*+,-"( 828'/+

–

J/*8"((/U 828'/+

–

n$(,(0$,U 828'/+

– Z,', :,*/>"18/ X "L/*,-"(,U #,', 8'"*/

– N/,*($(O +,(,O/+/(' 828'/+

–

o+,$Uh :/ah !"#$%&' )*$*+#)#$& ,',&#)h

0"('*,0' 8/*7$0/8h >/UL #/8Ph #/8P'"L 81LL"*'h

L>"(/ 828'/+h 8$'/ U$0/(8$(O• ]/':"*P &()*,8'*10'1*/

• &()"*+,-"( ./01*$'2


Characteristics & Complexities• o,0> 0,+L18X#/L,*'+/('X1($' $8 Q1($p1/R

• 9$O>U2 #/0/('*,U$d/# – T,+L18/8X#/L,*'+/('8 8/' 1L '>/$* ":( 8/*7/*8 ,(#

8/*7$0/8

– T,( */p1/8' 18/ ") $(8-'1-"(,U #,',

• ]" #$*/0' ,1'>"*$'2 "7/* 0,+L18/8

•

-.& "/ )*$*+# 0 )*!$&*!$ &1# ,',&#)23!"# ,#45!6#, *$" $#&3/47 !$84*,&4.6&.4#



10


The Big Stick!


HAWAI !I STATE LAWS



11


Hawai !i Revised Statutes 487-N

•

Z/^($-"( ") J/*8"(,U &()"*+,-"(i

&(#$7$#1,Uc8 ^*8' (,+/ "* ^*8' $($-,U ,(# U,8'

(,+/ $( 0"+a$(,-"( :$'> ,(2 "(/ "* +"*/

") '>/ )"UU":$(O #,', /U/+/('8h :>/( /$'>/*

'>/ (,+/ "* '>/ #,', /U/+/('8 ,*/ ("'

/(0*2L'/#i –

."0$,U ./01*$'2 ]1+a/*q

–

Z*$7/*c8 U$0/(8/ (1+a/* "* 9,:,$;$ &#/(-^0,-"( ]1+a/*q

–

V00"1(' (1+a/*h 0*/#$' "* #/a$' 0,*# (1+a/*h ,00/880"#/h "* L,88:"*# '>,' :"1U# L/*+$' ,00/88 '" ,($(#$7$#1,Uc8 ̂ (,(0$,U ,00"1('q


HRS Definition of “Breach”Q./01*$'2 a*/,0>R +/,(8 ,( $(0$#/(' ") 1(,1'>"*$d/#

,00/88 '" ,(# ,0p1$8$-"( ") 1(/(0*2L'/# "*

1(*/#,0'/# */0"*#8 "* #,', 0"(',$($(O L/*8"(,U

$()"*+,-"( :>/*/ $UU/O,U 18/ ") '>/ L/*8"(,U

$()"*+,-"( >,8 "001**/#h "* $8 */,8"(,aU2 U$P/U2 '"

"001* ,(# '>,' 0*/,'/8 , *$8P ") >,*+ '" , L/*8"(?

V(2 $(0$#/(' ") 1(,1'>"*$d/# ,00/88 '" ,(#

,0p1$8$-"( ") /(0*2L'/# */0"*#8 "* #,', 0"(',$($(O

L/*8"(,U $()"*+,-"( ,U"(O :$'> '>/ 0"(^#/(-,U

L*"0/88 "* P/2 0"(8-'1'/8 , 8/01*$'2 a*/,0>?



12


HRS Reporting Requirements

• J*"7$#/ ("-0/ '" ,\/0'/# $(#$7$#1,U8 – Z/80*$L-"( ") $(0$#/('

–

M2L/ ") L/*8"(,U $()"*+,-"( $(7"U7/#

–

W/+/#$,-"( ,(# L*/7/(-7/ ,0-"(8 ',P/(

–

T"(',0' L>"(/ (1+a/* )"* ,##$-"(,U $()"*+,-"(

–

V#7$0/ '" ,\/0'/# $(#$7$#1,U

• b*$r/( */L"*' '" 8','/ U/O$8U,'1*/ :$'>$(

':/('2 #,28 ,s/* #$80"7/*2 ") 8/01*$'2a*/,0>


Other Hawai !i State Reporting

Requirements

• [,(#,'"*2 W/L"*-(O ") VUU &()"*+,-"(

.28'/+8 :$'> ./(8$-7/ &()"*+,-"(

• W/L"*' ,UU 828'/+8 0"(',$($(O 8/(8$-7/

$()"*+,-"( ,(# 1L#,'/ '>/ $()"*+,-"( ,'

U/,8' ,((1,UU2



13


UH Information Security Policy

• .28'/+G:$#/ /t/01-7/ L"U$02

•

oH?HeIi ./01*$'2 K J*"'/0-"( ") ./(8$-7/

&()"*+,-"(

• J*"+1UO,'/# $( HBBk

• Z/^($-"( K /t,+LU/8 ") 8/(8$-7/ $()"*+,-"(

•

Z,', 0,'/O"*$d,-"(i L1aU$0h */8'*$0'/#h 8/(8$-7/

K */O1U,'/# @*/0/('U2 /tL,(#/#C

•

W"U/8 K W/8L"(8$a$U$-/8•

n*,+/:"*P )"* 18/ K L*"'/0-"( ") 8/(8$-7/

$()"*+,-"(


Also in UH Policy…• T>,(0/UU"*8 ,(# `$0/ J*/8$#/('8 ,*/

*/8L"(8$aU/ )"* /U$+$(,-(O ,UU

1((/0/88,*2 8'"*,O/ ") L/*8"(,U

$()"*+,-"(

• VU8" */8L"(8$aU/ )"* $+LU/+/(-(O

,LL*"L*$,'/ 8/01*$'2 +/,81*/8 )"*

828'/+8 1(#/* '>/$* L1*7$/: '>,' +18'*/',$( 8/(8$-7/ $()"*+,-"( )"* /88/(-,U

6($7/*8$'2 "L/*,-"(8



14


THE BREACHES


Breaches 1-3:

• S*/,0> uei VL*$U HBBD Y,L$;"U,($ TT v

eEhBBB ,\/0'/#

• S*/,0> uHi [,*0> HBeB 9"("U1U1 TT v jE

,\/0'/#

• S*/,0> uji !1U2 HBeB [f(", v EjhBBB

,\/0'/#



15


#3: Real Costs & Time Spent

• M"',U ") jI L/"LU/ – Z$*/0'"*8h V88"0? Z$*h m/(/*,U T"1(8/Uh 91+,( W/8"1*0/8h

[/#$, W/U,-"(8h ,#+$($8'*,-7/ ,(# '/0>($0,U 8',\

• M"',U ") eDIA >"1*8


July 2010: Executive Directive•

69 J*/8$#/(' $881/# ,( ot/01-7/ Z$*/0-7/ '"

69 ./($"* N/,#/*8>$L @`J8 K T>,(0/UU"*8C

•

j*# P(":( a*/,0> 8$(0/ /(,0'+/(' ") $#/(-'2

'>/s U,:

• Z$*/0'/# /7/*2 /t/01-7/ '" +,P/ $' , L*$"*$'2 '"

L*"'/0' 8/(8$-7/ $()"*+,-"( a/0,18/ ") '>/

>$O>U2 #/0/('*,U$d/# "*O,($d,-"(

•

[18' #/8$O(,'/ , 8$(OU/ $(#$7$#1,U '" "7/*8//1($'c8 $()"*+,-"( L*"'/0-"( ,(# 0"+LU$,(0/

L*"O*,+



16


Executive Directive – cont.

• Z$*/0'/# '>/ #/8$O(,'/# 0,+L18

/t/01-7/ '" /(81*/ )1UU 0"+LU$,(0/

'"i

– W/L"*' J& 828'/+8 @L/* 8','/ U,:C

–

J1*O/ 1((/0/88,*2 ..]8q /(81*/ 0*/#$' 0,*#

L*"0/88$(O $( 0"+LU$,(0/ :$'> 69 L"U$02

–

W/7$/: ,(# 8'*/(O'>/( $('/*(,U 0"('*"U8,*"1(# >,(#U$(O ") 8/(8$-7/ $()"*+,-"(


Breach #4: October 2010

UH West Oahu – 40,000 affected

• 6($7/*8$'2 ("-^/# a2 V,*"( M$'18h J*$7,02

Z$*/0'"* ") '>/ N$a/*'2 T",U$-"(h , ("(G

L*"^' O*"1L a,8/# $( b,8>$(O'"( Z?T?

•

n$U/8 :/*/ #$80"7/*/# 18$(O , m""OU/ 8$'/

8/,*0>

•

n$U/8 :/*/ 1LU",#/# '" , 69b3 ),01U'2

:/a 8/*7/* $( Z/0/+a/* HBBD a2 , ),01U'2+/+a/* :>" a/U$/7/# '>/ 8/*7/* :,8

8/01*/#



17


Google Search Results


http://www.staradvertiser.com/news/breaking/108760734.html



18


http://www.staradvertiser.com/news/20101118_Data_breaches_earn_UH_an_F.html




19


“The purpose of this Act is to strengthen the safeguards for

security breaches of personal information held by government

agencies.”




20


Class Action Lawsuit

Complaint“Seeks an injunction: (a) forbidding UH from violatingthe constitutional rights of its students, faculty and

guests, as protected by the right to privacy of the

United States and Hawaii Constitutions by the

unauthorized released of private information,

including but not limited to SSN and (b) mandatingthat the University of Hawaii take appropriate

measures to ensure the protection of private

information within its possession.”


Class Action Lawsuit – cont.

“Seeks monetary damages to compensate classmembers for expenses including but not limited to

enrollment in credit reporting monitoring

program(s), time spent in monitoring credit reports,

credit card and bank statements, and identity theft

insurance.”



21


Lawsuit Progression &

Timeline•

!1(/ HBeei o()"*0/ U$-O,-"( >"U# "( ,UU

$(7"U7/# /+,$U8 @$( L*"0/88i +$O*,-"( '"

m""OU/C

•

!1(/ HBeei 69 Û/# +"-"( '" #$8+$88

•

!1U2 HBeei 9$# )/4# :4#*61 v '>/s ")

L,L/* #"01+/('8 0"(',$($(O 0*/#$' 0,*#

(1+a/*8 v HEBB ,\/0'/#

•

!1U2XV1O HBeei T"+L$U$(O U$8' ") VNN

,\/0'/# $(#$7$#1,U8 @/8'? "7/* ABB >"1*8

v j ://P8h Al L/"LU/C


Compiling List of Affected

Individuals• .',*'/# :$'> DkhBBBl $(#$7$#1,U */0"*#8

• `/*2 L*"aU/+,-0 v #$# ("' >,7/ /("1O>

$()"*+,-"( '" 1($p1/U2 $#/(-)2 $(#$7$#1,U8

• o,*U2 a*/,0>/8 G L1*O/# 8/(8$-7/ #,', /U/+/('8

• 9,# '" ,r/+L' '" */0*/,'/ #,', )*"+ +1U-LU/

#,', 8"1*0/8

• W/p1$*/# +,(1,U 7$81,U $(8L/0-"( ") w/,0>w

*/0"*# '" 0"**/0' $()"*+,-"( ,(# */+"7/#1LU$0,'/8

• o(#/# 1L :$'> DBhBBBl /U$O$aU/ )"* 0*/#$'

+"($'"*$(O



22


Timeline – cont.

• !,(? HBeHi b"*P$(O "( '/(',-7/ 8/rU/+/('

•

!,(? HBeHi ["-"( )"* J*/U$+$(,*2 VLL*"7,U

") ./rU/+/('

• n/a? eh HBeHi T"1*' >/,*$(O "( ["-"( )"*

J*/U$+$(,*2 VLL*"7,U

•

n/a? eEh HBeHi T*/#$' +"($'"*$(O 8/*7$0/

a/O$(8 +,$U$(O "1' ("-0/8 '" 8$O( 1L )"*

8/*7$0/8q 8/*7$0/8 :"1U# a/O$( VnMoW ^(,U0"1*' ,LL*"7,U


FINALLY SETTLED!•

[,*0> eh HBeHi J1aU$0 ("-^0,-"(i <"$(' L*/88

*/U/,8/h /+,$U aU,8' '" ,UU 69 ),01U'2X8',\X

8'1#/('8h VU1+($ V88"0$,-"(h L"8'8 "(

0,+L18 :/a 8$'/8h (/:8L,L/*8

•

!"# %&' %(&%) *+,"- .//012"- 30",456 7,1

"//5"-8 0595+256:

• H 2/,*8 ") 0"(-(1"18 0*/#$' +"($'"*$(O K &Z

M>/s T"(81U',-"( ,(# W/8'"*,-"( @Y*"UUC•

VLL*"t$+,'/ '"',U 0"8'i xFBBY



23


Lawsuit Lessons Learned

• V881+/ '>,' 0*/#$' +"($'"*$(O :$UU a/

*/p1$*/#

• o(81*/ */0"*#8 0,( a/ 0*"88G:,UP/#

a,0P '" , 1($p1/ $(#$7$#1,U

• n"* 0*/#$' +"($'"*$(O */O$8'*,-"(

L*"0/88h >,7/ ,( Q/t0/L-"(R

L*"0/#1*/ $( LU,0/ @L*"0/88 '" */8"U7/

'>"8/ '>,' '>$(P '>/2 ,*/ /U$O$aU/ K

#/+,(# '" a/ */O$8'/*/#C


Summary Stats from Kroll• V0-7/ [/+a/*8i DeheDH

• &($-,U [/+a/* J,0P/'8i DehHkI

• W/'1*(/# [,$Ui eFheeE

• ["($'"*$(Oi ekhHDA @yeDzC

• T"(81U',-"( T,UU8i jIE

• T*/#$' W/L"*'8i j

• n*,1# T,8/8i F

• &Z .0,(i B



24


Plaintiff’s Motivation?

;<=>?==<@A)

;1' "/ <#/<=# <.4,.# * =*3,.!&>


Evaluation of Cause of

Breaches

• o,0> a*/,0> "001**/# +, 2+1-"B1, 1C ?D

/1-+9#

• T"+L1'/*X8/*7/* 3. "* ,LLU$0,-"(8 ("'

+,$(',$(/#XL,'0>/#

• ./(8$-7/ #,', ("' >,(#U/# $(

,00"*#,(0/ :$'> 69 L"U$02

•

]" #,', */'/(-"( 80>/#1U/• Q.0"L/G0*//LR )"* 18,O/ ") #,',q #,',

P/L' )"* QL"88$aU/R */G18/ U,'/*



25


Information Security

Landscape in 2010•

J*/U$+$(,*2 ,(,U28/8 ") $(0$#/('8i –

b/,P #/8P'"L 0"+L1'/* 8/01*$'2 L*,0-0/8

– &(8/01*/ "L/*,-"(,U L*,0-0/8

– &()"*+,-"( */',$(/# U"(O/* '>,( (//#/#

– T,(("' $#/(-)2 :>" >,8 ,00/88 "* L"88/88$"( ") 69 8/(8$-7/

$()"*+,-"( @$(0U1#$(O '*,0P$(O &WS */p1/8'8C

– ./*7/*8i [$818/# "* ("' +,(,O/# ,LL*"L*$,'/U2

– 69 L"U$02 ("' )"UU":/# "* /t$8'/(0/ 1(P(":(

•

o(# ") HBeBi */',$(/# /t'/*(,U 0"(81U',(' '"

L/*)"*+ ,( $()"*+,-"( 8/01*$'2 L"8'1*/

,88/88+/('


Need to Address• 3U#h 1(18/#h 1((//#/# */L"8$'"*$/8 ")

8/(8$-7/ $()"*+,-"(

• 6(+,(,O/#h 1(+,$(',$(/# 8/*7/*8

• J/*+$88$"( '" 18/ $(8-'1-"(,U 8/(8$-7/

$()"*+,-"( @":(/*8>$L ,(# ,1'>"*$'2C

• N,0P ") ,:,*/(/88 ") L"U$0$/8



26


Already In Place:

• J>,8/# "1' 18/ ") ..]8 ,8 L*$+,*2

$#/(-^/*8

• &#/(-^/# 0,+L18 U/,#/*8>$L )"*

L*"'/0-"( ") 8/(8$-7/ $()"*+,-"(

• &#/(-^/# '/0>($0,U U/,#8 )"*

L*"'/0-"( ") 8/(8$-7/ $()"*+,-"(

•

&(8-'1'/# +,(#,'"*2 */L"*-(O ")*/L"8$'"*$/8 ") 8/(8$-7/ $()"*+,-"(


Ongoing Efforts• V0p1$8$-"( ") &#/(-'2 n$(#/* )"*

80,(($(O )"* 8/(8$-7/ $()"*+,-"(

• .',*'/# Z,', m"7/*(,(0/ $($-,-7/

• &( 0"(',0' :$'> Q)1(0-"(,UR O*"1L8

@J3h n3h V3h +,(,O/*$,UX/t/01-7/

'/,+8h 0,+L18 O*"1L8h #/7/U"L/*8

O*"1L8h /'0?C



27


Consultant: Scope of WorkQM>/ 6($7/*8$'2 ") 9,:,$$ @69C $8 0"++$r/# '"

$+LU/+/(-(O , 828'/+:$#/ $()"*+,-"( 8/01*$'2

L*"O*,+ '" */LU,0/ '>/ 01**/(' #/0/('*,U$d/#

,LL*",0>? M>$8 L*"O*,+ +18' U/7/*,O/ a/8' L*,0-0/8

'" +,t$+$d/ $()"*+,-"( 8/01*$'2 :>$U/ 0"(-(1$(O '"

81LL"*' '>/ L*$(0$LU/8 ") ,0,#/+$0 )*//#"+ ,(#

"L/((/88 0/('*,U '" , 1($7/*8$'2{8 01U'1*/ ,(# +$88$"(?

69 a/U$/7/8 $' /88/(-,U '" a/O$( :$'> ,( $+L,*-,U

/tL/*' ,88/88+/(' '" #/7/U"L , LU,( )"* , >"U$8-0

828'/+:$#/ ,LL*",0>? M>$8 ,88/88+/(' :$UU ,88/88

01**/(' L"U$0$/8h 01**/(' L*,0-0/8 ,(# 01**/(' 0,+L18,:,*/(/88 ,8 '>/ a,8$8 ") */0"++/(#,-"(8 )"*

$+L*"7/+/('8 $( 8/01*$'2 L"U$0$/8h L*,0-0/8 ,(#

/#10,-"(?R


Services Provided:•

W/7$/: /t$8-(O $('/*(,U ,(# /t'/*(,U

#"01+/(',-"( $(0U1#$(O */L"*'8h L"U$0$/8 ,(#

U/O$8U,-"(

• &('/*7$/: P/2 8',P/>"U#/*8

• &#/(-)2 '>/ +,<"* &M 8/01*$'2 $881/8 ),0/# a2

69 ,(# a/8' L*,0-0/8 )"* 8"U1-"(8

•

J*$"*$-d/ 8"U1-"(8 )"* $++/#$,'/ ,0-"(

•

J*"7$#/ */0"++/(#,-"(8 )"* >": 69 8>"1U#$+LU/+/(' , 0"+L*/>/(8$7/ 828'/+:$#/

,LL*",0> '" $()"*+,-"( 8/01*$'2



28


Summary of Findings:

• V 8$O($^0,(' 1(#/*G$(7/8'+/(' $(

$()"*+,-"( 8/01*$'2 */8"1*0/8

• M*2$(O '" "L/*,-"(,UU2 +,(,O/

$()"*+,-"( 8/01*$'2 ,8 , )1UU2 #/G

0/('*,U$d/# ,0-7$'2


Overarching Recommendation

QZ/7/U"L , L*"L/*U2 )1(#/#h

8'*,'/O$0,UU2 "*$/('/#h 1($7/*8$'2G

:$#/ $()"*+,-"( 8/01*$'2 L*"O*,+

'>,' $8 0/('*,UU2 +,(,O/# ,(#

"L/*,'/8 $( 0"UU,a"*,-"( :$'> '>/

+,(2 #/G0/('*,U$d/# 1($'8'>*"1O>"1' '>/ 1($7/*8$'2?R



29


UH Information Security

Program•

M""P :>,' :/ ,*/ ,U*/,#2 #"$(O

•

V##/# 0"(81U',('c8 8L/0$^0 */0"++/(#,-"(8

•

Z/7/U"L 8'*,'/O$0 ,*/,8i – Z,', m"7/*(,(0/ ,(# 37/*8$O>'

–

&()"*+,-"( ./01*$'2 V1#$'8 K W$8P V88/88+/('8

– &()"*+,-"( ./01*$'2 J"U$0$/8 K J*"0/#1*/8

– &#/(-'2 [,(,O/+/(' K V00/88 T"('*"U8

– &()"*+,-"( ./01*$'2 M*,$($(O ,(# V:,*/(/88

•

>rLiXX:::?>,:,$$?/#1X$()"8/0X

$()"8/0L*"O*,+?>'+U


Resulting Projects•

Z,', m"7/*(,(0/ 8'*10'1*/ K Z,', .>,*$(O

*/p1/8' L*"0/#1*/8

– >rLiXX:::?>,:,$$?/#1X,L$8X/LX/HX/HHeE?L#)

•

./*7/* */O$8'*,-"( K 80,(($(O @*,(#"+

,1#$'8C

– >rLiXX:::?>,:,$$?/#1X$'8X8/*7/*X*/O$8'*,-"(X

•

]/':"*P 80,(8 )"* 8/*7/*8 @+,L ,O,$(8'

*/O$8'/*/# 8/*7/*8C•

W/7$/: ") L"U$0$/8

– >rLiXX:::?>,:,$$?/#1X$()"8/0XL"U$0$/8?>'+U



30


Projects - continued

• V1'"+,'/# #/L*"7$8$"($(O 7$, $#/(-'2

+,(,O/+/('

• o7,U1,-"( K $+LU/+/(',-"( ")

,##$-"(,U (/':"*P 8/01*$'2

'/0>("U"O$/8

• T"+LU$,(0/ K W$8P V88/88+/('8 )"*

Q>$O> *$8PR ,*/,


Awareness & Training•

[,(#,'"*2 $()"*+,-"( 8/01*$'2

,:,*/(/88 '*,$($(O )"* 69 /+LU"2//8

:$'> ,00/88 '" 8/(8$-7/ $()"*+,-"( @a2

)1(0-"(C

• T"(7/(/ Q"1'*/,0> O*"1L8Ri ,LLU$0,-"(h

:/ah #,',a,8/ #/7/U"L/*8 '" $()"*+ '>/+

") (/: L"U$0$/8XL*"0/#1*/8 ,(# 8"U$0$'

)//#a,0P "( 1L0"+$(O L*"</0'8•

J*"7$#/ 8L/0$^0 '*,$($(O )"* ',*O/'/#

O*"1L8





32


Technical Security Oversight

• 69 &M ./01*$'2 N/,#8 – Z/8$O(,'/# a2 '>/ 0,+L18 Z,', ./01*$'2 N/,#/*

–

N/,# '/0>($0,U 8',\ "( , 0,+L18

–

ot0/L-"(i [f(", T,+L18 G S&m K

#/0/('*,U$d/#

–

[f(", Z/,(8 K Z$*/0'"*8 #/8$O(,'/# "(/ "*

+"*/ '/0>($0,U 8',\ )*"+ /,0> ") '>/$* 1($'8

–

W/8L"(8$aU/ )"* $+LU/+/(-(O '/0>($0,U 8/01*$'2

L*"0/#1*/8 K ,#7$8$(O '>/$* Z,', ./01*$'2N/,#/*8

–

[//' HGj -+/8 , 2/,*q 8"+/-+/8 :$'> Z.NT


Server Registration• W/O$8'*,-"(X7,U$#,-"( */p1$*/#

,((1,UU2 – J*$+,*$U2 #,',a,8/h :/ah Û/ 8/*7/*8

– Z"/8 8/*7/* 0"(',$( 8/(8$-7/ $()"*+,-"(_

–

.0,( )"* ..]8 K 0*/#$' 0,*# (1+a/*8 :$'> &#/(-'2

n$(#/*

– .0,( )"* 71U(/*,a$U$-/8 :$'> 3L/(`V.

–

W/+/#$,-"( 8','18 */p1$*/# –

J*"7$#/ #/L,*'+/(' K '/0>($0,U 0"(',0'

$()"*+,-"(

–

T,+L18 U/,#/*8>$L +18' Q,LL*"7/R



33


Information Security

Compliance Assessments• &('/*(,U V1#$' ',P$(O U/,#

• m/(/*,U J*"0/88i

–

T"(',0' '>/ */8L/0-7/ 6($' '" #$80188 80"L/

,(# -+$(O?

– T"+LU/-"( ") !"#$%&$"$'& )* +&$,#-.&

/$*)01"-)$ +20.&3 ?

–

T"(#10' +//-(O ,(# 8$'/ 7$8$' :$'> 6($'? –

&()"*+ '>/ 6($' ") "a8/*7,-"(8 X

*/0"++/(#,-"(8


Assessments Status•

b"*P J/*)"*+/# #1*$(O !,(1,*2 v [,*0> HBej

• ./U/0'/# Z/L,*'+/('8X.0>""U8

–

n$(,(0$,U V$# ./*7$0/8 @VUU T,+L18/8C

– T"++1($'2 T"UU/O/8 v ]"(GT*/#$' J*"O*,+8

– !">( V? S1*(8 .0>""U ") [/#$0$(/

• .1*7/28 0"+LU/'/# ,(# 8$'/ 7$8$'8 )"* 3|,>1

1($'8 0"+LU/'/#?

•

[/+" 0"(',$($(O "a8/*7,-"(8 :,8 0$*01U,'/#'" ,UU 1($'8

•

W/L"*' 81a+$r/# '" '>/ S",*# ") W/O/('8



34


Assessment Observations

•

]" O1$#,(0/ "( :>/(X>": '" #"

a,0PO*"1(# 0>/0P8

•

W/0"*# */'/(-"( ") 8/(8$-7/ $()"*+,-"(

$(0"(8$8'/(' ,+"(O */8L"(#/('8

•

6($'8 8-UU 18$(O 8'*$LG01' 8>*/##/*8 "* ("'

8>*/##$(O ,' ,UU

•

]"' ,U:,28 8/01*$(O L>28$0,U L,L/* Û/8

0"(',$($(O 8/(8$-7/ $()"*+,-"(• ]"' ,U:,28 /(0*2L-(O /U/0'*"($0

'*,(8+$88$"( ") 8/(8$-7/ $()"*+,-"(


Internal Audit Next

Assessment•

9&JVV Z/'/*+$(,-"( .1*7/2 – n1*($8>h a$UU "* */0/$7/ L,2+/(' )"* Q>/,U'> 0,*/R_

– M*,(8+$' ,(2 0"7/*/# '*,(8,0-"(8 /U/0'*"($0,UU2_

– 9,7/ ,( ,O*//+/(' :X , 0"7/*/# /(-'2 "* a18$(/88

,88"0$,'/_

–

J/*)"*+/# , *$8P K 71U(/*,a$U$'2 ,88/88+/(' ") /U/0'*"($0

0"7/*/# '*,(8,0-"(8_

• 3) kE 1($'8 81*7/2/#h eI ,*/ L"'/(-,UU2

81a</0' '" 9&JVV•

n"UU":G1L ,88/88+/(' :$UU a/ 0"(#10'/#

•

W/L"*' 81a+$r/# '" S",*# ") W/O/('8



35


CURRENT “BREACH”TRENDS


LAWSUITS APLENTY…



36


Target Class Action Lawsuit

http://bit.ly/QWhOvm


And…

• >rLiXX:::?80+,O,d$(/?0"+X0U,88G

,0-"(G81$'G,$+/#G,'G+000#G)"*G#/U,2/#G

("-^0,-"(G$(Ga*/,0>X,*-0U/XjIjEFD



37


Cyber Insurance/Breach

Response & Remediation?• Z$\/*/(' (,+/8h '2L/8h '/*+8 K /t0U18$"(8

• S12/* a/:,*/}

• ]" 8',(#,*#8i – j*# L,*'2 U$,a$U$'2

– e8' L,*'2 U"88/8

– &(0$#/(' */8L"(8/X+,(,O/+/('X)"*/(8$08

– ]"-^0,-"(X0,UU 0/('/*

–

T*/#$' +"($'"*$(O –

TU,$+8 /tL/(8/8

• Y(": :>,' 2"1 :,(' ,(# (/O"-,'/}


“Organizations without a

robust information security

program, environment or

infrastructure, will pay more

for insurance.”



38


Example Offerings

• ED<= <= A@E .A FA;@G=F!FAE

• ?9; $8 '>/ -+/ '" #" 2"1* */8/,*0>

• b>/( , a*/,0> "001*8h $'c8 M33 NVMo}

– Y*"UU

– S/,dU/2 S*/,0> W/8L"(8/


Kroll.com• >rLiXXP*"UU?0"+X02a/*G8/01*$'2X#,',G

a*/,0>G*/8L"(8/



39





40


Beazley Breach Response

• >rLiXX:::?a/,dU/2?0"+Xaa*

• >rL8iXX:::?a/,dU/2?0"+XZ"01+/('8X

M[SXSSWX

S/,dU/2~SSW~S*"0>1*/~6.?L#) –

W/8L"(8/ '" a*/,0> /7/('8 @("-^0,-"(h 0,UU

0/('/* 8/*7$0/8h */8"U1-"(X+$-O,-"(h JW K 0*$8$8

+,(,O/+/('C

–

j*#

L,*'2 U$,a$U$'2 –

N/O,U 8/*7$0/8X0"+L1'/* )"*/(8$0 8/*7$0/8


Beazley Questionnaire• [,(,O/+/(' ") J*$7,02 otL"81*/8

• T"+L1'/* .28'/+ T"('*"U8

• b/a8$'/ T"('/(' T"('*"U8

• J*$"* &(81*,(0/

• J*$"* TU,$+8 ,(# T$*01+8',(0/8

• .,+LU/ p1/8-"((,$*/ @8/L,*,'/

>,(#"1'C



41


WHAT DOES THIS MEANFOR MY INSTITUTION?

(SO NOW WHAT?)


Due Diligence: Information

Security Program

• 9,7/ , LU,( ,(# L"U$02 @"* L"U$0$/8C '"

L*"'/0' 8/(8$-7/ $()"*+,-"(

• 9,7/ , LU,( '" */#10/ 8/(8$-7/

$()"*+,-"( @,(# /t/01'/ $'}C

• 9,7/ , +/'*$0 "* +/0>,($8+ '" ,88/88

*$8P '" 8/(8$-7/ $()"*+,-"(

•

9,7/ , :,2 '" */L"*' "( '>/ Q.','/ ")&()"*+,-"( ./01*$'2R



42


Response Elements

• W/8L"(8/ -+/ $8 TW&M&TVN

• Y(": 2"1* Yo• #/0$8$"( +,P/*8 K LU,2/*8

• S/ L*/L,*/#i ]"' $) , a*/,0> :$UU "001* v

b>,' :$UU 2"1 #" b9o] $' "001*8_

•

9o&.T &()"*+,-"( ./01*$'2 m1$#/i

>rL8iXX8L,0/8?$('/*(/'H?/#1X#$8LU,2X

HBeI$()"8/01*$'2O1$#/X9"+/

–

Z,', &(0$#/(' ]"-^0,-"( M""UP$' – &(0$#/(' T>/0PU$8' )"* ./(8$-7/ Z,', otL"81*/


EDUCAUSE HEISC Resources

•

9o&.Ti 9$O>/* o#10,-"( &()"*+,-"(

./01*$'2 T"1(0$U

•

&()"*+,-"( ./01*$'2 m1$#/

• >rL8iXX8L,0/8?$('/*(/'H?/#1X#$8LU,2X

HBeI$()"8/01*$'2O1$#/X9"+/ – Z/7/U"L/# K +,$(',$(/# a2 oZ6TV6.o ./01*$'2

b"*P$(O m*"1L K T"++1($'2 [/+a/*8

– [,LL/# '" $(#18'*2 8',(#,*#8i &.3h ]&.Mh T3S&Mh JT&G

Z..h T2a/*8/01*$'2 n*,+/:"*Ph 9&JVV

– J*"7$#/8 , U$a*,*2 ") 7,U1,aU/ Q'""UP$'8R "( , :$#/ 7,*$/'2

") '"L$08

– Q9"' M"L$08R L*"7$#/ -+/U2 $()"*+,-"( "( 01**/('

81a</0'8



43


Plan, Plan, Plan!

•

9,7/ ,( &(0$#/(' W/8L"(8/ JU,(

•

9,7/ , S*/,0> W/8L"(8/ JU,( '>,' $(0U1#/8

, QJWR LU,(i

–

W/L1',-"( [,(,O/+/(' @O/' ,>/,# ") '>/ (/O,-7/

+/#$, 020U/C

–

T"++1($0,-"(8 LU,(8i ot'/*(,U ,(# &('/*(,U

•

J*,0-0/ '>/ LU,(8} @M,aU/'"L /t/*0$8/8q

>,(#8G"( 02a/* 8/01*$'2 #*$UU8C

•

V(,U2d/ V]• $(0$#/('q #/7/U"L +$-O,-"(8'*,'/O2q $(0"*L"*,'/ $('" 2"1* &()"*+,-"(

./01*$'2 J*"O*,+


Address “Plaintiff” Perceptions

& Motivations•

.:$s L1aU$0 */8L"(8/q a/ ,L"U"O/-0 ,(#

/+L,'>/-0q =D@H ED.E I@? >.GFJ

V0P(":U/#O/ '>,' 2"1 ,*/ , 7$0-+?

• T*/#$' +"($'"*$(O $8 /tL/0'/#q >,7/ J"$('8 ")

T"(',0'8 "* */',$(/*8 )"* 0*/#$' +"($'"*$(OX

a*/,0> */8L"(8/ 8/*7$0/8

• ;1 ,14 K85 " 058/1,85 45L/-"45q $) +1U-LU/

a*/,0>/8h +/88,O/ ,LL/,*8 Q*/L/--7/R :$'>(" $+L*"7/+/('8 –

Q6()1UÛU/# J*"+$8/8R @N$a/*'2 T",U$-"( W/L"*'C



44


Doing it “Right”

http://www.washingtonpost.com/local/college-park-shady-grove-campuses-affected-by-university-of-maryland-security-breach/2014/02/19/ce438108-99bd-11e3-80ac-63a8ba7f7942_story.html

2015 Security Professionals Conferencehttp://www.commerce.senate.gov/public/?a=Files.Serve&File_id=b92bba0e-787f-426d-b1ce-14f2c73f9f13



45


What they did…

• .:$s */8L"(8/q ,(("1(0/# a*/,0>

,U+"8' $++/#$,'/U2 ,s/* #$80"7/*2q

L*"7$#/# 0*/#$' +"($'"*$(O 8/*7$0/

,a"1' , ://P U,'/*

• M""P ":(/*8>$Lq J*/8$#/(' ,##*/88/#

'>/ 0"++1($'2

• M*,(8L,*/(' ,a"1' '>/ 8$'1,-"(


Key Steps• n"UU": $(0$#/(' */8L"(8/ L*"0/#1*/

• &#/(-^0,-"(q ]"-)2 P/2 8',P/>"U#/*8

• Z,+,O/ 0"(',$(+/(' K #,', /tL"81*/

,88/88+/('q Z/7/U"L */8L"(8/ K

0"++1($0,-"(8 LU,(

• o*,#$0,-"( K */0"7/*2

•

]"-^0,-"(q Z/7/U"L nV€ v 0"(8$8'/('+/88,O/q JWX[/#$,q T,UU T/('/*

• &(0$#/(' ,(,U28$8 K (/t' 8'/L8



46


Planning for the Breach…

• &#/(-)2 L*"aU/+ ,*/,8

–

b>,' U/# '" , a*/,0> "* :>,' :$UU U/,# '" , a*/,0>

• &#/(-)2 K /(O,O/ P/2 8',P/ >"U#/*8

– b>" >,8 '>/ ,1'>"*$'2 '" ,\/0' (/0/88,*2 0>,(O/8

•

&#/(-)2 :>,' (//#8 '" a/ 0>,(O/#

• Z/7/U"L LU,( K -+/U$(/

• ["-7,-"( )"* L/*+,(/(' 0>,(O/ '" L*/7/('

$(0$#/(' )*"+ */01**$(O –

&#/(-)2 :>,' */8"(,'/8 :$'> 0"*/ L"L1U,-"(8

– Q:>,'c8 $( $' )"* +/_R

•

o7,U1,-"( +/'*$08


Your Plans?• Z" 2"1 >,7/ ,( $(0$#/(' */8L"(8/ LU,(_

• b>,' ,a"1' , a*/,0> */8L"(8/ K

("-^0,-"( LU,(_

• b>" :$UU +,( 2"1* 0,UU 0/('/*_

• Z" 2"1 P(": :>" '" 0"(',0' @,UU ,*/,8 ")

U/,#/*8>$LC_ wV]Zw :>,' '" '/UU '>/+_

•

9": :$UU 2"1 0"++1($0,'/ '" '>/

,\/0'/# $(#$7$#1,U8 ,(# '" '>/ L1aU$0_

@[/#$, 0"++1($0,-"( LU,(C



47


Don’t Forget…

• .L//# $8 ") '>/ /88/(0/q $+L/*,-7/ '"

>,7/ 8:$sh #/0$8$7/ ,0-"(8

• S/ 8$(0/*/U2 ,L"U"O/-0h 0"(0/*(/#h

0,*$(O

• S/8' $) '>/ >$O>/8' *,(P$(O ,#+$($8'*,'"*

$881/8 '>/ ("-0/

•

o(81*/ '>,' ,UU */+/#$,-"( ,0-"(8 ,*/0"+LU/'/# ,(# #"01+/('/#


* Checklist?• &#/(-)2 L*"aU/+ ,*/,8

– b>,' U/# '" , a*/,0> "* :>,' :$UU U/,# '" , a*/,0>

• &#/(-)2 K /(O,O/ P/2 8',P/ >"U#/*8 – b>" >,8 '>/ ,1'>"*$'2 '" ,\/0' (/0/88,*2 0>,(O/8

• &#/(-)2 :>,' (//#8 '" a/ 0>,(O/#

• Z/7/U"L LU,( K -+/U$(/

• ["-7,-"( )"* L/*+,(/(' 0>,(O/ – &#/(-)2 :>,' */8"(,'/8 :$'> 0"*/ L"L1U,-"(8

– Q:>,'c8 $( $' )"* +/_R

• o7,U1,-"( +/'*$08




Jodi ItoUniversity of Hawai!i

Information Security Officer [email protected] • (808) 956-2400

Documents

Breaches: Planning + Recovery = Resiliency (264078789)