Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Page 1: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Jake Bartlett, Francis Lam, Masha Pryamkova, Muna Siddiqi

Page 2: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi


Page 3: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

1. Introduction
◦ Risk definition
◦ Why IT Security and Privacy are important
◦ Types of risks
◦ List of most common risks

2. Case Studies
◦ The Secret Healthcare Company
◦ Visa
◦ ChoicePoint

3. Summary of Best Practices

Page 4: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

A risk can be defined as a function of three variables:
◦ the probability that there is a threat
◦ the probability that there are any vulnerabilities
◦ the potential impact

A threat is anything (man-made or an act of nature) that has the potential to cause harm.

A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset.

Source: 18

Page 5: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Risks

Vulnerabilities
• Flaws in hardware, software, or network elements
• Security is constantly playing catch-up to technology
• Internet was designed to be open
• Systems operating close to capacity
• Increasing use of off-the-shelf software
• Lack of centralized control
• Critical infrastructure interdependencies
• Standardization of products
• Expansion of the Internet

Threats
• User error
• Natural disasters
• Hostile nations / groups
• Spies / snoops
• Other infrastructure disruptions
• Activists
• Criminals
• Pranksters
• Terrorists

Potential Damage
• Customer confidence lost
• Critical operations halted
• Services interrupted
• Data corrupted
• Assets lost

Source: 1

Page 6: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

CSI Computer Crime and Security Survey
• Published by the Computer Security Institute since 1995
• 494 respondents (anonymous)
• Data for the 2007 report is based on the 2006 calendar year

Source: 14

Page 7: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi


Average annual loss from IT Security incidents reported in 2007 - $345,000 per respondent

2007: 494 respondents

Source: 14

Page 8: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi


46% of the organizations experienced a security incident in the past 12 months

Source: 14

Page 9: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

61% of the companies said that their organizations allocated 5 percent or less of their overall IT budget to information security

Source: 14

Page 10: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Internal External

Human Non-Human

Intentional Accidental

Disclosure, Modification, Destruction, Denial of Use

Source: 4

Page 11: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi


Page 12: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Source: 18

Page 13: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

*Top 15 types of incidents

Source: 14

Page 14: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi


Page 15: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

• A Fortune 50 company
• Offers a broad range of medical and specialty products
• Has approximately 34 million medical members
• Manages extensive Public Health Information (PHI)
• This requires a high security focus

Page 16: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

• 40% of all health care organizations are not compliant with HIPAA
• 50% faced attacks from e-mail viruses
• Encryption of data is limited:
◦ 48% do not encrypt data during transmission
◦ 69% do not encrypt stored data or devices

Source: 3

Page 17: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

• Viruses
• Identity theft (organized crime)
• Offshore hacking
• Spam
• Phishing: fraudulent information requests
• Associate carelessness and malicious activity: inappropriate sharing of PHI
• Configuration errors: software or hardware

Page 18: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi


Page 19: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

• Data is collected in large volumes
• The regulatory environment is highly charged and sensitive
• Service provider / partner exposures: outsourcing or delegated work
• Privacy is a signature issue

Page 20: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Information Security Obligations
• HIPAA
• Breach Notification Statutes
• Section 5 of the FTC Act
• Gramm-Leach-Bliley

Page 21: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

What does HIPAA stand for?

1. Health Industry Paying All Attorneys

2. Highly Intricate Paperwork in Abundant Amounts

3. High Income Potential for Aggressive Attorneys

4. Huge Increase in Paperwork and Aggravation Act

5. Health Insurance Portability and Accountability Act

Page 22: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

• Developed by the Department of Health and Human Services (HHS)
• Introduces a set of requirements and standards for the use and dissemination of health care information
• Requires health care companies to develop information security systems
• 5 components:
◦ The Privacy Rule: protection of PHI, paper and electronic
◦ The Transactions and Code Sets Rule: used for claim filing
◦ The Security Rule: electronic
◦ The Unique Identifiers Rule
◦ The Enforcement Rule

Source: 18

Page 23: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

• Administrative Safeguards
• Physical Safeguards
• Electronic Safeguards

Page 24: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

The Company does not allow:
◦ Unnecessary exposure to PHI and protected information
◦ Sharing user IDs or leaving them in view
◦ Leaving any PHI in view

• Disposal and destruction of media containing electronic data is strictly monitored
• Facility security plans, maintenance records, and visitor sign-in and escorts are highly controlled
• Contractors or agents are also fully trained on their physical access responsibilities

Page 25: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

The Company does not:
◦ Allow any non-certified software on the computers
◦ Sell advertisement space on the Internet portals
◦ Allow direct public access to update the database
◦ Allow opening e-mails from unknown people or entities and clicking on links or attachments
◦ Allow visiting Internet retail and information-sharing sites

The Company constantly monitors for suspicious or unusual activities; the incident response team quickly eliminates, isolates, and manages any threats

Page 26: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Chief Information Security Officer

Teams reporting to the CISO:
• Policy Management Team
• Security Risk Management Team
• Access Security Team
• Infrastructure Security Team
• Application Security Team
• Program Management Team

Responsibilities across the teams:
• Policy Development
• Training
• Security Education
• Process Development
• Risk Coordination and Reporting
• Data Handling Risk
• Vendor Risk Management
• Incident Response
• Encryption Operation
• Access Risk Assessment
• Account Administration
• Protection against Viruses/Spam
• Network Protection
• Security Application Development
• Database Security
• Integrated Planning
• Financial Management
• Communications

Page 27: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Budget for IT: $14.3 million
Security budget: $1.2 million (8%)

Page 28: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

• Validation: Proactive Monitoring, Security Audits
• Technology: Secured Infrastructure, Application and Tools
• Process: Appropriate Comprehensive Policies, Standards and Training
• Organization: Information Security Team
• Secured Environment: Physical Security Protocols

Page 29: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Large companies have higher security budgets (more than $1 million), have more technology in place, and follow more strategic practices, but

the larger companies suffer more security breaches and bigger losses.

According to IT Policy Compliance Group research, 75% of all data breaches were caused by human errors.

Page 30: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

The Secret Healthcare Company lost an unencrypted CD holding personal and medical information of 75,000 members while sending it to a contractor firm

What could the company do to prevent a data leak?

Page 31: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

1. Continue to Develop and Deliver Security Awareness, Training and Education

2. Redesign Policies and Standards Framework and Content

3. Expand Processes and Methodologies to Integrate Security into the Enterprise

4. Create and Deploy Data Protection Practices and Solutions

5. Implement Vendor Management Oversight of Data Management and Contract Compliance

6. Develop Incident Handling Protocols and Manage Responses


Page 32: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

• Continue to apply the right organization model
• Have consistent policies, procedures, and standards in place
• Provide ongoing security training
• Look for better ways to secure the technology
• Strengthen the information integrity in more proactive ways
• Execute the information security strategy

Page 33: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi
Page 34: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

"Credit card fraud" is one of many forms of bank fraud that involve credit cards, charge cards, or debit cards

Source: 18

Page 35: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

The fraud begins with either the theft of the physical card or the compromise of the account information

The compromise can occur by many common routes, including something as simple as a store clerk copying sales receipts


Page 36: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

The rapid growth of credit card use on the Internet has made database security lapses particularly costly; in some cases, millions of accounts have been compromised

40% of U.S. and European consumers have stopped an online transaction due to security concerns

Source: 23

Page 37: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Since 2005, credit card fraud in the UK and America has increased by 350% on average according to Reuters

With credit card crime occurring across state lines, criminals often are never prosecuted because the dollar amounts are too low for local law enforcement to pay for extradition

Source: 24

Page 38: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

The cost of credit and charge card fraud, to card holders and to card companies alike, may be as high as $500 million a year

Everyone pays for credit and charge card fraud in higher prices, whether or not they are personally defrauded

Source: 25

Page 39: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Components of Visa's Security System
• "12 commandments"
• PCI Standard
• "Verified by Visa"
• Contactless cards
• Zero Liability Policy

Page 40: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

In 2000, Visa trumpeted a list of security "best practices" for e-merchants that accept Visa cards
◦ It also announced its intention to verify merchants' compliance

In October 2007 Visa introduced a new set of Payment Application Security Mandates
◦ Merchants have until July 2010 to comply

Source: 6, 17

Page 41: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

1. Install and maintain a working firewall
2. Keep application and operating system security patches up to date
3. Encrypt stored credit card data
4. Encrypt data sent across the network
5. Use and regularly update antivirus software
6. Don't use vendor-supplied defaults for password security
7. Assign a unique user ID to each person with computer access
8. Track access to data, including read-only, by unique ID
9. Regularly test security systems and processes
10. Restrict access to data on a business "need to know" basis
11. Have a management or human resources policy that addresses security in the workplace, such as doing background checks
12. Restrict physical access to authorized employees

Source: 6

Page 42: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

• PCI DSS stands for Payment Card Industry Data Security Standard
• A security standard accepted by all major credit card companies
• Originally began with 5 different programs, including Visa's
• Visa requires its merchants to comply with both PCI and the 12 Commandments

Source: 18

Page 43: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Starting October 2007, Visa introduced penalties for non-compliance with PCI

Merchant's volume of transactions | Penalty | Effective date | Impact on user
> 1 million Visa transactions per year | Acquirers for these merchants will see their interchange rate raised a tier | October 2007 | Acquirers pass their interchange costs on to their merchant clients as part of the discount rate
At least 6 million Visa transactions per year | Separate monthly fines to the acquirers of noncompliant merchants | October 2007 | Acquirers will pass their fine costs along to merchants as well
1 to 6 million Visa transactions per year | Separate fines | January 2008 | Acquirers will pass their fine costs along to merchants as well

Source: 2

Page 44: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

In addition to other security measures (PIN, 3-digit security code, address matching, etc.) Visa introduced "Verified by Visa" for online transactions

Unique passwords or codes are required during Internet transactions to verify the user's identity

"According to Visa's own research, 76% of customers wanted a password-protected system to enable them to shop on the Internet with total peace of mind, and this is the reason we have introduced Verified by Visa"

Page 45: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Standard cards
• Feature a static card verification value written into the magnetic stripe
• This number is not known to the user and is designed to verify that the card is present during a transaction
• However, because it never changes, criminals can use stolen data from the magnetic stripe to produce cloned cards that would work until the issuer reissued the card

Contactless Visa cards
• Feature embedded microchips that generate a unique code whenever the cards are used
• The code is unique to each transaction, which means that criminals who manage to skim card data during a single transaction to create counterfeit cards would have only an old code

Source: 13, 21
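The static-versus-dynamic contrast on this slide, as an added issuer-side simulation that is not from the slides or from Visa: a "stripe" card presents the same verification value every time, while a "chip" card presents a MAC over a per-card transaction counter, so data captured once cannot be replayed. The key handling, message layout and truncated HMAC are my own simplifications of the idea, not Visa's actual contactless protocol.

```python
import hashlib
import hmac
import secrets

CODE_LEN = 8  # hex digits kept from the MAC (assumption for the demo)


class StaticStripeCard:
    """Magnetic-stripe card: the verification value never changes."""

    def __init__(self, pan, cvv):
        self.pan, self.cvv = pan, cvv

    def present(self, amount):
        # Everything a skimmer captures here is reusable as-is.
        return {"pan": self.pan, "amount": amount, "code": self.cvv}


class ChipCard:
    """Chip card: the code is a MAC over a counter that moves every use."""

    def __init__(self, pan, key):
        self.pan, self.key, self.counter = pan, key, 0

    def present(self, amount):
        self.counter += 1
        msg = f"{self.pan}|{self.counter}|{amount}".encode()
        code = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:CODE_LEN]
        return {"pan": self.pan, "amount": amount,
                "counter": self.counter, "code": code}


class Issuer:
    """Authorisation host: knows each card's secret and last counter seen."""

    def __init__(self):
        self.static, self.keys, self.last_counter = {}, {}, {}

    def enrol_static(self, card):
        self.static[card.pan] = card.cvv

    def enrol_chip(self, card):
        self.keys[card.pan] = card.key
        self.last_counter[card.pan] = 0

    def authorize(self, txn):
        pan = txn["pan"]
        if pan in self.static:
            # Only the fixed value can be checked; a clone passes.
            return hmac.compare_digest(txn["code"], self.static[pan])
        if pan in self.keys:
            if txn["counter"] <= self.last_counter[pan]:
                return False  # counter already used: replay of old data
            msg = f"{pan}|{txn['counter']}|{txn['amount']}".encode()
            expected = hmac.new(self.keys[pan], msg,
                                hashlib.sha256).hexdigest()[:CODE_LEN]
            if not hmac.compare_digest(txn["code"], expected):
                return False  # code does not match this counter/amount
            self.last_counter[pan] = txn["counter"]
            return True
        return False  # unknown card


def replay_outcome(card_kind):
    """One genuine purchase, then the captured data reused for a new amount.
    Returns (genuine_accepted, replay_accepted)."""
    issuer = Issuer()
    pan = "4000000000000002"  # constructed test PAN, not a real account
    if card_kind == "static":
        card = StaticStripeCard(pan, "123")
        issuer.enrol_static(card)
    else:
        card = ChipCard(pan, secrets.token_bytes(16))
        issuer.enrol_chip(card)
    captured = card.present("19.99")
    genuine_ok = issuer.authorize(captured)
    cloned = dict(captured, amount="499.00")  # counterfeit reuses old data
    return genuine_ok, issuer.authorize(cloned)
```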

Page 46: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Customer-oriented policy that ensures complete liability protection for all card transactions that take place on the Visa system

i.e. "You owe nothing in fraudulent transactions"

Source: 22

Page 47: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi
Page 48: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Identity Theft is a crime where a criminal assumes someone else's identity in order to profit by fraudulent means

Not the same as Credit Card Fraud

Source: 8

Page 49: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

• Identity theft is one of the fastest growing crimes in the United States
• Identity theft costs almost $53 billion between business and individual victims for all types of reported identity theft
◦ Business victims experienced a total loss of $47.5 billion, or an average of $4,800 per business victim per year
◦ Individual victims account for a total loss of $5 billion, and $500 per victim annually
• Americans spent 300 million hours resolving issues related to identity theft

Source: TBD

Page 50: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

• Stealing personal information in computer databases (hacking or using Trojan horses)
• Dumpster diving
• Phishing
• Social engineering
• Browsing social network sites (MySpace, Facebook, etc.) for personal details that have been posted by users

Page 51: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Universities often become victims of data breaches!

Company / Institution | Date made public | Number of records
Fidelity National Information Services, Certegy Check Services Inc. | July 3, 2007 | 8.5 million
Yale University | Aug 8, 2007 | 10,000
California Public Employees' Retirement System (CalPERS) | Aug 22, 2007 | 445,000
Monster.com | Aug 23, 2007 | 1.6 million
University of Michigan School of Nursing | Sep 19, 2007 | 8,585
Gap, Inc. | Sep 28, 2007 | 800,000
Commerce Bank | Oct 10, 2007 | 20

Source: 10, 19

Page 52: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi


A data aggregation company based in Alpharetta, near Atlanta, Georgia

Acts as a private intelligence service to government and industry: combines personal data sourced from multiple public and private databases for sale to the government and the private sector

Maintains more than 17 billion records of individuals and businesses, which it sells to an estimated 100,000 clients, including 7,000 federal, state and local law enforcement agencies

Source: 8

Page 53: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

• In February 2005 ChoicePoint revealed that sensitive information for at least 114,000 (some sources say 163,000) people had been compromised
• The breach occurred earlier, in 2004, when criminals posed as customers to obtain data
• No direct technology breach occurred, but the media characterized the incident as if one had
• At least 750 (some sources say 5,000) cases of identity theft resulted from the breach
• A similar scam perpetrated in 2000 resulted in at least $1 million in fraudulent purchases

Source: 7, 8, 20

Page 54: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

A number of investigations followed, including by members of Congress, the Federal Trade Commission, the US Securities and Exchange Commission and US state attorneys general, as well as personal lawsuits

ChoicePoint has agreed to pay $15 million:
◦ $10 million fine
◦ $5 million as a fund to help the victims of the identity theft

The company must overhaul its security program and submit to independent audits of security procedures every 2 years for the next 20 years

Source: 11

Page 55: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

In April 2007 a Gartner analyst told USA Today that "ChoicePoint transformed itself from a poster child of data breaches to a role model for data security and privacy practices"

◦ Some of the preventive steps included abandoning a line of business worth $20 million because of its potential to risk a future data breach

Source: 7, 16

Page 56: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

5-step action plan for securing data and privacy systems proposed by ChoicePoint's CIO:

1. Governance: the Chief Privacy Officer reports to a board that governs privacy and public responsibility

2. Clearly define expected behavior and provide tools to simplify compliance for employees

3. Create data breach response policies and procedures

4. Determine the credentials of those you work with and those who work for you

5. Embrace openness

Source: 12

Page 57: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi


Page 58: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi


• Security Policy
• Organizational Security
• Access Classification and Control
• Compliance
• Physical Security
• Business Continuity Management
• Access Control
• Physical and Environmental Security
• System Development and Maintenance
• Communications and Operations Management

Legend: Organizational Aspect / Technical Aspect / Physical Aspect

Source: 9

Page 59: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi
Page 60: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Journal Articles

1. Goles et al., "Dark Screen: An Exercise in Cyber Security", MIS Quarterly Executive, Vol. 4, 2, 2005

2. Green, J., "Merchants Face a Double Whammy", Cards & Payments, Vol. 20, 10, 2007

3. Holmes, A., "The Global State of Information Security 2006; Some things are getting better, slowly, but security practices are still immature and, in some cases, regressing", CIO, Vol. 19, 23, 2006, p. 1

4. Loch, K., Carr, H., Warkentin, M., "Threats to Information Systems: Today's Reality, Yesterday's Understanding", MIS Quarterly Executive, Vol. 16, 2, 1992

5. Luftman, J., and McLean, E., "Key Issues for IT Executives", MIS Quarterly Executive, Vol. 4, 2, 2006, pp. 81-99, 269-286

6. Messmer, E., "Online Card Fraud Targeted", Network World, Vol. 17, 34, 2000

7. McNulty, E., Lee, J., Boni, B., Coghlan, J., Foley, J., "Boss, I Think Someone Stole Our Customer Data", Harvard Business Review, Vol. 85, 9, 2007, pp. 37-50

8. Miller, M., "Why Europe is Safe from ChoicePoint: Preventing Commercialized Identity Theft Through Strong Data Protection and Privacy Laws", The George Washington International Law Review, Vol. 39, 2, 2007, p. 395

9. Saint-Germain, R., "Information Security Management Best Practice Based on ISO/IEC 17799", The Information Management Journal, Vol. 39, 4, 2005, pp. 60-66

10. Swartz, N., "ID Thieves Targeting Universities", Information Management Journal, Vol. 41, 2, 2007, p. 7

11. Swartz, N., "Data Breach Costs Broker $15 Million", Information Management Journal, Vol. 40, 3, 2006, p. 10

12. Swartz, N., "ChoicePoint Lessons Learned", Information Management Journal, Vol. 41, 5, 2007, p. 24

13. Wolfe, D., "Visa Security Idea: Mag Stripe with 'Dynamic' Code", American Banker, Vol. 172, 48, 2007

Page 61: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Electronic publications

14. Richardson, R., "CSI Computer Crime and Security Survey 2007", http://www.gocsi.com/forms/csi_survey.jhtml;jsessionid=W3MH0WN1ZFW0SQSNDLOSKHSCJUNN2JVN, viewed October 1, 2007

15. "An Introduction to Computer Security: The NIST Handbook", http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf, viewed November 4, 2007

16. Swartz, J., and Acohido, B., "Who's guarding your data in the cybervault?", USA Today, http://www.usatoday.com/tech/news/computersecurity/infotheft/2007-04-01-choicepoint_N.htm, viewed November 1, 2007

17. Vijayan, J., "What New Visa Security Mandates Mean to You", PC World, http://www.pcworld.com/businesscenter/article/139048/what_new_visa_security_mandates_mean_for_you.html, viewed November 1, 2007

Websites

14. Wikipedia

15. http://www.privacyrights.org/ar/ChronDataBreaches.htm, viewed November 1, 2007

16. http://jurist.law.pitt.edu/paperchase/2006/01/ftc-imposes-record-fine-on-choicepoint.php, viewed November 1, 2007

17. http://www.informationweek.com/security/showArticle.jhtml?articleID=183702491, viewed November 1, 2007

18. http://www.congressionalfcu.org/aboutus/securitycenter/ZeroLiabilityPolicy.pdf, viewed November 1, 2007

Page 62: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Websites (continued)

19. http://marketwire.com

20. http://today.reuters.com

21. http://techweb.com/wire/security/

22. Creditsourceonline.com

23. About.com

24. identitytheft.gov

Page 63: Jake Bartlett Francis Lam Masha Pryamkova Muna Siddiqi

Source: 14