

Ross C. Hughes | Dec. 2014

U.S. Department of Education

2014 FSA Training Conference for Financial Aid Professionals

Computer, Privacy, and Data Protection

Session #40

The World of Data Breaches

• http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/


Five Data Breach Statistics Worth Knowing

1. Since the Target breach, there has been a major data breach discovered almost every month. Those breaches include Michaels Stores, Sally Beauty Supply, Neiman Marcus, AOL, eBay, and P.F. Chang’s Chinese Bistro.

2. A recent Ponemon Institute survey estimates 47 percent of all American adults have been affected by data breaches in the last year, with an estimated 432 million online accounts being affected.

3. There were more than 600 reported data breaches in 2013, a 30% increase over 2012.

4. The retail industry was the number one target, with nearly 22 percent of network intrusions occurring at retailers, according to the Verizon Data Breach Investigations Report.

5. Cybercrime costs the global economy as much as $575 billion and the U.S. economy $100 billion annually, making the U.S. the hardest hit of any country, according to a report from Intel Security and the Center for Strategic and International Studies.

Source: Ansley Kilgore, June 19, 2014. “Six months after the Target data breach, the statistics are astonishing.”

Data Breaches and Hacks

How Do You Do It

Why Do They Do It

Hacker Pricing for Stolen Credentials (Dell SecureWorks’ Counter Threat Unit)

• “Kitz” – verified health insurance, SSN, bank account info/logins (account & routing numbers, account type), driver’s license, full name, address, phone, etc., and counterfeit physical documents and hardware related to the identity data in the package (e.g., credit cards, driver’s license, insurance cards, etc.) – ranging between $1200 – $1300 per Kitz. Add $100 – $500 for rush orders and other miscellaneous fees like wire transfer, escrow, etc.

• “Fullz” – If these records also include health insurance credentials for a US victim, then they were negotiated for about $500 each, based on what was included: full names, addresses, phone numbers, e-mail addresses (with passwords), dates of birth, SSN or EIN, one or more of: bank account information (account & routing numbers, account type), online banking credentials (varying degrees of completeness), or credit card information (including full track2 data and any associated PINs)

• Health Insurance Credentials – Health insurance credentials are $20 each. They include names (more than one for spouse & family coverage), date(s) of birth, contract number, group number, type of plan (Individual/Group, HMO/PPO, deductible and copay information), and insurer contact information for customer service and filing claims). Note: when there is a dental, vision, or chiropractic plan associated with the health plan, each of those was an additional $20.


Why Do They Do It

Fees for Additional Stolen Credentials

• US credit card with CVV Code– $1 – $2

• Non-US credit card with CVV– $2 – $10

• Credit card with full track 2 and PIN – $5 – $50

• Prestige credit cards (including Platinum, Diamond, Black) with verified available balance – $20 – $400*

• Online bank account, < $10K – $250 – $1000*

• Compromised computer – $1 – $100

• PayPal, verified balance – $20 – $200*

• Game accounts (Steam, Minecraft, WoW, PSN, XBOX Live/Microsoft) – $5 – $1000**

• Skype account (premium) – $1 – $10

* Some hackers’ prices are based on 4% – 12% of verified current balance

** Rare items are often “parted out” or fenced separately


Why Do They Do It

• Bank Accounts with Attached E-mail Accounts – credentials for bank accounts that also include the credentials for the e-mail account associated with the bank account are more valuable: the scammer can stop the victim from receiving the bank’s e-mail alerts, change account information, and confirm back to the bank that the changes are correct.

• Bank Accounts with ACH Bill Pay or Wire Transfer Features – additional features add to the value of an account. For example, the ability to wire transfer or ACH bill-pay brings a higher price; whereas two-factor authentication, like an SMS code sent to the account owner’s phone to confirm wire transfers, hurts the value of a stolen account.

• Compromised computer – bulk lots with proxy access only are cheap; specific selection criteria (speed, bandwidth, location) and full interactive admin/root access are premium.

• Game Accounts – The biggest jump in value among stolen credentials was in game accounts, because there is more realized value in virtual items and currency. Steam, PSN and XBOX Live accounts linked to other accounts, with multiple game titles and characters, payment information, and other services, command more ($10/hour), or $1000+ for rare/unique top-level items.


And Now: The $100 Server


And They Are Doing It Right Now


http://map.ipviking.com/

http://www.fireeye.com/cyber-map/threat-map.html

Risk Management


What is at Risk


Your Networks At Risk


• Current Student and Alumni Information

• Widely distributed networks

o Admissions

o Registrar’s Office

o Student Assistance

o College Book Store

o Health Clinic

o Websites

• Hackers seek diverse information and diverse paths

Students (and Parents) Data at Risk


• Facebook = share everything (Security questions?)

• Very mobile = laptop, iPhone, iPad everywhere

• Very trusting = limited password usage, write passwords down

• Not organized = often do not track credit cards, “junk” mail

• High debt = attractive to foreign actors

Risk Mitigation


WHAT YOU CAN

and

SHOULD DO

Establish Good Governance


• Create policies and procedures for protecting sensitive data and enforce penalties for noncompliance

• Develop a training and awareness program

• Publish rules of behavior – Make users sign a “confidentiality contract”

• Have a breach response plan that includes roles, responsibilities, timeframes, call trees, alternates, etc.

• Do you know how much PII you have, where it is stored (USB drives, CD-ROMS, etc.), who touches it, and why

• Map out your business process flows - follow the PII

Reduce Your Data Exposure


• Enforce a clean desk policy

• Conduct PII “amnesty” days (shred paper PII/eliminate PII from local and shared drives)

• Protect data at the endpoints

o USB drives, paper, laptops, smartphones, printers

• Destroy your data securely

• Do not keep records forever

• Limit access to only those with a need to know

• Practice breach prevention

o Analyze breaches from other organizations

o Learn from their mistakes

o Adjust your policies and procedures accordingly

• Please - THINK before you post/send/tweet!
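Knowing how much PII you hold and where it sits on local and shared drives is the first step of both the governance bullets above (“follow the PII”) and a PII amnesty day. The scanner below is an added example written for this page, not a tool from the presentation or from FSA: it walks a directory tree, flags Social Security numbers and payment card numbers, and reports only the last four digits so the report itself does not become another PII store. The SSN validity rules (no area 000, 666 or 9xx; no group 00; no serial 0000) and the Luhn check cut the false positives that a bare digit pattern produces; the three sample files are constructed, and the regexes are assumptions to tune for your own data.

```python
"""Find likely PII (SSNs, payment card numbers) in a directory tree.

Added illustrative example, not from the FSA presentation. The patterns,
validity rules and sample files below are assumptions; tune them for your
environment before running an amnesty day.
"""
import os
import re
import tempfile

# 3-2-4 digit groups with optional dash/space separators, not part of a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
# 13 to 19 digits with optional single dash/space separators (card-number shape).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample files: one real-looking SSN, one Luhn-valid test card number,
# one Luhn-invalid number, one phone number and one SSN-shaped number the SSA never issues.
SAMPLES = {
    "admissions/app_2014.txt": "Applicant: J. Doe  SSN 219-09-9999  phone 202-555-0134",
    "bookstore/orders.csv": "order,card\n1001,4111 1111 1111 1111\n1002,4111 1111 1111 1112\n",
    "registrar/notes.txt": "No PII here; ticket 000-12-3456 is an id, not an SSN",
}


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the findings report is not itself PII."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str):
    """Return a list of (kind, masked_value) hits found in one file's contents."""
    hits = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            hits.append(("ssn", mask(m.group(0))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", mask(digits)))
    return hits


def scan_tree(root: str):
    """Walk a directory (a share mount, a USB drive) and map relative path -> hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue            # unreadable file: skip, do not crash the sweep
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def demo():
    """Write the constructed samples into a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, found in sorted(demo().items()):
        print(rel_path, found)
```

Only the admissions file (a valid SSN) and the bookstore file (the Luhn-valid card) are reported; the phone number, the invalid card number and the 000-area number are dropped by the checks rather than by manual review. Point `scan_tree` at a share mount to get the list of files to shred or encrypt.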

Tips to Safeguard PII


Teleworking Security


• Non-government computers or portable storage devices (e.g., a USB flash/thumb drive) should have ED-equivalent security controls (e.g., antivirus/anti-malware, full disk encryption, session lock, strong passwords)

• If possible, do NOT copy data from the VPN to your hard drive, or to a removable storage device - If you must copy data, make sure the data is encrypted

• Keep your computer in a secure location; do not leave it unattended/unsecured

• If you are teleworking from a public location, make sure no-one else can see what is on your computer screen (consider a privacy screen)

• Encrypt PII/sensitive data when e-mailing such data (e.g., WinZip encryption; choose its AES-256 option, not the legacy Zip 2.0 encryption, which is weak, and send the password by a separate channel such as a phone call)

So, Once Again, All Together


• Only collect and use information that is absolutely necessary, and only share with those who absolutely need the information

• “Review and reduce”—inventory your PII and PII data flows, and look for ways to reduce PII

• Follow all Departmental policies and procedures

• Think before you hit the “send” button (e-mail is by far the #1 source of breaches)

• “Scramble, don’t gamble”- encrypt, encrypt, encrypt

• Minimize (or eliminate) the use of portable storage devices

• Protect PII on paper—enforce a clean desk policy, use secure shredding bins, locked cabinets, etc.

If There’s Something Strange


In Your Neighborhood


Who You Gonna Call

• Call your supervisor, the Help Desk, and Security and tell them exactly what is happening

• Don’t delete any files or turn off your system unless Security tells you to

• Security will notify any other organization that should be involved

• If you need advice or help, call your Federal Student Aid ISSO or the FSA Security Operations Center


What You Should Know


https://www.privacyrights.org/

http://www.verizonenterprise.com/DBIR/2014/

http://securityintelligence.com/media/2014-cost-of-data-breach-study-ponemon/

Summary


• Be vigilant. Organizations often only find out about security breaches when they get a call from the police or a customer.

• Make your people your first line of defense. Teach staff about the importance of security, how to spot the signs of an attack, and what to do when they see something suspicious.

• Keep data on a ‘need to know basis’. Limit access to the systems staff need to do their jobs. And make sure that you have processes in place to revoke access when people change role or leave.

• Encrypt sensitive data. Then if data is lost or stolen, it’s much harder for a criminal to use.

• Use two-factor authentication. This won’t reduce the risk of passwords being stolen, but it can limit the damage that can be done with lost or stolen credentials.

• Don’t forget physical security. Not all data thefts happen online. Criminals will tamper with computers or payment terminals or steal boxes of printouts.

Contact


Ross C. Hughes, CHS, CISA, CISM, CISSP, ECSA, IAM

FSA Cyber Security Manager

Office: 202-377-3893   

Cell: 202-480-6586

Fax: 202-275-0907

FSA Security Operations Center

202-377-4697

Questions?
