Are Large Scale Data Breaches Inevitable?
Are Large Scale Data Breaches Inevitable?
Douglas E. Salane
Center for Cybercrime Studies
John Jay College of Criminal Justice
City University of New York
Cyber Infrastructure Protection 09
City College (CCNY)
June 5, 2009
Large Scale Breaches
What is a large scale data breach?
Why are they important?
Where do these breaches occur?
Information on Data Breaches
State breach notification laws
Federal breach notification laws
Role of State Attorneys General
Breach notification letters
Civil and criminal prosecutions
Company press releases and announcements
SEC Filings
Organizations that track breaches
Open Security Foundation: DataLoss DB project http://datalossdb.org/
Privacy Rights Clearing House http://www.privacyrights.org/
Federal Trade Commission http://www.ftc.gov
Breach Incidents 2000-2009
Incidents By Breach Type
Incidents by Business
Incidents by Data Type
Notable large scale breaches in the Data Aggregation Industry
What is the data aggregation industry?
Who buys information from a data aggregator?
What types of information do these companies provide?
Breaches in the Data Aggregation Industry: methods, costs and consequences
Acxiom breaches 2001-2004
Choice Point breaches 2004
LexisNexis (Accurint) breaches 2005, 2007
Breaches in the Retail and Card Payment Industry
What is the card payment processing industry?
Why is this industry targeted and by whom?
What do you do with 45 million credit card numbers?
Breaches in the Retail and Card Payment Processing Industries: methods, costs and consequences
CardSystems Solutions – 45 million card numbers
TJX Companies – 94 million cards
RBS World Pay – 1.5 million financial records
Heartland Payment Systems – 100 million cards
Card Payment Industry
Monetizing the Crime
Carding sites
Cashing on a world-wide basis
Targeted attacks, e.g., scanners and cameras
Breaches and Fraud
Percentage of revenue lost to on-line fraud – about 1.4% for the past six years, 3.6% in 2001
Card-present fraud rate continues to decline
ATM fraud is rising (?)
“Identity fraud” is rising (?)
Fraud in international card transactions is unacceptable (one in nine on-line purchases rejected)
Large scale breaches: The costs to businesses
Breach notification costs
Class action suits to recover costs
Loss of confidence by business partners and clients
Remedies
Industry-wide attempts at security – PCI DSS in the payment processing industry
Enhanced roles of the chief information security and information privacy officers
The increasing importance of information privacy policies
Challenges
Breach details are seldom revealed, even long after the breach.
Until recently, there were no industry-wide clearing houses for breach information. (Payments Processing Information Sharing Council)
Risks of keeping breach information secret
A few IT Community Challenges
Knowing where the data is
Rapid system-wide updating and patching
Integration of legacy systems
Automated fraud detection tools at each level
Implementing end-to-end encryption
Better systems for authorization and auditing
Law Enforcement Challenges
Immediate notification in the event of a breach
Improved intelligence on carding sites and cashing techniques
Critical need for international law enforcement and governmental cooperation
Information Security Policy Challenges
Privacy policies based on need-to-know (limit data collection and retention)
Commingling of systems on public and private networks
Policies to protect large data repositories
Trends
Breach costs will continue to grow
National breach notification legislation is coming (health care now, other sectors soon)
Breach notification will give the FTC and the Dept. of HHS more authority to regulate the use of PII.
Concluding Remarks
Breach notification laws are changing the way organizations view information security and privacy.
Breaches of PII such as SSNs, names and addresses are especially dangerous for individuals.
More on privacy and data breaches at the Center for Cybercrime Studies