Page 1: Threats to Personal Data Security - Objetivo · Title: TITLE 44 POINT VERDANA ALL CAPS Author: leblad Created Date: 12/9/2013 12:12:18 PM

1 © Copyright 2013 EMC Corporation. All rights reserved.

Threats to Personal Data Security: Causes and Consequences

International Forum on Personal Data Protection: IFAI’s Recommendations, Dec 5th 2013

Davi Ottenheimer, Senior Director of Trust

Page 2

“The four big megatrends in information technology today are cloud computing, big data, social networking and mobile devices. Adoption and maturity of these trends must float upon a sea of trust.”

- Joseph Tucci

Page 3

Intro

Page 4

Objective

“Reveal causes and impacts of security incidents, such as economic, reputational and integrity damage”

“It's a fundamental principle of copyright law that facts are not copyrightable…”

-EFF 2012

https://www.eff.org/press/releases/eff-wins-protection-time-zone-database

Page 5

Mexico Privacy Law and Regulations

2010 July 5, “Law”: Ley Federal de Protección de Datos Personales en Posesión de los Particulares

2011 December 21, “Regulations”: Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de Particulares

Personal Data and “Sensitive Personal Data”

“Materially affect property or moral rights”

“loss, theft or unauthorized use, modification, access, copying, destruction, damage, or alteration to personal data”

Page 6

Definitions

1. Breach: “impermissible use or disclosure” that “poses a significant risk of financial, reputational, or other harm”

2. Sophisticated Breach: “If you can’t explain it simply, you don’t understand it well enough”

3. Advanced Persistent Breach: Targeted with long-term capabilities

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

Page 7

APB Example: Mexican Office of the President

http://www.spiegel.de/fotostrecke/photo-gallery-nsa-hacked-into-mexican-president-s-email-account-fotostrecke-102797-2.html

Page 8

Breach Data Sources

Trustwave
Verizon
Trend Micro
Sophos
McAfee
Symantec
AlienVault
Secunia
Kaspersky
Ponemon
U.S. States (NCSL)
privacyrights.org
Identity Theft Resource Center
HHS.gov

“As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.”

http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Page 9

Inter-Analysis Comparisons

1. Breach Sources
   A. Partners 0%, down from 22% in 2010 (Verizon)
   B. Partners 76% (Trustwave)

2. Spam Sources
   A. India 18%, Russia 15% (Trend Micro)
   B. US 12%, India 8%; Asia 45%, Europe 26% (Sophos)

3. Most Attacked
   A. Chile, China, South Korea (Sophos)
   B. US, Australia, Canada (Trustwave)*

RSA Conference SF 2012: “Message in a Bottle”

* http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf

Page 10

Intra-Analysis Comparisons

1. Verizon
   A. Sophistication, along with speed, was one of the two themes that stood out
   B. 78% of initial intrusions rated as low or very low difficulty …little or no specialist skills or resources

2. Trustwave
   A. Ever-increasing level of sophistication on the part of malware authors
   B. 89% of networks have weak or blank system admin password and 86% of networks have weak or blank database password

http://www.verizonenterprise.com/resources/executivesummary/es_2013-data-breach-investigations-flyers-sophistication_en_xg.pdf
http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf

Page 11

Perspective on Vulnerabilities

“Measuring vs. Modeling” by Dan Geer and Michael Roytman
https://www.usenix.org/system/files/login/articles/14_geer-online_0.pdf

[Chart] Attack Probabilities (NVD): 2.4% Attacked; CVSS Score 9 or 10 not attacked: 87.8%

Page 12

EMC Survey: IT Trust Curve. Senior Executive IT Trust Confidence Relative to Their Organization’s Maturity

[Chart] Confidence (%), by industry:
59% Financial services
58% IT and technology
57% Consulting
57% Retail and consumer…
55% Energy
55% Manf.
55% Comms, media and ent.
51% Healthcare
50% Public sector
48% Life sciences

[Chart] Maturity (score), by industry:
54.1 Financial services
53.9 Life sciences
53.8 IT and technology
51.6 Healthcare
51.1 Public sector
51.0 Manf.
49.8 Retail and consumer…
49.4 Energy
49.2 Comms, media and ent.
46.1 Consulting

www.emc.com/trustcurve

Page 13

Causes

Page 14

Reality: Advanced Threats

1. Stealthy: low and slow
2. Targeted: specific objective
3. Interactive: human involvement

[Diagram] Attack timeline labels: Attack, Intrusion, Prevention, Cover (Pivot and Hide), Identification, Response; Dwell Time and Response Time; A: Reduce Dwell; B: Speed Response

Page 15

Perimeters Changing: Virtual Data Centers, Cloud Compute and Mobile Users

[Diagram] Traditional Data Center: Dedicated, Vertical Gaps and Stacks. Modern Data Center: Dynamic Pools of Compute & Storage

Page 16

Perimeters Need Balance With Heuristics

[Diagram] Traditional Data Center: Dedicated, Vertical Gaps and Stacks. Modern Data Center: Dynamic Pools of Compute & Storage. Layers: People, Transactions, Data Flow

Challenges
– ID and Authenticity
– Complex Relationships
– New and Different Layers

Opportunities with Big Data
– Velocity
– Variety
– Volume
– Vulnerability

Page 17

Top Four Breach Causes

1. Default or Weak Credentials

2. Lack of Input Filtering (Inclusion, Injection)

3. Excessive Services

4. Wider Scope of Unpatched Systems (Legacy and New)

Page 18

Four Breach Stages

1. Enumeration
   – Systems with Vulns
   – Vulns on Systems
2. Access and Control
3. Exfiltration
   – Transfer Stored Data
   – Dump Data in Transit
4. Expansion and Repetition

Page 19

Four Solutions

1. Advanced Security Operations
2. Identity Management
3. Fraud and Risk Intelligence
4. Governance, Risk & Compliance

Page 20

Five Anticipated Benefits by Respondents if Controls Could Stop Breaches

[Chart]
42% Reduced cost of application deployment / time to market
43% More time for innovation & analysis
45% Lower cost of investigation & response
48% Lower barrier to information sharing
49% Expedited audits & lower compliance reporting cost

www.emc.com/trustcurve

Page 21

Consequences

Page 22

Reported Average Per Company Annual Financial Loss

$585,892 Data Loss
$860,273 Security Breach
$497,037 Downtime

www.emc.com/trustcurve

Page 23

Per Compromised Record Annual Financial Loss

By region: $159 US, $117 World

By industry: $233 Healthcare, $215 Financial, $207 Pharma, $78 Retail

http://www.symantec.com/content/en/us/about/media/pdfs/b-cost-of-a-data-breach-exec-summary-2013.en-us.pdf

Page 24

“Materially Affect” Example: RockYou

Social Game Maker (Facebook)

2009 Breach (SQL injection)
– 32M Password/Email Addresses
– All Clear Text, Including Partner Credentials

2011 Ruling
“…plaintiff has sufficiently alleged a general basis for harm…some ascertainable but unidentified ‘value’ and/or property right inherent in the PII…sufficient to allege an actual injury…”

http://www.scribd.com/doc/53080958/Claridge-v-Rockyou-09-6032-PJH-N-D-Cal-Apr-11-2011

Page 25

“Materially Affect” Example: Search Engine Indexes (Dorks)

– inurl:-cfg intext:"enable password"
– filetype:ini "[FFFTP]" (pass|passwd|password|pwd)
– filetype:sql "phpmyAdmin SQL Dump" (pass|password|passwd|pwd)
– filetype:sql "PostgreSQL database dump" (pass|password|passwd|pwd)
– inurl:htpasswd filetype:htpasswd

+-----------+--------+----------+
| Word      | Count  | Of total |
+-----------+--------+----------+
| 123456    | 290729 | 0.8917 % |
| 12345     |  79076 | 0.2425 % |
| 123456789 |  76789 | 0.2355 % |
| password  |  59462 | 0.1824 % |
| iloveyou  |  49952 | 0.1532 % |
+-----------+--------+----------+

http://risky.biz/sosasta

Page 26

Certificate System Failure

Response
– Evidence starting 2009 not noticed or investigated
– External alert/pressure

Infrastructure
– Lack of segmentation – all CA servers in one Domain
– Weak Domain administrator password
– Missing patches
– Compromised systems unnoticed (and replicated)
– Lack of centralized logs

Record Keeping
– Google certificate serial # not recorded
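The record-keeping and centralized-log failures on this slide can be checked mechanically: merge every CA server's local issuance log into one ledger and reconcile certificates seen in the wild against it. This is an added example, not code from the slides or from any CA; the ledger fields, server names, serials and subjects are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class CertRecord:
    serial: str   # certificate serial number, hex, as logged or as seen by a client
    subject: str  # subject name the certificate was issued for
    source: str   # CA server log it came from, or "observed" for a client-seen cert

def audit_issuance(server_logs: dict[str, list[CertRecord]],
                   observed: list[CertRecord]) -> dict[str, list]:
    """Build one central ledger from every CA server's local log, then check
    each certificate seen in the wild against it."""
    ledger: dict[str, CertRecord] = {}
    conflicts: list[tuple[CertRecord, CertRecord]] = []
    for records in server_logs.values():
        for rec in records:
            prev = ledger.get(rec.serial)
            if prev is not None and prev.subject != rec.subject:
                # same serial, different subject on two servers: a replicated or
                # tampered record, the kind the slide says went unnoticed
                conflicts.append((prev, rec))
            else:
                ledger.setdefault(rec.serial, rec)
    unrecorded = [c for c in observed if c.serial not in ledger]
    mismatched = [c for c in observed
                  if c.serial in ledger and ledger[c.serial].subject != c.subject]
    return {"unrecorded": unrecorded, "subject_mismatch": mismatched,
            "ledger_conflicts": conflicts}

def report(findings: dict[str, list]) -> list[str]:
    """One human-readable line per finding, for the incident log."""
    lines = [f"UNRECORDED serial {c.serial} for {c.subject}: no issuance record"
             for c in findings["unrecorded"]]
    lines += [f"MISMATCH serial {c.serial}: seen for {c.subject}"
              for c in findings["subject_mismatch"]]
    lines += [f"CONFLICT serial {a.serial}: {a.source} says {a.subject}, {b.source} says {b.subject}"
              for a, b in findings["ledger_conflicts"]]
    return lines

# Constructed sample data (serials and names are made up for illustration):
# two CA servers' local logs and three certificates observed by clients.
SERVER_LOGS = {
    "ca-01": [CertRecord("0x1001", "shop.example.test", "ca-01"),
              CertRecord("0x1002", "mail.example.test", "ca-01")],
    "ca-02": [CertRecord("0x1003", "vpn.example.test", "ca-02"),
              CertRecord("0x1002", "evil.example.test", "ca-02")],  # tampered replica
}
OBSERVED = [
    CertRecord("0x1001", "shop.example.test", "observed"),
    CertRecord("0x2fff", "*.bigmail.example.test", "observed"),  # the never-recorded case
    CertRecord("0x1003", "vpn.example.test", "observed"),
]

if __name__ == "__main__":
    for line in report(audit_issuance(SERVER_LOGS, OBSERVED)):
        print(line)
```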

Page 27

Breach Notification: HHS 27,771,823 Affected Since Sept 2009

[Chart] Breaches by type:
Theft 50%
Loss 27%
Unknown 8%
Unauthorized Access 6%
Hacking 5%
Improper Disposal 2%
Other 2%

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Page 28

Harm “Cost” Relative to US Healthcare

Data Breaches: $2B
“…costing healthcare industry billions of dollars a year, with employees, mobile devices the weakest link.”
http://www.darkreading.com/insider-threat/167801100/security/attacks-breaches/232200606/healthcare-data-in-critical-condition.html

Diabetes: $83B
“…costing Americans $83 billion a year in hospital fees — 23 percent of total hospital spending.”
http://www.thefiscaltimes.com/Articles/2010/08/19/The-Cost-of-Diabetes.aspx

Page 29

Harm “Cost” Relative to US Healthcare

[Chart] Diabetes 23%, Other 77%, Breaches 0%

[Map] Diabetes, Age >20
http://www.cdc.gov/dhdsp/maps/gisx/mapgallery/textonly.html

Page 30

Breaches in Five Most Populated States

[Chart: Incidents, log scale]

Page 31

Breaches by Sensitive Data Types

[Chart: Records, linear scale]

RSA SF 2009 Presentation: Downward Trend Due to Regulations

Page 32

Aviation: A Good Model?

“Root of Africa’s Dismal Air-safety Record”

1. Low investment, crumbling infrastructure

2. Lax national authorities

3. Minimal air-traffic control or regulation

4. Basic navigational aids (Technology)

http://www.ascendworldwide.com/the_wall_street_journal_15-08-07.pdf

Page 33

Conclusions

Page 34

How to Reduce Harm

Governance (GRC)

Advanced Security

Increased Scope

Page 35

How to Reduce Harm

Executive Oversight

Support Prevention with Detection

Source Mostly Unknown but Social

Expand Scope to Exceptions

Any and Every Asset a Target

– VPNs (Tokens)

– Apple and Android (BYOD)

– Unusual Services (Backdoors)

– Egress Ports (53, 25)

– User Interface (Decisions / Overrides)
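The “Egress Ports (53, 25)” item above is the kind of exception a detection rule can cover: internal hosts that send DNS or SMTP directly out instead of through the approved resolver or mail relay, and DNS flows far larger than a lookup needs. This is an added example, not from the slides; the flow-log format, the approved-service addresses, the 4096-byte threshold and the log lines are all constructed assumptions.

```python
from __future__ import annotations
from collections import defaultdict

# Assumed environment: one approved internal resolver and one approved mail
# relay; anything else sending on 53 or 25 bypasses them.
APPROVED = {53: {"10.0.0.53"}, 25: {"10.0.0.25"}}
DNS_FLOW_BYTES_LIMIT = 4096   # assumed threshold; larger DNS flows suggest tunnelling

# Constructed flow records (not real logs): src dst dport bytes_out
FLOWS = """\
10.0.1.15 10.0.0.53 53 180
10.0.1.15 10.0.0.25 25 2200
10.0.0.53 198.51.100.7 53 320
10.0.1.22 203.0.113.9 53 900
10.0.1.22 203.0.113.9 53 65536
10.0.1.30 203.0.113.40 25 120000
10.0.1.15 203.0.113.9 443 5000
"""

def parse_flows(text: str) -> list[dict]:
    """Turn whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, nbytes = line.split()
        flows.append({"src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows

def find_suspicious_egress(flows: list[dict], internal_prefix: str = "10.") -> list[dict]:
    """Aggregate, per internal host and port, traffic on 53/25 that does not go
    through the approved resolver or relay, and note oversized DNS flows."""
    totals: dict[tuple[str, int], int] = defaultdict(int)
    oversized_dns: set[str] = set()
    for f in flows:
        port = f["dport"]
        if port not in APPROVED or not f["src"].startswith(internal_prefix):
            continue
        if f["dst"] in APPROVED[port] or f["src"] in APPROVED[port]:
            continue   # going to the approved service, or the approved service itself
        totals[(f["src"], port)] += f["bytes"]
        if port == 53 and f["bytes"] > DNS_FLOW_BYTES_LIMIT:
            oversized_dns.add(f["src"])
    findings = []
    for (src, port), nbytes in sorted(totals.items()):
        reason = f"port {port} egress bypassing approved {'resolver' if port == 53 else 'relay'}"
        if src in oversized_dns:
            reason += "; oversized DNS flow (possible tunnelling)"
        findings.append({"src": src, "dport": port, "bytes": nbytes, "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_egress(parse_flows(FLOWS)):
        print(finding)
```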

Page 36

Personal Data Security

Depends On

TRUST

Page 37

@EMCTrustedIT