
Page 1

Hackers at the Gate: Protecting your Important Data

Matt Putvinski, CPA, CISA, CISSP
Wolf & Company, P.C. (Boston • Springfield • Albany)
Northeast Disaster Recovery Information X-Change
October 19, 2009

© 2009 Wolf & Company, P.C.

Page 2

Wolf’s Risk Management Services

• Risk Management Services
• IT Assurance Services
  – Internal Audit Services
  – Compliance Services
  – WolfPAC Solutions
• Risk Management performs work with over 200 organizations
• Diverse experience
  • WAN & LAN Network Engineering
  • Regulatory and Legal Services
  • Various Industry Operations
  • IT Operations and Management
  • Software Development
  • Financial Accounting
  • Information Security
• Commitment to industry excellence with certifications as CPA, CISA, CIA, CISSP, CRCM, and JD.

Page 3

Agenda

Data privacy statistics

Data breach costs

Information Security Threats

Data privacy rules and regulations

Page 4

What is Information Security?

It is the protection from unauthorized:
– Access (Confidentiality)
– Modification (Integrity)
– Destruction (Availability)
– Disclosure (Confidentiality)

Page 5

Why is Information Security Important?

• Need to provide confidentiality, integrity, and availability of information assets:

• To maintain trust, image, credibility: people entrust us with their personal information so that we can help protect them and build a solid foundation for their financial security

• Security Incidents cost $$$$

• For legal compliance: Gramm-Leach-Bliley Act (GLBA)/State Privacy laws

Page 6

“As we know,
There are known knowns.
There are things we know we know.
We also know
There are known unknowns.
That is to say
We know there are some things
We do not know.
But there are also unknown unknowns,
The ones we don't know
We don't know.”

— Donald Rumsfeld, Feb. 12, 2002, Department of Defense news briefing

Page 7

Last year (10/1/08 – 9/30/09)

498 ‘Reported’ security breaches involving sensitive personal information

Representing approximately 168 million records.

Total records affected for 145 Breaches considered “Unknown”

Source: datalossdb.org

Page 8

www.privacyrights.org

Page 9

Security Breaches Summary…

• Stolen laptops / computers
• Stolen paper reports
• Hacking incidents
• Vendor mismanagement
• Improper destruction of files
• Lost backup tapes
• Dishonest employees selling information

Page 10

Causes of Data Breaches

5% - Other

10% - Internal Fraud

11% - Lost Media/Documents

15% - Hack by external party

29% - Accidental release

29% - Lost/Stolen Device/Documents

Source: datalossdb.org

Page 11

What does a breach cost?

Average Cost per Record: $202

Average Cost per Breach: $6.6 Million (Ranged from $613,000 to $32 Million)

Source: Ponemon Institute

Page 12

Cost Per Record, by Industry (US$ per record, chart values listed in the order shown on the slide)

Retail:            131.1
Consumer Products: 184
Financial:         240.4
Healthcare:        282.1

Source: Ponemon Institute

Page 13

What’s Trust got to do with it?

If you do not trust a company:

77% refuse to buy products or services

72% criticized them to people you know

75% refused to do business with them

34% shared opinion and experiences on the web

Source: Edelman Trust Barometer (2009) – World’s largest public relations firm.

Page 14

Factors Important to Trust

94% high quality products and services
93% treats employees well
91% communicates frequently and honestly on the state of its business
91% gives value for money
90% strong financial future
89% senior leadership that can be trusted
86% creates and keeps jobs in my area
85% commits time, money, resources to greater good

Source: Edelman Trust Barometer (2009)

Page 15

“I’ve done nothing wrong, I can't be responsible for a company I hire.” - Owner

Page 16

http://www.theregister.co.uk/2009/10/14/microsoft_windows_bank_thefts/

“The obvious solution for many is to simply close all online banking accounts. Contrary to what banks say, writing checks really isn't that much of a hassle, at least if you don't write that many of them. But if you insist on making online payments and transfers, the best decision you can make is to stop using Windows to make those transactions.”

Page 17

http://www.networkworld.com/news/2009/090209-court-allows-suit-against-bank.html

Page 18

http://cbs13.com/local/identity.theft.scheme.2.1066693.html

“Federal agents say Nelson said it was easy to find new victims: All he needed to do was visit a local bank and search their dumpsters.”

Page 19

http://voices.washingtonpost.com/securityfix/2009/09/construction_firm_sues_bank_af.html#more

Page 20

Information Security Threats

Phishing and Pharming

What are they?

Phishing – the process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is carried out by e-mail or instant messaging and directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is a type of social engineering.

Pharming – a hacker’s attack aiming to redirect a website's traffic to another, bogus website. Pharming is technically harder to accomplish than phishing, but also sneakier because it can be done without any active mistake on the part of the victim. Pharming is a type of Bot.

Both phishing and pharming have been used to steal identity information.

Page 21

Information Security Threats

Botnets/Zombie Networks

What is it?

Bot - software applications that run automated tasks over the Internet

Zombie – an infected computer

Botnet/Zombie Network – a collection of compromised computers

Bot Herder – an individual or group that develops or obtains Bots and sells them to hackers

Page 22

Information Security Threats

Botnets/Zombie Networks

Threats
– Data Theft
– Keystroke logging
– DDoS attacks
– Pharming attacks
– Viruses, Trojans and Worms
– Email spam

Preventive Controls
– Install personal firewall
– Install anti-virus & anti-spyware
– Use strong passwords and authentication such as secure tokens

Page 23

Information Security Threats

Malware/Mobile Malware

What is it?

Malware - malicious software including computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware

Mobile Malware - attacks portable devices such as laptop computers, cell phones, PDAs, and Blackberries

Page 24

Information Security Threats

Malware/Mobile Malware

Threats
– Theft of email and text messages
– Theft of client and employee personal information
– Attack on critical systems

Preventive Controls
– Encrypt portable devices
– Install anti-virus software
– Use WiFi and Bluetooth at home or at trusted locations
– Do not save business data on your mobile
– Communicate to employees the type of information to be accessed using these devices

Page 25

Information Security Threats

Outsourcing

What is it?

Specifically when a third party hosts, manages and/or maintains technology resources

Threats
– How safe is the contracted party?

Preventive Controls
– Obtain a SAS 70 and copies of audits
– Ensure contracts define responsibilities
– Obtain certification from vendor

Page 26

Information Security Threats

Social Engineering

What is it?

Low tech form of hacking

Tries to trick individuals into giving out sensitive information

Can be performed in person or via the telephone or email

Social engineers will try to access facilities and play the part of supervisors, employees, vendors or auditors

Page 27

Information Security Threats

Social Engineering

Threats
– Unauthorized access to data, systems and sites
– Phishing attacks

Preventive Controls
– Train staff to be alert to suspicious activity and unknown individuals
– Restrict access to the facility to individuals with a valid business reason to enter
– Enact company policies on when to give out personal information and passwords
– Conduct security awareness campaigns

Page 28

Information Security Threats

Natural Disasters

What are they?

Hurricanes, Tornadoes, Floods, Fires, Etc.

Threats
– Loss of data
– Loss of systems availability
– Loss of site access

Preventive Controls
– Backup all files in a remote location/s
– Store files on secure online storage sites
– Secondary computing environment
– Business Continuity Planning

Page 29

Rules and Regulations

Gramm Leach Bliley Act (GLBA)

Payment Card Industry Data Security Standard (PCI DSS)

State Laws

Federal Laws

Page 30

GLBA

The GLBA gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule.

Applies to "financial institutions," which include banks, securities firms, insurance companies, and other companies providing many other types of financial products and services to consumers.

Page 31

PCI DSS

Comprehensive requirements for payment account data security.

– Build and Maintain a Secure Network
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

– Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

– Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications

Page 32

PCI DSS

– Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data

– Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

– Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security

Page 33

State Laws (New England)

NE states define personal information similarly.

Combination of name and any one or more of the following:

1) Social Security number;
2) Driver's license number or state identification card number; or
3) Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account

Page 34

State Laws (New England)

Notification of breach to compromised parties through various communication methods
– Substitute notices based on cost/number of compromised records

In all states, law enforcement agencies may delay notification of breaches if it is deemed that disclosure will impede or compromise an investigation

Page 35

NE State Laws - Penalties

CT: “unfair trade practice and enforced by Attorney General” (Civil penalties up to $500,000)

ME: Civil violation, not more than $500 per violation, max of $2,500 each day in violation

MA: “The attorney general may bring an action pursuant to section 4 of chapter 93A”

Page 36

NE State Laws – Penalties (cont.)

NH: If the violation is willful or knowing the court awards as much as 3 times but not less than 2 times of actual damages…as well as the costs of the suit and reasonable attorney’s fees.
– Attorney general’s office shall enforce the provisions

RI: Civil violation not more than $100 per occurrence and not more than $25,000 total

VT: Attorney general and state’s attorney have full authority to investigate, enforce, prosecute, obtain and impose remedies

Page 37

M.G.L. 93H / 201 CMR 17.00 (MA Law)

Goes beyond just notification

Establishes minimum security
– 17.03: Duty to Protect and Standards for Protecting Personal Information
– 17.04: Computer System Security Requirements

Implementation of standards by March 1, 2010

Page 38

Background
– Passed by the Office of Consumer Affairs and Business Regulation on September 19, 2008

– Originally scheduled to be effective on January 1, 2009. Deadline extended to March 1, 2010.

– One of the first state privacy laws to go beyond requiring notifications.

– Established to make companies assume more ownership of sensitive data and be penalized if they abuse that access

Page 39

Who is Affected?

Any person who owns, licenses, stores, or maintains personal information about a resident of Massachusetts.

Applies to ANY organization in possession of personal information of Massachusetts residents, whether or not that business maintains a presence in the state.

Page 40

What is Covered?

Personal Information:

Means a Massachusetts resident’s first name or initial, and last name in combination with one or more of the following:

– Social Security number
– Driver’s license or state ID card number
– Financial account (not just bank account numbers), credit / debit card number (with or without security / access codes, PINs, or passwords needed to access the account)

Excludes information lawfully obtained from publicly available information or government records

Includes employee information thus requiring almost all organizations in MA and surrounding states to comply
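A data-inventory scope check built from the two definitions on these slides (the generic New England definition on Page 33 and the Massachusetts 201 CMR 17.00 definition on Page 40). This is an added example, not material from the presentation; the record layout, the sample rows and the SSN format check are assumptions made for illustration. It shows the practical difference between the two: an account number stored without an access code is in scope under the MA rule but not under the generic NE wording, and the MA public-records exclusion can take a record out of scope.

```python
"""Scope check for 'personal information' under the MA 201 CMR 17.00
definition and the generic New England definition. Added example;
record layout and sample data are constructed, not from the deck."""
import re
from dataclasses import dataclass


@dataclass
class Record:
    """One row of a (hypothetical) data inventory."""
    first_name: str = ""          # MA accepts a first name or a first initial
    last_name: str = ""
    ssn: str = ""
    drivers_license: str = ""     # driver's license or state ID card number
    account_number: str = ""      # financial account, credit or debit card
    access_code: str = ""         # PIN / password / security code, if stored
    public_record: bool = False   # lawfully obtained from a public source


def _has_name(r: Record) -> bool:
    # Both definitions need a name (first name or initial plus last name).
    return bool(r.first_name.strip()) and bool(r.last_name.strip())


def _is_ssn(s: str) -> bool:
    # Assumed format check: 9 digits, with or without dashes.
    return re.fullmatch(r"\d{3}-?\d{2}-?\d{4}", s.strip()) is not None


def in_scope_ma(r: Record) -> bool:
    """MA: name + (SSN | DL/state ID | account or card number).
    An account number counts with OR without an access code.
    Information from public records is excluded."""
    if r.public_record or not _has_name(r):
        return False
    return (_is_ssn(r.ssn) or bool(r.drivers_license.strip())
            or bool(r.account_number.strip()))


def in_scope_ne_generic(r: Record) -> bool:
    """Generic NE wording: same elements, but an account or card number
    only counts together with a code that permits access to the account."""
    if not _has_name(r):
        return False
    account_with_code = bool(r.account_number.strip()) and bool(r.access_code.strip())
    return _is_ssn(r.ssn) or bool(r.drivers_license.strip()) or account_with_code


def inventory_summary(records) -> dict:
    """Counts feeding the risk assessment's 'inventory of sensitive data'."""
    ma = sum(in_scope_ma(r) for r in records)
    ne = sum(in_scope_ne_generic(r) for r in records)
    ma_only = sum(in_scope_ma(r) and not in_scope_ne_generic(r) for r in records)
    return {"ma": ma, "ne_generic": ne, "ma_only": ma_only}


# Constructed sample rows (fictitious values).
SAMPLE = [
    Record("J", "Smith", account_number="4111-0000-0000-1111"),        # MA only
    Record("Jane", "Doe", ssn="123-45-6789"),                          # both
    Record("Jane", "Doe", account_number="987654321", access_code="4321"),  # both
    Record("", "Roe", ssn="123-45-6789"),                              # no name: neither
    Record("John", "Public", ssn="321-54-9876", public_record=True),   # MA excludes
]

if __name__ == "__main__":
    print(inventory_summary(SAMPLE))
```

Run it over a real inventory export by replacing `SAMPLE`; the `ma_only` count is the set of records that a generic breach-notification review would miss but the MA program must cover.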

Page 41

What is Covered

Employee Type Information:

– Payroll records

– Health benefits

– Direct deposit records

– 401(k)

Page 42

Required Elements

Designated Employee - One or more employees must be designated to maintain the information security program (ISP)

‘Written’ – ISP must be formally documented

Risk Assessment - ISP must identify and assess reasonably foreseeable risks
– Internal and external
– Provide an inventory of sensitive data
– Evaluate the effectiveness of the safeguards currently in place to mitigate such risks

Page 43

Required Elements

Continuous Employee Security Awareness Training

Disciplinary measures

Preventing terminating employees from accessing records

Third Party Service Providers – ISP must require by contract that third party service providers with access to personal information protect it.

Physical Restrictions

Page 44

Required Elements

Regular Monitoring

Annual update of Security Program

Breach Responses

Page 45

Required Elements

Technical controls:

– Security Access Controls – Password controls, access levels, lock out settings.

– Encryption – Encryption of data when residing on portable devices or transported over public networks

– Firewalls - up-to-date firewall protection as well as operating system security patches are installed.

– Malware and Virus Protection - up-to-date malware and virus definitions.

– Employee Training - education and training of employees on the proper use of computer information security systems and the importance of personal information security

– Monitoring - reasonable monitoring of systems for the unauthorized use of or access to personal information

Page 46

Page 47

Compliance and Enforcement

Attorney General Enforcement – The Attorney General may enforce violations of Chapter 93H via actions brought under Chapter 93A

Compliance Standards
– Size, scope and type of business *
– Amount of resources available to such person *
– Amount of personal information stored *
– The need for security *

* No guidance on minimum requirements

Page 48

Federal Laws

Privacy law in draft that could override state laws

9 Bills introduced over the last few years but have not been successful
– Consumer Notification
– Penalties
– Enforcement
– Centralized reporting

Page 49

Matthew Putvinski, CPA, CISA, CISSP
Director – IT Assurance Services
617-428-5479

[email protected]

twitter.com/mattputvinski

http://www.linkedin.com/in/mattputvinski

Thank You!