Cheng Tang | Dec 2015
U.S. Department of Education
2015 FSA Training Conference for Financial Aid Professionals
What FAAs Need to Know about Cybersecurity Initiatives, Data Protection, and Identity Theft
Session 43
Agenda
• FSA Technology Office Security Initiatives
• Recent Incidents and Breaches
• Cybersecurity Initiatives
• FAA Guidance
FSA Security Initiatives
• Two-factor authentication
  o More schools enabling TFA
  o Privileged users especially at risk
• Security Operations Center
  o Coordinated government and industry threat identification
  o Real-time threat analysis and mitigation
  o Improved breach and incident response
• FSA ID
  o Reducing PII
  o High availability, high usage, high reliability
Mission Statement
Deliver efficient, cost-effective, and secure technology to enable the business of FSA
Why Should I Care as an FAA?
• Security
• Reputation
• Comply with laws and regulations
Definition of a Breach
Privacy breach – when PII is lost or stolen, or is disclosed or otherwise exposed to unauthorized people for unauthorized purposes.
This includes PII in any format, and whether or not it is a suspected or confirmed loss.
Examples of PII breaches:
• PII left on the printer or scanner
• PII e-mailed without encryption or other protection
• PII mailed to the wrong recipient
• PII stored on a stolen laptop or thumb drive
• PII posted to a public-facing website, etc.
Is It An Incident?
Security incident – any event that compromised the confidentiality, integrity, or availability of an information asset.
Example: Suspicious e-mail with links
Types of Incidents
…Or a Breach?
• Data Breach – An incident that resulted in confirmed disclosure, not just exposure, to an unauthorized party; often used interchangeably with data compromise.
Example: Following links and being redirected to a malicious site
What Happens During a Breach
• $3.79M average cost of a data breach
• $154 cost per lost record ($217 in the U.S.)
• Costs keep going up
• 17 malicious code hacks and 12 sustained probes per month
• Reissue cards, consumer protection, insurance, liability
• Loss of reputation
Source: Ponemon 2015
Data Breach Investigations Report
• 60% of cases: attackers compromise the organization within minutes.
• Nearly 50% of people open e-mails and click on phishing links within the first hour.
• A campaign of only 10 e-mails yields a >90% chance that at least one person clicks.
• 99.9% of the exploited vulnerabilities had been compromised more than a year after the vulnerability was published.
• Half of vulnerabilities were exploited within two weeks of being posted.
• Malware events focus on: financial services, insurance, retail, utilities, and education.
Source: DBIR 2015
Recent Examples of Data Loss
Source: https://www.privacyrights.org/data-breach/new
• April 2015: Office of Personnel Management (OPM) breached, and personally identifiable information for ALL federal employees, past and present, and contractors (21.5 million) stolen
• May 15, 2015: College servers breached in two different intrusions; potential exposure for at least 18,000 people
• October 1, 2014: District-wide phishing attack allowed access to employees' e-mail accounts containing files with personally identifiable information; potential exposure 1,400
• Target, Home Depot, IRS, Sony
Profiling the Attacker / Threat Vectors
• 86% perpetrated by outsiders
• 14% committed by insiders
• 1% business partners
• 7% multiple parties
• 19% state-affiliated actors
Potential Breach Sources
[Slide image: an annotated workspace with the labels "Informative files", "Phone numbers", "Passwords?", "Leave information", and "Unlocked screen"]
Laptop Risks
• February 2015 – University laptop was stolen with student roster information including social security numbers and grade data, potentially impacting 941 students.
• July 2014 – College unencrypted laptop was stolen from a staff member's office with personal information of approximately 20,000 current and former students and faculty members.
https://www.privacyrights.org/data-breach/new
Laptop Loss Examples
• July 8, 2010 – Employee downloaded files onto a hard drive, connected it to their home network, and the files went onto the internet, exposing information from current and former students' personnel files and social security numbers
• June 9, 2014 – Employee sent an unencrypted attachment to 78 employees containing personal information of college employees, impacting approximately 1,900 employees
Top Mobile Threats:
1. Mobile Malware
2. Loss/Theft
3. Social Media
4. Cloud Storage
5. Wi-Fi
https://www.privacyrights.org/data-breach/new
FSA Electronic Data Transfer Points
Federal Partners – FSA shares data with:
• Social Security Administration (SSA)
• Internal Revenue Service (IRS)
• Veterans Administration (VA)
• Department of Justice (DOJ)
• Department of Homeland Security (DHS)
• Health & Human Services (HHS)
• Department of Education: FSA Security follows Department policies, and information rolls up for reporting
FSA External Partners – Loan & Grant Disbursement and Management
• Guarantee Agencies (GA) - 29
• Private Collection Agencies (PCA) - 30
• Title IV Servicers (TIVAS) - 5
• Not for Profit (NFP) - 8
FSA Major Applications and Interfaces
• Business Solutions ~12
• Supporting Applications ~6
• Web Applications ~6
• IT Infrastructure ~6
Customers
• Parents and Students
• Schools and Universities
Data flows shown on the slide: Financial Assistance Requests & Determination; Financial Assistance & Debt Collection; Eligibility & Verification
Networks At Risk
• Records of student and loan information
• Wireless networks
• Widely distributed networks
• Admissions
• Registrar's Office
• Student Assistance
• College Book Store
• Health Clinic
• Websites
• Hackers seek diverse information and diverse paths
Your Data At Risk
• Intranet – Internal information, non-public distribution
• Facebook = share everything (Security questions?)
• Very mobile = laptop, iPhone, iPad everywhere
• Very trusting = limited password usage, write passwords down
• Not organized = often do not track credit cards, "junk" mail
• High debt = attractive to foreign actors
Breach Responsibility
• YOU (and your organization) assume the risk for the loss of data
• Cyber Security protects the data to the identified risk level
• Data protection and breach prevention MUST be a joint operation for success
Dear Colleague Letter
• Publication Date: July 29, 2015
• Subject: Protecting Student Information
• Data breaches proliferating
• Cooperation of FSA Partners to implement strong security policies, controls, and monitoring is critical to protecting personally identifiable information and ensuring the confidentiality, security, and integrity of Title IV financial aid information
Legal Obligation to Protect (1 of 2)
• Student Aid Internet Gateway (SAIG) Enrollment Agreement
  o The institution "[m]ust ensure that all Federal Student Aid applicant information is protected from access by or disclosure to unauthorized personnel."
• Privacy Act of 1974 (Federal Agencies)
• Gramm-Leach-Bliley Act
  o Safeguards Rule
  o Applies to financial institutions and those that receive information about the customers of financial institutions
  o Requires institutions to secure customer information and create a written information security plan that describes the program to protect customer information
• State data breach and privacy laws and potentially other laws
Legal Obligation to Protect (2 of 2)
• HEA (Higher Education Act)
  o Requires institutions to maintain appropriate institutional capability for the sound administration of the Title IV programs, which would include satisfactory policies, safeguards, monitoring and management practices related to information security
• FERPA (Family Educational Rights and Privacy Act)
  o Generally prohibits institutions from having policies or practices that permit the disclosure of education records or PII contained therein without the written consent of the student, unless an exception applies. Any data breach resulting from a failure of an institution to maintain appropriate and reasonable information security policies and safeguards could also constitute a FERPA violation
• Contractual Agreements per 34 CFR §668.25
  o The institution remains liable for any action by its third party servicers
Moral Obligation to Protect
• Online Predators• Identity Theft• Social Media
Passwords are Insecure
• 99.9% of all user-generated passwords are insecure
• Word-number-punctuation is the most commonly cracked 'complex' password
• Solutions are based on two-factor authentication
• The myth of privacy and security
Password cracking by security experts:
• Six characters: 12 seconds
• Seven characters: 5 minutes
• Eight characters: 4 hours
https://www.privacyrights.org/data-breach/new
Password Trivia: Joshua; I solemnly swear I am up to no good; Akagi; Setec Astronomy; God, Sex, Love, and Secret; xyzzy; Shibboleth
Reduce Data Exposure
Tips to Safeguard PII
• Enforce a clean desk policy
• Conduct PII "amnesty" days (shred paper PII/eliminate PII from local and shared drives)
• Protect data at the endpoints
  o USB drives, paper, laptops, smartphones, printers
• Destroy your data securely
• Do not keep records forever
• Limit access to only those with a need to know
• Practice breach prevention
  o Analyze breaches from other organizations
  o Learn from their mistakes
  o Adjust your policies and procedures accordingly
• Please - THINK before you post/send/tweet!
Typical Breach Response
• Employee received PII for someone else
• Debated what to do; shared it with friends and a coworker for advice
• 2-3 days later, sent it to supervisor
• Supervisor did not see the e-mail for a few days, then sent it to a friend in the FSA technology office
• Friend decided to investigate and called the person whose PII it was
• Person with the PII data called FSA management, who called the CIO
Correct Breach Process
• Call your supervisor, the Help Desk, and Security immediately and tell them exactly what is happening
• Don't delete any files or turn off your system unless Security tells you to
• Don't send the files/data in question to anyone
• If you need advice or help, call your Federal Student Aid ISSO, the FSA Security Operations Center, or the FSA CISO
In closing…
• Only collect and use information that is absolutely necessary, and only share it with those who absolutely need the information
• "Review and reduce" – inventory your PII and PII data flows, and look for ways to reduce PII
• Follow FSA and best-practice policies and procedures
• Think before you hit the "send" button (e-mail is by far the #1 source of breaches)
• "Scramble, don't gamble" – encrypt, encrypt, encrypt
• Minimize (or eliminate) the use of portable storage devices
• Protect PII on paper – enforce a clean desk policy, use secure shredding bins, locked cabinets, etc.
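As an added example (not part of the FSA presentation), a small Python inventory script for the "review and reduce" step and for the PII "amnesty" days described above: it counts structurally valid SSN-like values in a set of files so that PII sitting on local and shared drives can be located and eliminated. The file paths and contents are constructed sample data; the validity rules applied are the Social Security Administration's structural rules for issued numbers.

```python
"""Inventory SSN-like values in files for a PII 'review and reduce' exercise."""
import re
from pathlib import Path

# Area-group-serial with an optional, consistent '-' or ' ' separator.
# Structurally invalid numbers (area 000/666/9xx, group 00, serial 0000)
# are rejected so phone numbers, ZIP+4 codes and dummy values are not counted.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)\d{3}([- ]?)(?!00)\d{2}\1(?!0000)\d{4}\b"
)


def find_ssns(text: str) -> list[str]:
    """Return every structurally valid SSN-like value in the text, in order."""
    return [m.group(0) for m in SSN_RE.finditer(text)]


def inventory(files: dict[str, str]) -> dict[str, int]:
    """Map each path to its count of SSN-like values; clean files are omitted."""
    counts = {path: len(find_ssns(text)) for path, text in files.items()}
    return {path: n for path, n in counts.items() if n}


def scan_tree(root: str, suffixes=(".txt", ".csv")) -> dict[str, int]:
    """Walk a directory (e.g. a shared-drive export) and inventory text files."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            files[str(p)] = p.read_text(errors="replace")
    return inventory(files)


# Constructed sample content standing in for files found on a shared drive.
SAMPLE_FILES = {
    "shared/roster_2015.csv": "name,ssn,grade\nA. Student,123-45-6789,B+\n"
                              "B. Student,234-56-7890,A\n",
    "shared/phones.txt": "Help desk: 555-123-4567, fax 555-123-4568\n",
    "local/notes.txt": "ZIP+4 20202-4567; bad SSN 000-12-3456; ok SSN 345678901\n",
    "local/readme.txt": "Nothing sensitive here.\n",
}

if __name__ == "__main__":
    # Each flagged file is a candidate for shredding, encrypting or moving.
    for path, n in inventory(SAMPLE_FILES).items():
        print(f"{path}: {n} SSN-like value(s) -> review and reduce")
```

Hits are candidates for review, not proof of PII: a nine-digit account or ID number can still match, so the list drives a human check rather than automatic deletion.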
Resources
• https://www.privacyrights.org/
• http://www.verizonenterprise.com/DBIR/2015/
• http://www.ponemon.org
• National Institute of Standards and Technology (NIST) Special Publications (http://csrc.nist.gov/publications/PubsSPs.html)
  o NIST Special Publication 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
  o NIST Special Publication 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations
  o NIST Special Publication 800-30 Rev 1, Guide for Conducting Risk Assessments
  o NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
• ISO/IEC 27001 Information Security Management (International Organization for Standardization/International Electrotechnical Commission)
  o http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
• Cyber Resiliency Reviews
  o https://www.us-cert.gov/ccubedvp/self-servicecrr
• Critical Infrastructure Cyber Community Voluntary Program
  o https://www.uscert.gov/ccubedvp
• Cybersecurity Information Sharing and Collaboration Program
  o https://www.uscert.gov/sites/default/files/c3vp/CISCP_20140523.pdf
• Enhanced Cybersecurity Services
  o http://www.dhs.gov/enhancedcybersecurity-services
• Information Sharing and Analysis Organization Rollout
  o http://www.dhs.gov/isao
• National Initiative for Cybersecurity Careers and Studies
  o http://niccs.uscert.gov
• GEN-15-18: Protecting Student Information
  o http://www.ifap.ed.gov/dpcletters/attachments/GEN1518.pdf
• National Vulnerability Database
  o https://nvd.nist.gov
QUESTIONS?