Information Security Office - sandissandis.org/.../03/itconf_security_bryanjohnson.pdf
TRANSCRIPT
Information Security Office
• Bryan Johnson | CISO
What do these have in common?
Breaches NOT IF BUT WHEN!
“42% of businesses had to deal with a data breach last year, and they cost $1.23 million on average…” — K. Labs, 2018
“31% of global data breaches led to employees getting laid off from their jobs…” — K. Labs, 2018
Potential or Actual
Which one is not like the others?
Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Breach Submission Date | Type of Breach | Location of Breached Information | Business Associate Present
AccuDoc Solutions, Inc. | NC | Business Associate | 2,652,537 | 11/27/2018 | Hacking / IT Incident | Network Server | Yes
Iowa Health System d/b/a UnityPoint Health | IA | Business Associate | 1,421,107 | 7/30/2018 | Hacking / IT Incident | Email | Yes
Employees Retirement System of Texas | TX | Health Plan | 1,248,263 | 10/15/2018 | Unauthorized Access / Disclosure | Other | No
CA Department of Developmental Services | CA | Health Plan | 582,174 | 4/6/2018 | Burglary | Paper/Films | No
CNO Financial Group, Inc. | IN | Health Plan | 566,217 | 10/25/2018 | Unauthorized Access / Disclosure | Other | No
Where to begin?
Privacy Training
Information Security (technical)
Security Awareness Training
Privacy Understanding the data we use…
What is secure, what is insecure
What are the OCR Exceptions
19 Individual Identifiers
1. Name
2. Address (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code)
3. All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
4. Telephone numbers
5. FAX number
6. Social Security number
7. Medical record number
8. Health plan beneficiary number
9. Account number
10. Online account – user name or email address, in combination with a password or security question and answer
11. Certificate/license number
12. Any vehicle or other device serial number
13. Device identifiers or serial numbers
14. Web URL
15. IP address
16. Finger or voice prints
17. Photographic images
18. Any other unique identifying number, characteristic, or code (e.g., UCI)
19. Vehicle license plate number (effective January 2016)
NOTE: In California, unauthorized disclosure of an individual’s “Name” together with any other “notice-triggering” data element (shown in blue, underlined and bold on the original slide) is considered a reportable breach.
Note: Item #19, vehicle license plate number, is not a Federal personal individual identifying data element.
Comparison of Secured versus Unsecured PHI
Encrypt
• It’s the only authorized way to prevent a breach!
• It’s cheap to deploy!
• Consequences!
Technical Controls: These are often the simplest to put in place to help minimize the risk to our organizations.
Cyber Attacks
• The number of unique “cyberincidents” in the 2nd quarter of 2018 was 47% higher than the number from a year previous. 54% are targeted, rather than part of mass campaigns. (Source: Positive Technologies)
• Socially engineered malware provides the No. 1 method of attack.
• Ransomware is increasing: in 2017 the FBI’s Internet Crime Complaint Center received 1,783 ransomware complaints that cost victims over $2.3M. These represent only the attacks reported.
Email is the # 1 Method for Hackers to Infiltrate Your Computer / Network
Email filters have a 10 – 15% failure rate!
I’m in! heh, heh, heh!
Sample of Phishing Email (what to look for):
• Actual address of Chase Privacy Operations
• Sense of urgency
• Link can either load malware or take you to a fake website asking for sensitive information
Spoofing (CEO Fraud): Cybercriminals spoof company email accounts and impersonate executives.
Then they try to fool an employee into doing things like:
• Unauthorized wire transfers
• Sending out confidential tax information
• Making gift card purchases and sending the gift card number and PIN to the hacker
They also make the messages seem “Urgent”.
Advanced Threat Protection
Threat Vectors – wireless keyboards
• KeySniffer
• Attacker can see all keystrokes a victim types, such as login, password, credit card numbers, etc. – in clear text
• Can be attacked from hundreds of feet away using less than $100 of equipment
• Wireless keyboard manufacturers affected: HP, Toshiba, Kensington, Radio Shack, etc.
• Solution
• Switch to wired or Bluetooth-enabled keyboards with strong encryption (AES 128+)
Bad USB Attack (Cable Injectors)
USB cable that injects keystrokes – the cable becomes a “HID device” (Human Interface Device, i.e. the computer treats it as a keyboard)
Could be what looks like a charging cable (USB to micro USB cable)
• When plugged in, keystrokes are injected that cause the computer to become “controlled” by a remote hacker
• Can be triggered on a timer, over Bluetooth, GSM, etc., or immediately on connection
Other “HID devices”:
Weaponized Mice
• Giveaways or gifts, door prizes, etc. Capable of infecting the computer
EPP (Endpoint Protection)
Staff Training
Securing The Human
80% of breaches originate from simple mistakes.
What’s new @ DDS
• Bryan – Chief Information Security Officer (CISO)
• Beth – Privacy Officer (PO)
• Nate – Security Engineering (Tech Sec Officer)
Existing ISO Staff
• Graeme Cook – Security Training
• John Hansen – Security Training
• Andrew Fong – Security Operations
We’ve Grown – New Security Staff
The Curriculum
• Security Awareness 101 – (45 min)
• Privacy Training – (45 min)
• Information Security (Risk Mitigation / Technical Controls / Physical) – (45 min)
Security Awareness 101
What is Information Security
Why it is important to protect our information assets
How do we protect them
What is an Incident or Data Breach
• How do they happen
• Intentional
• Unintentional
• How to prevent them
• What to do if they occur
Privacy Training
What is Privacy
What information is protected under Privacy laws
HIPAA, CA Consumer Privacy Act of 2018, FISMA
How these laws affect us
Rights, responsibilities and consequences
Data breaches
What is a data breach?
How they happen
How to prevent them
What to do if there is a breach
Information Security - Technical
What is Information Security
What is risk
How do we assess risk
• Information System Security Plans (ISSPs)
How do we mitigate risk
• Administrative controls
• Policies, Regulations, Training, Security Awareness program
• Logical controls
• Access, IPS/IDS, proxy servers, firewalls, routers
• Physical controls
• Fences, lighting, door locks, securing computing devices and confidential documents
Available Training Dates
• DDS ISO Staff will be available…
• Beginning this summer (July 2019)
Contact DDS ISO ([email protected])
Cleanup Items – Technical Bulletins
- TB479 – RC Contacts
- TB747 – Breach Reporting
Thank You to the following RCs:
• South Central Los Angeles
• Westside
• Valley Mountain
• San Gabriel/Pomona
• East Bay
• Far Northern
• San Andreas
• Orange County
• Redwood Coast
• North Bay
Questions?