Recent Breach Cases of the OPC
Malcolm Townsend, IT Research Analyst, CISSP
Overview
• Background
• OPC Mandate
• Current Trends
• Privacy Breach Cases
• Lessons Learned
• How to prepare for a privacy breach
Background
• My role at the OPC
• Privacy breaches often have a technological component
• Examples encountered at the OPC include:
– Websites and applications
– Lost or stolen mobile devices
– Unencrypted portable devices
– Unpatched systems
OPC Mandate
• Oversight
– Investigates complaints under the Privacy Act (federal government) and PIPEDA (private sector)
– Negotiates and persuades to find solutions
– Makes recommendations based on findings
• Public Education/Guidance
The 10 Privacy Principles
1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance
Current Trends
• 63% of data breaches involve weak, default or stolen passwords
• 30% of people open phishing messages; 12% click on attachments
• 83% of compromises took weeks or longer to discover
• 75% of breaches are detected by someone else
• 85% of exploits come from top 10 vulnerabilities
Current Trends
| Entries | Database | Hashing Algorithm | Category | Dump date |
|---|---|---|---|---|
| 58,848,308 | ModBSolutions.com | No passwords | Business | 2016-10 |
| 11,872 | NewMiniClub.nl | MD5 (phpBB3) | Agriculture | 2016-10 |
| 1,922 | NVPC.nl | Plaintext | Plastic Surgery | 2016-10 |
Current Trends
2016 Cost of Data Breach Study: Canada
Average cost per stolen record: 278 CA$
Average cost of data breach: 6.03 M CA$
Mean time to detect and contain an incident: 239 days
Some cases
ESDC Hard drive (Privacy Act)
• Safeguards
– Physical
– Policies
– Technical
– Administrative
• Data Disclosed
Location of Ashley Madison Users
Investigative Team
• Joint Investigation between Australia and Canada
• Multidisciplinary team:
– Investigators
– Lawyers
– Technical Analysts
Timeline
• Date unknown (?) – Attacker initial access
• 12 July 2015 – ALM detects breach
• 20 July 2015 – ALM reports breach to OPC
• 18 and 20 Aug. 2015 – Stolen info published on Web
• 21 Aug. 2015 – Commissioner Initiated Complaint (CIC)
• 22 Aug. 2016 – OPC-OAIC Final Report
• 2017 – Compliance Agreement
Consent and transparency
Findings – Safeguards
ALM’s security was lacking the following key elements:
– appropriate safeguards in the circumstances;
– a coherent and adequate governance framework;
– an explicit risk management process;
– properly documented information security policies or practices; and
– adequate staff training
Findings – Other principles
• Retention
• Accuracy
• Consent and transparency
Case 2014-004 – Data Processor
Privacy Breach Lessons Learned – Improve Safeguards
Safeguards Lessons Learned – Use Industry Best Practices
TOP 5 out of 20 CIS Controls
*https://www.cisecurity.org/critical-controls.cfm
OWASP Top 10 (2013)
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
OWASP Top 10 (2013)
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
How to Prepare For a Privacy Breach
• You need a Breach Response Plan
• Think about your team (insource or outsource) and its leader
• Train your staff
• Review data retention and destruction policies
• Review security policies
• Know the law
Key factors that should alert organizations to a greater risk of a breach
Universal
• Organizations in same sectors where breaches have been reported
• Vulnerabilities that are being exploited in software packages, applications or tools used by the organization, reported in the news
Organizational
• Sudden changes in reported scanning/logging
• People as a threat vector
• Mergers and acquisitions
• Sudden staff turnover
• Planned layoffs
• Boom economy
In Summary
• Understand implications of Laws, Regulations and Policy Instruments applicable to your organization
• Ensure privacy and security controls are in place during the system life cycle
• Importance of complying with organisational policies and procedures
• Ensure your controls meet your organizational objectives
• Prepare yourself for a breach
Don’t be the next victim!
OPC Resources:
• Privacy Toolkit: A Guide for Businesses and Organizations
• Getting Accountability Right with a Privacy Management Program
• Ten Tips for Reducing the Likelihood of a Data Breach
• Key Steps for Organizations Responding to a Privacy Breach
• Securing Personal Information: A Self-Assessment Tool for Organizations
• Investigations into businesses
www.priv.gc.ca
@PrivacyPrivee
1-800-282-1376