Threats To Your Data Baron Rodriguez/Mark Hall PTAC Webinar Series: August 22, 2011


TRANSCRIPT

  • Threats To Your Data

    Baron Rodriguez/Mark Hall

    PTAC Webinar Series: August 22, 2011

  • Agenda

    About PTAC

    Latest Threats

    Data Protection & Cyber Security

    Responses to Data Protection

    Data Protection Security and Planning

    New PTAC Resources!!

    Questions: Please send your questions in via the chat box window prior to the end of the webinar.

  • Privacy TA Center (PTAC) Mission

    The Privacy TA Center is designed to provide states with:

    A set of tools, resources, and other opportunities for states to receive assistance with privacy, security, and confidentiality of student-level longitudinal data systems.

    A means for states to share their best practices, documents, and other relevant resources in the areas of privacy, security, and confidentiality.

    A focal point for queries and responses to the privacy-related needs of State Education Agencies (SEAs), Local Education Agencies (LEAs), and Institutions of Higher Education (IHEs) in a confidential, safe environment.

    A set of resources to promote compliance with FERPA and other best practices for ensuring the confidentiality and security of personally identifiable information.

    http://nces.ed.gov/programs/Ptac/Home.aspx

  • Data Security Threats

    Threats to your data: it's happening, it's focused, it's sophisticated.

    Social Security Numbers/Identity

    Education Records

    Employee Data

    Financial Records

    Disciplinary Actions

    Internal Memos

    Medical Information

    Personal Documents

  • Black Hat Conference 2011. What is it?

    A gathering of highly technical information security specialists from government, corporate, academic and underground research to share practical insights into the leading-edge discoveries and vulnerabilities in the information security landscape.

    Sydney University breached student privacy (June, 2011)

  • Black Hat Conference 2011. Cool/Not So Cool Findings:

    Hackers have found a way to wirelessly manipulate medical devices such as insulin pumps.

    Attackers have the ability to use drone planes to intercept wireless signals and break into networks and cell phone information.

    A battery exploit was discovered against a major laptop manufacturer so that a hacker could manipulate the settings to stop accepting a charge or overcharge so the battery catches fire or explodes.

    Sources: www.eweek.com & www.computerworld.com

  • Black Hat Conference 2011. Relevant Findings:

    Improper SSL implementations leave websites wide open to attack. Less than 1/5 of websites claiming to have SSL have been configured correctly to redirect to SSL for authentication.

    Spear Phishing attacks against U.S. Government officials with Gmail accounts continue. Phishing? An e-mail spoofing fraud attempt that targets a specific organization seeking unauthorized access to confidential data.

    Copiers/Printers with weak passwords (or with no passwords) can be compromised, allowing the intruder to steal images of documents and/or take control of devices.

    Digital Shadowing: As companies continue to track your online search and spending habits, the combined information can serve as a potential privacy threat when combined with your social networking sites and/or mobile technologies.
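The "SSL configured but not used for authentication" finding above is something a site owner can verify from a single captured response. The following is an added example written for this page, not code from the PTAC deck: it parses the raw text of a response to a plain-HTTP request for a login page and reports the three weak behaviours the slide and its speaking notes describe (no redirect to HTTPS, a password form posting over plain HTTP, and a session cookie without the Secure flag). The host name, cookie name and both responses are constructed samples.

```python
"""Check whether a captured login-page response moves credentials onto TLS.

Added example, not from the PTAC deck. Host names, cookie names and the
two responses at the bottom are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each form's action and whether it carries a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, header_pairs, body).
    Headers are (lowercased name, value) pairs; Set-Cookie may repeat."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def assess_login_response(raw, requested_url):
    """Return a list of findings; an empty list means the response looks correct."""
    status, headers, body = parse_response(raw)
    findings = []

    # 1. "Having SSL" is not enough: the http:// URL must redirect to https://,
    #    otherwise the credentials typed on this page never see TLS.
    location = next((v for n, v in headers if n == "location"), None)
    if status in (301, 302, 303, 307, 308) and location:
        target = urljoin(requested_url, location)
        if urlsplit(target).scheme != "https":
            findings.append(f"redirects to a non-HTTPS location: {target}")
        return findings  # a redirect carries no login form to inspect
    findings.append("plain-HTTP login URL answered %d instead of redirecting to HTTPS" % status)

    # 2. Any form with a password field must post to an https:// action.
    collector = _FormCollector()
    collector.feed(body)
    for form in collector.forms:
        if form["has_password"]:
            action = urljoin(requested_url, form["action"] or requested_url)
            if urlsplit(action).scheme != "https":
                findings.append(f"password form posts over plain HTTP to {action}")

    # 3. A session cookie set on an HTTP page without Secure is sent in clear
    #    on every later http:// request, so the session can be hijacked.
    for name, value in headers:
        attributes = [part.strip().lower() for part in value.split(";")]
        if name == "set-cookie" and "secure" not in attributes:
            findings.append(f"cookie {value.split('=', 1)[0]} set without the Secure flag")

    return findings


# Constructed sample: the weak case, a 200 with an http:// form action and
# a cookie lacking the Secure attribute.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html><body><form action='http://portal.example.edu/login' method='post'>"
    "<input name='user'><input type='password' name='pw'></form></body></html>"
)

# Constructed sample: the corrected behaviour, a permanent redirect to https://.
FIXED_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://portal.example.edu/login\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, assess_login_response(raw, "http://portal.example.edu/login"))
```

Run against the weak sample it lists all three problems; against the fixed sample it returns nothing. The same function can be fed a response captured from a real server with any HTTP client, as long as the status line and headers are passed through unchanged.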

  • But... I'm a Mac user... I'm safe!! Remember the battery exploit?

    MacBook Pro line of laptops

    Studies have shown that Mac users aren't as paranoid as Windows users about security.

    Some Mac-specific recommendations:

    Mac OS X 10.7 is an upgrade that addresses some serious security vulnerabilities.

    Mac OS X Server has major security issues that should be evaluated before deployment.

    Apple's Bonjour file sharing/network discovery protocol has some major security weaknesses on untrusted networks (hotels, public Wi-Fi, guest networks, airports, etc.).

  • Social Networking Sites: Are you protected?

    Malware infects user on Social Network Site (e.g. Twitter, Facebook, Match.com)

    Diagram: Student Data; Internet facing application

  • Not connected to the internet? Removable Media

    Diagram: Policy, user training and monitoring; Identity

  • USB (Flash) Drives

    In the past two years, 70% of businesses have traced the loss of sensitive or confidential information to USB/Flash drives. Of those, 55% are related to malware infected devices that have introduced malicious code onto corporate networks.

    Recommendation: Employ policies detailing how employees can use these devices to store sensitive/confidential information.

    Source: Information Week, August 2011

  • Data Breaches in the news

    Yale notifies 43,000 of SSN breach: Yale University is notifying 43,000 individuals that a 1999 computer file containing names and Social Security numbers was inadvertently made accessible to Google Internet searches for 10 months. Persons affected include faculty, staff, students, and about 1200 alumni. Recommendation: Data retention/archive policies and data classification process.

    North Carolina State research info compromised: Data housed at NCSU that contained private information for about 1800 school children from Wilson and Richmond counties was mistakenly put online. Recommendation: Research agreements/Memorandums of Understanding with explicit instructions on data destruction upon conclusion of the study.

  • Cloud Computing

    Epsilon Data Breach: Millions of customer records within the Epsilon cloud were compromised by using customer email addresses, weak passwords and phishing attacks to steal sensitive data such as financial information or login credentials to other sites.

    Recommendation: Security policies and customer training/awareness are even more critical in a cloud computing environment where the outside potential for targeted attacks is greater.

    Source: CipherCloud.com, August 2011

  • The threat is real and affects all industries and information systems

    Government and Military (FISMA and federal standards)

    Education (FERPA)

    Private Sector (hodgepodge)

    Medical Records (HIPAA)

    Critical Infrastructure (Water, Gas, Electric)

    Financial sector (SOX)

    Home users (none)

  • Many ways to Protect Data

  • Responses to Data Security

    Federal government has invested heavily in developing standards and implementing solutions. Best source for standards and solutions.

    Private sector has mostly been reactionary

    Other industries have been uneven, including educational community

    What can your organization do to improve?

  • Seek outside resources to support your security team

    State and federal agencies

    PTAC

    Third party vendors

    Other informational resources (standards and guidelines)

    Initial and On-going Data Protection Planning

    NIST Special Pub 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information

  • New PTAC Resources

    Security Checklist

    Data Governance Checklist

  • Initial and On-going Security Steps

    Develop and implement a security architecture: map and understand your network; align security capabilities with mission requirements; overlay security tools and capabilities on your network and develop implementation plans.

    Create a security governance structure, responsible for: reviewing security issues and implementing solutions; champion for resources; responding to incidents.

    4) Personnel Security and Users: both employees and users should be made aware of security policies; training and awareness.

    Policy: create, update, and enforce.

  • Tools and Capabilities

    Physical Security. Make computing resources physically unavailable to unauthorized users. An unlocked server room is an invitation for malicious or accidental damage.

    Network Mapping. You cannot protect what you do not understand. Network mapping provides a picture of the network (servers, routers, etc) and its connections.

    Inventory of Assets. The inventory should include both authorized and unauthorized devices used in your computing environment.

    Authentication. The ways in which someone may be authenticated fall into three categories: something you know, something you have, or something you are.

    Provide a layered defense. The most common layers to protect are hosts (individual computers), application, network and perimeter.

  • Tools and Capabilities

    Secure configurations. It is a best practice not to put any hardware or software onto your network until it has been security tested and configured to optimize its security.

    Role based Access Control. Defining specified roles and privileges for users is a required security procedure.

    Firewalls and Intrusion Detection/Prevention Systems (IDPS)

    Automated Vulnerability Scanning. When new vulnerabilities (to hardware, operating systems, applications, and other network devices) are discovered, hackers immediately scan networks for these vulnerabilities.
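The Role based Access Control item above is the one on this slide that is mostly code rather than process, so here is an added example (written for this page, not part of the PTAC deck or any PTAC tool) of the smallest version of the check a student-records application would run on every request: roles map to explicit (resource, action) grants, a user is denied unless one of their roles holds exactly that grant, undefined roles are rejected rather than silently ignored, and every decision is written to an audit trail, which the later "Audit and Compliance Monitoring" item depends on. The role names, resources and user names are constructed.

```python
"""Deny-by-default role-based access control with an audit trail.

Added example, not PTAC material. Roles, resources and users below are
constructed for a hypothetical student-records system.
"""
from dataclasses import dataclass, field

# Constructed role definitions: each role gets only the grants its job needs.
ROLE_PERMISSIONS = {
    "teacher":   {("grades", "read"), ("grades", "write"), ("attendance", "read")},
    "registrar": {("enrollment", "read"), ("enrollment", "write"), ("ssn", "read")},
    "counselor": {("grades", "read"), ("disciplinary", "read")},
    "it_admin":  {("audit_log", "read")},   # system role, no student data by default
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def is_allowed(user, resource, action, role_permissions=ROLE_PERMISSIONS):
    """Allow only if some role the user holds grants exactly (resource, action).

    A role that is not defined is a configuration error, not an implicit
    grant, so it is raised rather than ignored.
    """
    unknown = user.roles - set(role_permissions)
    if unknown:
        raise ValueError(f"{user.name} holds undefined role(s): {sorted(unknown)}")
    return any((resource, action) in role_permissions[role] for role in user.roles)


def audit_decision(user, resource, action, log):
    """Decide, record the decision in the audit log, and return True if allowed."""
    allowed = is_allowed(user, resource, action)
    log.append("%s user=%s roles=%s %s %s" % (
        "ALLOW" if allowed else "DENY", user.name, sorted(user.roles), action, resource))
    return allowed


def least_privilege_report(role_permissions=ROLE_PERMISSIONS):
    """Resources readable by more than one role: the first candidates for review."""
    readers = {}
    for role, grants in role_permissions.items():
        for resource, action in grants:
            if action == "read":
                readers.setdefault(resource, set()).add(role)
    return {res: sorted(roles) for res, roles in readers.items() if len(roles) > 1}


if __name__ == "__main__":
    trail = []
    teacher = User("ms_lee", {"teacher"})
    audit_decision(teacher, "grades", "write", trail)   # ALLOW
    audit_decision(teacher, "ssn", "read", trail)       # DENY: no role grants it
    print("\n".join(trail))
    print("shared read access:", least_privilege_report())
```

The two properties worth copying are the default (a request with no matching grant is denied, including for a user with no roles at all) and the fact that the decision and the audit record are produced by the same call, so there is no code path that grants access without leaving a log line.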

  • Tools and Capabilities

    Patch Management. Patch management is the process of using a strategy and plan for what patches should be applied to which systems at a specified time.

    Shut down unnecessary services. Each port, protocol, or service is a potential avenue for ingress into your network.

    Data at rest and mobile devices. When sensitive data is stored on servers, on laptops, or other mobile devices it should be encrypted.

    Incident Handling. When an incident does occur it is critical to have a process in place to both contain it and fix the problem.

    Audit and Compliance Monitoring. Audits are used to provide an independent assessment of your data protection capabilities and procedures (See PTAC article on Security Audits) and should be performed periodically.
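"Shut down unnecessary services" is only actionable once you know which listeners a host has and which ones its role justifies. The following is an added example for this page, not a PTAC tool: it parses the output of `ss -tlnp` on a Linux host (a constructed sample is embedded) and reports every listening TCP port that is not on the allow-list for the host's role, noting whether the service is bound to loopback only or to all interfaces. The role names and port allow-lists are assumptions for the example.

```python
"""Report listening TCP services that a host's role does not justify.

Added example, not from the PTAC deck. The allow-lists and the `ss`
output below are constructed samples.
"""
import re

# Constructed allow-lists per server role. Port 80 is kept on the web role
# only because the host must redirect http:// requests to https://.
APPROVED_PORTS = {
    "web":      {22, 80, 443},
    "database": {22, 5432},
}

# Constructed sample of `ss -tlnp` output captured on a "web" host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1201,fd=6))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1201,fd=5))
LISTEN  0       50      0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=1510,fd=21))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=640,fd=7))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Pulls the process name out of the users:(("name",pid=N,fd=M)) column.
_PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_listeners(ss_output):
    """Return (local_address, port, process_name) for every LISTEN row."""
    listeners = []
    for line in ss_output.splitlines()[1:]:      # skip the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles "[::]:22" as well
        match = _PROC_RE.search(line)
        listeners.append((addr, int(port), match.group(1) if match else "?"))
    return listeners


def unexpected_listeners(ss_output, role, approved=APPROVED_PORTS):
    """Listeners on ports the role does not need, with their bind scope."""
    allowed = approved[role]
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        if port in allowed:
            continue
        scope = "loopback only" if addr in ("127.0.0.1", "[::1]") else "all interfaces"
        findings.append({"port": port, "process": proc, "scope": scope})
    return findings


if __name__ == "__main__":
    for finding in unexpected_listeners(SAMPLE_SS_OUTPUT, "web"):
        print("unexpected: port %(port)d (%(process)s) bound on %(scope)s" % finding)
```

On the sample the database engine on 3306 is the finding that matters (a web host exposing it on all interfaces), while the print spooler on 631 is loopback-only and lower risk but still a service the role does not need. Running the real `ss -tlnp` output through the same function on a schedule, and diffing the result against the last run, is the monitoring half of this item.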

  • Home Users: StaySafeOnline.org

  • PTAC (http://nces.ed.gov/programs/Ptac/Home.aspx)

    The Privacy Technical Assistance Center is your one-stop shop for:

    frequently asked questions

    links to useful online resources

    training materials for data administrators and data users

    regional meetings and lessons learned forums for education stakeholders

    site visits to state and local education agencies

    a help desk to respond to inquiries

    an extension of your LDS team

  • PTAC Publications Coming Soon (Really!) (http://nces.ed.gov/programs/Ptac/Home.aspx)

    Data Center Consolidation Best Practices. Webinar: September 16th, 2011, 1:30-2:30 PM (EST). This webinar focuses on best practice security and privacy considerations for state and local agencies that are in the process of data center consolidation, as well as those agencies considering or planning consolidations.

    Annual District Notification Requirements: FERPA 101 Training. Let your districts know!! Webinar: September 22nd, 2011, 1:30-2:30 PM (EST). This webinar will provide a high-level overview of the Family Educational Rights and Privacy Act (FERPA) including definitions and required processes.

  • PTAC Cyber Security Tasks

    We would like your ideas and thoughts on data protection/cyber security topics that would be helpful to you!

  • Questions?

    Thank you for participating!

    Summary: Safeguarding data and protecting privacy in a digital age is challenging. We are globally connected and share similar privacy and data protection challenges with other parts of the U.S. government and private sector. This session will cover real-world experiences across the U.S. government, healthcare, and financial institutions. Your contribution is critical to sharing knowledge and experiences surrounding the privacy challenges faced by education organizations at the federal, state, and local levels.

    Speaking Notes:

    SSL: When you see the padlock on the screen, most of us expect that our data is safe. It actually turns out that many websites are still transmitting the passwords you enter in plain text, making your password vulnerable.

    Copiers/Printers: Solution: Regularly review printers, and other appliances equipped as web servers and disable unused functions. Put strong passwords in place.

    Speaking Notes:

    The introduction of social media has brought an influx of new potentially hazardous applications to the workplace. While social media is being used for many positive purposes such as parent/student updates, school news, etc., attackers are using fake or malicious applications as a gateway to access sensitive information. Some organizations have restricted the use of these sites in the workplace, but minimally, it is recommended that part of your information security program contains a user awareness training on the use of these types of sites around harmful applications, links, and caution when sharing personal confidential information through these sites.

    Speaking Notes:

    A hacker attacks your computer, (or you use an already infected thumb drive) and the virus propagates to any thumb drive inserted in your computer. If the thumb drive is used in your work environment as well, it can then infect that system too. Data can be downloaded to the drive and when you use it again on your home computer, then information is sent to the hacker. The hacker will analyze the information and can 1) write code that is more targeted to your work network, 2) use information collected to publicize the data breach, 3) try to blackmail an individual, or 4) target financial transaction, bank accounts, or loan servicing operations for monetary gain (in combination with the PII that is associated with those accounts).

    I've seen this in action in my home. My daughter borrowed a USB drive from a friend which contained a trojan virus. Fortunately, my security firewall notified me (actually sent me a page) and I had my daughter remove that drive immediately from our computer. I did a thorough analysis to see if any damage had been done to the computer or any information had been shared. Fortunately the virus had been quarantined.

    In past organizations we used encrypted USB drives. If the drives were stolen and password attempts exceeded a certain threshold, the drive was automatically destroyed. Some organizations do not allow outside USB drives to be brought in to their network.

    As we discuss data breaches, please understand the intent is not to point out individual organizations or companies, but rather to learn of recent events and have a better understanding of ways to prevent those incidents from occurring in our respective organizations.

    NC: The data, which was gathered from 2003 to 2006 as part of a research study on classroom practices, includes names, Social Security numbers and dates of birth for students at Gardners Elementary School in Elm City, Wells Elementary School in Wilson and Ashley Chapel Elementary School in Rockingham, which has since been closed. (August 2011)

    Speaking Notes:

    Protecting data can take many forms. These include Physical security (protecting access to a building, room or storing files in a safe), Policy (which may detail what data can be collected and who is allowed to access which data elements), Access controls (which are technical mechanisms that restrict access to data without the proper credentials), Statistical data protection (which employs different methods to hide collected data to protect individuals' privacy) and Cyber Security (which utilizes a variety of technical approaches to protect data resident on networks, whether at rest or in motion).

    I can't emphasize training and policy enough. Make sure that you work closely with your human resources department to make information security a priority for employee responsibilities, job descriptions, and incident response handling. I also highly recommend you work with your public information officer or communications office to ensure they are part of the process for incident response.

    Inventory of Assets/Network Mapping: Remember the printer compromise discovered by Black Hat folks? Understanding the devices on your network is critical to understanding your potential vulnerabilities. For instance, you may discover that there are servers being run on your network that may not be getting patched or may not be securing information in a secure manner. This may seem obvious, but in past organizations I've been with, we found several program offices running servers, wireless access points, and other potential entry points without the ability to truly manage those devices and make them secure. Auditing your network and devices should be a critical component of your information security plan.

    Patch Management: Many organizations have regularly scheduled evenings for devices to be patched and restarted, minimizing impact on employees.

    Mobile devices: Best practice is to have encrypted devices.

    It's also important that your staff carries their information security practices to their home. Helping your employees understand and recognize threats to their home computing environment can only help them in their practices at work. This is an example of a website that provides families with online tips and guidance.

    Speaking Notes: PTAC provides timely information on privacy, confidentiality, and security practices and updated guidance through privacy and security resources such as: issue briefs and white papers, including technical briefs from the U.S. Department of Education