New Issues in the Air or “What’s Changed in 15 Years”

Russell M. Shumway

russ@rmshumway.net

Caveats and disclaimers

» I am not a lawyer
  – Nothing I say here should be construed as legal advice
» Consult your own legal counsel
» The environment is changing rapidly
» 38.6% of the statistics in this presentation are made up
» Please see point number 1 again


So what has changed in the last 15 years?

» Nothing

» Questions?

1995 vs. 2010

1995
» Software was buggy
» Security was not included
» Security features were not enabled
» Users were clueless

2010
» Software is buggy
  – (but maybe not as much)
» Security is included
  – Sometimes
» Security features are enabled
  – But disabled by users
» Users are smarter
  – But the target is moving

Cloud computing

» What is the cloud?
  – Buzzword of the day
  – In some respects, a move backwards
» On-demand computing
» Utility computing
» Grid computing

Examples of cloud computing

» Gmail or Hotmail
» Flickr or Snapfish
» Google Docs or Adobe Photoshop Express
» Rapidshare
» Online backup
» Wikis

Benefits of cloud computing

» Access to supercomputer-level power
» Someone else maintains servers, storage space
» Only need an access point, such as a thin client, smart phone, or laptop
» Resources available on demand
» Resources available anywhere
» Pay for what you use; cost savings
» Convenience, flexibility

Challenges of cloud computing

» Data access
  – Who has access
  – Who can grant access
» Data control
  – Who has control
» 3rd party liability
» Discovery & forensics
» Disaster recovery
» Data breaches

What laws apply?

» PATRIOT Act
» HIPAA (health information)
  – Also the stimulus act
» Gramm-Leach-Bliley (financial institutions)
» Sarbanes-Oxley (public companies)
» Fair Credit Reporting Act
» Electronic Communications Privacy Act
» International agreements
» Other nations’ laws (EU data protection directive)
» State & local laws

Mobile technologies

» Portable media devices and smart phones
  – Storage capacity increasing
  – Size decreasing
  – Power increasing
  – Data is rarely encrypted or protected

Computer forensics

» What is forensics?
  – From forensis: the application of science or technical matter suitable for a public place (court of law)
  – The scientific finding of fact and the collection, preservation, analysis, and presentation of evidence to support facts

Forensics challenges

» Large media
  – Multi-gigabyte disks (and up)
  – Servers
  – RAID arrays
» Live examinations
  – When you can’t take it off line
» Mobile devices
» Encryption

Data breaches

» Data
  – Credit cards
  – Personal data
  – Credentials
  – Proprietary data
» Notification requirements
  – 46 states and DC have some form of notification requirement
» Compliance requirements
» Liability

Professional hackers

» Organized crime
  – Eastern Europe and Africa seem to be predominant
» Activists
  – Religious, political, ideological
» State and non-state actors
» Professional marketplace
  – Buy tools and techniques
  – Sell data and access

Hacking vectors

» Stolen credentials
» Poor configuration
  – SQL injections
  – Backdoors
  – Brute force
» The myth of the zero day exploit

Malware

» Remote control/backdoor
» Data capture
  – Credentials
  – Personal/financial data
  – Keyloggers
» Customization

IDS/Audit logs

» Not effective in detection
  – Average time from compromise to detection is measured in weeks
  – Most likely method of detection is 3rd party reporting
    • Audit
    • LEA (law enforcement agency)
    • Customer
» Good for investigation
  – 86% of data breaches in a recent study had evidence in their logs
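The two slides above make a pair of points: brute-force credential guessing is a common vector, and the evidence of it usually sits unread in the logs. The following script is an added example (not part of the presentation) of the kind of after-the-fact review that turns that evidence up. It parses constructed, syslog-style sshd lines and flags any source address that logged in successfully shortly after a burst of failures. All hostnames, addresses, usernames and timestamps are made up for the example; the threshold and window values are assumptions to tune per environment.

```python
"""Added example (not from the slides): finding brute-force evidence in
authentication logs after the fact. Scans constructed sshd auth lines for
the classic signature of credential guessing: a burst of failed logins
from one source followed by a success from the same source."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). The format mirrors OpenSSH's
# sshd messages as they appear in a syslog auth log.
SAMPLE_LOG = """\
Mar  3 02:14:01 web1 sshd[4410]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:03 web1 sshd[4412]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
Mar  3 02:14:05 web1 sshd[4414]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 02:14:07 web1 sshd[4416]: Failed password for root from 203.0.113.7 port 51028 ssh2
Mar  3 02:14:09 web1 sshd[4418]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 02:14:12 web1 sshd[4420]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Mar  3 02:20:44 web1 sshd[4501]: Failed password for jsmith from 198.51.100.9 port 40110 ssh2
Mar  3 02:20:51 web1 sshd[4503]: Accepted password for jsmith from 198.51.100.9 port 40112 ssh2
Mar  3 09:01:10 web1 sshd[5102]: Accepted publickey for deploy from 192.0.2.30 port 60000 ssh2
"""

# Matches both "Accepted ... for user" and "Failed ... for [invalid user] user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2010):
    """Parse sshd auth lines into event dicts; lines that do not match
    are skipped. syslog timestamps carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "host": m["host"], "outcome": m["outcome"],
                       "method": m["method"], "user": m["user"], "src": m["src"]})
    return events


def find_bruteforce_successes(events, min_failures=3, window_seconds=300):
    """Return (src, user, failure_count, success_time) for every successful
    login preceded by at least min_failures failed attempts from the same
    source within window_seconds. Thresholds are assumed values."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        for i, e in enumerate(evs):
            if e["outcome"] != "Accepted":
                continue
            recent_failures = [
                f for f in evs[:i]
                if f["outcome"] == "Failed"
                and (e["time"] - f["time"]).total_seconds() <= window_seconds
            ]
            if len(recent_failures) >= min_failures:
                findings.append((src, e["user"], len(recent_failures), e["time"]))
    return findings


if __name__ == "__main__":
    for src, user, n, when in find_bruteforce_successes(parse_auth_log(SAMPLE_LOG)):
        print(f"{when:%b %d %H:%M:%S} {src} logged in as {user} after {n} failures")
```

Run against the sample, only 203.0.113.7 is reported (five failures, then a successful root login nine seconds later); the single typo-then-success from 198.51.100.9 stays below the threshold. The same pass over real auth logs is a cheap first step in an investigation, and wiring it into a scheduled job is one way to shorten the weeks-long detection gap the slide describes.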

Electronic discovery

» The discovery process gives both parties in litigation the opportunity to acquire information in support of their case
» Rules were developed, historically, for paper records

Discovery: “the ascertainment of that which was previously unknown…[t]he pre-trial devices that can be used by one party to obtain facts and information from the other party in…preparation for trial.”

- Black’s Law Dictionary

E-discovery

» Courts struggled with how to handle electronic information, but have become a lot more savvy and judges are educated.
» E-discovery has surpassed paper:
  – 95% of business records exist in electronic form
  – E-discovery includes document metadata
    • When it was created or modified
    • When an email was sent and to whom
» Production
  – Native
  – Other

E-discovery

» Challenges
  – Volume
  – Cost
  – Review
» Types of data
  – Mail
  – Documents
  – Databases & proprietary software

E-discovery & forensics

» Inaccessible files
» Deleted data
» Data location and/or context
» Duplicate copies
» Backup and disaster recovery tapes

Virtual worlds

» Safety, security, privacy
  – Federal privacy obligations (ECPA)
  – State AG safety and C.P. reporting initiatives
  – FTC enforcement
» Ownership of virtual property
  – Gold or experience farming
  – Sale of virtual property


Future initiatives

» Legislation

» Regulation

» Non-governmental agency requirements

Regulatory evolution

» Different players got involved:
  – Non-traditional entities expanding reach with enforcement
» Scope expanded:
  – Early laws reactive; then became proactive
  – FTC transition from deceptive prong to unfairness prong
» Now: the federal government is baaaacckk…

Legislative and regulatory activity

» Recently passed laws
  – American Recovery and Reinvestment Act (ARRA) of 2009
  – Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 (part of the ARRA)
» Pending legislation
  – Cybersecurity Act of 2010
» Regulatory
  – OCC guidance on application security (OCC 2008-16)
  – HIPAA Security Rule updates (NIST 800-66)

HITECH Act of 2009

» More HIPAA enforcement risk
  – Substantially higher penalties
  – State Attorneys General have explicit authority to enforce HIPAA rules
  – Enforcement allowed against individuals employed by healthcare entities
» Breach notification
» Business associates

Cybersecurity Act of 2010

» Defines critical infrastructure computers
» Mandatory certifications for security professionals
» NIST can establish standards for security
  – Mandatory audits
» Increased funding for research and education
  – Both K-12 and post-secondary
» Allows the president to monitor and shut down critical networks in the event of an attack


New developments in state laws

» California

» Massachusetts

» Nevada


Questions?