Breach vs. Incident – a Guided Discussion
Sharon Blanton, PhD, Chief Information Officer
Craig Schiller, CISSP-ISSMP, ISSAP, Chief Information Security Officer
Portland State University

Transcript of Breach vs. Incident – a Guided Discussion

Page 1: Breach vs. Incident – a Guided Discussion

Sharon Blanton, PhD, Chief Information Officer
Craig Schiller, CISSP-ISSMP, ISSAP, Chief Information Security Officer

Portland State University

Information Systems Security Association

Portland, Oregon, September 2010

Page 2: Agenda

• Definitions - Incident vs. Breach
• Scenarios
• Discussion
• Next Steps

Page 3: Suspected Incident

• Is it an incident?
  • Incidents require mitigation
  • Incidents may or may not require notification

• Is it a breach?
  • Breaches require mitigation
  • Breaches require notification

All breaches are incidents but not all incidents are breaches.

Page 4: What is a Breach?

A (reportable) breach is the unauthorized acquisition, access, use, or disclosure of PII in a manner not permitted by law or regulation and which compromises the security and privacy of the PII.

Paraphrased from a PHI breach definition by Pepper Hamilton, LLP

We are using the term breach to describe all incidents that legally require notification to damaged parties.

Page 5: Relevant Law or Regulation

• FERPA: protection of student data
• FACTA Red Flag Rules: finance
• Payment Card Industry Data Security Standard: credit cards
• Gramm-Leach-Bliley (GLB) Act: financial consumers
• USA Patriot Act: data preservation and wiretapping requests
• Student and Exchange Visitor Information System (SEVIS): international students
• Higher Education Opportunity Act: record keeping, business processes, and reporting
• Health Insurance Portability and Accountability Act (HIPAA): health records
• HITECH Act: Private Health Information, breach notification and enforcement
• Digital Millennium Copyright Act (DMCA): protection of digital media
• Electronic discovery (E-discovery): also Rule 37 of the Federal Rules of Civil Procedure
• Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act): campus crime
• State law, e.g. Oregon Identity Theft Protection Act
  • Personally Identifiable Information breach notification
  • State law regarding disclosure of Faculty/Staff records
• PCI Standards: credit card and bank account information
• VISA PA-DSS Best Practices and Validated Applications list
• Others? Information covered by NDAs, information protected by export law

Page 6: Breach or Incident?

Two methods for determining if a breach occurred:
• By Definition
• By Risk of Harm Analysis

• How do you prove a negative?

Page 7: What if there is no known Harm?

A compromise of the security and privacy of personal private information must pose a significant risk of financial, reputational, or other harm to the individual.

Use a risk assessment to determine if harm exists.

Pepper Hamilton LLP Webinar

Not all disclosures will be breaches - it must cross the harm threshold.

Overcoming access controls does not constitute a breach by itself. It must lead to a use and disclosure of PPI that is not permitted by law or regulation and it must also cross the “harm threshold.”

Page 8: Risk of Harm Questions

• Were the recipients obligated (by policy or regulation) to protect privacy and security of the information?
• Can the impact of the disclosure be mitigated?
  • Pre-existing NDAs or other measures which assure no further disclosure
  • Was it returned before improper use could occur?
• Did forensics investigation find any evidence of improper use, discovery, or distribution?
• What was disclosed and how much?

Page 9: No Breach?

A Breach has not Occurred if:
• PII is not stored in the cloud
• PII is “Secured” (encrypted*)
• There is Little Risk of Harm

Pepper Hamilton, LLP

* some states also exempt encoded data

Page 10: Activity: Putting it into practice

Questions:
• Is this a breach or incident?
• What process did you use to make your decision?
• Who needs to be notified? How?
• What mitigation may be necessary?

Page 11: Scenarios – Suspected incidents

• A former student reports to you that, using Google, he has found his SSN on one of your systems.
• A professor reports to you that his laptop was stolen and in it he maintained a list of student names and Student-ID numbers.
• A professor discovers that he can see other employees’ home directories.
• A staff person discovers advising files of current and former students available to view by all authenticated users on a web accessible storage service.
• A website hosted in the cloud is de-faced.

Page 12: SSN found via Google

One of your former students reports to you that, using Google, he has found his SSN on one of your systems.

• Data, when stored (2004), was not considered sensitive
• Some data was not PII but was still sensitive
• Data was stored on a Listserv which Google crawled
• In 2005-2007, some instances were removed from the Listserv
  • But not from Google’s cache of the webpage!

Page 13: SSN Breach-Response

Discovery
• Searched for other, similar PII data
• Determined where other instances may have been cached (Internet Time Machine, Google, etc.)

Short-term mitigation
• Known PII data was taken down
• Google’s cache was flushed
• Listserv was reconfigured to change all lists to private

Notification
• Met with General Counsel and HR
• Determined this was a breach (by definition and risk of harm analysis)
• Briefed executive level
• Drafted a letter to send to the potential victims
• For sensitive data not covered by law or regulation, the business owner was given the option to notify or not (subject to executive override)

Long-term Mitigation
• Reviewed lists and deleted all lists that haven’t had activity in 2 years (time-bomb of unnecessary liability)
• Changed our process to make private the default listserv setting

Awareness
• Discussed posting practices with listserv owner
• Documented and responded to users’ questions from the notification

Page 14: Student ID

One of your professors reports to you that his laptop was stolen and in it he maintained a list of student names and Student-ID numbers.

Is it a breach by definition?

According to the Dec 2008 FERPA revision, it depends.

Page 15: Student ID

“we modified the rule to allow student ID numbers to be disclosed as directory information if they qualify as electronic identifiers”

“The regulations will allow an educational agency or institution to disclose as directory information a student’s ID number, user ID or other electronic identifier so long as the identifier functions like a name; that is, it cannot be used without a PIN, password, or some other authentication factor to gain access to education records. This change will impose no costs and will provide benefits in the form of regulatory relief allowing agencies and institutions to use directory services in electronic communications systems without incurring the administrative costs associated with obtaining student consent for these disclosures.”

Page 16: Student ID

"Directory Information": data that can be made public without *student* permission. Each college must decide, within certain limits, what it considers Directory Information, and must publish the list. Typically this includes things like name, phone number, address, graduation year, and major. According to FERPA Regulations, Directory Information is "information contained in an education record of a *student* that would not generally be considered harmful or an invasion of privacy if disclosed".

Steven Worona

In order to treat the student ID as directory information, each college must officially declare it to be so and publish the new list of directory information.

Page 17: Exception

However, parents and eligible students can opt out of directory information disclosures; those that do will not be able to participate in student services that are delivered in this manner.

This means you may have a student ID related breach for a few students even after declaring student identification to be directory information.

Page 18: Student ID Breach-Response

Discovery
• Interviewed the Professor, determined there was only one instance of the lost data

Short-term mitigation
• None

Notification
• Met with General Counsel, Admissions, Records, and Registration (ARR) and HR
• Determined this was a breach (by definition)
• Briefed executive level
• Drafted a letter to send to the potential victims, by the Professor’s department

Long-term Mitigation
• Pursue including student-ID as directory information

Awareness
• Gave presentations about student-ID as directory information.
• Began discussions with General Counsel and ARR

Page 19: Small Private College with Law School

An Information Technology staff person discovered advising files of 14 current and former students available to view by all authenticated users (only) on our web accessible storage service (Xythos). The files contained high school transcripts and College application materials for our first year advising program. These files contained personally identifying information (SSN and birthdate).

Upon finding this information available, the IT staff person immediately made a “copy” of the environment for forensics purposes and then removed the permissions from the files to protect that sensitive information. It was determined that the files were accessible to all authenticated users (and not the general public) for one week. We were not able to determine if the files had been viewed by anyone during that time period.

Page 20: Small Private College with Law School

General Counsel advised that we notify the affected 14 individuals per the Oregon notification legislation. The notification happened on September 2 through email and certified postal mail, and offered a year of credit monitoring (which no one took us up on). Post incident: We immediately suspended the first year advising application utilizing the web storage service until the sensitive information could be redacted from the scanned images. Going forward all personally identifying information will be redacted upon scanning.

Page 21: College with Law School Response

Discovery
• IT staff member discovered sensitive files for 14 students were viewable by any authenticated user

Short-term mitigation
• Copy of the environment made for forensics
• Removed permissions from the sensitive files
• Analyzed exposure (1 week), unable to determine if anyone viewed the files
• Suspended the application from using the web storage service until the sensitive information could be redacted from the scanned images

Notification
• Can’t determine risk of harm
• Met with General Counsel, determined this was a breach
• Notified users via email and postal mail
• Offered 1 year of credit monitoring

Long-term Mitigation
• Implement process to redact PII upon scanning

Awareness
• Additional training may be indicated

Page 22: Missing Access Control

A University professor discovers that he can see other employees’ home directories.

Page 23: Access Controls

Your staff discovers that six days ago the ACLs on your staff directories/folders were unintentionally modified for a vendor.

• Inheritance was turned off, which changed all lower level effective permissions.
• Directories normally protected by restrictive ACLs were modified to permit read-only access by anyone with an active account.
• Some of the folders definitely contain PII.
• Audit trail object access was not enabled.

Page 24: Access Controls

Ran Spider (from Cornell University) to identify PII at risk
• One month to scan 10 volumes on the file server.
• Identified all files accessed during the exposure period.

This significantly reduced the number of files at risk, as 70.8% of all files were not accessed during the exposure period.

Is this a breach or an incident?

Regardless, we need to mitigate the situation.
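The scoping step described on this slide, scanning the exposed volumes for PII and then checking which of those files were actually accessed during the exposure window, as an added Python example. This is not the Spider tool from Cornell and not code from the presenters; it uses a deliberately simple SSN-shaped pattern, a constructed sample volume built in a temporary directory, and the filesystem's last-access time as the only available evidence, since the scenario notes that object-access auditing was not enabled.

```python
import os
import re
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, List

# Illustrative SSN-shaped pattern (3-2-4 digits with dashes). A real PII
# scanner uses far richer patterns and validation; this is a constructed
# stand-in for the example.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Finding:
    path: str                   # path relative to the scanned volume root
    ssn_count: int              # number of SSN-shaped strings in the file
    accessed_in_window: bool    # last-access time fell inside the exposure window


def count_pii(text: str) -> int:
    """Return how many SSN-shaped strings appear in the text."""
    return len(SSN_RE.findall(text))


def scan_volume(root: str, exposure_start: float, exposure_end: float) -> List[Finding]:
    """Walk a volume, keep files that contain PII, and flag those whose last
    access time falls inside the exposure window.

    Caveat: this only works if the filesystem records access times. Mounts with
    noatime (or NTFS with last-access updates disabled) leave every atime stale,
    and the scan would then understate the exposure. Stat before reading,
    because the read itself may refresh atime.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)            # capture atime before we touch the file
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue                      # unreadable file: skip; a real tool would log it
            hits = count_pii(text)
            if hits == 0:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            in_window = exposure_start <= st.st_atime <= exposure_end
            findings.append(Finding(rel, hits, in_window))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Reduce the findings to the numbers a risk-of-harm discussion needs."""
    at_risk = sorted(f.path for f in findings if f.accessed_in_window)
    untouched = sorted(f.path for f in findings if not f.accessed_in_window)
    total = len(findings)
    pct_not_accessed = round(100.0 * len(untouched) / total, 1) if total else 0.0
    return {
        "pii_files": total,
        "accessed_in_window": len(at_risk),
        "not_accessed": len(untouched),
        "pct_not_accessed": pct_not_accessed,
        "at_risk": at_risk,
    }


def build_sample_volume(base: str, exposure_start: float) -> None:
    """Create a constructed sample volume: two files with SSN-shaped data, one
    without, with access times placed inside or before the exposure window."""
    samples = {
        "hr/benefits_2004.txt": ("Enrollee: J. Doe, SSN 123-45-6789\n", exposure_start + 3600),
        "hr/old_roster.txt": ("Name,SSN\nA. Smith,321-65-4321\n", exposure_start - 86400),
        "pub/minutes.txt": ("Meeting notes, no identifiers here.\n", exposure_start + 7200),
    }
    for rel, (text, atime) in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.utime(path, (atime, atime))        # set (atime, mtime) explicitly


def demo() -> Dict[str, object]:
    """Scope a six-day exposure (as in the scenario) over the sample volume."""
    exposure_end = time.time()
    exposure_start = exposure_end - 6 * 86400
    with tempfile.TemporaryDirectory() as base:
        build_sample_volume(base, exposure_start)
        return summarize(scan_volume(base, exposure_start, exposure_end))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The split between files accessed and not accessed during the window is what drove the 70.8% figure on the slide; on the constructed sample it comes out as one of two PII files untouched. The design choice worth noting is that the scan records `st_atime` before opening the file, so the scan itself cannot contaminate the evidence it is collecting.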

Page 25: Access Control Incident-Response

Discovery
• Reported by University staff
• Root cause was analyzed
• Used Spider to scan affected volumes for PII

Short-term mitigation
• Inheritance and permissions were fixed.
• Access dates for all files on affected volumes were analyzed to determine scope of risk
• All affected PII were identified.

Notification
• Met with General Counsel and CIO
• Contacted Oregon Division of Finance and Corporate Securities
• Determined this was not a breach (by risk of harm analysis)
• Sent email to users with PII

Long-term Mitigation
• Legacy PII discovery effort
• Provide secure enterprise storage for future PII.
• Establish enterprise PKI for encryption infrastructure
• Publish procedures requiring the use of encryption.

Awareness
• Presentations to HR admins, Executives admins, staff
• Presentations to technical admins about plans and timetables

Page 26: Website in the Cloud De-faced

A website of yours that is hosted in a cloud is defaced. Parts of this website can access sensitive data that is also stored in the Cloud.

Page 27: Website in the Cloud De-faced

In January 2010, shortly after President Obama finished his State of the Union address, the webpages of 49 Congressional members were defaced. All of the webpages were managed by GovTrends. GovTrends ironically had the phrase “You get what you pay for” on their website.

In August 2009, 18 Congressional member websites, also managed by GovTrends, were defaced.

Page 28: Website in the Cloud De-faced

Following the August attack, Representative B sent a letter to the CAO (Chief Administrative Officer) of the House, asking for actual details of the attack and a plan for notification of these incidents in the future.

Rep. B’s office contacted GovTrends and requested copies of the appropriate logs. GovTrends redirected him to HRIS. HRIS claimed they do not investigate or prosecute since there is no way to track down the criminals responsible for this act.

Page 29: Website in the Cloud De-faced

At a Cloud Law Summit Microsoft's head of legal, Dervish Tayyip, said the company would not provide financial guarantees against data-protection issues on cloud contracts.

"We're not an insurance company. What is important is that customers understand the [cloud] offerings are standardised — they are what they are. If the offering does not meet customer needs, maybe the cloud is not a realistic offering."

Cloud providers shrug off liability for security, by Tom Espiner, ZDNet UK, 12 February, 2010 13:30

Page 30: Cloud Incident Response

Discovery
• Prevented by Vendor refusal to cooperate

Short-term mitigation
• Undetermined - experts claim vendor’s explanation makes no sense

Notification
• Can’t determine risk of harm.

Long-term Mitigation
• Nothing in the press about it.

Awareness
• Articles on the web

Page 31: Breach Response for Clouds

Unlike in-house repositories of information, you cannot assume that you have the right and the authorization to investigate breaches in Clouds.

You must ensure that your contract with the Cloud vendor permits you this capability.

If regulation requires that you protect your data from the Cloud provider, then you must encrypt it and ensure that the contract does not contain a provision which would permit the vendor to investigate your content.

If the data that you store in the cloud includes FERPA protected data, then the cloud provider must agree to act as a FERPA agent for the university and to protect it as such.

Your contract should bind the cloud vendor to meet any regulatory and legal requirements that you are required to meet.

Be aware that Law Enforcement may approach your Cloud vendor and demand access to your data even if you have reservations about the legality of their request.

Surrendering your data to a third party weakens your position that the data is valuable unless you have taken measures to affirm its value despite the transfer. These measures might include encrypting the data or contractually binding the cloud vendor to protect the data in accordance with its value or sensitivity.

Your contract should explicitly grant your security staff and administrators the rights that you require regarding monitoring and investigations.

For any Cloud user interface, the user should be informed that they should have no expectation of privacy except that required by explicit law or regulation. They should have the user agree that use of the Cloud constitutes consent to monitoring. This would need to be spelled out contractually with your Cloud vendor.

Page 32: Breach Prevention for Clouds

You can avoid a breach in the cloud by requiring all data in the cloud to be encrypted.

• You encrypt the data before storing it
• You contract the Cloud provider to encrypt your data
  • Full Cloud encryption
  • Individually accountable encryption with a corporate escrow

• Must gather assurances that the Cloud hosts have sufficient security (SAAP): SAS-70
• Must gather assurances that the Cloud application has sufficient security (SAAI): Systrust or SAS-70
• Must gather assurances that the Cloud based web application has sufficient security (SAAS): Webtrust, SAS-70, vulnerability assessments or penetration

Page 33: Sample Incident Response Plan

• Review the exposed material and determine the scope and nature of the incident.
  • Number of unique disclosures or opportunities for disclosure
  • To the best of our ability, determine if there is any evidence that the exposed information was accessed.
• Take actions to limit or eliminate the exposure.
• Arrange a meeting with General Counsel, CIO, and the list owner. Describe the incident, disclosures and the data found during the review. Determine whether the disclosure (or potential disclosure) meets the criteria in the FERPA, GLBA, FISMA, HIPAA, PCI standards, state law or regulation such as the Oregon ID Theft Protection Act.
  • If yes,
  • If no clear evidence of disclosure, determine potential risk of harm
• Draft and send a response to the individual that identified the disclosure.
• Draft a response to the individuals whose personally identifying information was exposed.
• Determine the cause of the exposure.
• Determine permanent solution and implement.

Page 34: Next Steps?

• Acquire PII Search Tools
• Design Solutions for PII Challenges
• Search for legacy PII
• Create strategy for searching PII at home
• Create Awareness campaign for PII removal
• Establish a PII Incident Response team
• Determine Breach thresholds and Risk of Harm criteria
• Develop PII template response letters to reporting individual
• Secure known legacy PII
• Create PII Awareness campaign
• Monitor for new PII
• Design Monitoring strategy
• Gather info about pockets of legacy PII
• Create Awareness campaign for PII removal at home
• Develop staff communications for departmental involvement
• Develop PII template response letters to the harmed individuals
• Develop Reporting and record keeping process
• Sustaining operations

Page 35: Design solutions for PII challenges

• Whole disk encryption (pgpdisk)
• Enterprise supported file encryption (a PKI solution)
• Secure file server (Truecrypt)
• Personal file encryption (Winzip)
• Require network storage
• Segregate workstations that work with PII
• No use of home computers.
• Convert home computer to secure dumb workstation
• Provide secure laptops for remote use
• No dual use workstations for sensitive data
• Search all servers, data bases, workstations for PII
• Create strategy to let users search for PII on existing home systems.
• Data Loss Prevention systems (Discovery, Prevention of loss, Protection of the data, Monitoring of PII use)

Page 36: Remaining Issues

• How do different states' breach notification laws apply?
• What is the threshold for victim notification? AG notification?
• Is a breach insurance policy a good strategy?
• Should Educause/CIOs pursue agreements for credit monitoring, post-breach forensics, or other services?
• Should Encryption be required?

Page 37: Questions

Sharon Blanton, PhD, Chief Information Officer, [email protected]

Craig Schiller, CISSP-ISSMP, ISSAP, Chief Information Security Officer, [email protected]

Portland State University