Digital Privacy: Laws, Rights, and Protections Deborah A. Robinson, CISSP Chief Information Security...
Digital Privacy:
Laws, Rights, and Protections
Deborah A. Robinson, CISSP
Chief Information Security Officer
Georgia Perimeter College
04/18/23 1
How many records were reported compromised in 2009?
285 million
662 data breaches reported in 2010, up from 250 reported in 2009
How long does it take to break your password?
- 6 days to break a reasonably strong password (10 characters) with 5 lowercase, 2 uppercase and 3 numbers.
- Less than 2 minutes to break an 8 character password with uppercase, lowercase, and numbers.
- More common passwords like "test", "password" or "123" will be cracked instantly.
Per SANS statistics
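As an added illustration that is not part of the slides, the following Python estimates the search space for the two password shapes quoted above and shows how much smaller that space becomes once a guesser knows the exact composition (the slide's 5 lowercase / 2 uppercase / 3 digits split); the guess rate is an assumption, since the slide gives elapsed times only.

```python
from math import comb

# Character-class sizes, matching the classes the slide quotes (no symbols).
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10}

# Assumed guess rate (the slide states elapsed times only, not hardware):
# a round figure for an offline attack on a fast, unsalted hash. Adjust to taste.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000


def naive_keyspace(length, classes):
    """Search space if every position may hold any character of the allowed
    classes; this is what a typical password-strength meter reports."""
    return sum(CLASS_SIZE[c] for c in classes) ** length


def composition_keyspace(counts):
    """Search space when the per-class counts are known, e.g. the slide's
    '5 lowercase, 2 uppercase and 3 numbers' or a published policy: count the
    ways to assign classes to positions, then the fillings of each position."""
    remaining = sum(counts.values())
    arrangements = fillings = 1
    for cls, n in counts.items():
        arrangements *= comb(remaining, n)  # which remaining slots get this class
        remaining -= n
        fillings *= CLASS_SIZE[cls] ** n    # which characters fill those slots
    return arrangements * fillings


def days_to_exhaust(keyspace, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case days to try the whole space; an average hit takes half."""
    return keyspace / guesses_per_second / 86_400


def policy_report(counts):
    """Naive versus composition-aware estimate for one password policy."""
    naive = naive_keyspace(sum(counts.values()), tuple(counts))
    exact = composition_keyspace(counts)
    return {
        "naive_keyspace": naive,
        "composition_keyspace": exact,
        "shrink_factor": naive // exact,  # the guesser's gain from knowing the policy
        "naive_days": days_to_exhaust(naive),
        "composition_days": days_to_exhaust(exact),
    }


if __name__ == "__main__":
    # The slide's two cases, as constructed inputs.
    print(policy_report({"lower": 5, "upper": 2, "digit": 3}))
    print(days_to_exhaust(naive_keyspace(8, ("lower", "upper", "digit"))))
```

For the 10-character case the composition-aware space is roughly 41 times smaller than the naive 62^10 figure, which is why publishing a rigid composition rule helps the guesser more than it helps the user.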
Which country hosts the most phishing attacks?
The United States
In the first half of 2010, the United States hosted 70-80% of all such sites. Second and third place were Hong Kong and China.
The average security breach in 2010 cost the enterprise $7.2 million. The average cost per record was $214.
Do you know where your mobile devices are?
- 10 to 15 percent of all handheld computers, smart phones, and cell phones are eventually lost by their owners.
- Losses (theft/other) per 1,000 laptops last year were just under 20.
Cyber Crime
Identity theft is the fastest growing crime, according to the Federal Trade Commission.
Experts estimate that about 10 million people become victims each year. That means every minute, 19 people become new victims of identity fraud!
Drug trafficking has been replaced by identity theft as the number one crime. The major player is now organized crime, responsible for 70% and billions in ill-gotten gains.
In the News:
A security firm discovered a botnet responsible for stealing sensitive data from more than 2,500 companies, gov’t agencies, and educational institutions over the past 18 months.
The company found a 75GB cache of data that included 68,000 logon credentials, access to email systems, online banking sites, Facebook, Yahoo, Hotmail, and others. The company described it as "a vast cache of dossier-level data sets on individuals including complete dumps of entire identities from victim machines.”
Once a machine is infected, the bot can capture everything the victim types (including passwords), as well as files, cookies, and usernames, and it gives the attacker full remote control. From that infected endpoint, the attacker then makes their way onto the primary network.
Digital Privacy
Digital Privacy - Issues
Risks
- Identity theft and fraud
- Profiling and commercial targeting
- Personal attacks
Digital Privacy - Issues
Threats
- Malware*
- Social networking – many issues
- Phishing
- Impersonation
- Cookies and web bugs
- Cloud computing (HealthVault, Flickr, Gmail)
- Data mining
- Web browsing history
- Digital trails and retained data
Digital Privacy - Issues
Malware (Malicious Software)
- Viruses, trojans, worms
- Root kits, botnets
- Key loggers and scrapers
- Spyware, adware, spam
“Malware has, in fact, become professionalized. Malware is now coded by professional software developers, often working for organized crime. Malware authors now employ encryption to make detection more difficult, and, in the spirit of the best defense being a good offense, aggressively target and remove security software and even rival malware. This evolution in the nature of malware behavior is forcing security experts to change their approach to security, moving from a threat recognition model to a behavior analysis model.”
Digital Privacy - Issues
Did You Know? You can buy on the underground Internet:
- Identity data: $1-$15
- Credit card numbers: $.10-$20
- Malware kits: $25 and up
Digital Privacy - Protections
Laws and Regulations
- Electronic Communications Privacy Act
- Computer Fraud and Abuse Act
- Identity Theft Enforcement and Restitution Act
- The Children's Online Privacy Protection Act
- FERPA
- HIPAA/HITECH and Health Breach Notification Rule
- PCI DSS
- GLBA
- Red Flags Rule
- Privacy and Identity Theft Notification Laws
- USA PATRIOT Act
Digital Privacy - Protections
Electronic Communications Privacy Act
- Derived from Fourth Amendment protection against unreasonable search and seizure
- Regulates when and how law enforcement can intercept and use electronic communication
- Protects electronic and telephone communications from non-government eavesdroppers
- Amended by USA PATRIOT Act
- Administered by Department of Justice
Digital Privacy - Protections
Computer Fraud and Abuse Act
- Prohibits unauthorized use of computers – hacking, implementing malware, data theft, etc.
- Prohibits trafficking in passwords or other unauthorized means of access
- Amended by USA PATRIOT Act
- Administered by Department of Justice
Digital Privacy - Protections
Identity Theft Enforcement and Restitution Act
- Strengthens federal prosecution of identity theft crimes
- Makes certain acts felonies that were previously misdemeanors
- Allows for the restitution of victims of identity theft
Digital Privacy - Protections
Children’s Online Privacy Protection Act
- Applies to online collection of information from children under 13
- Must post easily accessible policy
- Must obtain parental consent for gathering information from the child
- Administered by FTC
Digital Privacy - Protections
FERPA – Family Educational Rights and Privacy Act
- Specifies rights to view educational data
- Protects against unauthorized disclosure of educational data
- Requires reasonable and appropriate protection of educational data
- Administered by Department of Education
Digital Privacy - Protections
HIPAA/HITECH and Health Breach Notification Rule
- HIPAA – Health Insurance Portability and Accountability Act
- Applies to health conditions, treatments, and payment
- Requires enterprises to implement reasonable and appropriate security to protect your information
- Failure to comply carries fines and criminal penalties
- Consumers must be notified of security breaches and unauthorized exposure of protected information
- HIPAA and HITECH – administered by HHS
- Health Breach Notification Rule – administered by FTC
Digital Privacy - Protections
HIPAA/HITECH Non-compliance
- Rite Aid – fined $1 million, 7/2010 – improper disposal of data
- General Hospital Corp. and Massachusetts General Physicians Organization Inc. – fined $1 million, 2/2011 – document left on subway
- CVS – fined $2.25 million, 2/2009 – improper disposal of data
Digital Privacy - Protections
PCI DSS – Payment Card Industry Data Security Standard
- Industry regulation – credit card companies
- Specifies detailed security measures for merchants handling credit and debit card information
- Requires levels of compliance verification
- Stiff fines levied by payment card companies
- Ability for merchants to take cards can be revoked
- Administered by individual credit card companies and acquiring banks
Digital Privacy - Protections
PCI – TJX Data Breach
- 2/2007
- Loss of 45 million credit and debit card records
- $40.9 million settlement with Visa
- Unsecured wireless
Digital Privacy - Protections
PCI – CardSystems Solutions
- MasterCard processor
- 6/2005
- Loss of up to 40 million credit card records
- Lack of reasonable and appropriate security
Digital Privacy - Protections
PCI – HeartLand Payment Systems
- 1/2009
- Loss of tens of millions of credit card records
- $60 million settlement with Visa
- Keylogger
Digital Privacy - Protections
GLBA – Gramm Leach Bliley Act
- The Financial Privacy Rule – governs collection and disclosure of customers’ personal financial information by financial institutions and other companies that receive the information, with specific privacy policy requirements
- The Safeguards Rule – requires financial and other institutions to design, implement, and maintain safeguards (security) to protect customer information
- Pretexting protection – reduces chances of someone gaining unauthorized access to customer information by impersonation, phishing, social engineering, etc.
- Weak enforcement and compensation mechanisms
- Administered by Federal Trade Commission
Digital Privacy - Protections
Red Flags Rule
- Part of Fair and Accurate Credit Transactions (FACT) Act
- Requires financial institutions and creditors to implement an Identity Theft Prevention Program
- Designed to detect warning signs — or "red flags" — of identity theft in day-to-day operations
- Examples – alerts from credit agencies or customers of possible identity theft, suspicious customer documents, suspicious personal identifying information, unusual activity on the account
- Administered by Federal Trade Commission
Digital Privacy - Protections
Privacy and Identity Theft Notification Laws
- State laws that specify protections and/or notifications for unauthorized disclosure of personally identifiable information (PII)
- Currently 47 states; first was California, strongest is Massachusetts
- Georgia law – specifies timely notification to any individuals whose unencrypted personally identifiable information was, or is reasonably believed to have been, acquired by an unauthorized person.
Digital Privacy - Protections
USA PATRIOT Act
- USA PATRIOT Act – Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act
- Reduced restrictions on law enforcement agencies' ability to search telephone, e-mail communications, medical, financial, and other records
- Expanded access to a variety of business records
- Significantly expanded wiretapping, surveillance, and physical search capabilities, with “intelligence” warrants not requiring probable cause or specific location
- Weakened privacy rights
Digital Privacy - Protections
What Organizations Do to Protect Your Data
- Identify risks to sensitive data
- Implement information security program to ensure adequate protection of sensitive data:
  – Policies and procedures
  – Incident response plans
  – Security awareness
  – Encryption of sensitive data
  – Technical security measures
- Comply with industry standard security practices
- Comply with applicable laws and regulations
Digital Privacy - Protections
What You Can Do
Protect your PII - Personally Identifiable Information
- Name + SSN, driver's license number, any financial account number, address, phone number
- Never give it out unless necessary
- Don’t put it on social media; you can’t take it back
- Be sure who you’re giving it to
- Use the sniff test
Digital Privacy - Protections
What You Can Do
Practice good security
- Opt out
- Use strong privacy settings
- Read policies and agreements
- Patch and apply upgrades
- Use current AV and firewalls
- Use strong passwords
- Search and surf anonymously
- Don’t click on anything unsolicited
Think – be smart!
Digital Privacy - Protections
What You Can Do
Anonymizers
- Most use proxy servers and multiple relays
- Tor Network – www.torproject.org
- I2P – www.i2p2.de
- ShadowSurf – www.shadowsurf.com
- Startpage – private search engine – www.startpage.com
- Anonymous remailers
Digital Privacy
Report problems!!!
Information Security