1 © Copyright 2013 EMC Corporation. All rights reserved.
Threats to Personal Data Security: Causes and Consequences
International Forum on Personal Data Protection: IFAI’s Recommendations, Dec 5th 2013
Davi Ottenheimer, Senior Director of Trust
2 © Copyright 2013 EMC Corporation. All rights reserved.
THE FOUR BIG MEGATRENDS IN
INFORMATION TECHNOLOGY TODAY ARE
CLOUD COMPUTING, BIG DATA, SOCIAL
NETWORKING AND MOBILE DEVICES.
ADOPTION AND MATURITY OF THESE
TRENDS MUST FLOAT UPON A SEA OF
JOSEPH TUCCI
TRUST
3 © Copyright 2013 EMC Corporation. All rights reserved.
Intro
4 © Copyright 2013 EMC Corporation. All rights reserved.
Objective
“Reveal causes and impacts of security incidents, such as economic, reputational and integrity damage”
“It's a fundamental principle of copyright law that facts are not copyrightable…”
-EFF 2012
https://www.eff.org/press/releases/eff-wins-protection-time-zone-database
5 © Copyright 2013 EMC Corporation. All rights reserved.
Mexico Privacy Law and Regulations
2010 July 5 “Law” Ley Federal de Protección de Datos Personales en Posesión de los Particulares
2011 December 21 “Regulations” Reglamento de la Ley Federal de Protección de Datos Personales en Posesión
de Particulares
Personal Data and “Sensitive Personal Data”
“Materially affect property or moral rights”
“loss, theft or unauthorized use, modification, access, copying, destruction, damage, or alteration to personal data”
6 © Copyright 2013 EMC Corporation. All rights reserved.
Definitions 1. Breach
“impermissible use or disclosure” that
“poses a significant risk of financial,
reputational, or other harm”
2. Sophisticated Breach
“If you can’t explain it simply, you don’t understand it well enough”
3. Advanced Persistent Breach
Targeted with long-term capabilities
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
7 © Copyright 2013 EMC Corporation. All rights reserved.
http://www.spiegel.de/fotostrecke/photo-gallery-nsa-hacked-into-mexican-president-s-email-account-fotostrecke-102797-2.html
APB Example: Mexican Office of the President
8 © Copyright 2013 EMC Corporation. All rights reserved.
Breach Data Sources Trustwave
Verizon
Trend Micro
Sophos
McAfee
Symantec
AlienVault
Secunia
Kaspersky
Ponemon
U.S. States (NCSL)
privacyrights.org
Identity Theft Resource Center
HHS.gov
“As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.”
http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
9 © Copyright 2013 EMC Corporation. All rights reserved.
Inter-Analysis Comparisons 1. Breach Sources
A. Partners 0%, down from 22% in 2010 (Verizon)
B. Partners 76% (Trustwave)
2. Spam Sources A. India 18%, Russia 15% (Trend Micro)
B. US 12%, India 8% : Asia 45%, Europe 26% (Sophos)
3. Most Attacked A. Chile, China, South Korea (Sophos)
B. US, Australia, Canada (Trustwave)* RSA Conference SF 2012: “Message in a Bottle”
* http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf
10 © Copyright 2013 EMC Corporation. All rights reserved.
Intra-Analysis Comparisons 1. Verizon
A. Sophistication, along with speed, was one of the two themes that stood out
B. 78% of initial intrusions rated as low or very low difficulty …little or no specialist skills or resources
2. Trustwave A. Ever-increasing level of sophistication on the part of malware
authors
B. 89% of networks have weak or blank system admin password and 86% of networks have weak or blank database password
http://www.verizonenterprise.com/resources/executivesummary/es_2013-data-breach-investigations-flyers-sophistication_en_xg.pdf http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf
11 © Copyright 2013 EMC Corporation. All rights reserved.
Perspective on Vulnerabilities
https://www.usenix.org/system/files/login/articles/14_geer-online_0.pdf
“Measuring vs. Modeling” by Dan Geer and Michael Roytman
Attack Probabilities
2.4% Attacked
CVSS Score 9 or 10 not attacked:
87.8%
NVD
12 © Copyright 2013 EMC Corporation. All rights reserved.
EMC Survey: IT Trust Curve Senior Executive IT Trust Confidence Relative to Their Organization’s Maturity
59%
58%
57%
57%
55%
55%
55%
51%
50%
48%
Financial services
IT and technology
Consulting
Retail and consumer…
Energy
Manf.
Comms, media and ent.
Healthcare
Public sector
Life sciences
54.1
53.9
53.8
51.6
51.1
51.0
49.8
49.4
49.2
46.1
Financial services
Life sciences
IT and technology
Healthcare
Public sector
Manf.
Retail and consumer…
Energy
Comms, media and ent.
Consulting
MATURITY CONFIDENCE
www.emc.com/trustcurve
13 © Copyright 2013 EMC Corporation. All rights reserved.
Causes
14 © Copyright 2013 EMC Corporation. All rights reserved.
Speed Response B
Response
Cover Pivot and Hide
Dwell Time Response Time
Reduce Dwell A
Identification
Intrusion Prevention
Attack
1 STEALTHY LOW AND SLOW 2 TARGETED
SPECIFIC OBJECTIVE 3 INTERACTIVE HUMAN INVOLVEMENT
Reality: Advanced Threats
15 © Copyright 2013 EMC Corporation. All rights reserved.
Perimeters Changing Virtual Data Centers, Cloud Compute and Mobile Users
Dedicated, Vertical Gaps and Stacks
Traditional Data Center Modern Data Center
Dynamic Pools Of Compute & Storage
16 © Copyright 2013 EMC Corporation. All rights reserved.
Perimeters Need Balance With Heuristics
Dedicated, Vertical Gaps and Stacks
Traditional Data Center Modern Data Center
Dynamic Pools Of Compute & Storage
People
Transactions
Data Flow
Challenges – ID and Authenticity
– Complex Relationships
– New and Different Layers
Opportunities with Data – Velocity
– Variety
– Volume
– Vulnerability
Big
17 © Copyright 2013 EMC Corporation. All rights reserved.
Top Four Breach Causes
1. Default or Weak Credentials
2. Lack of Input Filtering (Inclusion, Injection)
3. Excessive Services
4. Wider Scope of Systems (Legacy and New) Unpatched
18 © Copyright 2013 EMC Corporation. All rights reserved.
Four Breach Stages
1. Enumeration – Systems with Vulns
– Vulns on Systems
2. Access and Control
3. Exfiltration – Transfer Stored Data
– Dump Data in Transit
4. Expansion and Repetition
19 © Copyright 2013 EMC Corporation. All rights reserved.
Four Solutions
Advanced Security Operations 1 Identity
Management 2 Fraud and Risk Intelligence 3 Governance,
Risk & Compliance 4
20 © Copyright 2013 EMC Corporation. All rights reserved.
by Respondents if Controls Could Stop Breaches
Five Anticipated Benefits
www.emc.com/trustcurve
42%
43%
45%
48%
49%
Reduced cost of application
deployment / time to market
More time for innovation &
analysis
Lower cost of investigation &
response
Lower barrier to information
sharing
Expedited audits & lower
compliance reporting cost
21 © Copyright 2013 EMC Corporation. All rights reserved.
Consequences
22 © Copyright 2013 EMC Corporation. All rights reserved.
Reported Average Per Company
Annual Financial Loss
$585,892 Data Loss
$860,273 Security Breach
$497,037 Downtime
www.emc.com/trustcurve
23 © Copyright 2013 EMC Corporation. All rights reserved.
Per Compromised Record
Annual Financial Loss
$159
$117
US
World
http://www.symantec.com/content/en/us/about/media/pdfs/b-cost-of-a-data-breach-exec-summary-2013.en-us.pdf
$233
$215
$207
$78
Healthcare
Financial
Pharma
Retail
24 © Copyright 2013 EMC Corporation. All rights reserved.
Social Game Maker (Facebook)
2009 Breach (SQL injection) – 32M Password/Email Addresses
– All Clear Text, Including Partner Credentials
2011 Ruling
“…plaintiff has sufficiently alleged a general basis for harm…some ascertainable but unidentified ‘value’ and/or property right inherent in the PII…sufficient to allege an actual injury…”
“Materially Affect” Example: RockYou
http://www.scribd.com/doc/53080958/Claridge-v-Rockyou-09-6032-PJH-N-D-Cal-Apr-11-2011
25 © Copyright 2013 EMC Corporation. All rights reserved.
“Materially Affect” Example: Search Engine Indexes (Dorks)
– inurl:-cfg intext:"enable password"
– filetype:ini "[FFFTP]” (pass|passwd|password|pwd)
– filetype:sql “phpmyAdmin SQL Dump” (pass|password|passwd|pwd)
– filetype:sql “PostgreSQL database dump” (pass|password|passwd|pwd)
– inurl:htpasswd filetype:htpasswd
+-------------------------------+
| Word | Count | Of total |
+-------------------------------+
| 123456 | 290729 | 0.8917 % |
| 12345 | 79076 | 0.2425 % |
| 123456789 | 76789 | 0.2355 % |
| password | 59462 | 0.1824 % |
| iloveyou | 49952 | 0.1532 % |
http://risky.biz/sosasta
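The dork patterns on this slide only work because credential-bearing files sit in indexable web roots. A defender can apply the same signatures locally, before a crawler does. The following is an added example, not code from the deck or from EMC: it walks a local web root and reports files whose path and contents match the patterns listed above (the signature names and the constructed fixture files are the example's own).

```python
import os
import re
import tempfile

# Exposure signatures derived from the dork list on the slide:
# (name, path regex, content regexes that must all match). Constructed for this example.
CRED = r"\b(pass|passwd|password|pwd)\b"
SIGNATURES = [
    ("cisco-config-enable-password", r"-cfg", [r"enable password"]),
    ("ffftp-ini-credentials", r"\.ini$", [r"\[FFFTP\]", CRED]),
    ("phpmyadmin-dump-credentials", r"\.sql$", [r"phpMyAdmin SQL Dump", CRED]),
    ("postgresql-dump-credentials", r"\.sql$", [r"PostgreSQL database dump", CRED]),
    ("htpasswd-file", r"htpasswd$", []),
]

def scan_webroot(root, max_bytes=1_000_000):
    """Walk a local web root; return sorted (relative path, signature) pairs for
    files that a search-engine dork would surface once the root is indexed."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            for name, path_re, content_res in SIGNATURES:
                if re.search(path_re, rel, re.I) and all(re.search(c, text, re.I) for c in content_res):
                    findings.append((rel, name))
    return sorted(findings)

def build_fixture():
    """Create a constructed web root: three exposed files and two benign ones."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": "<html><body>Welcome</body></html>\n",
        "backup/site_dump.sql": "-- phpMyAdmin SQL Dump\nINSERT INTO users (login, password) VALUES ('admin', 'REDACTED');\n",
        "backup/schema.sql": "-- PostgreSQL database dump\nCREATE TABLE t (id int);\n",  # dump, but no credential keyword
        "router/edge-cfg": "hostname edge\nenable password PLACEHOLDER\n",
        "private/.htpasswd": "admin:PLACEHOLDER_HASH\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, sig in scan_webroot(build_fixture()):
        print(f"{sig:32s} {rel}")
```

Run it against a staging copy of the web root as a pre-publication check; the schema-only SQL dump is deliberately not reported, which mirrors the dorks' requirement that a credential keyword also be present.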
26 © Copyright 2013 EMC Corporation. All rights reserved.
Certificate System Failure
Response
– Evidence starting 2009 not noticed or investigated
– External alert/pressure
Infrastructure
– Lack of segmentation – all CA servers in one Domain
– Weak Domain administrator password
– Missing patches
– Compromised systems unnoticed (and replicated)
– Lack of centralized logs
Record Keeping (Google certificate serial # not recorded)
27 © Copyright 2013 EMC Corporation. All rights reserved.
Breach Notification: HHS 27,771,823 Affected Since Sept 2009
Hacking
5%
Improper
Disposal
2%
Loss
27%
Other
2%
Theft
50%
Unauthorized
Access
6%
Unknown
8%
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
28 © Copyright 2013 EMC Corporation. All rights reserved.
Harm “Cost” Relative to US Healthcare
“…costing healthcare industry billions of dollars a year, with employees, mobile devices the weakest link.”
http://www.thefiscaltimes.com/Articles/2010/08/19/The-Cost-of-Diabetes.aspx
http://www.darkreading.com/insider-threat/167801100/security/attacks-breaches/232200606/healthcare-data-in-critical-condition.html
“…costing Americans $83 billion a year in hospital fees — 23 percent of total hospital spending.”
Data Breaches
Diabetes
$ 2B
$83B
29 © Copyright 2013 EMC Corporation. All rights reserved.
Harm “Cost” Relative to US Healthcare
Diabetes
23%
Other
77%
Breaches
0%
http://www.cdc.gov/dhdsp/maps/gisx/mapgallery/textonly.html
Diabetes Age >20
30 © Copyright 2013 EMC Corporation. All rights reserved.
Breaches in Five Most Populated States
Incidents
Log
31 © Copyright 2013 EMC Corporation. All rights reserved.
Breaches by Sensitive Data Types
Records
Lin
RSA SF 2009 Presentation: Downward Trend Due to Regulations
32 © Copyright 2013 EMC Corporation. All rights reserved.
“Root of Africa’s Dismal Air-safety Record”
Aviation A Good Model?
1. Low investment, crumbling infrastructure
2. Lax national authorities
3. Minimal air-traffic control or regulation
4. Basic navigational aids (Technology)
http://www.ascendworldwide.com/the_wall_street_journal_15-08-07.pdf
33 © Copyright 2013 EMC Corporation. All rights reserved.
Conclusions
34 © Copyright 2013 EMC Corporation. All rights reserved.
How to Reduce Harm
Governance (GRC)
Advanced Security
Increased Scope
35 © Copyright 2013 EMC Corporation. All rights reserved.
How to Reduce Harm
Executive Oversight
Support Prevention with Detection
Source Mostly Unknown but Social
Expand Scope to Exceptions
Any and Every Asset a Target
– VPNs (Tokens)
– Apple and Android (BYOD)
– Unusual Services (Backdoors)
– Egress Ports (53, 25)
– User Interface (Decisions / Overrides)
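"Support Prevention with Detection" and "Expand Scope to Exceptions" can be made concrete for the egress ports named above. The following is an added example, not code from the deck or from EMC: it runs simple allow-list rules over constructed flow records and flags DNS (53) and SMTP (25) traffic from hosts that have no business using those ports outbound, plus DNS volume far above what lookups need. The internal range, the approved resolver and the mail relay addresses are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not real traffic): "timestamp src dst dst_port proto bytes"
SAMPLE_FLOWS = """\
2013-12-05T10:00:01 10.1.2.15 10.1.0.53 53 udp 120
2013-12-05T10:00:02 10.1.2.15 198.51.100.7 53 udp 4800
2013-12-05T10:00:03 10.1.2.15 198.51.100.7 53 udp 5200
2013-12-05T10:00:04 10.1.0.25 203.0.113.9 25 tcp 900
2013-12-05T10:00:05 10.1.2.40 203.0.113.9 25 tcp 650
2013-12-05T10:00:06 10.1.2.15 93.184.216.34 443 tcp 3000
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
APPROVED_RESOLVERS = {"10.1.0.53"}             # the only DNS destinations clients should use
MAIL_RELAYS = {"10.1.0.25"}                    # the only hosts allowed to speak SMTP outbound

def parse_flows(text):
    """Parse flow lines into dicts, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, port, proto, nbytes = parts
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port),
                      "proto": proto, "bytes": int(nbytes)})
    return flows

def egress_alerts(flows, dns_bytes_threshold=4096):
    """Return sorted (rule, src, dst, port) tuples for suspicious use of ports 53 and 25."""
    alerts = set()
    dns_bytes = defaultdict(int)  # bytes per (src, dst) sent to unapproved resolvers
    for f in flows:
        if ipaddress.ip_address(f["src"]) not in INTERNAL:
            continue  # only internal sources count as egress
        if f["port"] == 53 and f["dst"] not in APPROVED_RESOLVERS:
            alerts.add(("dns-to-unapproved-resolver", f["src"], f["dst"], 53))
            dns_bytes[(f["src"], f["dst"])] += f["bytes"]
        elif f["port"] == 25 and f["src"] not in MAIL_RELAYS:
            alerts.add(("smtp-from-non-relay", f["src"], f["dst"], 25))
    for (src, dst), total in dns_bytes.items():
        if total > dns_bytes_threshold:  # lookups are small; a tunnel is not
            alerts.add(("dns-volume-to-unapproved-resolver", src, dst, 53))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in egress_alerts(parse_flows(SAMPLE_FLOWS)):
        print(*alert)
```

The relay's own SMTP and the client's lookups to the approved resolver produce no alert; everything else on those two ports is an exception worth a look.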
36 © Copyright 2013 EMC Corporation. All rights reserved.
Personal Data Security
Depends On
TRUST
@EMCTrustedIT