The Experience of a Large Database Security Breach - Jim Davis, Associate Vice Chancellor & CIO


Presentation Transcript


Securing California

The Experience of a Large Database Security Breach

Jim Davis, Associate Vice Chancellor & CIO


What Does it Feel Like

  • Denial --> Acceptance

  • Technical --> Personal

  • Local --> Institutional [lost laptop different]

  • Comfortable --> Vulnerable

  • No longer the same


Agenda

  • Decision to notify

  • Notification

    • Email, Letters, Call Center, Website, Media, Calls

  • People, People, People

  • Aftermath

  • Lessons Learned


UCLA Security Incident

Attack detected November 21, 2006

Incident Response Plan put into action

  • Took server offline

  • Appropriate notifications and engaged FBI

  • Began forensic analysis of logs

    • Sophisticated attack, activity concealed


UCLA Security Incident

Compromised database contained records for 803,000 persons

  • Current & Former Students (UCLA)

  • Current & Former Employees (UCLA, UCOP, UCM)

  • Applicants (UCLA)

  • Parents of Financial Aid Applicants (UCLA)

  • Contained Names & SSNs

  • No Driver's License, Credit Card or Bank Account numbers


Decision to Notify

  • Notification authority rests with CIO

  • Well-established incident response protocol

  • The decision panel

    • ISO

    • IPO

    • Dir responsible for breached database operation

    • Campus network architect

    • Legal counsel

    • UC IPO


Determining the Threshold for Security Breach Notification

  • Primary notification criteria


The Important Additional Criteria

The University of California recommends consideration of these additional factors:


Decision Tensions

  • Big difference in impact on the institution between tens of thousands and hundreds of thousands of notifications

  • Big difference in logistics to notify between tens of thousands and hundreds of thousands

  • Wait too long to notify: not responsive

  • Wait too long to notify: lose capacity to manage relationships

  • Notify too quickly: not prepared to manage relationships

  • Notify too many, too quickly: unnecessary alarm

  • Informed people protect themselves better

  • UCLA’s philosophical position on individual privacy is to keep people informed


Notification Logistics

  • Notification process project managed by executive lead of unit

    • Federated environment

    • Policy puts primary resource burden on unit

  • Notification logistics and execution team

    • Unit Executive Head

    • Dir responsible for breached database operation

    • CIO

    • ISO

    • IPO

    • Campus network architect

    • Legal counsel

    • Media and communications

  • Functioned like an emergency response team


The Decision Chart

[Timeline chart, Weeks 1 to 4: tracks Notification Decision and Notification Process against the number of notifications (800K) and notification effort; marks the 800K Notification Decision and the Large Notification Logistics Decision]


Notification

Decided to notify 803,000

  • Email, US Mail

    • Addresses for 70%

  • Press releases and media reports

    • News outlets California, nation and world

    • LA Times, NY Times, AP, CNN, all local TV stations

  • www.identityalert.ucla.edu

  • 26 Call Centers, 1600 Operators

    • 1000 calls/hour initially

    • 35,000 calls received to date

    • 400 follow-up calls

  • Reached 75-80% of affected population

    • Institutional relationship maintained


Scripting for a Call Center

  • Script must be precise, thorough and ‘bullet-proof’

  • Script and operators must be amenable to immediate corrections and enhancements

  • Script must allow for quick and simple coding into a database


Adjusting the Script:

Original Script Greeting:

“Thank you for calling the UCLA Identity Alert Hotline. I would like to assist you. UCLA knows that this incident has caused concern, and I want to provide you with the information and suggest steps you can take to protect yourself from the possibility of identity theft. So that I can better assist, can you please tell me whether you received notification from the university or whether you heard about the call center from news media reports?”

Script 1 Hour Later:

“Thank you for calling the UCLA Identity Alert Hotline. How may I help you?”


Call Center Statistics: December 2006 – August 2007


http://www.identityalert.ucla.edu/

Gwen’s website slides here


http://www.identityalert.ucla.edu/what_you_can_do.htm

Gwen’s website slides here


Identity Alert Web Statistics: December 2006 – September 2007 (and 1/07–9/07)


Need for Escalation Path

  • Call center serves a specific role:

    • Validation, resource referral and data collection

  • BUT…

  • Callers are frightened, frustrated, angry, panicked, indignant, hurt and

    • Need to know more details

    • Need to speak with a UCLA representative who can respond knowledgeably, accurately and honestly

    • Need empathy

    • Need reassurance and assistance regarding next steps


Individual Relations

  • The largest group

    • Felt violated, anxious

    • Wanted a live person

      • Answers

      • Reassurance

      • Clarification

      • Empathy

  • Smaller group

    • Information & answers

  • 2% angered and distraught

    • Demanded to speak with a UCLA official

    • 600 individual calls


“Angry, Irate, Distraught”: Examples of Escalation Call Questions

“How did UCLA let this happen?”

“The last letter I received from UCLA was a rejection letter, and now I get this. Why was I in your database?”

“I just got a letter! Does that mean my identity has been stolen?”

“Who was fired? I want to know who’s responsible for this!”

“This is tremendously upsetting and it’s time-consuming to fix. How is UCLA going to make this right for me?”

“My child got this letter, and he was killed last year. What should I do?”


Post Notification Chart

[Timeline chart, Weeks 4 to 7: tracks Notification Decision, Notification Process and Compliance Reviews against the number of notifications (800K) and notification effort; marks the Decision to Contact 28,600]


Follow-up Letter

Personalized


Breach Aftermath

  • Policy and compliance reviews - no compliance issues

    • UC Office of General Counsel

    • State Attorney General

    • UC Board of Regents

  • SSN policies - no compliance issues

    • Sparked broader initiatives at state and federal levels on use of SSNs

    • State representative and judiciary

    • FTC

  • Notification laws - Senator Feinstein

  • Constituency relations

    • Relations with university generally retained

    • No identity theft directly attributable


Reducing Retention of Personal Data

Every SSN retained was tied to a requirement:

  • Financial Aid reporting

  • Federal Tax Relief Act tuition tax credit

  • Test scores

  • National Student Clearinghouse

  • IRS & EDD

  • Identity Matching


UC-wide Information Security

  • Policy development and communication:

    - UC Electronic Information Security Policy

    - Stewardship of Electronic Information Resources

  • Compliance strategies: (e.g. HIPAA, California Security Breach legislation, Payment Card Industry data security, security rider for vendor contracts)

  • Shared resources: (E.g. UC Security web site; security software & professional services agreements; UC security experts work group)

  • Information collection and dissemination:

    - Tracking security breaches and sharing information

    - Raising awareness of the importance of information security


Lessons Learned

  • Independent and objective panel for deliberations about whom to notify

  • Provisions for confidentiality

  • Ensure the call center and web site are ready when notification begins

  • Spend time setting up the call center

  • Notify through different channels

  • Only solid information will cut


In the end it’s personal

Notify if YOU would want to be notified

Notify as YOU would want to be notified

Sincerity Drives the Day

