
What FAAs Need to Know about Cybersecurity Initiatives, Data Protection, and Identity Theft

Session 48. What FAAs Need to Know about Cybersecurity Initiatives, Data Protection, and Identity Theft. Theon Dam | Nov-Dec 2016, U.S. Department of Education 2016 FSA Training Conference for Financial Aid Professionals.


Presentation Transcript


  1. Session 48: What FAAs Need to Know about Cybersecurity Initiatives, Data Protection, and Identity Theft
  Theon Dam | Nov-Dec 2016
  U.S. Department of Education 2016 FSA Training Conference for Financial Aid Professionals

  2. Agenda
  • Purpose
  • Key Terms
  • Recent Incidents and Breaches
  • Comply with Laws and Regulations
  • Minimize Risks
  • Cost of Breach
  • FAA Guidance

  3. Purpose
  • To provide risk management guidance on IT security to institutions of higher education, as they are obligated to:
    • Protect data used in all aspects of the administration of the Title IV Federal student financial aid programs
    • Report all breaches resulting in loss of PII data to FSA

  4. Definition of Key Terms
  • Security incident – any event that compromised the confidentiality, integrity, or availability of an information asset.
  • Example: a suspicious email with links

  5. Definition of Key Terms
  • Privacy breach – when PII is lost or stolen, or is disclosed or otherwise exposed to unauthorized people for unauthorized purposes.
  • This includes PII in any format, whether the loss is suspected or confirmed.
  • Examples of PII breaches:
    • PII left on the printer or scanner
    • PII emailed without encryption or other protection
    • PII mailed to the wrong recipient
    • PII stored on a stolen laptop or thumb drive
    • PII posted to a public-facing website, etc.

  6. Definition of Key Terms
  • Data breach – an incident that resulted in confirmed disclosure, not just exposure, to an unauthorized party; often used interchangeably with "data compromise."
  • Example: following links and being redirected to a malicious site

  7. Data Breach
  • April 2015: the Office of Personnel Management (OPM) was hacked, resulting in two major breaches; the PII of over four million individuals was stolen. A later investigation (June-August 2015) revealed that a second breach had occurred (May-August 2014), affecting 21.5 million individuals (federal employees, contractors, and others).
  • Main reason: hackers gained access due to the lack of Two Factor Authentication (TFA)

  8. Resulting Actions
  • June 2015: United States Chief Information Officer (CIO) Tony Scott responded to the data breach by launching a 30-day Cyber Security Sprint to improve federal cybersecurity and protect IT systems against evolving threats.
  • The federal CIO instructed all federal agencies to immediately take a number of steps to further protect information and assets and improve the resilience of federal networks.

  9. Resulting Actions
  • Heightened awareness of cyber security enforcement
  • New federally mandated policies, procedures, and requirements
  • Applicable to any organization that uses or transmits federal data
  NO EXCEPTION FOR SECURITY ENFORCEMENT

  10. FSA Security Initiatives
  • Two Factor Authentication (TFA)
    • More schools enabling TFA
    • Privileged users especially at risk
    • Intruders can easily steal or guess usernames and passwords and use them to gain access to your networks and stored information
  • FSA ID
    • Reducing PII
    • High availability, usage, high reliability

  11. Data Breach Investigations Report
  • 60% of cases: attackers compromise the organization within minutes.
  • Nearly 50% of people open emails and click on phishing links within the first hour.
  • A campaign of only 10 emails yields a >90% chance that at least one person clicks.
  • 99.9% of the exploited vulnerabilities had been compromised more than a year after the vulnerability was published.
  • Half of vulnerabilities were exploited within two weeks of being posted.
  • Malware events focus on: financial services, insurance, retail, utilities, and education.
  • 2016 Report: 89% of breaches had a financial or espionage motive
  Source: DBIR 2015/2016

  12. Potential Breach Sources
  • Phone numbers
  • Passwords?
  • Informative files
  • Leave information
  • Unlocked screen

  13. Networks At Risk
  • Records of student and loan information
  • Wireless networks
  • Widely distributed networks
    • Admissions
    • Registrar's Office
    • Student Assistance
    • College Book Store
    • Health Clinic
    • Websites
  • Hackers seek diverse information and diverse paths

  14. Network Risks
  • February 2016 – a hacker was able to penetrate a university's network, resulting in a breach of 63,000 students' information. https://www.privacyrights.org/data-breach/new

  15. Student and Parent Data at Risk
  • Social Media (Facebook, Twitter, LinkedIn)
  • Mobile Devices (laptops, cellphones, tablets)
  • Lost/Stolen Devices
  • Weak passwords and passwords written down in an unsecured location
  • Public Wi-Fi provides easy compromise of credentials and data
  • Improper disposal of mail containing PII

  16. Breach Responsibility
  • YOU (and your organization) assume the risk for the loss of data
  • Cyber security protects the data to the identified risk level
  • Data protection and breach prevention MUST be a joint operation for success
  • WE have an obligation to the students and parents to protect their PII

  17. Your Obligation To Protect PII Data
  Dear Colleague Letter
  • Publication Date: July 29, 2015
  • Subject: Protecting Student Information
  • Data breaches are proliferating
  • Cooperation of FSA partners to implement strong security policies, controls, and monitoring is critical to protecting personally identifiable information and ensuring the confidentiality, security, and integrity of Title IV financial aid information

  18. Legal Obligation to Protect PII Data
  • Student Aid Internet Gateway (SAIG) Enrollment Agreement
    • The institution "must ensure that all Federal Student Aid applicant information is protected from access by or disclosure to unauthorized personnel."
  • Privacy Act of 1974 (Federal Agencies)
  • HEA (Higher Education Act)
  • Gramm-Leach-Bliley Act
    • Safeguards Rule
    • Applies to financial institutions and those that receive information about the customers of financial institutions
    • Requires institutions to secure customer information and create a written information security plan that describes the program to protect customer information

  19. Legal Obligation to Protect PII Data
  • HEA (Higher Education Act)
    • Requires institutions to maintain appropriate institutional capability for the sound administration of the Title IV programs, which would include satisfactory policies, safeguards, monitoring, and management practices related to information security
  • FERPA (Family Educational Rights and Privacy Act)
    • Generally prohibits institutions from having policies or practices that permit the disclosure of education records, or the PII contained therein, without the written consent of the student, unless an exception applies.
    • Any data breach resulting from a failure of an institution to maintain appropriate and reasonable information security policies and safeguards could also constitute a FERPA violation

  20. Passwords are Insecure
  • 99.9% of all user-generated passwords are insecure
  • Word-number-punctuation is the most commonly cracked "complex" password
  • Solutions are based on two factor authentication
  • The myth of privacy and security
  • Password cracking by security experts:
    • Six characters: 12 seconds
    • Seven characters: 5 minutes
    • Eight characters: 4 hours
  https://www.privacyrights.org/data-breach/new

  21. Reduce Data Exposure
  • Enforce a clean desk policy
  • Conduct PII "amnesty" days (shred paper PII / eliminate PII from local and shared drives)
  • Protect data at the endpoints
    • USB drives, paper, laptops, smartphones, printers
  • Destroy your data securely
    • Do not keep records forever
  • Limit access to only those with a need to know
  • Practice breach prevention
    • Analyze breaches from other organizations
    • Learn from their mistakes
    • Adjust your policies and procedures accordingly
  • Please – THINK before you post/send/tweet!

  22. Tips to Safeguard PII
  • Minimize PII
    • Collect only PII that you are authorized to collect, and at the minimum level necessary
    • Limit the number of copies containing PII to the minimum needed
  • Secure PII
    • Store PII in an appropriate access-controlled environment
    • Use fictional personal data for presentations or training
    • Review documents for PII prior to posting
    • Safeguard PII in any format
    • Disclose PII only to those authorized
  • Safeguard the transfer of PII
    • Do not email PII unless it is encrypted or in a password-protected attachment
    • Alert FAX recipients of incoming transmissions
    • Use services that provide tracking and confirmation of delivery when mailing
  • Dispose of PII properly
    • Delete/dispose of PII at the end of its retention period, or transfer it to the custody of an archive, as specified by its applicable records retention schedule

  23. Typical Breach Response
  • Employee received PII for someone else
  • Debated what to do; shared it with friends and a coworker for advice
  • 2-3 days later, sent it to the supervisor
  • Supervisor did not see the email for a few days, then sent it to a friend in the FSA Technology Office
  • Friend decided to investigate and called the person whose PII it was
  • Person whose PII it was called FSA management, who called the CIO

  24. Correct Breach Process
  • Call your supervisor, the Help Desk, and Security immediately and tell them exactly what is happening
  • Don't delete any files or turn off your system unless Security tells you otherwise
  • Don't send the files/data in question to anyone
  • Supervisor, Help Desk and/or Security must notify FSA at CPSSAIG@ed.gov

  25. Cost of Breaches
  • Costs (keep going up)
    • $4 million average cost of a data breach (up 29% since 2013)
    • $158 cost per lost record ($221 in the U.S.)
    • Appointing a security SME (CISO) saves $7.00 per record
  • Reissuing cards, consumer protection, insurance, liability
  • Loss of reputation
  Source: Ponemon.org (2016)

  26. In closing…
  • Only collect and use information that is absolutely necessary, and only share it with those who absolutely need the information
  • "Review and reduce"—inventory your PII and PII data flows, and look for ways to reduce PII
  • Follow FSA and best practices, policies, and procedures
  • Think before you hit the "send" button (email is by far the #1 source of breaches)
  • "Scramble, don't gamble"—encrypt, encrypt, encrypt
  • Minimize (or eliminate) the use of portable storage devices
  • Protect PII on paper—enforce a clean desk policy, use secure shredding bins, locked cabinets, etc.

  27. Resources
  • https://www.privacyrights.org/
  • http://www.verizonenterprise.com/DBIR/2016/
  • http://www.ponemon.org

  28. Resources
  • National Institute of Standards and Technology (NIST) Special Publications (http://csrc.nist.gov/publications/PubsSPs.html)
    • NIST Special Publication 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
    • NIST Special Publication 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations
    • NIST Special Publication 800-30 Rev 1, Guide for Conducting Risk Assessments
    • NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
  • ISO/IEC 27001, Information Security Management (International Organization for Standardization / International Electrotechnical Commission)
    • http://www.iso.org/iso/home/standards/management-standards/iso27001.htm

  29. Resources
  • Cyber Resiliency Reviews
    • https://www.us-cert.gov/ccubedvp/self-servicecrr
  • Critical Infrastructure Cyber Community Voluntary Program
    • https://www.uscert.gov/ccubedvp
  • Cybersecurity Information Sharing and Collaboration Program
    • https://www.uscert.gov/sites/default/files/c3vp/CISCP_20140523.pdf
  • Enhanced Cybersecurity Services
    • http://www.dhs.gov/enhancedcybersecurity-services
  • Information Sharing and Analysis Organization Rollout
    • http://www.dhs.gov/isao
  • National Initiative for Cybersecurity Careers and Studies
    • http://niccs.uscert.gov
  • GEN-15-18: Protecting Student Information
    • http://www.ifap.ed.gov/dpcletters/attachments/GEN1518.pdf
  • National Vulnerability Database
    • https://nvd.nist.gov

  30. QUESTIONS?
