Recent Breach Cases of the OPC
Malcolm Townsend, IT Research Analyst, CISSP
Overview
• Background
• OPC Mandate
• Current Trends
• Privacy Breach Cases
• Lessons Learned
• How to prepare for a privacy breach
Background
• My role at the OPC
• Privacy breaches often have a technological component
• Examples encountered at the OPC include:
websites and applications
lost or stolen mobile devices
unencrypted portable devices
unpatched systems
OPC Mandate
• Oversight
Investigates complaints under the Privacy Act (Federal Government) and PIPEDA (Private Sector)
Negotiates and persuades to find solutions
Makes recommendations based on findings
• Public Education/Guidance
The 10 Privacy Principles
1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance
Current Trends
• 63% of data breaches involved weak, default or stolen passwords
• 30% of people open phishing messages; 12% click on attachments
• 83% of compromises took weeks or longer to discover
• 75% of breaches are detected by someone else
• 85% of exploits come from the top 10 vulnerabilities
Current Trends
Entries      Database            Hashing algorithm   Category         Dump date
58,848,308   ModBSolutions.com   No passwords        Business         2016-10
11,872       NewMiniClub.nl      MD5 (phpBB3)        Agriculture      2016-10
1,922        NVPC.nl             Plaintext           Plastic surgery  2016-10
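The "Hashing algorithm" column above is what decides how much a dump like these costs the people in it. The following is an added example, not from the OPC deck: a constructed dump with rows stored as plaintext, as unsalted MD5, and (for contrast, a scheme none of the three listed sites used) as salted, iterated PBKDF2-HMAC-SHA256, run through a small dictionary attack that also counts how many hash evaluations the attacker has to spend. The user names, passwords and wordlist are constructed; the example models plain unsalted MD5 and does not reproduce phpBB3's own hash format; `DUMP`, `ITERATIONS` and `recover` are names chosen for this demo.

```python
"""Added example (not from the OPC deck): what each storage scheme in a leaked
table means for the people in it. The dump rows and wordlist below are
constructed for the demo; user names and passwords are fictitious."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a cracking dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2016", "welcome1"]

ITERATIONS = 50_000  # PBKDF2 work factor used for the demo rows (assumed value)


def md5_unsalted(password: str) -> str:
    """Unsalted MD5 hex digest, the scheme behind many old forum dumps."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as iterations$salt$dk."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the derived key for a guess and compare in constant time."""
    iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed dump. Each row: (user, storage scheme, stored value).
DUMP: List[Tuple[str, str, str]] = [
    ("alice", "plaintext", "summer2016"),
    ("bob", "md5", md5_unsalted("letmein")),
    ("carol", "md5", md5_unsalted("Tr0ub4dor&3")),       # not in the wordlist
    ("dave", "pbkdf2", pbkdf2_store("qwerty")),
    ("erin", "pbkdf2", pbkdf2_store("Tr0ub4dor&3")),      # not in the wordlist
]


def recover(dump, wordlist) -> Tuple[Dict[str, Optional[str]], int]:
    """Dictionary attack over the dump.

    Returns (user -> recovered password or None, number of underlying
    hash-function evaluations the attacker had to perform)."""
    found: Dict[str, Optional[str]] = {}
    work = 0
    # One MD5 table serves every unsalted row, however many rows the dump has.
    md5_table = {md5_unsalted(w): w for w in wordlist}
    work += len(wordlist)
    for user, scheme, value in dump:
        if scheme == "plaintext":
            found[user] = value                       # nothing to crack
        elif scheme == "md5":
            found[user] = md5_table.get(value)        # one lookup per row
        elif scheme == "pbkdf2":
            found[user] = None
            for w in wordlist:                        # per-row, per-guess cost
                work += ITERATIONS
                if pbkdf2_verify(w, value):
                    found[user] = w
                    break
        else:
            raise ValueError(f"unknown scheme {scheme!r}")
    return found, work


if __name__ == "__main__":
    found, work = recover(DUMP, WORDLIST)
    for user, pw in found.items():
        print(f"{user:6} {'recovered: ' + pw if pw else 'not recovered'}")
    print(f"hash evaluations spent: {work:,}")
```

The plaintext row needs no work at all, the unsalted MD5 rows fall to a table built once and reused across the whole dump, and the salted rows force the attacker to pay the full iteration count per row and per guess, which is the property the second and third sites in the table lacked.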
Current Trends
2016 Cost of Data Breach Study: Canada
Average cost per stolen record: 278 CA$
Average cost of data breach: 6.03 M CA$
Mean time to detect and contain an incident: 239 days
Some cases
ESDC Hard drive (Privacy Act)
• Safeguards
– Physical
– Policies
– Technical
– Administrative
• Data Disclosed
Location of Ashley Madison Users
Investigative Team
• Joint Investigation between Australia and Canada
• Multidisciplinary team: investigators, lawyers, technical analysts
Timeline
?: Attacker initial access
12 July 2015: ALM detects breach
20 July 2015: ALM reports breach to OPC
18 and 20 Aug. 2015: Stolen info published on the web
21 Aug. 2015: Commissioner-Initiated Complaint (CIC)
22 Aug. 2016: OPC-OAIC final report
2017: Compliance agreement
Consent and transparency
Findings – Safeguards
ALM’s security was lacking the following key elements:
appropriate safeguards in the circumstances;
a coherent and adequate governance framework;
an explicit risk management process;
properly documented information security policies or practices; and
adequate staff training
Findings – Other principles
• Retention
• Accuracy
• Consent and transparency
Case (2014-004) – Data Processor
Privacy Breach Lessons Learned
– Improve Safeguards
Safeguards Lessons Learned – Use Industry Best Practices
Top 5 out of the 20 CIS Controls*
*https://www.cisecurity.org/critical-controls.cfm
OWASP Top 10 (2013)
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
How to Prepare For a Privacy Breach
• You need a Breach Response Plan
• Think about your team (insource or outsource) and its leader
• Train your staff
• Review data retention and destruction policies
• Review security policies
• Know the law
Key factors that should alert organizations to a greater risk of a breach
Universal
• Organizations in same sectors where breaches have been reported
• Vulnerabilities that are being exploited in software packages, applications or tools used by the organization, reported in the news
Organizational
• Sudden changes in reported scanning/logging
• People as a threat vector
• Mergers and acquisitions
• Sudden staff turnover
• Planned layoffs
• Boom economy
In Summary
• Understand implications of Laws, Regulations and Policy Instruments applicable to your organization
• Ensure privacy and security controls are in place during the system life cycle
• Importance of complying with organisational policies and procedures
• Ensure your controls meet your organizational objectives
• Prepare yourself for a breach
Don’t be the next victim!
OPC Resources:
• Privacy Toolkit: A Guide for Businesses and Organizations
• Getting Accountability Right with a Privacy Management Program
• Ten Tips for Reducing the Likelihood of a Data Breach
• Key Steps for Organizations Responding to a Privacy Breach
• Securing Personal Information: A Self-Assessment Tool for Organizations
• Investigations into businesses
www.priv.gc.ca
@PrivacyPrivee
1-800-282-1376