Understanding Sensitive Data and the Cyber Security Concerns
Presented by: Scott Partelow, Managing Consultant for Enterprise Solutions, Sword & Shield Enterprise Security, Inc.
Sensitive Data Types
What is considered sensitive information?
• Protected Health Information
• Payment Card Industry (PCI) Information
• Personally Identifiable Information
• Export Controlled Research
• Sensitive Institutional Data
• Attorney/Client Privilege
Protected Health Information (PHI)
Protected Health Information (PHI) is defined by the Health Insurance Portability and Accountability Act (HIPAA).
PHI is individually identifiable health information that relates to the:
• Past, present, or future physical or mental health or condition of an individual.
• Provision of health care to the individual by a covered entity (for example, a hospital or doctor).
• Past, present, or future payment for the provision of health care to the individual.
Payment Card Information
Information related to credit, debit, or other payment cards. This data type is governed by the Payment Card Industry (PCI) Data Security Standard.
Card brands covered include Visa, Mastercard, American Express, Discover Card, and JCB.
Personally Identifiable Information
Personally Identifiable Information (PII) is a category of sensitive information that is associated with an individual person.
PII does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Export Controlled Research
Export Controlled Research includes information that is regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation. The International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) govern this data type. Current law requires that this data be stored in the U.S. and that only authorized U.S. persons be allowed access to it.
Examples include formulas for explosives, satellite information, certain software, military electronics, and biological agents.
Sensitive Institutional Data
Examples include company investments, company merger and acquisition plans, software source code, engineering plans, and blueprints and building plans.
Unauthorized disclosure may have serious adverse effects on an entity's reputation, resources, or services, or on individuals.
Attorney/Client Privilege
Confidential communications between a client and an attorney for the purpose of securing legal advice. For the privilege of confidentiality to exist, the communication must be to, from, or with an attorney.
Data Breaches
Data breaches can have a negative effect on your organization in several different ways.
• Cost of Containment
• Cost of Notification
• Cost of Remediation
• Brand Strength
• Negative Publicity
• Upset Customers
Insider Threats and Sensitive Data Loss
• As the name implies, it is a threat with access to the inside.
• Active and Passive
  • Passive is typically due to poor training
  • Active is typically out of malice
• Reasons for insider threat:
  • Sudden reversal of financial situation or a sudden repayment of large debts or loans
  • Being disgruntled to the point of wanting to retaliate
  • Repeated or unrequired work outside of normal duty hours
  • Bringing an unauthorized electronic device into a controlled area
  • Making threats to the safety of people or property
• Reportable Behaviors:
  • Information Collection
  • Information Transmittal
  • Foreign Influence
Recent Insider Threat Example
(Diagram: insider, NSA air-gapped network, air gap override)
Some Interesting Statistics
Interesting Statistics, continued
Social Engineering
• Human Hacking
• Exploits the human factor and often bypasses technology and expensive equipment
• Types:
  • Phishing
  • Whaling
  • Dumpster Diving
  • Pretexting
  • Baiting
  • Tailgating
External Threats to Sensitive Data
Phishing
• (Spear) Phishing is one of the most common vectors
• Email is sent to get the recipient to perform one or both of the actions:
• Accuracy and aptitude of the email vary
  • Often display bad grammar
  • Sometimes spoofed
  • Frequently use shortened URLs (e.g. bit.ly)
  • Typically try to convey urgency or authority
• Pretexting and Vishing
  • Somewhat popular
  • Like phishing, but in a phone call
• SMiShing (SMS phishing) is growing in popularity
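A small mail-triage heuristic built on the indicators this slide lists (shortened URLs, spoofed sender details, urgency or authority language), added here as an example and not part of the original presentation; the two sample messages and the shortener list are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Indicators the slide lists: shortened URLs, spoofed sender, urgency/authority.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}  # constructed list
URGENCY = re.compile(r"\b(immediately|urgent(ly)?|within 24 hours|act now|"
                     r"account will be (suspended|closed)|verify your)\b", re.I)
URL_RE = re.compile(r"https?://([^/\s>]+)", re.I)

def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def score_message(raw: str):
    """Score one raw RFC 822 message; returns (score, reasons)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    name, addr = parseaddr(str(msg.get("From", "")))
    # Spoofing hint: display name embeds a domain other than the real sender domain.
    if _domain(name) and _domain(name) != _domain(addr):
        reasons.append(f"display name claims {_domain(name)}, address is {_domain(addr)}")
    # Spoofing hint: replies are quietly redirected to a different domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != _domain(addr):
        reasons.append(f"Reply-To domain {_domain(reply)} differs from From")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for host in sorted({h.lower() for h in URL_RE.findall(text)}):
        if host in SHORTENERS:
            reasons.append(f"shortened URL host {host}")
    if URGENCY.search(text):
        reasons.append("urgency/authority language in body")
    return len(reasons), reasons

# Constructed sample messages (not real mail): one phishing-style, one benign.
PHISH = """From: "payroll@corp.example" <notices@corp-payroll-alerts.example>
Reply-To: hr-desk@mailbox-relay.example
Subject: Action required

Your account will be suspended within 24 hours unless you verify your details at http://bit.ly/x1
"""
BENIGN = """From: Jane Doe <jane.doe@corp.example>
Subject: Lunch menu

Next week's cafeteria menu is posted at https://intranet.corp.example/menu
"""
print(score_message(PHISH)[1])  # lists the indicators found; BENIGN yields none
```

A score like this is a triage aid for a mail gateway or SOC queue, not a verdict; the thresholds and phrase list need tuning against your own mail.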
What is Malware?
• Malware is malicious software
• Malware behaves differently from one variant or flavor to another
• Sometimes detectable; other times not
• Sometimes poses as something useful
• Poses bigger threats:
  • Data exfiltration
  • Ransomware
  • Damage to system
  • Damage to reputation
• Motives (the same as most cyber attacks):
  • Opportunity
  • Financial
  • Organized crime
  • Nation-state
  • Hacktivism
How much would you pay to keep your secret a secret?
OR
How much would you pay to have access to your own data?
Strategies for Protecting Sensitive Information
• Training Staff
• Defined Policies and Procedures
• Incident Response Program
• Technical Controls
• Endpoint Protection Including Whitelisting
• Patch Management Strategy
• Testing the Environment
Security awareness training should be frequent and contain up-to-date information.
Understanding the need to protect sensitive information should always be a topic.
Develop, Implement and Train on Policies and Procedures
Develop and Test the Incident Response Program
Activities in the Incident Response Program:
• Preparation
• Detection and Investigation
• Initial Response
• Containment
• Eradication and Recovery
• Notification
• Closure and Post-Incident Activity
• Documentation and Evidence Handling
• Tabletop Testing
Implement Strong Technical Controls
• Strong Access Controls (Concept of Least Privilege)
• Defense in Depth Security and Network Architecture
• Data Encryption
• Endpoint Protection
• Application Whitelisting
• Aggressive Patch Management
• SIEM Technology
• Consider Security Enclaves