understanding the sensitive data you keep - eteba · protected health information (phi) is defined...

Post on 01-Aug-2020


Understanding Sensitive Data and the Cyber Security Concerns

Presented by: Scott Partelow, Managing Consultant for Enterprise Solutions, Sword & Shield Enterprise Security, Inc.

Sensitive Data Types

What is considered sensitive information?

• Protected Health Information
• Payment Card Industry (PCI) Information
• Personally Identifiable Information
• Export Controlled Research
• Sensitive Institutional Data
• Attorney/Client Privilege

Protected Healthcare Information (PHI)

Protected Health Information (PHI) is defined by the Health Insurance Portability and Accountability Act (HIPAA).

PHI is individually identifiable health information that relates to the:

• Past, present, or future physical or mental health or condition of an individual.
• Provision of health care to the individual by a covered entity (for example, hospital or doctor).
• Past, present, or future payment for the provision of health care to the individual.

Payment Card Information

Information related to credit, debit, or other payment cards. This data type is governed by the Payment Card Industry (PCI) Data Security Standards.

• Visa
• Mastercard
• American Express
• Discover Card
• JCB

Personally Identifiable Information

Personally Identifiable Information (PII) is a category of sensitive information that is associated with an individual person.

PII does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Export Controlled Research

Export Controlled Research includes information that is regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation. The International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) govern this data type. Current law requires that this data be stored in the U.S. and that only authorized U.S. persons be allowed access to it.

• Formulas for Explosives
• Satellite Information
• Certain Software
• Military Electronics
• Biological Agents

Sensitive Institutional Data

• Company investments
• Company merger and acquisition plans
• Software source code
• Engineering plans
• Blueprints and building plans

Unauthorized disclosure may have serious adverse effects on an entity’s reputation, resources, or services or on individuals.

Attorney Client Privilege

Confidential communications between a client and an attorney for the purpose of securing legal advice. For the privilege of confidentiality to exist, the communication must be to, from, or with an attorney.

Data Breaches

Data breaches can have a negative effect on your organization in several different ways.

Cost of Containment

Cost of Notification

Cost of Remediation

Data Breaches, continued…

Data breaches can have a negative effect on your organization in several different ways.

Brand Strength

Negative Publicity

Upset Customers

Insider Threats and Sensitive Data Loss

• As the name implies, it is a threat with access to the inside.
• Active and Passive
  • Passive is typically due to poor training
  • Active is typically out of malice
• Reasons for insider threat:
  • Sudden reversal of financial situation or a sudden repayment of large debts or loans
  • Being disgruntled to the point of wanting to retaliate
  • Repeated or unrequired work outside of normal duty hours
  • Bringing an unauthorized electronic device into a controlled area
  • Making threats to the safety of people or property
• Reportable Behaviors:
  • Information Collection
  • Information Transmittal
  • Foreign Influence

Recent Insider Threat Example

[Diagram labels: Insider; NSA Air Gapped Network; Air Gap Override]

Some Interesting Statistics

Interesting Statistics Cont.

Social Engineering

• Human Hacking
• Exploits the human factor and often bypasses technology and expensive equipment
• Types:
  • Phishing
  • Whaling
  • Dumpster Diving
  • Pretexting
  • Baiting
  • Tailgating

External Threats to Sensitive Data

Phishing

• (Spear) Phishing is one of the most common vectors
• Email is sent to get the recipient to perform one or both of the actions:
• Accuracy and Aptitude of the email vary
  • Often display bad grammar
  • Sometimes spoofed
  • Frequently use shortened URLs (e.g. bit.ly)
  • Typically try to convey urgency or authority
• Pretexting and Vishing
  • Somewhat popular
  • Like phishing, but in a phone call
• SMiShing is growing in popularity

What is Malware?

• Malware is Malicious Software
• Malware behaves differently from one variant or flavor to another
• Sometimes detectable; others not
• Sometimes poses as something useful
• Poses bigger threats:
  • Data exfiltration
  • Ransomware
  • Damage to system
  • Damage to reputation
• Motives
  • Same as most cyber attacks
  • Opportunity
  • Financial
  • Organized Crime
  • Nation-state
  • Hacktivism

How much would you pay to keep your secret a secret?

OR

How much would you pay to have access to your own data?

Strategies for Protecting Sensitive Information

• Training Staff
• Defined Policies and Procedures
• Incident Response Program
• Technical Controls
• End point Protection Including Whitelisting
• Patch Management Strategy
• Testing the Environment

Security Awareness Training should be frequent and contain up-to-date information.

Understanding the need to protect sensitive information should always be a topic.

Develop, Implement and Train on Policies and Procedures

Develop and Test the Incident Response Program

Activities in the Incident Response Program

o Preparation
o Detection and Investigation
o Initial Response
o Containment
o Eradication and Recovery
o Notification
o Closure and Post-Incident Activity
o Documentation and Evidence Handling
o Tabletop Testing

Implement Strong Technical Controls

o Strong Access Controls (Concept of Least Privilege)
o Defense in Depth Security and Network Architecture
o Data Encryption
o Endpoint Protection
o Application Whitelisting
o Aggressive Patch Management
o SIEM Technology
o Consider Security Enclaves
