Cyberthreats and DataFlows - Dealing with an Interconnected World
(slide transcript, 9/21/2011)
Orrie Dinstein Chief Privacy Leader and Senior IP & IT Counsel
GE Capital
CT Privacy Forum Hartford, Sept 2011
The rise of the Hacktivist

Cyber threats | Motivation | Threat

Nation States & Terrorists (cyber-war)
Motivation: • Espionage • Strategic or political advantage • Terrorism • Data theft • War
Threat: • Working ability jeopardized • Physical safety at risk • Loss of productivity • Loss of sensitive data • Reputational damage

Cyber-criminals
Motivation: • Corporate espionage • Financial gain • Identity theft
Threat: • Loss of sensitive data • Decreased competitiveness • Reputational damage • Business disruption

Hacktivists (Anonymous; Wikileaks)
Motivation: • Harassment • Vandalism • Fame/PR • Identity theft
Threat: • Personal information and nonpublic data made public • Competitiveness jeopardized • Reputational damage
• The IMF
• The U.S. Senate
• The CIA’s main public website
• The website of InfraGard, an organization affiliated with the FBI
• The U.K.'s Serious Organised Crime Agency
• Arizona’s Dept of Public Safety
• Fox.com
• PBS
• Sony Pictures
• Bethesda Softworks, a Maryland game maker
• porn website pron.com
• websites belonging to the Brazilian government and energy giant Petrobras
• Nintendo
• Booz Allen Hamilton
• Monsanto
• The Turkish government
• NATO
• the Italian Cybercrime agency
• Austrian broadcaster ORF
• U.S. government contractor Mantech International Corp.
• Murdoch’s paper The Sun, directing visitors to a fake article claiming he died
• Fox News Twitter account - falsely tweeting that President Obama had been killed
• the Twitter account for PayPalUK
The Threats
Malware (virus; worm; spyware; Trojan; backdoor; rootkit; keystroke logger)
Scareware
P2P accounts
Scams; Spoofing of accounts
Social engineering
Botnets/zombies (DDoS attacks)
SPAM (also in use in VoIP [SPIT] and IM [SPIM])
Phishing (spear phishing and whaling)
Social Networking threats
• Social networking is becoming the preferred way to interact/connect and becoming a massive repository of personal data
• Increased capability on portable devices and networks
• Convergence of Personal and Business Data
• Increased Software/Hardware Vulnerabilities
• Organized Crime and Targeted Attacks
• Social Engineering
• Password crackers
• Social engineering
• Internet attacks (SQL injection; XSS)
Hacks
Anatomy of a hack – HBGary Federal is taken down by Anonymous
Step 1: SQL injection attack – exposed emails, usernames and passwords; passwords were encrypted
Step 2: password crack (rainbow tables) [weak algorithm and short passwords]
Step 3: reuse of passwords allowed access to other machines and to the CEO’s email
Step 4: elevation-of-privileges flaw allowed root access to some machines
Step 5: emails to the admin allowed access to other necessary servers where remote root access is denied
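The defensive lesson of steps 1 and 2 is the same in any stack: a query built by string formatting lets input rewrite the statement, and an unsalted fast hash lets one precomputed table crack every reused password at once. The following Python is an added example written for this transcript (it is not the deck's material and has nothing to do with HBGary's actual systems); the user table, the probe string and the `pbkdf2_sha256$iterations$salt$dk` storage layout are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory user table for this example (not HBGary's data).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "placeholder"), ("bob", "placeholder")])
    return db

# Step 1 lesson: SQL built by string formatting lets user input change the
# query's structure. This function is deliberately vulnerable for contrast.
def find_user_vulnerable(db, name):
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return sorted(row[0] for row in db.execute(sql))

# Hardened form: the driver sends the value separately from the SQL text,
# so the input is always compared as a literal and cannot alter the statement.
def find_user_parameterized(db, name):
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in db.execute(sql, (name,)))

# Step 2 lesson: an unsalted fast hash maps every user with the same password
# to the same digest, which is exactly what a precomputed (rainbow) table
# exploits. Kept only to show the weak pattern.
def weak_hash(password):
    return hashlib.md5(password.encode()).hexdigest()

# Hardened form: a random per-user salt defeats precomputed tables and a slow
# KDF makes each guess expensive. Storage format "algo$iterations$salt$dk"
# is a layout chosen for this example.
def strong_hash(password, salt=None, iterations=200_000):
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_strong(password, stored):
    algo, iterations, salt_hex, _ = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    recomputed = strong_hash(password, bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(recomputed, stored)

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, probe))        # every user
    print("parameterized:", find_user_parameterized(db, probe))  # no match
    print("same md5 for same password:", weak_hash("password") == weak_hash("password"))
    stored = strong_hash("password")
    print("salted hashes differ:", stored != strong_hash("password"))
    print("verify:", verify_strong("password", stored))
```

The two contrasts are the point: the parameterized query returns nothing for the tautology probe that makes the formatted query return every row, and two users who pick the same password get different salted digests, so a single precomputed table no longer unlocks both. Step 3 of the incident (password reuse across machines) is the reason the slow, salted hash matters even for accounts that look unimportant.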
Prevention
• Policies
• Data classification
• Training and awareness campaigns
• Manage third parties/contractors
• Encryption
• Access controls
• Multi-Factor authentication
• Network monitoring
It all starts with knowing where your data sits
and what your data flows are
EASIER SAID THAN DONE!!!
Multiple End-Point Storage Devices
• iPhones and other PDAs
• iPads and other tablets
• Digital Cameras
• Thumb Drives
• CD/DVD Drives
• Smart peripherals
• Personal devices
• Employee mobility – remote access
Increasingly complex environment
Managing Data Flows
Globalization of Privacy – Status of Data Protection Laws around the world
[World map. Legend: Blue – Comprehensive Data Protection Law Enacted; Orange – No omnibus law but lots of sectoral and state laws; Red – Pending Effort to Enact Law; White – No Law. Callouts mark countries with a “New law” or “New regs”.]
Global privacy regimes
U.S.: • Limited sectoral legislation • Primarily self-regulated
APEC/Canada: • Stronger privacy laws and regulatory oversight • Minimal administrative requirements
EU: • Strong global legislation • Strict regulatory environment • Administrative burdens • Strict enforcement
The E.U.
EUDPD – data transfers
• “Transfer” defined broadly; includes mere remote read-only access to EU-based data
• Transfers within the EU – allowed, but subject to formalities; needs to be legally justified
• Transfer outside the EU/EEA only to countries that offer “adequate” protection: Switzerland, Argentina, Canada, Israel, some islands you never heard of, and U.S. [“Safe-Harbor” members] – or subject to legal justification
• Transfers to “inadequate countries” require special exceptions and justifications
Data transfer justifications
Justifications for transfers to inadequate countries:
• Data controller obtains “informed consent” of the data subject – requires “unambiguous” consent; explicit consent for sensitive data and for transfers outside the EU
• Under statutory exceptions (very narrowly drafted) [e.g., transfer “necessary for the performance of a contract”]
• Under a contract: C2C (model/ICC); C2P (ICC); specific contract
• Under Binding Corporate Rules
• Aggregate/anonymous data
Binding Corporate Rules
• Internal codes of conduct
• Only apply to multinational organizations transferring personal information outside the EEA, but within their group of cos.
• Requires approval from all relevant EU data protection authorities – Lead Authority system established and 2/3 of the EU countries have accepted it
• Applications for authorization must include: evidence that the measures are binding, internally & externally; details of a data protection audit plan; a description of processing and flows of information; a description of the data protection safeguards in place; details of a mechanism for reporting and recording changes
• Model checklists, standard application forms and BCR frameworks have been compiled by the WP29
• Removes the onerous obligations of executing model contracts for every transfer
BCR’s drawbacks
Approval process is difficult and time consuming
Lead Authority selection is key – DPA attitudes and resources devoted to BCR’s vary
Some Member States’ national laws (e.g. Portugal) do not support the concept of unilateral decision making and so cannot approve BCR
The WP29 Guidelines may be taken as rigid templates by some DP authorities.
Substantial changes in an organization’s structure are likely to trigger a requirement for a revised authorization
U.S. Model vs. EU Model:
              U.S.              E.U.
Scope         Sectoral          Comprehensive
Focus         Notice            Core rights
Notices       General, opt out  Detailed, opt in
Approvals     None              Many
Transfers     Unrestricted      Approvals
Enforcement   Decentralized     Centralized
Fines         Significant       Low in most countries
APEC (Asia Pacific Economic Cooperation)
Created an information privacy framework with 9 privacy principles (consistent with OECD Guidelines):
Preventing harm
Integrity
Notice
Security
Collection limitation
Access and correction
Uses of personal information
Accountability
Choice
Endorsed by 21 member economies in November 2004
Operationalizing data flows
Europe
Solving the data flows
Are your int’l data flows point to point?
U.S. – Asia: contracts, accountability
U.S. – Canada: accountability
U.S. – EU: assess your options
Truly global data flows – need global solutions
Corporate Privacy Rules [BCR in EU]
Keep personal data local
Global Consents
World Wide Web of contracts
Data flow checklist
Do you know what data is going to be transferred
Do you know where it is going from and where to
Do you know who might see the data along the way
Did you get all necessary approvals
Did you vet the security, taking into account the nature of the data and the manner of transmission
Do you have contracts in place with vendors and suppliers involved in the data transfer and do the contracts have the necessary privacy clauses
Do you have an incident response plan and team in case data gets lost or stolen
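“Knowing where your data sits and what your data flows are” becomes practical once the inventory is a structure a program can check. The Python below is an added example, not part of the deck, that encodes the EUDPD transfer rules as the slides summarize them (intra-EU transfers allowed subject to formalities; adequate countries; U.S. Safe Harbor members; explicit consent, statutory exceptions, contracts, BCR or anonymised data for “inadequate” destinations) and runs the data flow checklist above over a constructed flow inventory. The EU/EEA country set is a partial, constructed list; only the adequate countries the deck names are encoded; the mechanism and control tag names are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Country sets are constructed for this example. ADEQUATE holds the countries
# the deck names as "adequate" in 2011; the unnamed islands are left out.
EU_EEA = {"Germany", "France", "Ireland", "Netherlands", "Norway"}  # partial, constructed
ADEQUATE = {"Switzerland", "Argentina", "Canada", "Israel"}

# Justifications the deck lists for transfers to "inadequate" countries.
# The tag names are assumptions made for this example.
JUSTIFICATIONS = {"explicit_consent", "statutory_exception",
                  "model_contract", "specific_contract", "bcr"}

# The deck's data flow checklist, keyed by an assumed control tag.
CHECKLIST = {
    "inventory": "know what data is transferred, from where and to where",
    "intermediaries": "know who might see the data along the way",
    "approvals": "all necessary approvals obtained",
    "security_vetted": "security vetted for the data and the manner of transmission",
    "vendor_contracts": "vendor/supplier contracts carry the needed privacy clauses",
    "incident_plan": "incident response plan and team ready for loss or theft",
}

@dataclass
class DataFlow:
    name: str
    source: str
    destination: str
    data_class: str                               # "personal", "sensitive", "anonymous"
    mechanisms: set = field(default_factory=set)  # e.g. {"bcr"}, {"safe_harbor"}
    controls: set = field(default_factory=set)    # checklist tags with evidence

def assess_transfer(flow):
    """Map one flow to (verdict, reason) using the EUDPD rules as the deck states them."""
    if flow.source not in EU_EEA:
        return "out_of_scope", "not EU/EEA-origin data; apply the local regime"
    if flow.data_class == "anonymous":
        return "allowed", "aggregate/anonymous data"
    if flow.destination in EU_EEA:
        return "allowed_with_formalities", "intra-EU transfer still needs a legal justification"
    if flow.destination in ADEQUATE:
        return "allowed", "destination offers adequate protection"
    if flow.destination == "U.S." and "safe_harbor" in flow.mechanisms:
        return "allowed", "U.S. recipient is a Safe Harbor member"
    used = sorted(flow.mechanisms & JUSTIFICATIONS)
    if used:
        return "allowed", "inadequate country, justified by " + ", ".join(used)
    if "unambiguous_consent" in flow.mechanisms:
        # The deck: consent must be explicit for transfers outside the EU.
        return "blocked", "consent must be explicit for transfers outside the EU"
    return "blocked", "inadequate country and no justification on file"

def checklist_gaps(flow):
    """Checklist items the flow owner cannot yet evidence."""
    return [text for tag, text in CHECKLIST.items() if tag not in flow.controls]

def review(flows):
    """Inventory-style report: one entry per named flow."""
    report = {}
    for f in flows:
        verdict, reason = assess_transfer(f)
        report[f.name] = {"verdict": verdict, "reason": reason, "gaps": checklist_gaps(f)}
    return report

# Constructed sample inventory.
SAMPLE_FLOWS = [
    DataFlow("hr-to-india-affiliate", "Germany", "India", "sensitive", {"bcr"}, set(CHECKLIST)),
    DataFlow("crm-to-us-vendor", "France", "U.S.", "personal", {"safe_harbor"},
             {"inventory", "approvals"}),
    DataFlow("support-to-india-vendor", "Ireland", "India", "personal", {"unambiguous_consent"}),
    DataFlow("payroll-to-canada", "Netherlands", "Canada", "personal"),
    DataFlow("intranet-mirror", "Norway", "France", "personal"),
    DataFlow("analytics-anonymised", "Germany", "Japan", "anonymous"),
    DataFlow("us-to-asia", "U.S.", "Japan", "personal"),
]

if __name__ == "__main__":
    for name, result in review(SAMPLE_FLOWS).items():
        print(f"{name}: {result['verdict']} ({result['reason']}); open checklist items: {len(result['gaps'])}")
```

Two design points are worth keeping when adapting this: the transfer verdict and the checklist are reported separately, because a legally permitted flow with no vetted security or incident plan is still a gap the slides call out; and a flow whose source is outside the EU/EEA is returned as out of scope rather than allowed, since the deck's U.S.–Asia and U.S.–Canada lines point to different regimes (contracts, accountability) that this rule set does not encode.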
Orrie Dinstein [email protected]
QUESTIONS?