Data_Security 012115 - Campus Technology Committee (CTC)

Data Risk and Security
Andrew Roderick
Campus Technology Committee – January 21, 2015
Shall We Play A Game?
IT Security
• Server
• Application
• Network
• Endpoint
Data drives risk
Cost of Data Risk
• Financial: average cost of a data breach is $136 per record (2014 Cost of Cybercrime Study, Ponemon Institute)
• Trust and Prestige: donors, grant-funding agencies, general community
• Staff Time: when a breach occurs, paperwork, “special” meetings, process changes, IT work
• Ethics: University entrusted with oversight of records on behalf of students, faculty, and staff
Think about your own personal data in the University and with other institutions.
What Is Confidential Data?
• Passwords, credentials, or PINs
• Social Security Number and Name
• Birth date + four digits of SSN and Name
• Credit Card Numbers
• Tax ID + Name
• Driver’s License, State ID, Passport
• Health Insurance Information
• Medical or Psychological Counseling Records
• Bank Acct or Debit Card + access code
• More….
Examples called out on the slide:
• SSNs for Student Assistant and Staff Payroll
• Budget Spreadsheets (pre-2009)
• Defensive Drivers Training Anyone?
• Travel Prep or Claims
• Photocopy of CDL or Passport
• Invoices or Vendor Records
• Invoices (Tax ID)
Do I Have Confidential Data?
Probably
Wherever users store files, confidential data will be there:
• File Servers
• State Workstations
• Unmanaged Home Workstations
• Dropbox/Box.com
• USB Drives
Case Study: Financial Risk
• Six physical servers, one VMware implementation
• Multiple services including:
  o File shares for academic departments (groups) and individuals (faculty and staff)
  o Multiple domain servers
  o License servers
• College of BSS reorganized over three years ago
• Hardware and services orphaned to some extent
• Services continued in use
Case Study: Financial Risk (cont’d)
• Individual Shares: 338 GB; 677,000 files; 2,500 files with sensitive data; 173,850 record matches
• Group/Departmental Shares: 98 GB; 199,000 files; 1,000 files with sensitive data; 98,347 record matches
• Total: 272,197 sensitive data records
Scenario:
• Assume ¾ of the matches are false positives: 68,049 records remain
• Assume that 50% are recurring users: 34,024 records remain
• 34,024 x $136 = $4,627,264
Detection and Remediation
[Process diagram. Stage labels: Discovery, Analyze, Assess Risk, Mitigate Risk, Cleanse, Migrate, Decommission. Items listed in the diagram: determine ownership; determine currency of shares, active status (active or nonactive); malware/virus scans; PII scan; forensics; clean, investigate malware (if any); PII data: quarantine, purge, repatriate; review need for PII data; with organization; to security team.]
Remediation Considerations
• In decision-making around how to handle files with PII Data…
  o Quarantine provides reassurance to end users that data may still be available if they need it (they typically won’t)
  o Shut down access to files or refresh changed data later
  o Process:
    ▪ Create unaltered copy and remediation copy
    ▪ Store unaltered copy on encrypted storage
    ▪ Scan and quarantine “remediation copy”
    ▪ Quarantined files are replaced with file placeholders
    ▪ Migrate remediated files (if necessary)
    ▪ Continued communication with users to review quarantined files
    ▪ Set purge date for unaltered copy (original data)
    ▪ Decommission hardware (if necessary)
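The copy, scan, quarantine and placeholder steps of the process above, as an added Python example (not code from the original slides). It assumes a dashed-SSN regular expression as the PII detector, a hypothetical `.QUARANTINED.txt` placeholder name, and that the `unaltered` directory sits on encrypted storage; the sample share is constructed.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Assumed detector: dashed US SSNs (NNN-NN-NNNN), skipping never-issued ranges.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def count_matches(path: Path) -> int:
    """Count SSN-like record matches in one file (decoded as text, errors ignored)."""
    return len(SSN_RE.findall(path.read_text(encoding="utf-8", errors="ignore")))


def remediate(share: Path, unaltered: Path, working: Path, quarantine: Path) -> dict:
    """Run the copy/scan/quarantine/placeholder steps; return {relative path: matches}."""
    shutil.copytree(share, unaltered)  # unaltered copy; assumed to sit on encrypted storage
    shutil.copytree(share, working)    # remediation copy that gets scanned and cleaned
    findings = {}
    for f in sorted(p for p in working.rglob("*") if p.is_file()):
        hits = count_matches(f)
        if hits == 0:
            continue
        rel = f.relative_to(working)
        dest = quarantine / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(f), str(dest))  # quarantine the flagged file
        # Placeholder (hypothetical naming) explains the move without repeating the data.
        f.with_name(f.name + ".QUARANTINED.txt").write_text(
            f"{rel.as_posix()} was quarantined: {hits} possible SSN match(es).\n"
            "Ask the security team to review or restore it.\n"
        )
        findings[rel.as_posix()] = hits
    return findings


def demo() -> dict:
    """Run the process on a constructed sample share inside a temp directory."""
    root = Path(tempfile.mkdtemp())
    share = root / "share"
    (share / "payroll").mkdir(parents=True)
    # Constructed sample files; the SSN-like values are made up.
    (share / "payroll" / "assistants.csv").write_text("name,ssn\nA,123-45-6789\nB,234-56-7890\n")
    (share / "syllabus.txt").write_text("Office: 555-0100. Not valid: 000-12-3456\n")
    found = remediate(share, root / "unaltered", root / "working", root / "quarantine")
    return {"root": root, "found": found}


if __name__ == "__main__":
    print(demo()["found"])
```

The returned per-file match counts are raw record matches, which the case study treats as mostly false positives until reviewed.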
User Involvement
What happens when users move their own data?
• Never purge anything
• Review it tomorrow/too busy
• Create a stash in Dropbox or on local computer
• I need everything
Risk:
• Users do not respond
• Stash data insecurely
Stop Confidential Data from Returning
Business Process Change
• How is confidential data collected? Files? University Systems?
• Assess current use of confidential data – is it needed for a business requirement? Is there an alternative source?
• Which teams and which staff require use of confidential data?
[Diagram labels: Remove existing confidential data; Cease or limit continued use]