kroenke_emis7e_ChExt141.pdf


Data Breaches

Chapter Extension 14

ce14-2

Study Questions

Copyright © 2017 Pearson Education, Inc.

Q1: What is a data breach?

Q2: How do data breaches happen?

Q3: How should organizations respond to data breaches?

Q4: What are the legal consequences of a data breach?

Q5: How can data breaches be prevented?


ce14-3

Q1: What Is a Data Breach?

• Data breach – Unauthorized person views, alters, or steals secured data

• 1+ billion people affected in past 5 years, 75% of breaches happened in US

• Average cost of a single data breach: $3.5 million

• Average cost per stolen record:

  – Healthcare ($359)

  – Education ($294)

  – Pharmaceutical ($227)

  – Financial ($206)

  – Communications industries ($177)

ce14-4

Costs of Handling a Data Breach

Direct Costs

• Notification

• Detection

• Escalation

• Remediation

• Legal fees and consultation

Indirect Costs

• Loss of reputation

• Abnormal customer turnover

• Increased customer acquisition activities

• Additional $3.3 million per incident in US

ce14-5

What Are the Odds?

• More likely to lose smaller amounts of data than larger amounts of data

  – 22% chance of losing 10,000 records over any 24-month period

  – <1% chance of losing 100,000 records over same period

ce14-6

Well-known Data Breaches


ce14-7

Why Do Data Breaches Happen?

• 67% are hackers trying to make money from:

  – Personally identifiable information (PII): names, addresses, dates of birth, Social Security numbers, credit card numbers, health records, bank account numbers, PINs, email addresses

• Rogue internal employees

• Credit card fraud, identity theft, extortion, industrial espionage


ce14-8

Q2: How Do Data Breaches Happen?

• Attack vectors

  – Phishing scam

  – Trick users into donating funds for a natural disaster

  – Exploit new software vulnerability

ce14-9

Hitting Target

• Lost 40 million credit and debit card numbers to attackers (Dec. 18, 2013)

• Less than a month later, announced additional 70 million customer names, emails, addresses, phone numbers stolen

  – Total 98 million customers affected

• Stolen from point-of-sale (POS) systems at Target retail stores


ce14-10

How Did They Do It?


ce14-11

The Damage

• Attackers sold about 2 million credit card numbers and PINs for about $26.85 each (total $53.7 million)

• Sold in batches of 100,000 card numbers

• Cost Target $450 million

  – Upgraded POS terminals to support chip-and-PIN enabled cards

  – Increased insurance premiums, legal fees, credit card processors settlement, pay for consumer credit monitoring, regulatory fines

  – Lost sales, 46% drop in next quarter revenues

ce14-12

Collateral Damage

• Credit unions and banks

  – Spent more than $200 million issuing new cards

• Consumers

  – Enrolled in credit monitoring, continually watch their credit, and fill out paperwork if fraudulent charges appear on statements

• Increased insurance premiums, stricter controls, and more system auditing for organizations similar to Target

ce14-13

Q3: How Should Organizations Respond To Data Breaches?

• Respond Quickly

  – Stop hackers from doing more damage (exfiltration, i.e., illegally transferring data out)

  – Immediately notify affected users

• Plan for a Data Breach

  – Walkthroughs, business continuity planning, computer security incident response team (CSIRT)

ce14-14

Q3: How Should Organizations Respond To Data Breaches? (cont'd)

• Get experts to perform an effective forensic investigation

• Identify additional technical and law enforcement professionals needed

• Be honest about the breach


ce14-15

Best Practices for Notifying Users of a Data Breach


ce14-16

Q4: What Are The Legal Consequences of a Data Breach?


ce14-17

Regulatory Laws Govern the Secure Storage of Data in Certain Industries

• Federal Information Security Management Act (FISMA)

  – Requires security precautions for government agencies

• Gramm-Leach-Bliley Act (GLBA), a.k.a. Financial Services Modernization Act

  – Requires data protection for financial institutions

• Health Information Portability and Accountability Act (HIPAA)

  – Requires data protection for healthcare institutions

• Payment Card Industry Data Security Standard (PCI DSS)

  – Governs secure storage of cardholder data

• Family Educational Rights and Privacy Act (FERPA)

  – Provides protection for student education records

ce14-18

Q5: How Can Data Breaches Be Prevented?

• Use countermeasures: software or procedures that prevent an attack

• Better phishing detection software

• Better authentication (i.e., multifactor authentication)

• Network intrusion detection system (NIDS) to examine traffic passing through internal network

• Data loss prevention systems (DLP) to prevent sensitive data from being released to unauthorized persons
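The DLP bullet above is easiest to understand with a concrete check. The following is an added example, not code from the Kroenke slides: a toy outbound-content scanner that looks for two of the PII types listed under Q1 (Social Security numbers and payment card numbers), uses the Luhn checksum to avoid flagging arbitrary 16-digit order numbers as cards, masks every match so the alert log does not itself become a store of secured data, and returns a block/allow verdict. The regular expressions, the function names, and the sample messages are all constructed for this example; the card number used is a standard test number that passes Luhn but is not issued to anyone.

```python
"""Toy data-loss-prevention (DLP) check for outbound text.

Added example, not part of the Kroenke chapter extension. Patterns,
function names and sample messages are constructed for illustration.
"""
import re

# Two PII types from the chapter's list: Social Security numbers written as
# ddd-dd-dddd, and payment card numbers of 13-19 digits, optionally grouped
# with spaces or dashes.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum that payment
    card numbers carry. This cuts false positives on plain digit runs such
    as order or tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so a DLP alert can be logged and
    reviewed without re-exposing the full identifier."""
    return "*" * (len(value) - 4) + value[-4:]


def find_pii(text: str) -> dict:
    """Return masked PII found in text, grouped by type."""
    findings = {"ssn": [], "card": []}
    for ssn in SSN_RE.findall(text):
        findings["ssn"].append(mask(ssn))
    for match in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", match)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings["card"].append(mask(digits))
    return findings


def verdict(text: str) -> str:
    """'block' if the message would carry card data or an SSN out of the
    network, otherwise 'allow'."""
    findings = find_pii(text)
    return "block" if findings["card"] or findings["ssn"] else "allow"


# Constructed sample messages: one with a card number, one with an SSN, and
# one whose 16-digit order id fails Luhn and must not be flagged.
SAMPLE_MESSAGES = [
    "Please charge card 4111 1111 1111 1111 for the order",
    "Customer SSN 123-45-6789 is on file, see attached",
    "Order id 1234567890123456 shipped, call 555-867-5309 with questions",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(verdict(msg), find_pii(msg))
```

A production DLP system would inspect mail, web uploads and file shares rather than a list of strings, and would add the other PII types from Q1 (health records, bank account numbers), but the two design points carry over: validate before alerting so analysts are not buried in false positives, and never log the matched value in the clear.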


ce14-19

Q5: How Can Data Breaches Be Prevented? (cont'd)

• Appoint a chief information security officer (CISO) to ensure sufficient executive support and resources