
1

The Experience of a Large Database Security Breach

Jim Davis Associate Vice Chancellor & CIO

Securing California

2

What Does it Feel Like

Denial --> Acceptance

Technical --> Personal

Local --> Institutional [lost laptop different]

Comfortable --> Vulnerable

No longer the same

3

Agenda

Decision to notify
Notification: Email, Letters, Call Center, Website, Media, Calls
People, People, People
Aftermath
Lessons Learned

4

UCLA Security Incident

Attack detected November 21, 2006

Incident Response Plan put into action
• Took server offline
• Appropriate notifications and engaged FBI
• Began forensic analysis of logs

Sophisticated attack, activity concealed

5

UCLA Security Incident

Compromised database contained records for 803,000 persons

• Current & Former Students (UCLA)
• Current & Former Employees (UCLA, UCOP, UCM)
• Applicants (UCLA)
• Parents of Financial Aid Applicants (UCLA)

Contained Names & SSNs
• No Driver's License, Credit Card or Bank Account numbers

6

Decision to Notify

Notification authority rests with CIO

Well-established incident response protocol

The decision panel:
• ISO
• IPO
• Director responsible for breached database operation
• Campus network architect
• Legal counsel
• UC IPO

7

Primary notification criteria

Determining the Threshold for Security Breach Notification

Factors

A-1. Indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing unencrypted notice-triggering information.

A-2. Indications that the information has been downloaded or copied, for example: an ftp log that contains the name of a file containing notice triggering information.

A-3. Indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.

8

The Important Additional Criteria

The University of California recommends consideration of these additional factors:

Factors

B-1. Duration of exposure.

B-2. Indications that any download or copy activity has occurred, even if there is no specific evidence that there was a download or copy of data subject to the law.

B-3. The extent to which the compromise indicates a directed attack, such as a pattern showing the machine itself was specifically targeted.

B-4. Indication that the attack intended to seek and collect personal information.
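Factors A-2 and B-1 above can be checked mechanically once the breached server's transfer logs are in hand. The following is an added example, not part of the presentation: it screens constructed FTP xferlog lines (wu-ftpd/vsftpd layout assumed) for downloads of files known to hold notice-triggering data by hosts outside an assumed allow-list, and reports the span of exposure between the first and last such transfer.

```python
# Added example (not from the presentation): screen FTP transfer logs for the
# A-2 "download or copy" indication and the B-1 "duration of exposure" factor.
# Assumes the classic wu-ftpd/vsftpd xferlog layout; every line below is constructed.
from datetime import datetime

XFERLOG_TIME = "%a %b %d %H:%M:%S %Y"

# Constructed inventory: exports known to contain names and SSNs.
NOTICE_TRIGGERING_FILES = {"/export/fin_aid_2006.csv", "/export/hr_roster.db"}
# Constructed allow-list: the only host that legitimately pulls those exports.
AUTHORIZED_HOSTS = {"10.0.5.20"}

SAMPLE_XFERLOG = """\
Tue Nov 14 02:11:09 2006 2 198.51.100.77 1048576 /export/fin_aid_2006.csv b _ o r dbadmin ftp 0 * c
Wed Nov 15 09:30:00 2006 1 10.0.5.20 4096 /export/hr_roster.db b _ o r batch ftp 0 * c
Sat Nov 18 03:42:51 2006 5 198.51.100.77 9437184 /export/hr_roster.db b _ o r dbadmin ftp 0 * c
Mon Nov 20 11:05:13 2006 1 10.0.5.20 512 /pub/readme.txt a _ o a anonymous ftp 0 * c
"""


def parse_xferlog_line(line):
    """Split one xferlog record into the fields the review needs, or None if malformed."""
    parts = line.split()
    if len(parts) < 18:
        return None  # truncated or unrelated line: skip rather than guess
    when = datetime.strptime(" ".join(parts[0:5]), XFERLOG_TIME)
    return {"when": when, "host": parts[6], "size": int(parts[7]), "path": parts[8],
            "direction": parts[11], "user": parts[13], "complete": parts[17] == "c"}


def assess_download_indication(log_text):
    """Return (flagged_records, exposure_days): A-2 evidence and the B-1 span."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        # 'o' = outgoing from the server, i.e. a client downloaded the file.
        if rec is None or rec["direction"] != "o":
            continue
        # Partial transfers still count: even an incomplete copy is exposure.
        if rec["path"] in NOTICE_TRIGGERING_FILES and rec["host"] not in AUTHORIZED_HOSTS:
            flagged.append(rec)
    if not flagged:
        return [], 0
    times = [r["when"] for r in flagged]
    return flagged, (max(times) - min(times)).days
```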

9

Decision Tensions

Big difference in impact on institution between tens of thousands vs. hundreds of thousands of notifications

Big difference in logistics to notify between tens of thousands and hundreds of thousands

Wait too long to notify: not responsive

Wait too long to notify: lose capacity to manage relationships

Notify too quickly: not prepared to manage relationships

Notify too many, too quickly: unnecessary alarm

Informed people protect themselves better

UCLA's philosophical position on individual privacy is to keep people informed

10

Notification Logistics

Notification process project managed by executive lead of unit

Federated environment: policy puts primary resource burden on unit

Notification logistics and execution team:
• Unit Executive Head
• Director responsible for breached database operation
• CIO
• ISO
• IPO
• Campus network architect
• Legal counsel
• Media and communications

Functioned like an emergency response team

11

The Decision Chart

[Chart: timeline across Week 1 to Week 4 plotting Notification Effort and Notification # (up to 800K), marking the Notification Decision, the Notification Process, the Large Notification Logistics Decision and the 800K Notification Decision]

12

Notification

Decided to notify 803,000
• Email, US Mail
• Addresses for 70%
• Press releases and media reports
• News outlets: California, nation and world
• LA Times, NY Times, AP, CNN, all local TV stations
• www.identityalert.ucla.edu
• 26 Call Centers, 1600 Operators
• 1000 calls/hour initially
• 35,000 calls received to date
• 400 follow-up calls
• Reached 75-80% of affected population
• Institutional relationship maintained

13

Scripting for A Call Center

Script must be precise, thorough and 'bullet-proof'

Script and operators must be amenable to immediate corrections and enhancements

Script must allow for quick and simple coding into a database

14

Adjusting the Script:

Original Script Greeting:
“Thank you for calling the UCLA Identity Alert Hotline. I would like to assist you. UCLA knows that this incident has caused concern, and I want to provide you with the information and suggest steps you can take to protect yourself from the possibility of identity theft. So that I can better assist, can you please tell me whether you received notification from the university or whether you heard about the call center from news media reports?”

Script 1 hour later:
“Thank you for calling the UCLA Identity Alert Hotline. How may I help you?”

15

Call Center Statistics: December 2006 – August 2007

16

http://www.identityalert.ucla.edu/

Gwen’s website slides here

17

http://www.identityalert.ucla.edu/what_you_can_do.htm

Gwen’s website slides here

18

Identity Alert Web Statistics: December 2006 – September 2007 (and 1/07-9/07)

19

Need for Escalation Path

Call center serves specific role:

Validation, resource referral and data collection

BUT… Callers are frightened, frustrated, angry, panicked, indignant, hurt and
• Need to know more details
• Need to speak with a UCLA representative who can respond knowledgeably, accurately and honestly
• Need empathy
• Need reassurance and assistance regarding next steps

20

Individual Relations

The largest group: felt violated, anxious; wanted a live person
• Answers
• Reassurance
• Clarification
• Empathy

Smaller group: information & answers

2% angered and distraught: demanded to speak to a UCLA official (600 individual calls)

21

“Angry, Irate, Distraught”: Examples of Escalation Call Questions

“How did UCLA let this happen?”

“The last letter I received from UCLA was a rejection letter, and now I get this. Why was I in your database?”

“I just got a letter! Does that mean my identity has been stolen?”

“Who was fired? I want to know who’s responsible for this!”

“This is tremendously upsetting and it’s time-consuming to fix. How is UCLA going to make this right for me?”

“My child got this letter, and he was killed last year. What should I do?”

22

Post Notification Chart

[Chart: timeline across Week 4 to Week 7 continuing the Notification Effort and Notification # curves (800K), marking the Notification Decision, the Notification Process, the Decision to Contact 28,600, and Compliance Reviews]

23

Follow-up Letter

Personalized

24

Breach Aftermath

Policy and compliance reviews - no compliance issues
• UC Office of General Counsel
• State Attorney General
• UC Board of Regents

SSN policies - no compliance issues
• Sparked broader initiatives at state and federal levels on use of SSNs
• State representative and judiciary
• FTC

Notification laws - Senator Feinstein

Constituency relations
• Relations with university generally retained
• No identity theft directly attributable

25

Reducing Retention of Personal Data

Every SSN had a requirement
• Financial Aid reporting
• Federal Tax Relief Act tuition tax credit
• Test scores
• National Student Clearinghouse
• IRS & EDD
• Identity Matching

26

UC-wide Information Security

Policy development and communication:
- UC Electronic Information Security Policy
- Stewardship of Electronic Information Resources

Compliance strategies: (e.g. HIPAA, California Security Breach legislation, Payment Card Industry data security, security rider for vendor contracts)

Shared resources: (e.g. UC Security web site; security software & professional services agreements; UC security experts work group)

Information collection and dissemination:
- Tracking security breaches and sharing information
- Raising awareness of the importance of information security

27

Lessons Learned

Independent and objective panel for deliberations about whom to notify

Provisions for confidentiality

Ensure the call center and web site are ready when notification begins

Spend time setting up the call center

Notify through different channels

Only solid information will cut

28

In the end it’s personal

Notify if YOU would want to be notified

Notify as YOU would want to be notified

Sincerity Drives the Day
