New Issues in the Air or “What’s Changed in 15 Years”
Russell M. Shumway, russ@rmshumway.net
Caveats and disclaimers
» I am not a lawyer
– Nothing I say here should be construed as legal advice
» Consult your own legal counsel
» The environment is changing rapidly
» 38.6% of the statistics in this presentation are made up
» Please see point number 1 again
So what has changed in the last 15 years?
» Nothing
» Questions?
1995
» Software was buggy
» Security was not included
» Security features were not enabled
» Users were clueless
2010
» Software is buggy
– (but maybe not as much)
» Security is included
– Sometimes
» Security features are enabled
– But disabled by users
» Users are smarter
– But the target is moving
Cloud computing
» What is the cloud?
– Buzzword of the day
– In some respects, a move backwards
» On-demand computing
» Utility computing
» Grid computing
Examples of cloud computing
» Gmail or Hotmail
» Flickr or Snapfish
» Google Docs or Adobe Photoshop Express
» Rapidshare
» Online backup
» Wikis
Benefits of cloud computing
» Access to supercomputer-level power
» Someone else maintains servers, storage space
» Only need an access point, such as thin client, smart phone, or laptop
» Resources available on demand
» Resources available anywhere
» Pay for what you use; cost savings
» Convenience, flexibility
Challenges of cloud computing
» Data access
– Who has access
– Who can grant access
» Data control
– Who has control
» 3rd party liability
» Discovery & forensics
» Disaster recovery
» Data breaches
What laws apply?
» PATRIOT Act
» HIPAA (Health information)
– Also stimulus act
» Gramm-Leach-Bliley (Financial institutions)
» Sarbanes-Oxley (public companies)
» Fair Credit Reporting Act
» Electronic Communications Privacy Act
» International agreements
» Other nations’ laws (EU data protection directive)
» State & local laws
Mobile technologies
» Portable media devices and smart phones
– Storage capacity increasing
– Size decreasing
– Power increasing
– Data is rarely encrypted or protected
Computer forensics
» What is Forensics?
– From forensis, the application of science or technical matter suitable for a public place (court of law)
– The scientific finding of fact and the collection, preservation, analysis, and presentation of evidence to support facts
Forensics challenges
» Large media
– Multi-gigabyte disks (and up)
– Servers
– RAID arrays
» Live examinations
– When you can’t take it off line
» Mobile devices
» Encryption
Data breaches
» Data
– Credit cards
– Personal data
– Credentials
– Proprietary data
» Notification requirements
– 46 states and DC have some form of notification requirement
» Compliance requirements
» Liability
Professional hackers
» Organized crime
– Eastern Europe and Africa seem to be predominant
» Activists
– Religious, political, ideological
» State and non-state actors
» Professional marketplace
– Buy tools and techniques
– Sell data and access
Hacking vectors
» Stolen credentials
» Poor configuration
– SQL injections
– Backdoors
– Brute force
» The myth of the zero day exploit
Malware
» Remote control/backdoor
» Data capture
– Credentials
– Personal/financial data
– Keyloggers
» Customization
IDS/Audit logs
» Not effective in detection
– Average time from compromise to detection measured in weeks
– Most likely method of detection is 3rd party reporting
• Audit
• LEA
• Customer
» Good for investigation
– 86% of data breaches in a recent study had evidence in their logs
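The brute-force vector from the hacking-vectors slide leaves exactly the kind of trail in audit logs that this slide says usually goes unread until an investigation. As an added illustration (not code from the presentation), this Python scans constructed sshd-style log lines and flags a successful login that was preceded by a burst of failures from the same source; the log format, the threshold of five failures and the ten-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in syslog/sshd style; not taken from any real system.
SAMPLE_LOG = """\
Mar 12 02:14:01 web1 sshd[4011]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar 12 02:14:03 web1 sshd[4013]: Failed password for admin from 203.0.113.7 port 51030 ssh2
Mar 12 02:14:05 web1 sshd[4015]: Failed password for admin from 203.0.113.7 port 51041 ssh2
Mar 12 02:14:07 web1 sshd[4017]: Failed password for admin from 203.0.113.7 port 51055 ssh2
Mar 12 02:14:09 web1 sshd[4019]: Failed password for admin from 203.0.113.7 port 51060 ssh2
Mar 12 02:14:11 web1 sshd[4021]: Accepted password for admin from 203.0.113.7 port 51071 ssh2
Mar 12 09:30:00 web1 sshd[5100]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Mar 12 09:31:00 web1 sshd[5102]: Accepted password for bob from 198.51.100.9 port 40002 ssh2
"""

# Assumed line layout: syslog timestamp, host, sshd[pid], then the auth result.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)

def parse(text, year=2010):
    """Yield (timestamp, result, user, src); lines that do not match are skipped.
    Syslog lines carry no year, so one is supplied (assumption: 2010)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def find_brute_force_logins(text, threshold=5, window=timedelta(minutes=10)):
    """Return (src, user, success_time) for each accepted login that was preceded,
    within `window`, by at least `threshold` failed attempts from the same source."""
    recent = defaultdict(list)  # src -> timestamps of failures still inside the window
    hits = []
    for ts, result, user, src in parse(text):
        # Drop failures older than the window before deciding anything.
        fails = [t for t in recent[src] if ts - t <= window]
        if result == "Failed":
            fails.append(ts)
        elif len(fails) >= threshold:
            hits.append((src, user, ts))
        recent[src] = fails
    return hits

if __name__ == "__main__":
    for src, user, ts in find_brute_force_logins(SAMPLE_LOG):
        print(f"{ts}: {user} logged in from {src} after a burst of failures")
```

Run against the sample it reports the admin login at 02:14:11 and ignores bob, whose single failure is below the threshold.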
Electronic discovery
» The discovery process gives both parties in litigation the opportunity to acquire information in support of their case
» Rules developed, historically, based on paper records
Discovery: “the ascertainment of that which was previously unknown…[t]he pre-trial devices that can be used by one party to obtain facts and information from the other party in…preparation for trial.”
- Black’s Law Dictionary
E-discovery
» Courts struggled with how to handle electronic information, but have become much more savvy, and judges are educated.
» E-discovery has surpassed paper:
– 95% of business records exist in electronic form
– E-discovery includes document metadata
• When it was created or modified
• When an email was sent and to whom
» Production
– Native
– Other
E-discovery
» Challenges
– Volume
– Cost
– Review
» Types of data
– Mail
– Documents
– Databases & proprietary software
E-discovery & forensics
» Inaccessible files
» Deleted data
» Data location and/or context
» Duplicate copies
» Backup and disaster recovery tapes
Virtual worlds
» Safety, security, privacy
– Federal privacy obligations (ECPA)
– State AG safety and C.P. reporting initiatives
– FTC enforcement
» Ownership of virtual property
– Gold or experience farming
– Sale of virtual property
Future initiatives
» Legislation
» Regulation
» Non-governmental agency requirements
Regulatory Evolution
» Different players got involved:
– Non-traditional entities expanding reach with enforcement
» Scope expanded:
– Early laws reactive; then became proactive
– FTC transition from deceptive prong to unfairness prong
» Now: the federal government is baaaacckk…..
Legislative and regulatory activity
» Recently passed laws
– American Recovery and Reinvestment Act (ARRA) of 2009
– Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 (part of the ARRA)
» Pending legislation
– Cybersecurity Act of 2010
» Regulatory
– OCC Guidance re application security (OCC 2008-16)
– HIPAA Security Rule updates (NIST 800-66)
HITECH Act of 2009
» More HIPAA enforcement risk
– Substantially higher penalties
– State Attorneys General have explicit authority to enforce HIPAA rules
– Enforcement allowed against individuals employed by healthcare entities
» Breach notification
» Business associates
Cybersecurity Act of 2010
» Defines critical infrastructure computers
» Mandatory certifications for security professionals
» NIST can establish standards for security
– Mandatory audits
» Increased funding for research and education
– Both K-12 and post-secondary
» Allows president to monitor and shut down critical networks in the event of an attack
New developments in state laws
» California
» Massachusetts
» Nevada
Questions?