
1 New Issues in the Air or “What’s Changed in 15 Years” Russell M. Shumway


Slide 1: New Issues in the Air or “What’s Changed in 15 Years”
Russell M. Shumway
russ@rmshumway.net

Slide 2: Caveats and disclaimers
» I am not a lawyer
  – Nothing I say here should be construed as legal advice
» Consult your own legal counsel
» The environment is changing rapidly
» 38.6% of the statistics in this presentation are made up
» Please see point number 1 again

Slide 3: So what has changed in the last 15 years?
» Nothing
» Questions?

Slide 4: 1995
» Software was buggy
» Security was not included
» Security features were not enabled
» Users were clueless
2010
» Software is buggy
  – (but maybe not as much)
» Security is included
  – Sometimes
» Security features are enabled
  – But disabled by users
» Users are smarter
  – But the target is moving

Slide 5: Cloud computing
» What is the cloud?
  – Buzzword of the day
  – In some respects, a move backwards
» On-demand computing
» Utility computing
» Grid computing

Slide 6: Examples of cloud computing
» Gmail or Hotmail
» Flickr or Snapfish
» Google Docs or Adobe Photoshop Express
» Rapidshare
» Online backup
» Wikis

Slide 7: Benefits of cloud computing
» Access to supercomputer-level power
» Someone else maintains servers, storage space
» Only need an access point, such as a thin client, smart phone, or laptop
» Resources available on demand
» Resources available anywhere
» Pay for what you use; cost savings
» Convenience, flexibility

Slide 8: Challenges of cloud computing
» Data access
  – Who has access
  – Who can grant access
» Data control
  – Who has control
» 3rd-party liability
» Discovery & forensics
» Disaster recovery
» Data breaches

Slide 9: What laws apply?
» PATRIOT Act
» HIPAA (Health information)
  – Also stimulus act
» Gramm-Leach-Bliley (Financial institutions)
» Sarbanes-Oxley (public companies)
» Fair Credit Reporting Act
» Electronic Communications Privacy Act
» International agreements
» Other nations’ laws (EU data protection directive)
» State & local laws

Slide 10: Mobile technologies
» Portable media devices and smart phones
  – Storage capacity increasing
  – Size decreasing
  – Power increasing
  – Data is rarely encrypted or protected

Slide 11: Computer forensics
» What is Forensics?
  – From forensis, the application of science or technical matter suitable for a public place (court of law)
  – The scientific finding of fact and the collection, preservation, analysis, and presentation of evidence to support facts

Slide 12: Forensics challenges
» Large media
  – Multi-gigabyte disks (and up)
  – Servers
  – RAID arrays
» Live examinations
  – When you can’t take it off line
» Mobile devices
» Encryption

Slide 13: Data breaches
» Data
  – Credit cards
  – Personal data
  – Credentials
  – Proprietary data
» Notification requirements
  – 46 states and DC have some form of notification requirement
» Compliance requirements
» Liability

Slide 14: Professional hackers
» Organized crime
  – Eastern Europe and Africa seem to be predominant
» Activists
  – Religious, political, ideological
» State and non-state actors
» Professional marketplace
  – Buy tools and techniques
  – Sell data and access

Slide 15: Hacking vectors
» Stolen credentials
» Poor configuration
  – SQL injections
  – Backdoors
  – Brute force
» The myth of the zero day exploit

Slide 16: Malware
» Remote control/backdoor
» Data capture
  – Credentials
  – Personal/financial data
  – Keyloggers
» Customization

Slide 17: IDS/Audit logs
» Not effective in detection
  – Average time from compromise to detection measured in weeks
  – Most likely method of detection is 3rd-party reporting
      – Audit
      – LEA
      – Customer
» Good for investigation
  – 86% of data breaches in a recent study had evidence in their logs
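Slides 15 and 17 together make a practical point: a brute-force credential attack is rarely noticed while it happens, yet the evidence sits in the audit logs waiting for whoever eventually looks. The following script is an added example, not part of the presentation: it scans a handful of constructed sshd-style authentication log lines (the addresses are RFC 5737 documentation ranges, the hostnames, users and threshold are assumptions) and reports two things an investigator would pull from such a log: sources that crossed a failure threshold inside a time window, and a successful login from a source that had already accumulated that many failures.

```python
"""Pull brute-force evidence out of authentication logs.

Added example; the log lines below are constructed, not real data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# One regex for the two sshd events we care about: password failures and
# password successes. Anything else (cron, other daemons) is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample: one source hammers several accounts and finally gets in;
# a second source is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
Mar  3 10:01:02 host1 sshd[2311]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar  3 10:01:05 host1 sshd[2313]: Failed password for root from 198.51.100.7 port 40123 ssh2
Mar  3 10:01:09 host1 sshd[2315]: Failed password for invalid user admin from 198.51.100.7 port 40124 ssh2
Mar  3 10:01:12 host1 sshd[2317]: Failed password for invalid user oracle from 198.51.100.7 port 40125 ssh2
Mar  3 10:01:16 host1 sshd[2319]: Failed password for backup from 198.51.100.7 port 40126 ssh2
Mar  3 10:01:20 host1 sshd[2321]: Failed password for backup from 198.51.100.7 port 40127 ssh2
Mar  3 10:01:24 host1 sshd[2323]: Accepted password for backup from 198.51.100.7 port 40128 ssh2
Mar  3 10:02:00 host1 CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:03:10 host1 sshd[2450]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Mar  3 10:03:15 host1 sshd[2452]: Accepted password for alice from 203.0.113.5 port 51001 ssh2
"""


def parse_line(line, year=2010):
    """Return a dict for an sshd password event, or None for any other line.

    Syslog timestamps carry no year, so the caller supplies it (assumed 2010).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = re.sub(r"\s+", " ", m["ts"])  # "Mar  3" -> "Mar 3"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def analyze(log_text, threshold=5, window_seconds=60, year=2010):
    """Find brute-force bursts and successes that follow them.

    Returns {"bursts": {src: failures_in_window_when_flagged},
             "success_after_burst": [ {src, user, ts, prior_failures}, ... ]}.
    """
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # logs are not always in order

    recent = defaultdict(deque)      # src -> timestamps of failures inside the window
    total_failures = defaultdict(int)
    bursts = {}
    success_after_burst = []

    for e in events:
        src = e["src"]
        if e["result"] == "Failed":
            q = recent[src]
            q.append(e["ts"])
            # Drop failures that have aged out of the sliding window.
            while (e["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            total_failures[src] += 1
            if len(q) >= threshold and src not in bursts:
                bursts[src] = len(q)
        else:
            # A success from a source with a failure history is the line an
            # investigator wants: it marks where guessing turned into access.
            if total_failures[src] >= threshold:
                success_after_burst.append({"src": src, "user": e["user"],
                                            "ts": e["ts"],
                                            "prior_failures": total_failures[src]})
    return {"bursts": bursts, "success_after_burst": success_after_burst}


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for src, n in findings["bursts"].items():
        print(f"burst: {src} reached {n} failures within the window")
    for hit in findings["success_after_burst"]:
        print(f"success after burst: {hit['src']} logged in as {hit['user']} "
              f"at {hit['ts']:%H:%M:%S} after {hit['prior_failures']} failures")
```

The window and threshold are the tuning knobs: a one-off mistyped password (the second source above) never trips them, while the first source is flagged both when its fifth failure lands inside the window and again when its later success is recorded. In a real investigation the same loop would run over the full retention period rather than a ten-line sample, which is exactly why the slide's point about log retention matters.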

Slide 18: Electronic discovery
» Discovery process provides opportunity to both parties in litigation to acquire information in support of their case
» Rules developed, historically, based on paper records
Discovery: “the ascertainment of that which was previously unknown…[t]he pre-trial devices that can be used by one party to obtain facts and information from the other party in…preparation for trial.” – Black’s Law Dictionary

Slide 19: E-discovery
» Courts struggled with how to handle electronic information, but have become a lot more savvy and judges are educated.
» E-discovery has surpassed paper:
  – 95% of business records exist in electronic form
  – E-Discovery includes document metadata
      – When it was created or modified
      – When an email was sent and to whom
» Production
  – Native
  – Other

Slide 20: E-discovery
» Challenges
  – Volume
  – Cost
  – Review
» Types of data
  – Mail
  – Documents
  – Databases & proprietary software

Slide 21: E-discovery & forensics
» Inaccessible files
» Deleted data
» Data location and/or context
» Duplicate copies
» Backup and disaster recovery tapes

Slide 22: Virtual worlds
» Safety, security, privacy
  – Federal privacy obligations (ECPA)
  – State AG safety and C.P. reporting initiatives
  – FTC enforcement
» Ownership of virtual property
  – Gold or experience farming
  – Sale of virtual property

Slide 23: Future initiatives
» Legislation
» Regulation
» Non-governmental agency requirements

Slide 24: Regulatory Evolution
» Different players got involved:
  – Non-traditional entities expanding reach with enforcement
» Scope expanded:
  – Early laws reactive; then became proactive
  – FTC transition from deceptive prong to unfairness prong
» Now: the federal government is baaaacckk…..

Slide 25: Legislative and regulatory activity
» Recently passed laws
  – American Recovery and Reinvestment Act (ARRA) of 2009
  – Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 (part of the ARRA)
» Pending legislation
  – Cybersecurity Act of 2010
» Regulatory
  – OCC Guidance re application security (OCC 2008-16)
  – HIPAA Security Rule updates (NIST 800-66)

Slide 26: HITECH Act of 2009
» More HIPAA enforcement risk
  – Substantially higher penalties
  – State Attorneys General have explicit authority to enforce HIPAA rules
  – Enforcement allowed against individuals employed by healthcare entities
» Breach notification
» Business associates

Slide 27: Cybersecurity Act of 2010
» Defines critical infrastructure computers
» Mandatory certifications for security professionals
» NIST can establish standards for security
  – Mandatory audits
» Increased funding for research and education
  – Both K-12 and post-secondary
» Allows president to monitor and shut down critical networks in the event of an attack

Slide 28: New developments in state laws
» California
» Massachusetts
» Nevada

Slide 29: Questions?

