How Big is Your Digital Footprint? Can U Help?
FISSEA
Mark Loepker
Defense-wide Information Assurance Program
Office of the DoD Chief Information Officer
Office of the Secretary of Defense
Today's Discussion: DoD's Challenges
It is Up to Us to Find Opportunities
How Can You… Measure What U Can't C?
The warfighter expects and deserves access to information – from any device, anywhere, anytime…
12/8/2015
…and this is HOW & WHERE we fight
Cybersecurity Must Not Stifle Innovation
Improving information security while…
- Increasing information-sharing efficiency
- Enhancing mission effectiveness
- Progressing towards compatibility
- Boosting collaboration
- Ensuring Confidentiality, Integrity, Availability, Non-repudiation & Authentication
Think For A Change: The Cycle of Innovation
Cybersecurity: What Keeps DoD Up @ Night?
- Digital Persona Protection
- Insider Threat / Continuous Monitoring
- Commercial Mobile Devices
- DIB / Supply Chain Management
- Cloud Services
- Cyber Workforce
Shared Responsibilities, Our Collective Challenges
Digital Persona Protection
- Members of the DoD are coming under attack in cyberspace.
- DoD CIO is developing a directive assigning responsibilities & outlining procedures, leveraging the lessons learned from past incidents.
- Proposes 2 types of coverage (both consent-based):
  - Reactive: protection of DoD-affiliated individuals for whom a credible threat has been identified & determined to be due to affiliation w/ DoD.
  - Proactive: pre-emptive protection of selected senior DoD personnel.
DPP Risk & Mitigation Matrix
Risk Level (High / Medium / Low) vs. Courses of Action:
- Annual web-based Education & Awareness (unavoidable online risk)
- Employee-procured Commercial Credit Monitoring (e.g. LifeLock)
- Government-procured Commercial Credit Monitoring (e.g. LifeLock)
- Government-subsidized Insurance (e.g. Liability Insurance)
- Government-procured Commercial Limited Personal PII and technical assistance
- Government/LE Limited Personal PII and technical assistance
- Government-procured Commercial Full-Service Personal PII and technical assistance
- Government/LE Full-Service Personal PII and technical assistance (Industry)
Move from REACTIVE to PROACTIVE!
USG defines PII as follows:
"Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."
EU defines PII as follows:
"'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;"
Where in the World is Your PII Stored? In the Cloud?
Item: Credit Reporting Agencies
Potential Risk: They sell data points of your credit file.
Source of Risk: Experian, Equifax, TransUnion. Credit bureaus sell PII to 300 outside firms / overseas / no US law.
Risk Level: High (ties directly to physical address)
Recommendations:
- Acquire your 3 credit reports to review for errors and fraud.
- Secure your credit profile from internal and external threats.
- Request that they not sell or share records through marketing; monitor for unauthorized access.
Cost: UNKNOWN - $$$$$
Item: Medical Records
Potential Risk: They sell data points of your medical file.
Source of Risk: Medical Information Bureau (MIB) outlets. All of your medical history in one repository, accessed by life and medical insurers.
Risk Level: High (your health details, physical address, family members)
Recommendations:
- Acquire your medical report to see what it contains; review for errors/fraud.
- Secure your medical profile from unauthorized access.
- Verify access to your medical record for a given time period.
Cost: UNKNOWN - $$$$$
Item: Driver's License & Motor Vehicle Bureau Records
Potential Risk: They sell every data point of your file.
Source of Risk: Your State's Driver's License & Motor Vehicle Department. Most States rely on the selling of your data for their budgets.
Risk Level: High (ties directly to physical address, description, facial image)
Recommendations:
- Request your State not sell your records.
- Monitor for unauthorized access.
Cost: UNKNOWN - $$$$$
Item: Real Property & Tax Assessor Records
Potential Risk: They sell data points of your file.
Source of Risk: Your independent City's Record Office / State Government. Your independent City sells your records and sends a copy to the State, where they sell your record as well.
Risk Level: High (ties directly to physical address)
Recommendations:
- Request your City & State not sell your records.
- Remove your records from the official public-facing website.
Cost: UNKNOWN - $$$$$
Item: Voter Records
Potential Risk: They sell data points of your file.
Source of Risk: Your independent city's voter record office: name, address, SSN, party affiliation, voting history.
Risk Level: High (ties directly to physical address & other PII)
Recommendations:
- Request your Voter Registration office not sell your records.
- Remove from public-facing websites.
Cost: UNKNOWN - $$$$$
Item: Passport Records
Potential Risk: Insider threat? The DS-11 application contains not only your PII but also emergency contacts, linking others to you.
Source of Risk: Department of State PIERS system and DHS's Customs and Border Protection secondary screening at airports. 100s of documented unauthorized accesses/compromises leaked outside.
Risk Level: High (ties directly to physical address, other PII and Emergency (ICE) contacts)
Recommendations:
- Request the State Department to place an early warning on your records for any unauthorized access, both within the PIERS system and by hard-copy pull.
Cost: UNKNOWN - $$$$$
Item: US Census Bureau Records
Potential Risk: Insider threat; 80% of fact-finders and server staff are contractors.
Source of Risk: US Census Bureau. Most US Census employees and contractors have a minimal or spotty National Agency Check; the amount of PII and relatives' PII exposed is profound.
Risk Level: High (ties directly to PII)
Recommendations:
- Request the Census Bureau to place an early warning on your records for any unauthorized access.
- Request the Census Bureau not share or sell your PII.
Cost: UNKNOWN - $$$$$
Item: Credit Cards
Potential Risk: Insider risk; main/backup servers in multiple countries (US law?).
Source of Risk: Nothing makes one more "place & time predictable" than the record of where and when you charge on your card; also a major source for ID theft. Credit bureaus sell PII to 300 outside firms / overseas / no US law.
Risk Level: High (ties into PII and place & time predictability)
Recommendations:
- Request your credit card firms to place an early warning on your record for unauthorized internal access, and to NOT share or sell your PII.
Cost: UNKNOWN - $$$$$
Item: Internet Service Providers (ISP)
Potential Risk: Insider threat; many telephony employees have released customer profile records (credit information) along with call logs.
Source of Risk: Your ISP & their partners. Records reveal who occupies the residence, artifacts about your laptop, residue of your internet transmissions, and whether you are HOME.
Risk Level: High (ties into PII, place/time predictability & address)
Recommendations:
- Request the ISP place an early warning on your record for any unauthorized internal access, and not sell your data, even to "trusted partners".
Cost: UNKNOWN - $$$$$
More recommend