Equifax, the FTC Act, and Vulnerability Scanning
July 2017
Agenda
• Regulatory Frameworks and the FTC
• Regulatory Expectations
• Open Source Considerations
• Proactive Vulnerability Management
You May Have Heard About Equifax…
FTC Investigation Begins
Regulatory Landscape is Expanding and Overlapping
Increasing regulatory scrutiny
• Force of law and penalties
• Expanding and overlapping
Common Goals
• Focus on protecting sensitive information
• Documented responsibilities and processes
• Require visibility to risks (e.g., vulnerability assessments)
GLBA, Sarbanes-Oxley
But It Doesn’t End There…
• Section 5 of the Federal Trade Commission Act
• Food and Drug Administration (“FDA”) Guidance on Cybersecurity in Medical Devices
• European Union
  • General Data Protection Regulation (GDPR)
  • Proposed Regulation on Privacy and Electronic Communications
Plus, State Law Must Be Considered
• California and Massachusetts
  • Information security standards applicable to entities that maintain information about their residents, regardless of where the entity itself is located.
• New York and others
  • Regulate a business’ request for, and retention of, social security numbers.
• 48 States
  • Data breach notification statutes, with different standards
• Many States
  • State Attorneys General also enforce “Baby FTC Acts” for privacy and security concerns.
  • Follow HIPAA with respect to the treatment of health information
Section 5 – The Federal Trade Commission Act
FTC Enforcement is Evolving
Traditionally, the United States Federal Trade Commission (“FTC”) and others pursued the company that stored the data it collected from consumers (e.g., a merchant) for not doing what it said it would do.
Over time, the focus has shifted to failures to keep up with the advantages and challenges that changes in technology present.
With mobile devices, the consumer is increasingly storing and creating large amounts of data on one device.
And regulatory focus is shifting to holding the makers of devices and apps responsible for failing to properly secure data . . .
Section 5 of the FTC Act
Theory of liability: the entity committed an “unfair or deceptive” practice in violation of FTC Act § 5 by virtue of its data practices.
• Data practices allegedly are unfair when:
  • They are not reasonably calculated to protect consumers from theft or from use that is harmful to consumers, and
  • They caused, or are likely to cause, substantial consumer injury that consumers could not have reasonably avoided.
• Data practices allegedly are deceptive if:
  • The targeted entity made a material representation or omission regarding its information security that is likely to mislead a consumer, acting reasonably, to the consumer’s detriment.
Scenario 1: Medical Device Stores Patient Information
Physician surgically inserts a medical device that monitors certain body functions into patient.
Device uses a cellular signal to transmit recorded body function data directly to physician.
Information is populated into an electronic patient record retained by the physician.
Manufacturer has remote access to device(s) and information on it and transmitted to physician to provide technical support. Manufacturer does not store or retain any of the patient’s information.
Scenario 1: Medical Device Stores Patient Information
HIPAA
• Manufacturer is not a covered entity, but may be a business associate
FTC
• Information security vulnerability may give rise to FTC scrutiny.
FDA
• FDA cybersecurity requirements continue to govern device safety and information security.
State Law
• If Manufacturer receives or maintains consumer information (whether or not considered health care information), it will be subject to state law security and privacy requirements.
EU
• GDPR privacy and security requirements apply to devices in EU patients
• Device data transmission will need to comply with the EU Proposed Regulation.
Regulatory Expectations
HIPAA
HIPAA restricts the ability of covered entities and business associates to use or disclose protected health information (“PHI”) without patient authorization, except under circumstances prescribed by regulation.
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
PCI-DSS
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
<snip>
This is not achieved by an ASV scan or internal vulnerability scan, rather this requires a process to actively monitor industry sources for vulnerability information.
6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
<snip>
This requirement applies to applicable patches for all installed software.
What is the FTC (and others) looking for?
HIPAA + FTC Act + FDA Regulations + State laws + Enforcement actions + . . . .
FTC Enforcement Actions Themes
LabMD & In re Accretive Health
• Security is important, and the FTC will fill regulatory “gaps”
HTC
• Don’t distribute platforms with basic security flaws
Snapchat
• Know the features of the platform your app is on
Goldenshore Technologies
• Don’t abuse the platform’s features
Trendnet
• The Internet of Things needs to be secure
Fandango & Credit Karma
• Don’t disable security, and think about possible man-in-the-middle attacks
• And protect “Sensitive Information,” not just PII
What Constitutes Reasonable Security?
Regulators set a baseline expectation: Companies “should implement reasonable security.”
“Reasonable Security” includes:
• Building security into devices at the outset – “security by design”
• Conducting a privacy or security risk assessment
• Minimizing data collected and retained
• Testing security before product launch
• Adopting a strong internal security program, including
  • Tone from the top and training
  • Overseeing service providers’ and the supply chain’s ability to meet security requirements
• Implementing reasonable access controls on devices
• For more complex systems, adopting a “defense-in-depth” security architecture
• Monitoring products throughout the life cycle
  • Including patching known vulnerabilities (to the extent feasible)
How Did Equifax Mess Up?
Human Error
“… the individual who is responsible for communicating in the organization to apply the patch, did not,”
Richard Smith, Oral Testimony
Technical Error
“On March 15, Equifax’s information security department also ran scans that should have identified any systems that were vulnerable to the Apache Struts issue identified by U.S. CERT. Unfortunately, however, the scans did not identify the Apache Struts vulnerability.”
Richard Smith, Written Testimony
Open Source Considerations
Open Source is Widely Used Across All Industries
Vulnerabilities in Open Source Are Common
Why Open Source is “Different” for Attackers
Open Source Licensing and Support
• OPEN SOURCE IS USED EVERYWHERE
• VULNERABILITIES ARE PUBLICIZED
• EASY ACCESS TO SOURCE CODE
• STEPS TO EXPLOIT READILY AVAILABLE
Information Available to Attackers
Bad Guys Have Quotas Too (Non-Targeted Attacks)
Rational Choice Theory
• Criminals make a conscious, rational choice to commit crimes
• Behavior is a personal choice made after weighing costs and benefits of available alternatives
• The path of least resistance will be taken
• Solution: Patch early
Source: Kenna Security
Proactive Vulnerability Management
How Do Organizations Handle This Today?
Vendor Patches
• Schedule updates as deemed necessary
Vulnerability assessments
• Ad hoc internal assessments
• “Continuous monitoring” (daily scans)
Vulnerability assessment (VA) tools focus on:
• System configurations
• Operating systems (including Linux)
• Commercial applications (Office, Adobe, Oracle, etc.)
How Well Do VA Tools Cover Open Source?
Popular Tools
• Nessus (Tenable)
• Nexpose (Rapid7)
• QualysGuard (Qualys)
2015
• NVD – 2,186 CVEs disclosed in open source
• Nessus – roughly 500 plug-ins generated
  • Focus on major components and OS
  • Lots of overlapping rules
    • 34 rules for Poodle
    • 14 for Freak
    • 205 for Linux
    • 35 for Red Hat
    • 42 for SuSE
    • 25 for Ubuntu
    • 33 for Fedora
    • 28 for Debian
    • 14 for CentOS
    • 11 for Mandriva
What if the Automotive Market Treated Recalls Like Open Source Users Treat Vulnerabilities?
(Chart: Quantified vs. Unquantified)
A Software Bill of Materials Solves the Problem
• Components and serial numbers
• Unique to each vehicle VIN
• Complete analysis of open source components*
• Unique to each project or application
• Security, license, and operational risk surfaced
Key Takeaways
• Section 5 of the FTC Act can cover “white space” not addressed by other regulatory standards
• Patching requirements are not limited to patches delivered to you for commercial software
• Vulnerability Assessment tools are valuable, but
  • Don’t cover custom software
  • Don’t maintain knowledge of components
• A Bill of Materials solves the issue of visibility, but updating the components remains a requirement
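As an added example (not part of the slide deck and not any vendor's tool), the following Python script shows what the PCI-DSS 6.1/6.2 text and the SBOM takeaway above amount to in practice: it crosses a constructed SBOM with a constructed advisory feed, assigns the high/medium/low ranking 6.1 asks for, checks the one-month window 6.2 sets for critical patches, and reports which findings a package-level VA scan could not have raised because the component is bundled inside an application. Component names, versions, advisory identifiers and dates are all made up; the 30-day window and the CVSS cut-offs are assumptions.

```python
from datetime import date, timedelta

# Assumption: "one month" in PCI-DSS 6.2 is treated here as 30 calendar days.
CRITICAL_PATCH_WINDOW = timedelta(days=30)

# Constructed assessment date used by the stand-alone run and the checks below.
ASSESSMENT_DATE = date(2017, 5, 13)

# Constructed SBOM fragment (what a CycloneDX or SPDX export boils down to for
# this check). Component names and versions are hypothetical, not real projects.
SBOM = [
    {"name": "example-webfw", "version": "2.3.5", "bundled_in": "customer-portal.war"},
    {"name": "example-tlslib", "version": "1.0.2", "bundled_in": None},  # OS package
    {"name": "example-logger", "version": "4.1.0", "bundled_in": "customer-portal.war"},
]

# Constructed advisory feed standing in for the "reputable outside source" of
# PCI-DSS 6.1. Identifiers are placeholders; no real CVE numbers are used.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "component": "example-webfw", "fixed_in": "2.3.32",
     "cvss": 9.8, "published": date(2017, 3, 7)},
    {"id": "ADV-PLACEHOLDER-002", "component": "example-tlslib", "fixed_in": "1.0.3",
     "cvss": 5.3, "published": date(2017, 4, 20)},
    {"id": "ADV-PLACEHOLDER-003", "component": "example-logger", "fixed_in": "4.0.9",
     "cvss": 7.5, "published": date(2017, 5, 1)},
]

# What a host-based VA scan sees: OS package names only. Components bundled
# inside an application archive are invisible to it (constructed set).
OS_PACKAGES_SEEN_BY_SCANNER = {"example-tlslib"}


def parse_version(text):
    """Turn '2.3.32' into (2, 3, 32) so versions compare numerically.
    A plain string compare would wrongly treat '2.3.5' as newer than '2.3.32'."""
    return tuple(int(part) for part in text.split("."))


def risk_rank(cvss):
    """Assign the high/medium/low ranking PCI-DSS 6.1 asks for.
    Assumption: the common CVSS cut-offs of 7.0 (high) and 4.0 (medium)."""
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def is_affected(component, advisory):
    """Affected when the advisory names the component and its version predates the fix."""
    return (component["name"] == advisory["component"]
            and parse_version(component["version"]) < parse_version(advisory["fixed_in"]))


def assess(sbom, advisories, today, os_packages=OS_PACKAGES_SEEN_BY_SCANNER):
    """Cross the SBOM with the advisory feed. Returns one finding per applicable
    (component, advisory) pair, with the 6.2 deadline for high-ranked items."""
    findings = []
    for component in sbom:
        for advisory in advisories:
            if not is_affected(component, advisory):
                continue
            rank = risk_rank(advisory["cvss"])
            deadline = advisory["published"] + CRITICAL_PATCH_WINDOW if rank == "high" else None
            findings.append({
                "component": component["name"],
                "installed": component["version"],
                "advisory": advisory["id"],
                "fixed_in": advisory["fixed_in"],
                "rank": rank,
                "deadline": deadline,
                "overdue": deadline is not None and today > deadline,
                "visible_to_package_scan": component["name"] in os_packages,
            })
    return findings


def blind_spots(findings):
    """Findings a package-based VA scan could not have raised: the deck's point
    that such tools don't maintain knowledge of components bundled in applications."""
    return [f for f in findings if not f["visible_to_package_scan"]]


if __name__ == "__main__":
    results = assess(SBOM, ADVISORIES, ASSESSMENT_DATE)
    for f in results:
        status = "OVERDUE" if f["overdue"] else "open"
        print(f"{f['component']} {f['installed']} -> {f['advisory']} rank={f['rank']} "
              f"fix={f['fixed_in']} deadline={f['deadline']} {status}")
    for f in blind_spots(results):
        print(f"not visible to package scan: {f['component']} ({f['advisory']})")
```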
Questions?
