
Data Breach and Encryption Handbook [Paperback]

Edited by
  • Format: Paperback / softback, 328 pages, height x width x depth: 255x178x15 mm, weight: 631 g
  • Publication date: 16-Apr-2012
  • Publisher: American Bar Association
  • ISBN-10: 1604429895
  • ISBN-13: 9781604429893
  • Price: 127,97 €*
  • * This book is no longer in print. You will be notified of the price of a used copy.

This book takes an in-depth look at the issue of escalating data breaches and their legal ramifications. It focuses on the law and its implications, encryption technology, recognized methods of resolving a breach, and many related aspects of information security. The book also examines a number of the major data breach incidents from a variety of legal and technology perspectives, and provides instructive graphics to illustrate the methodologies hackers use to cause these breaches.

Preface xiv
Acknowledgments xviii
About the Editor xix
About the Authors xx
PART I Crisis in Information Security 1(54)
Chapter 1 Cybercrime and Escalating Risks 3(14)
Expanding Global Cybersecurity Threats 4(3)
Advanced Persistent Threats 4(1)
IM DDOS Botnet 4(1)
Zeus Trojan 5(1)
Kneber Botnet 6(1)
Aurora Botnet and the Google Attack 7(1)
Data Breach Risks 7(1)
Aggregated Electronic Information at Risk 8(5)
Credit Card, Driver's License, Bank Account, and Social Security Numbers 8(1)
Medical Records 9(1)
Tax and Financial Records 10(1)
Law Firm Records 10(1)
Mortgages and Consumer Loans 11(1)
Mergers and Acquisitions 12(1)
Cloud Computing 12(1)
New Technologies, New Risks 13(2)
Mobile Devices 13(1)
Mobile Marketing 14(1)
Peer-to-Peer File Sharing 14(1)
Failed Security 15(2)
The State of Information Security in the 21st Century? 15(2)
Chapter 2 Despite the Alarming Trends, Data Breaches Are Preventable 17(14)
Alarming Trends 17(1)
Data Breach Incidents by Industry 18(4)
Number of Records Breached by Industry 20(1)
Millions of Medical Records Breached 20(2)
Causes of Data Breaches 22(5)
Lost and Stolen Computers, Laptops, and Portable Devices 23(1)
Improper Disposal of Paper Documents 23(2)
Accidental Exposure 25(1)
Insider Threats 25(2)
Hacker Attacks 27(1)
What Information Has Been Compromised in Data Breaches? 27(1)
Data Breaches Can and Must Be Prevented 28(1)
Action Plan to Prevent Data Breaches---Encryption Considerations 29(2)
Chapter 3 The Aftermath of Data Breaches: Potential Liability and Damages 31(18)
Introduction 31(3)
Liability and Damages Resulting from Major Data Breaches 34(12)
TJX 34(4)
Heartland Payment Systems 38(2)
RBS WorldPay 40(1)
Hannaford Bros. 40(3)
Discount Shoe Warehouse (DSW) 43(1)
CardSystems Solutions 44(1)
Data Breaches Continue 45(1)
Role of Security Standards 46(1)
Criminal Prosecutions 47(1)
Conclusion 47(2)
Chapter 4 The Underground World of Online Identity Theft: An Overview 49(6)
PART II Anatomy of the Major Data Breaches 55(32)
Chapter 5 Encrypted Records---Failed Security 57(30)
How a Hacker Attack Unfolds 59(1)
The Basics of Payment Card Processing 60(1)
Heartland: Transmission of Sensitive Data in the Clear 61(3)
What Sensitive Information Was Stolen? 62(1)
Anatomy of the Breach 62(2)
Hannaford: Security Failures at Critical Junctures 64(2)
What Sensitive Information Was Stolen? 64(1)
Anatomy of the Breach 64(2)
RBS WorldPay: Vulnerable Network 66(3)
What Sensitive Information Was Stolen? 66(1)
Anatomy of the Breach 66(3)
TJX: Sensitive Data in the Clear, Weak Encryption, Unprotected Encryption Key 69(4)
What Sensitive Information Was Stolen? 70(1)
Anatomy of the Breach 70(3)
DSW: Unsecured Network, Weak Passwords 73(2)
What Sensitive Information Was Stolen? 73(1)
Anatomy of the Breach 74(1)
Web Newsroom: Unprotected Encryption Key 75(2)
What Sensitive Information Was Stolen? 76(1)
Anatomy of the Breach 76(1)
Guidance Software: Unencrypted Database Records 77(2)
What Sensitive Information Was Stolen? 77(1)
Anatomy of the Breach 77(2)
CardSystems: Failure to Apply a Firewall, Maintain Virus Definitions, and Use Strong Passwords 79(3)
What Sensitive Information Was Stolen? 80(1)
Anatomy of the Breach 80(2)
Criminal Prosecutions 82(1)
Better Security Practices? 83(4)
End-to-End Encryption 83(1)
Payment Processors Information Sharing Council 84(1)
"Military Industrial Strength" Security 84(1)
Security Lessons Learned 84(3)
PART III Law 87(88)
Chapter 6 Ambiguities in State Security Breach Notification Statutes 89(14)
The Basic Obligation 90(2)
What Is Covered Personal Data? 92(1)
What Is a Security Breach? 93(1)
What Is Encrypted Data? 94(3)
When Does a Breach Trigger the Obligation to Notify? 97(1)
Who Is an Employee or Agent? 98(2)
What Assumptions Can/Should You Make? 100(3)
Chapter 7 State Data Breach Notification Laws and the Duty to Provide Information Security 103(12)
Nevada: Professionally Based Security Standards 103(2)
Massachusetts: Risk-Based Approach 105(8)
What Personal Information Is Covered? 106(1)
What Is a Security Breach? 106(1)
What Is Encrypted Data? 107(1)
What Data Must Be Encrypted? 108(1)
What Is the Duty to Report a Known Security Breach or Unauthorized Use of Personal Information? 108(1)
What Are the Requirements for Security Breach Notifications? 109(1)
What Is a Comprehensive Information Security Program? 109(1)
Written Information Security Plan 110(1)
Computer Security System Requirements 110(2)
Records Disposition 112(1)
Verification of Third-Party Service Providers 112(1)
Compliance 112(1)
Maryland and New Jersey: Information Security Statutes 113(1)
Breach of Health Information 113(1)
Affirmative Security Measures 113(2)
Chapter 8 HITECH: The First Federal Data Breach Notification Law 115(28)
Overview 115(2)
Breach of Protected Health Information 116(1)
Concept of a "Safe Harbor" 116(1)
Standards Issued by NIST 117(1)
Role of the Federal Trade Commission 117(1)
What Is a Breach? 117(12)
General Definitions 117(2)
Rebuttable Presumption of Unauthorized Access 119(1)
Limiting PHI and Access to the "Minimum Necessary" 120(1)
The Concept of "Harm" and Risk Assessments 121(2)
Risk Assessment 123(1)
"Risk Assessment" as a Tool for Determining Harm---A Critique 124(1)
Exceptions to the "Breach Rule" 125(1)
Limitations of Notification Requirements 126(2)
Heightened HIPAA Enforcement Under HITECH 128(1)
Summary 129(1)
What Is Unsecured Protected Health Information? 129(4)
Encryption and Destruction 129(2)
"Safe Harbor" 131(2)
When Does a Breach Trigger Notice Obligations? 133(1)
What Are the Requirements for Breach Notification? 134(7)
Who Must Be Notified? 134(1)
When Must Notice Be Provided? 134(1)
What Form of Notice Is Required? 135(1)
What Is the Content of the Notification? 135(1)
Who Is Covered by the Breach Notification Requirements? 136(3)
What Personal Information Is Covered? 139(2)
Health Care Breach Challenges Remain 141(2)
Chapter 9 Breach Notification and Encryption: A Global Perspective 143(32)
Notification Obligations: Overview 143(3)
Data Protection Requirements: Overview 146(4)
Notification and Encryption Requirements by Country 150(1)
Argentina 150(1)
Australia 151(1)
Austria 152(1)
Belgium 152(3)
Brazil 155(1)
Canada 155(2)
Chile 157(1)
China (PRC) 157(1)
Colombia 157(1)
Czech Republic 158(1)
Egypt 159(1)
France 159(1)
Germany 160(1)
Hong Kong 161(1)
Hungary 162(1)
Indonesia 162(1)
Italy 162(1)
Japan 163(1)
Malaysia 164(1)
Mexico 165(1)
Netherlands 166(1)
Philippines 167(1)
Poland 167(1)
Russia 168(1)
Singapore 168(1)
Spain 169(1)
Sweden 170(1)
Switzerland 171(1)
Taiwan 171(1)
Thailand 171(1)
United Kingdom 172(1)
Vietnam 173(2)
PART IV Technology 175(64)
Chapter 10 Encryption: The Basics 177(14)
Encryption Overview 177(4)
Cryptographic Algorithms 178(1)
Key Management 179(2)
Applying Encryption 181(3)
In-Flight Versus At-Rest Encryption 181(1)
SNIA Position on Encryption 181(1)
Point of Encryption 182(1)
Factors to Consider 183(1)
Encryption and Key Management Guidance 184(4)
Encryption 185(1)
Guidance for Key Management 186(2)
An Approach to Implementing Encryption 188(2)
Step 1 Understand Confidentiality Drivers 188(1)
Step 2 Classify the Data Assets 188(1)
Step 3 Inventory Data Assets 189(1)
Step 4 Perform Data Flow Analysis 189(1)
Step 5 Determine the Appropriate Points of Encryption 189(1)
Step 6 Design the Encryption Solution 189(1)
Step 7 Begin Data Realignment 189(1)
Step 8 Implement Solution 189(1)
Step 9 Activate Encryption 190(1)
Summary 190(1)
Chapter 11 Encryption Best Practices 191(10)
Encryption Fundamentals 191(2)
NIST and the AES Encryption Standard 193(1)
What Can Go Wrong with Encryption? 194(2)
Short Encryption Key Lengths 194(1)
The Key Itself Is Not a Completely Random Number 194(1)
The Encryption Key Is Compromised 194(1)
Layered Encryption 195(1)
Encrypting the Keys 195(1)
Hardware Encryption Protection 195(1)
Access to the Encryption Keys 196(2)
A Key Protects Other Keys 196(1)
Multi-Factor Authentication 196(1)
Public Key Cryptography 197(1)
Public Key Cryptosystems 197(1)
Critical Encryption Measures 198(3)
Chapter 12 Circumventing Data Encryption: Password Vulnerabilities 201(6)
Passwords and Data Encryption 201(1)
Shared Secrets 202(1)
Biometrics, Two-Factor Authentication, and One-Time Passwords 203(1)
Password Attacks 204(2)
Prevention 206(1)
Chapter 13 Managing Cryptographic Keys 207(10)
Associated Standards and Standards Committees 207(1)
Introduction to Enterprise Key Management Infrastructure 208(1)
The Key Management Lifecycle 209(4)
Creation 209(1)
Backup 210(1)
Deployment 211(1)
Monitoring 211(1)
Rotation 211(1)
Expiration 212(1)
Archiving a Key 213(1)
Destruction 213(1)
Other Considerations 213(3)
Exercise Key Management Processes 214(1)
Dual Control and Separation of Duties 214(1)
Key Escrow 214(1)
Product Interoperability 214(1)
Catastrophic Failure 215(1)
Using Encryption for Virtual Shredding 215(1)
Proper Key Management 216(1)
Chapter 14 The Self-Encrypting Drive 217(10)
Basic Characteristics 219(3)
Variations on the Basic Self-Encrypting Drive 222(2)
Common Concerns 224(1)
Future Capabilities Defined by the TCG Specifications 224(1)
What the Future of Encrypted Data May Hold 224(3)
Chapter 15 Encryption Technologies: A Practical Assessment 227(12)
Choices for Hiding Information 227(1)
Encryption Algorithms: An Historical Perspective 228(1)
Factors to Be Considered in Making Encryption Decisions 229(1)
Media That Can or Should Be Encrypted 229(1)
Advanced Encryption Standard 230(1)
Encryption with Web Browsers 230(2)
Hardware Versus Software Encryption 232(4)
Hardware Encryption 232(1)
Software Encryption 232(1)
Some Available Encryption and Decryption Software 232(2)
Examples of File Software Encryption 234(2)
Key Management 236(3)
PART V Response 239(46)
Chapter 16 Security Best Practices: The Watchword Is Prioritize! 241(14)
21st Century Information Security Challenges 241(2)
Failed Security 243(1)
Data Breaches Can and Must Be Prevented 243(1)
Where to Begin? 244(4)
National Institute of Standards and Technology Guidelines 244(1)
ISO/IEC 27000-series Standards 245(1)
COBIT 246(1)
National Identity Management Strategy 247(1)
The Security Response 248(5)
Twenty Critical Controls for Effective Cyberdefense: Consensus Audit 248(1)
Top 25 Most Dangerous Software Errors 249(1)
Insider Threats Must Be Countered 250(1)
Payment Card Industry Data Security Standard 251(2)
Cloud Security 253(1)
Now Is the Time to Become Serious About Information Security 253(2)
Chapter 17 Responding to Data Breaches 255(10)
Report Immediately to a Designated Internal Contact Any Discovered or Suspected Breach 256(1)
Investigate Any Reports Promptly and Thoroughly 256(1)
Stop the Source of the Breach and the Associated Harm 257(1)
Evaluate Your Legal Obligations Regarding the Incident 257(2)
Strategize Communications About the Incident 259(1)
Help the Data Subjects 259(1)
Identify Internal Policies and Procedures That Should Be Immediately Changed 260(1)
Notify the Affected Data Subjects and Other Relevant Entities Where Warranted 260(2)
Evolve Practices and Procedures on an Ongoing Basis 262(3)
Chapter 18 Technology to Prevent Data Leaks 265(6)
Protection at the Data Level 265(3)
Rogue Devices and Software 267(1)
Access Control 267(1)
Data Protection 267(1)
Tools for DLP Risk Mitigation 268(2)
Effective Data Security Is Required 270(1)
Chapter 19 Insurance Protection for Security Breaches 271(14)
Types of Insurance Potentially Applicable to Liability or Loss from a Security Breach 271(9)
Overview 271(1)
First-Party Property Insurance 272(1)
Business-Interruption Insurance 273(1)
Fidelity Insurance and Bonds 274(1)
Electronic Funds Transfer Insurance 274(1)
Third-Party Liability Insurance 275(1)
General Liability Insurance 275(2)
Media Liability Insurance 277(1)
Directors and Officers and Fiduciary Liability Insurance 277(2)
Errors and Omissions Insurance 279(1)
Cyberrisk Insurance Coverage 280(1)
Types of Exposures Covered 280(1)
First-Party Versus Third-Party Coverage 280(1)
Role of Auditing and Loss Prevention 281(1)
Risk-Management Tips 281(1)
Tips for Purchasing Insurance 281(1)
Tips for Making Claims 281(4)
All Claims 282(1)
Claims Under Liability Insurance Policies 282(1)
Claims Under First-Party Insurance Policies 282(3)
Appendix A Security Breach Notification Laws 285(4)
Appendix B Summary of Data Breach Notification and Encryption Laws 289(20)
Appendix C Resources 309(8)
Index of Important Cases 317(2)
Index 319