SEC 110_Assignment_3 1

Assignment 3-1: Data Security Principles

Data Case Studies

Instructions: Choose one of the case studies: PlayStation, OPM, Anthem, Stuxnet, or WannaCry. Read about the hack and take notes before the class session.

Files or Resources Needed:

2011 PlayStation Network outage. (2020, September 14). Wikipedia. https://en.wikipedia.org/w/index.php?title=2011_PlayStation_Network_outage&oldid=978362330

Anthem medical data breach. (2020, October 4). Wikipedia. https://en.wikipedia.org/w/index.php?title=Anthem_medical_data_breach&oldid=981810315

Office of Personnel Management data breach. (2020, August 3). Wikipedia. https://en.wikipedia.org/w/index.php?title=Office_of_Personnel_Management_data_breach&oldid=970940496

Stuxnet. (2020, September 29). Wikipedia. https://en.wikipedia.org/w/index.php?title=Stuxnet&oldid=980878642

WannaCry ransomware attack. (2020, October 8). Wikipedia. https://en.wikipedia.org/w/index.php?title=WannaCry_ransomware_attack&oldid=982463497

What to Complete

Write four ideas from the article you believe are critically important to protecting personal data online. You can quote the article or summarize it. Then write your reaction to the text. Ideas and information to consider:

    • What kind of data was revealed in the hack you read about?

    • How many people were involved or affected?

    • How much data or information was stolen or lost?

    • How is or how could that data be used to help/harm individuals (real-world impacts such as a loss of service, lost ability to refine, etc.)?

The Text (Quote or Summary)

My Reaction to the Text

"much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end-of-life." (WannaCry)

This quote from the text emphasizes how crucial software updates and patches are. When building software, how a system is updated and patched for users should be considered. Web-hosted software has an advantage over traditional software because updates can be rolled out automatically and in real time.

"However, on June 13, 2015, OPM spokesman Samuel Schumach said that investigators had "a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective federal government employees, to include U.S. military personnel, and those for whom a federal background investigation was conducted, may have been exfiltrated."" (OPM Data Breach)

This quote was pulled from the text because it emphasizes that even our federal government can have insecure systems and networks vulnerable to attacks.

"Anthem was not required by law to encrypt the data.[11] However, Anthem faced several civil class-action lawsuits, which were settled in 2017 at a cost of $115 million. Anthem did not admit any wrongdoing in the settlement.[12]" (Anthem Breach)

I pulled this quote from the text because it highlights the legal responsibility a company has when a breach occurs. Not encrypting user data should be illegal if said data is sensitive and violates HIPAA. Encrypting data offers another level of security if certain accounts are breached.

"Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool" (Sony Breach)

The malware that spread through Sony's network was a type of worm that would send back log data to the attack's origin. After brute forcing into an account it would listen for data, put in a lightweight backdoor that is less noticeable than a regular one, and software to destroy data on the hard drive.

HIPAA Breach Activity

Instructions: Go to the HIPAA Breach Portal https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf and complete the steps listed below. Note the different types of breaches, the different locations of the breached information, and the number of affected individuals.

Step 1: Covered Entities

Select two of the Covered Entities in your state from the list. Enter the name of these covered entities in the first column in the table below.

Step 2: Date of Breach

In the second column, enter the date that the breach information was reported (not the date of the actual breach).

Step 3: Type of Breach

In the third column “Type of Breach,” identify the type of breach for each entity.

Step 4: Individuals Affected

In the fourth column “Number of Individuals Affected,” enter the number of individuals the breach affected or impacted for each entity.

Step 5: Location of the Breach Information

In the final column “Location of the Breach Information,” input the location of the breach for each entity.

| Name of Covered Entities | Date Breach Reported | Type of Breach | Number of Individuals Affected | Location of the Breach Information |
|---|---|---|---|---|
| 1. Northwestern Medical Center | 08/09/2022 | Unauthorized Access/Disclosure | 584 | Vermont |
| 2. Lamoille Health Partners | 08/11/2022 | Hacking/IT Incident | 59381 | Vermont |

Analysis

The biggest difference between these two breaches is that one was caused by unauthorized access and the other was the result of a hacking incident. The hacking breach was able to obtain a lot more data in a shorter period of time. Many health care providers don't take action to protect user data and secure their systems.

State Breach Activity

Instructions: Complete steps one through three.

Files or Resources Needed: Data Breach Notification Laws: Data Breach Disclosure Laws per State website https://www.itgovernanceusa.com/data-breach-notification-laws

Step 1: Data Breach Notification Laws

Select 2 states, then find and read those states' data breach notification laws on the Data Breach Notification Laws: Data Breach Disclosure Laws per State website https://www.itgovernanceusa.com/data-breach-notification-laws

Step 2: Read the Scenario

On May 1st, 2020, an unauthorized person accessed XYZ company servers using credentials found on the website “Have I Been Pwned.” The data accessed included 499 records containing private personal information such as fingerprints. To the best of the knowledge provided by the ongoing investigation, the data accessed did not include any names, addresses, usernames/passwords, driver’s license numbers, or social security numbers.

Step 3: Compare and Contrast

  • Compare and contrast how each state would or would not notify residents and whether there are any penalties.

  • Record your findings in the table by entering the name of the state and answering each question for each state. (in table on next page)

| States | Is resident notification required? (yes/no/maybe) | What are the penalties? |
|---|---|---|
| 1. Vermont | Yes | I could not find any specific legal consequence. Of course reputation and trust with customers drops significantly after a breach. |
| 2. Connecticut | Yes | I could not find any specific legal consequence. Of course reputation and trust with customers drops significantly after a breach. |
