PII is a PITA

Keith Casey
September 28, 2023

In this session, let’s look at the mechanics of identifying and eliminating phone numbers, credit cards, email addresses, and the other things that are more risk than they’re worth.

There are two constants in software development: every app will eventually read email and our security/compliance teams will definitely not like our next idea. While we can’t avoid reading email, we can work to make peace with our security team by considering their requirements earlier in our work.

So let’s rethink our approach. Instead of collecting everything and hoping for the best, let’s acknowledge the risks and be thoughtful about what we capture.

Transcript

  1. Speakers: Michael Weinberger, BD & Partners, 10 years Cyber Security (Tenable, Phantom, Splunk, Pangea); Keith Casey, Product Manager, 20 years APIs, Security, Antics (Twilio, Okta, ngrok, Pangea)
  2. Agenda: PII is a PITA • Why it's a Problem • Size of the Problem • Steps to Fix the Problem
  3. Software Development 101: 2 Constants. There are two constants in software development: every app will eventually read email and our security team will not like our next idea (and off-by-one errors).
  4. Problem: The Consequences. Why it Matters: • Customer Impact • Reputational Loss • Financial Loss • Legal Consequences
  5. Problem: Panera Breach. Where did they fail? Panera made key mistakes: • Full profile data • Used sequential user IDs • Unsecured endpoint • No monitoring, rate limiting, or emergency stops. Ref: https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/
  6. Problem: BA Breach. Where did they fail? BA made key mistakes: • Full credit card details • Minimal tracking & controls over web assets. Ref: https://www.wired.com/story/british-airways-hack-details/
  7. Problem: Equifax Breach. Where did they fail? Equifax made key mistakes: • Full profile data • Used sequential user IDs • Minimally endpoint • No monitoring, rate limiting, or emergency stops. Ref: https://www.nytimes.com/2019/07/22/business/equifax-settlement.html
  8. Problem: Regulatory. Becoming compliant is hard and takes a lot of time, especially when you build an application from scratch! • GDPR • SOC2 • PCI • HIPAA • ISO27001
  9. Practices: Steps at Every Stage. But often you still need to collect, store, and use the data.
  10. Practice: Limit Collection. Dealing with Credit Card Numbers: - 4111 1111 1111 1111 - 4111111111111111
  11. Practice: Limit Collection. Dealing with Phone Numbers: - (512) 555-1212 - 5125551212 - 15125551212 - +15125551212
  12. Logging Safely & Securely: 1. Log sensitive activity 2. Understand what is normal 3. Adapt with new apps and systems
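Slide 5 pairs "used sequential user IDs" with "no monitoring, rate limiting, or emergency stops", and slide 12 says to log sensitive activity and understand what is normal. The block below is an added example, not code from the talk, from Keith Casey, or from Pangea, of what that monitoring can look like: it parses access-log lines for profile reads, measures how many distinct records each client reads inside a time window and whether it walks IDs one after another, and turns that into a normal/alert/block verdict. The log format, the thresholds and the three constructed clients are assumptions made for the example.

```python
"""Spot user-record enumeration in access logs: define what "normal" looks
like (a user reads a handful of records, never a sequential run) and flag
clients that deviate. Added example; the log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp, client address, method, path, status.
LOG_RE = re.compile(r"^(\S+) (\S+) GET /api/users/(\d+) (\d{3})$")

# Constructed sample: 198.51.100.4 reads its own profile twice (normal),
# 203.0.113.7 walks IDs 1001..1006 in order (enumeration), 192.0.2.9 reads
# five unrelated records in a few seconds (more than a normal user, worth a look).
SAMPLE_LOG = """\
2023-09-28T10:00:01Z 198.51.100.4 GET /api/users/48213 200
2023-09-28T10:00:02Z 203.0.113.7 GET /api/users/1001 200
2023-09-28T10:00:02Z 203.0.113.7 GET /api/users/1002 200
2023-09-28T10:00:03Z 203.0.113.7 GET /api/users/1003 200
2023-09-28T10:00:03Z 192.0.2.9 GET /api/users/7 200
2023-09-28T10:00:03Z 203.0.113.7 GET /api/users/1004 200
2023-09-28T10:00:04Z 203.0.113.7 GET /api/users/1005 200
2023-09-28T10:00:04Z 192.0.2.9 GET /api/users/350 200
2023-09-28T10:00:05Z 203.0.113.7 GET /api/users/1006 200
2023-09-28T10:00:06Z 192.0.2.9 GET /api/users/1200 200
2023-09-28T10:00:07Z 192.0.2.9 GET /api/users/22 200
2023-09-28T10:00:09Z 192.0.2.9 GET /api/users/9 200
2023-09-28T10:00:40Z 198.51.100.4 GET /api/users/48213 200
"""


def parse(log_text):
    """Group profile reads by client: {client: [(timestamp, user_id), ...]}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a profile read (or a malformed line); ignore it
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events[m.group(2)].append((ts, int(m.group(3))))
    return events


def max_distinct_in_window(events, window):
    """Largest number of distinct user IDs one client read within any `window`."""
    events = sorted(events)
    best, start, seen = 0, 0, defaultdict(int)
    for ts, uid in events:
        seen[uid] += 1
        while events[start][0] < ts - window:  # drop reads older than the window
            old = events[start][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            start += 1
        best = max(best, len(seen))
    return best


def longest_sequential_run(events):
    """Longest run of reads where each user ID is the previous one plus one."""
    ids = [uid for _, uid in sorted(events)]
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def analyze(log_text, window=timedelta(seconds=60), max_distinct=3, min_run=5):
    """Per-client verdict. Thresholds are assumed baselines: a normal user reads
    at most `max_distinct` records a minute and never `min_run` consecutive IDs."""
    verdicts = {}
    for client, evs in parse(log_text).items():
        distinct = max_distinct_in_window(evs, window)
        run = longest_sequential_run(evs)
        if run >= min_run:
            verdict = "block"   # emergency stop: sequential walk of user IDs
        elif distinct > max_distinct:
            verdict = "alert"   # above the baseline; investigate before acting
        else:
            verdict = "normal"
        verdicts[client] = {"distinct": distinct, "longest_run": run, "verdict": verdict}
    return verdicts


if __name__ == "__main__":
    for client, result in analyze(SAMPLE_LOG).items():
        print(client, result)
```

The point of the two separate signals is that "understand what is normal" is a baseline, not a single rule: the distinct-records count catches bulk reads regardless of ID scheme, while the sequential-run check is the cheap tell that non-random identifiers give you. The "block" verdict is the emergency stop slide 5 says was missing; in a real deployment it feeds a rate limiter or a feature flag rather than a print statement.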
  13. Bad Logging. Facebook's mistakes: • Logged all data • Unencrypted. Problem: Panera Breach. Ref: https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/
  14. Good Logging. T-Mobile's mistakes: • Centralized Logging • Actionable. Problem: Panera Breach. Ref: https://techcrunch.com/2018/08/24/t-mobile-says-hackers-stole-customer-data-in-data-breach/
  16. Recap: PII is a PITA • Huge Problem - Size, Scope, Consequences • Huge Costs - Financial, Legal, Reputation • (Technically) Simple Fixes