Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.
Bug Bounties,
Ransomware, and
Other Cyber Hype
for Legal Counsel
MCCA Global TEC Forum
April 13, 2018
Casey Ellis | Chairm...
The Scope of the Problem
What the World Economic Forum Thinks about Us (US)
Where Do Cyberattacks Rank?
Source: World Economic Forum Global Risks 2018
(Sobering) Statistics
Data Breaches Continue to Mount
Source: The Breach Level Index, available at, http://breachlevelinde...
Biggest Breaches (2008-2009)
Source: The Breach Level Index, available at, http://breachlevelindex.com
Biggest Breaches (2016-2017)
Anatomy of a Typical External (Hack) Attack
Nation State
Organized
Crime
Hacktivists
Initial
Compromise
Establish
Foothold...
Anatomy of a Typical Company Response
Data Access
Data Acquisition
Initial Triage
Forensic
Investigation
Notifications
PR/...
Common Cost Components
Initial Response Costs Business Losses
Security consultants Lost revenue
Forensic imaging Drop in s...
Transformative Costs
Source: Cybersecurity Ventures and Herjavec Group (2017)
“The greatest transfer of economic wealth in...
Brand Impact = As (or More) Important than Other Costs
74.8%
72.5%
80%
of consumers worry about the security of their pers...
Companies are Under-Resourced / Staffed / Funded
“Cybersecurity has a serious talent shortage”
Source: Frost & Sullivan, C...
What is Legal’s Role? Lack of Tech Literacy Doesn’t Help
“Lawyers don’t need to be coders, they just need not be Luddites”...
What is Legal’s Role? Tech Competence is Part of the Job
A lawyer shall provide competent representation to a client…”
Com...
Bug Bounties and
“Security Researchers”
Researchers Are Trying to Help . . . Right?
Source: Bugcrowd
Bug Bounty 101 – How it Works
Bug Bounty – Is there a Code of Conduct?
“Is there Honor Among ‘Security Researchers’”?
 Many security researchers have “...
Bug Bounty Programs = A Force Multiplier for Companies
“It Takes a Crowd”
Lack of Resources + expanding attack surfaces = ...
Third-Party Managed Bug Bounty Programs
Program Types
Service Elements
Source: Bugcrowd
Designing Your Own Bug Bounty?
The Department of Justice outlines a
framework for designing a “vulnerability
disclosure pr...
Do Bug Bounties Increase Legal Breach Notifications?
Phase 1 Identification, Scoping and Severity Assessment
Phase 2 Escal...
• How real is the legal risk around known security vulnerabilities?
• Researchers can, and do, go public
• Researchers can...
What’s the Game Plan?
• How should we address security researchers who call or email (especially on a
Friday before a holi...
Ransomware
Ransomware: What is it?
Ransomware: What does it look like?
The visual appearance of a ransomware attack may vary widely
• Format of the ransom no...
Ransomware: How it works
Rapid Acceleration
Number of Ransomware Attacks Worldwide (in millions)
Source: Statistica
The No More Ransom Project
Approach “Free” Tools With Caution
Should you pay?
“The FBI does not support paying a
ransom to the adversary…..
Paying a ransom does not guarantee the
victi...
“Dude, stop crying.”
Generation of rookie hackers emerges
In the past, we were often engaging directly with the malware de...
Do companies actually pay?
Source: Osterman Research (Survey of 540 CIOs/CISOs/IT Directors)
How do (can) you pay?
• Does your company/client have a bitcoin wallet?
– Your vendor does!
• Managed ransomware response:...
If you decide to pay . . .
Call The Professionals
The transaction goes the smoothest when the
incident response team is br...
Horror Stories
Do Not Try This At Home
When victims try to engage themselves, they may accidentally antagonize the
attacke...
Consequences and
Protective Measures
What is the legal framework?
Civil or criminal
liability for
hacking
Contractual
duties re:
security and/or
breach
notific...
Are “Bugs” and “Ransomware” Notifiable Breach Events???
• Statutes
– State statutes (plus D.C., Guam, P.R., V.I.); trigger...
What have regulators said about Ransomware?
“[A] breach has occurred because the [data] encrypted by the ransomware
was ac...
Board Members Under Fire
SEC and DOJ Investigations
Incident Response (IR) Planning
Do you have an IR Team? An IR Plan? Have you practiced?
Identify
Triage &
Contain
Analyze ...
Other Key Elements of Proactive Cybersecurity Programs
• Executive CISO or equivalent function responsible for cybersecuri...
Other Key Elements (cont’d)
• Inclusion of cybersecurity-related provisions and audit rights in vendor and business
partne...
Discussion
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Ha terminado este documento.
Descárguela y léala sin conexión.
Próximo SlideShare
What to Upload to SlideShare
Siguiente
Próximo SlideShare
What to Upload to SlideShare
Siguiente
Descargar para leer sin conexión y ver en pantalla completa.

Compartir

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

Descargar para leer sin conexión

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

MCCA Global TEC Forum
April 13, 2018

Libros relacionados

Gratis con una prueba de 30 días de Scribd

Ver todo
  • Sé el primero en recomendar esto

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

  1. 1. Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel MCCA Global TEC Forum April 13, 2018 Casey Ellis | Chairman, Founder & CTO – Bugcrowd Elizabeth Cookson | Senior Analyst, Cyber – KIVU Consulting Jake Heath | Partner, Intellectual Property – Orrick LLP Moderator: Tony Kim | Partner, Cyber, Privacy & Data Innovation – Orrick LLP
  2. 2. The Scope of the Problem
  3. 3. What the World Economic Forum Thinks about Us (US)
  4. 4. Where Do Cyberattacks Rank? Source: World Economic Forum Global Risks 2018
  5. 5. (Sobering) Statistics Data Breaches Continue to Mount Source: The Breach Level Index, available at, http://breachlevelindex.com
  6. 6. Biggest Breaches (2008-2009) Source: The Breach Level Index, available at, http://breachlevelindex.com
  7. 7. Biggest Breaches (2016-2017)
  8. 8. Anatomy of a Typical External (Hack) Attack Nation State Organized Crime Hacktivists Initial Compromise Establish Foothold Escalate Privileges Internal Recon Lateral Movement Maintain Presence Malicious Insiders Network Perimeter Financial gain Cyber-extortion Cyber-espionage Competitive advantage Disruption Political Revenge Whistleblower WHY? Internal Damage Ransomware Data Access Data Acquisition
  9. 9. Anatomy of a Typical Company Response Data Access Data Acquisition Initial Triage Forensic Investigation Notifications PR/Communications Law Enforcement Systems Remediation Insurance Recovery Public Disclosures Governance Auditors Regulator Investigations Lawsuits Customer Demands Remedies or Settlements
  10. 10. Common Cost Components Initial Response Costs Business Losses Security consultants Lost revenue Forensic imaging Drop in stock value Restoring service / security upgrades Loss of customer confidence Customer Costs Legal Claims Breach notification Litigation (e.g., consumer or employee class action / shareholder derivative) costs and settlement payouts Identity theft problem Defense of government proceedings Credit monitoring Government fines or penalties Customer inducements PCI/Card brand assessments
  11. 11. Transformative Costs Source: Cybersecurity Ventures and Herjavec Group (2017) “The greatest transfer of economic wealth in history” 2015 2021 $6 trillion $3 trillion Global annual cybercrime costs estimated to grow from $3 trillion to $6 trillion by 2021 Includes estimated costs for: • Damage and destruction of data • Stolen money/fraud/embezzlement • Lost productivity/disruption to operations • Theft of IP, personal data, financial data • Forensic investigation • Restoration and remediation • Reputational harm
  12. 12. Brand Impact = As (or More) Important than Other Costs 74.8% 72.5% 80% of consumers worry about the security of their personal information. Temkin Group "Consumer Benchmark Survey" of consumers don’t believe organizations care about their private data and keeping it safe and secure. HyTrust Inc., the Cloud Security Automation Company 56% 40% 29% Political Action (sign a petition, contact a politician Stop/Reduce Technology Use Social Activity (post to social media, write an op-ed or letter) Actions your customers take when you falter of consumers believe failure to keep customer information secure has a significant negative impact on trust in a company. Edelman Trust Barometer: Financial Services Industry Source: Edelman Proprietary Study, 2014
  13. 13. Companies are Under-Resourced / Staffed / Funded “Cybersecurity has a serious talent shortage” Source: Frost & Sullivan, Center for Cyber Safety and Education (2017) 2017 2022 1.8 million worker shortfall in information security Too few information security workers in my department The most common reason given for this phenomenon is lack of qualified personnel Companies may be looking in the wrong places for talent in this space: • 87% of cyber workers did NOT start in cyber • 30% of cyber workers came from non-IT and non- Engineering background • Disconnect: Managers deeply value communication and analytical skills vs. Candidates predictably prioritize high technical skills
  14. 14. What is Legal’s Role? Lack of Tech Literacy Doesn’t Help “Lawyers don’t need to be coders, they just need not be Luddites” * • Techno-phobia • Continued view of cyber as primarily an IT or InfoSec function • Belief that lawyers should get involved after a breach happens (e.g., breach notification laws), or only in preparing to respond for a breach vs. preventive/mitigation measures • Belief that companies (good guys) can never keep pace with the bad guys in terms of funding, skill, or innovation * “Luddite” = (1) bands of English workers who destroyed machinery that they believed was threatening their jobs; (2) person opposed to new technology
  15. 15. What is Legal’s Role? Tech Competence is Part of the Job A lawyer shall provide competent representation to a client…” Comment 8 to Model Rule of Professional Conduct 1.1: Maintaining Competence To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. (Emphasis added.)
  16. 16. Bug Bounties and “Security Researchers”
  17. 17. Researchers Are Trying to Help . . . Right?
  18. 18. Source: Bugcrowd Bug Bounty 101 – How it Works
  19. 19. Bug Bounty – Is there a Code of Conduct? “Is there Honor Among ‘Security Researchers’”?  Many security researchers have “day jobs,” so they are not out to extort or otherwise disadvantage companies  If you don’t play by the Bug Bounty rules, you will not get paid – including confidentiality  Transparency with respect to payment levels for bug severity levels, and level of documentation that must be shown for payment  Security researchers are “rated,” so reputation matters!
  20. 20. Bug Bounty Programs = A Force Multiplier for Companies “It Takes a Crowd” Lack of Resources + expanding attack surfaces = more opportunity for adversaries.  Bug Bounty programs are used by many uber-sophisticated companies, and even the federal government  In 2 weeks, per company, security researchers typically find: Source: Bugcrowd
  21. 21. Third-Party Managed Bug Bounty Programs Program Types Service Elements Source: Bugcrowd
  22. 22. Designing Your Own Bug Bounty? The Department of Justice outlines a framework for designing a “vulnerability disclosure program” to address the concerns that such activity might violate the Computer Fraud and Abuse Act (18 U.S.C. 1030). See https://www.justice.gov/criminal-ccips/page/file/983996/download
  23. 23. Do Bug Bounties Increase Legal Breach Notifications? Phase 1 Identification, Scoping and Severity Assessment Phase 2 Escalation and Deployment of IR Resources Phase 3 Investigation and Remediation Phase 4 Notification and Other External Communications Phase 5 Post-Incident Analysis and Preparation 1. Statutory duty to notify customers? Legal 2. Contractual duty to notify? Legal 3. “Voluntary” notification? Transparency • Generally, triggered on unauthorized “access” or “acquisition” of PI • 47 U.S. state laws + territories • HHS OCR / PCI / Interagency Guidelines • Rest-of-world • Contractual duties override statutory or regulatory duties on notification • Includes “quasi” contracts such as Privacy Policy and Terms of Use, Marketing, Advertising • Forensics are often inconclusive, which leads to a multi- factor decision tree • Voluntary notice scenarios based on facts, risk mitigation, ethical considerations Corporate Incident Response Plan Phases
  24. 24. • How real is the legal risk around known security vulnerabilities? • Researchers can, and do, go public • Researchers can, and do, report to regulatory agencies • Regulators can, and do, bring investigations and enforcement actions based on vulnerabilities alone – even if there’s been no “data breach” – FTC Litigation: D-Link case – FTC/FCC: Stagefright inquiries to mobile device makers – SEC OCIE: Craig Scott Capital case – Litigation (both ways): St. Jude Medical / Muddy Waters case Is there Liability for a “Mere” Security Vulnerability?
  25. 25. What’s the Game Plan? • How should we address security researchers who call or email (especially on a Friday before a holiday at 4:50 pm)? – Who should interact with the researcher? – Should you email or call, or both? – Do you ever acknowledge the vulnerability? Do you pay them? – Do you keep them updated on the status of your investigation, remediation? • Very helpful to have internal game plan for security researcher engagement, including how and who will make decision on payment • IR Planning – Legal and PR/crisis communications should be briefed and ready – Consideration of incorporating into IR plan, or parallel protocol
  26. 26. Ransomware
  27. 27. Ransomware: What is it?
  28. 28. Ransomware: What does it look like? The visual appearance of a ransomware attack may vary widely • Format of the ransom note • File extension • Disk-level ransomware vs. file-level ransomware • Scrambled filename vs. intact filename
  29. 29. Ransomware: How it works
  30. 30. Rapid Acceleration Number of Ransomware Attacks Worldwide (in millions) Source: Statistica
  31. 31. The No More Ransom Project
  32. 32. Approach “Free” Tools With Caution
  33. 33. Should you pay? “The FBI does not support paying a ransom to the adversary….. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom…… Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.”
  34. 34. “Dude, stop crying.” Generation of rookie hackers emerges In the past, we were often engaging directly with the malware developer, who could help with software bugs and hiccups With rookie hackers, the tool is either poorly written and / or the actors are unable to help troubleshoot decryption issues
  35. 35. Do companies actually pay? Source: Osterman Research (Survey of 540 CIOs/CISOs/IT Directors)
  36. 36. How do (can) you pay? • Does your company/client have a bitcoin wallet? – Your vendor does! • Managed ransomware response: • Vendor takes over communications with attacker (often in attacker’s native language) – Vendor obtains and validates (tests) ransomware decryption tool – Vendor assists in negotiating down the ransom amount – Vendor fronts payment to attacker, in many circumstances – Vendor assists with actual/live decryption and remediation
  37. 37. If you decide to pay . . . Call The Professionals The transaction goes the smoothest when the incident response team is brought in early
  38. 38. Horror Stories Do Not Try This At Home When victims try to engage themselves, they may accidentally antagonize the attacker, or give up information that reveals their identity
  39. 39. Consequences and Protective Measures
  40. 40. What is the legal framework? Civil or criminal liability for hacking Contractual duties re: security and/or breach notification Laws requiring security measures Notification to individuals and regulators Regulator enforcement consent decrees, and related requirements Regulator and industry standards, guidelines, and frameworks
  41. 41. Are “Bugs” and “Ransomware” Notifiable Breach Events??? • Statutes – State statutes (plus D.C., Guam, P.R., V.I.); triggered when 1 or more affected individuals is a resident of the state; triggered on “access” or “acquisition” of PI elements – Industry/sector federal rules (e.g., HIPAA, Interagency Guidelines, NYDFS, DFARS) • Contracts – Contracts with customer and vendors (e.g., privacy policies, terms of use, etc.) – Almost always define “breaches” more broadly than statutes • Industry Rules (e.g., Payment Card Industry – PCI) • SEC public company disclosures (e.g., Form 8-K) • Client’s Internal Policies and Procedures
  42. 42. What have regulators said about Ransomware? “[A] breach has occurred because the [data] encrypted by the ransomware was acquired … and thus is a ‘disclosure’” where security incident defined as “the acquisition, access, use of disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” 45 C.F.C. 162.402. Special focus on results of forensic analysis and risk assessment “A company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act.” -- (Then) Chairwoman Edith Ramirez (2016) Failure to address “pervasive security bugs” that leave systems vulnerable to malware will be a key factor in the FTC’s decision to open an investigation or pursue an enforcement action.
  43. 43. Board Members Under Fire
  44. 44. SEC and DOJ Investigations
  45. 45. Incident Response (IR) Planning Do you have an IR Team? An IR Plan? Have you practiced? Identify Triage & Contain Analyze & Investigate Remove & Recover Prepare Corporate IR Plan Cross- Functional IR Team Cross-Functional IR Team Key Internal Members IR Team Leader Executive Liaison General Counsel/Legal Privacy Officer IT Security Physical Security Corp. Communications Customer Support Human Resources Risk Management Key External Members Outside Counsel Forensics Crisis Communications Investor Relations Vendors (mail house, call center, credit monitoring)
  46. 46. Other Key Elements of Proactive Cybersecurity Programs • Executive CISO or equivalent function responsible for cybersecurity with regular and direct reporting to Board (Audit/Risk) Committee • Inventory of data and network assets subject to attack (e.g., data map, network map) • Regular enterprise-wide cybersecurity assessments, properly scoped and managed (not just “pen tests” or routine vulnerability scans, but more holistic) • Participation in threat intelligence sharing forums to develop understanding of threat landscape (e.g., ISACs) • Certifications to PCI DSS, ISO/IEC standards, such as ISO/IEC 27001:013, etc. • Encryption of sensitive data in-transit (and at-rest, as appropriate), privilege/identity access management, etc. . . . and other bare minimum protective controls
  47. 47. Other Key Elements (cont’d) • Inclusion of cybersecurity-related provisions and audit rights in vendor and business partner contracts, with program for auditing compliance • Implementation of training programs for employees and security team on cybersecurity awareness and response • Retention of experts and consultants to provide technical services for purpose of providing legal advice regarding risk • Procurement of cyber insurance to cover costs of forensic analysis, legal services, public relations, credit monitoring, litigation defense, etc. • Explicity consideration of evolving scenarios like Bug Bounties and Ransomware – and how they fit into, or necessitate adjustments to, company’s security breach incident response plan (IRP)
  48. 48. Discussion

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel MCCA Global TEC Forum April 13, 2018

Vistas

Total de vistas

639

En Slideshare

0

De embebidos

0

Número de embebidos

3

Acciones

Descargas

1

Compartidos

0

Comentarios

0

Me gusta

0

×