Life’s A Breach: Surviving Your Next Cyber-Attack
Garry A. Pate
Director
Stout Risius Ross, Inc.
Robert C. Ludolph
Of Counsel
Pepper Hamilton LLP
Members Only
Visit ediscoveryconference.com
Visit FinancialCrimeConference.com
KEYNOTE
Robert C. Ludolph
Of Counsel
Pepper Hamilton LLP
+1.248.359.7368
ludolphr@pepperlaw.com
Garry A. Pate
Director
Stout Risius Ross
+1.248.432.1304
gpate@srr.com
Attack From Within
• High level executive placed on leave to investigate a series of improprieties.
• Executive keeps company laptop and iPhone on which he stored sensitive customer information, proprietary trade secrets and personal data on employees.
• Computer returned with 40,000 documents deleted but e-mails to competitor are found.
• General Counsel engages outside counsel who retains forensic investigator.
What is Your Cyber-Security Strategy?
• Who Is In Charge?
• Who Do You Notify?
• Do You Take Any Legal Action?
• What Is This Going to Cost?
And many more questions.
Real Threats?
Target Breach: Tip of the Iceberg
Who Are Your Cyber Threats?
• Nuisance hacker
• Social engineering
• Disgruntled workers
• Employee/third party theft
– Customer lists
– IP theft cases
• Criminal enterprises
– Advanced persistent threats
– State-sponsored enterprises – cyber warfare
Is Your Law Firm the Worst Line of Defense?
Banks demand that law firms harden cyber attack defenses
Wall Street Journal, October 26, 2014
Law Firms Are Pressed on Security for Data
New York Times, March 26, 2014
That’s Where the Money Is.
“Law firms are a rich target,” said FBI's assistant special agent in charge of the Pittsburgh field office. “They don't have the capabilities and the resources to protect themselves. Within their systems are a lot of the sensitive information from the corporations that they represent. And, therefore, it's a vulnerability that the bad guys are trying to exploit, and are exploiting.”
Unprepared law firms vulnerable to hackers
Pittsburgh Tribune Review, September 13, 2014
Can Your Law Firm Keep A Secret?
FBI began warning New York law firms in 2009:
"We have hundreds of law firms that we see increasingly being targeted by hackers."
Cybersecurity company Mandiant claims that in 2011, around 80 major U.S. law firms were hacked.
Ransomware hackers pose threat to B.C. law firms
CBC News, January 12, 2015
Will You Know When the Attack Begins?
Target Breach
• Target system compromised for 19 consecutive days.
• Information of 110 Million people compromised.
• 11 GB of data stolen.
Target Breach: Consequences
– $100M effort to move to chip-based payment cards
– $5M campaign to raise awareness on cybersecurity issues
– Fourth-quarter profit slumped 46% while revenue slid 5.3%
– Reputational damage
– $61 million in hacking-related expenses
– VP Technology / CIO / CEO resign
Target Breach: Actions
– Notification to customers by email and online posts
– 1 year of free credit monitoring for all customers
– 1 year of free identity theft protection for all affected customers
– 10% discount offered to all shoppers on December 21 and 22
– Increase fraud detection on REDcards
– Launched retail industry cybersecurity and data privacy initiative
Duty to Warn:
Data Breach Law and Regulatory Requirements
• State Privacy Laws
– Data breach notification legislation.
– Identity theft legislation including protection of Social Security Numbers.
– State legislation on protection of personal information broader than federal (CA, MA, NV).
Alphabet Soup of the Duty to Warn:
Data Breach Law and Regulatory Requirements
Federal requirements on content and timeframe of data breach notification:
• Office of the Comptroller of Currency (OCC)
• Federal Deposit Insurance Corporation (FDIC)
• Department of Health and Human Services (HHS)
• Federal Trade Commission (FTC)
• US Securities and Exchange Commission (SEC)
New regulations are coming
At What Cost?
$233
You Do the Math
Target – 40 Million credit cards
Home Depot – 56 Million accounts
eBay – 145 Million customers
Anthem – 80 Million social security numbers
“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.”
Donald Rumsfeld
Challenges
• Fraud and cyber crime now powers a multi-billion dollar economy
• Defacements and Denial of Service attacks
• Targeted Threats and Advanced Persistent Threats
• Inconsistent information practices across the enterprise lead to pockets of vulnerability.
• Lack of employee education and awareness leads to vulnerability
• Unauthorized collection and use of customer information
• Loss of control over personal information and marketing lists
Key Information Security Challenges
Who Are The Attackers?
Key Information Security Challenges
Perimeter Defense is Insufficient
New Technology = New Exploits
Rootkits
Morphing Malware
Zero-Days
Insider Threats
Advanced Persistent Threat
• Second-largest health insurer in the United States
• Accessed PII of 80 million customers
• Hackers stole names, birthdays, medical IDs, social security numbers, street addresses and e-mail addresses from Anthem customer data
• Hackers may have been inside the Anthem network more than a month before being detected
Advanced Persistent Threat
• World famous Hollywood studio
• Hackers stole over 100TB of data
• Leaked online some of Sony’s unreleased films, highly sensitive and confidential information - like passwords and executives' salaries, and even threatened employees and their families
• Went unnoticed for weeks until computers were paralyzed
• Not the first time Sony has struggled with cybersecurity
Human Error
Apple Data Breach
Human Error
2012 Super Bowl Champion New York Giants
Bank of Montreal
Supervisory Control and Data Acquisition (SCADA)
Large scale industrial and manufacturing plants.
Maroochy Shire
Law Firm Data Breach
• China-based hackers were looking to derail the $40 billion acquisition of the world’s largest potash producer
• Hackers exploited the networks of seven different law firms as well as Canada’s Finance Ministry and the Treasury Board
• Chinese effort to invalidate the takeover as part of the global competition for natural resources
• Stolen data can be worth tens of millions of dollars and give the party who possesses it an unfair advantage in deal negotiations
Law Firm Data Breach
• Los Angeles, CA law firm
• Series of Trojan emails (spear-phishing) appeared to be from members of the firm but in reality were designed to steal data from the firm’s network
• Each email contained a link or attachment that would download malware
• In 2011, the firm was representing a leading provider of blocking and filtering software programs in a $2.2 billion lawsuit against Chinese computer firms, software makers, and the Chinese government
• Forensic analysis revealed that the Trojan emails were linked to Chinese servers.
• The malware was not released. No compromise to its system.
Emerging Strategies
• Shifting the focus away from building robust defensive systems
• Neutralizing cybersecurity threats once attackers are inside the networks
• The median length of time that attackers lurk inside a victim’s network is 229 days
• Protecting high value information = high price tag
NIST Cybersecurity Framework Core
• Identify
– Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
• Protect
– Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
• Detect
– Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
• Respond
– Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
• Recover
– Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Critical Cyber Risk Management
• Take every report seriously
– Suspicious email/internet activity
– Malware/phishing programs
• Be aware of employee activity
– Off-boarding process
• Know your partners and third party contacts
Key Considerations for Policies and Procedures
– Privacy Policy
  • Clear and conspicuous
  • Say what you do and do what you say
– BYOD Policy
– Information Security Policy
– Business Continuity Plan
– Security Audits – check and double check!
Steps to Improving Cybersecurity Program
• Step 1: Prioritize and Scope
– Identify business/mission objectives and systems and assets that support the business line.
• Step 2: Orient
– Identify threats to and vulnerabilities of systems and assets, regulatory requirements, and overall risk approach.
• Step 3: Create a Current Profile
– Identify which outcomes are being achieved.
Steps to Improving Cybersecurity Program
• Step 4: Conduct a Risk Assessment
– Analyze the likelihood of a cybersecurity event and the impact that the event could have on the organization.
• Step 5: Create a Target Profile
• Step 6: Determine, Analyze, and Prioritize Gaps
– Create a prioritized action plan to address those gaps between the Current Profile and the Target Profile.
• Step 7: Implement Action Plan
– Monitor its current cybersecurity practices against the Target Profile.
Practical Steps: Post Incident Activity – 3 R’s
Review
– Incident response team model
– Policies/procedures
Revise
– Tools and resources
– Training of employees
Reevaluate
– Integrity of third parties' systems
– Documentation and reports
Managing Cyber Breaches
Report and Post-Mortem
• “Elite Eight” Recommendations
– Eliminate unnecessary data; keep tabs on what’s left.
– Perform regular checks to ensure that essential controls are met.
– Collect, analyze and share incident data to create a rich information source that can drive security program effectiveness.
– Collect, analyze and share tactical threat intelligence, especially indicators of compromise (IOCs), that can greatly assist defense and detection.
– Without de-emphasizing prevention, focus on better and faster detection through a blend of people, processes, and technology.
– Regularly measure things like “number of compromised systems” and “mean time to detection”, and use these numbers to drive better practices.
– Evaluate the threat landscape to prioritize a treatment strategy. Don’t buy into a “one-size-fits-all” approach to security.
– Don’t underestimate the tenacity of your adversaries, especially espionage-driven attackers, or the power of the intelligence and tools at your disposal.
AT&T Connected Car Vision 2014
Contact Information
Robert C. Ludolph
Of Counsel
Pepper Hamilton LLP
+1.248.359.7368
ludolphr@pepperlaw.com
Garry A. Pate
Director
Stout Risius Ross, Inc.
+1.248.432.1304
gpate@srr.com

Más contenido relacionado

La actualidad más candente

KPMG Publish and Be Damned Cyber Vulnerability Index 2012
KPMG Publish and Be Damned Cyber Vulnerability Index 2012KPMG Publish and Be Damned Cyber Vulnerability Index 2012
KPMG Publish and Be Damned Cyber Vulnerability Index 2012Charmaine Servado
 
Sept 2012 data security & cyber liability
Sept 2012   data security & cyber liabilitySept 2012   data security & cyber liability
Sept 2012 data security & cyber liabilityDFickett
 
Logikcull Webinar: Preventing the Next Panama Papers
Logikcull Webinar: Preventing the Next Panama PapersLogikcull Webinar: Preventing the Next Panama Papers
Logikcull Webinar: Preventing the Next Panama PapersLogikcull.com
 
Solving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial ServicesSolving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial ServicesEchoworx
 
Cyber Claims: GDPR and business email compromise drive greater frequencies
Cyber Claims: GDPR and business email compromise drive greater frequenciesCyber Claims: GDPR and business email compromise drive greater frequencies
Cyber Claims: GDPR and business email compromise drive greater frequenciesΔρ. Γιώργος K. Κασάπης
 
The CPAs Guide to Buying Cyber Insurance
The CPAs Guide to Buying Cyber InsuranceThe CPAs Guide to Buying Cyber Insurance
The CPAs Guide to Buying Cyber InsuranceJoseph Brunsman
 
Cyber for Counties Guidebook
Cyber for Counties Guidebook Cyber for Counties Guidebook
Cyber for Counties Guidebook Kristin Judge
 
CMW Cyber Liability Presentation
CMW Cyber Liability PresentationCMW Cyber Liability Presentation
CMW Cyber Liability PresentationSean Graham
 
Target data breach presentation
Target data breach presentationTarget data breach presentation
Target data breach presentationSreejith Nair
 
FINRA's Record-Breaking Sanctions of 2015
FINRA's Record-Breaking Sanctions of 2015FINRA's Record-Breaking Sanctions of 2015
FINRA's Record-Breaking Sanctions of 2015Smarsh
 
Leading Practices in Information Security & Privacy
Leading Practices in Information Security & PrivacyLeading Practices in Information Security & Privacy
Leading Practices in Information Security & PrivacyDonny Shimamoto
 
HIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future ExpectationsHIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future ExpectationsPYA, P.C.
 
Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014Adriana Sanford
 
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015Robert Craig
 
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)Financial Poise
 
Responding to a Company-Wide PII Data Breach
Responding to a Company-Wide PII Data BreachResponding to a Company-Wide PII Data Breach
Responding to a Company-Wide PII Data BreachCBIZ, Inc.
 

La actualidad más candente (19)

KPMG Publish and Be Damned Cyber Vulnerability Index 2012
KPMG Publish and Be Damned Cyber Vulnerability Index 2012KPMG Publish and Be Damned Cyber Vulnerability Index 2012
KPMG Publish and Be Damned Cyber Vulnerability Index 2012
 
Sept 2012 data security & cyber liability
Sept 2012   data security & cyber liabilitySept 2012   data security & cyber liability
Sept 2012 data security & cyber liability
 
Logikcull Webinar: Preventing the Next Panama Papers
Logikcull Webinar: Preventing the Next Panama PapersLogikcull Webinar: Preventing the Next Panama Papers
Logikcull Webinar: Preventing the Next Panama Papers
 
Critical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the BoardroomCritical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the Boardroom
 
Solving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial ServicesSolving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial Services
 
Cyber Claims: GDPR and business email compromise drive greater frequencies
Cyber Claims: GDPR and business email compromise drive greater frequenciesCyber Claims: GDPR and business email compromise drive greater frequencies
Cyber Claims: GDPR and business email compromise drive greater frequencies
 
The CPAs Guide to Buying Cyber Insurance
The CPAs Guide to Buying Cyber InsuranceThe CPAs Guide to Buying Cyber Insurance
The CPAs Guide to Buying Cyber Insurance
 
Cyber for Counties Guidebook
Cyber for Counties Guidebook Cyber for Counties Guidebook
Cyber for Counties Guidebook
 
CMW Cyber Liability Presentation
CMW Cyber Liability PresentationCMW Cyber Liability Presentation
CMW Cyber Liability Presentation
 
Target data breach presentation
Target data breach presentationTarget data breach presentation
Target data breach presentation
 
FINRA's Record-Breaking Sanctions of 2015
FINRA's Record-Breaking Sanctions of 2015FINRA's Record-Breaking Sanctions of 2015
FINRA's Record-Breaking Sanctions of 2015
 
BEA Presentation
BEA PresentationBEA Presentation
BEA Presentation
 
Leading Practices in Information Security & Privacy
Leading Practices in Information Security & PrivacyLeading Practices in Information Security & Privacy
Leading Practices in Information Security & Privacy
 
Accounting
AccountingAccounting
Accounting
 
HIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future ExpectationsHIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future Expectations
 
Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014
 
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
 
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
 
Responding to a Company-Wide PII Data Breach
Responding to a Company-Wide PII Data BreachResponding to a Company-Wide PII Data Breach
Responding to a Company-Wide PII Data Breach
 

Destacado

Coarse crushing for sand making, 0 3 mm coarse grinding mill
Coarse crushing for sand making, 0 3 mm coarse grinding millCoarse crushing for sand making, 0 3 mm coarse grinding mill
Coarse crushing for sand making, 0 3 mm coarse grinding millAmmy Cheng
 
54089332 calculo-de-ventilador-y-completo
54089332 calculo-de-ventilador-y-completo54089332 calculo-de-ventilador-y-completo
54089332 calculo-de-ventilador-y-completoJhon Choque
 
Виды отпусков и их предоставление
Виды отпусков и их предоставлениеВиды отпусков и их предоставление
Виды отпусков и их предоставлениеСветлана Иванова
 
Anexo vigilia de oraci+ôn vigilia la fraternidad, isla y puente de misericor...
Anexo vigilia de oraci+ôn vigilia la fraternidad, isla y  puente de misericor...Anexo vigilia de oraci+ôn vigilia la fraternidad, isla y  puente de misericor...
Anexo vigilia de oraci+ôn vigilia la fraternidad, isla y puente de misericor...franfrater
 
Uma proposta de interatividade para o Memorial Anglo
Uma proposta de interatividade para o Memorial AngloUma proposta de interatividade para o Memorial Anglo
Uma proposta de interatividade para o Memorial AngloTatiana Tavares
 
Siba nbs darwin c sandy
Siba nbs   darwin c sandySiba nbs   darwin c sandy
Siba nbs darwin c sandySIBA
 
Leading through blogging
Leading through bloggingLeading through blogging
Leading through bloggingMichael Niehoff
 
High capacity ultrafine powder grinding mill with ceiso approved
High capacity ultrafine powder grinding mill with ceiso approvedHigh capacity ultrafine powder grinding mill with ceiso approved
High capacity ultrafine powder grinding mill with ceiso approvedAmmy Cheng
 
Aplikasi software
Aplikasi softwareAplikasi software
Aplikasi softwareIchsanvoc
 
IO AMO IL MONDO E LO CURO: R.R.R.R.- RIDUCO/RIUTILIZZO/RECUPERO/RICICLO
IO AMO IL MONDO E LO CURO: R.R.R.R.- RIDUCO/RIUTILIZZO/RECUPERO/RICICLOIO AMO IL MONDO E LO CURO: R.R.R.R.- RIDUCO/RIUTILIZZO/RECUPERO/RICICLO
IO AMO IL MONDO E LO CURO: R.R.R.R.- RIDUCO/RIUTILIZZO/RECUPERO/RICICLOConsorzio LaMMA - Corso UdC
 
Postal Assistant 2015 Dates Published
Postal Assistant 2015 Dates PublishedPostal Assistant 2015 Dates Published
Postal Assistant 2015 Dates PublishedTeamExamPundit
 
Fra ieri e oggi alla scoperta di ... lago e macchia lucchese
Fra ieri e oggi alla scoperta di ... lago e macchia luccheseFra ieri e oggi alla scoperta di ... lago e macchia lucchese
Fra ieri e oggi alla scoperta di ... lago e macchia luccheseConsorzio LaMMA - Corso UdC
 

Destacado (20)

Тарҳи ададҳои натуралӣ
Тарҳи ададҳои натуралӣТарҳи ададҳои натуралӣ
Тарҳи ададҳои натуралӣ
 
Dracula d
Dracula dDracula d
Dracula d
 
Coarse crushing for sand making, 0 3 mm coarse grinding mill
Coarse crushing for sand making, 0 3 mm coarse grinding millCoarse crushing for sand making, 0 3 mm coarse grinding mill
Coarse crushing for sand making, 0 3 mm coarse grinding mill
 
54089332 calculo-de-ventilador-y-completo
54089332 calculo-de-ventilador-y-completo54089332 calculo-de-ventilador-y-completo
54089332 calculo-de-ventilador-y-completo
 
Виды отпусков и их предоставление
Виды отпусков и их предоставлениеВиды отпусков и их предоставление
Виды отпусков и их предоставление
 
Anexo vigilia de oraci+ôn vigilia la fraternidad, isla y puente de misericor...
Anexo vigilia de oraci+ôn vigilia la fraternidad, isla y  puente de misericor...Anexo vigilia de oraci+ôn vigilia la fraternidad, isla y  puente de misericor...
Anexo vigilia de oraci+ôn vigilia la fraternidad, isla y puente de misericor...
 
Uma proposta de interatividade para o Memorial Anglo
Uma proposta de interatividade para o Memorial AngloUma proposta de interatividade para o Memorial Anglo
Uma proposta de interatividade para o Memorial Anglo
 
Ankit rupareliya
Ankit rupareliyaAnkit rupareliya
Ankit rupareliya
 
Carrara - Primaria Avenza "G.Menconi"
Carrara - Primaria Avenza "G.Menconi"Carrara - Primaria Avenza "G.Menconi"
Carrara - Primaria Avenza "G.Menconi"
 
Siba nbs darwin c sandy
Siba nbs   darwin c sandySiba nbs   darwin c sandy
Siba nbs darwin c sandy
 
1. ISISS della Piana di Lucca - Porcari
1. ISISS della Piana di Lucca - Porcari1. ISISS della Piana di Lucca - Porcari
1. ISISS della Piana di Lucca - Porcari
 
Kimia Unsur
Kimia UnsurKimia Unsur
Kimia Unsur
 
Leading through blogging
Leading through bloggingLeading through blogging
Leading through blogging
 
High capacity ultrafine powder grinding mill with ceiso approved
High capacity ultrafine powder grinding mill with ceiso approvedHigh capacity ultrafine powder grinding mill with ceiso approved
High capacity ultrafine powder grinding mill with ceiso approved
 
Aplikasi software
Aplikasi softwareAplikasi software
Aplikasi software
 
IO AMO IL MONDO E LO CURO: R.R.R.R.- RIDUCO/RIUTILIZZO/RECUPERO/RICICLO
IO AMO IL MONDO E LO CURO: R.R.R.R.- RIDUCO/RIUTILIZZO/RECUPERO/RICICLOIO AMO IL MONDO E LO CURO: R.R.R.R.- RIDUCO/RIUTILIZZO/RECUPERO/RICICLO
IO AMO IL MONDO E LO CURO: R.R.R.R.- RIDUCO/RIUTILIZZO/RECUPERO/RICICLO
 
Postal Assistant 2015 Dates Published
Postal Assistant 2015 Dates PublishedPostal Assistant 2015 Dates Published
Postal Assistant 2015 Dates Published
 
Presentation
PresentationPresentation
Presentation
 
Fra ieri e oggi alla scoperta di ... lago e macchia lucchese
Fra ieri e oggi alla scoperta di ... lago e macchia luccheseFra ieri e oggi alla scoperta di ... lago e macchia lucchese
Fra ieri e oggi alla scoperta di ... lago e macchia lucchese
 
"Io e l'effetto serra"
"Io e l'effetto serra" "Io e l'effetto serra"
"Io e l'effetto serra"
 

Similar a ACEDS-ACFCS Cybersecurity Webcast

Powerpoint mack jackson
Powerpoint   mack jacksonPowerpoint   mack jackson
Powerpoint mack jacksonaiimnevada
 
Baker Tilly Presents: Emerging Trends in Cybersecurity
Baker Tilly Presents: Emerging Trends in CybersecurityBaker Tilly Presents: Emerging Trends in Cybersecurity
Baker Tilly Presents: Emerging Trends in CybersecurityBakerTillyConsulting
 
NextLevel Cyber Security Executive Briefing
NextLevel Cyber Security Executive BriefingNextLevel Cyber Security Executive Briefing
NextLevel Cyber Security Executive BriefingJoe Nathans
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselCasey Ellis
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counselbugcrowd
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...Casey Ellis
 
IT Controls Presentation
IT Controls PresentationIT Controls Presentation
IT Controls PresentationBill Lisse
 
Cyber Defense For SMB's
Cyber Defense For SMB'sCyber Defense For SMB's
Cyber Defense For SMB'sGuise Bule
 
The Unseen Enemy - Protecting the Brand, the Assets and the Customers
The Unseen Enemy - Protecting the Brand, the Assets and the Customers The Unseen Enemy - Protecting the Brand, the Assets and the Customers
The Unseen Enemy - Protecting the Brand, the Assets and the Customers BDO_Consulting
 
Unearthing and Dissecting Internet Fraud
Unearthing and Dissecting Internet FraudUnearthing and Dissecting Internet Fraud
Unearthing and Dissecting Internet FraudInternet Law Center
 
Colombo White Hat Security 3rd Meetup - Recent Trends & Attacks in Cyberspace
Colombo White Hat Security 3rd Meetup - Recent Trends & Attacks in CyberspaceColombo White Hat Security 3rd Meetup - Recent Trends & Attacks in Cyberspace
Colombo White Hat Security 3rd Meetup - Recent Trends & Attacks in CyberspaceDulanja Liyanage
 
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnovProtecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnovEric Vanderburg
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentDonald E. Hester
 
Corporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber SecurityCorporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber SecurityJoan Weber
 
Driving Payment Innovation - Know Your Enemy
Driving Payment Innovation - Know Your EnemyDriving Payment Innovation - Know Your Enemy
Driving Payment Innovation - Know Your EnemyFirst Atlantic Commerce
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threatillustro
 
Matt_Cyber Security Core Deck September 2016.pptx
Matt_Cyber Security Core Deck September 2016.pptxMatt_Cyber Security Core Deck September 2016.pptx
Matt_Cyber Security Core Deck September 2016.pptxNakhoudah
 

Similar a ACEDS-ACFCS Cybersecurity Webcast (20)

Powerpoint mack jackson
Powerpoint   mack jacksonPowerpoint   mack jackson
Powerpoint mack jackson
 
Document-3.docx
Document-3.docxDocument-3.docx
Document-3.docx
 
Baker Tilly Presents: Emerging Trends in Cybersecurity
Baker Tilly Presents: Emerging Trends in CybersecurityBaker Tilly Presents: Emerging Trends in Cybersecurity
Baker Tilly Presents: Emerging Trends in Cybersecurity
 
NextLevel Cyber Security Executive Briefing
NextLevel Cyber Security Executive BriefingNextLevel Cyber Security Executive Briefing
NextLevel Cyber Security Executive Briefing
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
 
Cyber Threat Overview for Euro IT counsel
Cyber Threat Overview for Euro IT counselCyber Threat Overview for Euro IT counsel
Cyber Threat Overview for Euro IT counsel
 
IT Controls Presentation
IT Controls PresentationIT Controls Presentation
IT Controls Presentation
 
Cyber Defense For SMB's
Cyber Defense For SMB'sCyber Defense For SMB's
Cyber Defense For SMB's
 
The Unseen Enemy - Protecting the Brand, the Assets and the Customers
The Unseen Enemy - Protecting the Brand, the Assets and the Customers The Unseen Enemy - Protecting the Brand, the Assets and the Customers
The Unseen Enemy - Protecting the Brand, the Assets and the Customers
 
Unearthing and Dissecting Internet Fraud
Unearthing and Dissecting Internet FraudUnearthing and Dissecting Internet Fraud
Unearthing and Dissecting Internet Fraud
 
Colombo White Hat Security 3rd Meetup - Recent Trends & Attacks in Cyberspace
Colombo White Hat Security 3rd Meetup - Recent Trends & Attacks in CyberspaceColombo White Hat Security 3rd Meetup - Recent Trends & Attacks in Cyberspace
Colombo White Hat Security 3rd Meetup - Recent Trends & Attacks in Cyberspace
 
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnovProtecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local Government
 
Corporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber SecurityCorporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber Security
 
Driving Payment Innovation - Know Your Enemy
Driving Payment Innovation - Know Your EnemyDriving Payment Innovation - Know Your Enemy
Driving Payment Innovation - Know Your Enemy
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threat
 
CRI Retail Cyber Threats
CRI Retail Cyber ThreatsCRI Retail Cyber Threats
CRI Retail Cyber Threats
 
Matt_Cyber Security Core Deck September 2016.pptx
Matt_Cyber Security Core Deck September 2016.pptxMatt_Cyber Security Core Deck September 2016.pptx
Matt_Cyber Security Core Deck September 2016.pptx
 

ACEDS-ACFCS Cybersecurity Webcast

  • 1. Life’s A Breach: Surviving Your Next Cyber-Attack
      Garry A. Pate, Director, Stout Risius Ross, Inc.
      Robert C. Ludolph, Of Counsel, Pepper Hamilton LLP
  • 4. Robert C. Ludolph, Of Counsel, Pepper Hamilton LLP, +1.248.359.7368, ludolphr@pepperlaw.com
      Garry A. Pate, Director, Stout Risius Ross, +1.248.432.1304, gpate@srr.com
  • 5. Attack From Within
      • High level executive placed on leave to investigate a series of improprieties.
      • Executive keeps company laptop and iPhone on which he stored sensitive customer information, proprietary trade secrets and personal data on employees.
      • Computer returned with 40,000 documents deleted but e-mails to competitor are found.
      • General Counsel engages outside counsel who retains forensic investigator.
  • 6. What is Your Cyber-Security Strategy?
      • Who Is In Charge?
      • Who Do You Notify?
      • Do You Take Any Legal Action?
      • What Is This Going to Cost?
      And many more questions.
  • 8. Target Breach: Tip of the Iceberg
  • 9. Who Are Your Cyber Threats?
      • Nuisance hacker
      • Social engineering
      • Disgruntled workers
      • Employee/third party theft
          – Customer lists
          – IP theft cases
      • Criminal enterprises
          – Advanced persistent threats
          – State-sponsored enterprises – cyber warfare
  • 10. Is Your Law Firm the Worst Line of Defense?
      Banks demand that law firms harden cyber attack defenses (Wall Street Journal, October 26, 2014)
      Law Firms Are Pressed on Security for Data (New York Times, March 26, 2014)
  • 11. That’s Where the Money Is.
      “Law firms are a rich target,” said FBI's assistant special agent in charge of the Pittsburgh field office. “They don't have the capabilities and the resources to protect themselves. Within their systems are a lot of the sensitive information from the corporations that they represent. And, therefore, it's a vulnerability that the bad guys are trying to exploit, and are exploiting.”
      Unprepared law firms vulnerable to hackers (Pittsburgh Tribune Review, September 13, 2014)
  • 12. Can Your Law Firm Keep A Secret?
      FBI began warning New York law firms in 2009: “We have hundreds of law firms that we see increasingly being targeted by hackers.”
      Cybersecurity company Mandiant claims that in 2011, around 80 major U.S. law firms were hacked.
      Ransomware hackers pose threat to B.C. law firms (CBC News, January 12, 2015)
  • 13. Will You Know When the Attack Begins?
  • 14. Target Breach
      • Target system compromised for 19 consecutive days.
      • Information of 110 Million people compromised.
      • 11 GB of data stolen.
  • 15. Target Breach: Consequences
      – $100M effort to move to chip-based payment cards
      – $5M campaign to raise awareness on cybersecurity issues
      – Fourth-quarter profit slumped 46% while revenue slid 5.3%
      – Reputational damage
      – $61 million in hacking-related expenses
      – VP Technology / CIO / CEO resign
  • 16. Target Breach: Actions
      – Notification to customers by email and online posts
      – 1 year of free credit monitoring for all customers
      – 1 year of free identity theft protection for all affected customers
      – 10% discount offered to all shoppers on December 21 and 22
      – Increase fraud detection on REDcards
      – Launched retail industry cybersecurity and data privacy initiative
  • 17. Duty to Warn: Data Breach Law and Regulatory Requirements
      • State Privacy Laws
          – Data breach notification legislation.
          – Identity theft legislation including protection of Social Security Numbers.
          – State legislation on protection of personal information broader than federal (CA, MA, NV).
  • 18. Alphabet Soup of the Duty to Warn: Data Breach Law and Regulatory Requirements
      Federal requirements on content and timeframe of data breach notification:
      • Office of the Comptroller of Currency (OCC)
      • Federal Deposit Insurance Corporation (FDIC)
      • Department of Health and Human Services (HHS)
      • Federal Trade Commission (FTC)
      • US Securities and Exchange Commission (SEC)
      New regulations are coming
  • 19. At What Cost? $233
  • 20. You Do the Math
      Target – 40 Million credit cards
      Home Depot – 56 Million accounts
      eBay – 145 Million customers
      Anthem – 80 Million social security numbers
  • 21. “There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.” Donald Rumsfeld
  • 22. Challenges
      • Fraud and cyber crime now powers a multi-billion dollar economy
      • Defacements and Denial of Service attacks
      • Targeted Threats and Advanced Persistent Threats
      • Inconsistent information practices across the enterprise lead to pockets of vulnerability.
      • Lack of employee education and awareness leads to vulnerability
      • Unauthorized collection and use of customer information
      • Loss of control over personal information and marketing lists
  • 23. Key Information Security Challenges: Who Are The Attackers?
  • 24. Key Information Security Challenges
      Perimeter Defense is Insufficient
      New Technology = New Exploits
      Rootkits
      Morphing Malware
      Zero-Days
      Insider Threats
  • 25. Advanced Persistent Threat
      • Second-largest health insurer in the United States
      • Accessed PII of 80 million customers
      • Hackers stole names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses of Anthem customer data
      • Hackers may have been inside the Anthem network more than a month before being detected
  • 26. Advanced Persistent Threat
      • World famous Hollywood studio
      • Hackers stole over 100TB of data
      • Leaked online some of Sony’s unreleased films, highly sensitive and confidential information - like passwords and executives' salaries, and even threatened employees and their families
      • Went unnoticed for weeks until computers were paralyzed
      • Not the first time Sony has struggled with cybersecurity
  • 28. Human Error
      2012 Super Bowl Champion New York Giants
      Bank of Montreal
  • 29. Supervisory Control and Data Acquisition (SCADA)
      Large scale industrial and manufacturing plants.
      Maroochy Shire
  • 30. Law Firm Data Breach
      • China-based hackers were looking to derail the $40 billion acquisition of the world’s largest potash producer
      • Hackers exploited the networks of seven different law firms as well as Canada’s Finance Ministry and the Treasury Board
      • Chinese effort to invalidate the takeover as part of the global competition for natural resources
      • Stolen data can be worth tens of millions of dollars and give the party who possesses it an unfair advantage in deal negotiations
  • 31. Law Firm Data Breach
      • Los Angeles, CA law firm
      • Series of Trojan emails (spear-phishing) appeared to be from members of the firm but in reality were designed to steal data from the firm’s network
      • Each email contained a link or attachment that would download malware
      • In 2011, the firm was representing a leading provider of blocking and filtering software programs in a $2.2 billion lawsuit against Chinese computer firms, software makers, and the Chinese government
      • Forensic analysis revealed that the Trojan emails were linked to Chinese servers.
      • The malware was not released. No compromise to its system.
  • 32. Emerging Strategies
      • Shifting the focus away from building robust defensive systems
      • Neutralizing cybersecurity threats once attackers are inside the networks
      • The median length of time that attackers lurk inside a victim’s network is 229 days
      • Protecting high value information = high price tag
  • 33. NIST Cybersecurity Framework Core
      • Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
      • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
      • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
      • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
      • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
  • 34. Critical Cyber Risk Management
      • Take every report seriously
          – Suspicious email/internet activity
          – Malware/phishing programs
      • Be aware of employee activity
          – Off-boarding process
      • Know your partners and third party contacts
  • 35. Key Considerations for Policies and Procedures
      – Privacy Policy
          • Clear and conspicuous
          • Say what you do and do what you say
      – BYOD Policy
      – Information Security Policy
      – Business Continuity Plan
      – Security Audits – check and double check!
  • 36. Steps to Improving Cybersecurity Program
      • Step 1: Prioritize and Scope
          – Identify business/mission objectives and systems and assets that support the business line.
      • Step 2: Orient
          – Identify threats to and vulnerabilities of systems and assets, regulatory requirements, and overall risk approach.
      • Step 3: Create a Current Profile
          – Identify which outcomes are being achieved.
  • 37. Steps to Improving Cybersecurity Program
      • Step 4: Conduct a Risk Assessment
          – Analyze the likelihood of a cybersecurity event and the impact that the event could have on the organization.
      • Step 5: Create a Target Profile
      • Step 6: Determine, Analyze, and Prioritize Gaps
          – Create a prioritized action plan to address those gaps between the Current Profile and the Target Profile.
      • Step 7: Implement Action Plan
          – Monitor its current cybersecurity practices against the Target Profile.
  • 38. Practical Steps: Post Incident Activity – 3 R’s
      Review
          – Incident response team model
          – Policies/procedure
      Revise
          – Tools and resources
          – Training of employees
      Reevaluate
          – Integrity of third parties' systems
          – Documentation and reports
  • 39. Managing Cyber Breaches Report and Post-Mortem
      • “Elite Eight” Recommendations
          – Eliminate unnecessary data; keep tabs on what’s left.
          – Perform regular checks to ensure that essential controls are met.
          – Collect, analyze and share incident data to create a rich information source that can drive security program effectiveness.
          – Collect, analyze and share tactical threat intelligence, especially indicators of compromise (IOCs), that can greatly assist defense and detection.
          – Without de-emphasizing prevention, focus on better and faster detection through a blend of people, processes, and technology.
          – Regularly measure things like “number of compromised systems” and “mean time to detection”, and use these numbers to drive better practices.
          – Evaluate the threat landscape to prioritize a treatment strategy. Don’t buy into a “one-size-fits-all” approach to security.
          – Don’t underestimate the tenacity of your adversaries, especially espionage-driven attackers, or the power of the intelligence and tools at your disposal.
  • 40. AT&T Connected Car Vision 2014
  • 41. Contact Information
      Robert C. Ludolph, Of Counsel, Pepper Hamilton LLP, +1.248.359.7368, ludolphr@pepperlaw.com
      Garry A. Pate, Director, Stout Risius Ross, Inc., +1.248.432.1304, gpate@srr.com

Notas del editor

  1. Hello and welcome to this Barbri Professional Associations Webcast, Life’s a Breach: Surviving Your Next Cyber-Attack. I am Robert Hilson of the Association of Certified E-Discovery Specialists, and I’d like to welcome both members of ACEDS and those of our sister association, ACFCS, who are joining us today. We are really excited to have both audiences here to discuss an issue that poses enormous challenges to both e-discovery and financial crime professionals. I am joined today by two excellent presenters who I will introduce in a moment. But first, if you will humor me for brief announcements.
  2. First, and this is something I am really looking forward to. ACEDS will be holding its annual conference September 29 to 30 at the Gaylord National Resort in Washington, DC. A live certification prep course will precede the conference, as always, on the 28th. And we expect another first-class show. We’ve already announced a number of prominent speakers, including the federal judges you see on your screen. Judge Thomas Vanaskie, who sits on the Third Circuit Court of Appeals, and Ret. US magistrate Judge Nan Nolan, who has been involved in some of the most prominent e-discovery cases, will also present. ACEDS members get the best rates on the conference, and if you are thinking about joining, I encourage you to register before the super early bird pricing expires.
  3. Alright, let’s get started. I am very pleased to introduce our experts for the day. Robert Ludolph is an employment litigator who leads the Labor and Employment Practice Group of the Detroit office of Pepper Hamilton. He is also a member of the firm’s Privacy, Security and Data Protection Practice Group as well as the Non-Compete and Trade Secrets Practice Team. At Pepper, he concentrates his practice on defending corporate clients in discrimination, employment contract and employee retirement income litigation, representing management in labor relations matters, and advising organizations on health and privacy law issues. He also advises clients on non-competition and non-solicitation agreements and has supervised investigations of misappropriated proprietary information and workplace misconduct. Bob, it’s a pleasure to have you here. Thanks for joining us. Bob is joined by Garry Pate, a director in the e-discovery practice within the Dispute Advisory & Forensics Services Group at Stout Risius Ross. He has a background in Computer Forensics, E-Discovery, internal investigations, database management, document automation, scanning coding and extensive experience working with business owners, attorneys and federal, state, and local government/law enforcement across the United States. A 16 year veteran of the legal field, he has extensive experience managing e-discovery projects from collection through production in complex litigation involving issues such as IP theft, business technology, copyrights, patents, trademarks and numerous other disputes. Garry also gave an excellent interview to ACEDS on data breach mitigation last week that you can listen to now at ACEDS.org. Garry, thanks a lot for being here. Before we begin, I want to encourage everyone on the call to ask questions. You can chat them to us in the questions box that you see on the right of your screen and we will get to them at the end of the presentation if time allows.
  4. Sources: Ponemon Institute True Cost of Compliance Study (2013), Cost of a Data Breach Report (2013) http://www.mentisoftware.com/rescs_data_breach_statistics.html
     Types of Breaches:
     – Lost Devices – lost, discarded or stolen laptop, PDA, smartphone, etc. (one of the top causes of data breaches)
     – Physical Loss – lost, discarded or stolen paper records
     – Exposure – information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail
     – Insider – someone with legitimate access either intentionally or negligently breaches information (e.g., employee or contractor)
     – Hacking/Malware – electronic entry by an outside party, malware and spyware
     – Unauthorized Access – lost, discarded or stolen password or physical access card, or weak password requirements
  5. Three law firms hacked by extortionists using malware to lock files and demand ransom fee. The Law Society of British Columbia had some files stolen by a hacker. He then encrypted those files, and demanded payment in exchange for giving access back. He used the powerful Cryptowall Virus and gave the firm 12 hours to pay the fee to have the encryption removed. If the firm was unable to pay the fee within that time, he would double it. If payment was not received within 30 days, he would permanently break the files. Fortunately, this firm had backups available, so they got up and running quickly. However, many law firms are not adequately protected against hacking, so this firm may be the exception rather than the rule. And for the record, hackers like this demand payment in the virtual currency called “Bitcoin.” If they receive payments this way, they’re untraceable.
  6. Your network will be breached. This is a stark reality of the world in which we operate and do business. Each week brings new threats and reports of compromised networks and lost data. Like it or not, it is a simple fact that no organization is immune. Consider this -- the 2013 Data Breach Investigations Report, conducted by Verizon, found the following commonalities across 47,000 security incidents and 621 data breaches reported in 2013. Your team’s ability to quickly identify the breach, stop the exfiltration of data and classified material, and remediate real threats can have an enormous impact on your organization’s risk, cost, and exposure. But when dealing with today’s threats, staying on top of network security becomes increasingly challenging, and putting in place best practices for managing cyber breaches can be the difference between containing an attack and letting it wreak havoc in your systems.
  7. System compromised from November 27 until December 15. Information taken includes: full credit card number, expiration date, security code, name, mailing address, phone number and email address.
  8. Uniqueness of retail industry breaches:
     – target the consumer’s information more than the company’s
     – many people susceptible
     – loss of trust of the consumer in the company
     – all but 17M of the costs will be borne by insurance
     Consequences are typical of such breaches, as noted by the SEC guidance (described below). Remediation costs can be substantial, with negative consequences including, but not limited to:
     – liability for stolen assets or information
     – repairing system damage that may have been caused
     – increased cybersecurity protection costs
     – lost revenues resulting from unauthorized use of proprietary information
     – lost revenues from failure to retain or attract customers following an attack
     – litigation
     – reputational damage
  9. REDcard is the Target credit or debit card. Retail industry cybersecurity and data privacy initiative – initiative by RILA (Retail Industry Leaders Association):
     – Enhance existing cybersecurity and privacy efforts
     – System Wide Collaboration - seek to forge a partnership with the other members of the payments ecosystem to collaborate on long-term, comprehensive solutions to the threats
     – Formation of a Retail Cybersecurity Leaders Council - senior retail executives responsible for cybersecurity, will aim to improve industry-wide cybersecurity by sharing threat information and discussing effective security solutions in a trusted forum
     – Federal Data Breach Notification Legislation - engage with lawmakers to develop federal data security breach notification legislation that sets a national baseline
     – Federal Cybersecurity Legislation - engage with policymakers to help develop federal cybersecurity legislation, including support for appropriate information-sharing mechanisms between the private and public sectors
     – Eliminate the Mag-Stripe - urge that it be phased out in favor of the better technology widely used throughout the world
  10. HHS – notification for breach of unsecured PHI should be prompt and no later than 60 days. There is an exception if law enforcement determines that providing the notice would impede a criminal investigation or cause damage to national security. In the event of a law enforcement exception, the delay is for a length of time requested in writing or for 30 days from an oral request. The notice should be in plain language. Avoid including sensitive information in the notice itself. It should include:
     – a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
     – a description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code)
     – the steps an individual should take to protect him/herself from potential harm resulting from the breach
     – a brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches
     – contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address
  11. Ponemon Institute http://www.bankinfosecurity.com/interviews/data-breach-i-1953/op-1 Average Costs - $5.85 Million
  12. Israel was involved in the development of Stuxnet – a virus targeting industrial plant facilities. It was a 500-kilobyte computer worm that infected the software of at least 14 industrial sites in Iran, including a uranium-enrichment plant. Although a computer virus relies on an unwitting victim to install it, a worm spreads on its own, often over a computer network. This worm was an unprecedentedly masterful and malicious piece of code that attacked in three phases. First, it targeted Microsoft Windows machines and networks, repeatedly replicating itself. Then it sought out Siemens Step7 software, which is also Windows-based and used to program industrial control systems that operate equipment, such as centrifuges. Finally, it compromised the programmable logic controllers. The worm’s authors could thus spy on the industrial systems and even cause the fast-spinning centrifuges to tear themselves apart, unbeknownst to the human operators at the plant. (Iran has not confirmed reports that Stuxnet destroyed some of its centrifuges.)
  13. Three key groups of actors commit cyber attacks. Each has different motivations and tactics, but the net effect of their actions is disruption, financial loss and damage to reputations. By understanding their characteristics you can be better prepared and reduce your risk.
  14. With new technologies come new exploits. Advanced threats like rootkits, morphing malware, zero-days, and insider threats are rarely caught by perimeter security solutions that rely on signature-based algorithms to detect known threats. But when the threat is constantly changing, brand new, or simply unknown to your perimeter security frontline, it goes undetected, much like when the infiltration is caused by an insider whose credentials give them access to your network or sensitive data. Today’s cyber attackers will not be stopped at the perimeter. Many of them are already past your firewall, whether you have found them yet or not.
  15. According to FireEye, 229 days is the median length of time attackers lurk inside their victim's computers before being detected or revealing themselves. Hackers have stolen information on tens of millions of Anthem Inc. customers, in a massive data breach that ranks among the largest in corporate history. If you don't know where the important information is, all you have to do is attach yourself to the right people in the organization and the information will come to you.
  16. In 2011, the company's PlayStation Network was compromised by hackers who stole the personal information of millions of gamers and knocked the network offline for weeks. Records have also been stolen from Neiman Marcus, JPMorgan Chase, Experian, eBay and Home Depot.
  17. Recon (social engineering) on public sites.
  18. Shredded paper containing personal information and records, including Social Security numbers and medical records. Thumb drive. BMO Harris – 14-year-old kids do internet research to find the admin password for ATMs using an operators’ manual online. Told teachers. A Winnipeg BMO branch got an unlikely security tip from two 14-year-olds when the pair managed to get into an ATM’s operating system during their lunch break last Wednesday. The Grade 9 students, Matthew Hewlett and Caleb Turon, used an ATM operators’ manual they found online to get into the administrator mode of an ATM at a Safeway grocery store. They saw how much money was in the machine, how many transactions there had been and other information usually off-limits for the average bank customer. The BMO branch manager called security to follow up on what the teenagers had found, and even wrote them a note to take back to school as explanation for why they were late getting back to class.
  19. He used his insider knowledge to access that system remotely and release hundreds of thousands of gallons of sewage. The relative ease with which a terrorist IT attack could be used to cripple infrastructure was shown three years after Maroochydore in the US when the Slammer worm infiltrated an Ohio nuclear power plant and other power facilities. Research later showed the worm had infected the system through such innocuous points of entry as a contractor's IT line, which affected a power plant computer, a virtual private network affecting a power company's SCADA system, a laptop that attacked a petroleum plant control system and a modem that shut down a paper plant.
  20. Could be your name on the building. Could lead to unrecoverable loss of reputation. Not all cyberattacks originate in China — in fact, it often is difficult to determine points of origin because attacks are routed through a number of intermediate computers. The Mandiant report noted that the scale and logistics of recent attacks suggest that they may be state-sponsored, although the company has no way of proving that.
  21. Could be your name on the building. Could lead to unrecoverable loss of reputation. Because technology-savvy attorneys recognized the emails as potentially compromising, the malware was not released. The law firm believes that there was no compromise to its system. Not only can hackers gain access to a firm’s networks through phishing, they can also hack into a firm’s cloud storage programs, making this popular document-storage program particularly vulnerable to attacks.
  22. Now, as hackers routinely overwhelm such defenses, experts say cybersecurity is beyond due for an overhaul. Neutralize attackers once they're inside networks rather than fixating on trying to keep them out. Experts aren't recommending organizations stop deploying perimeter defenses such as antivirus software or firewalls that weed out vanilla threats. But they say a strategy that could be likened to laying traps is needed to counter the sophisticated hacks that can cause huge losses. Part of the reason is greater concern with meeting regulatory requirements for security than improving security itself. The weakness of relying on a firewall is that it's like building a fence around a housing complex but not hiring a guard to patrol the interior streets. Cybersecurity professionals have begun to shift their focus away from building robust defensive systems. While perimeter defenses continue to be a key component of network security, neutralizing cybersecurity threats once attackers are inside the networks may be a more effective strategy. According to FireEye, the median length of time that attackers lurk inside a victim’s network is 229 days. As we mentioned earlier, the Target breach took place because a third party vendor had access to Target’s corporate environment. Sound practice dictates that firms require vendors to provide risk assessments and that the identified risk be included in contracts. Examples include training materials and policies and procedures.
  23. Privacy Policy:
     – Clear and conspicuous
     – True consent
     – not too long – 76 days to read all privacy policies; most are very long
     – not too hard – average reading level is 4th grade; average level of policy is 12th grade; recommended is 8th grade
     – clickthrough and not browsewrap
     – notify of amendments
     – get consent for material amendments
     – Say what you do and do what you say
     – accuracy is often more important than the content – 3 recent FTC settlement agreements
     – CreditKarma & Fandango – stated that the transferred information would be protected by SSL certificate which had been disabled and this wasn’t checked. Didn’t help that this was done by a third party since this wasn’t audited/checked with the third party
  24. The organization can use the Framework to:
     – create a cybersecurity program
     – use its current process and overlay it onto the Framework to determine gaps in its current cybersecurity risk approach
     – develop a roadmap to improvement
     Through the creation of a Current Profile, organizations can examine the extent to which they are achieving the outcomes described in the Core Categories and Subcategories, aligned with the five high-level Functions: Identify, Protect, Detect, Respond, and Recover. An organization may find that it is already achieving the desired outcomes, thus managing cybersecurity commensurate with the known risk. Conversely, an organization may determine that it has opportunities to (or needs to) improve. The organization can use that information to develop an action plan to strengthen existing cybersecurity practices and reduce cybersecurity risk.
  25. Check whether:
     – incident policies, procedures and plans were properly followed
     – the incident response tools and internal and external resources were adequate
     – the incident response team model and structure functioned well when responding to the incident
     – the incident handler training and education were adequate
     – the incident documentation and reports were sufficient
     – the identified measures of success were met
  26. At this point, your incident response team should consult relevant data breach-notification regulations and policies for each of the industries in which your organization does business. Your legal, IT, public relations, and executive teams should have a breach-notification plan in place and be ready to take the appropriate steps when you present your incident report to them. Your report will be vital to all concerned with business reputation, viability, and operations. It is highly advisable to be as clear and non-technical as possible in your reporting. If your report cannot be understood by key stakeholders, the value you are contributing will not be recognized. Be sure to include a sunset or post-mortem report, which is a list of lessons learned from the incident, including: • What the organization intended or planned to do • What went right • What went wrong • What can be improved upon. Consider modifying existing incident response plans and/or company policies to reflect any lessons learned from each cyber breach.
  27. Information security breaches are inevitable, and the sooner your organization adopts a posture based on this assumption, the more prepared it will be to contain and remediate the damage they may cause. The speed at which you identify the breach, halt progress of infectious malware, stop access and exfiltration of sensitive data, and remediate the threat will make a significant difference in controlling risk, costs, and exposure during an incident. Knowing these six essential steps to incident response can greatly increase your success in managing a cyber breach.