Are you prepared for a Data Breach

© 2015 McGladrey LLP. All Rights Reserved.

October 2015

Introduction
Incident statistics
IT security controls
- Preventative
- Detective
- Corrective
Incident response tasks & investigative hurdles
Mitigating costs and risks
Administrative and technical controls
Cyber liability insurance

Andy Obuchowski - Director

Summary of Experience

Frederick Howell provides services and solutions for clients in preparation for, and in response to, matters involving data breach investigations, cyber security and incident response, digital forensic analyses, electronically stored information (ESI) collection and intellectual property theft. With this wide range of experience, he delivers industry-leading technical and consultative expertise to law firms, corporations and government agencies. Fred is a member of several organizations including HTCIA, ISSA and InfraGard. He has lectured across the country on matters relating to cyber security, digital forensics and cyber crime.

Representative Experience

• Prior to joining McGladrey, Mr. Howell worked on the Bose Corporation's Information Security team, working on security projects and initiatives and risk assessments, and developing business relationships, project plans and policies/procedures surrounding data privacy and digital forensics.
• Prior to Bose, he consulted for Fortune 500 companies on matters relating to information security, regulatory compliance and digital forensics. He developed client service offerings related to HIPAA and digital forensics data collection and analysis.
• He worked for the New Hampshire and Massachusetts Attorney General's Offices for 17 years, where he conducted white collar crime and computer forensic investigations.
• He is an adjunct professor in the graduate Information Assurance program at Northeastern University in Boston, Massachusetts, where he teaches system forensics.

Phone: 617.241.1219
Email: fred.howell@mcgladrey.com
Certifications: CISSP, ACE

The pace of data breaches is increasing

JP Morgan Chase – 70 plus million
Home Depot
Target
Neiman Marcus

Data breach statistics

Source: 2014 Verizon Data Breach Report

Security statistics

Four most prevalent attack vectors

1. Hacking
• "Traditional" hacking is used post-breach, not as the original entry point
• Current methods focus on web apps and browser plugins

2. Malware
• Finding and purchasing non-detectable malware in the underground market is trivial
• Modern anti-virus is an 80-20 proposition at best

3. Social Engineering
• Why bother to do all the heavy lifting involved with "hacking" when you can just ask someone to do something for you?
• While there is a technical component, the attack is against human nature

Cost of Data Breach

Operational Cost
Public Relations Cost
Legal Costs
- Fines
- Penalties
- Civil litigation Costs
Government entities – Federal and State
Financial institutions – banks and card issuers

Ponemon and IBM

Ponemon Institute and IBM published a Cost of Data Breach study in 2014

Security statistics

And now for some boring numbers

Breaches detected in first 24 hours: 1%-2%
Breaches with data loss in first 24 hours: 60%-68%
Breaches detected by an external 3rd party: 71%-92%
Breaches undetected for two years or more: >14%
Average days to discovery: 87-210

Purpose of Preventive Controls

If we had a data breach, would we know?
Once we knew – what are we going to do?
- Do we have a plan?
- Is our plan comprehensive enough to deal with the potential public outcry and media storm?

Objective of this session

Raise your awareness
Provide you with a roadmap for putting together a plan that answers these questions
- Identify key stakeholders
- Stages of a data breach
- Key goals during each stage
- Approaches to an effective response plan

What is a computer security incident?

Any unlawful, unauthorized, or unacceptable action that involves a computer system or computer network

Security Incidents Include
- Malware attacks including spyware, phishing and spear phishing, APT (Advanced Persistent Threats)
- Theft by insiders
- Unauthorized intrusions

What are the goals of Incident Response?

To mount a coordinated and cohesive response
- Prevents a disjointed response
- Confirms or dispels whether an incident occurred
- Establishes proper retrieval and handling of evidence
- Protects privacy rights established by law and policy
- Minimizes disruption of business and network

What are the goals of Incident Response?

Accurate reports and useful recommendations
Rapid detection and containment
Minimizes exposure and compromise of data
Protect your organization's reputation and assets
Educates senior management
Promotes rapid detection
- Lessons learned
- Policy changes

The cost goes beyond the breach

Mandatory audits
Litigation can linger on for years
Increased Information Security costs
Damage to
- Brand
- Sales

Preparing for a Data Breach

Take the initiative
- Executive sponsorship
- Commitment
Resources
- Time
- Appropriate Personnel
- Funding

Where do you begin

There are lots of resources available
- NIST – National Institute of Standards and Technology
- DHS – Department of Homeland Security
- White House – Cyber Security website
- CERT – Computer Emergency Response Team

Excellent free resources

Best Practices for Seizing Evidence: A Pocket Reference Guide for First Responders
- www.secretservice.gov/forensics.shtml
Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
- www.usdoj.gov/criminal/cybercrime/s&smanual 2002.htm
Field Guidance on New Authorities that relate to Computer Crime and Electronic Evidence enacted in the USA Patriot Act of 2001
- www.usdoj.gov/criminal/cybercrime/PatriotAct.htm
SANS (SysAdmin, Audit, Networking, and Security)
- http://www.sans.org/
Computer Emergency Response Team
- http://www.cert.org/incident-management/

Form a Cross Functional Team

Senior Management
Legal
Corporate Security
Information Technology
Business
Human Resources
Public Relations

Phases of Data Breach

Detection
Investigation
Response
Remediation
Lessons Learned

Detection

Finding out you have lost data
- Data can be lost in a variety of ways
- Lost or stolen laptops or mobile phones
- Lost or stolen backup media

Detection – Information Security

IDS – Intrusion Detection Systems
SIEM – Security Information and Event Management
- QRadar
FIM – File Integrity Monitoring Systems
- Tripwire
FW – Firewall activity
AV – Anti-Virus Alerts
Service Desk Calls
- Users
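The FIM entry above names Tripwire but the deck does not show what such a control actually does. As an added example that is not part of the original presentation, the following Python script implements the core of a file integrity monitor: it records a SHA-256 baseline for every file under a directory, re-hashes the tree later, and reports which files were added, removed or modified. The web-root layout, file names and tampering in the demo are constructed for illustration and are not taken from any real incident.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream a file through SHA-256 so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Record a digest for every regular file under `root`, keyed by POSIX-style relative path.

    Symlinks are skipped so a link pointing outside the tree cannot pull foreign
    content into the baseline.
    """
    root_path = Path(root)
    baseline: Dict[str, str] = {}
    for entry in sorted(root_path.rglob("*")):
        if entry.is_file() and not entry.is_symlink():
            baseline[entry.relative_to(root_path).as_posix()] = sha256_file(entry)
    return baseline


def compare_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Return added, removed and modified paths; all three empty means no drift."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario (not from any real incident): baseline a small web root,
    simulate tampering, then re-check it against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "conf").mkdir()
        (root / "conf" / "app.ini").write_text("debug = false\n")
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        baseline = build_baseline(tmp)

        # Tampering: a config change, an unexpected new file, and a deleted page.
        (root / "conf" / "app.ini").write_text("debug = true\n")
        (root / "unexpected.php").write_text("<?php /* file not in baseline */ ?>\n")
        (root / "index.php").unlink()

        return compare_baseline(baseline, build_baseline(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The check is only as trustworthy as the baseline: an attacker with write access to the monitored host can also rewrite a baseline stored there, so keep it off-host or signed and read-only, which is what products such as Tripwire do with their database. Run the comparison on a schedule and feed the result to the SIEM so an unexpected change becomes an alert rather than a report nobody reads.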

Other ways to find out

Third parties – call and ask you to stop hacking their network
Government agencies – DHS, USSS and FBI
Internet – hackers load the data up on servers for

Detection – Is this an incident?

Did you lose data?
How much data and exactly what type?
Is the data loss ongoing?
Who knows about the data loss?
This information is going to guide the next phases of the response

Transition from Detection to Incident Response

Detection feeds into Incident Response
- Investigation
Once data loss has been confirmed, the IR Team will be activated
Priority One – determine the extent of the loss

Investigation

Critical questions – many are repeats
- What type of data was accessed and lost?
- Number of data records
- What systems and business processes are affected?
- How was the data accessed?
- How long has the activity been going on?

Investigation / Response

Legal and Regulatory Issues
- PCI requires notification
- State Data Breach notification laws – 47 states
- Public Relations – need to address inquiries from the press, the public, and government (Federal and State regulatory and law enforcement)

Investigation / Response

Investigation may continue for some time and additional facts may surface over time
- These facts may materially alter your response
Public relations
- Depending on the circumstances it may be desirable to put out prepared statements to the press and the public covering the status of the data breach investigation and the actions the company is taking as a result

Response – Public Relations

Internal Public Relations
- Are they capable of dealing with:
- Channels – media inquiries, telephone calls, Internet, social media
- Volume – can they handle customer inquiries via phone and web?
- Can they deliver status updates in a timely manner?

Response – Public Relations

External third party contractors
- Equipped to deal with a crisis situation
- Can assist Legal and Public Relations with messaging
- Have call centers in place that can ramp up quickly
- Website templates
- Notification capabilities, including printing letters

Remediation

Returning to normal state
- Stop the bleeding – data loss
- Quantify the loss
- Secure your information systems

Repairing the damage to the brand

For customers
- Credit monitoring
- Credit repair
- Litigation services for anyone victimized by ID theft
Company Image
- Good will gestures
- Awareness outreach to customers on data protection

Lessons learned – Follow up

Action Plan by team
Infrastructure and security
- Assigned an owner who is responsible for the fix
- Given adequate resources to address problems
- Required to provide regularly scheduled updates until resolution

Today's Topic: Security Controls

Purpose of Preventive Controls

Preventive controls are designed to keep incidents from occurring in the first place
Preventive controls only serve as a deterrent against unauthorized access
Often we are too focused on preventive controls and too trusting of their efficacy
For a program to be successful, these controls must be

Purpose of Detective Controls

Detective controls are designed to identify and alert on malicious or unauthorized activity
Provide support for post-incident activities (corrective controls)
Allow an organization to understand its compliance state or adherence to operational control sets (e.g. change management)
To be successful, deploying detective controls must be done with some framework in mind (e.g. data classification)

Understanding Corrective Controls

Corrective controls are designed to limit the scope of an incident and mitigate unauthorized activity
Provide support for preparing for future post-incident activities
Allow an organization to understand how to improve its preventative and corrective controls moving forward
Corrective controls are not always technical. They are also categorized as physical (door locks), procedural (incident response), and

Incident Response

Containment and Preservation

Ask yourself: Is my staff appropriately trained to handle an information security incident? Do they have the skill sets to conduct a forensic investigation? Have we been through this type of incident before? Do we know where our data is physically located?

The initial objective is to learn about your organization, its IT infrastructure and the incident
- What actions have been performed to date?
- What information did the attacker ask for and what did he receive?
- What known systems/information did the attacker access?
- Are there any remote tracking or wiping tools installed on the device?
- Does an employee have remote access to the network?
- Do logs show unusual network activity or failed login attempts?
Identifying potential evidence sources, followed by the preservation/collection of data.
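The last question in the list above, whether the logs show failed login attempts, is the one a responder can answer from the auth log in minutes. As an added example that is not code from the presentation, this Python snippet runs that check over a handful of constructed OpenSSH-style auth log lines: it counts failures per source address inside a sliding window and, separately, flags a successful login from an address that has already crossed the brute-force threshold, since failures followed by a success is what distinguishes a guessed password from background scanning noise. The host name, the year (syslog omits it), the addresses (RFC 5737 documentation ranges) and the threshold are all assumptions for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample in OpenSSH/syslog style (not a real capture). Addresses come from the
# RFC 5737 documentation ranges; the host name "web01" is an assumption.
SAMPLE_AUTH_LOG = """\
Oct 12 03:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Oct 12 03:14:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 50123 ssh2
Oct 12 03:14:04 web01 sshd[2215]: Failed password for root from 203.0.113.5 port 50124 ssh2
Oct 12 03:14:06 web01 sshd[2218]: Failed password for root from 203.0.113.5 port 50125 ssh2
Oct 12 03:14:07 web01 sshd[2220]: Failed password for root from 203.0.113.5 port 50126 ssh2
Oct 12 03:14:09 web01 sshd[2222]: Accepted password for root from 203.0.113.5 port 50127 ssh2
Oct 12 03:20:00 web01 sshd[2301]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Oct 12 03:20:30 web01 sshd[2303]: Accepted publickey for alice from 198.51.100.7 port 41001 ssh2
"""

# Matches the two sshd outcomes we care about; anything else (cron, sudo, other shapes) is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, outcome, user, source ip)


def parse_auth_log(text: str, year: int = 2015) -> List[Event]:
    """Parse sshd auth lines. Syslog timestamps carry no year, so the caller supplies it."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line shape: ignore rather than abort the whole review
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["outcome"], m["user"], m["ip"]))
    return events


def detect_brute_force(events: List[Event], threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> List[tuple]:
    """Flag a source once it reaches `threshold` failures inside a sliding `window`, and
    flag any later successful login from that same source."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()
    alerts: List[tuple] = []
    for ts, outcome, user, ip in sorted(events):
        if outcome == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, len(q)))
        elif ip in flagged:  # outcome == "Accepted" from a source already flagged
            alerts.append(("success_after_brute_force", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

In a SIEM such as the QRadar deployment mentioned earlier this is a correlation rule rather than a script, but the logic is the same: the threshold and window are tuning knobs, and the "invalid user" lines are worth counting separately because they indicate username guessing even when no password ever succeeds. The check only works if the retention period covers the dwell times quoted on the statistics slide, which is why log retention appears again under investigative hurdles.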

Incident Response

Evidence Collection

Evidence sources:
Network servers and applications
Computer system memory
Firewall, VPN, email, building access logs
Network and system backups
Information from third-party providers (cloud services)
Video surveillance

Investigative hurdles

Trust but verify

Ask yourself: Is my staff appropriately trained to handle an information security incident? Do they have the skill sets to conduct a forensic investigation?

Investigating "Unknowns"
- Unable to identify appropriate resources
- Third-party providers and custom applications
Evidence preservation – afterthought
- Deleted digital evidence – expands scope/risk of harm
- Lack of documentation, misconfigured applications, log retention
Data pooling
- Human capital, accounting, user share data combined
Data quality
- Non-standardized data formats
- Manual review for protected information

Mitigating costs & risks

Administrative tasks

Organizational Programs
- Written Information Security Program (WISP)
- Vendor management
- Business continuity & disaster recovery plans
Specific Preparation Tasks
- IT risk assessment
- Incident response plan
- Mock incident response drills
- Security awareness training
Response
- Documentation
• How was the incident discovered? Who performed what action? When did the change or event occur? What was the result?

Mitigating costs & risks (cont'd)

Technical tasks

Data segregation
- Data classification/identification program
Network and application patch management
Backup and archiving solutions
- Access to data backup and offsite facilities
- Test archiving solutions (email, data vaults)
- Speed of exports, change in file properties, search functionality
Network vulnerability testing
Enterprise monitoring solutions
- Event logging (VPN, file audit, network access, building access)
- Data Loss Prevention (DLP) solutions
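The data classification and DLP items above, like the "manual review for protected information" hurdle on the earlier slide, come down to the same task: finding regulated data inside pooled exports and file shares. As an added example that is not part of the deck, this Python scanner looks for payment card numbers and U.S. SSN-shaped values in a constructed CSV export and reports masked findings per line. Card candidates are validated with the Luhn check so that an arbitrary 16-digit order reference is not flagged, and SSN candidates exclude the structurally invalid area, group and serial values. The sample rows and the test card number 4111 1111 1111 1111 are constructed; a production DLP rule would add context (column names, keywords, allow-lists) on top of this to keep false positives down.

```python
import re
from typing import List, Tuple

# Constructed CSV export (not real customer data). 4111 1111 1111 1111 is a well-known
# test card number that passes the Luhn check; 4111111111111112 does not.
SAMPLE_EXPORT = """\
customer_id,name,notes
1001,Alice Example,"card on file 4111 1111 1111 1111, exp 09/17"
1002,Bob Example,"ssn 123-45-6789 provided for credit check"
1003,Carol Example,"order ref 4111111111111112 (not a card), phone 617-555-0100"
1004,Dan Example,"ssn 000-12-3456 rejected by form validation"
"""

# 13-19 digits, optionally separated by single spaces or hyphens, as PANs appear in free text.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# AAA-GG-SSSS with the SSA's structurally invalid values excluded:
# area 000/666/9xx, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

Finding = Tuple[int, str, str]  # (line number, data type, masked value)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, fold >9 back to one digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the PCI DSS display rule."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_for_protected_data(text: str) -> List[Finding]:
    """Return one masked finding per PAN or SSN hit, with the 1-based line it was found on."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):  # the regex finds candidates; Luhn rejects most non-cards
                findings.append((lineno, "PAN", mask_pan(digits)))
        for m in SSN_RE.finditer(line):
            findings.append((lineno, "SSN", "***-**-" + m.group()[-4:]))
    return findings


if __name__ == "__main__":
    for lineno, kind, masked in scan_for_protected_data(SAMPLE_EXPORT):
        print(f"line {lineno}: {kind} {masked}")
```

The output is deliberately masked: a report that lists full card numbers is itself a new store of cardholder data and widens the PCI scope the slide is trying to contain. Running a scanner like this over the "data pooling" shares named under investigative hurdles is how an organization learns, before an incident, which systems hold regulated data and therefore what a breach of each would trigger.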

Risk Financing for Data Breach Exposures

Not if, but when!
Data breach events may result in significant costs
More damage is caused by a poor response to a data breach than by the data breach itself
Insurance provides important balance sheet protection – and is ideal for difficult to predict events that create large losses
An insurance carrier can provide significant expertise in order to facilitate an effective and efficient response

Insurance Overview

Security & Privacy Liability
- Judgments, settlements and defense costs for a claim seeking damages from a loss, theft or unauthorized disclosure of information
Regulatory Defense & Penalties
Payment Card Industry (PCI) Fines and Penalties
- Contractual fines and assessments for a failure to maintain PCI data security standards
Breach Response Costs
- Expenses for: computer forensics, notifications, credit monitoring, pre-claim legal, call center services and public relations
Other coverage options typically available
- Media Liability
- Business Interruption
- Data Protection

Questions and contact information

Frederick J. Howell, MBA, MSISM, CISSP
Manager, Security and Privacy Services
McGladrey, LLP
80 City Square
Boston, MA 02129
(O) 617.271.1520
(M) 781.831.2767
(E) fred.howell@mcgladrey.com

Experience the power of being understood.℠
www.mcgladrey.com

McGladrey LLP is the U.S. member of the RSM International ("RSMI") network of independent accounting, tax and consulting firms. The member firms of RSMI collaborate to provide services to global clients, but are separate and distinct legal entities which cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party.

McGladrey, the McGladrey signature, The McGladrey Classic logo, The power of being understood, Power comes from being understood and Experience the power of being understood are trademarks of McGladrey LLP.

McGladrey LLP
One South Wacker Drive
Suite 800
Chicago, IL 60606
800.274.3978

References

http://www-935.ibm.com/services/us/en/it-services/security-services/cost-of-data-breach/
www.secretservice.gov/forensics.shtml
www.usdoj.gov/criminal/cybercrime/s&smanual 2002.htm
www.usdoj.gov/criminal/cybercrime/PatriotAct.htm
http://www.sans.org/
http://www.cert.org/incident-management/
http://www.dhs.gov/topic/cybersecurity#