
Are you prepared for a Data Breach




© 2015 McGladrey LLP. All Rights Reserved.

October 2015



Incident statistics

IT security controls







Incident response tasks & investigative hurdles

Mitigating costs and risks

Administrative and technical controls

Cyber liability insurance


Andy Obuchowski - Director

Summary of Experience

Frederick Howell provides services and solutions for clients in preparation of and in response to matters involving data breach investigations, cyber security and incident responses, digital forensic analyses, electronically stored information (ESI) collection and intellectual property theft. With this wide range of experience, he delivers industry-leading technical and consultative expertise to law firms, corporations and government agencies.

Fred is a member of several organizations including HTCIA, ISSA and Infragard. He has lectured across the country on matters relating to cyber security, digital forensics, and cyber crime matters.

Representative Experience

• Prior to joining McGladrey, Mr. Howell worked for the Bose Corporation’s Information Security team, working on security projects and initiatives, risk assessments and developing business relationships, project plans, and policies/procedures surrounding data privacy and digital forensics.

• Prior to Bose, he consulted Fortune 500 companies on matters relating to information security, regulatory compliance and digital forensics. He developed client service offerings related to HIPAA and digital forensics data collection and analysis.

• He worked for the New Hampshire and Massachusetts Attorney General’s Offices for 17 years, where he conducted white collar crime and computer forensic investigations.

• He is an adjunct professor in the graduate Information Assurance program at Northeastern University in Boston, Massachusetts, where he teaches system forensics.









The pace of data breaches is increasing

JP Morgan Chase – 70 plus million

Home Depot


Neiman Marcus


Data breach statistics


2014 Verizon Data Breach Report

Security statistics

Four most prevalent attack vectors

1. Hacking

• “Traditional” hacking is used post-breach, not as the original entry point

• Current methods focus on web apps and browser plugins

2. Malware

• Finding and purchasing non-detectable malware in the underground market is trivial

• Modern anti-virus is an 80-20 proposition at

3. Social Engineering

• Why bother to do all the heavy lifting involved with “hacking” when you can just ask someone to do something for you?

• While there is a technical component, the attack is against human nature


Cost of Data Breach

Operational Cost

Public Relations Cost

Legal Costs






Civil litigation Costs

Government entities – Federal and State

Financial institutions – banks and card issuers


Ponemon and IBM have done a study in 2014


Security statistics

And now for some boring numbers

Breaches detected in first 24 hours


Breaches with data loss in first 24 hours

60% - 68%

Breaches detected by an external 3rd party

71% - 92%

Breaches undetected for two years or more


Average days to discovery



Purpose of Preventive Controls

If we had a data breach, would we know?

Once we knew – what are we going to do?

Do we have a plan?

Is our plan comprehensive enough to deal with the potential public outcry and media storm?


Objective of this session

Raise your awareness

Provide you with a roadmap for putting together a plan that answers these



Identify key stakeholders


Stages of a data breach


Key goals during each stage


Approaches to an effective response plan


What is a computer security incident?

Any unlawful, unauthorized, or unacceptable action that involves a computer system or computer


Security Incidents Include


Malware attacks including – Spyware, Phishing and Spear Phishing, APT (Advanced Persistent Threat)



Theft by insiders


Unauthorized intrusions


What are the goals of Incident Response?

To respond with a coordinated and cohesive response


Prevents a disjointed response


Confirms or dispels whether an incident occurred


Establishes proper retrieval and handling of evidence


Protects privacy rights established by law and policy


Minimizes disruption of business and network


What are the goals of Incident Response?

Accurate reports and useful recommendations

Rapid detection and containment

Minimizes exposure and compromise of data

Protect your organization’s reputation and assets

Educates senior management

Promotes rapid detection


Lessons learned


Policy changes


The cost goes beyond the breach

Mandatory audits

Litigation can linger on for years

Increased Information Security costs

Damage to






Preparing for a Data Breach

Take the initiative


Executive sponsorship







Appropriate Personnel




Where do you begin

There are lots of resources available

– National Institute of Standards and Technology (NIST)

– Department of Homeland Security

White House
– Cyber Security website

– Computer Emergency Response Team


Excellent free resources

Best Practices for Seizing Evidence: A Pocket Reference Guide for First

Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
www.usdoj.gov/criminal/cybercrime/s&smanual 2002.htm

Field Guidance on New Authorities that relate to Computer Crime and Electronic Evidence enacted in the USA Patriot Act of 2001








SANS Institute (SysAdmin, Audit, Networking, and Security) – http://www.sans.org/

Computer Emergency Response Team – http://www.cert.org/incident-management/



Form a Cross Functional Team

Senior Management


Corporate Security

Information Technology


Human Resources

Public Relations


Phases of Data Breach





Lessons Learned



Finding out you have lost data


Data can be lost in a variety of ways


Lost or stolen laptops or mobile phones


Lost or stolen back up media


Detection – Information Security

IDS – Intrusion Detection Systems

SIEM – Security Information and Event Management
- QRadar

FIM – File Integrity Monitoring Systems

FW – Firewall activity

AV – Anti-Virus Alerts

Service Desk Calls

- Other ways to find out

Third parties – call and ask you to stop hacking their network

Government agencies – hackers load the data up on servers for


Detection – Is this an incident

Did you lose data?

How much data and exactly what type?

Is the data loss ongoing?

Who knows about the data loss?

This information is going to guide the next phases of the response


Transition from Detection to Incident Response

Process Detection into Incident Response



Once data loss has been confirmed, the IR Team will be activated

Priority One – determine the extent of the loss



Critical questions – many are repeats


What type of data was accessed and lost


Number of data records


What systems and business process are affected


How was the data accessed


How long has the activity been going on


Investigation / Response

Legal and Regulatory Issues


PCI requires notification


State Data Breach notification laws – 47 states


Public Relations – need to address inquiries



Government – Federal and State regulatory and law enforcement


Investigation / Response

Investigation may continue for some time, and additional facts may surface over time

These facts may materially alter your response

Public relations

Depending on the circumstances, it may be desirable to put out prepared statements to the press and the public

Status of data breach investigation

Actions the company is taking as a result


Response – Public Relations

Internal Public Relations


Are they capable of dealing with

Channels – Media inquiries, Telephone calls, Internet, Social Media

Volume – can they handle customer inquiries via phone and web

Can they deliver status updates in timely



Response – Public Relations

External third party contractors


Equipped to deal with crisis situation


Can assist Legal and Public Relations with



Have call centers in place that can ramp up quickly


Website templates


Notification capabilities

Printing letters



Returning to normal state


Stop the bleeding – data loss


Quantify the loss


Secure your information systems


Repairing the damage to the brand

For customers


Credit monitoring


Credit repair


Litigation services for any victimized by ID Theft

Company Image


Good will gestures


Awareness Outreach to customers on data



Lessons learned – Follow up

Action Plan by team

Infrastructure and security


Assigned an owner who is responsible for the fix


Given adequate resources to address problems


Required to provide regularly scheduled updates until resolution



Today’s Topic: Security Controls


Purpose of Preventive Controls

Preventive controls are designed to keep incidents from occurring in the first place

Preventive controls only serve as a deterrent against unauthorized

Often times we are too focused on preventive controls and too trusting of their efficacy

For a program to be successful, these controls must be


Purpose of Detective Controls


Detective controls are designed to identify and alert on malicious or unauthorized activity

Provide support for post-incident activities (corrective controls)

Allow an organization to understand its compliance state or adherence to operational control sets (e.g. change

To be successful, deploying detective controls must be done with some framework in mind (e.g. data


Understanding Corrective Controls

Corrective controls are designed to limit the scope of an incident and mitigate unauthorized activity

Provide support for preparing for future post-incident activities

Allows an organization to understand how to improve its preventative and corrective controls moving forward

Corrective controls are not always technical. They are also categorized as physical (door locks), procedural (incident response), and

[Diagram: Preventative Control, Detective Controls, Corrective Control]


Incident Response


Containment and Preservation

Is my staff appropriately trained to handle an information security incident? Do they have the skill sets to conduct a forensic investigation? Have we been through this type of incident before? Do we know where our data is physically located?

The initial objective is to learn about your organization and IT infrastructure and incident


What actions have been performed to date?


What information did the attacker ask for and what did he receive?


What known systems/information did the attacker access?


Are there any remote tracking or wiping tools installed on the device?


Does an employee have remote access to network?


Do logs show unusual network activity or failed login attempts?

Identifying potential evidence sources, followed by the preservation/collection of data.

Incident Response Tasks

Investigative Hurdles


Incident Response

Evidence Collection

Evidence sources:

Network Servers and Applications

Computer system memory

Firewall, VPN, Email, Building Access Logs

Network and system backups

Information from third-party providers (Cloud services)

Video surveillance



Investigative hurdles


Trust but verify

Is my staff appropriately trained to handle an information security incident? Do they have the skill sets to conduct a forensic investigation?



Investigating “Unknowns”


Unable to identify appropriate resources


Third-party providers and custom applications

Evidence preservation – afterthought


Deleted digital evidence – expands scope/risk of harm


Lack of documentation, misconfigured applications, log


Data pooling


Human capital, accounting, user share data combined

Data quality

Non-standardized data formats

Manual review for protected information



Mitigating costs & risks


Administrative tasks

Organizational Programs


Written Information Security Program (WISP)


Vendor management


Business continuity & disaster recovery plans

Specific Preparation Tasks


IT risk assessment


Incident response plan


Mock incident response drills


Security awareness training




• How was the incident discovered? Who performed what action? When did the change or event occur? What was the result?



Mitigating costs & risks (con’t)

Technical tasks

Data segregation


Data classification/identification program

Network and application patch management

Backup and archiving solutions


Access to data backup and offsite facilities


Test archiving solutions (email, data vaults)


Speed of exports, change in file properties, search functionality

Network vulnerability testing

Enterprise monitoring solutions


Event logging (VPN, file audit, network access, building access)


Data Loss Prevention (DLP) solutions



Risk Financing for Data Breach Exposures

Not if, but when!

Data breach events may result in significant costs

More damage is caused by a poor response to a data breach than by the data breach itself

Insurance provides important balance sheet protection – and is ideal for difficult-to-predict events that create large losses

An insurance carrier can provide significant expertise in order to facilitate an effective and efficient response



Insurance Overview

Security & Privacy Liability


Judgments, settlements and defense costs for a claim seeking damages from a loss, theft or unauthorized disclosure of information

Regulatory Defense & Penalties

Payment Card Industry (PCI) Fines and penalties


Contractual fines and assessments for a failure to maintain PCI data security


Breach Response Costs


Expenses for: Computer forensics, notifications, credit monitoring, pre-claim legal, call center services and public relations

Other coverage options typically available


Media Liability


Business Interruption


Data Protection


Questions and contact information

Frederick J. Howell, MBA, MSISM, CISSP


, Security and Privacy Services

McGladrey, LLP

80 City Square

Boston, MA 02129

(O) 617.271.1520

(M) 781.831.2767

(E) fred.howell@mcgladrey.com

Experience the power of being understood.




McGladrey LLP is the U.S. member of the RSM International (“RSMI”) network of independent accounting, tax and consulting firms. The member firms of RSMI collaborate to provide services to global clients, but are separate and distinct legal entities which cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party.

McGladrey, the McGladrey signature, The McGladrey Classic logo, The power of being understood, Power comes from being understood and Experience the power of being understood are trademarks of McGladrey LLP.


McGladrey LLP

One South Wacker Drive

Suite 800

Chicago, IL 60606


http://www-935.ibm.com/services/us/en/it-services/security-services/cost-of-data-breach/
www.secretservice.gov/forensics.shtml
www.usdoj.gov/criminal/cybercrime/s&smanual 2002.htm
www.usdoj.gov/criminal/cybercrime/PatriotAct.htm
http://www.sans.org/
http://www.cert.org/incident-management/
http://www.dhs.gov/topic/cybersecurity#

