Data Breach Lessons Learned
2 © 2015 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
Introduction
John Adams, CISM, CISA, CISSP
Associate Director – Security & Privacy
Powerful Insights. Proven Delivery.®
410.707.2829
[email protected]
Kevin Hsiao, CISSP, PCI QSA
Manager – Security & Privacy
Powerful Insights. Proven Delivery.®
571.382.7236
[email protected]
@kkhsiao
Table of Contents
Key Statistics
Breach & Identity Theft Prevention
Key Statistics
Top Government Data Breaches
2015 In the News
Cost of Lost Records
Source: Ponemon Cost of Data Breach Study (per capita cost)
According to the Ponemon Cost of Data Breach Study, US and German entities experienced the highest costs, at $201 and $195 per compromised record respectively. Both countries also paid the most per compromised record for breaches caused by malicious and criminal attacks: about $246 (US) and $215 (Germany).
The cost of a data breach differs widely by sector. Heavily regulated industries such as healthcare, pharmaceutical and financial services had per capita costs well above the study's overall average of $145 per record.
Data Breach Statistics
Source: Social Media Today
[Chart: Identity Theft Data Breach Statistics by industry (Business, Medical/Healthcare, Banking/Credit/Financial, Educational, Government/Military), showing each industry's share of breaches and share of records exposed]
270 breaches to date; 102,372,157 records to date.
2015 is seeing a significant increase in healthcare-related breaches. Health data is more valuable to criminals because a compromised credit card can be cancelled and reissued, whereas most health data cannot be changed once it is exposed.
Cause of Data Breaches
Frequency of incident classification patterns with confirmed data breaches (n=1,598):
Pattern                    Share of confirmed breaches
POS intrusions             28.5%
Crimeware                  18.8%
Cyber-espionage            18.0%
Insider misuse             10.6%
Web app attacks             9.4%
Miscellaneous errors        8.1%
Physical theft/loss         3.3%
Payment card skimmers       3.1%
Denial of service           1.0%
Data Breach Consequences
Data breaches have major consequences for both corporations and consumers; companies in particular can face severe repercussions to their business.
• Financial Loss - direct losses caused by the breach, with reputational damage as a further serious consequence. Major data breaches usually attract extensive media coverage, and in some cases the victim organization faces a class action lawsuit filed by its clients. Further expenses cover detection, escalation, notification and incident response.
• Loss of Trust - customers may lose trust in the company and change service providers, in some cases to a direct competitor.
• Customer Impact - customers are also directly affected: the individuals whose data was taken are the most exposed, since criminals can use their personal details for fraud (e.g. spear phishing, banking fraud, social engineering, debit/credit card fraud).
• Multiple Fraud Opportunities - users' habit of reusing the same credentials across different accounts and web services compounds the consequences of a breach: one stolen password can open several other accounts.
Private companies and government entities need to improve their cyber strategies to prevent these kinds of incidents. Unfortunately, security is still perceived as a supplementary cost to be reduced; the budget to execute an organization's security strategy and mission is usually far less than what is needed.
Breach & Identity Theft Prevention
Profiling Threat Actors
Security Triad
The CIA (Confidentiality, Integrity, and Availability) triad is the benchmark model used to evaluate an organization's information security. It frames security in three key areas of information systems: confidentiality, integrity and availability.
Confidentiality
• Ensures privacy: data is available only to the trusted parties that require access to it.
• Information is organized in terms of who should have access and what level of access should be granted.
Integrity
• Data integrity is the certainty that data is not tampered with during or after submission.
• It is the certainty that data will not be modified or destroyed by unauthorized parties.
Availability
• Stored information is available when it is needed.
• For a system to demonstrate availability, it must have the ability to store, process and transmit data as required.
Top Government Data Breaches
Endpoint Security Spending Forecast
Source: Ponemon Institute 2014 State of the Endpoint
Data Discovery
Source: PWC
• Engage the business units and the data owners in the data discovery process.
• Locate the data, determine what kind of information it is, identify its current storage state (that is, whether it is held in the clear, or stored in an obfuscated state such as encryption, truncation, or tokenization), and the risk it may present.
• Combine top-down and bottom-up approaches to add specificity to the known high-risk data areas, while also finding the unknown sensitive data risks.
• Use a wide variety of tools, from leading applications to custom designed programs, to find high-risk data stored in multiple locations as cost effectively, efficiently, and accurately as possible.
• Results from the high-risk data discovery process should help address information vulnerabilities with thorough details, customized reports, data categorization, and risk assessments that can be used to design improvements and remediation action plans.
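The second and fourth bullets describe what a custom discovery program actually has to do: find the sensitive data and say in what state it is stored. The scanner below is an added example, not code from the slide deck or from PwC. It runs over constructed sample records and labels each primary account number (PAN) or US SSN as clear, truncated, tokenized or hashed. The `tok_` token format, the risk weights and the sample lines are assumptions; the Luhn check is standard and is what keeps 16-digit order numbers out of the findings.

```python
"""Added example: a minimal high-risk data discovery scanner over constructed
records. Token format, risk weights and sample data are assumptions."""
import re
from collections import Counter

# 13-19 digits with optional single space/dash separators (covers the major card brands).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# First-six/last-four or last-four-only masking, the shape PCI DSS truncation usually leaves.
MASKED_PAN_RE = re.compile(r"\b\d{6}[*Xx]{6,9}\d{4}\b|\b[*Xx]{8,12}\d{4}\b")
# ASSUMPTION: the tokenization vendor issues "tok_" followed by 16+ alphanumerics.
TOKEN_RE = re.compile(r"\btok_[A-Za-z0-9]{16,}\b")
# A bare SHA-256 hex digest: obfuscated, but still worth locating (an unsalted
# hash of a 16-digit PAN is brute-forceable, so it is not "safe" storage).
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")
# SSN with structurally invalid area (000, 666, 9xx), group (00) and serial (0000) excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

RISK_WEIGHT = {"clear": 10, "hashed": 3, "truncated": 1, "tokenized": 1}  # ASSUMPTION


def luhn_ok(digits):
    """Luhn check. Filters most order numbers and other 13-19 digit IDs; note that
    roughly one random number in ten still passes, so confirm hits in context."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 9 else (d * 2 if d * 2 <= 9 else d * 2 - 9)
        total += d
    return total % 10 == 0


def mask(digits):
    """Never write a clear PAN into the findings report: keep first six / last four."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line):
    """Return (data_kind, storage_state, redacted_value) tuples found in one record."""
    findings = []
    for m in HASH_RE.finditer(line):
        findings.append(("sha256", "hashed", m.group()[:8] + "..."))
    for m in TOKEN_RE.finditer(line):
        findings.append(("pan", "tokenized", m.group()))
    for m in MASKED_PAN_RE.finditer(line):
        findings.append(("pan", "truncated", m.group()))
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("pan", "clear", mask(digits)))
    for m in SSN_RE.finditer(line):
        findings.append(("ssn", "clear", "***-**-" + m.group()[-4:]))
    return findings


def risk_summary(records):
    """Count findings by (kind, state), score the data set, and list the record
    indexes that hold clear-text sensitive data (the remediation targets)."""
    counts, clear_records, score = Counter(), [], 0
    for idx, line in enumerate(records):
        for kind, state, _ in scan_line(line):
            counts[(kind, state)] += 1
            score += RISK_WEIGHT[state]
            if state == "clear" and idx not in clear_records:
                clear_records.append(idx)
    return {"counts": dict(counts), "score": score, "clear_records": clear_records}


# Constructed sample export: a payments/HR log mixing storage states.
SAMPLE_RECORDS = [
    "2015-06-01 order=88321 customer=alice card=4111 1111 1111 1111 exp=12/27",
    "2015-06-01 order=88322 customer=bob card=411111******1111",
    "2015-06-01 order=88323 customer=carol card=tok_9f3ab2c1d4e5f6a7b8c9",
    "2015-06-02 hr_export employee=dave ssn=123-45-6789",
    "2015-06-02 order=1234567890123456 status=shipped",
    "2015-06-02 pan_sha256=9c7d3a1f4b2e8d6c5a0f1e3d2c4b6a8f7e9d1c3b5a2f4e6d8c0b1a3f5e7d9c2b",
]
```

Running `risk_summary(SAMPLE_RECORDS)` reports one clear PAN, one clear SSN, one truncated PAN, one token and one hash, and points at records 0 and 3 as the clear-text stores. The 16-digit order number in record 4 fails Luhn and is not reported. The findings themselves are redacted before they leave the function, because a discovery report that lists full card numbers is itself a new clear-text store.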
Defense in Depth
Compliance does not equal security!
Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. If a hacker gains access to a system, defense in depth minimizes the adverse impact and gives administrators and engineers time to deploy new or updated countermeasures to prevent recurrence.
Layers shown on the slide: Physical Security; User Awareness; Firewalls and IDS/IPS; Logical Access; Anti-Virus; Patch Management; Device Configuration.
Source: http://searchsecurity.techtarget.com/definition/defense-in-depth
Breach Kill Chain
[Figure: Breach Kill Chain, with the phases Persistent Attack, Initial Attack Vector, Establish Foothold, Identify Interesting Data, Malware Propagation and Exfiltrate Data]
The attack can be disrupted at any point in the kill chain. Ideally, a company will have controls at each point, which together form a defense in depth strategy. As the Breach Kill Chain model shows, cyber attacks can and do incorporate a broad range of malevolent actions, from spear phishing and espionage to malware and data exfiltration, and they may persist undetected for an indefinite period.
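"Controls at each point" only helps if the events at each point are actually recognised and tied together. The script below is an added example, not from the slide deck: it maps constructed host and network events onto the kill chain phases above, adds an aggregate rule for the persistent-attack phase (evenly spaced callbacks to one external address), and reports per host the earliest phase at which a control could have cut the chain. The rule thresholds, the 10/8 internal range, the host names and the sample events are assumptions.

```python
"""Added example: mapping constructed events onto the Breach Kill Chain phases.
Thresholds, the internal address range and the sample events are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

PHASES = ["Initial Attack Vector", "Establish Foothold", "Identify Interesting Data",
          "Malware Propagation", "Exfiltrate Data", "Persistent Attack"]
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
RISKY_ATTACHMENT = (".docm", ".xlsm", ".js", ".exe", ".scr")
INTERNAL_PREFIX = "10."      # ASSUMPTION: only 10/8 is internal
EXFIL_BYTES = 50_000_000     # ASSUMPTION: outbound transfer size worth a look


def is_external(ip):
    return not ip.startswith(INTERNAL_PREFIX)


def classify(ev):
    """Single-event rules: the phase one event points at, or None if benign."""
    t = ev["type"]
    if t == "mail" and ev["attachment"].lower().endswith(RISKY_ATTACHMENT):
        return PHASES[0]                              # phish with a macro/script payload
    if t == "process" and ev["parent"] in OFFICE_APPS and ev["image"] in SCRIPT_HOSTS:
        return PHASES[1]                              # Office app spawning a script host
    if t == "persistence":                            # Run key, scheduled task, new service
        return PHASES[1]
    if t == "share_enum" and ev["files"] >= 500:      # mass listing of a file share
        return PHASES[2]
    if t == "remote_exec":                            # service install on another host
        return PHASES[3]
    if t == "netflow" and is_external(ev["dst"]) and ev["bytes"] >= EXFIL_BYTES:
        return PHASES[4]
    return None


def beaconing(events, min_count=4, max_jitter=60):
    """Aggregate rule for Persistent Attack: evenly spaced callbacks from one host
    to one external address. Returns (host, dst, mean period in seconds) tuples."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["type"] == "netflow" and is_external(ev["dst"]):
            by_pair[(ev["host"], ev["dst"])].append(ev["ts"])
    hits = []
    for (host, dst), times in by_pair.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            hits.append((host, dst, round(sum(gaps) / len(gaps))))
    return hits


def kill_chain_timeline(events):
    """Per host, the (timestamp, phase) sequence ordered by time."""
    timeline = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        phase = classify(ev)
        if phase:
            timeline[ev["host"]].append((ev["ts"], phase))
    for host, dst, _ in beaconing(events):
        first = min(e["ts"] for e in events if e["host"] == host and e.get("dst") == dst)
        timeline[host].append((first, PHASES[5]))
    return {h: sorted(v) for h, v in timeline.items()}


def earliest_disruption_point(timeline, host):
    """First phase observed on a host: the earliest point a control could have cut the chain."""
    return timeline[host][0][1] if host in timeline else None


# Constructed sample: one phished workstation plus benign noise on a second host.
T0 = datetime(2015, 6, 1, 9, 0)


def at(minutes, seconds=0):
    return T0 + timedelta(minutes=minutes, seconds=seconds)


SAMPLE_EVENTS = [
    {"ts": at(0), "host": "WS-017", "type": "mail", "attachment": "Invoice_4471.docm"},
    {"ts": at(3), "host": "WS-017", "type": "process", "parent": "winword.exe", "image": "powershell.exe"},
    {"ts": at(4), "host": "WS-017", "type": "persistence", "detail": "HKCU Run key 'updater'"},
    {"ts": at(40), "host": "WS-017", "type": "share_enum", "share": "FS-01/finance", "files": 12400},
    {"ts": at(55), "host": "WS-017", "type": "remote_exec", "target": "FS-01"},
    {"ts": at(120), "host": "WS-017", "type": "netflow", "dst": "198.51.100.7", "bytes": 480_000_000},
    {"ts": at(10), "host": "WS-022", "type": "mail", "attachment": "agenda.pdf"},
    {"ts": at(12), "host": "WS-022", "type": "netflow", "dst": "10.0.5.20", "bytes": 900_000_000},
] + [  # C2 check-in about every five minutes with a few seconds of jitter
    {"ts": at(5 + 5 * i, jitter), "host": "WS-017", "type": "netflow", "dst": "203.0.113.10", "bytes": 1200}
    for i, jitter in enumerate([0, 4, 9, 2, 7, 5])
]
```

For WS-017 the timeline runs Initial Attack Vector, Establish Foothold, Persistent Attack (the beacon starts five minutes in), Identify Interesting Data, Malware Propagation, Exfiltrate Data; the large internal backup on WS-022 never appears because it stays inside 10/8. The point of `earliest_disruption_point` is the slide's: a macro-blocking mail gateway would have ended this chain two hours before the exfiltration rule fired, and each later phase is a second chance only if someone is watching that layer.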
Security Capability Maturity Model (CMM)
Maturity levels: 1) Ad-Hoc; 2) Due Diligence; 3) Controlled; 4) Well Managed; 5) World Class.
The slide places the following controls along those five levels for each dimension:
Security Governance: lack of defined policies and standards (Ad-Hoc); defined security requirements, roles, procedures and policies; security policies; employee awareness; security strategy; active monitoring; management dashboard of KPIs; ROI realized.
External Vulnerability: unrestricted Internet access and insecure protocols (Ad-Hoc); firewalls, ACLs, DMZ; encrypted connections; VA and penetration testing; IDS/IPS monitoring; 2-factor authentication; annual IRP testing; continuous external monitoring.
Internal Vulnerability: little or no restrictions between key internal resources (Ad-Hoc); network authentication; restricted file shares; network segmentation; centralized patch management; DLP tools implemented; internal IDS/IPS; DLP tools fine-tuned; Network Access Control (NAC).
Fourth row (label not legible on the slide): little to no physical controls in place (Ad-Hoc); locked consoles; security cameras; data center environmental controls; key-card access controls; perimeter fencing; background checks; breach notification; biometric access controls.
Keep in Mind
Focus on the Fundamentals
• “Simple or intermediate” controls will prevent many attacks
• Expensive tools and large initiatives are often not required
• How effectively does the team “block and tackle”?
Industry and Business Specific Risk Assessments
• Determine what threats are most relevant to your organization
• Is the sensitive data a target of interest or a target of opportunity?
• What security incidents or frauds have occurred at competitors or business partners?
• Many breaches involve several vulnerabilities
• Maintain a “defense-in-depth” posture
Keep in Mind (Continued)
Focus on the Fundamentals
• Bring the “not on my watch” mentality every day
• Information security and fraud risk management programs are continuous, ongoing functions
• Security and fraud risk management programs must follow a Plan – Do – Check – Act approach
Awareness and Training
• Must extend beyond traditional topics such as password sharing to also include:
  – Current industry-specific threat vectors
  – Phishing
  – Social engineering tactics
  – Privacy
  – Technical as well as non-technical audiences
[Figure: Plan – Do – Check – Act cycle]
Develop an Incident Response Plan
These days it is popular to say “not if, but when…”; it is more prudent to say “if it happens, how will we respond…”. An Incident Response Plan (IRP) should be the process that guides your actions through a potential breach…
Develop an Incident Response Plan
Preparation
• Define what an incident is and how to proceed based on severity
• IR Team - IS, IT, Legal, PR, Execs, Loss Prevention
• Define roles and responsibilities, assign primary & backup, with all contact info
• Communication – who needs to be contacted, prepare public statements; legal must review all communication
Detection & Analysis
• Develop an information security program and conduct risk assessments
• Stay abreast of the latest security threats
• Implement security controls to detect & prevent breaches (AV, IPS, DLP, SIEM, vulnerability scans, encryption)
• Validate incidents and assign severity
Containment & Recovery
• Determine how to contain and minimize an incident before it happens
• Use tools to collect evidence, both to learn from the incident and to prepare for litigation
• Understand how to recover systems through malware removal, system reimaging, and reviewing & resetting user and administrator accounts
• Reconcile the integrity of data pre- and post-incident
Post Incident
• Review the entire incident and conduct a “Lessons Learned” session
• Improve security posture, incident plan & procedures
Act Quickly and Sensibly … The First 24 Hours
Notify law enforcement, if needed, after consulting with legal counsel and upper management.
Record the date and time when the breach was discovered, as well as the date and time when response efforts begin, i.e. when someone on the response team is alerted to the breach.
Interview those involved in discovering the breach and anyone else who may know about it. Document your investigation.
Stop additional data loss. Take affected machines offline but do not turn them off or start probing into the computer until your forensics team arrives (isolating a host from the network stops further loss while keeping memory and running-process evidence intact for forensics).
Secure the premises around the area where the data breach occurred to help preserve evidence.
Alert and activate everyone on the response team, including external resources, to begin executing your preparedness plan.
Document everything known thus far about the breach: who discovered it, who reported it, to whom it was reported, who else knows about it, what type of breach occurred, what was stolen, how it was stolen, what systems are affected, what devices are missing, etc.
Review protocols regarding disseminating information about the breach for everyone involved in this early stage.
Assess priorities and risks based on what you know about the breach.
Bring in a forensics firm to begin an in-depth investigation.
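The "record the date and time" and "document everything" steps are only worth something in litigation if the record itself cannot be quietly rewritten afterwards. The journal below is an added example, not from the slide deck: an append-only incident log in which every entry commits to the SHA-256 hash of the previous one, so `verify()` reports the first entry that has been altered, and `response_lag_minutes()` yields the discovery-to-response interval the checklist asks you to record. The incident identifier, the actors and the timestamps are constructed.

```python
"""Added example: a tamper-evident journal for the first-24-hours checklist.
Incident identifier, actors and timestamps are constructed."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64   # back-link value for the first entry


class IncidentJournal:
    """Append-only record; each entry commits to the hash of the one before it,
    so an after-the-fact edit to any entry breaks the chain from that point on."""

    def __init__(self, incident_id, discovered_at):
        self.incident_id = incident_id
        self.discovered_at = discovered_at
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()

    def record(self, actor, event, at=None, **facts):
        """Append one entry (who, what, when, free-form facts) and return its hash."""
        entry = {
            "seq": len(self.entries),
            "at": (at or datetime.now(timezone.utc)).isoformat(),
            "actor": actor, "event": event, "facts": facts,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """seq of the first entry whose hash or back-link is broken; None if intact."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return e["seq"]
            prev = e["hash"]
        return None

    def response_lag_minutes(self):
        """Discovery-to-first-response interval the checklist asks you to record."""
        if not self.entries:
            return None
        first = datetime.fromisoformat(self.entries[0]["at"])
        return (first - self.discovered_at).total_seconds() / 60


def build_sample_journal():
    """Constructed first-hours record for a breach discovered via a DLP alert."""
    discovered = datetime(2015, 6, 1, 8, 45, tzinfo=timezone.utc)
    j = IncidentJournal("IR-2015-0042", discovered)   # constructed identifier
    j.record("j.doe (SOC)", "breach_discovered", at=discovered + timedelta(minutes=20),
             how="DLP alert on outbound transfer from WS-017", reported_to="IR lead")
    j.record("IR lead", "team_activated", at=discovered + timedelta(minutes=35),
             members=["IS", "IT", "Legal", "PR", "Loss Prevention"])
    j.record("IT", "host_isolated", at=discovered + timedelta(minutes=50),
             host="WS-017", action="network isolated, left powered on for forensics")
    j.record("Legal", "law_enforcement_decision", at=discovered + timedelta(hours=3),
             decision="notify after counsel and executive review")
    return j


def tamper_demo():
    """Show the chain catching a later edit: returns verify() before and after."""
    j = build_sample_journal()
    before = j.verify()
    j.entries[2]["facts"]["action"] = "powered off"   # someone rewrites history
    return before, j.verify()
```

`tamper_demo()` returns `(None, 2)`: the untouched journal verifies clean, and after the host-isolation entry is edited the chain breaks at sequence number 2. Hash chaining only proves that entries were not changed after they were written; it does not prove who wrote them, so in practice the journal is exported to a write-once location (or signed) at the end of each shift.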
Cyber Insurance – A way to transfer breach risk
Mitigate catastrophic loss
• Not intended to cover all costs
Match policy to needs
• Understand your risk tolerance
• Insurance is not intended to replace security controls
• Conduct due diligence to match the policy with your needs
Consider policies that include services
• Some policies only cover costs
• Insurance providers are now offering other services – customer notification, forensic analysis, legal services
Questions