Post on 12-Aug-2015
transcript
“We live in a world where our national security is threatened by cyber terrorists, and where private enterprise is forced to respond to cyber theft of intellectual property on a daily basis. The Cybersecurity Legal Task Force is examining risks posed by criminals, terrorists and nations that seek to steal personal and financial information, disrupt critical infrastructure and wage cyberwar. When our national security and economy are threatened, we will not stand on the sidelines.”
—Jim Darsigny, Chief Information Officer, Brown Rudnick
“It doesn’t take a genius to walk into an unsecured office and walk out with printed information or a laptop. THERE IS ALWAYS A WAY IN.”
CYBERSECURITY WILL BECOME A COST CENTER
THERE MUST BE BOARDROOM INVESTMENT
TECHNOLOGY IS VITAL
$7.5 MILLION
LACK OF SECURITY
INDIRECT
• BRAND DEVALUATION
• LOSS OF CLIENTS
• LITIGATION
DIRECT
• INFORMATION LOSS
• BUSINESS DISRUPTION
• REVENUE LOSS
• EQUIPMENT DAMAGES
ILTA FINDINGS
76 PERCENT OF FIRMS DO NOT USE OR REQUIRE TWO-FACTOR AUTHENTICATION.
72 PERCENT OF FIRMS DO NOT ISSUE ENCRYPTED USB DRIVES.
64 PERCENT OF FIRMS DO NOT AUTOMATICALLY ENCRYPT CONTENT-BASED EMAIL.
56 PERCENT OF FIRMS DO NOT ENCRYPT LAPTOPS.
90 PERCENT OF FIRMS DO NOT USE ANY LAPTOP TRACKING TECHNOLOGY.
61 PERCENT OF FIRMS DO NOT HAVE INTRUSION DETECTION TOOLS.
64 PERCENT OF FIRMS DO NOT HAVE INTRUSION PREVENTION TOOLS.
14% of respondents to an American Bar Association technology survey said their firms had experienced some type of security breach or theft this year.
FIRST STEPS IN AN ENTERPRISE SECURITY PROGRAM
HIRE CSO
BUDGET FOR STAFF
TO GET SERIOUS ABOUT LAW FIRM CYBERSECURITY, ATTORNEYS HAVE TO AWAKEN TO THE REALITY OF CYBERSECURITY RISK, AND BEGIN TO EMBRACE AND COOPERATIVELY IMPLEMENT SOLUTIONS.
EXERCISE GOVERNANCE OVER DIGITAL ASSETS
FIRM MANAGEMENT MUST DEFINE SECURITY ROLES AND RESPONSIBILITIES, DEVELOP TOP-LEVEL POLICIES AND EXERCISE OVERSIGHT.
SET THE “TONE FROM THE TOP” AND ISSUE HIGH-LEVEL POLICIES REGARDING THE PRIVACY AND SECURITY OF FIRM DATA. THIS INCLUDES THE USE OF ENCRYPTION.
VENDOR MANAGEMENT
INCIDENT RESPONSE
HAVING A WELL-REHEARSED INCIDENT RESPONSE PLAN IS CRITICAL. IT MUST SPECIFY WHO WILL BE NOTIFIED, WITHIN WHAT TIME FRAME, WHAT DOCUMENTATION MUST BE KEPT, WHO IS DESIGNATED TO SPEAK ABOUT THE INCIDENT AND WHO HAS AUTHORITY TO MAKE CERTAIN DECISIONS ABOUT THE INVESTIGATION.
LAW FIRMS ARE THEIR OWN WORST ENEMY
LAWYER ACCEPTANCE
FOCUS
INSIDER MISUSE
COMMUNICATION MISUSE
DATA LEAKAGE
DATA THEFT
CYBERSECURITY RECOMMENDATIONS
• INVENTORY THE FIRM’S SOFTWARE SYSTEMS AND DATA, AND ASSIGN OWNERSHIP AND CATEGORIZATIONS OF RISK.
• DEPLOY NEEDED SECURITY TECHNOLOGIES INCLUDING ENCRYPTION, INTRUSION DETECTION AND PREVENTION AND MONITORING.
• IDENTIFY POINTS OF CONTACT WITH LAW ENFORCEMENT, INTERNET SERVICE PROVIDERS AND THE COMMUNICATIONS COMPANIES THAT SERVICE THE FIRM.
• CONDUCT THIRD-PARTY VULNERABILITY SCANS, PENETRATION TESTS AND MALWARE SCANS.
IDENTIFY AND DOCUMENT SECURITY CONTROLS.
ESTABLISH SECURITY CONFIGURATION SETTINGS, ACCESS CONTROLS AND LOGGING.
DEVELOP SECURITY POLICIES AND PROCEDURES TO SUPPORT THE SECURITY PLAN AND TECHNOLOGIES.
DEVELOP CONTRACTUAL SECURITY REQUIREMENTS FOR OUTSOURCING VENDORS, CLOUD PROVIDERS OR OTHER ENTITIES.
DEVELOP INCIDENT RESPONSE, BUSINESS CONTINUITY OR DISASTER RECOVERY PLANS.
CONDUCT REGULAR REVIEWS OF THE SECURITY PROGRAM AND UPDATE AS NECESSARY.
ITEMS TO THINK ABOUT
FOREIGN THREATS
FOREIGN THREATS ARE FOR DESTRUCTIVE INTENT
NOISY NUISANCE ATTACKS COMPARED TO DESTRUCTIVE
CHINESE “AXIOM” ADVANCED PERSISTENT THREAT THAT CAN BE DEVASTATING TO CRITICAL INFRASTRUCTURE
BAD ACTORS
GOING ON OFFENSE
CYBERMERCENARY LEADS YOU TO SLIPPERY SLOPE OF LIABILITY
ACTIVE DEFENSE COMPARED TO OFFENSIVE DEFENSE IS DANGEROUS
CYBER COMPETITIVE ADVANTAGE CAN LEAD YOU TO PROBLEMS; WHY NOT COLLABORATE AMONG FIRMS?
INFORMATION SHARING LEGISLATION IN CONGRESS
ISAC (INFORMATION SHARING AND ANALYSIS CENTER)—BE ACTIVE
WHY AREN’T WE…
FINANCIAL INSTITUTIONS SPENDING 2B IN CYBER COSTS
DIFFERENCE BETWEEN VOLUNTARY AND REGULATORY IMPLEMENTATION
NIST SENIOR ADVISOR: ADAM SEDGEWICK
ADMIRAL MIKE ROGERS
One thing is very clear: Most organizations’ cybersecurity programs do not rival the persistence, tactical skills, and technological prowess of today’s cyber adversaries.
69% of US executives are worried that cyber threats will impact growth.
82% of companies with high-performing security practices collaborate with others to deepen their knowledge of security and threat trends.
59% of respondents said that they were more concerned about cybersecurity threats this year than in the past.
49% of all respondents have a plan for responding to insider threats.
$2,500 per employee: Median maximum amount that banking and finance organizations invest in cybersecurity.
$400 per employee: Median maximum amount that the SMB market invests in cybersecurity.
“Cybercrime is a clear, present, and permanent danger. While it’s a permanent condition, however, the actors, threats, and techniques are very dynamic.”
— Tom Ridge, CEO of Ridge Global and first secretary of the US Department of Homeland Security
The NIST Cybersecurity Framework may be voluntary, but it offers potential advances for organizations across industries.