Posted: 16-Jul-2015 | Category: Law
Life’s A Breach: Surviving Your Next Cyber-Attack
Garry A. Pate
Director
Stout Risius Ross, Inc.
Robert C. Ludolph
Of Counsel
Pepper Hamilton LLP
KEYNOTE
Robert C. Ludolph, Of Counsel, Pepper Hamilton LLP, +1.248.359.7368
Garry A. Pate, Director, Stout Risius Ross, +1.248.432.1304
Attack From Within
High level executive placed on leave to investigate a series of improprieties.
Executive keeps company laptop and iPhone on which he stored sensitive customer information, proprietary trade secrets and personal data on employees.
Computer returned with 40,000 documents deleted but e-mails to competitor are found.
General Counsel engages outside counsel who retains forensic investigator.
What is Your Cyber-Security Strategy?
Who Is In Charge?
Who Do You Notify?
Do You Take Any Legal Action?
What Is This Going to Cost?
And many more questions.
Real Threats?
Target Breach: Tip of the Iceberg
Who Are Your Cyber Threats?
Nuisance hacker
Social engineering
Disgruntled workers
Employee/third party theft
– Customer lists
– IP theft cases
Criminal enterprises
– Advanced persistent threats
– State-sponsored enterprises – cyber warfare
Is Your Law Firm the Worst Line of Defense?
"Banks Demand That Law Firms Harden Cyber-Attack Defenses" (Wall Street Journal, October 26, 2014)
"Law Firms Are Pressed on Security for Data" (New York Times, March 26, 2014)
That’s Where the Money Is.
“Law firms are a rich target,” said the FBI's assistant special agent in charge of the Pittsburgh field office. “They don't have the capabilities and the resources to protect themselves. Within their systems are a lot of the sensitive information from the corporations that they represent. And, therefore, it's a vulnerability that the bad guys are trying to exploit, and are exploiting.”
"Unprepared Law Firms Vulnerable to Hackers" (Pittsburgh Tribune-Review, September 13, 2014)
Can Your Law Firm Keep A Secret?
FBI began warning New York law firms in 2009:
"We have hundreds of law firms that we see increasingly being targeted by hackers."
Cybersecurity company Mandiant claims that in 2011, around 80 major U.S. law firms were hacked.
"Ransomware Hackers Pose Threat to B.C. Law Firms" (CBC News, January 12, 2015)
Will You Know When the Attack Begins?
Target Breach
Target's systems were compromised for 19 consecutive days.
Information of 110 million people was compromised.
11 GB of data was stolen.
Target Breach: Consequences
– $100M effort to move to chip-based payment cards
– $5M campaign to raise awareness on cybersecurity issues
– Fourth-quarter profit slumped 46% while revenue slid 5.3%
– Reputational damage
– $61 million in hacking-related expenses
– VP Technology / CIO / CEO resign
Target Breach: Actions
– Notification to customers by email and online posts
– 1 year of free credit monitoring for all customers
– 1 year of free identity theft protection for all affected customers
– 10% discount offered to all shoppers on December 21 and 22
– Increase fraud detection on REDcards
– Launched retail industry cybersecurity and data privacy initiative
Duty to Warn: Data Breach Law and Regulatory Requirements
State Privacy Laws
– Data breach notification legislation.
– Identity theft legislation, including protection of Social Security Numbers.
– State legislation on protection of personal information that is broader than federal law (CA, MA, NV).
Alphabet Soup of the Duty to Warn: Data Breach Law and Regulatory Requirements
Federal requirements on the content and timeframe of data breach notification:
Office of the Comptroller of Currency (OCC)
Federal Deposit Insurance Corporation (FDIC)
Department of Health and Human Services (HHS)
Federal Trade Commission (FTC)
US Securities and Exchange Commission (SEC)
New regulations are coming
At What Cost?
$233
Target – 40 million credit cards
Home Depot – 56 million accounts
eBay – 145 million customers
Anthem – 80 million Social Security numbers
You Do the Math
“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.”
Donald Rumsfeld
Challenges
Fraud and cyber crime now power a multi-billion dollar economy
Defacements and Denial of Service attacks
Targeted Threats and Advanced Persistent Threats
Inconsistent information practices across the enterprise lead to pockets of vulnerability
Lack of employee education and awareness leads to vulnerability
Unauthorized collection and use of customer information
Loss of control over personal information and marketing lists
Key Information Security Challenges
Who Are The Attackers?
Key Information Security Challenges: Perimeter Defense is Insufficient
New Technology = New Exploits
Rootkits
Morphing Malware
Zero-Days
Insider Threats
Advanced Persistent Threat
Second-largest health insurer in the United States
Accessed PII of 80 million customers
Hackers stole names, birthdays, medical IDs, Social Security numbers, street addresses and e-mail addresses of Anthem customers
Hackers may have been inside the Anthem network for more than a month before being detected
Advanced Persistent Threat
World famous Hollywood studio
Hackers stole over 100TB of data
Leaked online some of Sony’s unreleased films and highly sensitive, confidential information such as passwords and executives' salaries, and even threatened employees and their families
Went unnoticed for weeks until computers were paralyzed
Not the first time Sony has struggled with cybersecurity
Human Error
Apple Data Breach
Human Error
2012 Super Bowl Champion New York Giants
Bank of Montreal
Supervisory Control and Data Acquisition (SCADA)
Large-scale industrial and manufacturing plants
Maroochy Shire
Law Firm Data Breach
China-based hackers were looking to derail the $40 billion acquisition of the world’s largest potash producer
Hackers exploited the networks of seven different law firms as well as Canada’s Finance Ministry and the Treasury Board
Chinese effort to invalidate the takeover as part of the global competition for natural resources
Stolen data can be worth tens of millions of dollars and give the party who possesses it an unfair advantage in deal negotiations
Law Firm Data Breach
Los Angeles, CA law firm
A series of Trojan emails (spear-phishing) appeared to be from members of the firm but in reality were designed to steal data from the firm’s network
Each email contained a link or attachment that would download malware
In 2011, the firm was representing a leading provider of blocking and filtering software in a $2.2 billion lawsuit against Chinese computer firms, software makers, and the Chinese government
Forensic analysis revealed that the Trojan emails were linked to Chinese servers
The malware was not released, and the firm's systems were not compromised
Emerging Strategies
Shifting the focus away from building robust defensive systems
Neutralizing cybersecurity threats once attackers are inside the networks
The median length of time that attackers lurk inside a victim’s network is 229 days
Protecting high value information = high price tag
NIST Cybersecurity Framework Core
Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Critical Cyber Risk Management
Take every report seriously
– Suspicious email/internet activity
– Malware/phishing programs
Be aware of employee activity
– Off-boarding process
Know your partners and third party contacts
Key Considerations for Policies and Procedures
– Privacy Policy
Clear and conspicuous
Say what you do and do what you say
– BYOD Policy
– Information Security Policy
– Business Continuity Plan
– Security Audits – check and double check!
Steps to Improving Cybersecurity Program
Step 1: Prioritize and Scope
– Identify business/mission objectives and systems and assets that support the business line.
Step 2: Orient
– Identify threats to and vulnerabilities of systems and assets, regulatory requirements, and overall risk approach.
Step 3: Create a Current Profile
– Identify which outcomes are being achieved.
Steps to Improving Cybersecurity Program
Step 4: Conduct a Risk Assessment
– Analyze the likelihood of a cybersecurity event and the impact that the event could have on the organization.
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
– Create a prioritized action plan to address those gaps between the Current Profile and the Target Profile.
Step 7: Implement Action Plan
– Monitor current cybersecurity practices against the Target Profile.
Practical Steps: Post Incident Activity – 3 R’s
Review
– Incident response team model
– Policies/procedures
Revise
– Tools and resources
– Training of employees
Reevaluate
– Integrity of third parties' systems
– Documentation and reports
Managing Cyber Breaches: Report and Post-Mortem
“Elite Eight” Recommendations
– Eliminate unnecessary data; keep tabs on what’s left.
– Perform regular checks to ensure that essential controls are met.
– Collect, analyze and share incident data to create a rich information source that can drive security program effectiveness.
– Collect, analyze and share tactical threat intelligence, especially indicators of compromise (IOCs), that can greatly assist defense and detection.
– Without de-emphasizing prevention, focus on better and faster detection through a blend of people, processes, and technology.
– Regularly measure things like “number of compromised systems” and “mean time to detection”, and use these numbers to drive better practices.
– Evaluate the threat landscape to prioritize a treatment strategy. Don’t buy into a “one-size-fits-all” approach to security.
– Don’t underestimate the tenacity of your adversaries, especially espionage-driven attackers, or the power of the intelligence and tools at your disposal.
Contact Information
Robert C. Ludolph, Of Counsel, Pepper Hamilton LLP, [email protected]
Garry A. Pate, Director, Stout Risius Ross, Inc., +1.248.432.1304, [email protected]