ACEDS-ACFCS Cybersecurity Webcast

Date post: 16-Jul-2015
Transcript
Page 1: ACEDS-ACFCS Cybersecurity Webcast

Life’s A Breach: Surviving Your Next Cyber-Attack

Garry A. Pate

Director

Stout Risius Ross, Inc.

Robert C. Ludolph

Of Counsel

Pepper Hamilton LLP

Members Only

Page 2

Visit ediscoveryconference.com

Page 3

Visit FinancialCrimeConference.com

KEYNOTE

Page 4

Robert C. Ludolph

Of Counsel

Pepper Hamilton LLP, +1.248.359.7368

[email protected]

Garry A. Pate

Director

Stout Risius Ross, +1.248.432.1304

[email protected]

Page 5

Attack From Within

High level executive placed on leave to investigate a series of improprieties.

Executive keeps company laptop and iPhone on which he stored sensitive customer information, proprietary trade secrets and personal data on employees.

Computer returned with 40,000 documents deleted but e-mails to competitor are found.

General Counsel engages outside counsel who retains forensic investigator.

Page 6

What is Your Cyber-Security Strategy?

Who Is In Charge?

Who Do You Notify?

Do You Take Any Legal Action?

What Is This Going to Cost?

And many more questions.

Page 7

Real Threats?

Page 8

Target Breach: Tip of the Iceberg

Page 9

Who Are Your Cyber Threats?

Nuisance hacker

Social engineering

Disgruntled workers

Employee/third party theft

– Customer lists

– IP theft cases

Criminal enterprises

– Advanced persistent threats

– State-sponsored enterprises – cyber warfare

Page 10

Is Your Law Firm the Worst Line of Defense?

Banks demand that law firms harden cyber attack defenses

Wall Street Journal, October 26, 2014

Law Firms Are Pressed on Security for Data, New York Times, March 26, 2014

Page 11

That’s Where the Money Is.

“Law firms are a rich target,” said the FBI's assistant special agent in charge of the Pittsburgh field office. “They don't have the capabilities and the resources to protect themselves. Within their systems are a lot of the sensitive information from the corporations that they represent. And, therefore, it's a vulnerability that the bad guys are trying to exploit, and are exploiting.”

Unprepared law firms vulnerable to hackers, Pittsburgh Tribune Review, September 13, 2014

Page 12

Can Your Law Firm Keep A Secret?

FBI began warning New York law firms in 2009:

“We have hundreds of law firms that we see increasingly being targeted by hackers.”

Cybersecurity company Mandiant claims that in 2011, around 80 major U.S. law firms were hacked.

Ransomware hackers pose threat to B.C. law firms, CBC News, January 12, 2015

Page 13

Will You Know When the Attack Begins?

Page 14

Target system compromised for 19 consecutive days.

Information of 110 Million people compromised.

11 GB of data stolen.

Target Breach

Page 15

Target Breach: Consequences

– $100M effort to move to chip-based payment cards

– $5M campaign to raise awareness on cybersecurity issues

– Fourth-quarter profit slumped 46% while revenue slid 5.3%

– Reputational damage

– $61 million in hacking-related expenses

– VP Technology / CIO / CEO resign

Page 16

Target Breach: Actions

– Notification to customers by email and online posts

– 1 year of free credit monitoring for all customers

– 1 year of free identity theft protection for all affected customers

– 10% discount offered to all shoppers on December 21 and 22

– Increase fraud detection on REDcards

– Launched retail industry cybersecurity and data privacy initiative

Page 17

Duty to Warn:

Data Breach Law and Regulatory Requirements

State Privacy Laws

– Data breach notification legislation.

– Identity theft legislation including protection of Social Security Numbers.

– State legislation on protection of personal information broader than federal (CA, MA, NV).

Page 18

Alphabet Soup of the Duty to Warn: Data Breach Law and Regulatory Requirements

Federal requirements on content and timeframe of data breach notification:

Office of the Comptroller of Currency (OCC)

Federal Deposit Insurance Corporation (FDIC)

Department of Health and Human Services (HHS)

Federal Trade Commission (FTC)

US Securities and Exchange Commission (SEC)

New regulations are coming

Page 19

At What Cost?

$233

Page 20

Target – 40 Million credit cards

Home Depot – 56 Million accounts

eBay – 145 Million customers

Anthem – 80 Million social security numbers

You Do the Math

Page 21

“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.”

Donald Rumsfeld

Page 22

Challenges

Fraud and cyber crime now power a multi-billion dollar economy

Defacements and Denial of Service attacks

Targeted Threats and Advanced Persistent Threats

Inconsistent information practices across the enterprise lead to pockets of vulnerability.

Lack of employee education and awareness leads to vulnerability

Unauthorized collection and use of customer information

Loss of control over personal information and marketing lists

Page 23

Key Information Security Challenges

Who Are The Attackers?

Page 24

Key Information Security Challenges

Perimeter Defense is Insufficient

New Technology = New Exploits

Rootkits

Morphing Malware

Zero-Days

Insider Threats

Page 25

Advanced Persistent Threat

Second-largest health insurer in the United States

Accessed PII of 80 million customers

Hackers stole names, birthdays, medical IDs, social security numbers, street addresses and e-mail addresses of Anthem customers

Hackers may have been inside the Anthem network more than a month before being detected

Page 26

Advanced Persistent Threat

World famous Hollywood studio

Hackers stole over 100TB of data

Leaked online some of Sony’s unreleased films and highly sensitive, confidential information, such as passwords and executives' salaries, and even threatened employees and their families

Went unnoticed for weeks until computers were paralyzed

Not the first time Sony has struggled with cybersecurity

Page 27

Human Error

Apple Data Breach

Page 28

Human Error

2012 Super Bowl Champion New York Giants

Bank of Montreal

Page 29

Supervisory Control and Data Acquisition (SCADA)

Large scale industrial and manufacturing plants.

Maroochy Shire

Page 30

Law Firm Data Breach

China-based hackers were looking to derail the $40 billion acquisition of the world’s largest potash producer

Hackers exploited the networks of seven different law firms as well as Canada’s Finance Ministry and the Treasury Board

Chinese effort to invalidate the takeover as part of the global competition for natural resources

Stolen data can be worth tens of millions of dollars and give the party who possesses it an unfair advantage in deal negotiations

Page 31

Law Firm Data Breach

Los Angeles, CA law firm

Series of Trojan emails (spear-phishing) that appeared to be from members of the firm but in reality were designed to steal data from the firm’s network

Each email contained a link or attachment that would download malware

In 2011, the firm was representing a leading provider of blocking and filtering software programs in a $2.2 billion lawsuit against Chinese computer firms, software makers, and the Chinese government

Forensic analysis revealed that the Trojan emails were linked to Chinese servers.

The malware was never released, and the firm’s system was not compromised.

Page 32

Emerging Strategies

Shifting the focus away from building robust defensive systems

Neutralizing cybersecurity threats once attackers are inside the networks

The median length of time that attackers lurk inside a victim’s network is 229 days

Protecting high value information = high price tag

Page 33

NIST Cybersecurity Framework Core

Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Page 34

Critical Cyber Risk Management

Take every report seriously

– Suspicious email/internet activity

– Malware/phishing programs

Be aware of employee activity

– Off-boarding process

Know your partners and third party contacts

Page 35

Key Considerations for Policies and Procedures

– Privacy Policy

Clear and conspicuous

Say what you do and do what you say

– BYOD Policy

– Information Security Policy

– Business Continuity Plan

– Security Audits – check and double check!

Page 36

Steps to Improving Cybersecurity Program

Step 1: Prioritize and Scope

– Identify business/mission objectives and systems and assets that support the business line.

Step 2: Orient

– Identify threats to and vulnerabilities of systems and assets, regulatory requirements, and overall risk approach.

Step 3: Create a Current Profile

– Identify which outcomes are being achieved.

Page 37

Steps to Improving Cybersecurity Program

Step 4: Conduct a Risk Assessment

– Analyze the likelihood of a cybersecurity event and the impact that the event could have on the organization.

Step 5: Create a Target Profile

Step 6: Determine, Analyze, and Prioritize Gaps

– Create a prioritized action plan to address those gaps between the Current Profile and the Target Profile.

Step 7: Implement Action Plan

– Monitor its current cybersecurity practices against the Target Profile.

Page 38

Practical Steps: Post Incident Activity – 3 R’s

Review

– Incident response team model

– Policies/procedure

Revise

– Tools and resources

– Training of employees

Reevaluate

– Integrity of third parties’ systems

– Documentation and reports

Page 39

Managing Cyber Breaches: Report and Post-Mortem

“Elite Eight” Recommendations

– Eliminate unnecessary data; keep tabs on what’s left.

– Perform regular checks to ensure that essential controls are met.

– Collect, analyze and share incident data to create a rich information source that can drive security program effectiveness.

– Collect, analyze and share tactical threat intelligence, especially indicators of compromise (IOCs), that can greatly assist defense and detection.

– Without de-emphasizing prevention, focus on better and faster detection through a blend of people, processes, and technology.

– Regularly measure things like “number of compromised systems” and “mean time to detection”, and use these numbers to drive better practices.

– Evaluate the threat landscape to prioritize a treatment strategy. Don’t buy into a “one-size-fits-all” approach to security.

– Don’t underestimate the tenacity of your adversaries, especially espionage-driven attackers, or the power of the intelligence and tools at your disposal.

Page 40

AT&T Connected Car Vision 2014

Page 41

Contact Information

Robert C. Ludolph

Of Counsel

Pepper Hamilton LLP

[email protected]

Garry A. Pate

Director

Stout Risius Ross, Inc.

+1.248.432.1304

[email protected]
