Are you prepared for a Data Breach

Transcription

1 Are you prepared for a Data Breach October 2015

2 Agenda Introduction Incident statistics IT security controls - Preventative - Detective - Corrective Incident response tasks & investigative hurdles Mitigating costs and risks Administrative and technical controls Cyber liability insurance 1

3 Introduction

4 Andy Obuchowski - Director Summary of Experience Frederick Howell provides services and solutions for clients in preparation of and in response to matters involving data breach investigations, cyber security and incident responses, digital forensic analyses, electronically stored information (ESI) collection and intellectual property theft. With this wide range of experience, he delivers industry-leading technical and consultative expertise to law firms, corporations and government agencies. Fred is member of several organizations including HTCIA, ISSA and Infragard. He has lectured across the country on matters relating to cyber security, digital forensics, and cyber crime matters. Phone: fred.howell@mcgladrey.com Certifications: CISSP ACE Representative Experience Prior to joining McGladrey, Mr. Howell worked for the Bose Corporation s Information Security team working on security projects and initiatives, risk assessments and developing business relationships, project plans, and policies/procedures surrounding data privacy and digital forensics. Prior to Bose, he consulted Fortune 500 companies on matters relating to information security, regulatory compliance and digital forensics. He developed client service offerings related to HIPAA and digital forensics data collection and analysis. He worked for the New Hampshire and Massachusetts Attorney General s Offices for 17 years where he conducted white collar crime and computer forensic investigations. He is an adjunct professor in the graduate Information Assurance program at Northeastern University in Boston, Massachusetts, where he teaches system forensics. He also teaches at Worcester Polytechnic Institute and Curry College in their graduate and undergraduate programs in information security, computer forensics, and computer crime investigations. 20

5 Incident Statistics

6 The pace of data breaches is increasing JP Morgan Chase 70 plus million Home Depot Target Neiman Marcus Others DBLoss.org

7 Data breach statistics 2014 Verizon Data Breach Report 6

8 Security statistics Four most prevalent attack vectors 1. Hacking Traditional hacking is used post-breach not as the original entry point Current methods focus on web apps and browser plugins 2. Malware Finding and purchasing non-detectable malware in the underground market is trivial Modern anti-virus is an proposition at best 3. Social Engineering Why bother to do all the heavy lifting involved with hacking when you can just ask someone to do something for you? While there is a technical component the attack is against human nature 4. Physical Loss Rare occurrence but significant impact 7

9 DBLoss.Org

10 Cost of Data Breach Operational Cost Public Relations Cost Legal Costs - Fines - Penalties - Civil litigation Costs Government entities Federal and State Financial institutions banks and card issuers Customer law suits

11 Ponemon and IBM Have a done a Study in

12 Security statistics And now for some boring numbers Breaches detected in first 24 hours 1%-2% Breaches with data loss in first 24 hours 60% - 68% Breaches detected by an external 3 rd party 71% - 92% Breaches undetected for two years or more >14% Average days to discovery Average total cost per breach $5,407,820 Average insurance payouts $954,253 - $3.5M 11

13 Ask Yourself These Questions

14 Purpose of Preventive Controls If we had a data breach would we know? Once we knew what are we going to do? - Do we have a plan? - Is our plan comprehensive enough to deal with the potential public outcry and media storm? - Can we execute the plan? 13

15 Objective of this session Raise your awareness Provide you with a roadmap for putting together a plan that answers these questions - Identify key stakeholders - Stages of a data breach - Key goals during each stage - Approaches to an effective response plan 14

16 What is a computer security incident? Any unlawful, unauthorized, or unacceptable action that involves a computer system or computer network Security Incidents Include - Malware attacks including Spyware, Phishing and Spear Phishing, APT (Advanced Persistent Threats) - Theft by insiders - Unauthorized intrusions Data Loss that could include customer PII

17 What are the goals of Incident Response? To respond with a coordinated and cohesive response - Prevents a disjointed response - Confirms or dispels whether an incident occurred - Establishes proper retrieval and handling of evidence - Protects privacy rights established by law and policy - Minimizes disruption of business and network - Allows for criminal and civil action against perpetrators

18 What are the goals of Incident Response? Accurate reports and useful recommendations Rapid detection and containment Minimizes exposure and compromise of data Protect your organization s reputation and assets Educates senior management Promotes rapid detection - Lessons learned - Policy changes - Better coordination

19 The cost goes beyond the breach Mandatory audits Litigation can linger on for years Increased Information Security costs Damage to - Brand - Sales Cost of organizational change

20 Preparing for a Data Breach Take the initiative - Executive sponsorship - Commitment Resources - Time - Appropriate Personnel - Funding

21 Where do you begin There are lots of resources available - NIST National Institute of Standards and Training - DHS Department of Homeland Security - White House Cyber Security website - CERT Computer Emergency Response Team - Organizations SANS, ISSA, ISACA, HTCIA

22 Excellent free resources Best Practices for Seizing Evidence: A Pocket Reference Guide for First Responders - Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations htm Field Guidance on New Authorities that relate to Computer Crime and Electronic Evidence enacted in the USA Patriot Act of SysAdmin, Audit, Networking, and Security - Computer Emergency Response Team - Department of Homeland Security -

23 Form a Cross Functional Team Senior Management Legal Corporate Security Information Technology Business Human Resources Public Relations

24 Phases of Data Breach Detection Investigation Response Remediation Lessons Learned

25 Detection Finding out you have lost data - Data can be lost in a variety of ways - Lost or stolen laptops or mobile phones - Lost or stolen back up media - External storage media with sensitive data

26 Detection Information Security IDS Intrusion Detection Systems - SIEM Security Information and Event Management - QRadar FIM File Integrity Monitoring Systems - Tripwire FW Firewall activity AV Anti-Virus Alerts Service Desk Calls - Users - Customers

27 Other ways to find out Third parties call and ask you to stop hacking their network Government agencies DHS, USSS and FBI Internet hackers load the data up on servers for the world to access

28 Detection Is this an incident Did you lose data? How much data and exactly what type? Is the data loss ongoing? Who knows about the data loss? This information is going to guide the next phases of the response

29 Transition from Detection to Incident Response Process Detection into Incident Response - Investigation Once data loss has been confirmed the IR Team will be activated Priority One determine the extent of the loss Strategy will be based off the findings

30 Investigation Critical questions many are repeats - What type of data was accessed and lost - Number of data records - What systems and business process are affected - How was the data accessed - How long has the activity been going on - Who was the perpetrator

31 Investigation / Response Legal and Regulatory Issues - PCI requires notification - State Data Breach notification laws 47 states - Public Relations need to address inquiries Press Public Government Federal and State regulatory and law enforcement

32 Investigation / Response Investigation may continue for sometime and additional facts may surface over time - These facts may materially alter your response Public relations - Depending on the circumstances it may be desirable to put out prepared statements to the press and the public Status of data breach investigation Actions the company is taking as a result How to get additional information

33 Response Public Relations Internal Public Relations - Are they capable of dealing with - Channels Media inquiries, Telephone calls, Internet, Social Media - Volume can they handle customer inquiries via phone and web - Can they deliver status updates in timely manner

34 Response Public Relations External third party contractors - Equipped to deal with crisis situation - Can assist Legal and Public Relations with messaging - Have call centers in place that can ramp up quickly - Website templates - Notification capabilities Printing letters Custom to your situation multi-lingual capable

35 Remediation Returning to normal state - Stop the bleeding data loss - Quantify the loss - Secure your information systems - Fix any holes in your security and operations

36 Repairing the damage to the brand For customers - Credit monitoring - Credit repair - Litigation services for any victimized by ID Theft Company Image - Good will gestures - Awareness Outreach to customers on data protection - Following up on all promises

37 Lessons learned Follow up Action Plan by team Infrastructure and security - Assigned an owner who is responsible for the fix - Given adequate resources to address problems - Required to provide regularly scheduled updates until resolution

38 IT Security Controls

39 Today s Topic: Security Controls Security controls can be preventive, detective or corrective by nature 38

40 Purpose of Preventive Controls Preventive controls are designed to keep incidents from occurring in the first place Preventive controls only serve as a deterrent against unauthorized access Often times we are too focused on preventive controls and too trusting of their efficacy For a program to be successful, these controls must be implemented with a plan for them to fail 39

41 Purpose of Detective Controls Detective controls are designed to identify and alert on malicious or unauthorized activity Preventative Control Provide support for post-incident activities (corrective controls) Allow an organization to understand its compliance state or adherence to operational control sets (e.g. change management) To be successful, deploying detective controls must be done with some framework in mind (e.g. data classification) Detective Control 40

42 Understanding Corrective Controls Corrective controls are designed to limit the scope of an incident and mitigate unauthorized activity Detective Controls Preventative Control Provide support for preparing for future post-incident activities Allows an organization to understand how to improve its preventative and corrective controls moving forward Corrective controls are not always technical. They are also categorized as physical (door locks), procedural (incident response), and legal or regulatory (policies) Corrective Control 41

43 Incident Response & Hurdles

44 Incident Response & Investigation Process 43

45 Incident Response Containment and Preservation Incident Response Tasks Investigative Hurdles Mitigating Costs & Risks The initial objective is to learn about your organization and IT infrastructure and incident - What actions have been performed to date? - What information did the attacker ask for and what did he receive? - What known systems/information did the attacker access? - Are there any remote tracking or wiping tools installed on the device? - Does an employee have remote access to network? - Do logs show unusual network activity or failed login attempts? Identifying potential evidence sources followed by the preservation/collection of data. Ask yourself: Is my staff appropriately trained to handle an information security incident? Do they have the skill sets to conduct a forensic investigation? Have we been through this type of incident before? Do we know where our data is physically located? 44

46 Incident Response Evidence Collection Incident Response Tasks Investigative Hurdles Mitigating Costs & Risks Evidence sources: Network Servers and Applications Computer system memory Firewall, VPN, , Building Access Logs Network and system backups Information from third-party providers (Cloud services) Video surveillance Ask yourself: Is my staff appropriately trained to handle an information security incident? Do they have the skill sets to conduct a forensic investigation? Have we been through this type of incident before? Do we know where our data is physically located? 45

47 Investigative hurdles Trust but verify Incident Response Tasks Investigative Hurdles Mitigating Costs & Risks Investigating Unknowns - Unable to identify appropriate resources - Third-party providers and custom applications Evidence preservation afterthought - Deleted digital evidence expands scope/risk of harm - Lack of documentation, misconfigured applications, log retention Data pooling - Human capital, accounting, user share data combined Data quality Non-standardized data formats Manual review for protected information Ask yourself: Is my staff appropriately trained to handle an information security incident? Do they have the skill sets to conduct a forensic investigation? 46

48 Mitigating Costs & Risks

49 Mitigating costs & risks Administrative tasks Incident Response Tasks Investigative Hurdles Mitigating Costs & Risks Organizational Programs - Written Information Security Program (WISP) - Vendor management - Business continuity & disaster recovery plans Specific Preparation Tasks - IT risk assessment - Incident response plan - Mock incident response drills - Security awareness training Response - Documentation How was the incident discovered? Who performed what action? what? When did the change or event occur? What was the result? 48

50 Mitigating costs & risks (con t) Technical tasks Incident Response Tasks Investigative Hurdles Mitigating Costs & Risks Data segregation - Data classification/identification program Network and application patch management Backup and archiving solutions - Access to data backup and offsite facilities - Test archiving solutions ( , data vaults) - Speed of exports, change in file properties, search functionality Network vulnerability testing Enterprise monitoring solutions - Event logging (VPN, file audit, network access, building access) - Data Loss Prevention (DLP) solutions Ask yourself: Is our company sensitive data on the same server as our employee home directories? Have we tested the input and output or our backup/archiving solution? Are there logs available to show who has accessed our network in the past week? Do we know what files they accessed? 49

51 Cyber Liability Insurance

52 Risk Financing for Data Breach Exposures Not if, but when! Data breach events may result in significant costs More damage is caused by a poor response to a data reach than by the data breach itself Insurance provides important balance sheet protection and is ideal for difficult to predict events that create large losses An insurance carrier can provide significant expertise in order to facilitate an effective and efficient response - Not the insurer s first rodeo!

53 Insurance Overview Security & Privacy Liability - Judgments, settlements and defense costs for a claim seeking damages from a loss, theft or unauthorized disclosure of information Regulatory Defense & Penalties Payment Card Industry (PCI) Fines and penalties - Contractual fines and assessments for a failure to maintain PCI data security standards Breach Response Costs - Expenses for: Computer forensics, notifications, credit monitoring, pre-claim legal, call center services and public relations Other coverage options typically available - Media Liability - Business Interruption - Data Protection - Cyber Extortion

54 Questions and contact information Frederick J. Howell, MBA, MSISM, CISSP Manager, Security and Privacy Services McGladrey, LLP 80 City Square Boston, MA (O) (M) (E) Experience the power of being understood. SM 53

55 McGladrey LLP is the U.S. member of the RSM International ( RSMI ) network of independent accounting, tax and consulting firms. The member firms of RSMI collaborate to provide services to global clients, but are separate and distinct legal entities which cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. McGladrey, the McGladrey signature, The McGladrey Classic logo, The power of being understood, Power comes from being understood and Experience the power of being understood are trademarks of McGladrey LLP. McGladrey LLP One South Wacker Drive Suite 800 Chicago, IL