TODAY S AGENDA. Trends/Victimology. Incident Response. Remediation. Disclosures

Transcription

1

2 TODAY S AGENDA Trends/Victimology Incident Response Remediation Disclosures

3 Trends/Victimology

4 ADVERSARY CLASSIFICATIONS

5 SOCIAL ENGINEERING DATA SOURCES

6 COVERT INDICATORS - METADATA METADATA data providing information about one or more aspects of the data

7 SOCIAL ENGINEERING ATTACKS - Real - Attacker

8 PHISHING ATTACKS

9 PHISHING

10 Phishing

11 Targeted Attacks: Spear Phishing Targeted phishing attack appears to originate from employer, friend or other trusted source Spear phishing attacks have further evolved, implementing short URL redirection and no file attachments

12

13 RANSOMWARE - CRYPTOLOCKER

14 POINT OF SALE MALWARE

15 Incident Response

16 DAY ONE

17 DAMAGE ASSESSMENT What Happened? Who Did it? What was stolen? How did this happen. and who dropped the ball

18 OVERALL CONSIDERATIONS IR Who, What, How and How Long! Evidence Preservation/Analysis Detailed Investigation Attribution? Remediation Tactical (Quick Hits) Strategic Disclosures PII/PCI Breached Compliance (SEC, SOX, etc ) Federal and State Requirements Law Enforcement Referral

19

20 RESPONSE TEAM COMPONENTS IT Security Legal LE Forensic Experts Outside Counsel

21

22 PRACTICAL INCIDENT RESPONSE Data Enumeration and Preservation Implement Real Time Network Monitoring IT Employee and C-level Interviews Review Existing IT Security Policy and Network Architecture

23 INVESTIGATIVE METHODOLOGY Network Monitoring Malware Analysis Host Based Analysis Financial/Data Trail Interviews/Motivation

24 TYPICAL INVESTIGATIVE RESULTS Attacker Has Long Term and Unfettered Access to the Network Defined Penetration, Reconnaissance and Exfiltration Stages Targeted Attack Proprietary Intellectual Property Stolen

25 TYPICAL ATTACKER METHODOLOGY Compromise Employee User Account Escalate to Administrator Privileges Reconnaissance and Network Enumeration Develop Network Persistence Target and Exfiltrate Data

26 Remediation

27 REMEDIATION Tactical Strategic

28 IDENTITY AND ACCESS MANAGEMENT Perform an Entitlement Review Use Security Groups to Good Effect Principle of Least Privilege Avoid Shared Administrator Accounts

29 REMEDIATION - QUICK HITS PASSWORD MANAGEMENT Reprinted from

30 REMEDIATION QUICK HITS Limit External Network Access Secure Desktop vs. VPN Access Limit Remote Desktop Protocol (Int/Ext) Multi-Factor Authentication

31 THIRD PARTY VENDOR SECURITY Focus on Operational Uptime Limited Attention to Security Tend to Lack Common Security Standards Varied Incident Response (if any) Limited to No Audits/Assessments

32

33 LIMITATIONS OF BLACK-BOX SOLUTIONS Set it and Forget it Solutions Do Not Work!

34 LIMITATIONS OF SIGNATURE-BASED DEFENSE zwshell.exe a69c8eafbc60343bf9cd1d3ad3 zwshell.exe 18801e3e7083bc2928a275e212a5590e zwshell.exe 85df6b3e2c1a4c6ce20fc8080e0b53e9

35 Strategic

36 SECURITY RISK ASSESSMENT Threat Risk & Risk Factors Mitigation Controls

37 INFORMATION LIFECYCLE Creation Disposal Transmission Intellectual Property Storage Reproduction Physical Transport

38 INFORMATION SECURITY CONSIDERATIONS Governance, Compliance and Risk Strategies Security vs. Operations Incident Response and Detection Data Loss Prevention and Vulnerability Management Data Categorization and Enumeration Identity and Access Management

39 TOOL BASED STRATEGY? Technical Controls Operations Governance Most Data Breaches Occur Based Upon This Strategy!

40 MOST EFFECTIVE STRATEGY TO MITIGATE RISK! Governance Operations Technical Controls

41 Disclosure, Privilege & Litigation

42 REGULATORY REQUIREMENTS - A LEGAL ISSUE 48 State Breach Notification Laws Compromises security, confidentiality or integrity FTC Section 5; Gramm-Leach-Bliley Act; HIPAA; Payment Card Industry (PCI); DFARS requirement for contractors

43 REGULATORY REQUIREMENTS - A LEGAL ISSUE SEC Guidelines; material developments, or matters significant enough that an investor would want to know about; 10-K/10-Q/8-K Disclosure of successful breaches Disclosure of ability to defend against cyber attacks No disclosure of generic risk EU Data Protection Directive;

44 2014 BREACH RELATED COSTS IN THE U.S. Activity Cost Average Detection & Escalation Cost $417,700 Average Notification Cost $509,237 Average Post Breach Costs apart from Notification Costs $1,599,996 Average Lost Business Cost $3,324,959 Average Cost Per Record $195 Average Number of Records 29,087 Average Total Organizational Cost $5,850,000 Source: Ponemon Institute Research Report, 2014 Cost of a Data Breach Study: Global Analysis, May 2014

45 LITIGATION Litigation - Now a consequence of a data breach class action lawsuits Damages/Standing Split within circuits Injury may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing. Edwards v. First American Corp, (9 th Cir. 2010). Supreme Court Cert was improvidently granted (6/28/12)

46 LITIGATION Federal Statutes Wiretap Act Stored Communications Act Video Privacy Protection Act Violation of one s statutory rights under the SCA has been held to be a concrete injury. Pleading Stage General factual allegations of injury resulting from defendant s conduct deemed sufficient. Exorbitant discovery costs before dispositive motions.

47 LIABILITY PROTECTION Data Retention Policy Encryption Cyber Insurance Policies Safety Act Certification Provides important legal liability protections for providers of Qualified Anti-Terrorism Technologies - whether they are products or services.

48 ROLE OF OUTSIDE COUNSEL Wrap your investigation or assessment in PRIVILEGE! Preserving work product and the attorney-client privilege; Handled high profile problems before? Knows litigation and media implications you ll face? Essential where litigation is anticipated or inevitable; Retaining consultants, including PR; Interacting with LE and regulatory authorities; Interviewing witnesses.

49 THANK YOU Steve Kim Managing Director Jeffrey S. Miller Special Agent Jason Smolanoff Vice President Raymond O. Aghaian Partner