The Top Ten Cybersecurity Considerations To Take To Your Management

Transcription

1 The Top Ten Cybersecurity Considerations To Take To Your Management Presented at the ISSA Mid-Atlantic Security Conference September 1, 2015 Presented by: Randy V. Sabett, J.D., CISSP Vice Chair, Privacy & Data Protection Practice

2 The Top Ten Eleven Cybersecurity Considerations To Take To Your Management Presented at the ISSA Mid-Atlantic Security Conference Presented by: Randy V. Sabett, J.D., CISSP Vice Chair, Privacy & Data Protection Practice September 1, 2015

3 Disclaimer Nothing we discuss today constitutes legal advice. For any specific questions, seek the independent advice of your attorney. Furthermore, lorem duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie on sequat, vel illum dolore eu feugiat nulla facilisis at vero eros lorem ipsum. Lorem duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie on sequat, vel illum dolore eu feugiat nulla facilisis at vero eros lorem ipsumautem vel eum iriure dolor in hendrerit in vulputate velit esse molestie on sequat, vel illum dolore eu feugiat nulla facilisis at vero eros lorem ipsum. Lorem duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie on sequat, vel illum dolore eu feugiat nulla facilisis at vero eros lorem ipsum. Lorem duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie on sequat, vel illum dolore eu feugiat nulla 3

4 Obligatory Agenda Question: How can you get buy in from, and assist, your company in overseeing a cybersecurity plan? Agenda: Brief FUD session Discussion of corporate duties Some things to consider LIVELY Q&A throughout 4

5 FUD, liability, and other scary stuff

6 So what s happening out there? Poorly designed applications and software Greater sophistication of attacker Use of third party tools and suites that aren t secure Failure to properly investigate and contain an incident Incorrect/ill-advised statements to third-parties Failure to provide timely or complete breach notice Breached contractual provisions Potential liability resulting from alleged third party damages as a result of breach of your systems Threats to critical infrastructure leading to potential exposure Reputational and other non-monetary harms 6

7 Cybersecurity Threats Some statistics and observations: According to recent studies: 80% of total value of the F500 consists of IP and other intangibles 76% of scanned commercial websites had vulnerabilities, 20% of which were critical Number of data breaches increased 23% Average annualized cost of cyber attacks to US. companies was $11.6 million a 78% increase since 2009 Many types of business are targeted, not just large corporations Types of cyber attacks depend on what type of data is stored and the attacker s motivation. 7

8 Time to Impact vs. Time to Discover Verizon, Data Breach Investigation Report 8

9 Board Level Duties A board member s fiduciary duties are determined by several different sources: State fiduciary duty laws State and federal data security laws Regulations or best practices specific to certain industries such as securities trading, payment card issuance, and government contracting. The duties regarding data security can be broken into two broad categories: (1) duty to provide reasonable security for corporate data (2) the duty to disclose security breaches 9

10 State Law Fiduciary Duties Derivative suits related to cybersecurity are based on two theories of fiduciary duty: (1) Duty of care: the board made a decision with regard to cybersecurity that was ill-advised or negligent Board decisions are generally protected under the business judgment rule unless a court finds the board acted in bad faith or irrationally. Most companies have adopted charter provisions that protect directors from personal liability for a duty of care breach. (2) Duty of loyalty: the board failed to act in the face of a reasonably known threat. What constitutes a reasonable cybersecurity plan? Directors are liable for failing to ensure that a reasonable information and reporting system exists, or failing to monitor such a system once it is in place. 10

11 Derivative Suits for Cyber Attacks Shareholders have responded to attacks with derivative suits against the board for failing in their fiduciary duties. TJX Companies (2007): theft of payment card numbers and personal information of at least 45.7 million customers over approximately 18 months Heartland Payment Systems, Inc. (2009): intercept of unencrypted payment card information sent to Heartland from outside vendors for authorization Wyndham Worldwide Corporation (2014): three separate data breaches of personal and financial information of over 600,000 customers Target Corporation (2014): worst data breach in retail history theft of personal and financial data of up to 110 million customers 11

12 Industry Standards Payment Card Industry Standard: The Payment Card Industry Data Security Standard (PCI DSS) includes 12 overall requirements: Maintain a firewall configuration to protect cardholder data. Do not use vendor-supplied defaults for system passwords. Protect stored cardholder data. Encrypt cardholder data sent across open networks. Protect systems against malware and update anti-virus s/w. Develop and maintain secure systems and applications. Restrict access to cardholder data by business need to know. Identify and authenticate access to system components. Restrict physical access to cardholder data. Monitor all access to network resources and cardholder data. Regularly test security systems and processes. Maintain a policy that addresses information security for all personnel. 12

13 Industry Standards NIST Framework for Improving Critical Infrastructure Cybersecurity Core Elements Present key cybersecurity outcomes that are aligned with activities known to manage cybersecurity risk mapped to existing standards and guidelines Allow for common discussions about cybersecurity across a range of stakeholders. Distributed across the core functions of Identify, Protect, Detect, Respond and Recover, and are further broken down into subcategories. Implementation Tiers Reflect how an organization implements the Framework Core functions and categories and manages its risk. Partial - has not implemented a formal process. Risk-Informed - uses a threat-aware risk management process. Repeatable- regularly utilizes/updates its process. Adaptive - utilizes predictive mechanisms. Basically, a self-assessment. Framework Profiles The actual alignment of an organization s implementation of standards and practices with the Core Elements of the Framework. A Current Profile can be determined and compared to a Target Profile. 13

14 Where can security help management?

15 Proposition Information Security Tiger Team OK, so it s not an original name but the idea makes sense Distinctly identified, cross functional team of professionals Responsible for recommending and implementing reasonable security practices 15

16 Infosecurity Tiger Team - Organization President/COO CTO IT Manager Marketing Manager Chief Privacy Officer Engineering Manager CISSP/Auditor General Counsel/Outside Counsel 16

17 Infosecurity Tiger Team - Responsibilities Proactive TRA (Threat and Risk Assessment) Policy Development Risk Management Security Deployment Penetration Testing Training of Organization Others? 17

18 Infosecurity Tiger Team - Responsibilities Reactive Respond to Network Attacks Public Relations Respond to Media Inquiries Customer Reassurance Handle Employee Security Breaches Others? 18

19 Table Top Exercise (TTX) A Tiger Team Tool Goal: Identify issues to be resolved and best practices to incorporate into response plans. Example TTX: Consider existing response plans, policies and procedures for: a cyber terrorism incident; supporting and identifying actions required to meet immediate needs during a cyber terrorism incident; prioritizing the repair or replacement of CI; and supporting recovery operations Evaluate coordination efforts (SOPs, communications and decision support mechanisms) and incident response; and Identify public-private partnerships for info-sharing to improve cyber incident management. 19

20 Breach Investigations Required notifications Ethical duties regarding third party information Protecting privilege during internal investigation Hiring of third party forensic investigators Common interest agreements when third parties want privileged information

21 Incident Response Plan Advance planning is critical for effectively responding to a data breach. An Incident Response Plan should include: Contact information for IT, Legal, and other reps on Incident Response Team; Initial data breach investigation/response procedures; Steps for determining whether notification is necessary; Steps for determining who to notify; Breach notification procedures and language for the relevant audiences; Procedures for handling PR/media relations, including: Preparing statements for company officials; Training employees and call center reps to answer questions about the breach; and Steps to take after the breach response is complete. 21

22 Focus Everyone on Questions with Legal Significance What data was compromised? What was damaged? What was the source of the compromise? Is the company still vulnerable? Have we investigated diligently? Has the company breached any contracts? Have any vendors breached contracts with the company? What can and must the company do going forward to address any residual/persistent threats? Should we disclose? To whom? And how? 22

23 Why Go to Law Enforcement? Demonstrates that the company is the victim of a crime With a victim, law enforcement generally more interested in rights of the entity rather than treating negatively Law enforcement may share helpful information regarding the intrusion and the intruders Law enforcement may provide a safe-harbor to an institution allowing it to delay notifying individuals whose personal information may have been compromised Contribute to body of knowledge regarding the intruder The involvement of law enforcement may help company better deal with certain risks and costs

24 But What Else is There? Loss of control over the process and data Law enforcement often overworked Slightly greater potential for public disclosure Potential for foreign law enforcement involvement and sharing of company data

25 Best of All Worlds (to the extent you can say that in this context and it isn t cheap ) Hire a forensic investigator via outside law firm Maintain privilege Operates in your best interest Find someone who works closely with law enforcement If PCI implications, you will be required to hire a separate PFI (PCI Forensic Investigator) No privilege Operates in best interest of card association(s) Engage with law enforcement Establish good working relationship

26 Specific Resources Secret Service FBI Department of Justice Local law enforcement FTC page on data breach response: ss/data-breach.html

27

28 How Should You Handle the Press? Again, a consistent message is critical. Get out in front of bad news help make the story about investigation and remediation, not what led to the breach. Avoid consumers receiving notice being the initial source for the story. Monitor news stories, blogs, social networking sites, etc., for any discussion of the breach. Consider potential legal claims and regulatory actions to lessen the likelihood of an investigation by regulators. 28

29 Mergers and Acquisitions, IPOs, etc. Don t forget deal activity. Diligence activities should determine whether the other party: has in place appropriate security measures properly secures their data throughout the transaction has had any significant data breaches has disclosed any data breaches From Bloomberg: Digital intruders are increasingly targeting information about high-stakes business deals -- from mergers and acquisitions to joint ventures to long-term supply agreements -- and companies routinely conceal these breaches from the public, say government officials and security companies.

30 Recent developments dunh, dunh, dunh

31 Recent Developments - FTC On June 30, 2015, FTC released a 10 Lessons guidance document: "Start with security." Control access to data sensibly." Require secure passwords and authentication." Store sensitive personal information securely and protect it during transmission." Segment your network and monitor who is trying to get in and out." Secure remote access to your network." Apply sound security practices when developing new products." Make sure your service providers implement reasonable security measures." Put procedures in place to keep your security current and address vulnerabilities that may arise." Secure paper, physical media, and devices. 31

32 Recent Developments - FCC Three privacy-related actions in all of 2014, involving robocalls, violations of do-not-text requests, and unlawful marketing $10M in October 2014 enforcement actions against two companies Two carriers provided subsidized phone service to low income consumers and retained a third party vendor for data storage Data was stored in clear and accessible via the Internet FCC found violation of Sec. 222(a) (failure to protect CPNI) and Sec. 201(b) (the failure to notify was unjust or unreasonable practices) $25M in April 8, 2015 enforcement action against AT&T Call center employees in Mexico, Columbia, and Philippines acquiring names and partial SSNs, then unlocking stolen AT&T phones that FCC again found violations of Sec. 222 and Sec. 201(b) "As today s action demonstrates, the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers" 32

33 Recent Developments SEC Division of Investment Management Recommendations concerning three broad areas of a firm s cyber posture: Conduct regular assessments of cyber activities (including cataloging of information, threat analysis, security controls, and governance structure) Create a cybersecurity strategy for the firm Implement the strategy, including policies, procedures, and training Language from the NIST Framework ( take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks )

34 Recent Developments - DoJ Cybersecurity Unit April of 2015: released Best Practices for Victim Response and Reporting of Cyber Incidents Before an attack: identify crown jewels, put actionable plan into place, ensure legal counsel is familiar with cyber issues, engage with LE, and do info sharing Once an attack occurs: assess and contain damage, collect all relevant information, and notify all required parties ttachments/2015/04/29/criminal_division_guidance_on_ best_practices_for_victim_response_and_reporting_cy ber_incidents.pdf 34 34

35 Wrap up

36 Recommendations What should the management team, board of directors, and security function be focused on when deploying a security program? 1. Create Governance Structure 2. Research Threats 3. Prioritize Information Assets 4. Perform a Risk Analysis 5. Create a Security Protection Plan Tied to a Technology Acquisition Strategy 6. Engage Third Parties Appropriately (legal, technical, procedural) 7. Request Regular Updates and Adjust Accordingly 8. Test the Response Plan 9. Maintain Appropriate Insurance Coverage 10. Provide Regular Cybersecurity Training for Employees, Vendors, and Other Third Parties 11. Stay informed learn, learn, learn (including RAND report from 1964) 36

37 Paul Baran On Distributed Communications RAND Corporation, 1964 [t]he present Memorandum is a consideration of the security aspects of a system of the type proposed, in which secrecy is of paramount importance [and where] we should fully anticipate the existence of "spies" within our ostensibly secure communications secrecy protection structure; hence our primary interest should be in raising the "price" of espied information to a level which becomes excessive. 37

38 Wrap Up Final Thoughts and Questions? Anyone want to become a lawyer?

39 Thank you for attending!

40 Thank You Randy V. Sabett, J.D., CISSP Vice Chair, Privacy & Data Protection practice group