Shady RATs, Topiaries, and Other Curious Creatures: A Lawyer's Look at InfoSec 2011

Transcription

1 Shady RATs, Topiaries, and Other Curious Creatures: A Lawyer's Look at InfoSec 2011 Presented by: Melissa L. Markey, Esq. Hall, Render, Killian, Heath & Lyman, PLLC 201 West Big Beaver Rd, Suite 1200 Troy, Michigan (248) Hall, Render, Killian, Heath & Lyman, P.C.

2 Operation Shady Rat Image from:

3 Operation Night Dragon Image from:

4 Hacked security firm closes its doors

5 The Insecurity Epidemic

6 Actors

7 Risks Biggest Risk for Security? Mobile Devices Particularly if user-supplied Permitted user downloads increase risk Insiders Employees, contractors and customers Malice, carelessness and ignorance Social engineering works! Poor Computing Hygiene 60% of Adobe running unpatched; Sony had unpatched servers Default admin passwords

8 Risks SANS Top Cybersecurity Risks Unpatched software Vulnerable Internet-facing machines Remotely exploitable OS vulnerabilities Increasing zero-day hacks

9 Challenges Unique Legal Challenges Evidence can be ephemeral Investigations are complicated and detailed No-one knows you are a dog on the Internet Transactions cross national boundaries Traditional laws are inadequate International cooperation is spotty Involvement of nation-states as players

10 Challenges - Evidence Evidence is ephemeral and hard to collect Have effective human resources and IT policies regarding access and right to investigate devices including personal devices if you permit business use Have a computer incident response plan Include a qualified technology lawyer Consider the need to collect and preserve evidence when responding to computer incidents Train and exercise your incident response plan Build relationships with law enforcement now

11 Crossing International Boundaries Traditionally, nations and states are permitted to exercise jurisdiction over only a limited area Geographic Challenges Multinational Issues Impact on its citizens, whether within or outside the geographic limits of the state Extra-territorial conduct intended to have an impact internally Extra-territorial conduct which poses a threat to national security Limited by a "reasonableness" test However, access to actors is always an issue, even if jurisdiction exists

12 U.N. Proposal China and Russia have jointly proposed U.N. International Code of Conduct for International Security international norms and rules governing state action in cyberspace cooperate in combating criminal and terrorist activities which use [computers] and curbing dissemination of information which incites terrorism, secessionism, extremism, or undermines other nations political, economic, and social stability, [or] spiritual and cultural environment

13

14 Sources of Computer Law Applicable Laws Contract law Trade Secret law Computer-specific law Ex: CFAA, Electronic Communications Privacy Act, Wire Fraud Act Privacy and Security laws Data Breach laws Other Fraud Trespass

15 Some Major Computer Laws Computer Fraud and Abuse Act Prohibits access to computers without or in excess of authorization; transmission of harmful code Multiple different infractions; multiple different penalties Protects computers engaged in interstate or foreign commerce; federal computers; financial computers; medical computers Criminal and Civil penalties Secret Service has jurisdiction

16 Some Major Computer Laws Digital Millennium Copyright Act Prohibits circumvention of technical protective measures and tampering with integrity of copyright management information Exceptions: Nonprofit libraries for purchasing decisions Interoperability Encryption research Protecting minors Personal privacy Security testing

17 CAN-SPAM Act Still More Laws Prohibits false or misleading header information Electronic Communications Privacy Act Stored Communications Act Gramm-Leach-Bliley Act, Title V Sarbanes-Oxley Act 404 HSPD 7 Homeland Security Act of 2002 USA Patriot Act Consumer Protection Acts

18 Other Sources of Trouble State laws Computer-specific Identity Theft Acts Breach Notification Laws PCI DSS

19 CFAA Cases TOS Violations - a violation of CFAA? U.S. v. Nosal: Employee who violated clear restrictions on use of computer network exceeded authorized access U.S. v. Rodriguez: SSA employee who had rightful access to confidential SSA information violated CFAA when looked up acquaintances in violation of SSA policy U.S. v. Drew: CFAA misdemeanor provisions unconstitutionally vague in cyberbullying case, where allegations were based in violation of TOS

20 CFAA Cases Impact of Non-Compete and Non-Disclosure Agreements U.S. v Zhang: Where employee had rightful access to database, and downloaded confidential information prior to leaving job, no CFAA violation. Access was permissible; non-compete, trade secret, and nondisclosure agreements governed use. Accenture, LLP v Sidhu: [A]ccess is not established by employers policies, but by the extent the employer makes the computer system available to the employee.

21 CFAA Cases Not everyone agrees U.S. v John: the concept of exceeds authorized access may include exceeding the purposes for which access is authorized Yoder & Frey Auctioneers, Inc. v. Equipmentfacts, LLC Where former customer gained access to website without authorization and posted negative comments about vendor and placed bids for equipment for which it then failed to pay, a claim was stated under the CFAA for consequential damages due to interruption of service

22 Contract Cases Kairoff v. Dropbox, Inc.; Wong v. Dropbox, Inc. TOS promised data protection Allege Dropbox employees had access to customer files; alleges inadequate security procedures FTC complaint

23 Not a case

24 Regulatory Enforcement FTC Ceridian Consent Order stored personal information in clear, readable text indefinitely on its network without a business need Phil Flora Settlement Order Use of gov in address is deceptive unless you are a government agency Enjoined from sending unsolicited text messages Must include notice of right to opt-out and physical address for sender

25 Regulatory Actions Mitigating and protecting against botnets DHS and Department of Commerce want to hear from you! Comments due November 4

26 Data Breach Notification

27 Breach Notification Breach Disclosure "without unreasonable delay" What is "too long" to disclose? Epsilon disclosed within 48 hours of knowledge of breach Citigroup waited 3 weeks Wellpoint 2-3 months Paid a fine of $100,000 for undue delay Unofficially, anything over 30 days is undue.

28 Costs of Breach Sony data breaches: $1-2 Billion Dept. Veterans Affairs: 17.6 million affected; $25-30 Million Heartland Payment Systems: $140 Million SAIC: Undetermined (4.9 Million Tricare beneficiaries) Cignet Health: $4.3 Million regulatory fine Mass. General: $1 Million regulatory fine Average cost of breach: $ per record

29 Cyber Insurance The value of insurance What does it cover? Lost or corrupted data Repairs to network Notification costs Loss of income from DDOS/other outage Crisis management coverage Rogue employees Note some newer exclusions: Unencrypted media Not properly patched/updated

30 Cybercrime 2 nd Annual Cost of Cybercrime Study (ArcSight and Ponemon) median annualized cost of cyber crime for 50 organizations in our study is $5.9 million per year, with a range of $1.5 million to $36.5 million each year per company companies in our study experienced 72 successful attacks per week and more than one successful attack per company per week most costly cyber crimes are those caused by malicious code, denial of service, stolen devices and web-based attacks

31 E-Discovery Spoliation -- failure to preserve sanctions continue to grow Requires preparation well before a suit is filed Requires effective communication between technical and legal experts Don't forget ESI on outsourced machines The role of forensics

32 EU Cookies Image from:

33 EU Cookies Requires consent for websites to place cookies on computers Great concern about tracking cookies Consent must be clear and unambiguous After receiving clear and comprehensive information about the purpose of the cookie Cookies that are strictly necessary to process a particular transaction are permitted, but cannot remain after the transaction is completed Requires each country to adopt law Applies to EU websites we think

34 QUESTIONS?

35 THANK YOU!!!