The Mile High Denver Chapter of ARMA welcomes you to our virtual meeting!
March 18th Meeting: ediscovery and Social Media -- What Records Managers Need to Know. By: Kelly Twigger. Americans spend an average of 7.6 hours per month on social media. The use of social media for marketing has supplanted traditional forms of media, as businesses can reach millions more consumers via social media at a tiny fraction of the cost. New platforms come online weekly, and users flock to them faster than an organization can say firewall. We'll discuss the implications of social media on information management, open records and ediscovery, and talk about the types of policies and guidelines to consider in accepting the use of social media and working to educate your users on its potential implications for your organization. Presenter Kelly Twigger is a Principal at ESI Attorneys, an Information Law and ediscovery law firm in Colorado. Kelly is equally at home on the basketball court and in court, likely a testament to her undying tenacity, love for strategic sports, and an uncanny eye for game-winning strategies. She calls the shots like she sees them (she's blunt and brutally honest), and like any great athlete, attorney, or coach, thinks six moves ahead in order to create plays that don't just work, they shine.
Annual MHD Spring Seminar, April 15, 2014. Mark your calendars! Invite your colleagues! This all-day event will be amazing! This year we are excited to again offer a two-track seminar. The seminar includes an amazing keynote from Travis White on Innovation. Stay tuned to our website, http://www.armadenver.org/, for more information! Where: PPA Event Center, 2105 Decauter St., Denver, Colorado 80211
Why Should Information Managers Care About Hackers? Patrick Cunningham, CIP, FAI Motorola Solutions, Inc. February 18, 2014
Agenda What are the new threats and risks? Cyberthreats 101 Insiders Disasters Defending the organization Attributes of information Using risk appropriately
Cyberthreats 101 Adversaries Types Methods
NEW COMPUTER SECURITY THREATS Hacking of DuPont, Johnson & Johnson, GE Were Google-Type Attacks HACKING Hackers Penetrate Nasdaq Computers CYBER CRIME CYBER ESPIONAGE Google Hack Attack Was Ultra Sophisticated UK Infrastructure Faces Cyber Threat, Says GCHQ Chief
Adversaries. Script Kiddies: the traditional teenager in the basement; thrill seeker, notoriety, peer recognition. Hacktivists: Anonymous; political orientation, disruptive. Cyber-criminals: direct financial motivation. State-sponsored or Professional: espionage, trade secret theft, disruption of critical infrastructure.
Types of Cyberthreats. Basic malware: viruses, trojan horses, botnets. Crimeware: password and credential stealing, key loggers. Advanced malware: stealthy, custom-written software incorporating aspects of the above, but designed to be undetectable. Any adversary can use any level of malware; even the script kiddie can access advanced malware. Ultimately, what the adversary does with the access they gain is what determines how they are classified.
Methods / Vectors of Attack. Social Engineering: phishing, spear phishing, whaling. Website poisoning. Advertising poisoning. Infected downloads: porn and warez are now generally seen to be vectors for malware. Mobile devices and social media are increasing targets and vectors.
Advanced Persistent Threat. What is APT? Mandiant's definition: a group of sophisticated, determined and coordinated attackers that have been systematically compromising U.S. government and commercial computer networks. "Conventional information security defenses don't work. The attackers successfully evade anti-virus, network intrusion detection and other best practices." APT is a methodology, not a type of attack. Best estimates are that there are 25+ groups associated with APT-style campaigns.
Targeted Attack Methodology (diagram, two slides; slides taken from Symantec slides related to the Google Aurora attack, Jan 2010). Stage 1, social engineering: the attacker researches his target, creates a custom email, and the victim clicks on a link (shown as http://example.com/abc.html). Stage 2, payload install and execution: the link serves a payload from a malicious server, a backdoor program is installed on the victim's machine, and confidential information flows back through the malicious server to the attacker.
What is Unique About the APT? (Traditional Attack vs. Advanced Persistent Threat)
Method of entry. Traditional: generic email to large numbers of people; hit or miss with no targets. APT: research on personal details of targets; selective spear phishing with custom, tailored emails.
Exploits. Traditional: known vulnerabilities, typically unpatched in some machines. APT: unknown zero-day exploits; no vendor patch exists.
Malware. Traditional: one size fits all; typically already on commercial virus checker signature lists. APT: custom code not found on virus signature lists; the adversary monitors virus checkers and modifies their code once it has been identified commercially.
Spread. Traditional: random spread to as many machines as possible, via email lists, open ports, etc.; targets of opportunity. APT: manual, controlled spread to targeted machines based on research (e.g. key-logging of infected machines).
External command & control systems. Traditional: single control server to infected units; detectable and blockable with current tools. APT: multiple paths to multiple control points.
Duration of attack. Traditional: days or weeks. APT: years, i.e. persistent.
Communications. Traditional: control server pushes to infected units. APT: infected units initiate communications with the control server; communications are infrequent and not detectable, using web sites, HTTPS, Gmail, etc.; communications are encrypted to avoid monitoring/detection.
Adversary. Traditional: script kiddies, thrill seekers, or a limited criminal element. APT: well organized, well funded, organized crime or nation state sponsored.
Motive. Traditional: denial of service (DoS), ID theft, public recognition. APT: serious theft of intellectual property, large financial gain, injection of malware into products.
Are You Oversharing?
Loose Lips and All That
Insiders. This is what an insider threat looks like: Hanjuan Jin, February 2007. Education: University of Science and Technology of China, University of Notre Dame, Illinois Institute of Technology. Naturalized United States citizen. Employed by Motorola, 1998 to 2007. Guilty, theft of trade secrets, 2012.
Defending the Organization Against the Insider Threat
Today's Defensive Methods. Data Loss Prevention (DLP): key words provided by the business (code words and other unique identifiers), including classification flags; continual watch on outbound email and Internet traffic. Data Classification: default classification in document management systems. Anomaly Detection in EDMS: high volume downloads, high volume searches, searches out of bounds. File Sharing Websites: high volume downloads / uploads, anomalous behavior identification.
Future Defensive Methods. Anomaly Detection: high volume data transfers, high numbers of virus infections, high volume of login failures, network connections from at-risk IP addresses (i.e. competitors). Geolocation anomalies: improbable physical locations over time, source IP address of concern (competitors). End point DLP implementation. Additional mandatory templates for highly sensitive documents. Phone-home capability for highly sensitive documents.
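As an added illustration (not part of the presentation), the anomaly-detection ideas on these two slides written out as three simple rules run over constructed EDMS and login events: an hourly threshold for bulk downloads, an hourly threshold for login failures, and an improbable-travel check on successive successful logins. The thresholds, the 900 km/h speed ceiling and the event format are assumptions made for the example.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, user, action, source IP, latitude, longitude).
# alice logs in from Denver and 65 minutes later from an address geolocated to Shanghai;
# bob fails to log in six times within one hour; carol downloads twelve documents in one hour.
EVENTS = [
    ("2014-02-18T08:00:00", "alice", "login_ok", "10.1.1.5", 39.74, -104.99),
    ("2014-02-18T08:30:00", "alice", "download", "10.1.1.5", 39.74, -104.99),
    ("2014-02-18T09:05:00", "alice", "login_ok", "203.0.113.9", 31.23, 121.47),
]
EVENTS += [("2014-02-18T10:%02d:00" % m, "bob", "login_fail", "10.1.1.6", 39.74, -104.99) for m in range(6)]
EVENTS += [("2014-02-18T11:%02d:00" % m, "carol", "download", "10.1.1.7", 39.74, -104.99) for m in range(12)]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (assumed Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def hourly_counts(events, action, threshold):
    """Return (user, clock hour, count) for users who hit `threshold` of `action` in one hour."""
    counts = defaultdict(int)
    for ts, user, act, *_ in events:
        if act == action:
            counts[(user, ts[:13])] += 1  # bucket by "YYYY-MM-DDTHH"
    return sorted((u, h, n) for (u, h), n in counts.items() if n >= threshold)


def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive successful logins whose implied travel speed exceeds max_kmh."""
    logins = defaultdict(list)
    for ts, user, act, ip, lat, lon in sorted(events):
        if act == "login_ok":
            logins[user].append((datetime.fromisoformat(ts), ip, lat, lon))
    alerts = []
    for user, seq in logins.items():
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(seq, seq[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(la1, lo1, la2, lo2)
            if hours > 0 and km / hours > max_kmh:
                alerts.append((user, ip1, ip2, round(km / hours)))
    return alerts


def run_rules(events):
    return {
        "bulk_downloads": hourly_counts(events, "download", 10),
        "login_failures": hourly_counts(events, "login_fail", 5),
        "impossible_travel": impossible_travel(events),
    }
```

Each alert carries the user, the time bucket or IP pair, and the measured value, which is what a records manager would need when deciding whether the event touches a record series flagged as a crown jewel.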
So Why Should a Records Manager Care About This? How long does your retention schedule say to retain security logs? Are you aware that the technology exists to capture every bit of data going to or from your organization's network? Who knows (or should know) where the records are? Do you know where your organization's crown jewels reside? Are you a target for the bad guys? Are your records management systems?
Disasters. The traditional range of disasters continues to be a focus for risk assessment. Most organizations must now also consider: malware and outages due to malware cleanup; cloud outages; data privacy breaches; third party provider outages; impacts to the mobile workforce. The attack surface is increasing exponentially.
Attributes of Information The new role for records management means incorporating a variety of attributes into information stores and indices to enable better protection and risk identification
Attributes Record series / category / retention period Vital record flag Data privacy / PII / PHI flag PCI flag Security classification Crown jewels?
Speaking About Risk Effectively What is the likelihood of something happening? What is the real impact to the business? What is the cost to solve the issue? What is the cost if nothing is done? Does your organization have appropriate insurance coverage?
Communicating Risk. Don't overplay the risk. Look at the risks from the point of view of senior management. If a risk is going to be accepted, have a formal process to communicate the risk and get signoff on the risk at the appropriate level. Have a focus on materiality: at what point is a loss reportable?
Takeaways Understand the threats to your organization Meet your Information Security team and work with them Consider adding other attributes to an EDMS or to any system tracking records Look at risk in a big picture way
Questions?