Are you prepared for a Data Breach?
October 2015
Agenda
- Introduction
- Incident statistics
- IT security controls
  - Preventative
  - Detective
  - Corrective
- Incident response tasks & investigative hurdles
- Mitigating costs and risks
  - Administrative and technical controls
- Cyber liability insurance
Introduction
Andy Obuchowski - Director

Summary of Experience
Frederick Howell provides services and solutions for clients in preparation for and in response to matters involving data breach investigations, cyber security and incident response, digital forensic analyses, electronically stored information (ESI) collection and intellectual property theft. With this wide range of experience, he delivers industry-leading technical and consultative expertise to law firms, corporations and government agencies. Fred is a member of several organizations including HTCIA, ISSA and Infragard. He has lectured across the country on matters relating to cyber security, digital forensics and cyber crime.
Phone: 617.241.1219
Email: fred.howell@mcgladrey.com
Certifications: CISSP, ACE

Representative Experience
Prior to joining McGladrey, Mr. Howell worked for the Bose Corporation's Information Security team, working on security projects and initiatives, risk assessments, and developing business relationships, project plans, and policies/procedures surrounding data privacy and digital forensics. Prior to Bose, he consulted Fortune 500 companies on matters relating to information security, regulatory compliance and digital forensics. He developed client service offerings related to HIPAA and digital forensics data collection and analysis. He worked for the New Hampshire and Massachusetts Attorney General's Offices for 17 years, where he conducted white collar crime and computer forensic investigations. He is an adjunct professor in the graduate Information Assurance program at Northeastern University in Boston, Massachusetts, where he teaches system forensics. He also teaches at Worcester Polytechnic Institute and Curry College in their graduate and undergraduate programs in information security, computer forensics, and computer crime investigations.
Incident Statistics
The pace of data breaches is increasing
- JP Morgan Chase: 70 plus million
- Home Depot
- Target
- Neiman Marcus
- Others
DBLoss.org
Data breach statistics
2014 Verizon Data Breach Report
Security statistics
Four most prevalent attack vectors
1. Hacking
   - Traditional hacking is used post-breach, not as the original entry point
   - Current methods focus on web apps and browser plugins
2. Malware
   - Finding and purchasing non-detectable malware in the underground market is trivial
   - Modern anti-virus is an 80-20 proposition at best
3. Social Engineering
   - Why bother to do all the heavy lifting involved with hacking when you can just ask someone to do something for you?
   - While there is a technical component, the attack is against human nature
4. Physical Loss
   - Rare occurrence but significant impact
DBLoss.Org
Cost of Data Breach
- Operational cost
- Public relations cost
- Legal costs
  - Fines
  - Penalties
  - Civil litigation costs
    - Government entities: federal and state
    - Financial institutions: banks and card issuers
    - Customer lawsuits
Ponemon and IBM conducted a study in 2014: http://www-935.ibm.com/services/us/en/it-services/security-services/cost-of-data-breach/
Security statistics
And now for some boring numbers
- Breaches detected in first 24 hours: 1%-2%
- Breaches with data loss in first 24 hours: 60%-68%
- Breaches detected by an external 3rd party: 71%-92%
- Breaches undetected for two years or more: >14%
- Average days to discovery: 87-210
- Average total cost per breach: $5,407,820
- Average insurance payouts: $954,253-$3.5M
Ask Yourself These Questions
If we had a data breach, would we know?
Once we knew, what are we going to do?
- Do we have a plan?
- Is our plan comprehensive enough to deal with the potential public outcry and media storm?
- Can we execute the plan?
Objective of this session
- Raise your awareness
- Provide you with a roadmap for putting together a plan that answers these questions
  - Identify key stakeholders
  - Stages of a data breach
  - Key goals during each stage
  - Approaches to an effective response plan
What is a computer security incident?
Any unlawful, unauthorized, or unacceptable action that involves a computer system or computer network
Security incidents include:
- Malware attacks, including spyware, phishing and spear phishing, and APT (Advanced Persistent Threats)
- Theft by insiders
- Unauthorized intrusions
- Data loss that could include customer PII
What are the goals of Incident Response?
To respond with a coordinated and cohesive response
- Prevents a disjointed response
- Confirms or dispels whether an incident occurred
- Establishes proper retrieval and handling of evidence
- Protects privacy rights established by law and policy
- Minimizes disruption of business and network
- Allows for criminal and civil action against perpetrators
What are the goals of Incident Response?
- Accurate reports and useful recommendations
- Rapid detection and containment
- Minimizes exposure and compromise of data
- Protects your organization's reputation and assets
- Educates senior management
- Promotes rapid detection
  - Lessons learned
  - Policy changes
  - Better coordination
The cost goes beyond the breach
- Mandatory audits
- Litigation can linger on for years
- Increased information security costs
- Damage to
  - Brand
  - Sales
- Cost of organizational change
Preparing for a Data Breach
Take the initiative
- Executive sponsorship
- Commitment
Resources
- Time
- Appropriate personnel
- Funding
Where do you begin?
There are lots of resources available
- NIST: National Institute of Standards and Technology
- DHS: Department of Homeland Security
- White House Cyber Security website
- CERT: Computer Emergency Response Team
- Organizations: SANS, ISSA, ISACA, HTCIA
Excellent free resources
- Best Practices for Seizing Evidence: A Pocket Reference Guide for First Responders
  www.secretservice.gov/forensics.shtml
- Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
  www.usdoj.gov/criminal/cybercrime/s&smanual 2002.htm
- Field Guidance on New Authorities that relate to Computer Crime and Electronic Evidence enacted in the USA Patriot Act of 2001
  www.usdoj.gov/criminal/cybercrime/patriotact.htm
- SysAdmin, Audit, Networking, and Security
  http://www.sans.org/
- Computer Emergency Response Team
  http://www.cert.org/incident-management/
- Department of Homeland Security
  http://www.dhs.gov/topic/cybersecurity#
Form a Cross Functional Team
- Senior Management
- Legal
- Corporate Security
- Information Technology
- Business
- Human Resources
- Public Relations
Phases of Data Breach
1. Detection
2. Investigation
3. Response
4. Remediation
5. Lessons Learned
Detection
Finding out you have lost data
- Data can be lost in a variety of ways
  - Lost or stolen laptops or mobile phones
  - Lost or stolen backup media
  - External storage media with sensitive data
Detection
Information Security
- IDS: Intrusion Detection Systems
  - SIEM: Security Information and Event Management
    - QRadar
- FIM: File Integrity Monitoring Systems
  - Tripwire
- FW: Firewall activity
- AV: Anti-Virus alerts
Service Desk Calls
- Users
- Customers
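As an added example (not from the slides, and not Tripwire's code), here is the core of a file integrity monitor like the FIM systems listed above: it hashes every file under a directory into a baseline, then a later pass reports what was added, removed or modified. The directory tree and the tampering in demo() are constructed for the illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of one file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map every regular file under `root` (relative POSIX path) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p) for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_baseline(root, baseline):
    """Report added, removed and modified files against a stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current.keys() & baseline.keys() if current[p] != baseline[p]),
    }

def demo():
    """Constructed scenario: baseline a temporary tree, change it, and report the drift."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "etc").mkdir()
        (r / "bin").mkdir()
        (r / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (r / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (r / "bin" / "ls").write_bytes(b"\x7fELF-placeholder-original")
        # A real deployment stores the baseline signed and off the monitored host; kept in memory here.
        stored = json.dumps(build_baseline(root))
        # Changes a later run should flag: an edited config, a replaced binary, a new file, a deleted file.
        (r / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\nsvc:x:1001:1001::/home/svc:/bin/sh\n")
        (r / "bin" / "ls").write_bytes(b"\x7fELF-placeholder-replaced")
        (r / "bin" / "extra").write_bytes(b"\x7fELF-placeholder-new")
        (r / "etc" / "hosts").unlink()
        return compare_to_baseline(root, json.loads(stored))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline only has value if it was taken before the incident and kept where an intruder cannot rewrite it, which is why the slides pair FIM with a SIEM rather than relying on the host alone.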
Other ways to find out
- Third parties call and ask you to stop hacking their network
- Government agencies: DHS, USSS and FBI
- Internet hackers load the data up on servers for the world to access
Detection
Is this an incident?
- Did you lose data?
- How much data and exactly what type?
- Is the data loss ongoing?
- Who knows about the data loss?
This information is going to guide the next phases of the response
Transition from Detection to Incident Response Process
Detection into Incident Response - Investigation
- Once data loss has been confirmed, the IR Team will be activated
- Priority one: determine the extent of the loss
- Strategy will be based on the findings
Investigation
Critical questions (many are repeats)
- What type of data was accessed and lost?
- Number of data records
- What systems and business processes are affected?
- How was the data accessed?
- How long has the activity been going on?
- Who was the perpetrator?
Investigation / Response
Legal and Regulatory Issues
- PCI requires notification
- State data breach notification laws (47 states)
- Public Relations need to address inquiries
  - Press
  - Public
  - Government: federal and state regulatory and law enforcement
Investigation / Response
Investigation may continue for some time and additional facts may surface over time
- These facts may materially alter your response
Public relations
- Depending on the circumstances, it may be desirable to put out prepared statements to the press and the public
  - Status of data breach investigation
  - Actions the company is taking as a result
  - How to get additional information
Response
Public Relations
Internal Public Relations
- Are they capable of dealing with:
  - Channels: media inquiries, telephone calls, Internet, social media
  - Volume: can they handle customer inquiries via phone and web?
  - Can they deliver status updates in a timely manner?
Response
Public Relations
External third party contractors
- Equipped to deal with a crisis situation
- Can assist Legal and Public Relations with messaging
- Have call centers in place that can ramp up quickly
- Website templates
- Notification capabilities
  - Printing letters
  - Custom to your situation, multi-lingual capable
Remediation
Returning to normal state
- Stop the bleeding (data loss)
- Quantify the loss
- Secure your information systems
- Fix any holes in your security and operations
Repairing the damage to the brand
For customers
- Credit monitoring
- Credit repair
- Litigation services for anyone victimized by ID theft
Company image
- Good will gestures
- Awareness: outreach to customers on data protection
- Following up on all promises
Lessons learned
Follow-up action plan by team
Infrastructure and security
- Assigned an owner who is responsible for the fix
- Given adequate resources to address problems
- Required to provide regularly scheduled updates until resolution
IT Security Controls
Today's Topic: Security Controls
Security controls can be preventive, detective or corrective by nature
Purpose of Preventive Controls
- Preventive controls are designed to keep incidents from occurring in the first place
- Preventive controls only serve as a deterrent against unauthorized access
- Oftentimes we are too focused on preventive controls and too trusting of their efficacy
- For a program to be successful, these controls must be implemented with a plan for them to fail
Purpose of Detective Controls
- Detective controls are designed to identify and alert on malicious or unauthorized activity
- Provide support for post-incident activities (corrective controls)
- Allow an organization to understand its compliance state or adherence to operational control sets (e.g. change management)
- To be successful, deploying detective controls must be done with some framework in mind (e.g. data classification)
[Figure labels: Preventative Control, Detective Control]
Understanding Corrective Controls
- Corrective controls are designed to limit the scope of an incident and mitigate unauthorized activity
- Provide support for preparing for future post-incident activities
- Allow an organization to understand how to improve its preventative and corrective controls moving forward
- Corrective controls are not always technical. They are also categorized as physical (door locks), procedural (incident response), and legal or regulatory (policies)
[Figure labels: Detective Controls, Preventative Control, Corrective Control]
Incident Response & Hurdles
Incident Response & Investigation Process
Incident Response: Containment and Preservation
The initial objective is to learn about your organization, your IT infrastructure and the incident
- What actions have been performed to date?
- What information did the attacker ask for and what did he receive?
- What known systems/information did the attacker access?
- Are there any remote tracking or wiping tools installed on the device?
- Does an employee have remote access to the network?
- Do logs show unusual network activity or failed login attempts?
Identifying potential evidence sources, followed by the preservation/collection of data.
Ask yourself:
- Is my staff appropriately trained to handle an information security incident?
- Do they have the skill sets to conduct a forensic investigation?
- Have we been through this type of incident before?
- Do we know where our data is physically located?
Incident Response: Evidence Collection
Evidence sources:
- Network servers and applications
- Computer system memory
- Firewall, VPN, email, building access logs
- Network and system backups
- Information from third-party providers (cloud services)
- Video surveillance
Investigative hurdles: Trust but verify
- Investigating unknowns
  - Unable to identify appropriate resources
  - Third-party providers and custom applications
- Evidence preservation as an afterthought
  - Deleted digital evidence expands scope/risk of harm
  - Lack of documentation, misconfigured applications, log retention
- Data pooling
  - Human capital, accounting, user share data combined
- Data quality
  - Non-standardized data formats
  - Manual review for protected information
Mitigating Costs & Risks
Mitigating costs & risks: Administrative tasks
Organizational programs
- Written Information Security Program (WISP)
- Vendor management
- Business continuity & disaster recovery plans
Specific preparation tasks
- IT risk assessment
- Incident response plan
- Mock incident response drills
- Security awareness training
Response
- Documentation
  - How was the incident discovered?
  - Who performed what action?
  - When did the change or event occur?
  - What was the result?
Mitigating costs & risks (cont.): Technical tasks
- Data segregation
  - Data classification/identification program
- Network and application patch management
- Backup and archiving solutions
  - Access to data backup and offsite facilities
  - Test archiving solutions (email, data vaults)
  - Speed of exports, change in file properties, search functionality
- Network vulnerability testing
- Enterprise monitoring solutions
  - Event logging (VPN, file audit, network access, building access)
  - Data Loss Prevention (DLP) solutions
Ask yourself:
- Is our company's sensitive data on the same server as our employee home directories?
- Have we tested the input and output of our email backup/archiving solution?
- Are there logs available to show who has accessed our network in the past week?
- Do we know what files they accessed?
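As an added example that is not part of the original deck, the two log questions on this slide and the earlier one about failed login attempts (under Containment and Preservation) are answered over constructed sshd-style auth log lines: a sliding window flags sources with repeated failures, a second check surfaces any accepted login from such a source, and a third lists who logged in since a given time. The host name, user names, addresses and the 4-failures-in-5-minutes threshold are assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sshd-style auth log lines for this example (not taken from the slides).
SAMPLE_LOG = """\
Oct 12 08:01:10 vpn-gw sshd[1001]: Accepted password for alice from 10.0.5.12 port 51000 ssh2
Oct 12 08:02:44 vpn-gw sshd[1002]: Failed password for bob from 203.0.113.7 port 40001 ssh2
Oct 12 08:02:45 vpn-gw sshd[1003]: Failed password for bob from 203.0.113.7 port 40002 ssh2
Oct 12 08:02:46 vpn-gw sshd[1004]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
Oct 12 08:02:48 vpn-gw sshd[1006]: Failed password for root from 203.0.113.7 port 40005 ssh2
Oct 12 08:09:30 vpn-gw sshd[1007]: Accepted publickey for bob from 203.0.113.7 port 40090 ssh2
Oct 12 09:15:02 vpn-gw sshd[1008]: Failed password for carol from 10.0.5.30 port 52211 ssh2
Oct 12 09:15:20 vpn-gw sshd[1009]: Accepted password for carol from 10.0.5.30 port 52212 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse(log_text, year=2015):
    """Turn raw lines into events; syslog omits the year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that are not login results are skipped, not treated as errors
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events

def brute_force_sources(events, threshold=4, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failed logins inside any `window`, checked per failure."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "Failed":
            failures[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in failures.items():
        for i, t in enumerate(times):
            in_window = [u for u in times[: i + 1] if t - u <= window]
            if len(in_window) >= threshold:
                flagged[src] = len(in_window)
                break
    return flagged

def successes_after_failures(events):
    """Accepted logins from a flagged source: the first thing an investigator should look at."""
    flagged = brute_force_sources(events)
    return [(e["user"], e["src"]) for e in events if e["result"] == "Accepted" and e["src"] in flagged]

def who_logged_in(events, since_iso):
    """Answer 'who accessed the network since <date>' with sorted (user, source) pairs."""
    since = datetime.fromisoformat(since_iso)
    return sorted({(e["user"], e["src"]) for e in events if e["result"] == "Accepted" and e["ts"] >= since})
```

The same questions can only be answered for the past week if log retention covers it, which is the retention point raised under investigative hurdles.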
Cyber Liability Insurance
Risk Financing for Data Breach Exposures
Not if, but when!
- Data breach events may result in significant costs
- More damage is caused by a poor response to a data breach than by the data breach itself
- Insurance provides important balance sheet protection and is ideal for difficult-to-predict events that create large losses
- An insurance carrier can provide significant expertise in order to facilitate an effective and efficient response
  - Not the insurer's first rodeo!
Insurance Overview
- Security & Privacy Liability
  - Judgments, settlements and defense costs for a claim seeking damages from a loss, theft or unauthorized disclosure of information
- Regulatory Defense & Penalties
- Payment Card Industry (PCI) Fines and Penalties
  - Contractual fines and assessments for a failure to maintain PCI data security standards
- Breach Response Costs
  - Expenses for: computer forensics, notifications, credit monitoring, pre-claim legal, call center services and public relations
- Other coverage options typically available
  - Media Liability
  - Business Interruption
  - Data Protection
  - Cyber Extortion
Questions and contact information
Frederick J. Howell, MBA, MSISM, CISSP
Manager, Security and Privacy Services
McGladrey, LLP
80 City Square, Boston, MA 02129
(O) 617.271.1520
(M) 781.831.2767
(E) fred.howell@mcgladrey.com
www.mcgladrey.com