CYBERSECURITY INVESTIGATIONS




CYBERSECURITY INVESTIGATIONS
Planning & Best Practices
May 4, 2016

Lanny Morrow, EnCE, Managing Consultant, lmorrow@bkd.com
Cy Sturdivant, CISA, Managing Consultant, csturdivant@bkd.com
Michal Ploskonka, CPA, Senior Managing Consultant, mploskonka@bkd.com

TO RECEIVE CPE CREDIT
- Participate in entire webinar
- Answer polls when they are provided
- If you are viewing this webinar in a group
  - Complete group attendance form with
    - Title & date of live webinar
    - Your company name
    - Your printed name, signature & email address
  - All group attendance sheets must be submitted to training@bkd.com within 24 hours of live webinar
- If all eligibility requirements are met, each participant will be emailed their CPE certificates within 15 business days of live webinar

AGENDA
- Historical perspective on cyber threats
- 2016 cyber threat landscape
- Types of data & industries at risk
- Current regulatory environment
- Best practices in cybersecurity preparedness & monitoring
- Incident response strategies

HISTORICAL PERSPECTIVE
Actors
- Thrill seekers
- Pioneers
- Teenagers
- Organized crime rings
- State sponsored

CHARACTERISTICS OF CYBERCRIMINALS
- Skilled
- Persistent
- Sophisticated
- Tactical
- Well funded
- Difficult to detect
- Evolving
- Technical attacks not needed
  - Can use deceivingly simple methods (K.I.S.S.)
  - Use of social engineering, e.g., Business Email Compromise

EVOLUTION OF CYBER THREATS
Approach
- Viruses
- Trojans
- Email account hijacking
- Social engineering

End Result
- Disruption
- Identity theft
- Loss of public trust
- Loss of proprietary information
- Monetary gain/loss

2016 CYBER THREAT LANDSCAPE

CYBER THREAT LANDSCAPE
- The United States is extremely well connected
  - 87% of the population use the internet
  - The country ranks 2nd globally for online business-to-consumer transactions
- Cyberattack is ranked as the #1 risk for doing business in the U.S., followed by data fraud or theft
- Constantly evolving technology
- Rapid increase in the number of connected devices
- Rapid increase in the volume of stored data
  - Especially unstructured data

Source: The Global Risks Report 2016, published by the World Economic Forum

"There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again."
Robert Mueller, FBI Director, on the cyber threat landscape

TOP FIVE CYBERCRIMES
1. Tax-Refund Fraud
2. Corporate Account Takeover
3. Identity Theft
4. Theft of Sensitive Data
5. Theft of Intellectual Property

Source: American Institute of CPAs, October 2013 study

RECENT DEVELOPMENTS
Notable data breaches
- 2013: Target ($252 M in initial costs)
- 2014: Home Depot ($43 M by end of 2014)
- 2015: U.S. Office of Personnel Management, Anthem, IRS, Experian (T-Mobile customers), Ashley Madison
- 2016: Hyatt Hotels, Trump Hotel Collection, FDIC, Mossack Fonseca (Panama Papers)

Business email compromise
- Wire/ACH losses
- W-2 information

Ransomware

BUSINESS EMAIL COMPROMISE
- Banks are not the focus of the simpler schemes
- From October 2013 to December 2014, nonbank businesses lost $215 M through compromised email attacks
- From January 2015 to August 2015, business losses due to business email compromise increased to $800 M (of which $747 M in the U.S.)
- Combined worldwide losses due to BEC exceed $2.3 B as of April 2016

Source: Internet Crime Complaint Center (FBI) Public Service Announcements: https://www.ic3.gov/media/2015/150122.aspx, http://www.ic3.gov/media/2015/150827-1.aspx

TYPES OF DATA & INDUSTRIES AT RISK

DATA AT RISK
- Credit/debit card information via POS systems
- Potential Protected Health Information (PHI)
- Employee data (PII)
  - Social Security numbers
- Connectivity to health provider networks via pharmacies
- User names & passwords
- Intellectual property
  - Blueprints
  - Business plans
  - Trade secrets, etc.

INDUSTRIES AT RISK
Targets
- Businesses
  - Financial institutions/banks
  - Insurance companies
  - Retailers
  - Health care providers
  - Manufacturers
  - Critical industries
- Governments
- Law firms
- Individuals
  - Everyone
  - Key executives & decision makers
  - Accounting & finance
  - Privileged users

CURRENT REGULATORY ENVIRONMENT

REGULATORY ENVIRONMENT
- Computer Fraud and Abuse Act (18 U.S.C. 1030) of 1986
- Many cyber crimes prosecuted under traditional statutes
- States provide penalties for crimes perpetrated by use of computers or perpetrated against computers
- State security breach notification laws

REGULATORY ENVIRONMENT
- Regulatory requirements may vary by industry
  - FTC Section 5(a) provides consumer protection
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Federal Financial Institutions Examination Council (FFIEC)
  - SEC Division of Investment Management Guidance No. 2015-02

BEST PRACTICES IN CYBERSECURITY PREPAREDNESS & MONITORING

CYBERSECURITY PREPAREDNESS UTILIZING THE NIST FRAMEWORK
NIST Framework
- Helps identify & prioritize actions for reducing cybersecurity risk
- Tool for aligning policy, business & technological approaches to managing that risk
- Enables organizations to apply principles & best practices of risk management to improve cybersecurity & secure critical infrastructure

NIST FRAMEWORK CORE FUNCTIONS
NIST Core Functions
- Standard cybersecurity controls
- Five functions
- 22 categories or subdivisions
- 98 subcategories
- Form operational culture that addresses cybersecurity risks

NIST FRAMEWORK OVERVIEW
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

IDENTIFY
Identify Functions are foundational. These controls help an organization understand how to manage cybersecurity risk to systems, assets, data & capabilities. Relating these to a business context is critical for prioritizing efforts.
Categories
- Asset Management
- Business Environment
- Governance
- Risk Assessment
- Risk Management Strategy

PROTECT
Protect Functions are the safeguards that ensure delivery of critical infrastructure services. In terms of ensuring resilience, these safeguards help to limit or contain the impact of a cybersecurity event.
Categories
- Access Control
- Awareness & Training
- Data Security
- Information Protection Processes & Procedures
- Maintenance
- Protective Technology

DETECT
Detect Functions identify the occurrence of a cybersecurity event.
Categories
- Anomalies & Events
- Security Continuous Monitoring
- Detection Processes

RESPOND
Respond Functions allow an organization to take action on a detected cybersecurity event. The goal of Respond Functions is to contain the impact of a cybersecurity event & remediate vulnerabilities.
Categories
- Response Planning
- Communications
- Analysis
- Mitigation
- Improvements

RECOVER
Recover Functions are for resilience planning, particularly the restoration of capabilities or services impaired by a cybersecurity event.
Categories
- Recovery Planning
- Improvements
- Communications

CYBERSECURITY PREPAREDNESS EFFORTS
- Discuss cybersecurity issues with the Board & Senior Management on a regular basis, at least quarterly
- Evaluate evolving cyber threats & vulnerabilities in the risk assessment process for the technologies you use & the products & services you offer
- Ensure accountability is assigned to those who make business decisions that may introduce new cyber risks
- Ensure ongoing employee awareness training is kept up to date & provided on a routine basis

DEVELOP A CYBERSECURITY PROGRAM
A cybersecurity program should integrate all aspects of an institution's existing programs. Be sure to utilize what you already have:
- Overall Information Security Program
- Business Continuity & Disaster Recovery, including capacity & performance planning
- Incident Response & Crisis Management Plans
- Third-Party Risk Management

CYBERSECURITY BEST PRACTICES
Board & Senior Management Responsibilities, Duties & Best Practices
- Ensure adequate strategic plans & budgetary resources are provided
- Ensure the information security officer has adequate authority, resources & independence
- Ensure threat intelligence & collaboration is timely, ongoing, risk focused, reported & actionable
- Develop attainable, measurable & repeatable processes to mitigate risks
- Incorporate cybersecurity into the risk-based audit plan
- Maintain accurate asset inventories & be aware of ports of entry (you can't protect what you don't know exists)
- Ensure enterprisewide awareness training is performed (educate & motivate)
- Ensure BIA, BCP/DR, information security & incident response policies & procedures address cybersecurity
- Include cyber elements in annual disaster recovery tests

CYBERSECURITY BEST PRACTICES
- Use e-mail filters, Internet Protocol (IP) filtering & data file integrity checks
- Use encryption to protect confidential data
- Implement data loss prevention controls (USB ports, email, etc.)
- Do not use default or weak passwords (12 alphanumeric & complex)
- Track, report, independently test & update security patches based on a risk priority schedule (Microsoft & non-Microsoft patches)
- Rename network admin accounts, separate production & admin login privileges & do not share network admin login credentials
- Control executable file authorities (least-privileged access)
- Conduct internal & external vulnerability scans to ensure systems are hardened
- Update anomaly detection tools regularly & understand configurations
- Use log analyzers (Security Information & Event Management, SIEM, tools) to wade through the false positives & assign responsibility for log review

INCIDENT RESPONSE STRATEGIES

BREACH RESPONSE STRATEGIES
- Identify Crown Jewels
- Plan before something bad happens
- Set a response protocol
- Establish an internal response team
- Identify your external resources in advance
  - Legal counsel (notification requirements)
  - IT security experts
  - Digital forensics
  - Public Relations

CANDIDATES FOR DREAM TEAM
- IT & risk management
- Operations management
- External counsel
- Internal counsel
- Law enforcement
- Insurance company
- Data center
- Outside consultants
  - Incident response
  - Digital forensics
  - Forensic investigations

RESPONSE PROTOCOL
- Assemble team & designate leader
- Classify/declare the incident
- Determine notification requirements
- Investigate & document
- Contain damage
- Recover & build on experience

PRESERVATION DURING AN INCIDENT
- Locking down systems is first priority
- Second priority is to forensically preserve affected systems
- Phishing schemes for ransomware, wire transfers or information harvesting
  - Very low likelihood of tracing to offender
- Inside job or collusion
  - More likely to be traced
- Forensic preservation involves creating full image copies of affected systems
- Insurance companies often require some level of investigation & expert opinion
- Forensic documentation is key
- Interviews by experienced professionals to ascertain chain of events & identify potential inside issues

INVESTIGATION PHASE
Investigate & document
- Collect, analyze, protect & preserve evidence
  - Chain of custody rules
- Inventory compromised systems & information
  - Document date, time, system, detailed event description, contact information, identification of the asset, etc.
- Identify & document threat actor tactics, techniques & procedures
- Report all findings to the incident response team
  - This information may be valuable to law enforcement

NEVER TOO PREPARED
- Need backups for each team member
- Perpetually updated contact information
- Review vendors (contracts, policies, contacts, bonding, security)
- Fire drill
  - Unexpected test incident to test systems. Superior to other forms of testing
- Unique tests: dumpster diving the trash, after-hours workstation checks, periodic fake phishing emails, installed software, internet history, USBs, etc.
- Education & culturalization of diligence
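The preservation and investigation slides call for full image copies of affected systems, chain-of-custody rules, and documentation of date, time, system and asset. The script below is an added example, not part of the BKD deck or any BKD tooling, showing how those requirements look in practice: the image is hashed in streaming fashion at acquisition, every custody hand-off re-verifies the hash and is appended to a record, and any later modification of the image is caught. The asset ID, system name, people and file content are constructed placeholders.

```python
"""Forensic image integrity and chain-of-custody record (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time; a multi-GB image never has to fit in memory


def hash_file(path, algorithm="sha256"):
    """Stream the file through the hash and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def now_utc():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire(image_path, asset_id, system, acquired_by, description):
    """Build the initial custody record: the fields the slide lists plus the image hash."""
    return {
        "asset_id": asset_id,
        "system": system,
        "description": description,
        "image_path": image_path,
        "size_bytes": os.path.getsize(image_path),
        "sha256": hash_file(image_path),
        "events": [{"time_utc": now_utc(), "action": "acquired", "by": acquired_by}],
    }


def verify(record):
    """True only if the image on disk still matches the hash taken at acquisition."""
    return hash_file(record["image_path"]) == record["sha256"]


def transfer(record, from_person, to_person, reason):
    """Append a hand-off event; the hash is re-checked at every hand-off."""
    record["events"].append({
        "time_utc": now_utc(),
        "action": "transferred",
        "from": from_person,
        "to": to_person,
        "reason": reason,
        "hash_verified": verify(record),
    })
    return record


def save_record(record, path):
    """Write the custody record as JSON next to the image (sorted keys for stable diffs)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2, sort_keys=True)


def demo():
    """Run the workflow on a constructed stand-in for a disk image.

    Returns (verified_after_transfer, verified_after_tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "WS-017.raw")  # constructed file name
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed sample image content")
        rec = acquire(image, asset_id="WS-017", system="finance workstation",
                      acquired_by="Examiner A",
                      description="Workstation imaged after phishing report")
        transfer(rec, "Examiner A", "Evidence locker", "storage pending analysis")
        ok_before = verify(rec) and rec["events"][-1]["hash_verified"]
        # Simulate a post-acquisition change, e.g. the image mounted read-write by mistake.
        with open(image, "ab") as fh:
            fh.write(b"x")
        ok_after = verify(rec)
        save_record(rec, os.path.join(tmp, "WS-017.custody.json"))
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The record is what an insurer or counsel asks for: who acquired the image, when, and proof that every person who handled it verified the same hash. Working copies for analysis should be made from the verified image, never from the original evidence drive.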

SPECIAL TOPICS IN CYBERSECURITY

RANSOMWARE
Best Practices
- Entry point often phishing
  - Education is key to preventing the fatal click
- In lieu of payment, restore from backups
  - Backup policy should include a special class of essential operating items. These should be backed up daily
  - Restoring from a smaller set of essential files saves lots of time & money and reduces downtime
- Notify local law enforcement; this is a particular focus right now
- Paying the ransom will only encourage future attempts

THEFT OF TRADE SECRETS
- Not necessarily a cybersecurity attack, but same consequences
- Employee(s) compromise sensitive, proprietary or intellectual property-type information
- Motivation is often to open a competing business, join with a competitor, damage reputation or sell information to others
- Common methods include (1) removable device, (2) email or (3) upload to cloud storage
- Monitoring systems should accommodate internet & email activity involving file uploads or transfers
  - Periodic email review or flagging particular keywords recommended
  - Whitelisting USB devices recommended
- More common than DoS attacks & other types of threats, but far less understood or planned for

CYBER INSURANCE
- Policies relatively new
- Everyone needs one (backstop essential)
- Consider types of losses
  - Business interruption
  - Additional expenses
  - Your financial losses
  - Losses to third parties
- Negotiate coverages
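The trade-secrets slide names three exfiltration methods (removable device, email, cloud upload) and the monitoring the deck recommends for each: USB whitelisting, keyword flagging in email review, and watching file uploads. The following is an added example, not from the BKD deck or any BKD product, that runs those three checks over constructed log events. The allowlist IDs, domains, keyword list, size threshold and the `kind|timestamp|user|details` log format are all assumptions made for this example; a real deployment would read from the DLP, proxy and mail systems' own formats.

```python
"""Insider exfiltration monitoring over constructed log events (added example)."""
import re
from collections import defaultdict

# Whitelisted USB devices keyed by vendor:product ID. Constructed values.
APPROVED_USB = {"0781:5583": "encrypted drive, asset tag IT-0042"}

# Cloud storage domains treated as upload destinations. Constructed values.
CLOUD_STORAGE_DOMAINS = {"drive.example-cloud.test", "box.example.test"}

# A single upload above this size, or a user's daily total above it, raises an alert.
UPLOAD_THRESHOLD_BYTES = 50 * 1024 * 1024

# Keywords the periodic email review flags when mail with attachments leaves the company.
CORPORATE_DOMAIN = "corp.example.test"
KEYWORDS = ("confidential", "blueprint", "trade secret", "customer list")

# Constructed sample events, one per line: kind|timestamp|user|details
SAMPLE_EVENTS = """\
usb|2016-05-04T08:12:00Z|jdoe|0781:5583
usb|2016-05-04T09:40:00Z|asmith|1a2b:3c4d
proxy|2016-05-04T10:02:00Z|asmith|POST drive.example-cloud.test 734003200
proxy|2016-05-04T10:05:00Z|jdoe|GET news.example.test 20480
proxy|2016-05-04T10:07:00Z|jdoe|POST box.example.test 31457280
proxy|2016-05-04T10:09:00Z|jdoe|POST box.example.test 26214400
email|2016-05-04T11:15:00Z|asmith|to=asmith.personal@mail.example.test subject="Confidential blueprint set" attachments=3
email|2016-05-04T11:20:00Z|jdoe|to=bob@corp.example.test subject="Confidential: lunch menu" attachments=0
"""

EMAIL_RE = re.compile(r'to=(\S+) subject="([^"]*)" attachments=(\d+)')


def parse_event(line):
    kind, ts, user, details = line.split("|", 3)
    return {"kind": kind, "time": ts, "user": user, "details": details}


def check_usb(ev):
    """Whitelisting: anything not on the approved list is reported."""
    if ev["details"] not in APPROVED_USB:
        return f"USB device {ev['details']} not on allowlist"
    return None


def check_proxy(ev, totals):
    """Count POSTs to cloud storage per user and flag any single oversized upload."""
    method, host, size = ev["details"].split()
    size = int(size)
    if method != "POST" or host not in CLOUD_STORAGE_DOMAINS:
        return None
    totals[ev["user"]] += size
    if size > UPLOAD_THRESHOLD_BYTES:
        return f"single upload of {size} bytes to {host}"
    return None


def check_email(ev):
    """Keyword review: external recipient + flagged subject + attachments."""
    m = EMAIL_RE.search(ev["details"])
    if not m:
        return None  # unparseable record is left for manual review
    to, subject, attachments = m.group(1), m.group(2).lower(), int(m.group(3))
    external = not to.endswith("@" + CORPORATE_DOMAIN)
    hits = [k for k in KEYWORDS if k in subject]
    if external and hits and attachments > 0:
        return f"external email with {attachments} attachment(s), keywords {hits}"
    return None


def analyze(text):
    """Return one alert per suspicious event, plus a daily-total alert for users whose
    small uploads add up past the threshold without any single one tripping it."""
    alerts, totals, flagged_uploaders = [], defaultdict(int), set()
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reason = None
        if ev["kind"] == "usb":
            reason = check_usb(ev)
        elif ev["kind"] == "proxy":
            reason = check_proxy(ev, totals)
            if reason:
                flagged_uploaders.add(ev["user"])
        elif ev["kind"] == "email":
            reason = check_email(ev)
        if reason:
            alerts.append({"user": ev["user"], "time": ev["time"], "reason": reason})
    for user, total in totals.items():
        if total > UPLOAD_THRESHOLD_BYTES and user not in flagged_uploaders:
            alerts.append({"user": user, "time": None,
                           "reason": f"daily cloud upload total {total} bytes"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the per-event checks catch the unapproved USB device, the oversized upload and the keyword-flagged external email, while the daily total catches a user whose individual uploads each stayed under the threshold. Alerts like these are leads for the review the slide recommends, not conclusions; the point of the aggregation is that per-event thresholds alone miss a slow trickle.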

RESOURCES
- National Institute of Standards & Technology's Framework for Improving Critical Infrastructure Cybersecurity
- FTC's Start with Security Guide
- Best Practices for Victim Response & Reporting of Cyber Incidents, drafted by the Cybersecurity Unit of the U.S. Department of Justice (Computer Crime & Intellectual Property Section)
- Internet Crime Complaint Center
- Secret Service Electronic Crimes Task Force

QUESTIONS?

CONTINUING PROFESSIONAL EDUCATION (CPE) CREDITS
BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.learningmarket.org.

The information in BKD webinars is presented by BKD professionals, but applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor before acting on any matters covered in these webinars.

CPE CREDIT
- CPE credit may be awarded upon verification of participant attendance
- For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at training@bkd.com

THANK YOU!

FOR MORE INFORMATION
Lanny Morrow, 816.221.6380, lmorrow@bkd.com
Cy Sturdivant, 615.988.3600, csturdivant@bkd.com
Michal Ploskonka, 630.282.9495, mploskonka@bkd.com