CYBERCRIME AND INFORMATION GOVERNANCE: ARE YOU PREPARED?
Anthony Diana, Reed Smith LLP; Scott Lashway, MassMutual; Stephen Ramey, Navigant Consulting
ARE YOU PREPARED?
» Your security operations center is monitoring your network and identifies anomalies in the company's network traffic:
  - A large volume of data is being transferred outside your organization to a foreign IP address
  - Your company does not conduct business in that country
  - The outbound data is being transferred from your Domain Controller
  - A Domain Controller is a governing server typically not used for business productivity; rather, it controls authentication and access for user accounts and machines through a network domain
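As an added illustration (not part of the slides), the three indicators in this scenario can be turned into a simple detection over aggregated flow records: source is a domain controller, destination country is outside the business footprint, and outbound volume is large. The hostnames, addresses, country code and threshold below are constructed for the example.

```python
from collections import defaultdict

# Constructed sample flow records for this example (hostnames, addresses and the
# "ZZ" country code are invented; 203.0.113.0/24 etc. are documentation ranges).
SAMPLE_FLOWS = [
    {"src": "dc01.corp.example", "dst": "203.0.113.7", "country": "ZZ", "bytes": 900_000_000},
    {"src": "dc01.corp.example", "dst": "203.0.113.7", "country": "ZZ", "bytes": 750_000_000},
    {"src": "ws-0412.corp.example", "dst": "198.51.100.20", "country": "US", "bytes": 40_000_000},
    {"src": "dc02.corp.example", "dst": "192.0.2.55", "country": "US", "bytes": 5_000_000},
    {"src": "ws-0099.corp.example", "dst": "203.0.113.9", "country": "ZZ", "bytes": 2_000_000},
]

# Assumed inventory and business footprint; in practice these come from the
# infrastructure map and sensitive data map the slides ask about.
DOMAIN_CONTROLLERS = {"dc01.corp.example", "dc02.corp.example"}
BUSINESS_COUNTRIES = {"US", "CA"}
VOLUME_THRESHOLD = 500_000_000  # bytes per (src, dst) pair in the window; assumed value

def find_dc_exfil_candidates(flows, domain_controllers, business_countries, threshold):
    """Sum outbound bytes per (src, dst) and attach a reason for each of the three
    indicators from the scenario. Pairs with no indicator are dropped; the caller
    treats a pair matching all three as high confidence."""
    totals = defaultdict(int)
    country_of = {}
    for f in flows:
        key = (f["src"], f["dst"])
        totals[key] += f["bytes"]
        country_of[key] = f["country"]
    findings = []
    for (src, dst), total in totals.items():
        reasons = []
        if src in domain_controllers:
            reasons.append("source is a domain controller")
        if country_of[(src, dst)] not in business_countries:
            reasons.append("destination country outside business footprint")
        if total >= threshold:
            reasons.append("outbound volume at or above threshold")
        if reasons:
            findings.append({"src": src, "dst": dst, "country": country_of[(src, dst)],
                             "total_bytes": total, "reasons": reasons})
    # Highest confidence first: most indicators, then most bytes.
    return sorted(findings, key=lambda r: (-len(r["reasons"]), -r["total_bytes"]))

def high_confidence(findings):
    """Only pairs matching all three indicators: any single one is routine on its own
    (DC replication to a peer, ordinary browsing, scheduled backups)."""
    return [r for r in findings if len(r["reasons"]) == 3]

if __name__ == "__main__":
    for r in high_confidence(find_dc_exfil_candidates(
            SAMPLE_FLOWS, DOMAIN_CONTROLLERS, BUSINESS_COUNTRIES, VOLUME_THRESHOLD)):
        print(f"ALERT {r['src']} -> {r['dst']} ({r['country']}) "
              f"{r['total_bytes']} bytes: {', '.join(r['reasons'])}")
```

Single-indicator findings are still returned so an analyst can review them at lower priority; only the domain controller pair that matches all three indicators is escalated.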
ARE YOU PREPARED - QUESTIONS
» Questions
  - Who should be included in the planning process?
  - Do you have a response plan or, at a minimum, someone who can help?
  - What types of policies or documentation are in place for your company?
    - Sensitive data maps? Crown jewels, regulated information, pre-released earnings reports, etc.
    - Infrastructure map?
    - Budgeting?
  - Are you aware of your data types, and do you understand breach notification laws?
ARE YOU PREPARED - BENEFITS
» Legal has a role to play in planning
» Incident Response Plan and Team
  - The team and plan should be viewed as a cost avoidance vehicle
  - Organization during chaos
  - Predefined call list for event management
    - Includes Incident Responders, Forensic Investigators, external counsel, Cyber Insurer, Breach Coach, Law Enforcement Liaison, and Public Relations Liaison
» Data Schema
  - Sensitive Data Map
    - Identifies, by system, the business function and the data type(s) that should be on the system
  - Breach notification laws
    - Sensitive data has varying notification requirements
    - Personally Identifiable Information varies by State
    - Health information is regulated by HIPAA
    - Credit Card information is regulated by its Industry
WHEN IS CORPORATE POLICY NOT ENOUGH?
» During the investigation, digital forensic analysis identified the network breach as originating from an employee's computer after a link was clicked from a personal email account. After clicking the link, malware was downloaded to the employee's work computer and installed itself through a zero-day exploit
  - Your company has a strict Acceptable Use Policy ("AUP") prohibiting the use of personal email on the company network
  - The AUP also prohibits the use of non-approved technologies for transferring files
» The investigation also identified the following:
  - Several employees use sites such as Dropbox or Google Drive to share company information
  - Several employee computers stored files with sensitive information outside of the approved database environments for that data
CORPORATE POLICY - QUESTIONS
» Questions:
  - As an organization, what have you done to increase awareness about policies?
  - Do you have a policy committee that actively reviews policies annually to update them?
  - Do you use an anonymous hotline to report non-compliant behavior?
  - What is your vendor management policy? Have you audited your vendors?
CORPORATE POLICY - BENEFITS
» End user awareness benefits
  - Annual or semi-annual training requirement on policies, requiring the end user to sign off on successful completion
  - Enforce a mandatory policy for first- or second-time offenders to take advanced security awareness training
  - Learn directly from employees about individuals who bypass security protocols
    - Ex. Utilizing unencrypted removable media, non-company-approved servers
» Vendor Management benefits
  - Establish security controls and protocols for third parties connecting to your systems
  - Provide access to only necessary information
  - Review or evaluate at least once a year, if not more
  - Include third parties in security awareness training
PERSONAL DEVICES EVOLVED
» Google Glass, drones, iWatch, Fitbit and mobile devices are increasingly popular with many early adopters. They also present complications to current acceptable use policies.
  - Potentially provide a new attack vector for nefarious actors to access information about employees and gain access to company networks
  - Data privacy considerations for these devices
  - Another potential storage device to misplace when storing company data
PERSONAL DEVICES EVOLVED - QUESTIONS
» Questions:
  - Are your company's decision makers and legal teams properly educated on the technologies and security risks?
  - What are some considerations on expectation of privacy for these devices?
  - Should our policy committee meet more frequently than once a year to account for the rapid release of these new devices?
  - How can my company prevent [or encourage] the use of these devices within the organization?
PERSONAL DEVICES EVOLVED - BENEFITS
» Encourage thorough and proper planning to minimize rushed fixes
  - Impact to business: security vs. reality
  - What are the risks?
» Break down the communication walls
  - Tech talk and legalese can be difficult to understand
  - Educate lawyers, senior management and executive boards about security systems
» Emerging technologies
  - Stimulate creativity through application of use
  - Minimize the number of devices one employee needs to carry
  - Increase productivity with constantly connected employees
  - In some instances, they can reduce operating costs
    - Ex. Amazon researching deliveries with drones
QUESTIONS?
APPENDIX: Additional Material
FRAMEWORKS
» National Institute of Standards and Technology (NIST)
  - Agency of the US Department of Commerce
  - Mission: Promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life
  - Special Publications: http://csrc.nist.gov/publications/pubssps.html
» International Organization for Standardization (ISO)
  - Independent, non-governmental membership organization
  - World's largest developer of International Standards
  - http://www.iso.org/iso/home/about.htm
READING MATERIALS
» Regulatory Mandates in the USA
  - Gramm-Leach-Bliley Act
    https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
  - Health Insurance Portability and Accountability Act (HIPAA / HITECH)
    http://www.hhs.gov/ocr/privacy/
  - Sarbanes-Oxley Act of 2002
    http://www.soxlaw.com/
  - Individual State Breach requirements
    http://www.ncsl.org/research/telecommunications-and-information-technology/security-breachnotification-laws.aspx
  - PCI DSS
    https://www.pcisecuritystandards.org/security_standards/
» Blue Team Handbook: Incident Response Edition, Don Murdoch, 2014
» IC3 Public Service Announcement on security concerns with connected devices
  - Ex. Smart TVs, Smart Thermostats, fitness devices, etc.
  - http://www.ic3.gov/media/2015/150910.aspx
EXECUTIVE ORDERS
» Cybersecurity Sanctions (2015)
» Private Sector Cybersecurity Information Sharing (2015)
» Improving the Security of Consumer Financial Transactions (2014)
» Improving Critical Infrastructure Cybersecurity (2013)
  - Cybersecurity Framework
  - Information sharing
  - Identification of critical infrastructure for which a cybersecurity attack could have catastrophic effects
  - Agencies to determine whether existing regulations are sufficient and take regulatory action to address deficiencies
  - Use of the federal procurement process to encourage contractors to enhance information security practices
END