Educational Event Spring 2015 Cyber Security - Implications for Records Managers Art Ehuan
Risk to Corporate Information
The protection of mission-dependent intellectual property, or proprietary data critical to the ongoing operation of a company, should be of high interest to corporate executives.
Risk to Corporate Information
o Protected Health Information (PHI)
o Personal Identifiable Information (PII)
o Intellectual Property & Trade Secrets
o Company Financial Records
o Corporate Entity Sensitive Internal Documents
Where Does Stolen Information Go?
Cyber Threat Actors (Past)
Cyber threats in the past were more localized in nature.
o Cyber crime in the past mostly involved unsophisticated attacks to deface websites of corporations and governments
o Notoriety and bragging rights were the primary drivers for this malicious behavior
o Minimal involvement of Organized Crime and Nation-State actors
Cyber Threat Actors (Now)
Corporations have a myriad of cyber criminals to contend with.
o Hacker groups are interested in data for fraud purposes and for sale to other criminals
o Organized Crime groups are involved in enterprise-level activity to target and steal any and all types of data
o Nation-state cyber actors are increasingly targeting corporations for their information
o Regardless of the size of the business, no organization is immune from cyber attack
o The cybercrime wave is here.
How are Corporations Breached?
Compromise of corporate information by intruders/insiders:
o 30% of malicious breaches occur via SQL injection
o 28% of malicious breaches occur via targeted attacks
o 27% of malicious breaches occur via advanced malware
Organizations that suffered malicious breaches credited a lack of in-house expertise as the main reason for failing to prevent the breaches.
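SQL injection, the largest single category in the figures above, is worth seeing concretely. The following is an added example, not code from the original presentation: a records lookup written two ways, one that splices user input into the SQL text and one that binds it as a parameter, run against a constructed in-memory SQLite table whose titles and contents are invented for the demonstration. The payload is the classic `' OR '1'='1` trick, which turns a filter that should only return public documents into one that returns everything.

```python
"""Added example (not from the original slide deck): a vulnerable records
lookup beside its parameterised fix, exercised with a constructed dataset."""
import sqlite3

# Constructed sample data: one public and one restricted document.
# Every name and body here is invented for the demo.
SAMPLE_ROWS = [
    (1, "Holiday schedule", "public", "Office closed 25 Dec"),
    (2, "Merger memo", "restricted", "Confidential: acquisition of ACME Ltd"),
]


def build_db():
    """Create an in-memory SQLite database holding the sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records(id INTEGER, title TEXT, classification TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO records VALUES (?,?,?,?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, title):
    """String concatenation: the caller's input becomes part of the SQL text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = (
        "SELECT id, title FROM records WHERE classification = 'public' "
        "AND title = '" + title + "'"
    )
    return conn.execute(sql).fetchall()


def search_hardened(conn, title):
    """Parameterised query: the input is bound as a value and is never parsed
    as SQL, so the classification filter cannot be bypassed from the input."""
    sql = (
        "SELECT id, title FROM records WHERE classification = 'public' "
        "AND title = ?"
    )
    return conn.execute(sql, (title,)).fetchall()


# Classic payload: closes the string literal, then appends an always-true
# clause. Because AND binds tighter than OR, the WHERE clause becomes
# (classification = 'public' AND title = 'x') OR '1'='1', matching every row.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run both lookups with the payload and one with a legitimate title."""
    conn = build_db()
    return {
        "vulnerable": search_vulnerable(conn, PAYLOAD),
        "hardened": search_hardened(conn, PAYLOAD),
        "normal": search_hardened(conn, "Holiday schedule"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable lookup returns the restricted "Merger memo" alongside the public record; the hardened lookup returns nothing for the payload because it searches for a title that literally contains the quote characters, while a normal title still works. The fix is the same in every database library: bind values with placeholders rather than building SQL with string concatenation.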
Priority for Securing the Corporation
Identifying cyber threats to your company is crucial. This should not be your company's breach notification process.
Priority for Securing the Corporation
o To protect information, a corporation must know and understand what data it manages or stores, who is authorized to access the information, how it must be protected and how it must be disposed of when no longer required for business operations
o Information classification provides the framework by which information can be categorized by criticality to the corporation, together with the controls that protect it from unauthorized access or disclosure
o Information classification should be implemented in a manner that is easy to understand and to apply
o If information is no longer required for business operations or regulatory/legal requirements, dispose of it
Priority for Securing the Corporation
o Viewed from outside your enterprise, security is assumed to be effective until a test proves otherwise.
o Testing can be conducted in full view of your staff to limit the potential for unexpected results.
o A breach found through testing is better than an unexpected one caused by adversaries.
Priority for Securing the Corporation
Phases of a security test:
1. Reconnaissance and Identification
2. Scanning and Discovery
3. Exploitation and Compromise
4. Escalation of Privileges
5. Post Exploitation
6. Control Evaluation
Priority for Securing the Corporation
o Patch and configuration management is one of the most underappreciated facets of information security
o Proper patch management can significantly reduce a corporation's risk profile by eliminating known vulnerabilities from the organization
o A process-driven configuration management program should be established and adhered to strictly to reduce risk
Priority for Securing the Corporation
o Corporations that do not manage the Administrator / Root accounts within their environment are exposing their information to extensive risk of exploitation
o Restricting the number and role of Administrator and Root accounts is critical
o Acquiring Root or Administrator access to systems is the first, second and third goal of nearly every cyber attack
o Root and Administrator access provide a malicious actor with the keys to the kingdom
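Restricting Administrator and Root accounts starts with knowing who actually holds root-equivalent access, which on a Unix host is more than the account literally named root. The following is an added example, not code from the original presentation: a small audit that reads constructed copies of /etc/passwd, /etc/group and /etc/sudoers (every account name in them is invented) and reports every user who is UID 0, who sits in a group that sudoers grants unrestricted rights to, or who has a direct unrestricted sudo rule. The group names treated as administrative and the sudoers line format are assumptions that match common Linux defaults; a real audit would read the live files and include /etc/sudoers.d.

```python
"""Added example (not from the original slide deck): audit of root-equivalent
accounts over constructed passwd, group and sudoers files."""
import re

# Constructed sample files. Every account name below is invented.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc-backup:x:1002:1002:Backup service:/var/backup:/usr/sbin/nologin
"""

GROUP = """\
root:x:0:
wheel:x:10:alice,bob
sudo:x:27:bob
users:x:100:alice,bob,svc-backup
"""

SUDOERS = """\
# sudoers: constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
svc-backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Assumption: groups that sudoers conventionally grants full rights to.
ADMIN_GROUPS = {"wheel", "sudo", "admin"}


def uid_zero_accounts(passwd_text):
    """Accounts with UID 0: each one is a full root login, whatever its name."""
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            found.append(fields[0])
    return found


def admin_group_members(group_text):
    """Map each user to the administrative groups it belongs to."""
    members = {}
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] in ADMIN_GROUPS and fields[3]:
            for user in fields[3].split(","):
                members.setdefault(user, set()).add(fields[0])
    return members


def sudoers_principals(sudoers_text):
    """Map each user or %group with a sudo rule to True if the rule is
    unrestricted (command list ALL) and False if it is limited to commands."""
    rules = {}
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        # Assumed line shape: <principal> <host>=(<runas>) [NOPASSWD:] <commands>
        m = re.match(r"^(\S+)\s+\S+=\((.*?)\)\s*(.*)$", line)
        if not m:
            continue
        principal, _runas, cmds = m.groups()
        rules[principal] = cmds.replace("NOPASSWD:", "").strip() == "ALL"
    return rules


def audit(passwd_text=PASSWD, group_text=GROUP, sudoers_text=SUDOERS):
    """Return {user: [reasons]} for every user with root-equivalent access."""
    report = {}
    for user in uid_zero_accounts(passwd_text):
        report.setdefault(user, []).append("uid 0")
    sudo_rules = sudoers_principals(sudoers_text)
    for user, groups in admin_group_members(group_text).items():
        for g in sorted(groups):
            if sudo_rules.get("%" + g):
                report.setdefault(user, []).append("sudo ALL via %" + g)
    for principal, unrestricted in sudo_rules.items():
        if unrestricted and not principal.startswith("%"):
            report.setdefault(principal, []).append("direct sudo ALL")
    return report


if __name__ == "__main__":
    for user, reasons in audit().items():
        print(user, ", ".join(reasons))
```

On the sample data the audit surfaces exactly the findings the slide warns about: a second UID 0 account (toor) that is a full root login under a non-obvious name, one user (bob) who is in two administrative groups, and a service account whose sudo rule is limited to a single command and is therefore correctly left out of the report. Each line of the report is a decision for the owner: justify it or remove it.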
Secure the Supplier/Vendor Chain
o Suppliers and vendors that have access to the corporate network must be vetted for cyber security controls to ensure they cannot be used to access your data without authorization
o Require through contractual language that suppliers/vendors protect your data
o Audit or assess suppliers/vendors to verify that data is being protected
o Only provide the access that is required for the supplier/vendor to provide its services
o ISO/IEC 27036 is the international standard for information security in supplier relationships
Board and CEO Awareness
1. Who is ultimately responsible for cyber security in your organization? Is it buried in IT or at Board level?
2. Do you have a cyber security strategy that is aligned with your business strategy, and is it updated according to evolving needs?
3. Where and what are the most critical assets? How does management determine which assets are critical?
4. Do you have a documented, up-to-date and regularly tested incident response plan? How are you monitoring and reporting on cyber security incidents (24/7?), and how has the number of breaches changed over the last 18 months? Have any been disclosed to regulators?
5. How much would a cyber security breach impact the organization, and can management demonstrate the rationale behind its assessment?
6. Does your internal cyber security leadership team include expertise in HR, PR, Legal, Marketing/CRM and Risk in addition to IT? Have they and the Board been through a cyber simulation practice workshop?
7. Are you managing cyber risk on your corporate risk register, and how has the threat level changed over the last 18 months?
8. Have you ever conducted a company-wide security awareness program?
9. Is cyber security covered in your contracts with third parties? How do you assess their level of preparation?
10. What measures have you introduced in the event of a breach of payment card data (in scope of PCI DSS), Personal Identifiable Information (PII) or Protected Health Information (PHI), and of the regulatory requirements to report it?
Art Ehuan
Art Ehuan is a Managing Director with Alvarez & Marsal's Global Forensic and Dispute Services in San Antonio, Texas. He is a strategic information security specialist with more than 20 years of experience working with U.S. and international clients and governments. Art Ehuan has extensive, high-profile industry and law enforcement experience in the field of information security. Mr. Ehuan has a specialization in nation-state strategic advisory services, including incident response, digital investigations, data protection and e-discovery, for corporate and government agencies, and provides domestic and global thought leadership on these topics. Mr. Ehuan also serves as a lecturer on cyber crime for the U.S. State Department, Diplomatic Security Service, Anti-Terrorism Assistance Program.
o Mr. Ehuan has received industry credentials including: EnCase Certified Examiner (EnCE), Certified Information Systems Security Professional (CISSP), Cisco Certified Network Professional (CCNP), Cisco Certified Design Professional (CCDP) and Certified Forensic Computer Examiner (CFCE). He also maintains the Information Assessment Methodology (IAM) credentials with the National Security Agency (NSA).
o Mr. Ehuan was previously an Adjunct Professor and Lecturer at George Washington University, Georgetown University and Duke University, where he taught courses on cyber crime, incident response, digital investigations and computer forensics. He is a contributing author of Techno-Security's Guide to E-Discovery and Digital Forensics from Elsevier Publishing. Mr. Ehuan earned a bachelor of arts degree from the University of California, Los Angeles. He graduated with a master of science in Management from Rensselaer Polytechnic Institute.
Managing Director, Alvarez & Marsal
aehuan@alvarezandmarsal.com
+1 571 331 7763