TODAY'S AGENDA
Trends/Victimology
Incident Response
Remediation
Disclosures
Trends/Victimology
ADVERSARY CLASSIFICATIONS
SOCIAL ENGINEERING DATA SOURCES
COVERT INDICATORS - METADATA
Metadata: data providing information about one or more aspects of the data (for a document: author, organization, authoring software, creation and modification timestamps).
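As an added worked example (not from the original deck), the following Python reads the document-property metadata out of an Office Open XML file (.docx/.xlsx/.pptx) and checks whether it agrees with the story the covering e-mail tells. The document, the names inside it and the claimed sender organization "Acme Corp" are all constructed for illustration; the three checks are heuristics, not a standard.

```python
# Added example: extract author/organization/timestamp metadata from an
# Office Open XML package and check it against the claimed sender. The
# document built below is constructed sample input, not a real file.
from __future__ import annotations

import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two property parts inside an OOXML zip.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = ("dc:creator", "cp:lastModifiedBy", "cp:revision",
               "dcterms:created", "dcterms:modified")
APP_FIELDS = ("ep:Application", "ep:Company", "ep:Template", "ep:TotalTime")


def extract_office_metadata(data: bytes) -> dict[str, str]:
    """Return the core and extended document properties found in the package."""
    found: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        parts = set(pkg.namelist())
        for part, fields in (("docProps/core.xml", CORE_FIELDS),
                             ("docProps/app.xml", APP_FIELDS)):
            if part not in parts:
                continue
            root = ET.fromstring(pkg.read(part))
            for field in fields:
                el = root.find(field, NS)
                if el is not None and el.text:
                    found[field.split(":")[1]] = el.text.strip()
    return found


def metadata_indicators(meta: dict[str, str], claimed_org: str) -> list[str]:
    """Heuristics (assumptions): does provenance agree with the claimed sender?"""
    hits = []
    company = meta.get("Company", "")
    if company and claimed_org.lower() not in company.lower():
        hits.append(f"Company '{company}' does not match claimed sender '{claimed_org}'")
    creator, last = meta.get("creator"), meta.get("lastModifiedBy")
    if creator and last and creator != last:
        hits.append(f"created by '{creator}' but last saved by '{last}'")
    template = meta.get("Template", "")
    if template and template.lower() not in ("normal.dotm", "normal.dot"):
        hits.append(f"non-default template '{template}'")
    return hits


def build_sample_docx(creator: str, last_modified_by: str,
                      company: str, template: str) -> bytes:
    """Constructed minimal package holding only the two property parts."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
            f'xmlns:dcterms="{NS["dcterms"]}" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            f'<dc:creator>{creator}</dc:creator>'
            f'<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>'
            '<cp:revision>3</cp:revision>'
            '<dcterms:created xsi:type="dcterms:W3CDTF">2014-03-02T08:15:00Z</dcterms:created>'
            '<dcterms:modified xsi:type="dcterms:W3CDTF">2014-03-02T08:41:00Z</dcterms:modified>'
            '</cp:coreProperties>')
    app = (f'<Properties xmlns="{NS["ep"]}">'
           '<Application>Microsoft Office Word</Application>'
           f'<Company>{company}</Company><Template>{template}</Template>'
           '<TotalTime>26</TotalTime></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("docProps/core.xml", core)
        pkg.writestr("docProps/app.xml", app)
    return buf.getvalue()


def analyze_sample() -> tuple[dict[str, str], list[str]]:
    """Constructed case: an 'invoice' that claims to come from Acme Corp."""
    doc = build_sample_docx("Administrator", "john.doe",
                            "Example Holdings", "invoice_template.dotx")
    meta = extract_office_metadata(doc)
    return meta, metadata_indicators(meta, "Acme Corp")


if __name__ == "__main__":
    meta, hits = analyze_sample()
    for key, value in meta.items():
        print(f"{key:16} {value}")
    for hit in hits:
        print("INDICATOR:", hit)
```

Run it against a real attachment by passing the file's bytes to extract_office_metadata; the creator and lastModifiedBy values are also what you pivot on when the same actor sends documents to several victims.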
SOCIAL ENGINEERING ATTACKS
www.strozfriedberg.com - Real
www.strozfreidberg.com - Attacker (two adjacent letters transposed: "ie" becomes "ei")
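The transposition on this slide is the simplest form of a lookalike domain. As an added example (not part of the original deck), the following Python scores an inbound sender's domain against the legitimate one using Damerau-Levenshtein distance after folding common digit-for-letter substitutions. The sender list is constructed sample input, and the distance threshold of 2 and the homoglyph table are assumptions to tune for your own domain.

```python
# Added example: flag sender domains that are near-misses of a legitimate
# domain, such as strozfreidberg.com vs strozfriedberg.com.
from __future__ import annotations

# Constructed inbound sender domains used as sample input.
SAMPLE_SENDERS = [
    "strozfriedberg.com",   # legitimate
    "strozfreidberg.com",   # transposition 'ie' -> 'ei' (the slide's example)
    "strozfriedburg.com",   # one-letter substitution
    "strozfriedberg.co",    # same name, truncated TLD
    "str0zfriedberg.com",   # digit-for-letter homoglyph
    "example.org",          # unrelated
]

# Assumed homoglyph folding: digits that read as letters in most fonts.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or
    transpose two adjacent characters each cost 1."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def normalize(label: str) -> str:
    """Lower-case and fold lookalike digits before comparing."""
    s = label.lower()
    for glyph, letter in HOMOGLYPHS.items():
        s = s.replace(glyph, letter)
    return s


def split_domain(domain: str) -> tuple[str, str]:
    """Naive split: text before the last dot is the name, after it the TLD."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def classify_sender(domain: str, legit: str, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one sender domain."""
    if domain.lower() == legit.lower():
        return "legitimate"
    name, _ = split_domain(domain)
    legit_name, _ = split_domain(legit)
    # Distance 0 here means same name under a different TLD or a homoglyph swap.
    if damerau_levenshtein(normalize(name), legit_name) <= max_distance:
        return "lookalike"
    return "unrelated"


def triage(senders: list[str], legit: str) -> dict[str, list[str]]:
    """Bucket a list of sender domains by verdict."""
    out: dict[str, list[str]] = {"legitimate": [], "lookalike": [], "unrelated": []}
    for sender in senders:
        out[classify_sender(sender, legit)].append(sender)
    return out


if __name__ == "__main__":
    for verdict, domains in triage(SAMPLE_SENDERS, "strozfriedberg.com").items():
        print(f"{verdict:>10}: {', '.join(domains) or '-'}")
```

A short name tolerates less: a distance of 2 on a five-letter domain will flag unrelated domains, so scale max_distance with the length of the legitimate name, and pair the check with registration of the obvious variants of your own domain.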
PHISHING ATTACKS
Targeted Attacks: Spear Phishing
Targeted phishing attack
E-mail appears to originate from employer, friend or other trusted source
Spear-phishing attacks have evolved further: the lure is a link through a short-URL redirector rather than a file attachment
RANSOMWARE - CRYPTOLOCKER
POINT OF SALE MALWARE
Incident Response
DAY ONE
DAMAGE ASSESSMENT
What happened?
Who did it?
What was stolen?
How did this happen, and who dropped the ball?
OVERALL CONSIDERATIONS
IR: Who, What, How and How Long!
  Evidence Preservation/Analysis
  Detailed Investigation
  Attribution?
Remediation
  Tactical (Quick Hits)
  Strategic
Disclosures
  PII/PCI Breached
  Compliance (SEC, SOX, etc.)
  Federal and State Requirements
  Law Enforcement Referral
RESPONSE TEAM COMPONENTS
IT Security
Legal
Law Enforcement (LE)
Forensic Experts
Outside Counsel
PRACTICAL INCIDENT RESPONSE
Data Enumeration and Preservation
Implement Real-Time Network Monitoring
IT Employee and C-level Interviews
Review Existing IT Security Policy and Network Architecture
INVESTIGATIVE METHODOLOGY
Network Monitoring
Malware Analysis
Host-Based Analysis
Financial/Data Trail
Interviews/Motivation
TYPICAL INVESTIGATIVE RESULTS
Attacker Has Long-Term and Unfettered Access to the Network
Defined Penetration, Reconnaissance and Exfiltration Stages
Targeted Attack
Proprietary Intellectual Property Stolen
TYPICAL ATTACKER METHODOLOGY
Compromise Employee User Account
Escalate to Administrator Privileges
Reconnaissance and Network Enumeration
Develop Network Persistence
Target and Exfiltrate Data
Remediation
REMEDIATION Tactical Strategic
IDENTITY AND ACCESS MANAGEMENT
Perform an Entitlement Review
Use Security Groups to Good Effect
Principle of Least Privilege
Avoid Shared Administrator Accounts
REMEDIATION - QUICK HITS: PASSWORD MANAGEMENT
[Comic: xkcd 936, "Password Strength", reprinted from http://xkcd.com/936/]
REMEDIATION - QUICK HITS
Limit External Network Access
Secure Desktop vs. VPN Access
Limit Remote Desktop Protocol (Internal/External)
Multi-Factor Authentication
THIRD-PARTY VENDOR SECURITY
Focus on Operational Uptime
Limited Attention to Security
Tend to Lack Common Security Standards
Varied Incident Response (if any)
Limited to No Audits/Assessments
LIMITATIONS OF BLACK-BOX SOLUTIONS
"Set it and forget it" solutions do not work!
LIMITATIONS OF SIGNATURE-BASED DEFENSE
File name      MD5
zwshell.exe    093640a69c8eafbc60343bf9cd1d3ad3
zwshell.exe    18801e3e7083bc2928a275e212a5590e
zwshell.exe    85df6b3e2c1a4c6ce20fc8080e0b53e9
Three samples of the same tool, three different hashes: a signature keyed to any one hash misses the other two.
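To make the slide's point concrete, here is an added example (not from the original deck) in Python. Three constructed byte strings stand in for the three zwshell.exe samples; they differ only by padding or a single changed byte, which is enough to give each a distinct MD5. A hash blocklist built from the first sample misses the other two, while a byte-pattern rule and a crude n-gram similarity score still catch all three. The stand-in bytes, the pattern and the 0.7 similarity threshold are all assumptions for illustration.

```python
# Added example: why matching a file by MD5 fails once the attacker repacks
# it. The SAMPLES below are constructed stand-ins, not real executables.
from __future__ import annotations

import hashlib

BASE = b"MZ\x90\x00" + b"\x00" * 60 + b"zwshell remote shell build"
SAMPLES = {
    "zwshell.exe#1": BASE,
    "zwshell.exe#2": BASE + b"\x00" * 16,                        # padding appended
    "zwshell.exe#3": BASE.replace(b"build", b"bui1d") + b"\x01",  # one byte changed, one added
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hash_signature_hits(samples: dict[str, bytes], known: set[str]) -> dict[str, bool]:
    """Hash blocklist: only byte-for-byte identical files match."""
    return {name: md5_hex(data) in known for name, data in samples.items()}


def content_signature_hits(samples: dict[str, bytes], pattern: bytes) -> dict[str, bool]:
    """Byte-pattern rule (the YARA idea): survives padding and repacking as
    long as the pattern itself is left intact."""
    return {name: pattern in data for name, data in samples.items()}


def ngram_similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity over byte n-grams: a toy fuzzy-hash style measure
    that scores near-duplicates high even when no single pattern is shared."""
    grams_a = {a[i:i + n] for i in range(len(a) - n + 1)}
    grams_b = {b[i:i + n] for i in range(len(b) - n + 1)}
    if not grams_a or not grams_b:
        return 0.0
    return len(grams_a & grams_b) / len(grams_a | grams_b)


def compare_defenses(samples: dict[str, bytes], first_seen: str) -> dict[str, dict[str, bool]]:
    """The vendor has seen only `first_seen`; see which approach generalizes."""
    known = {md5_hex(samples[first_seen])}
    by_hash = hash_signature_hits(samples, known)
    by_content = content_signature_hits(samples, b"zwshell remote shell")
    by_similarity = {name: ngram_similarity(samples[first_seen], data) >= 0.7
                     for name, data in samples.items()}
    return {"hash": by_hash, "content": by_content, "similarity": by_similarity}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:14} {md5_hex(data)}")
    for method, hits in compare_defenses(SAMPLES, "zwshell.exe#1").items():
        print(f"{method:10} {hits}")
```

The content rule is only as good as the pattern chosen: an attacker who knows it can change that string too, which is why detection has to rest on behavior (persistence, outbound connections, credential use) and not on any single static feature.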
Strategic
SECURITY RISK ASSESSMENT
Threat
Risk and Risk Factors
Mitigation Controls
INFORMATION LIFECYCLE
Intellectual Property passes through: Creation, Storage, Reproduction, Transmission, Physical Transport, Disposal
INFORMATION SECURITY CONSIDERATIONS
Governance, Compliance and Risk Strategies
Security vs. Operations
Incident Response and Detection
Data Loss Prevention and Vulnerability Management
Data Categorization and Enumeration
Identity and Access Management
TOOL-BASED STRATEGY?
In order of emphasis: Technical Controls, Operations, Governance
Most data breaches occur under this strategy!
MOST EFFECTIVE STRATEGY TO MITIGATE RISK!
In order of emphasis: Governance, Operations, Technical Controls
Disclosure, Privilege & Litigation
REGULATORY REQUIREMENTS - A LEGAL ISSUE
48 State Breach Notification Laws (trigger: a compromise of security, confidentiality or integrity)
FTC Section 5
Gramm-Leach-Bliley Act
HIPAA
Payment Card Industry (PCI)
DFARS requirement for contractors
REGULATORY REQUIREMENTS - A LEGAL ISSUE
SEC Guidelines: material developments, or matters significant enough that an investor would want to know about (10-K/10-Q/8-K)
  Disclosure of successful breaches
  Disclosure of ability to defend against cyber attacks
  No disclosure of generic risk
EU Data Protection Directive
2014 BREACH-RELATED COSTS IN THE U.S.
Activity                                              Cost
Average Detection and Escalation Cost                 $417,700
Average Notification Cost                             $509,237
Average Post-Breach Costs (apart from Notification)   $1,599,996
Average Lost Business Cost                            $3,324,959
Average Cost Per Record                               $195
Average Number of Records                             29,087
Average Total Organizational Cost                     $5,850,000
Source: Ponemon Institute Research Report, 2014 Cost of a Data Breach Study: Global Analysis, May 2014
LITIGATION
Litigation is now a consequence of a data breach: class action lawsuits
Damages/Standing: split within the circuits
Injury may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing. Edwards v. First American Corp. (9th Cir. 2010); Supreme Court dismissed cert. as improvidently granted (6/28/12)
LITIGATION
Federal Statutes: Wiretap Act; Stored Communications Act; Video Privacy Protection Act
Violation of one's statutory rights under the SCA has been held to be a concrete injury.
Pleading Stage: general factual allegations of injury resulting from the defendant's conduct deemed sufficient.
Exorbitant discovery costs before dispositive motions.
LIABILITY PROTECTION
Data Retention Policy
Encryption
Cyber Insurance Policies
SAFETY Act Certification: provides important legal liability protections for providers of Qualified Anti-Terrorism Technologies, whether products or services.
ROLE OF OUTSIDE COUNSEL
Wrap your investigation or assessment in PRIVILEGE!
Preserving work product and the attorney-client privilege
Handled high-profile problems before?
Knows the litigation and media implications you'll face?
Essential where litigation is anticipated or inevitable
Retaining consultants, including PR
Interacting with LE and regulatory authorities
Interviewing witnesses
THANK YOU
Steve Kim, Managing Director, skim@strozfriedberg.com, 310-623-3306
Jeffrey S. Miller, Special Agent
Jason Smolanoff, Vice President, jsmolanoff@strozfriedberg.com, 310-623-3303
Raymond O. Aghaian, Partner, raghaian@mckennalong.com, 213.243.6160