Corporate Cyber Attacks: Managing Risk to Avoid Reputation Harm
Skadden, Arps, Slate, Meagher & Flom LLP: Cyberattacks 2014, How to Prepare Today and Respond Tomorrow
GOOD. SMART. BUSINESS. PROFIT.™
CORPORATE CYBERATTACKS: MANAGING RISK TO AVOID REPUTATIONAL HARM
September 18, 2014
HOST
Chelsie Chmela, Events Manager, Chelsie.Chmela@ethisphere.com

QUESTIONS
We encourage you to engage during the Q&A portion of today's webcast by using the "Submit Question" button located within your West LegalEdcenter experience or the Chat Box in ReadyTalk.

MATERIALS
Included in your registration:
• Event recording and deck: West LegalEdcenter provides on-demand event access for 180 days or until the end of your subscription, if sooner. Ethisphere will provide the recording and presentation deck following the live event to ReadyTalk attendees.
SPEAKING TODAY
Stuart Levi, Partner, Skadden, Arps, Slate, Meagher & Flom LLP & Affiliates
Devon Kerr, Senior Consultant, Mandiant
Privacy and Cybersecurity 2014: The Current State of Affairs
Presented by Stuart Levi
PRIVACY V. CYBERSECURITY
Privacy
• Privacy policy compliance
• Big data mining
• Privacy regulations
• Internet of things
• Do not track
• Location data
• Global enforcement
PRIVACY V. CYBERSECURITY
Cybersecurity
• Data breaches
• Non-data cyber theft
• Denial of service attacks
• Compliance with security policies
• NIST guidelines
PRIVACY V. CYBERSECURITY
Government spying
• Snowden revelations
• Access to records through public companies
• Government monitoring
• Global implications
PRIVACY V. CYBERSECURITY
(Diagram: Privacy / Cybersecurity)
• Government spying
• Data breaches
• Increased demands for privacy regulation
THE REALITY COMPANIES FACE TODAY
• Data breaches and cyberattacks are increasingly common.
• More companies are considered "targets of choice."
• A large segment of the security community has adopted an "assume you've been breached" mentality.
• Attacks are from:
  – Hackers looking to profit
  – State-sponsored organizations
  – Hackers looking to wreak havoc
THE REALITY COMPANIES FACE TODAY
• Attacks are not limited to personal information:
  – Theft of intellectual property
  – Theft of business information
  – Denial of service attacks
• No industry is immune from attack.
• Rapid detection has become as important as threat prevention.
  – Each day the threat is not detected, the level of damage and harm increases.
• Locating the source of the harm is becoming more difficult.
THE REALITY COMPANIES FACE TODAY
• Informative statistics from the Verizon 2013 Data Breach Investigations Report:
  – 78% of intrusions were rated as "low difficulty"
  – 69% discovered by external parties
  – 66% took multiple months to discover
  – 75% are considered opportunistic attacks
  – 80% involved authentication-based attacks
• Each statistic presents a potential liability risk.
KEY LEGAL THREATS TODAY
• FTC enforcement activity
  – "Misleading" consumers by "promising" industry-standard or robust security
  – Inadequate security protection
• Shareholder litigation
  – For any cybersecurity loss (not just data breaches)
    » Denial of service
    » Loss of intellectual property or confidential information
• Data breach class actions
THE RESPONSE CLOCK HAS ACCELERATED
HISTORICAL PRACTICE: companies often delayed notice until full forensic analysis was done
  » Provided time to formulate a response and manage PR, communications and legal
  » Companies were often hopeful that forensic analysis would reveal notice was not required
  » Sometimes delay was required by law enforcement, but this was the exception
THE RESPONSE CLOCK HAS ACCELERATED
• Today, companies face a new and pressing reality:
  – Privacy advocates/activists
    » Learning of breaches and threatening to go public if the company does not disclose
    » Generally unsympathetic to pleas that the company needs more time to formulate its response
  – Insurance plans may require prompt notice
DATA SECURITY CLASS ACTIONS ARE ON THE RISE
• Plaintiffs' lawyers are looking to cash in on the increase in data security breaches at retailers, banks and other institutions.
• Their tool of choice: large-scale class actions based around theories of alleged damage to consumers' privacy.
• While relatively few cases have been filed so far, the number will undoubtedly grow.
THE FTC AND PLAINTIFF LAWYERS NEED A HOOK
• The company failed to install or implement adequate security protections.
  – Were there internal or consultant recommendations that were ignored?
• The company "misled" customers about the level of its security.
• The company's procedures or policies were lacking or not followed.
  – Security policies
  – Vendor policies
• C-suite and/or board was not adequately kept apprised of security procedures.
• The company took too long to provide notice of a data breach or to respond to an attack.
KEY TAKEAWAY
The goal of every company today should be to eliminate as many of these hooks as possible.
STEPS EVERY COMPANY SHOULD BE TAKING TODAY
• Privacy audit and implementation
• Risk assessment
• Establish a rapid response team
• Testing
• Privacy by design
• Evaluate insurance coverage
PRIVACY AUDITS
• Typically performed by a law firm and/or external consultant
  – External advisers see issues that are hidden to companies
    » View each issue from a "what if" lawsuit perspective
  – "Good fact" in the event of a litigation
  – External advisers have the benefit of seeing best practices at other companies
  – Provides regulators with comfort
PRIVACY AUDITS
• Key steps:
  – Where is data coming into the company?
  – How is data used and what controls are in place?
  – How are security decisions made and implemented?
  – Do internal and external privacy policies align with actual practice?
    » Very often they do not
  – What is the company saying about its security practices?
  – What is the company disclosing in its public filings?
  – How are company executives and board members kept informed?
  – How mature is the privacy program?
  – What sort of training/retraining is provided?
• Critical step: need to act on audit recommendations
RISK ASSESSMENT
• What types of personal information could be compromised?
• Is there a risk of confidential information being compromised?
• What is the potential for lost business?
• Is there a potential for regulatory scrutiny?
• Is there a potential for fines and penalties?
• What is the potential for damage to reputation/loss of trust/media publicity?
ESTABLISHING A RAPID RESPONSE TEAM
• Critical in a world where you may lose control of the response timing
• Key stakeholders will bring unique and important perspectives
  – IT, legal, security, PR/communications, HR, risk management, corporate management, government relations
• Scrambling to figure out the team once an incident occurs is inefficient and dramatically increases the risk of a misstep
• Create a playbook of how incidents will be handled
• Understand the data breach notification requirements
• Understand SEC disclosure obligations
TESTING
• Critical to test your incident response plan at least semi-annually
  – Consider different scenarios
• Consider creating a report of areas to improve
  – But assess the risks of creating such a report
• Assess roles and responsibilities
  – Did people leave?
  – Was there any internal restructuring?
  – Were new systems implemented?
TESTING
• Update process documents
• Review third-party vendor contacts
  – PR
  – Forensics
  – Notification
  – Legal
  – Are these still the right contacts?
• Any changes to law
PRIVACY BY DESIGN
• Area of focus for the FTC
  » Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services
• Now a critical area for risk mitigation
• Key ideas:
  – Proactive not reactive
  – Privacy embedded into the design process
  – Visibility and transparency within the organization
  – Privacy and security as part of the corporate culture
EVALUATE INSURANCE COVERAGE
Critical areas of cyber insurance:
  – Network security liability (third party)
  – Privacy liability (third party)
  – Professional liability (third party)
  – Notification costs
  – Regulatory defense
  – Data loss/recreation
  – Business interruption
Skadden, Arps, Slate, Meagher & Flom LLP & Affiliates
Devon Kerr, Senior Consultant
© Copyright 2010
Introduction slide
• Introductions
• Overview
• Building an investigation-ready environment
• During an intrusion
• Post-incident activities
• Q&A
Important note
All information is derived from MANDIANT observations in non-classified environments. Some information has been sanitized to protect our clients' interests.
Introductions
DEVON KERR
• Former IT operations (10+ years)
• Lead investigator and forensic analyst
• Develops internal training for Mandiant consultants
• More than 15 investigations this year
Preparing for a breach
• Build an investigation-ready environment:
  – Logging and monitoring
  – Fundamental security controls
  – Important procedures
Investigation readiness
• Before the breach…
  – Centralize logs and alerts into a unified dashboard
    » Consolidation reduces effort and increases efficiency
    » Collect logs for user logins of all kinds
    » Increase the amount of logs retained
    » Make sure you can actually get the logs out of the system
  – Implement application whitelisting on all critical systems
    » Ensures that only approved software will run
    » Easiest and cheapest way to slow down an attacker
    » Good for detecting attackers if you centralize these logs, too!
Investigation readiness
• Before the breach… (continued)
  – Know where your data is
    » Intellectual property, financial data, competitive business data (sales, marketing, business logic)
    » Know the role of critical systems
  – Identify Internet points of presence
    » Egress points for user Internet access
    » VPN devices
    » Direct connections to service providers and partners
    » DMZs
  – Patch operating system and third-party software
    » Critical vulnerabilities should be patched within 2 days
Investigation readiness
• Before the breach… (continued)
  – Harden the environment
    » Block network traffic leaving your environment that doesn't have a known business purpose
    » Strengthen systems administration by using dedicated management systems
    » Identify all users with admin-level privileges and revoke those rights
    » Domain administrators shouldn't use privileged accounts for regular computer and network activities, only for administration
    » Implement a second factor of authentication, like a token, for remote access (VPN)
During an incident
• Facilitating the investigation
  – Respond to requests quickly
    » Identifying the function of a system
    » Identifying all systems which may contain a specific type of data (PII, financial records, etc.)
    » Be able to search logs on-demand
      Ex: search all log sources for an IP address
    » Be able to share logs with investigators
      Ex: provide a copy of all VPN logs
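As an added example (not part of the presentation or of Mandiant's tooling), the Python below shows the on-demand request the slide describes: three constructed log sources in three different formats are normalized into one timeline and searched for a single IP address. Hosts, users, addresses and timestamps are all made up.

```python
import csv
import io
import re

# Constructed sample records from three log sources in three formats (not real data):
# a syslog-style VPN log, a key=value firewall log and a CSV login audit export.
VPN_LOG = """\
2014-09-18T08:02:11Z vpn01 vpnd: user=jdoe src=203.0.113.45 action=login status=success
2014-09-18T08:45:03Z vpn01 vpnd: user=asmith src=198.51.100.7 action=login status=success
2014-09-18T09:10:27Z vpn01 vpnd: user=jdoe src=203.0.113.45 action=logout status=success
"""
FIREWALL_LOG = """\
ts=2014-09-18T08:03:00Z dev=fw-edge1 src=203.0.113.45 dst=10.0.5.12 dport=445 action=allow
ts=2014-09-18T08:03:05Z dev=fw-edge1 src=192.0.2.9 dst=10.0.5.12 dport=443 action=allow
"""
LOGIN_CSV = """\
time,host,user,source_ip,result
2014-09-18T08:04:19Z,fileserver02,jdoe,203.0.113.45,success
2014-09-18T08:30:00Z,dc01,svc-backup,10.0.5.12,success
"""
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_vpn(text):
    # "<timestamp> <host> <process>: key=value ..." -> one normalized record per line
    for line in text.splitlines():
        ts, host, _proc, rest = line.split(" ", 3)
        f = dict(KV_RE.findall(rest))
        yield {"source": "vpn", "time": ts, "host": host, "ip": f["src"],
               "user": f["user"], "event": f"{f['action']}/{f['status']}"}

def parse_firewall(text):
    # Pure key=value lines; the address of interest is the connection source.
    for line in text.splitlines():
        f = dict(KV_RE.findall(line))
        yield {"source": "firewall", "time": f["ts"], "host": f["dev"], "ip": f["src"],
               "user": None, "event": f"{f['action']} -> {f['dst']}:{f['dport']}"}

def parse_logins(text):
    # CSV login audit, e.g. an export from a domain controller or file server
    for row in csv.DictReader(io.StringIO(text)):
        yield {"source": "login-audit", "time": row["time"], "host": row["host"],
               "ip": row["source_ip"], "user": row["user"], "event": f"login/{row['result']}"}

def centralize():
    """Merge every source into one timeline (ISO-8601 UTC strings sort chronologically)."""
    records = [*parse_vpn(VPN_LOG), *parse_firewall(FIREWALL_LOG), *parse_logins(LOGIN_CSV)]
    return sorted(records, key=lambda r: r["time"])

def search_ip(records, ip):
    """The on-demand request from the slide: every record, from any source, involving ip."""
    return [r for r in records if r["ip"] == ip]
```

Because every parser emits the same field names, an investigator's request ("everything you have for this address") is answered with one query regardless of how many systems produced the logs.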
During an incident
• Remediating
  – Work with investigators to develop a remediation plan that includes short-term tactical and longer-term strategic objectives
    » Block malicious IP addresses
    » Sinkhole malicious domain names
    » Take infected systems offline and rebuild
    » Perform an enterprise password reset
    » …
Post-incident activities
• When the smoke clears
  – Determine notification requirements based on incident type, jurisdiction, and industry
  – Develop a coordinated message for the public
    » Understand that the public may include clients, regulatory bodies, and shareholders
  – Conduct a lessons learned exercise
  – Develop metrics
    » Time from incident to detection, detection to investigation, detection to remediation, etc.
    » Review metrics after each incident
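An added illustration of the metrics bullet, not taken from the presentation: this Python computes the three named durations for each incident and the program-wide median to review after every case. The incident names and dates are invented, and the timeline check rejects records whose stages are out of order.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median

@dataclass
class Incident:
    name: str
    first_compromise: datetime   # earliest attacker activity the investigation found
    detected: datetime           # first alert or external notification
    investigation_started: datetime
    remediated: datetime         # remediation plan executed

def hours(later, earlier):
    return (later - earlier).total_seconds() / 3600

def incident_metrics(inc):
    """The durations the slide names, in hours; rejects a timeline that is out of order."""
    stages = [inc.first_compromise, inc.detected, inc.investigation_started, inc.remediated]
    if stages != sorted(stages):
        raise ValueError(f"{inc.name}: timeline is not chronological")
    return {
        "compromise_to_detection_h": hours(inc.detected, inc.first_compromise),
        "detection_to_investigation_h": hours(inc.investigation_started, inc.detected),
        "detection_to_remediation_h": hours(inc.remediated, inc.detected),
    }

def program_metrics(incidents):
    """Median of each duration across incidents, the figure to review after each incident."""
    per_incident = [incident_metrics(i) for i in incidents]
    return {k: median(m[k] for m in per_incident) for k in per_incident[0]}

# Constructed sample incidents for the worked example (not real cases)
SAMPLE = [
    Incident("phish-01", datetime(2014, 3, 1, 9), datetime(2014, 3, 15, 14),
             datetime(2014, 3, 15, 16), datetime(2014, 3, 20, 12)),
    Incident("webshell-02", datetime(2014, 6, 10, 2), datetime(2014, 6, 10, 8),
             datetime(2014, 6, 10, 9), datetime(2014, 6, 12, 8)),
    Incident("vpn-cred-03", datetime(2014, 8, 1), datetime(2014, 8, 31),
             datetime(2014, 9, 1), datetime(2014, 9, 15)),
]

if __name__ == "__main__":
    for name, value in program_metrics(SAMPLE).items():
        print(f"{name}: {value:.1f}")
```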
Business Ethics Leadership Alliance (BELA)
This webcast and all future Ethisphere webcasts are available complimentary and on demand for BELA members. BELA members are also offered complimentary registration to Ethisphere's Global Ethics Summit and other Summits around the world.
For more information on BELA contact:
Laara van Loben Sels, Senior Director, Engagement Services
laara.vanlobensels@ethisphere.com
480.397.2663
PLEASE JOIN US FOR
October 30, 2014
Cyber-Security, IP Theft and Data Breaches: Practical Steps to Protect Corporate Assets Internally and with Third Parties
All upcoming Ethisphere events can be found at: http://ethisphere.com/events/
If you work in a classified environment, you may recognize some of the information we present today. MANDIANT observed everything we'll talk about in non-classified environments, and we've changed some of it to protect our clients.