Mitchell Hamline School of Law | April 27, 2016
2015-2016 MHSL Business Certificate Graduates
Samantha Barriga
Michelle Bradley (Jan. 2016)
Katelyn Bounds
Nathan Dorschner
Brenna Finley Erdmann
Eythan Frandle
Ayn Gates
Barry Gronke
Matthew Hartranft (Jan. 2016)
Sarah Holm
Abigail Lambert
Keith Larson
John Meyer
Ben Pflueger
Jungmin Ro
Briar Schnuckel
Ellen Tovo-Dwyer
“As I enter my final semester at Mitchell Hamline, it’s easy to list all of the ways that the Law and Business program has guided and shaped my time here.
I’ve been able to focus on my learning and development priorities both academically and professionally through the program’s courses, networking events, and externships. The coursework required for the Certificate along with the variety of available elective offerings provide challenging and fulfilling preparation for the “real world” expectations of business or corporate law.
Pursuit of the Law and Business Certificate was one of the best choices I’ve made during law school. I’m proud to be finishing the Certificate this semester and I will value the academic and professional experiences and connections I’ve established through the program for years to come.”
-- Mitchell Hamline Student
Cybersecurity: The New Priority for Business
CLE Event Code 218968
Program Faculty
• Professor Sharon Sandeen – Mitchell Hamline School of Law
• Andy Ubel – Chief Intellectual Property Counsel, Valspar Corp.
• Ken Morris – Senior Advisor, RedPoint Advisors
• Charlotte Tschider – Owner/Principal, Cybersimple Security, LLC
Valspar’s Story
Andy Ubel
Chief Intellectual Property Counsel
Valspar Corporation
Answers
A) There is really nothing you can do. IP protection in China is difficult to obtain and this employee didn’t sign a “non-compete” agreement. The manager should call HR and have them look for a replacement.
B) The employee should be terminated immediately. Computer access by this employee should be severed and the employee’s laptop and phone collected and quarantined. An immediate investigation should be undertaken to assess whether any sensitive data has been downloaded by the employee.
C) Fire the CIO when he tells you they don’t know if anything was taken, because no logs are kept.
D) Fire anyone else that is nearby.
Valspar faced this exact situation
David Wen Lee was Valspar’s “#2 Technical Employee” in our Consumer paints division.
Without any warning, he announced one Monday morning that he was quitting. He wouldn’t say where he was going.
Security wasn’t properly focused
Valspar had typical “security readiness.”
Like most companies Valspar had security against outside intrusions (more about that later), but little security against a “trusted employee.”
Our immediate response
Lee was sent home the day he resigned. A co-worker was asked to look at his computer and see if there were any clues as to where he might be headed.
We quickly uncovered some irregularities. But we had no smoking gun at this point.
We got lucky
A co-worker looked at some “invisible files” and uncovered a log file for an unauthorized program called “SyncToy.”
Lee had copied 44 Gigabytes of our sensitive data onto an external hard drive.
We called the FBI for help. This was mid-day on Wednesday.
We learned that David Lee was booked on a flight to China in less than 10 days!
Lee’s Arrest
Valspar’s new state of “readiness”
Lee’s theft woke us up.
Our IT systems were built with only a basic perimeter security focus and little internal security.
1. Trusted insiders could steal a lot of information – because they had wide access.
2. Outsiders, if they could get past the perimeter defenses, would also be able to steal a lot of information.
THIS MODEL IS OBVIOUSLY FLAWED
CyberSecurity – Attack Categories
• Denial of Service attacks
• Hacktivists
• “Insider” trade secret theft
• “Outsider” Cyber-thefts
  – “APT” theft of information
    • TS
    • PII
    • Etc.
  – Bank transaction theft
  – Ransomware
Advanced Persistent Threat – “APT”
• APT is an advanced hacking technique that permits an outsider to infect a computer network and download sensitive data without detection.
• APT hackers are well organized and will target a specific company’s data in exchange for a fee.
• APT hacking is a professional and profitable business.
• APT is not some bored teenager in his bedroom.
Security “Scorecard”
Security measures were grouped in four main categories:
• Data Security
• End Point Device Security
• Network Security
• Policy & Training
“Points” are awarded when certain security measures have been achieved.
NIST Cybersecurity Framework
Identify & Protect
Classify
• Special Control
• Confidential
• Internal Use Only
• Public
Protect
• “Need-to-know” access
• Focus on important Trade Secrets
Report
• Monitoring / security tool
Classification is only the first step
After you identify and classify your most important information you will then still need to identify all the ways that that information moves throughout your organization.
This will not be easy ….
“DLP” – Data Loss Prevention
DISCOVERY – What & where is sensitive data?
• Classification – persistent, inheritance
• Context – location, type, user
• Content – similarity, keyword, dictionary
ACTIVITY – What is the user doing with it?
• Email – attach, copy/paste, compose/send
• Files – move, copy/paste, burn/print, upload
• Application data – view, delete, modify
DESTINATION – Where is the data going?
• Devices, applications, networks, printers, Internet, recipients
CONTROL – What action is appropriate?
• Incident alert – detection
• Prompt user – intent/educate
• Warn user – awareness
• Encrypt data – protection
• Block action – prevention
Digital Guardian
• Monitoring
• Controls
• Classification
• Encryption
[Diagram: Digital Guardian deployed across Windows File Servers and Windows Workstations, with three labelled data flows, 1. Extract, 2. At Rest and 3. Download/Sync, and the controls Encrypt, Block and Prompt/Justify applied along them.]
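An added example, not from the slides and not any vendor’s product code: a small policy engine that applies the Identify & Protect classification levels above together with the DLP Discovery/Activity/Destination/Control matrix, ending in one of the deck’s control actions. The keyword dictionaries, group names, destination names and sample documents are all constructed for illustration.

```python
"""Added example (not from the slides or any DLP vendor): a policy engine built on
the deck's four classification levels and its DLP matrix. Keyword dictionaries,
group names, destinations and sample documents are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Set, Tuple


class Label(IntEnum):
    """Classification levels from the Identify & Protect slide, least to most sensitive."""
    PUBLIC = 0
    INTERNAL_USE_ONLY = 1
    CONFIDENTIAL = 2
    SPECIAL_CONTROL = 3


# Discovery / content: constructed keyword dictionaries that raise a document's label.
KEYWORD_DICTIONARY = {
    Label.SPECIAL_CONTROL: ("paint formulation", "trade secret"),
    Label.CONFIDENTIAL: ("account number", "ssn", "salary"),
    Label.INTERNAL_USE_ONLY: ("internal use only",),
}

# Protect / need-to-know: the group a user must hold to handle each level (constructed).
NEED_TO_KNOW = {
    Label.SPECIAL_CONTROL: "rd_formulation_team",
    Label.CONFIDENTIAL: "confidential_readers",
}

# Destination: how far outside the organization the data would travel (constructed names).
EXTERNAL_DESTINATIONS = {"internet", "removable_device", "external_recipient"}
INTERNAL_DESTINATIONS = {"file_server", "printer", "internal_recipient", "application"}

# Control: the deck's escalating actions, from detection to prevention.
ALLOW, ALERT, PROMPT, WARN, ENCRYPT, BLOCK = "allow", "alert", "prompt", "warn", "encrypt", "block"


@dataclass
class Document:
    path: str
    text: str
    persistent_label: Optional[Label] = None  # label already stamped on the file
    folder_label: Label = Label.PUBLIC        # label inherited from its location


def classify(doc: Document) -> Label:
    """Discovery: a persistent label wins; otherwise take the highest of the
    inherited folder label and any content-dictionary match."""
    if doc.persistent_label is not None:
        return doc.persistent_label
    label = doc.folder_label
    text = doc.text.lower()
    for level, words in KEYWORD_DICTIONARY.items():
        if any(word in text for word in words):
            label = max(label, level)
    return label


def decide(doc: Document, user_groups: Set[str], activity: str,
           destination: str) -> Tuple[str, str]:
    """Control: map (classification, activity, destination) to an action and a reason."""
    if destination not in EXTERNAL_DESTINATIONS | INTERNAL_DESTINATIONS:
        raise ValueError("unknown destination: " + destination)
    label = classify(doc)
    if label == Label.PUBLIC:
        return ALLOW, "public data"
    required = NEED_TO_KNOW.get(label)
    if required and required not in user_groups:
        return BLOCK, "need-to-know: user lacks group " + required
    external = destination in EXTERNAL_DESTINATIONS
    if label == Label.SPECIAL_CONTROL:
        # The crown jewels never leave; inside the network they stay encrypted.
        if external:
            return BLOCK, "special control data may not leave the organization"
        return ENCRYPT, "special control data encrypted at rest and in transit"
    if label == Label.CONFIDENTIAL:
        if activity == "download_sync" and destination == "removable_device":
            return BLOCK, "bulk sync of confidential data to removable media"
        if external:
            if activity == "email_attach":
                return ENCRYPT, "confidential attachment encrypted before sending"
            return PROMPT, "user must justify sending confidential data outside"
        if activity in ("burn_print", "copy_paste"):
            return ALERT, "confidential data reproduced; incident alert raised"
        return ALLOW, "confidential data handled inside the organization"
    # Internal Use Only: educate the user rather than stop the work.
    if external:
        return WARN, "internal-only data is leaving the organization"
    return ALLOW, "internal use"


# Constructed sample documents (no real data).
FORMULA = Document("//fs01/rd/coating-batch.docx",
                   "Paint formulation batch notes for the new exterior line")
INVOICE = Document("//fs01/finance/invoice-0421.pdf",
                   "Remit to account number 12345678 (constructed sample)")
MEMO = Document("//fs01/hr/parking.docx", "Parking lot closed Friday",
                folder_label=Label.INTERNAL_USE_ONLY)
```

Running `decide(FORMULA, {"rd_formulation_team"}, "copy", "removable_device")` returns a block, which is the control the 44 GB copy described earlier would have met.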
End Point Device Security (Protect)
Sensitive data is accessed using “end point” devices. MOST companies configure these devices with negligible security and hackers can exploit known weaknesses to gain access to these devices.
• Step 1 - BUILD a secure image for PCs, mobile devices, and servers.
• Step 2 - MAINTAIN the secure configuration.
  – Lock down the Admin Rights;
  – Prevent the use of unauthorized software; and
  – Patch the OS on a regular basis.
• Step 3 - DEPLOY the secure image on all machines.
  – Don’t trust the BYOD model.
Network Security – (Detect)
• Step 1 - BLOCK unauthorized devices (not just users) from gaining network access through VPN, wireless and LAN connections.
• Step 2 - DEPLOY a secure configuration for firewalls, routers and switches.
• Step 3 - ENABLE an Intrusion Prevention System that ALERTS security in real time as to any anomalous traffic.
• Step 4 - DEPLOY a Security Event Incident Management tool where all switch, router, firewall and critical server and database logs can be analyzed.
Policy and Physical Security (Respond/Recover)
• Step 1 - PUBLISH simplified corporate policies – that are SUPPORTED by the CEO.
• Step 2 - DEVELOP a robust incident response team.
• Step 3 - DESIGN and CONDUCT periodic penetration testing and auditing.
Some good news
Information security is basically “free.”
Properly secured IT systems will:
• Be streamlined (with fewer different “versions” of software);
• Be more cost effective (deployment of software will take less testing); and
• Require less field service.
Cybersecurity is not about Security
It is About Trust: Growth and Market Value
Ken Morris, J.D.
Redpoint Advisors
knectIQ Inc.
Forget any and all national/state data security regulations and frameworks. Any computing device capable of storing, processing, receiving or transmitting PII/PHI/M2M identifying information or other valuable enterprise information will be targeted.
Bottom Line: Meeting a statutory, regulatory or compliance provision is often suboptimal when it comes to protecting PII/PHI/M2M identifying or other valuable enterprise information.
Usability
Source: 2015 Accenture Digital Consumer Survey
TRUST AS A SERVICE
• Managed security is still primarily a traditional security approach
– Proactive, learning systems instead of traditional reactive models
• Security needs new champions – beyond the CISO and CRO
– Board level leadership
• Innovation is nice but execution is what matters
– Anyone or any organization that touches the enterprise must be involved in
maintaining a trusted environment
• Satisfaction with Security is an Illusion (most enterprises in reactionary mode)
– Frame cybersecurity as a risk management matter
• Digital trust requires a commitment to an ecosystem approach
– Every entity in the ecosystem secures identifying and sensitive information
• Customer expectations, the growth of threat surfaces in mobile and the IoT are
disruptors that traditional and conventional cybersecurity approaches do not
adequately address.
– Agility and adaptability become paramount
A COMPLEMENTARY PROTOCOL
1. Sender generates UID.
2. De-identified encrypted data sent with hashed and salted UID.
3. Validation & authentication: receiver removes salt from transmitted UID. Generates local UID.
4. Compare UIDs. If matched, receive data, authenticate, accept data, eliminate UIDs.
• NO SINGLE USE TOKENS
• NO STORED KEYS OR CERTIFICATES
• UNIQUE & CONSISTENT IDENTIFIER
• HARDENS AUTHENTICATION
• ENABLES OPTIMAL USE OF CONNECTED DEVICES & DATA
Patent Pending…
CONSIDERATIONS
• Establish and Enforce Cyber Governance
– IAM
• Strong passwords
• MFA (Multi-factor authentication)
• Role based access
– Board led “security as risk management” policy development
– Risk stratify digital and data assets
• Identify Vulnerabilities
• Protect the “Crown Jewels”
• Identify and monitor Threats
– Active, heuristic threat learning AI based platforms
• Collect, Analyze and Report Relevant Threat and Incident Information
• Do you have a “Trust as a Service Ecosystem”?
– Vendors
– Suppliers
– Other affiliate business partners (professional services: outside counsel,
consulting firms, etc.)
– Customers
• Plan and Respond!
Investing in Preparation:
The Incident Response Process
Reducing business impact through an efficient
incident response process.
Charlotte Tschider, J.D.
Cybersimple Security, LLC
Is it a Data Breach?
Day 1, 11:45 AM
“Jay Stellant” has gathered information from social media about your company, a provider of online timecard software. Jay calls your organization’s help desk, and convinces the operator that Jay is a business associate of your organization. The help desk operator gives Jay the director of finance’s business information.
Day 2, 9:00 AM
Jay calls the large business customers for your organization listed on your Website and marketing materials, posing as the finance director for your organization and is referred to their respective procurement departments.
Jay mentions that your organization has not yet received payment for their subscription, and access to your software will be removed if payment is not transferred within the next two business days. Jay provides an offshore account number registered with your business name and provides an e-mail address that is similar, but different from the finance director’s e-mail address.
Day 3, 10:30 AM
The procurement contact searches records and discovers that your organization has already been paid. He fears that the wrong account number was used for payment and sends an email to Jay’s false email address arranging a phone call. Jay calls the procurement contact and asks to validate the account number on record and an associated PIN. Jay now has one of your organization’s bank account numbers.
Day 3, 12:30 PM
Jay sends an email to a finance supervisor for your company whom he discovered on LinkedIn, after validating from a public Facebook account that the director of finance is currently on vacation.
Jay sends an email, using a convincing email signature from his e-mail address and listing the account number he gathered from the customer, mentioning that he is validating the correct account numbers for payment purposes with one of your customers, and would like to review the full account list directly in the system but needs the user ID/password. He states that he is on vacation, and that he needs this information as soon as possible.
Knowing the finance director is actually on vacation and wanting to impress him, the finance supervisor sends the log-on information for the system to Jay, a system that is managed by a third party and accessible outside of the corporate network.
Day 3, 5:30 PM
By the end of the day, the finance supervisor feels a bit unsettled with sending the e-mail earlier, and he decides to talk to his manager about the director’s request. The finance manager, who usually receives requests from the finance director, knows this is not typical behavior.
The finance manager reports the situation immediately through the employee relations hotline.
Day 4, 9:00 AM
An incident manager on the IT security team receives the report and calls the finance manager to gather more information. Together, they call the bank managing accounts, and the bank confirms that substantial amounts of money have been transferred to an offshore account.
WHAT HAPPENS NEXT?
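An added example, not part of the original deck: a mail-screening check built around the “Jay Stellant” scenario above. It flags a sender address that is a near-match for a known executive’s address (the “similar, but different” e-mail address) and a body that asks for log-on details or account numbers under time pressure, so that the finance supervisor’s message would have been held for a phone check. The directory, the keyword lists and the sample messages are constructed.

```python
"""Added example (not from the slides): screening inbound mail for the signals in
the 'Jay Stellant' scenario. The directory, keyword lists and sample messages are
constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed directory of addresses that impersonators typically imitate.
DIRECTORY = {
    "dana.finance@example-timecard.com": "Director of Finance",
    "pat.ceo@example-timecard.com": "Chief Executive Officer",
}

# Phrases from the scenario: requests for log-on details or account numbers, and urgency.
CREDENTIAL_TERMS = ("user id", "password", "log-on", "login", "account number", "pin")
URGENCY_TERMS = ("as soon as possible", "immediately", "within the next", "will be removed")
MAX_LOOKALIKE_DISTANCE = 2


@dataclass
class Message:
    sender: str
    subject: str
    body: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            current.append(min(previous[j] + 1,          # delete ca
                               current[j - 1] + 1,       # insert cb
                               previous[j - 1] + cost))  # substitute
        previous = current
    return previous[-1]


def lookalike_of(sender: str) -> Optional[Tuple[str, int]]:
    """Return (directory address, distance) when the sender is close to, but not
    exactly, a known address. An exact match is a legitimate internal sender."""
    sender = sender.strip().lower()
    if sender in DIRECTORY:
        return None
    best = None
    for known in DIRECTORY:
        distance = edit_distance(sender, known)
        if distance <= MAX_LOOKALIKE_DISTANCE and (best is None or distance < best[1]):
            best = (known, distance)
    return best


def _mentions(text: str, terms) -> bool:
    # Whole-word match so that "pin" does not fire on "shipping".
    return any(re.search(r"\b" + re.escape(t) + r"\b", text) for t in terms)


def screen(msg: Message) -> Dict[str, object]:
    """Combine the signals into a rating a mail gateway or help desk can act on."""
    text = (msg.subject + " " + msg.body).lower()
    lookalike = lookalike_of(msg.sender)
    asks_credentials = _mentions(text, CREDENTIAL_TERMS)
    urgent = _mentions(text, URGENCY_TERMS)
    if lookalike and asks_credentials:
        risk = "high"      # impersonated executive asking for secrets: hold, verify by phone
    elif lookalike or (asks_credentials and urgent):
        risk = "medium"    # one strong signal: warn the recipient, route to security review
    else:
        risk = "low"
    return {"lookalike": lookalike, "credential_request": asks_credentials,
            "urgent": urgent, "risk": risk}


# Constructed sample messages mirroring the scenario (the first swaps "m" for "rn").
SAMPLE_MESSAGES: List[Message] = [
    Message("dana.finance@exarnple-timecard.com", "Account validation",
            "I am on vacation and need the user ID/password for the accounts system "
            "as soon as possible to validate account number 12345678 for a customer."),
    Message("dana.finance@example-timecard.com", "Q2 forecast",
            "Please send the updated forecast deck before Thursday's review."),
]
```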
Agenda
• Introduction to Incident Response
• Incident Response, the Law, and Industry
• The Incident Response Process
• The Incident Response Plan
• The Incident Response Management Team
• Collaborating with Government Officials
• Data Breach Obligations
• Key Takeaways
Introduction to Incident Response
DEFINING INCIDENT
An occurrence that actually or potentially results in adverse consequences to an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences.
An “Incident” includes potential future data breaches before they are confirmed and other adverse consequences.
Incidents may affect the confidentiality of information, availability of information, or integrity of information.
DEFINING DATA BREACH
The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.
“Sensitive information” can be interpreted differently depending on industry, but state data breach notification statutes usually apply to personal information.
TERMINOLOGY MATTERS!
AN EFFECTIVE INCIDENT RESPONSE PROCESS:
• Can identify potential incidents through tools and self-reporting quickly, reducing or avoiding damage
• Centralizes reporting for fast escalation and decision-making
• Does not define a situation too early; focuses on information gathering
• Prioritizes communication strategy, both external and internal
• Enables retention of accurate information for future litigation, involving civil and criminal liability
Incident response is a collaborative process, including a variety of business leaders and government, depending on the incident.
Incident Response, the Law, and Industry
Organization Type – Requirement*
• Financial Institutions – Interagency Guidance under the Gramm-Leach-Bliley Act requires a security breach response program.
• Healthcare HIPAA Covered Entities – The HIPAA Security Rule at 45 CFR § 164.308(a)(6)(i) requires a covered entity to “identify and respond to suspected or known security incidents.”
• Government Contractors – Government contractors may be required to follow NIST guidelines within a government contract under FISMA.
• Organizations with customers in specific states/territories – 51 U.S. state and territory data breach notification statutes require notification upon discovery of a reasonably suspected data breach.
• Retailers / Organizations Accepting Payment Cards – Payment Card Industry requirements specify “implement[ion of] an incident response plan [and to] be prepared to respond immediately to a system breach.”
*Contracts may also require incident response efforts and notification.
The Incident Response Process
Plan → Detect → Contain → Notify → Recover → Improve
• One employee should be responsible for Incident Response.
• Cybersecurity controls should be in place to detect intrusion and unauthorized use.
• The Incident Response Team should use repeatable procedures to contain and preserve incident details.
• Continuous learning is critical to timely response.
The Incident Response Plan
An Incident Response Plan Should Include:
• Mission, strategies, and goals statements
• Organizational approach
• Details of senior leadership involvement and approval
• Approach for communication within and outside the organization
• References to procedures (which then include checklists, technical processes, forms, or playbooks)
• Effectiveness metrics
• Maturity Roadmap
Incident response plans should be tested at least annually. Tabletop exercises and true readiness testing ensure plans are useful during an incident.
The Incident Response Management Team
[Org chart: the roles shown are CEO, Chief Information Security Officer, General Counsel, Chief Information Officer, Public Relations, Chief Risk Officer (or CFO), Incident Response Manager, Human Relations, Marketing, Technology Architect, Internal Communications and External Counsel, grouped into a core incident response team and additional team members.]
Collaborating with Government Officials
ADVANTAGES
• Officials may be able to “connect the dots” across other information sources
• Early assistance with correct forensic procedures
• May reduce damage with more complete, efficient response
• Benefit of the doubt if administrative action taken
• Better positioned to stop a particular actor from attacking again
• Future partnership and information sharing
DISADVANTAGES
• Once engaged, the government will typically take control to manage a situation
• Administrative agency notification may be required sooner than an organization might feel comfortable
• Disclosing information to the government may necessitate involvement of external counsel earlier in the process
Data Breach Obligations
Data breach notification obligations may include:
• Administrative agencies overseeing federal regulations with which the organization must comply (e.g. FTC, FCC, OCR, OMB)
• Affected consumers under specific regulations (e.g. HIPAA)
• Shareholders, if a data breach is considered “material”
• Customers or insurers that are owed notification under contract
Based on the affected person’s residence, notification to:
• International authorities (e.g. the EU Data Protection Authorities)
• Consumers whose personal information has likely been compromised in a state with a statute requiring notification
• Major credit monitoring agencies and state AGs when required
• The media as an alternative to direct consumer notice over a specific volume
Key Takeaways
• Incident response is an effective risk management technique to protect organizational assets.
• Incident response plans must be exercised to ensure they are effective when used.
• Organizations must include executives early in the incident response process.
• Organizations should decide government involvement on a case-by-case basis.
• Organizations must be reasonably certain of exposure before labeling an incident a “data breach.”
More Information
Board of Governors of the Federal Reserve System, Interagency Guidelines Establishing Information Security Standards (Aug. 2, 2013), https://www.federalreserve.gov/bankinforeg/interagencyguidelines.htm.
National Institute of Standards and Technology, Computer Security Incident Handling Guide, Special Publication 800-61 Revision 2 (Aug. 2012), http://dx.doi.org/10.6028/NIST.SP.800-61r2.
National Initiative for Cybersecurity Careers and Studies, A Glossary of Common Cybersecurity Terminology, https://niccs.us-cert.gov/glossary.
National Conference of State Legislatures, Security Breach Notification Laws (Jan. 4, 2016), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
United States Computer Emergency Readiness Team, US-CERT Federal Incident Notification Guidelines (Oct. 1, 2014), https://www.us-cert.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines.pdf.
Panel Discussion and Q&A
一比一原版(USC毕业证书)南加州大学毕业证学位证书
 
Performance of contract-1 law presentation
Performance of contract-1 law presentationPerformance of contract-1 law presentation
Performance of contract-1 law presentation
 
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
 
The doctrine of harmonious construction under Interpretation of statute
The doctrine of harmonious construction under Interpretation of statuteThe doctrine of harmonious construction under Interpretation of statute
The doctrine of harmonious construction under Interpretation of statute
 
一比一原版悉尼科技大学毕业证如何办理
一比一原版悉尼科技大学毕业证如何办理一比一原版悉尼科技大学毕业证如何办理
一比一原版悉尼科技大学毕业证如何办理
 
一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理
 
Cyber Laws : National and International Perspective.
Cyber Laws : National and International Perspective.Cyber Laws : National and International Perspective.
Cyber Laws : National and International Perspective.
 
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
 
Elective Course on Forensic Science in Law
Elective Course on Forensic Science  in LawElective Course on Forensic Science  in Law
Elective Course on Forensic Science in Law
 
Relationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdfRelationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdf
 
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
 
一比一原版(USYD毕业证书)澳洲悉尼大学毕业证如何办理
一比一原版(USYD毕业证书)澳洲悉尼大学毕业证如何办理一比一原版(USYD毕业证书)澳洲悉尼大学毕业证如何办理
一比一原版(USYD毕业证书)澳洲悉尼大学毕业证如何办理
 
Human Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptxHuman Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptx
 
ARTICLE 370 PDF about the indian constitution.
ARTICLE 370 PDF about the  indian constitution.ARTICLE 370 PDF about the  indian constitution.
ARTICLE 370 PDF about the indian constitution.
 
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
 
一比一原版埃克塞特大学毕业证如何办理
一比一原版埃克塞特大学毕业证如何办理一比一原版埃克塞特大学毕业证如何办理
一比一原版埃克塞特大学毕业证如何办理
 
Shubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptxShubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptx
 

Cybersecurity: The New Priority for Business

  • 1.
  • 2. 2015-2016 MHSL Business Certificate Graduates (Mitchell Hamline School of Law | 2, April 27, 2016): Samantha Barriga, Michelle Bradley (Jan. 2016), Katelyn Bounds, Nathan Dorschner, Brenna Finley Erdmann, Eythan Frandle, Ayn Gates, Barry Gronke, Matthew Hartranft (Jan. 2016), Sarah Holm, Abigail Lambert, Keith Larson, John Meyer, Ben Pflueger, Jungmin Ro, Briar Schnuckel, Ellen Tovo-Dwyer
  • 3. “As I enter my final semester at Mitchell Hamline, it’s easy to list all of the ways that the Law and Business program has guided and shaped my time here. I’ve been able to focus on my learning and development priorities both academically and professionally through the program’s courses, networking events, and externships. The coursework required for the Certificate along with the variety of available elective offerings provide challenging and fulfilling preparation for the “real world” expectations of business or corporate law. Pursuit of the Law and Business Certificate was one of the best choices I’ve made during law school. I’m proud to be finishing the Certificate this semester and I will value the academic and professional experiences and connections I’ve established through the program for years to come.” -- Mitchell Hamline Student
  • 4.
  • 5. Program Faculty
    • Professor Sharon Sandeen — Mitchell Hamline School of Law
    • Andy Ubel – Chief Intellectual Property Counsel, Valspar Corp.
    • Ken Morris – Senior Advisor, RedPoint Advisors
    • Charlotte Tschider — Owner/Principal, Cybersimple Security, LLC
    CLE Event Code 218968
    Cybersecurity: The New Priority for Business
  • 6. Valspar’s Story. Andy Ubel, Chief Intellectual Property Counsel, Valspar Corporation
  • 7. Answers
    A) There is really nothing you can do. IP protection in China is difficult to obtain and this employee didn’t sign a “non-compete” agreement. The manager should call HR and have them look for a replacement.
    B) The employee should be terminated immediately. Computer access by this employee should be severed and the employee’s laptop and phone collected and quarantined. An immediate investigation should be undertaken to assess whether any sensitive data has been downloaded by the employee.
    C) Fire the CIO when he tells you they don’t know if anything was taken, because no logs are kept.
    D) Fire anyone else that is nearby.
  • 8. Valspar faced this exact situation: David Wen Lee was Valspar’s “#2 Technical Employee” in our Consumer paints division. Without any warning, he announced one Monday morning that he was quitting. He wouldn’t say where he was going.
  • 9. Security wasn’t properly focused: Valspar had typical “security readiness.” Like most companies, Valspar had security against outside intrusions (more about that later), but little security against a “trusted employee.”
  • 10. Our immediate response: Lee was sent home the day he resigned. A co-worker was asked to look at his computer and see if there were any clues as to where he might be headed. We quickly uncovered some irregularities, but we had no smoking gun at this point.
  • 11. We got lucky: A co-worker looked at some “invisible files” and uncovered a log file for an unauthorized program called “Synch Toy.” Lee had copied 44 gigabytes of our sensitive data onto an external hard drive. We called the FBI for help. This was mid-day on Wednesday. We learned that David Lee was booked on a flight to China in less than 10 days!
  • 12. Lee’s Arrest (image slide)
  • 13. Valspar’s new state of “readiness”
    Lee’s theft woke us up. Our IT systems were built with only a basic perimeter security focus and little internal security.
    1. Trusted insiders could steal a lot of information – because they had wide access.
    2. Outsiders, if they could get past the perimeter defenses, would also be able to steal a lot of information.
    THIS MODEL IS OBVIOUSLY FLAWED
  • 14. CyberSecurity – Attack Categories
    • Denial of Service attacks
    • Hacktivists
    • “Insider” trade secret theft
    • “Outsider” cyber-thefts
      – “APT” theft of information (TS, PII, etc.)
      – Bank transaction theft
      – Ransomware
  • 15. Advanced Persistent Threat – “APT”
    • APT is an advanced hacking technique that permits an outsider to infect a computer network and download sensitive data without detection.
    • APT hackers are well organized and will target a specific company’s data in exchange for a fee.
    • APT hacking is a professional and profitable business.
    • APT is not some bored teenager in his bedroom.
  • 16. Security “Scorecard”
    Security measures were grouped in four main categories:
    • Data Security
    • End Point Device Security
    • Network Security
    • Policy & Training
    “Points” are awarded when certain security measures have been achieved.
  • 17. NIST Cybersecurity Framework (image slide)
  • 18. Identify & Protect
    Classify: Special Control; Confidential; Internal Use Only; Public
    Protect: “Need-to-know” access; focus on important trade secrets
    Report: Monitoring / security tool
  • 19. Classification is only the first step: After you identify and classify your most important information you will then still need to identify all the ways that that information moves throughout your organization. This will not be easy ….
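Slides 18 and 19 name four labels and say that access to the important material should be need-to-know. The Python below is an added example written for this page; it is not Valspar's tooling and not code from the slides. It encodes the four labels as an ordering plus project "compartments", so that clearance alone never unlocks a trade secret, and adds an exposure check that lists who can read each document, which is the "wide access" question from slide 13. The label names come from the slide; the rules, the compartments, and the sample users and documents are assumptions made for illustration.

```python
"""Need-to-know access decisions over the four classification labels.

Added example, not Valspar's tooling or code from the slides. The labels
(Special Control, Confidential, Internal Use Only, Public) come from the
slide; the rules, the project "compartments" and the sample users and
documents are assumptions made for illustration.
"""
from dataclasses import dataclass

# Ordered least to most restrictive, as listed on the "Classify" slide.
LEVELS = {"Public": 0, "Internal Use Only": 1, "Confidential": 2, "Special Control": 3}


@dataclass(frozen=True)
class Document:
    name: str
    classification: str
    projects: frozenset = frozenset()  # need-to-know compartments (assumed)


@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    projects: frozenset = frozenset()
    active: bool = True  # False once HR has off-boarded the person


def can_read(user, doc):
    """Return (allowed, reason) for one user/document pair.

    Assumed rules: disabled accounts get nothing; no "read-up" past the
    user's clearance; and at Confidential or above clearance alone is not
    enough, the user must share a project with the document. A Special
    Control document with no project tag is treated as misfiled and denied
    to everyone, so a labelling mistake fails closed.
    """
    if not user.active:
        return False, "account disabled"
    if user.clearance not in LEVELS or doc.classification not in LEVELS:
        return False, "unknown label"
    level = LEVELS[doc.classification]
    if LEVELS[user.clearance] < level:
        return False, "clearance below classification"
    if level >= LEVELS["Confidential"]:
        if not doc.projects and level == LEVELS["Special Control"]:
            return False, "Special Control document has no compartment"
        if doc.projects and not (doc.projects & user.projects):
            return False, "no need-to-know"
    return True, "ok"


def exposure(users, docs):
    """Map each document name to the sorted list of users who can read it.

    This is the "wide access" review: if a trade-secret document is
    readable by most of the company, the classification is not doing
    its job.
    """
    return {d.name: sorted(u.name for u in users if can_read(u, d)[0]) for d in docs}


# Constructed sample data (not real people or documents).
USERS = [
    User("alice", "Special Control", frozenset({"consumer-paints"})),
    User("bob", "Confidential", frozenset({"consumer-paints"})),
    User("carol", "Special Control", frozenset({"coatings"})),
    User("lee", "Special Control", frozenset({"consumer-paints"}), active=False),
]
DOCS = [
    Document("paint-formula-v3", "Special Control", frozenset({"consumer-paints"})),
    Document("q1-pricing", "Confidential", frozenset({"consumer-paints", "coatings"})),
    Document("mislabelled-recipe", "Special Control"),
    Document("holiday-calendar", "Internal Use Only"),
    Document("press-release", "Public"),
]

if __name__ == "__main__":
    for name, readers in exposure(USERS, DOCS).items():
        print(f"{name:20} {readers}")
```

Running the module prints, per document, who can read it: the formula is readable by one person, the mislabelled Special Control document by nobody until someone fixes its compartment, and the off-boarded account by nothing at all. The same `exposure` table, run against a real directory export, is the quickest way to find the "wide access" slide 13 describes.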
  • 20. (image slide)
  • 21. “DLP” - Data Loss Prevention
    DISCOVERY: What & where is sensitive data?
      Classification: persistent, inheritance
      Context: location, type, user
      Content: similarity, keyword, dictionary
    ACTIVITY: What is the user doing with it?
      Email: attach, copy/paste, compose/send
      Files: move, copy/paste, burn/print, upload
      Application data: view, delete, modify
    DESTINATION: Where is the data going?
      Devices, applications, networks, printers, Internet, recipients
    CONTROL: What action is appropriate?
      Incident alert (detection); prompt user (intent/educate); warn user (awareness); encrypt data (protection); block action (prevention)
  • 22. Digital Guardian (diagram slide): capabilities listed are Monitoring, Controls, Classification and Encryption. The data flows shown between Windows File Servers and Windows Workstations are 1. Extract, 2. At Rest and 3. Download/Sync, with Encrypt, Block and Prompt/Justify as the controls applied.
  • 23. End Point Device Security (Protect)
    Sensitive data is accessed using “end point” devices. MOST companies configure these devices with negligible security and hackers can exploit known weaknesses to gain access to these devices.
    • Step 1 - BUILD a secure image for PCs, mobile devices, and servers.
    • Step 2 - MAINTAIN the secure configuration.
      – Lock down the Admin Rights;
      – Prevent the use of unauthorized software; and
      – Patch the OS on a regular basis.
    • Step 3 – DEPLOY the secure image on all machines.
      – Don’t trust the BYOD model.
  • 24. Network Security (Detect)
    • Step 1 - BLOCK unauthorized devices (not just users) from gaining network access through VPN, wireless and LAN connections.
    • Step 2 - DEPLOY a secure configuration for firewalls, routers and switches.
    • Step 3 - ENABLE an Intrusion Prevention System that ALERTS security in real time as to any anomalous traffic.
    • Step 4 - DEPLOY a Security Event Incident Management tool where all switch, router, firewall and critical server and database logs can be analyzed.
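Slide 11 and slides 21 to 24 together describe what detection has to catch: an unauthorized sync program being run, a large copy to an external drive, and logs central enough that somebody notices. The Python below is an added example, not code from the slides and not from Digital Guardian or any SIEM product. It runs two rules over constructed endpoint events: an allowlist check on started programs (the "prevent unauthorized software" step of slide 23) and a 24-hour sliding-window byte total for copies to removable media, with severity raised for users HR has flagged as leaving. The key=value event format, the approved-software list, the 1 GiB threshold and the watch list are all assumptions; the sample events are constructed, not a real capture.

```python
"""Detection logic for the two things Valspar's story turned on: an
unauthorized sync tool being run, and bulk copies to removable media.

Added example, not code from the slides or from any DLP/SIEM product.
The key=value event format, the approved-software list, the 1 GiB / 24 h
threshold and the HR watch list are all assumptions; the sample events
are constructed, not a real capture.
"""
from collections import defaultdict
from datetime import datetime, timedelta

GIB = 1024 ** 3
BULK_THRESHOLD = 1 * GIB  # assumed: >1 GiB to removable media in any 24 h window
WINDOW = timedelta(hours=24)
# Assumed allowlist: anything else started on an endpoint is unauthorized software.
APPROVED_IMAGES = {"outlook.exe", "excel.exe", "winword.exe", "chrome.exe", "explorer.exe"}
# Assumed: users HR has flagged (resignation given, departure pending) get higher severity.
WATCH_LIST = {"dlee"}

# Constructed sample events: ISO timestamp followed by key=value pairs.
SAMPLE_EVENTS = """\
2016-04-18T08:55:10Z host=LAB-PC-14 user=dlee event=process_start image=excel.exe
2016-04-18T12:03:41Z host=LAB-PC-14 user=dlee event=process_start image=SyncToy.exe
2016-04-18T12:05:02Z host=LAB-PC-14 user=dlee event=file_copy dest=removable bytes=734003200
2016-04-18T12:40:19Z host=LAB-PC-14 user=dlee event=file_copy dest=removable bytes=524288000
2016-04-19T10:15:00Z host=LAB-PC-14 user=dlee event=file_copy dest=removable bytes=1073741824
2016-04-18T09:10:00Z host=HR-PC-02 user=mroe event=file_copy dest=removable bytes=4194304
2016-04-18T09:12:00Z host=HR-PC-02 user=mroe event=process_start image=outlook.exe
"""


def parse_events(text):
    """Parse one event per line into dicts; the first token is the timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        event = {"time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")}
        for pair in pairs:
            key, _, value = pair.partition("=")
            event[key] = value
        events.append(event)
    return events


def severity_for(user):
    return "high" if user in WATCH_LIST else "medium"


def unauthorized_software(events):
    """One alert per process start whose image is not on the allowlist."""
    return [
        {"rule": "unauthorized_software", "user": e["user"], "host": e["host"],
         "severity": severity_for(e["user"]), "detail": e["image"]}
        for e in events
        if e.get("event") == "process_start" and e["image"].lower() not in APPROVED_IMAGES
    ]


def peak_removable_bytes(events):
    """Per user, the largest byte total copied to removable media in any
    24 h window (sorted two-pointer sliding window)."""
    copies = defaultdict(list)
    for e in events:
        if e.get("event") == "file_copy" and e.get("dest") == "removable":
            copies[e["user"]].append((e["time"], int(e["bytes"])))
    peaks = {}
    for user, items in copies.items():
        items.sort()
        start, running, peak = 0, 0, 0
        for t, size in items:
            running += size
            while t - items[start][0] > WINDOW:  # drop copies older than the window
                running -= items[start][1]
                start += 1
            peak = max(peak, running)
        peaks[user] = peak
    return peaks


def bulk_removable_copies(events):
    return [
        {"rule": "bulk_removable_copy", "user": user,
         "severity": severity_for(user), "detail": total}
        for user, total in sorted(peak_removable_bytes(events).items())
        if total > BULK_THRESHOLD
    ]


def detect(events):
    return unauthorized_software(events) + bulk_removable_copies(events)


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed input the sync tool is flagged the minute it starts, and the copies cross the byte threshold on the second file rather than the tenth, which is the difference between finding a log file by luck on Wednesday and having an alert on Monday. The sliding window matters: a per-day total would have missed a copy session that straddles midnight.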
  • 25. Policy and Physical Security (Respond/Recover)
    • Step 1 - PUBLISH simplified corporate policies – that are SUPPORTED by the CEO.
    • Step 2 - DEVELOP a robust incident response team.
    • Step 3 - DESIGN and CONDUCT periodic penetration testing and auditing.
  • 26. Some good news: Information security is basically “free.” Properly secured IT systems will:
    • Be streamlined (with fewer different “versions” of software);
    • Be more cost effective (deployment of software will take less testing); and
    • Require less field service.
  • 27. Cybersecurity is not about Security. It is About Trust: Growth and Market Value. Ken Morris, J.D., Redpoint Advisors, knectIQ Inc.
  • 28. Forget any and all national/state data security regulations and frameworks. Any computing device capable of storing, processing, receiving or transmitting PII/PHI/M2M identifying information or other valuable enterprise information will be targeted. Bottom Line: Meeting a statutory, regulatory or compliance provision is often suboptimal when it comes to protecting PII/PHI/M2M identifying or other valuable enterprise information.
  • 29 to 40. (image slides; the only text is the title “Usability” on slide 31 and “Source: 2015 Accenture Digital Consumer Survey” on slide 33)
  • 41. TRUST AS A SERVICE
    • Managed security is still primarily a traditional security approach
      – Proactive, learning systems instead of traditional reactive models
    • Security needs new champions – beyond the CISO and CRO
      – Board level leadership
    • Innovation is nice but execution is what matters
      – Anyone or any organization that touches the enterprise must be involved in maintaining a trusted environment
    • Satisfaction with Security is an Illusion (most enterprises in reactionary mode)
      – Frame cybersecurity as a risk management matter
    • Digital trust requires a commitment to an ecosystem approach
      – Every entity in the ecosystem secures identifying and sensitive information
    • Customer expectations, the growth of threat surfaces in mobile and the IoT are disruptors that traditional and conventional cybersecurity approaches do not adequately address.
      – Agility and adaptability become paramount
  • 42. A COMPLEMENTARY PROTOCOL (Patent Pending…)
    Sender generates UID. De-identified encrypted data sent with hashed and salted UID. Validation & authentication: receiver removes salt from transmitted UID, generates local UID, compares UIDs. If matched, receive data, authenticate, accept data, eliminate UIDs.
    • NO SINGLE USE TOKENS
    • NO STORED KEYS OR CERTIFICATES
    • UNIQUE & CONSISTENT IDENTIFIER
    • HARDENS AUTHENTICATION
    • ENABLES OPTIMAL USE OF CONNECTED DEVICES & DATA
  • 43. CONSIDERATIONS
    • Establish and Enforce Cyber Governance
      – IAM: strong passwords; MFA (multi-factor authentication); role based access
      – Board led “security as risk management” policy development
      – Risk stratify digital and data assets: identify vulnerabilities; protect the “Crown Jewels”
    • Identify and monitor Threats
      – Active, heuristic threat learning AI based platforms
    • Collect, Analyze and Report Relevant Threat and Incident Information
    • Do you have a “Trust as a Service Ecosystem”?
      – Vendors
      – Suppliers
      – Other affiliate business partners (professional services: outside counsel, consulting firms, etc.)
      – Customers
    • Plan and Respond!
  • 44. Investing in Preparation: The Incident Response Process. Reducing business impact through an efficient incident response process. Charlotte Tschider, J.D., Cybersimple Security, LLC
  • 45. Is it a Data Breach?
    Day 1, 11:45 AM: “Jay Stellant” has gathered information from social media about your company, a provider of online timecard software. Jay calls your organization’s help desk, and convinces the operator that Jay is a business associate of your organization. The help desk operator gives Jay the director of finance’s business information.
    Day 2, 9:00 AM: Jay calls the large business customers for your organization listed on your Website and marketing materials, posing as the finance director for your organization and is referred to their respective procurement departments. Jay mentions that your organization has not yet received payment for their subscription, and access to your software will be removed if payment is not transferred within the next two business days. Jay provides an offshore account number registered with your business name and provides an e-mail address that is similar, but different from the finance director’s e-mail address.
  • 46. Is it a Data Breach? (continued)
    Day 3, 10:30 AM: The procurement contact searches records and discovers that your organization has already been paid. He fears that the wrong account number was used for payment and sends an email to Jay’s false email address arranging a phone call. Jay calls the procurement contact and asks to validate the account number on record and an associated PIN. Jay now has one of your organization’s bank account numbers.
  • 47. Is it a Data Breach? (continued)
    Day 3, 12:30 PM: Jay sends an email to a finance supervisor for your company they discovered on LinkedIn, after validating from a public Facebook account that the director of finance is currently on vacation. Jay sends an email, using a convincing email signature from his e-mail address and listing the account number he gathered from the customer, mentioning that he is validating the correct account numbers for payment purposes with one of your customers, and would like to review the full account list directly in the system but needs the user ID/password. He states that he is on vacation, and that he needs this information as soon as possible. Knowing the finance director is actually on vacation and wanting to impress him, the finance supervisor sends the log-on information for the system to Jay, a system that is managed by a third party and accessible outside of the corporate network.
  • 48. Is it a Data Breach? (continued)
    Day 3, 5:30 PM: By the end of the day, the finance supervisor feels a bit unsettled with sending the e-mail earlier, and he decides to talk to his manager about the director’s request. The finance manager, who usually receives requests from the finance director, knows this is not typical behavior. The finance manager reports the situation immediately through the employee relations hotline.
    Day 4, 9:00 AM: An incident manager on the IT security team receives the report and calls the finance manager to gather more information. Together, they call the bank managing accounts, and the bank confirms that substantial amounts of money have been transferred to an offshore account.
    WHAT HAPPENS NEXT?
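The scenario turns on two details a mail gateway can check: an address that is "similar, but different" from the finance director's, and a display name that matches a real executive. The Python below is an added example written for this page, not part of the slides. It screens inbound From headers against a constructed directory of people who are commonly impersonated and an assumed organization domain, flagging sender domains within an assumed edit distance of the real one and display names that point at the wrong address. The names, addresses, domain and headers are all constructed.

```python
"""Screening inbound mail for executive impersonation and lookalike domains.

Added example, not from the CLE slides. The directory of known senders,
the organization's domain and the inbound headers are constructed; the
edit-distance threshold of 2 is an assumption.
"""
import re

OWN_DOMAIN = "example-timecards.com"  # assumed organization domain
LOOKALIKE_MAX_DISTANCE = 2            # assumed: domains this close to ours are suspicious

# Constructed directory of people who are commonly impersonated, keyed by display name.
DIRECTORY = {
    "dana ortiz": "dana.ortiz@example-timecards.com",  # director of finance
    "sam lee": "sam.lee@example-timecards.com",        # finance supervisor
}

FROM_RE = re.compile(r'^\s*"?(?P<name>[^"<]*?)"?\s*<(?P<addr>[^>]+)>\s*$')


def levenshtein(a, b):
    """Edit distance; enough to catch rn/m swaps and dropped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(header):
    """Split 'Display Name <local@domain>' into (normalized name, address)."""
    m = FROM_RE.match(header)
    if not m:
        return None, header.strip().lower()
    name = " ".join(m.group("name").split()).lower()
    return name, m.group("addr").strip().lower()


def assess(header, directory=DIRECTORY, own_domain=OWN_DOMAIN):
    """Return (verdict, reason). Verdicts: ok, lookalike-domain,
    display-name-impersonation."""
    name, addr = parse_from(header)
    domain = addr.rpartition("@")[2]
    known = directory.get(name)
    if known and addr == known:
        return "ok", "address matches directory"
    if domain != own_domain and levenshtein(domain, own_domain) <= LOOKALIKE_MAX_DISTANCE:
        return "lookalike-domain", f"{domain} resembles {own_domain}"
    if known and addr != known:
        return "display-name-impersonation", f"{name!r} is {known}, not {addr}"
    return "ok", "no directory match and domain not a lookalike"


def screen(headers):
    """Screen a batch of From headers, keeping only the ones worth a look."""
    return [(h, *assess(h)) for h in headers if assess(h)[0] != "ok"]


# Constructed inbound From headers (none are real messages).
SAMPLE_FROM = [
    '"Dana Ortiz" <dana.ortiz@example-timecards.com>',
    '"Dana Ortiz" <dana.ortiz@example-tirnecards.com>',
    'Dana Ortiz <dana.ortiz.finance@mail.example>',
    '"Accounts Payable" <ap@exarnple-timecards.com>',
    '"IT Helpdesk" <helpdesk@example-timecards.com>',
]

if __name__ == "__main__":
    for header, verdict, reason in screen(SAMPLE_FROM):
        print(f"{verdict:28} {reason:45} {header}")
```

The check is cheap and catches the two moves in the scenario (a registered lookalike domain and a free-mail address wearing the director's name), but it does not catch a message sent from the director's real mailbox, which is why the slides pair it with a process: the finance manager knowing what a typical request looks like is a control the gateway cannot replace.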
  • 49. Agenda
    • Introduction to Incident Response
    • Incident Response, the Law, and Industry
    • The Incident Response Process
    • The Incident Response Plan
    • The Incident Response Management Team
    • Collaborating with Government Officials
    • Data Breach Obligations
    • Key Takeaways
  • 50. Introduction to Incident Response: DEFINING INCIDENT
    An occurrence that actually or potentially results in adverse consequences to an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences.
    An “Incident” includes potential future data breaches before they are confirmed and other adverse consequences. Incidents may affect the confidentiality of information, availability of information, or integrity of information.
  • 51. Introduction to Incident Response: DEFINING DATA BREACH
    The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.
    “Sensitive information” can be interpreted differently depending on industry, but state data breach notification statutes usually apply to personal information. TERMINOLOGY MATTERS!
  • 52. Introduction to Incident Response: AN EFFECTIVE INCIDENT RESPONSE PROCESS:
    • Can identify potential incidents through tools and self-reporting quickly, reducing or avoiding damage
    • Centralizes reporting for fast escalation and decision-making
    • Does not define a situation too early; focuses on information gathering
    • Prioritizes communication strategy, both external and internal
    • Enables retention of accurate information for future litigation, involving civil and criminal liability
    Incident response is a collaborative process, including a variety of business leaders and government, depending on the incident.
  • 53. Incident Response, the Law, and Industry (Organization Type: Requirement*)
    Financial Institutions: Interagency Guidance under the Gramm-Leach-Bliley Act requires a security breach response program.
    Healthcare HIPAA Covered Entities: The HIPAA Security Rule at 45 CFR § 164.308(a)(6)(i) requires a covered entity to “identify and respond to suspected or known security incidents.”
    Government Contractors: Government contractors may be required to follow NIST guidelines within a government contract under FISMA.
    Organizations with customers in specific states/territories: 51 U.S. state and territory data breach notification statutes require notification upon discovery of a reasonably suspected data breach.
    Retailers/Organizations Accepting Payment Cards: Payment Card Industry requirements specify “implement[ion of] an incident response plan [and to] be prepared to respond immediately to a system breach.”
    *Contracts may also require incident response efforts and notification.
  • 54. The Incident Response Process: Plan → Detect → Contain → Notify → Recover → Improve
    • One employee should be responsible for Incident Response.
    • Cybersecurity controls should be in place to detect intrusion and unauthorized use.
    • The Incident Response Team should use repeatable procedures to contain and preserve incident details.
    • Continuous learning is critical to timely response.
  • 55. The Incident Response Plan
    An Incident Response Plan Should Include:
    • Mission, strategies, and goals statements
    • Organizational approach
    • Details of senior leadership involvement and approval
    • Approach for communication within and outside the organization
    • References to procedures (which then include checklists, technical processes, forms, or playbooks)
    • Effectiveness metrics
    • Maturity Roadmap
    Incident response plans should be tested at least annually. Tabletop exercises and true readiness testing ensure plans are useful during an incident.
  • 56. The Incident Response Management Team (the slide groups these roles into a Core Incident Response Team and Additional Team Members): CEO, Chief Information Security Officer, General Counsel, Chief Information Officer, Public Relations, Chief Risk Officer (or CFO), Incident Response Manager, Human Relations, Marketing, Technology Architect, Internal Communications, External Counsel
  • 57. Collaborating with Government Officials
    ADVANTAGES
    • Officials may be able to “connect the dots” across other information sources
    • Early assistance with correct forensic procedures
    • May reduce damage with more complete, efficient response
    • Benefit of the doubt if administrative action taken
    • Better positioned to stop a particular actor from attacking again
    • Future partnership and information sharing
    DISADVANTAGES
    • Once engaged, the government will typically take control to manage a situation
    • Administrative agency notification may be required sooner than an organization might feel comfortable
    • Disclosing information to the government may necessitate involvement of external counsel earlier in the process
  • 58. Data Breach Obligations
    Data breach notification obligations may include:
    • Administrative agencies overseeing federal regulations to which the organization must comply (i.e. FTC, FCC, OCR, OMB)
    • Affected consumers under specific regulations (e.g. HIPAA)
    • Shareholders, if a data breach is considered “material”
    • Customers or insurers that are owed notification under contract
    Based on affected person’s residence, notification to:
    • International authorities (e.g. the EU Data Protection Authorities)
    • Consumers whose personal information has likely been compromised in a state with a statute requiring notification
    • Major credit monitoring agencies and state AGs when required
    • The media as an alternative to direct consumer notice over a specific volume
  • 59. Key Takeaways
    • Incident response is an effective risk management technique to protect organizational assets.
    • Incident response plans must be exercised to ensure they are effective when used.
    • Organizations must include executives early in the incident response process.
    • Organizations should decide government involvement on a case-by-case basis.
    • Organizations must be reasonably certain of exposure before labeling an incident a “data breach.”
  • 60. More Information
    Board of Governors of the Federal Reserve System, Interagency Guidelines Establishing Information Security Standards (Aug. 2, 2013), https://www.federalreserve.gov/bankinforeg/interagencyguidelines.htm.
    National Institute of Standards and Technology, Computer Security Incident Handling Guide, Special Publication 800-61 Revision 2 (Aug. 2012), http://dx.doi.org/10.6028/NIST.SP.800-61r2.
    National Initiative for Cybersecurity Careers and Studies, A Glossary of Common Cybersecurity Terminology, https://niccs.us-cert.gov/glossary.
    National Conference of State Legislatures, Security Breach Notification Laws (Jan. 4, 2016), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
    United States Computer Emergency Readiness Team, US-CERT Federal Incident Notification Guidelines (Oct. 1, 2014), https://www.us-cert.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines.pdf.
  • 61. Panel Discussion and Q&A. Program Faculty:
    • Professor Sharon Sandeen — Mitchell Hamline School of Law
    • Andy Ubel – Chief Intellectual Property Counsel, Valspar Corp.
    • Ken Morris – Senior Advisor, RedPoint Advisors
    • Charlotte Tschider — Owner/Principal, Cybersimple Security, LLC