1. Life’s A Breach: Surviving Your Next Cyber-Attack
Garry A. Pate
Director
Stout Risius Ross, Inc.
Robert C. Ludolph
Of Counsel
Pepper Hamilton LLP
Members Only
4. Robert C. Ludolph
Of Counsel
Pepper Hamilton LLP
+1.248.359.7368
ludolphr@pepperlaw.com
Garry A. Pate
Director
Stout Risius Ross
+1.248.432.1304
gpate@srr.com
5. Attack From Within
High-level executive placed on leave to investigate a series of improprieties.
Executive keeps company laptop and iPhone on which he stored sensitive customer information, proprietary trade secrets and personal data on employees.
Computer returned with 40,000 documents deleted, but e-mails to a competitor are found.
General Counsel engages outside counsel, who retains a forensic investigator.
6. What Is Your Cyber-Security Strategy?
Who Is In Charge?
Who Do You Notify?
Do You Take Any Legal Action?
What Is This Going to Cost?
And many more questions.
9. Who Are Your Cyber Threats?
Nuisance hacker
Social engineering
Disgruntled workers
Employee/third party theft
– Customer lists
– IP theft cases
Criminal enterprises
– Advanced persistent threats
– State-sponsored enterprises – cyber warfare
10. Is Your Law Firm the Worst Line of Defense?
Banks demand that law firms harden cyber attack defenses (Wall Street Journal, October 26, 2014)
Law Firms Are Pressed on Security for Data (New York Times, March 26, 2014)
11. That’s Where the Money Is.
“Law firms are a rich target,” said the FBI's assistant special agent in charge of the Pittsburgh field office. “They don't have the capabilities and the resources to protect themselves. Within their systems are a lot of the sensitive information from the corporations that they represent. And, therefore, it's a vulnerability that the bad guys are trying to exploit, and are exploiting.”
Unprepared law firms vulnerable to hackers (Pittsburgh Tribune Review, September 13, 2014)
12. Can Your Law Firm Keep A Secret?
FBI began warning New York law firms in 2009: “We have hundreds of law firms that we see increasingly being targeted by hackers.”
Cybersecurity company Mandiant claims that in 2011, around 80 major U.S. law firms were hacked.
Ransomware hackers pose threat to B.C. law firms (CBC News, January 12, 2015)
14. Target Breach
Target system compromised for 19 consecutive days.
Information of 110 million people compromised.
11 GB of data stolen.
15. Target Breach: Consequences
– $100M effort to move to chip-based payment cards
– $5M campaign to raise awareness on cybersecurity issues
– Fourth-quarter profit slumped 46% while revenue slid 5.3%
– Reputational damage
– $61 million in hacking-related expenses
– VP Technology / CIO / CEO resign
16. Target Breach: Actions
– Notification to customers by email and online posts
– 1 year of free credit monitoring for all customers
– 1 year of free identity theft protection for all affected customers
– 10% discount offered to all shoppers on December 21 and 22
– Increase fraud detection on REDcards
– Launched retail industry cybersecurity and data privacy initiative
17. Duty to Warn: Data Breach Law and Regulatory Requirements
State Privacy Laws
– Data breach notification legislation.
– Identity theft legislation, including protection of Social Security Numbers.
– State legislation on protection of personal information broader than federal (CA, MA, NV).
18. Alphabet Soup of the Duty to Warn: Data Breach Law and Regulatory Requirements
Federal requirements on content and timeframe of data breach notification:
Office of the Comptroller of the Currency (OCC)
Federal Deposit Insurance Corporation (FDIC)
Department of Health and Human Services (HHS)
Federal Trade Commission (FTC)
US Securities and Exchange Commission (SEC)
New regulations are coming.
20. You Do the Math
Target – 40 million credit cards
Home Depot – 56 million accounts
eBay – 145 million customers
Anthem – 80 million Social Security numbers
21. “There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.”
Donald Rumsfeld
22. Challenges
Fraud and cyber crime now power a multi-billion dollar economy
Defacements and Denial of Service attacks
Targeted Threats and Advanced Persistent Threats
Inconsistent information practices across the enterprise lead to pockets of vulnerability
Lack of employee education and awareness leads to vulnerability
Unauthorized collection and use of customer information
Loss of control over personal information and marketing lists
24. Key Information Security Challenges
Perimeter Defense is Insufficient
New Technology = New Exploits
Rootkits
Morphing Malware
Zero-Days
Insider Threats
25. Advanced Persistent Threat
Second-largest health insurer in the United States
Accessed PII of 80 million customers
Hackers stole names, birthdays, medical IDs, Social Security numbers, street addresses and e-mail addresses of Anthem customers
Hackers may have been inside the Anthem network more than a month before being detected
26. Advanced Persistent Threat
World-famous Hollywood studio
Hackers stole over 100 TB of data
Leaked online some of Sony’s unreleased films and highly sensitive and confidential information, such as passwords and executives' salaries, and even threatened employees and their families
Went unnoticed for weeks until computers were paralyzed
Not the first time Sony has struggled with cybersecurity
30. Law Firm Data Breach
China-based hackers were looking to derail the $40 billion acquisition of the world’s largest potash producer
Hackers exploited the networks of seven different law firms as well as Canada’s Finance Ministry and the Treasury Board
Chinese effort to invalidate the takeover as part of the global competition for natural resources
Stolen data can be worth tens of millions of dollars and give the party who possesses it an unfair advantage in deal negotiations
31. Law Firm Data Breach
Los Angeles, CA law firm
Series of Trojan emails (spear-phishing) appeared to be from members of the firm but in reality were designed to steal data from the firm’s network
Each email contained a link or attachment that would download malware
In 2011, the firm was representing a leading provider of blocking and filtering software programs in a $2.2 billion lawsuit against Chinese computer firms, software makers, and the Chinese government
Forensic analysis revealed that the Trojan emails were linked to Chinese servers
The malware was not released, and there was no compromise to the firm’s system
32. Emerging Strategies
Shifting the focus away from building robust defensive systems
Neutralizing cybersecurity threats once attackers are inside the networks
The median length of time that attackers lurk inside a victim’s network is 229 days
Protecting high value information = high price tag
33. NIST Cybersecurity Framework Core
Identify
– Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
Protect
– Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
Detect
– Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Respond
– Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
Recover
– Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
34. Critical Cyber Risk Management
Take every report seriously
– Suspicious email/internet activity
– Malware/phishing programs
Be aware of employee activity
– Off-boarding process
Know your partners and third party contacts
35. Key Considerations for Policies and Procedures
– Privacy Policy
Clear and conspicuous
Say what you do and do what you say
– BYOD Policy
– Information Security Policy
– Business Continuity Plan
– Security Audits – check and double check!
36. Steps to Improving Cybersecurity Program
Step 1: Prioritize and Scope
– Identify business/mission objectives and the systems and assets that support the business line.
Step 2: Orient
– Identify threats to and vulnerabilities of systems and assets, regulatory requirements, and overall risk approach.
Step 3: Create a Current Profile
– Identify which outcomes are being achieved.
37. Steps to Improving Cybersecurity Program (continued)
Step 4: Conduct a Risk Assessment
– Analyze the likelihood of a cybersecurity event and the impact that the event could have on the organization.
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
– Create a prioritized action plan to address the gaps between the Current Profile and the Target Profile.
Step 7: Implement Action Plan
– Monitor current cybersecurity practices against the Target Profile.
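Steps 3 through 7 carried through in code, as an added example that is not part of the presentation or of NIST's own material: each Framework outcome gets a Current Profile tier and a Target Profile tier, the shortfalls become the gap list, and each gap is prioritized by its size times the risk weight that the Step 4 risk assessment assigned to it. The subcategory identifiers follow the CSF 1.x numbering; the tier scale, the tier values and the risk weights are constructed for illustration.

```python
"""Gap analysis between a NIST CSF Current Profile and Target Profile.

Added example, not from the presentation or from NIST. The Function names
follow the five CSF Functions on the slide; the maturity scale, tier values
and risk weights below are constructed for illustration.
"""
from dataclasses import dataclass

# Maturity scale used here (assumption): 0 = not performed ... 4 = adaptive,
# loosely mirroring the Framework's four Implementation Tiers.
MAX_TIER = 4

# Function order used only to break ties in the prioritized list.
FUNCTION_ORDER = {"Identify": 0, "Protect": 1, "Detect": 2, "Respond": 3, "Recover": 4}


@dataclass(frozen=True)
class Outcome:
    """One Framework outcome (Subcategory) under one of the five Functions."""
    function: str      # Identify / Protect / Detect / Respond / Recover
    subcategory: str   # CSF 1.x subcategory identifier
    risk_weight: int   # 1..5, from the Step 4 risk assessment (assumed scale)


def gap_report(outcomes, current, target):
    """Step 6: return one row per outcome whose Current tier is below its
    Target tier, sorted so the largest shortfall on the riskiest outcome
    comes first. priority = gap * risk_weight."""
    rows = []
    for o in outcomes:
        cur = current.get(o.subcategory, 0)   # unscored outcome counts as 0
        tgt = target.get(o.subcategory, 0)
        if not (0 <= cur <= MAX_TIER and 0 <= tgt <= MAX_TIER):
            raise ValueError(f"tier out of range for {o.subcategory}")
        gap = tgt - cur
        if gap > 0:
            rows.append({
                "subcategory": o.subcategory,
                "function": o.function,
                "current": cur,
                "target": tgt,
                "gap": gap,
                "priority": gap * o.risk_weight,
            })
    rows.sort(key=lambda r: (-r["priority"], FUNCTION_ORDER[r["function"]], r["subcategory"]))
    return rows


def progress(outcomes, current, target):
    """Step 7 monitoring: fraction of outcomes whose Current tier already
    meets the Target tier (0.0 .. 1.0)."""
    if not outcomes:
        return 1.0
    met = sum(1 for o in outcomes
              if current.get(o.subcategory, 0) >= target.get(o.subcategory, 0))
    return met / len(outcomes)


# Constructed sample profiles (risk weights and tiers are illustrative).
OUTCOMES = [
    Outcome("Identify", "ID.AM-1", 3),   # physical devices inventoried
    Outcome("Protect",  "PR.AC-1", 5),   # identities and credentials managed
    Outcome("Detect",   "DE.CM-1", 5),   # network monitored for events
    Outcome("Respond",  "RS.RP-1", 4),   # response plan executed
    Outcome("Recover",  "RC.RP-1", 2),   # recovery plan executed
]
CURRENT = {"ID.AM-1": 2, "PR.AC-1": 1, "DE.CM-1": 1, "RS.RP-1": 3, "RC.RP-1": 1}
TARGET = {"ID.AM-1": 3, "PR.AC-1": 3, "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 2}

if __name__ == "__main__":
    for row in gap_report(OUTCOMES, CURRENT, TARGET):
        print(row)
    print(f"target outcomes met: {progress(OUTCOMES, CURRENT, TARGET):.0%}")
```

Re-running `progress` after each action-plan milestone gives the Step 7 monitoring figure; because the Target Profile is a separate input, raising the bar later (a new regulatory requirement, say) simply produces a new gap list without touching the scoring of what is already in place.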
38. Practical Steps: Post Incident Activity – 3 R’s
Review
– Incident response team model
– Policies/procedure
Revise
– Tools and resources
– Training of employees
Reevaluate
– Integrity of third parties’ systems
– Documentation and reports
39. Managing Cyber Breaches
Report and Post-Mortem
“Elite Eight” Recommendations
– Eliminate unnecessary data; keep tabs on what’s left.
– Perform regular checks to ensure that essential controls are met.
– Collect, analyze and share incident data to create a rich information source that can drive security program effectiveness.
– Collect, analyze and share tactical threat intelligence, especially indicators of compromise (IOCs), that can greatly assist defense and detection.
– Without de-emphasizing prevention, focus on better and faster detection through a blend of people, processes, and technology.
– Regularly measure things like “number of compromised systems” and “mean time to detection”, and use these numbers to drive better practices.
– Evaluate the threat landscape to prioritize a treatment strategy. Don’t buy into a “one-size-fits-all” approach to security.
– Don’t underestimate the tenacity of your adversaries, especially espionage-driven attackers, or the power of the intelligence and tools at your disposal.
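The two measurements named above, number of compromised systems and mean time to detection, computed from incident records, as an added example that is not part of the deck. The record format and the four sample incidents are constructed (the first uses the Target dates quoted in the notes; counting elapsed days gives 18 where the slide's inclusive count gives 19); the 229-day figure is the FireEye median cited on the slides and is used only as a comparison threshold.

```python
"""Compute "number of compromised systems" and "mean time to detection"
from incident records.

Added example, not from the presentation. The CSV-like record format and
the four incidents below are constructed for illustration.
"""
from datetime import date
from statistics import mean, median

MEDIAN_DWELL_DAYS_FIREEYE = 229  # median dwell time cited on the slides

# Constructed records: id,first_compromise,detected,hosts (';'-separated).
SAMPLE_RECORDS = """\
INC-001,2014-11-27,2014-12-15,pos-017;pos-112;pos-340
INC-002,2014-06-01,2015-01-20,mail-01
INC-003,2015-01-05,2015-01-06,wks-2231;wks-2231
INC-004,2014-02-10,2015-01-30,db-02;fs-07
"""


def parse_records(text):
    """Parse the records. A detection date earlier than the compromise date
    is a data-entry error and is rejected rather than producing a negative
    dwell time that would flatter the average."""
    incidents = []
    for line in text.strip().splitlines():
        inc_id, first, detected, hosts = line.split(",")
        first_d, det_d = date.fromisoformat(first), date.fromisoformat(detected)
        if det_d < first_d:
            raise ValueError(f"{inc_id}: detected before first compromise")
        incidents.append({
            "id": inc_id,
            "dwell_days": (det_d - first_d).days,
            "hosts": {h for h in hosts.split(";") if h},  # de-duplicate hosts
        })
    return incidents


def detection_metrics(incidents):
    """Distinct compromised hosts across all incidents, mean and median days
    to detection, and how many incidents ran longer than the 229-day median.
    Hosts are de-duplicated across incidents so a machine hit twice counts once."""
    if not incidents:
        return {"compromised_systems": 0, "mean_time_to_detection_days": 0.0,
                "median_time_to_detection_days": 0.0, "incidents_over_fireeye_median": 0}
    dwell = [i["dwell_days"] for i in incidents]
    hosts = set().union(*(i["hosts"] for i in incidents))
    return {
        "compromised_systems": len(hosts),
        "mean_time_to_detection_days": mean(dwell),
        "median_time_to_detection_days": median(dwell),
        "incidents_over_fireeye_median": sum(d > MEDIAN_DWELL_DAYS_FIREEYE for d in dwell),
    }


if __name__ == "__main__":
    for k, v in detection_metrics(parse_records(SAMPLE_RECORDS)).items():
        print(f"{k}: {v}")
```

Both the mean and the median are reported because a single long-running intrusion (INC-004 here) drags the mean far above the typical case; tracking both quarter over quarter shows whether detection is actually getting faster or whether one outlier moved the number.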
41. Contact Information
Robert C. Ludolph
Of Counsel
Pepper Hamilton LLP
+1.248.359.7368
ludolphr@pepperlaw.com
Garry A. Pate
Director
Stout Risius Ross, Inc.
+1.248.432.1304
gpate@srr.com
Editor's Notes
Hello and welcome to this Barbri Professional Associations Webcast, Life’s a Breach: Surviving Your Next Cyber-Attack. I am Robert Hilson of the Association of Certified E-Discovery Specialists, and I’d like to welcome both members of ACEDS and those of our sister association, ACFCS, who are joining us today. We are really excited to have both audiences here to discuss an issue that poses enormous challenges to both e-discovery and financial crime professionals.
I am joined today by two excellent presenters who I will introduce in a moment. But first, if you will humor me for brief announcements.
First, and this is something I am really looking forward to. ACEDS will be holding its annual conference September 29 to 30 at the Gaylord National Resort in Washington, DC. A live certification prep course will precede the conference, as always, on the 28th. And we expect another first-class show. We’ve already announced a number of prominent speakers, including the federal judges you see on your screen. Judge Thomas Vanaskie, who sits on the Third Circuit Court of Appeals, and Ret. US magistrate Judge Nan Nolan, who has been involved in some of the most prominent e-discovery cases, will also present. ACEDS members get the best rates on the conference, and if you are thinking about joining, I encourage you to register before the super early bird pricing expires.
Alright, let’s get started. I am very pleased to introduce our experts for the day.
Robert Ludolph is an employment litigator who leads the Labor and Employment Practice Group of the Detroit office of Pepper Hamilton. He is also a member of the firm’s Privacy, Security and Data Protection Practice Group as well as the Non-Compete and Trade Secrets Practice Team. At Pepper, he concentrates his practice on defending corporate clients in discrimination, employment contract and employee retirement income litigation, representing management in labor relations matters, and advising organizations on health and privacy law issues. He also advises clients on non-competition and non-solicitation agreements and has supervised investigations of misappropriated proprietary information and workplace misconduct.
Bob, it’s a pleasure to have you here. Thanks for joining us.
Bob is joined by Garry Pate, a director in the e-discovery practice within the Dispute Advisory & Forensics Services Group at Stout Risius Ross. He has a background in Computer Forensics, E-Discovery, internal investigations, database management, document automation, scanning coding and extensive experience working with business owners, attorneys and federal, state, and local government/law enforcement across the United States. A 16 year veteran of the legal field, he has extensive experience managing e-discovery projects from collection through production in complex litigation involving issues such as IP theft, business technology, copyrights, patents, trademarks and numerous other disputes. Garry also gave an excellent interview to ACEDS on data breach mitigation last week that you can listen to now at ACEDS.org.
Garry, thanks a lot for being here.
Before we begin, I want to encourage everyone on the call to ask questions. You can chat them to us in the questions box that you see on the right of your screen and we will get to them at the end of the presentation if time allows.
Sources: Ponemon Institute True Cost of Compliance Study (2013), Cost of a Data Breach Report (2013)
http://www.mentisoftware.com/rescs_data_breach_statistics.html
Types of Breaches:
Lost Devices – lost, discarded or stolen laptop, PDA, Smartphone, etc. (one of top causes of data breaches)
Physical Loss – lost, discarded or stolen paper records
Exposure – information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail
Insider – someone with legitimate access either intentionally or negligently breaches information (e.g., employee or contractor)
Hacking/Malware – electronic entry by an outside party, malware and spyware
Unauthorized Access – lost, discarded or stolen password or physical access card or weak password requirements
Three law firms hacked by extortionists using malware to lock files and demand ransom fee
The Law Society of British Columbia had some files stolen by a hacker. He then encrypted those files, and demanded payment in exchange for giving access back.
He used the powerful Cryptowall Virus and gave the firm 12 hours to pay the fee to have the encryption removed. If the firm was unable to pay the fee within that time, he would double it. If payment was not received within 30 days, he would permanently break the files.
Fortunately, this firm had backups available, so they got up and running quickly. However, many law firms are not adequately protected against hacking, so this firm may be the exception rather than the rule.
And for the record, hackers like this demand payment in the virtual currency called “Bitcoin.” If they receive payments this way, they’re untraceable.
Your network will be breached. This is a stark reality of the world in which we operate and do business. Each week brings new threats and reports of compromised networks and lost data. Like it or not, it is a simple fact that no organization is immune. Consider this -- the 2013 Data Breach Investigations Report, conducted by Verizon, found the following commonalities across 47,000 security incidents and 621 data breaches reported in 2013.
Your team’s ability to quickly identify the breach, stop the exfiltration of data and classified material, and remediate real threats can have an enormous impact on your organization’s risk, cost, and exposure. But when dealing with today’s threats, staying on top of network security becomes increasingly challenging and putting in place best pracices for managing cyber breaches can be the difference between containing an attack and letting it wreak havoc in your systems.
System compromised from November 27 until December 15.
Information taken includes: full credit card number, expiration date, security code, name, mailing address, phone number and email address.
Uniqueness of retail industry breaches
target the consumer’s information more than the company’s
many people susceptible
loss of trust of the consumer in the company
all but 17M of the costs will be borne by insurance.
Consequences are typical of such breaches, as noted by the SEC guidance (described below):
Remediation costs can be substantial with negative consequences including, but not limited to:
liability for stolen assets or information
repairing system damage that may have been caused
increased cybersecurity protection costs
lost revenues resulting from unauthorized use of proprietary information
lost revenues from failure to retain or attract customers following an attack;
litigation; and
reputational damage.
REDcard is the Target credit or debit card.
Retail industry cybersecurity and data privacy initiative –
Initiative by RILA – Retail Industry Leaders Association
Enhance existing cybersecurity and privacy efforts
System Wide Collaboration - seek to forge a partnership with the other members of the payments ecosystem to collaborate on long-term, comprehensive solutions to the threats
Formation of a Retail Cybersecurity Leaders Council - senior retail executives responsible for cybersecurity, will aim to improve industry-wide cybersecurity by sharing threat information and discussing effective security solutions in a trusted forum
Federal Data Breach Notification Legislation - engage with lawmakers to develop federal data security breach notification legislation that sets a national baseline
Federal Cybersecurity Legislation -engage with policymakers to help develop federal cybersecurity legislation, including support for appropriate information-sharing mechanisms between the private and public sectors
Eliminate the Mag-Stripe - urge that it be phased out in favor of the better technology widely used throughout the world
HHS – notification for a breach of unsecured PHI should be prompt and not later than 60 days
There is an exception if law enforcement determines that providing the notice would impede a criminal investigation or cause damage to national security. In the event of a law enforcement exception, the delay is for a length of time requested in writing or for 30 days from an oral request.
Should be in plain language.
Avoid including sensitive information in the notice itself
Should include:
a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
a description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code)
the steps an individual should take to protect him/herself from potential harm resulting from the breach
a brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches
contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address
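A first-pass check of a draft individual notice against the content elements and the 60-day timing rule just listed, as an added example that is not from the presentation or from HHS. The two sample notices, the indicator phrases taken as evidence that an element is present, and the sensitive-data patterns are all constructed; the script flags obvious omissions and leaked identifiers before counsel reviews the draft, it does not establish compliance.

```python
"""Check a draft breach notice against the HHS content elements and the
60-day timing rule listed in the notes.

Added example, not from the presentation or from HHS. Indicator phrases,
sensitive-data patterns and the sample notices are constructed.
"""
import re
from datetime import date, timedelta

NOTIFY_WITHIN_DAYS = 60          # "not later than 60 days" from discovery
LAW_ENFORCEMENT_ORAL_DELAY = 30  # delay allowed on an oral law-enforcement request

# Required elements (from the slide) -> constructed phrases whose presence is
# taken as evidence the element was addressed (matched case-insensitively).
REQUIRED_ELEMENTS = {
    "what happened": ["what happened", "we discovered"],
    "date of breach": ["occurred on"],
    "date of discovery": ["discovered on"],
    "types of PHI involved": ["information involved", "may have included"],
    "steps individuals should take": ["we recommend", "you should"],
    "what the entity is doing": ["we have", "we are"],
    "contact procedures incl. toll-free number": ["toll-free", "1-800-", "1-888-", "1-877-"],
}

# Sensitive values the notes say must not appear in the notice itself.
SENSITIVE_PATTERNS = {
    "social security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "payment card number": re.compile(r"\b(?:\d{4}[ -]){3}\d{4}\b"),
}


def notification_deadline(discovery_iso, law_enforcement_delay_days=0):
    """Last day (ISO date string) on which the notice may go out."""
    discovery = date.fromisoformat(discovery_iso)
    days = NOTIFY_WITHIN_DAYS + law_enforcement_delay_days
    return (discovery + timedelta(days=days)).isoformat()


def check_notice(text, discovery_iso, send_iso, law_enforcement_delay_days=0):
    """Return the elements not found, sensitive values found, the deadline,
    and whether the planned send date meets it."""
    low = text.lower()
    missing = [name for name, phrases in REQUIRED_ELEMENTS.items()
               if not any(p.lower() in low for p in phrases)]
    leaked = [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text)]
    deadline = notification_deadline(discovery_iso, law_enforcement_delay_days)
    return {
        "missing_elements": missing,
        "sensitive_data_found": leaked,
        "deadline": deadline,
        "on_time": date.fromisoformat(send_iso) <= date.fromisoformat(deadline),
    }


# Constructed draft notices.
GOOD_NOTICE = """\
Dear Patient,
We are writing to tell you what happened. An unauthorized person accessed a
server; the incident occurred on January 5, 2015, and we discovered on
January 6, 2015 that records had been copied. The information involved may
have included your full name, date of birth and account number.
We recommend that you review your account statements and credit reports.
We have disabled the affected accounts and are working with a forensic firm.
Questions? Call us toll-free at 1-800-555-0100 or write to privacy@example.org.
"""

BAD_NOTICE = """\
Dear Patient,
Your record (SSN 123-45-6789) was accessed by an unauthorized person.
Please call our main office with any questions.
"""

if __name__ == "__main__":
    print(check_notice(GOOD_NOTICE, "2015-01-06", "2015-02-20"))
    print(check_notice(BAD_NOTICE, "2015-01-06", "2015-03-20"))
```

The sensitive-data scan is the part worth keeping even if the phrase lists are replaced by a human checklist: a notice drafted from the incident report is the easiest place to re-disclose the very identifiers the breach exposed.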
Ponemon Institute
http://www.bankinfosecurity.com/interviews/data-breach-i-1953/op-1
Average cost: $5.85 million
Israel was involved in the development of Stuxnet, a 500-kilobyte computer worm targeting industrial plant facilities that infected the software of at least 14 industrial sites in Iran, including a uranium-enrichment plant. Although a computer virus relies on an unwitting victim to install it, a worm spreads on its own, often over a computer network.
This worm was an unprecedentedly masterful and malicious piece of code that attacked in three phases. First, it targeted Microsoft Windows machines and networks, repeatedly replicating itself. Then it sought out Siemens Step7 software, which is also Windows-based and used to program industrial control systems that operate equipment, such as centrifuges. Finally, it compromised the programmable logic controllers. The worm’s authors could thus spy on the industrial systems and even cause the fast-spinning centrifuges to tear themselves apart, unbeknownst to the human operators at the plant. (Iran has not confirmed reports that Stuxnet destroyed some of its centrifuges.)
Three key groups of actors commit cyber attacks. Each has different motivations and tactics, but the net effect of their actions is disruption, financial loss and damage to reputations. By understanding their characteristics you can be better prepared and reduce your risk.
With new technologies come new exploits. Advanced threats like rootkits, morphing malware, zero-days, and insider threats are rarely caught by perimeter security solutions that rely on signature-based algorithms to detect known threats.
But when the threat is constantly changing, brand new, or simply unknown to your perimeter security frontline, it goes undetected, much like when the infiltration is caused by an insider whose credentials give them access to your network or sensitive data. Today’s cyber attackers will not be stopped at the perimeter. Many of them are already past your firewall, whether you have found them yet or not.
According to FireEye, 229 days is the median length of time attackers lurk inside their victims' computers before being detected or revealing themselves. Hackers stole information on tens of millions of Anthem Inc. customers, in a massive data breach that ranks among the largest in corporate history.
If you don't know where the important information is, all you have to do is attach yourself to the right people in the organization and the information will come to you.
In 2011, the company's PlayStation Network was compromised by hackers who stole the personal information of millions of gamers and knocked the network offline for weeks. Records have also been stolen from Neiman Marcus, JPMorgan Chase, Experian, eBay and Home Depot.
Recon (social engineering) on public sites.
Shredded paper containing personal information and records, including Social Security numbers and medical records.
Thumb drive
BMO Harris – two 14-year-olds did internet research and found the administrator password for ATMs in an operator's manual posted online, then told their teachers. A Winnipeg BMO branch got an unlikely security tip from the two 14-year-olds when the pair managed to get into an ATM’s operating system during their lunch break last Wednesday.
The Grade 9 students, Matthew Hewlett and Caleb Turon, used an ATM operators’ manual they found online to get into the administrator mode of an ATM at a Safeway grocery store. They saw how much money was in the machine, how many transactions there had been and other information usually off-limits for the average bank customer. The BMO branch manager called security to follow up on what the teenagers had found, and even wrote them a note to take back to school as explanation for why they were late getting back to class.
He used his insider knowledge to access that system remotely and release hundreds of thousands of gallons of sewage.
The relative ease with which a terrorist IT attack could be used to cripple infrastructure was shown three years after Maroochydore in the US when the Slammer worm infiltrated an Ohio nuclear power plant and other power facilities. Research later showed the worm had infected the system through such innocuous points of entry as a contractor's IT line, which affected a power plant computer, a virtual private network affecting a power company's SCADA system, a laptop that attacked a petroleum plant control system and a modem that shut down a paper plant.
Could be your name on the building. Could lead to unrecoverable loss of reputation.
Not all cyberattacks originate in China — in fact, it often is difficult to determine points of origin because attacks are routed through a number of intermediate computers. The Mandiant report noted that the scale and logistics of recent attacks suggest that they may be state-sponsored, although the company has no way of proving that.
Because technology-savvy attorneys recognized the emails as potentially compromising, the malware was not released. The law firm believes that there was no compromise to its system.
Not only can hackers gain access to a firm’s networks through phishing, they can also break into a firm’s cloud storage programs, making this popular document-storage approach particularly vulnerable to attack.
Now, as hackers routinely overwhelm such defenses, experts say cybersecurity is well overdue for an overhaul: neutralize attackers once they're inside networks rather than fixating on trying to keep them out.
Experts aren't recommending organizations stop deploying perimeter defenses such as antivirus software or firewalls that weed out vanilla threats. But they say a strategy that could be likened to laying traps is needed to counter the sophisticated hacks that can cause huge losses.
Part of the reason is greater concern with meeting regulatory requirements for security than improving security itself.
The weakness of relying on a firewall is that it's like building a fence around a housing complex but not hiring a guard to patrol the interior streets.
Cybersecurity professionals have begun to shift their focus away from building robust defensive systems. While perimeter defenses continue to be a key component of network security, neutralizing cybersecurity threats once attackers are inside the networks may be a more effective strategy. According to FireEye, the median length of time that attackers lurk inside a victim’s network is 229 days.
As we mentioned earlier, the Target breach took place because a third party vendor had access to Target’s corporate environment. Sound practice dictates that firms require vendors to provide risk assessments and that the identified risk be included into contracts. Examples include training materials and policies and procedures.
Privacy Policy
Clear and conspicuous
True consent
not too long – 76 days to read all privacy policies; most are very long
not too hard – average reading level is 4th grade; average level of a policy is 12th grade; recommended is 8th grade
clickthrough and not browsewrap
notify of amendments
get consent for material amendments
Say what you do and do what you say
accuracy is often more important than the content – three recent FTC settlement agreements
Credit Karma & Fandango – stated that the transferred information would be protected by SSL, but SSL certificate validation had been disabled and this wasn’t checked. It didn’t help that the work was done by a third party, since this wasn’t audited/checked with the third party
The organization can use the Framework to
create a cybersecurity program
use its current process and overlay it onto the Framework to determine gaps in its current cybersecurity risk approach and develop a roadmap to improvement
Through the creation of a Current Profile, organizations can examine the extent to which they are achieving the outcomes described in the Core Categories and Subcategories, aligned with the five high-level Functions: Identify, Protect, Detect, Respond, and Recover. An organization may find that it is already achieving the desired outcomes, thus managing cybersecurity commensurate with the known risk. Conversely, an organization may determine that it has opportunities to (or needs to) improve. The organization can use that information to develop an action plan to strengthen existing cybersecurity practices and reduce cybersecurity risk.
Check whether:
• incident policies, procedures and plans were properly followed
• the incident response tools and internal and external resources were adequate
• the incident response team model and structure functioned well when responding to the incident
• the incident handler training and education were adequate
• the incident documentation and reports were sufficient
• the identified measures of success were met.
At this point, your incident response team should consult relevant data breach-notification regulations and policies for each of the industries in which your organization does business. Your legal, IT, public relations, and executive teams should have a breach-notification plan in place and be ready to take the appropriate steps when you present your incident report to them.
Your report will be vital to all concerned with business reputation, viability, and operations. It is highly advisable to be as clear and non-technical as possible in your reporting. If your report cannot be understood by key stakeholders, the value you are contributing will not be recognized.
Be sure to include a sunset or post-mortem report, which is a list of lessons learned from the incident, including:
• What the organization intended or planned to do
• What went right
• What went wrong
• What can be improved upon.
Consider modifying existing incident response plans and/or company policies to reflect any lessons learned from each cyber breach.
Information security breaches are inevitable, and the sooner your organization adopts a posture based on this assumption, the more prepared it will be to contain and remediate the damage they may cause. The speed at which you identify the breach, halt progress of infectious malware, stop access and exfiltration of sensitive data, and remediate the threat will make significant difference in controlling risk, costs, and exposure during an incident. Knowing these six essential steps to incident response can greatly increase your success in managing a cyber breach.