The Shock of a Data Loss Incident - Who are you going to call?
Craig Spiezle, Executive Director, Online Trust Alliance
2013 Lowlights
• ~2160 data loss incidents
• 89% of data loss incidents could have been prevented
• 822 million records exposed
• 31% of incidents were due to insider threats or mistakes
• 21% of the incidents were the result of physical loss
• 76% were the result of weak or stolen account credentials
• 29% of compromises were via social engineering
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 2
Sources: Publicly disclosed incidents and data published by Microsoft, Open Security Foundation, Privacy Rights Clearinghouse, Risk Based Security, Verizon & Symantec
Day 1 – Panic & Denial
Day 2 – Confusion & Chaos
Day 3 – Communications
Laws of Data
• Your company includes “covered information”
• You have regulatory requirement(s)
• You will have a data incident
• If you are unprepared it will cost you
  ▫ Direct expenses
  ▫ Remediation
  ▫ Partners
  ▫ Brand
  ▫ Business Shock
Evolution as we become a data driven society 
Data Classification & Personal Info 
Data Collection Considerations 
Self Assessment
1. Do you understand regulatory requirements?
2. What data attributes do you collect? How and where is it stored?
3. Is the business purpose for collecting this data still valid?
4. Are your encryption processes representative of best practices?
5. Do you have a 24/7 incident response team in place?
6. Are you prepared to communicate?
7. Do you follow generally accepted security & privacy best practices?
8. Does your privacy policy reflect your collection and sharing practices?
9. Do you know who to contact in the event of a breach?
10. Can you sign off on a plan affirming you have adopted best practices?
Being Unprepared for an Incident
Not just “consumer data”
• Consumer & Employee Data
  ▫ Unencrypted computer, “stolen”?
  ▫ Lapse in policy requiring encryption of all laptops
Credit Cards & Beyond
Requires a Holistic View
  ▫ Part of your DNA.
  ▫ Ongoing review - controls & policies
  ▫ Stewardship is everyone’s responsibility.
Security Best Practices (page 9)
1. Email Authentication & DMARC
2. Always On SSL
3. User Access & Password Management
4. Data & Disk Encryption
5. Automatic Patch Management
6. Router & Access Point encryption
7. BYOD Management Plan
Forensics Mistakes (page 12)
Forensics Best Practices (Appendix E)
• Secure and protect the physical integrity of evidence and ensure any systems impacted by a breach are only accessible to investigators and law enforcement. Track the chain of custody of the evidence: who collects the evidence, who transfers it and where it is stored.
• Preserve and store all critical log files in a secure location, including web client and server operating systems, application, mail, firewall, IDS, VPN and NetFlow. Due to rotation schedules, the saving of critical logs needs to happen as soon as possible.
• Contact law enforcement and your attorney. It’s critical that forensics be performed by experts, and that your organization does not do anything to compromise the data or chain of custody.
• Disk image capture/evidence preservation should be strongly considered before placing machines back online for law enforcement monitoring purposes.
• Review internal remediation plans and policies.
• Document everything that has been done on the impacted systems since the incident was detected.
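The two preservation points above (save critical logs before rotation discards them, and track the chain of custody) can be carried out with a small collection script. The following is an added example, not code from the OTA deck or its guide; the host name, custodian names and log contents are constructed for illustration, and the manifest/custody file layout is an assumption.

```python
"""Preserve log files as evidence with SHA-256 hashes and a chain-of-custody record.

Added example, not part of the OTA deck. File names, custodian names and the
log contents in demo() are constructed for illustration.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(sources, evidence_dir, custodian):
    """Copy each source log into evidence_dir, hash it before and after the copy,
    and write manifest.json. Returns the manifest (one record per file).
    A copy whose hash differs from its source is flagged, never silently kept."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in map(Path, sources):
        src_hash = sha256_file(src)
        # Prefix with the parent directory name so logs from different hosts do not collide.
        dest = evidence_dir / f"{src.parent.name}__{src.name}"
        shutil.copy2(src, dest)  # copy2 keeps the original mtime, which timelines rely on
        stat = src.stat()
        manifest.append({
            "source": str(src),
            "evidence_copy": str(dest),
            "sha256": src_hash,
            "copy_verified": src_hash == sha256_file(dest),
            "source_size": stat.st_size,
            "source_mtime_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "collected_by": custodian,
        })
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def record_custody(evidence_dir, action, actor, note=""):
    """Append one chain-of-custody entry. Each entry stores the SHA-256 of the
    previous line, so deleting or editing an earlier entry breaks the chain."""
    log = Path(evidence_dir) / "chain_of_custody.jsonl"
    prev = "0" * 64
    if log.exists():
        lines = log.read_text().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1].encode()).hexdigest()
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(), "action": action,
             "actor": actor, "note": note, "prev_entry_sha256": prev}
    with open(log, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_custody_chain(evidence_dir):
    """True if every entry's prev hash matches the hash of the line before it."""
    prev = "0" * 64
    for line in (Path(evidence_dir) / "chain_of_custody.jsonl").read_text().splitlines():
        if json.loads(line)["prev_entry_sha256"] != prev:
            return False
        prev = hashlib.sha256(line.encode()).hexdigest()
    return True


def verify_evidence(evidence_dir):
    """Re-hash every preserved copy against the manifest; return the paths that changed."""
    manifest = json.loads((Path(evidence_dir) / "manifest.json").read_text())
    return [m["evidence_copy"] for m in manifest if sha256_file(m["evidence_copy"]) != m["sha256"]]


def demo():
    """Constructed scenario: a current and a rotated web log plus an auth log from one host."""
    work = Path(tempfile.mkdtemp())
    host = work / "webhost01"
    host.mkdir()
    (host / "access.log").write_text('10.0.0.5 - - [01/Mar/2014:10:00:01] "GET /login HTTP/1.1" 200\n')
    (host / "access.log.1").write_text('10.0.0.5 - - [28/Feb/2014:23:59:58] "POST /login HTTP/1.1" 302\n')
    (host / "auth.log").write_text("Mar  1 10:00:02 webhost01 sshd[4242]: Accepted publickey for deploy\n")
    evidence = work / "evidence"
    manifest = preserve_logs(sorted(host.glob("*")), evidence, "analyst A (constructed)")
    record_custody(evidence, "collected", "analyst A (constructed)", "logs from webhost01")
    record_custody(evidence, "transferred", "analyst A -> counsel B (constructed)")
    return evidence, manifest
```

Rotated files (access.log.1 here) are collected alongside the live log, which is the point of grabbing logs early; verify_evidence() and verify_custody_chain() can be re-run at hand-over to show nothing changed in transit.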
Working with Cyber Cops “CC”
1. Want to ensure you do not tip off the intruder. The attacker could become hostile, destroy logs and create additional back doors. You may be asked to limit your discussions. If so, take advantage of a law enforcement request to delay statutory data breach notifications.
2. Preserve and collect evidence. Do not turn off your computers since that will result in the loss of volatile memory (disconnecting briefly from the Internet may be okay). They will ask for technical data, including network- and host-based incident logs and up-to-date network topology maps.
3. Will want to get a better sense of potential insider and external threats. They might ask you about disgruntled current/former employees, in addition to the possibility that well-meaning, unsuspecting employees used infected thumb drives, clicked bad website links, or opened spoofed emails.
4. May want your direct investigative assistance. This could include use of government tools; you may even be asked to engage in communications with the attacker.
Source: “What to Expect When Working With Cyber Cops”, Security Magazine, Dec. 1, 2013
Communications & Messaging (page 19)
Notification
Communications
• Internal Communications
• Partner Communications
• Phone scripts
• On-hold messages
• Spokesperson Training
• Email & Letter Templates
• Web site FAQ
• Multi-Lingual Support
• Media Monitoring Services
Your Mailing Domain
KickStarter
• Mailed from their top level domain
• Within 72 hours of notification
• Humble, reassuring
• Complies with California notification requirements
• Have adopted “some” email authentication best practices.
On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers' data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system. No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on your account. While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one. As a precaution, we have reset your Facebook login credentials to secure your account. No further action is necessary on your part. We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come.
When announcing you’ve had a breach…
• Target – “Your trust is a top priority for Target, and we deeply regret the inconvenience this may cause. The privacy and protection of our guests’ information is a matter we take very seriously and we have worked swiftly to resolve the incident.”
• Global Payments – “The Company will notify potentially-affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost.”
• Adobe – “As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts.”
• Epsilon – “Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.”
• Gawker Media – “You may be angry and upset about what has happened. You have a right to be. We're upset, too, and deeply embarrassed about the breach…here's your chance to ask questions about your commenting accounts, vent, or just help each other with issues you have.”
International Considerations
Do you know where your users reside?
• What is an incident?
• What is required for notification?
• When do you need to advise regulatory authorities?
• What is appropriate remediation?
Regulatory Considerations
• Beyond FTC Section 5
• Definition of Covered Information
• Notification & Timing
  ▫ Regulators vs Users
• Pre-emption of State Laws
• Ability of State AGs to Enforce
• Perhaps modeled off of CAN-SPAM & COPPA
• Safe Harbor for best practices
Management Considerations
1. Regulatory Requirements
2. Re-validate Business Requirements
3. Data Inventory – Where & Who?
4. Data collection activities
5. Points of vulnerability & risk
6. Status of incident response team
7. Communication preparedness
8. Internal Coordination
9. Training - Employees & Vendors
10. Status of documentation
Summary – Key Principles
• Acknowledge the data you collect contains one or more forms of PII or sensitive data.
• Accept you will experience a data loss incident or breach.
• Understand your company falls under multiple government regulations requiring notice and remedies.
• Being unprepared can significantly add to the direct and indirect costs, including management resources and lost productivity.
• A data incident can result in significant damage to your business’s brand reputation.
Resources - update
• 2014 Data Protection & Breach Incident Planning - https://otalliance.org/breach
• Email Integrity & Security - https://otalliance.org/eauth
• Public Policy - https://otalliance.org/initiatives/public-policy
• 2014 Online Trust Honor Roll - https://otalliance.org/HonorRoll
• Ad & Content Publishing Integrity - https://otalliance.org/resources/advertising-integrity-fraud
• admin@otalliance.org +1 425-455-7400
Cybersecurity brochure flyer version-smallMeg Weber
 
2014 ota databreachguide4
2014 ota databreachguide42014 ota databreachguide4
2014 ota databreachguide4Meg Weber
 
5 questions ce os should ask about cyber risks
5 questions ce os should ask about cyber risks5 questions ce os should ask about cyber risks
5 questions ce os should ask about cyber risksMeg Weber
 
Welcome to the Cyber Risk Summit
Welcome to the Cyber Risk SummitWelcome to the Cyber Risk Summit
Welcome to the Cyber Risk SummitMeg Weber
 
WCC Programs Overview
WCC Programs OverviewWCC Programs Overview
WCC Programs OverviewMeg Weber
 
Audit summary from security solutions and ovation tech
Audit summary from security solutions and ovation techAudit summary from security solutions and ovation tech
Audit summary from security solutions and ovation techMeg Weber
 
Jb hunt case study
Jb hunt case studyJb hunt case study
Jb hunt case studyMeg Weber
 
Nemours case study nemours embraces app innovation with mobile iron
Nemours case study  nemours embraces app innovation with mobile ironNemours case study  nemours embraces app innovation with mobile iron
Nemours case study nemours embraces app innovation with mobile ironMeg Weber
 
Mark Anderson on Cyber Security
Mark Anderson on Cyber SecurityMark Anderson on Cyber Security
Mark Anderson on Cyber SecurityMeg Weber
 
Jimmy johns infractions
Jimmy johns infractionsJimmy johns infractions
Jimmy johns infractionsMeg Weber
 
2014 Economic Forecast: Leadership's Role in a Changing Economy
2014 Economic Forecast: Leadership's Role in a Changing Economy2014 Economic Forecast: Leadership's Role in a Changing Economy
2014 Economic Forecast: Leadership's Role in a Changing EconomyMeg Weber
 

Mehr von Meg Weber (15)

Ri cyber-security-for-your-small-business
Ri cyber-security-for-your-small-businessRi cyber-security-for-your-small-business
Ri cyber-security-for-your-small-business
 
Department of Homeland Security Guidance
Department of Homeland Security GuidanceDepartment of Homeland Security Guidance
Department of Homeland Security Guidance
 
FCC Guidelines on Cyber Security
FCC Guidelines on Cyber SecurityFCC Guidelines on Cyber Security
FCC Guidelines on Cyber Security
 
DHS Guidelines
DHS GuidelinesDHS Guidelines
DHS Guidelines
 
Cybersecurity brochure flyer version-small
Cybersecurity brochure flyer version-smallCybersecurity brochure flyer version-small
Cybersecurity brochure flyer version-small
 
2014 ota databreachguide4
2014 ota databreachguide42014 ota databreachguide4
2014 ota databreachguide4
 
5 questions ce os should ask about cyber risks
5 questions ce os should ask about cyber risks5 questions ce os should ask about cyber risks
5 questions ce os should ask about cyber risks
 
Welcome to the Cyber Risk Summit
Welcome to the Cyber Risk SummitWelcome to the Cyber Risk Summit
Welcome to the Cyber Risk Summit
 
WCC Programs Overview
WCC Programs OverviewWCC Programs Overview
WCC Programs Overview
 
Audit summary from security solutions and ovation tech
Audit summary from security solutions and ovation techAudit summary from security solutions and ovation tech
Audit summary from security solutions and ovation tech
 
Jb hunt case study
Jb hunt case studyJb hunt case study
Jb hunt case study
 
Nemours case study nemours embraces app innovation with mobile iron
Nemours case study  nemours embraces app innovation with mobile ironNemours case study  nemours embraces app innovation with mobile iron
Nemours case study nemours embraces app innovation with mobile iron
 
Mark Anderson on Cyber Security
Mark Anderson on Cyber SecurityMark Anderson on Cyber Security
Mark Anderson on Cyber Security
 
Jimmy johns infractions
Jimmy johns infractionsJimmy johns infractions
Jimmy johns infractions
 
2014 Economic Forecast: Leadership's Role in a Changing Economy
2014 Economic Forecast: Leadership's Role in a Changing Economy2014 Economic Forecast: Leadership's Role in a Changing Economy
2014 Economic Forecast: Leadership's Role in a Changing Economy
 

2014 ota databreach3

1. The Shock of a Data Loss Incident - Who are you going to call?
Craig Spiezle, Executive Director, Online Trust Alliance

2. 2013 Lowlights
• ~2160 data loss incidents
• 89% of data loss incidents could have been prevented
• 822 million records exposed
• 31% of incidents were due to insider threats or mistakes
• 21% of the incidents were the result of physical loss
• 76% were the result of weak or stolen account credentials
• 29% of compromises were via social engineering
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 2
Sources: Publicly disclosed incidents and data published by Microsoft, Open Security Foundation, Privacy Rights Clearinghouse, Risk Based Security, Verizon & Symantec

3. Day 1 – Panic & Denial

4. Day 2 – Confusion & Chaos

5. Day 3 – Communications

6. Laws of Data
• Your company includes “covered information”
• You have regulatory requirement(s)
• You will have a data incident
• If you are unprepared it will cost you
▫ Direct expenses
▫ Remediation
▫ Partners
▫ Brand
▫ Business Shock
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 6

7. Evolution as we become a data driven society
Data Classification & Personal Info
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 7

8. Data Collection Considerations
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 8

9. Self Assessment
1. Do you understand regulatory requirements?
2. What data attributes do you collect? How and where is it stored?
3. Is the business purpose for collecting this data still valid?
4. Are your encryption processes representative of best practices?
5. Do you have a 24/7 incident response team in place?
6. Are you prepared to communicate?
7. Do you follow generally accepted security & privacy best practices?
8. Does your privacy policy reflect your collection and sharing practices?
9. Do you know who to contact in the event of a breach?
10. Can you sign off on a plan affirming you have adopted best practices?
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 9

10. Being Unprepared for an Incident

11. Not just “consumer data”
• Consumer & Employee Data
▫ Unencrypted computer, “stolen”?
▫ Lapse in policy requiring encryption of all laptops
© 2014. All rights reserved. Online Trust Alliance (OTA) Slide 11

12. Credit Cards & Beyond

13. Requires a Holistic View
▫ Part of your DNA.
▫ Ongoing review - controls & policies
▫ Stewardship is everyone’s responsibility.
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 13

14. Security Best Practices (page 9)
1. Email Authentication & DMARC
2. Always On SSL
3. User Access & Password Management
4. Data & Disk Encryption
5. Automatic Patch Management
6. Router & Access Point encryption
7. BYOD Management Plan
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 14
15. Forensics Mistakes (page 12)
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 15

16. Forensics Best Practices (Appendix E)
• Secure and protect the physical integrity of evidence and ensure any systems impacted by a breach are only accessible to investigators and law enforcement. Track the chain of custody of the evidence: who collects the evidence, who transfers it and where it is stored.
• Preserve and store all critical log files in a secure location, including web client and server operating systems, application, mail, firewall, IDS, VPN and Netflow. Due to rotation schedules, the saving of critical logs needs to happen as soon as possible.
• Contact law enforcement and your attorney. It’s critical that forensics be performed by experts, and that your organization does not do anything to compromise the data or chain of custody.
• Disk image capture/evidence preservation should strongly be considered before placing machines back online for law enforcement monitoring purposes.
• Review internal remediation plans and policies.
• Document everything that has been done on the impacted systems since the incident was detected.
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 16
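Two of the practices above, preserving critical logs before rotation discards them and tracking the chain of custody, can be backed by a small collection script. The following added example (not OTA's tooling; the log lines, file names and the "analyst-1" collector are constructed) copies each log into an evidence directory, hashes the original and the copy with SHA-256, writes a manifest, and appends a timestamped custody entry for every action. A later verification re-hashes the store so any alteration of a preserved file is detected.

```python
"""Evidence preservation helper: copies critical logs into an evidence
store, records SHA-256 hashes in a manifest and keeps an append-only
chain-of-custody record. Added example; not OTA's own tooling."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large log files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody(evidence_dir: str, actor: str, action: str, item: str) -> None:
    """Append one chain-of-custody entry: who did what to which item, and when."""
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "actor": actor, "action": action, "item": item}
    with open(os.path.join(evidence_dir, "custody.log"), "a") as fh:
        fh.write(json.dumps(entry) + "\n")


def preserve_logs(sources: list[str], evidence_dir: str, collector: str) -> dict:
    """Copy each source log into evidence_dir, confirm the copy hashes the
    same as the original, and write manifest.json. Returns the manifest."""
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = {}
    for src in sources:
        name = os.path.basename(src)
        dst = os.path.join(evidence_dir, name)
        original_hash = sha256_file(src)
        shutil.copy2(src, dst)   # copy2 keeps the mtime, which matters for timelines
        copy_hash = sha256_file(dst)
        if copy_hash != original_hash:
            raise RuntimeError(f"copy of {src} does not match the original")
        manifest[name] = {"source": src, "sha256": copy_hash,
                          "bytes": os.path.getsize(dst)}
        record_custody(evidence_dir, collector, "collected", name)
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_evidence(evidence_dir: str) -> list[str]:
    """Re-hash every preserved file; return the names that no longer match."""
    with open(os.path.join(evidence_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    return [name for name, meta in manifest.items()
            if sha256_file(os.path.join(evidence_dir, name)) != meta["sha256"]]


def run_demo() -> dict:
    """Preserve two constructed logs, verify, then alter one copy and verify again."""
    work = tempfile.mkdtemp()
    # Constructed sample lines standing in for firewall and web server logs.
    samples = {"firewall.log": "DENY tcp 10.0.0.5 -> 10.0.0.9:445\n",
               "access.log": '10.0.0.5 - - "GET /admin HTTP/1.1" 403\n'}
    for fname, text in samples.items():
        with open(os.path.join(work, fname), "w") as fh:
            fh.write(text)
    evidence = os.path.join(work, "evidence")
    manifest = preserve_logs([os.path.join(work, n) for n in samples], evidence, "analyst-1")
    clean = verify_evidence(evidence)
    with open(os.path.join(evidence, "firewall.log"), "a") as fh:   # simulate tampering
        fh.write("ALLOW tcp 10.0.0.5 -> 10.0.0.9:445\n")
    with open(os.path.join(evidence, "custody.log")) as fh:
        custody_entries = sum(1 for _ in fh)
    return {"manifest": manifest, "clean_check": clean,
            "tampered_check": verify_evidence(evidence), "custody_entries": custody_entries}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In real use the evidence directory should be on write-protected or append-only storage and the manifest hashes recorded off-system (printed into the case file, for example), since a manifest stored next to the evidence can be rewritten along with it.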
17. Working with Cyber Cops “CC”
1. Want to ensure you do not tip off the intruder. The attacker could become hostile, destroy logs and create additional back doors. You may be asked to limit your discussions. If so, take advantage of a law enforcement request to delay statutory data breach notifications.
2. Preserve and collect evidence. Do not turn off your computers since that will result in the loss of volatile memory (disconnecting briefly from the Internet may be okay). They will ask for technical data, to include network- and host-based incident logs and up-to-date network topology maps.
3. Will want to get a better sense of potential insider and external threats. They might ask you about disgruntled current/former employees, in addition to the ability of well-meaning, unsuspecting employees to have used infected thumb drives, clicked bad website links, or opened spoofed emails.
4. May want your direct investigative assistance. This could include use of government tools and even be asked to engage in communications with the attacker.
Source: “What to Expect When Working With Cyber Cops”, Security Magazine, Dec. 1, 2013
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 17

18. Communications & Messaging (page 19)
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 18

20. Communications
• Internal Communications
• Partner Communications
• Phone scripts
• On-hold messages
• Spokesperson Training
• Email & Letter Templates
• Web site FAQ
• Multi-Lingual Support
• Media Monitoring Services
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 20

21. Your Mailing Domain
© 2014. All rights reserved. Online Trust Alliance (OTA) Slide 21

22. KickStarter
• Mailed from their top level domain
• Within 72 hours of notification
• Humble, reassuring
• Complies with California notification requirements
• Have adopted “some” email authentication best practices.

On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers' data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system. No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on your account.

While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one. As a precaution, we have reset your Facebook login credentials to secure your account. No further action is necessary on your part.

We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come.

23. When announcing you’ve had a breach…
• Target – “Your trust is a top priority for Target, and we deeply regret the inconvenience this may cause. The privacy and protection of our guests’ information is a matter we take very seriously and we have worked swiftly to resolve the incident.”
• Global Payments – “The Company will notify potentially-affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost.”
• Adobe – “As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts.”
• Epsilon – “Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.”
• Gawker Media – “You may be angry and upset about what has happened. You have a right to be. We're upset, too, and deeply embarrassed about the breach…here's your chance to ask questions about your commenting accounts, vent, or just help each other with issues you have.”
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 23

24. International Considerations
Do you know where your users reside?
• What is an incident?
• What is required for notification?
• When do you need to advise regulatory authorities?
• What is appropriate remediation?

25. Regulatory Considerations
• Beyond FTC Section 5
• Definition of Covered Information
• Notification & Timing
▫ Regulators vs Users
• Pre-emption of State Laws
• Ability of State AGs to Enforce
• Perhaps modeled off of CAN-SPAM & COPPA
• Safe Harbor for best practices

26. Management Considerations
1. Regulatory Requirements
2. Re-validate Business Requirements
3. Data Inventory – Where & Who?
4. Data collection activities
5. Points of vulnerability & risk
6. Status of incident response team
7. Communication preparedness
8. Internal Coordination
9. Training - Employees & Vendors
10. Status of documentation
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 26

27. Summary – Key Principles
• Acknowledge the data you collect contains one or more forms of PII or sensitive data.
• Accept you will experience a data loss incident or breach.
• Understand your company falls under multiple government regulations requiring notice and remedies.
• Being unprepared can significantly add to the direct and indirect costs, including management resources and lost productivity.
• A data incident can result in significant damage to your business’s brand reputation.
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 27

28. Resources - update
• 2014 Data Protection & Breach Incident Planning - https://otalliance.org/breach
• Email Integrity & Security - https://otalliance.org/eauth
• Public Policy - https://otalliance.org/initiatives/public-policy
• 2014 Online Trust Honor Roll - https://otalliance.org/HonorRoll
• Ad & Content Publishing Integrity - https://otalliance.org/resources/advertising-integrity-fraud
• admin@otalliance.org, +1 425-455-7400
© 2014 All rights reserved. Online Trust Alliance (OTA) Slide 28