
ACEDS-ACFCS Cybersecurity Webcast

ACEDS-ACFCS Cybersecurity Webcast - 2-26-15



  1. Life’s A Breach: Surviving Your Next Cyber-Attack
     Garry A. Pate, Director, Stout Risius Ross, Inc.
     Robert C. Ludolph, Of Counsel, Pepper Hamilton LLP
     Members Only
  2. Visit ediscoveryconference.com
  3. Visit FinancialCrimeConference.com (KEYNOTE)
  4. Robert C. Ludolph, Of Counsel, Pepper Hamilton LLP, +1.248.359.7368, ludolphr@pepperlaw.com
     Garry A. Pate, Director, Stout Risius Ross, +1.248.432.1304, gpate@srr.com
  5. Attack From Within
     • High-level executive placed on leave to investigate a series of improprieties.
     • Executive keeps the company laptop and iPhone on which he stored sensitive customer information, proprietary trade secrets and personal data on employees.
     • Computer returned with 40,000 documents deleted, but e-mails to a competitor are found.
     • General Counsel engages outside counsel, who retains a forensic investigator.
  6. What is Your Cyber-Security Strategy?
     • Who is in charge?
     • Who do you notify?
     • Do you take any legal action?
     • What is this going to cost?
     • And many more questions.
  7. Real Threats?
  8. Target Breach: Tip of the Iceberg
  9. Who Are Your Cyber Threats?
     • Nuisance hacker
     • Social engineering
     • Disgruntled workers
     • Employee/third party theft
       – Customer lists
       – IP theft cases
     • Criminal enterprises
       – Advanced persistent threats
       – State-sponsored enterprises: cyber warfare
  10. Is Your Law Firm the Worst Line of Defense?
     "Banks demand that law firms harden cyber attack defenses" (Wall Street Journal, October 26, 2014)
     "Law Firms Are Pressed on Security for Data" (New York Times, March 26, 2014)
  11. That’s Where the Money Is.
     “Law firms are a rich target,” said the FBI's assistant special agent in charge of the Pittsburgh field office. “They don't have the capabilities and the resources to protect themselves. Within their systems are a lot of the sensitive information from the corporations that they represent. And, therefore, it's a vulnerability that the bad guys are trying to exploit, and are exploiting.”
     "Unprepared law firms vulnerable to hackers" (Pittsburgh Tribune Review, September 13, 2014)
  12. Can Your Law Firm Keep A Secret?
     FBI began warning New York law firms in 2009: “We have hundreds of law firms that we see increasingly being targeted by hackers.”
     Cybersecurity company Mandiant claims that in 2011, around 80 major U.S. law firms were hacked.
     "Ransomware hackers pose threat to B.C. law firms" (CBC News, January 12, 2015)
  13. Will You Know When the Attack Begins?
  14. Target Breach
     • Target system compromised for 19 consecutive days.
     • Information of 110 million people compromised.
     • 11 GB of data stolen.
  15. Target Breach: Consequences
     – $100M effort to move to chip-based payment cards
     – $5M campaign to raise awareness on cybersecurity issues
     – Fourth-quarter profit slumped 46% while revenue slid 5.3%
     – Reputational damage
     – $61 million in hacking-related expenses
     – VP Technology / CIO / CEO resign
  16. Target Breach: Actions
     – Notification to customers by email and online posts
     – 1 year of free credit monitoring for all customers
     – 1 year of free identity theft protection for all affected customers
     – 10% discount offered to all shoppers on December 21 and 22
     – Increased fraud detection on REDcards
     – Launched retail industry cybersecurity and data privacy initiative
  17. Duty to Warn: Data Breach Law and Regulatory Requirements
     • State Privacy Laws
       – Data breach notification legislation.
       – Identity theft legislation, including protection of Social Security Numbers.
       – State legislation on protection of personal information broader than federal (CA, MA, NV).
  18. Alphabet Soup of the Duty to Warn: Data Breach Law and Regulatory Requirements
     Federal requirements on content and timeframe of data breach notification:
     • Office of the Comptroller of the Currency (OCC)
     • Federal Deposit Insurance Corporation (FDIC)
     • Department of Health and Human Services (HHS)
     • Federal Trade Commission (FTC)
     • US Securities and Exchange Commission (SEC)
     New regulations are coming.
  19. At What Cost? $233
  20. You Do the Math
     • Target: 40 million credit cards
     • Home Depot: 56 million accounts
     • eBay: 145 million customers
     • Anthem: 80 million social security numbers
  21. “There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.” (Donald Rumsfeld)
  22. Challenges
     • Fraud and cyber crime now power a multi-billion dollar economy
     • Defacements and Denial of Service attacks
     • Targeted Threats and Advanced Persistent Threats
     • Inconsistent information practices across the enterprise lead to pockets of vulnerability
     • Lack of employee education and awareness leads to vulnerability
     • Unauthorized collection and use of customer information
     • Loss of control over personal information and marketing lists
  23. Key Information Security Challenges: Who Are The Attackers?
  24. Key Information Security Challenges: Perimeter Defense is Insufficient
     New Technology = New Exploits: Rootkits, Morphing Malware, Zero-Days, Insider Threats
  25. Advanced Persistent Threat
     • Second-largest health insurer in the United States
     • Accessed PII of 80 million customers
     • Hackers stole names, birthdays, medical IDs, social security numbers, street addresses and e-mail addresses from Anthem customer data
     • Hackers may have been inside the Anthem network more than a month before being detected
  26. Advanced Persistent Threat
     • World-famous Hollywood studio
     • Hackers stole over 100 TB of data
     • Leaked online some of Sony’s unreleased films and highly sensitive and confidential information, such as passwords and executives' salaries, and even threatened employees and their families
     • Went unnoticed for weeks until computers were paralyzed
     • Not the first time Sony has struggled with cybersecurity
  27. Human Error: Apple Data Breach
  28. Human Error: 2012 Super Bowl Champion New York Giants; Bank of Montreal
  29. Supervisory Control and Data Acquisition (SCADA)
     Large-scale industrial and manufacturing plants. Maroochy Shire
  30. Law Firm Data Breach
     • China-based hackers were looking to derail the $40 billion acquisition of the world’s largest potash producer
     • Hackers exploited the networks of seven different law firms as well as Canada’s Finance Ministry and the Treasury Board
     • Chinese effort to invalidate the takeover as part of the global competition for natural resources
     • Stolen data can be worth tens of millions of dollars and give the party who possesses it an unfair advantage in deal negotiations
  31. Law Firm Data Breach
     • Los Angeles, CA law firm
     • Series of Trojan emails (spear-phishing) appeared to be from members of the firm but in reality were designed to steal data from the firm’s network
     • Each email contained a link or attachment that would download malware
     • In 2011, the firm was representing a leading provider of blocking and filtering software programs in a $2.2 billion lawsuit against Chinese computer firms, software makers, and the Chinese government
     • Forensic analysis revealed that the Trojan emails were linked to Chinese servers
     • The malware was not released; no compromise to its system
  32. Emerging Strategies
     • Shifting the focus away from building robust defensive systems
     • Neutralizing cybersecurity threats once attackers are inside the networks
     • The median length of time that attackers lurk inside a victim’s network is 229 days
     • Protecting high-value information = high price tag
  33. NIST Cybersecurity Framework Core
     • Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
     • Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
     • Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
     • Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
     • Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
  34. Critical Cyber Risk Management
     • Take every report seriously
       – Suspicious email/internet activity
       – Malware/phishing programs
     • Be aware of employee activity
       – Off-boarding process
     • Know your partners and third party contacts
  35. Key Considerations for Policies and Procedures
     – Privacy Policy
       • Clear and conspicuous
       • Say what you do and do what you say
     – BYOD Policy
     – Information Security Policy
     – Business Continuity Plan
     – Security Audits: check and double check!
  36. Steps to Improving Cybersecurity Program
     • Step 1: Prioritize and Scope. Identify business/mission objectives and the systems and assets that support the business line.
     • Step 2: Orient. Identify threats to and vulnerabilities of systems and assets, regulatory requirements, and overall risk approach.
     • Step 3: Create a Current Profile. Identify which outcomes are being achieved.
  37. Steps to Improving Cybersecurity Program
     • Step 4: Conduct a Risk Assessment. Analyze the likelihood of a cybersecurity event and the impact that the event could have on the organization.
     • Step 5: Create a Target Profile.
     • Step 6: Determine, Analyze, and Prioritize Gaps. Create a prioritized action plan to address the gaps between the Current Profile and the Target Profile.
     • Step 7: Implement Action Plan. Monitor current cybersecurity practices against the Target Profile.
  38. Practical Steps: Post Incident Activity, the 3 R’s
     Review
       – Incident response team model
       – Policies/procedures
     Revise
       – Tools and resources
       – Training of employees
     Reevaluate
       – Integrity of third parties' systems
       – Documentation and reports
  39. Managing Cyber Breaches: Report and Post-Mortem
     “Elite Eight” Recommendations
       – Eliminate unnecessary data; keep tabs on what’s left.
       – Perform regular checks to ensure that essential controls are met.
       – Collect, analyze and share incident data to create a rich information source that can drive security program effectiveness.
       – Collect, analyze and share tactical threat intelligence, especially indicators of compromise (IOCs), that can greatly assist defense and detection.
       – Without de-emphasizing prevention, focus on better and faster detection through a blend of people, processes, and technology.
       – Regularly measure things like “number of compromised systems” and “mean time to detection”, and use these numbers to drive better practices.
       – Evaluate the threat landscape to prioritize a treatment strategy. Don’t buy into a “one-size-fits-all” approach to security.
       – Don’t underestimate the tenacity of your adversaries, especially espionage-driven attackers, or the power of the intelligence and tools at your disposal.
  40. AT&T Connected Car Vision 2014
  41. Contact Information
     Robert C. Ludolph, Of Counsel, Pepper Hamilton LLP, +1.248.359.7368, ludolphr@pepperlaw.com
     Garry A. Pate, Director, Stout Risius Ross, Inc., +1.248.432.1304, gpate@srr.com
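Two of the "Elite Eight" recommendations on the post-mortem slide are concrete enough to script: measuring "number of compromised systems" and "mean time to detection", and running shared indicators of compromise (IOCs) against your own logs. The following is an added example written for this page, not code from the webcast or its presenters. Every incident record, indicator and log line in it is constructed for illustration (the IP and domain come from reserved documentation ranges), and the key=value log layout is an assumption; a real deployment would read the records from a ticketing system and the indicators from a threat-intelligence feed.

```python
"""Breach metrics and IOC matching over constructed sample data.

Added example, not code from the ACEDS-ACFCS webcast or its presenters.
All incident records, indicators and log lines are constructed for
illustration; the key=value log layout is an assumed format.
"""
from datetime import date
from statistics import mean

# Constructed incident records: one per compromised host, with the date the
# host was first compromised and the date the compromise was detected.
INCIDENTS = [
    {"host": "fs-01",   "compromised": "2014-11-03", "detected": "2014-11-27"},
    {"host": "mail-02", "compromised": "2014-11-05", "detected": "2015-01-14"},
    {"host": "wks-117", "compromised": "2014-12-20", "detected": "2014-12-23"},
]

# Constructed indicators of compromise, keyed by the log field they apply to.
# 203.0.113.0/24 and example.net are reserved documentation values.
IOCS = {
    "dst": {"203.0.113.45"},
    "host": {"update-check.example.net"},
}

# Constructed key=value log lines from a proxy and a firewall (assumed format).
LOG_LINES = [
    "proxy ts=2015-01-10T08:12:03Z src=10.1.4.22 host=update-check.example.net status=200",
    "fw ts=2015-01-10T08:15:41Z src=10.1.4.22 dst=203.0.113.45 action=allow",
    "proxy ts=2015-01-10T09:00:00Z src=10.1.7.9 host=www.example.com status=200",
]


def compromised_system_count(incidents):
    """Number of distinct hosts with a recorded compromise."""
    return len({i["host"] for i in incidents})


def dwell_time_days(incident):
    """Days between first compromise and detection for one host."""
    return (date.fromisoformat(incident["detected"])
            - date.fromisoformat(incident["compromised"])).days


def mean_time_to_detection(incidents):
    """Mean dwell time in days across all incidents (0.0 when there are none)."""
    if not incidents:
        return 0.0
    return mean(dwell_time_days(i) for i in incidents)


def parse_kv(line):
    """Split a 'source k=v k=v ...' log line into a dict of its fields."""
    fields = {}
    for token in line.split()[1:]:
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def find_ioc_hits(lines, iocs):
    """Return (line_index, field, value) for every field whose value is a known IOC."""
    hits = []
    for idx, line in enumerate(lines):
        for field, value in parse_kv(line).items():
            if value in iocs.get(field, ()):
                hits.append((idx, field, value))
    return hits


def hosts_with_hits(lines, iocs):
    """Internal source addresses that touched any indicator; these go to triage."""
    return sorted({parse_kv(lines[idx])["src"] for idx, _, _ in find_ioc_hits(lines, iocs)})


if __name__ == "__main__":
    print("compromised systems:", compromised_system_count(INCIDENTS))
    print("mean time to detection (days): %.1f" % mean_time_to_detection(INCIDENTS))
    for hit in find_ioc_hits(LOG_LINES, IOCS):
        print("IOC hit:", hit)
    print("internal sources to triage:", hosts_with_hits(LOG_LINES, IOCS))
```

Dwell time is measured per host from first compromise to detection, so the mean is driven by the long-lived compromises (the 70-day mail server above), which is exactly the number the slide says should drive better practice. IOC matching is keyed by log field rather than by substring so that an indicator IP only fires on destination addresses and a domain only on the proxy's host field, which keeps false positives from unrelated fields out of the triage list.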