Security Breaches: How to Prepare and Respond

Transcription

1 Security Breaches: How to Prepare and Respond

2 BIOS SARAH A. SARGENT Sarah is a CIPP/US- and CIPP/E-certified attorney at Godfrey & Kahn S.C. in Milwaukee, Wisconsin. She specializes in cybersecurity and data privacy, specifically with respect to compliance planning and data breach response. CHRIS KIMMEL Chris Kimmel ACE, CHPA, CISSP, GCFA the Security Incident Manager at Associated Bank in Green Bay, Wisconsin. Chris has over eight years experience within the field specializing in Security Incident Response, Penetration Testing, and Risk Management. Chris has led the response for hundreds of Information Security Breaches

3 AGENDA What is a data security breach? What should you do to prepare for a breach? What steps do you need to take when a breach happens? What laws are implicated in breach response? What are the latest trends?

4 WHAT IS A SECURITY BREACH? Any incident that results in unauthorized access of data, applications, services, networks and/or devices by bypassing their underlying security mechanisms.

5 COMMON TYPES OF BREACHES Social Engineering Business Compromise Spoofed s Accidental Disclosures Ransomware Cryptojacking Stolen & Lost Devices Denial of Service Insider Threat

6 Cybercrime Value of PII, credit cards, SSN Trade Secrets Nation-state actors Impact critical infrastructure Steal intelligence Theft of Trade Secrets Hacktivism Extortion MOTIVATIONS

7 READINESS VS. RESPONSE Readiness is preparing your organization for an incident before it occurs: Business Impact Assessments Data Classification Policies and Procedures Training Response is the process of handling an incident once a threat event is identified: Identification / Verification Notification / Escalation Containment / Eradication Recovery Lessons Learned

8 INCIDENT RESPONSE PROCESS

9 HOW TO PREPARE FOR A BREACH Make a Plan Assign Roles and Responsibilities Determine Notification and Escalation Timings Practice the Plan Training

10 HOW TO RESPOND: DETECTION & CONTAINMENT Keep calm! Ensure all key personnel / 3 rd party support are available and assisting Gather / Verify scope of Incident Contain the incident Is the goal immediate remediation or monitoring? Eradicate the Incident once goals are achieved Initiate and cooperate with forensic investigation if necessary

11 HOW TO RESPOND: DOCUMENTATION Preserve records Pull insurance policies, relevant contracts, bank information (if wire fraud) Control communications internally and externally Utilize attorney-client privilege

12 HOW TO RESPOND: REMEDIATION Recover systems & data to the extent possible Determine notification obligations under state, federal, and international law Analyze contractual obligations & make required notifications

13 HOW TO RESPOND: WRAP UP Team meeting to discuss lessons learned Review policies and adjust accordingly Create action list for security improvements

14 FEDERAL, STATE, AND INTERNATIONAL LAW Health Insurance Portability and Accountability Act; Gramm- Leach-Bliley Act All fifty (50) states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring notification to individuals of security breaches involving personally identifiable information. General Data Protection Regulation (European Union); Canada s Personal Information Protection and Electronic Documents Act

15 BREACH NOTIFICATIONS STATE MATTERS Organizational footprint matters. If you have a location in Washington State and Wisconsin, the reporting laws can be different. Texas requires anyone providing notice in Texas to notify all individuals regardless of state Most organizations will conform to the strictest laws and apply that precedence for all impacted records

16 DIFFERENCES IN LAW Definition of Personally Identifiable Information or Personal Data Definition of breach: access or acquired Notice to consumer reporting agencies Timeline of notices Language of notices Notice to state agencies

17 EXAMPLE - NOTIFICATION TO REGULATORS (WASHINGTON) Washington State Any person or business required to notify more than 500 Washington residents as a result of a single breach shall, by the time notice is provided to affected consumers, electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the attorney general. The person or business shall also provide to the attorney general the number of Washington consumers affected by the breach, or an estimate if the exact number is not known. Notice to the attorney general shall be made in the most expedient time possible and without unreasonable delay, no more than forty-five calendar days after the breach was discovered, unless at the request of law enforcement or due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.

18 EXAMPLE NOTIFICATION TO REGULATORS (WISCONSIN) Notice, without unreasonable delay, to consumer reporting agencies is required for any breach requiring notification to more than 1,000 individuals.

19 TRENDS 68% of breaches took months or longer to discover Ransomware is the top variety of malicious software, found in 39% of cases where malware was identified 4% of people will click on any given phishing campaign Statistics taken from 2018 Verizon Breach Report, available at mary_en_xg.pdf (accessed on 11/16/2018)

20 TRENDS 94% of security incidents and 90% of confirmed data breaches fall into nine incident classification patterns 76% of breaches were financially motivated Statistics taken from 2018 Verizon Breach Report, available at mary_en_xg.pdf (accessed on 11/16/2018)

21 QUESTIONS? THANK YOU