CRIMINAL NETWORK INTRUSION AND DATA THEFT: Today s Security Landscape and What to Do If You ve Been Compromised

Transcription

1 CRIMINAL NETWORK INTRUSION AND DATA THEFT: Today s Security Landscape and What to Do If You ve Been Compromised TUESDAY, MAY 24, 2011 Alston & Bird LLP PricewaterhouseCoopers Silverpop

2 Data Breach Seminar Alston & Bird May 24, 2011 Presented by Kimberly Peretti, PricewaterhouseCoopers LLP

3 Agenda Cyber threat landscape Anatomy of a targeted cyber attack Trends PwC March

4 Cyber threat Landscape Who are they & what do they want PwC March

5 Targeted cyber intrusions Who are they PwC March

6 Targeted cyber intrusions What do they want PwC March

7 Profile of Cyber Criminals the Albert Gonzalez conspiracies In the US Young kids Self-taught computer skills Self-taught bankers Drugs No formal education after high school In Eastern Europe Young kids with privileged backgrounds Smart investors Best formal computer training programs PwC 6

8 Insider Threat Data theft/leakage vectors PwC January

9 Insider Threat Influencers 1. Foreign intelligence services 2. Corrupt competitors 3. WikiLeaks web sites 4. Personal financial distress 5. Notification of lay-off 6. Work disenchantment 7. Unresolved work conflict Statistics say 1. Digital > physical 2. Onsite > remote access 3. Normal business hours > off hours PwC 4. Theft committed within days of departure March

10 Anatomy of a targeted cyber attack SoP PwC March

11 PwC March

12 Trends PwC March

13 Assume a state of compromise Targeted attacks cannot be prevented Response/ Resolution Planning/ Training Stakeholders Core Team Lessons learned/ Remediation Cyber threat intelligence Investigative Team Legal IT Finance Other Sr Execs Others Incident Team Leader Support staff Updates to stakeholders Technical Team Leader Technologists/ SMEs Post - incident threat assessment Cyber Incident Management Lifecycle PwC Cyber Incident Management Team 12

14 Cyber forensics Evidence integrity On site Transportatio n Storage Computer Forensics Malware Forensics Cyber Forensics Evidence analysis Forensic tools Documented procedures Documented findings Evidence collection Forensic tools Photos Log Chain of Custody Network Forensics Live Memory Forensics PwC 13

15 Cyber threat intelligence USSS ECTF DHS US-CERT FBI Infragard Spam Analysis Industry working groups Commercial 3rd Party Sources PwC Network Traffic Analysis Malware Analysis Cyber Threat Intelligence Log Analysis 14

16 PwC. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. This document is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

17 CRIMINAL NETWORK INTRUSION AND DATA THEFT: Today s Security Landscape and What to Do If You ve Been Compromised The Art and Science of Breach Notification May 24, 2011

18 Security Incident Management Process Detection Escalation Investigation Notification Remediation

19 Why in the world would we want to disclose a breach to the public? California 2002 (effective 2003) Political No-Brainer 47 states, DC and Puerto Rico Federal standards for the financial services (GLB Act) and healthcare (HIPAA / HITECH Act) industries PCI Data Security Standard Comprehensive federal legislation proposed

20 Do we have to notify? Unauthorized Third Party Access Personal Information Encryption and Other Security Measures Gramm-Leach-Bliley Act - Sensitive NPI HITECH Act PCI Data Security Standard Payment card information

21 Sequencing of Notice Internal Investigation and Forensic Analysis Law Enforcement Regulator Community State Authorities and Credit Bureaus Affected Persons Non-required states Sub-Class of Persons at Risk GLB, HIPAA and PCI DSS Press Release and Securities Considerations

22 The Notice Direct written notice or substitute notice Describe the incident (MA makes this more difficult) Describe the type of PI involved in the breach (MA standard) Telephone contact information Tips to reduce risk of identity theft (MA Security Freeze) Credit bureau information GLB, HIPAA and PCI DSS

23 Strategy and Logistics Threat Status and Systems Hardening Public Relations Strategy Communication Channels Credit Monitoring Service Printing and Publishing the Letters

24 The Response Q&A Monitoring and Escalation of Contacts Regulator Contacts Network and Systems Monitoring

25 Outsourcers and Other Vendors Supplier duty to notify the customer by statute Notification and related obligations by contract Timing Disclosure to others Audit rights Allocation of risk and liability

26 Checklist Form an Internal Response Team to coordinate management of and response to the incident Perform investigation Third party forensic investigation support Detailed chronological investigation report Develop a public relations strategy Assess NYSE/Nasdaq and SEC disclosure requirements Establish call center resources Notification standards, sequencing, delivery and response Risk remediation/process improvement plan

27 CRIMINAL NETWORK INTRUSION AND DATA THEFT: Today s Security Landscape and What to Do If You ve Been Compromised Full Spectrum Legal Issues in a Network Intrusion May 24, 2011 Atlanta, Georgia

28

29

30

31

32

33

34

35

36

37

38

39 Title Insert text Insert text Insert text