Hacking and Cyber Espionage
September 19, 2013
Prophylactic and Post-Breach Concerns for In-House Counsel

Raymond O. Aghaian, McKenna Long & Aldridge LLP
Elizabeth (Beth) Ferrell, McKenna Long & Aldridge LLP
Janine Sarti, Palomar Health
Peter Garza, Forensic West Legal Solutions, DTI

mckennalong.com 1
Raymond O. Aghaian
Partner, McKenna Long and Aldridge LLP

Ray Aghaian is a partner in the Los Angeles office of McKenna Long & Aldridge where he serves as co-chair of the firm's cybersecurity practice. His experience in the area of cybersecurity has been recognized by leading news outlets such as The Wall Street Journal and The Washington Post. Mr. Aghaian previously served as a federal prosecutor in the cyber crimes division of the U.S. Department of Justice. Mr. Aghaian advises clients in assessing and securing their computer systems, mitigating the risk of liability, ensuring compliance with cybersecurity standards, responding to a cyber attack and complying with mandatory disclosure and notification requirements after a data breach.
Elizabeth (Beth) Ferrell
Partner, McKenna Long and Aldridge LLP

Elizabeth (Beth) Ferrell is a Partner at McKenna Long & Aldridge LLP in the Washington, DC office. Ms. Ferrell is co-chair of the firm's Cybersecurity Practice, and counsels clients on cybersecurity legislative and regulatory developments, cybersecurity requirements for government contractors, the development of effective cybersecurity compliance programs and incident response plans, DoD's pilot cybersecurity program for defense industrial base entities, and protecting the integrity of contractor supply chains. Ms. Ferrell conducts internal investigations of cyber incidents, and defends contractors when threatened with government monetary claims or possible default termination arising from alleged failure to comply with cyber requirements or after a cyber incident. Ms. Ferrell is Vice-Chair of the ABA Public Contract Law Section's Cybersecurity, Privacy & Data Protection Committee.
Janine Sarti

Janine Sarti serves as the Chief Legal Officer of Palomar Health in San Diego, California. As Chief Legal Officer, Ms. Sarti is called upon on various issues related to transactional, regulatory, employment law, medical staff, contractual needs, and clinical ethics. She has been a general counsel for health systems for her entire legal career and has worked closely with the information technology department on matters relating to data privacy and cybersecurity.
Peter Garza
Managing Director, West Coast Forensics, Legal Solutions, DTI

Peter has worked as a computer forensics expert in civil litigation since 1999. He has performed computer forensics analysis in hundreds of litigation cases and also computer intrusion investigations, working in a consulting, testifying or neutral expert capacity. Before joining DTI, Peter worked with the government as a Special Agent with the Naval Criminal Investigative Service (NCIS) specializing in computer forensics, computer counterintelligence and computer intrusion ("hacker") investigations.
Agenda
- Nature of the Threat
- Prophylactic Measures to Mitigate Cybersecurity Risk
- Custom-Tailored Solutions for Cybersecurity Risk Management
- Post-Breach Measures in Response to a Data Breach
- Wrap Up and Questions
A Multi-Dimensional Threat
- Disruptive vs. Destructive
- Theft of Personal or Financial Data, Marketing Data or Intellectual Property
- APT - Foreign State-Sponsored Espionage
- Loosely Affiliated Hackers
- Internal threats / employees
Who is at Risk?
Cybersecurity Threats Affect Nearly Every Industry and Market Sector, Including:
Why Should In-House Counsel Care?
- Not a week passes without hearing of a cyber attack
- Experts say that virtually every major company has suffered an intrusion (even if they are unaware of the breach)
- Changing landscape of cyber laws and regulations (compliance obligations)
- Cyber incident risks:
  - Loss of data (e.g., customer data)
  - Theft of IP (cyber espionage is a direct threat to US economic interests: up to $250B in losses)
  - Disruption/denial of service
  - Reporting obligations under state and federal law
  - Potential liability: FTC, third-party actions, shareholder suits, etc.
  - Adverse impact on public opinion and confidence
  - Exposing internal confidential data to government inspection and scrutiny
Data Breach Cost
- Average cost per incident: $8.9 million vs. $6.75 million in 2010
- Most costly breach: $46 million
- Least costly breach: $1,400,000
- Denial of service, malicious insiders and web-based attacks: these remain the most costly form of data breaches due to additional investigation and consulting fees.
- Information theft represents the highest external cost: 58% of all cybercrime costs. Includes trade secrets, source code, customer information and employee records. Also includes cost of data breach notification.

Source: Ponemon Institute, U.S. Cost of a Data Breach Study, 2012 at http://www.ponemon.org/data-security
The Threat - Your Users/Employees
- Social engineering
- Email with links ("Clean up your computer", "Antivirus")
- Email attachments
- Malware
- Botnets
The Threat - Mobile Devices
- Does your corporation allow BYOD?
- Is the use of passwords enforced?
- Is there an MDM in place?
- Malicious Apps
- Vulnerable Apps
The Threat - Social Media
- Hackers troll social media
  - For reconnaissance when targeting an organization
  - Also for information to compromise the user
- Social engineering
- Malicious links
- Malware
- Worms
Pre-Breach Considerations
- IDS, IPS, Firewalls
- Security and system logs
- Aggregating log data (SIEM), e.g. Splunk
- Security policy (PHI, PCI)
- Data retention policy
- Service agreements (e.g. Cloud)
- Encryption
- Penetration Testing
Understanding Your Platform
- What standards are you governed by?
- Select a standard, or subset of a standard: NIST, FIPS, ISO, CAG
Pre-Breach Considerations
- Have a breach response plan in place
- Who has ownership of each system in your organization?
- Who is notified?
- Arrange for communication off-network
- Be ready to address the media
- Know which laws and regulations will apply
Responding to an Incident
- Have a system administrator or IT security person start a written log of what occurred:
  - Record detection
  - Describe preservation efforts
  - Detail recovery efforts
  - Identify responders
- Decide whether to watch the intruder or lock them out
- Begin remediation
Intrusion Incident Forensics
- Vital to record processes running in live memory
- A quick review of aggregated logs (SIEM) may pay off big here
- Obtaining a forensic image of relevant systems is a must
- Forensic analysis is an iterative process:
  - Confirm compromise
  - Was administrator-level access obtained?
  - What unauthorized activity was performed?
  - What data was exfiltrated from the corporate environment?
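An added example (not from the presentation or its authors) showing, in Python, two of the practices on the pre-breach, incident-response and forensics slides: a first pass over aggregated SIEM-style log lines that answers the questions the forensics slide lists (compromise confirmed? administrator-level access obtained? what left the environment?), and the written incident log the response slide calls for, kept as a SHA-256 hash chain so that any later edit to an entry is detectable. The log lines, host names, user names, the administrator group names and the 100 MiB transfer threshold are all constructed assumptions for the example.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample of aggregated (SIEM-style) log lines for the example.
# Host names, user names and addresses are invented; the IP addresses come
# from the RFC 5737 documentation ranges and the 10.0.0.0/8 private range.
SAMPLE_LOGS = """\
2013-09-12T02:14:07Z host=web01 src=203.0.113.45 user=svc_backup event=auth_failure
2013-09-12T02:14:09Z host=web01 src=203.0.113.45 user=svc_backup event=auth_failure
2013-09-12T02:14:12Z host=web01 src=203.0.113.45 user=svc_backup event=auth_success
2013-09-12T02:20:31Z host=web01 src=203.0.113.45 user=svc_backup event=group_add group=Administrators
2013-09-12T02:41:55Z host=web01 dst=198.51.100.7 user=svc_backup event=outbound_transfer bytes=734003200
2013-09-12T03:05:00Z host=db02 src=10.0.0.12 user=dba event=auth_success
"""

KEY_VALUE = re.compile(r"(\w+)=(\S+)")
ADMIN_GROUPS = {"administrators", "sudo", "wheel"}   # assumed privileged group names
EXFIL_THRESHOLD = 100 * 1024 * 1024                  # assumed: 100 MiB in one transfer


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KEY_VALUE.findall(rest))
    fields["ts"] = ts
    return fields


def triage(log_text, exfil_threshold=EXFIL_THRESHOLD):
    """First pass over aggregated logs: is the compromise confirmed, was
    administrator-level access obtained, what activity occurred, what data left."""
    findings = {"confirmed_compromise": False, "admin_access": [],
                "exfil": [], "hosts": set(), "timeline": []}
    failures = {}   # (src, user) -> failed logons seen so far from that pair
    for event in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        key = (event.get("src"), event.get("user"))
        kind = event.get("event")
        if kind == "auth_failure":
            failures[key] = failures.get(key, 0) + 1
        elif kind == "auth_success" and failures.get(key, 0) >= 2:
            # A success right after repeated failures from the same source is
            # treated here as a confirmed credential-guessing compromise.
            findings["confirmed_compromise"] = True
            findings["hosts"].add(event["host"])
            findings["timeline"].append(
                (event["ts"], f"{key[1]} logged on from {key[0]} after {failures[key]} failures"))
        elif kind == "group_add" and event.get("group", "").lower() in ADMIN_GROUPS:
            findings["admin_access"].append((event["ts"], event["host"], event["user"]))
            findings["hosts"].add(event["host"])
            findings["timeline"].append(
                (event["ts"], f"{event['user']} added to {event['group']} on {event['host']}"))
        elif kind == "outbound_transfer" and int(event.get("bytes", 0)) >= exfil_threshold:
            findings["exfil"].append((event["ts"], event["host"], event["dst"], int(event["bytes"])))
            findings["hosts"].add(event["host"])
            findings["timeline"].append(
                (event["ts"], f"{event['bytes']} bytes from {event['host']} to {event['dst']}"))
    return findings


class IncidentLog:
    """The slide's written log, kept tamper-evident: each entry carries the
    SHA-256 of the previous entry, so editing any entry breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, responder, category, detail, ts=None):
        entry = {"ts": ts or datetime.now(timezone.utc).isoformat(),
                 "responder": responder, "category": category, "detail": detail,
                 "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


if __name__ == "__main__":
    found = triage(SAMPLE_LOGS)
    log = IncidentLog()
    log.record("sysadmin", "detection",
               f"SIEM review: compromise={found['confirmed_compromise']}, hosts={sorted(found['hosts'])}")
    for ts, what in found["timeline"]:
        log.record("sysadmin", "finding", f"{ts} {what}")
    log.record("sysadmin", "preservation", "memory capture and forensic image of web01 requested")
    print(json.dumps(log.entries, indent=2), "\nchain intact:", log.verify())
```

The triage rules are deliberately simple thresholds (two failed logons followed by a success, membership added to a privileged group, one transfer above a size limit); in practice they are a starting point for the iterative analysis the slide describes, not a verdict. The hash chain only makes edits detectable, it does not prevent them, so the log should still be copied off the affected network, as the earlier slide on off-network communication suggests.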
Notification Obligations
- HIPAA: PHI - individually identifiable health information
- State Breach Notification Statutes
- PCI DSS: Payment Card Industry Data Security Standard
- SEC
- Other Contractual Obligations
- FTC
For more information contact:
Raymond O. Aghaian, raghaian@mckennalong.com
Elizabeth (Beth) Ferrell, eferrell@mckennalong.com
Janine Sarti, Janine.Sarti@palomarhealth.org
Peter Garza, PGarza@dtiglobal.com

Copyright 2012 by McKenna Long & Aldridge. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise) without the permission of Integreon. This document provides an outline of a presentation and is incomplete without the accompanying oral commentary and discussion.