Cyber Liability Preventive Services & Tools
Specific & Pre-Emptive Considerations BEFORE the Inevitable Cyber Event
January 18, 2018

Today's Panel:
- Adam Cottini, Moderator, Managing Director, Cyber Liability Practice, Arthur J. Gallagher
- Winston Krone, Global Managing Director, KIVU Forensic Consulting
- Kim Holmes, Vice President, Health Care, Cyber Liability & Emerging Risks, TDC Specialty Underwriters, the Doctors Company Group
- Sean Hoar, Partner & Chair, Data Privacy & Cybersecurity Practice, Lewis Brisbois
Issue Awareness
Issue Awareness:
- Employee Awareness: Privacy & Security Training
- Vendor Contract Review & Indemnification
Technology Products & Services
Putting Technology to Work BEFORE a Cyber Event Occurs:
- Network Assessment
- Penetration Testing
- Endpoint Security
- New Generation Antivirus
Network Assessment (aka Vulnerability Assessment)
As technology changes, hackers constantly develop new attack methods, plus the occasional steroid injection from The ShadowBrokers.
Vulnerability Assessment = identifying and quantifying the weaknesses in a system, e.g.:
- Technical (e.g. open ports in a firewall or unpatched software)
- Organizational (e.g. poorly assigned access controls or failure to draft or implement security policies)
Using scanning tools and tailored questionnaires/sampling:
- identify weaknesses within a system;
- grade those vulnerabilities (from severe to mild) to prioritize remediation; and
- create baselines to compare with future assessments
Vulnerability Assessments: Pros & Cons
The Good
1. Easy to run frequently (automated)
2. Spots when things fall apart
3. Chance for high level review (including configuration, access controls)
The Bad
1. Requires baseline: if you've been operating insecurely, but lucky so far, then your baseline is poor and your assessment thinks everything's good
2. Doesn't measure external risk factors and changes to technology
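An added example (not part of the presentation) of grading findings and comparing them with a baseline, including the baseline caveat above: a severe weakness that was already in the baseline shows up as "no change", so it is reported separately. The host names, findings and three-level scale are constructed for illustration.

```python
from collections import namedtuple

# Assumed record layout and grading scale (severe to mild), not from the slides.
Finding = namedtuple("Finding", "host weakness kind severity")
RANK = {"severe": 0, "moderate": 1, "mild": 2}

# Constructed sample data: an earlier assessment (baseline) and today's run.
BASELINE = [
    Finding("fw-edge", "open port 3389 to internet", "technical", "severe"),
    Finding("file-srv", "shared admin account", "organizational", "moderate"),
    Finding("web-01", "unpatched web server", "technical", "severe"),
]
CURRENT = [
    Finding("fw-edge", "open port 3389 to internet", "technical", "severe"),
    Finding("file-srv", "shared admin account", "organizational", "moderate"),
    Finding("hr-app", "no written access-control policy", "organizational", "mild"),
    Finding("db-01", "unpatched database engine", "technical", "severe"),
]

def prioritize(findings):
    """Order findings for remediation: severe first, then by host and weakness."""
    return sorted(findings, key=lambda f: (RANK[f.severity], f.host, f.weakness))

def compare(baseline, current):
    """Split findings into new, fixed and carried-over relative to the baseline."""
    base = {(f.host, f.weakness): f for f in baseline}
    cur = {(f.host, f.weakness): f for f in current}
    return {
        "new": prioritize(f for k, f in cur.items() if k not in base),
        "fixed": prioritize(f for k, f in base.items() if k not in cur),
        "carried": prioritize(f for k, f in cur.items() if k in base),
    }

def report(baseline, current):
    """Delta against the baseline plus the absolute queue, so a poor baseline
    cannot hide severe weaknesses that simply never changed."""
    delta = compare(baseline, current)
    delta["carried_severe"] = [f for f in delta["carried"] if f.severity == "severe"]
    delta["remediation_queue"] = prioritize(current)
    return delta

if __name__ == "__main__":
    for section, items in report(BASELINE, CURRENT).items():
        print(section)
        for f in items:
            print(f"  [{f.severity}] {f.host}: {f.weakness} ({f.kind})")
```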
Penetration Testing
Pen testing: a controlled attack (internal or external) on the network to find and exploit any existing vulnerability.
When Kivu performs a pen test, we employ "ethical hacker protocols":
- Typically at normal user level, in an attempt to gain admin privileges
- Also use social engineering and phishing
- Employ the tricks we've learnt responding to the latest attacks
Objective of the pen test is to report back on:
- how we successfully infiltrated
- the vulnerabilities that allowed access
- how to remediate these problems (CRUCIAL)
Penetration Testing: Pros & Cons
The Good
1. Does not depend on baseline or pre-existing misconceptions by the client
2. Can be tailored to the specific industry/sector
3. We (almost) always get in: it's a good wakeup call
The Bad
1. Expense
2. We (almost) always get in, leading to disbelief, shock, denial
3. Requires predefined parameters and experienced operators to avoid BI
Endpoint Security
Endpoint Detection and Response (EDR)
Typically EDR tools use agents to collect multiple data sources from endpoints and store the evidence in a central database.
- Looking for malware (or vulnerabilities) on an endpoint device
- Feeding data to a SIEM (analysis tool/dashboard)
Endpoint Security
The Good
1. Catches attacks, especially where employees are accessing the Internet via workstations
2. Depending on level/time of analysis, can catch anomalous activity
The Bad
1. Cascade of expense: SIEM, analysis, constant review
2. Vulnerable to zero day attacks, technical changes
3. Misses threats not aimed at endpoints (e.g. credential compromise)
Endpoint Security
Alternatives to Traditional EDR tools:
1. Agent-less scanning
   - Tailored to catch/search specific areas
   - Does not require baseline to identify suspicious artifacts
   - Does not need continued maintenance
   - System agnostic
2. Move to dummy stations/virtualization/third party services
New Generation Antivirus
Signature v. Behavioral Analysis
- Catches the low hanging fruit
- Consistently fails to stop attacks including ransomware
- Move to tools that identify suspicious behavior (reconnaissance, exfiltration) and then work backwards to find the source
Monitoring v. Configuration
Identity & Credit Monitoring
Why Consider Identity/Credit Monitoring BEFORE a Cyber Event Occurs?
In the wake of the recent Equifax breach, let's consider:
- What specific services and support are available from your preferred identity/credit monitoring service provider to affected individuals for helping them address identity theft issues in the wake of a data breach?
- Not all identity/credit monitoring services are created equal
- Consider identity/credit monitoring services - BEFORE YOU HAVE TO
Incident Response Planning
Wrapping it all Up with Incident Response Planning
- Review current digital threats to inform planning process
- Conduct foundational assessment of information security framework
- Review applicable critical security controls
- Identify type, location and security of sensitive data
- Identify key internal stakeholders for organizational response
  - HR, Communications/Marketing, Financial, Risk/Compliance, IT, Legal, etc.
- Identify external resources to assist with response
  - Outside counsel, forensics, consumer remediation, public relations, etc.

Wrapping it all Up with Incident Response Planning
- Create plan, mapped to NIST SP 800-61
- Plan to test the plan
- Implement plan to enable applicable security controls
- Implement, as appropriate, continuous monitoring for vulnerabilities, and process for periodic testing of vulnerabilities
- Implement employee privacy and network security awareness training
- Implement vendor contract review process
- Implement proactive identity theft & credit monitoring
Questions?
- Adam Cottini, adam.cottini@ajg.com
- Kim Holmes, Kimberly.holmes@tdcspecialty.com
- Winston Krone, wkrone@kivuconsulting.com
- Sean Hoar, Sean.Hoar@lewisbrisbois.com