Cyber Due Diligence: Understanding the New Normal in Corporate Risk
Gillian Stacey, Davies Ward Phillips & Vineberg LLP
Donald Good, Navigant Consulting
Peter Gronvall, Navigant Consulting
8:30 to 10:00 a.m. EDT, October 19, 2017
CYBER DUE DILIGENCE: CONFRONTING THE CHALLENGES OF TODAY'S NEW NORMAL
TABLE OF CONTENTS
SECTION 1: Why Cyber Diligence, and When?
SECTION 2: Today's Landscape: Cyber and Information Security
SECTION 3: The Depth of Necessary Diligence: Deep/Dark Web
SECTION 4: Cyber Diligence: Truly the Best Course to Adopt Today
CYBER DILIGENCE: WHY & WHEN?
WHY? THE DRIVERS IN TODAY'S ENVIRONMENT
Why is a cyber-focused approach necessary in today's legal due diligence scenarios?
Corporate Health
- Keep corporate information safe
- Protect employees
- Ensure sound M&A transactions
- Establish safe contracts with others
Legal
- Risk management
- Ensure smart spend for infosec
Regulatory
- Non-discretionary requirements
- Many more jurisdictions likely to follow
Insurance
- Demonstrate good practices in the event of claims
- Minimize premiums on cyber policies
Compliance
- Cornerstone of GDPR preparation
- Satisfy standards and guidance from: HIPAA, DFARS, PCI DSS, OCC
Shareholders and the C-Suite
- Non-discretionary Board requirements
THE WHEN? AS IT RELATES TO CYBER INTELLIGENCE
Pre-breach: Establish Corporate Health
- Address the potential risk before an event
- Identify the roles and the accountability/communication plan
Reacting to a Breach: A Common Scenario
- Manage and recover from an incident
- Include Media Relations, the C-Suite, outside counsel, maybe law enforcement
M&A / Transactional Scenarios
- Know the cyber risk of the merger partner/acquisition target
- Explore the expanded vendor supply chain
New Normal: We are as strong as our weakest link
Ensuring Business Health: Examining Existential Risks
- Contract requirements
- Audit
- Physical and virtual security; looking for insider threat vulnerabilities
CYBER AND INFORMATION SECURITY: TODAY'S LANDSCAPE
TODAY'S CYBER THREATS
- Hacktivists
- Criminal
- Insider
- Nation State
A TYPICAL ATTACK LIFE CYCLE
Source: http://www.ritholtz.com/blog/wp-content/uploads/2013/02/attack-life-cycle.png
MOST COMMON BREACHES / ATTACKS
- Ransomware
- Business Email Compromise
- Office365 Compromise
- POS
- Employee-Created Vulnerabilities
- W-2 and Human Resource Data
- Vendor Vulnerabilities
2016 IN REVIEW: RIFE WITH ATTACK THREATS
Source: Symantec Information Security Threat Report, 2017
MAY 2017 - WANNACRY
Ransomware that infected over 200,000 machines within three days
Represented a new type of attack
- Exploited a known Windows vulnerability
- Self-propagated
- No user actions required
Relatively low payment rate
High cost to remediate
We were still lucky
WHAT CAN HAPPEN AFTER THE FIRST INCIDENT
Aftershock password attacks
- Reverberations of the 2014 Yahoo! and other breaches (LinkedIn, Amazon vendors, etc.)
- Billions of credentials available
Continued evolution of attacks
- More attacks on IoT devices and Industrial Control Systems
- More targeted attacks
- Integration of machine learning
- Broader damage and more difficult recovery
A sizable increase in Nation State involvement
- Cyber attacks evolve from tools of espionage to tools of attack
- Responses will evolve from technical defence to include policy, diplomatic, law enforcement, and economic components
THE WEB: IT IS BIGGER THAN WE THINK, BUT WE HAVE TO GO THERE
THE WEB IS FAR MORE THAN MEETS THE EYE (OR THE USER)
Surface Web
- Most familiar
- Accessible to search engines and standard browsers
- From <1% to 4% of all web data
Deep Web
- All web pages that search engines cannot find
- User databases, webmail, data behind paywalls
- Most web data resides here
Dark Web
- Encrypted network
- Inaccessible to traditional search engines or browsers
- Very small amount of web data
INSIDE THE DEEP WEB & DARK WEB
Sources: http://www.tech4pub.com/2014/02/26/infographic-deep-web/ ; Symantec Information Security Threat Report, 2017
DARK WEB - USES AND CHALLENGES
Legitimate Use in Censored Countries
- Access to Western news and culture (Netflix, Facebook)
- Anonymous organization for social activism
Criminal Enterprises
- Cyber attack tool and strategy exchanges
- Stolen intellectual property
- Stolen corporate secrets
- Silk Road
- Terrorism
- Pornography
- Human Trafficking
- State-Sponsored Attacks: planning and execution
CYBER DILIGENCE: SURVEILLING FOR CYBER RISK
CYBER DILIGENCE: THE REALITY
"It's not a matter of if you will be breached; it is a matter of when."
- Often-stated information security proverb
"You've probably already been compromised, you just don't know it."
- Bob Anderson, former Executive Director of the FBI, currently Managing Director, Navigant Consulting, Inc.
THE REACH OF CYBER DILIGENCE
Risk Assessments
- Deep/dark web and peer-to-peer web surveillance for known corporate data/documents/passwords/rogue-employee behaviour
Incident Readiness Assessments
- Analysis of policies, infrastructure, hardware, software
- Gap analysis
- Recommendations
- Selection of best-in-breed solutions
Event Readiness Testing
- Table top exercises
- Red team simulations/walk-throughs
- Penetration testing
- End-point monitoring
Incident Response
- Computer forensics, data breach analytics, data exfiltration assessment, noticing requirements, patching and affirmation of breach solution
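One concrete piece of the credential surveillance listed above is checking a leaked-credential dump for accounts at the company under diligence, which is also the defensive answer to the "aftershock password attacks" slide earlier (billions of credentials in circulation, ready for reuse against corporate logins). The following is an added Python example, not code from the deck or from Navigant. It assumes the common `email:password` line format for the dump and uses a constructed sample dump and a made-up corporate domain (`example.com`). Each leaked password is reduced to a SHA-256 digest as soon as it is read, so the check can be run and reported without retaining cleartext, and identical digests across different corporate accounts flag a password shared inside the organisation.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

# Constructed sample dump in the common "email:password" shape, with one junk line,
# one account outside the corporate domain and one case-variant duplicate. Not real data.
SAMPLE_DUMP = """\
alice@example.com:Summer2016!
bob@example.com:hunter2
carol@other.example:letmein
this line has no separator
dave@example.com:Summer2016!
ALICE@example.com:Summer2016!
"""

CORPORATE_DOMAIN = "example.com"  # assumption: the domain of the company under diligence


@dataclass(frozen=True)
class Exposure:
    email: str
    password_sha256: str  # digest only; the leaked cleartext is never kept
    shared_with: int      # other corporate accounts seen with the same password


def parse_dump(text):
    """Yield (email, password) pairs from dump text, skipping malformed lines.

    Only the first ':' splits the line, so passwords that contain ':' survive intact.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        email, _, password = line.partition(":")
        email = email.strip().lower()
        if "@" not in email or not password:
            continue
        yield email, password


def find_exposures(dump_text, domain):
    """Return Exposure records for accounts at `domain`, one per address.

    Passwords are hashed immediately; the digest is enough to count how many
    corporate accounts share the same password, which is the reuse signal a
    diligence report needs.
    """
    suffix = "@" + domain.lower()
    seen = {}  # email -> digest of the first password seen for that address
    for email, password in parse_dump(dump_text):
        if not email.endswith(suffix):
            continue
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        seen.setdefault(email, digest)
    digest_counts = Counter(seen.values())
    return sorted(
        (Exposure(email, d, digest_counts[d] - 1) for email, d in seen.items()),
        key=lambda e: e.email,
    )


def summarise(exposures):
    """Headline numbers for the risk-assessment write-up."""
    return {
        "exposed_accounts": len(exposures),
        "accounts_with_shared_password": sum(1 for e in exposures if e.shared_with > 0),
    }


if __name__ == "__main__":
    found = find_exposures(SAMPLE_DUMP, CORPORATE_DOMAIN)
    for e in found:
        print(f"{e.email}  sha256={e.password_sha256[:12]}...  shared_with={e.shared_with}")
    print(summarise(found))
```

On the sample data the check reports three exposed corporate accounts, two of them (alice and dave) sharing a password, while the non-corporate account and the malformed line are ignored. In practice the output feeds the risk register and a forced password reset for the affected accounts; the digests, not the passwords, are what gets stored.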
AN INTELLIGENT CYBER DILIGENCE MODEL
Prepare for risk readiness
- Continuous network and perimeter monitoring
Scope the potential risk of incidents/problems
- Triage
- Identify
- Dive
Contain the risk
- Learn how the network was breached
- Feed back into threat intelligence
- Block and segregate network locations as needed
Eradicate the issue
- Patch entry points
- Optimize enterprise password management
- Remove malware/vulnerabilities
Recover systems as necessary
- Restore systems from backups
- Enlist counsel as needed
Debrief key stakeholders
[Cycle diagram: Preparation, Scope, Contain, Eradicate, Recover, Debrief]
CYBER DILIGENCE ASSESSMENT
Navigant deploys a customized, five (5) phased approach in support of each engagement that utilizes industry standards and best practices to help identify and manage risk, and achieve a compliance-oriented, mature incident-readiness state.
Phase 1: Project Initiation
Phase 2: Build Data Inventory
Phase 3: Execute Information Security Assessment
Phase 4: Enhance Privacy Disclosures
Phase 5: Close Gaps and Transition to Future State
Key Activities & Deliverables
- Governance: Set up Program Management structure, communications and overall cadence
- Engage Team: Conduct kick-off with Navigant team and develop project status and tracking tools
- Knowledge Transfer: Partner with client to transfer data-centric knowledge
- Current State: Gather information associated with existing data management processes
- Data Inventory: Documentation; interviews
- Strategic Road Map: Develop and gain approval on the road map
- Review of Network, Devices, and IT Schema: Analyze network security protocols and credentials (CI360, etc.)
- Breach Determination and Log Analysis: Assess usage patterns, configuration, and security measures
- Consent: Enhance processes and procedures to comply with necessary requirements
- Data Updates: Build processes to find, update, or delete data, and test the process
- DPIA: Create data protection impact assessment
- Table Top Exercises: Test process of receiving requests from data subjects; incident readiness planning
- Close Gaps: Develop processes to close gaps or ensure a plan is in place to close all open gaps
- Transition: Train organization to maintain platform and schedule drift check sessions
THE BROADER BUSINESS NETWORK
Vendors/Supply Chain
- Third-party relationships may pose a potential threat to security
- Effective risk management requires comprehensive tools and processes to handle those threats
Point of Sale
Industrial Control Systems (ICS)
- SCADA applications
VENDOR RELATIONSHIPS: ASSESSMENTS
Integrate into pre-breach assessments
Include vendor network:
- In risk register
- In response plans
- As part of monitoring topology
Leverage:
- Agreements
- Rights to audit
- Third-party solutions
THANK YOU
PETER GRONVALL, Managing Director, 202-973-7238, peter.gronvall@navigant.com
DON GOOD, Director, 202-481-8349, don.good@navigant.com
navigant.com
Questions?
Thank you
Gillian Stacey, Davies Ward Phillips & Vineberg LLP, 416.367.6934, gstacey@dwpv.com
Donald Good, Navigant Consulting, 202.481.8349, donald.good@navigant.com
Peter Gronvall, Navigant Consulting, 202.973.7238, peter.gronvall@navigant.com