Data Breach Preparedness & Response

Data Breach Preparedness & Response
April 16, 2015
Daniel Nelson, C|EH, CIPP/US
Lucas Amodio, C|EH
2015 Armstrong Teasdale

6 Stages of a Data Breach Response
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

PREPARATION

Identify Your Planning Team
- This is NOT an IT project
- Multidisciplinary planning team
- Senior management sponsor
- IT
- Legal
- Human Resources
- Risk Management
- Business Units
- Public Relations

Why Have a Plan
- Often required: PCI, HIPAA, GLBA
- Regulators care. FTC guidance: a reasonable plan, reasonably followed, may be the difference with respect to a regulatory action decision
- Insurers care: you will be asked in the underwriting process
- Third parties are increasingly intolerant of a botched response

Risk Assessment
- What problem are you solving?
- Undertake at least some level of risk assessment
- Questions:
  - What types of data are important, and why?
  - Where is that data located?
  - What other assets are important?
  - What types of losses present a significant risk to the company?
  - Who are the significant threat actors?

Identify Data Types
- PCI information (credit card data)
- Protected Health Information: if you are self-insured, all data relating to an individual's participation in the health plan is likely protected, not just medical data
- Consumer personal information
- Employee information
- Trade secrets

Profile Your Data: Location
- Servers
- Laptops
- Accessible by personal devices
- "The Cloud": don't accept this as an answer; define it further
- Hard-copy data
- Third parties: vendors, third-party administrators

Profile Your Data: Type
- At rest or in motion
- Encrypted or unencrypted?
- Who owns it?
- Format

Identify Other Important Assets
- Essential business systems: payroll, order entry/processing, website, email
- R&D information
- Connections to vendors/customers
- It's not just credit cards!

Assess Loss Tolerance
- Not all risks are created equal
- Risk, in fact, is partially defined by loss
- Helpful to classify loss: Catastrophic, Significant, Moderate
- Can be measured in $$, downtime, or by other metrics
- Focus first on high-likelihood, high-loss risks
- Then on lower-likelihood, high-loss risks

Identify Significant Threat Actors
Why might someone go after your systems? (Goals)
- Information theft
- Disrupting business operations
- Data manipulation
- Revenge (real or imagined slights)
- Boredom / street cred / "because it's there"
- A cause
Motivation: the target system stores or processes something valuable

Identify Significant Threat Actors
Who is likely to go after your systems?
- Cyber-criminals (identity thieves, credit card thieves)
- State actors
- Hacktivists
- Joy hackers
- Cyber terrorists
- INSIDERS

Who is likely to accidentally cause security incidents?
- INSIDERS
- Vendors
- Customers

Data Breach is only one of many threats
- Ransomware
- Cyber extortion: Code Spaces, Nokia, Feedly, One More Cloud, Domino's, Durham Police Department, Sony

Data Breach is only one of many threats
- Data integrity attacks: grades, power systems
- Control system attacks

Data Breach is only one of many threats
- Pivoting

How do they gain access?
- Spear phishing
- SQL injection
- Weak authentication (password hacking)
- Abuse of authority
- Removable media
- Malware: malicious links, Trojans (RAT: Remote Administration Terminal)

How hard is it to learn to hack?
- "Everything a hacker needs": over 100 hacking tools preinstalled

Tools such as:
- John the Ripper (password cracking)
- Angry IP Scanner (scanning)
- THC Hydra (password cracking)
- Cain & Abel (anything you can imagine on a Windows system)
- Burp Suite (web apps)
- Social Engineering Toolkit (SET)
- Wireshark (packet sniffer)
- Nessus (vulnerability scanner): each finding is rated by severity ("how bad for you / good for me") and labelled with a vulnerability name ("so I can find it easily")

One of the biggest challenges is to choose from among a plethora of tools.

But the two most powerful hacking tools?
- YouTube
- FUD: Fully Undetectable Remote Administration Terminal (a Trojan)

Training
- One of the most vital steps of Preparation is training
- Training everyone (IT, employees, managers) to not become victims
- Training everyone on the plan and what their responsibilities are

Prepare Your Plan
- Statement of purpose: why we have this plan
- Identify your Breach Response Team:
  - Incident commander (and backup)
  - Breach coach (lawyer)
  - Internal resources (primary & backup): HR, IT, Customer Relations, Communications, major business units
  - External resources: breach coach, forensics vendor, identity theft services vendor, crisis communications

Protecting Privilege
- Attorney-client privilege can be invoked between the victim company's outside legal counsel and hired third-party forensic firms that perform a review of the system during a breach. Invoked privilege allows the forensic company to report breach results directly to the law firm.
- http://www.secretservice.gov/ectf_best_practices.pdf

Define Incident
- Not all incidents are a five-alarm fire
- May be different communications structures for different incident levels
- No incident is minor
- Level 1, Level 2

Map Team Communication
- Who is called first? What if they are not available?
- Have pre-established communications
- Plan alternate communication modes
- Standards for senior management/board communication: When? Who? How?
- Names, numbers, email, ...

Map External Communications
- Required communications: PCI, HIPAA, regulatory
- Other communications: law enforcement, vendors/customers, insurance

Identification: Technical
- Affected systems
- Affected data
- Means of access
- Level of access
- Vulnerability exploited
- Method of detection

Identification: Business
- Public safety issue?
- Persons affected: number, type, identification
- Business lines affected
- Immediate consequences
- Potential consequences
- Malicious or accidental

Incident Declaration
- Date
- Time
- Level
- Ongoing or contained
- Key contacts
- Detection method
- Systems affected
- Data affected
- Mode of attack
- Impacts
- Next steps

Define Procedures
- May be incident-type specific
- Should include Do's and Do Not's
  - Do: isolate affected equipment; report incidents
  - Do not: communicate out of channel; self-investigate
- Should include multiple action plans, likely in parallel:
  - Network investigation
  - Non-network investigation
  - Containment/eradication
  - Public-facing communications: who, approval process
  - Internal communications: who, approval process
  - Documentation procedures & requirements

Technical Containment & Eradication
- Pre-plan for likely scenarios
  - List of likely threats
  - Method of execution & whose responsibility
  - Clearly specify don'ts
- Identify network resources affected
- Identify network containment points
- Compensating controls
- Identify logs & other evidence
- Special contacts (hardware, software, cloud)
- Contain, investigate, eradicate

Recovery
- Pre-analysis of "what next" for likely scenarios
  - Technical, e.g. restoration from backup
  - Business, e.g. post-event communications

Lessons Learned
- Institute a formal requirement for post-action review

Tips
- Use diagrams: data flows, network topology, chain of command, chain of communication
- Plan for multiple contingencies
- Table-top the plan
- Plan for regular revisions

Handling a Breach
- FOLLOW YOUR PLAN
- But, just in case...

Key Data Breach Steps
- Identify: live vs. historical
- Isolate: do not turn off, power down, or log in
- Gather & preserve other evidence (e.g. logs)
- Contact counsel
- Counsel hires external forensics
- Appoint a leader
- Gather a team
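The "Identify logs & other evidence" item under Technical Containment and the "Gather & preserve other evidence (e.g. logs)" step above say what to keep but not how to show it was kept intact. The Python below is an added example, not code from the presentation or from Armstrong Teasdale: it hashes each collected log file with SHA-256 at collection time into a manifest that records who collected it and when, and re-verifies the preserved copies later so that any alteration after collection (or of the manifest's file list itself) is detected. The file names, log lines, incident id and collector label are constructed for the demonstration.

```python
"""Evidence preservation for collected log files (added example, not from the slides).

Every collected file is hashed at collection time and recorded in a manifest
together with the collector and a UTC timestamp, so later review by counsel's
forensic vendor can show the copies were not altered after collection.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large logs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _file_list_digest(entries: list) -> str:
    """Digest over the canonical JSON of the file list, protecting the manifest itself."""
    return hashlib.sha256(json.dumps(entries, sort_keys=True).encode()).hexdigest()


def build_manifest(paths, collector: str, incident_id: str) -> dict:
    """Record path, size, SHA-256 and collection time for each preserved file.

    incident_id is whatever label the incident declaration assigned. The
    manifest is itself evidence: store it with the files and send a copy out
    of band (e.g. to counsel) so a later edit cannot silently replace it.
    """
    entries = [
        {"path": str(p), "size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in map(Path, paths)
    ]
    return {
        "incident_id": incident_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": entries,
        "files_sha256": _file_list_digest(entries),
    }


def verify_manifest(manifest: dict) -> list:
    """Return (path, reason) for every file or manifest entry that no longer matches."""
    problems = []
    if _file_list_digest(manifest["files"]) != manifest["files_sha256"]:
        problems.append(("<manifest>", "file list altered"))
    for entry in manifest["files"]:
        p = Path(entry["path"])
        if not p.exists():
            problems.append((entry["path"], "missing"))
        elif sha256_file(p) != entry["sha256"]:
            problems.append((entry["path"], "hash mismatch"))
    return problems


def demo() -> tuple:
    """Preserve two constructed log files, verify, then show that tampering is caught."""
    workdir = Path(tempfile.mkdtemp(prefix="evidence_"))
    # Constructed sample log lines (TEST-NET address), not real data.
    (workdir / "auth.log").write_text(
        "Apr 16 02:14:07 web1 sshd[4412]: Failed password for admin from 203.0.113.5\n"
        "Apr 16 02:14:09 web1 sshd[4412]: Accepted password for admin from 203.0.113.5\n"
    )
    (workdir / "access.log").write_text(
        '203.0.113.5 - - [16/Apr/2015:02:15:01 +0000] "GET /export.php?id=1%27 HTTP/1.1" 200 5120\n'
    )
    files = [workdir / "auth.log", workdir / "access.log"]
    manifest = build_manifest(files, collector="IR on-call (hypothetical)", incident_id="IR-2015-001")
    (workdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    clean = verify_manifest(manifest)  # nothing changed yet: []
    # Simulate a later edit to a preserved copy, which preservation must catch.
    with open(workdir / "auth.log", "a") as fh:
        fh.write("Apr 16 03:00:00 web1 sshd[4412]: session closed\n")
    tampered = verify_manifest(manifest)  # one "hash mismatch" entry for auth.log
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("problems before tampering:", before)
    print("problems after tampering:", after)
```

Run it against the real collected copies rather than the originals on the affected host: the slide's "do not log in" rule still applies to the compromised system, so the hashing happens on the collector's workstation over the copies that were pulled off it.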

Key Information
- What data
- How is this verified
- How did the breach occur
- Date of incident/intrusion (if known)
- Date of discovery
- Method of discovery
- Number of affected individuals
- Residence of affected individuals
- Who has knowledge of the incident

Emphasize Calculated Speed
- Fight the tendency to wait for better information
- Faster communication of incomplete information is generally preferred: "We have had a security event and are investigating."
- Don't over-promise in initial communications
- Centralize communications

Consider Your Options
- Generally, the first investigator should be your external forensic team
- Law enforcement: risk of losing control
- PCI: card brands have their own agenda

Biggest Mistakes
- Failure to plan
- IT takes control
- Lack of centralized control
- Self-investigation
- Delay

Questions?

Dan Nelson, C|EH, CIPP/US, Partner
314.552.6650
dnelson@armstrongteasdale.com
http://twitter.com/dannelsonesq
www.linkedin.com/in/danielcnelson

Lucas Amodio, C|EH, Associate
314.259.4722
lamodio@armstrongteasdale.com
https://www.linkedin.com/in/lucasamodio