Data Breach Preparedness & Response
April 16, 2015
Daniel Nelson, C|EH, CIPP/US
Lucas Amodio, C|EH
2015 Armstrong Teasdale

6 Stages of a Data Breach Response
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
PREPARATION: Identify Your Planning Team
- This is NOT an IT Project
- Multidisciplinary planning team:
  - Senior management sponsor
  - IT
  - Legal
  - Human Resources
  - Risk Management
  - Business Units
  - Public Relations
Why Have a Plan
- Often required: PCI, HIPAA, GLBA
- Regulators care
  - FTC Guidance: a reasonable plan, reasonably followed, may be the difference with respect to the regulatory action decision
- Insurers care: you will be asked in the underwriting process
- Third parties are increasingly intolerant of a botched response

Risk Assessment
- What problem are you solving?
- Undertake at least some level of risk assessment
- Questions:
  - What types of data are important, and why
  - Where is that data located
  - Other important assets
  - What types of losses present a significant risk to the company
  - Who are the significant threat actors
Identify Data Types
- PCI Information (credit card data)
- Protected Health Information
  - If you are self-insured, all data relating to an individual's participation in the health plan is likely protected, not just medical data
- Consumer Personal Information
- Employee Information
- Trade Secrets

Profile Your Data: Location
- Servers
- Laptops
- Accessible by personal devices
- "The Cloud": don't accept this as an answer; further define
- Hard copy data
- Third Parties: Vendors, Third Party Administrators
Profile Your Data: Type
- At Rest or In Motion
- Encrypted or Unencrypted?
- Who owns it?
- Format

Identify Other Important Assets
- Essential business systems: Payroll, Order entry/processing, Website, Email, R&D Information, Connections to Vendors/Customers
- It's not just Credit Cards!
Assess Loss Tolerance
- Not all risks are created equal
- Risk, in fact, is partially defined by Loss
- Helpful to classify Loss: Catastrophic, Significant, Moderate
- Can be measured in $$, downtime, or by other metrics
- Focus first on high likelihood, high loss risks
- Then on lower likelihood, high loss risks

Identify Significant Threat Actors
- Why might someone go after your systems? (Goals)
  - Information theft
  - Disrupting Business Operations
  - Data Manipulation
  - Revenge (real or imagined slights)
  - Boredom/Street Cred/"Because it's there"
  - A cause
- Motivation: the target system stores or processes something valuable
Identify Significant Threat Actors
- Who is likely to go after your systems?
  - Cyber-criminals (identity thieves, credit card thieves)
  - State Actors
  - Hacktivists
  - Joy Hackers
  - Cyber Terrorists
  - INSIDERS
- Who is likely to accidentally cause security incidents?
  - INSIDERS
  - Vendors
  - Customers
Data Breach is only one of many threats
- Ransomware
- Cyber extortion: Code Spaces, Nokia, Feedly, One More Cloud, Domino's, Durham Police Department, Sony
Data Breach is only one of many threats
- Data Integrity Attacks: Grades, Power Systems
- Control System attacks
Data Breach is only one of many threats
- Pivoting

How do they gain access?
- Spear Phishing
- SQL Injection
- Weak Authentication (Password Hacking)
- Abuse of Authority
- Removable Media
- Malware
- Malicious Links
- Trojans (RAT: Remote Administration Terminal)
How hard is it to learn to hack?
- "Everything A Hacker Needs": Over 100 Hacking Tools Preinstalled
Tools such as:
- John the Ripper (Password Cracking)
- Angry IP Scanner (Scanning)
- THC Hydra (Password Cracking)
- Cain & Abel (Anything you can imagine on a Windows System)
- Burp Suite (Web Apps)
- Social Engineering Toolkit (SET)
- Wireshark (packet sniffer)
- One of the biggest challenges is to choose from among a plethora of tools
- Nessus: "How Bad for You/Good for Me"; "Vulnerability Name: So I Can Find It Easily"
But the Two Most Powerful Hacking Tools?
- YouTube
- FUD: Fully Undetectable Remote Administration Terminal (a Trojan)
Training
- One of the most vital steps of Preparation is training
- Training everyone (IT, employees, managers) to not become victims
- Training everyone on the Plan and what their responsibilities are

Prepare Your Plan
- Statement of Purpose: Why we have this plan
- Identify Your Breach Response Team
  - Incident commander (and backup)
  - Breach coach (lawyer)
  - Internal resources (primary & backup): HR, IT, Customer Relations, Communications, Major Business Units
  - External Resources: Breach Coach, Forensics Vendor, Identity Theft Services Vendor, Crisis Communications
Protecting Privilege
- Attorney-client privilege can be invoked between the victim company's outside legal counsel and hired third-party forensic firms that perform a review of the system during a breach. Invoked privilege allows the forensic company to report breach results directly to the law firm.
- http://www.secretservice.gov/ectf_best_practices.pdf

Define Incident
- Not all incidents are a five-alarm fire
- May be different communications structures for different incident levels
- No incident is minor
- Level 1, Level 2
Map Team Communication
- Who is called first? What if they are not available?
- Have pre-established communications
- Plan alternate communication modes
- Standards for Senior Management/Board Communication: When? Who? How?
- Names, numbers, email, ...

Map External Communications
- Required Communications: PCI, HIPAA, Regulatory
- Other Communications: Law Enforcement, Vendors/Customers, Insurance
Identification: Technical
- Affected Systems
- Affected Data
- Means of Access
- Level of Access
- Vulnerability Exploited
- Method of Detection

Identification: Business
- Public Safety Issue?
- Persons affected: Number, type, identification
- Business lines affected
- Immediate consequences
- Potential consequences
- Malicious or accidental
Incident Declaration
- Date
- Time
- Level
- Ongoing or contained
- Key Contacts
- Detection method
- Systems Affected
- Data Affected
- Mode of Attack
- Impacts
- Next Steps

Define Procedures
- May be Incident Type Specific
- Should include Do's and Do Not's
  - Do: Isolate affected equipment; Report incidents
  - Do Not: Communicate out of Channel; Self-Investigate
- Should include multiple action plans, likely in parallel:
  - Network Investigation
  - Non-network investigation
  - Containment/Eradication
  - Public-facing communications: Who; Approval Process
  - Internal communications: Who; Approval Process
  - Documentation Procedures & Requirements
Technical Containment & Eradication
- Pre-plan for likely scenarios
  - List of Likely Threats
  - Method of Execution & Whose Responsibility
  - Clearly Specify Don'ts
- Identify Network Resources Affected
- Identify Network Containment Points
- Compensating Controls
- Identify Logs & Other Evidence
- Special Contacts (Hardware, Software, Cloud)
- Contain, Investigate, Eradicate

Recovery
- Pre-Analysis of "What Next" for Likely Scenarios
  - Technical, e.g. Restoration from Backup
  - Business, e.g. Post-event communications
Lessons Learned
- Institute a Formal Requirement for post-action review

Tips
- Use diagrams: Data Flows, Network Topology, Chain of Command, Chain of Communication
- Plan for multiple contingencies
- Table Top the Plan
- Plan for regular revisions
Handling a Breach
- FOLLOW YOUR PLAN
- But, just in case...

Key Data Breach Steps
- Identify: Live vs. Historical
- Isolate: Do not turn off, power down, or log in
- Gather & Preserve other evidence (e.g. logs)
- Contact counsel
- Counsel hires external forensics
- Appoint a leader
- Gather a team
Key Information
- What data
- How is this verified
- How did the breach occur
- Date of incident/intrusion (if known)
- Date of discovery
- Method of discovery
- Number of affected individuals
- Residence of affected individuals
- Who has knowledge of the incident

Emphasize Calculated Speed
- Fight the tendency to wait for better information
- Faster communication of incomplete information is generally preferred: "We have had a security event and are investigating."
- Don't over-promise in initial communications
- Centralize communications
Consider Your Options
- Generally, the first investigator should be your external forensic team
- Law Enforcement: Risk of Losing Control
- PCI: Card Brands have their own agenda

Biggest Mistakes
- Failure to Plan
- IT Takes Control
- Lack of Centralized Control
- Self-Investigation
- Delay
Questions?

Dan Nelson, C|EH, CIPP/US, Partner
314.552.6650
dnelson@armstrongteasdale.com
http://twitter.com/dannelsonesq
www.linkedin.com/in/danielcnelson

Lucas Amodio, C|EH, Associate
314.259.4722
lamodio@armstrongteasdale.com
https://www.linkedin.com/in/lucasamodio