©2016 rsm us llp. all rights reserved. · • kroll – leader (cyber security, data breach,...
TRANSCRIPT
©2016 RSM US LLP. All Rights Reserved. ©2016 RSM US LLP. All Rights Reserved.
©2016 RSM US LLP. All Rights Reserved. ©2016 RSM US LLP. All Rights Reserved.
Cybersecurity Readiness & Incident Response
January 8, 2016
©2016 RSM US LLP. All Rights Reserved.
Agenda
Topic Minutes
Introduction 3
Incident Statistics 7
Security Controls & Investigation Process 15
Mitigating Costs & Risks 15
Cyber Liability Insurance 5
Summary 5
3
©2016 RSM US LLP. All Rights Reserved.
With you today
Director, Risk Advisory ServicesAtlanta Office
Internal Audit / SOX / ERM
EMPLOYMENT HISTORY• RSM – since 2014• Crowe Horwath – 2012-2014, Business Risk Consulting• Cumulus Media – 2009-2012, Director of IA and Compliance• Deloitte – 2007-2009, Enterprise Risk Services• KPMG – 1999-2007, Advisory Services• Coca-Cola – 1995-1999, Corporate Audit / Controller’s Group• Accenture – 1992-1995, System Integration Consulting• SunTrust – 1988-1992, Internal Audit / International Division
(M) 404.449.4877
4
©2016 RSM US LLP. All Rights Reserved.
With you today
Director, Security and Privacy ServicesBoston Office
National Leader – Digital Forensics, eDiscovery, and Data Privacy/Breach
EMPLOYMENT HISTORY• RSM – since 2013• Navigant – National leader (Digital Forensics/Data Breach)• Kroll – Leader (Cyber Security, Data Breach, Forensics)• CIGNA – (eDiscovery, Investigations, Forensics, Cyber Security)• 13+ Years in Boston area law enforcement & Special US Marshall• Police Academy Instructor• Adjunct Professor (Current)• Masters in National Security• NSA Information Security Professional• Expert Testimony/Report Writing
(M) 508.922.4770
5
©2016 RSM US LLP. All Rights Reserved.
Experience the power of being understood
On October 26, 2015 McGladrey LLP changed its name to RSM US LLP and united with fellow firms in its global network under the common brand – RSM.
6
©2016 RSM US LLP. All Rights Reserved.
RSM overview
Fifth largest audit, tax and consulting firm in the U.S.
• Over $1.6 billion in revenue
• 80 cities and more than 8,000 employees in the United States
• Internationally Presence in more than 110
countries More than 37,000 people
in over 740 offices $4.4 billion (U.S.) in
worldwide revenues
7
©2016 RSM US LLP. All Rights Reserved.
RSM US locations
8
©2016 RSM US LLP. All Rights Reserved.
RSM International locations
9
©2016 RSM US LLP. All Rights Reserved. ©2016 RSM US LLP. All Rights Reserved.
INCIDENT STATISTICSData Breach vs Information Security Incident
©2016 RSM US LLP. All Rights Reserved.
Data breach statistics
2015 Verizon Data Breach Report
11
©2016 RSM US LLP. All Rights Reserved.
Security statisticsFour most prevalent attack vectors
1. Hacking • “Traditional” hacking is used post-breach not as the original entry point
• Current methods focus on web apps and browser plugins
2. Malware • Finding and purchasing non-detectable malware in the underground market is trivial
• Modern anti-virus is an 80-20 proposition at best
3. Social engineering • Why bother to do all the heavy lifting involved with “hacking” when you can just ask someone to do something for you?
• While there is a technical component the attack isagainst human nature
4. Physical loss • Rare occurrence but significant impact
12
©2016 RSM US LLP. All Rights Reserved.
Security statistics
2014 Verizon Data Breach Report
13
©2016 RSM US LLP. All Rights Reserved. ©2016 RSM US LLP. All Rights Reserved.
SECURITY CONTROLS & INVESTIGATION PROCESSPrevention, Detection, & Correction
©2016 RSM US LLP. All Rights Reserved.
Today’s topic: Security controls
Security controls can be preventive, detective or corrective by nature
15
©2016 RSM US LLP. All Rights Reserved.
Incident response and investigation process
16
©2016 RSM US LLP. All Rights Reserved.
Incident response
The initial objective is to learn about your organization and IT infrastructure and incident
- What actions have been performed to date?- What information did the attacker ask for and what did he receive?- What known systems/information did the attacker access?- Are there any remote tracking or wiping tools installed on the device?- Does an employee have remote access to the network?- Do logs show unusual network activity or failed login attempts?
Identifying potential evidence sources followed by the preservation/collection of data.
17
©2016 RSM US LLP. All Rights Reserved.
Incident response
Evidence sources: Network servers and applications Computer system memory Firewall, VPN, email, building access logs Network and system backups Information from third-party providers (cloud services) Video surveillance
18
©2016 RSM US LLP. All Rights Reserved.
Investigative hurdles
Investigating “unknowns”- Unable to identify appropriate resources- Third-party providers and custom applications
Evidence preservation – afterthought- Deleted digital evidence – expands scope/risk of harm- Lack of documentation, misconfigured applications, log
retention Data pooling
- Human capital, accounting, user share data combined Data quality
Non-standardized data formats Manual review for protected information
19
©2016 RSM US LLP. All Rights Reserved.
Incident response – Internal Audit questions
Is my organization’s IT staff appropriately trained to handle an information security incident?
Does my organization have the skill sets to conduct a forensic investigation?
Have we been through this type of incident before?
What was the result of previous incidents? / What did we learn about our vulnerabilities?
Does our organization know where our data is physically located?
Who within my organization is accountable for knowing where our data is physically stored?
Have we considered the impact of third-party service providers on our ability to respond?
20
©2016 RSM US LLP. All Rights Reserved. ©2016 RSM US LLP. All Rights Reserved.
MITIGATING COSTS AND RISKSAvoid Financial and Reputational Risk of Harm
©2016 RSM US LLP. All Rights Reserved.
Common Approach
Preferred Approach
IT Risk Assessment Methodology
Low DemandInformation Security Risk Assessment
Security Awareness
Training
Incident Response Plan
Qualified Staff/Vendors
Engaged
Evidence Preservation & Investigation
Low DemandIncident
Discovery (30-120 Days)
Environment Changes & Evidence
Destruction
Qualified Staff/ Vendors
Engaged
Evidence Preservation & Investigation
Information Security Risk Assessment
Lessons Learned
22
©2016 RSM US LLP. All Rights Reserved.
Forensic Investigation & eDiscovery Overview
Information Management Identification
Preservation
Collection
Review
Processing
Analysis
Production Presentation
Volume Relevance
Forensics
Electronic Discovery Reference Model (EDRM)
23
©2016 RSM US LLP. All Rights Reserved.
Mitigating costs and risks - Administrative
Organizational Programs- Written Information Security Program (WISP)- Vendor management- Business continuity and disaster recovery plans
Specific Preparation Tasks- IT risk assessment - Incident response plan- Mock incident response drills- Security awareness training
Response- Documentation
• How was the incident discovered? Who performed what action? When did the change or event occur? What was the result?
24
©2016 RSM US LLP. All Rights Reserved.
Mitigating costs and risks - Technical
Data segregation- Data classification/identification program
Network and application patch management Backup and archiving solutions
- Access to data backup and offsite facilities- Test archiving solutions (email, data vaults)
- Speed of exports, change in file properties, search functionality Network vulnerability testing Enterprise monitoring solutions
- Event logging (VPN, file audit, network access, building access)- Data Loss Prevention (DLP) solutions
25
©2016 RSM US LLP. All Rights Reserved.
Mitigating costs and risks – Internal Audit questions
Does our IT risk assessment look deep enough into incident response capabilities and readiness?
Does my organization do enough security awareness training?
Has my organization’s IT staff tested the input and output of our email backup/archiving solution?
Does my organization have logs available to show who has accessed our network in the past week?
Who within my organization is accountable to review the logs?
Is there evidence that the logs are being reviewed?
What is my organization learning from reviewing the logs?
Is my organization doing enough to make us less vulnerable?
26
©2016 RSM US LLP. All Rights Reserved. ©2016 RSM US LLP. All Rights Reserved.
CYBER LIABILITY INSURANCEConnected to Digital Forensics & Incident Response
©2016 RSM US LLP. All Rights Reserved.
Risk financing for data breach exposures
Not if, but when!
Data breach events may result in significant costs
More damage is caused by a poor response to a data breach than by the data breach itself
Insurance provides important balance sheet protection – and is ideal for difficult to predict events that create large losses
An insurance carrier can provide significant expertise in order to facilitate an effective and efficient response- Not the insurer’s first rodeo!
28
©2016 RSM US LLP. All Rights Reserved.
Insurance overview
Security and privacy liability- Judgments, settlements and defense costs for a claim seeking damages from a loss, theft or
unauthorized disclosure of information
Regulatory defense and penalties
Payment card industry (PCI) fines and penalties- Contractual fines and assessments for a failure to maintain PCI data security standards
Breach response costs- Expenses for: Computer forensics, notifications, credit monitoring, pre-claim legal,
call center services and public relations
Other coverage options typically available- Media Liability- Business Interruption- Data Protection- Cyber Extortion
29
©2016 RSM US LLP. All Rights Reserved.
This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person.
RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International.
RSM® and the RSM logo are registered trademarks of RSM International Association. The power of being understood® is a registeredtrademark of RSM US LLP.
© 2016 RSM US LLP. All Rights Reserved.
RSM US LLP1230 Peachtree St., NESuite 1700Atlanta, GA 30309
+1 800.274.3978www.rsmus.com