Anatomy of a Breach: The Good, the Bad & the Ugly
DESCRIPTION
Today's security and privacy professionals know that breaches are a fact of life. Yet their organizations are often not prepared to respond when the time comes. They're "overweight" on prevention and detection, but "underweight" on response. Based on a decade-plus caseload of actual breach investigations across a range of different organizations, this webinar will examine an amalgamated, anonymized breach situation and review a play-by-play of how the response went: the good, the bad, and the ugly. Attendees will gain hard-earned, battle-tested insight on what to do, and what to avoid, when it's their turn to respond to an incident. Our featured speakers for this timely webinar will be:
- Don Ulsch, CEO, ZeroPoint Risk. Distinguished Fellow at the Ponemon Institute.
- Joseph DeSalvo, Managing Director, ZeroPoint Risk. Former CSO at Mylan and Iron Mountain.
- Ted Julian, Chief Marketing Officer, Co3 Systems. Serial security and compliance entrepreneur.
TRANSCRIPT
Anatomy of a Data Breach
The Good, The Bad, & The Ugly
Page 2
Agenda
• Introductions
• Today’s Breach Reality
• Common Breach Scenario Themes
• What Happens: The Good, The Bad, and The Ugly
• Conclusions
• Q&A
Page 3
Introductions: Today’s Speakers
• Ted Julian, Chief Marketing Officer, Co3 Systems
• Serial security and compliance entrepreneur
• Don Ulsch, CEO, ZeroPoint Risk
• Distinguished Fellow at the Ponemon Institute
• Joseph DeSalvo, Managing Director, ZeroPoint Risk
• Former CSO at Mylan and Iron Mountain
Page 4
Co3’s Incident Response Management Platform
[Diagram: platform hosted in an SSAE 16 Type II certified hosting facility, with dashboards & reporting]
• Automated Escalation: accelerate response by easily creating incidents from the systems you already have (email, web form, trouble ticketing, entry wizard, SIM)
• Streamlined Creation + Collaboration: create IR plans instantly based on regulations, best practices, and standard operating procedure; collaborate on plan execution across multiple functions (IT, Legal/Compliance, HR, Marketing). Plan inputs: industry best practices, organizational best practices, privacy breach requirements, industry standard frameworks, regulatory requirements
• Intelligent Correlation: determine related incidents automatically to identify broader, concerted attacks
• Integrated Intelligence: gain valuable threat intelligence instantly from multiple intelligence feeds
• Accelerated Mitigation: speed results by easily outputting outcomes to your management platforms (SIM, trouble ticketing, GRC)
Page 5
ZeroPoint Risk Research LLC
• ZeroPoint Risk Research LLC is a research and consulting
company concentrating on both pre-breach prevention and
post-breach investigation and recovery services for clients
possessing regulated and unregulated data.
• Its CyberBreach Situation Report, written by Don Ulsch, is
received monthly by nearly half a million professionals.
Page 6
Today’s Breach Reality
Data breaches are on the rise and organizations are unprepared to detect or resolve them:
• data breaches have increased in both severity (54 percent) and frequency (52 percent) in the past 24 months
• …organizations are facing a growing flood of increasingly malicious data breaches, and they don’t have the tools, staff or resources to discover and resolve them
THE PONEMON INSTITUTE 1
1 “The Post Breach Boom” – The Ponemon Institute, February 2013
Page 7
Today’s Breach Reality
“If you are going to invest in one thing, it should be incident response” GARTNER 2
“You can’t afford ineffective incident response” FORRESTER RESEARCH 3
“Only 20% of respondents rate their IR program as being ‘very effective’” 2013 INCIDENT RESPONSE SURVEY – iSMG 1
“Top spending priorities are training and automation tools” 2013 INCIDENT RESPONSE SURVEY – iSMG 1
1 “The Need For Speed: 2013 IR Survey” - Information Security Media Group - August 2013
2 Gartner Security Summit, Keynote Address - June 2013
3 “Seven Habits of Highly Effective Incident Response Teams” - April 2013
Page 8
Breach Scenario – Common Findings
• Source
• 3rd-party data provider or technology service provider
• Cause
• Ineffective management of 3rd-party business associate
relationships
• Increased reputation risk
• Greater likelihood of information compromise
• Other Traits
• Discovered long after it occurred
• Inadequate screening of traffic against known-malicious (“toxic”) IP addresses
Page 9
Breach Scenario (continued)
• Big gap between understanding security and its
relationship to managing risk
• This separates the Board and executive management
from operations
• The General Counsel (GC) of the breached company fills this void
• Risk awareness with executives remains low, but is rising
• Many still have an archaic view of technology: purely as enablement and cost-savings, not as a potential
Trojan Horse into the enterprise
• Breaches always cost more than you think
Page 10
What Happened? Top reasons why compromises occur
• End users and endpoints
• Click on anything
• Disable endpoint security settings
• Use vulnerable, legacy software and hardware
• Fail to install security patches
• Fail to install anti-virus
• Fail to report lost or stolen device
• Connect to a private network from a public network (e.g. a coffee shop)
• Use a second access point (mobile broadband from a smart phone) at the same time,
creating a bypass around the corporate network controls
• Use weak or default passwords, reuse passwords
• Reveal passwords over the phone
Page 11
What Happened? Top reasons why compromises occur
• Infrastructure
• Connect systems and virtual images to the Internet before hardening them
• Connect test systems to the Internet with default accounts or passwords
• Fail to update or patch systems/applications on a timely basis
• Fail to implement or update virus detection software
• Use legacy or end-of-life software and hardware
• Run unnecessary services
• Use insecure back-end management software
• Fail to remove old/unused user accounts
• Implement firewalls with rules that don’t stop malicious or dangerous incoming
or outgoing traffic
• Fail to segment network and/or adequately monitor/block malicious traffic with
IDS/IPS
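Most of the infrastructure failures in the list above are visible in a host inventory long before an attacker finds them. As an added example (not code from the webinar or from Co3/ZeroPoint), the following audit walks a constructed inventory and flags each of them: hosts exposed before hardening, default or stale accounts, missed patches, end-of-life software, unnecessary services, any/any firewall rules, and missing segmentation or IDS coverage. The inventory schema, the service and end-of-life lists and the 30-day/90-day thresholds are assumptions for illustration; in practice the records would be pulled from a CMDB, a vulnerability scanner or the hosts themselves.

```python
"""Added example, not part of the webinar: a configuration audit that flags the
infrastructure failures listed above against a constructed host inventory.
Schema, lists and thresholds are assumptions for illustration."""
from datetime import date

MAX_PATCH_AGE_DAYS = 30       # assumed patch SLA
MAX_ACCOUNT_IDLE_DAYS = 90    # assumed cut-off for "old/unused" accounts
RISKY_SERVICES = {"telnet", "ftp", "rsh", "snmpv1"}          # assumed list
END_OF_LIFE = {"windows-2003", "openssl-0.9.8", "php-5.3"}  # assumed list


def audit_host(host, today):
    """Return a list of (severity, finding) tuples for one inventory record."""
    findings = []
    if host["internet_facing"] and not host["hardened"]:
        findings.append(("high", "connected to the Internet before hardening"))
    for acct in host["accounts"]:
        # uses_default_password is the outcome of an earlier credential check
        if acct["uses_default_password"]:
            findings.append(("high", f"default password on account {acct['name']}"))
        idle = (today - acct["last_login"]).days
        if idle > MAX_ACCOUNT_IDLE_DAYS:
            findings.append(("medium", f"unused account {acct['name']} ({idle} days idle)"))
    patch_age = (today - host["last_patched"]).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(("high", f"not patched for {patch_age} days"))
    if not host["antivirus_current"]:
        findings.append(("medium", "anti-virus missing or signatures out of date"))
    for sw in host["software"]:
        if sw in END_OF_LIFE:
            findings.append(("high", f"end-of-life software {sw}"))
    for svc in host["listening_services"]:
        if svc in RISKY_SERVICES:
            findings.append(("medium", f"unnecessary or insecure service {svc}"))
    for rule in host["firewall_rules"]:
        # an allow rule with no peer and no port restriction stops nothing
        if rule["action"] == "allow" and rule["remote"] == "any" and rule["port"] == "any":
            findings.append(("high", f"{rule['direction']}bound rule allows any peer on any port"))
    if not host["segmented"] or not host["ids_monitored"]:
        findings.append(("medium", "not segmented or no IDS/IPS coverage"))
    return findings


def audit_inventory(hosts, today):
    """Map hostname -> findings for every record in the inventory."""
    return {h["hostname"]: audit_host(h, today) for h in hosts}


TODAY = date(2013, 9, 1)  # constructed reference date
SAMPLE_HOSTS = [  # constructed records: one neglected test box, one clean production host
    {
        "hostname": "test-web-01", "internet_facing": True, "hardened": False,
        "accounts": [
            {"name": "admin", "uses_default_password": True, "last_login": date(2013, 8, 30)},
            {"name": "jsmith", "uses_default_password": False, "last_login": date(2013, 1, 15)},
        ],
        "last_patched": date(2013, 5, 1), "antivirus_current": False,
        "software": ["windows-2003", "apache-2.2"],
        "listening_services": ["http", "telnet", "ftp"],
        "firewall_rules": [
            {"direction": "in", "remote": "any", "port": "any", "action": "allow"},
            {"direction": "out", "remote": "any", "port": "any", "action": "allow"},
        ],
        "segmented": False, "ids_monitored": False,
    },
    {
        "hostname": "prod-app-02", "internet_facing": True, "hardened": True,
        "accounts": [{"name": "svc-app", "uses_default_password": False, "last_login": date(2013, 8, 31)}],
        "last_patched": date(2013, 8, 20), "antivirus_current": True,
        "software": ["apache-2.4"], "listening_services": ["https"],
        "firewall_rules": [
            {"direction": "in", "remote": "any", "port": "443", "action": "allow"},
            {"direction": "out", "remote": "10.0.5.10", "port": "5432", "action": "allow"},
        ],
        "segmented": True, "ids_monitored": True,
    },
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_HOSTS, TODAY).items():
        print(name, "clean" if not findings else "")
        for sev, text in findings:
            print(f"  [{sev}] {text}")
```

On the constructed data the test box produces eleven findings (six high) and the production host none; the point of the severity split is that the "high" items (exposure before hardening, default credentials, missed patches, end-of-life software, any/any rules) are the ones the next slide's breach scenarios actually turn on.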
POLL
Page 13
Breach: The Good, The Bad and The Ugly
The Good:
• Like a personal illness, a breach tends to focus the organization, often
resulting in improved awareness and response, and in more sustainable
preparedness, technology and risk management processes
The Bad:
• Employees lose jobs, executives are sometimes discharged, trust
between company and customer is diminished, and recovery is
expensive
The Ugly:
• Stock plummets, employees get indicted, firm is put out of business
Page 14
Conducting a Breach Investigation
• Attorney-client privilege
• Establish a breach investigation management team
• Establish chain of custody requirements
• Begin process to confirm that a breach has occurred and
profile its scope and dimension
• Determine range of affected information
• Establish detailed breach history
• If there is no breach history, look for similar breaches of
regulated data at other companies
Page 15
Conducting a Breach Investigation (continued)
• Examine intellectual property and trade secret breaches to
see if attacks are similar in nature to the current breach
• Change passwords throughout the organization, using complex passwords
(time this with containment: a reset while the attacker still holds access
tips them off and is quickly undone)
• Determine if breach is ongoing
• Review insurance coverage
• Determine if data was encrypted
• Image hard drives and begin forensic examination
• Begin web and behavioral web analytics (IP addresses, web sites, email
addresses) to assess potential damage
• Determine possible origin by checking those indicators against a threat database
Page 16
Conducting a Breach Investigation (continued)
• Determine source of the breach
• Determine point(s) of breach
• Determine method of breach
• Did the breach or attempted breach involve physical proximity (on-site or insider access)?
• Determine type of data potentially affected
• Determine if law enforcement notification is in order
• Interim reporting
• Develop tactical plan for point of breach containment
• Determine contract obligations and reporting requirements
(may be separate from regulatory reporting requirements)
Page 17
Conducting a Breach Investigation (continued)
• Examine enterprise risk management framework
• Examine policies and procedures for information security
and privacy and compliance
• Establish regulatory reporting requirements in case such
notification becomes a requirement
• Determine requirement for Temporary Restraining
Orders/Abuse Reports and execute
• Depending on circumstances, contain breach information to
the breach management team
• Reporting
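Several of the investigation steps above (establish the breach history, determine whether the breach is ongoing, assess damage from IP and web indicators, check origin against a threat database) come down to one first-pass triage of the logs you already have. The following is an added example, not code from the webinar or its speakers: it parses a constructed proxy log, matches destinations against a constructed threat list standing in for the "threat database", builds a per-indicator history (first seen, last seen, affected hosts, bytes pushed out) and applies a simple quiet-period rule for "still ongoing". The log format, the indicator list and the seven-day quiet period are assumptions; a real investigation substitutes the SIEM export and the vendor feed.

```python
"""Added example, not part of the webinar: log triage against a threat list
to reconstruct breach history and decide whether the breach is still active.
Log format, threat list, log lines and thresholds are all constructed."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed stand-in for the "threat database" of toxic IPs and domains.
THREAT_DB = {
    "ips": {"203.0.113.45": "known command-and-control node",
            "198.51.100.7": "credential-harvesting host"},
    "domains": {"update-cdn-status.example": "malware staging domain"},
}

# Constructed proxy log: timestamp host client_ip method url status bytes
SAMPLE_LOG = """\
2013-08-02T09:14:03Z ws-0142 10.20.3.17 GET http://update-cdn-status.example/c/ping 200 512
2013-08-02T09:14:05Z ws-0142 10.20.3.17 POST http://203.0.113.45:8080/upload 200 1048576
2013-08-15T22:41:19Z ws-0077 10.20.7.91 POST http://203.0.113.45:8080/upload 200 2097152
2013-08-30T03:02:44Z db-02 10.20.9.5 GET http://198.51.100.7/login 302 0
2013-08-30T03:05:01Z ws-0077 10.20.7.91 GET http://www.example.com/news 200 4096
this line is malformed and must be skipped, not crash the triage
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<client>\S+) (?P<method>\S+) "
                     r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")
URL_HOST_RE = re.compile(r"^[a-z]+://([^/:?#]+)")


def parse_ts(text):
    """Parse the log's UTC timestamp format into a naive datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = parse_ts(rec["ts"])
        rec["bytes"] = int(rec["bytes"])
        host_m = URL_HOST_RE.match(rec["url"])
        if not host_m:
            continue
        rec["dest"] = host_m.group(1)   # hostname or IP, port stripped
        records.append(rec)
    return records


def indicator_kind(dest):
    """Route a destination to the IP or domain table of the threat list."""
    try:
        ipaddress.ip_address(dest)
        return "ips"
    except ValueError:
        return "domains"


def triage(records, threat_db=THREAT_DB):
    """Group hits on known-bad destinations into a per-indicator breach history."""
    hits = {}
    for rec in records:
        label = threat_db[indicator_kind(rec["dest"])].get(rec["dest"])
        if label is None:
            continue
        entry = hits.setdefault(rec["dest"], {
            "label": label, "first_seen": rec["ts"], "last_seen": rec["ts"],
            "hosts": set(), "bytes_out": 0})
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        entry["last_seen"] = max(entry["last_seen"], rec["ts"])
        entry["hosts"].add(rec["host"])
        if rec["method"] in ("POST", "PUT"):   # crude proxy for data pushed out
            entry["bytes_out"] += rec["bytes"]
    return hits


def breach_window(hits):
    """Earliest and latest contact with any indicator, or None if no hits."""
    if not hits:
        return None
    return (min(e["first_seen"] for e in hits.values()),
            max(e["last_seen"] for e in hits.values()))


def is_ongoing(hits, now, quiet_period=timedelta(days=7)):
    """Treat the breach as ongoing if any indicator was contacted recently."""
    window = breach_window(hits)
    return window is not None and window[1] >= now - quiet_period


if __name__ == "__main__":
    found = triage(parse_log(SAMPLE_LOG))
    for dest, e in sorted(found.items()):
        print(f"{dest}: {e['label']}; hosts={sorted(e['hosts'])}; "
              f"{e['first_seen']} .. {e['last_seen']}; bytes_out={e['bytes_out']}")
    print("window:", breach_window(found))
    print("ongoing as of 2013-09-01:", is_ongoing(found, parse_ts("2013-09-01T00:00:00Z")))
```

On the constructed log the first contact is 2 August and the last is 30 August, two workstations talked to the same C2 node and pushed roughly 3 MB to it, and as of 1 September the breach still counts as ongoing; the same output a month later would say it had gone quiet, which is the difference between "contain now" and "confirm scope, then remediate".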
POLL
Page 19
Conclusion
• What should companies be doing to protect information, intellectual
property and trade secrets?
• Data classification and role-based access
• Inventory regulated and critical data (where does it reside?)
• Establish need-to-know access and ensure extra screening
• Eliminate access when the need expires
• Institute continual monitoring
• Annual certification by supervisors (for continuing access)
• Role changes – does the person still require access?
• Department changes – does the person still require access?
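The access controls listed above are only as good as the review that enforces them. As an added example, not code from the webinar or its speakers, the following recertification pass compares each grant on a regulated data store against a constructed HR directory and flags exactly the four cases the slide names: the holder's role changed, the holder's department changed, the need-to-know expired, or the supervisor's annual certification is overdue, plus the obvious fifth case of a holder who has left. The directory, the grant records and the one-year certification cycle are constructed assumptions.

```python
"""Added example, not part of the webinar: an access recertification pass that
flags grants whose justification no longer holds.  HR directory, grant records
and the annual certification cycle are constructed assumptions."""
from datetime import date, timedelta

CERT_MAX_AGE = timedelta(days=365)   # assumed annual certification cycle
REVIEW_DATE = date(2013, 9, 1)       # constructed review date

# Constructed HR directory: where each person is today.
HR_DIRECTORY = {
    "asmith": {"dept": "finance", "role": "analyst", "active": True},
    "bjones": {"dept": "it", "role": "project-manager", "active": True},
    "cwu":    {"dept": "marketing", "role": "analyst", "active": True},
    "dlee":   {"dept": "legal", "role": "counsel", "active": True},
    "eroy":   {"dept": "finance", "role": "controller", "active": True},
    "fgone":  {"dept": "finance", "role": "analyst", "active": False},
}

# Constructed entitlement records: what was true when access was granted.
GRANTS = [
    {"user": "asmith", "resource": "cardholder-db", "role_at_grant": "analyst",
     "dept_at_grant": "finance", "need_expires": date(2014, 6, 30), "last_certified": date(2013, 3, 1)},
    {"user": "bjones", "resource": "cardholder-db", "role_at_grant": "dba",
     "dept_at_grant": "it", "need_expires": date(2014, 6, 30), "last_certified": date(2013, 3, 1)},
    {"user": "cwu", "resource": "trade-secret-share", "role_at_grant": "analyst",
     "dept_at_grant": "finance", "need_expires": date(2014, 6, 30), "last_certified": date(2013, 3, 1)},
    {"user": "dlee", "resource": "trade-secret-share", "role_at_grant": "counsel",
     "dept_at_grant": "legal", "need_expires": date(2013, 6, 30), "last_certified": date(2013, 3, 1)},
    {"user": "eroy", "resource": "cardholder-db", "role_at_grant": "controller",
     "dept_at_grant": "finance", "need_expires": date(2014, 6, 30), "last_certified": date(2012, 5, 1)},
    {"user": "fgone", "resource": "cardholder-db", "role_at_grant": "analyst",
     "dept_at_grant": "finance", "need_expires": date(2014, 6, 30), "last_certified": date(2013, 3, 1)},
]


def review_grant(grant, directory, today):
    """Return the reasons this grant needs action (empty list = keep as is)."""
    person = directory.get(grant["user"])
    if person is None or not person["active"]:
        return ["revoke: user is no longer active"]
    reasons = []
    if person["role"] != grant["role_at_grant"]:
        reasons.append(f"role changed {grant['role_at_grant']} to {person['role']}: re-justify")
    if person["dept"] != grant["dept_at_grant"]:
        reasons.append(f"department changed {grant['dept_at_grant']} to {person['dept']}: re-justify")
    if grant["need_expires"] < today:
        reasons.append(f"need-to-know expired {grant['need_expires']}: revoke")
    if today - grant["last_certified"] > CERT_MAX_AGE:
        reasons.append(f"supervisor certification overdue (last {grant['last_certified']})")
    return reasons


def access_review(grants, directory, today):
    """Map (user, resource) -> reasons for every grant that needs action."""
    result = {}
    for g in grants:
        reasons = review_grant(g, directory, today)
        if reasons:
            result[(g["user"], g["resource"])] = reasons
    return result


if __name__ == "__main__":
    for (user, resource), reasons in access_review(GRANTS, HR_DIRECTORY, REVIEW_DATE).items():
        print(f"{user} on {resource}:")
        for r in reasons:
            print("  ", r)
```

Recording the role and department at grant time is what makes the review mechanical: without that snapshot, "does the person still require access?" can only be answered by asking the supervisor again, which is the annual certification this check is meant to back up rather than replace.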
Page 20
Conclusion (continued)
• Institute Robust Risk Assessment and Controls to Avoid
Low Awareness and False Sense of Security
• Offshore Relationships and Vendor Management
• Must partners maintain the same security as your company
(physical, logical, administrative)?
• Background screening of candidates
• Verifying employment, addresses, and education isn’t
enough
• Competitors, organized crime, and foreign nations
infiltrate companies with people that can pass cursory
checks
QUESTIONS
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a
nightmare scenario as painless as possible,
making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages for
privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and
very well designed.”
PONEMON INSTITUTE
Don Ulsch
978-808-6526
Joe DeSalvo
704-907-4557
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013