Anatomy of a Breach: The Good, The Bad & The Ugly

Upload: co3-systems

Post on 18-Nov-2014

DESCRIPTION

Today's security and privacy professionals know that breaches are a fact of life. Yet their organizations are often not prepared to respond when the time comes. They're "overweight" on prevention and detection, but "underweight" on response. Based on a decade-plus caseload of actual breach investigations across a range of different organizations, this webinar will examine an amalgamated, anonymized breach situation and review a play-by-play of how the response went: the good, the bad, and the ugly. Attendees will gain hard-earned, battle-tested insight on what to do, and what to avoid, when it's their turn to respond to an incident.

Our featured speakers for this timely webinar will be:

- Don Ulsch, CEO, ZeroPoint Risk. Distinguished Fellow at the Ponemon Institute.
- Joseph DeSalvo, Managing Director, ZeroPoint Risk. Former CSO at Mylan and Iron Mountain.
- Ted Julian, Chief Marketing Officer, Co3 Systems. Serial security and compliance entrepreneur.

TRANSCRIPT

Page 1: Anatomy Of A Breach: The Good, The Bad & The Ugly

Anatomy of a Data Breach

The Good, The Bad, & The Ugly

Page 2

Agenda

• Introductions

• Today’s Breach Reality

• Common Breach Scenario Themes

• What Happens: The Good, The Bad, and The Ugly

• Conclusions

• Q&A

Page 3

Introductions: Today’s Speakers

• Ted Julian, Chief Marketing Officer, Co3 Systems

  • Serial security and compliance entrepreneur

• Don Ulsch, CEO, ZeroPoint Risk

  • Distinguished Fellow at the Ponemon Institute

• Joseph DeSalvo, Managing Director, ZeroPoint Risk

  • Former CSO at Mylan and Iron Mountain

Page 4

Co3’s Incident Response Management Platform

• Automated Escalation: Accelerate response by easily creating incidents from the systems you already have (Email, Web Form, Trouble Ticketing, Entry Wizard, SIM)

• Streamlined Creation + Collaboration: Create IR plans instantly based on regulations, best practices, and standard operating procedure. Collaborate on plan execution across multiple functions

• Intelligent Correlation: Determine related incidents automatically to identify broader, concerted attacks

• Integrated Intelligence: Gain valuable threat intelligence instantly from multiple intelligence feeds

• Accelerated Mitigation: Speed results by easily outputting outcomes to your management platforms (SIM, Trouble Ticketing, GRC)

[Diagram labels: IR Plan; Marketing, Legal/Compliance, IT, HR; Industry Best Practices, Organizational Best Practices, Privacy Breach Requirements, Industry Standard Frameworks, Regulatory Requirements; SSAE 16 TYPE II CERTIFIED HOSTING FACILITY; DASHBOARDS & REPORTING]

Page 5

ZeroPoint Risk Research LLC

• ZeroPoint Risk Research LLC is a research and consulting company concentrating on both pre-breach prevention and post-breach investigation and recovery services for clients possessing regulated and unregulated data.

• Its CyberBreach Situation Report, written by Don Ulsch, is received monthly by nearly half a million professionals.

Page 6

Today’s Breach Reality

Data breaches are on the rise and organizations are unprepared to detect them or resolve them -

• data breaches have increased in both severity (54 percent) and frequency (52 percent) in the past 24 months

• …organizations are facing a growing flood of increasingly malicious data breaches, and they don’t have the tools, staff or resources to discover and resolve them

THE PONEMON INSTITUTE [1]

[1] “The Post Breach Boom” – The Ponemon Institute, February 2013

Page 7

Today’s Breach Reality

“If you are going to invest in one thing, it should be incident response”

GARTNER [2]

“You can’t afford ineffective incident response”

FORRESTER RESEARCH [3]

“Only 20% of respondents rate their IR program as being ‘very effective’” [1]

“Top spending priorities are training and automation tools”

2013 INCIDENT RESPONSE SURVEY – iSMG

[1] “The Need For Speed: 2013 IR Survey” - Information Security Media Group - August 2013

[2] Gartner Security Summit, Keynote Address - June 2013

[3] “Seven Habits of Highly Effective Incident Response Teams” - April 2013

Page 8

Breach Scenario – Common Findings

• Source

  • 3rd-party data provider or technology service provider

• Cause

  • Ineffective management of 3rd-party business associate relationships

  • Increased reputation risk

  • Greater likelihood of information compromise

• Other Traits

  • Discovered long after it occurred

  • Inadequate testing for toxic IP addresses

Page 9

Breach Scenario (continued)

• Big gap between understanding security and its relationship to managing risk

• This separates the Board and executive management from operations

• GC of the breached company fills this void

• Risk awareness with executives remains low, but is rising

• Many still have an archaic view of technology

• Enablement and cost-savings, not a Trojan Horse into the enterprise

• Breaches always cost more than you think

Page 10

What Happened? Top reasons why compromises occur

• End users and endpoints

  • Click on anything

  • Disable endpoint security settings

  • Use vulnerable, legacy software and hardware

  • Fail to install security patches

  • Fail to install anti-virus

  • Fail to report lost or stolen device

  • Connect to a private network from a public network (e.g., coffee shop)

  • Use a second access point (mobile broadband from smart phone), creating a bypass

  • Use weak or default passwords, reuse passwords

  • Reveal passwords over the phone

Page 11

What Happened? Top reasons why compromises occur

• Infrastructure

  • Connect systems and virtual images to the Internet before hardening them

  • Connect test systems to the Internet with default accounts or passwords

  • Fail to update or patch systems/applications on a timely basis

  • Fail to implement or update virus detection software

  • Use legacy or end-of-life software and hardware

  • Run unnecessary services

  • Use insecure back-end management software

  • Fail to remove old/unused user accounts

  • Implement firewalls with rules that don’t stop malicious or dangerous incoming or outgoing traffic

  • Fail to segment network and/or adequately monitor/block malicious traffic with IDS/IPS

Page 12

POLL

Page 13

Breach: The Good, The Bad and The Ugly

The Good:

• Like a personal illness, a breach tends to focus the organization, often resulting in improved awareness, response, and sustainability of better preparedness, technology and risk management processes

The Bad:

• Employees lose jobs, executives are sometimes discharged, trust between company and customer is diminished, and recovery is expensive

The Ugly:

• Stock plummets, employees get indicted, firm is put out of business

Page 14

Conducting a Breach Investigation

• Attorney-client privilege

• Establish a breach investigation management team

• Establish chain of custody requirements

• Begin process to confirm that a breach has occurred and profile its scope and dimension

• Determine range of affected information

• Establish detailed breach history

• If there is no breach history, look for similar breaches of regulated data at other companies

Page 15

Conducting a Breach Investigation (continued)

• Examine intellectual property and trade secret breaches to see if attacks are similar in nature to the current breach

• Change passwords throughout the organization, using complex characters

• Determine if breach is ongoing

• Review insurance coverage

• Determine if data was encrypted

• Image hard drives and begin forensic examination

• Begin web and behavioral web analytics – IP addresses, web sites, email addresses – to assess potential damage

• Determine possible origination with Threat Database

Page 16

Conducting a Breach Investigation (continued)

• Determine source of the breach

• Determine point(s) of breach

• Determine method of breach

• Did breach or attempted breach involve proximity?

• Determine type of data potentially affected

• Determine if law enforcement notification is in order

• Interim reporting

• Develop tactical plan for point of breach containment

• Determine contract obligations and reporting requirements (may be separate from regulatory reporting requirements)

Page 17

Conducting a Breach Investigation (continued)

• Examine enterprise risk management framework

• Examine policies and procedures for information security and privacy and compliance

• Establish regulatory reporting requirements in case such notification becomes a requirement

• Determine requirement for Temporary Restraining Orders/Abuse Reports and execute

• Depending on circumstances, contain breach information to the breach management team

• Reporting

Page 18

POLL

Page 19

Conclusion

• What Should Companies be Doing to Protect Information, Intellectual Property and Trade Secrets?

  • Data Classification and Role Based Access

    • Inventory regulated and critical data (where does it reside?)

    • Establish need to know access and ensure extra screening

    • Eliminate access when the need expires

  • Institute continual monitoring

    • Annual certification by supervisors (for continuing access)

    • Role changes – does the person still require access?

    • Department changes – does the person still require access?

Page 20

Conclusion (continued)

• Institute Robust Risk Assessment and Controls to Avoid Low Awareness and False Sense of Security

• Offshore Relationships and Vendor Management

  • Must partners maintain the same security as your co. (physical, logical, administrative)?

• Background screening of candidates

  • Verifying employment, addresses, and education isn’t enough

  • Competitors, organized crime, and foreign nations infiltrate companies with people that can pass cursory checks

Page 21

QUESTIONS

Page 22

One Alewife Center, Suite 450

Cambridge, MA 02140

PHONE 617.206.3900

WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”

PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.”

GARTNER

“Platform is comprehensive, user friendly, and very well designed.”

PONEMON INSTITUTE

Don Ulsch

978-808-6526

Joe DeSalvo

704-907-4557

“One of the hottest products at RSA…”

NETWORK WORLD – FEBRUARY 2013