corporate cyber attacks: managing risk to avoid reputation harm
TRANSCRIPT
Skadden, Arps, Slate, Meagher & Flom LLP | Cyberattacks 2014 – How to Prepare Today and Respond Tomorrow
CORPORATE CYBERATTACKS: MANAGING RISK TO AVOID REPUTATIONAL HARM
September 18, 2014
HOST
Chelsie Chmela, Events, [email protected]
QUESTIONS
We encourage you to engage during the Q&A portion of today’s webcast by using the “Submit Question” button located within your West LegalEdcenter experience or the Chat Box in ReadyTalk.
MATERIALS
Included in your registration:
• Event recording and deck: West LegalEdcenter provides on-demand event access for 180 days or until the end of your subscription, if sooner. Ethisphere will provide the recording and presentation deck following the live event to ReadyTalk attendees.
SPEAKING TODAY
Stuart Levi, Partner, Skadden, Arps, Slate, Meagher & Flom LLP & Affiliates
Devon Kerr, Senior Consultant, Mandiant
Beijing
Boston
Brussels
Chicago
Frankfurt
Hong Kong
Houston
London
Los Angeles
Moscow
Munich
New York
Palo Alto
Paris
São Paulo
Shanghai
Singapore
Sydney
Tokyo
Toronto
Washington, D.C.
Wilmington
Privacy and Cybersecurity 2014: The Current State of Affairs
Presented by Stuart Levi
PRIVACY V. CYBERSECURITY
Privacy
• Privacy policy compliance
• Big data mining
• Privacy regulations
• Internet of things
• Do not track
• Location data
• Global enforcement
PRIVACY V. CYBERSECURITY
Cybersecurity
• Data breaches
• Non-data cyber theft
• Denial of service attacks
• Compliance with security policies
• NIST guidelines
PRIVACY V. CYBERSECURITY
Government Spying
• Snowden revelations
• Access to records through public companies
• Government monitoring
• Global implications
PRIVACY V. CYBERSECURITY
PRIVACY | CYBERSECURITY
• Government spying
• Data breaches
• Increased demands for privacy regulation
THE REALITY COMPANIES FACE TODAY
• Data breaches and cyberattacks are increasingly common.
• More companies are considered “targets of choice.”
• A large segment of the security community has adopted an “assume you’ve been breached” mentality.
• Attacks are from:
− Hackers looking to profit
− State-sponsored organizations
− Hackers looking to wreak havoc
THE REALITY COMPANIES FACE TODAY
• Attacks are not limited to personal information:
− Theft of intellectual property
− Theft of business information
− Denial of service attacks
• No industry is immune from attack.
• Rapid detection has become as important as threat prevention.
− Each day the threat is not detected, the level of damage and harm increases.
• Locating the source of the harm is becoming more difficult.
THE REALITY COMPANIES FACE TODAY
• Informative statistics from the Verizon 2013 Data Breach Investigations Report:
− 78% of intrusions were rated as “low difficulty”
− 69% discovered by external parties
− 66% took multiple months to discover
− 75% are considered opportunistic attacks
− 80% involved authentication based attacks
• Each statistic presents a potential liability risk.
KEY LEGAL THREATS TODAY
• FTC enforcement activity
− “Misleading” consumers by “promising” industry-standard or robust security
− Inadequate security protection
• Shareholder litigation
− For any cybersecurity loss (not just data breaches)
» Denial of service
» Loss of intellectual property or confidential information
• Data breach class actions
THE RESPONSE CLOCK HAS ACCELERATED
HISTORICAL PRACTICE
COMPANIES OFTEN DELAYED NOTICE UNTIL FULL FORENSIC ANALYSIS WAS DONE
» Provided time to formulate a response and manage PR, communications and legal
» Companies often hopeful that forensic analysis would reveal notice was not required
» Sometimes delay was required by law enforcement, but this was the exception
THE RESPONSE CLOCK HAS ACCELERATED
• Today, companies face a new and pressing reality:
− Privacy advocates/activists
» Learning of breaches and threatening to go public if the company does not disclose
» Generally unsympathetic to pleas that the company needs more time to formulate its response
− Insurance plans may require prompt notice
DATA SECURITY CLASS ACTIONS ARE ON THE RISE
• Plaintiffs’ lawyers are looking to cash in on the increase in data security breaches at retailers, banks and other institutions.
• Their tool of choice: large-scale class actions based around theories of alleged damage to consumers’ privacy.
• While relatively few cases have been filed so far, the number will undoubtedly grow.
THE FTC AND PLAINTIFF LAWYERS NEED A HOOK
• The company failed to install or implement adequate security protections.
− Were there internal or consultant recommendations that were ignored?
• The company “misled” customers about the level of its security.
• The company’s procedures or policies were lacking or not followed.
− Security policies
− Vendor policies
• C-suite and/or board was not adequately kept apprised of security procedures.
• The company took too long to provide notice of a data breach or to respond to an attack.
KEY TAKEAWAY
The goal of every company today should be to eliminate as many of these hooks as possible
STEPS EVERY COMPANY SHOULD BE TAKING TODAY
• Privacy audit and implementation
• Risk assessment
• Establish a rapid response team
• Testing
• Privacy by design
• Evaluate insurance coverage
PRIVACY AUDITS
• Typically performed by a law firm and/or external consultant
− External advisers see issues that are hidden to companies
» View each issue from a “what if” lawsuit perspective
− “Good fact” in the event of a litigation
− External advisers have the benefit of seeing best practices at other companies
− Provides regulators with comfort
PRIVACY AUDITS
• Key Steps:
− Where is data coming into the company?
− How is data used and what controls are in place?
− How are security decisions made and implemented?
− Do internal and external privacy policies align with actual practice?
» Very often they do not
− What is the company saying about its security practices?
− What is the company disclosing in its public filings?
− How are company executives and board members kept informed?
− How mature is the privacy program?
− What sort of training/retraining is provided?
• Critical Step: Need to act on audit recommendations
RISK ASSESSMENT
• What types of personal information could be compromised?
• Is there a risk of confidential information being compromised?
• What is the potential for lost business?
• Is there a potential for regulatory scrutiny?
• Is there a potential for fines and penalties?
• What is the potential for damage to reputation/loss of trust/media publicity?
ESTABLISHING A RAPID RESPONSE TEAM
• Critical in a world where you may lose control of the response timing
• Key stakeholders will bring unique and important perspectives
− IT, legal, security, PR/communications, HR, risk management, corporate management, government relations
• Scrambling to figure out the team once an incident occurs is inefficient and dramatically increases the risk of a misstep
• Create a playbook of how incidents will be handled
• Understand the data breach notification requirements
• Understand SEC disclosure obligations
TESTING
• Critical to test your incident response plan at least semi-annually
− Consider different scenarios
• Consider creating a report of areas to improve
− But assess the risks of creating such a report
• Assess roles and responsibilities
− Did people leave?
− Was there any internal restructuring?
− Were new systems implemented?
TESTING
• Update process documents
• Review third-party vendor contacts
» PR
» Forensics
» Notification
» Legal
− Are these still the right contacts?
• Any changes to law
PRIVACY BY DESIGN
• Area of focus for the FTC
» Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services
• Now a critical area for risk mitigation
• Key ideas:
− Proactive not reactive
− Privacy embedded into the design process
− Visibility and transparency within the organization
− Privacy and security as part of the corporate culture
EVALUATE INSURANCE COVERAGE
CRITICAL AREAS OF CYBER INSURANCE
− Network security liability (third party)
− Privacy liability (third party)
− Professional liability (third party)
− Notification costs
− Regulatory defense
− Data loss/recreation
− Business Interruption
Devon Kerr, Senior Consultant
© Copyright 2010
Introduction Slide
• Introductions
• Overview
• Building an investigation-ready environment
• During an intrusion
• Post-incident activities
• Q&A
Important note
• All information is derived from MANDIANT observations in non-classified environments
• Some information has been sanitized to protect our clients’ interests
Introductions
DEVON KERR
• Former IT operations (10+ years)
• Lead investigator and forensic analyst
• Develops internal training for Mandiant consultants
• More than 15 investigations this year
Preparing for a breach
• Build an investigation-ready environment:
− Logging and monitoring
− Fundamental security controls
− Important procedures
Investigation readiness
• Before the breach…
− Centralize logs and alerts into a unified dashboard
» Consolidation reduces effort and increases efficiency
» Collect logs for user logins of all kinds
» Increase the amount of logs retained
» Make sure you can actually get the logs out of the system
− Implement application whitelisting on all critical systems
» Ensures that only approved software will run
» Easiest and cheapest way to slow down an attacker
» Good for detecting attackers if you centralize these logs, too!
Investigation readiness
• Before the breach… (continued)
− Know where your data is
» Intellectual property, financial data, competitive business data (sales, marketing, business logic)
» Know the role of critical systems
− Identify Internet points of presence
» Egress points for user Internet access
» VPN devices
» Direct connections to service providers and partners
» DMZs
− Patch operating system and third-party software
» Critical vulnerabilities should be patched within 2 days
Investigation readiness
• Before the breach… (continued)
− Harden the environment
» Block network traffic leaving your environment that doesn’t have a known business purpose
» Strengthen systems administration by using dedicated management systems
» Identify all users with admin-level privileges and revoke those rights
» Domain administrators shouldn’t use privileged accounts for regular computer and network activities – only administration
» Implement a second factor of authentication, like a token, for remote access (VPN)
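The three privileged-account points on this slide (dedicated management systems, pruning admin rights, and not using domain-admin accounts for everyday work) can be checked against centralized logon data. The following is an added example, not Mandiant's or the presenters' code: it takes a constructed set of privileged accounts, a constructed set of management hosts, and constructed Windows-style logon records (the logon-type numbers follow Windows event 4624, where 2, 10 and 11 are interactive, RDP and cached-interactive logons and 3 is a network logon), and reports the three conditions the slide warns about. Account, host and timestamp values are all invented for the example.

```python
from collections import namedtuple

# Windows 4624 logon types meaning a person is using the account at a console or over RDP:
# 2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive. Type 3 (Network) is what
# ordinary remote administration of a server looks like and is not flagged here.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

Logon = namedtuple("Logon", "when user host logon_type")

# Constructed sample data (not from any real environment): accounts holding domain-admin
# rights, the dedicated management hosts administration is supposed to happen from, and a
# day of logon events exported from a central log store.
PRIVILEGED_ACCOUNTS = {"da-jsmith", "da-akim", "da-legacy"}
MANAGEMENT_HOSTS = {"MGMT01", "MGMT02"}

LOGONS = [
    Logon("2014-09-10 08:01", "da-jsmith", "MGMT01", 10),    # RDP to a management host: expected use
    Logon("2014-09-10 08:40", "da-jsmith", "WS-JSMITH", 2),  # console logon to own workstation with DA account
    Logon("2014-09-10 09:05", "jsmith", "WS-JSMITH", 2),     # regular account on the workstation: fine
    Logon("2014-09-10 11:22", "da-akim", "FS01", 3),         # network logon to a file server: admin task
    Logon("2014-09-10 13:47", "da-akim", "WS-AKIM", 10),     # RDP to a workstation with a DA account
    Logon("2014-09-10 15:10", "akim", "MGMT02", 2),          # non-privileged user at a management console
]


def privileged_logons_outside_management(logons, privileged=PRIVILEGED_ACCOUNTS,
                                         mgmt_hosts=MANAGEMENT_HOSTS):
    """Interactive use of a privileged account anywhere except a dedicated management host.

    This is the 'domain admins using privileged accounts for regular activity' case: the
    credential is exposed on an ordinary workstation, which is exactly where it gets stolen.
    """
    return [l for l in logons
            if l.user in privileged
            and l.logon_type in INTERACTIVE_LOGON_TYPES
            and l.host not in mgmt_hosts]


def unprivileged_logons_to_management(logons, privileged=PRIVILEGED_ACCOUNTS,
                                      mgmt_hosts=MANAGEMENT_HOSTS):
    """Anyone without admin rights logging on to a management host.

    A management system that ordinary users can reach is not a dedicated management system.
    """
    return [l for l in logons if l.host in mgmt_hosts and l.user not in privileged]


def dormant_privileged_accounts(logons, privileged=PRIVILEGED_ACCOUNTS):
    """Admin accounts that never appear in the logon data: first candidates for revocation."""
    seen = {l.user for l in logons}
    return sorted(privileged - seen)


if __name__ == "__main__":
    for finding in privileged_logons_outside_management(LOGONS):
        print("privileged account on non-management host:", finding)
    for finding in unprivileged_logons_to_management(LOGONS):
        print("unprivileged logon to management host:", finding)
    print("privileged accounts with no activity:", dormant_privileged_accounts(LOGONS))
```

The review window matters: run `dormant_privileged_accounts` over a long enough export (weeks, not one day) before treating silence as grounds for revocation, and keep the management-host set in version control so the check reflects the current environment.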
During an incident
• Facilitating the investigation
− Respond to requests quickly
» Identifying the function of a system
» Identifying all systems which may contain a specific type of data (PII, financial records, etc.)
» Be able to search logs on-demand (e.g., search all log sources for an IP address)
» Be able to share logs with investigators (e.g., provide a copy of all VPN logs)
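The two capabilities this slide asks for during an incident (search every log source for one IP address on demand, hand investigators a copy of one source such as the VPN logs) both depend on the "centralize logs and alerts" preparation from the earlier readiness slide. The following added example, which is not Mandiant's or the presenters' code, shows the minimum that makes both possible: three differently formatted sources (a VPN appliance syslog line, a CSV export of Windows Security events, and a web proxy access line) are normalized into one record type so that a single indicator can be searched across all of them in time order. The log formats, host names, user names and IP addresses (TEST-NET ranges) are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log lines (not real data). Three sources, three formats.
VPN_LOG = """\
2014-09-10T02:14:07Z vpn01 sslvpn: user=jsmith src=203.0.113.45 event=login-ok
2014-09-10T08:31:55Z vpn01 sslvpn: user=akim src=198.51.100.7 event=login-ok
2014-09-11T23:02:13Z vpn01 sslvpn: user=jsmith src=203.0.113.45 event=login-ok
"""

# Windows Security event export: time,EventID,account,workstation,source IP,logon type
WIN_LOG = """\
2014-09-10 02:14:30,4624,CORP\\jsmith,FS01,203.0.113.45,3
2014-09-10 09:12:01,4624,CORP\\akim,WS-AKIM,10.0.5.21,2
2014-09-10 02:20:44,4672,CORP\\jsmith,DC01,203.0.113.45,3
"""

# Web proxy access log: epoch time, client IP, status, method, URL, user
PROXY_LOG = """\
1410315300.112 10.0.5.21 TCP_MISS/200 GET http://intranet.example/ akim
1410315400.512 10.0.7.9 TCP_MISS/200 GET http://www.example.net/ jsmith
"""


@dataclass
class Event:
    """One normalized record; every source is reduced to these five fields (times are UTC)."""
    when: datetime
    source: str
    user: str
    ip: str
    detail: str


VPN_RE = re.compile(r"^(\S+) \S+ sslvpn: user=(\S+) src=(\S+) event=(\S+)$")


def parse_vpn(text):
    out = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m:  # lines that do not match the expected shape are skipped, not guessed at
            ts, user, ip, ev = m.groups()
            out.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "vpn", user, ip, ev))
    return out


def parse_windows(text):
    out = []
    for line in text.splitlines():
        ts, eid, acct, host, ip, ltype = line.split(",")
        user = acct.split("\\")[-1]  # drop the DOMAIN\ prefix so users match across sources
        out.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "windows", user, ip,
                         f"EventID {eid} on {host} logon type {ltype}"))
    return out


def parse_proxy(text):
    out = []
    for line in text.splitlines():
        ts, ip, status, method, url, user = line.split()
        when = datetime.fromtimestamp(float(ts), timezone.utc).replace(tzinfo=None)
        out.append(Event(when, "proxy", user, ip, f"{method} {url} {status}"))
    return out


def load_all():
    """The 'unified dashboard' in miniature: every source in one list of comparable records."""
    return parse_vpn(VPN_LOG) + parse_windows(WIN_LOG) + parse_proxy(PROXY_LOG)


def search_ip(events, ip):
    """On-demand search for one indicator across all sources, returned as a time-ordered trail."""
    return sorted((e for e in events if e.ip == ip), key=lambda e: e.when)


def users_seen_from(events, ip):
    """Which accounts were used from the indicator address; tells you whose credentials to reset."""
    return sorted({e.user for e in events if e.ip == ip})


def export_source(events, source):
    """A shareable, normalized copy of one source (e.g. all VPN logs) for the investigators."""
    return [f"{e.when.isoformat()} {e.source} user={e.user} ip={e.ip} {e.detail}"
            for e in events if e.source == source]


if __name__ == "__main__":
    events = load_all()
    for e in search_ip(events, "203.0.113.45"):
        print(e.when, e.source, e.user, e.detail)
    print("accounts used from that address:", users_seen_from(events, "203.0.113.45"))
    print("\n".join(export_source(events, "vpn")))
```

Two points the trail makes concrete: the search is only as good as the time normalization (the proxy writes epoch seconds, the VPN writes ISO-8601 with a Z, the Windows export has no zone at all, so every parser has to commit to UTC), and the search only works at all if the VPN and Windows logs were already being collected before the incident, which is the retention point on the readiness slide.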
During an incident
• Remediating
− Work with investigators to develop a remediation plan that includes short-term tactical and longer-term strategic objectives
» Block malicious IP addresses
» Sinkhole malicious domain names
» Take infected systems offline and rebuild
» Perform an enterprise password reset
» …
Post-incident activities
• When the smoke clears
− Determine notification requirements based on incident type, jurisdiction, and industry
− Develop a coordinated message for the public
» Understand that the public may include clients, regulatory bodies, and shareholders
− Conduct a lessons learned exercise
− Develop metrics
» Time from incident to detection, detection to investigation, detection to remediation, etc.
» Review metrics after each incident
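The metrics bullet names three intervals (incident to detection, detection to investigation, detection to remediation) but a program only benefits from them if they are computed the same way for every incident and compared over time. The following added example, not the presenters' code, records the four timestamps each interval needs for a set of constructed incidents, rejects timelines whose order is impossible, and summarizes the program with medians plus the share of incidents first noticed by an outside party (the kind of figure the Verizon statistic on external discovery earlier in the deck is built from). All incident identifiers and dates are invented.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass
class Incident:
    """The four timestamps the slide's metrics need, plus who noticed first."""
    name: str
    first_compromise: datetime
    detected: datetime
    investigation_started: datetime
    remediated: datetime
    discovered_by: str  # "internal" or "external"


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample incidents (not real cases).
INCIDENTS = [
    Incident("INC-0001", ts("2014-03-02 09:00"), ts("2014-05-11 09:00"),
             ts("2014-05-11 15:00"), ts("2014-05-31 09:00"), "external"),
    Incident("INC-0002", ts("2014-07-20 10:00"), ts("2014-07-24 10:00"),
             ts("2014-07-24 12:00"), ts("2014-07-28 10:00"), "internal"),
    Incident("INC-0003", ts("2014-08-01 00:00"), ts("2014-08-31 00:00"),
             ts("2014-09-01 00:00"), ts("2014-09-10 00:00"), "external"),
]


def validate(inc):
    """A timeline that runs backwards means a data-entry error, not a fast response."""
    if not inc.first_compromise <= inc.detected <= inc.investigation_started <= inc.remediated:
        raise ValueError(f"{inc.name}: timestamps are out of order")
    if inc.discovered_by not in ("internal", "external"):
        raise ValueError(f"{inc.name}: discovered_by must be 'internal' or 'external'")


def incident_metrics(inc):
    """The three intervals from the slide, in the units they are usually discussed in."""
    validate(inc)
    days = lambda delta: delta.total_seconds() / 86400
    hours = lambda delta: delta.total_seconds() / 3600
    return {
        "compromise_to_detection_days": days(inc.detected - inc.first_compromise),
        "detection_to_investigation_hours": hours(inc.investigation_started - inc.detected),
        "detection_to_remediation_days": days(inc.remediated - inc.detected),
    }


def program_summary(incidents):
    """Medians across incidents (robust to one outlier) and the externally-discovered share."""
    per_incident = [incident_metrics(i) for i in incidents]
    summary = {key: median(m[key] for m in per_incident) for key in per_incident[0]}
    external = sum(1 for i in incidents if i.discovered_by == "external")
    summary["external_discovery_share"] = external / len(incidents)
    return summary


if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc.name, incident_metrics(inc))
    print("program:", program_summary(INCIDENTS))
```

Review these after every incident, as the slide says, but compare medians across quarters rather than reading a single incident's numbers as a trend; one long-dwelling intrusion will dominate a mean and hide whether the detection program is actually improving.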
Q&A
Business Ethics Leadership Alliance (BELA)
This webcast and all future Ethisphere webcasts are available complimentary and on demand for BELA members. BELA members are also offered complimentary registration to Ethisphere’s Global Ethics Summit and other Summits around the world.
For more information on BELA contact:
Laara van Loben Sels, Senior Director, Engagement, [email protected]
PLEASE JOIN US FOR
October 30, 2014: Cyber-Security, IP Theft and Data Breaches: Practical Steps to Protect Corporate Assets Internally and with Third Parties
All upcoming Ethisphere events can be found at:
http://ethisphere.com/events/
THANK YOU