Cyber Liability: A Case Study
Ferris State University Cyber Incident & Claim
Presentation to MHEC, March 12, 2015
Christina Weber, FSU
Justin Pennock, EIQ Networks
Katherine Keefe, Beazley
About Ferris State University
• Ferris State University:
– 14,000+ students
– Big Rapids, MI
– Over 180 career-oriented programs
• Associates to doctoral degrees
• Colleges of Pharmacy and Optometry
Topics
• Incident
• Response
• Things That Went Well
• Insurance/Financial Impact
• Recommendations for Members
The Incident
• Tuesday, 07/23/13, IT department discovered that an unauthorized person evaded our network security & gained access to our Web server
• Discovered that hidden files (hereafter dubbed “The Tool”) had been placed on the server at least 11 times since 07/13
• Packet logs verified that database server names, service account names & passwords were transferred to an unknown IP address
• 47 ColdFusion data source connections through these service accounts
• Also found 65 Access databases on the Web server
Initial Actions Taken
• IT took Web server off-line & began rebuild (not restore)
• IT commenced active monitoring of logs & compromised service accounts
• IT notified Beazley
• Beazley commenced Breach Response services under the direction of Katherine Keefe
Beazley’s Approach to Breach Response
• Proactive breach investigation & response services are covered by the policy
• Early notification maximizes coverage benefits
• BBR Services: In-sourced breach response team assists in project management
• Beazley negotiates discounted rates with expert services providers
• BBR Services coordinated legal services (Baker Hostetler), on-site forensics services (Navigant) and other services for FSU
• FSU contracted directly with all vendors
In the Meantime…
• Assembled Cyber Response Team
– VP Admin & Finance (chair)
– CTO & Director of Applications
– General Counsel
– Risk Management
– Public Information
– Enrollment Services
• Began meeting at least once a day with Beazley Team
Discovery Stage
• IT staff began internal forensic investigation
• Navigant rep arrived on site Monday, 07/29
• The Good News: “The Tool” was unsuccessful accessing the Oracle Servers
• The Bad News: Web server Access databases contained sensitive information regarding prospective, as well as current, students
What We Discovered
• 39,000+ Name & SS# combos were exposed
• 19,000+ Name & CWID combos were exposed
• No PCI was compromised
• No HIPAA data was compromised
• No evidence that any of the data had actually been taken
Behind the Scenes
• Major push on part of our administration to get the word out (transparency)
• Daily meetings to prepare the message
• Major precautions on the part of Baker Hostetler to not release information too early
AND THEN….
• We discovered that “The Tool” could access the “Share” folders on 45 Active Directory servers
• ALL KINDS of information on those servers
• Discovery process intensified
Phase 1 Info Release
• Issued press release & Web announcements on 08/15/13
• Contracted with Epiq Systems for notification services
– Issued 39,690 letters to SS# “impactees” (required)
– Issued 19,377 letters to CWID “impactees” (not required)
– Created FAQs for all versions
– Set up two separate Call Centers
Discovery Process Ramped Up
• Over the course of the next few weeks:
– At least 4-5 IT staff devoted almost full-time
– Navigant was on-site the majority of that time
– Navigant brought in 2 additional specialists
• Used “The Tool” to see what AD Share drives were accessible
• Utilized Identity Finder to look for sensitive data (SS#, DL#, DOB, PCI, HIPAA, & CWID)
• Reviewed over 600,000 files on the Share drives
Behind the Scenes
• Still meeting….
– VP & CTO daily
– Breach Response Team at least 3 times a week
• Contracted with Levick to assist with the communications for Phase II
– Came on campus and provided media coaching
– Reviewed all Phase II release information
Phase II Info Release
• Issued press release & Web announcements on 09/24/13
• Epiq Systems issued another 62,630 letters
– SS#, CWID, and HIPAA
– Employees, current & prospective students, & patients at the Eye Center
• Created FAQs for all versions
• Set up three additional Call Centers
Things That Went Well
• Massive collaborative coordination effort
• Very little negative press
• Forced us to take a closer look at our systems
– Hired an outside consultant to review
• Offered protection for the “impactees”
Protection for “Impactees”
• Contracted with Experian for Credit Monitoring
– ProtectMyID© Alert
– Family Secure for minors
• Offered CWID “impactees” the opportunity to change their CWID
Insurance/Financial Impact
BEAZLEY CYBER COVERAGE 2013-2014
(Line of Coverage: Limit; Deductible)
• Privacy Breach Response: Limit $250,000; Deductible $10,000
– Forensics Services
– Legal Services
– Notification Mailings & Call Center: 2,000,000 Individuals
– Credit Monitoring
• Crisis Management & Public Relations: Limit $50,000; Deductible $5,000
– Notification Mailings & Call Center for CWID
– Strategic Communications
• Information Security & Privacy Liability: Limit $3,000,000; Deductible $100,000
• Regulatory Defense & Penalties: Limit $1,000,000
Recommendations for Members
• Expect to eat, sleep, & breathe Breach
• Let the experts do their jobs
• Know your coverage & how the process works
• Establish relationships with each facet of response (Beazley Breach Response, Beazley coverage, attorneys, and notification, crisis communication, & credit monitoring vendors)
• Keep records of everything
How Do We Prevent This from Happening Again?
• Ferris engaged the services of an outside consultant to do a security risk assessment
• As a result, we made immediate changes to reduce vulnerabilities
• Proactive approach
– Developed a 3-year plan of initiatives to improve our security profile
Beazley Breach Perspectives
• Higher education breaches are unique
• Importance of Incident Response Planning
• Have team in place
• Regulatory issues
• State laws matter
• Enforcement actions
• Hot buttons
Implementing a Security Program
• Justin Pennock, EIQ Networks
• Two components: Reactive & proactive security procedures
Copyright © 2015 EiQ Networks, Inc. All rights reserved.
Justin Pennock
March 12, 2015
MHEC Annual Loss Control Workshop
Cyber Liability
Security, Risk & Compliance Issues Today
• Security, risk and compliance are integrally linked
– 439 million records stolen in the past 6 months
– 110 million Americans (50% of U.S. adults) personal data exposed in the past year
• 35% website breaches, 22% from cyberespionage, 14% at POS
– 80% of breaches go undetected
• Time and resource scarcity
– Experienced and certified professionals are hard to find
• Process lacking
– Post-incident versus during-incident versus pre-incident
• Actionable information for remediation
– How did they get in?
– How is it moving?
[Diagram labels: Compliance, Risk, Safety]
Costs of Security
• Responding to incidents after they occur
• Long timeframe to investigate & resolve
• Costly
What Is An Effective Security Program?
• A set of processes and best practices developed and implemented
– Based on industry standards
• Trained, experienced Information Security professionals
– Must be operational 24x7
• Immediate and comprehensive visibility into the “Threat”
– Remove silos and connect the dots
“Implementing Just First 5 Controls Reduced Malware Infections By 75%”
Jonathan Trull, CISO Colorado
DHS CDM adopts SANS Controls
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
“The CDM approach moves away from historical compliance reporting and toward combating threats to the nation’s networks on a real time basis.”
Resources
• MHEC Webinar
• Designing & Building a Cyber Security Program
– Guest Presenter: Larry Wilson, Information Security Lead at UMASS President’s Office
– Link - https://www.youtube.com/watch?v=lnbIr2i2kmM
• SANS Controls Link
– CISO of the State of Colorado & Larry Wilson presentations:
• http://www.sans.org/security-trends/2013/06/13/the-critical-security-controls-at-the-gartner-security-conference
• Contact Information:
– Justin Pennock
email: [email protected]
(978) 266-3165
Web: www.eiqnetworks.com
Twitter: @eiqnetworks