Data Breaches: Technology, Threats, Turmoil, Tenacity & Trust

Neil Daswani, Chief Information Security Officer – LifeLock
Craig Spiezle, Executive Director, Online Trust Alliance



© 2016 RSA Conference. All rights reserved.

Who is OTA?

Mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet.

•  Goal to help educate businesses, policy makers and stakeholders while developing and advancing best practices and tools to enhance the protection of users' security, privacy and identity.

•  Collaborative public-private partnerships, benchmark reporting, meaningful self-regulation and data stewardship.

•  U.S. based 501(c)(3) tax-exempt charitable organization.

LifeLock

•  Provides people a sense of confidence to live freely in an always-connected world. We’re a leading provider of proactive identity theft protection services for consumers and identity risk and credit worthiness assessment for enterprises.

•  Pioneers in identity protection, providing identity threat detection, proactive identity alerts, and comprehensive remediation services.

•  With more than 4.3 million LifeLock members, we’re committed to providing our consumers some peace of mind amid the threat of identity theft.

Overview

•  Challenges & Lessons Learned

•  Prevention, Detection & Response

•  Evolving Threats & Challenges

Realities of Incident Response Plans

Top concerns: the plan

•  Has little relationship to how the organization actually handles security incidents.

•  Has never been tested.

•  Does not cover all of the issues that arise in an incident.

•  Is out of date and likely not in compliance with the regulatory landscape.

Why We Are

•  Mistrust in privacy, security and the online experience is resulting in chilling effects.

•  Need to move beyond compliance to stewardship.

•  Inaction will stifle economic growth and the benefits to society at large.

•  For the Internet to thrive, users must trust that their information will be secure and their privacy respected.

Challenges

•  Moving threat targets

•  Expanded scope of data loss incidents

•  Evolution of cybercrime: increased precision, decreasingly a crime of opportunity

•  Evolving regulatory landscape

•  Beyond your four walls

The Realities

•  29% increase in publicly disclosed breaches

•  93% of incidents could have been prevented

•  30% due to lack of internal employee controls

•  47% increase in identity theft complaints

•  Impact is not only financial or PII:

▫  Cyber vandalism
▫  Hacktivism
▫  Social engineered exploits
▫  ACH withdrawals

What Have We Learned?

1.  Need for a critical shift regarding roles

2.  It is not about compliance!

3.  Yesterday’s approaches are often inadequate

4.  Security and privacy are beyond your walls

Laws of Data

•  Your data includes “covered information”

•  You have regulatory requirement(s)

•  You will have a data incident

•  If you are unprepared it will cost you:

▫  Direct expenses
▫  Remediation
▫  Partners
▫  Brand
▫  Business shock
▫  Your reputation

But I’m compliant… and we have a security team.

•  PCI, HIPAA, ISO, NIST, ...

•  Compliance does not (by any means) guarantee security.

•  Most compromised organizations were compliant and passed their audits.

•  Compliance can (at best) be viewed as the minimum bar for security.

“Data stewardship” needs to be every employee’s responsibility. Security is not just the responsibility of the information security team. At best, the information security team members are the shepherds, guides, and “force multipliers” for security initiatives. The security team should be expected to be the “Jedi”, not the “clone army.”

[Courtesy: Stanford Advanced Security Certification, Emerging Threats and Defenses Course]

The ABCs of a Response Plan

•  Create and Empower a Team

•  Designate First Responders

•  Create a Notification “Tree”

•  Develop Law Enforcement Relationships

•  Establish procedures for preserving evidence

•  Create Communication Templates

•  Training

•  Regulatory and Legal Review

•  Identity Protection

•  Cyber Insurance

•  Testing, Critique and Refinement

What is “Preventable”?

Security Best Practices

1.  Encryption & Key Management

▫  At rest, storage and in some cases “in use”

2.  Password Management

3.  Least privilege user access (LUA)

4.  Security design and code reviews including penetration tests and vulnerability scans

5.  Deploy multi-layered firewall protections

6.  Authenticate on all mail servers

▫  Outbound & inbound
▫  SPF, DKIM & DMARC
▫  Sub-domains, active & parked domains
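Item 6 (SPF, DKIM & DMARC on every sending domain, including sub-domains and parked domains) is one of the few items on this list that can be checked mechanically. What follows is an added example, not code from the deck or from OTA: a small Python audit that parses SPF and DMARC records and flags the settings that leave a domain spoofable, such as `~all`, `p=none`, a missing sub-domain policy, or no `rua` address for aggregate reports. The sample records and the domain `example.test` are constructed for the example; a real run would first fetch the TXT records for the domain and for `_dmarc.<domain>` via DNS, which is left out so the audit runs offline. DKIM is not covered because its selectors cannot be enumerated from the domain name alone.

```python
"""Audit SPF and DMARC records for settings that leave a domain spoofable.

Added example (not from the OTA/LifeLock deck). Records are passed in as
strings so the checks run offline; a real run would first fetch the TXT
records for <domain> and _dmarc.<domain> via DNS.
"""
import re

# Constructed sample records for a hypothetical domain, example.test.
SAMPLE_RECORDS = {
    "weak": {
        "spf": "v=spf1 include:_spf.mailhost.test ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    },
    "strong": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.test -all",
        "dmarc": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                  "rua=mailto:dmarc@example.test; pct=100"),
    },
    # A parked domain should send no mail at all: hard-fail SPF, reject DMARC.
    "parked": {"spf": "v=spf1 -all", "dmarc": "v=DMARC1; p=reject; sp=reject"},
}

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|exists|ptr|redirect)(?=[:=/]|$)", re.I)
ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.I)


def parse_spf(record):
    """Return (mechanisms, all_qualifier) or None if the record is not SPF.

    all_qualifier is "+", "-", "~", "?" or None when no "all" term is present;
    a bare "all" means "+all" (pass everything)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        m = ALL_TERM.match(term)
        if m:
            all_qualifier = m.group(1) or "+"
        else:
            mechanisms.append(term)
    return mechanisms, all_qualifier


def parse_dmarc(record):
    """Return the DMARC tag/value map or None if the record is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def audit_mail_auth(spf_record, dmarc_record):
    """Return a list of findings; an empty list means the records look sound."""
    findings = []
    spf = parse_spf(spf_record) if spf_record else None
    if spf is None:
        findings.append("spf: missing or invalid record")
    else:
        mechanisms, qualifier = spf
        if qualifier in (None, "+"):
            findings.append("spf: no 'all' term or +all, anyone may send as this domain")
        elif qualifier == "~":
            findings.append("spf: ~all (softfail) instead of -all")
        elif qualifier == "?":
            findings.append("spf: ?all (neutral) gives receivers no signal")
        if sum(1 for m in mechanisms if LOOKUP_TERM.match(m)) > 10:
            findings.append("spf: more than 10 DNS lookups, evaluates to permerror")
    dmarc = parse_dmarc(dmarc_record) if dmarc_record else None
    if dmarc is None:
        findings.append("dmarc: missing or invalid record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy != "reject":
            findings.append(f"dmarc: p={policy or 'missing'} (want reject)")
        # sp defaults to p when absent, so a weak p silently covers sub-domains too
        subdomain_policy = dmarc.get("sp", policy).lower()
        if subdomain_policy != "reject":
            findings.append(f"dmarc: sp={subdomain_policy or 'missing'} leaves subdomains open (want reject)")
        if "rua" not in dmarc:
            findings.append("dmarc: no rua address, so no aggregate reports")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"dmarc: pct={dmarc['pct']} leaves part of the mail unenforced")
    return findings


if __name__ == "__main__":
    for label, recs in SAMPLE_RECORDS.items():
        print(label, audit_mail_auth(recs["spf"], recs["dmarc"]) or ["ok"])
```

Run it over every domain you own, not only the primary one: the "parked" record shows what a domain that never sends mail should publish, and the sub-domain check is there because `sp` inherits a weak `p` when it is not set explicitly.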

Security Best Practices, cont’d

7.  Mobile device (and IoT) management program

8.  Continuous monitoring in real-time

▫  SSL/TLS configurations
▫  Log reports

9.  Web application firewalls

10.  Permit only authorized wireless devices

11.  Implement “https” EVERYWHERE
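For the SSL/TLS configuration item under continuous monitoring, here is an added example (mine, not from the deck or from OTA) in Python. It builds a deliberately weak client TLS context beside a hardened one and runs the same audit over both. The weak settings are the ones that appear when a certificate error is "fixed" by switching verification off; the audit flags them so it can be pointed at any `ssl.SSLContext` an application constructs.

```python
"""Audit an ssl.SSLContext for weak client-side TLS settings.

Added example (not from the OTA/LifeLock deck). A deliberately weak context
is built next to a hardened one and both are run through the same audit.
"""
import ssl


def weak_client_context():
    """Settings typically found where certificate errors were 'fixed' away."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # cert no longer has to match the host
    ctx.verify_mode = ssl.CERT_NONE   # any cert, self-signed or forged, accepted
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # legacy protocol floor
    except ValueError:
        pass  # OpenSSL built without TLS 1.0: keep the library default
    return ctx


def hardened_client_context():
    """create_default_context() plus an explicit TLS 1.2 floor."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no TLS 1.0 / 1.1
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client context; empty means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid cert for any other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum_version {ctx.minimum_version.name} permits TLS 1.0/1.1")
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("TLS compression not disabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["ok"])
```

The two certificate findings are the ones that matter most: with `CERT_NONE` or `check_hostname = False`, TLS still encrypts the connection, but to whoever is on the other end, which is exactly the man-in-the-middle case it was meant to prevent.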

Security Best Practices, cont’d

12.  Review server certificates for vulnerabilities

▫  Consider Extended Validation certs
▫  Upgrade Domain Validated to Organization Validated certs

13.  Develop, test and continually refine your response plan

14.  Establish and manage a vulnerability / threat intelligence reporting program

Data Stewardship Lifecycle

Communica:ons

Know your audience

•  Internal
•  Key partners & customers
•  Regulators
•  Law enforcement
•  Press, media and analysts

4 T’s

•  Tactic
•  Tone
•  Timing
•  Technology

Regulatory Landscape

•  Opt-in v. Opt-out

•  Honor “Do-Not-Track”

•  Privacy Shield

•  FTC / FCC

•  Reasonable Security

•  Adequate Notice

•  “Right to be Forgotten”

•  Data Server Locations

•  Definition of PII

•  Government Access

Cyber Insurance – Reali:es

•  Liability (defense costs, settlements, judgments)

•  Incident response (including forensics, public relations, breach notification)

•  Loss/replacement of electronic data

•  Expenses for cyber extortion / ransomware

•  Regulatory fines

•  Business interruption, including lost revenue

•  Areas for potential claims denial – willful negligence?

Remedies

While most States require an identity theft monitoring service to be provided, there are no consistent standards. It is recommended that minimum levels of service be established, including but not limited to:

•  24 x 7 customer support

•  Case worker support

•  Multi-lingual support

•  Support for the hearing or visually impaired

Evolving Risks

•  Increasing Threats & Challenges

▫  Ransomware
▫  Malvertising
▫  IoT

Overview – IoT Trust Framework

•  Focus – Phase 1

▫  Connected Home
▫  Wearables (Health & Fitness)

•  Code of Conduct

•  Foundation for certification

•  30 Principles Addressing:

▫  Security
▫  Privacy
▫  Sustainability from purchase to “end-of-life”

Summary of the Guide

•  Executive Summary

•  Risk Assessment

•  Security Best Practices

•  Data Lifecycle & Stewardship

•  Incident Response Fundamentals

•  Cyber Insurance Considerations

•  Notification Requirements

•  Training, Testing & Budgeting

•  Regulatory Landscape

•  Resources/Templates

Summary Checklist

1.  Create a security and privacy-aware culture.

2.  Re-validate the business purpose of any sensitive data collected and the respective retention policies.

3.  Review best practices and industry standards and be ready to justify why you may not be following them.

4.  Create a team; assign a specific person to drive it across the company.

5.  Provide a plan for escalating information to executives and the board.

6.  Establish relations in advance with law enforcement, PR, outside counsel, forensics firms, remediation services and others.

7.  Review cyber-insurance coverage(s).

8.  Draft internal and external communications.

9.  Test, monitor, revise and learn on a daily basis.

More Information

•  Data Breach Readiness Guide: https://otalliance.org/breach

•  Online Trust Honor Roll: https://otalliance.org/HonorRoll

•  IoT Framework: https://otalliance.org/IoT

•  Contact us

▫  Craig Spiezle, [email protected] @otalliance

▫  Neil Daswani, @NeilDaswani

Appendix

Ransomware

•  Shift from Trojans

•  No longer a crime of opportunity

•  Increased precision and targeting via spear phishing and malvertising

•  Beyond consumer data

•  Surge pricing

•  Doubling in demands; decreasing time to respond

•  Professional services, CPA, financial services, engineering firms

•  Proprietary & client data

Defense & Containment

•  Implement phishing / social engineering countermeasures

•  DMZ hardening / ongoing port scans

•  Authenticate all inbound email

•  Block ads from critical systems

•  Impede lateral movement and propagation

▫  VLAN and subnet segmentation
▫  Gateway / firewall segmentation
▫  App blocking / whitelisting
▫  Role-based permissions (least privilege)

•  Offline backups

Malvertising

[Figure: malvertising flow – Infected Ad Server → Infected Ad → Infected Site → all site visitors]

1.  User visits a trusted website via a link, types the URL directly or uses their favorites.

2.  Ad tricks the user into downloading, or auto-downloads (“drive-by”), a program that installs malware.

3.  Malware captures & forwards data back to its creator, turns the machine into a bot, installs ransomware and other payloads.

4.  Used for identity theft, ACH fraud, account takeover, corporate espionage and other crimes.

Impact: all site visitors, plus the reputation of advertisers, sites & brands.

Increased Precision & Reach

The IoT landscape

[Figure: the IoT landscape – mobile app, fitness wearables, connected home, entertainment devices, service/data providers, IoT data processing, IoT provider website]

Challenges - IoT Ecosystem

•  Highly personal, dynamic, persistent collection and transfer of data

•  Combination of devices, apps, platforms & services

•  Data flows, touch points & disclosures

•  Lack of defined standards

•  Sustainability

•  Lifecycle supportability

•  Data retention / ownership

Data Breach Laws: Started in California in 2003

•  Prompted by an April 2002 incident at the State’s Teale Data Center that leaked the personal information of 265,000 state employees:

•  “A business or a State agency that maintains unencrypted computerized data that includes personal information, as defined, [shall] notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The type of information that triggers the notice requirement is an individual's name plus one or more of the following: Social Security number, driver's license or California Identification Card number, financial account numbers, medical information or health insurance information.” -- California Office of Privacy Protection

[Courtesy: Stanford Advanced Security Certification, Emerging Threats and Defenses Course]

State breach notification laws

•  California and Massachusetts laws are the most stringent.

•  Considerations:

▫  the number of individuals impacted;
▫  the specific data elements exposed;
▫  the risk to the affected constituents from such exposure;
▫  regulatory requirements; and
▫  law enforcement jurisdiction.

•  Speed and accuracy are equally important. Consumers expect timely and clear notification. Consumers may have an expectation to be provided remediation and monitoring services free of charge.

[Courtesy: Stanford Advanced Security Certification, Emerging Threats and Defenses Course]

Risk Assessment

•  Board, Officers & Investors

▫  What is the worst-case scenario if your “crown jewels” were compromised?

•  Internal Operational Risk

▫  Are your practices defensible?

•  Cloud, Vendors & Service Providers

▫  Who owns the relationship?
▫  Do you know who they are?
▫  What are their notification triggers?

Is your organization prepared to handle a data breach?

•  Incident response plan and team (phishing, malware, info leakage…)

•  Breach response plan (distinct and different from the incident response plan)

•  Relationships in place for: legal advice? public relations assistance? forensics? identity protection?

•  Practice, practice, practice!

[Courtesy: Stanford Advanced Security Certification, Emerging Threats and Defenses Course]