
Would You Trust a Thief?

Webinar 6/28/2016 Noon – 1:00 p.m. ET

The Dos, Don’ts, Wishes and Regrets

Associated with Ransomware

Richard Shutts, HBS Alex Rosati, HBS Alan Winchester, HBS Tad Mielnicki, AAG

www.hbsolutions.com DM#2847972.1

HB Access℠

Alex Rosati, HBS Tad Mielnicki, AAG Alan Winchester, HBS Richard Shutts, HBS

HB ACCESS℠ is offered jointly by HB Solutions LLC and Access Advisory Group LLC.

About HB Solutions: HB Solutions Data Privacy and Cybersecurity has provided cybersecurity prevention and post-breach response support to organizations in highly regulated industries and can advise on establishing the right level of certification compliance and the necessary reporting to minimize the liability associated with cybersecurity incidents. HB Solutions LLC is a consulting subsidiary of the law firm Harris Beach PLLC, established to provide non-legal consulting services to organizations and individuals in the private and public sectors across numerous industries.

About AAG: Access Advisory Group is comprised of proven cybersecurity leaders and technology operators who have worked in the highest levels in the U.S. Department of Defense, Intelligence Community and Department of Homeland Security. AAG has extensive experience in data encryption and management, data collection and analytics and in-depth knowledge across the spectrum of cybersecurity tool

Ransomware Introduction

Ransomware is a type of malware designed to restrict access to the affected computer system until a ransom is paid to the malware operator. It typically encrypts the files it can reach with an algorithm impossible to crack.

Ransomware Introduction (continued)

Once the virus penetrates the perimeter defenses, it is free to spread throughout large portions of the environment, encrypting any and all files it encounters.

Ransomware Introduction (continued)

In exchange for payment, the malware operator HOPEFULLY gives the users the encryption key and the computer is returned to an operational status.

Ransomware Introduction (continued)

The malware operators historically have made relatively modest demands for the encryption keys; perhaps 1-2 Bitcoins per computer.

Ransomware Introduction (continued)

Many companies simply choose to pay the ransom and move on without involving law enforcement or their attorneys.

Ransomware Introduction (continued)

How an organization responds to the discovery of Ransomware will significantly impact the ability to detect the other actions which may have been taken.

Scenario One

The computer can’t read any of the files and the files on their network drive are also locked.

Scenario One Discussion

What happened to this organization? Have they been breached?

Scenario One (continued)

o Is this a crime?
• Must you report the breach to law enforcement?
• Who has jurisdiction?
• How does reporting help?
• What are the down sides of reporting?
• How common is this?
• How do these things get into the company?
• Who are these bad actors?

And Then….

After ransomware was detected, a technician determined that all the corporate information existed on backup and decided to reformat the servers and restore from backups. Then the technician calls you. What issues does this raise?

What Happened?

Forensic Issues
• What difference did it make that the technician reformatted over all the drives?

What Happened? (continued)

IT perspective
• What, if anything, should the technician have done differently?
• How would these different actions have given the company any additional options?
• Given the current situation, is the response enough or must the company address its other systems and in what manner?

IT Suggestions and Concerns

What must you do after a breach and, depending on how the technician responded, what options exist?

• Identify affected systems and information?
• What to do with infected computers?
• How are your backups?
• What else did the malware operator do?

Policy Issues

Depending on how the technician responded:
• Without police involvement, is there a basis to delay notification if the company finds that it has a duty to report?
• Should the company assume that any PII on the system has been stolen?
• If so, what duties does it now have?

Policy Issues (continued)

Cyber insurance – is coverage impacted?

Notification issues
o Does the fact that ransomware was installed trigger a notification duty if there was protected private information on the system?
o How do you assess what information or data types were on the system?
o Regulator, state and federal laws and reporting requirements
o Contractual obligations
o Business considerations

What Happened? (continued)

How else is the company affected?

• Publicity
• Direct Costs. According to Ponemon 2015 Cost study a breach costs $12.60/record.
• Indirect costs

Risk Reduction Strategies

How would an incident or breach response plan have aided in this situation?

Breach Response Team and Issues

Who needs to be involved from within the organization to build a response plan?

Communication / notification considerations
• Legal team and security consultants
• Management team
• Brand issues
• Customer issues
• Law enforcement
Board issues

Discussion Topics

• What is a bitcoin and where do I get one?
• Is paying the ransom so bad?

May 8, 2016 June 22, 2016

Risk Reduction Strategies

IT Considerations
Surveillance of your network
• Who is on it and does it make sense?
• What accounts are enabled?
• Is there a thoughtful allocation of rights on the system?
• How is the network configured?
• Is there separation between different groups to contain loss?
• What rights do users have and are they restricted?
• Are there any controls and processes in place to limit what can be connected to the network?

Risk Reduction Strategies

Technical Considerations
• Network segmentation
• User rights
• Data encryption
• End to end data visibility and management
• Surveillance and logging
• Red teaming and Pen Testing – Checking a box is not enough
• Other options

Risk Reduction Strategies (continued)

Policy Considerations
ISO27001; NIST; COBIT; etc.
How is confidential information treated?
• Encryption?
Contractual and industry requirements
Legal requirements (SEC, HIPAA, FTC…)

Discussion Topics (continued)

Human Considerations
• Social Engineering Testing
• Test the Incident Response Plan
• User training
• Behavior focused handbooks

The HB Access team wants to work with you to build your business by helping you understand your Information Security (Infosec) risk in the same way you understand your other risks. Our integrated team understands your business needs and will tailor your policy, human capital and technology Infosec approaches to enable you to build and not stop your efforts. We will tell you how when the industry tells you don’t. HB Access

Policy Human Systems Technical

Improving your InfoSec HB Access℠

Combined Risk Assessment

Infosec enables a company to do business by enabling the access, storage and distribution of data that must remain secure. Understanding the lifecycle risk of data is crucial to the operation of any modern business. Typical approaches to Infosec risk apply industry standards without individual business context or policy standards without technical context.

[Diagram labels: Technical Assessment; Policy / Regulatory Assessment; Human Systems Assessment; Combined Risk Assessment]

HB Access℠ Service Overview

PROACTIVE PROTECTION ANALYSIS

Initial Assessment
• Meet with key stakeholder
• Identify and develop visions and goals

Compliance Issues
• Consult on compliance requirements
• Draft policies
• Review contracts
• Advise on issues of non-compliance

Risk Assessment
• Technical
• Administrative
• Red Teaming
• Physical

LOSS MITIGATION

Insurance Counseling
• Insurance and contract evaluations
• Analysis on risk level and exposure

Employee Education & Awareness
• Design training programs
• Develop and revise employee manuals

Crisis Readiness
• Evaluate / develop Incident Response
• Communication and media training
• Business Recovery Planning

POST BREACH RESPONSE

Immediate Crisis Response
• Detect and eliminate security breach
• Consult on notification requirements

Claims Response
• Develop claims response program
• Negotiate and audit claims services
• Facilitate legal representation

Final thoughts and Questions?

For more information write:

Tad Mielnicki [email protected]

Alexander Rosati [email protected]

Rick Shutts [email protected]

Alan Winchester [email protected]

HB|Solutions: 866.820.3167