When Risk Becomes Reality with Services

Adam Victor March 21, 2017

Agenda • Housekeeping • What is a data breach? • How/why do cyber-crooks access confidential business information? • How can we stop them? • The NIST Framework • Elements of a Data Breach Response Plan • Wrap Up

Program Level for CPE Credit • Basic • No prerequisite or advanced preparation required.

Learning Objectives • Understand the tactics cybercriminals use to obtain access to confidential information. • Understand what steps your organization should take to mitigate the risk of a data breach. • Understand the steps your organization should take in order to respond properly to a data breach.

Speaker Bio • I’m a Rutgers Scarlet Knight. March Sadness since 1991. • 28 years in IT – 10 at SE, 18 @ consulting and consumer goods companies. • Lead SE’s Advisory Services division – supporting client security policies, response plans, business continuity planning, and other consulting services. • 3 kids, 2 cats, 1 spouse, 0 data breaches (so far).

What is a Data Breach? A data breach is the intentional or unintentional release of personally identifiable information (PII), or other valuable information such as intellectual property (IP), to an untrusted environment.

What is PII Data? • PII: An individual’s first name or first initial, and last name, plus one or more of the following data elements:

• Date of birth • Address • Social Security Number or Corporate Tax ID • Driver’s license number or state-issued ID card number • Employee number, account number, credit or debit card number

How Does a Data Breach Happen? • A lost or stolen PC, laptop, smartphone or tablet. • Improper disposal of hard drives, found in everything from servers to photocopiers. • Improper document handling or intentional theft. • Hacking, social engineering, malware, ransomware.

Who Are the “Bad Guys?” • Organized crime syndicates (~89% of phishing attacks). • They’ve found a “business” model that works. • Who was Willie Sutton? “Why did you rob banks, Willie?” “Because that’s where the money is.”

• Where’s the money now? PII.

Why is PII Valuable? • 2016 Verizon Data Breach Investigations Report: “89% of breaches had a financial or espionage motive.” • Once PII is stolen, the thieves can potentially: • Apply for credit cards or loans in your name. • Launder money using accounts in your name. • File phony tax returns in your name. • Apply for jobs, visas, driver licenses in your name.

• Once acquired, hackers sell PII through a number of avenues, including the “deep web,” or the “dark web.”

How Do They Get in to My Network? • No “Security Culture.” • Stolen or simple credentials. • Physical theft or loss. • Phishing (13% of employees…) • Unpatched vulnerabilities. • Crimeware.

So, How Can We Stop Them? • Proper emphasis on training and policies. Build a “culture of security.” • Diligent and methodical patching. • Perimeter protection. • Professional monitoring. • Proper “layers” of security.

If I Do All of Those Things… • …then you’ve mitigated your risk reasonably and responsibly. Nice job! • BUT – there are no guarantees. It only takes one person, clicking once on the wrong link or attachment, and you can be compromised.

• So, then what?

A Framework for Response: NIST (National Institute of Standards and Technology), Framework for Improving Critical Infrastructure Cybersecurity. Its five core functions: Identify, Protect, Detect, Respond, Recover.

Identify Your Risk Up Front (Identify)

• Do you know where PII/IP data is? Server disk, backup tapes, USB sticks; desktops and laptops; tablets, smartphones; cloud; paper files.

• Where are the risks to your network? • Are you making a reasonable effort to block an attack? • Do you have a good backup?

• Do vendors or business partners have access to your network or data?
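Answering “do you know where PII/IP data is?” usually starts with an inventory scan. The following is an added example, not code from the presentation: a small scanner that looks for three of the data elements the PII slide lists (SSN, date of birth, payment card number) across a set of files, confirms card candidates with the Luhn checksum so that random digit runs are not reported, and masks what it finds so the scan report is not itself a leak. The patterns, sample “files” and their contents are constructed for illustration. Name matching, which the slide’s PII definition also requires, is deliberately left out, so every hit is a candidate for review rather than a confirmed PII record.

```python
import re

# Added example: a small PII discovery scanner. Patterns, sample files and
# thresholds are assumptions for illustration, not code from the presentation.

# Data elements named on the slide. Name detection is left out, so every hit
# is a candidate for human review, not a confirmed PII record.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")
# 13-19 digits, optionally separated by spaces or dashes; confirmed by Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last few characters so the scan output is not itself a leak."""
    return "*" * (len(value) - keep) + value[-keep:]


def find_pii(text: str) -> dict:
    """Return {element_type: [masked values]} for the elements found in text."""
    found = {}
    ssns = [mask(s) for s in SSN_RE.findall(text)]
    if ssns:
        found["ssn"] = ssns
    dobs = ["xx/xx/" + d[-4:] for d in DOB_RE.findall(text)]
    if dobs:
        found["dob"] = dobs
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append(mask(digits))
    if cards:
        found["card"] = cards
    return found


def scan_files(files: dict) -> dict:
    """files maps path -> contents; returns only the paths where PII elements were found."""
    report = {}
    for path, contents in files.items():
        hits = find_pii(contents)
        if hits:
            report[path] = hits
    return report


# Constructed sample "files" standing in for a file share, mailbox export or laptop image.
SAMPLE_FILES = {
    "hr/onboarding.txt": "Jane Q. Public, DOB 04/12/1985, SSN 078-05-1120, employee #44821",
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,4111 1111 1111 1112\n",
    "it/readme.txt": "Patch cycle is the second Tuesday of each month. Helpdesk 555-0100 x 1234.",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path, hits)
```

Run against the constructed files, only the HR and finance files are reported; the second card number in the refunds file fails the Luhn check and is dropped, and the helpdesk phone number in the readme never reaches the checksum because it is too short. On a real estate, the same walk would be pointed at file shares, backup restores and exported mailboxes, and the report fed into the inventory the Identify function asks for.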

Protecting your Network and Data (Protect): Cyber Defense Layers

• Security policies, consistent training

• Spam and web content filters, two-factor authentication

• Firewall, IPS, vulnerability scanning

• Endpoint patching, anti-virus, encryption • Server patching, AV, backup, limited access

Detecting a Security Event (Detect) • PC infections can be obvious, but you can do better. • Event logs can be analyzed, but you can do better. • The NIST framework suggests continuous security monitoring and establishing a formal detection process for anomalous events. • THEN, actually follow your process!
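“Event logs can be analyzed, but you can do better” in practice means encoding the anomaly you care about as a rule that runs continuously, rather than reading logs after the fact. As an added example (not code or data from the presentation), the rule below runs over constructed, sshd-style authentication lines: a source address that fails a login five times inside a five-minute sliding window is flagged, and a later successful login from that same address is escalated, since a success after a run of guesses is the event that should page someone. The log format, addresses, user names and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example: a minimal detection rule over constructed authentication log lines.
# Log format, addresses, users and thresholds are assumptions, not data from the deck.

# Simplified sshd-style line:
# "<ISO timestamp> <Failed|Accepted> <method> for [invalid user] <user> from <ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample: one guessing source, one user who mistypes once, one stray failure.
SAMPLE_LOG = """\
2017-03-21T09:00:01 Failed password for invalid user admin from 198.51.100.7
2017-03-21T09:00:04 Failed password for invalid user root from 198.51.100.7
2017-03-21T09:00:07 Failed password for invalid user test from 198.51.100.7
2017-03-21T09:00:09 Failed password for mlee from 10.0.0.12
2017-03-21T09:00:10 Failed password for jsmith from 198.51.100.7
2017-03-21T09:00:13 Failed password for jsmith from 198.51.100.7
2017-03-21T09:00:15 Accepted password for mlee from 10.0.0.12
2017-03-21T09:00:16 Failed password for jsmith from 198.51.100.7
2017-03-21T09:00:20 Accepted password for jsmith from 198.51.100.7
2017-03-21T09:45:00 Failed password for invalid user oracle from 203.0.113.9
"""


def detect(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Flag a source that fails `threshold` logins inside `window`; escalate if it then succeeds."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged = set()               # ips that already tripped the threshold
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # skipped here; in production, count unparsed lines too
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()       # drop failures that fell out of the sliding window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "brute_force", "ip": ip,
                               "user": m["user"], "when": m["ts"]})
        elif ip in flagged:
            # A success from a source that was already guessing: likely compromise.
            alerts.append({"kind": "brute_force_success", "ip": ip,
                           "user": m["user"], "when": m["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed log this yields two alerts: the fifth failure from 198.51.100.7 at 09:00:13 trips the threshold, and the accepted login for jsmith from that address seven seconds later is escalated. The single failure from mlee followed by a success, and the lone failure from 203.0.113.9 well outside the window, produce nothing, which is the point of the window and threshold: the rule is quiet on ordinary typos so that staff actually follow it when it fires.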

Polling Questions: Stand up if:

• You have ever read your company’s information security policy. • You know who, in your organization, is responsible for leading the response to a data breach. • You’re certain that your organization has a Data Breach Response Plan.

Elements of a Data Breach Response Plan • Identifies compliance and legal requirements. • Dictates response and notification needs for different categories of breach. • Discusses a process to evaluate the incident – what actually happened, and does it constitute a breach? • Identifies the team members and their roles in the event of a breach. • Stipulates procedures for internal notification.

Elements of a Data Breach Response Plan • Determines the circumstances under which external notification is necessary. • Dictates accountability for creating external notification, and defines the notification audience. • Provides guidance on public relations and outreach. • May include sample written notification examples to help guide your organization in times of crisis.

Data Breach Response Plan (Respond). Source: NIST Framework for Improving Critical Infrastructure Cybersecurity. Respond categories covered here: Analysis, Mitigation, Communications, Improvement.

DBRP – Analysis and Mitigation • Detection process: notifications received from detection systems are investigated. • Analyze notifications so that the impact of the incident is understood. • If the incident is active, contain it. • Mitigate the negative effects as much as possible. • When the threat is fully mitigated or eradicated, document the procedure for future incidents, or document the residual risk as accepted. • Conduct appropriate forensics depending on the incident.

DBRP – Communications and Improvement • Coordinate response activities with internal/external stakeholders, and include support from law enforcement agencies. • Personnel should know their roles, per the plan, and the order of operations when a response is needed. • Events should be reported and shared consistently with established criteria as outlined in the DBRP. • Learn from prior experience: Response plans should be updated with lessons learned and updated recovery strategies.

Recovery and Insurance (Recover) • Public relations issues? • Do you have insurance to cover any extraordinary costs? • Cyber Liability Insurance offers “first party” coverage and typically pays for: • Business interruption. • The cost of notifying customers of a breach. • The expense of hiring a public relations firm to repair any damage done to your image as a result of a cyber attack.

Where do you go from here? (Identify, Protect, Detect, Respond, Recover. Source: NIST Framework for Improving Critical Infrastructure Cybersecurity.)

• Assess your risk. • Review security policies and training. • Create your Data Breach Response Plan. • Update your business continuity plan to include data breach responses. • This isn’t just an IT issue: it should include HR, Legal, Finance/Insurance, IT (or Systems Engineering), Vendors, etc.

Summary • The bad guys are going to keep trying via any vector possible. They are innovative and highly motivated. • An ounce of prevention is worth a pound of cure. Protect your data, protect your reputation. • Prepare for the worst – arm your organization with a data breach response plan. Understand your responsibilities and make reasonable preparations.

Questions?

THANK YOU!