© 2015 Quick Intelligence

FCBA Presentation - Cybersecurity

September 11, 2015

David A. Konuch, General Counsel and Chief Privacy Officer Quick Intelligence U.S.A.


"Whatever level you're worried about cybersecurity, you should be more worried."

LinkedIn co-founder Reid Hoffman, August 24, 2015 (speaking to government officials at Stanford University).

 

2

© 2015 Quick Intelligence

Privacy versus Cybersecurity: A Continuum

“Absent effective cybersecurity, there is no privacy.”

David A. Konuch


A spectrum of risk, compliance, and security with two endpoints: 

1) Target had all the right security software, with all the bells and whistles. But because there was no coordination between executives and IT, an intruder broke in, and goodwill and customers were lost. Ultimately, the CEO lost his position.

2) At the opposite end of the spectrum, Ashley Madison had no protocol in place and was running with no protection at all. After its files were compromised, several customers reportedly committed suicide. Now the entire enterprise is at risk from lawsuits and bad publicity.

Effective cybersecurity and privacy programs must address both ends of the spectrum.


The Seven Things You Need To Do Right Now to Increase Your Chances of Staying Out of the Data Breach Headlines

Task 1: Identify Your Exposure to Common Vulnerabilities and Educate Your Entire Team – from Executives, to Legal, to HR, to IT, about them.

Nearly all breaches result from a few dozen vulnerabilities that are well known to security professionals. Learn them, take steps to protect against them, and educate your team about what they are and how they can affect you.

FFIEC estimates 90 percent of breaches result from vulnerabilities that have existing patches.


Task 2: Understand that Compliance with applicable rules and regulations does not mean your organization is secure.

Target actually passed its compliance check prior to its breach. Auditors are human beings and sometimes succumb to pressure to sign off on a company's compliance, which can be quite different from real-world security against threats. Also, that a company passed its annual check today does not mean someone won't break into its network tomorrow.


Task 3: Educate Legal, Executives, HR, BOD, Everyone about cybersecurity basics and their roles in protecting the enterprise.

Legal, HR, the Board, and C-suite executives must understand cybersecurity basics, how the IT department is attempting to achieve security, and how it responds to alerts.

(Positive trend: NIST and FFIEC recognize the importance and encourage involvement in cyber defense oversight by senior executives and Boards of Directors).


Often, if an employee makes a blunder, or even an honest mistake, that imperils the company, that employee is fired. But a large cybersecurity failure can result in C-suite personnel resigning, as happened in Target's case.

Have a mechanism in place that allows executives to monitor cybersecurity initiatives and understand the company's actual security posture, in real time.

With a working understanding of the risks, including a basic understanding of how network vulnerabilities are detected and remediated, C-suite leaders will have the decision-making information they need to protect their jobs and, more importantly, their company, shareholders, and customers.


Task 4: Understand and manage your subcontractors’ and vendors’ security.

While you need to secure your own network, it is equally important to monitor the security practices of your subcontractors and vendors: a network is only as secure as its weakest link. Financial institutions, which are often ahead of other businesses where security is concerned, spend significant time on "vendor management," ensuring that those they do business with employ high standards of network protection. The attackers who breached Target entered the network through the access granted to Target's HVAC vendor. Know that this occurs and take steps accordingly, so that vendors and subcontractors do not become the weak link in your network security.


Task 5 (could be Task 1): Understand social engineering efforts the same way your adversaries do!

Social engineering can take down your entire network, regardless of the other hard security measures you undertake. Many attacks start with information gathered on social media sites for “spear phishing.”

Understand how cyber criminals and corporate espionage threats use social engineering. At events like DefCon and Black Hat, hackers literally make a game out of successful social engineering.

Social engineering, essentially, deceiving employees into giving up passwords, access, or other information about the network, is one of the most effective tools in an attacker's arsenal. Understand the basic social engineering techniques and take steps to combat them.


Task 6: Have a breach response plan in place and practice implementation using “table top” exercises.

Target's network security vendor actually sent its IT department automated alerts that a breach had occurred, but the department thought they were false positives and ignored them. Eventually, they turned the alerts off, with disastrous results. With a breach response plan and a vulnerability management platform, the IT department can tell the difference between a real threat and a false positive and alert executives to the threats that are real. Ensure you have a breach plan, but also a communications plan and a way to triage threats, so that you respond to the real ones and stay vigilant.


Task 7: Expect the best, but plan for the worst. Most professionals in the data security industry do not speak in terms of "if" an incident occurs, but rather "when" one occurs, because at the end of the day no organization is truly immune from data incidents. So take steps to ensure that, if someone does get through, you have a plan in place. This includes the following:

With a response plan in place (Task 6), you can mitigate the damage if a breach occurs despite your best efforts. With privacy breach insurance, you can further mitigate risk (for financial loss, but not reputational risk).

Your final preemptive defense mechanism is to control and store information so that it becomes useless to anyone who breaks in, for example by encrypting it and keeping the keys separate from the data. Storing information in this way represents the ultimate insurance against a data breach.

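The last point is a design principle rather than a product, so here is a minimal illustration of it. This is an added example, not code from the presentation or from Quick Intelligence: a Go program that encrypts a payment card number with AES-256-GCM before it is written to a customer table, with the key held outside the table, which is also the control the FTC faulted Wyndham for lacking ("failed to encrypt payment card data"). The record layout, the `acct-1001` account ID and the `4111111111111111` test number are assumptions made up for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one row as it would sit in a customer table (field names are
// assumptions for this example). AccountID stays in the clear so the row can
// be looked up; the card number is stored only as nonce || ciphertext || tag
// produced by AES-256-GCM.
type Record struct {
	AccountID string
	CardPAN   []byte
}

// Sealer wraps the data-encryption key. The design only works if this key is
// held where a database dump cannot reach it (an HSM or KMS in production;
// here a value generated in memory), so stolen rows require a second,
// separate compromise before they are worth anything.
type Sealer struct{ aead cipher.AEAD }

// NewSealer takes a 32-byte key for AES-256; aes.NewCipher rejects any size
// other than 16, 24 or 32 bytes.
func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead}, nil
}

// Seal encrypts plaintext under a fresh random nonce and binds the result to
// accountID as associated data, so a ciphertext copied into another
// customer's row will not decrypt there.
func (s *Sealer) Seal(accountID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// GCM Seal appends ciphertext and tag to dst, which here is the nonce.
	return s.aead.Seal(nonce, nonce, plaintext, []byte(accountID)), nil
}

// Open reverses Seal. Any change to the blob, the key or the account ID makes
// the GCM tag check fail, so the caller gets an error rather than garbage.
func (s *Sealer) Open(accountID string, blob []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(blob) < n+s.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return s.aead.Open(nil, blob[:n], blob[n:], []byte(accountID))
}

// StoreRecord is the write path: the value is encrypted before it reaches
// the table, not by a job that runs afterwards.
func StoreRecord(s *Sealer, accountID, pan string) (Record, error) {
	blob, err := s.Seal(accountID, []byte(pan))
	if err != nil {
		return Record{}, err
	}
	return Record{AccountID: accountID, CardPAN: blob}, nil
}

// LeaksPAN is the intruder's view: does a raw copy of the row contain the
// card number?
func LeaksPAN(r Record, pan string) bool {
	return bytes.Contains(r.CardPAN, []byte(pan))
}

func main() {
	key := make([]byte, 32) // in production this comes from the KMS, never from the database host
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s, err := NewSealer(key)
	if err != nil {
		panic(err)
	}
	const pan = "4111111111111111" // constructed test number, not a real card
	rec, err := StoreRecord(s, "acct-1001", pan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on disk:   %x\nleaks PAN: %v\n", rec.CardPAN, LeaksPAN(rec, pan))
	if pt, err := s.Open(rec.AccountID, rec.CardPAN); err == nil {
		fmt.Println("with key: ", string(pt))
	}
}
```

Two properties carry the "useless to an intruder" goal: a dump of the table yields only nonce, ciphertext and tag, and because the account ID is bound in as associated data, an intruder who can also write to the table cannot move one customer's ciphertext into another's row without decryption failing. The scheme does nothing against an attacker who can call Open with the live key, so the key store and the code path that uses it are what the breach plan must assume is the next target.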

Federal Trade Commission Jurisdiction over Privacy and Cyber: Wyndham Decision

A major court decision this summer upheld the FTC's authority to set standards for cybersecurity implementation: Wyndham.

The FTC had brought over 50 enforcement actions alleging ineffective cybersecurity; Wyndham challenged whether the FTC possessed jurisdiction over cybersecurity at all.

The FTC alleged that Wyndham's privacy policy was "deceptive" and that its security practices were "unfair." FTC v. Wyndham Worldwide Corp. (3d Cir. August 24, 2015).


Wyndham: U.S. Appeals Court Validates FTC’s Ability to Regulate Cybersecurity Practices

Multiple hacks of the Wyndham Worldwide Corporation hotel chain allegedly resulted in the compromise of more than 600,000 payment card numbers and in excess of $10.6 million in fraudulent charges.

The FTC asserted that Wyndham's security practices represented an actionable unfair business practice because Wyndham:

Failed to encrypt payment card data;

Permitted the use of "easily guessed" passwords and did not change default passwords;

Failed to use firewalls, allowed third-party vendors access to Wyndham's network, and did not implement available patches for three years.


Wyndham: U.S. Appeals Court Validates FTC’s Ability to Regulate Cybersecurity Practices

The U.S. Third Circuit's decision in Wyndham validates the FTC as a standard setter for cybersecurity generally.

It will create even greater incentives for strong cybersecurity measures by private companies.

Had the case gone the other way, companies would still have had strong incentives to implement strong cybersecurity.

The Wyndham decision puts General Counsels on notice that poor cybersecurity may result in a federal enforcement action, in addition to any harm the business suffers as a result of the breach itself.


Interesting Observation…

The millennial generation wants everything electronic, but some older generations still insist on paper.

Despite electronic safeguards, "elder abuse" occurs via identity theft from paper records.


Exploring Some Recent Breaches


Some Interesting Facts

The Global Risks 2015 Report, published by the World Economic Forum (WEF), states that "90% of companies world-wide recognize they are insufficiently prepared to protect themselves from cyber-attacks."

Cybercrime costs the global economy over $400 billion annually.

In 2013, over 3,000 US companies had their systems compromised in some fashion.

Vulnerabilities in systems are on the rise.

The proliferation of the IoT (Internet of Things) is exacerbating the problem: more and more IP-enabled devices with little or no security (thermostats, cameras, appliances, toys, etc.) are on corporate networks.


What’s Contributing to the hacks?

Lack of employee training and awareness: clicking on links, talking to unauthorized people (social engineering).

Lack of visibility. Many of these attacks persist for weeks or months, in some cases longer, with no ability to see them.

No real-time monitoring. Even if there is some kind of logging in place, nothing is looking for unusual behaviour.

Lack of accountability. How many utilities are being penalized for failing to adhere to standards such as NERC CIP?

Lack of understanding of the seriousness of the exposure at the senior management and Board level.


What’s Happening in the Industry

Regular reports of utilities being breached (ICS-CERT Monitor).

Numerous incidents of systems being compromised and changes being made.

In some instances it is determined that the systems had been compromised for extended periods of time.

Lack of proper monitoring in most cases.

Lack of proper controls, including a "defense in depth" approach, leading to breaches deeper inside ICS networks and, in many cases, breaches of corporate networks.

“If you’re connected, you’re likely infected!” ICS-CERT Monitor, 2015


U.S. Dept. of Energy Hacked 159 times in 4 years

Between 2010 and 2014 there were 1,131 attempted breaches of DOE networks and components; 159 were successful.

On average, a successful breach every 4 days during this period.

The National Nuclear Security Administration suffered 19 successful attacks.

A 2013 breach exposed the PII of 104,000 Energy Department employees and contractors.

A quick audit of the Energy Department found 41 servers and at least 14 workstations with default or easy-to-guess passwords.

53 of the 159 compromises were "root" compromises, meaning the attackers had full, unrestricted access to the affected systems.

90 of the 159 successful breaches were through the DOE's Office of Science.


Recaps of Vulnerabilities, 2013

181 vulnerability reports were made to ICS-CERT; 177 were determined to be real vulnerabilities that required remediation.

87% were exploitable remotely; 13% required local access to exploit.

Primary recommendation: minimize Internet exposure and configure ICS systems behind firewalls.


Sample 2014-2015 Incidents

A water utility switch misconfiguration resulted in massive network traffic that looked like a DDoS; the utility lost the ability to monitor and manage its water systems for a period of time.

A water treatment facility reported that an employee accessed a control systems server without authorization on four separate occasions, on one occasion causing the wastewater treatment process to overflow. There was insufficient evidence to prove the employee had performed the action, due to a lack of proper logging and monitoring.

A utility reported that the bridge between its corporate network and its process network had been compromised; evidence of an APT (Advanced Persistent Threat) was discovered. Insufficient asset management made the investigation difficult, and the only separation between the networks was a set of hard-coded IP addresses, which is easy to bypass.


Recap of Vulnerabilities, October 2014 to April 2015

108 cyber incidents in the United States.

Water accounted for 19% of reported incidents; energy and electricity for 12%.

More incidents were reported by parties outside the asset owners than by the owners themselves.

Spear phishing accounted for 21% of all incidents.


Quick Hits, January 2014

January 2014: A public utility was compromised using brute-force techniques to gain access to public-facing control system assets. Forensic analysis revealed numerous previous intrusions into the systems over a period of time.

January 2014: Remote access to a control systems server through a SCADA protocol via a cellular connection. The device was directly accessible from the Internet, with no firewalls or other security controls in place.

January 2014: HVAC systems for an arena at the Sochi Olympics were discovered on the Internet, with no authentication required to access and manage them. Fixed just prior to the Olympics opening ceremonies.
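The first January 2014 item above (a brute-force login against public-facing control system assets, which forensic review showed had succeeded repeatedly before anyone noticed) and the Task 6 point about telling a real alert from a false positive come down to one piece of detection logic. As an added example, not from the presentation, here is that logic in Go run over a constructed gateway authentication log. The RFC 5737 test addresses, the `src=... user=... result=...` line format and the threshold of five failures in five minutes are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed authentication record from the gateway in front of a control system.
type Event struct {
	At     time.Time
	Src    string
	User   string
	Result string // "FAIL" or "OK"
}

// Alert is raised per source address: "suspect" for a failure burst alone, "critical"
// once a login from that source succeeds while the burst is still inside the window.
type Alert struct {
	Src      string
	User     string
	Failures int
	Severity string
}

// SampleLog is constructed for this example (RFC 5737 test addresses, assumed format).
const SampleLog = `2014-01-14T02:13:05Z auth src=203.0.113.7 user=admin result=FAIL
2014-01-14T02:13:09Z auth src=203.0.113.7 user=admin result=FAIL
2014-01-14T02:13:12Z auth src=198.51.100.22 user=operator result=FAIL
2014-01-14T02:13:14Z auth src=203.0.113.7 user=admin result=FAIL
2014-01-14T02:13:19Z auth src=203.0.113.7 user=admin result=FAIL
2014-01-14T02:13:23Z auth src=203.0.113.7 user=admin result=FAIL
2014-01-14T02:13:40Z auth src=198.51.100.22 user=operator result=OK
2014-01-14T02:14:02Z auth src=203.0.113.7 user=admin result=OK
2014-01-14T05:40:00Z auth src=192.0.2.9 user=root result=FAIL
2014-01-14T06:55:00Z auth src=192.0.2.9 user=root result=FAIL`

// ParseLog reads "<RFC3339 time> auth key=value ..." lines, assumed to be in time order,
// and rejects malformed input instead of silently dropping it.
func ParseLog(text string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) < 3 {
			return nil, fmt.Errorf("short line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		kv := map[string]string{}
		for _, field := range f[2:] {
			if k, v, ok := strings.Cut(field, "="); ok {
				kv[k] = v
			}
		}
		ev := Event{At: at, Src: kv["src"], User: kv["user"], Result: kv["result"]}
		if ev.Src == "" || (ev.Result != "FAIL" && ev.Result != "OK") {
			return nil, fmt.Errorf("missing src or result: %q", line)
		}
		events = append(events, ev)
	}
	return events, nil
}

// DetectBruteForce flags any source with at least threshold failures inside a sliding
// window and escalates if that source then logs in successfully. Keyed by source address.
func DetectBruteForce(events []Event, threshold int, window time.Duration) map[string]Alert {
	fails := map[string][]time.Time{}
	found := map[string]Alert{}
	for _, ev := range events {
		recent := fails[ev.Src][:0] // keep only failures still inside the window
		for _, t := range fails[ev.Src] {
			if ev.At.Sub(t) <= window {
				recent = append(recent, t)
			}
		}
		if ev.Result == "FAIL" {
			recent = append(recent, ev.At)
		}
		fails[ev.Src] = recent
		if len(recent) < threshold {
			continue
		}
		a, seen := found[ev.Src]
		if !seen {
			a = Alert{Src: ev.Src, User: ev.User, Severity: "suspect"}
		}
		if len(recent) > a.Failures {
			a.Failures = len(recent)
		}
		if ev.Result == "OK" { // success on the heels of a burst: the attacker is in
			a.Severity = "critical"
		}
		found[ev.Src] = a
	}
	return found
}
```

The false-positive case is built into the sample: the operator who mistypes a password once and then logs in is never flagged, and two root failures an hour apart fall out of the window. A burst of five failures alone is "suspect"; a burst followed by a success from the same source is "critical" and is the one that should page a human, because that is exactly the pattern a successful brute-force leaves in the log.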


Ashley Madison

Year: 2015

Affected: 33 million user accounts, including email addresses, first and last names, and phone numbers.

Cost: The breach could cost the company an estimated $850 million, according to The New York Times.

What happened: In possibly the most publicized attack of the year, more than 30 million accounts on the affair site Ashley Madison, owned by Avid Life Media, were stolen and released to the public. The site claims that full credit card numbers were not taken.


Total Bank, South Florida

Year: 2014

Affected: 72,000 customer records

Cost: TBD

What happened: An unauthorized third party gained access to the bank's network and accessed customer names, contact information, bank PINs, account numbers, driver's license numbers, and Social Security numbers.


What can we do to make it better?

Education. Educate senior management, educate employees, educate customers.

Put proper monitoring in place. "You can't manage what you can't measure" (Peter Drucker). If you can't see it, you can't respond to it.

Start enforcing legislation and regulations; hold people accountable and make sure they take responsibility for their clients' information, their employees' information, and their company's sensitive information.

Move away from "snapshot" assessments and introduce ongoing checks and balances. We did this in the financial and credit card world years ago; why aren't we doing it for our systems and users?