2012 breach lessons learned - 2013 do differents


Upload: co3-systems

Post on 15-Jan-2015


Page 1: 2012 Breach Lessons Learned - 2013 Do Differents

Page 2

Agenda

• Introduction

• 2012 Breach Lessons Learned

• 2013 Do Differents

• Q&A

Page 3

Introductions: Today’s Speaker

• Ted Julian - Chief Marketing Officer

• Security / Compliance entrepreneur

• Security industry analyst

Page 4

Co3 Automates Breach Management

PREPARE – Improve Organizational Readiness

• Assign response team

• Describe environment

• Simulate events and incidents

• Focus on organizational gaps

REPORT – Document Results and Track Performance

• Document incident results

• Track historical performance

• Demonstrate organizational preparedness

• Generate audit/compliance reports

ASSESS – Quantify Potential Impact, Support Privacy Impact Assessments

• Track events

• Scope regulatory requirements

• See $ exposure

• Send notice to team

• Generate Impact Assessments

MANAGE – Easily Generate Detailed Incident Response Plans

• Escalate to complete IR plan

• Oversee the complete plan

• Assign tasks: who/what/when

• Notify regulators and clients

• Monitor progress to completion

Page 5

2012 – The Year of the Data Breach

Page 6

2012 Notable Breaches

• Payment Processor

• Online Footwear Retailer

• Hotel Chain

• State University

• State Agency

• Social Media Site

Page 7

Payment Processor

Incident Description

Hackers broke into a handful of servers and gained access to 1.5 million credit card numbers

Incident Response

• Alerted major card networks

• Immediately notified law enforcement

• Issued new cards

Results

• VISA removed company from registry of compliant service providers – asked that they revalidate their compliance process for PCI

• Company spent $94 million last year, expects to spend another $25-35 million this year

Lessons Learned

• Stronger fraud detection systems need to be implemented (their system discovered the breach 3 weeks later)

Page 8

Online Footwear Retailer

Incident Description

Hackers gained access to parts of their internal network, potentially affecting 24 million customers

Incident Response

• Took assertive steps by requesting that customers change their passwords

• Temporarily shut down their 1-800 number in an effort to redeploy customer service reps to respond to customer emails

Results

• Class-action lawsuit filed one day later

• Mixed reviews from industry analysts:

  • “Panic mode” by terminating customer password access

  • Shutting down phone access shows they were unprepared

Lessons Learned

• The importance of being prepared before a breach occurs, so the response process can be less stressful and more efficient

Page 9

Hotel Chain

Incident Description

Hackers gained access to systems 3 times in less than 3 years

Incident Response

• Failed to take action after the company found out about the 1st breach

Results

• FTC sued the company for storing data in plain text & other security failures

• Suit alleges that the company’s privacy policy misrepresented the security measures the company and its subsidiaries took to protect customer personal information

Lessons Learned

• Take action right away to respond to breaches

• Take steps to prevent future breaches

Page 10

State University

Incident Description

Bank accounts and SSNs of 350,000 students, faculty and staff were exposed – some over a 15 year period

Incident Response

• Issued a press release detailing which info was compromised

• Involved state & regulatory law enforcement agencies to assist in investigation

• Offered free credit monitoring services for 1 year

Results

• Just one of many college/university hacks in 2012 - rich target last year

• Had another breach of 3,500 in May 2012, took 7 months to notify

Lessons Learned

• The importance of running routine tests/audits of security systems to check configurations

Page 11

State Agency

Incident Description

Phishing attack - an employee opened an email with an attachment which allowed hackers to access tax info of over 4 million individuals and 700,000 businesses.

Incident Response

• State Gov. offered free credit monitoring service for 1 year

• Contemplating lifetime credit monitoring

Results

• Data protection was found to be at fault; senior management lax since no system monitoring was in place

• CIO of the agency resigned 2 weeks before the breach was made public

Lessons Learned

• The importance of data protection

• Senior management oversight is crucial to success

Page 12

Social Media Site

Incident Description

Massive breach – 6.5 million user accounts compromised. Hackers stole and leaked usernames & password hashes to a Russian website

Incident Response

• Confirmed on the site’s blog that some accounts were compromised

• Advised all members to change passwords

Results

• Announced an investigation to determine the cause

• Sent an email to members with instructions on how to change passwords

Lessons Learned

• The importance of additional security layers, such as salting passwords
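The salting lesson above, as an added illustration that is not from the Co3 deck: two accounts that chose the same password get identical unsalted SHA-1 hashes, so one match against a precomputed table reveals both, whereas a random per-user salt fed into PBKDF2 yields distinct stored values and forces separate work per account. The PBKDF2 work factor and the sample accounts are assumptions.

```python
# Added example (not from the Co3 deck): why per-user salts matter.
# A leaked table of unsalted hashes is crackable in bulk; a random salt
# per account with a slow KDF removes that shortcut.
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumed work factor for this illustration


def unsalted_hash(password: str) -> str:
    """Legacy scheme the lesson warns against: bare SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened scheme: random 16-byte salt + PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, stored)


# Constructed sample: two accounts that happen to share a weak password.
USERS = {"alice": "Password1", "bob": "Password1"}


def unsalted_collisions() -> bool:
    """True when identical passwords produce identical stored hashes (the weakness)."""
    hashes = [unsalted_hash(pw) for pw in USERS.values()]
    return len(set(hashes)) < len(hashes)


def salted_collisions() -> bool:
    """True when identical passwords still produce identical stored hashes (should be False)."""
    digests = [salted_hash(pw)[1] for pw in USERS.values()]
    return len(set(digests)) < len(digests)


if __name__ == "__main__":
    print("unsalted hashes collide:", unsalted_collisions())
    print("salted hashes collide:  ", salted_collisions())
    salt, stored = salted_hash("Password1")
    print("verify correct password:", verify_salted("Password1", salt, stored))
```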

Page 13

POLL

Which is most needed at your organization?

Page 14

2012 Lessons Learned

• Breach Preparedness – Don’t wait until you’ve been breached!

• Encryption / obfuscation wherever possible

• Routine security testing of systems with PI

• Maintain compliance with industry regulations

• Audits / firedrills

Page 15

POLL

What do you plan to do better this year?

Page 16

2013 Do Differents

BEFOREHAND:

• Audit encryption policy

• Refresh and train incident response team

• Run firedrills!

• Verify monitoring of PI

• Conduct routine security audits

POST-BREACH:

• Run a tight incident response process

• Get call center up quickly, highly trained

• Establish credit monitoring

• Conduct a thorough post-mortem

Page 17

QUESTIONS

Page 18

One Alewife Center, Suite 450

Cambridge, MA 02140

PHONE 617.206.3900

WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”

PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.”

GARTNER

“Platform is comprehensive, user friendly, and very well designed.”

PONEMON INSTITUTE