Cyber Liability: A Case Study
Ferris State University Cyber Incident & Claim

Presentation to MHEC
March 12, 2015

Christina Weber, FSU
Justin Pennock, EIQ Networks
Katherine Keefe, Beazley

About Ferris State University

• Ferris State University:
  – 14,000+ students
  – Big Rapids, MI
  – Over 180 career-oriented programs
• Associates to doctoral degrees
• Colleges of Pharmacy and Optometry

Topics

• Incident
• Response
• Things That Went Well
• Insurance/Financial Impact
• Recommendations for Members

The Incident

• Tuesday, 07/23/13, IT department discovered that an unauthorized person evaded our network security & gained access to our Web server

• Discovered that hidden files (hereafter dubbed “The Tool”) had been placed on the server at least 11 times since 07/13

• Packet logs verified that database server names, service account names & passwords were transferred to an unknown IP address

• 47 ColdFusion data source connections through these service accounts

• Also found 65 Access databases on the Web server

Initial Actions Taken

• IT took Web server off-line & began rebuild (not restore)

• IT commenced active monitoring of logs & compromised service accounts

• IT notified Beazley

• Beazley commenced Breach Response services under the direction of Katherine Keefe

Beazley’s Approach to Breach Response

• Proactive breach investigation & response services are covered by the policy

• Early notification maximizes coverage benefits

• BBR Services: In-sourced breach response team assists in project management

• Beazley negotiates discounted rates with expert services providers

• BBR Services coordinated legal services (Baker Hostetler), on-site forensics services (Navigant) and other services for FSU

• FSU contracted directly with all vendors

In the Meantime…

• Assembled Cyber Response Team
  – VP Admin & Finance (chair)
  – CTO & Director of Applications
  – General Counsel
  – Risk Management
  – Public Information
  – Enrollment Services

• Began meeting at least once a day with Beazley Team

Discovery Stage

• IT staff began internal forensic investigation

• Navigant rep arrived on site Monday, 07/29

• The Good News: “The Tool” was unsuccessful accessing the Oracle Servers

• The Bad News: Web server Access databases contained sensitive information regarding prospective, as well as current, students

What We Discovered

• 39,000+ Name & SS# combos were exposed
• 19,000+ Name & CWID combos were exposed
• No PCI was compromised
• No HIPAA data was compromised
• No evidence that any of the data had actually been taken

Behind the Scenes

• Major push on part of our administration to get the word out (transparency)

• Daily meetings to prepare the message

• Major precautions on the part of Baker Hostetler to not release information too early

AND THEN….

• We discovered that “The Tool” could access the “Share” folders on 45 Active Directory servers

• ALL KINDS of information on those servers

• Discovery process intensified

Phase 1 Info Release

• Issued press release & Web announcements on 08/15/13

• Contracted with Epiq Systems for notification services
  – Issued 39,690 letters to SS# “impactees” (required)
  – Issued 19,377 letters to CWID “impactees” (not required)
  – Created FAQs for all versions
  – Set up two separate Call Centers

Discovery Process Ramped Up

• Over the course of the next few weeks:
  – At least 4 – 5 IT staff devoted almost full-time
  – Navigant was on-site the majority of that time
  – Navigant brought in 2 additional specialists

• Used “The Tool” to see what AD Share drives were accessible

• Utilized Identity Finder to look for sensitive data (SS#, DL#, DOB, PCI, HIPAA, & CWID)

• Reviewed over 600,000 files on the Share drives

Behind the Scenes

• Still meeting….
  – VP & CTO daily
  – Breach Response Team at least 3 times a week

• Contracted with Levick to assist with the communications for Phase II
  – Came on campus and provided media coaching
  – Reviewed all Phase II release information

Phase II Info Release

• Issued press release & Web announcements on 09/24/13

• Epiq Systems issued another 62,630 letters
  – SS#, CWID, and HIPAA
  – Employees, current & prospective students, & patients at the Eye Center

• Created FAQs for all versions

• Set up three additional Call Centers

Things That Went Well

• Massive collaborative coordination effort

• Very little negative press

• Forced us to take a closer look at our systems
  – Hired an outside consultant to review

• Offered protection for the “impactees”

Protection for “Impactees”

• Contracted with Experian for Credit Monitoring
  – ProtectMyID© Alert
  – Family Secure for minors

• Offered CWID “impactees” the opportunity to change their CWID

Insurance/Financial Impact

BEAZLEY CYBER COVERAGE 2013 - 2014

Columns: Line of Coverage / Limit / Deductible

• Privacy Breach Response: limit $250,000, deductible $10,000
  – Forensics Services
  – Legal Services
  – Notification Mailings & Call Center: 2,000,000 Individuals
  – Credit Monitoring

• Crisis Management & Public Relations: limit $50,000, deductible $5,000
  – Notification Mailings & Call Center for CWID
  – Strategic Communications

• Information Security & Privacy Liability: limit $3,000,000, deductible $100,000

• Regulatory Defense & Penalties: limit $1,000,000

Recommendations for Members

• Expect to eat, sleep, & breathe Breach

• Let the experts do their jobs

• Know your coverage & how the process works

• Establish relationships with each facet of response (Beazley Breach Response, Beazley coverage, attorneys, and notification, crisis communication, & credit monitoring vendors)

• Keep records of everything

How Do We Prevent This from Happening Again?

• Ferris engaged the services of an outside consultant to do a security risk assessment

• As a result, we made immediate changes to reduce vulnerabilities

• Proactive approach
  – Developed a 3-year plan of initiatives to improve our security profile

Beazley Breach Perspectives

• Higher education breaches are unique
• Importance of Incident Response Planning
• Have team in place
• Regulatory issues
• State laws matter
• Enforcement actions
• Hot buttons

Implementing a Security Program

• Justin Pennock, EIQ Networks

• Two components: Reactive & proactive security procedures

Copyright © 2015 EiQ Networks, Inc. All rights reserved.

Justin Pennock
March 12, 2015

MHEC Annual Loss Control Workshop
Cyber Liability

Security, Risk & Compliance Issues Today

• Security, risk and compliance are integrally linked
  – 439 million records stolen in the past 6 months
  – 110 million Americans (50% of U.S. adults) had personal data exposed in the past year
    • 35% website breaches, 22% from cyberespionage, 14% at POS
  – 80% of breaches go undetected

• Time and resource scarcity
  – Experienced and certified professionals are hard to find

• Process lacking
  – Post-incident versus during-incident versus pre-incident

• Actionable information for remediation
  – How did they get in?
  – How is it moving?

[Diagram labels: Compliance, Risk, Safety]

Costs of Security

• Responding to incidents after they occur

• Long timeframe to investigate & resolve

• Costly

What Is An Effective Security Program?

• A set of processes and best practices developed and implemented
  – Based on industry standards

• Trained, experienced Information Security professionals
  – Must be operational 24x7

• Immediate and comprehensive visibility into the “Threat”
  – Remove silos and connect the dots

“Implementing Just First 5 Controls Reduced Malware Infections By 75%”
Jonathan Trull, CISO Colorado

DHS CDM adopts SANS Controls

1. Inventory of Authorized and Unauthorized Devices

2. Inventory of Authorized and Unauthorized Software

3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

4. Continuous Vulnerability Assessment and Remediation

“The CDM approach moves away from historical compliance reporting and toward combating threats to the nation’s networks on a real time basis.”

Resources

• MHEC Webinar

• Designing & Building a Cyber Security Program
  – Guest Presenter: Larry Wilson, Information Security Lead at UMASS President’s Office
  – Link - https://www.youtube.com/watch?v=lnbIr2i2kmM

• SANS Controls Link
  – CISO of the State of Colorado & Larry Wilson presentations:
    • http://www.sans.org/security-trends/2013/06/13/the-critical-security-controls-at-the-gartner-security-conference

• Contact Information:
  – Justin Pennock
    email: [email protected]
    (978) 266-3165
    Web: www.eiqnetworks.com
    Twitter: @eiqnetworks