This Webcast Will Begin Shortly - Association of …webcasts.acc.com/handouts/Youve_been_Hacked_Now_What.pdf · This Webcast Will Begin Shortly ... • Information security incidents

Aug 31, 2018

Page 1

This Webcast Will Begin Shortly

If you have any technical problems with the Webcast or the streaming audio, please contact us via email at: [email protected]

Thank You!

Page 2

You’ve Been Hacked, Now What?

February 26, 2014

Presented By: Daniel E. Frank, Sutherland Asbill & Brennan LLP
Jennifer J.K. Herbert, Sutherland Asbill & Brennan LLP

Moderated By: Joseph Limone, Noble Americas

www.acc.com

Page 3

Topics Addressed Today
• Nature of the threat
  – Real world examples
• Things to do now before a cyber attack
  – Top 10 list
• Things to do post-cyber attack
• The attorney’s role

Page 4

Nature of the Threat

Page 5

Sources of Attack
• Targeting critical infrastructure:
  – Cyberterrorists
  – Cyberwarriors
  – Cyberhacktivists
• Targeting data and information:
  – Cyberspies
  – Cyberthieves
• Not mutually exclusive

Page 6

Obligation to be Secure
• Many industries and types of data have statutory or regulatory security requirements
  – Healthcare
  – Financial Services
  – Energy
  – Non-public personal information
• Critical Infrastructure
  – The federal government has expressed concern that businesses comprising the “critical infrastructure” of the United States are not doing enough on security
  – Several attempts to legislate (all have failed)
  – Executive Order 13636; Cybersecurity Framework

Page 7

The Threat to the Energy Sector is Real
• DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
  – Responded to 198 cyber incidents in FY 2012
    • Of these, 41% were in the energy sector
  – In first half of FY 2013, highest percentage of reported incidents occurred in the energy sector (53%)
  – Identified in 2012 an active series of cyber intrusions targeting natural gas pipeline companies dating back to Dec. 2011
• McAfee Report
  – Reported incidents of cyber attacks originating in China to collect competitive information about oil and gas fields
    • Dating back to 2009

Page 8

The Threat to the Energy Sector is Real (cont’d)
• Markey/Waxman Report (May 2013)
  – The electric grid is the target of numerous and daily cyber attacks ranging from phishing to malware infection to unfriendly probes
  – One utility reported approximately 10,000 attempted cyber attacks each month
• The Bottom Line
  – Since 2010, DOE has invested more than $100 million in cybersecurity R&D
  – But utilities are predicted to spend $7.25 billion in security from 2013 until 2020

Page 9

The Attack Profile
• Many attacks now are specifically targeted
  – Spear Phishing
  – Whaling
• Advanced Persistent Threats (APT)
  – Hackers lying in wait
  – Selling time on your computers
• We have met the enemy and he is us
  – Employees and contractors already have access
  – They do not need malicious intent to be a problem

Page 10

Real World Examples
• Project Aurora
  – 2007 mock cyber attack
• Stuxnet – Stars – Duqu
  – Three attacks on Iran’s nuclear arms program
  – Highly sophisticated, possibly linked
  – Future threat to U.S. power grid?
• Night Dragon
  – Multiple data theft attacks on oil & gas companies
• Chinese hackers
  – Telvent
  – Reason: economic espionage
• Shamoon
  – Saudi Aramco attack
  – Reason: malicious intent

Page 11

Things to Do Now Before a Cyber Attack

Page 12

The Top 10
1. Get upper management on board
2. Designate a Chief Security Officer
3. Conduct self-assessments
4. Evaluate compliance status
5. Make a plan for improving cybersecurity
6. Train personnel
7. Develop an incident response plan
8. Test your incident response plan
9. Identify “lessons learned”
10. Get involved and stay involved

Page 13

1. Get Upper Management On Board
• Critical to a successful cybersecurity program
• Robust discussion is necessary
  – Educate members of the “C-Suite”
  – Stress need for internal, proactive efforts beyond what is required by law
• Sets the tone for your organization
  – Establishes cybersecurity as a visible priority
  – Encourages others to get on board
• First step in developing a Culture of Security

Page 14

2. Designate A Chief Security Officer
• Create a CSO (or CISO) position
  – Stand-alone or integrated within an existing position
  – Specify duties, responsibilities and objectives
• Pick the right person for the job
  – Requires a strong and capable leader
  – One who understands technical and operational considerations

Page 15

3. Conduct Self-Assessments
• Periodically assess what you know and what you don’t know
  – Understand current state of company’s cybersecurity
  – Identify and make plans to mitigate weaknesses
  – Establish a baseline for measuring improvement
• Stay realistic about capabilities and vulnerabilities
  – No one is perfect; a breach is likely, if not imminent
• Objectives
  – Improve understanding of how components interact
  – Identify what’s working and areas for improvement
• May use NIST Cybersecurity Framework as a guide

Page 16

4. Evaluate Compliance Status
• Regulatory and industry requirements and standards
  – For example:
    • North American Electric Reliability Corporation’s (NERC’s) Critical Infrastructure Protection (CIP) Reliability Standards
    • Nuclear Regulatory Commission (NRC) requirements
• The perfect time to check compliance with baseline obligations

Page 17

5. Make A Plan For Improving Cybersecurity
• Self-assessment should result in a plan
  – Identify gaps in security
  – Possible solutions to address those gaps
  – Chief Security Officer should lead with help from others
• Be wary of an “A+” self-assessment
  – Rarely will a program be perfect
  – May represent an ineffective self-assessment
• Developing a corrective plan
  – Start with low-hanging fruit
    • E.g., oversight; too many exceptions to security policies
  – Need short-term, quick-fix plans + longer-term plans

Page 18

6. Train Personnel
• Train all personnel
  – Cybersecurity is not only an IT concern
  – Anyone who touches potential access points for attacks (hardware and software) – this likely means everyone
  – But adopt a tiered system to train commensurate with involvement in cyber protection
• Educate
  – How to identify and respond to threats and attacks
  – Steps each individual can take to mitigate risk
• Enforce
  – Discipline violations of training requirements and procedures
  – Avoid a “bookshelf” compliance program

Page 19

7. Develop An Incident Response Plan
• Information security incidents are not just IT’s problem
• Establish a virtual incident response team like existing teams that respond to physical events
  – E.g., flood, fire, oil spill
• A plan that fits your needs
  – Monitor, detect and escalate to decision-makers as needed
  – Assemble pre-designated response teams
  – Act to mitigate and stop the incident
  – Activate alternatives to maintain operations during
  – Communicate with personnel, authorities and the public
  – Recover normal operations
  – Evaluate an incident for lessons learned

Page 20

7. Develop An Incident Response Plan (cont’d)
• Membership may include:

Page 21

8. Test Your Incident Response Plan
• Periodic testing is the best way to ensure preparedness when a real incident occurs
  – “Table-top” exercises on a regular basis
  – Simulate a variety of cybersecurity incidents to involve all incident response team members
  – Conduct some unscheduled exercises to avoid complacency
• Helps engage and mitigate against the human reaction (i.e., panic) in the event of a real incident

Page 22

9. Identify “Lessons Learned”
• Every test should result in lessons learned and an action plan to modify the response plan to address those lessons
  – Chief Security Officer should lead and follow up to ensure actions are taken
• Incorporate changes into the plan and test at the next opportunity

Page 23

10. Get Involved And Stay Involved
• Current regulatory environment is muddled
  – Minimal mandatory regulatory requirements exist; vary across industry sectors
  – Congressional action in short-term appears unlikely
  – President’s Cybersecurity Executive Order and the NIST Cybersecurity Framework
• Seek industry-led efforts to educate and share information
  – Working groups and other activities
  – Provides access to lessons learned and best practices
• Ever-changing nature of the threat requires vigilance and collaboration

Page 24

Things to Do After a Cyber Attack

Page 25

First: Preserve the Data
• Disconnect infected machines (but leave powered on)
• Call forensic experts to image infected machines
  – Your IT personnel are not trained investigators
• Save log files (firewall, web, intrusion detection)
• Pull needed backups out of rotation
• Save keycard data and surveillance tapes
• Start real-time packet capture
• Force password changes
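The "save log files" step above holds up later (in a forensic review, a regulator's inquiry or litigation) only if each saved copy can be shown to be the one taken at collection time. The following is an added example, not part of the webcast slides: it copies constructed sample log files into an evidence directory, writes a manifest recording SHA-256 hash, size, source timestamp, collector and UTC collection time for each, and re-verifies the copies afterwards; the function names, paths and log lines are this example's own assumptions.

```python
"""Evidence preservation helper for the 'Preserve the Data' step (added
example, not from the ACC slides). All paths and log lines are constructed."""
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Hash a file in chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(sources, evidence_dir, collector):
    """Copy each source log into evidence_dir and record who took what, when,
    and its hash, so the copies can later be shown to be unaltered."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in sources:
        st = os.stat(src)
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)  # copy2 preserves the original timestamps
        digest = sha256_file(dst)
        if digest != sha256_file(src):  # the copy must match the source
            raise RuntimeError(f"copy of {src} does not match source")
        entries.append({
            "source": src, "copy": dst, "sha256": digest, "size": st.st_size,
            "source_mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "collector": collector,
        })
    manifest = os.path.join(evidence_dir, "manifest.json")
    with open(manifest, "w") as f:
        json.dump(entries, f, indent=2)
    return manifest


def verify_manifest(manifest_path):
    """Re-hash every preserved copy; return the copies whose hash changed."""
    with open(manifest_path) as f:
        entries = json.load(f)
    return [e["copy"] for e in entries if sha256_file(e["copy"]) != e["sha256"]]


def demo():
    """Constructed sample: preserve two small logs, then tamper with one copy."""
    work = tempfile.mkdtemp()
    logs = {"firewall.log": b"2014-02-26T09:14:02Z DENY tcp 203.0.113.7 -> 10.0.0.5:22\n",
            "access.log": b'10.0.0.5 - - [26/Feb/2014:09:14:05 +0000] "GET /admin HTTP/1.1" 401\n'}
    sources = []
    for name, data in logs.items():
        path = os.path.join(work, name)
        with open(path, "wb") as f:
            f.write(data)
        sources.append(path)
    manifest = preserve_logs(sources, os.path.join(work, "evidence"), "analyst-1")
    clean = verify_manifest(manifest)  # [] while the copies are intact
    with open(os.path.join(work, "evidence", "access.log"), "ab") as f:
        f.write(b"tampered\n")
    tampered = [os.path.basename(c) for c in verify_manifest(manifest)]
    with open(manifest) as f:
        count = len(json.load(f))
    return count, clean, tampered  # (2, [], ["access.log"])
```

The manifest is what a forensic examiner or counsel can later check against the preserved copies; keeping it (and the copies) on write-once or access-controlled storage is what makes the hashes meaningful.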

Page 26

Breach Response Challenges
• Timing Paradox
  – More careful analysis takes time and resources
  – More careful analysis increases certainty
    • Can locate lost or stolen data
    • Can account for malware changes, attacking addresses
    • Can run scans across entire network
    • Can better account for protected personal information sources
  – More careful analysis reduces cost in the long run
    • 2010 Ponemon findings:
      – Quick responder cost = $268 per record
      – Later responder cost = $174 per record

Page 27

Notification
• You may need to notify third parties, including individuals, business partners, and/or government agencies
  – Statutory requirements
  – Regulatory requirements
  – Contractual obligations
  – Simply need help
• Who and when to notify
  – Document all notification efforts

Page 28

The Privacy Dimension
• Non-public personal information
  – HIPAA
  – Gramm-Leach-Bliley
  – Fair Credit Reporting Act
  – Numerous State and International Laws
  – Average cost of a breach involving protected personal information in the U.S. = $5.4 million (Ponemon Institute/Symantec 2013 Cost of Data Breach Study)
• Confidentiality agreements
  – Whose data was exposed?

Page 29

Other Notification Obligations
• Insurance companies
• Banks
• Credit card processors
• Industry organizations
  – Information Sharing and Analysis Centers (ISACs)
• The SEC?

Page 30

Outside Counsel?
• Attorney-Client and Work Product Privileges can give an investigation time to work and encourage frank information sharing
• Data breach notification laws can be confusing and sometimes contradictory
  – 47 different state laws, as well as federal and international laws depending on what data was affected, where the data was, and where the individuals the data is about reside
• Can help navigate other notification obligations and advise on legal remedies available

Page 31

Working with Law Enforcement
• Timing
  – Report soon, but after breach is defined
• Which agency or agencies?
• Interaction
  – Expect requests for interviews, report, raw data
  – Consider asking for “friendly” subpoena
  – Don’t expect updates or immediate results
  – (Exception – New willingness to share Indicators of Compromise (IOCs))
• Important: Establish contacts and relationships before the cyber incident
  – And refresh your contacts periodically

Page 32

Recovery
• Lessons learned
  – Examine whether policy changes need to be made
  – Incorporate learning into response planning
  – Review insurance coverage or self-insurance feasibility
  – Determine if additional employee and/or contractor training is necessary
  – If contractor or vendor was involved, examine contractual protections available

Page 33

The Attorney’s Role

Page 34

The Attorney’s Role
• Educate yourself
  – Basic understanding of cyber issues does not require a computer science degree
  – Costs / benefits involved
• Facilitate dialogue across departments – “bridge the gap”
  – Liaison between senior management and IT
  – Proponent for Culture of Security
  – Separate from Chief Security Officer
• Implement cyber training
  – Component of firm-wide compliance training
  – Utilize outside counsel / consultants as appropriate

Page 35

The Attorney’s Role (cont’d)
• Counseling on compliance plans
  – Culture of Compliance / Security
  – What is required vs. best practices
• Incident response
  – Response plans
  – PR / governmental investigation
  – Help preserve evidence
  – Notification requirements and documentation
• Post-event advisor
  – Self-report
  – Mitigation plans

Page 36

The Attorney’s Role (cont’d)
• Monitor and report on legislative and regulatory developments
• Traditional advocacy work

Page 37

Questions?

Page 38

Joseph Limone, Noble Americas, 203.363.7536, [email protected]

Daniel E. Frank, Sutherland Asbill & Brennan LLP, 202.383.0838, [email protected]

Jennifer J.K. Herbert, Sutherland Asbill & Brennan LLP, 202.383.0822, [email protected]

Page 39

Thank you for attending another presentation from ACC’s Desktop Learning Webcasts

Please be sure to complete the evaluation form for this program as your comments and ideas are helpful in planning future programs. If you have questions about this or future webcasts, please contact ACC at [email protected]

This and other ACC webcasts have been recorded and are available, for one year after the presentation date, as archived webcasts at http://webcasts.acc.com.