Saturday, July 4, 2015

Anatomy Of A Breach: The Good, The Bad & The Ugly

Anatomy Of A Breach: The Good, The Bad & The Ugly

Today's security and privacy professionals know that breaches are a fact of life. Yet their organizations are often not prepared to respond when the time comes. They're "overweight" on prevention and detection, but "underweight" on response.

Based on a decade-plus caseload of actual breach investigations across of range of different organizations, this webinar will examine an amalgamated, anonymized breach situation and review a play-by-play of how the response went: the good, the bad, and the ugly. Attendees will gain hard-earned, battle-tested insight on what to do, and what to avoid when it's their turn to respond to an incident.

Our featured speakers for this timely webinar will be:

- Don Ulsch, CEO, ZeroPoint Risk. Distinguished Fellow at the Ponemon Institute.

- Joseph DeSalvo, Managing Director, ZeroPoint Risk. Former CSO at Mylan and Iron Mountain.

- Ted Julian, Chief Marketing Officer, Co3 Systems. Serial security and compliance entrepreneur. 
Published in: BusinessTechnology

 Transcript

  • 1. Anatomy of a Data Breach The Good, The Bad, & The Ugly
  • 2. Page 2 Agenda • Introductions • Today’s Breach Reality • Common Breach Scenario Themes • What Happens: The Good, The Bad, and The Ugly • Conclusions • Q&A
  • 3. Page 3 Introductions: Today’s Speakers • Ted Julian, Chief Marketing Officer, Co3 Systems • Serial security and compliance entrepreneur • Don Ulsch, CEO, ZeroPoint Risk • Distinguished Fellow at the Ponemon Institute • Joseph DeSalvo, Managing Director, ZeroPoint Risk • Former CSO at Mylan and Iron Mountain
  • 4. Page 4 SSAE16TYPEIICERTIFIED HOSTINGFACILITY DASHBOARDS&REPORTING Co3’s Incident Response Management Platform Automated Escalation Accelerate response by easily creating incidents from the systems you already have Email Web Form Trouble Ticketing Entry Wizard SIM Streamlined Creation + Collaboration Create IR plans instantly based on regulations, best practices, and standard operating procedure. Collaborate on plan execution across multiple functions IR Plan Marketing Legal/Compli anceIT HR Industry Best Practices Organizational Best Practices Privacy Breach Requirements Industry Standard Frameworks Regulatory Requirements Intelligent Correlation Determine related incidents automatically to identify broader, concerted attacks Integrated Intelligence Gain valuable threat intelligence instantly from multiple intelligence feeds Accelerated Mitigation Speed results by easily outputting outcomes to your management platforms SIMTrouble Ticketing GRC
  • 5. Page 5 ZeroPoint Risk Research LLC • ZeroPoint Risk Research LLC is a research and consulting company concentrating on both pre-breach prevention and post-breach investigation and recovery services for clients possessing regulated and unregulated data. • Its CyberBreach Situation Report, written by Don Ulsch, is received monthly by nearly half a million professionals.
  • 6. Page 6 Today’s Breach Reality Data breaches are on the rise and organizations are unprepared to detect them or resolve them - • data breaches have increased in both severity (54 percent) and frequency (52 percent) in the past 24 months • …organizations are facing a growing flood of increasingly malicious data breaches, and they don’t have the tools, staff or resources to discover and resolve them 1 “The Post Breach Boom” – The Ponemon Institute, February 2013 THE PONEMON INSTITUTE 1
  • 7. Page 7 Today’s Breach Reality “If you are going to invest in one thing, it should be incident response” GARTNER 2 “You can’t afford ineffective incident response” FORRESTER RESEARCH 3 “Only 20% of respondents rate their IR program as being ‘very effective’” 1 “Top spending priorities are training and automation tools” 2013 INCIDENT RESPONSE SURVEY – iSMG 1 “The Need For Speed: 2013 IR Survey”- Information Security Media Group - August 2013 2 Gartner Security Summit, Keynote Address - June 2013 3 “Seven Habits of Highly Effective Incident Response Teams” - April 2013
  • 8. Page 8 Breach Scenario – Common Findings • Source • 3rd-party data provider or technology service provider • Cause • Ineffective management of 3rd-party business associate relationships • Increased reputation risk • Greater likelihood of information compromise • Other Traits • Discovered long after it occurred • Inadequate testing for toxic IP addresses
  • 9. Page 9 Breach Scenario (continued) • Big gap between understanding security and its relationship to managing risk • This separates the Board and executive management from operations • GC of the breached company fills this void • Risk awareness with executives remains low, but is rising • Many still have an archaic view of technology • Enablement and cost-savings, not a Trojan Horse into the enterprise • Breaches always cost more than you think
  • 10. Page 10 What Happened? Top reasons why compromises occur • End users and endpoints • Click on anything • Disable endpoint security settings • Use vulnerable, legacy software and hardware • Fail to install security patches • Fail to install anti-virus • Fail to report lost or stolen device • Connect to a private network from a public network (ex. coffee shop) • Use a second access point (mobile broadband from smart phone); creating a bypass • Use weak or default passwords, reuse passwords • Reveal passwords over the phone
  • 11. Page 11 What Happened? Top reasons why compromises occur • Infrastructure • Connect systems and virtual images to the Internet before hardening them • Connect test systems to the Internet with default accounts or passwords • Fail to update or patch systems/applications on a timely basis • Fail to implement or update virus detection software • Use legacy or end-of-life software and hardware • Run unnecessary services • Use insecure back-end management software • Fail to remove old/unused user accounts • Implement firewalls with rules that don’t stop malicious or dangerous incoming or outgoing traffic • Fail to segment network and/or adequately monitor/block malicious traffic with IDS/IPS
  • 12. POLL
  • 13. Page 13 Breach: The Good, The Bad and The Ugly The Good: • Like a personal illness, a breach tends to focus the organization, often resulting in improved awareness, response, and sustainability of better preparedness, technology and risk management processes The Bad: • Employees lose jobs, executives are sometimes discharged, trust between company and customer is diminished, and recovery is expensive The Ugly: • Stock plummets, employees get indicted, firm is put out of business
  • 14. Page 14 Conducting a Breach Investigation • Attorney-client privilege • Establish a breach investigation management team • Establish chain of custody requirements • Begin process to confirm that a breach has occurred and profile its scope and dimension • Determine range of affected information • Establish detailed breach history • If there is no breach history, look for similar breaches of regulated data at other companies
  • 15. Page 15 Conducting a Breach Investigation (continued) • Examine intellectual property and trade secret breaches to see if attacks are similar in nature to the current breach • Change passwords throughout the organization, using complex characters • Determine if breach is ongoing • Review insurance coverage • Determine if data was encrypted • Image hard drives and begin forensic examination • Begin web and behavioral web analytics – IP addresses, web sites, email addresses – to assess potential damage • Determine possible origination with Threat Database
  • 16. Page 16 Conducting a Breach Investigation (continued) • Determine source of the breach • Determine point(s) of breach • Determine method of breach • Did breach or attempted breach involve proximity? • Determine type of data potentially affected • Determine if law enforcement notification is in order • Interim reporting • Develop tactical plan for point of breach containment • Determine contract obligations and reporting requirements (may be separate from regulatory reporting requirements)
  • 17. Page 17 Conducting a Breach Investigation (continued) • Examine enterprise risk management framework • Examine policies and procedures for information security and privacy and compliance • Establish regulatory reporting requirements in case such notification becomes a requirement • Determine requirement for Temporary Restraining Orders/Abuse Reports and execute • Depending on circumstances, contain breach information to the breach management team • Reporting
  • 18. POLL
  • 19. Page 19 • What Should Companies be Doing to Protect Information, Intellectual Property and Trade Secrets? • Data Classification and Role Based Access • Inventory regulated and critical data (where does it reside?) • Establish need to know access and ensure extra screening • Eliminate access when the need expires • Institute continual monitoring • Annual certification by supervisors (for continuing access) • Role changes – does the person still require access? • Department changes – does the person still require access? Conclusion
  • 20. Page 20 Conclusion (continued) • Institute Robust Risk Assessment and Controls to Avoid Low Awareness and False Sense of Security • Offshore Relationships and Vendor Management • Must partners maintain the same security as your co. (physical, logical, administrative)? • Background screening of candidates • Verifying employment, addresses, and education isn’t enough • Competitors, organized crime, and foreign nations infiltrate companies with people that can pass cursory checks
  • 21. QUESTIONS
  • 22. One Alewife Center, Suite 450 Cambridge, MA 02140 PHONE 617.206.3900 WWW.CO3SYS.COM “Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” PC MAGAZINE, EDITOR’S CHOICE “Co3…defines what software packages for privacy look like.” GARTNER “Platform is comprehensive, user friendly, and very well designed.” PONEMON INSTITUTE Don Ulsch don.ulsch@zeropointrisk.com 978-808-6526 Joe DeSalvo joseph.desalvo@zeropointrisk.com 704-907-4557 “One of the hottest products at RSA…” NETWORK WORLD – FEBRUARY 2013

at