Transcript Quick Intelligence Florida PSC Cyber Presentation

FCBA Presentation - Cybersecurity
September 11, 2015
David A. Konuch, General Counsel and Chief Privacy Officer
Quick Intelligence U.S.A.
© 2015 Quick Intelligence
"Whatever level you're worried
about cybersecurity, you should be
more worried."
LinkedIn co-founder Reid Hoffman, August 24, 2015 (speaking
to government officials at Stanford University).
2
© 2015 Quick Intelligence
Privacy versus Cybersecurity: A Continuum
“Absent effective cybersecurity,
there is no privacy.”
David A. Konuch
3
© 2015 Quick Intelligence
A spectrum of risk, compliance, and security with
two endpoints:
1) Target had all the correct software with all the bells and whistles.
But, because there was no coordination between executives and IT,
an intruder broke in, goodwill and customers were lost. Ultimately, the
CEO lost his position.
2) Opposite end of the spectrum: Ashley Madison had no protocol in
place and was running with no protection at all. After their files were
compromised, several customers committed suicide. Now, their entire
enterprise is at risk from lawsuits and bad publicity.
Effective cybersecurity and privacy programs must address both ends
of the spectrum.
4
© 2015 Quick Intelligence
The Seven Things You Need To Do Right Now to
Increase Your Chances of Staying Out of the Data
Breach Headlines
 Task 1: Identify Your Exposure to Common Vulnerabilities
and Educate Your Entire Team – from Executives, to Legal,
to HR, to IT, about them.
Nearly all breaches result from a few dozen well-known (to
security professionals) vulnerabilities. Learn them. Take steps
to protect against them. Educate your team about what they are
and how they can affect you.
FFIEC estimates 90 percent of breaches result from
vulnerabilities that have existing patches.
5
© 2015 Quick Intelligence
The Seven Things You Need To Do Right Now to
Increase Your Chances of Staying Out of the Data
Breach Headlines
 Task 2: Understand that Compliance with applicable rules
and regulations does not mean your organization is secure.
 Target actually passed its compliance check prior to its
breach. Auditors are human beings and sometimes succumb
to pressure to sign off on a company’s compliance, which can
be different than real world security against threats. Also, that
a company passed its annual check today does not mean
someone won’t break into your network tomorrow.
6
© 2015 Quick Intelligence
The Seven Things You Need To Do Right Now to
Increase Your Chances of Staying Out of the Data
Breach Headlines
 Task 3: Educate Legal, Executives, HR, BOD, Everyone about
cybersecurity basics and their roles in protecting the enterprise.
 Legal, HR, BOD, C-suite executives must understand cybersecurity
basics and how the IT department is attempting to achieve security
and respond to alerts.
 (Positive trend: NIST and FFIEC recognize the importance and
encourage involvement in cyber defense oversight by senior
executives and Boards of Directors).
7
© 2015 Quick Intelligence
The Seven Things You Need To Do Right Now to
Increase Your Chances of Staying Out of the Data
Breach Headlines
 Often if an employee makes a blunder or even honest
mistake that imperils the company, that employee is fired. But
a large cybersecurity failure can result in C-suite personnel
resigning, as happened in Target’s case.
 Have a mechanism in place that allows executives to monitor
cybersecurity initiatives and understand what security means,
in real time.
 With a working understanding of risks – a basic
understanding of how to detect and remediate network
vulnerabilities, C-suite leaders will have the decisionmaking
information they need to protect their jobs, and more
importantly, their company, shareholders, and customers!
8
© 2015 Quick Intelligence
The Seven Things You Need To Do Right Now to
Increase Your Chances of Staying Out of the Data
Breach Headlines
 Task 4: Understand and manage your subcontractors’ and vendors’
security.
 While you need to secure your own network, it’s equally important to
monitor the security practices of your subcontractors and vendors. A
network is only as secure as it’s weakest link. Financial institutions,
which often are ahead of other businesses where security is
concerned, spend significant amounts of time on “vendor
management,” ensuring that those they do business with employ
high standards of network protection. The hackers that breached
Target entered the network through Target’s HVAC vendor. Know
that this occurs and take steps accordingly so that vendors and
subcontractors do not become a weak link in your network security.
9
© 2015 Quick Intelligence
The Seven Things You Need To Do Right Now to
Increase Your Chances of Staying Out of the Data
Breach Headlines
 Task 5 (could be Task 1): Understand social engineering efforts the
same way your adversaries do!
 Social engineering can take down your entire network, regardless of
the other hard security measures you undertake. Many attacks start
with information gathered on social media sites for “spear phishing.”
 Understand how cyber criminals and corporate espionage threats
use social engineering. At events like DefCon and Black Hat,
hackers literally make a game out of successful social engineering.
 Social engineering, basically, obtaining network information by
fooling employees into giving up their passwords, is one of the most
effective tools in a hacker’s arsenal. Understand the basic social
engineering techniques and take steps to combat them.
10
© 2015 Quick Intelligence
The Seven Things You Need To Do Right Now to
Increase Your Chances of Staying Out of the Data
Breach Headlines
 Task 6: Have a breach response plan in place and practice
implementation using “table top” exercises.
 Target’s network security company actually sent its IT department
automated alerts that a breach had occurred, but the department
thought they were false positives, and ignored them. Eventually,
they turned the alerts off, with disastrous results. Through a breach
response plan, and a vulnerability management platform, the IT
department can alert executives to what threats are real and tell the
difference between a real threat and a false positive. Ensure you
have a breach plan, but also, a communications plan and a way to
manage threats so that you can respond to the real and stay vigilant.
11
© 2015 Quick Intelligence
The Seven Things You Need To Do Right Now to
Increase Your Chances of Staying Out of the Data
Breach Headlines
 Task 7: Expect the best, but plan for their worst. Most professionals
in the data security industry do not speak in terms of “if” an incident
occurs, but rather “when” one occurs, because at the end of the day,
no organization is truly immune from data incidents. So, take steps
to ensure that, if someone does get through, you have a plan in
place. This includes the following subcategories:
 With a response plan in place (Task 6), you can mitigate the
damage if a breach occurs despite your best efforts. With privacy
breach insurance, you can further mitigate risk through insurance
(for financial loss, but not reputational risk).
 Your final preemptive defense mechanism will be: control and store
information so that it becomes useless to anyone breaking in.
Storing information in this way represents the ultimate insurance
against a data breach.
12
© 2015 Quick Intelligence
Federal Trade Commission Jurisdiction over
Privacy and Cyber: Wyndham Decision
 Major court decision this summer upheld FTC’s ability to set
standards for cybersecurity implementation: Wyndham.
 FTC had brought over 50 enforcement actions alleging
ineffective cybersecurity; Wyndham challenged whether FTC
possessed adequate jurisdiction over cyber.
 FTC alleged Wyndham’s privacy policy was “deceptive.” FTC
v. Wyndham Worldwide Corp., (3rd Circuit, August 24, 2015).
13
© 2015 Quick Intelligence
Wyndham: U.S. Appeals Court Validates FTC’s
Ability to Regulate Cybersecurity Practices
 Multiple hacks of Wyndham Worldwide Corporation hotel chain
allegedly resulted in breach of 600,000 credit card numbers and in
excess of $10.6 million in fraudulent charges.
 FTC asserted Wyndham’s security practices represented an
actionable unfair business practice because Wyndham:
 Failed to encrypt payment card data;
 Permitted use of “easily guessed” passwords and did not change
defaults;
 Failed to use firewalls, allowed third-party vendor access to
Windham’s network, did not implement available patches for three
years.
14
© 2015 Quick Intelligence
Wyndham: U.S. Appeals Court Validates FTC’s
Ability to Regulate Cybersecurity Practices
 U.S. Third-circuit’s decision in Wyndham validates FTC as standard
setter for cyber generally.
 Will create even greater incentives for strong cybersecurity
measures by private companies.
 Had case gone the other way, companies still would have strong
incentives to implement strong cybersecurity.
 Wyndham decision gives places General Counsel’s on notice that
poor cybersecurity may result in a federal enforcement action, in
addition to any harms that may occur to the business as the result of
a breach.
15
© 2015 Quick Intelligence
Interesting Observation…
 Millennial generation wants everything electronic, but some older
generations still insist on paper.
 Despite electronic safeguards, “elder abuse” occurs via identity theft
from obtaining paper records.
16
© 2015 Quick Intelligence
Exploring Some Recent Breaches
© 2015 Quick Intelligence
Some Interesting Facts
 Global Risks 2015 Report, published by World Economic Forum
(WEF) states that “90% of companies world-wide recognize they
are insufficiently prepared to protect themselves from cyber-attacks
 Cyber crime costs the global economy over $400 billion annually
 In 2013, over 3,000 US companies had their systems compromised
in some fashion
 Vulnerabilities in systems are on the rise
 The proliferation of the “IOT” (Internet of Things) is exacerbating
the problem, more and more IP enabled devices on corporate
networks with little or no security (thermostats, cameras,
appliances, toys, etc.)
18
© 2015 Quick Intelligence
What’s Contributing to the hacks?
 Lack of employee training / employee awareness. Clicking
on links, talking to unauthorized people (social engineering)
 Lack of visibility. Many of these attacks persist for weeks and
months, in some cases longer. No ability to see them
 No real time monitoring. Even if there is some kind of logging
in place, there’s nothing looking for unusual behaviour.
 Lack of accountability. How many utilities are being
penalized for failing to adhere to standards such as NERCCIP?
 Lack of Understanding of seriousness of exposure at the
senior management / Board level
© 2015 Quick Intelligence
What’s Happening in the Industry
 Regular reports of utilities being breached (ICS-CERT Monitor)
 Numerous incidents of systems being compromised, changes made
 In some instances it’s determined the systems have been
compromised for extended periods of time
 Lack of proper monitoring in most cases
 Lack of proper controls, including a “defense in depth” approach,
leading to breaches further inside the ICS networks and in many
cases breaches in corporate networks
“If you’re connected, you’re likely infected!” ICS-CERT Monitor, 2015
© 2015 Quick Intelligence
U.S. Dept. of Energy Hacked 159 times in 4 years
 Between 2010 and 2014, 1131 attempted breaches of DOE network
and components, 159 were successful
 On average, a successful breach every 4 days during this period
 National Nuclear Security Administration had 19 successful attacks
 2013 breach resulted in PII breach of 104,000 Energy employees
and contractors
 Quick audit of Energy Department found 41 servers and at least 14
workstations with default or easy to guess passwords
 53 of the 159 compromises were “root” compromises, meaning the
attackers had full unrestricted access to all areas of the systems
 90 of the 159 successful breaches were through the DOE’s Office of
Science
© 2015 Quick Intelligence
Recaps of Vulnerabilities, 2013
 181 vulnerability reports to ICS-CERT, 177 determined to be real
vulnerabilities that required incident response to remediate
 87% exploitable remotely, 13% required local access to exploit
 Primary recommendation, minimize Internet exposure and
configured ICS systems behind firewalls
© 2015 Quick Intelligence
Sample 2014-2015 Incidents
 Water utility switch misconfiguration resulted in massive network traffic,
appearing to be a DDoS, lost ability to monitor and manage water
systems for a period of time.
 Water treatment facility, reported an employee access control systems
server without authorization on 4 separate occasions, on one occasion
resulting in the overflow of system’s wastewater treatment process.
Insufficient evidence to prove employee had performed action, due to lack
of proper logging and monitoring
 Utility reported the bridge between their corporate network and
processing network had been compromised, evidence discovered on an
APT (Advanced Persistent Threat). Insufficient asset management
made the investigation difficult. Only separation between network was
hard-coded IP addresses, easy to bypass.
© 2015 Quick Intelligence
Recap of Vulnerabilities, Oct-2014-April 2015
 108 cyber incidents in the United States
 Water with 19% of reported incidents, Energy and electricity 12%
 More incidents being reported from outside the asset owners than
by the owners themselves
 Spear phishing, 21% of all incidents
© 2015 Quick Intelligence
Quick Hits, January 2014
 January, 2014 – Public utility compromised using brute force
techniques to gain access to public-facing control system assets.
Forensic analysis revealed numerous previous intrusions into the
systems over a period of time.
 January, 2014- Remote access to control systems server through a
SCADA protocol via cellular connection. Device directly accessible
to internet, no firewalls or other security controls in place.
 January, 2014 – HVAC Systems for an arena at Sochi Olympics
discovered on the Internet, no authentication required to access and
manage. Fixed just prior to Olympics opening ceremonies
© 2015 Quick Intelligence
Ashley Madison
 Year: 2015
 Affected: 33 million user accounts, including email addresses, first
and last names and phone numbers.
 Cost: The breach could cost the company an estimated $850
million, according to The New York Times.
 What happened: In possibly the most publicized attack of the year,
more than 30 million accounts on affair-site Ashley Madison, owned
by Avid Life Media, were hacked and released to the public. The site
claims that full credit card numbers were not taken.
© 2015 Quick Intelligence
Total Bank, South Florida
 Year: 2014
 Affected: 72,000 customer records
 Cost: TBD
What happened: An unauthorized third party gained unauthorized
access into their network and accessed customer names, contact
information, bank PINs, account numbers, driver’s license numbers
and Social Security numbers.
© 2015 Quick Intelligence
What can we do to make it better?
 Education. Educate senior management, educate employees,
educate customers.
 Put proper monitoring in place. “You can’t manage what you can’t
measure” – Peter Drucker. If you can’t see it, you can’t respond to
it
 Start enforcing legislation and regulations, hold people accountable,
make sure they take responsibility for their clients’ information, their
employees information, their company’s sensitive information
 Move away from “snapshot” assessments and introduce ongoing
checks and balances. We did this in the financial and credit card
world years ago, why aren’t we doing it for our systems and users?
© 2015 Quick Intelligence