1 / 29

MANAGING DATA BREACH

MANAGING DATA BREACH. Beazley is a specialist insurer and leading provider of cyber insurance. Michael Phillips is a Claims Manager in the Technology, Media, and Business division of Beazley, and focuses his work on managing incidents related to public entities.

kugler
Télécharger la présentation

MANAGING DATA BREACH

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. MANAGING DATA BREACH

  2. Beazley is a specialist insurer andleading provider of cyber insurance. Michael Phillips is a Claims Manager in the Technology, Media, and Business division of Beazley, and focuses his work on managing incidents related to public entities.

  3. Since 2007, we have helped our Insureds manage more than 6,800 incidents, helping them navigate often complex and thorny breach related situations. Beazley’s Experience • Key sectors: • Public Entities • Telecoms • Utilities • Healthcare • Education

  4. San Francisco MUNI (ransomware; approx. 2 days of lost transit revenue) Multiple state Dep’ts of Fish & Wildlife (ongoing; Oregon, Washington, Idaho, Kentucky, 6M individuals, hack) Utah Department of Health (500K individuals, hack) Texas Retirement Systems (3.5M records, inadvertent disclosure) U.S. Department of Energy (105K individuals, hack) Oregon Employment Department (850K individuals, hack) Montana Department of Public Health and Human Services (1.3M individuals, hack) South Carolina Department of Revenue (5.7M individuals) (phishing) Public Entity Incidents

  5. Public entities are perceived to be an easier target for cyber criminals. • Older, more vulnerable computer systems • Less vigilance • Valuable data • According to the Ponemon Institute’s Annual Study, more than 94 million citizens’ records have been lost or breached since 2009.

  6. The Public Sector suffers more incidents caused by human error (misaddressed email, accidentally published data), suggesting improvements in processes and controls can still add value. 2016 Verizon Data Breach Report

  7. Data Breaches and Cyber Attacks are Increasing in Costs and Frequency.

  8. Data from Beazley Breach Response Services Ransomware Events Quadrupled in 2016; Doubling Again in 2017

  9. Helping the insured see when this claim . . . . . . really looks like this.

  10. Information Security and Privacy Liability (A) Privacy Notification Costs (B) Regulatory Defense and Penalties (C) Website Media Content Liability (Occurrence Based) (D) Cyber Extortion Loss (E) Data Protection Loss (F) and Business Interruption Loss (G) The Classic Cyber Coverages

  11. This isn’t the time to learn on the job. The smallest breach can become a big problem if not handled correctly.

  12. An Incident Happens: What Next? Notice Beazley EARLY AND OFTEN

  13. Collaborative discussions with forensics to drive conclusions Assisting Insureds in understanding fully the legal landscape in complex situations Enabling identity/credit monitoring for individuals whose data has been breached Facilitatingstrategic dialogue with Insureds and counsel about media communications and escalation issues Driving notification through the printing and mailing process even when tight statutory deadlines provide no more than a few days to comply Beazley’s Approach

  14. Official Note The descriptions contained in this presentation are for preliminary informational purposes only. The exact coverage afforded by the products described herein is subject to and governed by the terms and conditions of each policy issued. The publication and delivery of the information contained herein is not intended as a solicitation for the purchase of insurance on any US risk.

  15. Introduction • Colin Zarbough CEH, CISA, HCISPP, PCI-QSA • RSM Manager, Security, Privacy and Risk Consulting • Located in Irvine, California. Service line leader for the Western United States • Just a few examples of what I do on a monthly basis • Security Program Reviews • Cyber Security Strategy • Risk Assessments • Application & Network Security • Business Continuity Planning/Disaster Recovery • Forensics Investigations 4

  16. Misconceptions About Hackers • Think of attackers as a spectrum rather than a generic entity. • Recognize that attackers have differing, but usually similar motives. • Targets of opportunity • Bandwidth and equipment • Financial data and intellectual property • #1 asset on underground market

  17. Misconceptions (continued) • Compliance ≠ Security • Compliance = You have built the foundation to get secure • Security is not bought • Tools are tools, not solutions • You can absolutely do security “on the cheap” if it is done correctly • Security cannot be successful unless it is embedded in a variety of enterprise policies and processes

  18. Misconceptions (continued) • Security threats do not only come from “out there.” • Attacks by rogue employees, mistakes and fraud are not common, but result in immense damage when they occur • Remember, once the bad guys breach your external boundary they are now a version of an insider threat. • The underground economy has lowered the knowledge threshold • Skilled attackers make more money at less risk by selling their knowledge in packaged form • Kits, automation, subscriptions, malware pre-packs, etc. • Result: Pseudo “APT” attackers • aka “Idiots with nuclear weapons”

  19. Threat Overview • Rise of the “low tech” hack • Very polished method of social engineering that does not require actual “hacking” • Fancy name for traditional “con games” • Attacking an environment via manipulating people • Hacking by the KISS principle • Keep it simple, stupid • Why go through all of the effort to bypass firewalls, anti-virus, monitoring solutions, etc.?

  20. Inflection Point aka Glimmer of Hope 2016 Ponemon Institute

  21. Recommendations: Adopt a proactive Risk Management program Recommendations: Adopt A Proactive Risk Management Program • Keys to success: • Risk assessments • Governance structures • Security oversight • Training • Accountability • Reporting Goals: Management defined risk appetite, known security objectives, properly trained staff and resilience

  22. Recommendations: Choose A Security Framework • NIST cybersecurity framework is a great start. • Intel Case study is great resource to understand how to implement • Standardizes understanding across the organization • Drives governance down into the organization (Most important) • Commercially available gap assessment programs available for baselining • Run gap assessment against this program annually Chart taken from NIST CSF framework

  23. Quantify Your Risk And Then Baseline • Risk assessment (annually) to determine where you really need most improvement or need to implement controls and or offload risk to vendors • Focus on how you manage your security process • How do you know you have all the parts in place? • That they are all doing what they should? • That they are effective as threats change? • Do you know what normal activity in your environment looks like? • Make sure these basics are in place, and then go deeper into areas of real security concern.

  24. Vendors and Threat Intelligence • Third-Parties/Vendors • Risk rate all third party vendors and vet them annually • Limit their access to sensitive data • Consultants and contractors • Good resource for current technical skills • Too much reliance may mean you bring additional risk into your environment by accident • Logging and Monitoring • If you don’t log and monitor your environment, you’re basically blind from a security perspective. Review daily! • Log more. Bring it together. Look for anomalies not single events. Know what normal looks like • “87% percent of victims had evidence of the breach in their log files, yet missed it.“ • Verizon Data Breach Report

  25. Testing, Testing And More Testing • Run vulnerability scans on a quarterly basis • Quarterly at a minimum. Failing scans need to have issues remediated and then rescanned with passing result • Scans need to be run internally using automated tools such as Nessus, Qualys, OpenVAS, Nexpose. Many open source and commercial options available • External scans need to be run as well. Look for an approved scanning vendor (ASV) or run a tool such as those above yourselves. You can pay a third party which is generally charged per quarter (generally reasonable), or you can have your team run • Penetration testing • Have a qualified third party run penetration tests both externally and internally annually • After a major change in your environment, must pentest again

  26. Patching Is Extremely Important Straight from NIST (National Institute of Standards and Technology): • Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. • Patches correct security and functionality problems in software and firmware. • Patches mitigate software flaw vulnerabilities; applying patches to eliminate these vulnerabilities significantly reduces the opportunities for exploitation • Patches are usually the most effective way to mitigate software flaw vulnerabilities, and are often the only fully effective solution

  27. Security awareness training • Most attacks start with phishing • Attackers prey upon the volume of email • Awareness training lessens exposure to such attacks • Phishing failure rates drop significantly after internally mounted phishing campaigns are implemented • Breach identification times drop significantly due to identification of malicious email by employees • Needs to be run throughout the year with training, posters, informational emails about all security risks • Commercially available solutions are in module form. Cost effective and content changes according to real life threats

  28. School District Cyber Breach Overview by Dan Mellon

  29. Questions?

More Related