SlideShare a Scribd company logo

MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

Casey Ellis
Casey Ellis

A moderated panel in for an audience of company General Counsels and litigators.

Technology
1 of 50
Download to read offline
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel MCCA Global TEC Forum April 13, 2018 Casey Ellis | Chairman, Founder & CTO – Bugcrowd Elizabeth Cookson | Senior Analyst, Cyber – KIVU Consulting Jake Heath | Partner, Intellectual Property – Orrick LLP Moderator: Tony Kim | Partner, Cyber, Privacy & Data Innovation – Orrick LLP
The Scope of the Problem
What the World Economic Forum Thinks about Us (US)
Where Do Cyberattacks Rank? Source: World Economic Forum Global Risks 2018
(Sobering) Statistics Data Breaches Continue to Mount Source: The Breach Level Index, available at, http://breachlevelindex.com
Biggest Breaches (2008-2009) Source: The Breach Level Index, available at, http://breachlevelindex.com
Biggest Breaches (2016-2017)
Anatomy of a Typical External (Hack) Attack Nation State Organized Crime Hacktivists Initial Compromise Establish Foothold Escalate Privileges Internal Recon Lateral Movement Maintain Presence Malicious Insiders Network Perimeter Financial gain Cyber-extortion Cyber-espionage Competitive advantage Disruption Political Revenge Whistleblower WHY? Internal Damage Ransomware Data Access Data Acquisition
Anatomy of a Typical Company Response Data Access Data Acquisition Initial Triage Forensic Investigation Notifications PR/Communications Law Enforcement Systems Remediation Insurance Recovery Public Disclosures Governance Auditors Regulator Investigations Lawsuits Customer Demands Remedies or Settlements
Common Cost Components Initial Response Costs Business Losses Security consultants Lost revenue Forensic imaging Drop in stock value Restoring service / security upgrades Loss of customer confidence Customer Costs Legal Claims Breach notification Litigation (e.g., consumer or employee class action / shareholder derivative) costs and settlement payouts Identity theft problem Defense of government proceedings Credit monitoring Government fines or penalties Customer inducements PCI/Card brand assessments
Transformative Costs Source: Cybersecurity Ventures and Herjavec Group (2017) “The greatest transfer of economic wealth in history” 2015 2021 $6 trillion $3 trillion Global annual cybercrime costs estimated to grow from $3 trillion to $6 trillion by 2021 Includes estimated costs for: • Damage and destruction of data • Stolen money/fraud/embezzlement • Lost productivity/disruption to operations • Theft of IP, personal data, financial data • Forensic investigation • Restoration and remediation • Reputational harm
Brand Impact = As (or More) Important than Other Costs 74.8% 72.5% 80% of consumers worry about the security of their personal information. Temkin Group "Consumer Benchmark Survey" of consumers don’t believe organizations care about their private data and keeping it safe and secure. HyTrust Inc., the Cloud Security Automation Company 56% 40% 29% Political Action (sign a petition, contact a politician Stop/Reduce Technology Use Social Activity (post to social media, write an op-ed or letter) Actions your customers take when you falter of consumers believe failure to keep customer information secure has a significant negative impact on trust in a company. Edelman Trust Barometer: Financial Services Industry Source: Edelman Proprietary Study, 2014
Companies are Under-Resourced / Staffed / Funded “Cybersecurity has a serious talent shortage” Source: Frost & Sullivan, Center for Cyber Safety and Education (2017) 2017 2022 1.8 million worker shortfall in information security Too few information security workers in my department The most common reason given for this phenomenon is lack of qualified personnel Companies may be looking in the wrong places for talent in this space: • 87% of cyber workers did NOT start in cyber • 30% of cyber workers came from non-IT and non- Engineering background • Disconnect: Managers deeply value communication and analytical skills vs. Candidates predictably prioritize high technical skills
What is Legal’s Role? Lack of Tech Literacy Doesn’t Help “Lawyers don’t need to be coders, they just need not be Luddites” * • Techno-phobia • Continued view of cyber as primarily an IT or InfoSec function • Belief that lawyers should get involved after a breach happens (e.g., breach notification laws), or only in preparing to respond for a breach vs. preventive/mitigation measures • Belief that companies (good guys) can never keep pace with the bad guys in terms of funding, skill, or innovation * “Luddite” = (1) bands of English workers who destroyed machinery that they believed was threatening their jobs; (2) person opposed to new technology
What is Legal’s Role? Tech Competence is Part of the Job A lawyer shall provide competent representation to a client…” Comment 8 to Model Rule of Professional Conduct 1.1: Maintaining Competence To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. (Emphasis added.)
Bug Bounties and “Security Researchers”
Researchers Are Trying to Help . . . Right?
Source: Bugcrowd Bug Bounty 101 – How it Works
Bug Bounty – Is there a Code of Conduct? “Is there Honor Among ‘Security Researchers’”?  Many security researchers have “day jobs,” so they are not out to extort or otherwise disadvantage companies  If you don’t play by the Bug Bounty rules, you will not get paid – including confidentiality  Transparency with respect to payment levels for bug severity levels, and level of documentation that must be shown for payment  Security researchers are “rated,” so reputation matters!
Bug Bounty Programs = A Force Multiplier for Companies “It Takes a Crowd” Lack of Resources + expanding attack surfaces = more opportunity for adversaries.  Bug Bounty programs are used by many uber-sophisticated companies, and even the federal government  In 2 weeks, per company, security researchers typically find: Source: Bugcrowd
Third-Party Managed Bug Bounty Programs Program Types Service Elements Source: Bugcrowd
Designing Your Own Bug Bounty? The Department of Justice outlines a framework for designing a “vulnerability disclosure program” to address the concerns that such activity might violate the Computer Fraud and Abuse Act (18 U.S.C. 1030). See https://www.justice.gov/criminal-ccips/page/file/983996/download
Do Bug Bounties Increase Legal Breach Notifications? Phase 1 Identification, Scoping and Severity Assessment Phase 2 Escalation and Deployment of IR Resources Phase 3 Investigation and Remediation Phase 4 Notification and Other External Communications Phase 5 Post-Incident Analysis and Preparation 1. Statutory duty to notify customers? Legal 2. Contractual duty to notify? Legal 3. “Voluntary” notification? Transparency • Generally, triggered on unauthorized “access” or “acquisition” of PI • 47 U.S. state laws + territories • HHS OCR / PCI / Interagency Guidelines • Rest-of-world • Contractual duties override statutory or regulatory duties on notification • Includes “quasi” contracts such as Privacy Policy and Terms of Use, Marketing, Advertising • Forensics are often inconclusive, which leads to a multi- factor decision tree • Voluntary notice scenarios based on facts, risk mitigation, ethical considerations Corporate Incident Response Plan Phases
• How real is the legal risk around known security vulnerabilities? • Researchers can, and do, go public • Researchers can, and do, report to regulatory agencies • Regulators can, and do, bring investigations and enforcement actions based on vulnerabilities alone – even if there’s been no “data breach” – FTC Litigation: D-Link case – FTC/FCC: Stagefright inquiries to mobile device makers – SEC OCIE: Craig Scott Capital case – Litigation (both ways): St. Jude Medical / Muddy Waters case Is there Liability for a “Mere” Security Vulnerability?
What’s the Game Plan? • How should we address security researchers who call or email (especially on a Friday before a holiday at 4:50 pm)? – Who should interact with the researcher? – Should you email or call, or both? – Do you ever acknowledge the vulnerability? Do you pay them? – Do you keep them updated on the status of your investigation, remediation? • Very helpful to have internal game plan for security researcher engagement, including how and who will make decision on payment • IR Planning – Legal and PR/crisis communications should be briefed and ready – Consideration of incorporating into IR plan, or parallel protocol
Ransomware
Ransomware: What is it?
Ransomware: What does it look like? The visual appearance of a ransomware attack may vary widely • Format of the ransom note • File extension • Disk-level ransomware vs. file-level ransomware • Scrambled filename vs. intact filename
Ransomware: How it works
Rapid Acceleration Number of Ransomware Attacks Worldwide (in millions) Source: Statistica
The No More Ransom Project
Approach “Free” Tools With Caution
Should you pay? “The FBI does not support paying a ransom to the adversary….. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom…… Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.”
“Dude, stop crying.” Generation of rookie hackers emerges In the past, we were often engaging directly with the malware developer, who could help with software bugs and hiccups With rookie hackers, the tool is either poorly written and / or the actors are unable to help troubleshoot decryption issues
Do companies actually pay? Source: Osterman Research (Survey of 540 CIOs/CISOs/IT Directors)
How do (can) you pay? • Does your company/client have a bitcoin wallet? – Your vendor does! • Managed ransomware response: • Vendor takes over communications with attacker (often in attacker’s native language) – Vendor obtains and validates (tests) ransomware decryption tool – Vendor assists in negotiating down the ransom amount – Vendor fronts payment to attacker, in many circumstances – Vendor assists with actual/live decryption and remediation
If you decide to pay . . . Call The Professionals The transaction goes the smoothest when the incident response team is brought in early
Horror Stories Do Not Try This At Home When victims try to engage themselves, they may accidentally antagonize the attacker, or give up information that reveals their identity
Consequences and Protective Measures
What is the legal framework? Civil or criminal liability for hacking Contractual duties re: security and/or breach notification Laws requiring security measures Notification to individuals and regulators Regulator enforcement consent decrees, and related requirements Regulator and industry standards, guidelines, and frameworks
Are “Bugs” and “Ransomware” Notifiable Breach Events??? • Statutes – State statutes (plus D.C., Guam, P.R., V.I.); triggered when 1 or more affected individuals is a resident of the state; triggered on “access” or “acquisition” of PI elements – Industry/sector federal rules (e.g., HIPAA, Interagency Guidelines, NYDFS, DFARS) • Contracts – Contracts with customer and vendors (e.g., privacy policies, terms of use, etc.) – Almost always define “breaches” more broadly than statutes • Industry Rules (e.g., Payment Card Industry – PCI) • SEC public company disclosures (e.g., Form 8-K) • Client’s Internal Policies and Procedures
What have regulators said about Ransomware? “[A] breach has occurred because the [data] encrypted by the ransomware was acquired … and thus is a ‘disclosure’” where security incident defined as “the acquisition, access, use of disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” 45 C.F.C. 162.402. Special focus on results of forensic analysis and risk assessment “A company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act.” -- (Then) Chairwoman Edith Ramirez (2016) Failure to address “pervasive security bugs” that leave systems vulnerable to malware will be a key factor in the FTC’s decision to open an investigation or pursue an enforcement action.
Board Members Under Fire
SEC and DOJ Investigations
Incident Response (IR) Planning Do you have an IR Team? An IR Plan? Have you practiced? Identify Triage & Contain Analyze & Investigate Remove & Recover Prepare Corporate IR Plan Cross- Functional IR Team Cross-Functional IR Team Key Internal Members IR Team Leader Executive Liaison General Counsel/Legal Privacy Officer IT Security Physical Security Corp. Communications Customer Support Human Resources Risk Management Key External Members Outside Counsel Forensics Crisis Communications Investor Relations Vendors (mail house, call center, credit monitoring)
Other Key Elements of Proactive Cybersecurity Programs • Executive CISO or equivalent function responsible for cybersecurity with regular and direct reporting to Board (Audit/Risk) Committee • Inventory of data and network assets subject to attack (e.g., data map, network map) • Regular enterprise-wide cybersecurity assessments, properly scoped and managed (not just “pen tests” or routine vulnerability scans, but more holistic) • Participation in threat intelligence sharing forums to develop understanding of threat landscape (e.g., ISACs) • Certifications to PCI DSS, ISO/IEC standards, such as ISO/IEC 27001:013, etc. • Encryption of sensitive data in-transit (and at-rest, as appropriate), privilege/identity access management, etc. . . . and other bare minimum protective controls
Other Key Elements (cont’d) • Inclusion of cybersecurity-related provisions and audit rights in vendor and business partner contracts, with program for auditing compliance • Implementation of training programs for employees and security team on cybersecurity awareness and response • Retention of experts and consultants to provide technical services for purpose of providing legal advice regarding risk • Procurement of cyber insurance to cover costs of forensic analysis, legal services, public relations, credit monitoring, litigation defense, etc. • Explicity consideration of evolving scenarios like Bug Bounties and Ransomware – and how they fit into, or necessitate adjustments to, company’s security breach incident response plan (IRP)
Discussion
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

Recommended

U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015Robert Craig
 
Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Don Grauel
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligenceseadeloitte
 
Cybersecurity & the Board of Directors
Cybersecurity & the Board of DirectorsCybersecurity & the Board of Directors
Cybersecurity & the Board of DirectorsAbdul-Hakeem Ajijola
 
Ci2 cyber insurance presentation
Ci2 cyber insurance presentationCi2 cyber insurance presentation
Ci2 cyber insurance presentationEthan S. Burger
 
No National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law PleaseNo National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law PleaseWilliam McBorrough
 
Cyber Insurance Temp
Cyber Insurance TempCyber Insurance Temp
Cyber Insurance TempRohan Sehgal
 
Cybersecurity and The Board
Cybersecurity and The BoardCybersecurity and The Board
Cybersecurity and The BoardPaul Melson
 

Recommended

U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015Robert Craig
 
Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Don Grauel
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligenceseadeloitte
 
Cybersecurity & the Board of Directors
Cybersecurity & the Board of DirectorsCybersecurity & the Board of Directors
Cybersecurity & the Board of DirectorsAbdul-Hakeem Ajijola
 
Ci2 cyber insurance presentation
Ci2 cyber insurance presentationCi2 cyber insurance presentation
Ci2 cyber insurance presentationEthan S. Burger
 
No National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law PleaseNo National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law PleaseWilliam McBorrough
 
Cyber Insurance Temp
Cyber Insurance TempCyber Insurance Temp
Cyber Insurance TempRohan Sehgal
 
Cybersecurity and The Board
Cybersecurity and The BoardCybersecurity and The Board
Cybersecurity and The BoardPaul Melson
 
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar SeriesCyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar SeriesPaige Rasid
 
The Basics of Cyber Insurance
The Basics of Cyber InsuranceThe Basics of Cyber Insurance
The Basics of Cyber InsuranceHB Litigation Conferences
 
Proven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckProven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckNetIQ
 
Policy Guide for Legislators
Policy Guide for LegislatorsPolicy Guide for Legislators
Policy Guide for LegislatorsKristin Judge
 
Webinar: Understanding the Cyber Threat Landscape for Nonprofits
Webinar: Understanding the Cyber Threat Landscape for NonprofitsWebinar: Understanding the Cyber Threat Landscape for Nonprofits
Webinar: Understanding the Cyber Threat Landscape for NonprofitsWithum
 
Cyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterCyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterPatricia M Watson
 
Webinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWebinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWithum
 
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Don Grauel
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threatillustro
 
NIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack WhitsittNIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack WhitsittJack Whitsitt
 
Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity Dawn Yankeelov
 
Cyber for Counties Guidebook
Cyber for Counties Guidebook Cyber for Counties Guidebook
Cyber for Counties Guidebook Kristin Judge
 
Managing and insuring cyber risk - coverage of insurance policies
Managing and insuring cyber risk - coverage of insurance policiesManaging and insuring cyber risk - coverage of insurance policies
Managing and insuring cyber risk - coverage of insurance policiesIISPEastMids
 
A Manifesto for Cyber Resilience
A Manifesto for Cyber ResilienceA Manifesto for Cyber Resilience
A Manifesto for Cyber ResilienceSymantec
 
CS3: Cybersecurity Extortion & Fraud
CS3: Cybersecurity Extortion & FraudCS3: Cybersecurity Extortion & Fraud
CS3: Cybersecurity Extortion & FraudPaige Rasid
 
CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin OCTF Industry Engagement
 
Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers - Cyber Insurance 101Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers - Cyber Insurance 101Statewide Insurance Brokers
 
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnovProtecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnovEric Vanderburg
 
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Joe Bartolo
 
Effective Cybersecurity Communication Skills
Effective Cybersecurity Communication SkillsEffective Cybersecurity Communication Skills
Effective Cybersecurity Communication SkillsJack Whitsitt
 
Cybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaCybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaTechBiz Forense Digital
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyRussell Publishing
 

More Related Content

What's hot

Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar SeriesCyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar SeriesPaige Rasid
 
Proven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckProven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckNetIQ
 
Policy Guide for Legislators
Policy Guide for LegislatorsPolicy Guide for Legislators
Policy Guide for LegislatorsKristin Judge
 
Webinar: Understanding the Cyber Threat Landscape for Nonprofits
Webinar: Understanding the Cyber Threat Landscape for NonprofitsWebinar: Understanding the Cyber Threat Landscape for Nonprofits
Webinar: Understanding the Cyber Threat Landscape for NonprofitsWithum
 
Cyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterCyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterPatricia M Watson
 
Webinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWebinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWithum
 
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Don Grauel
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threatillustro
 
NIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack WhitsittNIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack WhitsittJack Whitsitt
 
Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity Dawn Yankeelov
 
Cyber for Counties Guidebook
Cyber for Counties Guidebook Cyber for Counties Guidebook
Cyber for Counties Guidebook Kristin Judge
 
Managing and insuring cyber risk - coverage of insurance policies
Managing and insuring cyber risk - coverage of insurance policiesManaging and insuring cyber risk - coverage of insurance policies
Managing and insuring cyber risk - coverage of insurance policiesIISPEastMids
 
A Manifesto for Cyber Resilience
A Manifesto for Cyber ResilienceA Manifesto for Cyber Resilience
A Manifesto for Cyber ResilienceSymantec
 
CS3: Cybersecurity Extortion & Fraud
CS3: Cybersecurity Extortion & FraudCS3: Cybersecurity Extortion & Fraud
CS3: Cybersecurity Extortion & FraudPaige Rasid
 
CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin OCTF Industry Engagement
 
Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers - Cyber Insurance 101Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers - Cyber Insurance 101Statewide Insurance Brokers
 
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnovProtecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnovEric Vanderburg
 
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Joe Bartolo
 
Effective Cybersecurity Communication Skills
Effective Cybersecurity Communication SkillsEffective Cybersecurity Communication Skills
Effective Cybersecurity Communication SkillsJack Whitsitt
 

What's hot (20)

Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar SeriesCyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
 
The Basics of Cyber Insurance
The Basics of Cyber InsuranceThe Basics of Cyber Insurance
The Basics of Cyber Insurance
 
Proven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckProven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS Deck
 
Policy Guide for Legislators
Policy Guide for LegislatorsPolicy Guide for Legislators
Policy Guide for Legislators
 
Webinar: Understanding the Cyber Threat Landscape for Nonprofits
Webinar: Understanding the Cyber Threat Landscape for NonprofitsWebinar: Understanding the Cyber Threat Landscape for Nonprofits
Webinar: Understanding the Cyber Threat Landscape for Nonprofits
 
Cyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterCyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise Chapter
 
Webinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWebinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the Trenches
 
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threat
 
NIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack WhitsittNIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack Whitsitt
 
Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity
 
Cyber for Counties Guidebook
Cyber for Counties Guidebook Cyber for Counties Guidebook
Cyber for Counties Guidebook
 
Managing and insuring cyber risk - coverage of insurance policies
Managing and insuring cyber risk - coverage of insurance policiesManaging and insuring cyber risk - coverage of insurance policies
Managing and insuring cyber risk - coverage of insurance policies
 
A Manifesto for Cyber Resilience
A Manifesto for Cyber ResilienceA Manifesto for Cyber Resilience
A Manifesto for Cyber Resilience
 
CS3: Cybersecurity Extortion & Fraud
CS3: Cybersecurity Extortion & FraudCS3: Cybersecurity Extortion & Fraud
CS3: Cybersecurity Extortion & Fraud
 
CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin
 
Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers - Cyber Insurance 101Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers - Cyber Insurance 101
 
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnovProtecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
 
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
 
Effective Cybersecurity Communication Skills
Effective Cybersecurity Communication SkillsEffective Cybersecurity Communication Skills
Effective Cybersecurity Communication Skills
 

Similar to MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyRussell Publishing
 
Insider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdfInsider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdframsetl
 
We are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfWe are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfgalagirishp
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCybAnastaciaShadelb
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6seadeloitte
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperCMR WORLD TECH
 
11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of securityMatthew Pascucci
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks- Mark - Fullbright
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForcePatrick Bouillaud
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeErnst & Young
 

Similar to MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel (20)

Cybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaCybersecurity - Sam Maccherola
Cybersecurity - Sam Maccherola
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthy
 
Insider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdfInsider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdf
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
We are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfWe are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdf
 
IT & Network Security Awareness
IT & Network Security AwarenessIT & Network Security Awareness
IT & Network Security Awareness
 
BEA Presentation
BEA PresentationBEA Presentation
BEA Presentation
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
IBM Security Services
IBM Security ServicesIBM Security Services
IBM Security Services
 
Data Safety And Security
Data Safety And SecurityData Safety And Security
Data Safety And Security
 
11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
 
Puna 2015
Puna 2015Puna 2015
Puna 2015
 
IBM X-Force.PDF
IBM X-Force.PDFIBM X-Force.PDF
IBM X-Force.PDF
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-Force
 
Cybersecurity and liability your david willson
Cybersecurity and liability your david willsonCybersecurity and liability your david willson
Cybersecurity and liability your david willson
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 

More from Casey Ellis

Hack The Capitol - The Unlikely Romance - Critical Infrastructure Edition
Hack The Capitol - The Unlikely Romance - Critical Infrastructure EditionHack The Capitol - The Unlikely Romance - Critical Infrastructure Edition
Hack The Capitol - The Unlikely Romance - Critical Infrastructure EditionCasey Ellis
 
Release The Hounds: Part 2 “11 Years Is A Long Ass Time”
Release The Hounds: Part 2 “11 Years Is A Long Ass Time”Release The Hounds: Part 2 “11 Years Is A Long Ass Time”
Release The Hounds: Part 2 “11 Years Is A Long Ass Time”Casey Ellis
 
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowdCVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowdCasey Ellis
 
Bug bounty or beg bounty?
Bug bounty or beg bounty?Bug bounty or beg bounty?
Bug bounty or beg bounty?Casey Ellis
 
ACRNA Webinar #5: Cyber Security – The Unlikely Romance
ACRNA Webinar #5: Cyber Security – The Unlikely RomanceACRNA Webinar #5: Cyber Security – The Unlikely Romance
ACRNA Webinar #5: Cyber Security – The Unlikely RomanceCasey Ellis
 
Corncon 2021 - Inside the Unlikely Romance
Corncon 2021 - Inside the Unlikely RomanceCorncon 2021 - Inside the Unlikely Romance
Corncon 2021 - Inside the Unlikely RomanceCasey Ellis
 
#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...
#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...
#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...Casey Ellis
 
RELEASE THE HOUNDS, PART 2: 9 YEARS IS A LONG ASS TIME
RELEASE THE HOUNDS, PART 2: 9 YEARS IS A LONG ASS TIMERELEASE THE HOUNDS, PART 2: 9 YEARS IS A LONG ASS TIME
RELEASE THE HOUNDS, PART 2: 9 YEARS IS A LONG ASS TIMECasey Ellis
 
KEYNOTE: Nullcon 2021 - Security Research and Disclosure - The Unauthorized B...
KEYNOTE: Nullcon 2021 - Security Research and Disclosure - The Unauthorized B...KEYNOTE: Nullcon 2021 - Security Research and Disclosure - The Unauthorized B...
KEYNOTE: Nullcon 2021 - Security Research and Disclosure - The Unauthorized B...Casey Ellis
 
TechCrunch Early Stage 2020 - How to prioritize security at your startup
TechCrunch Early Stage 2020 - How to prioritize security at your startupTechCrunch Early Stage 2020 - How to prioritize security at your startup
TechCrunch Early Stage 2020 - How to prioritize security at your startupCasey Ellis
 
GRIMMCon: disclose.io - Taking the Internet's Immune System to the Next Level
GRIMMCon: disclose.io - Taking the Internet's Immune System to the Next LevelGRIMMCon: disclose.io - Taking the Internet's Immune System to the Next Level
GRIMMCon: disclose.io - Taking the Internet's Immune System to the Next LevelCasey Ellis
 
KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...
KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...
KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...Casey Ellis
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselCasey Ellis
 
Full Disclosure Debate - NBT 5
Full Disclosure Debate - NBT 5Full Disclosure Debate - NBT 5
Full Disclosure Debate - NBT 5Casey Ellis
 
KEYNOTE: The Unlikely Romance: Part 2 - What Now?
KEYNOTE: The Unlikely Romance: Part 2 - What Now?KEYNOTE: The Unlikely Romance: Part 2 - What Now?
KEYNOTE: The Unlikely Romance: Part 2 - What Now?Casey Ellis
 
Webinar kym-casey-bug bounty tipping point webcast - po edits
Webinar kym-casey-bug bounty tipping point webcast - po editsWebinar kym-casey-bug bounty tipping point webcast - po edits
Webinar kym-casey-bug bounty tipping point webcast - po editsCasey Ellis
 
NodeSummit 2016 - WELCOME TO THE BLUE TEAM! CREATING “OH SHIT” MOMENTS FOR FU...
NodeSummit 2016 - WELCOME TO THE BLUE TEAM! CREATING “OH SHIT” MOMENTS FOR FU...NodeSummit 2016 - WELCOME TO THE BLUE TEAM! CREATING “OH SHIT” MOMENTS FOR FU...
NodeSummit 2016 - WELCOME TO THE BLUE TEAM! CREATING “OH SHIT” MOMENTS FOR FU...Casey Ellis
 
AppSecUSA - Your License for Bug Hunting Season
AppSecUSA - Your License for Bug Hunting SeasonAppSecUSA - Your License for Bug Hunting Season
AppSecUSA - Your License for Bug Hunting SeasonCasey Ellis
 
ISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIES
ISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIESISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIES
ISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIESCasey Ellis
 
Introducing Bugcrowd
Introducing BugcrowdIntroducing Bugcrowd
Introducing BugcrowdCasey Ellis
 

More from Casey Ellis (20)

Hack The Capitol - The Unlikely Romance - Critical Infrastructure Edition
Hack The Capitol - The Unlikely Romance - Critical Infrastructure EditionHack The Capitol - The Unlikely Romance - Critical Infrastructure Edition
Hack The Capitol - The Unlikely Romance - Critical Infrastructure Edition
 
Release The Hounds: Part 2 “11 Years Is A Long Ass Time”
Release The Hounds: Part 2 “11 Years Is A Long Ass Time”Release The Hounds: Part 2 “11 Years Is A Long Ass Time”
Release The Hounds: Part 2 “11 Years Is A Long Ass Time”
 
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowdCVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
 
Bug bounty or beg bounty?
Bug bounty or beg bounty?Bug bounty or beg bounty?
Bug bounty or beg bounty?
 
ACRNA Webinar #5: Cyber Security – The Unlikely Romance
ACRNA Webinar #5: Cyber Security – The Unlikely RomanceACRNA Webinar #5: Cyber Security – The Unlikely Romance
ACRNA Webinar #5: Cyber Security – The Unlikely Romance
 
Corncon 2021 - Inside the Unlikely Romance
Corncon 2021 - Inside the Unlikely RomanceCorncon 2021 - Inside the Unlikely Romance
Corncon 2021 - Inside the Unlikely Romance
 
#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...
#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...
#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...
 
RELEASE THE HOUNDS, PART 2: 9 YEARS IS A LONG ASS TIME
RELEASE THE HOUNDS, PART 2: 9 YEARS IS A LONG ASS TIMERELEASE THE HOUNDS, PART 2: 9 YEARS IS A LONG ASS TIME
RELEASE THE HOUNDS, PART 2: 9 YEARS IS A LONG ASS TIME
 
KEYNOTE: Nullcon 2021 - Security Research and Disclosure - The Unauthorized B...
KEYNOTE: Nullcon 2021 - Security Research and Disclosure - The Unauthorized B...KEYNOTE: Nullcon 2021 - Security Research and Disclosure - The Unauthorized B...
KEYNOTE: Nullcon 2021 - Security Research and Disclosure - The Unauthorized B...
 
TechCrunch Early Stage 2020 - How to prioritize security at your startup
TechCrunch Early Stage 2020 - How to prioritize security at your startupTechCrunch Early Stage 2020 - How to prioritize security at your startup
TechCrunch Early Stage 2020 - How to prioritize security at your startup
 
GRIMMCon: disclose.io - Taking the Internet's Immune System to the Next Level
GRIMMCon: disclose.io - Taking the Internet's Immune System to the Next LevelGRIMMCon: disclose.io - Taking the Internet's Immune System to the Next Level
GRIMMCon: disclose.io - Taking the Internet's Immune System to the Next Level
 
KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...
KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...
KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
Full Disclosure Debate - NBT 5
Full Disclosure Debate - NBT 5Full Disclosure Debate - NBT 5
Full Disclosure Debate - NBT 5
 
KEYNOTE: The Unlikely Romance: Part 2 - What Now?
KEYNOTE: The Unlikely Romance: Part 2 - What Now?KEYNOTE: The Unlikely Romance: Part 2 - What Now?
KEYNOTE: The Unlikely Romance: Part 2 - What Now?
 
Webinar kym-casey-bug bounty tipping point webcast - po edits
Webinar kym-casey-bug bounty tipping point webcast - po editsWebinar kym-casey-bug bounty tipping point webcast - po edits
Webinar kym-casey-bug bounty tipping point webcast - po edits
 
NodeSummit 2016 - WELCOME TO THE BLUE TEAM! CREATING “OH SHIT” MOMENTS FOR FU...
NodeSummit 2016 - WELCOME TO THE BLUE TEAM! CREATING “OH SHIT” MOMENTS FOR FU...NodeSummit 2016 - WELCOME TO THE BLUE TEAM! CREATING “OH SHIT” MOMENTS FOR FU...
NodeSummit 2016 - WELCOME TO THE BLUE TEAM! CREATING “OH SHIT” MOMENTS FOR FU...
 
AppSecUSA - Your License for Bug Hunting Season
AppSecUSA - Your License for Bug Hunting SeasonAppSecUSA - Your License for Bug Hunting Season
AppSecUSA - Your License for Bug Hunting Season
 
ISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIES
ISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIESISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIES
ISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIES
 
Introducing Bugcrowd
Introducing BugcrowdIntroducing Bugcrowd
Introducing Bugcrowd
 

Recently uploaded

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 

MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

  • 1. Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel MCCA Global TEC Forum April 13, 2018 Casey Ellis | Chairman, Founder & CTO – Bugcrowd Elizabeth Cookson | Senior Analyst, Cyber – KIVU Consulting Jake Heath | Partner, Intellectual Property – Orrick LLP Moderator: Tony Kim | Partner, Cyber, Privacy & Data Innovation – Orrick LLP
  • 2.
  • 3. The Scope of the Problem
  • 4. What the World Economic Forum Thinks about Us (US)
  • 5. Where Do Cyberattacks Rank? Source: World Economic Forum Global Risks 2018
  • 6. (Sobering) Statistics Data Breaches Continue to Mount Source: The Breach Level Index, available at, http://breachlevelindex.com
  • 7. Biggest Breaches (2008-2009) Source: The Breach Level Index, available at, http://breachlevelindex.com
  • 9. Anatomy of a Typical External (Hack) Attack Nation State Organized Crime Hacktivists Initial Compromise Establish Foothold Escalate Privileges Internal Recon Lateral Movement Maintain Presence Malicious Insiders Network Perimeter Financial gain Cyber-extortion Cyber-espionage Competitive advantage Disruption Political Revenge Whistleblower WHY? Internal Damage Ransomware Data Access Data Acquisition
  • 10. Anatomy of a Typical Company Response Data Access Data Acquisition Initial Triage Forensic Investigation Notifications PR/Communications Law Enforcement Systems Remediation Insurance Recovery Public Disclosures Governance Auditors Regulator Investigations Lawsuits Customer Demands Remedies or Settlements
  • 11. Common Cost Components Initial Response Costs Business Losses Security consultants Lost revenue Forensic imaging Drop in stock value Restoring service / security upgrades Loss of customer confidence Customer Costs Legal Claims Breach notification Litigation (e.g., consumer or employee class action / shareholder derivative) costs and settlement payouts Identity theft problem Defense of government proceedings Credit monitoring Government fines or penalties Customer inducements PCI/Card brand assessments
  • 12. Transformative Costs Source: Cybersecurity Ventures and Herjavec Group (2017) “The greatest transfer of economic wealth in history” 2015 2021 $6 trillion $3 trillion Global annual cybercrime costs estimated to grow from $3 trillion to $6 trillion by 2021 Includes estimated costs for: • Damage and destruction of data • Stolen money/fraud/embezzlement • Lost productivity/disruption to operations • Theft of IP, personal data, financial data • Forensic investigation • Restoration and remediation • Reputational harm
  • 13. Brand Impact = As (or More) Important than Other Costs 74.8% 72.5% 80% of consumers worry about the security of their personal information. Temkin Group "Consumer Benchmark Survey" of consumers don’t believe organizations care about their private data and keeping it safe and secure. HyTrust Inc., the Cloud Security Automation Company 56% 40% 29% Political Action (sign a petition, contact a politician Stop/Reduce Technology Use Social Activity (post to social media, write an op-ed or letter) Actions your customers take when you falter of consumers believe failure to keep customer information secure has a significant negative impact on trust in a company. Edelman Trust Barometer: Financial Services Industry Source: Edelman Proprietary Study, 2014
  • 14. Companies are Under-Resourced / Staffed / Funded “Cybersecurity has a serious talent shortage” Source: Frost & Sullivan, Center for Cyber Safety and Education (2017) 2017 2022 1.8 million worker shortfall in information security Too few information security workers in my department The most common reason given for this phenomenon is lack of qualified personnel Companies may be looking in the wrong places for talent in this space: • 87% of cyber workers did NOT start in cyber • 30% of cyber workers came from non-IT and non- Engineering background • Disconnect: Managers deeply value communication and analytical skills vs. Candidates predictably prioritize high technical skills
  • 15. What is Legal’s Role? Lack of Tech Literacy Doesn’t Help “Lawyers don’t need to be coders, they just need not be Luddites” * • Techno-phobia • Continued view of cyber as primarily an IT or InfoSec function • Belief that lawyers should get involved after a breach happens (e.g., breach notification laws), or only in preparing to respond for a breach vs. preventive/mitigation measures • Belief that companies (good guys) can never keep pace with the bad guys in terms of funding, skill, or innovation * “Luddite” = (1) bands of English workers who destroyed machinery that they believed was threatening their jobs; (2) person opposed to new technology
  • 16. What is Legal’s Role? Tech Competence is Part of the Job A lawyer shall provide competent representation to a client…” Comment 8 to Model Rule of Professional Conduct 1.1: Maintaining Competence To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. (Emphasis added.)
  • 18. Researchers Are Trying to Help . . . Right?
  • 19. Source: Bugcrowd Bug Bounty 101 – How it Works
  • 20. Bug Bounty – Is there a Code of Conduct? “Is there Honor Among ‘Security Researchers’”?  Many security researchers have “day jobs,” so they are not out to extort or otherwise disadvantage companies  If you don’t play by the Bug Bounty rules, you will not get paid – including confidentiality  Transparency with respect to payment levels for bug severity levels, and level of documentation that must be shown for payment  Security researchers are “rated,” so reputation matters!
  • 21. Bug Bounty Programs = A Force Multiplier for Companies “It Takes a Crowd” Lack of Resources + expanding attack surfaces = more opportunity for adversaries.  Bug Bounty programs are used by many uber-sophisticated companies, and even the federal government  In 2 weeks, per company, security researchers typically find: Source: Bugcrowd
  • 22. Third-Party Managed Bug Bounty Programs Program Types Service Elements Source: Bugcrowd
  • 23. Designing Your Own Bug Bounty? The Department of Justice outlines a framework for designing a “vulnerability disclosure program” to address the concerns that such activity might violate the Computer Fraud and Abuse Act (18 U.S.C. 1030). See https://www.justice.gov/criminal-ccips/page/file/983996/download
  • 24. Do Bug Bounties Increase Legal Breach Notifications? Phase 1 Identification, Scoping and Severity Assessment Phase 2 Escalation and Deployment of IR Resources Phase 3 Investigation and Remediation Phase 4 Notification and Other External Communications Phase 5 Post-Incident Analysis and Preparation 1. Statutory duty to notify customers? Legal 2. Contractual duty to notify? Legal 3. “Voluntary” notification? Transparency • Generally, triggered on unauthorized “access” or “acquisition” of PI • 47 U.S. state laws + territories • HHS OCR / PCI / Interagency Guidelines • Rest-of-world • Contractual duties override statutory or regulatory duties on notification • Includes “quasi” contracts such as Privacy Policy and Terms of Use, Marketing, Advertising • Forensics are often inconclusive, which leads to a multi- factor decision tree • Voluntary notice scenarios based on facts, risk mitigation, ethical considerations Corporate Incident Response Plan Phases
  • 25. • How real is the legal risk around known security vulnerabilities? • Researchers can, and do, go public • Researchers can, and do, report to regulatory agencies • Regulators can, and do, bring investigations and enforcement actions based on vulnerabilities alone – even if there’s been no “data breach” – FTC Litigation: D-Link case – FTC/FCC: Stagefright inquiries to mobile device makers – SEC OCIE: Craig Scott Capital case – Litigation (both ways): St. Jude Medical / Muddy Waters case Is there Liability for a “Mere” Security Vulnerability?
  • 26. What’s the Game Plan? • How should we address security researchers who call or email (especially on a Friday before a holiday at 4:50 pm)? – Who should interact with the researcher? – Should you email or call, or both? – Do you ever acknowledge the vulnerability? Do you pay them? – Do you keep them updated on the status of your investigation, remediation? • Very helpful to have internal game plan for security researcher engagement, including how and who will make decision on payment • IR Planning – Legal and PR/crisis communications should be briefed and ready – Consideration of incorporating into IR plan, or parallel protocol
  • 29. Ransomware: What does it look like? The visual appearance of a ransomware attack may vary widely • Format of the ransom note • File extension • Disk-level ransomware vs. file-level ransomware • Scrambled filename vs. intact filename
  • 31. Rapid Acceleration Number of Ransomware Attacks Worldwide (in millions) Source: Statistica
  • 32. The No More Ransom Project
  • 34. Should you pay? “The FBI does not support paying a ransom to the adversary….. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom…… Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.”
  • 35. “Dude, stop crying.” Generation of rookie hackers emerges In the past, we were often engaging directly with the malware developer, who could help with software bugs and hiccups With rookie hackers, the tool is either poorly written and / or the actors are unable to help troubleshoot decryption issues
  • 36. Do companies actually pay? Source: Osterman Research (Survey of 540 CIOs/CISOs/IT Directors)
  • 37. How do (can) you pay? • Does your company/client have a bitcoin wallet? – Your vendor does! • Managed ransomware response: • Vendor takes over communications with attacker (often in attacker’s native language) – Vendor obtains and validates (tests) ransomware decryption tool – Vendor assists in negotiating down the ransom amount – Vendor fronts payment to attacker, in many circumstances – Vendor assists with actual/live decryption and remediation
  • 38. If you decide to pay . . . Call The Professionals The transaction goes the smoothest when the incident response team is brought in early
  • 39. Horror Stories Do Not Try This At Home When victims try to engage themselves, they may accidentally antagonize the attacker, or give up information that reveals their identity
  • 41. What is the legal framework? Civil or criminal liability for hacking Contractual duties re: security and/or breach notification Laws requiring security measures Notification to individuals and regulators Regulator enforcement consent decrees, and related requirements Regulator and industry standards, guidelines, and frameworks
  • 42. Are “Bugs” and “Ransomware” Notifiable Breach Events??? • Statutes – State statutes (plus D.C., Guam, P.R., V.I.); triggered when 1 or more affected individuals is a resident of the state; triggered on “access” or “acquisition” of PI elements – Industry/sector federal rules (e.g., HIPAA, Interagency Guidelines, NYDFS, DFARS) • Contracts – Contracts with customer and vendors (e.g., privacy policies, terms of use, etc.) – Almost always define “breaches” more broadly than statutes • Industry Rules (e.g., Payment Card Industry – PCI) • SEC public company disclosures (e.g., Form 8-K) • Client’s Internal Policies and Procedures
  • 43. What have regulators said about Ransomware? “[A] breach has occurred because the [data] encrypted by the ransomware was acquired … and thus is a ‘disclosure’” where security incident defined as “the acquisition, access, use of disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” 45 C.F.C. 162.402. Special focus on results of forensic analysis and risk assessment “A company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act.” -- (Then) Chairwoman Edith Ramirez (2016) Failure to address “pervasive security bugs” that leave systems vulnerable to malware will be a key factor in the FTC’s decision to open an investigation or pursue an enforcement action.
  • 45. SEC and DOJ Investigations
  • 46. Incident Response (IR) Planning Do you have an IR Team? An IR Plan? Have you practiced? Identify Triage & Contain Analyze & Investigate Remove & Recover Prepare Corporate IR Plan Cross- Functional IR Team Cross-Functional IR Team Key Internal Members IR Team Leader Executive Liaison General Counsel/Legal Privacy Officer IT Security Physical Security Corp. Communications Customer Support Human Resources Risk Management Key External Members Outside Counsel Forensics Crisis Communications Investor Relations Vendors (mail house, call center, credit monitoring)
  • 47. Other Key Elements of Proactive Cybersecurity Programs • Executive CISO or equivalent function responsible for cybersecurity with regular and direct reporting to Board (Audit/Risk) Committee • Inventory of data and network assets subject to attack (e.g., data map, network map) • Regular enterprise-wide cybersecurity assessments, properly scoped and managed (not just “pen tests” or routine vulnerability scans, but more holistic) • Participation in threat intelligence sharing forums to develop understanding of threat landscape (e.g., ISACs) • Certifications to PCI DSS, ISO/IEC standards, such as ISO/IEC 27001:013, etc. • Encryption of sensitive data in-transit (and at-rest, as appropriate), privilege/identity access management, etc. . . . and other bare minimum protective controls
  • 48. Other Key Elements (cont’d) • Inclusion of cybersecurity-related provisions and audit rights in vendor and business partner contracts, with program for auditing compliance • Implementation of training programs for employees and security team on cybersecurity awareness and response • Retention of experts and consultants to provide technical services for purpose of providing legal advice regarding risk • Procurement of cyber insurance to cover costs of forensic analysis, legal services, public relations, credit monitoring, litigation defense, etc. • Explicity consideration of evolving scenarios like Bug Bounties and Ransomware – and how they fit into, or necessitate adjustments to, company’s security breach incident response plan (IRP)