A one-hour presentation to school board officials in Ontario on cyber security issues, covering the threat environment, defence, incident response, threat information sharing and vendor issues.
Critical issues in school board cyber security

2. Agenda
o The current threat environment
o Measuring up your defences
o Getting ready to respond
o Reporting, notifying and sharing
o Managing supply chain risks
4. Types of incidents and attacks (The current threat environment)
o High impact, moderate probability
  • Ransomware (encryption + data theft)
  • Business e-mail compromise
o Moderate impact, moderate probability
  • Misconfiguration incidents
  • E-mail failures
5. The public sector is a target (The current threat environment)
o The public sector has been a significant target
o Questions
  • Are we low hanging fruit?
  • Do we attract less “professional” criminals who are harder to manage?
  • Can we count on promises not to target the public sector?
6. The cost of a ransomware attack (The current threat environment)
o IBM/Ponemon put the average cost of an attack in 2021 at $4.62 million USD
o Costs are being driven by data exfiltration of loose files, which often requires e-discovery and heavy individualized
  • More files stolen = more cost
  • More variation in files = more cost
  • Less organization in files = more cost
o Ransom demands are also rising
7. The cost of a ransomware attack: Incident Response Budget (Major) (The current threat environment)

  Advisors
    Remediation and forensics expert    $   150,000.00
    Threat actor expert                 $    10,000.00
    Legal counsel                       $    75,000.00
  Remediation costs
    Payment                             $   400,000.00
    Misc                                $    10,000.00
  Notification costs
    E-discovery                         $   400,000.00
    Credit monitoring                   $    50,000.00
    Notification costs                  $    30,000.00
  TOTAL                                 $ 1,125,000.00
9. Attack vectors (Measuring up your defences)
o RDP compromise and e-mail phishing have been the top attack vectors
o Microsoft Exchange and other critical software vulnerabilities played an increasingly prominent role in 2021
10. Marsh’s 12 key controls (Measuring up your defences)
o Low hanging fruit
  • Multi-factor authentication, secure remote access via VPN
o Are you investing enough?
  • Security awareness – phishing simulations?
  • Patch and vulnerability management
  • Incident response readiness
  • Legacy technologies
o The wish list
  • Endpoint detection, security operations centre support
11. Data governance (Measuring up your defences)
o The ideal
  • Records scheduled
  • Information classified
  • Protections applied
o The reality
  • No classification and no control over sensitive files, including spreadsheets
  • Copies of loose files in e-mail accounts and across the network, all unencrypted
  • Pay dirt for ransomware actors
o What to do
  • Create a rule about copies of sensitive documents
  • Scan the network periodically to check on compliance
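The "scan the network periodically" step is the one technical control on this slide, so here is an added example of what such a compliance scan can look like. It is not code from the presentation; it is illustrative only. It walks a directory tree (assumed to be a mounted file share) and reports two things: files whose text contains a nine-digit number in Social Insurance Number layout that passes the Luhn check (a stand-in for "sensitive document"; the SIN pattern, the Luhn filter and the size cap are assumptions for the example), and byte-identical files found in more than one place, which is what a "no copies of sensitive documents" rule is meant to catch. The sample share, the file names and the SIN-shaped values in it are constructed for this example.

```python
"""Compliance scan for loose copies of sensitive files (added example,
not part of the presentation).

Reports, for a directory tree assumed to be a mounted share:
  1. files whose text contains a Luhn-valid nine-digit number in SIN layout
     (a proxy for "sensitive document"; an assumption for this example);
  2. byte-identical files found in more than one place, i.e. copies that
     break a "no copies of sensitive documents" rule.
The sample tree built by build_sample_tree() is constructed, not real data.
"""
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Three groups of three digits, optionally separated by a space or hyphen.
SIN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")
MAX_BYTES = 5 * 1024 * 1024  # assumed cap: skip large binaries


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check. SINs are Luhn-valid, so this drops most random
    nine-digit strings (phone fragments, invoice numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sins(text: str) -> list:
    """Return the SIN-shaped substrings of text that pass the Luhn check."""
    return [m.group(0) for m in SIN_RE.finditer(text)
            if luhn_ok("".join(m.groups()))]


def sha256_file(path: Path) -> str:
    """Stream-hash a file so identical copies can be grouped by digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root) -> dict:
    """Return {"sensitive": [(relpath, hit_count), ...],
               "duplicates": [[relpath, ...], ...]} for the tree under root."""
    root = Path(root)
    sensitive = []
    by_hash = defaultdict(list)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.stat().st_size > MAX_BYTES:
            continue
        rel = path.relative_to(root).as_posix()
        by_hash[sha256_file(path)].append(rel)
        # Plain-text read only; a real scan needs a text extractor for
        # .xlsx/.docx (zip containers), otherwise spreadsheets are missed.
        hits = find_sins(path.read_text(encoding="utf-8", errors="ignore"))
        if hits:
            sensitive.append((rel, len(hits)))
    duplicates = [paths for paths in by_hash.values() if len(paths) > 1]
    return {"sensitive": sensitive, "duplicates": duplicates}


def build_sample_tree() -> Path:
    """Constructed sample share: a payroll export, two stray copies of it,
    and two decoys. 046 454 286 is Luhn-valid; 123 456 789 is not."""
    payroll = "name,sin\nJane Doe,046 454 286\nJohn Roe,046-454-286\n"
    files = {
        "HR/payroll_2021.csv": payroll,
        "Staff/j.doe/Desktop/payroll_2021 (copy).csv": payroll,
        "Mail/export/attachments/payroll_2021.csv": payroll,
        "Finance/invoices.csv": "vendor,ref\nAcme,123 456 789\n",
        "Public/newsletter.txt": "Call the office at 416 555 0199.\n",
    }
    root = Path(tempfile.mkdtemp(prefix="share-"))
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text, encoding="utf-8")
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    for rel, n in report["sensitive"]:
        print(f"SENSITIVE  {rel} ({n} SIN-like values)")
    for group in report["duplicates"]:
        print("DUPLICATES " + " | ".join(group))
```

Run against the constructed share, the scan flags the three payroll files as sensitive, groups them as one set of duplicates, and ignores the invoice reference (fails Luhn) and the phone number (wrong shape). In practice the scan would run from a service account with read-only access to the shares, on a schedule, and its output would go to whoever owns the "no copies" rule rather than to the file owners.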
13. Incident response practice: the response cycle
o Contain: starts with the disconnection of services
o Remediate: bring the services back safely; often relies upon special software
o Investigate: starts at time zero and continues in iterations; includes speaking with the threat actor; formal forensic investigation is usually required
o Mitigate: under legal counsel guidance, address the impact of the incident; may include reporting, notification and information sharing
o Close: look at the cause and commit to improvements
14. Do you have a plan? (Incident response practice)
o You must have one that
  • Defines what “incidents” you will respond to
  • Sets out the basic response tasks
  • Assigns responsibilities for response
  • Commits to updating the plan with lessons learned
o You must also practice or test – it is a clear part of the standard of care (actual incident, tabletop or operational exercise every 15 months)
15. Does your team understand it? (Incident response practice)
o Plans are of little to no use unless they are used as a preparation tool
o Many are created without team engagement
o They are not aligned with the reality of incident response
o They are not understood by law
o To be prepared, conduct a “facilitated review” of your plan with team members
o What does the plan mean? How will we actually do this? Then adjust.
o Once you do this, then you’ll be ready for a tabletop exercise
16. Do you know the answers? (Incident response practice)
o Who’s on the team? Always? Sometimes?
o When do we tell the Board?
o What services are our priority?
o Do we host information for any other organizations? What do the MOAs say?
o How will we communicate with each other if e-mail is down?
o Who are our external stakeholders? When do we tell them?
o Do we share threat information with other Boards? What? When?
o What external experts will we use? Are they acceptable to our insurer? How do we reach them?
18. Reporting (Reporting, notifying and sharing)
o Police – voluntary
  • Typically done early, to help with the management of stakeholders when the incident is apparent to the public
  • Local police have jurisdiction, but a report can also be made through the OPP
o IPC – voluntary or mandatory
  • Only PHIPA has mandatory reporting
  • The IPC’s mandate and jurisdiction is to deal with misuse and theft of personal information, not cyber incidents without such an impact
19. Notifying (Reporting, notifying and sharing)
o Mandatory under PHIPA, voluntary under FIPPA/MFIPPA, and also a matter of mitigating the risk of civil liability
o Purpose is to alert individuals to a risk so they can take steps to protect themselves
o In general, notify based on a risk assessment and not automatically
o The same goes for extending credit monitoring offers – do so based on a risk assessment and not automatically
o Mass notification may be an option to deal with large populations
20. Sharing (Reporting, notifying and sharing)
o Voluntary, but there are many reasons to share threat information with others in the public sector
  • Indicators of compromise (IOCs)
  • Tactics, techniques and procedures (TTPs)
o Threat information has a limited shelf life, so it must be shared early, and before the public knows much about an incident
o There is therefore a need to share in confidence with a trusted network or through a trusted intermediary
22. The context (Managing supply chain risks)
o More and more public sector IT infrastructure is being outsourced to third parties
o Legal accountability for storing personal information remains with the institution
o There is a duty of due diligence that needs to be met, covering
  • The go or no-go decision
  • The identity of the vendor
  • The vendor’s controls
  • The contract
  • Administering the relationship
23. Contract terms to aim for (Managing supply chain risks)
o Compliance with privacy legislation
o Ownership of data
o Use and disclosure limitation
o Notice of legal demands
o Notice of access requests
o Reasonable security controls
o Security audit right
o Notice of security incident
o No limitation of liability
o Express indemnification for breach of promises (not just wilful misconduct and gross negligence)
o Cyber insurance minimum
o Secure disposition
o Governed by local law
24. When your vendor has an incident (Managing supply chain risks)
o Seek clarity on who is accountable (or should be treated as accountable) to the affected individuals
o Seek an appropriate level of control over outreach to affected individuals
o Even if you remain at arm’s length, demand an appropriate level of “visibility”
o But don’t interfere with the vendor’s investigation process – do you really need daily meetings?
Talk lots about this
But we need to keep talking
No shortage of complexity, change or learning
I’ll come back to that
That’s my key takeaway though
Get IT together with executive teams
Talk often, talk regularly
And today’s maybe a start to that
There’s lots to talk about
Here’s a sampling of the key issues
We’ll do a survey of them here
…
Been lean
Should have time for questions
-here’s the most prevalent types of incidents you should be concerned about
-risk matrix embedded here
-impact x, probability y