Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida

568 views

Published on

Cybersecurity 2014: The Impact of Policies and Regulations on Companies by Andrea Almeida from the First Semi-Annual Cyber Security Conference in Plano, Texas held September 26-27, 2014.

  • Be the first to comment

  • Be the first to like this

NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida

  1. 1. © Copyright 2012, Horzepa Spiegel & Associates, PC. September 26, 2014 Cybersecurity 2014: The Impact of Policies and Regulations on Companies By Andrea Almeida
  2. 2. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. Agenda 1. Introduction 2. Understanding the Threats a. Advanced Persistent Threats b. Trade Secret Theft/Industrial Espionage c. Data Breaches d. Cyber Vandalism 3. The United States Legal & Policy Environment 4. Responding to a Cyber Incident 5. Conclusion
  3. 3. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. I - Introduction • Cybercrime has become an item of international focus – hackers from all parts of the globe. • Businesses face unique difficulties not only addressing cyber security but also mitigating cyber crime. • Cost of handling cyber issues: Report from the Center for Strategic and International Studies – cybercrime costs the US economy $100 billion on an annual basis. • Reputational Damage is one of the greatest risks and impossible to buy back
  4. 4. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. II - Understanding the Threats a. Advanced Persistent Threats (“APT”) ü Highly sophisticated, professional intrusions into secure networks ü Typical techniques include spear-phishing and social engineering combined with zero-day exploits ü Typical perpetuator suspected to be nation-states ü Ex1: Recent case study: purportedly Chinese People’s Liberation Army Unit 61398 devoted to cyber warfare and cyber espionage. ü Ex 2: US Senate panel: found hackers associated with the Chinese government have repeatedly infiltrated the computers systems of US airlines, technology companies and US military contractors.
  5. 5. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. b.Trade Secret Theft/Industrial Espionage ü The vast majority involved insiders. Theft on behalf of foreign corporations is common (over 30%) but can come from domestic sources too. ü Thieves often highly educated or senior employees (one defendant was a Nobel Prize nominee). Examples: ü United States v. Pani, No. 4:08-CR-40034 (D. Mass. 2008) – Intel employee stole processor designs from her company to benefit competitor AMD ü Dongfan Greg Chung (US v. Chung, 8:08-CR-00024 (NDCal 2008)) – Sent over 300,000 pages of documents on the space shuttle, Delta IV Rocket, F-15 Fighter, B-52 Bomber and Chinook helicopter to China over 30 years. Sentenced to imprisonment for 15 years, 8 months
  6. 6. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. c. Data Breaches ü From 2005 to present = 607 million usernames, passwords, bank account numbers, credit card numbers, social security numbers, phone numbers, or mailing addresses have been lost, stolen, or compromised. ü 47 states states have data breach notification laws except Alabama, New Mexico and South Dakota. ü Most breaches involve dozens of different state laws ü Costs of response and remediation can be tens of millions of dollars.
  7. 7. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. d. Cyber Vandalism ü Attackers are generally unknown and motivated by socio-political agenda or personal amusement ü Attacks typically are limited to defaced web pages, but other attacks can be devastating. ü Ex 1: Sony Playstation hack – some have speculated that the attack was retaliation for perceived unfair business practices by Sony. ü Ex 2: Doxxing, which is the release of private information online.
  8. 8. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. III -The U.S. Legal & Policy Environment •2013 Executive Order on Improving Critical Infrastructure Cyber security •Cyber Intelligence Sharing and Protection Act of 2013 (“CISPA”) •Cyber security Act of 2013 •National Cyber security and Critical Infrastructure Protection Act of 2014 (“NCIP”) •Personal Data Privacy and SecurityAct of 2014. •Data Security Act of 2014
  9. 9. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. Executive Order on Improving Critical Infrastructure Cyber security • Creation of Cybersecurity Framework: voluntary program includes incentives • Information sharing and Identification of critical infrastructure for which a cyber security attack could have catastrophic effects • Agencies to determine whether existing regulations are sufficient and take regulatory action to address deficiencies • Use of the federal procurement process to encourage contractors to enhance information security practices. • Consideration of privacy and civil liberties issues.
  10. 10. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. Cyber Security Framework created by NIST • NIST worked with Critical Infrastructure (“CI”) owners and operators ie trade associations, public & private sector organizations • To develop a voluntary, risk-based framework to promote and enhance the security and resiliency of CI and • To help organizations, regardless of industry sector or size, to manage cyber risk. • Is intended to be voluntary and flexible. • Not intended to replace existing sector standards or to add an unnecessary layer on existing standards and practices.
  11. 11. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. The Framework is composed of: • Framework Core, a set of cyber security activities and outcomes applicable across all Critical Infrastructure sectors • Framework Profile, which allows organizations to apply cyber security activities to its unique business requirements, risk tolerances and resources and • Framework Implementation Tiers, which allow an organization to gauge its cyber security by comparing characteristics and approaches to managing cyber risks.
  12. 12. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. Data Security Rules • Federal Law • Fair Credit Reporting Act (“FCRA”) • Gramm-Leach-BlileyAct (“GLBA”) • Children’s Online Privacy Protection Act (“COPPA”) • Health Insurance Portability and Accountability Act (“HIPAA”) • Health Information Technology for Economic and Clinical Health (“HITECH”) • Fair and Accurate Credit Transactions Act (“FACTA”)Disposal Rule • FTC Act
  13. 13. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. Data Security Rules Cont…. • State Requirements • Data Breach notification laws • Data Security laws – require business to maintain data security standards to protect state residents’ personal information from being compromised. • Industry Standards • PCI DSS • ISO • NIST
  14. 14. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. SEC Cybersecurity Guidance • Companies are not disclosing enough. • Vast majority of companies that addressed cyber issues used only boilerplate language. • [B]oards must take seriously their responsibility to ensure that management has implemented effective risk management protocols. Boards of directors are already responsible for overseeing the management of all types of risk, including credit risk, liquidity risk, and operational risk and there can be little doubt that cyber-risk also must be considered as part of board’s overall risk oversight. The recent announcement that a prominent proxy advisory firm [Institutional Shareholders Services (ISS)] is urging the ouster of most of the Target Corporation directors because of the perceived “failure…to ensure appropriate management of [the] risks” as to Target’s December 2013 cyber- attack is another driver that should put directors on notice to proactively address the risks associated with cyber-attacks. By Luis Aguilar, SEC Commissioner
  15. 15. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. IV – Responding to a Cyber Incident 1.First Steps: a. Understand and identified unusual behavior a. Don’t disregard threat notifications from law enforcement a. Begin to assess the nature of the attack a. Consider insurance and notify quickly.
  16. 16. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. 2. Conduct an Investigation a - Assess potentially significant legal ramifications b - Understand i. Nature of the compromise ii. Data and systems at issue iii.Whether communications systems are secure iv.Whether insiders are involved c - Whether to retain third party forensic expert d - Preserve privilege by involving Legal e - Consider forensic imaging f - Restore the integrity of the system
  17. 17. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. 3. Coordination with Regulators and Law Enforcement ü Law enforcement often has a broader view into cyber threats ü Establish an early line of communication ü Assess whether the new obligations resulting from enhanced information-sharing are applicable to your company ü Determine the most appropriate agency. ü Depends on the nature of the compromise local, federal and international Law enforcement may be necessary
  18. 18. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. 4. Legal Considerations a. Understand your legal obligations arising out of a Cyber event 1. Legal hold 2. Breach notification and other obligations ü State, Federal and International Law ü Industry Standards ü Contractual Obligations ü SEC reporting b. Proactive Measures 1. Offensive Llitigation 2.Active Defense Strategy
  19. 19. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. 5. Notification Process a. Where appropriate or required craft formal notification and reporting documents ü Must be done carefully (and quickly) ü Consider hiring a PR expert b. Take proactive measures to mitigate risks ü Manage media response ü Assemble call center ü Develop FAQs and train agents ü Consider identity protection service
  20. 20. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. 6. Risk and Disputes Management a. Assist law enforcement with criminal prosecution of attackers a. Defend against legal actions ü Regulatory enforcement: State and Federal ü Class Action Litigation b. Manage disputes with business partners and other third parties a. Manage insurance claims
  21. 21. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. 7. Good Cybersecurity Practices a. Engage senior management. Cybersecurity is a governance issue. a. Identify and classify sensitive data a. Develop written information security policies and procedures a. Continually assess status of technical and physical protections a. Maintain (and practice) incident response plan a. Manage employee and vendor risks a. Train employees and increase awareness
  22. 22. © Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC. THANK YOU!!!

×