NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida

© Copyright 2012, Horzepa Spiegel & Associates, PC.
September 26, 2014
Cybersecurity 2014: The Impact of
Policies and Regulations on Companies
By Andrea Almeida

© Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC.
Agenda
1. Introduction
2. Understanding the Threats
a. Advanced Persistent Threats
b. Trade Secret Theft/Industrial Espionage
c. Data Breaches
d. Cyber Vandalism
3. The United States Legal & Policy Environment
4. Responding to a Cyber Incident
5. Conclusion

I - Introduction
• Cybercrime has become an item of international focus – hackers from
all parts of the globe.
• Businesses face unique difficulties not only addressing cyber security
but also mitigating cyber crime.
• Cost of handling cyber issues: Report from the Center for Strategic
and International Studies – cybercrime costs the US economy $100
billion on an annual basis.
• Reputational Damage is one of the greatest risks and impossible to
buy back

II - Understanding the Threats
a. Advanced Persistent Threats (“APT”)
ü Highly sophisticated, professional intrusions into secure networks
ü Typical techniques include spear-phishing and social engineering
combined with zero-day exploits
ü Typical perpetuator suspected to be nation-states
ü Ex1: Recent case study: purportedly Chinese People’s Liberation
Army Unit 61398 devoted to cyber warfare and cyber espionage.
ü Ex 2: US Senate panel: found hackers associated with the Chinese
government have repeatedly infiltrated the computers systems of
US airlines, technology companies and US military contractors.

b.Trade Secret Theft/Industrial
Espionage
ü The vast majority involved insiders. Theft on behalf of foreign
corporations is common (over 30%) but can come from
domestic sources too.
ü Thieves often highly educated or senior employees (one
defendant was a Nobel Prize nominee). Examples:
ü United States v. Pani, No. 4:08-CR-40034 (D. Mass. 2008) –
Intel employee stole processor designs from her company to
benefit competitor AMD
ü Dongfan Greg Chung (US v. Chung, 8:08-CR-00024 (NDCal
2008)) – Sent over 300,000 pages of documents on the
space shuttle, Delta IV Rocket, F-15 Fighter, B-52 Bomber
and Chinook helicopter to China over 30 years. Sentenced
to imprisonment for 15 years, 8 months

c. Data Breaches
ü From 2005 to present = 607 million usernames, passwords,
bank account numbers, credit card numbers, social security
numbers, phone numbers, or mailing addresses have been lost,
stolen, or compromised.
ü 47 states states have data breach notification laws except
Alabama, New Mexico and South Dakota.
ü Most breaches involve dozens of different state laws
ü Costs of response and remediation can be tens of millions of
dollars.

d. Cyber Vandalism
ü Attackers are generally unknown and motivated by socio-political
agenda or personal amusement
ü Attacks typically are limited to defaced web pages, but other attacks
can be devastating.
ü Ex 1: Sony Playstation hack – some have speculated that the attack was
retaliation for perceived unfair business practices by Sony.
ü Ex 2: Doxxing, which is the release of private information online.

III -The U.S. Legal & Policy Environment
•2013 Executive Order on Improving Critical Infrastructure Cyber
security
•Cyber Intelligence Sharing and Protection Act of 2013 (“CISPA”)
•Cyber security Act of 2013
•National Cyber security and Critical Infrastructure Protection Act of
2014 (“NCIP”)
•Personal Data Privacy and SecurityAct of 2014.
•Data Security Act of 2014

Executive Order on Improving Critical
Infrastructure Cyber security
• Creation of Cybersecurity Framework: voluntary program includes
incentives
• Information sharing and Identification of critical infrastructure for
which a cyber security attack could have catastrophic effects
• Agencies to determine whether existing regulations are sufficient
and take regulatory action to address deficiencies
• Use of the federal procurement process to encourage contractors
to enhance information security practices.
• Consideration of privacy and civil liberties issues.

Cyber Security Framework created by
NIST
• NIST worked with Critical Infrastructure (“CI”) owners and
operators ie trade associations, public & private sector organizations
• To develop a voluntary, risk-based framework to promote and
enhance the security and resiliency of CI and
• To help organizations, regardless of industry sector or size, to
manage cyber risk.
• Is intended to be voluntary and flexible.
• Not intended to replace existing sector standards or to add an
unnecessary layer on existing standards and practices.

The Framework is composed of:
• Framework Core, a set of cyber security activities and
outcomes applicable across all Critical Infrastructure sectors
• Framework Profile, which allows organizations to apply cyber
security activities to its unique business requirements, risk
tolerances and resources and
• Framework Implementation Tiers, which allow an
organization to gauge its cyber security by comparing
characteristics and approaches to managing cyber risks.

Data Security Rules
• Federal Law
• Fair Credit Reporting Act (“FCRA”)
• Gramm-Leach-BlileyAct (“GLBA”)
• Children’s Online Privacy Protection Act (“COPPA”)
• Health Insurance Portability and Accountability Act
(“HIPAA”)
• Health Information Technology for Economic and Clinical
Health (“HITECH”)
• Fair and Accurate Credit Transactions Act
(“FACTA”)Disposal Rule
• FTC Act

Data Security Rules Cont….
• State Requirements
• Data Breach notification laws
• Data Security laws – require business to maintain data
security standards to protect state residents’ personal
information from being compromised.
• Industry Standards
• PCI DSS
• ISO
• NIST

SEC Cybersecurity Guidance
• Companies are not disclosing enough.
• Vast majority of companies that addressed cyber issues used only
boilerplate language.
• [B]oards must take seriously their responsibility to ensure that
management has implemented effective risk management protocols.
Boards of directors are already responsible for overseeing the
management of all types of risk, including credit risk, liquidity risk,
and operational risk and there can be little doubt that cyber-risk also must be
considered as part of board’s overall risk oversight. The recent announcement
that a prominent proxy advisory firm [Institutional Shareholders
Services (ISS)] is urging the ouster of most of the Target Corporation
directors because of the perceived “failure…to ensure appropriate
management of [the] risks” as to Target’s December 2013 cyber-
attack is another driver that should put directors on notice to
proactively address the risks associated with cyber-attacks. By Luis
Aguilar, SEC Commissioner

IV – Responding to a Cyber Incident
1.First Steps:
a. Understand and identified unusual behavior
a. Don’t disregard threat notifications from law enforcement
a. Begin to assess the nature of the attack
a. Consider insurance and notify quickly.

2. Conduct an Investigation
a - Assess potentially significant legal ramifications
b - Understand
i. Nature of the compromise
ii. Data and systems at issue
iii.Whether communications systems are secure
iv.Whether insiders are involved
c - Whether to retain third party forensic expert
d - Preserve privilege by involving Legal
e - Consider forensic imaging
f - Restore the integrity of the system

3. Coordination with Regulators and
Law Enforcement
ü Law enforcement often has a broader view into cyber threats
ü Establish an early line of communication
ü Assess whether the new obligations resulting from enhanced
information-sharing are applicable to your company
ü Determine the most appropriate agency.
ü Depends on the nature of the compromise local, federal and
international Law enforcement may be necessary

4. Legal Considerations
a. Understand your legal obligations arising out of a Cyber event
1. Legal hold
2. Breach notification and other obligations
ü State, Federal and International Law
ü Industry Standards
ü Contractual Obligations
ü SEC reporting
b. Proactive Measures
1. Offensive Llitigation
2.Active Defense Strategy

5. Notification Process
a. Where appropriate or required craft formal notification and
reporting documents
ü Must be done carefully (and quickly)
ü Consider hiring a PR expert
b. Take proactive measures to mitigate risks
ü Manage media response
ü Assemble call center
ü Develop FAQs and train agents
ü Consider identity protection service

6. Risk and Disputes Management
a. Assist law enforcement with criminal prosecution of attackers
a. Defend against legal actions
ü Regulatory enforcement: State and Federal
ü Class Action Litigation
b. Manage disputes with business partners and other third parties
a. Manage insurance claims

7. Good Cybersecurity Practices
a. Engage senior management. Cybersecurity is a governance issue.
a. Identify and classify sensitive data
a. Develop written information security policies and procedures
a. Continually assess status of technical and physical protections
a. Maintain (and practice) incident response plan
a. Manage employee and vendor risks
a. Train employees and increase awareness

THANK YOU!!!

NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida

More Related Content

What's hot

Viewers also liked

Similar to NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida

More from North Texas Chapter of the ISSA

Recently uploaded

NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida