MYTHBUSTERS: Can You Secure Payments in the Cloud? by Kurt Hagerman
Discussion of if and how you can secure payments in the cloud. Covers the issue, compliance considerations, regulatory changes and their impact, and provides a rationale for using a cloud to decouple your payments processes from your legacy infrastructure.
Who Is the Next Target? Proactive Approaches to Data Security by Ulf Mattsson
The landscape of threats to sensitive data is changing. New technologies bring with them new vulnerabilities, and organizations like Target are failing to react properly to the shifts around them. What's needed is an approach equal to the persistent, advanced attacks companies face every day. The sooner we start adopting the same proactive thinking hackers are using to get at our data, the better we will be able to protect it.
Webinar: Be Cyber Smart – Stories from the Trenches by Withum
Technology has permeated pretty much every corner of our lives, and hacker techniques are becoming more sophisticated. As a result, cybersecurity best practices have expanded; it's not just about training and awareness anymore.
This presentation provides an overview of lurking threats and best practices to protect your organization from an attack. Experts from Withum and Axos Bank share stories of what went wrong for other organizations and advise on how to reduce risk and keep your information safe.
The trends continue to point upward for data incidents and 2013 is becoming a pace setter. The shifting regulatory landscape promises to add further complications for companies struggling to prepare for and respond to data privacy incidents.
This webinar will feature two leading data breach experts who have performed a two year trend analysis across hundreds of cases to offer a powerful and up-to-date perspective on what has happened and their predictions for the future. It will also cover how these factors are shaping regulations which are in turn influencing decision-making in the C-Suite.
Our featured speakers for this timely webinar will be:
-Bill Hardin, Director of Data Privacy Response & Investigations, Navigant
-Jennifer Coughlin, Privacy and Data Security Attorney, Nelson, Levine
-Gant Redmon, Esq. General Counsel and VP of Business Development, Co3 Systems
Why law firms are vulnerable to cyber attack
What are lawyer's ethical duties
The value of privilege & how to obtain it
The value of the security assessment
The value of continuous security monitoring
Proven Practices to Protect Critical Data - DarkReading VTS Deck by NetIQ
NetIQ was a Platinum sponsor for “Plugging the Leaks: Finding and Fixing the IT Security Holes in Your Enterprise,” a virtual trade show (VTS) produced by Information Week Magazine and Dark Reading.
This was our presentation deck, "Proven Practices to Protect Critical Data", presented live by Matt Mosley, Senior Product Manager, and Matt Ulery, Director of Product Management. They explored some of the most significant problems facing security teams tasked with protecting critical data, and revealed some of the most effective approaches and technology that can be used to quickly identify real threats.
Cybersecurity 2014: The Impact of Policies and Regulations on Companies by Andrea Almeida from the First Semi-Annual Cyber Security Conference in Plano, Texas held September 26-27, 2014.
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian by PECB
Short description:
In this webinar, we will explore the current trends, predictions and other matters relevant to GDPR enforcement. We will also touch on the big fines, such as those imposed on Facebook, Google and Experian, and guide you on how to stay out of trouble with the regulation.
Main points covered:
• A summary of ICO enforcement action in the UK over the past 12 months
• What organizations got wrong?
• The big fines – Facebook and Experian
• Trends and predictions
• How to keep out of trouble with the regulator
Presenter:
Our presenter for this webinar, James Castro-Edwards is a partner and Head of Data Protection at Wedlake Bell LLP. James advises domestic and multinational organizations on data protection issues. His experience includes managing global data protection compliance projects for multinationals and advising domestic companies on complex data protection issues. He has also developed and delivered innovative data protection training programs for multinational clients, including a data protection officers’ training course which was accredited by a European government. James leads the firm’s outsourced data protection officer service, ProDPO.
James frequently speaks on data protection and cybersecurity issues and is widely published, having written articles for a wide variety of titles including The Times and The Guardian, and wrote The Law Society textbook on the General Data Protection Regulation (GDPR).
Recorded Webinar: https://youtu.be/QAF1XXTBFyg
Master Data in the Cloud: 5 Security Fundamentals by Sarah Fane
Your master data is essential to the smooth operation of your business. But it is also valuable to others. Master data is vulnerable to both internal and external attacks. As the future of business and data is increasingly cloud-based, we explore five fundamentals to ensure the security of your data.
Data Security: Why You Need Data Loss Prevention & How to Justify It by Marc Crudgington, MBA
With the increasing number of cyber-attacks, and with incidents often occurring weeks, months or even years before the breach is discovered, simply securing your perimeter is no longer enough to protect your most critical assets. Privacy breaches are averaging upwards of $200 per record, and studies have shown that intellectual property infringement costs the average company $101.9 million in revenue.
Key points addressed include:
• The Impact of Cyber Crime on our Economy
• The Cost Companies are incurring due to Cyber Crime and Data Breaches
• Who are the threat actors?
• What makes up a Data Loss Prevention ecosystem?
• What does a Data Loss Prevention strategy do for me?
• Hidden Benefits of Data Loss Prevention
• Justifying a Data Loss Prevention Strategy
Cyber Resilience presented at the Malta Association of Risk Management (MARM) Cybercrime Seminar of 24 June 2013 by Mr Donald Tabone. Mr Tabone, Associate Director and Head of Information Protection and Business Resilience Services at KPMG Malta, presented a six-point action plan corporate entities can follow in order to reach a sustainable level of cyber resilience.
Security Intelligence: Finding and Stopping Attackers with Big Data Analytics by IBM Security
Attackers are using increasingly sophisticated methods to access your most sensitive data, and at the same time cloud, mobile and other innovations expand the perimeter you need to protect. This keynote discusses how to build a more secure enterprise with real-time analytics and behavior-based activity monitoring.
Advanced Security Intelligence tools store, correlate and analyze millions of events and flows daily to identify critical incidents your security team needs to investigate. The volume, variety and velocity involved clearly defines Security as a “Big Data challenge.”
Learn how advanced predictive analytics and incident forensics help defend against advanced attacks and respond to and remediate incidents quickly and effectively.
Open source software in government: challenges and opportunities by Luke Fretwell
This research identified many challenges to the use of open source software (OSS) in government and to its collaborative development; in order to maximize its limited resources, the U.S. government must find solutions to address these challenges. They can be grouped into categories such as fears about low quality and malware; concerns about commercial support; inertia; procurement issues; and issues with certification and accreditation (C&A). Interviewees also reported a critical need for OSS guidance and education. Specific recommendations included: requiring that software and C&A materials developed with government funding be maximally shared and developed collaboratively; that the government receive full data rights for such material; and that the government release such software as OSS by default.
Digital Outsourcing: Risks, Pitfalls, and Security Considerations by Peter1020
-The Current Global Digital Threat Climate
-Cyber-Trends Against The U.S. Financial Service Sector
-Considerations Prior To Outsourcing
-Pitfalls In International Partnerships
-Communications, Connections, And Security Considerations Between Locations
-Dealing With Data Exposures
-5 Things You Can Do To Protect Your Existing Outsourcing Right Now
Session 2 10:30am-11:30am
-Technology Outsourcing Trends
-Secure Outsourcing Technologies
-Collaboration Methods With Remote Teams
-How To Connect People With The Right Information At The Right Time And The Right Place
-How To Connect People With Fellow Employees, Vendors, Partners Or Other External Contacts Outside Of the Organization
-Project Management Technology Of Remote Resources
An important part of RSAC 2020 focused on Business-Critical Application Security and we're seeing a transformational shift in technology. The enterprise architecture we used to know is changing. Cloud application development is accelerating and diversifying where many organizations have virtual machines, containers, and now serverless applications running in the cloud, transforming code into infrastructure. Microservices make a lot of sense for scale and development agility, but if everything is talking to everything else via APIs, it’s likely that there are many (and I mean many) application vulnerabilities. Additionally, API security is new, so processes are likely immature, and API security sits somewhere between application developers, DevOps, and cybersecurity, leading to organizational and skills challenges. We will organize this chaos from RSAC and discuss Security in The API Ecosystem.
Security is morphing to a hybrid model for distributed policy enforcement across cloud-based environments. At the same time, organizations want central policy management for the whole environment.
You will learn more about what I found interesting at RSAC:
1. “Emerging Privacy Issues”
2. “The Human Factor”
3. “Cloud Security”
4. “Advancements in Machine Learning”
5. “Security in App Development”
6. “Trends from the Innovation Sandbox”
7. “New Standards and Regulations”
8. “Security for The API Economy”
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
How to protect privacy sensitive data that is collected to control the corona... by Ulf Mattsson
In Singapore, the Government launched an app that uses short-distance Bluetooth signals to connect one phone running the app with another user's phone nearby. It stores detailed records on the user's phone for 21 days; the data can be decrypted if there is a public health risk related to an individual's movements.
China used a similar method to track a person's health status and to control movement in cities with high numbers of coronavirus cases. Individuals had to use the app and share their status to be able to access public transportation.
The keys to addressing privacy concerns about high-tech surveillance by the state are de-identifying the data and giving individuals control over their own data. Personal details that may reveal your identity, such as a user's name, should either not be collected or be protected so that access is granted only for specific health purposes, and data should be deleted once its specific use is no longer needed.
We will discuss how to protect privacy sensitive data that is collected to control the coronavirus outbreak.
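The scheme the abstract describes, written out as an added example (this is not code from the presentation or from any real contact-tracing app): phones broadcast daily-rotating pseudonyms instead of names, keep only pseudonym-plus-timestamp records locally, delete anything older than the 21-day window, and only the health authority, holding the key, can map a pseudonym back to a person when a diagnosed user uploads their log. The HMAC construction, the registry of users to contact channels, and all names and dates are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
from datetime import date, datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

RETENTION_DAYS = 21   # retention window quoted in the abstract
ID_BYTES = 8          # size of the broadcast pseudonym (assumption)


class HealthAuthority:
    """Holds the only key that links a broadcast pseudonym back to a person."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._registry: Dict[str, str] = {}   # user_id -> contact channel (assumed phone number)

    def register(self, user_id: str, contact: str) -> None:
        self._registry[user_id] = contact

    def contact_for(self, user_id: str) -> str:
        return self._registry[user_id]

    def temp_id(self, user_id: str, day: date) -> str:
        # Daily-rotating pseudonym: truncated HMAC-SHA256 over (user, calendar day).
        # Without the key nobody can tell that two days' IDs belong to the same person.
        msg = f"{user_id}|{day.isoformat()}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()[:ID_BYTES].hex()

    def provision(self, user_id: str, start: date, days: int) -> Dict[date, str]:
        """Batch of pseudonyms handed to the phone; the phone never holds the key."""
        return {start + timedelta(days=i): self.temp_id(user_id, start + timedelta(days=i))
                for i in range(days)}

    def reidentify(self, temp_ids: Iterable[str], start: date, end: date) -> Dict[str, str]:
        """Map pseudonyms back to users; meant to run only for a confirmed public-health need."""
        wanted, found, day = set(temp_ids), {}, start
        while day <= end and wanted:
            for user_id in self._registry:
                tid = self.temp_id(user_id, day)
                if tid in wanted:
                    found[tid] = user_id
                    wanted.discard(tid)
            day += timedelta(days=1)
        return found


class Phone:
    """The app on one handset: stores only pseudonyms and timestamps, on the device."""

    def __init__(self, owner_id: str, ids: Dict[date, str]):
        self.owner_id = owner_id
        self._ids = ids                                   # provisioned pseudonyms
        self.encounters: List[Tuple[str, datetime]] = []  # (other's temp ID, when); no names, no GPS

    def broadcast_id(self, now: datetime) -> str:
        return self._ids[now.date()]

    def hear(self, advertised_id: str, now: datetime) -> None:
        self.encounters.append((advertised_id, now))

    def purge_expired(self, now: datetime) -> int:
        """Delete records older than the retention window; returns how many were dropped."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        kept = [(tid, ts) for tid, ts in self.encounters if ts >= cutoff]
        dropped = len(self.encounters) - len(kept)
        self.encounters = kept
        return dropped

    def upload_on_diagnosis(self, now: datetime) -> List[Tuple[str, datetime]]:
        """Only after a positive test is the (still pseudonymous) log handed over."""
        self.purge_expired(now)
        return list(self.encounters)


def trace_contacts(authority: HealthAuthority, log: List[Tuple[str, datetime]]) -> List[str]:
    """Authority side: turn an uploaded log into contact channels to notify, nothing more."""
    if not log:
        return []
    days = [ts.date() for _, ts in log]
    mapping = authority.reidentify([tid for tid, _ in log], min(days), max(days))
    return sorted({authority.contact_for(mapping[tid]) for tid, _ in log if tid in mapping})


def demo() -> dict:
    """Constructed scenario: Alice is diagnosed; Bob was met too long ago, Carol recently."""
    authority = HealthAuthority(key=b"\x01" * 32)   # fixed key only so the demo is reproducible
    today = datetime(2020, 4, 1, tzinfo=timezone.utc)
    start = today.date() - timedelta(days=40)
    phones = {}
    for user, contact in [("alice", "+65-alice"), ("bob", "+65-bob"), ("carol", "+65-carol")]:
        authority.register(user, contact)
        phones[user] = Phone(user, authority.provision(user, start, 60))
    old = today - timedelta(days=25)     # outside the 21-day window
    recent = today - timedelta(days=3)   # inside it
    phones["alice"].hear(phones["bob"].broadcast_id(old), old)
    phones["alice"].hear(phones["carol"].broadcast_id(recent), recent)
    dropped = phones["alice"].purge_expired(today)
    notify = trace_contacts(authority, phones["alice"].upload_on_diagnosis(today))
    rotates = phones["bob"].broadcast_id(old) != phones["bob"].broadcast_id(recent)
    return {"dropped": dropped, "notify": notify, "rotates": rotates}
```

The design choice worth noticing is where the key lives: the phone receives a batch of pseudonyms and can neither generate nor reverse them, so a lost handset or a compromised app vendor yields only opaque identifiers, while the authority's re-identification step is an explicit, auditable function that should be gated behind the public-health decision the abstract mentions.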
Gowlings - November 12, 2014
In an ever-increasing digital world, all businesses face challenges in managing and protecting sensitive and confidential information. In this presentation Gowlings and Marsh Canada Limited addressed best practices for responding to a cyber breach, and what types of insurance may be available to respond to such a loss. Topics included:
• Trends, and the evolution of cyber insurance/products
• The D&O connection, cyber is a strategic business risk
• Risk Management Strategies
• Best Practices in Breach Response.
Data Leakage Prevention Presentation by Shariyaz Abdeen
Data leakage prevention is one of the key topics being discussed at present. As organizations move towards big data and financial systems that reside in cyberspace, there is an increasing number of frauds associated with the technology revolution. This post highlights the threats and the countermeasures that let us protect sensitive personal data. I prefer the "trust but verify" model.
Georgie Collins and Dan Hedley, Irwin Mitchell LLP presented, "Data breaches and the law, a practical guide" at Flight East 2018. For more information on Black Duck by Synopsys, please visit our website at www.blackducksoftware.com.
Talk from the event "Cybersecurity: the new era in incident response and data auditing"
Sam Maccherola - VP and General Manager, Public Sector, Guidance Software Inc.
Brasília, 4 August 2010
Presentation by Larry Clinton, President of the Internet Security Alliance (ISA) to the 66th Annual Fowler Seminar on Oct 12 2012 titled Evolution of the Cyber Threat - A Unified Systems Approach.
Secrets to managing your Duty of Care in an ever- changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for cybersecurity attacks sits with executives and board members, who may not have the right level of technical security knowledge. This session will outline the practical steps executives can take to implement a cybersecurity roadmap that is aligned with the organisation's strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
We are living in a world where cyber security is a top priority for .pdf by galagirishp
We are living in a world where cyber security is a top priority for all governments and businesses. In fact, last week the United States announced cyber security as its biggest. James Clapper, the Director of National Intelligence, says that "the world is applying digital technologies faster than our ability to understand the security implications and mitigate potential risks." Hackers are able to get ahead of governments because they are applying technology faster than many can understand it.
(http://ca.reuters.com/article/technologyNews/idCABRE92B0LS20130312)
These attackers are persistent, and being aware of the methods hackers use is an important step towards defending sensitive company data.
When a hacker strikes, the cost to a company could potentially be millions of dollars. Not only will it affect the bottom line, but hard-earned reputations can be compromised or destroyed.
It is important to recognize the difference between the two kinds of cyber threat: external and internal. An external, or outsider, threat is much trickier to pinpoint. It can come "from someone that does not have authorized access to the data and has no formal relationship to the company." It could be someone actively targeting the company, or, accidentally, someone who found a lost mobile device.
Internal threats are likely to come from an authorized individual who has easy access to sensitive corporate data as part of their day-to-day duties. This could be anyone working within the company or acting as a third-party representative. The Global Knowledge Blog states that insiders have a much greater advantage because they have means, motive, and opportunity, whereas outsiders most often have only a motive.
(http://globalknowledgeblog.com/technology/security/hacking-cybercrime/insider-vs-outsider-threats/)
When focusing on internal threats, we have made a digital security checklist:
• Implement an intrusion detection system (IDS). An IDS acts like a security camera watching the network and alerts on suspicious activity; a system that also responds, by logging off suspect users or adding firewall rules to block a possible intrusion, is an intrusion prevention system (IPS).
• Implement a log management platform that centralizes all logs, correlates them to find threats, and alerts on them.
• Stay proactive with identity management systems that monitor high-risk or suspicious user activity by detecting and correcting situations that are out of compliance or present a security risk.
• Be aware of who has keys and access codes to vulnerable information, and monitor the activity whenever these spaces are accessed, authorized or not.
• Create policies for when employees with these privileges leave the company or are terminated, so that their accounts and credentials are revoked promptly. This reduces the risk of theft through careless behaviour and of break-ins by disgruntled employees.
• Get employees involved in the company's security procedures. As a team, you can work to strengthen your digital security pr.
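The log-management, identity-monitoring and offboarding items of the checklist above, as an added example that is not from the original document: three constructed log sources (an HR status feed, an authentication log and a file-share access log) are normalised into one timeline and run through three correlation rules that the checklist implies, namely activity by an account after HR marked it terminated, access to a sensitive path by someone outside the authorised group, and a burst of failed logins followed by a success. The log formats, the authorised group, the sensitive path and the thresholds are all assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List

# Constructed sample logs (not real data). Each line: "<UTC timestamp> <source> key=value ...".
HR_FEED = """\
2024-05-01T12:00:00Z hr user=jdoe status=TERMINATED
"""
AUTH_LOG = """\
2024-05-01T08:10:00Z auth user=asmith result=SUCCESS src=10.0.0.21
2024-05-01T18:02:11Z auth user=jdoe result=FAIL src=203.0.113.9
2024-05-01T18:02:19Z auth user=jdoe result=FAIL src=203.0.113.9
2024-05-01T18:02:27Z auth user=jdoe result=FAIL src=203.0.113.9
2024-05-01T18:02:40Z auth user=jdoe result=SUCCESS src=203.0.113.9
"""
SHARE_LOG = """\
2024-05-01T08:12:30Z fileaccess user=asmith path=/finance/q1.xlsx action=READ
2024-05-01T18:05:02Z fileaccess user=jdoe path=/finance/payroll.xlsx action=READ
2024-05-01T18:05:40Z fileaccess user=jdoe path=/finance/payroll.xlsx action=COPY
2024-05-01T18:06:05Z fileaccess user=bwong path=/finance/payroll.xlsx action=READ
"""
SENSITIVE_PATHS = ("/finance/",)   # assumed: the "vulnerable information" the checklist refers to
FINANCE_GROUP = {"asmith"}         # assumed: the only account authorised to touch it

LINE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<fields>.*)$")


def parse(text: str) -> List[dict]:
    """Normalise one log source into events: {'ts': datetime, 'source': str, key: value, ...}."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue   # unparseable line: skipped here, would be counted and alerted on in production
        ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "source": m["source"]}
        ev.update(kv.split("=", 1) for kv in m["fields"].split())
        events.append(ev)
    return events


def centralise(*sources: str) -> List[dict]:
    """Merge every source into one time-ordered stream, as a log management platform would."""
    return sorted((ev for src in sources for ev in parse(src)), key=lambda e: e["ts"])


def alert(rule: str, e: dict, **extra) -> dict:
    a = {"rule": rule, "ts": e["ts"].isoformat(), "user": e.get("user"), "source": e["source"]}
    a.update(extra)
    return a


def rule_terminated_activity(events: List[dict]) -> List[dict]:
    """Successful login or any file access by an account after HR marked it terminated."""
    terminated = {e["user"]: e["ts"] for e in events
                  if e["source"] == "hr" and e.get("status") == "TERMINATED"}
    return [alert("terminated_account_activity", e) for e in events
            if e["source"] in ("auth", "fileaccess") and e.get("user") in terminated
            and e["ts"] > terminated[e["user"]]
            and (e["source"] != "auth" or e.get("result") == "SUCCESS")]


def rule_unauthorised_sensitive_access(events: List[dict], authorised: set) -> List[dict]:
    """Access under a sensitive path by anyone outside the authorised group."""
    return [alert("unauthorised_sensitive_access", e) for e in events
            if e["source"] == "fileaccess"
            and e.get("path", "").startswith(SENSITIVE_PATHS)
            and e.get("user") not in authorised]


def rule_failed_then_success(events: List[dict], threshold: int = 3,
                             window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """threshold+ failed logins for one user inside the window, then a success."""
    alerts, recent = [], defaultdict(list)
    for e in events:
        if e["source"] != "auth":
            continue
        user = e.get("user")
        recent[user] = [t for t in recent[user] if e["ts"] - t <= window]   # slide the window
        if e.get("result") == "FAIL":
            recent[user].append(e["ts"])
        elif len(recent[user]) >= threshold:
            alerts.append(alert("failed_logins_then_success", e, failures=len(recent[user])))
            recent[user].clear()
    return alerts


def detect(*sources: str, authorised: set = FINANCE_GROUP) -> List[dict]:
    """Centralise, correlate, and return alerts in time order."""
    events = centralise(*sources)
    alerts = (rule_terminated_activity(events)
              + rule_unauthorised_sensitive_access(events, authorised)
              + rule_failed_then_success(events))
    return sorted(alerts, key=lambda a: a["ts"])


def demo() -> List[dict]:
    return detect(HR_FEED, AUTH_LOG, SHARE_LOG)
```

Each rule on its own is noisy; the value of centralising is that the HR feed turns jdoe's otherwise ordinary-looking successful VPN login and payroll download into the highest-priority alerts, which is exactly the offboarding gap the checklist warns about. In a real deployment the HR feed would also drive automatic account disablement, so the terminated-account rule should fire rarely and be treated as a control failure when it does.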
Cyber Research Proposal
Cybersecurity in business
Introduction
Because of today's international economy, securing a company's intellectual property, financial information, and good name is critical to its long-term survival and growth. However, with the rise in risks and cyber vulnerability, most businesses find it difficult to keep up with the competition. Since their inception, most companies have reported 16% fraud, 37.7% financial losses, and an average of over 11% share value loss, according to data compiled by the US security. Most corporations and governments are working hard to keep their customers and residents safe from harm. These threats involve both physical and cybersecurity risks. According to a recent study, many company owners are not aware of the full scope of cybersecurity. Business owners must deal with a variety of such issues daily.
Nevertheless, steps are being taken to address these issues, and the measures adopted are likely to protect both customers and the company. Cybersecurity is one of the most pressing issues facing organizations today. Leaks of a company's intellectual property and other secrets may have devastating effects on its operations, as competitors and rivals will do all in their power to stop them. is an excellent illustration of this. This is perhaps the most talked-about security compromise of the year [footnoteRef:3]. The firm was severely damaged because of it. [1: "Database security attacks and control methods."] [2: "Comprehending the IoT cyber threat landscape: A data dimensionality reduction technique to infer and characterize Internet-scale IoT probing campaigns."] [3: "The Equifax data breach: What CPAs and firms need to know now."]
Some individuals take advantage of clients by stealing highly valuable information in order to profit financially. For example, if the wrong individuals get their hands on your credit card information, you are in serious trouble, since you may lose money. Some families lose all their resources, while others are forced to declare bankruptcy after having been financially stable for a long period. Many of the findings of this study will focus on cybersecurity and the sources of cybersecurity risk. The paper outlines a few of the issues and solutions that organizations may use to keep their operations and consumers safe from exploitation by dishonest individuals.
Research question
According to the most recent study, more than 1500 companies have been exposed to some form of cybersecurity assault [footnoteRef:4]. This research details the specific types of attacks that have occurred. Organizational operations are affected, as is corporate governance, and the internal management of financial status is rendered ineffective by these assaults. The question that will be investigated during the study is: [4: "Towards blockchain-based identity and access management for internet of things in enterprises."]
How doe ...
Security - intelligence - maturity-model-ciso-whitepaper, by CMR WORLD TECH
A Time of Great Risk: The Time Between Compromise and Mitigation
In most organizations today, threat detection is based on various security sensors that attempt to look for anomalous behavior or for known signatures of malicious activity. These sensors include firewalls, intrusion detection/prevention systems (IDS/IPS), application gateways, anti-virus/anti-malware, endpoint protection, and more. They operate at, and provide visibility into, all layers of the IT stack.
This presentation was given by Eric Vaughan to a meeting of the Security Special Interest Group (SIG) of the Software Developers (SD) Forum, in Palo Alto, CA, in July 2008.
Before the Breach: Using threat intelligence to stop attackers in their tracks, by Mark Fullbright
All information, data, and material contained, presented, or provided on is for educational purposes only.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners.
It is not to be construed or intended as providing legal advice.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only.
17 U.S. Code § 107 - Limitations on exclusive rights: Fair use
Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.
Similar to Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel (20)
Ekoparty 2017 - The Bug Hunter's Methodology, by bugcrowd
Goals of this Presentation:
- Outline and provide an actionable methodology for effectively and efficiently testing for, and finding security vulnerabilities in web applications
- Cover common vulnerability classes/types/categories from a high level
- Provide useful tools and processes that you can take right out into the world to immediately improve your own bug hunting abilities
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program, by bugcrowd
This webcast will analyze the key differences between the penetration testing and bug bounty models and explore why one company replaced their pen tests over the last three years.
View this on-demand webinar here: https://pages.bugcrowd.com/7-bug-bounty-myths-busted-ondemand-webinar
About the content:
Despite thousands of large and small organizations running bug bounty programs, there is still a lot of fear and uncertainty about these in the cybersecurity community. In this recorded webinar we will explore 7 myths about Bug Bounty programs, the hackers who are involved, and the impact they are having on the security posture of organizations around the world.
After viewing this presentation and on-demand webinar you will:
1. Learn if a bug bounty program is right for your organization
2. Understand if a bug bounty encourages hackers to attack your systems
3. Explore the real benefits of bug bounty programs – and find out if they actually work
4. Get insight on whether these programs are too hard and costly to manage
If You Can't Beat 'Em, Join 'Em (AppSecUSA), by bugcrowd
Grant McCracken and Daniel Trauner's presentation on setting up and managing a successful bug bounty program. Having a bug bounty program is one of the most efficient methods of finding security vulnerabilities today. But, as anyone who has tried to run a bug bounty program knows, it's not a trivial undertaking... As professionals who have helped to manage hundreds of bug bounty programs, we're uniquely positioned to provide advice on how to succeed. Whether you're already running a bug bounty program, are looking to run a bug bounty program, or are a researcher, this talk aims to deepen your knowledge of the subject.
AppSecUSA 2016: 'Your License for Bug Hunting Season', by bugcrowd
You don’t need a license for bug hunting season anymore. Bug bounty programs are becoming well established as a valuable tool in identifying vulnerabilities early. The Department of Defense has authorized its first bug bounty program, and many vendors are taking a fresh look. While the programs are highly effective, many questions remain about how to structure bug bounty programs to address the concerns that vendors and researchers have about controlling bug hunters, security and privacy, contractual issues with bug hunters, what happens if there is a rogue hacker in the crowd, and liability and compliance concerns. This presentation will cover the best practices for structuring effective bug bounty programs.
Talk originally given at AppSecUSA 2016 | October 13, 2016
Bug Bounty Tipping Point: Strength in Numbers, by bugcrowd
Recorded on September 21, 2016, Casey Ellis, Bugcrowd CEO and Kymberlee Price, Sr. Director of Researcher Operations, explore current trends in the bug bounty market.
[Webinar] Building a Product Security Incident Response Team: Learnings from ..., by bugcrowd
Kymberlee Price's Black Hat 2016 talk in a live webcast. This presentation will address some best practices and templates to help security teams build or scale their incident response practices.
Grant Mccracken and Daniel Trauner give tips for running a successful bug bounty program. From writing a clear bounty brief, to communicating efficiently and effectively with researchers, this presentation, given originally at BSides Austin on April 1, 2016, is a great first step in thinking about running a bug bounty program.
Writing vuln reports that maximize payouts - Nullcon 2016, by bugcrowd
Writing Vuln Submissions that Maximize Your Payouts - presentation given at Nullcon 2016 by Bugcrowd's Kymberlee Price.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
Revitalizing Product Security at Zephyr Health, by bugcrowd
Zephyr Health, a quickly growing company harnessing the power of global healthcare data, has spent the last year augmenting its product security efforts. With Bugcrowd’s help, they have transformed their development and overarching culture to prioritize security. Bugcrowd joins Zephyr Health’s CISO, Kim Green, to hear about how she came to understand and implement crowdsourced security testing within the organization.
HI THIS IS URGENT PLZ FIX ASAP: Critical Vulnerabilities and Bug Bounty Programs, by bugcrowd
Kymberlee Price's presentation from Black Hat 2015. In this presentation, Kymberlee discusses several highly critical vulnerabilities that have been uncovered through a variety of bug bounty programs and their impact on the customers. With participation from researchers and vendors, attendees will not only see some sweet vulnerabilities broken down, but also why wading through another submission from @CluelessSec might be worth it.
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV, by bugcrowd
When used correctly, gamification can be one of the most effective tools for changing behavior on a large scale, but it requires more than just designing a few digital merit badges for doing security training. In this talk Kati Rodzon will discuss how games like Portal and Candy Crush were able to make millions and how those same techniques can be used to change security as we know it.
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip..., by bugcrowd
WATCH JASON'S TALK LIVE, 8/14 @ 11AM PDT - Register Here: http://bgcd.co/DEFCON23-haddix
Jason Haddix explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools and tips that make you better at hacking websites and mobile apps to claim those bounties.
Follow Jason on Twitter: http://twitter.com/jhaddix
Follow Bugcrowd on Twitter: http://twitter.com/bugcrowd
Check out the latest bug bounties on Bugcrowd: https://bugcrowd.com/programs
Penetration testing is a security standard, but that doesn't mean it's the most effective means of assessment.
We'll discuss why crowdsourcing your security results in increased coverage and more complex security vulnerabilities while meeting your compliance requirements. We'll also introduce Flex, our crowdsourced pen test that provides increased results.
Mobile Application Security Threats through the Eyes of the Attacker, by bugcrowd
As an active security researcher with immense professional expertise in application security, Jason Haddix joins us to explain the common attack vectors that face today’s mobile applications -- from a hacker’s perspective.
Build or Buy: The Barracuda Bug Bounty Story [Webinar], by bugcrowd
We sat down with two members of the Barracuda security team to talk about the evolution of their bug bounty program since its inception in 2010, to its current space with Bugcrowd.
5 Tips to Successfully Running a Bug Bounty Program, by bugcrowd
Learn why bug bounties are great tools in application security, why they can be difficult, and how you can utilize them to start finding more critical vulnerabilities.
[Webinar] The Art & Value of Bug Bounty Programs, by bugcrowd
Her TED talk on the power of bug bounties has over a million views. On May 20, 2015, cybersecurity expert Keren Elazari joined Bugcrowd for an exclusive webinar. We did some bug bounty myth busting and trend spotting and had a great turnout. Keren's slides are here.
Key Takeaways from Instructure's Successful Bug Bounty Program, by bugcrowd
Slides used during Bugcrowd's 3/5/2015 webinar with Instructure, the innovative company behind Canvas Learning Management System. Learn why they turned to crowdsourced security, and how Bugcrowd's Flex program gave them great results.
Guide on the use of Artificial Intelligence-based tools by lawyers and law fi..., by Massimo Talia
This guide aims to provide information on how lawyers will be able to use the opportunities provided by AI tools and how such tools could help the business processes of small firms. Its objective is to provide lawyers with some background to understand what they can and cannot realistically expect from these products. This guide aims to give a reference point for small law practices in the EU against which they can evaluate those classes of AI applications that are probably the most relevant for them.
How to Obtain Permanent Residency in the Netherlands, by BridgeWest.eu
You can rely on our assistance if you are ready to apply for permanent residency. Find out more at: https://immigration-netherlands.com/obtain-a-permanent-residence-permit-in-the-netherlands/.
A "File Trademark" is a legal term referring to the registration of a unique symbol, logo, or name used to identify and distinguish products or services. This process provides legal protection, granting exclusive rights to the trademark owner, and helps prevent unauthorized use by competitors.
Visit Now: https://www.tumblr.com/trademark-quick/751620857551634432/ensure-legal-protection-file-your-trademark-with?source=share
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordinary And Special Businesses And Ordinary And Special Resolutions with Companies (Postal Ballot) Regulations, 2018
Defending Weapons Offence Charges: Role of Mississauga Criminal Defence Lawyers, by HarpreetSaini48
Discover how Mississauga criminal defence lawyers defend clients facing weapon offence charges with expert legal guidance and courtroom representation.
To know more visit: https://www.saini-law.com/
Car Accident Injury Do I Have a Case...., by Knowyourright
Every year, thousands of Minnesotans are injured in car accidents. These injuries can be severe – even life-changing. Under Minnesota law, you can pursue compensation through a personal injury lawsuit.
Lifting the Corporate Veil. Power Point Presentation, by seri bangash
"Lifting the Corporate Veil" is a legal concept that refers to the judicial act of disregarding the separate legal personality of a corporation or limited liability company (LLC). Normally, a corporation is considered a legal entity separate from its shareholders or members, meaning that the personal assets of shareholders or members are protected from the liabilities of the corporation. However, there are certain situations where courts may decide to "pierce" or "lift" the corporate veil, holding shareholders or members personally liable for the debts or actions of the corporation.
Here are some common scenarios in which courts might lift the corporate veil:
Fraud or Illegality: If shareholders or members use the corporate structure to perpetrate fraud, evade legal obligations, or engage in illegal activities, courts may disregard the corporate entity and hold those individuals personally liable.
Undercapitalization: If a corporation is formed with insufficient capital to conduct its intended business and meet its foreseeable liabilities, and this lack of capitalization results in harm to creditors or other parties, courts may lift the corporate veil to hold shareholders or members liable.
Failure to Observe Corporate Formalities: Corporations and LLCs are required to observe certain formalities, such as holding regular meetings, maintaining separate financial records, and avoiding commingling of personal and corporate assets. If these formalities are not observed and the corporate structure is used as a mere façade, courts may disregard the corporate entity.
Alter Ego: If there is such a unity of interest and ownership between the corporation and its shareholders or members that the separate personalities of the corporation and the individuals no longer exist, courts may treat the corporation as the alter ego of its owners and hold them personally liable.
Group Enterprises: In some cases, where multiple corporations are closely related or form part of a single economic unit, courts may pierce the corporate veil to achieve equity, particularly if one corporation's actions harm creditors or other stakeholders and the corporate structure is being used to shield culpable parties from liability.
9. Anatomy of a Typical External (Hack) Attack
Threat actors shown: Nation State; Organized Crime; Hacktivists; Malicious Insiders (the diagram also marks the Network Perimeter)
Attack stages: Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon → Lateral Movement → Maintain Presence → Data Access → Data Acquisition
WHY? Financial gain; Cyber-extortion; Cyber-espionage; Competitive advantage; Disruption; Political; Revenge; Whistleblower
Outcomes also shown: Internal Damage; Ransomware
10. Anatomy of a Typical Company Response
Starting from the attacker's Data Access / Data Acquisition: Initial Triage → Forensic Investigation → Notifications
Follow-on workstreams: PR/Communications; Law Enforcement; Systems Remediation; Insurance Recovery; Public Disclosures; Governance Auditors; Regulator Investigations; Lawsuits; Customer Demands; Remedies or Settlements
11. Common Cost Components
Initial Response Costs
• Security consultants
• Forensic imaging
• Restoring service / security upgrades
Business Losses
• Lost revenue
• Drop in stock value
• Loss of customer confidence
Customer Costs
• Breach notification
• Identity theft problem
• Credit monitoring
• Customer inducements
Legal Claims
• Litigation (e.g., consumer or employee class action / shareholder derivative) costs and settlement payouts
• Defense of government proceedings
• Government fines or penalties
• PCI/Card brand assessments
12. Transformative Costs
Source: Cybersecurity Ventures and Herjavec Group (2017)
“The greatest transfer of economic wealth in history”
Global annual cybercrime costs estimated to grow from $3 trillion (2015) to $6 trillion by 2021
Includes estimated costs for:
• Damage and destruction of data
• Stolen money/fraud/embezzlement
• Lost productivity/disruption to operations
• Theft of IP, personal data, financial data
• Forensic investigation
• Restoration and remediation
• Reputational harm
13. Brand Impact = As (or More) Important than Other Costs
Consumer figures on the slide: 74.8%, 72.5%, 80%
• Consumers who worry about the security of their personal information. (Temkin Group "Consumer Benchmark Survey")
• Consumers who don’t believe organizations care about their private data and keeping it safe and secure. (HyTrust Inc., the Cloud Security Automation Company)
• Consumers who believe failure to keep customer information secure has a significant negative impact on trust in a company. (Edelman Trust Barometer: Financial Services Industry)
Actions your customers take when you falter (figures on the slide: 56%, 40%, 29%): Political Action (sign a petition, contact a politician); Stop/Reduce Technology Use; Social Activity (post to social media, write an op-ed or letter)
Source: Edelman Proprietary Study, 2014
14. Companies are Under-Resourced / Staffed / Funded
“Cybersecurity has a serious talent shortage”
Source: Frost & Sullivan, Center for Cyber Safety and Education (2017)
1.8 million worker shortfall in information security (chart spans 2017 to 2022)
“Too few information security workers in my department”: the most common reason given for this phenomenon is lack of qualified personnel
Companies may be looking in the wrong places for talent in this space:
• 87% of cyber workers did NOT start in cyber
• 30% of cyber workers came from non-IT and non-Engineering backgrounds
• Disconnect: managers deeply value communication and analytical skills vs. candidates predictably prioritize high technical skills
15. What is Legal’s Role? Lack of Tech Literacy Doesn’t Help
“Lawyers don’t need to be coders, they just need not be Luddites” *
• Techno-phobia
• Continued view of cyber as primarily an IT or InfoSec function
• Belief that lawyers should get involved after a breach happens (e.g., breach notification laws), or only in preparing to respond to a breach vs. preventive/mitigation measures
• Belief that companies (good guys) can never keep pace with the bad guys in terms of funding, skill, or innovation
* “Luddite” = (1) bands of English workers who destroyed machinery that they believed was threatening their jobs; (2) person opposed to new technology
16. What is Legal’s Role? Tech Competence is Part of the Job
“A lawyer shall provide competent representation to a client…”
Comment 8 to Model Rule of Professional Conduct 1.1: Maintaining Competence
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. (Emphasis added.)
20. Bug Bounty – Is there a Code of Conduct?
“Is there Honor Among ‘Security Researchers’?”
• Many security researchers have “day jobs,” so they are not out to extort or otherwise disadvantage companies
• If you don’t play by the Bug Bounty rules, you will not get paid – including confidentiality
• Transparency with respect to payment levels for bug severity levels, and level of documentation that must be shown for payment
• Security researchers are “rated,” so reputation matters!
21. Bug Bounty Programs = A Force Multiplier for Companies
“It Takes a Crowd”
• Lack of resources + expanding attack surfaces = more opportunity for adversaries.
• Bug Bounty programs are used by many uber-sophisticated companies, and even the federal government
• In 2 weeks, per company, security researchers typically find:
Source: Bugcrowd
23. Designing Your Own Bug Bounty?
The Department of Justice outlines a framework for designing a “vulnerability disclosure program” to address the concerns that such activity might violate the Computer Fraud and Abuse Act (18 U.S.C. 1030).
See https://www.justice.gov/criminal-ccips/page/file/983996/download
24. Do Bug Bounties Increase Legal Breach Notifications?
Corporate Incident Response Plan Phases
Phase 1 Identification, Scoping and Severity Assessment
Phase 2 Escalation and Deployment of IR Resources
Phase 3 Investigation and Remediation
Phase 4 Notification and Other External Communications
Phase 5 Post-Incident Analysis and Preparation
1. Statutory duty to notify customers? (Legal)
• Generally, triggered on unauthorized “access” or “acquisition” of PI
• 47 U.S. state laws + territories
• HHS OCR / PCI / Interagency Guidelines
• Rest-of-world
2. Contractual duty to notify? (Legal)
• Contractual duties override statutory or regulatory duties on notification
• Includes “quasi” contracts such as Privacy Policy and Terms of Use, Marketing, Advertising
3. “Voluntary” notification? (Transparency)
• Forensics are often inconclusive, which leads to a multi-factor decision tree
• Voluntary notice scenarios based on facts, risk mitigation, ethical considerations
25. Is there Liability for a “Mere” Security Vulnerability?
• How real is the legal risk around known security vulnerabilities?
• Researchers can, and do, go public
• Researchers can, and do, report to regulatory agencies
• Regulators can, and do, bring investigations and enforcement actions based on vulnerabilities alone – even if there’s been no “data breach”
– FTC Litigation: D-Link case
– FTC/FCC: Stagefright inquiries to mobile device makers
– SEC OCIE: Craig Scott Capital case
– Litigation (both ways): St. Jude Medical / Muddy Waters case
26. What’s the Game Plan?
• How should we address security researchers who call or email (especially on a Friday before a holiday at 4:50 pm)?
– Who should interact with the researcher?
– Should you email or call, or both?
– Do you ever acknowledge the vulnerability? Do you pay them?
– Do you keep them updated on the status of your investigation, remediation?
• Very helpful to have an internal game plan for security researcher engagement, including how and who will make the decision on payment
• IR Planning
– Legal and PR/crisis communications should be briefed and ready
– Consideration of incorporating into IR plan, or parallel protocol
29. Ransomware: What does it look like?
The visual appearance of a ransomware attack may vary widely
• Format of the ransom note
• File extension
• Disk-level ransomware vs. file-level ransomware
• Scrambled filename vs. intact filename
34. Should you pay?
“The FBI does not support paying a ransom to the adversary… Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom… Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.”
35. “Dude, stop crying.”
Generation of rookie hackers emerges
• In the past, we were often engaging directly with the malware developer, who could help with software bugs and hiccups
• With rookie hackers, the tool is either poorly written and / or the actors are unable to help troubleshoot decryption issues
36. Do companies actually pay?
Source: Osterman Research (Survey of 540 CIOs/CISOs/IT Directors)
37. How do (can) you pay?
• Does your company/client have a bitcoin wallet?
– Your vendor does!
• Managed ransomware response:
– Vendor takes over communications with attacker (often in attacker’s native language)
– Vendor obtains and validates (tests) ransomware decryption tool
– Vendor assists in negotiating down the ransom amount
– Vendor fronts payment to attacker, in many circumstances
– Vendor assists with actual/live decryption and remediation
38. If you decide to pay . . .
Call The Professionals
The transaction goes the smoothest when the incident response team is brought in early
39. Horror Stories
Do Not Try This At Home
When victims try to engage themselves, they may accidentally antagonize the attacker, or give up information that reveals their identity
41. What is the legal framework?
• Civil or criminal liability for hacking
• Contractual duties re: security and/or breach notification
• Laws requiring security measures
• Notification to individuals and regulators
• Regulator enforcement, consent decrees, and related requirements
• Regulator and industry standards, guidelines, and frameworks
42. Are “Bugs” and “Ransomware” Notifiable Breach Events???
• Statutes
– State statutes (plus D.C., Guam, P.R., V.I.); triggered when 1 or more affected individuals is a resident of the state; triggered on “access” or “acquisition” of PI elements
– Industry/sector federal rules (e.g., HIPAA, Interagency Guidelines, NYDFS, DFARS)
• Contracts
– Contracts with customers and vendors (e.g., privacy policies, terms of use, etc.)
– Almost always define “breaches” more broadly than statutes
• Industry Rules (e.g., Payment Card Industry – PCI)
• SEC public company disclosures (e.g., Form 8-K)
• Client’s Internal Policies and Procedures
43. What have regulators said about Ransomware?
“[A] breach has occurred because the [data] encrypted by the ransomware was acquired … and thus is a ‘disclosure’” where security incident is defined as “the acquisition, access, use or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” 45 C.F.R. 162.402.
Special focus on results of forensic analysis and risk assessment
“A company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act.”
-- (Then) Chairwoman Edith Ramirez (2016)
Failure to address “pervasive security bugs” that leave systems vulnerable to malware will be a key factor in the FTC’s decision to open an investigation or pursue an enforcement action.
46. Incident Response (IR) Planning
Do you have an IR Team? An IR Plan? Have you practiced?
Corporate IR Plan phases: Identify; Triage & Contain; Analyze & Investigate; Remove & Recover; Prepare
Cross-Functional IR Team
Key Internal Members: IR Team Leader; Executive Liaison; General Counsel/Legal; Privacy Officer; IT Security; Physical Security; Corp. Communications; Customer Support; Human Resources; Risk Management
Key External Members: Outside Counsel; Forensics; Crisis Communications; Investor Relations; Vendors (mail house, call center, credit monitoring)
47. Other Key Elements of Proactive Cybersecurity Programs
• Executive CISO or equivalent function responsible for cybersecurity with regular and direct reporting to Board (Audit/Risk) Committee
• Inventory of data and network assets subject to attack (e.g., data map, network map)
• Regular enterprise-wide cybersecurity assessments, properly scoped and managed (not just “pen tests” or routine vulnerability scans, but more holistic)
• Participation in threat intelligence sharing forums to develop understanding of threat landscape (e.g., ISACs)
• Certifications to PCI DSS, ISO/IEC standards, such as ISO/IEC 27001:2013, etc.
• Encryption of sensitive data in-transit (and at-rest, as appropriate), privilege/identity access management, etc. . . . and other bare minimum protective controls
48. Other Key Elements (cont’d)
• Inclusion of cybersecurity-related provisions and audit rights in vendor and business partner contracts, with program for auditing compliance
• Implementation of training programs for employees and security team on cybersecurity awareness and response
• Retention of experts and consultants to provide technical services for the purpose of providing legal advice regarding risk
• Procurement of cyber insurance to cover costs of forensic analysis, legal services, public relations, credit monitoring, litigation defense, etc.
• Explicit consideration of evolving scenarios like Bug Bounties and Ransomware – and how they fit into, or necessitate adjustments to, the company’s security breach incident response plan (IRP)