Campbell from IT called the presenter on a Saturday to report that key servers at their organization, including the email and file servers, were inaccessible. A cryptic note was left demanding payment to regain access, indicating a potential ransomware attack. The presenter is advised to have Campbell contain the incident by disconnecting from the internet, not make any payments, and call in expert help from lawyers and incident response specialists to properly investigate and mitigate the risks. The presentation then outlines the typical incident response process and provides tips on internal communication, notifying affected individuals, and having an incident response plan in place ahead of time.
The internet as a corporate security resource (Dan Michaluk)
One hour presentation to in-house lawyers at a federally regulated employer. Analysis is based on Canadian federal privacy legislation (PIPEDA) and the Ontario Rules of Professional Conduct.
One hour presentation to an IT security and law enforcement audience on how access to information legislation and related pressures affect public bodies in Canada.
One hour presentation to Ontario public sector institutions that looks at the privacy and security implications of the main information flows associated with COVID-19 workplace health and safety.
Given an outcome, we often exaggerate our ability to predict and therefore avoid the same fate. In cybersecurity, this misconception can lead to a false sense of corporate security, or worse, bury the true causes of incidents and lead to repeated data breaches or business-disrupting cyber incidents.
Cyber Risk: Exposures, prevention, and solutions (Capri Insurance)
Paula Garrecht, Partner and Commercial Insurance Broker at Capri Insurance, explores the emerging risk of cyber attacks and data breaches with specific relation to public entities. In the ever-changing landscape of business communications and processes we face ever-changing risks as well. Learn how to:
1. Identify cyber exposures
2. Minimize those exposures
3. Find the right insurance policy to fit your unique cyber needs
A short presentation to college student affairs administrators on managing students at risk in light of recent health and safety amendments in Ontario.
How your nonprofit can avoid data breaches and ensure privacy (TechSoup Canada)
Increasingly, nonprofits hold large quantities of digital assets (such as donor information, grant application details, financial records, etc.). Organizations of all sizes and industries are being targeted by cyber criminals. Cyber-attacks will often devastate an organization’s operations and have significant financial, legal and reputational consequences.
In this webinar, Imran Ahmad of Miller Thomson, LLP will explain how implementing best practices from a pre-breach standpoint can go a long way to mitigate the negative consequences of a cyber-attack.
What you will learn:
- what the cyber threat landscape looks like
- how to ensure privacy of your digital assets
- steps to take in the aftermath of a cyber-attack
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2 (TechSoup Canada)
Part 1 of this webinar series provided an overview of cybersecurity and explained the cyber risks and legislation affecting nonprofits. In part 2 of the series, Imran Ahmad of Miller Thomson, LLP returns to answer your questions on cybersecurity and to delve deeper into cybersecurity maintenance and best practices to avoid data breaches. This includes the implementation of measures to prevent data breaches in the pre-attack phase, to the implementation of security best practices in the event of a cyber attack or breach.
What you will learn:
· How to develop key cybersecurity-related documents;
· How to maintain an internal matrix of when to notify affected individuals;
· How to review contracts from a cybersecurity compliance perspective.
New York Department of Financial Services Cybersecurity Regulations (Shawn Tuma)
Getting in Shape – NYDFS Cyber Security Regulations Webinar
Presenters: Shawn Tuma, Cybersecurity & Data Protection Attorney, Scheef & Stone LLP | Bill Belcher, VP Americas, Boldon James
In an initiative to protect New York’s financial services industry, a new State regulation has been introduced to protect consumers and financial institutions from cyber-attacks. Effective March 1, 2017, this risk-driven regulation requires all financial services institutions regulated by the Department of Financial Services (DFS) to establish and maintain a cyber security program that will protect both customers’ private data and the technology that supports this. The impact stretches down through the supply chain, as any organization that conducts business with the NYC financial services sector has to adopt the same level of data protection.
Watch this webcast to learn:
The key requirements of the NYC Cyber security regulation
How compliance is about process first, then people and technology
What organizations need to be doing to ensure they comply
How data classification can help ensure compliance
NYDFS Cybersecurity Regulations (23 NYCRR 500)
New York is one of the biggest financial hubs in the world; as you can imagine, where there is sensitive financial information, there are people who want to get their hands on it. It is for this reason that major financial firms operating in New York will face stiff cyber security obligations under the new New York Department of Financial Services Cybersecurity Regulations (23 NYCRR 500). This regulation will apply to firms holding a banking, insurance or financial services licence to operate in New York. 23 NYCRR 500 has been effective as of March 1st 2017, although firms have 180 days from this introduction date to change internal systems in order to meet new compliance and regulation standards. This fact sheet outlines:
23 NYCRR 500 overview
Key dates for covered entities
Key tasks for compliance
How Boldon James can help
Patrick Bourk, National Cyber Practice Leader from Hub International, discusses the various cyber policies available for mid-size commercial businesses. He also showcases the various types of risk to consider when working with an insurer.
The Hacking Team Hack: Lessons Learned for Enterprise Security (Stephen Cobb)
Recent aggressive hacks on companies underline the need for good risk analysis, situational awareness, and incident response. Just ask AshleyMadison, Hacking Team, and Sony Pictures.
Critical Issues in School Board Cyber Security (Dan Michaluk)
An hour presentation to school board officials in Ontario on cyber security issues, covering the threat environment, defense, incident response, threat information sharing and vendor issues.
Cybersecurity and the regulator, what you need to know (Cordium)
The U.S. Securities and Exchange Commission (“SEC”) has begun to focus in earnest on cybersecurity-related issues at the SEC’s regulated investment adviser and broker-dealer firms. In April 2014, the SEC Office of Compliance Inspections and Examinations (“OCIE”) announced its Cybersecurity Initiative in a National Exam Program (“NEP”) Risk Alert. In response, this presentation will cover compliance and technological aspects of a cybersecurity risk assessment and steps firms are taking to enhance cybersecurity protections.
I hate the term "breach" - please call it a "security incident" - but the term "breach coach" is certainly ingrained. Posting today's presentation on the role of the coach as I step out the door to an insurance sector event.
Data Breach Response: Before and After the Breach (Financial Poise)
You’ve received the dreaded call that your company has just suffered a data breach – what do you do next? Who do you call for help? What notification obligations do you have?
With proper preparation, you can mitigate the damage caused by this unfortunate event and put your business in a position to recover. Your company may have already implemented its information security program and identified the responsible parties, including applicable outside experts, to be contacted in the event of a breach. However, now you must call up your incident response team to investigate the extent of the breach, evaluate the possible damage to your company, and determine whether you must notify your clients, customers, or the public of the breach. This webinar will help prepare you to take action when the worst happens.
Part of the webinar series: Cybersecurity & Data Privacy 2021
See more at https://www.financialpoise.com/webinars/
The Science and Art of Cyber Incident Response (with Case Studies) (Kroll)
In this joint presentation for the ISSA-LA Summit X in Los Angeles, Jennifer Rathburn, a cybersecurity and data privacy law expert at Foley & Lardner LLP and William Dixon, Associate Managing Director in Kroll's Cyber Risk practice, highlight three incident response scenarios and tips on breach preparation and response.
To learn more, contact Jennifer or William at:
Jennifer Rathburn, Foley & Lardner LLP
jrathburn@foley.com; 414-297-5864
William Dixon, Kroll, a Division of Duff & Phelps
william.dixon@kroll.com; 213-247-3973
Incident ResponseAs a security professional, you will.docx (MARRY7)
Chapter 14: Incident Response
As a security professional, you will be versed in a number of different technologies and techniques, each designed to prevent an attack and secure the organization. Each of the techniques you will learn is meant to prevent an attack or limit its scope, but the reality is that attacks can and will happen, and the techniques you have learned in this course cannot ever be guaranteed to stop an attack from penetrating your organization. As a security professional, this is a reality that you will have to accept.
Once you have accepted that an attack will inevitably penetrate your organization at some point, your job now becomes knowing how to respond to these situations. This is the role of incident response. Incident response, as the name implies, is the process of how you and your organization will respond to a security incident when it occurs. Although security incidents are bound to occur, you shouldn’t sit by and let them happen. You have to know, in some detail, how you will respond. Incident response includes those details. If you respond incorrectly to an incident, you could make a bad situation worse. For example, not knowing what to do, whom to call, or what the chain of command is in these situations would potentially do further damage.
Finally, incident response may have a legal aspect. Security incidents are often crimes, and so you must take special care when responding. When you decide to pursue criminal charges, you move from the realm of just responding to performing a formal investigation. The formal investigation will include special techniques for gathering and processing evidence for the purpose of potentially prosecuting the criminal later.
This chapter investigates and examines the various aspects of incident response and ways to plan and design a process for responding to a breach in your organization.
Chapter 14 Topics
This chapter covers the following topics and concepts:
• What a security incident is
• What the process of incident response is
• What incident response plans (IRPs) are
• What planning for disaster and recovery is
• What evidence handling and administration is
• What requirements of regulated industries are
Chapter 14 Goals
When you complete this chapter, you will be able to:
• List the components of incident response
• List the goals of incident response
What Is a Security Incident?
A security incident in an organization is a serious event that can occur at any point from the desktop level to the servers and infrastructure that make the network work. A security incident can be anything, including accidental actions that result in a problem, up to and including the downright malicious. Regardless of why a security incident occurred, the organization must respond appropriately.
A security incident can cover a lot of different events, but to clarify what constitutes a security incident, the following guidelin ...
2022 Rea & Associates' Cybersecurity Conference (Rea & Associates)
This presentation will give you insights into timely information about current cybersecurity threats faced by small and mid-sized businesses, incident response plans, and Cybersecurity Maturity Model Certification (CMMC) compliance protocols required for government contracts and what you need to do now to protect your business from a cyberattack.
Acting quickly after a data breach can help you regain security, preserve evidence and protect your brand. Use this checklist as your guide in the first 24 hours after discovering a breach.
CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After... (Financial Poise)
You’ve received the dreaded call that your company has just suffered a data breach – what do you do next? Who do you call for help? What notification obligations do you have?
With proper preparation, you can mitigate the damage caused by this unfortunate event and put your business in a position to recover. Your company may have already implemented its information security program and identified the responsible parties, including applicable outside experts, to be contacted in the event of a breach. However, now you must call up your incident response team to investigate the extent of the breach, evaluate the possible damage to your company, and determine whether you must notify your clients, customers, or the public of the breach. This webinar will help prepare you to take action when the worst happens.
Part of the webinar series:
CYBER SECURITY and DATA PRIVACY 2022
See more at https://www.financialpoise.com/webinars/
Presented by Dr Sam De Silva, partner at Nabarro to over 100 CEOs and Executives in London.
Explains what leaders should do immediately after becoming aware of a cyber attack, from a legal perspective.
Sam looked at some cases of data breaches and hacks and explained the importance of planning, cyber hygiene and recovery plans.
This slideshare was originally presented at the East Midlands Cyber Security Forum's Autumn event on 19th October 2017 at University of Nottingham.
https://emcsf.org.uk/
Ecno cyber - 23 June 2023 - djm(137852631.1).pptx (Dan Michaluk)
One hour presentation to IT professionals at Ontario school boards. Covers labour issues in MFA rollout, threat information sharing and business e-mail compromises and PHIPA.
Here's a one hour presentation to Canadian municipal lawyers on the union right of access to information that arises under labour law and how it has fared against employee privacy claims.
Privacy, Data Security and Anti-Spam Compliance (Dan Michaluk)
A 45-minute presentation to compliance professionals at Canadian financial institutions. A survey presentation covering privacy, data security and anti-spam (CASL).
Who is the "health information custodian" when an institution with an educational mandate provides health care? PHIPA gives institutions a choice. Here's a presentation I gave yesterday in which I argue that the institution (and not its practitioners) should assume the role of the HIC.
Student Conduct Investigations - Examining Evidence and Determining Credibility (Dan Michaluk)
A one hour presentation to student conduct investigators at colleges and universities in Canada. Support for the "hard" cases in which credibility is at issue, including hard sexual violence cases.
Privacy and breaches in health care - a legal update (Dan Michaluk)
A 45 minute presentation to hospital administrators in Ontario. A state of the nation address on the legal environment related to data security incidents.
Presentation to Canadian in-house counsel on data breach response and crisis communications. Dan Michaluk and Ian Dick of Hicks Morley and Karen Gordon of Squeaky Wheel Communications.
Cyber Incident Response - When it happens, will you be ready?
1. When it happens, will you be ready? How to excel in handling your next cyber incident
Presented by Dan Michaluk
March 2, 2020
2. Not just any Saturday
You had just sat down with a real page-turner when you got the call. Campbell from IT went into the office after receiving a couple of calls from staff who were not able to access e-mail or files from the file share.
Campbell says that the e-mail server, file server and a number of other key servers are inaccessible. All he can see is a text file that contains a cryptic note about e-mailing a protonmail address to get access to the data.
Campbell asks you what to do.
3. Not just any Saturday
What do you do?
A. Tell Campbell to send an e-mail to the address and ask what needs to be done to restore access.
B. Tell Campbell to do what he can to contain the incident, call the privacy commissioner to report a cyber attack and take their advice.
C. Tell Campbell to do what he can to contain the incident and call the Board chair to give them a heads up that there’s been an attack.
D. Tell Campbell to do what he can to contain the incident and call your insurer for a referral to expert help.
4. Agenda: How to excel in handling your next cyber incident
o Events, incidents and “breaches”
o The incident response process
o Incident response tips
o The incident response plan
6. Events, incidents and “breaches”
o A security event is a possible problem that should be assessed
o A security incident is a confirmed problem that needs to be managed through the incident response process
• Cyber attack
• A misconfiguration
• An errant communication
o A “breach” is a legal concept that relates to unauthorized access to information or loss, theft…
Learn and use this helpful nomenclature
8. The incident response process: The objects
o Quickly re-establish baseline data security
• Confidentiality (stop leakage and exposure)
• Integrity (get bad actors out)
• Availability (restore services)
o To appropriately manage the legal risks of the incident, especially those arising out of data exposure
o To foster learning and security program improvement
9. The incident response process: Step 1a – Contain (first few hours)
o Stop the incident from getting worse
o May involve
• Disconnecting from the internet
• Fixing a misconfiguration
• Changing a password to a compromised account
o Steps are taken immediately with available resources
o Should not entail overwriting data to restore services, which can cause loss of evidence
10. The incident response process: Step 1b – Get help (first few hours)
o Don’t
• Call the police
• Call the privacy commissioner
• Call the board chair
o Do
• Consult a lawyer
• Who will retain one or more experts to help
11. The incident response process: Step 2 – Restore and secure (days two to four)
o In a malware event this can become difficult quickly without expert guidance, with evidence being destroyed and more information being stolen
o Can involve
• Negotiating a ransom payment and the retrieval of decryption keys
• Restoration coaching by an expert
• Installation of endpoint monitoring software tools to watch for signs of persistence
12. The incident response process: Step 3a – Investigate (days four to…)
o Starts with the gathering of digital evidence
o Evidence is analyzed to answer two key questions:
• How did this happen?
• What data was exposed and how?
o Not a search for things you want to find, but there will often be a duty to conduct a duly diligent investigation
o If the expert determines there has been no exposure, you will rest heavily on that conclusion in taking no further action
13. The incident response process: Step 3b – Mitigate (days four to…)
o Mitigate all the harms and potential harms arising out of the incident, including reputational harms and harms to people
o We do this primarily by communication
• Media releases
• Notification to affected individuals
• Credit monitoring offerings
• Reporting to law enforcement or sharing threat information
o Keys to success
• Timing – How fast is your “clock speed”?
• Accuracy – Don’t misrepresent or take risks on making affirmative statements when you don’t know.
14. The incident response process: Step 4 – Learn and move on
o Investigation is complete
o Mitigation steps taken
o Final remedial plan developed with an implementation plan
• Take the “how” from the investigation report…
• …and apply the “5 whys”
• Develop a meaningful list of changes to address the root and next-level causes
o Assess your incident response process too!
o Use a small cross-functional team with the necessary experts that keeps the matter confidential
o All communications outside the zone of confidence are approved
o If a lawyer leads, communications to/from the lawyer will be privileged
• Lawyer instructs experts for a well-defined purpose that links to privilege
• Substantive issues are all brought to the lawyer for consideration
• Communications between team members who are not lawyers are limited to what is factual and administrative
Internal communication and privilege
Incident response tips
16
o Don’t say “we value your privacy.” Show it.
o Consider apologizing, but not profusely
o Convey the facts that will be meaningful to those affected
• What was exposed
• For how long
• To whom
o Include a list of meaningful remedial measures
o Beware of legal requirements for what must go in a notification letter
Notifying and communicating
17
o Notification is generally based on exposure of personal information, not a security incident alone
• Though an incident alone may lead you to engage in the sharing of threat information
o There may be a statutory duty to notify (and report)
o Or there may be another reason to notify
• There’s a real potential for significant harm
• The incident is known
• The incident is likely to become known
o Many organizations notify reactively, too quickly and without good reason
When to notify
18
o An “IRP” applies to all forms of security incidents
o It is premised on the idea that incidents will occur and can be anticipated
o It structures the response to save time and support optimal decision-making
• Identifies the key processes and decisions
• Puts information at hand
• Provides decision-making authority
Your response process should be embedded in a PLAN
The incident response plan
20
o Frame out the process
o Identify responsibilities
o Append
• Contact information for 24/7 contact
• Pre-retained experts
• Playbooks for certain expected scenarios
o Create playbooks by running scenario-based exercises
What to put in the plan
21
Dan Michaluk
Privacy and data security lawyer at BLG
Cyber incident response
…
Important topic now
Not if but when
Readiness is important
…
Not going to make you an IR expert here
Objectives
-know what to do right away
-encourage you to get ready and get help when you need it
-encourage you to learn more
Start with a scenario
We’ll address the answer in a moment
Here’s the agenda
I’ve left some cushion for questions so feel free to ask
I’ll watch the timing as we go
Topic 1 of 4
I think language matters
And clients struggle with it
All security problems first present as some vague sign of trouble
I don’t think I sent that e-mail
Why don’t I have access to this service
Some will call it a breach at that point….
Others will be smart enough to call it a potential breach
There is some helpful language endorsed by the National Institute of Standards and Technology
Event – many, many events
Incident – these are what get escalated and formally managed
NIST doesn’t use the term “breach”
Developed into a legal term used in Canadian privacy law
Much narrower, typically can’t be discovered without significant investigation
Unauthorized access to personal information
Loss or theft of personal information
Part 2 of 4
Walk you through the incident response process
This is my own
….
-you’ll see different models
-NIST model
-Also SANS Incident
-Those models start with preparation
-I’m going to jump right on
-My interpretation of the process
-It’s similar and valid
Three facets of data security – or attributes of secure data
Get it back to “situation normal”
…
Then clean up the mess
…
Then reflect and learn
Four steps
-contain and get help
-restore and secure
-investigate and mitigate
-learn and move on
STEP 1 – CONTAIN AND GET HELP
-broken into a and b because they can happen simultaneously
-both should happen in the first few hours
…
-contain… IT issue
-most IT teams will have enough knowledge to contain
MOST PEOPLE WILL CALL TO GET HELP
-don’t know who to call
-pitch to call a lawyer experienced in cyber response
-or your insurer, who will certainly connect you with a lawyer experienced in cyber response
-will slow you down and stop you from doing things you can’t undo
-delete evidence that you may need
-talk to third-parties too before you know what to say
-talk to third-parties and say things that are damaging
-report to the privacy commissioner is not privileged… can never take it back
-now I’m working with that as the starting point
-incident response experts do 100s of these every quarter
-versus your IT staff
WRONG WAY
-people who don’t get help tend to stall out here
-it’s hard to do network restoration – malware is “polymorphic” and persistent
-two risks…..
-destroying evidence
-failing to secure the network
RIGHT WAY
-secure and restore network under watchful eye of an expert
-benefits = safe & speedy
-special options
-paying ransom
-installation of endpoint monitoring
-gather digital evidence at the same time as securing the network
-log data
-some full forensic images of devices
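The point made here (gather log data and forensic images while the network is being secured) and the slide 9 warning that restoration must not overwrite data and destroy evidence can be made concrete with a small evidence-preservation step. The script below is an added example, not code from the presentation or from any vendor: it hashes each collected artefact before the rebuild starts, writes a manifest you can hand to the forensic expert, and re-verifies the hashes afterwards so that any overwrite is caught rather than silently losing the evidence. The file names, the collector label and the sample log lines are constructed for the demo.

```python
"""Evidence-preservation manifest.

Added illustrative example, not code from the presentation. Hash every log
file and disk image *before* any restoration touches it, write the hashes to
a manifest, and re-verify later so you can prove the originals were not
overwritten during the rebuild. File names, the collector label and the
sample log lines are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so multi-GB images fit in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector):
    """Record path, hash, size and mtime of each artefact at collection time."""
    artefacts = []
    for p in paths:
        st = os.stat(p)
        artefacts.append({
            "path": os.path.abspath(p),
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    return {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "artefacts": artefacts,
    }


def verify_manifest(manifest):
    """Re-hash each artefact; return the paths that changed or disappeared."""
    changed = []
    for entry in manifest["artefacts"]:
        p = entry["path"]
        if not os.path.exists(p) or sha256_file(p) != entry["sha256"]:
            changed.append(p)
    return changed


def demo():
    """Preserve two constructed artefacts, then show that an 'overwrite the
    logs to get the service back' step is caught on re-verification."""
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "mail-server-auth.log")
    image = os.path.join(workdir, "fileserver-sda.img")
    with open(log, "w") as f:  # constructed sample log lines
        f.write("2024-03-09T02:13:41Z sshd[4412]: Accepted password for svc_backup from 203.0.113.7\n"
                "2024-03-09T02:14:05Z sshd[4412]: session opened for user svc_backup\n")
    with open(image, "wb") as f:  # constructed stand-in for a full disk image
        f.write(os.urandom(4096))

    manifest = build_manifest([log, image], collector="on-call IT (constructed label)")
    manifest_path = os.path.join(workdir, "evidence-manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)

    with open(manifest_path) as f:  # the manifest you hand to the forensic expert
        loaded = json.load(f)
    before = verify_manifest(loaded)  # nothing touched yet -> []

    with open(log, "w") as f:         # the mistake slide 9 warns about
        f.write("log truncated during service rebuild\n")
    after = verify_manifest(loaded)   # -> [path of the overwritten log]
    return before, after, log


if __name__ == "__main__":
    before, after, log = demo()
    print("unchanged after collection:", before == [])
    print("changed after rebuild:", after)
```

In practice the manifest is written to read-only media or a separate host, and the collector field becomes the start of the chain-of-custody record; the expert retained under privilege can then re-run the verification independently rather than trusting that IT “didn’t touch anything.”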
Two questions
-not so much why… why comes at end
-forensics should give you the mechanics of the intrusion
-and hopefully what data was exposed and how
My own view – meet those objectives with the minimal amount of text
Use the process in this slide deck and add a little meat to the bones
Contain and seek help
-who’s responsible for it
-and what if that person isn’t available
-what can they do without seeking approval
-what shouldn’t they do without seeking approval
-who to call – at what number