SlideShare a Scribd company logo

Cyber Incident Response - When it happens, will you be ready?

Download as PPTX, PDF
Dan Michaluk
Dan Michaluk

Campbell from IT called the presenter on a Saturday to report that key servers at their organization, including the email and file servers, were inaccessible. A cryptic note was left demanding payment to regain access, indicating a potential ransomware attack. The presenter is advised to have Campbell contain the incident by disconnecting from the internet, not make any payments, and call in expert help from lawyers and incident response specialists to properly investigate and mitigate the risks. The presentation then outlines the typical incident response process and provides tips on internal communication, notifying affected individuals, and having an incident response plan in place ahead of time.

Law
1 of 23
Presented By When it happens, will you be ready? How to excel in handling your next cyber incident Dan Michaluk March 2, 2020
Not just any Saturday 2 You just had sat down with a real page turner when you got the call. Campbell from IT went into the office after receiving a couple calls from staff who were not able to access e-mail or files from the file share. Campbell says that the e-mail server, file server and a number of other key servers are inaccessible. All he can see is a text file that contains a cryptic note about e-mailing a protonmail address to get access to the data. Campbell asks you what to do.
Not just any Saturday 3 What do you do: A. Tell Campbell to send an e-mail to the address and ask what needs to be done to restore access. B. Tell Campbell to do what he can to contain the incident, call the privacy commissioner to report a cyber attack and take their advice. C. Tell Campbell to do what he can to contain the incident and call the Board chair to give them a heads up that there’s been an attack. D. Tell Campbell to do what he can to contain the incident and call your insurer for a referral to expert help.
Agenda o Events, incidents “and breaches” o The incident response process o Incident response tips o The incident response plan How to excel in handling your next cyber incident 4
Events, incidents and “breaches”
o A security event is a possible problem that should be assessed o An security incident is a confirmed problem that needs to be managed through the incident response process • Cyber attack • A misconfiguration • An errant communication o A “breach” is a legal concept that relates to unauthorized access to information or loss, theft… Learn and use this helpful nomenclature Events, incidents and “breaches” 6
The incident response process
o Quickly re-establish baseline data security • Confidentiality (stop leakage and exposure) • Integrity (get bad actors out) • Availability (restore services) o To appropriately manage the legal risks of the incident, especially those arising out of data exposure o To foster leaning and security program improvement The objects The incident response process 8
o Stop the incident from getting worse o May involve • Disconnecting from the internet • Fixing a misconfiguration • Changing a password to a compromised account o Steps are taken immediately with available resources o Should not entail overwriting data to restore services, which can cause loss of evidence Step 1a – Contain (first few hours) The incident response process 9
o Don’t • Call the police • Call the privacy commissioner • Call the board chair o Do • Consult a lawyer • Who will retain one or more experts to help Step 1b – Get help (first few hours) The incident response process 10
o In a malware event this can become difficult quickly without expert guidance, with evidence being destroyed and more information being stolen o Can involve • Negotiating a ransom payment and the retrieval of decryption keys • Restoration coaching by expert • Installation of endpoint mentoring software tools to watch for signs of persistence Step 2 – Restore and secure (days two to four) The incident response process 11
o Starts with the gathering of digital evidence o Evidence is analyzed to answer two key questions: • How did this happen? • What data was exposed and how? o Not search for things you want to find, but there will often be a duty to conduct a duly diligent investigation o If the expert determines there has been no exposure, you will rest heavily on that conclusion in taking no father action Step 3a – Investigate (days four to…) The incident response process 12
o Mitigate all the harms and potential harms arising out of the incident, including reputational harms and harms to people o We do this primarily by communication • Media releases • Notification to affected individuals • Credit monitoring offerings • Reporting to law enforcement or sharing threat information o Keys to success • Timing – How fast is your “clock speed”? • Accuracy – Don’t misrepresent or take risks on making affirmative statements when you don’t know. Step 3b – Mitigate (days four to…) The incident response process 13
o Investigation is complete o Mitigation steps taken o Final remedial plan developed with an implementation plan • Take the “how” from the investigation report… • …and apply the “5 whys” • Develop a meaningful list of changes to address the root and next level causes o Assess your incident response process too! Step 4 – Learn and move on The incident response process 14
Incident response tips
o Use a small cross-functional team with the necessary experts who keeps the matter confidential o All communications outside the zone of confidence are approved o If a lawyer leads, communications to/from the lawyer will be privileged • Lawyer instructs experts for well-defined purpose that links to privilege • Substantive issues all brought to the lawyer for consideration • Communications between team members who are not lawyers are limited to what is factual and administrative Internal communication and privilege Incident response tips 16
o Don’t say “we value your privacy.” Show it. o Consider apologizing, but not profusely o Convey the facts that will be meaningful to those affected • What was exposed • For how long • To whom o Include a list of meaningful remedial measures o Beware of legal requirements for what must go in a notification letter Notifying and communicating Incident response tips 17
o Notification is generally based on exposure of personal information, not a security incident alone • Though an incident alone may lead you to engage in the sharing of threat information o There may be a statutory duty to notify (and report) o Or there may be another reason to notify • There’s a real potential for significant harm • The incident is known • The incident is likely to become known o Many organizations notify reactively, too quickly and without good reason When to notify Incident response tips 18
The incident response plan
o An “IRP” applies to all forms of security incidents o It is premised on the idea that incidents will occur and can be anticipated o It structures the response to save time and support optimal decision-making • Identifies the key processes and decisions • Puts information at hand • Provides decision-making authority Your response process should be embedded in a PLAN The incident response plan 20
o Frame out the process o Identify responsibilities o Append • Contact information for 24/7 contact • Pre-retained experts • Playbooks for certain expected scenarios o Create playbooks by running scenario based exercises What to put in the plan The incident response plan 21
Questions? Questions?
For more information, contact: The information contained herein is of a general nature and is not intended to constitute legal advice, a complete statement of the law, or an opinion on any subject. No one should act upon it or refrain from acting without a thorough examination of the law after the facts of a specific situation are considered. You are urged to consult your legal adviser in cases of specific questions or concerns. BLG does not warrant or guarantee the accuracy, currency or completeness of this presentation. No part of this presentation may be reproduced without prior written permission of Borden Ladner Gervais LLP. © 2020 Borden Ladner Gervais LLP. Borden Ladner Gervais is an Ontario Limited Liability Partnership. Thank You Dan Michaluk Partner 416.367.6097 dmichaluk@blg.com

Recommended

The internet as a corporate security resource
The internet as a corporate security resourceThe internet as a corporate security resource
The internet as a corporate security resource
Dan Michaluk
 
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...Cyber security for the regulator and regulated - Ontario Regulatory Authorit...
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...
Dan Michaluk
 
Cyber, secrecy and the public body
Cyber, secrecy and the public bodyCyber, secrecy and the public body
Cyber, secrecy and the public body
Dan Michaluk
 
The pandemic and privacy
The pandemic and privacyThe pandemic and privacy
The pandemic and privacy
Dan Michaluk
 
Cyber Insurance and Incident Response Practice
Cyber Insurance and Incident Response Practice Cyber Insurance and Incident Response Practice
Cyber Insurance and Incident Response Practice
Dan Michaluk
 
Cybersecurity Risk Governance
Cybersecurity Risk GovernanceCybersecurity Risk Governance
Cybersecurity Risk Governance
Dan Michaluk
 
Building Cyber Resilience: No Safe Harbor
Building Cyber Resilience: No Safe HarborBuilding Cyber Resilience: No Safe Harbor
Building Cyber Resilience: No Safe Harbor
Advanced Technology Consulting (ATC)
 
One hour cyber july 2013
One hour cyber july 2013One hour cyber july 2013
One hour cyber july 2013
Dan Michaluk
 

Recommended

The internet as a corporate security resource
The internet as a corporate security resourceThe internet as a corporate security resource
The internet as a corporate security resource
Dan Michaluk
 
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...Cyber security for the regulator and regulated - Ontario Regulatory Authorit...
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...
Dan Michaluk
 
Cyber, secrecy and the public body
Cyber, secrecy and the public bodyCyber, secrecy and the public body
Cyber, secrecy and the public body
Dan Michaluk
 
The pandemic and privacy
The pandemic and privacyThe pandemic and privacy
The pandemic and privacy
Dan Michaluk
 
Cyber Insurance and Incident Response Practice
Cyber Insurance and Incident Response Practice Cyber Insurance and Incident Response Practice
Cyber Insurance and Incident Response Practice
Dan Michaluk
 
Cybersecurity Risk Governance
Cybersecurity Risk GovernanceCybersecurity Risk Governance
Cybersecurity Risk Governance
Dan Michaluk
 
Building Cyber Resilience: No Safe Harbor
Building Cyber Resilience: No Safe HarborBuilding Cyber Resilience: No Safe Harbor
Building Cyber Resilience: No Safe Harbor
Advanced Technology Consulting (ATC)
 
One hour cyber july 2013
One hour cyber july 2013One hour cyber july 2013
One hour cyber july 2013
Dan Michaluk
 
Cyber class action claims at an inflection point
Cyber class action claims at an inflection pointCyber class action claims at an inflection point
Cyber class action claims at an inflection point
Dan Michaluk
 
The Current State of FOI
The Current State of FOIThe Current State of FOI
The Current State of FOI
Dan Michaluk
 
A Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachA Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data Breach
Jim Brashear
 
Aprio cybersecurity and board information
Aprio cybersecurity and board informationAprio cybersecurity and board information
Aprio cybersecurity and board information
Aprio
 
How to manage a data breach
How to manage a data breachHow to manage a data breach
How to manage a data breach
Dan Michaluk
 
Cyber Risk: Exposures, prevention, and solutions
Cyber Risk: Exposures, prevention, and solutionsCyber Risk: Exposures, prevention, and solutions
Cyber Risk: Exposures, prevention, and solutions
Capri Insurance
 
Cyber legal update oct 7 2015
Cyber legal update oct 7 2015Cyber legal update oct 7 2015
Cyber legal update oct 7 2015
Dan Michaluk
 
Studentsat Risk Managingon Campus Violence
Studentsat Risk Managingon Campus ViolenceStudentsat Risk Managingon Campus Violence
Studentsat Risk Managingon Campus Violence
Dan Michaluk
 
How your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacyHow your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacy
TechSoup Canada
 
Cas cyber prez
Cas cyber prezCas cyber prez
Cas cyber prez
Dan Michaluk
 
Canadian Association of University Solicitors - Privacy Update 2016
Canadian Association of University Solicitors - Privacy Update 2016Canadian Association of University Solicitors - Privacy Update 2016
Canadian Association of University Solicitors - Privacy Update 2016
Dan Michaluk
 
Cybersecurity and data loss - It's not just about lost USB keys today
Cybersecurity and data loss - It's not just about lost USB keys todayCybersecurity and data loss - It's not just about lost USB keys today
Cybersecurity and data loss - It's not just about lost USB keys today
Dan Michaluk
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
TechSoup Canada
 
The Legal Case for Cybersecurity
The Legal Case for CybersecurityThe Legal Case for Cybersecurity
The Legal Case for Cybersecurity
Shawn Tuma
 
New York Department of Financial Services Cybersecurity Regulations
New York Department of Financial Services Cybersecurity RegulationsNew York Department of Financial Services Cybersecurity Regulations
New York Department of Financial Services Cybersecurity Regulations
Shawn Tuma
 
Cyber Risks
Cyber RisksCyber Risks
Cyber RisksRickWaldman
 
Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?
Next Dimension Inc.
 
CMW Cyber Liability Presentation
CMW Cyber Liability PresentationCMW Cyber Liability Presentation
CMW Cyber Liability PresentationSean Graham
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
Stephen Cobb
 
The Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise SecurityThe Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise Security
Stephen Cobb
 
Critical Issues in School Board Cyber Security
Critical Issues in School Board Cyber SecurityCritical Issues in School Board Cyber Security
Critical Issues in School Board Cyber Security
Dan Michaluk
 
Cybersecurity and the regulator, what you need to know
Cybersecurity and the regulator, what you need to knowCybersecurity and the regulator, what you need to know
Cybersecurity and the regulator, what you need to know
Cordium
 

More Related Content

What's hot

Cyber class action claims at an inflection point
Cyber class action claims at an inflection pointCyber class action claims at an inflection point
Cyber class action claims at an inflection point
Dan Michaluk
 
The Current State of FOI
The Current State of FOIThe Current State of FOI
The Current State of FOI
Dan Michaluk
 
A Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachA Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data Breach
Jim Brashear
 
Aprio cybersecurity and board information
Aprio cybersecurity and board informationAprio cybersecurity and board information
Aprio cybersecurity and board information
Aprio
 
How to manage a data breach
How to manage a data breachHow to manage a data breach
How to manage a data breach
Dan Michaluk
 
Cyber Risk: Exposures, prevention, and solutions
Cyber Risk: Exposures, prevention, and solutionsCyber Risk: Exposures, prevention, and solutions
Cyber Risk: Exposures, prevention, and solutions
Capri Insurance
 
Cyber legal update oct 7 2015
Cyber legal update oct 7 2015Cyber legal update oct 7 2015
Cyber legal update oct 7 2015
Dan Michaluk
 
Studentsat Risk Managingon Campus Violence
Studentsat Risk Managingon Campus ViolenceStudentsat Risk Managingon Campus Violence
Studentsat Risk Managingon Campus Violence
Dan Michaluk
 
How your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacyHow your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacy
TechSoup Canada
 
Cas cyber prez
Cas cyber prezCas cyber prez
Cas cyber prez
Dan Michaluk
 
Canadian Association of University Solicitors - Privacy Update 2016
Canadian Association of University Solicitors - Privacy Update 2016Canadian Association of University Solicitors - Privacy Update 2016
Canadian Association of University Solicitors - Privacy Update 2016
Dan Michaluk
 
Cybersecurity and data loss - It's not just about lost USB keys today
Cybersecurity and data loss - It's not just about lost USB keys todayCybersecurity and data loss - It's not just about lost USB keys today
Cybersecurity and data loss - It's not just about lost USB keys today
Dan Michaluk
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
TechSoup Canada
 
The Legal Case for Cybersecurity
The Legal Case for CybersecurityThe Legal Case for Cybersecurity
The Legal Case for Cybersecurity
Shawn Tuma
 
New York Department of Financial Services Cybersecurity Regulations
New York Department of Financial Services Cybersecurity RegulationsNew York Department of Financial Services Cybersecurity Regulations
New York Department of Financial Services Cybersecurity Regulations
Shawn Tuma
 
Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?
Next Dimension Inc.
 
CMW Cyber Liability Presentation
CMW Cyber Liability PresentationCMW Cyber Liability Presentation
CMW Cyber Liability PresentationSean Graham
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
Stephen Cobb
 
The Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise SecurityThe Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise Security
Stephen Cobb
 

What's hot (20)

Cyber class action claims at an inflection point
Cyber class action claims at an inflection pointCyber class action claims at an inflection point
Cyber class action claims at an inflection point
 
The Current State of FOI
The Current State of FOIThe Current State of FOI
The Current State of FOI
 
A Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachA Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data Breach
 
Aprio cybersecurity and board information
Aprio cybersecurity and board informationAprio cybersecurity and board information
Aprio cybersecurity and board information
 
How to manage a data breach
How to manage a data breachHow to manage a data breach
How to manage a data breach
 
Cyber Risk: Exposures, prevention, and solutions
Cyber Risk: Exposures, prevention, and solutionsCyber Risk: Exposures, prevention, and solutions
Cyber Risk: Exposures, prevention, and solutions
 
Cyber legal update oct 7 2015
Cyber legal update oct 7 2015Cyber legal update oct 7 2015
Cyber legal update oct 7 2015
 
Studentsat Risk Managingon Campus Violence
Studentsat Risk Managingon Campus ViolenceStudentsat Risk Managingon Campus Violence
Studentsat Risk Managingon Campus Violence
 
How your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacyHow your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacy
 
Cas cyber prez
Cas cyber prezCas cyber prez
Cas cyber prez
 
Canadian Association of University Solicitors - Privacy Update 2016
Canadian Association of University Solicitors - Privacy Update 2016Canadian Association of University Solicitors - Privacy Update 2016
Canadian Association of University Solicitors - Privacy Update 2016
 
Cybersecurity and data loss - It's not just about lost USB keys today
Cybersecurity and data loss - It's not just about lost USB keys todayCybersecurity and data loss - It's not just about lost USB keys today
Cybersecurity and data loss - It's not just about lost USB keys today
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
 
The Legal Case for Cybersecurity
The Legal Case for CybersecurityThe Legal Case for Cybersecurity
The Legal Case for Cybersecurity
 
New York Department of Financial Services Cybersecurity Regulations
New York Department of Financial Services Cybersecurity RegulationsNew York Department of Financial Services Cybersecurity Regulations
New York Department of Financial Services Cybersecurity Regulations
 
Cyber Risks
Cyber RisksCyber Risks
Cyber Risks
 
Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?
 
CMW Cyber Liability Presentation
CMW Cyber Liability PresentationCMW Cyber Liability Presentation
CMW Cyber Liability Presentation
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
 
The Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise SecurityThe Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise Security
 

Similar to Cyber Incident Response - When it happens, will you be ready?

Critical Issues in School Board Cyber Security
Critical Issues in School Board Cyber SecurityCritical Issues in School Board Cyber Security
Critical Issues in School Board Cyber Security
Dan Michaluk
 
Cybersecurity and the regulator, what you need to know
Cybersecurity and the regulator, what you need to knowCybersecurity and the regulator, what you need to know
Cybersecurity and the regulator, what you need to know
Cordium
 
Role of a breach coach
Role of a breach coachRole of a breach coach
Role of a breach coach
Dan Michaluk
 
Data Breach Response: Before and After the Breach
Data Breach Response: Before and After the BreachData Breach Response: Before and After the Breach
Data Breach Response: Before and After the Breach
Financial Poise
 
SIA Tas Safety Symposium 2017: Workplace incident response options, alternati...
SIA Tas Safety Symposium 2017: Workplace incident response options, alternati...SIA Tas Safety Symposium 2017: Workplace incident response options, alternati...
SIA Tas Safety Symposium 2017: Workplace incident response options, alternati...
Penelope Toth
 
The Science and Art of Cyber Incident Response (with Case Studies)
The Science and Art of Cyber Incident Response (with Case Studies)The Science and Art of Cyber Incident Response (with Case Studies)
The Science and Art of Cyber Incident Response (with Case Studies)
Kroll
 
Incident ResponseAs a security professional, you will.docx
Incident ResponseAs a security professional, you will.docx Incident ResponseAs a security professional, you will.docx
Incident ResponseAs a security professional, you will.docx
MARRY7
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3Meg Weber
 
Data Breach Response is a Team Sport
Data Breach Response is a Team SportData Breach Response is a Team Sport
Data Breach Response is a Team Sport
Quarles & Brady
 
2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference 2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference
Rea & Associates
 
Cybersecurity crisis management a prep guide
Cybersecurity crisis management a prep guideCybersecurity crisis management a prep guide
Cybersecurity crisis management a prep guide
JoAnna Cheshire
 
GlobalCollect Data Breach Factsheet
GlobalCollect Data Breach FactsheetGlobalCollect Data Breach Factsheet
GlobalCollect Data Breach Factsheet
Ingenico ePayments
 
CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After...
CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After...CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After...
CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After...
Financial Poise
 
IT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John LadoIT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John Lado
Mark John Lado, MIT
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...
- Mark - Fullbright
 
Experion Data Breach Response Excerpts
Experion Data Breach Response ExcerptsExperion Data Breach Response Excerpts
Experion Data Breach Response Excerpts
Peter Henley
 
Cyber Recovery - Legal Toolkit
Cyber Recovery - Legal ToolkitCyber Recovery - Legal Toolkit
Cyber Recovery - Legal Toolkit
Kevin Duffey
 
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Joe Bartolo
 
What to do when get hacked or suffer a cyber breach
What to do when get hacked or suffer a cyber breachWhat to do when get hacked or suffer a cyber breach
What to do when get hacked or suffer a cyber breach
East Midlands Cyber Security Forum
 
Law Firm Security: How to Protect Your Client Data and Stay Compliant
Law Firm Security: How to Protect Your Client Data and Stay CompliantLaw Firm Security: How to Protect Your Client Data and Stay Compliant
Law Firm Security: How to Protect Your Client Data and Stay Compliant
Clio - Cloud-Based Legal Technology
 

Similar to Cyber Incident Response - When it happens, will you be ready? (20)

Critical Issues in School Board Cyber Security
Critical Issues in School Board Cyber SecurityCritical Issues in School Board Cyber Security
Critical Issues in School Board Cyber Security
 
Cybersecurity and the regulator, what you need to know
Cybersecurity and the regulator, what you need to knowCybersecurity and the regulator, what you need to know
Cybersecurity and the regulator, what you need to know
 
Role of a breach coach
Role of a breach coachRole of a breach coach
Role of a breach coach
 
Data Breach Response: Before and After the Breach
Data Breach Response: Before and After the BreachData Breach Response: Before and After the Breach
Data Breach Response: Before and After the Breach
 
SIA Tas Safety Symposium 2017: Workplace incident response options, alternati...
SIA Tas Safety Symposium 2017: Workplace incident response options, alternati...SIA Tas Safety Symposium 2017: Workplace incident response options, alternati...
SIA Tas Safety Symposium 2017: Workplace incident response options, alternati...
 
The Science and Art of Cyber Incident Response (with Case Studies)
The Science and Art of Cyber Incident Response (with Case Studies)The Science and Art of Cyber Incident Response (with Case Studies)
The Science and Art of Cyber Incident Response (with Case Studies)
 
Incident ResponseAs a security professional, you will.docx
Incident ResponseAs a security professional, you will.docx Incident ResponseAs a security professional, you will.docx
Incident ResponseAs a security professional, you will.docx
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
 
Data Breach Response is a Team Sport
Data Breach Response is a Team SportData Breach Response is a Team Sport
Data Breach Response is a Team Sport
 
2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference 2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference
 
Cybersecurity crisis management a prep guide
Cybersecurity crisis management a prep guideCybersecurity crisis management a prep guide
Cybersecurity crisis management a prep guide
 
GlobalCollect Data Breach Factsheet
GlobalCollect Data Breach FactsheetGlobalCollect Data Breach Factsheet
GlobalCollect Data Breach Factsheet
 
CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After...
CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After...CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After...
CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After...
 
IT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John LadoIT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John Lado
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...
 
Experion Data Breach Response Excerpts
Experion Data Breach Response ExcerptsExperion Data Breach Response Excerpts
Experion Data Breach Response Excerpts
 
Cyber Recovery - Legal Toolkit
Cyber Recovery - Legal ToolkitCyber Recovery - Legal Toolkit
Cyber Recovery - Legal Toolkit
 
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
 
What to do when get hacked or suffer a cyber breach
What to do when get hacked or suffer a cyber breachWhat to do when get hacked or suffer a cyber breach
What to do when get hacked or suffer a cyber breach
 
Law Firm Security: How to Protect Your Client Data and Stay Compliant
Law Firm Security: How to Protect Your Client Data and Stay CompliantLaw Firm Security: How to Protect Your Client Data and Stay Compliant
Law Firm Security: How to Protect Your Client Data and Stay Compliant
 

More from Dan Michaluk

Ecno cyber - 23 June 2023 - djm(137852631.1).pptx
Ecno cyber - 23 June 2023 - djm(137852631.1).pptxEcno cyber - 23 June 2023 - djm(137852631.1).pptx
Ecno cyber - 23 June 2023 - djm(137852631.1).pptx
Dan Michaluk
 
Introduction to FOI law (the law of information)
Introduction to FOI law (the law of information)Introduction to FOI law (the law of information)
Introduction to FOI law (the law of information)
Dan Michaluk
 
Higher Education Sexual Violence Presentation
Higher Education Sexual Violence PresentationHigher Education Sexual Violence Presentation
Higher Education Sexual Violence Presentation
Dan Michaluk
 
Union access to information
Union access to informationUnion access to information
Union access to information
Dan Michaluk
 
The privacy and security implications of AI, big data and predictive analytics
The privacy and security implications of AI, big data and predictive analyticsThe privacy and security implications of AI, big data and predictive analytics
The privacy and security implications of AI, big data and predictive analytics
Dan Michaluk
 
Advocates' Society Tricks of the Trade 2019 - A Privacy Update
Advocates' Society Tricks of the Trade 2019 - A Privacy UpdateAdvocates' Society Tricks of the Trade 2019 - A Privacy Update
Advocates' Society Tricks of the Trade 2019 - A Privacy Update
Dan Michaluk
 
Privacy, Data Security and Anti-Spam Compliance
Privacy, Data Security and Anti-Spam CompliancePrivacy, Data Security and Anti-Spam Compliance
Privacy, Data Security and Anti-Spam Compliance
Dan Michaluk
 
PHIPA for school boards
PHIPA for school boardsPHIPA for school boards
PHIPA for school boards
Dan Michaluk
 
Privacy, Data Security and Anti-Spam Compliance
Privacy, Data Security and Anti-Spam CompliancePrivacy, Data Security and Anti-Spam Compliance
Privacy, Data Security and Anti-Spam Compliance
Dan Michaluk
 
Finding internet evidence
Finding internet evidenceFinding internet evidence
Finding internet evidence
Dan Michaluk
 
Sexual Assault in Higher Education - Law Policy and Practice
Sexual Assault in Higher Education - Law Policy and PracticeSexual Assault in Higher Education - Law Policy and Practice
Sexual Assault in Higher Education - Law Policy and Practice
Dan Michaluk
 
Student Conduct Investigations - Examining Evidence and Determining Credibiliity
Student Conduct Investigations - Examining Evidence and Determining CredibiliityStudent Conduct Investigations - Examining Evidence and Determining Credibiliity
Student Conduct Investigations - Examining Evidence and Determining Credibiliity
Dan Michaluk
 
Privacy and breaches in health care - a legal update
Privacy and breaches in health care - a legal updatePrivacy and breaches in health care - a legal update
Privacy and breaches in health care - a legal update
Dan Michaluk
 
Cacuss 2015 sexual violence
Cacuss 2015 sexual violenceCacuss 2015 sexual violence
Cacuss 2015 sexual violenceDan Michaluk
 
Responding to Data Breaches
Responding to Data BreachesResponding to Data Breaches
Responding to Data Breaches
Dan Michaluk
 

More from Dan Michaluk (15)

Ecno cyber - 23 June 2023 - djm(137852631.1).pptx
Ecno cyber - 23 June 2023 - djm(137852631.1).pptxEcno cyber - 23 June 2023 - djm(137852631.1).pptx
Ecno cyber - 23 June 2023 - djm(137852631.1).pptx
 
Introduction to FOI law (the law of information)
Introduction to FOI law (the law of information)Introduction to FOI law (the law of information)
Introduction to FOI law (the law of information)
 
Higher Education Sexual Violence Presentation
Higher Education Sexual Violence PresentationHigher Education Sexual Violence Presentation
Higher Education Sexual Violence Presentation
 
Union access to information
Union access to informationUnion access to information
Union access to information
 
The privacy and security implications of AI, big data and predictive analytics
The privacy and security implications of AI, big data and predictive analyticsThe privacy and security implications of AI, big data and predictive analytics
The privacy and security implications of AI, big data and predictive analytics
 
Advocates' Society Tricks of the Trade 2019 - A Privacy Update
Advocates' Society Tricks of the Trade 2019 - A Privacy UpdateAdvocates' Society Tricks of the Trade 2019 - A Privacy Update
Advocates' Society Tricks of the Trade 2019 - A Privacy Update
 
Privacy, Data Security and Anti-Spam Compliance
Privacy, Data Security and Anti-Spam CompliancePrivacy, Data Security and Anti-Spam Compliance
Privacy, Data Security and Anti-Spam Compliance
 
PHIPA for school boards
PHIPA for school boardsPHIPA for school boards
PHIPA for school boards
 
Privacy, Data Security and Anti-Spam Compliance
Privacy, Data Security and Anti-Spam CompliancePrivacy, Data Security and Anti-Spam Compliance
Privacy, Data Security and Anti-Spam Compliance
 
Finding internet evidence
Finding internet evidenceFinding internet evidence
Finding internet evidence
 
Sexual Assault in Higher Education - Law Policy and Practice
Sexual Assault in Higher Education - Law Policy and PracticeSexual Assault in Higher Education - Law Policy and Practice
Sexual Assault in Higher Education - Law Policy and Practice
 
Student Conduct Investigations - Examining Evidence and Determining Credibiliity
Student Conduct Investigations - Examining Evidence and Determining CredibiliityStudent Conduct Investigations - Examining Evidence and Determining Credibiliity
Student Conduct Investigations - Examining Evidence and Determining Credibiliity
 
Privacy and breaches in health care - a legal update
Privacy and breaches in health care - a legal updatePrivacy and breaches in health care - a legal update
Privacy and breaches in health care - a legal update
 
Cacuss 2015 sexual violence
Cacuss 2015 sexual violenceCacuss 2015 sexual violence
Cacuss 2015 sexual violence
 
Responding to Data Breaches
Responding to Data BreachesResponding to Data Breaches
Responding to Data Breaches
 

Recently uploaded

XYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdf
XYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdfXYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdf
XYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdf
bhavenpr
 
Tax Law Notes on taxation law tax law for 10th sem
Tax Law Notes on taxation law tax law for 10th semTax Law Notes on taxation law tax law for 10th sem
Tax Law Notes on taxation law tax law for 10th sem
azizurrahaman17
 
Understanding about ITR-1 and Documentation
Understanding about ITR-1 and DocumentationUnderstanding about ITR-1 and Documentation
Understanding about ITR-1 and Documentation
CAAJAYKUMAR4
 
Lifting the Corporate Veil. Power Point Presentation
Lifting the Corporate Veil. Power Point PresentationLifting the Corporate Veil. Power Point Presentation
Lifting the Corporate Veil. Power Point Presentation
seri bangash
 
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
o6ov5dqmf
 
Guide on the use of Artificial Intelligence-based tools by lawyers and law fi...
Guide on the use of Artificial Intelligence-based tools by lawyers and law fi...Guide on the use of Artificial Intelligence-based tools by lawyers and law fi...
Guide on the use of Artificial Intelligence-based tools by lawyers and law fi...
Massimo Talia
 
Matthew Professional CV experienced Government Liaison
Matthew Professional CV experienced Government LiaisonMatthew Professional CV experienced Government Liaison
Matthew Professional CV experienced Government Liaison
MattGardner52
 
Defending Weapons Offence Charges: Role of Mississauga Criminal Defence Lawyers
Defending Weapons Offence Charges: Role of Mississauga Criminal Defence LawyersDefending Weapons Offence Charges: Role of Mississauga Criminal Defence Lawyers
Defending Weapons Offence Charges: Role of Mississauga Criminal Defence Lawyers
HarpreetSaini48
 
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
9ib5wiwt
 
Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)
Wendy Couture
 
Responsibilities of the office bearers while registering multi-state cooperat...
Responsibilities of the office bearers while registering multi-state cooperat...Responsibilities of the office bearers while registering multi-state cooperat...
Responsibilities of the office bearers while registering multi-state cooperat...
Finlaw Consultancy Pvt Ltd
 
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...
Syed Muhammad Humza Hussain
 
2015pmkemenhub163.pdf. 2015pmkemenhub163.pdf
2015pmkemenhub163.pdf. 2015pmkemenhub163.pdf2015pmkemenhub163.pdf. 2015pmkemenhub163.pdf
2015pmkemenhub163.pdf. 2015pmkemenhub163.pdf
CIkumparan
 
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
9ib5wiwt
 
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
9ib5wiwt
 
Secure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark TodaySecure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark Today
Trademark Quick
 
Bharatiya Nagarik Suraksha Sanhita power.pptx
Bharatiya Nagarik Suraksha Sanhita power.pptxBharatiya Nagarik Suraksha Sanhita power.pptx
Bharatiya Nagarik Suraksha Sanhita power.pptx
ShivkumarIyer18
 
ADR in criminal proceeding in Bangladesh with global perspective.
ADR in criminal proceeding in Bangladesh with global perspective.ADR in criminal proceeding in Bangladesh with global perspective.
ADR in criminal proceeding in Bangladesh with global perspective.
Daffodil International University
 
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
9ib5wiwt
 
Daftar Rumpun, Pohon, dan Cabang Ilmu (28 Mei 2024).pdf
Daftar Rumpun, Pohon, dan Cabang Ilmu (28 Mei 2024).pdfDaftar Rumpun, Pohon, dan Cabang Ilmu (28 Mei 2024).pdf
Daftar Rumpun, Pohon, dan Cabang Ilmu (28 Mei 2024).pdf
akbarrasyid3
 

Recently uploaded (20)

XYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdf
XYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdfXYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdf
XYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdf
 
Tax Law Notes on taxation law tax law for 10th sem
Tax Law Notes on taxation law tax law for 10th semTax Law Notes on taxation law tax law for 10th sem
Tax Law Notes on taxation law tax law for 10th sem
 
Understanding about ITR-1 and Documentation
Understanding about ITR-1 and DocumentationUnderstanding about ITR-1 and Documentation
Understanding about ITR-1 and Documentation
 
Lifting the Corporate Veil. Power Point Presentation
Lifting the Corporate Veil. Power Point PresentationLifting the Corporate Veil. Power Point Presentation
Lifting the Corporate Veil. Power Point Presentation
 
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
 
Guide on the use of Artificial Intelligence-based tools by lawyers and law fi...
Guide on the use of Artificial Intelligence-based tools by lawyers and law fi...Guide on the use of Artificial Intelligence-based tools by lawyers and law fi...
Guide on the use of Artificial Intelligence-based tools by lawyers and law fi...
 
Matthew Professional CV experienced Government Liaison
Matthew Professional CV experienced Government LiaisonMatthew Professional CV experienced Government Liaison
Matthew Professional CV experienced Government Liaison
 
Defending Weapons Offence Charges: Role of Mississauga Criminal Defence Lawyers
Defending Weapons Offence Charges: Role of Mississauga Criminal Defence LawyersDefending Weapons Offence Charges: Role of Mississauga Criminal Defence Lawyers
Defending Weapons Offence Charges: Role of Mississauga Criminal Defence Lawyers
 
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
 
Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)
 
Responsibilities of the office bearers while registering multi-state cooperat...
Responsibilities of the office bearers while registering multi-state cooperat...Responsibilities of the office bearers while registering multi-state cooperat...
Responsibilities of the office bearers while registering multi-state cooperat...
 
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...
 
2015pmkemenhub163.pdf. 2015pmkemenhub163.pdf
2015pmkemenhub163.pdf. 2015pmkemenhub163.pdf2015pmkemenhub163.pdf. 2015pmkemenhub163.pdf
2015pmkemenhub163.pdf. 2015pmkemenhub163.pdf
 
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
定制(nus毕业证书)新加坡国立大学毕业证学位证书实拍图原版一模一样
 
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
 
Secure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark TodaySecure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark Today
 
Bharatiya Nagarik Suraksha Sanhita power.pptx
Bharatiya Nagarik Suraksha Sanhita power.pptxBharatiya Nagarik Suraksha Sanhita power.pptx
Bharatiya Nagarik Suraksha Sanhita power.pptx
 
ADR in criminal proceeding in Bangladesh with global perspective.
ADR in criminal proceeding in Bangladesh with global perspective.ADR in criminal proceeding in Bangladesh with global perspective.
ADR in criminal proceeding in Bangladesh with global perspective.
 
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
 
Daftar Rumpun, Pohon, dan Cabang Ilmu (28 Mei 2024).pdf
Daftar Rumpun, Pohon, dan Cabang Ilmu (28 Mei 2024).pdfDaftar Rumpun, Pohon, dan Cabang Ilmu (28 Mei 2024).pdf
Daftar Rumpun, Pohon, dan Cabang Ilmu (28 Mei 2024).pdf
 

Cyber Incident Response - When it happens, will you be ready?

  • 1. Presented By When it happens, will you be ready? How to excel in handling your next cyber incident Dan Michaluk March 2, 2020
  • 2. Not just any Saturday 2 You just had sat down with a real page turner when you got the call. Campbell from IT went into the office after receiving a couple calls from staff who were not able to access e-mail or files from the file share. Campbell says that the e-mail server, file server and a number of other key servers are inaccessible. All he can see is a text file that contains a cryptic note about e-mailing a protonmail address to get access to the data. Campbell asks you what to do.
  • 3. Not just any Saturday 3 What do you do: A. Tell Campbell to send an e-mail to the address and ask what needs to be done to restore access. B. Tell Campbell to do what he can to contain the incident, call the privacy commissioner to report a cyber attack and take their advice. C. Tell Campbell to do what he can to contain the incident and call the Board chair to give them a heads up that there’s been an attack. D. Tell Campbell to do what he can to contain the incident and call your insurer for a referral to expert help.
  • 4. Agenda o Events, incidents “and breaches” o The incident response process o Incident response tips o The incident response plan How to excel in handling your next cyber incident 4
  • 6. o A security event is a possible problem that should be assessed o An security incident is a confirmed problem that needs to be managed through the incident response process • Cyber attack • A misconfiguration • An errant communication o A “breach” is a legal concept that relates to unauthorized access to information or loss, theft… Learn and use this helpful nomenclature Events, incidents and “breaches” 6
  • 8. o Quickly re-establish baseline data security • Confidentiality (stop leakage and exposure) • Integrity (get bad actors out) • Availability (restore services) o To appropriately manage the legal risks of the incident, especially those arising out of data exposure o To foster leaning and security program improvement The objects The incident response process 8
  • 9. o Stop the incident from getting worse o May involve • Disconnecting from the internet • Fixing a misconfiguration • Changing a password to a compromised account o Steps are taken immediately with available resources o Should not entail overwriting data to restore services, which can cause loss of evidence Step 1a – Contain (first few hours) The incident response process 9
  • 10. o Don’t • Call the police • Call the privacy commissioner • Call the board chair o Do • Consult a lawyer • Who will retain one or more experts to help Step 1b – Get help (first few hours) The incident response process 10
  • 11. o In a malware event this can become difficult quickly without expert guidance, with evidence being destroyed and more information being stolen o Can involve • Negotiating a ransom payment and the retrieval of decryption keys • Restoration coaching by expert • Installation of endpoint mentoring software tools to watch for signs of persistence Step 2 – Restore and secure (days two to four) The incident response process 11
  • 12. o Starts with the gathering of digital evidence o Evidence is analyzed to answer two key questions: • How did this happen? • What data was exposed and how? o Not search for things you want to find, but there will often be a duty to conduct a duly diligent investigation o If the expert determines there has been no exposure, you will rest heavily on that conclusion in taking no father action Step 3a – Investigate (days four to…) The incident response process 12
  • 13. o Mitigate all the harms and potential harms arising out of the incident, including reputational harms and harms to people o We do this primarily by communication • Media releases • Notification to affected individuals • Credit monitoring offerings • Reporting to law enforcement or sharing threat information o Keys to success • Timing – How fast is your “clock speed”? • Accuracy – Don’t misrepresent or take risks on making affirmative statements when you don’t know. Step 3b – Mitigate (days four to…) The incident response process 13
  • 14. o Investigation is complete o Mitigation steps taken o Final remedial plan developed with an implementation plan • Take the “how” from the investigation report… • …and apply the “5 whys” • Develop a meaningful list of changes to address the root and next level causes o Assess your incident response process too! Step 4 – Learn and move on The incident response process 14
  • 16. o Use a small cross-functional team with the necessary experts who keeps the matter confidential o All communications outside the zone of confidence are approved o If a lawyer leads, communications to/from the lawyer will be privileged • Lawyer instructs experts for well-defined purpose that links to privilege • Substantive issues all brought to the lawyer for consideration • Communications between team members who are not lawyers are limited to what is factual and administrative Internal communication and privilege Incident response tips 16
  • 17. o Don’t say “we value your privacy.” Show it. o Consider apologizing, but not profusely o Convey the facts that will be meaningful to those affected • What was exposed • For how long • To whom o Include a list of meaningful remedial measures o Beware of legal requirements for what must go in a notification letter Notifying and communicating Incident response tips 17
  • 18. o Notification is generally based on exposure of personal information, not a security incident alone • Though an incident alone may lead you to engage in the sharing of threat information o There may be a statutory duty to notify (and report) o Or there may be another reason to notify • There’s a real potential for significant harm • The incident is known • The incident is likely to become known o Many organizations notify reactively, too quickly and without good reason When to notify Incident response tips 18
  • 20. o An “IRP” applies to all forms of security incidents o It is premised on the idea that incidents will occur and can be anticipated o It structures the response to save time and support optimal decision-making • Identifies the key processes and decisions • Puts information at hand • Provides decision-making authority Your response process should be embedded in a PLAN The incident response plan 20
  • 21. o Frame out the process o Identify responsibilities o Append • Contact information for 24/7 contact • Pre-retained experts • Playbooks for certain expected scenarios o Create playbooks by running scenario based exercises What to put in the plan The incident response plan 21
  • 23. For more information, contact: The information contained herein is of a general nature and is not intended to constitute legal advice, a complete statement of the law, or an opinion on any subject. No one should act upon it or refrain from acting without a thorough examination of the law after the facts of a specific situation are considered. You are urged to consult your legal adviser in cases of specific questions or concerns. BLG does not warrant or guarantee the accuracy, currency or completeness of this presentation. No part of this presentation may be reproduced without prior written permission of Borden Ladner Gervais LLP. © 2020 Borden Ladner Gervais LLP. Borden Ladner Gervais is an Ontario Limited Liability Partnership. Thank You Dan Michaluk Partner 416.367.6097 dmichaluk@blg.com

Editor's Notes

  1. Dan Michaluk Privacy and data security lawyer at BLG Cyber incident response … Important topic now Not if but when Readiness is important … Not going to make you an IR expert here Objectives -know what to do right away -encourage you to get ready and get help when you need it -encourage you to learn more
  2. Start with a sceanrio
  3. We’ll address the answer in a moment
  4. Here’s the agenda I’ve left some cushion for questions so feel free to ask I’ll watch the timing as we go
  5. Topic 1 of 4
  6. I think language matters And clients struggle with it All security problems first present as some vague sign of trouble I don’t think I sent that e-mail Why don’t I have access to this service Some will call it a breach at that point…. Others will be smart enough to call it a potential breach There is some helpful language endorsed by the National Institute of Science and Technology Event – many, many events Incident – these are what get escalated and formally managed NIST doesn’t use the term “breach” Developed into a legal term used in Canadian privacy law Much narrower, typically can’t be discovered without significant investigation Unauthorized access to personal information Loss or theft of personal information
  7. Part 2 of 4 Walk you through the incident response process This is my own …. -you’ll see different models -NIST model -Also SANS Incident -Those models start with preparation -I’m going to jump right on -My interpretation of the process -It’s similar and valid
  8. Three facets of data security – or attributes of secure data Get it back to “situation normal” … Then clean up the mess … Then reflect and learn Four steps -contain and get help -restore and secure -investigate and mitigate -learn and move on
  9. STEP 1 – CONTAIN AND GET HELP -broken into a and b because they can happen simultaneously -both should happen in the first few hours … -contain… IT issue -most IT teams will have enough knowledge to contain
  10. MOST PEOPLE WILL CALL TO GET HELP -don’t know who to call -pitch to call a lawyer experience in cyber response -or your insurer, who will certainly connect you with a lawyer experienced in cyber response -will slow you down and stop you from doing things you can’t undue -delete evidence that you may need -talk to third-parties too before you know what to say -talk to third-parties and say things that are damaging -report to the privacy commissioner is not privileged… can’t never take it back -now I’m working with that as the starting point
  11. -incident response experts do 100s of these every quarter -versus your IT staff WRONG WAY -people who don’t get help tend to stall out here -it’s hard to do network restoration – malware is “polymorphic” and persistent -two risks….. -destroying evidence -failing to secure the network RIGHT WAY -secure and restore network under watchful eye of an expert -benefits = safe & speedy -special options -paying ransom -installation of endpoint monitoring
  12. -gather digital evidence at the same time as securing the network -log data -some full forensic images of devices Two questions -not so much why… why comes at end -forensics should give you the mechanics of the intrusion -and hopefully what data was exposed and how
  13. My own view – meet those objectives with the minimal amount of text
  14. Use the process in this slide deck and add a little meat to the bones Contain and seek help -who’s responsible for it -and what if that person isn’t available -what can they do without seeking approval -what shouldn’t they do without seeking approval -who to call – at what number