4. Types of data security threats – Inside out and outside in
o Inside out
• Errant e-mails
• Loss and theft
• Shadow IT
• Departing employees
o Outside in (“cyber”)
• Malware/ransomware
• Business e-mail compromise
• Misconfigurations
5. Ransomware threat – The probability is high
o Attacks up by 150% in 2020
o Ransom payments are up more than 300% in 2021
o Double and triple extortion threat
• Lock up data
• Steal data and hold it ransom
• DDoS or doxing threat
o Market for insurance is hardening
• Premiums up 20% to 50%
• Higher retentions/deductibles, limits and co-insurance
• New conditions for coverage and harder vetting
6. Ransomware threat – The severity is high
o Incident response costs
• Operational drain
• Hard costs
o Business interruption losses
o Reputational harm
• What’s the impact on the business of ruptured trust?
• Legal reporting/notification obligations require full and unmitigated transparency
o Civil liability to employees, customers, business partners and investors/shareholders
8. The elements of a good program – To state the obvious
o People are clearly accountable, and someone is ultimately accountable
o That person engages deeply with the executive team, who engages deeply with the board
o Policy is recorded, understood and adhered to
o Risks and readiness are systematically and periodically assessed
o Translates into continuously evolving defence in depth
9. Risk management – Essential/foundational activity: asset management
o The process of managing the deployment, maintenance, upgrading and disposal of IT assets
o IT asset = hardware, software or data repository within the organization’s technology environment (including cloud)
o Common problems
• Assets are adopted but not under management
• Legacy technologies are vulnerable and not integrated with current security technologies
10. Risk management – Common technical problems
o Insecure remote access
• Exposed remote desktop protocol
• No multi-factor authentication and poor password practices
o Vulnerability and patch management
o Poor implementation of least privilege principle
o Poor network visibility
o Poorly implemented and untested backup procedures
Source: Coveware Q2 2021 Ransomware Report
12. Incident readiness and response capability – Why have a plan? What’s a plan?
o Why?
• It’s not if, but rather, when
• You’ll save time and make better decisions
o The functions of a written IRP
• Establishes a protocol for reporting and escalation
• Assigns decision-making power and accountability
• Provides a framework to support strong issue identification and management
SECURITY EVENT >> SECURITY INCIDENT >> DATA BREACH
13. Preparing for an incident – Things to do today
o Simplify your incident response plan
o Learn about what may get you
• Pick four incident scenarios from the upper right quadrant of your risk register
• Dive deep with your team into them over the next year, learn about them, think about them, discuss them
• Document your thoughts in a cheat sheet/playbook
o Pre-retain your vendors – legal, incident response, negotiator and communications – and find ways to work with them
14. Incident response practice – Dan’s top tips
o Timing is everything
• Match the “clock speed” and don’t rush
• You will need to communicate early, but must do so carefully and without speculation
o Notify only based on the evidence
• Why pay for forensics if you’re going to notify out of caution?
• Would a plaintiff, with the available evidence, be able to prove file level access or theft?
o Consider threat intelligence sharing and reporting to law enforcement – do your part to help the community win the war
15. Paying the ransom – To pay or not to pay?
o Retain an expert negotiator to communicate on your behalf, provide you with intelligence and check sanctions lists
o Threat actors will typically honour their word, and large and well-known actors are better
o If you’ve lost critical data you may have a compelling need to pay
o Paying for deletion will not relieve you of any legal obligation to notify – can’t prove deletion given rule against hearsay
o Paying for deletion may actually prevent the representative plaintiff, the regulator or the public from gaining evidence of widespread leakage
-put a cybersecurity presentation together for you
-important topic today because cyber attacks are a critical risk to any and every organization
-for regulators
-operational concern
-regulatory concern
-in other words, cyber certainly an issue tied to the public interest mandates held by many regulators
-particularly those who have a mandate for protecting consumer interests
-very practical presentation today
-lots of legal context, little law
-three parts
-threat environment
-the matter of protection
-the matter of response
-threat environment
-risk matrix
-probability on one axis
-severity on the other
-model for telling you where to invest in risk management
-most of the threats, certainly the ransomware threat, are in the top right box
-larger organizations tend to have reckoned with that but get hit because they are targets
-many others tend to be hiding in the noise
-don’t feel they are targeted, but get hit as in crimes of opportunism
-the risks of that are real
-types of problems
-could map these on your risk matrix
….
-don’t underestimate insider issues
-errant e-mail – no higher probability, I suspect, and can have very significant impact
-ransomware threat is very high right now
-like, right now
-finally seeing a more aggressive policy response, led at the moment in the US
-White House executive order, will create new policy that filters up to Canada
-Aggressive recovery of stolen monies from the Darkside ransomware group
-won’t get into it, but the general thrust is that we all need to work together and with law enforcement to win the war
-extortion play
-apparently it succeeds about 50% of the time
-probably lower numbers in the public and not for profit sectors
-but those sectors do pay
-both to recover lost data – bad backups sometimes leave no choice
-surprised… public sector client paid for the promise of data deletion the other day
-that’s the double extortion – lock and exfiltration
-heard about a third type of extortion threat – we’ll harass you until you pay
-cyber insurance is still a major part of risk management (risk transfer)
-perfect financial risk management - costly anomalous events
-insurance market is changing rapidly, however
Risk matrix
Ransomware attack probably medium to high
What about impact?
high – enough to affect the viability of a small or medium sized regulated entity
….
-incident response costs
-mid-market insurer - $300,000 claims cost on average, including ransom
-makes sense, with exfiltration… costs rise due to notification
-take a hit at the same time you lose sales or bear other interruption related losses
-reputation
-legal notification
-consumer privacy in Ontario – PIPEDA, federal
-breach notification to individuals, reporting to federal regulator
-has the option of naming and shaming but most often does not, and rarely investigates
-civil liability is possible
-who you are…. Particularly bad facts (children, families)… very bungled response
-assuming none of you are accountable primarily for cyber and privacy at your organizations
-doesn’t matter
-if you have any executive level responsibility, it’s time to learn and engage
-talk about defensive basics
-never going to eliminate the risk, not the objective
-at the same time, meeting the standard of care is not that hard
-requires leadership, investment and commitment that’s often lacking
-that’s all our responsibility
…
-tech community, for its part, needs to be motivated to communicate more and communicate more clearly
-could say this about any program that is meant to protect an organization from a security risk
…
-privacy, data security, health and safety
-not making this up, though
-you’ll see it reflected in data security authority
-National Institute of Standards and Technology (US Dept Commerce)
-OPC major privacy breach reports (Ashley Madison, Vtech, Desjardins)
...
-“defense in depth”
-important security concept to understand
-any given control will fail
-so what we do to meet our standard of care is layer controls
-front gate > security lights > steel door with a deadbolt >> alarm system
-IT security works the same way
-phishing awareness is an element that must be part of every program
-people will always get phished
-anti-spam
-anti-malware and anti-virus
-behavior based monitoring
Foundational activity and common weaknesses
Very simply, we can’t protect what we can’t identify
…
So a mature organization should have an asset inventory or asset inventories
(A data map is a related though somewhat narrower concept.)
-can be a spreadsheet
-or can use software and databases
If an organization is very good it will categorize assets and classify information according to risk
That’s good because it allows an organization to stratify its controls based on risk – HIGH, MED, LOW
…
Problems you may run into in less sophisticated organizations
-no inventory at all or very poorly maintained inventory
-assets that have been adopted but are not under management – shadow IT
-very old technologies…. Are you running any win 2008? Win 2003?
Can’t stress enough how fundamental this is
-without it you will have incidents
-and when you have incidents you’ll be running blind
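An added example, not part of the presentation, that puts slide 9 and the notes above into a runnable check: it triages a constructed spreadsheet-style inventory for the three weaknesses named here (assets not under management, legacy Windows 2003/2008 platforms, untested backups) and orders the findings by the HIGH/MED/LOW classification so controls can be stratified by risk. The end-of-life platform list, the backup-test age limits and the sample rows are assumptions for illustration.

```python
"""Triage a small asset inventory for the weaknesses the talk names:
unmanaged (shadow IT) assets, legacy platforms and untested backups,
ranked by the HIGH/MED/LOW classification the inventory assigns."""
import csv
import io
from datetime import date

# Constructed sample inventory (spreadsheet-style, as the talk allows).
INVENTORY_CSV = """\
asset,kind,os,owner,managed,classification,backup_tested
fileserver-01,hardware,Windows Server 2008,it,yes,HIGH,2021-03-01
hr-laptop-17,hardware,Windows 10,hr,no,HIGH,
crm-db,data repository,Linux,sales,yes,HIGH,2020-11-15
marketing-dropbox,software,SaaS,marketing,no,MED,
print-server,hardware,Windows Server 2003,it,yes,LOW,2021-05-02
"""

# Assumed policy values: platforms the talk calls out as legacy, and how
# recently a backup must have been test-restored for each risk class.
END_OF_LIFE = ("Windows Server 2003", "Windows Server 2008")
MAX_BACKUP_AGE_DAYS = {"HIGH": 90, "MED": 180, "LOW": 365}
RANK = {"HIGH": 0, "MED": 1, "LOW": 2}


def triage(csv_text, today):
    """Return (classification, asset, finding) tuples, highest risk first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, cls = row["asset"], row["classification"]
        if row["managed"].strip().lower() != "yes":
            findings.append((cls, name, "shadow IT: adopted but not under management"))
        if row["os"] in END_OF_LIFE:
            findings.append((cls, name, f"legacy platform: {row['os']}"))
        tested = row["backup_tested"].strip()
        if not tested:
            findings.append((cls, name, "backup procedure never tested"))
        else:
            age = (today - date.fromisoformat(tested)).days
            if age > MAX_BACKUP_AGE_DAYS[cls]:
                findings.append((cls, name, f"backup test is {age} days old (limit {MAX_BACKUP_AGE_DAYS[cls]})"))
    # Stratify: HIGH-classified assets are dealt with first (sort is stable).
    return sorted(findings, key=lambda f: RANK[f[0]])


def triage_sample():
    """Run the triage over the constructed inventory as of 2021-06-01."""
    return triage(INVENTORY_CSV, date(2021, 6, 1))


if __name__ == "__main__":
    for cls, asset, finding in triage_sample():
        print(f"{cls:<4} {asset:<18} {finding}")
```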
Here are the common culprits for problems
You see data from the Coveware Q2 ransomware attacks here on the most common attack vectors
Consistent with my own experience
…
RDP access enabled outside of the firewall
-good organizations have a network policy in place that disables it
Email phishing
-training programs
-anti-spam
-anti-malware and anti-virus
-behavioral monitoring
-there are other controls too (least privilege, encryption)
…..
Poor network visibility…..
-no advanced monitoring
-poor logging
-no automated means of collecting and analyzing log data – SIEMs
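An added example, not from the presentation, tying together slide 10 and the visibility notes above: the kind of rule a SIEM automates, run over constructed Windows Security logon events, flags password guessing against RDP reachable from the internet and a subsequent success from the same source (the exposed-RDP, no-MFA, weak-password combination the Coveware data describes). The internal address ranges, the failure threshold and the sample events are assumptions.

```python
"""Flag password guessing against RDP reachable from the internet, using
constructed Windows Security events (the kind of rule a SIEM would run)."""
import ipaddress
from collections import defaultdict

# Constructed sample events in a simplified shape of the Windows Security
# log: 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
EVENTS = [
    {"ts": 1, "id": 4625, "type": 10, "user": "admin", "src": "203.0.113.7"},
    {"ts": 2, "id": 4625, "type": 10, "user": "admin", "src": "203.0.113.7"},
    {"ts": 3, "id": 4625, "type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"ts": 4, "id": 4625, "type": 10, "user": "jsmith", "src": "203.0.113.7"},
    {"ts": 5, "id": 4624, "type": 10, "user": "jsmith", "src": "203.0.113.7"},
    {"ts": 6, "id": 4624, "type": 10, "user": "jsmith", "src": "10.0.5.20"},
    {"ts": 7, "id": 4625, "type": 3, "user": "svc-backup", "src": "10.0.5.21"},
]

# Assumed internal address space; anything else is treated as internet-facing.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAIL_THRESHOLD = 3  # assumed rule threshold for a guessing alert


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def rdp_alerts(events):
    """Return (alert, source, detail) tuples in time order."""
    alerts, fails = [], defaultdict(int)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != 10 or not is_external(e["src"]):
            continue  # only RDP logons, and only from outside the network
        if e["id"] == 4625:
            fails[e["src"]] += 1
            if fails[e["src"]] == FAIL_THRESHOLD:
                alerts.append(("rdp_guessing_from_internet", e["src"], f"{FAIL_THRESHOLD} failed logons"))
        elif e["id"] == 4624:
            # Any success from the internet shows RDP is exposed; a success
            # after a run of failures is the worst case (no MFA, weak password).
            sev = "critical" if fails[e["src"]] >= FAIL_THRESHOLD else "high"
            alerts.append(("rdp_login_from_internet", e["src"], f"{sev}: user {e['user']}"))
    return alerts


def sample_alerts():
    return rdp_alerts(EVENTS)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

Without the logging that produces these events in the first place, none of this is possible, which is the point of the "poor network visibility" item.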
…
Patching and backups are apparently the things that laypersons think are easy to do well, but they are not at all easy to do well and require resources
-theme – good security means expecting failures
-and it is a clear part of the standard to plan and prepare for security incidents
-save and make better decisions
-prompt containment example
-literally found the crown jewels five minutes before the company disconnected the network
-at 8:00 am after working since early morning
-most of what an IRP structures happens after
-see that here
-most organizations have plans that are too detailed and not actionable
-don’t get used
-not necessarily bad because creating them begets thinking and structuring
-but I favour a simple plan and continuous dialogue
-new news article about new type of attack, meet and discuss, take some notes, put them somewhere
-you can tabletop formally too
-you have to get ahead and communicate
-but you must be able to do that without information
-holding communication – heavy process focus
-get into trouble with speculation