HR's Critical Role in Protecting Company Data from Cyber Threats
1. Annual Idaho Parsons Behle & Latimer Employment Law Seminar
HR’S CRITICAL ROLE IN
PROTECTING COMPANY DATA
Tammy B. Georgelas
801.536.6873
tgeorgelas@parsonsbehle.com
parsonsbehle.com
THURSDAY OCTOBER 19, 2017 | BOISE CENTER EAST
3.
What is it?
Ransomware is sophisticated malware that blocks the
victim’s access to her files; the only way to regain
access to the files is to pay a ransom.
Ransomware
4.
Two Types of Ransomware
Encryptors: Use advanced encryption algorithms to block
system files. Examples: CryptoLocker and WannaCry.
Lockers: Lock the victim out of the operating system,
making it impossible to access the desktop and files.
Not encrypted, just locked out. Example: Winlocker.
Ransomware
9.
2016: 196 (Apocalypse)
Increase of 2,450% in 3 years
Ransomware
10.
Key Characteristics
Encrypts all kinds of files: documents, pictures, videos…
Scrambles file names, so you don’t know which data was
affected. Smart social engineering trick to confuse and
coerce victims into paying the ransom.
Ransomware
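The two characteristics above (files rewritten as unreadable data, names scrambled) are what an endpoint monitor can key on. The following Python is an added example, not part of the presentation: it scores each written file by Shannon entropy (plain text sits around 4-5 bits per byte, encrypted output near 8) and flags any process that rewrites many high-entropy files in a short window. The audit events, process names and paths are constructed for the demonstration.

```python
import math
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: readable text is typically 4-5, encrypted or
    compressed data sits close to the maximum of 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def flag_encryptor_like(events, window_sec=10, min_files=5, entropy_threshold=7.0):
    """Return the set of process names that wrote at least `min_files` high-entropy
    files within any `window_sec` window. `events` are (timestamp_sec, process,
    path, content_bytes) tuples, e.g. from a file-system audit feed."""
    high_entropy_writes = defaultdict(list)
    for ts, proc, _path, content in events:
        if shannon_entropy(content) >= entropy_threshold:
            high_entropy_writes[proc].append(ts)
    flagged = set()
    for proc, stamps in high_entropy_writes.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            # Slide the window start forward until it spans at most window_sec.
            while stamps[hi] - stamps[lo] > window_sec:
                lo += 1
            if hi - lo + 1 >= min_files:
                flagged.add(proc)
                break
    return flagged

def sample_events():
    """Constructed audit events: an editor saving two documents, then an
    unknown process rewriting eight files with scrambled names in eight seconds."""
    text = b"Quarterly report: revenue up 4% on stronger sales in the west region.\n" * 20
    ciphertext = bytes(range(256)) * 16  # stand-in for encrypted output (entropy 8.0)
    events = [
        (0, "winword.exe", "C:/docs/report.docx", text),
        (30, "winword.exe", "C:/docs/notes.docx", text),
    ]
    for i in range(8):
        events.append((100 + i, "unknown.exe", f"C:/docs/{i:08x}.locked", ciphertext))
    return events

if __name__ == "__main__":
    print(flag_encryptor_like(sample_events()))  # {'unknown.exe'}
```

The thresholds are deliberately conservative: a backup or archiving tool also writes high-entropy data, so in practice this signal is combined with the rename pattern and an allow-list of known processes rather than used alone.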
11.
Key Characteristics
Unbreakable encryption—you can’t decrypt the files on
your own.
Displays an image or a message that says your data has
been encrypted and you must pay ransom to get it back.
Ransomware
13.
Key Characteristics
Payment in Bitcoin: extremely difficult for law
enforcement to track the cryptocurrency.
Payments have a time-limit. Passing the deadline often
means increased ransom or losing the data forever.
Complex evasion techniques go undetected by traditional
antivirus.
Ransomware
14.
Key Characteristics
Spreads to other PCs connected to the local network,
creating further damage.
Recruits the infected PCs into botnets, so cyber criminals
can expand their infrastructure and fuel future attacks.
Ransomware
15.
Key Characteristics
Can extract data from the affected computer (usernames,
passwords, email addresses, etc.) and send it to a server
controlled by cyber criminals.
This can trigger breach notification laws.
Ransomware
16.
Numerous federal laws governing different kinds of information
– SEC and DOJ Guidelines
– HIPAA
– Gramm-Leach-Bliley Act
– Federal Trade Commission Act
State law Breach Notification Statutes (48 states, the District of
Columbia, Guam, Puerto Rico and the Virgin Islands)
– Based on the residence of customer, not the business
Breach Notification
17.
State law definitions and duties can differ in many ways
– Notification Triggers
• What is a “breach”?
• What information is protected?
– Deadlines
– Method of Notification
– Content of Notification
– Penalties
Breach Notification
18.
WannaCry: What
May 12, 2017 ransomware attack hit over 200,000
computers in 150 countries.
Exploited a vulnerability in Microsoft Windows, including
Windows XP. Microsoft issued a patch for newer Windows
versions in March 2017, but not for Windows XP.
Ransomware
19.
WannaCry: How
The vulnerability, EternalBlue, was discovered by the
NSA, which developed it into an exploit to enable
surveillance.
This NSA hacking “tool” was stolen and released publicly
on WikiLeaks in March 2017.
Ransomware
20.
WannaCry: Attack Vector
It was first thought that hackers embedded the WannaCry
virus in .zip files sent in phishing email.
Security experts now think the malware spread through
the Windows Server Message Block (SMB) protocol, a
system used to share files between computers.
SMB is typically used within an office network, but some
SMB servers are exposed to the public internet, making
them vulnerable.
Ransomware
21.
WannaCry: How
Hackers scanned the internet for vulnerable servers after
EternalBlue was dumped online in March 2017.
Once on a computer, the SMB “worm” could spread
through other computers on the network, and to other
internet-connected computers as well.
Ransomware
22.
WannaCry: Cost and Danger
Ransom demand of $300-$600 in Bitcoin per computer to
unlock the files.
Contains additional malware (DoublePulsar), which allows
hackers a “backdoor” to later gain further access to
infected systems.
Ransomware
23.
WannaCry: The Battle vs. the War
The same day, a security researcher in London identified
and purchased the domain that the first WannaCry strain
was attempting to contact.
This stopped the first attack, but hackers developed
additional strains over the weekend and are openly
planning to attack Windows XP again.
Ransomware
24.
WannaCry: Organizations Hacked:
Iberdrola: Spanish electric utility forced to shut down
some systems to respond to the attack.
PetroChina gas stations: Customers forced to pay cash at
Chinese gas stations after payment systems went down.
MegaFon: Largest Russian telecommunications firm.
Telefonica: The largest Spanish telecommunications firm.
Ransomware
25.
WannaCry: Organizations Hacked:
FedEx: packages delayed.
Renault: French automobile maker forced to halt
production at sites in France and its factory in Slovenia.
Deutsche Bahn: German train operator. Hijacked signs
showed ransom demand instead of train times.
Bank of China: ATMs across China malfunctioned,
displaying the ransom demand on machines.
Ransomware
26.
WannaCry: Organizations Hacked:
NHS: United Kingdom’s National Health Service.
Hundreds of clinics and hospitals across UK were forced
to cancel or delay surgeries and X-rays, and medical
services were reduced following a massive outage from
the attacks.
Ransomware
27.
WannaCry: Why didn’t NHS patch its systems?
Relies on specialized legacy software that simply won’t
work with newer Windows releases.
Microsoft first introduced Windows XP in 2001 and hasn’t
supported it since 2014.
Wide open castle to hackers.
A Spiceworks survey found that more than 50% of businesses
worldwide have at least one machine running Windows XP.
Ransomware
29.
DoS = Denial of Service
DDoS = Distributed Denial of Service
DDoS
30.
What is it?
Denial of Service:
– Hacker sends a large number of requests to a specific server
– When the server is overloaded, it stops responding
– When legitimate users send requests, the server times out
– Shuts down websites. Think of Amazon going down for an hour.
Lost revenue? One hour of downtime today would cost the
company some $3.4 million in lost sales
– Ponemon Institute: $154k/hour average
DDoS
31.
What is it?
Distributed Denial of Service:
– Hacker hijacks devices connected to the internet and injects
them with malware used to control them from a remote location
without the knowledge of the owner.
– The group of hijacked devices is called a botnet, or zombie
army.
– Hacker gives a command for all of them to lie in wait, then
attack the target server at a set time, swiftly overloading it.
DDoS
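The difference between the two slides above is visible in a web server's own logs: a DoS is one source sending far too many requests, a DDoS is an aggregate far above normal while no single source stands out. The Python below is an added example, not from the presentation; it parses constructed common-log-format lines, buckets requests per second and labels each second using those two tests. The IP addresses, timestamps and thresholds are made up for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common-log-format access line; only the source IP and timestamp matter here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)$'
)

def parse_line(line):
    """Return (source_ip, epoch_second) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), int(ts.timestamp())

def classify_floods(lines, per_source_limit=100, aggregate_limit=500):
    """Bucket requests per second. A second where one source alone exceeds
    per_source_limit is a single-source DoS; a second where the aggregate
    exceeds aggregate_limit while no single source stands out is a DDoS."""
    per_second = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the detector
        ip, sec = parsed
        per_second[sec][ip] += 1
    findings = []
    for sec in sorted(per_second):
        sources = per_second[sec]
        total = sum(sources.values())
        top_ip, top_n = sources.most_common(1)[0]
        if top_n > per_source_limit:
            findings.append(("dos", sec, top_ip, top_n))
        elif total > aggregate_limit:
            findings.append(("ddos", sec, len(sources), total))
    return findings

def sample_log():
    """Constructed access log: normal traffic at second 0, a single-source
    flood at second 1, and 600 distinct 'zombie' addresses at second 2."""
    def line(ip, sec):
        return f'{ip} - - [19/Oct/2017:10:00:{sec:02d} +0000] "GET / HTTP/1.1" 200 512'
    lines = [line(f"203.0.113.{i}", 0) for i in range(5)]
    lines += [line("198.51.100.9", 1) for _ in range(150)]
    lines += [line(f"10.0.{i // 256}.{i % 256}", 2) for i in range(600)]
    lines.append("this line is garbage and must be ignored")
    return lines

if __name__ == "__main__":
    for finding in classify_floods(sample_log()):
        print(finding)
```

The single-source case can be throttled at the server or firewall; the distributed case cannot (each zombie looks like a normal client), which is why the slides point to upstream providers such as Dyn for that scenario.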
32.
October 2016 Attack:
Amazon, Twitter, Netflix, Etsy, and Spotify went down
Dyn, one of the biggest DNS companies, suffered a
DDoS.
Domain Name Servers translate what you type into your
browser (www.amazon.com) into IP addresses that
computers can understand.
A core part of the internet's backbone.
DDoS
33.
Dyn DDoS Attack:
Well planned and executed, coming from tens of millions
of IP addresses at the same time.
One of the sources of the attack is internet-connected
products like printers, DVRs, and appliances, often called
the "internet of things."
DDoS
35.
What is it?
Any device with an on and off switch that is connected to
the Internet and/or each other.
Everything from cellphones and lightbulbs to medical
devices like insulin pumps.
US hospitals currently average 10 to 15 connected
devices per bed. Large hospitals have 5,000 beds.
Analyst firm Gartner says that by 2020 there will be over
26 billion connected devices (others est. 100B).
IoT
36.
A Cyber-Disaster in the Making?
Individual attacks: fatal dose administered to an
individual’s insulin pump.
Group attacks: Hackers used a drone to target a set of
Philips light bulbs in an office tower, infecting the bulbs
with a virus that let the attackers turn the lights on and off,
and flash an "SOS" message in Morse code.
Could plunge a whole city into darkness.
IoT
37.
IoT DDoS Attacks:
University hit with IoT malware strain that connected to its
smart devices, changed its default password, then
launched brute-force attacks to guess the admin
credentials of nearby devices.
The hacked devices then started flooding the university's
DNS server, resulting in the server dropping legitimate
student traffic.
Over 5,000 smart devices taken over during the incident.
IoT
38.
IoT DDoS Attacks:
Hackers broke into a water treatment facility and modified
water treatment parameters without even knowing what
they were doing.
Sea pirates hired hackers to break into the systems of sea
shipping companies, gather information on ships and their
cargos, and then attack only vessels with high-value
merchandise.
IoT
39.
Cyber warfare
Attackers working for a government disrupt or compromise
target governments, organizations, or individuals to gain
access to valuable data or intelligence, and can create
incidents of international significance.
License to hack
Nation State Attacks
40.
Russian agencies using cyber attacks to extract
information to influence the U.S. presidential election.
Russian government hackers penetrated the computer
network of the Democratic National Committee and
gained access to the entire database of opposition
research on GOP presidential candidate Donald Trump.
Tried to penetrate the computer networks of the
Republican National Committee, using the same
techniques.
Nation State Attacks
41.
In 2015, CrowdStrike documented seven Chinese
cyberattacks against U.S. technology and
pharmaceutical companies in a three-week period
"where the primary benefit of the intrusions seems clearly
aligned to facilitate theft of intellectual property and trade
secrets, rather than to conduct traditional national
security-related intelligence collection.”
Largest offenders are China and Russia.
Nation State Attacks
42.
Knock Knock
The FBI tells you you’ve been hacked
Call your attorney
Work with them to stop the bleeding
Work with them to get immunity and help them defend
against future threats
Nation State Attacks
46.
28%
Employee Misconduct
PWC: US Cybercrime: Rising risks, reduced readiness. Key findings from the 2014 US State of Cybercrime Survey. Survey co-sponsored
by PWC, CSO Magazine, US Secret Service, and CERT Division of Software Engineering Institute at Carnegie Mellon University
47.
Caused by insiders such as current and former
employees, service providers, and contractors
Employee Misconduct
48.
The most expensive kind of breach.
Among the hardest types of attacks to detect and defend
against.
Take the longest to resolve.
Because insiders already have legitimate access to data
and systems, determining what insider activity may be a
threat and being able to stop that activity requires
dynamic capabilities for both monitoring and control.
Malicious Insiders
Ponemon Institute “2015 Cost of Cybercrime Study”
49.
Average Annualized Cost Weighted by Attack Frequency:
Malicious insiders: $144,542
Malicious code: $126,545
Web-based attacks: $96,424
Phishing: $85,959
Denial of service: $81,500
Stolen devices: $33,565
Malware: $7,378
Viruses, worms, trojans: $1,900
Botnets: $1,075
Ponemon Institute “2015 Cost of Cybercrime Study”
50.
Average Number of Days to Resolve an Attack:
Malicious insiders: 54.4
Malicious code: 47.5
Web-based attacks: 27.7
Phishing: 21.9
Denial of service: 19.3
Stolen devices: 12.3
Malware: 5.8
Viruses, worms, trojans: 2.4
Botnets: 2.2
Ponemon Institute “2015 Cost of Cybercrime Study”
52.
Lost assets (cell phones, thumb drives)
Improper disposal
Phishing emails
Leaving a machine on unattended
Poor password protection
Employee Mistakes
PricewaterhouseCoopers: US Cybercrime: Rising risks, reduced readiness. Key findings from the 2014 US State of Cybercrime Survey. Survey
co-sponsored by PWC, CSO Magazine, US Secret Service, and CERT Division of Software Engineering Institute at Carnegie Mellon University.
54.
Company
Board of Directors
President, CEO, CISO
Anyone who has a fiduciary duty to keep the
information safe
Who Can Be Sued for a Data Breach?
55.
Remediation
– Forensic Experts cost $15,000+/week
– New hardware and software
Business Disruption
– FCC study says average 400 hours resolving identity theft
– Key employees dealing with crisis instead of normal jobs
Costs of a Data Breach
56.
Network Downtime for Goods and Services
– 2014 Avaya study says average $150k-$540k/hour in lost
revenue
Employee Productivity
– Distractions, worrying, fear of losing their jobs
Costs of a Data Breach
57.
Regulatory Fines and Penalties
– HIPAA
• $5.55M against Advocate Healthcare Network
• Fines range from $110 to $55,000 per violation
• A violation is losing one record, not having one breach
– FTC
• $25M against AT&T
• Recently raised penalty from $16,000 to $40,000 per violation
Costs of a Data Breach
58.
Loss of Reputation
Loss of Customers
Public Relations
Credit Monitoring/Identity Theft Repair
Lawsuits and Settlements
Costs of a Data Breach
61.
A strong security posture includes:
Training employees
Together these decrease costs by 13%-100%
Lower the Cost of a Breach
62.
If you know neither the enemy nor yourself, you will
succumb in every battle.
--Sun Tzu, The Art of War
Key Policies and Procedures
63.
Top-down mentality.
Analyze what sensitive data you have:
– client information like PII, PHI, and financial information
– company IP, correspondence, HR information
Conduct a risk assessment to assess internal system
vulnerabilities and gain an understanding of your
company’s use, storage, and location of sensitive data.
Treat it as if it were your own bank account information.
Maintain a Culture of Security
64.
Keep software, firewalls, virus protection systems, and
operating systems up to date.
Engage outside professionals who can perform the work
for a fraction of the price.
Conduct periodic audits to ensure you are secure.
Follow up on recommendations from the audits, or be
prepared to explain why they were not followed.
Update and Audit
65.
The best defense against ransomware is not to need the encrypted copy: restore from backup instead of paying.
Cloud is a good option.
Perpetual Storage for physical information.
Determine timing: hourly, daily, weekly.
Back Up All Important Data
66.
Limit access to sensitive data only to employees
with a true need to know.
Ask employees to make a list of what they actually
access and use on a regular basis, then restrict
whenever possible.
The less an employee has access to, the less a
potential hacker has access to.
Limit Access to Sensitive Information
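The review described on this slide (compare what people are granted with what they actually use, then restrict) is mechanical enough to script. The Python below is an added example, not from the presentation: given the access-control system's grants and the access log for the review period, it reports unused grants, dormant accounts, and the more worrying case of access that shows up in the log without any grant behind it, then proposes a least-privilege grant set. The users, resources and log entries are constructed for illustration.

```python
from collections import defaultdict

# Constructed data for illustration: what the access-control system says each
# person may reach, and what the last 90 days of access logs show they actually
# touched. Neither is from a real organization.
GRANTS = {
    "alice": {"hr_records", "payroll", "marketing_share"},
    "bob": {"payroll", "finance_db", "engineering_repo"},
    "carol": {"hr_records"},
    "dave": {"finance_db", "payroll"},   # left the team; account never used
}
ACCESS_LOG = [
    ("alice", "hr_records"), ("alice", "hr_records"), ("alice", "payroll"),
    ("bob", "finance_db"), ("bob", "hr_records"),      # bob has no grant for hr_records
    ("carol", "hr_records"),
]

def review_access(grants, access_log):
    """Compare granted resources with resources actually used.
    Returns (unused_grants, dormant_users, access_without_grant)."""
    used = defaultdict(set)
    for user, resource in access_log:
        used[user].add(resource)
    unused = {}
    dormant = []
    for user, granted in grants.items():
        if not used.get(user):
            dormant.append(user)          # every grant is unused: disable or review the account
            continue
        gap = sorted(granted - used[user])
        if gap:
            unused[user] = gap            # candidates for removal
    without_grant = {}
    for user, touched in used.items():
        gap = sorted(touched - grants.get(user, set()))
        if gap:
            without_grant[user] = gap     # a control failure to investigate, not a cleanup item
    return unused, sorted(dormant), without_grant

def propose_grants(grants, access_log):
    """Least-privilege proposal: keep only what each active user actually used."""
    unused, dormant, _ = review_access(grants, access_log)
    proposal = {}
    for user, granted in grants.items():
        if user in dormant:
            proposal[user] = set()
        else:
            proposal[user] = granted - set(unused.get(user, []))
    return proposal

if __name__ == "__main__":
    unused, dormant, without_grant = review_access(GRANTS, ACCESS_LOG)
    print("unused grants:", unused)
    print("dormant accounts:", dormant)
    print("access without a grant:", without_grant)
    print("proposed grants:", propose_grants(GRANTS, ACCESS_LOG))
```

The review period matters: a resource used once a quarter will look unused in a 30-day log, so run the comparison over a window at least as long as the slowest legitimate business cycle, and treat the "access without a grant" list as an incident to explain rather than a list to approve.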
67.
Must be tailored to your organization’s needs.
What information do you collect and how do you use it?
How can you maintain a profitable business?
Outsource when you can, but require all third parties and
affiliates to maintain the same security requirements.
Get everything in writing: employee contracts and vendor
contracts.
Draft Viable Information Security Policies
68.
Acceptable Use Policy
Defines which activities are and are not allowed on
company premises, with company equipment, and when
using company resources.
Outlines consequences when violated.
Goal is to guide employees toward working productively
without burning out or putting the organization at risk due
to risky or non-business behaviors.
Draft Viable Information Security Policies
69.
Privacy Policy
Defines what is and is not private when working on
company equipment or when on company property.
– What information is collected
– What information is not collected
– What can or cannot be disclosed
– To whom information may be disclosed
– For what purposes the data was collected.
Draft Viable Information Security Policies
70.
Retention and Destruction Policy
Defines what to store, for how long, and how to get rid of
it.
Assume everything thrown out is obtained by your
competitors, your enemies, and the government.
Store only what you need and safely and securely
dispose of the rest.
Draft Viable Information Security Policies
71.
Incident Response Policy: Should address six key areas:
– Preparation
– Detection
– Containment
– Eradication
– Recovery
– Review
Goal is to minimize downtime, reduce loss, and improve
availability.
Draft Viable Information Security Policies
72.
Suggested: at least 12 characters in length, with mixed
types of characters.
Use a code or phrase that means something to you so
that you will remember.
https://howsecureismypassword.net/
Consider using a password manager like LastPass or
Dashlane.
Change passwords periodically, e.g. every 90 days.
Enforce Strong Passwords
73.
1. 123456
2. Password
3. 12345
4. 12345678
5. Football
6. Qwerty
7. 1234567890
8. 1234567
9. Princess
10. 1234
Top 10 Worst Passwords of 2016
Splashdata Survey
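The policy on the previous slide (12+ characters, mixed character types) and the worst-passwords list above can be enforced together at the point where a password is set. The Python below is an added example, not from the presentation: it checks length and character classes, and rejects anything that is on the list, or a trivial variation of a listed password (the lowercase/strip-trailing-digits normalisation is a constructed heuristic, not something the slide specifies). The list entries are the ones shown on the slide and in its notes.

```python
import string

# Entries from the SplashData 2016 list as printed on the slide and its notes.
BANNED = {
    "123456", "password", "12345", "12345678", "football", "qwerty",
    "1234567890", "1234567", "princess", "1234", "monkey", "letmein",
    "abc123", "111111",
}

CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

def normalise(pw: str) -> str:
    """Constructed heuristic: lowercase and drop trailing digits/punctuation so
    'Football2017!' is compared against the list as 'football'."""
    return pw.lower().rstrip(string.digits + string.punctuation)

def check_password(pw: str, min_length=12, min_classes=3, banned=BANNED):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(1 for cls in CHARACTER_CLASSES if any(c in cls for c in pw))
    if classes < min_classes:
        problems.append(f"uses {classes} character class(es); policy requires {min_classes}")
    if pw.lower() in banned or normalise(pw) in banned:
        problems.append("is, or is a trivial variation of, a password on the worst-passwords list")
    return problems

def is_acceptable(pw: str, **policy) -> bool:
    return not check_password(pw, **policy)

if __name__ == "__main__":
    for candidate in ["123456", "Football2017!!", "Blue-Tractor-Idaho-2017"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

In production the banned set would be a much larger breached-password list rather than fifteen entries, but the shape of the check is the same; the point of the normalisation step is that "Password1!" satisfies every mechanical rule and is still the second-worst password on the list.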
75.
Require different passwords for work and personal
accounts.
Using a single password across multiple sites poses
serious security risk because most sites don’t encrypt
their stored user login information. No matter how clever
the password, if someone gains access to a server where
it’s stored in plain text, it becomes a race to see how
quickly you can remember and change all the places
you’ve used that password.
Enforce Strong Passwords
76.
Phishing is the #1 delivery vehicle for ransomware and
other malware.
30% of phishing emails get opened.
85% of organizations have suffered phishing attacks.
250% surge in phishing detected in Q1 2016.
$1.6 million: the average cost of a spear phishing attack.
1 in 3 companies have been victims of CEO fraud emails.
Train for Phishing Emails
77.
Lock your computer when you leave your office
Maintain a clean desk
Secure sensitive hard copies in locked filing cabinets
Shred hard copies—NEVER just throw away sensitive
information
Ask unfamiliar faces who they are
Protect Your Physical Assets
78.
A breach will happen. Plan for it now.
Identify the team to address security issues
including breaches.
Practice!
Reduces cost of a data breach by over 10%.
Create Incident Response Plan
79.
Commercial General Liability Insurance
– Comprehensive general liability
– First-party property policies
– Employment practices liability
– Errors and omissions
– Management liability
– Fidelity or employee dishonesty
Consider Appropriate Insurance
80.
Cyber Security Extensions
– Information security/privacy liability coverage
– Breach response/notification services
– Regulatory defense/penalties
– Specialized media liability
– Specialized errors and omissions
– PCI-DSS fines/expenses
– Cyber-extortion
– First-party data restoration
– Network business interruption
Consider Appropriate Insurance
82.
Tammy B. Georgelas
801.536.6873
tgeorgelas@parsonsbehle.com
Thank You
Editor's Notes
Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information.
The only three states without a data breach notification law are Alabama, New Mexico, and South Dakota.
Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/ information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, drivers license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).
Notification Triggers:
Definition of personal information
Determines who to notify
Deadlines
Includes waivers
Don’t jump to conclusions
Call your outside attorney. Protect your decisions and next steps with the attorney client privilege. Otherwise, every panicked email, detailed investigative report, and embarrassing internal memo could be subject to discovery in a subsequent government investigation or lawsuit and wind up in the hands of class action plaintiffs’ attorneys determined to make your organization pay.
Source: Symantec 2015 Internet Security Threat Report
Ponemon Institute 2014 Cost of Data Breach Study: United States
CISO Appointed -$10
BCM Involvement -$13
Incident Response Plan -$17
Strong Security Posture -$21
2015 Data Breach Investigations Report by Verizon
SplashData has announced its annual list of the 25 most common passwords found on the Internet, thus making them the "Worst Passwords" that will expose anybody to being hacked or having their identities stolen.
11. 1234567
12. monkey
13. letmein
14. abc123
15. 111111
2015 Data Breach Investigations Report by Verizon
Symantec Security Technology and Response Group, August 2012.