SlideShare a Scribd company logo

Understanding Advanced Cybersecurity Threats for the In-House Counsel

A
Adam Palmer

The document discusses advanced persistent threats (APTs), which are sophisticated cyber attacks by well-resourced actors often sponsored by nation-states. APTs differ from typical cyber attacks in that they establish a long-term foothold within a company's network to steal data over time rather than carrying out single, quick attacks. The impacts of APTs can be substantial, as demonstrated by the large costs and losses companies like Target have faced. While prevention is important, the document emphasizes that companies must also focus on fast detection of threats and effective response plans since APTs are difficult to prevent fully given their resources and tactics like zero-day exploits. It provides advice for general counsels on understanding the APT threat

Law
1 of 8
Download to read offline
By Adam Palmer “Cybersecurity is now a persistent business risk … The impact has extended to the C-suite and boardroom.” – 2015 PwC “Global State of Information Security Survey” of over 9,700 senior global executives CHEAT SHEET ■■ An APTitude for sowing disaster. Advanced Persistent Threats are organizations funded or supported by state actors that target a corporation’s data for some strategic objective. ■■ Accept your limitations. Sophisticated hackers can infiltrate virtually any company, given enough time and resources. ■■ Don’t mistake compliance for security. Real security goes beyond compliance — today’s regulation does not sufficiently mandate preparedness for data threats. ■■ Culture beats tech. Technical solutions will only take you so far; inculcating a culture of preparedness is also required to lower your risk of a breach. ADVANCED PERSISTENT THREATS: Effective Response to Nation-State Attacks ACC DOCKET DECEMBER 2015 47
Are you ready to offer the right advice to help your company prepare for an attack by foreign agents intent on stealing your company’s trade secrets and intellectual property? How would you respond if a foreign government group targets your execu- tives for public embarrassment and destroys content (known as a “wipe and release” attack), as happened last year to Sony? These examples are not one-time attacks perpetrated solely for quick money. These are attacks by an advanced persistent threat (APT), a well-resourced actor (commonly) with some degree of nation-state sponsor- ship. While an APT will exploit a sys- tem using the easiest and least costly mechanism, APTs also have the ability to exploit unknown security vulner- abilities (known as a zero-day exploit) and other sophisticated tools and tac- tics to destroy brand reputations, suck out confidential trade secrets and steal millions of dollars or euros annually. APT threats are capable of doing substantial damage. The cost of APTs has demonstrated the seriousness of the threat. As an example, after the Target Corporation suffered an APT attack: ■■ Profits fell 46 percent in Q4 2013. ■■ Target reportedly spent US$ 61 million (€55 million) mitigating the breach. ■■ The company is facing more than 100 lawsuits and some analysts forecast breach-related losses could top $1 billion (€91 million). In many companies, chief legal officers (CLOs) now supervise chief information security officers (CISOs) and compliance officers. This requires the CLO to adequately understand the company’s approach to preparing for, and responding to, serious threats like APTs. The solution is not solely a tech- nical challenge. The CLO must play a critical role in setting the policy foun- dation for a security program. They must also effectively communicate the threat to the board of directors, coor- dinate executive team communication and be prepared to suggest an effective risk management strategy. This article will help you understand today’s most serious cybersecurity threat — the APT. This article also covers some of the key concepts you should understand about advanced cybersecu- rity threats and how you can properly prepare for these threats as a CLO. What is an APT and why is it the most dangerous cyber threat? An advanced persistent threat, or APT, is the security industry term for groups that typically have some degree of nation-state sponsorship. These groups launch coordinated per- sistent attacks to penetrate a compa- ny’s defenses, sometimes in response to nation-state direction or in support of national objectives. APTs generally do not launch single incident attacks. They generally, and persistently, es- tablish a foothold inside the company for the purposes of reconnaissance, exploitation, data theft, data altera- tion, data destruction and ongoing surveillance. These attackers are classified as “advanced” because they are typically government agents with teams of hackers, often with unique skill capabilities, and the support of large government resources. They are termed “persistent” because they attack relentlessly with the aim to penetrate the target and stay as long as possible on a system. In a 2014 study of advanced threat persistence, the average advanced attacker stayed inside a company’s system for 205 days — with one threat group hiding for over eight years inside a com- pany’s network! Social engineering: Why your executives WILL download malware APTs don’t always use advanced tech- niques and still rely heavily on social engineering to expose secrets or access systems. Almost 80 percent of phishing emails sent to company executives in 2014 were disguised as emails from the corporate IT security group request- ing the executive to provide an access password. The use of sophisticated and person- ally tailored emails sent by APTs to victims is referred to as spear-phishing. Recent examples have included emails sent to senior executives that appear to be from trusted sources and include unique industry terms or previously stolen private data that easily deceives a target into believing the message is legitimate. One example is an APT group that currently targets medical and pharma- ceutical executives with sophisticated spear-phishing emails. This group is believed to be stealing information about new biotech discoveries in an attempt to use this private informa- tion for stock trading. This APT group knows its audience. Their spear-phish- ing themes appear to be written by native English speakers familiar with both investment terminology and the inner workings of public companies. The group’s spear-phishing emails fre- quently focus on shareholder and pub- lic disclosure concerns. The example below illustrates one spear-phishing lure sent by an APT group designed to have the victim click a link that would download malware: Subject: employee making negative com- ments about you and the company From: Name I noticed that a user named FinanceBull82 (claiming to be an employee) in an invest- ment discussion forum posted some negative comments about the company in general Adam Palmer manages all international government affairs at FireEye, an advanced cybersecurity company. Palmer is based in Munich, Germany, where he manages a global team. adam.palmer@fireeye.com 48 ASSOCIATION OF CORPORATE COUNSEL ADVANCED PERSISTENT THREATS: EFFECTIVE RESPONSE TO NATION STATE ATTACKS
(executive compensation mainly) and you in specific (overpaid and incompetent). He gave detailed instances of his disagreements, and in doing so, may have unwittingly divulged confidential company information regarding pending transactions. I am a longtime client and I do not think that this will bode well for future business. The post generated quite a few replies, most of them agreeing with the negative statements. While I understand that the employee has the right to his opinion, perhaps he should have vented his frustrations through the appropri- ate channels before making his post. The link to the post is located here (it is the second one in the thread): http://forum./ redirect. php?url=http://%2fforum%2fequiti es%2f375823902%2farticle. phppar Could you please talk to him? Thank you for the assistance, Name These examples demonstrate the sophistication of APT spear-phishing attacks and the likelihood that they will be successful in gaining access to your company networks. Rather than focusing solely on prevention, it then becomes necessary to shift your focus to fast detection and response. Why did old security approaches fail? Traditional IT security commonly uses defined criteria or patterns to detect threats. This is similar to digi- tal fingerprints that identify threats based on known characteristics that have been seen in a prior attacks. However, this approach was fatally flawed. APT attackers can easily make changes to malware that alters the digital fingerprint. Some organiza- tions see hundreds, even thousands, of unique variabilities in malware designed to evade any pattern based detection system. This has required a new approach focused on detecting APT based on behavior and not on patterns or signatures. An even more serious, and advanced, attack is the use of a zero day exploit. A zero day exploit is the security industry term for an unknown vulnerability in software or an IT system. These are unknown doors into systems that can be incredibly valuable for attackers to exploit. They are very difficult to detect and can cause large amounts of dam- age. APT may use a zero day exploit to launch a zero day attack that exploits this unknown vulnerability to enter and harm an organization. The seriousness of zero day attacks was highlighted recently in a 2014 study by KPMG of 20 large European multinational companies that found that 93 percent of the organizations were breached, with 79 percent of the attackers stealing confidential data. Fifty percent of these attacks were successful by exploiting previously un- known, zero day exploit vulnerabilities. By creating a unique zero day attack, an APT group can bypass any security that is based on defined patterns or “digital fingerprints.” This makes the detection and elimination of zero day vulnerabilities a primary concern for IT security managers trying to shut the door on APT. Your IT security team is going to lose some battles: Be prepared In 2014, Bank of America CEO Brian Moynihan stated that he was giv- ing his IT security team a financial blank check to implement security, but even with unlimited resources, the CEO noted that “it is going to be a continual and likely never-ending battle to stay ahead of it [cyber threats] — and, unfortunately, not every battle will be won.” Even with unlimited resources, you are still more likely than not to be breached. The recent attack against Sony by North Korea is only the most recent and highly publicized, but there have been thousands of attacks conducted globally by APTs. One of the earli- est known large scale APT attacks was the Aurora attacks in 2010 in which Google disclosed it was one of more than 20 companies successfully targeted by a coordinated effort to gain access to sensitive systems and confidential information. Known targets of the Aurora group spanned a variety of industries, including the financial, technology and chemi- cal sectors. The Aurora attackers, believed to be agents of a large Asian government, used a zero day attack to enter company targets with the aim of locating and extracting con- fidential trade secrets. These trade secrets could then be transferred to commercial competitors in the attacker’s country and destroy the competitive advantage of the victim company. Knowing your company has a high chance of being attacked by an APT, there are three foundational truths you must accept as a general counsel: 1. An ATP breach is probably inevitable. 2. There is no “silver bullet” technical solution to prevent a breach. 3. The solution is to focus on preparation, fast detection and fast response. The Aurora attackers, believed to be agents of a large Asian government, used a zero day attack to enter company targets with the aim of locating and extracting confidential trade secrets. These trade secrets could then be transferred to commercial competitors in the attacker’s country and destroy the competitive advantage of the victim company. ACC DOCKET DECEMBER 2015 49
What can you do to prepare? “Corporate boards need to ensure that manage- ment is fully engaged in developing defense and response plans as sophisticated as the attack methods, or otherwise put their company’s core assets at considerable risk.” — National Asso- ciation of Corporate Directors (NACD), Director’s Handbook Series, Cyber-Risk Oversight. Ninety percent of directors par- ticipating in the NACD governance survey indicated they would like to improve their understanding of cyber- security risk, but they need executive leadership in the company to help them. As the NACD study further emphasized: “It is incumbent upon the executive team to take ownership of cyber risk and ensure that the board understands how the organization will defend against and respond to cyber risks.” Over half of boards are still not involved in security strategy and 75 percent are not reviewing security and privacy risks. This needs to change if you want to be prepared to respond to an APT attack. An ethical and effective response The security community is currently struggling with serious ethical ques- tions related to what extent offensive technical capabilities or potentially in- trusive monitoring may be appropriate as part of an effective security program or incident response program. This topic ranges from use of “cyber weap- ons” against adversaries to aggressive gathering of threat intelligence that may violate personal privacy. These are issues that require very careful con- sideration by the CLO and chief ethics officer. Many global laws restrict the degree of monitoring or types of re- sponse that is allowable. In the United States, the Computer Fraud Abuse Act (CFAA) sets criminal penalties for unauthorized hacking — even if the activity is a “hack-back” in response to an attack. The European Union also has very strict laws protecting personal privacy in the workplace. Your com- pany will need to consider, ethically and legally, what security activity will be appropriately tolerated to be secure. Cybersecurity ethics is a complex topic that requires a lengthy analysis. However, for the purposes of this article, you should be aware that you should include consultation by your chief ethics officer and careful consid- eration of the ethical limits that are appropriate for a security program. Be aware of the need to restrain the some- times natural impulses of executives to “punch back” when attacked. This may not only be ineffective, but also unethical and possibly illegal. There may better options, such as legal “take- downs” of attacker infrastructure that the CLO may help to pursue. Some companies have successfully used legal seizure laws or cooperated with law en- forcement to respond to cyber-attacks. These methods may be more effective and not risk the legal or ethical issues created by technical counter-attacks. Whatever response solution is chosen, it should be validated as legal and ethical. This is a critical part of overall incident response planning. How “good” do you need to make security? You need to understand your com- pany, your market position and what’s at stake to understand how “good” you need to be — and you DO need to decide. This is a tough question to answer but it will determine your corporate security strategy. Don’t leave this critical decision solely to the CISO. Demand assurance that your security team understands the most important company information. Ensure they are taking adequate steps not just to be compliant with regulations but really address the more advanced security threats like hunting for APTs on your network. If a foreign competitor steals your trade secrets, your entire IP protection program may be a waste of time. Make sure your company is tak- ing both the legal and technical steps to protect its intellectual property. Even if your company is “only baking cupcakes,” you should still be concerned about APT because of their propensity to move “upstream.” The most recent example of this is the re- cent massive Target store data breach. In this example it is believed that the attack began through an HVAC sup- plier connected to the Target network. The APT used this HVAC supplier to access a much larger victim — Target. The recent Sony attack also revealed that even the entertainment industry could be a target of an APT nation- state attack. Talking to your board about security The APT threat has become a board issue. As the executive in charge of risk management, if you do not drive a board discussion on this topic yourself, you have to at least be prepared for a meeting with the board of directors about APT and know what questions they will ask. Some questions you should expect include: ■■ What’s going on out there? ■■ Who is after us? ■■ Are we being targeted? ■■ How and where are they aiming? ■■ What are they after? ■■ Have we already been compromised? ■■ Are we prepared to sustain an attack? ■■ How fast can we detect, respond and recover? Be aware of the need to restrain the sometimes natural impulses of executives to “punch back” when attacked. This may not only be ineffective, but also unethical and possibly illegal. 50 ASSOCIATION OF CORPORATE COUNSEL ADVANCED PERSISTENT THREATS: EFFECTIVE RESPONSE TO NATION STATE ATTACKS
■■ Can we prevent bad things from happening? ■■ Where should we focus (and not focus)? ■■ How much is enough? ■■ How can I not impede my business productivity? ■■ How do I continue to manage these risks? Coordinate with your internal security team leader (chief informa- tion security officer) to establish your company’s correct position on a scale of a capability maturity model. Not every company needs the most advanced security, but answer- ing “How good do you need to be?” and what type of cyber insurance risk management program you need should be part of a collaborative discussion with the CISO and CLO. This includes knowing what types of company data might be valuable to an attacker, the type of confidential information your company main- tains, where it is stored and what is most sensitive. Although the security team might conduct much of this work, the CLO can provide valuable insights on this information and probably already tracks the most important information for other legal purposes. Capability maturity model Once you decide “how good you need to be,” you should adopt a policy based risk management approach: Oversight of the technical security process may be led by the CISO, but the CLO can drive a cross team collab- orative approach. Security is a process. It requires a governance structure to serve as the support mechanism to steer the program and resolve critical decisions. Having cross-functional support greatly helps in justifying policy change, budget and the com- pany cultural change you may require to be successful. This is the structure you need to make your strategy a living strategy and maintain business aware- ness when a breach occurs. An Executive Security Steering Committee (ESSC) should meet quarterly and a Security Technology Architecture and Risk Committee (STARC) subcommittee should meet monthly. Some CISOs are only techni- cal focused and may not understand all of the legal issues related to compli- ance. Similarly, legal staff may not fully understand technical issues caused by policy decisions. Collaboration is essential for success. This structure of an ESSC and a STARC subcommittee create an ongoing internal framework for strong security preparedness and response. Without a solid internal structure, you will have trouble building any success. Smart risk management policy and internal coordination are the foun- dation preparing for advanced threats and managing your security program. How can effective risk management save your company money? How to lower your insurance premiums The basic premise of risk management is saving money and shifting risk appropriately. The better you can demonstrate your company’s security posture and resiliency to the insur- ance market, the better the outcome for your company — fair premiums, higher limits, fewer claims — a win for everyone involved. The insurance industry typically uses a prevention and claims approach, where it’s believed the more money you put into preventative activities the less likely claims are to occur. But because 100 percent prevention of APT threats is not a feasible goal, you should consider advocating a monitor and respond approach to lower premi- ums. Underwriters should understand your internal security team’s technical ability to prevent attacks from occur- ring, but also, as legal counsel, you can take it a step further to demonstrate your ability to respond to exposures to minimize losses after they have oc- curred. This is the story that you need to be armed with in order to best pres- ent your enterprise to the insurance market and achieve the desired goal of lowering premium costs. Outline ACC DOCKET DECEMBER 2015 51 Capability maturity model A B C D Sophisticationofthethreat Security capability/agility to respond minimalist minimalist concerned advanced Nation-state attacks advanced APT Cyber espionage basic APT Cybercrime Conventional threats
your internal structure of an executive security committee and your ability to use a cross-functional security man- agement process to respond to attacks. Keep in mind that underwriters will look at a number of factors to arrive at their premium, but all other things being equal, advocating this approach provides a clear risk differentiator that should have underwriters competing for your business. Limit liability with the US Safety Act The SAFETY Act1 is a 2002 US law that created a liability management program for providers of anti- terrorism technologies and it can be directly applied to help protect your company against liability arising from ATP attacks. The SAFETY Act creates liability limitations for “claims arising out of, relating to, or resulting from an Act of Terrorism” where antiterrorism products have been deployed. Under the SAFETY Act, certain security product and service providers may apply for liability protections — in the form of a SAFETY Act award — from the US Department of Homeland Security (DHS). If awarded SAFETY Act protections, the provider is entitled to specific protections from third party liability stemming from the use of that product or service in relation to an “Act of Terrorism” and liability protections associated with this award “flow down” to the buyers of these technologies.2 Tort claims filed against a SAFETY Act certified product user relating to the use, performance, design etc. of the certified security product, the certifica- tion provides a strong defense up to and potentially including dismissal of claims. The Safety Act also provides exclusive federal jurisdiction and a rebuttable presumption of im- mediate dismissal of all third-party claims based on the alleged failure of the product/service used by your company that arise out of or relate to the cyber-attack in question.3 The SAFETY Act can apply even when an attack originates from or actually occurs outside the United States. So long as the attack impacts the United States (either physically or economi- cally) and the ensuing litigation is being decided under US law, both US and international companies may take advantage of the defenses of the SAFETY Act. Reviewing the security products used by your company, and ensuring that they are always SAFETY Act certi- fied, can provide very strong protec- tion against claims arising from an APT attack. What are the public policy trends related to APT? Basic compliance is not good security. Your company goal should be real security and not merely compliance. However, as a CLO, it is important to know the global policy trends now recognizing the APT threat. In Europe, the Network Information Security (NIS) Directive is expected to be finalized by the end of 2015 and will impose new strong security standards for many companies across Europe. Most importantly, this will likely require a large group of companies to adopt “state of the art security” con- trols to manage risk. As APT threats are becoming more pervasive, APT detection protocols are likely to be recognized as part of “state of the art security” requirements. The potential fines for failure to implement these controls can be significant. Germany recently became the first EU country to adopt an updated IT se- curity law that requires a wide range of companies to adopt “state of the art se- curity.” The German law mandates state of the art organizational and technical security measures to avoid interferenc- es of availability, integrity, authenticity and confidentiality of information technology systems. The law includes mandatory data breach reporting and regular audit requirements. The United States government has also recognized that it is critical to adopt measures that will defend against advanced cyber threats like 52 ASSOCIATION OF CORPORATE COUNSEL ADVANCED PERSISTENT THREATS: EFFECTIVE RESPONSE TO NATION STATE ATTACKS Security risk management POLICY ■■ Security policy development ■■ Customer and internal auditing ■■ Security awareness ■■ Compliance management ■■ Security process development RISK MANAGEMENT ■■ Risk assessment and analysis ■■ Vendor management and review ■■ Product release assessments ■■ IT system security assessments ■■ Remediation prioritization ■■ Security planning and strategy ■■ Security governance ■■ Business continuity
APT. One example of a best practice to detect APT is included in the United States NIST Special Publication 800.53 (Rev.4) and has now received wide- spread adoption by Fortune 500 com- panies. This recommendation states that organizations should implement “non-signature-based malicious code detection mechanisms” specifically de- signed to find zero day vulnerabilities and detect APT. Outside Europe and the United States, governments are also adopting policy to protect against APT. In the Asia Pacific Region, the Australian Signals Directorate (ASD) in 2014 added detection of zero day APT vulnerabilities to its Top 10 of “35 Critical Strategies for Cybersecurity.” The ASD recommends that organiza- tions implement “automated dynamic analysis of email and web content run in a sandbox to detect suspicious be- havior including network traffic, new or modified files, or other configura- tion changes.” While these are technical standards, it is important for the CLO to be aware of these emerging recognized best practices. They are becoming security standards and may affect your duty of care. This also provides guidance for your discussion with your security leaders about whether they are fol- lowing best practices to protect your company. The road to success “Accelerating investments is not enough … you have to mature your organization, your people, and your technologies, and that can be a more restraining factor than the availability of capital.” Gary Hayes, CIO of CenterPoint Energy - PWC Global State of Information Security 2014. Whether you directly manage the CISO or work collaboratively as a peer with your security team leader, you play a critical role in your company’s security program. The risk of an APT attack with the ability to destroy your company’s reputation or competitive advantage is a critical concern for your company’s health. You must be prepared to effectively communicate this message to your executive team and board. Verify that your security team is considering not just technical so- lutions, but the advantages of US SAFETY Act certified solutions to detect zero day threats as these can sig- nificantly lower your liability exposure. Stay informed about the latest standard of care requirements for state of the art security now included in many government IT laws. Finally, adopting a detect and respond posture (anticipat- ing a breach) vs. a prevention posture (that is likely to fail) is a strong, smart, risk management model. Technical solutions are only part of the answer. As a CLO you can promote the correct internal risk management structure. You should take responsibil- ity to manage preparedness, reduce insurance costs and coordinate the internal risk management structures. Your IT team may be only considering the technical solutions. However, by being actively engaged in security pre- paredness, you can also significantly lower the risk that an APT threat will cause significant harm. ACC NOTES 1 Support Anti-terrorism by Fostering Effective Technologies Act of 2002, 6 C.F.R. Part 25. 2 71 Fed. Reg. 33, 147, 33, 156 (June 8, 2006, Final Rule). 2 The DHS Secretary has to declare that the cyber-attack in question is an “Act of Terrorism.” However, under the law, “Act of Terrorism” is broadly defined. The attack only needs to be 1) unlawful, 2) cause harm, including economic harm in the United States, and 3) the attacker has to use a weapon or other items that are intended to cause such harm. There is no need to demonstrate “terrorist” motivations or connections to terrorist groups. As such, the SAFETY Act can apply to a broad range of attacks, including state- sponsored or criminal cyber-attacks. 3 SAFETY Act only provides for dismissal of third party claims — regulatory and other types of claims can still proceed. The certified product must also be in the same working form and use as it was certified. ACC DOCKET DECEMBER 2015 53 HAVE A COMMENT ON THIS ARTICLE? VISIT ACC’S BLOG AT WWW.INHOUSEACCESS.COM/ACC-DOCKET. ACC EXTRAS ON… Advanced persistent threats ACC Docket Once More Unto the Breach: Why and How to be Ready for a Data Breach (Sep. 2015) www.accdocket.com/articles/resource. cfm?show=1408899 Cybersecurity: How to Prepare for and Respond to Cyber Attacks (Mar. 2014) www.acc.com/legalresources/resource. cfm?show=1360853 Who is Guarding Your Digital Back Door? (Sep. 2014) www.acc.com/legalresources/ resource.cfm?show=1375719 Practice Resource Data Breaches that Don’t Make the Headlines (Oct. 2013) www.acc.com/legalresources/ resource.cfm?show=1355964 InfoPAKSM Workplace Information Risk in the Digital Age: Monitoring Employees, Social Media Challenges, Managing Access to Data, and Optimizing Flexibility (Feb. 2014) www.acc.com/legalresources/resource. cfm?show=1361821 Cloud Computing for Health Care Organizations: A Practical Framework for Managing Risks (Aug. 2013) www.acc.com/ legalresources/resource.cfm?show=1348128 ACC HAS MORE MATERIAL ON THIS SUBJECT ON OUR WEBSITE. VISIT WWW.ACC.COM, WHERE YOU CAN BROWSE OUR RESOURCES BY PRACTICE AREA OR SEARCH BY KEYWORD.

Recommended

SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)Sarah Jarvis
 
7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-MaligecChristine Maligec, CRM-E, CRIS
 
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...Hewlett Packard Enterprise Business Value Exchange
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response SurveyFireEye, Inc.
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesSlideTeam
 
Best practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingBest practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingwardell henley
 
Ask the Experts final
Ask the Experts finalAsk the Experts final
Ask the Experts finalDaren Dunkel
 
BLACKOPS_USCS CyberSecurity Literacy
BLACKOPS_USCS CyberSecurity LiteracyBLACKOPS_USCS CyberSecurity Literacy
BLACKOPS_USCS CyberSecurity LiteracyCasey Fleming
 

Recommended

SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)Sarah Jarvis
 
7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-MaligecChristine Maligec, CRM-E, CRIS
 
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...Hewlett Packard Enterprise Business Value Exchange
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response SurveyFireEye, Inc.
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesSlideTeam
 
Best practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingBest practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingwardell henley
 
Ask the Experts final
Ask the Experts finalAsk the Experts final
Ask the Experts finalDaren Dunkel
 
BLACKOPS_USCS CyberSecurity Literacy
BLACKOPS_USCS CyberSecurity LiteracyBLACKOPS_USCS CyberSecurity Literacy
BLACKOPS_USCS CyberSecurity LiteracyCasey Fleming
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligenceseadeloitte
 
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldRSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldEMC
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeErnst & Young
 
InfraGard Webinar March 2016 033016 A
InfraGard Webinar March 2016 033016 AInfraGard Webinar March 2016 033016 A
InfraGard Webinar March 2016 033016 AWard Pyles
 
SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey FireEye, Inc.
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The Economist Media Businesses
 
The VOHO Campaign: An In Depth Analysis
The VOHO Campaign: An In Depth AnalysisThe VOHO Campaign: An In Depth Analysis
The VOHO Campaign: An In Depth AnalysisEMC
 
Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise The Economist Media Businesses
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks- Mark - Fullbright
 
M-Trends® 2010: The Advanced Persistent Threat
M-Trends® 2010: The Advanced Persistent Threat M-Trends® 2010: The Advanced Persistent Threat
M-Trends® 2010: The Advanced Persistent ThreatFireEye, Inc.
 
2015-advanced-persistent-threat-awareness_whp_eng_1015
2015-advanced-persistent-threat-awareness_whp_eng_10152015-advanced-persistent-threat-awareness_whp_eng_1015
2015-advanced-persistent-threat-awareness_whp_eng_1015Robin "Montana" Williams
 
Challenging Insecurity: A Roadmap to Cyber Confidence
Challenging Insecurity: A Roadmap to Cyber ConfidenceChallenging Insecurity: A Roadmap to Cyber Confidence
Challenging Insecurity: A Roadmap to Cyber ConfidenceS-RM Risk and Intelligence Consulting
 
Cyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attentionCyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attentionRamón Gómez de Olea y Bustinza
 
Threat Lifecycle Management_Whitepaper
Threat Lifecycle Management_WhitepaperThreat Lifecycle Management_Whitepaper
Threat Lifecycle Management_WhitepaperDuncan Hart
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015John Budriss
 
M-Trends® 2012: An Evolving Threat
M-Trends® 2012: An Evolving Threat M-Trends® 2012: An Evolving Threat
M-Trends® 2012: An Evolving Threat FireEye, Inc.
 
September 2019 part 9
September 2019 part 9September 2019 part 9
September 2019 part 9seadeloitte
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperCMR WORLD TECH
 
We are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfWe are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfgalagirishp
 
Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman
 
Insider Threats_ Top Four Ways to Protect Enterprises - ITSecurityWire.pdf
Insider Threats_ Top Four Ways to Protect Enterprises - ITSecurityWire.pdfInsider Threats_ Top Four Ways to Protect Enterprises - ITSecurityWire.pdf
Insider Threats_ Top Four Ways to Protect Enterprises - ITSecurityWire.pdfEnterprise Insider
 

More Related Content

What's hot

Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligenceseadeloitte
 
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldRSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldEMC
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeErnst & Young
 
InfraGard Webinar March 2016 033016 A
InfraGard Webinar March 2016 033016 AInfraGard Webinar March 2016 033016 A
InfraGard Webinar March 2016 033016 AWard Pyles
 
SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey FireEye, Inc.
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The Economist Media Businesses
 
The VOHO Campaign: An In Depth Analysis
The VOHO Campaign: An In Depth AnalysisThe VOHO Campaign: An In Depth Analysis
The VOHO Campaign: An In Depth AnalysisEMC
 
Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise The Economist Media Businesses
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks- Mark - Fullbright
 
M-Trends® 2010: The Advanced Persistent Threat
M-Trends® 2010: The Advanced Persistent Threat M-Trends® 2010: The Advanced Persistent Threat
M-Trends® 2010: The Advanced Persistent ThreatFireEye, Inc.
 
2015-advanced-persistent-threat-awareness_whp_eng_1015
2015-advanced-persistent-threat-awareness_whp_eng_10152015-advanced-persistent-threat-awareness_whp_eng_1015
2015-advanced-persistent-threat-awareness_whp_eng_1015Robin "Montana" Williams
 
Cyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attentionCyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attentionRamón Gómez de Olea y Bustinza
 
Threat Lifecycle Management_Whitepaper
Threat Lifecycle Management_WhitepaperThreat Lifecycle Management_Whitepaper
Threat Lifecycle Management_WhitepaperDuncan Hart
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015John Budriss
 
M-Trends® 2012: An Evolving Threat
M-Trends® 2012: An Evolving Threat M-Trends® 2012: An Evolving Threat
M-Trends® 2012: An Evolving Threat FireEye, Inc.
 
September 2019 part 9
September 2019 part 9September 2019 part 9
September 2019 part 9seadeloitte
 

What's hot (18)

Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldRSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
InfraGard Webinar March 2016 033016 A
InfraGard Webinar March 2016 033016 AInfraGard Webinar March 2016 033016 A
InfraGard Webinar March 2016 033016 A
 
SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...
 
The VOHO Campaign: An In Depth Analysis
The VOHO Campaign: An In Depth AnalysisThe VOHO Campaign: An In Depth Analysis
The VOHO Campaign: An In Depth Analysis
 
Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
 
M-Trends® 2010: The Advanced Persistent Threat
M-Trends® 2010: The Advanced Persistent Threat M-Trends® 2010: The Advanced Persistent Threat
M-Trends® 2010: The Advanced Persistent Threat
 
2015-advanced-persistent-threat-awareness_whp_eng_1015
2015-advanced-persistent-threat-awareness_whp_eng_10152015-advanced-persistent-threat-awareness_whp_eng_1015
2015-advanced-persistent-threat-awareness_whp_eng_1015
 
Challenging Insecurity: A Roadmap to Cyber Confidence
Challenging Insecurity: A Roadmap to Cyber ConfidenceChallenging Insecurity: A Roadmap to Cyber Confidence
Challenging Insecurity: A Roadmap to Cyber Confidence
 
Cyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attentionCyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attention
 
Threat Lifecycle Management_Whitepaper
Threat Lifecycle Management_WhitepaperThreat Lifecycle Management_Whitepaper
Threat Lifecycle Management_Whitepaper
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015
 
M-Trends® 2012: An Evolving Threat
M-Trends® 2012: An Evolving Threat M-Trends® 2012: An Evolving Threat
M-Trends® 2012: An Evolving Threat
 
September 2019 part 9
September 2019 part 9September 2019 part 9
September 2019 part 9
 

Similar to Understanding Advanced Cybersecurity Threats for the In-House Counsel

Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperCMR WORLD TECH
 
We are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfWe are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfgalagirishp
 
Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman
 
Insider Threats_ Top Four Ways to Protect Enterprises - ITSecurityWire.pdf
Insider Threats_ Top Four Ways to Protect Enterprises - ITSecurityWire.pdfInsider Threats_ Top Four Ways to Protect Enterprises - ITSecurityWire.pdf
Insider Threats_ Top Four Ways to Protect Enterprises - ITSecurityWire.pdfEnterprise Insider
 
Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Bala Guntipalli ♦ MBA
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityKaryl Scott
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxAbimbolaFisher1
 
53Pan has just been hired as the new cybersecurity manager .pdf
53Pan has just been hired as the new cybersecurity manager .pdf53Pan has just been hired as the new cybersecurity manager .pdf
53Pan has just been hired as the new cybersecurity manager .pdfacecomputertcr
 
Netwealth educational webinar: Peace of mind in a digital world
Netwealth educational webinar: Peace of mind in a digital worldNetwealth educational webinar: Peace of mind in a digital world
Netwealth educational webinar: Peace of mind in a digital worldnetwealthInvest
 
Countering Advanced Persistent Threats
Countering Advanced Persistent ThreatsCountering Advanced Persistent Threats
Countering Advanced Persistent ThreatsBooz Allen Hamilton
 
Ways To Protect Your Company From Cybercrime
Ways To Protect Your Company From CybercrimeWays To Protect Your Company From Cybercrime
Ways To Protect Your Company From Cybercrimethinkwithniche
 
11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of securityMatthew Pascucci
 
Introduction to the Current Threat Landscape
Introduction to the Current Threat LandscapeIntroduction to the Current Threat Landscape
Introduction to the Current Threat LandscapeMelbourne IT
 
Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen Hamilton
 
140707_Cyber-Security
140707_Cyber-Security140707_Cyber-Security
140707_Cyber-SecurityTara Gravel
 
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...Invincea, Inc.
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForcePatrick Bouillaud
 

Similar to Understanding Advanced Cybersecurity Threats for the In-House Counsel (20)

Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
We are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfWe are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdf
 
Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015
 
Insider Threats_ Top Four Ways to Protect Enterprises - ITSecurityWire.pdf
Insider Threats_ Top Four Ways to Protect Enterprises - ITSecurityWire.pdfInsider Threats_ Top Four Ways to Protect Enterprises - ITSecurityWire.pdf
Insider Threats_ Top Four Ways to Protect Enterprises - ITSecurityWire.pdf
 
Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...
 
5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams 5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptx
 
Cybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaCybersecurity - Sam Maccherola
Cybersecurity - Sam Maccherola
 
53Pan has just been hired as the new cybersecurity manager .pdf
53Pan has just been hired as the new cybersecurity manager .pdf53Pan has just been hired as the new cybersecurity manager .pdf
53Pan has just been hired as the new cybersecurity manager .pdf
 
Netwealth educational webinar: Peace of mind in a digital world
Netwealth educational webinar: Peace of mind in a digital worldNetwealth educational webinar: Peace of mind in a digital world
Netwealth educational webinar: Peace of mind in a digital world
 
Countering Advanced Persistent Threats
Countering Advanced Persistent ThreatsCountering Advanced Persistent Threats
Countering Advanced Persistent Threats
 
Ways To Protect Your Company From Cybercrime
Ways To Protect Your Company From CybercrimeWays To Protect Your Company From Cybercrime
Ways To Protect Your Company From Cybercrime
 
11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security
 
Introduction to the Current Threat Landscape
Introduction to the Current Threat LandscapeIntroduction to the Current Threat Landscape
Introduction to the Current Threat Landscape
 
Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of Directors
 
140707_Cyber-Security
140707_Cyber-Security140707_Cyber-Security
140707_Cyber-Security
 
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-Force
 
IBM X-Force.PDF
IBM X-Force.PDFIBM X-Force.PDF
IBM X-Force.PDF
 

Recently uploaded

indian evidence act.pdf.......very helpful for law student
indian evidence act.pdf.......very helpful for law studentindian evidence act.pdf.......very helpful for law student
indian evidence act.pdf.......very helpful for law studentAaruKhanduri
 
Abdul Hakim Shabazz Deposition Hearing in Federal Court
Abdul Hakim Shabazz Deposition Hearing in Federal CourtAbdul Hakim Shabazz Deposition Hearing in Federal Court
Abdul Hakim Shabazz Deposition Hearing in Federal CourtGabe Whitley
 
The Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot CitizenshipThe Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot CitizenshipBridgeWest.eu
 
Donald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdfDonald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdfssuser5750e1
 
Notes-on-Prescription-Obligations-and-Contracts.doc
Notes-on-Prescription-Obligations-and-Contracts.docNotes-on-Prescription-Obligations-and-Contracts.doc
Notes-on-Prescription-Obligations-and-Contracts.docBRELGOSIMAT
 
Agrarian Reform Policies in the Philippines: a quiz
Agrarian Reform Policies in the Philippines: a quizAgrarian Reform Policies in the Philippines: a quiz
Agrarian Reform Policies in the Philippines: a quizgaelcabigunda
 
DNA Testing in Civil and Criminal Matters.pptx
DNA Testing in Civil and Criminal Matters.pptxDNA Testing in Civil and Criminal Matters.pptx
DNA Testing in Civil and Criminal Matters.pptxpatrons legal
 
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptx
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptxEMPLOYMENT LAW AN OVERVIEW in Malawi.pptx
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptxMwaiMapemba
 
Application of Doctrine of Renvoi by foreign courts under conflict of laws
Application of Doctrine of Renvoi by foreign courts under conflict of lawsApplication of Doctrine of Renvoi by foreign courts under conflict of laws
Application of Doctrine of Renvoi by foreign courts under conflict of lawsanvithaav
 
Book review - Amartya Sen's Idea of Justice
Book review - Amartya Sen's Idea of JusticeBook review - Amartya Sen's Idea of Justice
Book review - Amartya Sen's Idea of Justiceanvithaav
 
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)Mike Keyes
 
Debt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debtDebt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debtssuser0576e4
 
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense CounselMilitary Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense CounselThomas (Tom) Jasper
 
ALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdfALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdf46adnanshahzad
 
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...Dr. Oliver Massmann
 
Everything You Should Know About Child Custody and Parenting While Living in ...
Everything You Should Know About Child Custody and Parenting While Living in ...Everything You Should Know About Child Custody and Parenting While Living in ...
Everything You Should Know About Child Custody and Parenting While Living in ...AvinashMittal5
 
Solidarity and Taxation: the Ubuntu approach in South Africa
Solidarity and Taxation: the Ubuntu approach in South AfricaSolidarity and Taxation: the Ubuntu approach in South Africa
Solidarity and Taxation: the Ubuntu approach in South AfricaUniversity of Ferrara
 
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptxPRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptxOmGod1
 
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptxRIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptxOmGod1
 

Recently uploaded (20)

indian evidence act.pdf.......very helpful for law student
indian evidence act.pdf.......very helpful for law studentindian evidence act.pdf.......very helpful for law student
indian evidence act.pdf.......very helpful for law student
 
Abdul Hakim Shabazz Deposition Hearing in Federal Court
Abdul Hakim Shabazz Deposition Hearing in Federal CourtAbdul Hakim Shabazz Deposition Hearing in Federal Court
Abdul Hakim Shabazz Deposition Hearing in Federal Court
 
The Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot CitizenshipThe Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot Citizenship
 
Donald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdfDonald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdf
 
Notes-on-Prescription-Obligations-and-Contracts.doc
Notes-on-Prescription-Obligations-and-Contracts.docNotes-on-Prescription-Obligations-and-Contracts.doc
Notes-on-Prescription-Obligations-and-Contracts.doc
 
Agrarian Reform Policies in the Philippines: a quiz
Agrarian Reform Policies in the Philippines: a quizAgrarian Reform Policies in the Philippines: a quiz
Agrarian Reform Policies in the Philippines: a quiz
 
DNA Testing in Civil and Criminal Matters.pptx
DNA Testing in Civil and Criminal Matters.pptxDNA Testing in Civil and Criminal Matters.pptx
DNA Testing in Civil and Criminal Matters.pptx
 
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptx
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptxEMPLOYMENT LAW AN OVERVIEW in Malawi.pptx
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptx
 
Application of Doctrine of Renvoi by foreign courts under conflict of laws
Application of Doctrine of Renvoi by foreign courts under conflict of lawsApplication of Doctrine of Renvoi by foreign courts under conflict of laws
Application of Doctrine of Renvoi by foreign courts under conflict of laws
 
Book review - Amartya Sen's Idea of Justice
Book review - Amartya Sen's Idea of JusticeBook review - Amartya Sen's Idea of Justice
Book review - Amartya Sen's Idea of Justice
 
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)
 
Debt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debtDebt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debt
 
Charge and its essentials rules Under the CRPC, 1898
Charge and its essentials rules Under the CRPC, 1898Charge and its essentials rules Under the CRPC, 1898
Charge and its essentials rules Under the CRPC, 1898
 
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense CounselMilitary Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
 
ALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdfALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdf
 
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
 
Everything You Should Know About Child Custody and Parenting While Living in ...
Everything You Should Know About Child Custody and Parenting While Living in ...Everything You Should Know About Child Custody and Parenting While Living in ...
Everything You Should Know About Child Custody and Parenting While Living in ...
 
Solidarity and Taxation: the Ubuntu approach in South Africa
Solidarity and Taxation: the Ubuntu approach in South AfricaSolidarity and Taxation: the Ubuntu approach in South Africa
Solidarity and Taxation: the Ubuntu approach in South Africa
 
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptxPRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
 
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptxRIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
 

Understanding Advanced Cybersecurity Threats for the In-House Counsel

  • 1.
  • 2. By Adam Palmer “Cybersecurity is now a persistent business risk … The impact has extended to the C-suite and boardroom.” – 2015 PwC “Global State of Information Security Survey” of over 9,700 senior global executives CHEAT SHEET ■■ An APTitude for sowing disaster. Advanced Persistent Threats are organizations funded or supported by state actors that target a corporation’s data for some strategic objective. ■■ Accept your limitations. Sophisticated hackers can infiltrate virtually any company, given enough time and resources. ■■ Don’t mistake compliance for security. Real security goes beyond compliance — today’s regulation does not sufficiently mandate preparedness for data threats. ■■ Culture beats tech. Technical solutions will only take you so far; inculcating a culture of preparedness is also required to lower your risk of a breach. ADVANCED PERSISTENT THREATS: Effective Response to Nation-State Attacks ACC DOCKET DECEMBER 2015 47
  • 3. Are you ready to offer the right advice to help your company prepare for an attack by foreign agents intent on stealing your company’s trade secrets and intellectual property? How would you respond if a foreign government group targets your execu- tives for public embarrassment and destroys content (known as a “wipe and release” attack), as happened last year to Sony? These examples are not one-time attacks perpetrated solely for quick money. These are attacks by an advanced persistent threat (APT), a well-resourced actor (commonly) with some degree of nation-state sponsor- ship. While an APT will exploit a sys- tem using the easiest and least costly mechanism, APTs also have the ability to exploit unknown security vulner- abilities (known as a zero-day exploit) and other sophisticated tools and tac- tics to destroy brand reputations, suck out confidential trade secrets and steal millions of dollars or euros annually. APT threats are capable of doing substantial damage. The cost of APTs has demonstrated the seriousness of the threat. As an example, after the Target Corporation suffered an APT attack: ■■ Profits fell 46 percent in Q4 2013. ■■ Target reportedly spent US$ 61 million (€55 million) mitigating the breach. ■■ The company is facing more than 100 lawsuits and some analysts forecast breach-related losses could top $1 billion (€91 million). In many companies, chief legal officers (CLOs) now supervise chief information security officers (CISOs) and compliance officers. This requires the CLO to adequately understand the company’s approach to preparing for, and responding to, serious threats like APTs. The solution is not solely a tech- nical challenge. The CLO must play a critical role in setting the policy foun- dation for a security program. They must also effectively communicate the threat to the board of directors, coor- dinate executive team communication and be prepared to suggest an effective risk management strategy. This article will help you understand today’s most serious cybersecurity threat — the APT. This article also covers some of the key concepts you should understand about advanced cybersecu- rity threats and how you can properly prepare for these threats as a CLO. What is an APT and why is it the most dangerous cyber threat? An advanced persistent threat, or APT, is the security industry term for groups that typically have some degree of nation-state sponsorship. These groups launch coordinated per- sistent attacks to penetrate a compa- ny’s defenses, sometimes in response to nation-state direction or in support of national objectives. APTs generally do not launch single incident attacks. They generally, and persistently, es- tablish a foothold inside the company for the purposes of reconnaissance, exploitation, data theft, data altera- tion, data destruction and ongoing surveillance. These attackers are classified as “advanced” because they are typically government agents with teams of hackers, often with unique skill capabilities, and the support of large government resources. They are termed “persistent” because they attack relentlessly with the aim to penetrate the target and stay as long as possible on a system. In a 2014 study of advanced threat persistence, the average advanced attacker stayed inside a company’s system for 205 days — with one threat group hiding for over eight years inside a com- pany’s network! Social engineering: Why your executives WILL download malware APTs don’t always use advanced tech- niques and still rely heavily on social engineering to expose secrets or access systems. Almost 80 percent of phishing emails sent to company executives in 2014 were disguised as emails from the corporate IT security group request- ing the executive to provide an access password. The use of sophisticated and person- ally tailored emails sent by APTs to victims is referred to as spear-phishing. Recent examples have included emails sent to senior executives that appear to be from trusted sources and include unique industry terms or previously stolen private data that easily deceives a target into believing the message is legitimate. One example is an APT group that currently targets medical and pharma- ceutical executives with sophisticated spear-phishing emails. This group is believed to be stealing information about new biotech discoveries in an attempt to use this private informa- tion for stock trading. This APT group knows its audience. Their spear-phish- ing themes appear to be written by native English speakers familiar with both investment terminology and the inner workings of public companies. The group’s spear-phishing emails fre- quently focus on shareholder and pub- lic disclosure concerns. The example below illustrates one spear-phishing lure sent by an APT group designed to have the victim click a link that would download malware: Subject: employee making negative com- ments about you and the company From: Name I noticed that a user named FinanceBull82 (claiming to be an employee) in an invest- ment discussion forum posted some negative comments about the company in general Adam Palmer manages all international government affairs at FireEye, an advanced cybersecurity company. Palmer is based in Munich, Germany, where he manages a global team. adam.palmer@fireeye.com 48 ASSOCIATION OF CORPORATE COUNSEL ADVANCED PERSISTENT THREATS: EFFECTIVE RESPONSE TO NATION STATE ATTACKS
  • 4. (executive compensation mainly) and you in specific (overpaid and incompetent). He gave detailed instances of his disagreements, and in doing so, may have unwittingly divulged confidential company information regarding pending transactions. I am a longtime client and I do not think that this will bode well for future business. The post generated quite a few replies, most of them agreeing with the negative statements. While I understand that the employee has the right to his opinion, perhaps he should have vented his frustrations through the appropri- ate channels before making his post. The link to the post is located here (it is the second one in the thread): http://forum./ redirect. php?url=http://%2fforum%2fequiti es%2f375823902%2farticle. phppar Could you please talk to him? Thank you for the assistance, Name These examples demonstrate the sophistication of APT spear-phishing attacks and the likelihood that they will be successful in gaining access to your company networks. Rather than focusing solely on prevention, it then becomes necessary to shift your focus to fast detection and response. Why did old security approaches fail? Traditional IT security commonly uses defined criteria or patterns to detect threats. This is similar to digi- tal fingerprints that identify threats based on known characteristics that have been seen in a prior attacks. However, this approach was fatally flawed. APT attackers can easily make changes to malware that alters the digital fingerprint. Some organiza- tions see hundreds, even thousands, of unique variabilities in malware designed to evade any pattern based detection system. This has required a new approach focused on detecting APT based on behavior and not on patterns or signatures. An even more serious, and advanced, attack is the use of a zero day exploit. A zero day exploit is the security industry term for an unknown vulnerability in software or an IT system. These are unknown doors into systems that can be incredibly valuable for attackers to exploit. They are very difficult to detect and can cause large amounts of dam- age. APT may use a zero day exploit to launch a zero day attack that exploits this unknown vulnerability to enter and harm an organization. The seriousness of zero day attacks was highlighted recently in a 2014 study by KPMG of 20 large European multinational companies that found that 93 percent of the organizations were breached, with 79 percent of the attackers stealing confidential data. Fifty percent of these attacks were successful by exploiting previously un- known, zero day exploit vulnerabilities. By creating a unique zero day attack, an APT group can bypass any security that is based on defined patterns or “digital fingerprints.” This makes the detection and elimination of zero day vulnerabilities a primary concern for IT security managers trying to shut the door on APT. Your IT security team is going to lose some battles: Be prepared In 2014, Bank of America CEO Brian Moynihan stated that he was giv- ing his IT security team a financial blank check to implement security, but even with unlimited resources, the CEO noted that “it is going to be a continual and likely never-ending battle to stay ahead of it [cyber threats] — and, unfortunately, not every battle will be won.” Even with unlimited resources, you are still more likely than not to be breached. The recent attack against Sony by North Korea is only the most recent and highly publicized, but there have been thousands of attacks conducted globally by APTs. One of the earli- est known large scale APT attacks was the Aurora attacks in 2010 in which Google disclosed it was one of more than 20 companies successfully targeted by a coordinated effort to gain access to sensitive systems and confidential information. Known targets of the Aurora group spanned a variety of industries, including the financial, technology and chemi- cal sectors. The Aurora attackers, believed to be agents of a large Asian government, used a zero day attack to enter company targets with the aim of locating and extracting con- fidential trade secrets. These trade secrets could then be transferred to commercial competitors in the attacker’s country and destroy the competitive advantage of the victim company. Knowing your company has a high chance of being attacked by an APT, there are three foundational truths you must accept as a general counsel: 1. An ATP breach is probably inevitable. 2. There is no “silver bullet” technical solution to prevent a breach. 3. The solution is to focus on preparation, fast detection and fast response. The Aurora attackers, believed to be agents of a large Asian government, used a zero day attack to enter company targets with the aim of locating and extracting confidential trade secrets. These trade secrets could then be transferred to commercial competitors in the attacker’s country and destroy the competitive advantage of the victim company. ACC DOCKET DECEMBER 2015 49
  • 5. What can you do to prepare? “Corporate boards need to ensure that manage- ment is fully engaged in developing defense and response plans as sophisticated as the attack methods, or otherwise put their company’s core assets at considerable risk.” — National Asso- ciation of Corporate Directors (NACD), Director’s Handbook Series, Cyber-Risk Oversight. Ninety percent of directors par- ticipating in the NACD governance survey indicated they would like to improve their understanding of cyber- security risk, but they need executive leadership in the company to help them. As the NACD study further emphasized: “It is incumbent upon the executive team to take ownership of cyber risk and ensure that the board understands how the organization will defend against and respond to cyber risks.” Over half of boards are still not involved in security strategy and 75 percent are not reviewing security and privacy risks. This needs to change if you want to be prepared to respond to an APT attack. An ethical and effective response The security community is currently struggling with serious ethical ques- tions related to what extent offensive technical capabilities or potentially in- trusive monitoring may be appropriate as part of an effective security program or incident response program. This topic ranges from use of “cyber weap- ons” against adversaries to aggressive gathering of threat intelligence that may violate personal privacy. These are issues that require very careful con- sideration by the CLO and chief ethics officer. Many global laws restrict the degree of monitoring or types of re- sponse that is allowable. In the United States, the Computer Fraud Abuse Act (CFAA) sets criminal penalties for unauthorized hacking — even if the activity is a “hack-back” in response to an attack. The European Union also has very strict laws protecting personal privacy in the workplace. Your com- pany will need to consider, ethically and legally, what security activity will be appropriately tolerated to be secure. Cybersecurity ethics is a complex topic that requires a lengthy analysis. However, for the purposes of this article, you should be aware that you should include consultation by your chief ethics officer and careful consid- eration of the ethical limits that are appropriate for a security program. Be aware of the need to restrain the some- times natural impulses of executives to “punch back” when attacked. This may not only be ineffective, but also unethical and possibly illegal. There may better options, such as legal “take- downs” of attacker infrastructure that the CLO may help to pursue. Some companies have successfully used legal seizure laws or cooperated with law en- forcement to respond to cyber-attacks. These methods may be more effective and not risk the legal or ethical issues created by technical counter-attacks. Whatever response solution is chosen, it should be validated as legal and ethical. This is a critical part of overall incident response planning. How “good” do you need to make security? You need to understand your com- pany, your market position and what’s at stake to understand how “good” you need to be — and you DO need to decide. This is a tough question to answer but it will determine your corporate security strategy. Don’t leave this critical decision solely to the CISO. Demand assurance that your security team understands the most important company information. Ensure they are taking adequate steps not just to be compliant with regulations but really address the more advanced security threats like hunting for APTs on your network. If a foreign competitor steals your trade secrets, your entire IP protection program may be a waste of time. Make sure your company is tak- ing both the legal and technical steps to protect its intellectual property. Even if your company is “only baking cupcakes,” you should still be concerned about APT because of their propensity to move “upstream.” The most recent example of this is the re- cent massive Target store data breach. In this example it is believed that the attack began through an HVAC sup- plier connected to the Target network. The APT used this HVAC supplier to access a much larger victim — Target. The recent Sony attack also revealed that even the entertainment industry could be a target of an APT nation- state attack. Talking to your board about security The APT threat has become a board issue. As the executive in charge of risk management, if you do not drive a board discussion on this topic yourself, you have to at least be prepared for a meeting with the board of directors about APT and know what questions they will ask. Some questions you should expect include: ■■ What’s going on out there? ■■ Who is after us? ■■ Are we being targeted? ■■ How and where are they aiming? ■■ What are they after? ■■ Have we already been compromised? ■■ Are we prepared to sustain an attack? ■■ How fast can we detect, respond and recover? Be aware of the need to restrain the sometimes natural impulses of executives to “punch back” when attacked. This may not only be ineffective, but also unethical and possibly illegal. 50 ASSOCIATION OF CORPORATE COUNSEL ADVANCED PERSISTENT THREATS: EFFECTIVE RESPONSE TO NATION STATE ATTACKS
  • 6. ■■ Can we prevent bad things from happening? ■■ Where should we focus (and not focus)? ■■ How much is enough? ■■ How can I not impede my business productivity? ■■ How do I continue to manage these risks? Coordinate with your internal security team leader (chief informa- tion security officer) to establish your company’s correct position on a scale of a capability maturity model. Not every company needs the most advanced security, but answer- ing “How good do you need to be?” and what type of cyber insurance risk management program you need should be part of a collaborative discussion with the CISO and CLO. This includes knowing what types of company data might be valuable to an attacker, the type of confidential information your company main- tains, where it is stored and what is most sensitive. Although the security team might conduct much of this work, the CLO can provide valuable insights on this information and probably already tracks the most important information for other legal purposes. Capability maturity model Once you decide “how good you need to be,” you should adopt a policy based risk management approach: Oversight of the technical security process may be led by the CISO, but the CLO can drive a cross team collab- orative approach. Security is a process. It requires a governance structure to serve as the support mechanism to steer the program and resolve critical decisions. Having cross-functional support greatly helps in justifying policy change, budget and the com- pany cultural change you may require to be successful. This is the structure you need to make your strategy a living strategy and maintain business aware- ness when a breach occurs. An Executive Security Steering Committee (ESSC) should meet quarterly and a Security Technology Architecture and Risk Committee (STARC) subcommittee should meet monthly. Some CISOs are only techni- cal focused and may not understand all of the legal issues related to compli- ance. Similarly, legal staff may not fully understand technical issues caused by policy decisions. Collaboration is essential for success. This structure of an ESSC and a STARC subcommittee create an ongoing internal framework for strong security preparedness and response. Without a solid internal structure, you will have trouble building any success. Smart risk management policy and internal coordination are the foun- dation preparing for advanced threats and managing your security program. How can effective risk management save your company money? How to lower your insurance premiums The basic premise of risk management is saving money and shifting risk appropriately. The better you can demonstrate your company’s security posture and resiliency to the insur- ance market, the better the outcome for your company — fair premiums, higher limits, fewer claims — a win for everyone involved. The insurance industry typically uses a prevention and claims approach, where it’s believed the more money you put into preventative activities the less likely claims are to occur. But because 100 percent prevention of APT threats is not a feasible goal, you should consider advocating a monitor and respond approach to lower premi- ums. Underwriters should understand your internal security team’s technical ability to prevent attacks from occur- ring, but also, as legal counsel, you can take it a step further to demonstrate your ability to respond to exposures to minimize losses after they have oc- curred. This is the story that you need to be armed with in order to best pres- ent your enterprise to the insurance market and achieve the desired goal of lowering premium costs. Outline ACC DOCKET DECEMBER 2015 51 Capability maturity model A B C D Sophisticationofthethreat Security capability/agility to respond minimalist minimalist concerned advanced Nation-state attacks advanced APT Cyber espionage basic APT Cybercrime Conventional threats
  • 7. your internal structure of an executive security committee and your ability to use a cross-functional security man- agement process to respond to attacks. Keep in mind that underwriters will look at a number of factors to arrive at their premium, but all other things being equal, advocating this approach provides a clear risk differentiator that should have underwriters competing for your business. Limit liability with the US Safety Act The SAFETY Act1 is a 2002 US law that created a liability management program for providers of anti- terrorism technologies and it can be directly applied to help protect your company against liability arising from ATP attacks. The SAFETY Act creates liability limitations for “claims arising out of, relating to, or resulting from an Act of Terrorism” where antiterrorism products have been deployed. Under the SAFETY Act, certain security product and service providers may apply for liability protections — in the form of a SAFETY Act award — from the US Department of Homeland Security (DHS). If awarded SAFETY Act protections, the provider is entitled to specific protections from third party liability stemming from the use of that product or service in relation to an “Act of Terrorism” and liability protections associated with this award “flow down” to the buyers of these technologies.2 Tort claims filed against a SAFETY Act certified product user relating to the use, performance, design etc. of the certified security product, the certifica- tion provides a strong defense up to and potentially including dismissal of claims. The Safety Act also provides exclusive federal jurisdiction and a rebuttable presumption of im- mediate dismissal of all third-party claims based on the alleged failure of the product/service used by your company that arise out of or relate to the cyber-attack in question.3 The SAFETY Act can apply even when an attack originates from or actually occurs outside the United States. So long as the attack impacts the United States (either physically or economi- cally) and the ensuing litigation is being decided under US law, both US and international companies may take advantage of the defenses of the SAFETY Act. Reviewing the security products used by your company, and ensuring that they are always SAFETY Act certi- fied, can provide very strong protec- tion against claims arising from an APT attack. What are the public policy trends related to APT? Basic compliance is not good security. Your company goal should be real security and not merely compliance. However, as a CLO, it is important to know the global policy trends now recognizing the APT threat. In Europe, the Network Information Security (NIS) Directive is expected to be finalized by the end of 2015 and will impose new strong security standards for many companies across Europe. Most importantly, this will likely require a large group of companies to adopt “state of the art security” con- trols to manage risk. As APT threats are becoming more pervasive, APT detection protocols are likely to be recognized as part of “state of the art security” requirements. The potential fines for failure to implement these controls can be significant. Germany recently became the first EU country to adopt an updated IT se- curity law that requires a wide range of companies to adopt “state of the art se- curity.” The German law mandates state of the art organizational and technical security measures to avoid interferenc- es of availability, integrity, authenticity and confidentiality of information technology systems. The law includes mandatory data breach reporting and regular audit requirements. The United States government has also recognized that it is critical to adopt measures that will defend against advanced cyber threats like 52 ASSOCIATION OF CORPORATE COUNSEL ADVANCED PERSISTENT THREATS: EFFECTIVE RESPONSE TO NATION STATE ATTACKS Security risk management POLICY ■■ Security policy development ■■ Customer and internal auditing ■■ Security awareness ■■ Compliance management ■■ Security process development RISK MANAGEMENT ■■ Risk assessment and analysis ■■ Vendor management and review ■■ Product release assessments ■■ IT system security assessments ■■ Remediation prioritization ■■ Security planning and strategy ■■ Security governance ■■ Business continuity
  • 8. APT. One example of a best practice to detect APT is included in the United States NIST Special Publication 800.53 (Rev.4) and has now received wide- spread adoption by Fortune 500 com- panies. This recommendation states that organizations should implement “non-signature-based malicious code detection mechanisms” specifically de- signed to find zero day vulnerabilities and detect APT. Outside Europe and the United States, governments are also adopting policy to protect against APT. In the Asia Pacific Region, the Australian Signals Directorate (ASD) in 2014 added detection of zero day APT vulnerabilities to its Top 10 of “35 Critical Strategies for Cybersecurity.” The ASD recommends that organiza- tions implement “automated dynamic analysis of email and web content run in a sandbox to detect suspicious be- havior including network traffic, new or modified files, or other configura- tion changes.” While these are technical standards, it is important for the CLO to be aware of these emerging recognized best practices. They are becoming security standards and may affect your duty of care. This also provides guidance for your discussion with your security leaders about whether they are fol- lowing best practices to protect your company. The road to success “Accelerating investments is not enough … you have to mature your organization, your people, and your technologies, and that can be a more restraining factor than the availability of capital.” Gary Hayes, CIO of CenterPoint Energy - PWC Global State of Information Security 2014. Whether you directly manage the CISO or work collaboratively as a peer with your security team leader, you play a critical role in your company’s security program. The risk of an APT attack with the ability to destroy your company’s reputation or competitive advantage is a critical concern for your company’s health. You must be prepared to effectively communicate this message to your executive team and board. Verify that your security team is considering not just technical so- lutions, but the advantages of US SAFETY Act certified solutions to detect zero day threats as these can sig- nificantly lower your liability exposure. Stay informed about the latest standard of care requirements for state of the art security now included in many government IT laws. Finally, adopting a detect and respond posture (anticipat- ing a breach) vs. a prevention posture (that is likely to fail) is a strong, smart, risk management model. Technical solutions are only part of the answer. As a CLO you can promote the correct internal risk management structure. You should take responsibil- ity to manage preparedness, reduce insurance costs and coordinate the internal risk management structures. Your IT team may be only considering the technical solutions. However, by being actively engaged in security pre- paredness, you can also significantly lower the risk that an APT threat will cause significant harm. ACC NOTES 1 Support Anti-terrorism by Fostering Effective Technologies Act of 2002, 6 C.F.R. Part 25. 2 71 Fed. Reg. 33, 147, 33, 156 (June 8, 2006, Final Rule). 2 The DHS Secretary has to declare that the cyber-attack in question is an “Act of Terrorism.” However, under the law, “Act of Terrorism” is broadly defined. The attack only needs to be 1) unlawful, 2) cause harm, including economic harm in the United States, and 3) the attacker has to use a weapon or other items that are intended to cause such harm. There is no need to demonstrate “terrorist” motivations or connections to terrorist groups. As such, the SAFETY Act can apply to a broad range of attacks, including state- sponsored or criminal cyber-attacks. 3 SAFETY Act only provides for dismissal of third party claims — regulatory and other types of claims can still proceed. The certified product must also be in the same working form and use as it was certified. ACC DOCKET DECEMBER 2015 53 HAVE A COMMENT ON THIS ARTICLE? VISIT ACC’S BLOG AT WWW.INHOUSEACCESS.COM/ACC-DOCKET. ACC EXTRAS ON… Advanced persistent threats ACC Docket Once More Unto the Breach: Why and How to be Ready for a Data Breach (Sep. 2015) www.accdocket.com/articles/resource. cfm?show=1408899 Cybersecurity: How to Prepare for and Respond to Cyber Attacks (Mar. 2014) www.acc.com/legalresources/resource. cfm?show=1360853 Who is Guarding Your Digital Back Door? (Sep. 2014) www.acc.com/legalresources/ resource.cfm?show=1375719 Practice Resource Data Breaches that Don’t Make the Headlines (Oct. 2013) www.acc.com/legalresources/ resource.cfm?show=1355964 InfoPAKSM Workplace Information Risk in the Digital Age: Monitoring Employees, Social Media Challenges, Managing Access to Data, and Optimizing Flexibility (Feb. 2014) www.acc.com/legalresources/resource. cfm?show=1361821 Cloud Computing for Health Care Organizations: A Practical Framework for Managing Risks (Aug. 2013) www.acc.com/ legalresources/resource.cfm?show=1348128 ACC HAS MORE MATERIAL ON THIS SUBJECT ON OUR WEBSITE. VISIT WWW.ACC.COM, WHERE YOU CAN BROWSE OUR RESOURCES BY PRACTICE AREA OR SEARCH BY KEYWORD.