Stuart Clarke, profile picture
Uploaded byStuart Clarke
192 views

White Paper - Nuix Cybersecurity - US Localized

This white paper discusses adopting a "good shepherd model" for cybersecurity to minimize potential damage from data breaches. It recommends knowing where important data is stored, understanding its value, and protecting it accordingly. This involves four activities: 1) defensibly deleting low-value data to reduce investigation scope; 2) locating high-value records and moving them to secure repositories; 3) protecting high-risk private data with encryption and access controls; and 4) applying policies and audits to ensure only authorized users can access important data. Through these efforts, organizations can understand their data worth and reduce opportunities for breaches of important information.

Embed presentation

Download to read offline
NUIX WHITE PAPER WHITE PAPER Four rules for minimizing the potential for—and damage suffered from—data breaches THE GOOD SHEPHERD MODEL FOR CYBERSECURITY By Stuart Clarke and Lee Meyrick
PAGE 2 WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY CONTENTS Executive summary.............................................. 3 The rewards and costs of cybercrime................... 4 People are the weakest link................................. 5 Malicious insiders.......................................... 5 Loss or theft................................................... 5 “Bumbling insiders”...................................... 5 Are outside attacks more effective?............... 5 Breaches are inevitable........................................ 6 Where is your data?............................................. 7 The “good shepherd” model................................ 8 Defensible deletion........................................ 8 Data herding.................................................. 9 Data security.................................................. 9 Access controls.............................................. 9 Case study: Investigating a datacenter breach the hard way.................................................10 A change of mindset............................................ 11 References.......................................................... 11 About the authors...............................................12 If we cannot prevent malware from breaching perimeter security or information from leaking outside our virtual walls, how can we protect important, high-value and high-risk data in our care?
PAGE 3 WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY EXECUTIVE SUMMARY The high value and easy marketability of private data such as credit cards have made all organizations that store customer information a target for cybercrime. There is also growing evidence of widespread cyber-espionage targeting valuable intellectual property. The costs of a single high-profile data breach can reach many millions of dollars. And now for the bad news: Breaches are inevitable. Security researchers believe determined attackers can infiltrate any perimeter security system and lodge malware within organizations’ networks. However, the majority of incidents that lead to data being exposed are from internal causes: Malicious insiders, loss or theft of devices, or simple errors by IT and security administrators. Knowing this is the case, organizations must adopt a new set of information security disciplines to protect high-value and high-risk data: • Knowing where important data is stored, understanding what it’s worth and making sure it’s protected • Reducing the delay between breaches and when they are detected • Conducting rapid, thorough and effective post-breach investigation and remediation. This paper will focus on the first discipline. It will examine how organizations can use information governance technologies to reduce the costs and extent of cybersecurity breaches by becoming “good shepherds” of their data. These technologies can provide transparency into unstructured data so you can understand what your data is worth and where your organization stores high-value and high-risk information. You can achieve this through four activities: • Defensibly deleting data that has no business value • Locating high-value documents and intellectual property, and migrating them to repositories with encryption, access controls and retention rules • Protecting high-risk private and financial data with appropriate encryption and access controls, and ensuring this information does not leak from controlled repositories • Applying policies and conducting regular audits to ensure only authorized staff members have access to important data. Through these efforts, your organization can minimize the opportunities for malicious or accidental breaches of important information. If you know where your data is, you can respond efficiently to breaches by first targeting the high-risk storage locations. This in turn means you can close information security gaps quickly before they can be exploited again.
PAGE 4 WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY Many companies are simply buying more cheap storage to house their growing data but not taking the time to understand and manage it THE REWARDS AND COSTS OF CYBERCRIME Cybercrime has become highly rewarding. A single live credit card number, accompanied by accurate identity details, can fetch up to US$100 on the black market.i Private data is worth more to criminals than most organizations could ever spend protecting it from them. Rapid data growth, teamed with an increasing number of storage devices, cloud technologies and “bring your own device” policies, are all increasing opportunities for data leaks. Many companies are simply buying more cheap storage to house their growing data but not taking the time to understand and manage it. This makes it harder to identify and control the business risks it contains. The costs of data leakages can be vast. For example, in 2013 the UK Information Commissioner’s Office increased the maximum fine it could hand out for data breaches from £5,000 (US$8,400 at time of writing) to £500,000 (US$840,000). The European Union’s General Data Protection Regulation, which is currently before the European Parliament, would levy fines of up to 100 million (US$137 million) or 5% of annual worldwide turnover for breaches of EU citizens’ privacy. But fines are only a part of the total cost, which may include damaged company reputation, disaster recovery costs, loss of intellectual property, a weakened competitive position and the negative impacts on customers who were affected. The estimated total costs of US retailer Target’s credit card breach in 2013 include $61 million of direct costs, consequential costs to third parties of up to $400 million and a fall in Target’s stock price of 11%.ii The value of the stolen credit card numbers to hackers by comparison could be around $53.7 million. A Ponemon Institute survey of 234 organizations in six countries, published late in 2013, found the mean annual cost for cybercrime incidents was $7.2 million per organization, with a range of between $375,000 and $58 million.iii Looking at recovery costs alone, the survey found that cybersecurity attacks took on average 27 days to resolve, once they had been detected, with an average cost of just over $500,000 during that time. Malicious insider attacks took 53 days, on average, to contain. The report showed that the faster an organization resolved an incident, the less it cost overall. According to Verizon’s 2014 Data Breach Investigations Report, around 90% of attackers were able to compromise their targeted information asset within “days.”iv However, only around 25% of attacks were discovered within a similar timeframe. According to Mandiant’s report M-Trends 2014: Beyond the Breach, during 2013 the median number of days attackers were present on a victim network before they were discovered was 229.v This was a slight improvement on the previous year, when the median was 243 days.
PAGE 5 WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY PEOPLE ARE THE WEAKEST LINK People are the weakest link when it comes to protecting sensitive data. The Verizon report found insider misuse, physical theft or loss and miscellaneous errors were responsible for majority (57%) of cybersecurity incidents that left organizations’ data exposed. Malicious insiders Insider misuse most commonly involves privilege abuse. This is where employees misuse the access they have been granted to information assets— which they need to do their day-to-day work—to copy or remove information for unauthorized purposes. This frequently involves copying such information to USB devices, emailing it to personal addresses or using it against company policy—for instance, taking high-risk information home to work on it over the weekend. US Government contractor Edward Snowden was the most high-profile incident of insider misuse in the past year but far from the only one. For example, the Ponemon study reported that 60% of respondents said they knew a co-worker had brought data from a previous employer. Loss or theft Physical theft or loss is as the name suggests. The Verizon report found, interestingly, that losses outnumbered thefts 15 to 1. And while the stereotypical physical loss incident is a laptop left on the seat of a train or taxi, the report found almost half of all losses and thefts (43%) occurred inside the office. The scale of this problem is demonstrated by a freedom of information request from security firm McAfee to London’s public transit authority which found that 15,833 mobile phones, 506 tablets and 528 laptops were handed in to its lost property department in 2013.vi “Bumbling insiders” Miscellaneous errors are the result of “bumbling insiders” rather than malicious ones. Breaches can often be the result of IT admins incorrectly configuring security solutions or access control settings. Another common example is publishing errors, where organizations accidentally post non-public information to a public resources such as a web server. For example in February 2014, the Australian Department of Immigration and Citizenship inadvertently posted to its public website a database of names and personal details of 10,000 asylum seekers held in detention. Breaches can also result from disposal errors, where confidential information is thrown away without being shredded, in the case of paper, or properly wiped, in the case of digital assets. Are outside attacks more effective? It is worth noting that while these insider attacks and errors were responsible for the majority of potential data exposures, they only accounted for around 10% of confirmed data loss incidents. This may be because professional criminals are much better than amateur insiders at extracting the information they seek. Sophisticated malware, once it is inside the network, can give attackers all the access an employee would enjoy. Or it may be that most incidents were caught and fixed before anyone had an opportunity to exploit them—as far as anyone knows. The most effective cybersecurity attacks that resulted in data loss were web app attacks (35%), cyber-espionage (22%) and point-of-sale system intrusions (14%). The Verizon report noted that a major theme of 2013 was attacks on point-of- sale systems to extract credit card numbers.
PAGE 6 WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY BREACHES ARE INEVITABLE The Ponemon Institute survey estimated the respondent organizations were victim to 1.4 successful cybersecurity attacks per week, on average. It defined a “successful attack” as “one that results in the infiltration of a company’s core networks or enterprise systems.” On the one hand, it broadly defined an “attack” to include malicious code, denial of service, web-based attacks, phishing and social engineering, stolen devices and malicious insiders. On the other hand, these were only the attacks that the organizations detected. It is entirely possible other breaches occurred which they did not notice. Gartner’s bluntly titled report, Malware Is Already Inside Your Organization; Deal With It says “determined attackers can get malware into organizations at will.”vii It argues that “organizations must assume they are compromised, and, therefore, invest in detective capabilities that provide continuous monitoring for patterns and behaviors indicative of malicious intent.” If we cannot prevent malware from breaching perimeter security or information from leaking outside our virtual walls, how can we protect important, high-value and high-risk data in our care? It requires a change in mindset and a new set of disciplines around information security. This involves three core capabilities: • Knowing where important data is stored, understanding what it’s worth and making sure it’s protected • Reducing the delay between when breaches occur and when they are detected • Conducting rapid, thorough and effective post-breach investigation and remediation. Organizations must assume they are compromised and invest in detective capabilities that provide continuous monitoring for indications of malicious intent
PAGE 7 WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY WHERE IS YOUR DATA? This paper will focus on the first core capability: Knowing where important data is stored, understanding what it’s worth to your organization and making sure it’s protected in proportion to this value. At its heart, this capability is an application of the classic information security triad: • Confidentiality. Information is protected from being disclosed to people who should not see it. • Integrity. Information cannot be modified by people who aren’t authorized to do so. • Availability. The right people can access information at the right time. This is complicated by the fact that organizations store large volumes of unstructured data—typically 80% of the total—which is often in complex formats that are difficult to search and understand. To put it another way, you can’t protect information if you don’t know where it is and what’s in it. It’s also hard to decide how much to spend, or calculate the return on investment of security measures, if you don’t know what the data is worth. One of the main reasons organizations take so long to detect and remediate breaches is they don’t know where the high-value or high-risk data is stored, so they can’t target those systems for investigation. Instead, they must collect data widely, potentially including staff members’ “bring your own” laptops and other unmanaged locations, which takes time. Alternatively they can collect from a random sample of devices, which risks missing the compromised systems. Meanwhile the clock is ticking: Data has gone missing, costs are building up and there is an ever-present risk that someone could exploit the same vulnerability again to do more damage. One of the main reasons organizations take so long to detect and remediate breaches is they don’t know where the high-value or high-risk data is stored
PAGE 8 WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY THE “GOOD SHEPHERD” MODEL Thus information governance technologies become a powerful tool in reducing the costs and extent of cybersecurity breaches by delivering transparency into unstructured data and facts upon which security professionals can make informed decisions. 1. Defensible deletion Organizations store large volumes of “eTrash”— data that has no business value because it’s duplicated, trivial, no longer used, past its retention period or potentially risky. While most organizations have strict compliance rules around how long they must retain data, once the retention period is over, the risks and costs it contains greatly outweigh any residual value. Deleting this low-value data, according to predefined and legally sanctioned rules, reduces risks and also minimizes the volume of data that could be compromised. This in turn reduces the scope of a post-breach investigation. Information transparency can have huge impact on how secure your organization is from data breaches and how effectively you can respond to incidents—internal or external, deliberate or accidental. It also gives you a clearer understanding of what data is worth so you can concentrate on protecting the high-value data and easily calculate the return on your security investments. In this model, information security, information governance and records management specialists become good shepherds of their data. They know where all the sheep are, segregate them into separate fields, make sure the fences between fields are sound and regularly check to ensure the sheep are healthy and not due to be made into shepherd’s pie. In this way, even if a wolf manages to get into one of the fields, most of the flock will be safe. Applying these principles to data gives us four broad rules or areas of activity: Figure 1: asvanwervaa vnwr avoern arvn DEFENSIBLE DELETION Valuable data Old data Trivial data No business value Potential risk Fig 1: Deleting low-value data minimizes risk and reduces the scope of post-breach investigations. 1 DATA HERDING Fig 2: Locating records “in the wild” makes high-value information less vulnerable to breaches. 2
PAGE 9 WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY 2. Data herding Organizations often have intellectual property and company records such as contracts stored inappropriately in file shares or email attachments. Both records managers and end users struggle to find the time to ensure records are always filed correctly. Information governance technology can locate these records “in the wild” and move them to controlled repositories with appropriate security, access controls and retention rules. This makes it much harder for anyone to gain unauthorized access. 3. Data security Increasingly strict regulations around data privacy and financial information make it imperative to hold personal, financial and health details in the strictest confidence. Nonetheless, this information regularly escapes controlled repositories, whether through poor policies or employees not following the rules. Employees may make “convenience copies” to work from home or as test data for a new application. And even if they dispose of this data correctly, it may still be retained in backups or archives. By conducting regular sweeps of email, file shares and other unprotected systems, organizations can quickly locate and remediate unprotected private data. At the same time, understanding where this high-risk data is stored, organizations do not need to spend time and effort protecting data that doesn’t need it. 4. Access controls The key principle here is making sure the only people who can access high-risk data are those who need to for day-to-day work. This requires a combination of sound policy and constant vigilance. For example, many data loss incidents occur when a disgruntled employee leaves the organization. By cancelling an employee’s login and access credentials as soon as he or she leaves, this minimizes opportunities for important information to go astray (although it may also be prudent to scan their recent emails for indications of company intellectual property or other important data). It is also essential to regularly audit access controls on important systems and employees’ security profiles to ensure the policy theory matches reality. For example, in one data breach investigation we worked on, employees had stumbled across a way they could view salary information and other personal data on a human resources department network drive. It emerged that an IT admin had been updating the access controls to the drive and had mistakenly granted all users access to it during the process. DATA SECURITY ACCESS CONTROLS Fig 3: Keeping private, financial and health data within known, protected locations reduces business risks. Fig 4: Regularly auditing access controls ensures security policy matches reality. 3 4
PAGE 10 WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY Nuix analysts worked with a major consulting firm to investigate a breach at a large datacenter. This firm had literally thousands of web, database and file servers belonging to individual clients with no visibility into their contents. It was impossible to know by examining the servers what roles they performed and which of them might contain credit card numbers or other personal data. Fixing the problem was urgent. The company was losing revenue from having to take some clients’ servers offline. And the incident was doing considerable damage to its reputation. Realizing it would be impossible to scan all the servers within a reasonable time, Nuix analysts and the consulting firm staff took a random sample of the servers and used a named entities search to locate credit card numbers and other private data. Fortunately the gamble paid off and they located systems that had been compromised. This provided a signature of the attack they could use to find compromised servers among the remaining systems. Had the hosting provider been conducting regular sweeps, it could have quickly identified any servers that contained credit card numbers and were likely targets of the breach. It could have ring-fenced servers containing sensitive data and applied stringent encryption and access controls. Alternatively, it could have changed its policy so that credit card numbers and other private data could only be stored with a specialist third- party provider, and conducted sweeps to ensure clients were complying. These steps would have minimized the likelihood of future breaches and greatly reduced the time taken to locate them, protecting the firm’s revenue and reputation. CASE STUDY Investigating a datacenter breach the hard way
PAGE 11 WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY A CHANGE OF MINDSET While perimeter security defenses remain essential, organizations must shift their information security mindset from “How much do we have to spend to prevent breaches?” to “How can we minimize the opportunities for breaches and the damage we suffer from them?” and “How can we gain return on our security investments?” By adopting these four common-sense rules around deleting, herding, encrypting and controlling access to data, organizations can: • Know where important and high-risk data is stored and be confident it is only stored in those locations • Minimize the opportunities for malicious and accidental breaches of important information • Respond to breaches in a more targeted and effective way, by first targeting the high-risk storage locations and collecting much less peripheral data • Close information security gaps quickly before they can be exploited again. REFERENCES i Ken Westin, “Stolen Target Credit Cards and the Black Market: How the digital underground works,” Tripwire, December 2013 www.tripwire.com/state-of-security/vulnerability-management/how-stolen-target-credit-cards-are-used-on-the-black-market/ ii Brian Krebs, The Target Breach, By the Numbers, May 2014, krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/ iii Ponemon Institute, 2013 Fourth Annual Cost of Cyber Crime Study: Global, October 2013, www.hpenterprisesecurity.com/ponemon-2013-cost-of-cyber-crime-study-reports iv Verizon RISK Team, 2014 Data Breach Investigations Report, May 2014, www.verizonenterprise.com/DBIR/2014/ v Mandiant, M-Trends 2014: Beyond the Breach, April 2014, connect.mandiant.com/m-trends_2014 vi Harry Cockburn, “16,000 phones lost on Tube over 2013, posing personal security risks”, London Loves Business, December 2013, www.londonlovesbusiness.com/business-news/london-transport/16000-phones-lost-on-tube-over-2013-posing-personal-security-risks/7028.article vii Peter Firstbrook, Neil MacDonald, Malware Is Already Inside Your Organization; Deal With It, February 2014 www.gartner.com/doc/2665320/malware-inside-organization-deal-it
APAC North America EMEA Australia: +61 2 9280 0699 USA: +1 877 470 6849 UK: +44 207 877 0300 » Email: sales@nuix.com » Web: nuix.com » Twitter: @nuix Copyright © 2014 Nuix. All rights reserved. ABOUT NUIX Nuix enables people to make fact-based decisions from unstructured data. The patented Nuix Engine makes small work of large and complex human-generated data sets. Organizations around the world turn to Nuix software when they need fast, accurate answers for digital investigation, cybersecurity, eDiscovery, information governance, email migration, privacy and more. Lee Meyrick Director of Information Management, Nuix Lee Meyrick has a decade of experience in data discovery and compliance planning and implementation. He advises organizations on the use of eDiscovery techniques for information retrieval in unstructured data. Lee’s expertise lies with a particular focus on the fields of FCPA and UK Bribery Act and in the discovery of “risky data” for remediation and he has trained organizations on the use of Nuix for corporate investigations and eDiscovery. Stuart Clarke Director of Cybersecurity and Investigation Services, Nuix Stuart Clarke is an experienced consultant who has provided expert evidence in civil and criminal courts and across different jurisdictions including the Technology and Construction Court. Before joining Nuix, Stuart was Head of Forensics and Technical Operations at Millnet and previously Principal Consultant at PA Consulting Group (formally 7Safe). In these roles Stuart operated across digital forensics, eDiscovery and information security, and managed a diverse team of consultants. ABOUT THE AUTHORS To find out more about Nuix’s Cybersecurity visit nuix.com/cybersecurity

More Related Content

PDF
Data Breach Guide 2013
by- Mark - Fullbright
 
PPTX
Ci2 cyber insurance presentation
byEthan S. Burger
 
DOCX
DBryant-Cybersecurity Challenge
bymsdee3362
 
PDF
IMC 618 - Public Relations Campaign
byStephanie Holman
 
PDF
Cyber Review_April 2015
byJames Sheehan
 
PDF
2014 ota databreach3
byMeg Weber
 
PPTX
August 2017 - Anatomy of a Cyber Attacker
byseadeloitte
 
PDF
Where security and privacy meet partnering tips for CSOs and privacy/complian...
byCompliancy Group
 
Data Breach Guide 2013
by- Mark - Fullbright
 
Ci2 cyber insurance presentation
byEthan S. Burger
 
DBryant-Cybersecurity Challenge
bymsdee3362
 
IMC 618 - Public Relations Campaign
byStephanie Holman
 
Cyber Review_April 2015
byJames Sheehan
 
2014 ota databreach3
byMeg Weber
 
August 2017 - Anatomy of a Cyber Attacker
byseadeloitte
 
Where security and privacy meet partnering tips for CSOs and privacy/complian...
byCompliancy Group
 

What's hot

PPTX
Who is the next target and how is big data related ulf mattsson
byUlf Mattsson
 
PPTX
Proven Practices to Protect Critical Data - DarkReading VTS Deck
byNetIQ
 
PPTX
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
byRandall Chase
 
PDF
The good, the bad and the ugly of the target data breach
byUlf Mattsson
 
PDF
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
byPaige Rasid
 
PPTX
The Basics of Cyber Insurance
byHB Litigation Conferences
 
PPTX
CYBER SECURITY FOR LAW FIRMS
byScott Suhy
 
PDF
Cybercrime and the Healthcare Industry
byEMC
 
PDF
Target Breach Analysis
byTal Be'ery
 
PDF
Cyber Insurance, A Novel of 2017, Q1. By Statewide Insurance
byStatewide Insurance Brokers
 
PPTX
Data Security Breach: The Sony & Staples Story
byInternational Institute for Learning
 
PDF
Critical Update Needed: Cybersecurity Expertise in the Boardroom
byStanford GSB Corporate Governance Research Initiative
 
PDF
DATA PROTECTION & BREACH READINESS GUIDE 2014
by- Mark - Fullbright
 
PDF
Data breaches - Is Your Law Firm in Danger
byZitaAdlTrk
 
PDF
Digital Espionage and Business Intelligence
byRoopak K Prajapat
 
PDF
3rd Part Cyber Risk Report - 2018
byNormShield
 
PDF
idg_secops-solutions
byJonny Nässlander
 
PDF
Protecting Your Business From Cyber Risks
byThis account is closed
 
PPTX
The CPAs Guide to Buying Cyber Insurance
byJoseph Brunsman
 
PDF
Looking Forward - Regulators and Data Incidents
byResilient Systems
 
Who is the next target and how is big data related ulf mattsson
byUlf Mattsson
 
Proven Practices to Protect Critical Data - DarkReading VTS Deck
byNetIQ
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
byRandall Chase
 
The good, the bad and the ugly of the target data breach
byUlf Mattsson
 
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
byPaige Rasid
 
The Basics of Cyber Insurance
byHB Litigation Conferences
 
CYBER SECURITY FOR LAW FIRMS
byScott Suhy
 
Cybercrime and the Healthcare Industry
byEMC
 
Target Breach Analysis
byTal Be'ery
 
Cyber Insurance, A Novel of 2017, Q1. By Statewide Insurance
byStatewide Insurance Brokers
 
Data Security Breach: The Sony & Staples Story
byInternational Institute for Learning
 
Critical Update Needed: Cybersecurity Expertise in the Boardroom
byStanford GSB Corporate Governance Research Initiative
 
DATA PROTECTION & BREACH READINESS GUIDE 2014
by- Mark - Fullbright
 
Data breaches - Is Your Law Firm in Danger
byZitaAdlTrk
 
Digital Espionage and Business Intelligence
byRoopak K Prajapat
 
3rd Part Cyber Risk Report - 2018
byNormShield
 
idg_secops-solutions
byJonny Nässlander
 
Protecting Your Business From Cyber Risks
byThis account is closed
 
The CPAs Guide to Buying Cyber Insurance
byJoseph Brunsman
 
Looking Forward - Regulators and Data Incidents
byResilient Systems
 

Similar to White Paper - Nuix Cybersecurity - US Localized

PDF
Data Breaches
bysstose
 
PDF
The Business Case for Data Security
byImperva
 
PPTX
Hacking the Human - How Secure Is Your Organization?
byCBIZ, Inc.
 
PDF
Foley-Cybersecurity-White-Paper_3.9.15
byJames Fisher
 
PDF
Cybersecurity Facts & Figures - What Every Business Needs to Know
byCBIZ, Inc.
 
PDF
Gbl report risk-value_2018_us_uea_v1
byPaperjam_redaction
 
PDF
NTXISSACSC3 - Fundamentals Matter - A Brief Introduction to Risk Analysis for...
byNorth Texas Chapter of the ISSA
 
PPTX
What Cybercriminals Want: Company Data – by United Security Providers
byUnited Security Providers AG
 
PDF
Axxera End Point Security Protection
byShawn Crimson
 
PPSX
November 2017: Part 6
byseadeloitte
 
PDF
InformationSecurity_11141
bysraina2
 
PDF
Network Security and Privacy Liability - Four Reasons Why You need This Cove...
byCBIZ, Inc.
 
PDF
Rcs triumfant watchful_webinar_final
byPatrick Florer
 
PDF
Cyber liability and public entities infographic
byGlatfelter Public Practice Insurance
 
PDF
Final cyber risk report 24 feb
bymharbpavia
 
PDF
Signacure Brochure
byDave Lloyd
 
PPTX
Cybersecurity Seminar March 2015
byLawley Insurance
 
DOCX
Running Head DATA BREACH 1DATA BREACH 3Data Breach Whit.docx
bytodd271
 
PPTX
IAPP - Trust is Terrible Thing to Waste
byDave Steer
 
PPTX
The need for a comprehensive breach plan - Ahmore Burger-Smidt
byWerksmans Attorneys
 
Data Breaches
bysstose
 
The Business Case for Data Security
byImperva
 
Hacking the Human - How Secure Is Your Organization?
byCBIZ, Inc.
 
Foley-Cybersecurity-White-Paper_3.9.15
byJames Fisher
 
Cybersecurity Facts & Figures - What Every Business Needs to Know
byCBIZ, Inc.
 
Gbl report risk-value_2018_us_uea_v1
byPaperjam_redaction
 
NTXISSACSC3 - Fundamentals Matter - A Brief Introduction to Risk Analysis for...
byNorth Texas Chapter of the ISSA
 
What Cybercriminals Want: Company Data – by United Security Providers
byUnited Security Providers AG
 
Axxera End Point Security Protection
byShawn Crimson
 
November 2017: Part 6
byseadeloitte
 
InformationSecurity_11141
bysraina2
 
Network Security and Privacy Liability - Four Reasons Why You need This Cove...
byCBIZ, Inc.
 
Rcs triumfant watchful_webinar_final
byPatrick Florer
 
Cyber liability and public entities infographic
byGlatfelter Public Practice Insurance
 
Final cyber risk report 24 feb
bymharbpavia
 
Signacure Brochure
byDave Lloyd
 
Cybersecurity Seminar March 2015
byLawley Insurance
 
Running Head DATA BREACH 1DATA BREACH 3Data Breach Whit.docx
bytodd271
 
IAPP - Trust is Terrible Thing to Waste
byDave Steer
 
The need for a comprehensive breach plan - Ahmore Burger-Smidt
byWerksmans Attorneys
 

White Paper - Nuix Cybersecurity - US Localized

  • 1.
    NUIX WHITE PAPER WHITEPAPER Four rules for minimizing the potential for—and damage suffered from—data breaches THE GOOD SHEPHERD MODEL FOR CYBERSECURITY By Stuart Clarke and Lee Meyrick
  • 2.
    PAGE 2 WHITE PAPERTHE GOOD SHEPHERD MODEL FOR CYBERSECURITY CONTENTS Executive summary.............................................. 3 The rewards and costs of cybercrime................... 4 People are the weakest link................................. 5 Malicious insiders.......................................... 5 Loss or theft................................................... 5 “Bumbling insiders”...................................... 5 Are outside attacks more effective?............... 5 Breaches are inevitable........................................ 6 Where is your data?............................................. 7 The “good shepherd” model................................ 8 Defensible deletion........................................ 8 Data herding.................................................. 9 Data security.................................................. 9 Access controls.............................................. 9 Case study: Investigating a datacenter breach the hard way.................................................10 A change of mindset............................................ 11 References.......................................................... 11 About the authors...............................................12 If we cannot prevent malware from breaching perimeter security or information from leaking outside our virtual walls, how can we protect important, high-value and high-risk data in our care?
  • 3.
    PAGE 3 WHITE PAPERTHE GOOD SHEPHERD MODEL FOR CYBERSECURITY EXECUTIVE SUMMARY The high value and easy marketability of private data such as credit cards have made all organizations that store customer information a target for cybercrime. There is also growing evidence of widespread cyber-espionage targeting valuable intellectual property. The costs of a single high-profile data breach can reach many millions of dollars. And now for the bad news: Breaches are inevitable. Security researchers believe determined attackers can infiltrate any perimeter security system and lodge malware within organizations’ networks. However, the majority of incidents that lead to data being exposed are from internal causes: Malicious insiders, loss or theft of devices, or simple errors by IT and security administrators. Knowing this is the case, organizations must adopt a new set of information security disciplines to protect high-value and high-risk data: • Knowing where important data is stored, understanding what it’s worth and making sure it’s protected • Reducing the delay between breaches and when they are detected • Conducting rapid, thorough and effective post-breach investigation and remediation. This paper will focus on the first discipline. It will examine how organizations can use information governance technologies to reduce the costs and extent of cybersecurity breaches by becoming “good shepherds” of their data. These technologies can provide transparency into unstructured data so you can understand what your data is worth and where your organization stores high-value and high-risk information. You can achieve this through four activities: • Defensibly deleting data that has no business value • Locating high-value documents and intellectual property, and migrating them to repositories with encryption, access controls and retention rules • Protecting high-risk private and financial data with appropriate encryption and access controls, and ensuring this information does not leak from controlled repositories • Applying policies and conducting regular audits to ensure only authorized staff members have access to important data. Through these efforts, your organization can minimize the opportunities for malicious or accidental breaches of important information. If you know where your data is, you can respond efficiently to breaches by first targeting the high-risk storage locations. This in turn means you can close information security gaps quickly before they can be exploited again.
  • 4.
    PAGE 4 WHITE PAPERTHE GOOD SHEPHERD MODEL FOR CYBERSECURITY Many companies are simply buying more cheap storage to house their growing data but not taking the time to understand and manage it THE REWARDS AND COSTS OF CYBERCRIME Cybercrime has become highly rewarding. A single live credit card number, accompanied by accurate identity details, can fetch up to US$100 on the black market.i Private data is worth more to criminals than most organizations could ever spend protecting it from them. Rapid data growth, teamed with an increasing number of storage devices, cloud technologies and “bring your own device” policies, are all increasing opportunities for data leaks. Many companies are simply buying more cheap storage to house their growing data but not taking the time to understand and manage it. This makes it harder to identify and control the business risks it contains. The costs of data leakages can be vast. For example, in 2013 the UK Information Commissioner’s Office increased the maximum fine it could hand out for data breaches from £5,000 (US$8,400 at time of writing) to £500,000 (US$840,000). The European Union’s General Data Protection Regulation, which is currently before the European Parliament, would levy fines of up to 100 million (US$137 million) or 5% of annual worldwide turnover for breaches of EU citizens’ privacy. But fines are only a part of the total cost, which may include damaged company reputation, disaster recovery costs, loss of intellectual property, a weakened competitive position and the negative impacts on customers who were affected. The estimated total costs of US retailer Target’s credit card breach in 2013 include $61 million of direct costs, consequential costs to third parties of up to $400 million and a fall in Target’s stock price of 11%.ii The value of the stolen credit card numbers to hackers by comparison could be around $53.7 million. A Ponemon Institute survey of 234 organizations in six countries, published late in 2013, found the mean annual cost for cybercrime incidents was $7.2 million per organization, with a range of between $375,000 and $58 million.iii Looking at recovery costs alone, the survey found that cybersecurity attacks took on average 27 days to resolve, once they had been detected, with an average cost of just over $500,000 during that time. Malicious insider attacks took 53 days, on average, to contain. The report showed that the faster an organization resolved an incident, the less it cost overall. According to Verizon’s 2014 Data Breach Investigations Report, around 90% of attackers were able to compromise their targeted information asset within “days.”iv However, only around 25% of attacks were discovered within a similar timeframe. According to Mandiant’s report M-Trends 2014: Beyond the Breach, during 2013 the median number of days attackers were present on a victim network before they were discovered was 229.v This was a slight improvement on the previous year, when the median was 243 days.
  • 5.
    PAGE 5 WHITE PAPERTHE GOOD SHEPHERD MODEL FOR CYBERSECURITY PEOPLE ARE THE WEAKEST LINK People are the weakest link when it comes to protecting sensitive data. The Verizon report found insider misuse, physical theft or loss and miscellaneous errors were responsible for majority (57%) of cybersecurity incidents that left organizations’ data exposed. Malicious insiders Insider misuse most commonly involves privilege abuse. This is where employees misuse the access they have been granted to information assets— which they need to do their day-to-day work—to copy or remove information for unauthorized purposes. This frequently involves copying such information to USB devices, emailing it to personal addresses or using it against company policy—for instance, taking high-risk information home to work on it over the weekend. US Government contractor Edward Snowden was the most high-profile incident of insider misuse in the past year but far from the only one. For example, the Ponemon study reported that 60% of respondents said they knew a co-worker had brought data from a previous employer. Loss or theft Physical theft or loss is as the name suggests. The Verizon report found, interestingly, that losses outnumbered thefts 15 to 1. And while the stereotypical physical loss incident is a laptop left on the seat of a train or taxi, the report found almost half of all losses and thefts (43%) occurred inside the office. The scale of this problem is demonstrated by a freedom of information request from security firm McAfee to London’s public transit authority which found that 15,833 mobile phones, 506 tablets and 528 laptops were handed in to its lost property department in 2013.vi “Bumbling insiders” Miscellaneous errors are the result of “bumbling insiders” rather than malicious ones. Breaches can often be the result of IT admins incorrectly configuring security solutions or access control settings. Another common example is publishing errors, where organizations accidentally post non-public information to a public resources such as a web server. For example in February 2014, the Australian Department of Immigration and Citizenship inadvertently posted to its public website a database of names and personal details of 10,000 asylum seekers held in detention. Breaches can also result from disposal errors, where confidential information is thrown away without being shredded, in the case of paper, or properly wiped, in the case of digital assets. Are outside attacks more effective? It is worth noting that while these insider attacks and errors were responsible for the majority of potential data exposures, they only accounted for around 10% of confirmed data loss incidents. This may be because professional criminals are much better than amateur insiders at extracting the information they seek. Sophisticated malware, once it is inside the network, can give attackers all the access an employee would enjoy. Or it may be that most incidents were caught and fixed before anyone had an opportunity to exploit them—as far as anyone knows. The most effective cybersecurity attacks that resulted in data loss were web app attacks (35%), cyber-espionage (22%) and point-of-sale system intrusions (14%). The Verizon report noted that a major theme of 2013 was attacks on point-of- sale systems to extract credit card numbers.
  • 6.
    PAGE 6 WHITE PAPERTHE GOOD SHEPHERD MODEL FOR CYBERSECURITY BREACHES ARE INEVITABLE The Ponemon Institute survey estimated the respondent organizations were victim to 1.4 successful cybersecurity attacks per week, on average. It defined a “successful attack” as “one that results in the infiltration of a company’s core networks or enterprise systems.” On the one hand, it broadly defined an “attack” to include malicious code, denial of service, web-based attacks, phishing and social engineering, stolen devices and malicious insiders. On the other hand, these were only the attacks that the organizations detected. It is entirely possible other breaches occurred which they did not notice. Gartner’s bluntly titled report, Malware Is Already Inside Your Organization; Deal With It says “determined attackers can get malware into organizations at will.”vii It argues that “organizations must assume they are compromised, and, therefore, invest in detective capabilities that provide continuous monitoring for patterns and behaviors indicative of malicious intent.” If we cannot prevent malware from breaching perimeter security or information from leaking outside our virtual walls, how can we protect important, high-value and high-risk data in our care? It requires a change in mindset and a new set of disciplines around information security. This involves three core capabilities: • Knowing where important data is stored, understanding what it’s worth and making sure it’s protected • Reducing the delay between when breaches occur and when they are detected • Conducting rapid, thorough and effective post-breach investigation and remediation. Organizations must assume they are compromised and invest in detective capabilities that provide continuous monitoring for indications of malicious intent
  • 7.
    PAGE 7 WHITE PAPERTHE GOOD SHEPHERD MODEL FOR CYBERSECURITY WHERE IS YOUR DATA? This paper will focus on the first core capability: Knowing where important data is stored, understanding what it’s worth to your organization and making sure it’s protected in proportion to this value. At its heart, this capability is an application of the classic information security triad: • Confidentiality. Information is protected from being disclosed to people who should not see it. • Integrity. Information cannot be modified by people who aren’t authorized to do so. • Availability. The right people can access information at the right time. This is complicated by the fact that organizations store large volumes of unstructured data—typically 80% of the total—which is often in complex formats that are difficult to search and understand. To put it another way, you can’t protect information if you don’t know where it is and what’s in it. It’s also hard to decide how much to spend, or calculate the return on investment of security measures, if you don’t know what the data is worth. One of the main reasons organizations take so long to detect and remediate breaches is they don’t know where the high-value or high-risk data is stored, so they can’t target those systems for investigation. Instead, they must collect data widely, potentially including staff members’ “bring your own” laptops and other unmanaged locations, which takes time. Alternatively they can collect from a random sample of devices, which risks missing the compromised systems. Meanwhile the clock is ticking: Data has gone missing, costs are building up and there is an ever-present risk that someone could exploit the same vulnerability again to do more damage. One of the main reasons organizations take so long to detect and remediate breaches is they don’t know where the high-value or high-risk data is stored
  • 8.
    PAGE 8 WHITE PAPERTHE GOOD SHEPHERD MODEL FOR CYBERSECURITY THE “GOOD SHEPHERD” MODEL Thus information governance technologies become a powerful tool in reducing the costs and extent of cybersecurity breaches by delivering transparency into unstructured data and facts upon which security professionals can make informed decisions. 1. Defensible deletion Organizations store large volumes of “eTrash”— data that has no business value because it’s duplicated, trivial, no longer used, past its retention period or potentially risky. While most organizations have strict compliance rules around how long they must retain data, once the retention period is over, the risks and costs it contains greatly outweigh any residual value. Deleting this low-value data, according to predefined and legally sanctioned rules, reduces risks and also minimizes the volume of data that could be compromised. This in turn reduces the scope of a post-breach investigation. Information transparency can have huge impact on how secure your organization is from data breaches and how effectively you can respond to incidents—internal or external, deliberate or accidental. It also gives you a clearer understanding of what data is worth so you can concentrate on protecting the high-value data and easily calculate the return on your security investments. In this model, information security, information governance and records management specialists become good shepherds of their data. They know where all the sheep are, segregate them into separate fields, make sure the fences between fields are sound and regularly check to ensure the sheep are healthy and not due to be made into shepherd’s pie. In this way, even if a wolf manages to get into one of the fields, most of the flock will be safe. Applying these principles to data gives us four broad rules or areas of activity: Figure 1: asvanwervaa vnwr avoern arvn DEFENSIBLE DELETION Valuable data Old data Trivial data No business value Potential risk Fig 1: Deleting low-value data minimizes risk and reduces the scope of post-breach investigations. 1 DATA HERDING Fig 2: Locating records “in the wild” makes high-value information less vulnerable to breaches. 2
  • 9.
    PAGE 9 WHITE PAPERTHE GOOD SHEPHERD MODEL FOR CYBERSECURITY 2. Data herding Organizations often have intellectual property and company records such as contracts stored inappropriately in file shares or email attachments. Both records managers and end users struggle to find the time to ensure records are always filed correctly. Information governance technology can locate these records “in the wild” and move them to controlled repositories with appropriate security, access controls and retention rules. This makes it much harder for anyone to gain unauthorized access. 3. Data security Increasingly strict regulations around data privacy and financial information make it imperative to hold personal, financial and health details in the strictest confidence. Nonetheless, this information regularly escapes controlled repositories, whether through poor policies or employees not following the rules. Employees may make “convenience copies” to work from home or as test data for a new application. And even if they dispose of this data correctly, it may still be retained in backups or archives. By conducting regular sweeps of email, file shares and other unprotected systems, organizations can quickly locate and remediate unprotected private data. At the same time, understanding where this high-risk data is stored, organizations do not need to spend time and effort protecting data that doesn’t need it. 4. Access controls The key principle here is making sure the only people who can access high-risk data are those who need to for day-to-day work. This requires a combination of sound policy and constant vigilance. For example, many data loss incidents occur when a disgruntled employee leaves the organization. By cancelling an employee’s login and access credentials as soon as he or she leaves, this minimizes opportunities for important information to go astray (although it may also be prudent to scan their recent emails for indications of company intellectual property or other important data). It is also essential to regularly audit access controls on important systems and employees’ security profiles to ensure the policy theory matches reality. For example, in one data breach investigation we worked on, employees had stumbled across a way they could view salary information and other personal data on a human resources department network drive. It emerged that an IT admin had been updating the access controls to the drive and had mistakenly granted all users access to it during the process. DATA SECURITY ACCESS CONTROLS Fig 3: Keeping private, financial and health data within known, protected locations reduces business risks. Fig 4: Regularly auditing access controls ensures security policy matches reality. 3 4
  • 10.
    PAGE 10 WHITE PAPERTHE GOOD SHEPHERD MODEL FOR CYBERSECURITY Nuix analysts worked with a major consulting firm to investigate a breach at a large datacenter. This firm had literally thousands of web, database and file servers belonging to individual clients with no visibility into their contents. It was impossible to know by examining the servers what roles they performed and which of them might contain credit card numbers or other personal data. Fixing the problem was urgent. The company was losing revenue from having to take some clients’ servers offline. And the incident was doing considerable damage to its reputation. Realizing it would be impossible to scan all the servers within a reasonable time, Nuix analysts and the consulting firm staff took a random sample of the servers and used a named entities search to locate credit card numbers and other private data. Fortunately the gamble paid off and they located systems that had been compromised. This provided a signature of the attack they could use to find compromised servers among the remaining systems. Had the hosting provider been conducting regular sweeps, it could have quickly identified any servers that contained credit card numbers and were likely targets of the breach. It could have ring-fenced servers containing sensitive data and applied stringent encryption and access controls. Alternatively, it could have changed its policy so that credit card numbers and other private data could only be stored with a specialist third- party provider, and conducted sweeps to ensure clients were complying. These steps would have minimized the likelihood of future breaches and greatly reduced the time taken to locate them, protecting the firm’s revenue and reputation. CASE STUDY Investigating a datacenter breach the hard way
  • 11.
    PAGE 11 WHITE PAPERTHE GOOD SHEPHERD MODEL FOR CYBERSECURITY A CHANGE OF MINDSET While perimeter security defenses remain essential, organizations must shift their information security mindset from “How much do we have to spend to prevent breaches?” to “How can we minimize the opportunities for breaches and the damage we suffer from them?” and “How can we gain return on our security investments?” By adopting these four common-sense rules around deleting, herding, encrypting and controlling access to data, organizations can: • Know where important and high-risk data is stored and be confident it is only stored in those locations • Minimize the opportunities for malicious and accidental breaches of important information • Respond to breaches in a more targeted and effective way, by first targeting the high-risk storage locations and collecting much less peripheral data • Close information security gaps quickly before they can be exploited again. REFERENCES i Ken Westin, “Stolen Target Credit Cards and the Black Market: How the digital underground works,” Tripwire, December 2013 www.tripwire.com/state-of-security/vulnerability-management/how-stolen-target-credit-cards-are-used-on-the-black-market/ ii Brian Krebs, The Target Breach, By the Numbers, May 2014, krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/ iii Ponemon Institute, 2013 Fourth Annual Cost of Cyber Crime Study: Global, October 2013, www.hpenterprisesecurity.com/ponemon-2013-cost-of-cyber-crime-study-reports iv Verizon RISK Team, 2014 Data Breach Investigations Report, May 2014, www.verizonenterprise.com/DBIR/2014/ v Mandiant, M-Trends 2014: Beyond the Breach, April 2014, connect.mandiant.com/m-trends_2014 vi Harry Cockburn, “16,000 phones lost on Tube over 2013, posing personal security risks”, London Loves Business, December 2013, www.londonlovesbusiness.com/business-news/london-transport/16000-phones-lost-on-tube-over-2013-posing-personal-security-risks/7028.article vii Peter Firstbrook, Neil MacDonald, Malware Is Already Inside Your Organization; Deal With It, February 2014 www.gartner.com/doc/2665320/malware-inside-organization-deal-it
  • 12.
    APAC NorthAmerica EMEA Australia: +61 2 9280 0699 USA: +1 877 470 6849 UK: +44 207 877 0300 » Email: sales@nuix.com » Web: nuix.com » Twitter: @nuix Copyright © 2014 Nuix. All rights reserved. ABOUT NUIX Nuix enables people to make fact-based decisions from unstructured data. The patented Nuix Engine makes small work of large and complex human-generated data sets. Organizations around the world turn to Nuix software when they need fast, accurate answers for digital investigation, cybersecurity, eDiscovery, information governance, email migration, privacy and more. Lee Meyrick Director of Information Management, Nuix Lee Meyrick has a decade of experience in data discovery and compliance planning and implementation. He advises organizations on the use of eDiscovery techniques for information retrieval in unstructured data. Lee’s expertise lies with a particular focus on the fields of FCPA and UK Bribery Act and in the discovery of “risky data” for remediation and he has trained organizations on the use of Nuix for corporate investigations and eDiscovery. Stuart Clarke Director of Cybersecurity and Investigation Services, Nuix Stuart Clarke is an experienced consultant who has provided expert evidence in civil and criminal courts and across different jurisdictions including the Technology and Construction Court. Before joining Nuix, Stuart was Head of Forensics and Technical Operations at Millnet and previously Principal Consultant at PA Consulting Group (formally 7Safe). In these roles Stuart operated across digital forensics, eDiscovery and information security, and managed a diverse team of consultants. ABOUT THE AUTHORS To find out more about Nuix’s Cybersecurity visit nuix.com/cybersecurity