
Data Governance & the New Security Frontier

Presented by Carol Romej, J.D., L.L.M. | (248) 740-7505 | [email protected]

Data Governance & the New Security Frontier

Consequences of Ransomware in the New Security Frontier

Critical & Sensitive Data

• Social Security Number

• Credit Card Information

• Drivers License

• Birth Date

• Protected Health Information under HIPAA/HITECH (Insurance/Medical)

• Employment/Income

• Email address

• Corporate Intellectual Property

• Corporate Proprietary Information

Equifax 2017 Breach Notification

• A software vulnerability that was known (March 9), but the security patch was not applied due to ‘human error and technology error’

• Breach: Estimated 145 Million consumer records

• Discovered July 29, but publicly announced one month later

• Forensics has determined that first unauthorized access occurred May 13

Equifax Operations

• Security (3 Year) Budget: $250 Million

• Security Team: 225 Employees

Compromised Equifax User Data

• Entire consumer history of payments with all the attendant personally identifiable information

Yahoo 2013 Breach Notification

• Sent to ‘Potentially Affected Users’ regarding their account information

• Breach: Estimated 1 Billion current and past users affected

Yahoo 2016 Breach Notification

• Sent to ‘Potentially Affected Users’ regarding their account information

• Breach: Estimated 500 Million current and past users affected

• Method: A copy of user account information was stolen in 2014

• Suspect a state-sponsored actor

Yahoo 2017 Breach Notification

• Breach: 3 Billion - ALL current and past users as of 2013 affected

• The largest breach in history

• Detected during Verizon integration

Compromised Yahoo User Data

• Names

• Email address

• Telephone Number(s)

• Date of Birth

• Hashed passwords (with bcrypt)

• Encrypted/Unencrypted security questions

Remediation of User Data

• Recommend changing passwords

• Review your account for suspicious activity

• Change security questions

• Enhanced systems to detect and prevent unauthorized access to user accounts

• Working closely with law enforcement

Action Items for Victims

• Change all passwords to your accounts, and elect to have a secondary password assigned

• Ensure two-factor authentication is enabled (PW and Device)

• Obtain copies of credit reports – minimally once a year (Equifax, Experian, TransUnion)

• Activate a “security freeze”

Business Impact

• Verizon/Yahoo merger for $4.5 B, $350 M less due to breach history

• Equifax stock price decline

Two ‘Affected’ Populations

• Users and Consumers

• Shareholders

Gatekeepers of Information

Who ‘touches’ data?

• Accounting

• IT

• Marketing

• Service Lines

• Business Lines

• Vendors

• Customers

Disruptive Technologies

• Internet of Things (IoT)

• The Cloud

• Mobile Devices

• Data Analytics

Who ‘owns’ data risk management?

Who is held accountable?

Ineffective Risk Management

• Not knowing where your Intellectual Property, Sensitive Data, or Proprietary Data is residing (i) Internally or (ii) Externally

• Not procuring cyber insurance

• Accountability for risk management is dispersed throughout the organization

Security Ecosystem

• Critical Business Software Applications

• Hosted / In-house applications

• Mobile Devices

• Copies of data (ordinary course of business)

Software Application Risk

• Default application settings store generated reports containing sensitive data in accessible locations on the network and on employee devices

• Database transaction logs stored in clear readable text outside the secure database

• Employees failing to delete or secure files containing sensitive data

• Servers hosting the applications are accessible to any employee with domain credentials
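As an added example (not part of the presentation), a small scanner a data-governance team could run over report files found on a share to confirm whether they really contain Social Security or payment card numbers before deciding how to remediate. The sample report text and every value in it are constructed, and the SSN and card-number plausibility rules are simplified.

```python
import re
from typing import List, Tuple

# Constructed sample: the kind of report an application might write in clear
# text to a network share. All values are made up or well-known test values.
SAMPLE_REPORT = """\
Customer export 2017-09-01
name=Jane Example ssn=123-45-6789 card=4111 1111 1111 1111
name=John Example ssn=900-12-3456 card=4111 1111 1111 1112
order=1234567890123456 note=order id, not a card number
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 16 digits, optionally separated by single spaces or hyphens
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues (area 000/666/900+, zero group or serial)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def mask(value: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, kind, masked value) for each plausible SSN or PAN."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append((n, "SSN", mask(m.group(0))))
        for m in PAN_RE.finditer(line):
            if luhn_valid(re.sub(r"\D", "", m.group(0))):
                findings.append((n, "PAN", mask(m.group(0))))
    return findings
```

Run over the sample, only line 2 is reported; the invalid SSN area, the card number that fails Luhn and the 16-digit order id are all dropped, which is what keeps a scan of a whole share from drowning in false positives.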

2016 DBIR

No industry or organization is bulletproof when it comes to the compromise of data.

Information Security Teams

The soldier is told to guard a certain hill and to keep it at all costs. However, he is not told who his enemy may be, what they look like, where they are coming from, or when (or how) they are likely to strike.

2016 DBIR Report, Page 6

Classifications of Security Incidents

• Web App Attacks

• Cyber-espionage

• POS Intrusions

• Insider Misuse

• Card Skimmers

• Error

• Physical Theft/Loss

2016 DBIR - Verizon

Phishing

• A message, typically an email, carrying a malicious attachment or link, with content crafted to trick the recipient into opening the attachment or link

• A means to install malware

• A means to lead users to phony web sites and capture user information

Credentials

• Use of stolen, weak or default passwords (credentials) to gain access to sensitive information and data

• By capturing keystrokes on an infected device

• By guessing

• By Point of Sale devices with malware that captures, packages and then delivers (exports) sensitive data

• By insider/employee misuse for unapproved/illegal activity

Web App Attacks

• An attack on the infrastructure of web application servers

• By exploiting code-level vulnerabilities in the application (payment application code is popular)

• By thwarting authentication mechanisms

• By defacing the web site (adding new / disparaging content)

Point of Sale Intrusions

• Targets POS terminals and/or POS controllers by either tampering with the device or replacing the device (credit card skimmers)

• By using stolen credentials to remotely access the POS environment

• By use of memory scraping malware (RAM scrapers)

• By targeting POS software vendors directly

Data Breach Investigations Report

• Over 60 Global Organizations are Contributors

• Aggregate and analyze common incident patterns

• Publish findings and make recommendations to industry

Key Definitions

• Incident: A security event that compromises the integrity, confidentiality, or availability of an information asset.

• Breach: An incident that results in the disclosure or potential exposure of data.

• Data Disclosure: A breach for which it was confirmed that data was actually disclosed (not just exposed) to an unauthorized party.

2010 – DBIR – Verizon Data

• Most breaches are discovered by external parties

• Most breaches could have been avoided without difficult or expensive controls

Data Breach Trends - Ponemon

• Average cost per stolen or lost record is $221.00

• Biggest financial consequence is lost business

• Malicious attacks by cyber criminals are taking longer to detect

• Ransomware – focuses on a new primary victim – the organization who is exposed to the additional risk of paying a ransom

Ransomware

Ransomware is a type of malicious software cyber actors use to deny access to systems or data. The malicious cyber actor holds systems or data hostage until the ransom is paid. After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted.

www.fbi.gov

Levels of Ransomware Attacks

• Locks the system and displays a message requiring payment

• Encrypts the victim’s files and systems and demands ransom to decrypt

Method of Ransomware Attack

• Compromised legitimate websites infect a user’s computer WITHOUT the user clicking on anything

• Advertising links – click and be infected

• Adobe Flash – its vulnerabilities are exploited

• Phishing and Spear Phishing attacks

Ransomware Debate – Is it a reportable breach?

• The unavailability of data does not rise to a reportable breach in certain incidents – no access/disclosure

• Most ransomware attacks also disable the backup systems

• Ex. A bot that activated encryption only

Preventative Measures

• Backup regularly, and do NOT maintain backups on the network

• Utilize whitelisting

• Educate Employees

• Patch OFTEN

• Perform scans of the network regularly

• Have (and test) a business continuity plan

• NEVER click on links you do not TRUST

• NEVER open email attachments from UNTRUSTED sources

Key Data Loss Prevention Controls

• Endpoint security solutions

• Encryption

• Data Governance programs

• Incident Response team

• Investments in in-house expertise

Tone at the Top

• Drives the organization’s control environment

• Reduces the risk of working with vendors that are not trustworthy

• Incorporates integrity and ethics in relationships with vendors

• Increases employee awareness of the importance of security, data protection and business resiliency

Rep. Greg Walden, R-Ore.

• “I don’t think we can pass a law that can fix stupid.”

References

• www.veriscommunity.com

• www.vcdb.org

• www.sans.org

• 2016 Cost of Data Breach Study: United States, Ponemon Institute, June 2016

• www.fbi.gov

• Tone at the Top and Third Party Risk, Ponemon Institute and Shared Assessments 2016, May 2016

• 2016 Data Breach Investigations Report, www.verizonenterprise.com

Please visit the Hall Render Blog at http://blogs.hallrender.com for more information on topics related to health care law.

Carol Romej, J.D., L.L.M. (248) 740-7505 [email protected]

Anchorage | Dallas | Denver | Detroit | Indianapolis | Louisville | Milwaukee | Philadelphia | Raleigh | Seattle | Washington, D.C.

This presentation is solely for educational purposes and the matters presented herein do not constitute legal advice with respect to your particular situation.