Presented by Carol Romej, J.D., L.L.M.|(248) 740-7505 | [email protected]
Data Governance & the Consequences of Ransomware in the New Security Frontier
Critical & Sensitive Data
• Social Security Number
• Credit Card Information
• Driver's License
• Birth Date
• Protected Health Information under HIPAA/HITECH (Insurance/Medical)
• Employment/Income
• Email address
• Corporate Intellectual Property
• Corporate Proprietary Information
Equifax 2017 Breach Notification
• A software vulnerability that was known (March 9), but the security patch was not applied due to ‘human error and technology error’
• Breach: Estimated 145 Million consumer records
• Discovered July 29, but publicly announced one month later
• Forensics has determined that first unauthorized access occurred May 13
Equifax Operations
• Security (3 Year) Budget: $250 Million
• Security Team: 225 Employees
Compromised Equifax User Data
• Entire consumer history of payments with all the attendant personally identifiable information
Yahoo 2013 Breach Notification
• Sent to ‘Potentially Affected Users’ regarding their account information
• Breach: Estimated 1 Billion current and past users affected
Yahoo 2016 Breach Notification
• Sent to ‘Potentially Affected Users’ regarding their account information
• Breach: Estimated 500 Million current and past users affected
• Method: A copy of user account information was stolen in 2014
• Suspect a state-sponsored actor
Yahoo 2017 Breach Notification
• Breach: 3 Billion - ALL current and past users as of 2013 affected
• The largest breach in history
• Detected during Verizon integration
Compromised Yahoo User Data
• Names
• Email address
• Telephone Number(s)
• Date of Birth
• Hashed passwords (with bcrypt)
• Encrypted/Unencrypted security questions
Remediation of User Data
• Recommend changing passwords
• Review your account for suspicious activity
• Change security questions
• Enhanced systems to detect and prevent unauthorized access to user accounts
• Working closely with law enforcement
Action Items for Victims
• Change all passwords to your accounts, and elect to have a secondary password assigned
• Ensure two-factor authentication is enabled (PW and Device)
• Obtain copies of credit reports – minimally once a year (Equifax, Experian, TransUnion)
• Activate a “security freeze”
Business Impact
• Verizon/Yahoo merger for $4.5 B ($350 M less due to breach history)
• Equifax stock price decline
Who ‘touches’ data?
• Accounting
• IT
• Marketing
• Service Lines
• Business Lines
• Vendors
• Customers
Ineffective Risk Management
• Not knowing where your Intellectual Property, Sensitive Data, or Proprietary Data is residing (i) Internally or (ii) Externally
• Not procuring cyber insurance
• Accountability for risk management is dispersed throughout the organization
Security Ecosystem
• Critical Business Software Applications
• Hosted / In-house applications
• Mobile Devices
• Copies of data (ordinary course of business)
Software Application Risk
• Default application settings store generated reports containing sensitive data in accessible locations on the network and on employee devices
• Database transaction logs stored in clear readable text outside the secure database
• Employees failing to delete or secure files containing sensitive data
• Servers where the applications reside accessible to employees with domain credentials
Information Security Teams
The soldier is told to guard a certain hill and to keep it at all costs. However, he is not told who his enemy may be, what they look like, where they are coming from, or when (or how) they are likely to strike.
2016 DBIR Report, Page 6
Classifications of Security Incidents
• Web App Attacks
• Cyber-espionage
• POS Intrusions
• Insider Misuse
• Card Skimmers
• Error
• Physical Theft/Loss
2016 DBIR - Verizon
Phishing
• A message, typically an email, carrying a malicious attachment or link, with content crafted to trick the recipient into opening the attachment or link
• A means to install malware
• A means to lead users to phony web sites and capture user information
Credentials
• Use of stolen, weak or default passwords (credentials) to gain access to sensitive information and data
• By capturing keystrokes of infected device
• By guessing
• By Point of Sale devices with malware that captures, packages and then delivers (exports) sensitive data
• By insider/employee misuse for unapproved/illegal activity
Web App Attacks
• An attack on the infrastructure of web application servers
• By exploiting code-level vulnerabilities in the application (payment application code is popular)
• By thwarting authentication mechanisms
• By defacing the web site (adding new / disparaging content)
Point of Sale Intrusions
• Targets POS terminals and/or POS controllers by either tampering with the device or replacing it (credit card skimmers)
• By using stolen credentials to remotely access the POS environment
• By use of memory-scraping malware (RAM scrapers)
• By targeting POS software vendors directly
Data Breach Investigations Report
• Over 60 Global Organizations are Contributors
• Aggregate and analyze common incident patterns
• Publish findings and make recommendations to industry
Key Definitions
• Incident: A security event that compromises the integrity, confidentiality, or availability of an information asset.
• Breach: An incident that results in the disclosure or potential exposure of data.
• Data Disclosure: A breach for which it was confirmed that data was actually disclosed (not just exposed) to an unauthorized party.
2010 – DBIR – Verizon Data
• Most breaches are discovered by external parties
• Most breaches could have been avoided without difficult or expensive controls
Data Breach Trends - Ponemon
• Average cost of each stolen or lost record is $221.00
• Biggest financial consequence is lost business
• Malicious attacks by cyber criminals are taking longer to detect
• Ransomware – focuses on a new primary victim: the organization, which is exposed to the additional risk of paying a ransom
Ransomware
Ransomware is a type of malicious software cyber actors use to deny access to systems or data. The malicious cyber actor holds systems or data hostage until the ransom is paid. After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted.
www.fbi.gov
Levels of Ransomware Attacks
• Locks the system and displays a message requiring payment
• Encrypts the victim’s files and systems and demands a ransom to decrypt them
Method of Ransomware Attack
• Compromised legitimate websites that infect a user’s computer WITHOUT the user clicking on anything
• Advertising links – click and be infected
• Adobe Flash – its vulnerabilities are exploited
• Phishing and Spear Phishing attacks
Ransomware Debate – Is it a reportable breach?
• The unavailability of data does not rise to a reportable breach in certain incidents – no access/disclosure
• Most ransomware attacks are disabling events that also affect the backup systems
• Example: a bot that activated encryption only
Preventative Measures
• Backup regularly, and do NOT maintain backups on the network
• Utilize whitelisting
• Educate Employees
• Patch OFTEN
• Perform scans of the network regularly
• Have (and test) a business continuity plan
• NEVER click on links you do not TRUST
• NEVER open email attachments from UNTRUSTED sources
Key Data Loss Prevention Controls
• Endpoint security solutions
• Encryption
• Data Governance programs
• Incident Response team
• Investments in in-house expertise
Tone at the Top
• Drives the organization’s control environment
• Reduces the risk of working with vendors that are not trustworthy
• Incorporates integrity and ethics in relationships with vendors
• Increases employee awareness of the importance of security, data protection and business resiliency
References
• www.veriscommunity.com
• www.vcdb.org
• www.sans.org
• 2016 Cost of Data Breach Study: United States, Ponemon Institute, June 2016
• www.fbi.gov
• Tone at the Top and Third Party Risk, Ponemon Institute and Shared Assessments 2016, May 2016
• 2016 Data Breach Investigations Report, www.verizonenterprise.com
Please visit the Hall Render Blog at http://blogs.hallrender.com for more information on topics related to health care law.
Carol Romej, J.D., L.L.M. (248) 740-7505 [email protected]
Anchorage | Dallas | Denver | Detroit | Indianapolis | Louisville | Milwaukee | Philadelphia | Raleigh | Seattle | Washington, D.C.
This presentation is solely for educational purposes and the matters presented herein do not constitute legal advice with respect to your particular situation.