Would You Trust a Thief?
Webinar 6/28/2016 Noon – 1:00 p.m. ET
The Dos, Don’ts, Wishes and Regrets
Associated with Ransomware
Richard Shutts, HBS; Alex Rosati, HBS; Alan Winchester, HBS; Tad Mielnicki, AAG
www.hbsolutions.com DM#2847972.1
HB Access℠
Alex Rosati, HBS Tad Mielnicki, AAG Alan Winchester, HBS Richard Shutts, HBS
HB ACCESS℠ is offered jointly by HB Solutions LLC and Access Advisory Group LLC.

About HB Solutions: HB Solutions Data Privacy and Cybersecurity has provided cybersecurity prevention and post-breach response support to organizations in highly regulated industries and can advise on establishing the right level of certification compliance and the necessary reporting to minimize the liability associated with cybersecurity incidents. HB Solutions LLC is a consulting subsidiary of the law firm Harris Beach PLLC, established to provide non-legal consulting services to organizations and individuals in the private and public sectors across numerous industries.

About AAG: Access Advisory Group is comprised of proven cybersecurity leaders and technology operators who have worked in the highest levels in the U.S. Department of Defense, Intelligence Community and Department of Homeland Security. AAG has extensive experience in data encryption and management, data collection and analytics and in-depth knowledge across the spectrum of cybersecurity tool
Ransomware Introduction
Ransomware is a type of malware designed to restrict access to the affected computer system until a ransom is paid to the malware operator. It typically encrypts the files it can reach using an algorithm that is impossible to crack.
Ransomware Introduction (continued)
Once the virus penetrates the perimeter defenses, it is free to spread throughout large portions of the environment, encrypting any and all files it encounters.
Ransomware Introduction (continued)
In exchange for payment, the malware operator HOPEFULLY gives the users the encryption key and the computer is returned to an operational status.
Ransomware Introduction (continued)
The malware operators have historically made relatively modest demands for the encryption keys, perhaps 1-2 Bitcoins per computer.
Ransomware Introduction (continued)
Many companies simply choose to pay the ransom and move on without involving law enforcement or their attorneys.
Ransomware Introduction (continued)
How an organization responds to the discovery of ransomware will significantly affect its ability to detect the other actions the malware operator may have taken.
Scenario One
The computer can’t read any of the files and the files on their network drive are also locked.
Scenario One Discussion
What happened to this organization? Have they been breached?
Scenario One (continued)
• Is this a crime?
• Must you report the breach to law enforcement?
• Who has jurisdiction?
• How does reporting help?
• What are the down sides of reporting?
• How common is this?
• How do these things get into the company?
• Who are these bad actors?
And Then….
After ransomware was detected, a technician determined that all the corporate information existed on backup and decided to reformat the servers and restore from backups. Then the technician calls you. What issues does this raise?
What Happened?
Forensic Issues
• What difference did it make that the technician reformatted over all the drives?
What Happened? (continued)
IT perspective
• What, if anything, should the technician have done differently?
• How would these different actions have given the company any additional options?
• Given the current situation, is the response enough or must the company address its other systems and in what manner?
IT Suggestions and Concerns
What must you do after a breach and, depending on how the technician responded, what options exist?
• Identify affected systems and information?
• What to do with infected computers?
• How are your backups?
• What else did the malware operator do?
Policy Issues
Depending on how the technician responded:
• Without police involvement, is there a basis for the company to delay notification if it finds that it has a duty to report?
• Should the company assume that any PII on the system has been stolen?
• If so, what duties does it now have?
Policy Issues (continued)
Cyber insurance – is coverage impacted?
Notification issues
o Does the fact that ransomware was installed trigger a notification duty if there was protected private information on the system?
o How do you assess what information or data types were on the system?
o Regulator, state and federal laws and reporting requirements
o Contractual obligations
o Business considerations
What Happened? (continued)
How else is the company affected?
• Publicity
• Direct costs. According to the Ponemon 2015 Cost study, a breach costs $12.60/record.
• Indirect costs
Risk Reduction Strategies
How would an incident or breach response plan have aided in this situation?
Breach Response Team and Issues
Who needs to be involved from within the organization to build a response plan?
Communication / notification considerations
• Legal team and security consultants
• Management team
• Brand issues
• Customer issues
• Law enforcement
Board issues
Discussion Topics
• What is a bitcoin and where do I get one?
• Is paying the ransom so bad?
May 8, 2016; June 22, 2016
Risk Reduction Strategies
IT Considerations
Surveillance of your network
• Who is on it and does it make sense?
• What accounts are enabled?
• Is there a thoughtful allocation of rights on the system?
• How is the network configured?
• Is there separation between different groups to contain loss?
• What rights do users have and are they restricted?
• Are there any controls and processes in place to limit what can be connected to the network?
Risk Reduction Strategies
Technical Considerations
• Network segmentation
• User rights
• Data encryption
• End to end data visibility and management
• Surveillance and logging
• Red teaming and Pen Testing – Checking a box is not enough
• Other options
Risk Reduction Strategies (continued)
Policy Considerations
ISO27001; NIST; COBIT; etc.
How is confidential information treated?
• Encryption?
Contractual and industry requirements
Legal requirements (SEC, HIPAA, FTC…)
Discussion Topics (continued)
Human Considerations
• Social Engineering Testing
• Test the Incident Response Plan
• User training
• Behavior focused handbooks
The HB Access team wants to work with you to build your business by helping you understand your Information Security (Infosec) risk in the same way you understand your other risks. Our integrated team understands your business needs and will tailor your policy, human capital and technology Infosec approaches to enable you to build and not stop your efforts. We will tell you how when the industry tells you don’t. HB Access
Policy Human Systems Technical
Improving your InfoSec HB Access℠
Combined Risk Assessment
Infosec enables a company to do business by enabling the access, storage and distribution of data that must remain secure. Understanding the lifecycle risk of data is crucial to the operation of any modern business. Typical approaches to Infosec risk apply industry standards without individual business context or policy standards without technical context.
Technical Assessment
Policy / Regulatory Assessment
Human Systems Assessment
Combined Risk Assessment
HB Access℠ Service Overview
PROACTIVE PROTECTION ANALYSIS

Initial Assessment
• Meet with key stakeholder
• Identify and develop visions and goals

Compliance Issues
• Consult on compliance requirements
• Draft policies
• Review contracts
• Advise on issues of non-compliance

Risk Assessment
• Technical
• Administrative
• Red Teaming
• Physical

LOSS MITIGATION

Insurance Counseling
• Insurance and contract evaluations
• Analysis on risk level and exposure

Employee Education & Awareness
• Design training programs
• Develop and revise employee manuals

Crisis Readiness
• Evaluate / develop Incident Response
• Communication and media training
• Business Recovery Planning

POST BREACH RESPONSE

Immediate Crisis Response
• Detect and eliminate security breach
• Consult on notification requirements

Claims Response
• Develop claims response program
• Negotiate and audit claims services
• Facilitate legal representation
Final thoughts and Questions?
For more information write:
Tad Mielnicki [email protected]
Alexander Rosati [email protected]
Rick Shutts [email protected]
Alan Winchester [email protected]
HB|Solutions: 866.820.3167