David Willson, Esq.
CISSP
Titan Info Security Group
“A Risk Management and Cyber Security
Law and Consulting Firm”
Cybersecurity and Liability: Are you informed?
Agenda
Suffering a breach is a foregone conclusion, but how bad is it really?
Why we are still optimistic
Emperor has no clothes
The Problem and the Perfect Storm
Computers – IT – Cyber Security - Risk
Agenda cont.
What you can do
Now, before the breach
When the breach is discovered
After the breach
The Assessment
The Policy
The Training
Bottom Line
Do an assessment
Write the policies
Train employees
Know when to ask for help (e.g. collaborate with someone to help you assess the risk to
your business, your customers, etc. Collaborate with a cyber security expert)
How were they breached?
Target: The Target breach also started with a hacked vendor, a heating and air
conditioning company in Pennsylvania that was relieved of remote-access credentials
after someone inside the company opened a virus-laden email attachment. (PoS)
Home Depot: IT was told to minimize costs and system downtime at the expense of
improving security. Crooks initially broke in using credentials stolen from a third-party
vendor. (Facing at least 44 civil suits.) (PoS)
Sears/Kmart: (PoS)
How were they breached? cont.
Chick-fil-A: (PoS) Detected by a credit card association who notified financial
institutions that payment card systems had been breached. The breach occurred between
Dec. 2013 and Sept. 2014. See the connections, and the length of time?
JP Morgan: 76 million households and 8 million small businesses. Root cause –
employee’s computer. Georgetown law professor: "JP Morgan spends crazy amounts
of money on IT security and yet they can still be hacked," he said. "There’s really no
way you can be connected to the Internet and keep things safe."
US Postal Service: 800,000 employee records. Also the Pentagon, NOAA, OPM, the
White House and more.
How were they breached? cont.
White House: The breach was reported to the Govt via an ally. Like many breaches, it was not discovered internally but reported by an outside third-party.
Sony: Well, depending on who you believe, it was either North Korea who was mad because their dictator’s head explodes in a movie that was supposed to be released over Christmas, or, it was former employees who were terminated, or a combination, or maybe something or someone much more nefarious?
* These are just a few of the many breaches that are known. On average most breaches were discovered months after they were initiated, if you can even trust those statistics. Consider the
Shady RAT report from McAfee in 2012. They discovered hackers had been in 70 large companies and national government computers for 5 years, since 2006, before anyone detected
them!
The Art of Deception
Can we really trust the results of investigations that say XXX was
responsible for the breach?
Think about it: if you are going to commit a crime, isn’t making it look
like someone else is responsible a great ruse?
So, who really created and released Stuxnet? Who really attacked
Estonia? Did North Korea hack Sony?
* Can we really know?
SURVEY
Would you believe me if I said, 80% of companies in the US have been or will be
breached?
Statement made by the Director of the FBI!
SURVEY
Does anyone believe there is an 80% chance that their company will suffer a breach
in the next year?
50% chance?
30%?
SURVEY
Does anyone believe there is a 30% chance another company will be breached?
50% chance?
80%?
SURVEY
When surveyed in my classes, most
believe their neighbor will be breached
but not their company?
Why?
The Perfect Storm
IT Security
• Information Technology: “the technology involving the development,
maintenance, and use of computer systems, software, and networks for
the processing and distribution of data.” Merriam-Webster
• The emperor has no clothes!
Are You Potentially Liable?
What if you are breached?
What if someone you are connected to or
provide service to is breached?
Negligence-Liability & the Target Case
In a Dec. 2 ruling, Judge Paul A. Magnuson of the U.S. District Court in St.
Paul, Minnesota, refused to dismiss the litigation. He said plaintiffs can
proceed with their lawsuit on a theory of negligence.
He further stated: “At this preliminary stage of the litigation, plaintiffs
have plausibly (pleaded) a general negligence case.” “Although the
third-party hackers' activities caused harm, Target played a key role in
allowing the harm to occur.”
Negligence-Liability & the Target Case cont.
The ruling essentially holds that Target may have been
responsible for the damages the hackers caused even
though there may have been no direct contractual
relationship between the retailer and the credit card
issuers.
Judge Magnuson concluded, “that there can be a direct
duty between the issuing banks and the retailer, and that
lets them get over this motion to dismiss hurdle.”
Negligence-Liability & the Target Case cont.
So, two significant findings that impact us:
1. Plaintiffs have put forward enough evidence to
show negligence might be proven.
2. At this point in the case, a causal connection
and duty to protect might be proven between
the banks and Target.
Negligence-Liability & the Target Case cont.
You need to be prepared ahead of time:
Make sure you have a proper incident response plan in place, and
appropriate lines of authority so there is an immediate response when a
red flag appears.
“The more reasonable the steps [businesses] take — and document — to
protect consumer data, the more likely they are to survive a conduct-
based challenge.” (e.g. a negligence claim)
See: Business Insurance, “Target’s data breach liabilities mount as credit card issuers’ suit proceeds,” http://www.businessinsurance.com/article/20150104/NEWS07/301049970?tags=|299|75|303|335
Assess
What do you collect, process, and store?
Categorize it
Where does it come in from?
Who has access to it?
Any outside vendors? What’s their security? Cloud provider?
Policies
Do you have written policies?
Two goals
Outline process and policy to inform workforce
Provide proof of a plan
Train
Ensure employees are aware of policies
Teach them how to recognize the risks
Teach them how to react
Teach them what to say
Final Note: the Cloud
Who holds your stuff?
What’s their security?
Who do they allow to see your stuff?
What can you do?
Self Risk Assessment Form
If you would like to receive my self risk assessment form please call
or email me and I will send it to you. I will also make it available to
PSA TEC to post so you can get it there. If you have the time and
desire, it will help you make the initial steps to assess the state of
your security. You can also use it to ask customers to provide
feedback to find out what their state of security is.
Q & A
David Willson
Attorney at Law
CISSP
Titan Info Security Group
719-648-4176
www.titaninfosecuritygroup.com