
Page 1

March 10, 2015

© 2015 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd

THE INSTITUTE OF INTERNAL AUDITORS – District Conference

Information Security / Cybercrime

Presenter: Eric Grass, Director, Business Advisory Services
E: [email protected]

Page 2

Agenda Topics

• What is the nature of personal information, and what compliance requirements apply to handling it?

• What should you consider when developing your Information Security Program, and what are the trending data breach statistics?

• What are organizations doing to plan ahead and prepare?

Page 3

Information Privacy

How is personal information classified?

• Personally Identifiable Information (PII) – any data that could potentially identify a specific individual. This can be either:
  – Non-Sensitive Personal Information (Name, Address, etc.), or
  – Sensitive Personal Information (SPI):
    • SSN, Passport Number, Driver's License, etc.
    • Personally Identifiable Financial Information (PIFI), including bank accounts, credit cards, etc.
    • Personal Health Information (PHI)
    • Emerging areas (Biometrics, Static IP Addresses, etc.)

• Other Personal Information
  – Employment Information (salary, performance ratings, etc.)
  – Customer Information (purchase history, voice recordings, etc.)

[Diagram: Non-Sensitive Personal Information / Sensitive Personal Information / Other Personal Information]

Page 4

Information Privacy

What are the sources of personal information?

• Public Records – information collected and maintained by a government entity and available to the general public (example: certain real estate information)

• Publicly Available Information – information that is generally available to a wide range of persons (example: name and address in the phone book, published information, etc.)

• Nonpublic Information – not generally available or easily accessed due to law, custom, or fiduciary duty (example: medical records, financial information, adoption records, employment information, etc.)

[Diagram: Nonpublic Information / Public Records / Publicly Available Information]

Page 5

Information Privacy

What are an organization's responsibilities?

• Establish adequate information security safeguards to comply with the appropriate regulatory requirements and protect personal information

• Communicate internally to employees the specific governance regarding the handling practices for personal information

• Communicate externally awareness regarding how the organization intends to collect, use, retain, and disclose personal information

[Diagram: the information sources (Nonpublic Information, Public Records, Publicly Available Information) overlaid on the personal information categories (Non-Sensitive Personal Information, Sensitive Personal Information, Other Personal Information), with a highlighted Focus Area]

Page 6

Information Privacy

What are some of the common compliance standards?

• PCI DSS (Payment Card Industry Data Security Standard)
  – Type: Contractual Requirement
  – Objective: Protects cardholder data (i.e., credit cards, debit cards, etc.)
  – Limited Scope: Cardholder data

• HIPAA / HITECH (Health Insurance Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act)
  – Type: Government Regulation
  – Objective: Governs the use and disclosure of Protected Health Information (PHI) and reporting of data breaches
  – Limited Scope: PHI

• GLBA (Gramm-Leach-Bliley Act)
  – Type: Government Regulation
  – Objective: Governs the collection, disclosure, and protection of consumers' non-public personal information by financial institutions
  – Limited Scope: Consumers' non-public personal information

• SOX (Sarbanes-Oxley)
  – Type: Government Regulation
  – Objective: Governs the adequacy of a company's internal control over financial reporting
  – Limited Scope: Internal controls over financial reporting

• SOC Reports (Service Organization Controls Report)
  – Type: Accounting Standard
  – Objective: Documents and tests controls implemented by outsourced service providers
  – Limited Scope: Controls over outsourced services

Page 7

Information Privacy

What are the Generally Accepted Privacy Principles (GAPP)?

• Core idea: Privacy encompasses "the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure and disposal of personal information."

• Originator: Developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).

• Structure: Comprised of 10 general principles, which are defined by 73 measurable criteria.

• Metrics for compliance: Degree of compliance is known as "Maturity Level", with five levels from least to greatest: Ad Hoc; Repeatable; Defined; Managed; Optimized.

• Industry benchmark for assessing your organization's internal information privacy compliance capabilities

Page 8

Information Privacy

What are the 10 GAPP Principles?

1. Management: assign accountability

2. Notice: provide notice about privacy policies and purposes for which information is collected, used, retained, and disclosed

3. Choice and consent: obtain consent with respect to collection and use of personal information

4. Collection: collect personal information only for purposes identified in notice

5. Use, retention and disposal: personal information is managed in a manner consistent with privacy notice and applicable laws/regulations

6. Access: access to information for review and update

7. Disclosure to third parties: disclosure consistent with purposes identified in notice and with consent of the individual

8. Security for privacy: personal information protected against unauthorized access (physical and logical)

9. Quality: maintain accurate, complete and relevant personal information for the purposes identified in the notice

10. Monitoring and enforcement: monitor compliance with internal privacy policies and procedures, and institute procedures to address privacy-related complaints and disputes

Page 9

Information Privacy

What are the Maturity Level Definitions?

• 1 – Ad Hoc: Undocumented, uncontrolled and reactive responses by users

• 2 – Repeatable: Process that can be recurring and may yield consistent results

• 3 – Defined: Documented processes which are periodically subjected to improvement over time

• 4 – Managed: Metrics relied upon by management to effectively control the "as-is" process

• 5 – Optimized: Continual performance improvement through incremental and innovative changes

Page 10

Information Security

How do information privacy and information security relate?

• Information Privacy
  – controls an individual's rights to authorize an organization's use of their personal information
  – establishes rules governing the collection and handling of personal information
  – requires Information Security to safeguard personal information … if security is breached, then privacy controls will not be effective

• Information Security
  – a system of implemented controls, which need to be monitored and reviewed, to ensure the organizational objectives are being met
  – includes multiple types (physical, administrative, and technical) of control mechanisms
  – protection of all information types in order to prevent loss, unauthorized access, or misuse (includes both personal information and the organization's intellectual property and assets)

Page 11

Information Security

What should I include in my Information Security Program?

• How do I keep my information security requirements current?
  – monitor organizational security threats and vulnerabilities
  – monitor legal, regulatory, and contractual obligation changes
  – adapt with your organization's principles, policies, and objectives

• Maintain your information risk profile
  – conduct a thorough review and assess your critical end-to-end information flows
    • identify potential threats and vulnerabilities
    • estimate impact and expected economic loss
  – prioritize the risks (i.e. Risk = Threats x Vulnerabilities x Expected Loss)
  – implement and monitor appropriate security controls
  – monitor the effectiveness of your information security program
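The risk-profile steps above, worked through as an added example (not code from the presentation): a constructed inventory of end-to-end information flows is scored with Risk = Threats x Vulnerabilities x Expected Loss, where expected loss is records exposed times the US $201 per-record cost the deck cites from Ponemon, and the 1..5 threat and vulnerability ratings, the flow names and the `apply_control` helper are hypothetical.

```python
"""Prioritizing information-flow risks with the deck's formula.

Added example, not code from the presentation. It applies
    Risk = Threats x Vulnerabilities x Expected Loss
to a constructed inventory of end-to-end information flows. Expected loss
is estimated as records exposed x average cost per record; US $201 per
record is the figure the deck cites from Ponemon 2014. The 1..5 threat and
vulnerability ratings are hypothetical assessor scores.
"""
from dataclasses import dataclass, replace

COST_PER_RECORD_USD = 201  # US average cost per record (Ponemon 2014, cited in the deck)


def _norm(score: int) -> float:
    """Map a 1..5 rating onto 0.2..1.0 so the product stays interpretable."""
    if not 1 <= score <= 5:
        raise ValueError(f"rating must be 1..5, got {score}")
    return score / 5


@dataclass(frozen=True)
class InformationFlow:
    name: str
    classification: str        # deck's categories: "Non-Sensitive", "SPI", "Other"
    records: int               # records exposed if this flow is breached
    threat: int                # likelihood a capable threat targets this flow, 1..5
    vulnerability: int         # weakness of the controls in place, 1..5
    cost_per_record: float = COST_PER_RECORD_USD  # raise for SPI if notification costs are higher

    def expected_loss(self) -> float:
        return self.records * self.cost_per_record

    def risk(self) -> float:
        return _norm(self.threat) * _norm(self.vulnerability) * self.expected_loss()


def prioritize(flows):
    """Rank flows from highest to lowest risk (the deck's 'prioritize the risks' step)."""
    return sorted(flows, key=lambda f: f.risk(), reverse=True)


def apply_control(flow: InformationFlow, new_vulnerability: int) -> InformationFlow:
    """Model 'implement appropriate security controls': a control lowers the vulnerability rating."""
    return replace(flow, vulnerability=new_vulnerability)


# Constructed sample inventory (hypothetical flows and ratings)
SAMPLE_FLOWS = [
    InformationFlow("Payroll export to benefits vendor", "SPI", 2_500, 3, 4),
    InformationFlow("Marketing newsletter list", "Non-Sensitive", 80_000, 2, 2),
    InformationFlow("Call-centre voice recordings", "Other", 12_000, 3, 3),
    InformationFlow("Customer card-on-file store", "SPI", 40_000, 5, 3),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FLOWS):
        print(f"{f.risk():>14,.0f}  {f.classification:<14} {f.name}")
    # Re-rank after a control on the card store (vulnerability 3 -> 1) to see the residual risk.
    hardened = [apply_control(f, 1) if "card" in f.name else f for f in SAMPLE_FLOWS]
    print("after control:", [f.name for f in prioritize(hardened)])
```

Note that the formula ranks the non-sensitive newsletter list second purely on record volume; classification only enters through the per-record cost the assessor chooses.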

Page 12

Information Security

What are common misconceptions?

• It will never happen to me

• Our network is secure

• We are in compliance with industry standards

• We are not a big company

• We don't have any personal information so we aren't a target

• We have never been attacked

Page 13

Information Security

What is behind recent high visibility data breaches?

• Target
  – Financial Impact: $148 million
  – What was Breached? Credit / debit card holder information
  – Attack Characteristics: Compromised a 3rd party vendor to gain legitimate login credentials. Infected POS systems with a "RAM-scraping" virus. Estimated at 3 weeks in duration, $38 million from insurance

• Sony
  – Financial Impact: $171 million
  – What was Breached? SPI, NPI, documents and e-mails
  – Attack Characteristics: Infected through their e-mail exchange servers. Estimated at 1+ years in duration, $60 million from insurance

• eBay
  – Financial Impact: TBD
  – What was Breached? PII, encrypted passwords
  – Attack Characteristics: Compromised employee credentials used to gain access. eBay was seen as an "exemplar" in its strong and sophisticated cyber defenses. Estimated at 2+ months in duration.

• Google (discovered)
  – What was Breached? OpenSSL
  – Attack Characteristics: Hackers exploited a security vulnerability dubbed "Heartbleed" in the cryptographic software library used to secure millions of websites. Estimated at 2+ years before detection of the bug.

• Anthem
  – What was Breached? SPI, NPI, but not PHI
  – Attack Characteristics: Very sophisticated external cyber attack still being investigated

Page 14

Information Security

What were the costs of data breaches in 2013 [1]?

• The average cost of a data breach was $3.5 million ($5.9 million US only), or an average of $145 ($201 US only) per record of information

• Data breach root cause is distributed across malicious or criminal attack (42%), human error (30%), and system glitch (29%)

US $5.9m – Breach Cost Characteristics:

• 7% – Detection and Escalation Costs

• 9% – Breach Notification Costs

• 27% – Post-Breach Costs

• 57% – Lost Business

Factors that influence average cost per record:

[1] Ponemon Institute. 2014 Cost of Data Breach Study, May 5, 2014

Page 15

Information Security

Are there common incident classification patterns [2]?

• POS Intrusion – remote attacks where retail transactions are conducted

• Web App Attacks – directed at code-level vulnerabilities as well as thwarting authentication mechanisms

• Insider and Privilege Misuse – unapproved or malicious use of organizational resources

• Crimeware – attacks of various types and purposes using a malware-based approach

• Payment Card Skimmers – a skimming device was physically implanted (tampered) on an asset that reads payment cards

• Cyber-Espionage – unauthorized network or system access linked to state-affiliated actors and/or exhibiting motive of espionage

"92% of the 100,000 incidents we've analyzed from the last 10 years can be described by just nine basic patterns"

[2] Verizon 2014 Data Breach Investigations Report

Page 16

Information Security

How are incident patterns distributed across industries [2]?

[2] Verizon 2014 Data Breach Investigations Report

Industry (North American Industry Classification System code) – Incident Classification (Attack) Patterns 1 to 10 (percentage of the industry's incidents per pattern; see legend below)

Accommodation and Food Service 75%

Administration and Support;Waste Mgmt. and Remediation Services 27% 43%

Construction 33%

Educational Services 19% 15% 20% 22%

Arts, Entertainment, and Recreation 22% 32%

Finance and Insurance 27% 22% 26%

Healthcare and Social Assistance 15% 46%

Information 41% 31% 16%

Management of Companies and Enterprises 44%

Manufacturing 24% 30%

Mining, Quarrying, and Oil & Gas Extraction 25% 40%

Professional, Scientific, and Technical Services 37% 29%

Public Administration 24% 19% 34% 21%

Real Estate; Rental and Leasing 37% 20%

Retail Trade 31% 33%

Wholesale Trade 30% 27%

Transportation and Warehousing; Postal Service 15% 16% 15% 24%

Utilities 38% 31%

Other Services (except Public Administration) 29% 17%

Legend:
1 – POS Intrusions
2 – Web App Attacks
3 – Insider Misuse
4 – Physical Theft / Loss
5 – Miscellaneous Errors
6 – Crimeware
7 – Payment Card Skimmer
8 – DoS Attack
9 – Cyber-Espionage
10 – Everything else

Page 17

Information Security

Has the use of threat actions stayed constant over time [2]?

[2] Verizon 2014 Data Breach Investigations Report

Page 18

Information Security

How are data breaches discovered [2]?

[2] Verizon 2014 Data Breach Investigations Report

• POS Intrusion
  – Discovery Method: 99% External (75% law enforcement; 14% fraud detection)
  – Timespan of Events, Compromise: 87% within minutes (51% seconds)
  – Timespan of Events, Discovery: 98% weeks to months (85% weeks)

• Web App Attacks
  – Discovery Method: Financially Motivated – 88% External (74% customers); Ideologically Motivated – 98% External (93% unrelated party)
  – Timespan of Events, Compromise: 96% days or less (42% minutes)
  – Timespan of Events, Discovery: 85% days to years (41% months)

• Insider and Privilege Misuse
  – Discovery Method: 55% Internal (19% audit activities, 13% by users)
  – Timespan of Events, Compromise: Not provided in study
  – Timespan of Events, Discovery: 74% days to weeks (34% days)

• Crimeware
  – Discovery Method: 84% External
  – Timespan of Events: 89% within days

• Payment Card Skimmers
  – Discovery Method: 76% External (26% fraud detection; 21% law enforcement)
  – Timespan of Events: Not provided in study

• Cyber-Espionage
  – Discovery Method: 85% External (67% unrelated party)
  – Timespan of Events: 83% weeks to years (62% months)

Page 19

Planning Ahead

What are organizations doing to prepare and plan ahead?

• Refresh their information asset inventory and classification

• Update their information security risk assessment

• Review the adequacy of their vendor management policies and procedures

• Review IT audit procedures for both information privacy and information security control coverage

• Conduct employee awareness and training

• Develop Incident Response (IR) plan and procedures
  – does the DR or BCP plan allow for an investigation to proceed while recovery is effected?
  – have your incident response team ready and practice at least quarterly

Page 20

Planning Ahead

How comprehensive is your IR plan?

Treat every cyber breach as if it will end up in a criminal prosecution.

Page 21

Planning Ahead

What is an adaptive Information Security Protection Process [3]?

• Key Challenges
  – existing blocking and prevention capabilities are insufficient for a motivated attacker
  – information security doesn't have the continuous visibility needed to detect advanced attacks
  – organizations continue to invest in prevention-only strategies

• Recommendations
  – shift organizational mindset from "incident response" to "continuous response", wherein systems are assumed to be compromised and require continuous monitoring and remediation
  – rebalance investment priorities into detective, response, and predictive capabilities
  – develop a security operations center that supports continuous monitoring and is responsible for the threat protection process

[3] Gartner, Designing an Adaptive Security Architecture for Protection From Advanced Attacks, February 2014

Page 22

Planning Ahead

What are the four stages of an Adaptive Security Architecture [3]?

[3] Gartner, Designing an Adaptive Security Architecture for Protection From Advanced Attacks, February 2014

• Harden and Isolate Systems; Divert Attackers; Prevent Incidents

• Detect Incidents; Confirm and prioritize risks; Contain Incidents

• Investigate / Forensics; Design / model change; Remediate / make change

• Baseline Systems; Predict Attacks; Proactive exposure analysis

Page 23

Questions?